2 * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
7 * a) Redistributions of source code must retain the above copyright notice,
8 * this list of conditions and the following disclaimer.
10 * b) Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the distribution.
14 * c) Neither the name of Cisco Systems, Inc. nor the names of its
15 * contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
28 * THE POSSIBILITY OF SUCH DAMAGE.
31 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
36 #include <netinet/sctp_os.h>
37 #include <netinet/sctp_var.h>
38 #include <netinet/sctp_sysctl.h>
39 #include <netinet/sctp_pcb.h>
40 #include <netinet/sctp_header.h>
41 #include <netinet/sctputil.h>
42 #include <netinet/sctp_output.h>
43 #include <netinet/sctp_input.h>
44 #include <netinet/sctp_auth.h>
45 #include <netinet/sctp_indata.h>
46 #include <netinet/sctp_asconf.h>
47 #include <netinet/sctp_bsd_addr.h>
48 #include <netinet/sctp_timer.h>
49 #include <netinet/udp.h>
54 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb)
56 struct sctp_nets *net;
59 * This now not only stops all cookie timers it also stops any INIT
60 * timers as well. This will make sure that the timers are stopped
61 * in all collision cases.
63 SCTP_TCB_LOCK_ASSERT(stcb);
64 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
65 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) {
66 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
69 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1);
70 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) {
71 sctp_timer_stop(SCTP_TIMER_TYPE_INIT,
74 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2);
81 sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh,
82 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
83 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, uint16_t port)
85 struct sctp_init *init;
89 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n",
93 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
99 /* First are we accepting? */
100 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) {
101 SCTPDBG(SCTP_DEBUG_INPUT2,
102 "sctp_handle_init: Abort, so_qlimit:%d\n",
103 inp->sctp_socket->so_qlimit);
105 * FIX ME ?? What about TCP model and we have a
106 * match/restart case? Actually no fix is needed. the lookup
107 * will always find the existing assoc so stcb would not be
108 * NULL. It may be questionable to do this since we COULD
109 * just send back the INIT-ACK and hope that the app did
110 * accept()'s by the time the COOKIE was sent. But there is
111 * a price to pay for COOKIE generation and I don't want to
112 * pay it on the chance that the app will actually do some
113 * accepts(). The App just looses and should NOT be in this
116 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
119 *abort_no_unlock = 1;
122 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) {
124 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
125 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
128 *abort_no_unlock = 1;
131 /* validate parameters */
132 if (init->initiate_tag == 0) {
133 /* protocol error... send abort */
134 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
135 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
138 *abort_no_unlock = 1;
141 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) {
142 /* invalid parameter... send abort */
143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
147 *abort_no_unlock = 1;
150 if (init->num_inbound_streams == 0) {
151 /* protocol error... send abort */
152 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
153 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
156 *abort_no_unlock = 1;
159 if (init->num_outbound_streams == 0) {
160 /* protocol error... send abort */
161 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
162 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
165 *abort_no_unlock = 1;
168 init_limit = offset + ntohs(cp->ch.chunk_length);
169 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp),
171 /* auth parameter(s) error... send abort */
172 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id, port);
174 *abort_no_unlock = 1;
177 /* send an INIT-ACK w/cookie */
178 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n");
179 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id, port,
180 ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED));
183 SCTP_INP_RUNLOCK(inp);
188 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error
192 sctp_is_there_unsent_data(struct sctp_tcb *stcb)
195 struct sctp_stream_queue_pending *sp;
196 struct sctp_stream_out *strq;
197 struct sctp_association *asoc;
200 * This function returns the number of streams that have true unsent
201 * data on them. Note that as it looks through it will clean up any
202 * places that have old data that has been sent but left at top of
206 SCTP_TCB_SEND_LOCK(stcb);
207 if (!TAILQ_EMPTY(&asoc->out_wheel)) {
208 /* Check to see if some data queued */
209 TAILQ_FOREACH(strq, &asoc->out_wheel, next_spoke) {
211 /* sa_ignore FREED_MEMORY */
212 sp = TAILQ_FIRST(&strq->outqueue);
216 if ((sp->msg_is_complete) &&
218 (sp->sender_all_done)) {
220 * We are doing differed cleanup. Last time
221 * through when we took all the data the
222 * sender_all_done was not set.
224 if (sp->put_last_out == 0) {
225 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
226 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
232 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
233 TAILQ_REMOVE(&strq->outqueue, sp, next);
234 sctp_free_remote_addr(sp->net);
236 sctp_m_freem(sp->data);
239 sctp_free_a_strmoq(stcb, sp);
240 goto is_there_another;
247 SCTP_TCB_SEND_UNLOCK(stcb);
248 return (unsent_data);
252 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb,
253 struct sctp_nets *net)
255 struct sctp_init *init;
256 struct sctp_association *asoc;
257 struct sctp_nets *lnet;
262 /* save off parameters */
263 asoc->peer_vtag = ntohl(init->initiate_tag);
264 asoc->peers_rwnd = ntohl(init->a_rwnd);
265 if (TAILQ_FIRST(&asoc->nets)) {
266 /* update any ssthresh's that may have a default */
267 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
268 lnet->ssthresh = asoc->peers_rwnd;
270 if (sctp_logging_level & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) {
271 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION);
275 SCTP_TCB_SEND_LOCK(stcb);
276 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
278 struct sctp_stream_out *outs;
279 struct sctp_stream_queue_pending *sp;
281 /* cut back on number of streams */
282 newcnt = ntohs(init->num_inbound_streams);
283 /* This if is probably not needed but I am cautious */
285 /* First make sure no data chunks are trapped */
286 for (i = newcnt; i < asoc->pre_open_streams; i++) {
287 outs = &asoc->strmout[i];
288 sp = TAILQ_FIRST(&outs->outqueue);
290 TAILQ_REMOVE(&outs->outqueue, sp,
292 asoc->stream_queue_cnt--;
293 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL,
294 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT,
295 sp, SCTP_SO_NOT_LOCKED);
297 sctp_m_freem(sp->data);
300 sctp_free_remote_addr(sp->net);
303 SCTP_PRINTF("sp:%p tcb:%p weird free case\n",
306 sctp_free_a_strmoq(stcb, sp);
307 /* sa_ignore FREED_MEMORY */
308 sp = TAILQ_FIRST(&outs->outqueue);
312 /* cut back the count and abandon the upper streams */
313 asoc->pre_open_streams = newcnt;
315 SCTP_TCB_SEND_UNLOCK(stcb);
316 asoc->streamoutcnt = asoc->pre_open_streams;
318 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
319 if (sctp_logging_level & SCTP_MAP_LOGGING_ENABLE) {
320 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
322 /* This is the next one we expect */
323 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
325 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
326 asoc->cumulative_tsn = asoc->asconf_seq_in;
327 asoc->last_echo_tsn = asoc->asconf_seq_in;
328 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
329 /* open the requested streams */
331 if (asoc->strmin != NULL) {
332 /* Free the old ones */
333 struct sctp_queued_to_read *ctl;
335 for (i = 0; i < asoc->streamincnt; i++) {
336 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
338 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next);
339 sctp_free_remote_addr(ctl->whoFrom);
341 sctp_m_freem(ctl->data);
343 sctp_free_a_readq(stcb, ctl);
344 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
347 SCTP_FREE(asoc->strmin, SCTP_M_STRMI);
349 asoc->streamincnt = ntohs(init->num_outbound_streams);
350 if (asoc->streamincnt > MAX_SCTP_STREAMS) {
351 asoc->streamincnt = MAX_SCTP_STREAMS;
353 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt *
354 sizeof(struct sctp_stream_in), SCTP_M_STRMI);
355 if (asoc->strmin == NULL) {
356 /* we didn't get memory for the streams! */
357 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n");
360 for (i = 0; i < asoc->streamincnt; i++) {
361 asoc->strmin[i].stream_no = i;
362 asoc->strmin[i].last_sequence_delivered = 0xffff;
364 * U-stream ranges will be set when the cookie is unpacked.
365 * Or for the INIT sender they are un set (if pr-sctp not
366 * supported) when the INIT-ACK arrives.
368 TAILQ_INIT(&asoc->strmin[i].inqueue);
369 asoc->strmin[i].delivery_started = 0;
372 * load_address_from_init will put the addresses into the
373 * association when the COOKIE is processed or the INIT-ACK is
374 * processed. Both types of COOKIE's existing and new call this
375 * routine. It will remove addresses that are no longer in the
376 * association (for the restarting case where addresses are
377 * removed). Up front when the INIT arrives we will discard it if it
378 * is a restart and new addresses have been added.
380 /* sa_ignore MEMLEAK */
385 * INIT-ACK message processing/consumption returns value < 0 on error
388 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
389 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
390 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id)
392 struct sctp_association *asoc;
394 int retval, abort_flag;
395 uint32_t initack_limit;
397 /* First verify that we have no illegal param's */
401 op_err = sctp_arethere_unrecognized_parameters(m,
402 (offset + sizeof(struct sctp_init_chunk)),
403 &abort_flag, (struct sctp_chunkhdr *)cp);
405 /* Send an abort and notify peer */
406 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err, SCTP_SO_NOT_LOCKED);
407 *abort_no_unlock = 1;
411 /* process the peer's parameters in the INIT-ACK */
412 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net);
416 initack_limit = offset + ntohs(cp->ch.chunk_length);
417 /* load all addresses */
418 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen,
419 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh,
421 /* Huh, we should abort */
422 SCTPDBG(SCTP_DEBUG_INPUT1,
423 "Load addresses from INIT causes an abort %d\n",
425 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
427 *abort_no_unlock = 1;
430 /* if the peer doesn't support asconf, flush the asconf queue */
431 if (asoc->peer_supports_asconf == 0) {
432 struct sctp_asconf_addr *aparam;
434 while (!TAILQ_EMPTY(&asoc->asconf_queue)) {
435 /* sa_ignore FREED_MEMORY */
436 aparam = TAILQ_FIRST(&asoc->asconf_queue);
437 TAILQ_REMOVE(&asoc->asconf_queue, aparam, next);
438 SCTP_FREE(aparam, SCTP_M_ASC_ADDR);
441 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs,
442 stcb->asoc.local_hmacs);
444 sctp_queue_op_err(stcb, op_err);
445 /* queuing will steal away the mbuf chain to the out queue */
448 /* extract the cookie and queue it to "echo" it back... */
449 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
450 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
451 stcb->asoc.overall_error_count,
453 SCTP_FROM_SCTP_INPUT,
456 stcb->asoc.overall_error_count = 0;
457 net->error_count = 0;
460 * Cancel the INIT timer, We do this first before queueing the
461 * cookie. We always cancel at the primary to assue that we are
462 * canceling the timer started by the INIT which always goes to the
465 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
466 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4);
468 /* calculate the RTO */
469 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy);
471 retval = sctp_send_cookie_echo(m, offset, stcb, net);
474 * No cookie, we probably should send a op error. But in any
475 * case if there is no cookie in the INIT-ACK, we can
476 * abandon the peer, its broke.
479 /* We abort with an error of missing mandatory param */
481 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM);
484 * Expand beyond to include the mandatory
487 struct sctp_inv_mandatory_param *mp;
489 SCTP_BUF_LEN(op_err) =
490 sizeof(struct sctp_inv_mandatory_param);
492 struct sctp_inv_mandatory_param *);
493 /* Subtract the reserved param */
495 htons(sizeof(struct sctp_inv_mandatory_param) - 2);
496 mp->num_param = htonl(1);
497 mp->param = htons(SCTP_STATE_COOKIE);
500 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
501 sh, op_err, 0, net->port);
502 *abort_no_unlock = 1;
510 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
511 struct sctp_tcb *stcb, struct sctp_nets *net)
513 struct sockaddr_storage store;
514 struct sockaddr_in *sin;
515 struct sockaddr_in6 *sin6;
516 struct sctp_nets *r_net;
520 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
524 sin = (struct sockaddr_in *)&store;
525 sin6 = (struct sockaddr_in6 *)&store;
527 memset(&store, 0, sizeof(store));
528 if (cp->heartbeat.hb_info.addr_family == AF_INET &&
529 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
530 sin->sin_family = cp->heartbeat.hb_info.addr_family;
531 sin->sin_len = cp->heartbeat.hb_info.addr_len;
532 sin->sin_port = stcb->rport;
533 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address,
534 sizeof(sin->sin_addr));
535 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 &&
536 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
537 sin6->sin6_family = cp->heartbeat.hb_info.addr_family;
538 sin6->sin6_len = cp->heartbeat.hb_info.addr_len;
539 sin6->sin6_port = stcb->rport;
540 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address,
541 sizeof(sin6->sin6_addr));
545 r_net = sctp_findnet(stcb, (struct sockaddr *)sin);
547 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n");
550 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
551 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
552 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
554 * If the its a HB and it's random value is correct when can
555 * confirm the destination.
557 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
558 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) {
559 stcb->asoc.primary_destination = r_net;
560 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY;
561 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY;
562 r_net = TAILQ_FIRST(&stcb->asoc.nets);
563 if (r_net != stcb->asoc.primary_destination) {
565 * first one on the list is NOT the primary
566 * sctp_cmpaddr() is much more efficent if
567 * the primary is the first on the list,
570 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
571 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
575 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
576 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
578 r_net->error_count = 0;
579 r_net->hb_responded = 1;
580 tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
581 tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
582 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) {
583 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE;
584 r_net->dest_state |= SCTP_ADDR_REACHABLE;
585 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
586 SCTP_HEARTBEAT_SUCCESS, (void *)r_net, SCTP_SO_NOT_LOCKED);
587 /* now was it the primary? if so restore */
588 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) {
589 (void)sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net);
593 * JRS 5/14/07 - If CMT PF is on and the destination is in PF state,
594 * set the destination to active state and set the cwnd to one or
595 * two MTU's based on whether PF1 or PF2 is being used. If a T3
596 * timer is running, for the destination, stop the timer because a
597 * PF-heartbeat was received.
599 if (sctp_cmt_on_off && sctp_cmt_pf && (net->dest_state & SCTP_ADDR_PF) ==
601 if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
602 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
604 SCTP_FROM_SCTP_INPUT + SCTP_LOC_5);
606 net->dest_state &= ~SCTP_ADDR_PF;
607 net->cwnd = net->mtu * sctp_cmt_pf;
608 SCTPDBG(SCTP_DEBUG_INPUT1, "Destination %p moved from PF to reachable with cwnd %d.\n",
611 /* Now lets do a RTO with this */
612 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy);
613 /* Mobility adaptation */
615 if ((sctp_is_mobility_feature_on(stcb->sctp_ep,
616 SCTP_MOBILITY_BASE) ||
617 sctp_is_mobility_feature_on(stcb->sctp_ep,
618 SCTP_MOBILITY_FASTHANDOFF)) &&
619 sctp_is_mobility_feature_on(stcb->sctp_ep,
620 SCTP_MOBILITY_PRIM_DELETED)) {
622 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_TIMER + SCTP_LOC_7);
623 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
624 SCTP_MOBILITY_FASTHANDOFF)) {
625 sctp_assoc_immediate_retrans(stcb,
626 stcb->asoc.primary_destination);
628 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
629 SCTP_MOBILITY_BASE)) {
630 sctp_move_chunks_from_deleted_prim(stcb,
631 stcb->asoc.primary_destination);
633 sctp_delete_prim_timer(stcb->sctp_ep, stcb,
634 stcb->asoc.deleted_primary);
640 sctp_handle_abort(struct sctp_abort_chunk *cp,
641 struct sctp_tcb *stcb, struct sctp_nets *net)
643 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
648 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n");
652 /* stop any receive timers */
653 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
654 /* notify user of the abort and clean up... */
655 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED);
657 #if defined(SCTP_PANIC_ON_ABORT)
658 printf("stcb:%p state:%d rport:%d net:%p\n",
659 stcb, stcb->asoc.state, stcb->rport, net);
660 if (!(stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
661 panic("Received an ABORT");
663 printf("No panic its in state %x closed\n", stcb->asoc.state);
666 SCTP_STAT_INCR_COUNTER32(sctps_aborted);
667 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) ||
668 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
669 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
671 #ifdef SCTP_ASOCLOG_OF_TSNS
672 sctp_print_out_track_log(stcb);
674 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
675 so = SCTP_INP_SO(stcb->sctp_ep);
676 atomic_add_int(&stcb->asoc.refcnt, 1);
677 SCTP_TCB_UNLOCK(stcb);
678 SCTP_SOCKET_LOCK(so, 1);
680 atomic_subtract_int(&stcb->asoc.refcnt, 1);
682 stcb->asoc.state |= SCTP_STATE_WAS_ABORTED;
683 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
684 SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
685 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
686 SCTP_SOCKET_UNLOCK(so, 1);
688 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n");
692 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
693 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
695 struct sctp_association *asoc;
696 int some_on_streamwheel;
698 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
703 SCTPDBG(SCTP_DEBUG_INPUT2,
704 "sctp_handle_shutdown: handling SHUTDOWN\n");
708 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
709 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
712 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
713 /* Shutdown NOT the expected size */
716 sctp_update_acked(stcb, cp, net, abort_flag);
718 if (asoc->control_pdapi) {
720 * With a normal shutdown we assume the end of last record.
722 SCTP_INP_READ_LOCK(stcb->sctp_ep);
723 asoc->control_pdapi->end_added = 1;
724 asoc->control_pdapi->pdapi_aborted = 1;
725 asoc->control_pdapi = NULL;
726 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
727 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
728 so = SCTP_INP_SO(stcb->sctp_ep);
729 atomic_add_int(&stcb->asoc.refcnt, 1);
730 SCTP_TCB_UNLOCK(stcb);
731 SCTP_SOCKET_LOCK(so, 1);
733 atomic_subtract_int(&stcb->asoc.refcnt, 1);
734 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
735 /* assoc was freed while we were unlocked */
736 SCTP_SOCKET_UNLOCK(so, 1);
740 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
741 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
742 SCTP_SOCKET_UNLOCK(so, 1);
745 /* goto SHUTDOWN_RECEIVED state to block new requests */
746 if (stcb->sctp_socket) {
747 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
748 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) &&
749 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
750 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED);
751 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
753 * notify upper layer that peer has initiated a
756 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
759 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
762 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
764 * stop the shutdown timer, since we WILL move to
767 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8);
769 /* Now is there unsent data on a stream somewhere? */
770 some_on_streamwheel = sctp_is_there_unsent_data(stcb);
772 if (!TAILQ_EMPTY(&asoc->send_queue) ||
773 !TAILQ_EMPTY(&asoc->sent_queue) ||
774 some_on_streamwheel) {
775 /* By returning we will push more data out */
778 /* no outstanding data to send, so move on... */
779 /* send SHUTDOWN-ACK */
780 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
781 /* move to SHUTDOWN-ACK-SENT state */
782 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
783 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
784 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
786 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
787 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
788 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net,
789 SCTP_FROM_SCTP_INPUT + SCTP_LOC_7);
790 /* start SHUTDOWN timer */
791 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep,
797 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp,
798 struct sctp_tcb *stcb, struct sctp_nets *net)
800 struct sctp_association *asoc;
802 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
805 so = SCTP_INP_SO(stcb->sctp_ep);
807 SCTPDBG(SCTP_DEBUG_INPUT2,
808 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
813 /* process according to association state */
814 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
815 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
816 /* unexpected SHUTDOWN-ACK... so ignore... */
817 SCTP_TCB_UNLOCK(stcb);
820 if (asoc->control_pdapi) {
822 * With a normal shutdown we assume the end of last record.
824 SCTP_INP_READ_LOCK(stcb->sctp_ep);
825 asoc->control_pdapi->end_added = 1;
826 asoc->control_pdapi->pdapi_aborted = 1;
827 asoc->control_pdapi = NULL;
828 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
829 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
830 atomic_add_int(&stcb->asoc.refcnt, 1);
831 SCTP_TCB_UNLOCK(stcb);
832 SCTP_SOCKET_LOCK(so, 1);
834 atomic_subtract_int(&stcb->asoc.refcnt, 1);
835 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
836 /* assoc was freed while we were unlocked */
837 SCTP_SOCKET_UNLOCK(so, 1);
841 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
842 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
843 SCTP_SOCKET_UNLOCK(so, 1);
846 /* are the queues empty? */
847 if (!TAILQ_EMPTY(&asoc->send_queue) ||
848 !TAILQ_EMPTY(&asoc->sent_queue) ||
849 !TAILQ_EMPTY(&asoc->out_wheel)) {
850 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED);
853 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9);
854 /* send SHUTDOWN-COMPLETE */
855 sctp_send_shutdown_complete(stcb, net);
856 /* notify upper layer protocol */
857 if (stcb->sctp_socket) {
858 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
859 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
860 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
861 /* Set the connected flag to disconnected */
862 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0;
865 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
866 /* free the TCB but first save off the ep */
867 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
868 atomic_add_int(&stcb->asoc.refcnt, 1);
869 SCTP_TCB_UNLOCK(stcb);
870 SCTP_SOCKET_LOCK(so, 1);
872 atomic_subtract_int(&stcb->asoc.refcnt, 1);
874 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
875 SCTP_FROM_SCTP_INPUT + SCTP_LOC_10);
876 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
877 SCTP_SOCKET_UNLOCK(so, 1);
882 * Skip past the param header and then we will find the chunk that caused the
883 * problem. There are two possiblities ASCONF or FWD-TSN other than that and
884 * our peer must be broken.
887 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
888 struct sctp_nets *net)
890 struct sctp_chunkhdr *chk;
892 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr));
893 switch (chk->chunk_type) {
894 case SCTP_ASCONF_ACK:
896 sctp_asconf_cleanup(stcb, net);
898 case SCTP_FORWARD_CUM_TSN:
899 stcb->asoc.peer_supports_prsctp = 0;
902 SCTPDBG(SCTP_DEBUG_INPUT2,
903 "Peer does not support chunk type %d(%x)??\n",
904 chk->chunk_type, (uint32_t) chk->chunk_type);
910 * Skip past the param header and then we will find the param that caused the
911 * problem. There are a number of param's in a ASCONF OR the prsctp param
912 * these will turn of specific features.
915 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
917 struct sctp_paramhdr *pbad;
920 switch (ntohs(pbad->param_type)) {
922 case SCTP_PRSCTP_SUPPORTED:
923 stcb->asoc.peer_supports_prsctp = 0;
925 case SCTP_SUPPORTED_CHUNK_EXT:
927 /* draft-ietf-tsvwg-addip-sctp */
928 case SCTP_ECN_NONCE_SUPPORTED:
929 stcb->asoc.peer_supports_ecn_nonce = 0;
930 stcb->asoc.ecn_nonce_allowed = 0;
931 stcb->asoc.ecn_allowed = 0;
933 case SCTP_ADD_IP_ADDRESS:
934 case SCTP_DEL_IP_ADDRESS:
935 case SCTP_SET_PRIM_ADDR:
936 stcb->asoc.peer_supports_asconf = 0;
938 case SCTP_SUCCESS_REPORT:
939 case SCTP_ERROR_CAUSE_IND:
940 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n");
941 SCTPDBG(SCTP_DEBUG_INPUT2,
942 "Turning off ASCONF to this strange peer\n");
943 stcb->asoc.peer_supports_asconf = 0;
946 SCTPDBG(SCTP_DEBUG_INPUT2,
947 "Peer does not support param type %d(%x)??\n",
948 pbad->param_type, (uint32_t) pbad->param_type);
954 sctp_handle_error(struct sctp_chunkhdr *ch,
955 struct sctp_tcb *stcb, struct sctp_nets *net)
958 struct sctp_paramhdr *phdr;
961 struct sctp_association *asoc;
964 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
969 /* parse through all of the errors and process */
971 phdr = (struct sctp_paramhdr *)((caddr_t)ch +
972 sizeof(struct sctp_chunkhdr));
973 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr);
974 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) {
975 /* Process an Error Cause */
976 error_type = ntohs(phdr->param_type);
977 error_len = ntohs(phdr->param_length);
978 if ((error_len > chklen) || (error_len == 0)) {
979 /* invalid param length for this param */
980 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n",
984 switch (error_type) {
985 case SCTP_CAUSE_INVALID_STREAM:
986 case SCTP_CAUSE_MISSING_PARAM:
987 case SCTP_CAUSE_INVALID_PARAM:
988 case SCTP_CAUSE_NO_USER_DATA:
989 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n",
992 case SCTP_CAUSE_STALE_COOKIE:
994 * We only act if we have echoed a cookie and are
997 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
1000 p = (int *)((caddr_t)phdr + sizeof(*phdr));
1001 /* Save the time doubled */
1002 asoc->cookie_preserve_req = ntohl(*p) << 1;
1003 asoc->stale_cookie_count++;
1004 if (asoc->stale_cookie_count >
1005 asoc->max_init_times) {
1006 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED);
1007 /* now free the asoc */
1008 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1009 so = SCTP_INP_SO(stcb->sctp_ep);
1010 atomic_add_int(&stcb->asoc.refcnt, 1);
1011 SCTP_TCB_UNLOCK(stcb);
1012 SCTP_SOCKET_LOCK(so, 1);
1013 SCTP_TCB_LOCK(stcb);
1014 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1016 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
1017 SCTP_FROM_SCTP_INPUT + SCTP_LOC_11);
1018 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1019 SCTP_SOCKET_UNLOCK(so, 1);
1023 /* blast back to INIT state */
1024 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
1025 asoc->state |= SCTP_STATE_COOKIE_WAIT;
1027 sctp_stop_all_cookie_timers(stcb);
1028 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
1031 case SCTP_CAUSE_UNRESOLVABLE_ADDR:
1033 * Nothing we can do here, we don't do hostname
1034 * addresses so if the peer does not like my IPv6
1035 * (or IPv4 for that matter) it does not matter. If
1036 * they don't support that type of address, they can
1037 * NOT possibly get that packet type... i.e. with no
1038 * IPv6 you can't recieve a IPv6 packet. so we can
1039 * safely ignore this one. If we ever added support
1040 * for HOSTNAME Addresses, then we would need to do
1044 case SCTP_CAUSE_UNRECOG_CHUNK:
1045 sctp_process_unrecog_chunk(stcb, phdr, net);
1047 case SCTP_CAUSE_UNRECOG_PARAM:
1048 sctp_process_unrecog_param(stcb, phdr);
1050 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
1052 * We ignore this since the timer will drive out a
1053 * new cookie anyway and there timer will drive us
1054 * to send a SHUTDOWN_COMPLETE. We can't send one
1055 * here since we don't have their tag.
1058 case SCTP_CAUSE_DELETING_LAST_ADDR:
1059 case SCTP_CAUSE_RESOURCE_SHORTAGE:
1060 case SCTP_CAUSE_DELETING_SRC_ADDR:
1062 * We should NOT get these here, but in a
1065 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n",
1068 case SCTP_CAUSE_OUT_OF_RESC:
1070 * And what, pray tell do we do with the fact that
1071 * the peer is out of resources? Not really sure we
1072 * could do anything but abort. I suspect this
1073 * should have came WITH an abort instead of in a
1078 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n",
1082 adjust = SCTP_SIZE32(error_len);
1084 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust);
1090 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
1091 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
1092 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id)
1094 struct sctp_init_ack *init_ack;
1095 struct mbuf *op_err;
1097 SCTPDBG(SCTP_DEBUG_INPUT2,
1098 "sctp_handle_init_ack: handling INIT-ACK\n");
1101 SCTPDBG(SCTP_DEBUG_INPUT2,
1102 "sctp_handle_init_ack: TCB is null\n");
1105 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
1106 /* Invalid length */
1107 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1108 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1109 op_err, 0, net->port);
1110 *abort_no_unlock = 1;
1113 init_ack = &cp->init;
1114 /* validate parameters */
1115 if (init_ack->initiate_tag == 0) {
1116 /* protocol error... send an abort */
1117 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1118 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1119 op_err, 0, net->port);
1120 *abort_no_unlock = 1;
1123 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) {
1124 /* protocol error... send an abort */
1125 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1126 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1127 op_err, 0, net->port);
1128 *abort_no_unlock = 1;
1131 if (init_ack->num_inbound_streams == 0) {
1132 /* protocol error... send an abort */
1133 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1134 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1135 op_err, 0, net->port);
1136 *abort_no_unlock = 1;
1139 if (init_ack->num_outbound_streams == 0) {
1140 /* protocol error... send an abort */
1141 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1142 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1143 op_err, 0, net->port);
1144 *abort_no_unlock = 1;
1147 /* process according to association state... */
1148 switch (stcb->asoc.state & SCTP_STATE_MASK) {
1149 case SCTP_STATE_COOKIE_WAIT:
1150 /* this is the expected state for this chunk */
1151 /* process the INIT-ACK parameters */
1152 if (stcb->asoc.primary_destination->dest_state &
1153 SCTP_ADDR_UNCONFIRMED) {
1155 * The primary is where we sent the INIT, we can
1156 * always consider it confirmed when the INIT-ACK is
1157 * returned. Do this before we load addresses
1160 stcb->asoc.primary_destination->dest_state &=
1161 ~SCTP_ADDR_UNCONFIRMED;
1162 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
1163 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED);
1165 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb,
1166 net, abort_no_unlock, vrf_id) < 0) {
1167 /* error in parsing parameters */
1170 /* update our state */
1171 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n");
1172 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED);
1174 /* reset the RTO calc */
1175 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
1176 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
1177 stcb->asoc.overall_error_count,
1179 SCTP_FROM_SCTP_INPUT,
1182 stcb->asoc.overall_error_count = 0;
1183 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
1185 * collapse the init timer back in case of a exponential
1188 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
1191 * the send at the end of the inbound data processing will
1192 * cause the cookie to be sent
1195 case SCTP_STATE_SHUTDOWN_SENT:
1196 /* incorrect state... discard */
1198 case SCTP_STATE_COOKIE_ECHOED:
1199 /* incorrect state... discard */
1201 case SCTP_STATE_OPEN:
1202 /* incorrect state... discard */
1204 case SCTP_STATE_EMPTY:
1205 case SCTP_STATE_INUSE:
1207 /* incorrect state... discard */
1211 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
1217 * handle a state cookie for an existing association m: input packet mbuf
1218 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a
1219 * "split" mbuf and the cookie signature does not exist offset: offset into
1220 * mbuf to the cookie-echo chunk
1222 static struct sctp_tcb *
1223 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
1224 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1225 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
1226 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id,
1229 struct sctp_association *asoc;
1230 struct sctp_init_chunk *init_cp, init_buf;
1231 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1233 int init_offset, initack_offset, i;
1238 /* I know that the TCB is non-NULL from the caller */
1240 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) {
1241 if (asoc->cookie_how[how_indx] == 0)
1244 if (how_indx < sizeof(asoc->cookie_how)) {
1245 asoc->cookie_how[how_indx] = 1;
1247 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
1248 /* SHUTDOWN came in after sending INIT-ACK */
1249 struct mbuf *op_err;
1250 struct sctp_paramhdr *ph;
1252 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
1253 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
1254 0, M_DONTWAIT, 1, MT_DATA);
1255 if (op_err == NULL) {
1259 /* pre-reserve some space */
1261 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
1263 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
1265 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
1266 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
1268 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr);
1269 ph = mtod(op_err, struct sctp_paramhdr *);
1270 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN);
1271 ph->param_length = htons(sizeof(struct sctp_paramhdr));
1272 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag,
1274 if (how_indx < sizeof(asoc->cookie_how))
1275 asoc->cookie_how[how_indx] = 2;
1279 * find and validate the INIT chunk in the cookie (peer's info) the
1280 * INIT should start after the cookie-echo header struct (chunk
1281 * header, state cookie header struct)
1283 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
1285 init_cp = (struct sctp_init_chunk *)
1286 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1287 (uint8_t *) & init_buf);
1288 if (init_cp == NULL) {
1289 /* could not pull a INIT chunk in cookie */
1292 chk_length = ntohs(init_cp->ch.chunk_length);
1293 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1297 * find and validate the INIT-ACK chunk in the cookie (my info) the
1298 * INIT-ACK follows the INIT chunk
1300 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1301 initack_cp = (struct sctp_init_ack_chunk *)
1302 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1303 (uint8_t *) & initack_buf);
1304 if (initack_cp == NULL) {
1305 /* could not pull INIT-ACK chunk in cookie */
1308 chk_length = ntohs(initack_cp->ch.chunk_length);
1309 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1312 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1313 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
1315 * case D in Section 5.2.4 Table 2: MMAA process accordingly
1316 * to get into the OPEN state
1318 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1320 * Opps, this means that we somehow generated two vtag's
1321 * the same. I.e. we did:
1323 * <---INIT(tag=a)------
1324 * ----INIT-ACK(tag=t)-->
1325 * ----INIT(tag=t)------> *1
1326 * <---INIT-ACK(tag=a)---
1327 * <----CE(tag=t)------------- *2
1329 * At point *1 we should be generating a different
1330 * tag t'. Which means we would throw away the CE and send
1331 * ours instead. Basically this is case C (throw away side).
1333 if (how_indx < sizeof(asoc->cookie_how))
1334 asoc->cookie_how[how_indx] = 17;
1338 switch SCTP_GET_STATE
1340 case SCTP_STATE_COOKIE_WAIT:
1341 case SCTP_STATE_COOKIE_ECHOED:
1343 * INIT was sent but got a COOKIE_ECHO with the
1344 * correct tags... just accept it...but we must
1345 * process the init so that we can make sure we have
1346 * the right seq no's.
1348 /* First we must process the INIT !! */
1349 retval = sctp_process_init(init_cp, stcb, net);
1351 if (how_indx < sizeof(asoc->cookie_how))
1352 asoc->cookie_how[how_indx] = 3;
1355 /* we have already processed the INIT so no problem */
1356 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1357 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12);
1358 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13);
1359 /* update current state */
1360 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
1361 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1363 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1365 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1366 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1367 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1368 stcb->sctp_ep, stcb, asoc->primary_destination);
1370 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1371 sctp_stop_all_cookie_timers(stcb);
1372 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1373 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1374 (inp->sctp_socket->so_qlimit == 0)
1376 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1381 * Here is where collision would go if we
1382 * did a connect() and instead got a
1383 * init/init-ack/cookie done before the
1384 * init-ack came back..
1386 stcb->sctp_ep->sctp_flags |=
1387 SCTP_PCB_FLAGS_CONNECTED;
1388 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1389 so = SCTP_INP_SO(stcb->sctp_ep);
1390 atomic_add_int(&stcb->asoc.refcnt, 1);
1391 SCTP_TCB_UNLOCK(stcb);
1392 SCTP_SOCKET_LOCK(so, 1);
1393 SCTP_TCB_LOCK(stcb);
1394 atomic_add_int(&stcb->asoc.refcnt, -1);
1395 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1396 SCTP_SOCKET_UNLOCK(so, 1);
1400 soisconnected(stcb->sctp_socket);
1401 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1402 SCTP_SOCKET_UNLOCK(so, 1);
1405 /* notify upper layer */
1406 *notification = SCTP_NOTIFY_ASSOC_UP;
1408 * since we did not send a HB make sure we don't
1411 net->hb_responded = 1;
1412 net->RTO = sctp_calculate_rto(stcb, asoc, net,
1413 &cookie->time_entered, sctp_align_unsafe_makecopy);
1415 if (stcb->asoc.sctp_autoclose_ticks &&
1416 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) {
1417 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
1423 * we're in the OPEN state (or beyond), so peer must
1424 * have simply lost the COOKIE-ACK
1428 sctp_stop_all_cookie_timers(stcb);
1430 * We ignore the return code here.. not sure if we should
1431 * somehow abort.. but we do have an existing asoc. This
1432 * really should not fail.
1434 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1435 init_offset + sizeof(struct sctp_init_chunk),
1436 initack_offset, sh, init_src)) {
1437 if (how_indx < sizeof(asoc->cookie_how))
1438 asoc->cookie_how[how_indx] = 4;
1441 /* respond with a COOKIE-ACK */
1442 sctp_toss_old_cookies(stcb, asoc);
1443 sctp_send_cookie_ack(stcb);
1444 if (how_indx < sizeof(asoc->cookie_how))
1445 asoc->cookie_how[how_indx] = 5;
1448 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1449 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
1450 cookie->tie_tag_my_vtag == 0 &&
1451 cookie->tie_tag_peer_vtag == 0) {
1453 * case C in Section 5.2.4 Table 2: XMOO silently discard
1455 if (how_indx < sizeof(asoc->cookie_how))
1456 asoc->cookie_how[how_indx] = 6;
1459 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag &&
1460 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag ||
1461 init_cp->init.initiate_tag == 0)) {
1463 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info
1464 * should be ok, re-accept peer info
1466 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1468 * Extension of case C. If we hit this, then the
1469 * random number generator returned the same vtag
1470 * when we first sent our INIT-ACK and when we later
1471 * sent our INIT. The side with the seq numbers that
1472 * are different will be the one that normnally
1473 * would have hit case C. This in effect "extends"
1474 * our vtags in this collision case to be 64 bits.
1475 * The same collision could occur aka you get both
1476 * vtag and seq number the same twice in a row.. but
1477 * is much less likely. If it did happen then we
1478 * would proceed through and bring up the assoc.. we
1479 * may end up with the wrong stream setup however..
1480 * which would be bad.. but there is no way to
1481 * tell.. until we send on a stream that does not
1484 if (how_indx < sizeof(asoc->cookie_how))
1485 asoc->cookie_how[how_indx] = 7;
1489 if (how_indx < sizeof(asoc->cookie_how))
1490 asoc->cookie_how[how_indx] = 8;
1491 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14);
1492 sctp_stop_all_cookie_timers(stcb);
1494 * since we did not send a HB make sure we don't double
1497 net->hb_responded = 1;
1498 if (stcb->asoc.sctp_autoclose_ticks &&
1499 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
1500 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
1503 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1504 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
1506 /* Note last_cwr_tsn? where is this used? */
1507 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1508 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
1510 * Ok the peer probably discarded our data (if we
1511 * echoed a cookie+data). So anything on the
1512 * sent_queue should be marked for retransmit, we
1513 * may not get something to kick us so it COULD
1514 * still take a timeout to move these.. but it can't
1515 * hurt to mark them.
1517 struct sctp_tmit_chunk *chk;
1519 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
1520 if (chk->sent < SCTP_DATAGRAM_RESEND) {
1521 chk->sent = SCTP_DATAGRAM_RESEND;
1522 sctp_flight_size_decrease(chk);
1523 sctp_total_flight_decrease(stcb, chk);
1524 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
1530 /* process the INIT info (peer's info) */
1531 retval = sctp_process_init(init_cp, stcb, net);
1533 if (how_indx < sizeof(asoc->cookie_how))
1534 asoc->cookie_how[how_indx] = 9;
1537 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1538 init_offset + sizeof(struct sctp_init_chunk),
1539 initack_offset, sh, init_src)) {
1540 if (how_indx < sizeof(asoc->cookie_how))
1541 asoc->cookie_how[how_indx] = 10;
1544 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
1545 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
1546 *notification = SCTP_NOTIFY_ASSOC_UP;
1548 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1549 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1550 (inp->sctp_socket->so_qlimit == 0)) {
1551 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1555 stcb->sctp_ep->sctp_flags |=
1556 SCTP_PCB_FLAGS_CONNECTED;
1557 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1558 so = SCTP_INP_SO(stcb->sctp_ep);
1559 atomic_add_int(&stcb->asoc.refcnt, 1);
1560 SCTP_TCB_UNLOCK(stcb);
1561 SCTP_SOCKET_LOCK(so, 1);
1562 SCTP_TCB_LOCK(stcb);
1563 atomic_add_int(&stcb->asoc.refcnt, -1);
1564 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1565 SCTP_SOCKET_UNLOCK(so, 1);
1569 soisconnected(stcb->sctp_socket);
1570 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1571 SCTP_SOCKET_UNLOCK(so, 1);
1574 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
1575 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1577 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1578 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1579 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
1580 SCTP_STAT_INCR_COUNTER32(sctps_restartestab);
1582 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1584 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1585 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1586 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1587 stcb->sctp_ep, stcb, asoc->primary_destination);
1589 sctp_stop_all_cookie_timers(stcb);
1590 sctp_toss_old_cookies(stcb, asoc);
1591 sctp_send_cookie_ack(stcb);
1594 * only if we have retrans set do we do this. What
1595 * this call does is get only the COOKIE-ACK out and
1596 * then when we return the normal call to
1597 * sctp_chunk_output will get the retrans out behind
1600 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED);
1602 if (how_indx < sizeof(asoc->cookie_how))
1603 asoc->cookie_how[how_indx] = 11;
1607 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1608 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
1609 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
1610 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
1611 cookie->tie_tag_peer_vtag != 0) {
1612 struct sctpasochead *head;
1615 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
1618 if (how_indx < sizeof(asoc->cookie_how))
1619 asoc->cookie_how[how_indx] = 12;
1620 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15);
1621 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
1623 *sac_assoc_id = sctp_get_associd(stcb);
1624 /* notify upper layer */
1625 *notification = SCTP_NOTIFY_ASSOC_RESTART;
1626 atomic_add_int(&stcb->asoc.refcnt, 1);
1627 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) &&
1628 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
1629 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
1630 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1632 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
1633 SCTP_STAT_INCR_GAUGE32(sctps_restartestab);
1634 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) {
1635 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab);
1637 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1638 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1639 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1640 stcb->sctp_ep, stcb, asoc->primary_destination);
1642 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
1643 /* move to OPEN state, if not in SHUTDOWN_SENT */
1644 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1646 asoc->pre_open_streams =
1647 ntohs(initack_cp->init.num_outbound_streams);
1648 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1649 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1650 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
1652 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1653 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1655 asoc->str_reset_seq_in = asoc->init_seq_number;
1657 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1658 if (asoc->mapping_array) {
1659 memset(asoc->mapping_array, 0,
1660 asoc->mapping_array_size);
1662 SCTP_TCB_UNLOCK(stcb);
1663 SCTP_INP_INFO_WLOCK();
1664 SCTP_INP_WLOCK(stcb->sctp_ep);
1665 SCTP_TCB_LOCK(stcb);
1666 atomic_add_int(&stcb->asoc.refcnt, -1);
1667 /* send up all the data */
1668 SCTP_TCB_SEND_LOCK(stcb);
1670 sctp_report_all_outbound(stcb, 1, SCTP_SO_NOT_LOCKED);
1671 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
1672 stcb->asoc.strmout[i].stream_no = i;
1673 stcb->asoc.strmout[i].next_sequence_sent = 0;
1674 stcb->asoc.strmout[i].last_msg_incomplete = 0;
1676 /* process the INIT-ACK info (my info) */
1677 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1678 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1680 /* pull from vtag hash */
1681 LIST_REMOVE(stcb, sctp_asocs);
1682 /* re-insert to new vtag position */
1683 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag,
1684 sctppcbinfo.hashasocmark)];
1686 * put it in the bucket in the vtag hash of assoc's for the
1689 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
1691 /* Is this the first restart? */
1692 if (stcb->asoc.in_restart_hash == 0) {
1693 /* Ok add it to assoc_id vtag hash */
1694 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id,
1695 sctppcbinfo.hashrestartmark)];
1696 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash);
1697 stcb->asoc.in_restart_hash = 1;
1699 /* process the INIT info (peer's info) */
1700 SCTP_TCB_SEND_UNLOCK(stcb);
1701 SCTP_INP_WUNLOCK(stcb->sctp_ep);
1702 SCTP_INP_INFO_WUNLOCK();
1704 retval = sctp_process_init(init_cp, stcb, net);
1706 if (how_indx < sizeof(asoc->cookie_how))
1707 asoc->cookie_how[how_indx] = 13;
1712 * since we did not send a HB make sure we don't double
1715 net->hb_responded = 1;
1717 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1718 init_offset + sizeof(struct sctp_init_chunk),
1719 initack_offset, sh, init_src)) {
1720 if (how_indx < sizeof(asoc->cookie_how))
1721 asoc->cookie_how[how_indx] = 14;
1725 /* respond with a COOKIE-ACK */
1726 sctp_stop_all_cookie_timers(stcb);
1727 sctp_toss_old_cookies(stcb, asoc);
1728 sctp_send_cookie_ack(stcb);
1729 if (how_indx < sizeof(asoc->cookie_how))
1730 asoc->cookie_how[how_indx] = 15;
1734 if (how_indx < sizeof(asoc->cookie_how))
1735 asoc->cookie_how[how_indx] = 16;
1736 /* all other cases... */
1742 * handle a state cookie for a new association m: input packet mbuf chain--
1743 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf
1744 * and the cookie signature does not exist offset: offset into mbuf to the
1745 * cookie-echo chunk length: length of the cookie chunk to: where the init
1746 * was from returns a new TCB
1748 static struct sctp_tcb *
1749 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1750 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1751 struct sctp_inpcb *inp, struct sctp_nets **netp,
1752 struct sockaddr *init_src, int *notification,
1753 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1754 uint32_t vrf_id, uint16_t port)
1756 struct sctp_tcb *stcb;
1757 struct sctp_init_chunk *init_cp, init_buf;
1758 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1759 struct sockaddr_storage sa_store;
1760 struct sockaddr *initack_src = (struct sockaddr *)&sa_store;
1761 struct sockaddr_in *sin;
1762 struct sockaddr_in6 *sin6;
1763 struct sctp_association *asoc;
1765 int init_offset, initack_offset, initack_limit;
1769 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
1771 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1774 so = SCTP_INP_SO(inp);
1778 * find and validate the INIT chunk in the cookie (peer's info) the
1779 * INIT should start after the cookie-echo header struct (chunk
1780 * header, state cookie header struct)
1782 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
1783 init_cp = (struct sctp_init_chunk *)
1784 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1785 (uint8_t *) & init_buf);
1786 if (init_cp == NULL) {
1787 /* could not pull a INIT chunk in cookie */
1788 SCTPDBG(SCTP_DEBUG_INPUT1,
1789 "process_cookie_new: could not pull INIT chunk hdr\n");
1792 chk_length = ntohs(init_cp->ch.chunk_length);
1793 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1794 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n");
1797 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1799 * find and validate the INIT-ACK chunk in the cookie (my info) the
1800 * INIT-ACK follows the INIT chunk
1802 initack_cp = (struct sctp_init_ack_chunk *)
1803 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1804 (uint8_t *) & initack_buf);
1805 if (initack_cp == NULL) {
1806 /* could not pull INIT-ACK chunk in cookie */
1807 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n");
1810 chk_length = ntohs(initack_cp->ch.chunk_length);
1811 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1815 * NOTE: We can't use the INIT_ACK's chk_length to determine the
1816 * "initack_limit" value. This is because the chk_length field
1817 * includes the length of the cookie, but the cookie is omitted when
1818 * the INIT and INIT_ACK are tacked onto the cookie...
1820 initack_limit = offset + cookie_len;
1823 * now that we know the INIT/INIT-ACK are in place, create a new TCB
1828 * Here we do a trick, we set in NULL for the proc/thread argument.
1829 * We do this since in effect we only use the p argument when the
1830 * socket is unbound and we must do an implicit bind. Since we are
1831 * getting a cookie, we cannot be unbound.
1833 stcb = sctp_aloc_assoc(inp, init_src, 0, &error,
1834 ntohl(initack_cp->init.initiate_tag), vrf_id,
1835 (struct thread *)NULL
1838 struct mbuf *op_err;
1840 /* memory problem? */
1841 SCTPDBG(SCTP_DEBUG_INPUT1,
1842 "process_cookie_new: no room for another TCB!\n");
1843 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
1845 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
1846 sh, op_err, vrf_id, port);
1849 /* get the correct sctp_nets */
1851 *netp = sctp_findnet(stcb, init_src);
1854 /* get scope variables out of cookie */
1855 asoc->ipv4_local_scope = cookie->ipv4_scope;
1856 asoc->site_scope = cookie->site_scope;
1857 asoc->local_scope = cookie->local_scope;
1858 asoc->loopback_scope = cookie->loopback_scope;
1860 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) ||
1861 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) {
1862 struct mbuf *op_err;
1865 * Houston we have a problem. The EP changed while the
1866 * cookie was in flight. Only recourse is to abort the
1869 atomic_add_int(&stcb->asoc.refcnt, 1);
1870 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
1871 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
1872 sh, op_err, vrf_id, port);
1873 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1874 SCTP_TCB_UNLOCK(stcb);
1875 SCTP_SOCKET_LOCK(so, 1);
1876 SCTP_TCB_LOCK(stcb);
1878 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
1879 SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
1880 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1881 SCTP_SOCKET_UNLOCK(so, 1);
1883 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1886 /* process the INIT-ACK info (my info) */
1887 old_tag = asoc->my_vtag;
1888 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1889 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1890 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
1891 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1892 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1893 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
1894 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1895 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1896 asoc->str_reset_seq_in = asoc->init_seq_number;
1898 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1900 /* process the INIT info (peer's info) */
1902 retval = sctp_process_init(init_cp, stcb, *netp);
1906 atomic_add_int(&stcb->asoc.refcnt, 1);
1907 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1908 SCTP_TCB_UNLOCK(stcb);
1909 SCTP_SOCKET_LOCK(so, 1);
1910 SCTP_TCB_LOCK(stcb);
1912 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
1913 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1914 SCTP_SOCKET_UNLOCK(so, 1);
1916 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1919 /* load all addresses */
1920 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1921 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh,
1923 atomic_add_int(&stcb->asoc.refcnt, 1);
1924 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1925 SCTP_TCB_UNLOCK(stcb);
1926 SCTP_SOCKET_LOCK(so, 1);
1927 SCTP_TCB_LOCK(stcb);
1929 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
1930 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1931 SCTP_SOCKET_UNLOCK(so, 1);
1933 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1937 * verify any preceding AUTH chunk that was skipped
1939 /* pull the local authentication parameters from the cookie/init-ack */
1940 sctp_auth_get_cookie_params(stcb, m,
1941 initack_offset + sizeof(struct sctp_init_ack_chunk),
1942 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)));
1944 struct sctp_auth_chunk *auth;
1946 auth = (struct sctp_auth_chunk *)
1947 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
1948 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
1949 /* auth HMAC failed, dump the assoc and packet */
1950 SCTPDBG(SCTP_DEBUG_AUTH1,
1951 "COOKIE-ECHO: AUTH failed\n");
1952 atomic_add_int(&stcb->asoc.refcnt, 1);
1953 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1954 SCTP_TCB_UNLOCK(stcb);
1955 SCTP_SOCKET_LOCK(so, 1);
1956 SCTP_TCB_LOCK(stcb);
1958 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18);
1959 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1960 SCTP_SOCKET_UNLOCK(so, 1);
1962 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1965 /* remaining chunks checked... good to go */
1966 stcb->asoc.authenticated = 1;
1969 /* update current state */
1970 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
1971 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1972 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1973 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1974 stcb->sctp_ep, stcb, asoc->primary_destination);
1976 sctp_stop_all_cookie_timers(stcb);
1977 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
1978 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1981 * if we're doing ASCONFs, check to see if we have any new local
1982 * addresses that need to get added to the peer (eg. addresses
1983 * changed while cookie echo in flight). This needs to be done
1984 * after we go to the OPEN state to do the correct asconf
1985 * processing. else, make sure we have the correct addresses in our
1989 /* warning, we re-use sin, sin6, sa_store here! */
1990 /* pull in local_address (our "from" address) */
1991 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) {
1992 /* source addr is IPv4 */
1993 sin = (struct sockaddr_in *)initack_src;
1994 memset(sin, 0, sizeof(*sin));
1995 sin->sin_family = AF_INET;
1996 sin->sin_len = sizeof(struct sockaddr_in);
1997 sin->sin_addr.s_addr = cookie->laddress[0];
1998 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) {
1999 /* source addr is IPv6 */
2000 sin6 = (struct sockaddr_in6 *)initack_src;
2001 memset(sin6, 0, sizeof(*sin6));
2002 sin6->sin6_family = AF_INET6;
2003 sin6->sin6_len = sizeof(struct sockaddr_in6);
2004 sin6->sin6_scope_id = cookie->scope_id;
2005 memcpy(&sin6->sin6_addr, cookie->laddress,
2006 sizeof(sin6->sin6_addr));
2008 atomic_add_int(&stcb->asoc.refcnt, 1);
2009 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2010 SCTP_TCB_UNLOCK(stcb);
2011 SCTP_SOCKET_LOCK(so, 1);
2012 SCTP_TCB_LOCK(stcb);
2014 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19);
2015 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2016 SCTP_SOCKET_UNLOCK(so, 1);
2018 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2022 /* set up to notify upper layer */
2023 *notification = SCTP_NOTIFY_ASSOC_UP;
2024 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2025 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
2026 (inp->sctp_socket->so_qlimit == 0)) {
2028 * This is an endpoint that called connect() how it got a
2029 * cookie that is NEW is a bit of a mystery. It must be that
2030 * the INIT was sent, but before it got there.. a complete
2031 * INIT/INIT-ACK/COOKIE arrived. But of course then it
2032 * should have went to the other code.. not here.. oh well..
2033 * a bit of protection is worth having..
2035 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2036 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2037 atomic_add_int(&stcb->asoc.refcnt, 1);
2038 SCTP_TCB_UNLOCK(stcb);
2039 SCTP_SOCKET_LOCK(so, 1);
2040 SCTP_TCB_LOCK(stcb);
2041 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2042 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
2043 SCTP_SOCKET_UNLOCK(so, 1);
2047 soisconnected(stcb->sctp_socket);
2048 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2049 SCTP_SOCKET_UNLOCK(so, 1);
2051 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
2052 (inp->sctp_socket->so_qlimit)) {
2054 * We don't want to do anything with this one. Since it is
2055 * the listening guy. The timer will get started for
2056 * accepted connections in the caller.
2060 /* since we did not send a HB make sure we don't double things */
2061 if ((netp) && (*netp))
2062 (*netp)->hb_responded = 1;
2064 if (stcb->asoc.sctp_autoclose_ticks &&
2065 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2066 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
2068 /* calculate the RTT */
2069 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
2070 if ((netp) && (*netp)) {
2071 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
2072 &cookie->time_entered, sctp_align_unsafe_makecopy);
2074 /* respond with a COOKIE-ACK */
2075 sctp_send_cookie_ack(stcb);
2078 * check the address lists for any ASCONFs that need to be sent
2079 * AFTER the cookie-ack is sent
2081 sctp_check_address_list(stcb, m,
2082 initack_offset + sizeof(struct sctp_init_ack_chunk),
2083 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)),
2084 initack_src, cookie->local_scope, cookie->site_scope,
2085 cookie->ipv4_scope, cookie->loopback_scope);
2093 * handles a COOKIE-ECHO message stcb: modified to either a new or left as
2094 * existing (non-NULL) TCB
2096 static struct mbuf *
2097 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
2098 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
2099 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp,
2100 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
2101 struct sctp_tcb **locked_tcb, uint32_t vrf_id, uint16_t port)
2103 struct sctp_state_cookie *cookie;
2104 struct sockaddr_in6 sin6;
2105 struct sockaddr_in sin;
2106 struct sctp_tcb *l_stcb = *stcb;
2107 struct sctp_inpcb *l_inp;
2108 struct sockaddr *to;
2109 sctp_assoc_t sac_restart_id;
2110 struct sctp_pcb *ep;
2112 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
2114 uint8_t cookie_ok = 0;
2115 unsigned int size_of_pkt, sig_offset, cookie_offset;
2116 unsigned int cookie_len;
2118 struct timeval time_expires;
2119 struct sockaddr_storage dest_store;
2120 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store;
2122 int notification = 0;
2123 struct sctp_nets *netl;
2124 int had_a_existing_tcb = 0;
2126 SCTPDBG(SCTP_DEBUG_INPUT2,
2127 "sctp_handle_cookie: handling COOKIE-ECHO\n");
2129 if (inp_p == NULL) {
2132 /* First get the destination address setup too. */
2133 iph = mtod(m, struct ip *);
2134 switch (iph->ip_v) {
2138 struct sockaddr_in *lsin;
2140 lsin = (struct sockaddr_in *)(localep_sa);
2141 memset(lsin, 0, sizeof(*lsin));
2142 lsin->sin_family = AF_INET;
2143 lsin->sin_len = sizeof(*lsin);
2144 lsin->sin_port = sh->dest_port;
2145 lsin->sin_addr.s_addr = iph->ip_dst.s_addr;
2146 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph);
2150 case IPV6_VERSION >> 4:
2153 struct ip6_hdr *ip6;
2154 struct sockaddr_in6 *lsin6;
2156 lsin6 = (struct sockaddr_in6 *)(localep_sa);
2157 memset(lsin6, 0, sizeof(*lsin6));
2158 lsin6->sin6_family = AF_INET6;
2159 lsin6->sin6_len = sizeof(struct sockaddr_in6);
2160 ip6 = mtod(m, struct ip6_hdr *);
2161 lsin6->sin6_port = sh->dest_port;
2162 lsin6->sin6_addr = ip6->ip6_dst;
2163 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen;
2171 cookie = &cp->cookie;
2172 cookie_offset = offset + sizeof(struct sctp_chunkhdr);
2173 cookie_len = ntohs(cp->ch.chunk_length);
2175 if ((cookie->peerport != sh->src_port) &&
2176 (cookie->myport != sh->dest_port) &&
2177 (cookie->my_vtag != sh->v_tag)) {
2179 * invalid ports or bad tag. Note that we always leave the
2180 * v_tag in the header in network order and when we stored
2181 * it in the my_vtag slot we also left it in network order.
2182 * This maintains the match even though it may be in the
2183 * opposite byte order of the machine :->
2187 if (cookie_len > size_of_pkt ||
2188 cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
2189 sizeof(struct sctp_init_chunk) +
2190 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
2191 /* cookie too long! or too small */
2195 * split off the signature into its own mbuf (since it should not be
2196 * calculated in the sctp_hmac_m() call).
2198 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
2199 if (sig_offset > size_of_pkt) {
2200 /* packet not correct size! */
2201 /* XXX this may already be accounted for earlier... */
2204 m_sig = m_split(m, sig_offset, M_DONTWAIT);
2205 if (m_sig == NULL) {
2206 /* out of memory or ?? */
2209 #ifdef SCTP_MBUF_LOGGING
2210 if (sctp_logging_level & SCTP_MBUF_LOGGING_ENABLE) {
2215 if (SCTP_BUF_IS_EXTENDED(mat)) {
2216 sctp_log_mb(mat, SCTP_MBUF_SPLIT);
2218 mat = SCTP_BUF_NEXT(mat);
2224 * compute the signature/digest for the cookie
2226 ep = &(*inp_p)->sctp_ep;
2229 SCTP_TCB_UNLOCK(l_stcb);
2231 SCTP_INP_RLOCK(l_inp);
2233 SCTP_TCB_LOCK(l_stcb);
2235 /* which cookie is it? */
2236 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
2237 (ep->current_secret_number != ep->last_secret_number)) {
2238 /* it's the old cookie */
2239 (void)sctp_hmac_m(SCTP_HMAC,
2240 (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
2241 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2243 /* it's the current cookie */
2244 (void)sctp_hmac_m(SCTP_HMAC,
2245 (uint8_t *) ep->secret_key[(int)ep->current_secret_number],
2246 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2248 /* get the signature */
2249 SCTP_INP_RUNLOCK(l_inp);
2250 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig);
2252 /* couldn't find signature */
2253 sctp_m_freem(m_sig);
2256 /* compare the received digest with the computed digest */
2257 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
2258 /* try the old cookie? */
2259 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
2260 (ep->current_secret_number != ep->last_secret_number)) {
2261 /* compute digest with old */
2262 (void)sctp_hmac_m(SCTP_HMAC,
2263 (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
2264 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2266 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
2274 * Now before we continue we must reconstruct our mbuf so that
2275 * normal processing of any other chunks will work.
2281 while (SCTP_BUF_NEXT(m_at) != NULL) {
2282 m_at = SCTP_BUF_NEXT(m_at);
2284 SCTP_BUF_NEXT(m_at) = m_sig;
2287 if (cookie_ok == 0) {
2288 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n");
2289 SCTPDBG(SCTP_DEBUG_INPUT2,
2290 "offset = %u, cookie_offset = %u, sig_offset = %u\n",
2291 (uint32_t) offset, cookie_offset, sig_offset);
2295 * check the cookie timestamps to be sure it's not stale
2297 (void)SCTP_GETTIME_TIMEVAL(&now);
2298 /* Expire time is in Ticks, so we convert to seconds */
2299 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life);
2300 time_expires.tv_usec = cookie->time_entered.tv_usec;
2301 if (timevalcmp(&now, &time_expires, >)) {
2302 /* cookie is stale! */
2303 struct mbuf *op_err;
2304 struct sctp_stale_cookie_msg *scm;
2307 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg),
2308 0, M_DONTWAIT, 1, MT_DATA);
2309 if (op_err == NULL) {
2313 /* pre-reserve some space */
2315 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
2317 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
2319 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
2320 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
2323 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg);
2324 scm = mtod(op_err, struct sctp_stale_cookie_msg *);
2325 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE);
2326 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) +
2327 (sizeof(uint32_t))));
2328 /* seconds to usec */
2329 tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
2332 tim = now.tv_usec - cookie->time_entered.tv_usec;
2333 scm->time_usec = htonl(tim);
2334 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag,
2339 * Now we must see with the lookup address if we have an existing
2340 * asoc. This will only happen if we were in the COOKIE-WAIT state
2341 * and a INIT collided with us and somewhere the peer sent the
2342 * cookie on another address besides the single address our assoc
2343 * had for him. In this case we will have one of the tie-tags set at
2344 * least AND the address field in the cookie can be used to look it
2348 if (cookie->addr_type == SCTP_IPV6_ADDRESS) {
2349 memset(&sin6, 0, sizeof(sin6));
2350 sin6.sin6_family = AF_INET6;
2351 sin6.sin6_len = sizeof(sin6);
2352 sin6.sin6_port = sh->src_port;
2353 sin6.sin6_scope_id = cookie->scope_id;
2354 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
2355 sizeof(sin6.sin6_addr.s6_addr));
2356 to = (struct sockaddr *)&sin6;
2357 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) {
2358 memset(&sin, 0, sizeof(sin));
2359 sin.sin_family = AF_INET;
2360 sin.sin_len = sizeof(sin);
2361 sin.sin_port = sh->src_port;
2362 sin.sin_addr.s_addr = cookie->address[0];
2363 to = (struct sockaddr *)&sin;
2365 /* This should not happen */
2368 if ((*stcb == NULL) && to) {
2369 /* Yep, lets check */
2370 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL);
2371 if (*stcb == NULL) {
2373 * We should have only got back the same inp. If we
2374 * got back a different ep we have a problem. The
2375 * original findep got back l_inp and now
2377 if (l_inp != *inp_p) {
2378 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n");
2381 if (*locked_tcb == NULL) {
2383 * In this case we found the assoc only
2384 * after we locked the create lock. This
2385 * means we are in a colliding case and we
2386 * must make sure that we unlock the tcb if
2387 * its one of the cases where we throw away
2388 * the incoming packets.
2390 *locked_tcb = *stcb;
2393 * We must also increment the inp ref count
2394 * since the ref_count flags was set when we
2395 * did not find the TCB, now we found it
2396 * which reduces the refcount.. we must
2397 * raise it back out to balance it all :-)
2399 SCTP_INP_INCR_REF((*stcb)->sctp_ep);
2400 if ((*stcb)->sctp_ep != l_inp) {
2401 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n",
2402 (*stcb)->sctp_ep, l_inp);
2410 cookie_len -= SCTP_SIGNATURE_SIZE;
2411 if (*stcb == NULL) {
2412 /* this is the "normal" case... get a new TCB */
2413 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie,
2414 cookie_len, *inp_p, netp, to, ¬ification,
2415 auth_skipped, auth_offset, auth_len, vrf_id, port);
2417 /* this is abnormal... cookie-echo on existing TCB */
2418 had_a_existing_tcb = 1;
2419 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh,
2420 cookie, cookie_len, *inp_p, *stcb, *netp, to,
2421 ¬ification, &sac_restart_id, vrf_id);
2424 if (*stcb == NULL) {
2425 /* still no TCB... must be bad cookie-echo */
2429 * Ok, we built an association so confirm the address we sent the
2432 netl = sctp_findnet(*stcb, to);
2434 * This code should in theory NOT run but
2437 /* TSNH! Huh, why do I need to add this address here? */
2440 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE,
2441 SCTP_IN_COOKIE_PROC);
2442 netl = sctp_findnet(*stcb, to);
2445 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
2446 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
2447 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
2449 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2450 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2454 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p,
2457 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
2458 if (!had_a_existing_tcb ||
2459 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
2461 * If we have a NEW cookie or the connect never
2462 * reached the connected state during collision we
2463 * must do the TCP accept thing.
2465 struct socket *so, *oso;
2466 struct sctp_inpcb *inp;
2468 if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
2470 * For a restart we will keep the same
2471 * socket, no need to do anything. I THINK!!
2473 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id, SCTP_SO_NOT_LOCKED);
2476 oso = (*inp_p)->sctp_socket;
2477 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2478 SCTP_TCB_UNLOCK((*stcb));
2479 so = sonewconn(oso, 0
2481 SCTP_TCB_LOCK((*stcb));
2482 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2485 struct mbuf *op_err;
2487 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2488 struct socket *pcb_so;
2491 /* Too many sockets */
2492 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n");
2493 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
2494 sctp_abort_association(*inp_p, NULL, m, iphlen,
2495 sh, op_err, vrf_id, port);
2496 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2497 pcb_so = SCTP_INP_SO(*inp_p);
2498 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2499 SCTP_TCB_UNLOCK((*stcb));
2500 SCTP_SOCKET_LOCK(pcb_so, 1);
2501 SCTP_TCB_LOCK((*stcb));
2502 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2504 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20);
2505 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2506 SCTP_SOCKET_UNLOCK(pcb_so, 1);
2510 inp = (struct sctp_inpcb *)so->so_pcb;
2511 SCTP_INP_INCR_REF(inp);
2513 * We add the unbound flag here so that if we get an
2514 * soabort() before we get the move_pcb done, we
2515 * will properly cleanup.
2517 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2518 SCTP_PCB_FLAGS_CONNECTED |
2519 SCTP_PCB_FLAGS_IN_TCPPOOL |
2520 SCTP_PCB_FLAGS_UNBOUND |
2521 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
2522 SCTP_PCB_FLAGS_DONT_WAKE);
2523 inp->sctp_features = (*inp_p)->sctp_features;
2524 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features;
2525 inp->sctp_socket = so;
2526 inp->sctp_frag_point = (*inp_p)->sctp_frag_point;
2527 inp->partial_delivery_point = (*inp_p)->partial_delivery_point;
2528 inp->sctp_context = (*inp_p)->sctp_context;
2529 inp->inp_starting_point_for_iterator = NULL;
2531 * copy in the authentication parameters from the
2534 if (inp->sctp_ep.local_hmacs)
2535 sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
2536 inp->sctp_ep.local_hmacs =
2537 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs);
2538 if (inp->sctp_ep.local_auth_chunks)
2539 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
2540 inp->sctp_ep.local_auth_chunks =
2541 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks);
2542 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys,
2543 &inp->sctp_ep.shared_keys);
2546 * Now we must move it from one hash table to
2547 * another and get the tcb in the right place.
2549 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
2551 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2552 SCTP_TCB_UNLOCK((*stcb));
2554 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb,
2556 SCTP_TCB_LOCK((*stcb));
2557 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2561 * now we must check to see if we were aborted while
2562 * the move was going on and the lock/unlock
2565 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
2567 * yep it was, we leave the assoc attached
2568 * to the socket since the sctp_inpcb_free()
2569 * call will send an abort for us.
2571 SCTP_INP_DECR_REF(inp);
2574 SCTP_INP_DECR_REF(inp);
2575 /* Switch over to the new guy */
2577 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2580 * Pull it from the incomplete queue and wake the
2583 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2584 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2585 SCTP_TCB_UNLOCK((*stcb));
2586 SCTP_SOCKET_LOCK(so, 1);
2589 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2590 SCTP_TCB_LOCK((*stcb));
2591 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2592 SCTP_SOCKET_UNLOCK(so, 1);
2597 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
2598 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2604 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp,
2605 struct sctp_tcb *stcb, struct sctp_nets *net)
2607 /* cp must not be used, others call this without a c-ack :-) */
2608 struct sctp_association *asoc;
2610 SCTPDBG(SCTP_DEBUG_INPUT2,
2611 "sctp_handle_cookie_ack: handling COOKIE-ACK\n");
2617 sctp_stop_all_cookie_timers(stcb);
2618 /* process according to association state */
2619 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
2620 /* state change only needed when I am in right state */
2621 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
2622 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
2623 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2624 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
2625 stcb->sctp_ep, stcb, asoc->primary_destination);
2629 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
2630 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
2631 if (asoc->overall_error_count == 0) {
2632 net->RTO = sctp_calculate_rto(stcb, asoc, net,
2633 &asoc->time_entered, sctp_align_safe_nocopy);
2635 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
2636 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2637 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2638 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
2639 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2643 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2644 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2645 so = SCTP_INP_SO(stcb->sctp_ep);
2646 atomic_add_int(&stcb->asoc.refcnt, 1);
2647 SCTP_TCB_UNLOCK(stcb);
2648 SCTP_SOCKET_LOCK(so, 1);
2649 SCTP_TCB_LOCK(stcb);
2650 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2651 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
2652 SCTP_SOCKET_UNLOCK(so, 1);
2656 soisconnected(stcb->sctp_socket);
2657 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2658 SCTP_SOCKET_UNLOCK(so, 1);
2661 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
2664 * since we did not send a HB make sure we don't double
2667 net->hb_responded = 1;
2669 if (stcb->asoc.sctp_autoclose_ticks &&
2670 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2671 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
2672 stcb->sctp_ep, stcb, NULL);
2675 * send ASCONF if parameters are pending and ASCONFs are
2676 * allowed (eg. addresses changed when init/cookie echo were
2679 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) &&
2680 (stcb->asoc.peer_supports_asconf) &&
2681 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
2682 #ifdef SCTP_TIMER_BASED_ASCONF
2683 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
2684 stcb->sctp_ep, stcb,
2685 stcb->asoc.primary_destination);
2687 sctp_send_asconf(stcb, stcb->asoc.primary_destination,
2688 SCTP_ADDR_NOT_LOCKED);
2692 /* Toss the cookie if I can */
2693 sctp_toss_old_cookies(stcb, asoc);
2694 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
2695 /* Restart the timer if we have pending data */
2696 struct sctp_tmit_chunk *chk;
2698 chk = TAILQ_FIRST(&asoc->sent_queue);
2700 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2707 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
2708 struct sctp_tcb *stcb)
2710 struct sctp_nets *net;
2711 struct sctp_tmit_chunk *lchk;
2714 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) {
2717 SCTP_STAT_INCR(sctps_recvecne);
2718 tsn = ntohl(cp->tsn);
2719 /* ECN Nonce stuff: need a resync and disable the nonce sum check */
2720 /* Also we make sure we disable the nonce_wait */
2721 lchk = TAILQ_FIRST(&stcb->asoc.send_queue);
2723 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq;
2725 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq;
2727 stcb->asoc.nonce_wait_for_ecne = 0;
2728 stcb->asoc.nonce_sum_check = 0;
2730 /* Find where it was sent, if possible */
2732 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue);
2734 if (lchk->rec.data.TSN_seq == tsn) {
2738 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ))
2740 lchk = TAILQ_NEXT(lchk, sctp_next);
2743 /* default is we use the primary */
2744 net = stcb->asoc.primary_destination;
2746 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) {
2748 * JRS - Use the congestion control given in the pluggable
2751 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net);
2753 * we reduce once every RTT. So we will only lower cwnd at
2754 * the next sending seq i.e. the resync_tsn.
2756 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn;
2759 * We always send a CWR this way if our previous one was lost our
2760 * peer will get an update, or if it is not time again to reduce we
2761 * still get the cwr to the peer.
2763 sctp_send_cwr(stcb, net, tsn);
2767 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb)
2770 * Here we get a CWR from the peer. We must look in the outqueue and
2771 * make sure that we have a covered ECNE in teh control chunk part.
2774 struct sctp_tmit_chunk *chk;
2775 struct sctp_ecne_chunk *ecne;
2777 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
2778 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) {
2782 * Look for and remove if it is the right TSN. Since there
2783 * is only ONE ECNE on the control queue at any one time we
2784 * don't need to worry about more than one!
2786 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
2787 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn),
2788 MAX_TSN) || (cp->tsn == ecne->tsn)) {
2789 /* this covers this ECNE, we can remove it */
2790 stcb->asoc.ecn_echo_cnt_onq--;
2791 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
2794 sctp_m_freem(chk->data);
2797 stcb->asoc.ctrl_queue_cnt--;
2798 sctp_free_a_chunk(stcb, chk);
2805 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp,
2806 struct sctp_tcb *stcb, struct sctp_nets *net)
2808 struct sctp_association *asoc;
2810 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2815 SCTPDBG(SCTP_DEBUG_INPUT2,
2816 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
2821 /* process according to association state */
2822 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
2823 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
2824 SCTPDBG(SCTP_DEBUG_INPUT2,
2825 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n");
2826 SCTP_TCB_UNLOCK(stcb);
2829 /* notify upper layer protocol */
2830 if (stcb->sctp_socket) {
2831 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2832 /* are the queues empty? they should be */
2833 if (!TAILQ_EMPTY(&asoc->send_queue) ||
2834 !TAILQ_EMPTY(&asoc->sent_queue) ||
2835 !TAILQ_EMPTY(&asoc->out_wheel)) {
2836 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED);
2839 /* stop the timer */
2840 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22);
2841 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
2843 SCTPDBG(SCTP_DEBUG_INPUT2,
2844 "sctp_handle_shutdown_complete: calls free-asoc\n");
2845 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2846 so = SCTP_INP_SO(stcb->sctp_ep);
2847 atomic_add_int(&stcb->asoc.refcnt, 1);
2848 SCTP_TCB_UNLOCK(stcb);
2849 SCTP_SOCKET_LOCK(so, 1);
2850 SCTP_TCB_LOCK(stcb);
2851 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2853 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23);
2854 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2855 SCTP_SOCKET_UNLOCK(so, 1);
2861 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
2862 struct sctp_nets *net, uint8_t flg)
2864 switch (desc->chunk_type) {
2866 /* find the tsn to resend (possibly */
2869 struct sctp_tmit_chunk *tp1;
2871 tsn = ntohl(desc->tsn_ifany);
2872 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2874 if (tp1->rec.data.TSN_seq == tsn) {
2878 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn,
2884 tp1 = TAILQ_NEXT(tp1, sctp_next);
2888 * Do it the other way , aka without paying
2889 * attention to queue seq order.
2891 SCTP_STAT_INCR(sctps_pdrpdnfnd);
2892 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2894 if (tp1->rec.data.TSN_seq == tsn) {
2898 tp1 = TAILQ_NEXT(tp1, sctp_next);
2902 SCTP_STAT_INCR(sctps_pdrptsnnf);
2904 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
2907 if ((stcb->asoc.peers_rwnd == 0) &&
2908 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
2909 SCTP_STAT_INCR(sctps_pdrpdiwnp);
2912 if (stcb->asoc.peers_rwnd == 0 &&
2913 (flg & SCTP_FROM_MIDDLE_BOX)) {
2914 SCTP_STAT_INCR(sctps_pdrpdizrw);
2917 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+
2918 sizeof(struct sctp_data_chunk));
2922 for (iii = 0; iii < sizeof(desc->data_bytes);
2924 if (ddp[iii] != desc->data_bytes[iii]) {
2925 SCTP_STAT_INCR(sctps_pdrpbadd);
2931 * We zero out the nonce so resync not
2934 tp1->rec.data.ect_nonce = 0;
2938 * this guy had a RTO calculation
2939 * pending on it, cancel it
2943 SCTP_STAT_INCR(sctps_pdrpmark);
2944 if (tp1->sent != SCTP_DATAGRAM_RESEND)
2945 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
2946 tp1->sent = SCTP_DATAGRAM_RESEND;
2948 * mark it as if we were doing a FR, since
2949 * we will be getting gap ack reports behind
2950 * the info from the router.
2952 tp1->rec.data.doing_fast_retransmit = 1;
2954 * mark the tsn with what sequences can
2957 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) {
2958 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
2960 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
2963 /* restart the timer */
2964 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2965 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24);
2966 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2969 /* fix counts and things */
2970 if (sctp_logging_level & SCTP_FLIGHT_LOGGING_ENABLE) {
2971 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP,
2972 tp1->whoTo->flight_size,
2975 tp1->rec.data.TSN_seq);
2977 sctp_flight_size_decrease(tp1);
2978 sctp_total_flight_decrease(stcb, tp1);
2984 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
2985 if (tp1->sent == SCTP_DATAGRAM_RESEND)
2988 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
2990 if (tp1->sent == SCTP_DATAGRAM_RESEND)
2993 if (audit != stcb->asoc.sent_queue_retran_cnt) {
2994 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n",
2995 audit, stcb->asoc.sent_queue_retran_cnt);
2996 #ifndef SCTP_AUDITING_ENABLED
2997 stcb->asoc.sent_queue_retran_cnt = audit;
3005 struct sctp_tmit_chunk *asconf;
3007 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
3009 if (asconf->rec.chunk_id.id == SCTP_ASCONF) {
3014 if (asconf->sent != SCTP_DATAGRAM_RESEND)
3015 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3016 asconf->sent = SCTP_DATAGRAM_RESEND;
3017 asconf->snd_count--;
3021 case SCTP_INITIATION:
3022 /* resend the INIT */
3023 stcb->asoc.dropped_special_cnt++;
3024 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
3026 * If we can get it in, in a few attempts we do
3027 * this, otherwise we let the timer fire.
3029 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
3030 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25);
3031 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
3034 case SCTP_SELECTIVE_ACK:
3035 /* resend the sack */
3036 sctp_send_sack(stcb);
3038 case SCTP_HEARTBEAT_REQUEST:
3039 /* resend a demand HB */
3040 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) {
3042 * Only retransmit if we KNOW we wont destroy the
3045 (void)sctp_send_hb(stcb, 1, net);
3049 sctp_send_shutdown(stcb, net);
3051 case SCTP_SHUTDOWN_ACK:
3052 sctp_send_shutdown_ack(stcb, net);
3054 case SCTP_COOKIE_ECHO:
3056 struct sctp_tmit_chunk *cookie;
3059 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
3061 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
3066 if (cookie->sent != SCTP_DATAGRAM_RESEND)
3067 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3068 cookie->sent = SCTP_DATAGRAM_RESEND;
3069 sctp_stop_all_cookie_timers(stcb);
3073 case SCTP_COOKIE_ACK:
3074 sctp_send_cookie_ack(stcb);
3076 case SCTP_ASCONF_ACK:
3077 /* resend last asconf ack */
3078 sctp_send_asconf_ack(stcb);
3080 case SCTP_FORWARD_CUM_TSN:
3081 send_forward_tsn(stcb, &stcb->asoc);
3083 /* can't do anything with these */
3084 case SCTP_PACKET_DROPPED:
3085 case SCTP_INITIATION_ACK: /* this should not happen */
3086 case SCTP_HEARTBEAT_ACK:
3087 case SCTP_ABORT_ASSOCIATION:
3088 case SCTP_OPERATION_ERROR:
3089 case SCTP_SHUTDOWN_COMPLETE:
3099 sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
3105 * We set things to 0xffff since this is the last delivered sequence
3106 * and we will be sending in 0 after the reset.
3109 if (number_entries) {
3110 for (i = 0; i < number_entries; i++) {
3111 temp = ntohs(list[i]);
3112 if (temp >= stcb->asoc.streamincnt) {
3115 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff;
3119 for (i = 0; i < stcb->asoc.streamincnt; i++) {
3120 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff;
3123 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3127 sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
3131 if (number_entries == 0) {
3132 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3133 stcb->asoc.strmout[i].next_sequence_sent = 0;
3135 } else if (number_entries) {
3136 for (i = 0; i < number_entries; i++) {
3139 temp = ntohs(list[i]);
3140 if (temp >= stcb->asoc.streamoutcnt) {
3141 /* no such stream */
3144 stcb->asoc.strmout[temp].next_sequence_sent = 0;
3147 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3151 struct sctp_stream_reset_out_request *
3152 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk)
3154 struct sctp_association *asoc;
3155 struct sctp_stream_reset_out_req *req;
3156 struct sctp_stream_reset_out_request *r;
3157 struct sctp_tmit_chunk *chk;
3161 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
3162 asoc->stream_reset_outstanding = 0;
3165 if (stcb->asoc.str_reset == NULL) {
3166 asoc->stream_reset_outstanding = 0;
3169 chk = stcb->asoc.str_reset;
3170 if (chk->data == NULL) {
3174 /* he wants a copy of the chk pointer */
3177 clen = chk->send_size;
3178 req = mtod(chk->data, struct sctp_stream_reset_out_req *);
3180 if (ntohl(r->request_seq) == seq) {
3184 len = SCTP_SIZE32(ntohs(r->ph.param_length));
3185 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) {
3186 /* move to the next one, there can only be a max of two */
3187 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len);
3188 if (ntohl(r->request_seq) == seq) {
3192 /* that seq is not here */
3197 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
3199 struct sctp_association *asoc;
3200 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset;
3202 if (stcb->asoc.str_reset == NULL) {
3207 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26);
3208 TAILQ_REMOVE(&asoc->control_send_queue,
3212 sctp_m_freem(chk->data);
3215 asoc->ctrl_queue_cnt--;
3216 sctp_free_a_chunk(stcb, chk);
3217 /* sa_ignore NO_NULL_CHK */
3218 stcb->asoc.str_reset = NULL;
3223 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
3224 uint32_t seq, uint32_t action,
3225 struct sctp_stream_reset_response *respin)
3229 struct sctp_association *asoc = &stcb->asoc;
3230 struct sctp_tmit_chunk *chk;
3231 struct sctp_stream_reset_out_request *srparam;
3234 if (asoc->stream_reset_outstanding == 0) {
3238 if (seq == stcb->asoc.str_reset_seq_out) {
3239 srparam = sctp_find_stream_reset(stcb, seq, &chk);
3241 stcb->asoc.str_reset_seq_out++;
3242 type = ntohs(srparam->ph.param_type);
3243 lparm_len = ntohs(srparam->ph.param_length);
3244 if (type == SCTP_STR_RESET_OUT_REQUEST) {
3245 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
3246 asoc->stream_reset_out_is_outstanding = 0;
3247 if (asoc->stream_reset_outstanding)
3248 asoc->stream_reset_outstanding--;
3249 if (action == SCTP_STREAM_RESET_PERFORMED) {
3251 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams);
3253 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
3255 } else if (type == SCTP_STR_RESET_IN_REQUEST) {
3256 /* Answered my request */
3257 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
3258 if (asoc->stream_reset_outstanding)
3259 asoc->stream_reset_outstanding--;
3260 if (action != SCTP_STREAM_RESET_PERFORMED) {
3261 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
3263 } else if (type == SCTP_STR_RESET_TSN_REQUEST) {
3265 * a) Adopt the new in tsn.
3267 * c) Adopt the new out-tsn
3269 struct sctp_stream_reset_response_tsn *resp;
3270 struct sctp_forward_tsn_chunk fwdtsn;
3273 if (respin == NULL) {
3277 if (action == SCTP_STREAM_RESET_PERFORMED) {
3278 resp = (struct sctp_stream_reset_response_tsn *)respin;
3279 asoc->stream_reset_outstanding--;
3280 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3281 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3282 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1);
3283 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3287 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1);
3288 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
3289 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn);
3290 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
3291 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn);
3292 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn;
3294 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
3295 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
3299 /* get rid of the request and get the request flags */
3300 if (asoc->stream_reset_outstanding == 0) {
3301 sctp_clean_up_stream_reset(stcb);
3309 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb,
3310 struct sctp_tmit_chunk *chk,
3311 struct sctp_stream_reset_in_request *req, int trunc)
3319 * peer wants me to send a str-reset to him for my outgoing seq's if
3322 struct sctp_association *asoc = &stcb->asoc;
3324 seq = ntohl(req->request_seq);
3325 if (asoc->str_reset_seq_in == seq) {
3327 /* Can't do it, since they exceeded our buffer size */
3328 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3329 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
3330 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3331 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) {
3332 len = ntohs(req->ph.param_length);
3333 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t));
3334 for (i = 0; i < number_entries; i++) {
3335 temp = ntohs(req->list_of_streams[i]);
3336 req->list_of_streams[i] = temp;
3338 /* move the reset action back one */
3339 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3340 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3341 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams,
3342 asoc->str_reset_seq_out,
3343 seq, (asoc->sending_seq - 1));
3344 asoc->stream_reset_out_is_outstanding = 1;
3345 asoc->str_reset = chk;
3346 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
3347 stcb->asoc.stream_reset_outstanding++;
3349 /* Can't do it, since we have sent one out */
3350 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3351 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER;
3352 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3354 asoc->str_reset_seq_in++;
3355 } else if (asoc->str_reset_seq_in - 1 == seq) {
3356 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3357 } else if (asoc->str_reset_seq_in - 2 == seq) {
3358 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3360 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
3365 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb,
3366 struct sctp_tmit_chunk *chk,
3367 struct sctp_stream_reset_tsn_request *req)
3369 /* reset all in and out and update the tsn */
3371 * A) reset my str-seq's on in and out. B) Select a receive next,
3372 * and set cum-ack to it. Also process this selected number as a
3373 * fwd-tsn as well. C) set in the response my next sending seq.
3375 struct sctp_forward_tsn_chunk fwdtsn;
3376 struct sctp_association *asoc = &stcb->asoc;
3380 seq = ntohl(req->request_seq);
3381 if (asoc->str_reset_seq_in == seq) {
3382 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3383 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3384 fwdtsn.ch.chunk_flags = 0;
3385 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1);
3386 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3390 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA;
3391 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
3392 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1;
3393 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
3394 atomic_add_int(&stcb->asoc.sending_seq, 1);
3395 /* save off historical data for retrans */
3396 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0];
3397 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq;
3398 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0];
3399 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn;
3401 sctp_add_stream_reset_result_tsn(chk,
3402 ntohl(req->request_seq),
3403 SCTP_STREAM_RESET_PERFORMED,
3404 stcb->asoc.sending_seq,
3405 stcb->asoc.mapping_array_base_tsn);
3406 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
3407 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
3408 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
3409 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3411 asoc->str_reset_seq_in++;
3412 } else if (asoc->str_reset_seq_in - 1 == seq) {
3413 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
3414 stcb->asoc.last_sending_seq[0],
3415 stcb->asoc.last_base_tsnsent[0]
3417 } else if (asoc->str_reset_seq_in - 2 == seq) {
3418 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1],
3419 stcb->asoc.last_sending_seq[1],
3420 stcb->asoc.last_base_tsnsent[1]
3423 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
3429 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb,
3430 struct sctp_tmit_chunk *chk,
3431 struct sctp_stream_reset_out_request *req, int trunc)
3434 int number_entries, len;
3435 struct sctp_association *asoc = &stcb->asoc;
3437 seq = ntohl(req->request_seq);
3439 /* now if its not a duplicate we process it */
3440 if (asoc->str_reset_seq_in == seq) {
3441 len = ntohs(req->ph.param_length);
3442 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t));
3444 * the sender is resetting, handle the list issue.. we must
3445 * a) verify if we can do the reset, if so no problem b) If
3446 * we can't do the reset we must copy the request. c) queue
3447 * it, and setup the data in processor to trigger it off
3448 * when needed and dequeue all the queued data.
3450 tsn = ntohl(req->send_reset_at_tsn);
3452 /* move the reset action back one */
3453 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3455 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED);
3456 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
3457 } else if ((tsn == asoc->cumulative_tsn) ||
3458 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) {
3459 /* we can do it now */
3460 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams);
3461 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
3462 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3465 * we must queue it up and thus wait for the TSN's
3466 * to arrive that are at or before tsn
3468 struct sctp_stream_reset_list *liste;
3471 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t));
3472 SCTP_MALLOC(liste, struct sctp_stream_reset_list *,
3473 siz, SCTP_M_STRESET);
3474 if (liste == NULL) {
3475 /* gak out of memory */
3476 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED);
3477 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
3481 liste->number_entries = number_entries;
3482 memcpy(&liste->req, req,
3483 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t))));
3484 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp);
3485 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
3486 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3488 asoc->str_reset_seq_in++;
3489 } else if ((asoc->str_reset_seq_in - 1) == seq) {
3491 * one seq back, just echo back last action since my
3492 * response was lost.
3494 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3495 } else if ((asoc->str_reset_seq_in - 2) == seq) {
3497 * two seq back, just echo back last action since my
3498 * response was lost.
3500 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3502 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
3507 __attribute__((noinline))
3510 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
3511 struct sctp_stream_reset_out_req *sr_req)
3513 int chk_length, param_len, ptype;
3514 struct sctp_paramhdr pstore;
3515 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
3520 struct sctp_tmit_chunk *chk;
3521 struct sctp_chunkhdr *ch;
3522 struct sctp_paramhdr *ph;
3526 /* now it may be a reset or a reset-response */
3527 chk_length = ntohs(sr_req->ch.chunk_length);
3529 /* setup for adding the response */
3530 sctp_alloc_a_chunk(stcb, chk);
3534 chk->rec.chunk_id.id = SCTP_STREAM_RESET;
3535 chk->rec.chunk_id.can_take_data = 0;
3536 chk->asoc = &stcb->asoc;
3537 chk->no_fr_allowed = 0;
3538 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr);
3539 chk->book_size_scale = 0;
3540 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
3541 if (chk->data == NULL) {
3544 sctp_m_freem(chk->data);
3547 sctp_free_a_chunk(stcb, chk);
3550 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
3552 /* setup chunk parameters */
3553 chk->sent = SCTP_DATAGRAM_UNSENT;
3555 chk->whoTo = stcb->asoc.primary_destination;
3556 atomic_add_int(&chk->whoTo->ref_count, 1);
3558 ch = mtod(chk->data, struct sctp_chunkhdr *);
3559 ch->chunk_type = SCTP_STREAM_RESET;
3560 ch->chunk_flags = 0;
3561 ch->chunk_length = htons(chk->send_size);
3562 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
3563 offset += sizeof(struct sctp_chunkhdr);
3564 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
3565 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore);
3568 param_len = ntohs(ph->param_length);
3569 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
3573 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)),
3574 (uint8_t *) & cstore);
3575 ptype = ntohs(ph->param_type);
3577 if (param_len > (int)sizeof(cstore)) {
3583 if (num_param > SCTP_MAX_RESET_PARAMS) {
3584 /* hit the max of parameters already sorry.. */
3587 if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
3588 struct sctp_stream_reset_out_request *req_out;
3590 req_out = (struct sctp_stream_reset_out_request *)ph;
3592 if (stcb->asoc.stream_reset_outstanding) {
3593 seq = ntohl(req_out->response_seq);
3594 if (seq == stcb->asoc.str_reset_seq_out) {
3596 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL);
3599 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc);
3600 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) {
3601 struct sctp_stream_reset_in_request *req_in;
3605 req_in = (struct sctp_stream_reset_in_request *)ph;
3607 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc);
3608 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) {
3609 struct sctp_stream_reset_tsn_request *req_tsn;
3612 req_tsn = (struct sctp_stream_reset_tsn_request *)ph;
3614 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) {
3616 goto strres_nochunk;
3620 } else if (ptype == SCTP_STR_RESET_RESPONSE) {
3621 struct sctp_stream_reset_response *resp;
3624 resp = (struct sctp_stream_reset_response *)ph;
3625 seq = ntohl(resp->response_seq);
3626 result = ntohl(resp->result);
3627 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) {
3629 goto strres_nochunk;
3634 offset += SCTP_SIZE32(param_len);
3635 chk_length -= SCTP_SIZE32(param_len);
3638 /* we have no response free the stuff */
3639 goto strres_nochunk;
3641 /* ok we have a chunk to link in */
3642 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue,
3645 stcb->asoc.ctrl_queue_cnt++;
3650 * Handle a router or endpoints report of a packet loss, there are two ways
3651 * to handle this, either we get the whole packet and must disect it
3652 * ourselves (possibly with truncation and or corruption) or it is a summary
3653 * from a middle box that did the disectting for us.
3656 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
3657 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
3659 uint32_t bottle_bw, on_queue;
3663 struct sctp_chunk_desc desc;
3664 struct sctp_chunkhdr *ch;
3666 chlen = ntohs(cp->ch.chunk_length);
3667 chlen -= sizeof(struct sctp_pktdrop_chunk);
3668 /* XXX possible chlen underflow */
3671 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
3672 SCTP_STAT_INCR(sctps_pdrpbwrpt);
3674 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
3675 chlen -= sizeof(struct sctphdr);
3676 /* XXX possible chlen underflow */
3677 memset(&desc, 0, sizeof(desc));
3679 trunc_len = (uint16_t) ntohs(cp->trunc_len);
3680 if (trunc_len > limit) {
3683 /* now the chunks themselves */
3684 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
3685 desc.chunk_type = ch->chunk_type;
3686 /* get amount we need to move */
3687 at = ntohs(ch->chunk_length);
3688 if (at < sizeof(struct sctp_chunkhdr)) {
3689 /* corrupt chunk, maybe at the end? */
3690 SCTP_STAT_INCR(sctps_pdrpcrupt);
3693 if (trunc_len == 0) {
3694 /* we are supposed to have all of it */
3696 /* corrupt skip it */
3697 SCTP_STAT_INCR(sctps_pdrpcrupt);
3701 /* is there enough of it left ? */
3702 if (desc.chunk_type == SCTP_DATA) {
3703 if (chlen < (sizeof(struct sctp_data_chunk) +
3704 sizeof(desc.data_bytes))) {
3708 if (chlen < sizeof(struct sctp_chunkhdr)) {
3713 if (desc.chunk_type == SCTP_DATA) {
3714 /* can we get out the tsn? */
3715 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
3716 SCTP_STAT_INCR(sctps_pdrpmbda);
3718 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) {
3720 struct sctp_data_chunk *dcp;
3724 dcp = (struct sctp_data_chunk *)ch;
3725 ddp = (uint8_t *) (dcp + 1);
3726 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) {
3727 desc.data_bytes[iii] = ddp[iii];
3729 desc.tsn_ifany = dcp->dp.tsn;
3731 /* nope we are done. */
3732 SCTP_STAT_INCR(sctps_pdrpnedat);
3736 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
3737 SCTP_STAT_INCR(sctps_pdrpmbct);
3740 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
3741 SCTP_STAT_INCR(sctps_pdrppdbrk);
3744 if (SCTP_SIZE32(at) > chlen) {
3747 chlen -= SCTP_SIZE32(at);
3748 if (chlen < sizeof(struct sctp_chunkhdr)) {
3749 /* done, none left */
3752 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at));
3754 /* Now update any rwnd --- possibly */
3755 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
3756 /* From a peer, we get a rwnd report */
3759 SCTP_STAT_INCR(sctps_pdrpfehos);
3761 bottle_bw = ntohl(cp->bottle_bw);
3762 on_queue = ntohl(cp->current_onq);
3763 if (bottle_bw && on_queue) {
3764 /* a rwnd report is in here */
3765 if (bottle_bw > on_queue)
3766 a_rwnd = bottle_bw - on_queue;
3771 stcb->asoc.peers_rwnd = 0;
3773 if (a_rwnd > stcb->asoc.total_flight) {
3774 stcb->asoc.peers_rwnd =
3775 a_rwnd - stcb->asoc.total_flight;
3777 stcb->asoc.peers_rwnd = 0;
3779 if (stcb->asoc.peers_rwnd <
3780 stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
3781 /* SWS sender side engages */
3782 stcb->asoc.peers_rwnd = 0;
3787 SCTP_STAT_INCR(sctps_pdrpfmbox);
3790 /* now middle boxes in sat networks get a cwnd bump */
3791 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
3792 (stcb->asoc.sat_t3_loss_recovery == 0) &&
3793 (stcb->asoc.sat_network)) {
3795 * This is debateable but for sat networks it makes sense
3796 * Note if a T3 timer has went off, we will prohibit any
3797 * changes to cwnd until we exit the t3 loss recovery.
3799 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb,
3800 net, cp, &bottle_bw, &on_queue);
3805 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to
3806 * still contain IP/SCTP header - stcb: is the tcb found for this packet -
3807 * offset: offset into the mbuf chain to first chunkhdr - length: is the
3808 * length of the complete packet outputs: - length: modified to remaining
3809 * length after control processing - netp: modified to new sctp_nets after
3810 * cookie-echo processing - return NULL to discard the packet (ie. no asoc,
3811 * bad packet,...) otherwise return the tcb for this packet
3814 __attribute__((noinline))
3816 static struct sctp_tcb *
3817 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
3818 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
3819 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen,
3820 uint32_t vrf_id, uint16_t port)
3822 struct sctp_association *asoc;
3824 int num_chunks = 0; /* number of control chunks processed */
3825 uint32_t chk_length;
3827 int abort_no_unlock = 0;
3830 * How big should this be, and should it be alloc'd? Lets try the
3831 * d-mtu-ceiling for now (2k) and that should hopefully work ...
3832 * until we get into jumbo grams and such..
3834 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
3835 struct sctp_tcb *locked_tcb = stcb;
3837 uint32_t auth_offset = 0, auth_len = 0;
3838 int auth_skipped = 0;
3841 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3846 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
3847 iphlen, *offset, length, stcb);
3849 /* validate chunk header length... */
3850 if (ntohs(ch->chunk_length) < sizeof(*ch)) {
3851 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n",
3852 ntohs(ch->chunk_length));
3854 SCTP_TCB_UNLOCK(locked_tcb);
3859 * validate the verification tag
3861 vtag_in = ntohl(sh->v_tag);
3864 SCTP_TCB_LOCK_ASSERT(locked_tcb);
3866 if (ch->chunk_type == SCTP_INITIATION) {
3867 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n",
3868 ntohs(ch->chunk_length), vtag_in);
3870 /* protocol error- silently discard... */
3871 SCTP_STAT_INCR(sctps_badvtag);
3873 SCTP_TCB_UNLOCK(locked_tcb);
3877 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
3879 * If there is no stcb, skip the AUTH chunk and process
3880 * later after a stcb is found (to validate the lookup was
3883 if ((ch->chunk_type == SCTP_AUTHENTICATION) &&
3884 (stcb == NULL) && !sctp_auth_disable) {
3885 /* save this chunk for later processing */
3887 auth_offset = *offset;
3888 auth_len = ntohs(ch->chunk_length);
3890 /* (temporarily) move past this chunk */
3891 *offset += SCTP_SIZE32(auth_len);
3892 if (*offset >= length) {
3893 /* no more data left in the mbuf chain */
3896 SCTP_TCB_UNLOCK(locked_tcb);
3900 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3901 sizeof(struct sctp_chunkhdr), chunk_buf);
3907 SCTP_TCB_UNLOCK(locked_tcb);
3911 if (ch->chunk_type == SCTP_COOKIE_ECHO) {
3912 goto process_control_chunks;
3915 * first check if it's an ASCONF with an unknown src addr we
3916 * need to look inside to find the association
3918 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
3919 struct sctp_chunkhdr *asconf_ch = ch;
3920 uint32_t asconf_offset = 0, asconf_len = 0;
3922 /* inp's refcount may be reduced */
3923 SCTP_INP_INCR_REF(inp);
3925 asconf_offset = *offset;
3927 asconf_len = ntohs(asconf_ch->chunk_length);
3928 if (asconf_len < sizeof(struct sctp_asconf_paramhdr))
3930 stcb = sctp_findassociation_ep_asconf(m, iphlen,
3931 *offset, sh, &inp, netp);
3934 asconf_offset += SCTP_SIZE32(asconf_len);
3935 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset,
3936 sizeof(struct sctp_chunkhdr), chunk_buf);
3937 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF);
3940 * reduce inp's refcount if not reduced in
3941 * sctp_findassociation_ep_asconf().
3943 SCTP_INP_DECR_REF(inp);
3948 /* now go back and verify any auth chunk to be sure */
3949 if (auth_skipped && (stcb != NULL)) {
3950 struct sctp_auth_chunk *auth;
3952 auth = (struct sctp_auth_chunk *)
3953 sctp_m_getptr(m, auth_offset,
3954 auth_len, chunk_buf);
3957 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
3959 /* auth HMAC failed so dump it */
3962 SCTP_TCB_UNLOCK(locked_tcb);
3966 /* remaining chunks are HMAC checked */
3967 stcb->asoc.authenticated = 1;
3972 /* no association, so it's out of the blue... */
3973 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL,
3977 SCTP_TCB_UNLOCK(locked_tcb);
3982 /* ABORT and SHUTDOWN can use either v_tag... */
3983 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
3984 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
3985 (ch->chunk_type == SCTP_PACKET_DROPPED)) {
3986 if ((vtag_in == asoc->my_vtag) ||
3987 ((ch->chunk_flags & SCTP_HAD_NO_TCB) &&
3988 (vtag_in == asoc->peer_vtag))) {
3991 /* drop this packet... */
3992 SCTP_STAT_INCR(sctps_badvtag);
3994 SCTP_TCB_UNLOCK(locked_tcb);
3998 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
3999 if (vtag_in != asoc->my_vtag) {
4001 * this could be a stale SHUTDOWN-ACK or the
4002 * peer never got the SHUTDOWN-COMPLETE and
4003 * is still hung; we have started a new asoc
4004 * but it won't complete until the shutdown
4008 SCTP_TCB_UNLOCK(locked_tcb);
4010 sctp_handle_ootb(m, iphlen, *offset, sh, inp,
4011 NULL, vrf_id, port);
4015 /* for all other chunks, vtag must match */
4016 if (vtag_in != asoc->my_vtag) {
4017 /* invalid vtag... */
4018 SCTPDBG(SCTP_DEBUG_INPUT3,
4019 "invalid vtag: %xh, expect %xh\n",
4020 vtag_in, asoc->my_vtag);
4021 SCTP_STAT_INCR(sctps_badvtag);
4023 SCTP_TCB_UNLOCK(locked_tcb);
4029 } /* end if !SCTP_COOKIE_ECHO */
4031 * process all control chunks...
4033 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
4034 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
4035 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
4036 /* implied cookie-ack.. we must have lost the ack */
4037 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4038 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4039 stcb->asoc.overall_error_count,
4041 SCTP_FROM_SCTP_INPUT,
4044 stcb->asoc.overall_error_count = 0;
4045 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb,
4048 process_control_chunks:
4049 while (IS_SCTP_CONTROL(ch)) {
4050 /* validate chunk length */
4051 chk_length = ntohs(ch->chunk_length);
4052 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n",
4053 ch->chunk_type, chk_length);
4054 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length);
4055 if (chk_length < sizeof(*ch) ||
4056 (*offset + (int)chk_length) > length) {
4059 SCTP_TCB_UNLOCK(locked_tcb);
4063 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
4065 * INIT-ACK only gets the init ack "header" portion only
4066 * because we don't have to process the peer's COOKIE. All
4067 * others get a complete chunk.
4069 if ((ch->chunk_type == SCTP_INITIATION_ACK) ||
4070 (ch->chunk_type == SCTP_INITIATION)) {
4071 /* get an init-ack chunk */
4072 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4073 sizeof(struct sctp_init_ack_chunk), chunk_buf);
4077 SCTP_TCB_UNLOCK(locked_tcb);
4082 /* For cookies and all other chunks. */
4083 if (chk_length > sizeof(chunk_buf)) {
4085 * use just the size of the chunk buffer so
4086 * the front part of our chunks fit in
4087 * contiguous space up to the chunk buffer
4088 * size (508 bytes). For chunks that need to
4089 * get more than that they must use the
4090 * sctp_m_getptr() function or other means
4091 * (e.g. know how to parse mbuf chains).
4092 * Cookies do this already.
4094 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4095 (sizeof(chunk_buf) - 4),
4100 SCTP_TCB_UNLOCK(locked_tcb);
4105 /* We can fit it all */
4106 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4107 chk_length, chunk_buf);
4109 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n");
4112 SCTP_TCB_UNLOCK(locked_tcb);
4119 /* Save off the last place we got a control from */
4121 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) {
4123 * allow last_control to be NULL if
4124 * ASCONF... ASCONF processing will find the
4127 if ((netp != NULL) && (*netp != NULL))
4128 stcb->asoc.last_control_chunk_from = *netp;
4131 #ifdef SCTP_AUDITING_ENABLED
4132 sctp_audit_log(0xB0, ch->chunk_type);
4135 /* check to see if this chunk required auth, but isn't */
4136 if ((stcb != NULL) && !sctp_auth_disable &&
4137 sctp_auth_is_required_chunk(ch->chunk_type,
4138 stcb->asoc.local_auth_chunks) &&
4139 !stcb->asoc.authenticated) {
4140 /* "silently" ignore */
4141 SCTP_STAT_INCR(sctps_recvauthmissing);
4144 switch (ch->chunk_type) {
4145 case SCTP_INITIATION:
4146 /* must be first and only chunk */
4147 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n");
4148 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4149 /* We are not interested anymore? */
4150 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4152 * collision case where we are
4153 * sending to them too
4158 SCTP_TCB_UNLOCK(locked_tcb);
4164 if ((chk_length > SCTP_LARGEST_INIT_ACCEPTED) ||
4166 (sctp_strict_init && (length - *offset > (int)SCTP_SIZE32(chk_length)))) {
4169 SCTP_TCB_UNLOCK(locked_tcb);
4173 if ((stcb != NULL) &&
4174 (SCTP_GET_STATE(&stcb->asoc) ==
4175 SCTP_STATE_SHUTDOWN_ACK_SENT)) {
4176 sctp_send_shutdown_ack(stcb,
4177 stcb->asoc.primary_destination);
4179 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
4181 SCTP_TCB_UNLOCK(locked_tcb);
4186 sctp_handle_init(m, iphlen, *offset, sh,
4187 (struct sctp_init_chunk *)ch, inp,
4188 stcb, *netp, &abort_no_unlock, vrf_id, port);
4190 if (abort_no_unlock)
4195 SCTP_TCB_UNLOCK(locked_tcb);
4199 case SCTP_PAD_CHUNK:
4201 case SCTP_INITIATION_ACK:
4202 /* must be first and only chunk */
4203 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n");
4204 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4205 /* We are not interested anymore */
4206 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4210 SCTP_TCB_UNLOCK(locked_tcb);
4214 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4215 so = SCTP_INP_SO(inp);
4216 atomic_add_int(&stcb->asoc.refcnt, 1);
4217 SCTP_TCB_UNLOCK(stcb);
4218 SCTP_SOCKET_LOCK(so, 1);
4219 SCTP_TCB_LOCK(stcb);
4220 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4222 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
4223 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4224 SCTP_SOCKET_UNLOCK(so, 1);
4230 if ((num_chunks > 1) ||
4231 (sctp_strict_init && (length - *offset > (int)SCTP_SIZE32(chk_length)))) {
4234 SCTP_TCB_UNLOCK(locked_tcb);
4238 if ((netp) && (*netp)) {
4239 ret = sctp_handle_init_ack(m, iphlen, *offset, sh,
4240 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id);
4245 * Special case, I must call the output routine to
4246 * get the cookie echoed
4248 if (abort_no_unlock)
4251 if ((stcb) && ret == 0)
4252 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
4255 SCTP_TCB_UNLOCK(locked_tcb);
4259 case SCTP_SELECTIVE_ACK:
4260 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n");
4261 SCTP_STAT_INCR(sctps_recvsacks);
4263 struct sctp_sack_chunk *sack;
4265 uint32_t a_rwnd, cum_ack;
4269 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_sack_chunk))) {
4270 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on sack chunk, too small\n");
4274 SCTP_TCB_UNLOCK(locked_tcb);
4278 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
4280 * If we have sent a shutdown-ack, we will pay no
4281 * attention to a sack sent in to us since
4282 * we don't care anymore.
4286 sack = (struct sctp_sack_chunk *)ch;
4287 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM;
4288 cum_ack = ntohl(sack->sack.cum_tsn_ack);
4289 num_seg = ntohs(sack->sack.num_gap_ack_blks);
4290 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd);
4291 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
4296 stcb->asoc.seen_a_sack_this_pkt = 1;
4297 if ((stcb->asoc.pr_sctp_cnt == 0) &&
4299 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) ||
4300 (cum_ack == stcb->asoc.last_acked_seq)) &&
4301 (stcb->asoc.saw_sack_with_frags == 0) &&
4302 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
4305 * We have a SIMPLE sack having no
4306 * prior segments and data on sent
4307 * queue to be acked.. Use the
4308 * faster path sack processing. We
4309 * also allow window update sacks
4310 * with no missing segments to go
4313 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag,
4317 sctp_handle_sack(m, *offset,
4318 sack, stcb, *netp, &abort_now, chk_length, a_rwnd);
4321 /* ABORT signal from sack processing */
4327 case SCTP_HEARTBEAT_REQUEST:
4328 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n");
4329 if ((stcb) && netp && *netp) {
4330 SCTP_STAT_INCR(sctps_recvheartbeat);
4331 sctp_send_heartbeat_ack(stcb, m, *offset,
4334 /* He's alive so give him credit */
4335 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4336 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4337 stcb->asoc.overall_error_count,
4339 SCTP_FROM_SCTP_INPUT,
4342 stcb->asoc.overall_error_count = 0;
4345 case SCTP_HEARTBEAT_ACK:
4346 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n");
4347 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) {
4351 SCTP_TCB_UNLOCK(locked_tcb);
4355 /* He's alive so give him credit */
4356 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4357 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4358 stcb->asoc.overall_error_count,
4360 SCTP_FROM_SCTP_INPUT,
4363 stcb->asoc.overall_error_count = 0;
4364 SCTP_STAT_INCR(sctps_recvheartbeatack);
4366 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
4369 case SCTP_ABORT_ASSOCIATION:
4370 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n",
4372 if ((stcb) && netp && *netp)
4373 sctp_handle_abort((struct sctp_abort_chunk *)ch,
4379 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n",
4381 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) {
4384 SCTP_TCB_UNLOCK(locked_tcb);
4388 if (netp && *netp) {
4391 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
4392 stcb, *netp, &abort_flag);
4399 case SCTP_SHUTDOWN_ACK:
4400 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", stcb);
4401 if ((stcb) && (netp) && (*netp))
4402 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
4407 case SCTP_OPERATION_ERROR:
4408 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n");
4409 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) {
4415 case SCTP_COOKIE_ECHO:
4416 SCTPDBG(SCTP_DEBUG_INPUT3,
4417 "SCTP_COOKIE-ECHO, stcb %p\n", stcb);
4418 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4421 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4422 /* We are not interested anymore */
4428 * First are we accepting? We do this again here
4429 * sincen it is possible that a previous endpoint
4430 * WAS listening responded to a INIT-ACK and then
4431 * closed. We opened and bound.. and are now no
4435 if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) {
4436 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
4437 (sctp_abort_if_one_2_one_hits_limit)) {
4439 struct sctp_paramhdr *phdr;
4441 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
4442 0, M_DONTWAIT, 1, MT_DATA);
4444 SCTP_BUF_LEN(oper) =
4445 sizeof(struct sctp_paramhdr);
4447 struct sctp_paramhdr *);
4449 htons(SCTP_CAUSE_OUT_OF_RESC);
4450 phdr->param_length =
4451 htons(sizeof(struct sctp_paramhdr));
4453 sctp_abort_association(inp, stcb, m,
4454 iphlen, sh, oper, vrf_id, port);
4459 struct mbuf *ret_buf;
4460 struct sctp_inpcb *linp;
4469 SCTP_ASOC_CREATE_LOCK(linp);
4473 sctp_handle_cookie_echo(m, iphlen,
4475 (struct sctp_cookie_echo_chunk *)ch,
4487 SCTP_ASOC_CREATE_UNLOCK(linp);
4489 if (ret_buf == NULL) {
4491 SCTP_TCB_UNLOCK(locked_tcb);
4493 SCTPDBG(SCTP_DEBUG_INPUT3,
4494 "GAK, null buffer\n");
4499 /* if AUTH skipped, see if it verified... */
4504 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
4506 * Restart the timer if we have
4509 struct sctp_tmit_chunk *chk;
4511 chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
4513 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
4514 stcb->sctp_ep, stcb,
4520 case SCTP_COOKIE_ACK:
4521 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", stcb);
4522 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) {
4524 SCTP_TCB_UNLOCK(locked_tcb);
4528 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4529 /* We are not interested anymore */
4530 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4533 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4534 so = SCTP_INP_SO(inp);
4535 atomic_add_int(&stcb->asoc.refcnt, 1);
4536 SCTP_TCB_UNLOCK(stcb);
4537 SCTP_SOCKET_LOCK(so, 1);
4538 SCTP_TCB_LOCK(stcb);
4539 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4541 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
4542 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4543 SCTP_SOCKET_UNLOCK(so, 1);
4549 /* He's alive so give him credit */
4550 if ((stcb) && netp && *netp) {
4551 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4552 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4553 stcb->asoc.overall_error_count,
4555 SCTP_FROM_SCTP_INPUT,
4558 stcb->asoc.overall_error_count = 0;
4559 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
4563 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n");
4564 /* He's alive so give him credit */
4565 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) {
4568 SCTP_TCB_UNLOCK(locked_tcb);
4574 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4575 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4576 stcb->asoc.overall_error_count,
4578 SCTP_FROM_SCTP_INPUT,
4581 stcb->asoc.overall_error_count = 0;
4582 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
4587 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n");
4588 /* He's alive so give him credit */
4589 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) {
4592 SCTP_TCB_UNLOCK(locked_tcb);
4598 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4599 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4600 stcb->asoc.overall_error_count,
4602 SCTP_FROM_SCTP_INPUT,
4605 stcb->asoc.overall_error_count = 0;
4606 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb);
4609 case SCTP_SHUTDOWN_COMPLETE:
4610 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", stcb);
4611 /* must be first and only chunk */
4612 if ((num_chunks > 1) ||
4613 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
4616 SCTP_TCB_UNLOCK(locked_tcb);
4620 if ((stcb) && netp && *netp) {
4621 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
4628 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n");
4629 /* He's alive so give him credit */
4631 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4632 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4633 stcb->asoc.overall_error_count,
4635 SCTP_FROM_SCTP_INPUT,
4638 stcb->asoc.overall_error_count = 0;
4639 sctp_handle_asconf(m, *offset,
4640 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0);
4644 case SCTP_ASCONF_ACK:
4645 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n");
4646 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) {
4649 SCTP_TCB_UNLOCK(locked_tcb);
4654 if ((stcb) && netp && *netp) {
4655 /* He's alive so give him credit */
4656 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4657 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4658 stcb->asoc.overall_error_count,
4660 SCTP_FROM_SCTP_INPUT,
4663 stcb->asoc.overall_error_count = 0;
4664 sctp_handle_asconf_ack(m, *offset,
4665 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock);
4666 if (abort_no_unlock)
4670 case SCTP_FORWARD_CUM_TSN:
4671 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n");
4672 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) {
4675 SCTP_TCB_UNLOCK(locked_tcb);
4680 /* He's alive so give him credit */
4684 stcb->asoc.overall_error_count = 0;
4685 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4686 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4687 stcb->asoc.overall_error_count,
4689 SCTP_FROM_SCTP_INPUT,
4693 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4694 /* We are not interested anymore */
4695 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4696 so = SCTP_INP_SO(inp);
4697 atomic_add_int(&stcb->asoc.refcnt, 1);
4698 SCTP_TCB_UNLOCK(stcb);
4699 SCTP_SOCKET_LOCK(so, 1);
4700 SCTP_TCB_LOCK(stcb);
4701 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4703 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29);
4704 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4705 SCTP_SOCKET_UNLOCK(so, 1);
4710 sctp_handle_forward_tsn(stcb,
4711 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset);
4716 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
4717 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4718 stcb->asoc.overall_error_count,
4720 SCTP_FROM_SCTP_INPUT,
4723 stcb->asoc.overall_error_count = 0;
4728 case SCTP_STREAM_RESET:
4729 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n");
4730 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) {
4733 SCTP_TCB_UNLOCK(locked_tcb);
4738 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4739 /* We are not interested anymore */
4740 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4741 so = SCTP_INP_SO(inp);
4742 atomic_add_int(&stcb->asoc.refcnt, 1);
4743 SCTP_TCB_UNLOCK(stcb);
4744 SCTP_SOCKET_LOCK(so, 1);
4745 SCTP_TCB_LOCK(stcb);
4746 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4748 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_30);
4749 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4750 SCTP_SOCKET_UNLOCK(so, 1);
4755 if (stcb->asoc.peer_supports_strreset == 0) {
4757 * hmm, peer should have announced this, but
4758 * we will turn it on since he is sending us
4761 stcb->asoc.peer_supports_strreset = 1;
4763 if (sctp_handle_stream_reset(stcb, m, *offset, (struct sctp_stream_reset_out_req *)ch)) {
4764 /* stop processing */
4769 case SCTP_PACKET_DROPPED:
4770 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n");
4771 /* re-get it all please */
4772 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) {
4775 SCTP_TCB_UNLOCK(locked_tcb);
4780 if (ch && (stcb) && netp && (*netp)) {
4781 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
4783 min(chk_length, (sizeof(chunk_buf) - 4)));
4788 case SCTP_AUTHENTICATION:
4789 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n");
4790 if (sctp_auth_disable)
4794 /* save the first AUTH for later processing */
4795 if (auth_skipped == 0) {
4796 auth_offset = *offset;
4797 auth_len = chk_length;
4800 /* skip this chunk (temporarily) */
4803 if ((chk_length < (sizeof(struct sctp_auth_chunk))) ||
4804 (chk_length > (sizeof(struct sctp_auth_chunk) +
4805 SCTP_AUTH_DIGEST_LEN_MAX))) {
4808 SCTP_TCB_UNLOCK(locked_tcb);
4813 if (got_auth == 1) {
4814 /* skip this chunk... it's already auth'd */
4818 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch,
4820 /* auth HMAC failed so dump the packet */
4824 /* remaining chunks are HMAC checked */
4825 stcb->asoc.authenticated = 1;
4831 /* it's an unknown chunk! */
4832 if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
4834 struct sctp_paramhdr *phd;
4836 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
4837 0, M_DONTWAIT, 1, MT_DATA);
4839 phd = mtod(mm, struct sctp_paramhdr *);
4841 * We cheat and use param type since
4842 * we did not bother to define a
4843 * error cause struct. They are the
4844 * same basic format with different
4847 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK);
4848 phd->param_length = htons(chk_length + sizeof(*phd));
4849 SCTP_BUF_LEN(mm) = sizeof(*phd);
4850 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length),
4852 if (SCTP_BUF_NEXT(mm)) {
4853 #ifdef SCTP_MBUF_LOGGING
4854 if (sctp_logging_level & SCTP_MBUF_LOGGING_ENABLE) {
4857 mat = SCTP_BUF_NEXT(mm);
4859 if (SCTP_BUF_IS_EXTENDED(mat)) {
4860 sctp_log_mb(mat, SCTP_MBUF_ICOPY);
4862 mat = SCTP_BUF_NEXT(mat);
4866 sctp_queue_op_err(stcb, mm);
4872 if ((ch->chunk_type & 0x80) == 0) {
4873 /* discard this packet */
4876 } /* else skip this bad chunk and continue... */
4878 } /* switch (ch->chunk_type) */
4882 /* get the next chunk */
4883 *offset += SCTP_SIZE32(chk_length);
4884 if (*offset >= length) {
4885 /* no more data left in the mbuf chain */
4888 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4889 sizeof(struct sctp_chunkhdr), chunk_buf);
4892 SCTP_TCB_UNLOCK(locked_tcb);
4899 if (asconf_cnt > 0 && stcb != NULL) {
4900 sctp_send_asconf_ack(stcb);
4907 * Process the ECN bits we have something set so we must look to see if it is
4908 * ECN(0) or ECN(1) or CE
4911 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net,
4914 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
4916 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) {
4918 * we only add to the nonce sum for ECT1, ECT0 does not
4919 * change the NS bit (that we have yet to find a way to send
4923 /* ECN Nonce stuff */
4924 stcb->asoc.receiver_nonce_sum++;
4925 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM;
4928 * Drag up the last_echo point if cumack is larger since we
4929 * don't want the point falling way behind by more than
4930 * 2^^31 and then having it be incorrect.
4932 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
4933 stcb->asoc.last_echo_tsn, MAX_TSN)) {
4934 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
4936 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) {
4938 * Drag up the last_echo point if cumack is larger since we
4939 * don't want the point falling way behind by more than
4940 * 2^^31 and then having it be incorrect.
4942 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
4943 stcb->asoc.last_echo_tsn, MAX_TSN)) {
4944 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
4950 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net,
4951 uint32_t high_tsn, uint8_t ecn_bits)
4953 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
4955 * we possibly must notify the sender that a congestion
4956 * window reduction is in order. We do this by adding a ECNE
4957 * chunk to the output chunk queue. The incoming CWR will
4958 * remove this chunk.
4960 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn,
4962 /* Yep, we need to add a ECNE */
4963 sctp_send_ecn_echo(stcb, net, high_tsn);
4964 stcb->asoc.last_echo_tsn = high_tsn;
4971 sctp_validate_no_locks(struct sctp_inpcb *inp)
4973 struct sctp_tcb *stcb;
4975 LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
4976 if (mtx_owned(&stcb->tcb_mtx)) {
4977 panic("Own lock on stcb at return from input");
4985 * common input chunk processing (v4 and v6)
4988 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset,
4989 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch,
4990 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
4991 uint8_t ecn_bits, uint32_t vrf_id, uint16_t port)
4994 * Control chunk processing
4997 int fwd_tsn_seen = 0, data_processed = 0;
4998 struct mbuf *m = *mm;
5002 SCTP_STAT_INCR(sctps_recvdatagrams);
5003 #ifdef SCTP_AUDITING_ENABLED
5004 sctp_audit_log(0xE0, 1);
5005 sctp_auditing(0, inp, stcb, net);
5008 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d stcb:%p\n",
5009 m, iphlen, offset, stcb);
5011 /* always clear this before beginning a packet */
5012 stcb->asoc.authenticated = 0;
5013 stcb->asoc.seen_a_sack_this_pkt = 0;
5014 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n",
5015 stcb, stcb->asoc.state);
5017 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) ||
5018 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) {
5020 * If we hit here, we had a ref count
5021 * up when the assoc was aborted and the
5022 * timer is clearing out the assoc, we should
5023 * NOT respond to any packet.. its OOTB.
5025 SCTP_TCB_UNLOCK(stcb);
5026 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
5031 if (IS_SCTP_CONTROL(ch)) {
5032 /* process the control portion of the SCTP packet */
5033 /* sa_ignore NO_NULL_CHK */
5034 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch,
5035 inp, stcb, &net, &fwd_tsn_seen, vrf_id, port);
5038 * This covers us if the cookie-echo was there and
5039 * it changes our INP.
5041 inp = stcb->sctp_ep;
5045 * no control chunks, so pre-process DATA chunks (these
5046 * checks are taken care of by control processing)
5050 * if DATA only packet, and auth is required, then punt...
5051 * can't have authenticated without any AUTH (control)
5054 if ((stcb != NULL) && !sctp_auth_disable &&
5055 sctp_auth_is_required_chunk(SCTP_DATA,
5056 stcb->asoc.local_auth_chunks)) {
5057 /* "silently" ignore */
5058 SCTP_STAT_INCR(sctps_recvauthmissing);
5059 SCTP_TCB_UNLOCK(stcb);
5063 /* out of the blue DATA chunk */
5064 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
5068 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
5069 /* v_tag mismatch! */
5070 SCTP_STAT_INCR(sctps_badvtag);
5071 SCTP_TCB_UNLOCK(stcb);
5078 * no valid TCB for this packet, or we found it's a bad
5079 * packet while processing control, or we're done with this
5080 * packet (done or skip rest of data), so we drop it...
5085 * DATA chunk processing
5087 /* plow through the data chunks while length > offset */
5090 * Rest should be DATA only. Check authentication state if AUTH for
5093 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable &&
5094 sctp_auth_is_required_chunk(SCTP_DATA,
5095 stcb->asoc.local_auth_chunks) &&
5096 !stcb->asoc.authenticated) {
5097 /* "silently" ignore */
5098 SCTP_STAT_INCR(sctps_recvauthmissing);
5099 SCTPDBG(SCTP_DEBUG_AUTH1,
5100 "Data chunk requires AUTH, skipped\n");
5103 if (length > offset) {
5107 * First check to make sure our state is correct. We would
5108 * not get here unless we really did have a tag, so we don't
5109 * abort if this happens, just dump the chunk silently.
5111 switch (SCTP_GET_STATE(&stcb->asoc)) {
5112 case SCTP_STATE_COOKIE_ECHOED:
5114 * we consider data with valid tags in this state
5115 * shows us the cookie-ack was lost. Imply it was
5118 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) {
5119 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5120 stcb->asoc.overall_error_count,
5122 SCTP_FROM_SCTP_INPUT,
5125 stcb->asoc.overall_error_count = 0;
5126 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net);
5128 case SCTP_STATE_COOKIE_WAIT:
5130 * We consider OOTB any data sent during asoc setup.
5132 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
5134 SCTP_TCB_UNLOCK(stcb);
5136 /* sa_ignore NOTREACHED */
5138 case SCTP_STATE_EMPTY: /* should not happen */
5139 case SCTP_STATE_INUSE: /* should not happen */
5140 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */
5141 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5143 SCTP_TCB_UNLOCK(stcb);
5145 /* sa_ignore NOTREACHED */
5147 case SCTP_STATE_OPEN:
5148 case SCTP_STATE_SHUTDOWN_SENT:
5151 /* take care of ECN, part 1. */
5152 if (stcb->asoc.ecn_allowed &&
5153 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
5154 sctp_process_ecn_marked_a(stcb, net, ecn_bits);
5156 /* plow through the data chunks while length > offset */
5157 retval = sctp_process_data(mm, iphlen, &offset, length, sh,
5158 inp, stcb, net, &high_tsn);
5161 * The association aborted, NO UNLOCK needed since
5162 * the association is destroyed.
5168 /* take care of ecn part 2. */
5169 if (stcb->asoc.ecn_allowed &&
5170 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
5171 sctp_process_ecn_marked_b(stcb, net, high_tsn,
5176 * Anything important needs to have been m_copy'ed in
5180 if ((data_processed == 0) && (fwd_tsn_seen)) {
5183 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map,
5184 stcb->asoc.cumulative_tsn, MAX_TSN)) {
5185 /* there was a gap before this data was processed */
5188 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag);
5190 /* Again, we aborted so NO UNLOCK needed */
5194 /* trigger send of any chunks in queue... */
5196 #ifdef SCTP_AUDITING_ENABLED
5197 sctp_audit_log(0xE0, 2);
5198 sctp_auditing(1, inp, stcb, net);
5200 SCTPDBG(SCTP_DEBUG_INPUT1,
5201 "Check for chunk output prw:%d tqe:%d tf=%d\n",
5202 stcb->asoc.peers_rwnd,
5203 TAILQ_EMPTY(&stcb->asoc.control_send_queue),
5204 stcb->asoc.total_flight);
5205 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
5207 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) ||
5209 (stcb->asoc.peers_rwnd > 0 ||
5210 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) {
5211 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n");
5212 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
5213 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n");
5215 #ifdef SCTP_AUDITING_ENABLED
5216 sctp_audit_log(0xE0, 3);
5217 sctp_auditing(2, inp, stcb, net);
5219 SCTP_TCB_UNLOCK(stcb);
5222 sctp_validate_no_locks(inp);
5229 sctp_input_with_port(i_pak, off, port)
5234 #ifdef SCTP_MBUF_LOGGING
5240 uint32_t vrf_id = 0;
5244 struct sctp_inpcb *inp = NULL;
5246 uint32_t check, calc_check;
5247 struct sctp_nets *net;
5248 struct sctp_tcb *stcb = NULL;
5249 struct sctp_chunkhdr *ch;
5250 int refcount_up = 0;
5251 int length, mlen, offset;
5254 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) {
5255 SCTP_RELEASE_PKT(i_pak);
5258 mlen = SCTP_HEADER_LEN(i_pak);
5260 m = SCTP_HEADER_TO_CHAIN(i_pak);
5263 SCTP_STAT_INCR(sctps_recvpackets);
5264 SCTP_STAT_INCR_COUNTER64(sctps_inpackets);
5267 #ifdef SCTP_MBUF_LOGGING
5268 /* Log in any input mbufs */
5269 if (sctp_logging_level & SCTP_MBUF_LOGGING_ENABLE) {
5272 if (SCTP_BUF_IS_EXTENDED(mat)) {
5273 sctp_log_mb(mat, SCTP_MBUF_INPUT);
5275 mat = SCTP_BUF_NEXT(mat);
5279 #ifdef SCTP_PACKET_LOGGING
5280 if (sctp_logging_level & SCTP_LAST_PACKET_TRACING)
5281 sctp_packet_log(m, mlen);
5284 * Must take out the iphlen, since mlen expects this (only effect lb
5290 * Get IP, SCTP, and first chunk header together in first mbuf.
5292 ip = mtod(m, struct ip *);
5293 offset = iphlen + sizeof(*sh) + sizeof(*ch);
5294 if (SCTP_BUF_LEN(m) < offset) {
5295 if ((m = m_pullup(m, offset)) == 0) {
5296 SCTP_STAT_INCR(sctps_hdrops);
5299 ip = mtod(m, struct ip *);
5301 sh = (struct sctphdr *)((caddr_t)ip + iphlen);
5302 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh));
5303 SCTPDBG(SCTP_DEBUG_INPUT1,
5304 "sctp_input() length:%d iphlen:%d\n", mlen, iphlen);
5306 /* SCTP does not allow broadcasts or multicasts */
5307 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
5310 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) {
5312 * We only look at broadcast if its a front state, All
5313 * others we will not have a tcb for anyway.
5317 /* validate SCTP checksum */
5318 check = sh->checksum; /* save incoming checksum */
5319 if ((check == 0) && (sctp_no_csum_on_loopback) &&
5320 ((ip->ip_src.s_addr == ip->ip_dst.s_addr) ||
5321 (SCTP_IS_IT_LOOPBACK(m)))
5323 goto sctp_skip_csum_4;
5325 sh->checksum = 0; /* prepare for calc */
5326 calc_check = sctp_calculate_sum(m, &mlen, iphlen);
5327 if (calc_check != check) {
5328 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n",
5329 calc_check, check, m, mlen, iphlen);
5331 stcb = sctp_findassociation_addr(m, iphlen,
5332 offset - sizeof(*ch),
5335 if ((net) && (port)) {
5336 if (net->port == 0) {
5337 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
5341 if ((inp) && (stcb)) {
5342 sctp_send_packet_dropped(stcb, net, m, iphlen, 1);
5343 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED);
5344 } else if ((inp != NULL) && (stcb == NULL)) {
5347 SCTP_STAT_INCR(sctps_badsum);
5348 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors);
5351 sh->checksum = calc_check;
5353 /* destination port of 0 is illegal, based on RFC2960. */
5354 if (sh->dest_port == 0) {
5355 SCTP_STAT_INCR(sctps_hdrops);
5358 /* validate mbuf chain length with IP payload length */
5359 if (mlen < (ip->ip_len - iphlen)) {
5360 SCTP_STAT_INCR(sctps_hdrops);
5364 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants
5365 * IP/SCTP/first chunk header...
5367 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch),
5368 sh, ch, &inp, &net, vrf_id);
5369 if ((net) && (port)) {
5370 if (net->port == 0) {
5371 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
5375 /* inp's ref-count increased && stcb locked */
5377 struct sctp_init_chunk *init_chk, chunk_buf;
5379 SCTP_STAT_INCR(sctps_noport);
5382 * we use the bandwidth limiting to protect against sending
5383 * too many ABORTS all at once. In this case these count the
5384 * same as an ICMP message.
5386 if (badport_bandlim(0) < 0)
5388 #endif /* ICMP_BANDLIM */
5389 SCTPDBG(SCTP_DEBUG_INPUT1,
5390 "Sending a ABORT from packet entry!\n");
5391 if (ch->chunk_type == SCTP_INITIATION) {
5393 * we do a trick here to get the INIT tag, dig in
5394 * and get the tag from the INIT and put it in the
5397 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m,
5398 iphlen + sizeof(*sh), sizeof(*init_chk),
5399 (uint8_t *) & chunk_buf);
5400 if (init_chk != NULL)
5401 sh->v_tag = init_chk->init.initiate_tag;
5403 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
5404 sctp_send_shutdown_complete2(m, iphlen, sh, vrf_id, port);
5407 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) {
5410 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION)
5411 sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id, port);
5413 } else if (stcb == NULL) {
5418 * I very much doubt any of the IPSEC stuff will work but I have no
5419 * idea, so I will leave it in place.
5421 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) {
5422 ipsec4stat.in_polvio++;
5423 SCTP_STAT_INCR(sctps_hdrops);
5429 * common chunk processing
5431 length = ip->ip_len + iphlen;
5432 offset -= sizeof(struct sctp_chunkhdr);
5434 ecn_bits = ip->ip_tos;
5436 /* sa_ignore NO_NULL_CHK */
5437 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch,
5438 inp, stcb, net, ecn_bits, vrf_id, port);
5439 /* inp's ref-count reduced && stcb unlocked */
5443 if ((inp) && (refcount_up)) {
5444 /* reduce ref-count */
5445 SCTP_INP_DECR_REF(inp);
5450 SCTP_TCB_UNLOCK(stcb);
5452 if ((inp) && (refcount_up)) {
5453 /* reduce ref-count */
5454 SCTP_INP_DECR_REF(inp);
5462 sctp_input(i_pak, off)
5466 sctp_input_with_port(i_pak, off, 0);