2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
7 * a) Redistributions of source code must retain the above copyright notice,
8 * this list of conditions and the following disclaimer.
10 * b) Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the distribution.
14 * c) Neither the name of Cisco Systems, Inc. nor the names of its
15 * contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
28 * THE POSSIBILITY OF SUCH DAMAGE.
31 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
36 #include <netinet/sctp_os.h>
37 #include <netinet/sctp_var.h>
38 #include <netinet/sctp_sysctl.h>
39 #include <netinet/sctp_pcb.h>
40 #include <netinet/sctp_header.h>
41 #include <netinet/sctputil.h>
42 #include <netinet/sctp_output.h>
43 #include <netinet/sctp_input.h>
44 #include <netinet/sctp_auth.h>
45 #include <netinet/sctp_indata.h>
46 #include <netinet/sctp_asconf.h>
47 #include <netinet/sctp_bsd_addr.h>
48 #include <netinet/sctp_timer.h>
49 #include <netinet/udp.h>
54 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb)
56 struct sctp_nets *net;
59 * This now not only stops all cookie timers it also stops any INIT
60 * timers as well. This will make sure that the timers are stopped
61 * in all collision cases.
63 SCTP_TCB_LOCK_ASSERT(stcb);
64 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
65 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) {
66 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
69 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1);
70 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) {
71 sctp_timer_stop(SCTP_TIMER_TYPE_INIT,
74 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2);
81 sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh,
82 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
83 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, uint16_t port)
85 struct sctp_init *init;
89 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n",
93 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
99 /* First are we accepting? */
100 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) {
101 SCTPDBG(SCTP_DEBUG_INPUT2,
102 "sctp_handle_init: Abort, so_qlimit:%d\n",
103 inp->sctp_socket->so_qlimit);
105 * FIX ME ?? What about TCP model and we have a
106 * match/restart case? Actually no fix is needed. the lookup
107 * will always find the existing assoc so stcb would not be
108 * NULL. It may be questionable to do this since we COULD
109 * just send back the INIT-ACK and hope that the app did
110 * accept()'s by the time the COOKIE was sent. But there is
111 * a price to pay for COOKIE generation and I don't want to
112 * pay it on the chance that the app will actually do some
113 * accepts(). The App just looses and should NOT be in this
116 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
119 *abort_no_unlock = 1;
122 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) {
124 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
125 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
128 *abort_no_unlock = 1;
131 /* validate parameters */
132 if (init->initiate_tag == 0) {
133 /* protocol error... send abort */
134 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
135 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
138 *abort_no_unlock = 1;
141 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) {
142 /* invalid parameter... send abort */
143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
147 *abort_no_unlock = 1;
150 if (init->num_inbound_streams == 0) {
151 /* protocol error... send abort */
152 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
153 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
156 *abort_no_unlock = 1;
159 if (init->num_outbound_streams == 0) {
160 /* protocol error... send abort */
161 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
162 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
165 *abort_no_unlock = 1;
168 init_limit = offset + ntohs(cp->ch.chunk_length);
169 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp),
171 /* auth parameter(s) error... send abort */
172 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id, port);
174 *abort_no_unlock = 1;
177 /* send an INIT-ACK w/cookie */
178 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n");
179 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id, port,
180 ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED));
183 SCTP_INP_RUNLOCK(inp);
188 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error
192 sctp_is_there_unsent_data(struct sctp_tcb *stcb)
195 struct sctp_stream_queue_pending *sp;
196 struct sctp_stream_out *strq;
197 struct sctp_association *asoc;
200 * This function returns the number of streams that have true unsent
201 * data on them. Note that as it looks through it will clean up any
202 * places that have old data that has been sent but left at top of
206 SCTP_TCB_SEND_LOCK(stcb);
207 if (!TAILQ_EMPTY(&asoc->out_wheel)) {
208 /* Check to see if some data queued */
209 TAILQ_FOREACH(strq, &asoc->out_wheel, next_spoke) {
211 /* sa_ignore FREED_MEMORY */
212 sp = TAILQ_FIRST(&strq->outqueue);
216 if ((sp->msg_is_complete) &&
218 (sp->sender_all_done)) {
220 * We are doing differed cleanup. Last time
221 * through when we took all the data the
222 * sender_all_done was not set.
224 if (sp->put_last_out == 0) {
225 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
226 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
232 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
233 TAILQ_REMOVE(&strq->outqueue, sp, next);
234 sctp_free_remote_addr(sp->net);
236 sctp_m_freem(sp->data);
239 sctp_free_a_strmoq(stcb, sp);
240 goto is_there_another;
247 SCTP_TCB_SEND_UNLOCK(stcb);
248 return (unsent_data);
252 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb,
253 struct sctp_nets *net)
255 struct sctp_init *init;
256 struct sctp_association *asoc;
257 struct sctp_nets *lnet;
262 /* save off parameters */
263 asoc->peer_vtag = ntohl(init->initiate_tag);
264 asoc->peers_rwnd = ntohl(init->a_rwnd);
265 if (TAILQ_FIRST(&asoc->nets)) {
266 /* update any ssthresh's that may have a default */
267 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
268 lnet->ssthresh = asoc->peers_rwnd;
270 if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) {
271 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION);
275 SCTP_TCB_SEND_LOCK(stcb);
276 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
278 struct sctp_stream_out *outs;
279 struct sctp_stream_queue_pending *sp;
281 /* cut back on number of streams */
282 newcnt = ntohs(init->num_inbound_streams);
283 /* This if is probably not needed but I am cautious */
285 /* First make sure no data chunks are trapped */
286 for (i = newcnt; i < asoc->pre_open_streams; i++) {
287 outs = &asoc->strmout[i];
288 sp = TAILQ_FIRST(&outs->outqueue);
290 TAILQ_REMOVE(&outs->outqueue, sp,
292 asoc->stream_queue_cnt--;
293 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL,
294 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT,
295 sp, SCTP_SO_NOT_LOCKED);
297 sctp_m_freem(sp->data);
300 sctp_free_remote_addr(sp->net);
303 SCTP_PRINTF("sp:%p tcb:%p weird free case\n",
306 sctp_free_a_strmoq(stcb, sp);
307 /* sa_ignore FREED_MEMORY */
308 sp = TAILQ_FIRST(&outs->outqueue);
312 /* cut back the count and abandon the upper streams */
313 asoc->pre_open_streams = newcnt;
315 SCTP_TCB_SEND_UNLOCK(stcb);
316 asoc->streamoutcnt = asoc->pre_open_streams;
318 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
319 /* EY - nr_sack: initialize highest tsn in nr_mapping_array */
320 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
321 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
322 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
324 /* This is the next one we expect */
325 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
327 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
329 * EY 05/13/08 - nr_sack: initialize nr_mapping array's base tsn
332 asoc->nr_mapping_array_base_tsn = ntohl(init->initial_tsn);
333 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in;
334 asoc->last_echo_tsn = asoc->asconf_seq_in;
335 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
336 /* open the requested streams */
338 if (asoc->strmin != NULL) {
339 /* Free the old ones */
340 struct sctp_queued_to_read *ctl;
342 for (i = 0; i < asoc->streamincnt; i++) {
343 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
345 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next);
346 sctp_free_remote_addr(ctl->whoFrom);
348 sctp_m_freem(ctl->data);
350 sctp_free_a_readq(stcb, ctl);
351 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
354 SCTP_FREE(asoc->strmin, SCTP_M_STRMI);
356 asoc->streamincnt = ntohs(init->num_outbound_streams);
357 if (asoc->streamincnt > MAX_SCTP_STREAMS) {
358 asoc->streamincnt = MAX_SCTP_STREAMS;
360 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt *
361 sizeof(struct sctp_stream_in), SCTP_M_STRMI);
362 if (asoc->strmin == NULL) {
363 /* we didn't get memory for the streams! */
364 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n");
367 for (i = 0; i < asoc->streamincnt; i++) {
368 asoc->strmin[i].stream_no = i;
369 asoc->strmin[i].last_sequence_delivered = 0xffff;
371 * U-stream ranges will be set when the cookie is unpacked.
372 * Or for the INIT sender they are un set (if pr-sctp not
373 * supported) when the INIT-ACK arrives.
375 TAILQ_INIT(&asoc->strmin[i].inqueue);
376 asoc->strmin[i].delivery_started = 0;
379 * load_address_from_init will put the addresses into the
380 * association when the COOKIE is processed or the INIT-ACK is
381 * processed. Both types of COOKIE's existing and new call this
382 * routine. It will remove addresses that are no longer in the
383 * association (for the restarting case where addresses are
384 * removed). Up front when the INIT arrives we will discard it if it
385 * is a restart and new addresses have been added.
387 /* sa_ignore MEMLEAK */
392 * INIT-ACK message processing/consumption returns value < 0 on error
395 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
396 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
397 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id)
399 struct sctp_association *asoc;
401 int retval, abort_flag;
402 uint32_t initack_limit;
403 int nat_friendly = 0;
405 /* First verify that we have no illegal param's */
409 op_err = sctp_arethere_unrecognized_parameters(m,
410 (offset + sizeof(struct sctp_init_chunk)),
411 &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly);
413 /* Send an abort and notify peer */
414 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err, SCTP_SO_NOT_LOCKED);
415 *abort_no_unlock = 1;
419 asoc->peer_supports_nat = (uint8_t) nat_friendly;
420 /* process the peer's parameters in the INIT-ACK */
421 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net);
425 initack_limit = offset + ntohs(cp->ch.chunk_length);
426 /* load all addresses */
427 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen,
428 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh,
430 /* Huh, we should abort */
431 SCTPDBG(SCTP_DEBUG_INPUT1,
432 "Load addresses from INIT causes an abort %d\n",
434 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
436 *abort_no_unlock = 1;
439 /* if the peer doesn't support asconf, flush the asconf queue */
440 if (asoc->peer_supports_asconf == 0) {
441 struct sctp_asconf_addr *aparam;
443 while (!TAILQ_EMPTY(&asoc->asconf_queue)) {
444 /* sa_ignore FREED_MEMORY */
445 aparam = TAILQ_FIRST(&asoc->asconf_queue);
446 TAILQ_REMOVE(&asoc->asconf_queue, aparam, next);
447 SCTP_FREE(aparam, SCTP_M_ASC_ADDR);
450 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs,
451 stcb->asoc.local_hmacs);
453 sctp_queue_op_err(stcb, op_err);
454 /* queuing will steal away the mbuf chain to the out queue */
457 /* extract the cookie and queue it to "echo" it back... */
458 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
459 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
460 stcb->asoc.overall_error_count,
462 SCTP_FROM_SCTP_INPUT,
465 stcb->asoc.overall_error_count = 0;
466 net->error_count = 0;
469 * Cancel the INIT timer, We do this first before queueing the
470 * cookie. We always cancel at the primary to assue that we are
471 * canceling the timer started by the INIT which always goes to the
474 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
475 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4);
477 /* calculate the RTO */
478 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy);
480 retval = sctp_send_cookie_echo(m, offset, stcb, net);
483 * No cookie, we probably should send a op error. But in any
484 * case if there is no cookie in the INIT-ACK, we can
485 * abandon the peer, its broke.
488 /* We abort with an error of missing mandatory param */
490 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM);
493 * Expand beyond to include the mandatory
496 struct sctp_inv_mandatory_param *mp;
498 SCTP_BUF_LEN(op_err) =
499 sizeof(struct sctp_inv_mandatory_param);
501 struct sctp_inv_mandatory_param *);
502 /* Subtract the reserved param */
504 htons(sizeof(struct sctp_inv_mandatory_param) - 2);
505 mp->num_param = htonl(1);
506 mp->param = htons(SCTP_STATE_COOKIE);
509 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
510 sh, op_err, 0, net->port);
511 *abort_no_unlock = 1;
519 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
520 struct sctp_tcb *stcb, struct sctp_nets *net)
522 struct sockaddr_storage store;
523 struct sockaddr_in *sin;
524 struct sockaddr_in6 *sin6;
525 struct sctp_nets *r_net;
529 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
533 sin = (struct sockaddr_in *)&store;
534 sin6 = (struct sockaddr_in6 *)&store;
536 memset(&store, 0, sizeof(store));
537 if (cp->heartbeat.hb_info.addr_family == AF_INET &&
538 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
539 sin->sin_family = cp->heartbeat.hb_info.addr_family;
540 sin->sin_len = cp->heartbeat.hb_info.addr_len;
541 sin->sin_port = stcb->rport;
542 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address,
543 sizeof(sin->sin_addr));
544 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 &&
545 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
546 sin6->sin6_family = cp->heartbeat.hb_info.addr_family;
547 sin6->sin6_len = cp->heartbeat.hb_info.addr_len;
548 sin6->sin6_port = stcb->rport;
549 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address,
550 sizeof(sin6->sin6_addr));
554 r_net = sctp_findnet(stcb, (struct sockaddr *)sin);
556 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n");
559 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
560 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
561 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
563 * If the its a HB and it's random value is correct when can
564 * confirm the destination.
566 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
567 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) {
568 stcb->asoc.primary_destination = r_net;
569 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY;
570 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY;
571 r_net = TAILQ_FIRST(&stcb->asoc.nets);
572 if (r_net != stcb->asoc.primary_destination) {
574 * first one on the list is NOT the primary
575 * sctp_cmpaddr() is much more efficent if
576 * the primary is the first on the list,
579 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
580 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
584 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
585 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
587 r_net->error_count = 0;
588 r_net->hb_responded = 1;
589 tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
590 tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
591 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) {
592 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE;
593 r_net->dest_state |= SCTP_ADDR_REACHABLE;
594 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
595 SCTP_HEARTBEAT_SUCCESS, (void *)r_net, SCTP_SO_NOT_LOCKED);
596 /* now was it the primary? if so restore */
597 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) {
598 (void)sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net);
602 * JRS 5/14/07 - If CMT PF is on and the destination is in PF state,
603 * set the destination to active state and set the cwnd to one or
604 * two MTU's based on whether PF1 or PF2 is being used. If a T3
605 * timer is running, for the destination, stop the timer because a
606 * PF-heartbeat was received.
608 if (SCTP_BASE_SYSCTL(sctp_cmt_on_off) &&
609 SCTP_BASE_SYSCTL(sctp_cmt_pf) &&
610 (net->dest_state & SCTP_ADDR_PF) == SCTP_ADDR_PF) {
611 if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
612 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
614 SCTP_FROM_SCTP_INPUT + SCTP_LOC_5);
616 net->dest_state &= ~SCTP_ADDR_PF;
617 net->cwnd = net->mtu * SCTP_BASE_SYSCTL(sctp_cmt_pf);
618 SCTPDBG(SCTP_DEBUG_INPUT1, "Destination %p moved from PF to reachable with cwnd %d.\n",
621 /* Now lets do a RTO with this */
622 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy);
623 /* Mobility adaptation */
625 if ((sctp_is_mobility_feature_on(stcb->sctp_ep,
626 SCTP_MOBILITY_BASE) ||
627 sctp_is_mobility_feature_on(stcb->sctp_ep,
628 SCTP_MOBILITY_FASTHANDOFF)) &&
629 sctp_is_mobility_feature_on(stcb->sctp_ep,
630 SCTP_MOBILITY_PRIM_DELETED)) {
632 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_TIMER + SCTP_LOC_7);
633 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
634 SCTP_MOBILITY_FASTHANDOFF)) {
635 sctp_assoc_immediate_retrans(stcb,
636 stcb->asoc.primary_destination);
638 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
639 SCTP_MOBILITY_BASE)) {
640 sctp_move_chunks_from_deleted_prim(stcb,
641 stcb->asoc.primary_destination);
643 sctp_delete_prim_timer(stcb->sctp_ep, stcb,
644 stcb->asoc.deleted_primary);
650 sctp_handle_nat_colliding_state(struct sctp_tcb *stcb)
653 * return 0 means we want you to proceed with the abort non-zero
654 * means no abort processing
656 struct sctpasochead *head;
658 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) {
659 /* generate a new vtag and send init */
660 LIST_REMOVE(stcb, sctp_asocs);
661 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
662 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
664 * put it in the bucket in the vtag hash of assoc's for the
667 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
668 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
671 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED) {
673 * treat like a case where the cookie expired i.e.: - dump
674 * current cookie. - generate a new vtag. - resend init.
676 /* generate a new vtag and send init */
677 LIST_REMOVE(stcb, sctp_asocs);
678 stcb->asoc.state &= ~SCTP_STATE_COOKIE_ECHOED;
679 stcb->asoc.state |= SCTP_STATE_COOKIE_WAIT;
680 sctp_stop_all_cookie_timers(stcb);
681 sctp_toss_old_cookies(stcb, &stcb->asoc);
682 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
683 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
685 * put it in the bucket in the vtag hash of assoc's for the
688 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
689 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
696 sctp_handle_nat_missing_state(struct sctp_tcb *stcb,
697 struct sctp_nets *net)
700 * return 0 means we want you to proceed with the abort non-zero
701 * means no abort processing
703 if (stcb->asoc.peer_supports_auth == 0) {
704 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n");
707 sctp_asconf_send_nat_state_update(stcb, net);
713 sctp_handle_abort(struct sctp_abort_chunk *cp,
714 struct sctp_tcb *stcb, struct sctp_nets *net)
716 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
722 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n");
726 len = ntohs(cp->ch.chunk_length);
727 if (len > sizeof(struct sctp_chunkhdr)) {
729 * Need to check the cause codes for our two magic nat
730 * aborts which don't kill the assoc necessarily.
732 struct sctp_abort_chunk *cpnext;
733 struct sctp_missing_nat_state *natc;
738 natc = (struct sctp_missing_nat_state *)cpnext;
739 cause = ntohs(natc->cause);
740 if (cause == SCTP_CAUSE_NAT_COLLIDING_STATE) {
741 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
743 if (sctp_handle_nat_colliding_state(stcb)) {
746 } else if (cause == SCTP_CAUSE_NAT_MISSING_STATE) {
747 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
749 if (sctp_handle_nat_missing_state(stcb, net)) {
754 /* stop any receive timers */
755 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
756 /* notify user of the abort and clean up... */
757 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED);
759 #if defined(SCTP_PANIC_ON_ABORT)
760 printf("stcb:%p state:%d rport:%d net:%p\n",
761 stcb, stcb->asoc.state, stcb->rport, net);
762 if (!(stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
763 panic("Received an ABORT");
765 printf("No panic its in state %x closed\n", stcb->asoc.state);
768 SCTP_STAT_INCR_COUNTER32(sctps_aborted);
769 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) ||
770 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
771 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
773 #ifdef SCTP_ASOCLOG_OF_TSNS
774 sctp_print_out_track_log(stcb);
776 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
777 so = SCTP_INP_SO(stcb->sctp_ep);
778 atomic_add_int(&stcb->asoc.refcnt, 1);
779 SCTP_TCB_UNLOCK(stcb);
780 SCTP_SOCKET_LOCK(so, 1);
782 atomic_subtract_int(&stcb->asoc.refcnt, 1);
784 stcb->asoc.state |= SCTP_STATE_WAS_ABORTED;
785 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
786 SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
787 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
788 SCTP_SOCKET_UNLOCK(so, 1);
790 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n");
794 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
795 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
797 struct sctp_association *asoc;
798 int some_on_streamwheel;
800 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
805 SCTPDBG(SCTP_DEBUG_INPUT2,
806 "sctp_handle_shutdown: handling SHUTDOWN\n");
810 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
811 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
814 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
815 /* Shutdown NOT the expected size */
818 sctp_update_acked(stcb, cp, net, abort_flag);
820 if (asoc->control_pdapi) {
822 * With a normal shutdown we assume the end of last record.
824 SCTP_INP_READ_LOCK(stcb->sctp_ep);
825 asoc->control_pdapi->end_added = 1;
826 asoc->control_pdapi->pdapi_aborted = 1;
827 asoc->control_pdapi = NULL;
828 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
829 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
830 so = SCTP_INP_SO(stcb->sctp_ep);
831 atomic_add_int(&stcb->asoc.refcnt, 1);
832 SCTP_TCB_UNLOCK(stcb);
833 SCTP_SOCKET_LOCK(so, 1);
835 atomic_subtract_int(&stcb->asoc.refcnt, 1);
836 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
837 /* assoc was freed while we were unlocked */
838 SCTP_SOCKET_UNLOCK(so, 1);
842 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
843 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
844 SCTP_SOCKET_UNLOCK(so, 1);
847 /* goto SHUTDOWN_RECEIVED state to block new requests */
848 if (stcb->sctp_socket) {
849 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
850 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) &&
851 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
852 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED);
853 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
855 * notify upper layer that peer has initiated a
858 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
861 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
864 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
866 * stop the shutdown timer, since we WILL move to
869 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8);
871 /* Now is there unsent data on a stream somewhere? */
872 some_on_streamwheel = sctp_is_there_unsent_data(stcb);
874 if (!TAILQ_EMPTY(&asoc->send_queue) ||
875 !TAILQ_EMPTY(&asoc->sent_queue) ||
876 some_on_streamwheel) {
877 /* By returning we will push more data out */
880 /* no outstanding data to send, so move on... */
881 /* send SHUTDOWN-ACK */
882 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
883 /* move to SHUTDOWN-ACK-SENT state */
884 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
885 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
886 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
888 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
889 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
890 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net,
891 SCTP_FROM_SCTP_INPUT + SCTP_LOC_7);
892 /* start SHUTDOWN timer */
893 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep,
899 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp,
900 struct sctp_tcb *stcb, struct sctp_nets *net)
902 struct sctp_association *asoc;
904 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
907 so = SCTP_INP_SO(stcb->sctp_ep);
909 SCTPDBG(SCTP_DEBUG_INPUT2,
910 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
915 /* process according to association state */
916 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
917 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
918 /* unexpected SHUTDOWN-ACK... so ignore... */
919 SCTP_TCB_UNLOCK(stcb);
922 if (asoc->control_pdapi) {
924 * With a normal shutdown we assume the end of last record.
926 SCTP_INP_READ_LOCK(stcb->sctp_ep);
927 asoc->control_pdapi->end_added = 1;
928 asoc->control_pdapi->pdapi_aborted = 1;
929 asoc->control_pdapi = NULL;
930 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
931 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
932 atomic_add_int(&stcb->asoc.refcnt, 1);
933 SCTP_TCB_UNLOCK(stcb);
934 SCTP_SOCKET_LOCK(so, 1);
936 atomic_subtract_int(&stcb->asoc.refcnt, 1);
937 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
938 /* assoc was freed while we were unlocked */
939 SCTP_SOCKET_UNLOCK(so, 1);
943 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
944 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
945 SCTP_SOCKET_UNLOCK(so, 1);
948 /* are the queues empty? */
949 if (!TAILQ_EMPTY(&asoc->send_queue) ||
950 !TAILQ_EMPTY(&asoc->sent_queue) ||
951 !TAILQ_EMPTY(&asoc->out_wheel)) {
952 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED);
955 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9);
956 /* send SHUTDOWN-COMPLETE */
957 sctp_send_shutdown_complete(stcb, net);
958 /* notify upper layer protocol */
959 if (stcb->sctp_socket) {
960 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
961 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
962 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
963 /* Set the connected flag to disconnected */
964 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0;
967 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
968 /* free the TCB but first save off the ep */
969 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
970 atomic_add_int(&stcb->asoc.refcnt, 1);
971 SCTP_TCB_UNLOCK(stcb);
972 SCTP_SOCKET_LOCK(so, 1);
974 atomic_subtract_int(&stcb->asoc.refcnt, 1);
976 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
977 SCTP_FROM_SCTP_INPUT + SCTP_LOC_10);
978 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
979 SCTP_SOCKET_UNLOCK(so, 1);
984 * Skip past the param header and then we will find the chunk that caused the
985 * problem. There are two possiblities ASCONF or FWD-TSN other than that and
986 * our peer must be broken.
989 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
990 struct sctp_nets *net)
992 struct sctp_chunkhdr *chk;
994 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr));
995 switch (chk->chunk_type) {
996 case SCTP_ASCONF_ACK:
998 sctp_asconf_cleanup(stcb, net);
1000 case SCTP_FORWARD_CUM_TSN:
1001 stcb->asoc.peer_supports_prsctp = 0;
1004 SCTPDBG(SCTP_DEBUG_INPUT2,
1005 "Peer does not support chunk type %d(%x)??\n",
1006 chk->chunk_type, (uint32_t) chk->chunk_type);
1012 * Skip past the param header and then we will find the param that caused the
1013 * problem. There are a number of param's in a ASCONF OR the prsctp param
1014 * these will turn of specific features.
1017 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
1019 struct sctp_paramhdr *pbad;
1022 switch (ntohs(pbad->param_type)) {
1024 case SCTP_PRSCTP_SUPPORTED:
1025 stcb->asoc.peer_supports_prsctp = 0;
1027 case SCTP_SUPPORTED_CHUNK_EXT:
1029 /* draft-ietf-tsvwg-addip-sctp */
1030 case SCTP_HAS_NAT_SUPPORT:
1031 stcb->asoc.peer_supports_nat = 0;
1033 case SCTP_ECN_NONCE_SUPPORTED:
1034 stcb->asoc.peer_supports_ecn_nonce = 0;
1035 stcb->asoc.ecn_nonce_allowed = 0;
1036 stcb->asoc.ecn_allowed = 0;
1038 case SCTP_ADD_IP_ADDRESS:
1039 case SCTP_DEL_IP_ADDRESS:
1040 case SCTP_SET_PRIM_ADDR:
1041 stcb->asoc.peer_supports_asconf = 0;
1043 case SCTP_SUCCESS_REPORT:
1044 case SCTP_ERROR_CAUSE_IND:
1045 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n");
1046 SCTPDBG(SCTP_DEBUG_INPUT2,
1047 "Turning off ASCONF to this strange peer\n");
1048 stcb->asoc.peer_supports_asconf = 0;
1051 SCTPDBG(SCTP_DEBUG_INPUT2,
1052 "Peer does not support param type %d(%x)??\n",
1053 pbad->param_type, (uint32_t) pbad->param_type);
1059 sctp_handle_error(struct sctp_chunkhdr *ch,
1060 struct sctp_tcb *stcb, struct sctp_nets *net)
1063 struct sctp_paramhdr *phdr;
1064 uint16_t error_type;
1066 struct sctp_association *asoc;
1069 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1074 /* parse through all of the errors and process */
1076 phdr = (struct sctp_paramhdr *)((caddr_t)ch +
1077 sizeof(struct sctp_chunkhdr));
1078 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr);
1079 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) {
1080 /* Process an Error Cause */
1081 error_type = ntohs(phdr->param_type);
1082 error_len = ntohs(phdr->param_length);
1083 if ((error_len > chklen) || (error_len == 0)) {
1084 /* invalid param length for this param */
1085 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n",
1089 switch (error_type) {
1090 case SCTP_CAUSE_INVALID_STREAM:
1091 case SCTP_CAUSE_MISSING_PARAM:
1092 case SCTP_CAUSE_INVALID_PARAM:
1093 case SCTP_CAUSE_NO_USER_DATA:
1094 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n",
1097 case SCTP_CAUSE_NAT_COLLIDING_STATE:
1098 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
1100 if (sctp_handle_nat_colliding_state(stcb)) {
1104 case SCTP_CAUSE_NAT_MISSING_STATE:
1105 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
1107 if (sctp_handle_nat_missing_state(stcb, net)) {
1111 case SCTP_CAUSE_STALE_COOKIE:
1113 * We only act if we have echoed a cookie and are
1116 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
1119 p = (int *)((caddr_t)phdr + sizeof(*phdr));
1120 /* Save the time doubled */
1121 asoc->cookie_preserve_req = ntohl(*p) << 1;
1122 asoc->stale_cookie_count++;
1123 if (asoc->stale_cookie_count >
1124 asoc->max_init_times) {
1125 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED);
1126 /* now free the asoc */
1127 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1128 so = SCTP_INP_SO(stcb->sctp_ep);
1129 atomic_add_int(&stcb->asoc.refcnt, 1);
1130 SCTP_TCB_UNLOCK(stcb);
1131 SCTP_SOCKET_LOCK(so, 1);
1132 SCTP_TCB_LOCK(stcb);
1133 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1135 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
1136 SCTP_FROM_SCTP_INPUT + SCTP_LOC_11);
1137 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1138 SCTP_SOCKET_UNLOCK(so, 1);
1142 /* blast back to INIT state */
1143 sctp_toss_old_cookies(stcb, &stcb->asoc);
1144 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
1145 asoc->state |= SCTP_STATE_COOKIE_WAIT;
1146 sctp_stop_all_cookie_timers(stcb);
1147 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
1150 case SCTP_CAUSE_UNRESOLVABLE_ADDR:
1152 * Nothing we can do here, we don't do hostname
1153 * addresses so if the peer does not like my IPv6
1154 * (or IPv4 for that matter) it does not matter. If
1155 * they don't support that type of address, they can
1156 * NOT possibly get that packet type... i.e. with no
1157 * IPv6 you can't recieve a IPv6 packet. so we can
1158 * safely ignore this one. If we ever added support
1159 * for HOSTNAME Addresses, then we would need to do
1163 case SCTP_CAUSE_UNRECOG_CHUNK:
1164 sctp_process_unrecog_chunk(stcb, phdr, net);
1166 case SCTP_CAUSE_UNRECOG_PARAM:
1167 sctp_process_unrecog_param(stcb, phdr);
1169 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
1171 * We ignore this since the timer will drive out a
1172 * new cookie anyway and there timer will drive us
1173 * to send a SHUTDOWN_COMPLETE. We can't send one
1174 * here since we don't have their tag.
1177 case SCTP_CAUSE_DELETING_LAST_ADDR:
1178 case SCTP_CAUSE_RESOURCE_SHORTAGE:
1179 case SCTP_CAUSE_DELETING_SRC_ADDR:
1181 * We should NOT get these here, but in a
1184 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n",
1187 case SCTP_CAUSE_OUT_OF_RESC:
1189 * And what, pray tell do we do with the fact that
1190 * the peer is out of resources? Not really sure we
1191 * could do anything but abort. I suspect this
1192 * should have came WITH an abort instead of in a
1197 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n",
1201 adjust = SCTP_SIZE32(error_len);
1203 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust);
1209 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
1210 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
1211 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id)
1213 struct sctp_init_ack *init_ack;
1214 struct mbuf *op_err;
1216 SCTPDBG(SCTP_DEBUG_INPUT2,
1217 "sctp_handle_init_ack: handling INIT-ACK\n");
1220 SCTPDBG(SCTP_DEBUG_INPUT2,
1221 "sctp_handle_init_ack: TCB is null\n");
1224 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
1225 /* Invalid length */
1226 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1227 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1228 op_err, 0, net->port);
1229 *abort_no_unlock = 1;
1232 init_ack = &cp->init;
1233 /* validate parameters */
1234 if (init_ack->initiate_tag == 0) {
1235 /* protocol error... send an abort */
1236 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1237 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1238 op_err, 0, net->port);
1239 *abort_no_unlock = 1;
1242 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) {
1243 /* protocol error... send an abort */
1244 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1245 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1246 op_err, 0, net->port);
1247 *abort_no_unlock = 1;
1250 if (init_ack->num_inbound_streams == 0) {
1251 /* protocol error... send an abort */
1252 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1253 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1254 op_err, 0, net->port);
1255 *abort_no_unlock = 1;
1258 if (init_ack->num_outbound_streams == 0) {
1259 /* protocol error... send an abort */
1260 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
1261 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
1262 op_err, 0, net->port);
1263 *abort_no_unlock = 1;
1266 /* process according to association state... */
1267 switch (stcb->asoc.state & SCTP_STATE_MASK) {
1268 case SCTP_STATE_COOKIE_WAIT:
1269 /* this is the expected state for this chunk */
1270 /* process the INIT-ACK parameters */
1271 if (stcb->asoc.primary_destination->dest_state &
1272 SCTP_ADDR_UNCONFIRMED) {
1274 * The primary is where we sent the INIT, we can
1275 * always consider it confirmed when the INIT-ACK is
1276 * returned. Do this before we load addresses
1279 stcb->asoc.primary_destination->dest_state &=
1280 ~SCTP_ADDR_UNCONFIRMED;
1281 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
1282 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED);
1284 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb,
1285 net, abort_no_unlock, vrf_id) < 0) {
1286 /* error in parsing parameters */
1289 /* update our state */
1290 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n");
1291 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED);
1293 /* reset the RTO calc */
1294 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
1295 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
1296 stcb->asoc.overall_error_count,
1298 SCTP_FROM_SCTP_INPUT,
1301 stcb->asoc.overall_error_count = 0;
1302 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
1304 * collapse the init timer back in case of a exponential
1307 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
1310 * the send at the end of the inbound data processing will
1311 * cause the cookie to be sent
1314 case SCTP_STATE_SHUTDOWN_SENT:
1315 /* incorrect state... discard */
1317 case SCTP_STATE_COOKIE_ECHOED:
1318 /* incorrect state... discard */
1320 case SCTP_STATE_OPEN:
1321 /* incorrect state... discard */
1323 case SCTP_STATE_EMPTY:
1324 case SCTP_STATE_INUSE:
1326 /* incorrect state... discard */
1330 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
1334 static struct sctp_tcb *
1335 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1336 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1337 struct sctp_inpcb *inp, struct sctp_nets **netp,
1338 struct sockaddr *init_src, int *notification,
1339 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1340 uint32_t vrf_id, uint16_t port);
1344 * handle a state cookie for an existing association m: input packet mbuf
1345 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a
1346 * "split" mbuf and the cookie signature does not exist offset: offset into
1347 * mbuf to the cookie-echo chunk
1349 static struct sctp_tcb *
1350 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
1351 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1352 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp,
1353 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id,
1354 uint32_t vrf_id, int auth_skipped, uint32_t auth_offset, uint32_t auth_len, uint16_t port)
1356 struct sctp_association *asoc;
1357 struct sctp_init_chunk *init_cp, init_buf;
1358 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1359 struct sctp_nets *net;
1360 struct mbuf *op_err;
1361 struct sctp_paramhdr *ph;
1363 int init_offset, initack_offset, i;
1369 /* I know that the TCB is non-NULL from the caller */
1371 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) {
1372 if (asoc->cookie_how[how_indx] == 0)
1375 if (how_indx < sizeof(asoc->cookie_how)) {
1376 asoc->cookie_how[how_indx] = 1;
1378 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
1379 /* SHUTDOWN came in after sending INIT-ACK */
1380 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
1381 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
1382 0, M_DONTWAIT, 1, MT_DATA);
1383 if (op_err == NULL) {
1387 /* pre-reserve some space */
1389 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
1391 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
1393 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
1394 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
1396 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr);
1397 ph = mtod(op_err, struct sctp_paramhdr *);
1398 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN);
1399 ph->param_length = htons(sizeof(struct sctp_paramhdr));
1400 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag,
1402 if (how_indx < sizeof(asoc->cookie_how))
1403 asoc->cookie_how[how_indx] = 2;
1407 * find and validate the INIT chunk in the cookie (peer's info) the
1408 * INIT should start after the cookie-echo header struct (chunk
1409 * header, state cookie header struct)
1411 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
1413 init_cp = (struct sctp_init_chunk *)
1414 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1415 (uint8_t *) & init_buf);
1416 if (init_cp == NULL) {
1417 /* could not pull a INIT chunk in cookie */
1420 chk_length = ntohs(init_cp->ch.chunk_length);
1421 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1425 * find and validate the INIT-ACK chunk in the cookie (my info) the
1426 * INIT-ACK follows the INIT chunk
1428 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1429 initack_cp = (struct sctp_init_ack_chunk *)
1430 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1431 (uint8_t *) & initack_buf);
1432 if (initack_cp == NULL) {
1433 /* could not pull INIT-ACK chunk in cookie */
1436 chk_length = ntohs(initack_cp->ch.chunk_length);
1437 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1440 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1441 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
1443 * case D in Section 5.2.4 Table 2: MMAA process accordingly
1444 * to get into the OPEN state
1446 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1448 * Opps, this means that we somehow generated two vtag's
1449 * the same. I.e. we did:
1451 * <---INIT(tag=a)------
1452 * ----INIT-ACK(tag=t)-->
1453 * ----INIT(tag=t)------> *1
1454 * <---INIT-ACK(tag=a)---
1455 * <----CE(tag=t)------------- *2
1457 * At point *1 we should be generating a different
1458 * tag t'. Which means we would throw away the CE and send
1459 * ours instead. Basically this is case C (throw away side).
1461 if (how_indx < sizeof(asoc->cookie_how))
1462 asoc->cookie_how[how_indx] = 17;
1466 switch SCTP_GET_STATE
1468 case SCTP_STATE_COOKIE_WAIT:
1469 case SCTP_STATE_COOKIE_ECHOED:
1471 * INIT was sent but got a COOKIE_ECHO with the
1472 * correct tags... just accept it...but we must
1473 * process the init so that we can make sure we have
1474 * the right seq no's.
1476 /* First we must process the INIT !! */
1477 retval = sctp_process_init(init_cp, stcb, net);
1479 if (how_indx < sizeof(asoc->cookie_how))
1480 asoc->cookie_how[how_indx] = 3;
1483 /* we have already processed the INIT so no problem */
1484 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1485 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12);
1486 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13);
1487 /* update current state */
1488 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
1489 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1491 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1493 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1494 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1495 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1496 stcb->sctp_ep, stcb, asoc->primary_destination);
1498 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1499 sctp_stop_all_cookie_timers(stcb);
1500 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1501 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1502 (inp->sctp_socket->so_qlimit == 0)
1504 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1509 * Here is where collision would go if we
1510 * did a connect() and instead got a
1511 * init/init-ack/cookie done before the
1512 * init-ack came back..
1514 stcb->sctp_ep->sctp_flags |=
1515 SCTP_PCB_FLAGS_CONNECTED;
1516 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1517 so = SCTP_INP_SO(stcb->sctp_ep);
1518 atomic_add_int(&stcb->asoc.refcnt, 1);
1519 SCTP_TCB_UNLOCK(stcb);
1520 SCTP_SOCKET_LOCK(so, 1);
1521 SCTP_TCB_LOCK(stcb);
1522 atomic_add_int(&stcb->asoc.refcnt, -1);
1523 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1524 SCTP_SOCKET_UNLOCK(so, 1);
1528 soisconnected(stcb->sctp_socket);
1529 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1530 SCTP_SOCKET_UNLOCK(so, 1);
1533 /* notify upper layer */
1534 *notification = SCTP_NOTIFY_ASSOC_UP;
1536 * since we did not send a HB make sure we don't
1539 net->hb_responded = 1;
1540 net->RTO = sctp_calculate_rto(stcb, asoc, net,
1541 &cookie->time_entered, sctp_align_unsafe_makecopy);
1543 if (stcb->asoc.sctp_autoclose_ticks &&
1544 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) {
1545 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
1551 * we're in the OPEN state (or beyond), so peer must
1552 * have simply lost the COOKIE-ACK
1556 sctp_stop_all_cookie_timers(stcb);
1558 * We ignore the return code here.. not sure if we should
1559 * somehow abort.. but we do have an existing asoc. This
1560 * really should not fail.
1562 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1563 init_offset + sizeof(struct sctp_init_chunk),
1564 initack_offset, sh, init_src)) {
1565 if (how_indx < sizeof(asoc->cookie_how))
1566 asoc->cookie_how[how_indx] = 4;
1569 /* respond with a COOKIE-ACK */
1570 sctp_toss_old_cookies(stcb, asoc);
1571 sctp_send_cookie_ack(stcb);
1572 if (how_indx < sizeof(asoc->cookie_how))
1573 asoc->cookie_how[how_indx] = 5;
1576 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1577 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
1578 cookie->tie_tag_my_vtag == 0 &&
1579 cookie->tie_tag_peer_vtag == 0) {
1581 * case C in Section 5.2.4 Table 2: XMOO silently discard
1583 if (how_indx < sizeof(asoc->cookie_how))
1584 asoc->cookie_how[how_indx] = 6;
1588 * If nat support, and the below and stcb is established, send back
1589 * a ABORT(colliding state) if we are established.
1591 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) &&
1592 (asoc->peer_supports_nat) &&
1593 ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1594 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
1595 (asoc->peer_vtag == 0)))) {
1597 * Special case - Peer's support nat. We may have two init's
1598 * that we gave out the same tag on since one was not
1599 * established.. i.e. we get INIT from host-1 behind the nat
1600 * and we respond tag-a, we get a INIT from host-2 behind
1601 * the nat and we get tag-a again. Then we bring up host-1
1602 * (or 2's) assoc, Then comes the cookie from hsot-2 (or 1).
1603 * Now we have colliding state. We must send an abort here
1604 * with colliding state indication.
1606 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
1607 0, M_DONTWAIT, 1, MT_DATA);
1608 if (op_err == NULL) {
1612 /* pre-reserve some space */
1614 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
1616 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
1618 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
1619 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
1621 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr);
1622 ph = mtod(op_err, struct sctp_paramhdr *);
1623 ph->param_type = htons(SCTP_CAUSE_NAT_COLLIDING_STATE);
1624 ph->param_length = htons(sizeof(struct sctp_paramhdr));
1625 sctp_send_abort(m, iphlen, sh, 0, op_err, vrf_id, port);
1628 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1629 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
1630 (asoc->peer_vtag == 0))) {
1632 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info
1633 * should be ok, re-accept peer info
1635 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1637 * Extension of case C. If we hit this, then the
1638 * random number generator returned the same vtag
1639 * when we first sent our INIT-ACK and when we later
1640 * sent our INIT. The side with the seq numbers that
1641 * are different will be the one that normnally
1642 * would have hit case C. This in effect "extends"
1643 * our vtags in this collision case to be 64 bits.
1644 * The same collision could occur aka you get both
1645 * vtag and seq number the same twice in a row.. but
1646 * is much less likely. If it did happen then we
1647 * would proceed through and bring up the assoc.. we
1648 * may end up with the wrong stream setup however..
1649 * which would be bad.. but there is no way to
1650 * tell.. until we send on a stream that does not
1653 if (how_indx < sizeof(asoc->cookie_how))
1654 asoc->cookie_how[how_indx] = 7;
1658 if (how_indx < sizeof(asoc->cookie_how))
1659 asoc->cookie_how[how_indx] = 8;
1660 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14);
1661 sctp_stop_all_cookie_timers(stcb);
1663 * since we did not send a HB make sure we don't double
1666 net->hb_responded = 1;
1667 if (stcb->asoc.sctp_autoclose_ticks &&
1668 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
1669 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
1672 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1673 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
1675 /* Note last_cwr_tsn? where is this used? */
1676 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1677 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
1679 * Ok the peer probably discarded our data (if we
1680 * echoed a cookie+data). So anything on the
1681 * sent_queue should be marked for retransmit, we
1682 * may not get something to kick us so it COULD
1683 * still take a timeout to move these.. but it can't
1684 * hurt to mark them.
1686 struct sctp_tmit_chunk *chk;
1688 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
1689 if (chk->sent < SCTP_DATAGRAM_RESEND) {
1690 chk->sent = SCTP_DATAGRAM_RESEND;
1691 sctp_flight_size_decrease(chk);
1692 sctp_total_flight_decrease(stcb, chk);
1693 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
1699 /* process the INIT info (peer's info) */
1700 retval = sctp_process_init(init_cp, stcb, net);
1702 if (how_indx < sizeof(asoc->cookie_how))
1703 asoc->cookie_how[how_indx] = 9;
1706 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1707 init_offset + sizeof(struct sctp_init_chunk),
1708 initack_offset, sh, init_src)) {
1709 if (how_indx < sizeof(asoc->cookie_how))
1710 asoc->cookie_how[how_indx] = 10;
1713 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
1714 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
1715 *notification = SCTP_NOTIFY_ASSOC_UP;
1717 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1718 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1719 (inp->sctp_socket->so_qlimit == 0)) {
1720 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1724 stcb->sctp_ep->sctp_flags |=
1725 SCTP_PCB_FLAGS_CONNECTED;
1726 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1727 so = SCTP_INP_SO(stcb->sctp_ep);
1728 atomic_add_int(&stcb->asoc.refcnt, 1);
1729 SCTP_TCB_UNLOCK(stcb);
1730 SCTP_SOCKET_LOCK(so, 1);
1731 SCTP_TCB_LOCK(stcb);
1732 atomic_add_int(&stcb->asoc.refcnt, -1);
1733 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1734 SCTP_SOCKET_UNLOCK(so, 1);
1738 soisconnected(stcb->sctp_socket);
1739 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1740 SCTP_SOCKET_UNLOCK(so, 1);
1743 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
1744 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1746 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1747 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1748 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
1749 SCTP_STAT_INCR_COUNTER32(sctps_restartestab);
1751 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1753 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1754 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1755 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1756 stcb->sctp_ep, stcb, asoc->primary_destination);
1758 sctp_stop_all_cookie_timers(stcb);
1759 sctp_toss_old_cookies(stcb, asoc);
1760 sctp_send_cookie_ack(stcb);
1763 * only if we have retrans set do we do this. What
1764 * this call does is get only the COOKIE-ACK out and
1765 * then when we return the normal call to
1766 * sctp_chunk_output will get the retrans out behind
1769 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED);
1771 if (how_indx < sizeof(asoc->cookie_how))
1772 asoc->cookie_how[how_indx] = 11;
1776 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1777 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
1778 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
1779 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
1780 cookie->tie_tag_peer_vtag != 0) {
1781 struct sctpasochead *head;
1783 if (asoc->peer_supports_nat) {
1785 * This is a gross gross hack. just call the
1786 * cookie_new code since we are allowing a duplicate
1787 * association. I hope this works...
1789 return (sctp_process_cookie_new(m, iphlen, offset, sh, cookie, cookie_len,
1790 inp, netp, init_src, notification,
1791 auth_skipped, auth_offset, auth_len,
1795 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
1798 if (how_indx < sizeof(asoc->cookie_how))
1799 asoc->cookie_how[how_indx] = 12;
1800 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15);
1801 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
1803 *sac_assoc_id = sctp_get_associd(stcb);
1804 /* notify upper layer */
1805 *notification = SCTP_NOTIFY_ASSOC_RESTART;
1806 atomic_add_int(&stcb->asoc.refcnt, 1);
1807 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) &&
1808 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
1809 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
1810 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1812 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
1813 SCTP_STAT_INCR_GAUGE32(sctps_restartestab);
1814 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) {
1815 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab);
1817 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1818 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1819 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1820 stcb->sctp_ep, stcb, asoc->primary_destination);
1822 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
1823 /* move to OPEN state, if not in SHUTDOWN_SENT */
1824 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1826 asoc->pre_open_streams =
1827 ntohs(initack_cp->init.num_outbound_streams);
1828 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1829 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1830 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
1832 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1833 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1835 asoc->str_reset_seq_in = asoc->init_seq_number;
1837 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1838 if (asoc->mapping_array) {
1839 memset(asoc->mapping_array, 0,
1840 asoc->mapping_array_size);
1842 /* EY 05/13/08 - nr_sack version of the above if statement */
1843 if (asoc->nr_mapping_array && SCTP_BASE_SYSCTL(sctp_nr_sack_on_off)
1844 && asoc->peer_supports_nr_sack) {
1845 memset(asoc->nr_mapping_array, 0,
1846 asoc->nr_mapping_array_size);
1848 SCTP_TCB_UNLOCK(stcb);
1849 SCTP_INP_INFO_WLOCK();
1850 SCTP_INP_WLOCK(stcb->sctp_ep);
1851 SCTP_TCB_LOCK(stcb);
1852 atomic_add_int(&stcb->asoc.refcnt, -1);
1853 /* send up all the data */
1854 SCTP_TCB_SEND_LOCK(stcb);
1856 sctp_report_all_outbound(stcb, 1, SCTP_SO_NOT_LOCKED);
1857 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
1858 stcb->asoc.strmout[i].stream_no = i;
1859 stcb->asoc.strmout[i].next_sequence_sent = 0;
1860 stcb->asoc.strmout[i].last_msg_incomplete = 0;
1862 /* process the INIT-ACK info (my info) */
1863 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1864 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1866 /* pull from vtag hash */
1867 LIST_REMOVE(stcb, sctp_asocs);
1868 /* re-insert to new vtag position */
1869 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag,
1870 SCTP_BASE_INFO(hashasocmark))];
1872 * put it in the bucket in the vtag hash of assoc's for the
1875 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
1877 /* process the INIT info (peer's info) */
1878 SCTP_TCB_SEND_UNLOCK(stcb);
1879 SCTP_INP_WUNLOCK(stcb->sctp_ep);
1880 SCTP_INP_INFO_WUNLOCK();
1882 retval = sctp_process_init(init_cp, stcb, net);
1884 if (how_indx < sizeof(asoc->cookie_how))
1885 asoc->cookie_how[how_indx] = 13;
1890 * since we did not send a HB make sure we don't double
1893 net->hb_responded = 1;
1895 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1896 init_offset + sizeof(struct sctp_init_chunk),
1897 initack_offset, sh, init_src)) {
1898 if (how_indx < sizeof(asoc->cookie_how))
1899 asoc->cookie_how[how_indx] = 14;
1903 /* respond with a COOKIE-ACK */
1904 sctp_stop_all_cookie_timers(stcb);
1905 sctp_toss_old_cookies(stcb, asoc);
1906 sctp_send_cookie_ack(stcb);
1907 if (how_indx < sizeof(asoc->cookie_how))
1908 asoc->cookie_how[how_indx] = 15;
1912 if (how_indx < sizeof(asoc->cookie_how))
1913 asoc->cookie_how[how_indx] = 16;
1914 /* all other cases... */
1920 * handle a state cookie for a new association m: input packet mbuf chain--
1921 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf
1922 * and the cookie signature does not exist offset: offset into mbuf to the
1923 * cookie-echo chunk length: length of the cookie chunk to: where the init
1924 * was from returns a new TCB
1927 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1928 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1929 struct sctp_inpcb *inp, struct sctp_nets **netp,
1930 struct sockaddr *init_src, int *notification,
1931 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1932 uint32_t vrf_id, uint16_t port)
1934 struct sctp_tcb *stcb;
1935 struct sctp_init_chunk *init_cp, init_buf;
1936 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1937 struct sockaddr_storage sa_store;
1938 struct sockaddr *initack_src = (struct sockaddr *)&sa_store;
1939 struct sockaddr_in *sin;
1940 struct sockaddr_in6 *sin6;
1941 struct sctp_association *asoc;
1943 int init_offset, initack_offset, initack_limit;
1947 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
1949 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1952 so = SCTP_INP_SO(inp);
1956 * find and validate the INIT chunk in the cookie (peer's info) the
1957 * INIT should start after the cookie-echo header struct (chunk
1958 * header, state cookie header struct)
1960 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
1961 init_cp = (struct sctp_init_chunk *)
1962 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1963 (uint8_t *) & init_buf);
1964 if (init_cp == NULL) {
1965 /* could not pull a INIT chunk in cookie */
1966 SCTPDBG(SCTP_DEBUG_INPUT1,
1967 "process_cookie_new: could not pull INIT chunk hdr\n");
1970 chk_length = ntohs(init_cp->ch.chunk_length);
1971 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1972 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n");
1975 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1977 * find and validate the INIT-ACK chunk in the cookie (my info) the
1978 * INIT-ACK follows the INIT chunk
1980 initack_cp = (struct sctp_init_ack_chunk *)
1981 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1982 (uint8_t *) & initack_buf);
1983 if (initack_cp == NULL) {
1984 /* could not pull INIT-ACK chunk in cookie */
1985 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n");
1988 chk_length = ntohs(initack_cp->ch.chunk_length);
1989 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1993 * NOTE: We can't use the INIT_ACK's chk_length to determine the
1994 * "initack_limit" value. This is because the chk_length field
1995 * includes the length of the cookie, but the cookie is omitted when
1996 * the INIT and INIT_ACK are tacked onto the cookie...
1998 initack_limit = offset + cookie_len;
2001 * now that we know the INIT/INIT-ACK are in place, create a new TCB
2006 * Here we do a trick, we set in NULL for the proc/thread argument.
2007 * We do this since in effect we only use the p argument when the
2008 * socket is unbound and we must do an implicit bind. Since we are
2009 * getting a cookie, we cannot be unbound.
2011 stcb = sctp_aloc_assoc(inp, init_src, 0, &error,
2012 ntohl(initack_cp->init.initiate_tag), vrf_id,
2013 (struct thread *)NULL
2016 struct mbuf *op_err;
2018 /* memory problem? */
2019 SCTPDBG(SCTP_DEBUG_INPUT1,
2020 "process_cookie_new: no room for another TCB!\n");
2021 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
2023 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
2024 sh, op_err, vrf_id, port);
2027 /* get the correct sctp_nets */
2029 *netp = sctp_findnet(stcb, init_src);
2032 /* get scope variables out of cookie */
2033 asoc->ipv4_local_scope = cookie->ipv4_scope;
2034 asoc->site_scope = cookie->site_scope;
2035 asoc->local_scope = cookie->local_scope;
2036 asoc->loopback_scope = cookie->loopback_scope;
2038 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) ||
2039 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) {
2040 struct mbuf *op_err;
2043 * Houston we have a problem. The EP changed while the
2044 * cookie was in flight. Only recourse is to abort the
2047 atomic_add_int(&stcb->asoc.refcnt, 1);
2048 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
2049 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
2050 sh, op_err, vrf_id, port);
2051 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2052 SCTP_TCB_UNLOCK(stcb);
2053 SCTP_SOCKET_LOCK(so, 1);
2054 SCTP_TCB_LOCK(stcb);
2056 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2057 SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
2058 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2059 SCTP_SOCKET_UNLOCK(so, 1);
2061 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2064 /* process the INIT-ACK info (my info) */
2065 old_tag = asoc->my_vtag;
2066 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
2067 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
2068 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
2069 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
2070 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
2071 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
2072 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
2073 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
2074 asoc->str_reset_seq_in = asoc->init_seq_number;
2076 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
2078 /* process the INIT info (peer's info) */
2080 retval = sctp_process_init(init_cp, stcb, *netp);
2084 atomic_add_int(&stcb->asoc.refcnt, 1);
2085 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2086 SCTP_TCB_UNLOCK(stcb);
2087 SCTP_SOCKET_LOCK(so, 1);
2088 SCTP_TCB_LOCK(stcb);
2090 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
2091 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2092 SCTP_SOCKET_UNLOCK(so, 1);
2094 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2097 /* load all addresses */
2098 if (sctp_load_addresses_from_init(stcb, m, iphlen,
2099 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh,
2101 atomic_add_int(&stcb->asoc.refcnt, 1);
2102 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2103 SCTP_TCB_UNLOCK(stcb);
2104 SCTP_SOCKET_LOCK(so, 1);
2105 SCTP_TCB_LOCK(stcb);
2107 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
2108 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2109 SCTP_SOCKET_UNLOCK(so, 1);
2111 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2115 * verify any preceding AUTH chunk that was skipped
2117 /* pull the local authentication parameters from the cookie/init-ack */
2118 sctp_auth_get_cookie_params(stcb, m,
2119 initack_offset + sizeof(struct sctp_init_ack_chunk),
2120 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)));
2122 struct sctp_auth_chunk *auth;
2124 auth = (struct sctp_auth_chunk *)
2125 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
2126 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
2127 /* auth HMAC failed, dump the assoc and packet */
2128 SCTPDBG(SCTP_DEBUG_AUTH1,
2129 "COOKIE-ECHO: AUTH failed\n");
2130 atomic_add_int(&stcb->asoc.refcnt, 1);
2131 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2132 SCTP_TCB_UNLOCK(stcb);
2133 SCTP_SOCKET_LOCK(so, 1);
2134 SCTP_TCB_LOCK(stcb);
2136 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18);
2137 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2138 SCTP_SOCKET_UNLOCK(so, 1);
2140 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2143 /* remaining chunks checked... good to go */
2144 stcb->asoc.authenticated = 1;
2147 /* update current state */
2148 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
2149 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
2150 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2151 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
2152 stcb->sctp_ep, stcb, asoc->primary_destination);
2154 sctp_stop_all_cookie_timers(stcb);
2155 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
2156 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
2159 * if we're doing ASCONFs, check to see if we have any new local
2160 * addresses that need to get added to the peer (eg. addresses
2161 * changed while cookie echo in flight). This needs to be done
2162 * after we go to the OPEN state to do the correct asconf
2163 * processing. else, make sure we have the correct addresses in our
2167 /* warning, we re-use sin, sin6, sa_store here! */
2168 /* pull in local_address (our "from" address) */
2169 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) {
2170 /* source addr is IPv4 */
2171 sin = (struct sockaddr_in *)initack_src;
2172 memset(sin, 0, sizeof(*sin));
2173 sin->sin_family = AF_INET;
2174 sin->sin_len = sizeof(struct sockaddr_in);
2175 sin->sin_addr.s_addr = cookie->laddress[0];
2176 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) {
2177 /* source addr is IPv6 */
2178 sin6 = (struct sockaddr_in6 *)initack_src;
2179 memset(sin6, 0, sizeof(*sin6));
2180 sin6->sin6_family = AF_INET6;
2181 sin6->sin6_len = sizeof(struct sockaddr_in6);
2182 sin6->sin6_scope_id = cookie->scope_id;
2183 memcpy(&sin6->sin6_addr, cookie->laddress,
2184 sizeof(sin6->sin6_addr));
2186 atomic_add_int(&stcb->asoc.refcnt, 1);
2187 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2188 SCTP_TCB_UNLOCK(stcb);
2189 SCTP_SOCKET_LOCK(so, 1);
2190 SCTP_TCB_LOCK(stcb);
2192 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19);
2193 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2194 SCTP_SOCKET_UNLOCK(so, 1);
2196 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2200 /* set up to notify upper layer */
2201 *notification = SCTP_NOTIFY_ASSOC_UP;
2202 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2203 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
2204 (inp->sctp_socket->so_qlimit == 0)) {
2206 * This is an endpoint that called connect() how it got a
2207 * cookie that is NEW is a bit of a mystery. It must be that
2208 * the INIT was sent, but before it got there.. a complete
2209 * INIT/INIT-ACK/COOKIE arrived. But of course then it
2210 * should have went to the other code.. not here.. oh well..
2211 * a bit of protection is worth having..
2213 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2214 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2215 atomic_add_int(&stcb->asoc.refcnt, 1);
2216 SCTP_TCB_UNLOCK(stcb);
2217 SCTP_SOCKET_LOCK(so, 1);
2218 SCTP_TCB_LOCK(stcb);
2219 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2220 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
2221 SCTP_SOCKET_UNLOCK(so, 1);
2225 soisconnected(stcb->sctp_socket);
2226 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2227 SCTP_SOCKET_UNLOCK(so, 1);
2229 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
2230 (inp->sctp_socket->so_qlimit)) {
2232 * We don't want to do anything with this one. Since it is
2233 * the listening guy. The timer will get started for
2234 * accepted connections in the caller.
2238 /* since we did not send a HB make sure we don't double things */
2239 if ((netp) && (*netp))
2240 (*netp)->hb_responded = 1;
2242 if (stcb->asoc.sctp_autoclose_ticks &&
2243 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2244 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
2246 /* calculate the RTT */
2247 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
2248 if ((netp) && (*netp)) {
2249 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
2250 &cookie->time_entered, sctp_align_unsafe_makecopy);
2252 /* respond with a COOKIE-ACK */
2253 sctp_send_cookie_ack(stcb);
2256 * check the address lists for any ASCONFs that need to be sent
2257 * AFTER the cookie-ack is sent
2259 sctp_check_address_list(stcb, m,
2260 initack_offset + sizeof(struct sctp_init_ack_chunk),
2261 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)),
2262 initack_src, cookie->local_scope, cookie->site_scope,
2263 cookie->ipv4_scope, cookie->loopback_scope);
2270 * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e
2271 * we NEED to make sure we are not already using the vtag. If so we
2272 * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit!
2273 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag,
2274 SCTP_BASE_INFO(hashasocmark))];
2275 LIST_FOREACH(stcb, head, sctp_asocs) {
2276 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep)) {
2277 -- SEND ABORT - TRY AGAIN --
2283 * handles a COOKIE-ECHO message stcb: modified to either a new or left as
2284 * existing (non-NULL) TCB
2286 static struct mbuf *
2287 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
2288 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
2289 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp,
2290 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
2291 struct sctp_tcb **locked_tcb, uint32_t vrf_id, uint16_t port)
2293 struct sctp_state_cookie *cookie;
2294 struct sockaddr_in6 sin6;
2295 struct sockaddr_in sin;
2296 struct sctp_tcb *l_stcb = *stcb;
2297 struct sctp_inpcb *l_inp;
2298 struct sockaddr *to;
2299 sctp_assoc_t sac_restart_id;
2300 struct sctp_pcb *ep;
2302 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
2304 uint8_t cookie_ok = 0;
2305 unsigned int size_of_pkt, sig_offset, cookie_offset;
2306 unsigned int cookie_len;
2308 struct timeval time_expires;
2309 struct sockaddr_storage dest_store;
2310 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store;
2312 int notification = 0;
2313 struct sctp_nets *netl;
2314 int had_a_existing_tcb = 0;
2316 SCTPDBG(SCTP_DEBUG_INPUT2,
2317 "sctp_handle_cookie: handling COOKIE-ECHO\n");
2319 if (inp_p == NULL) {
2322 /* First get the destination address setup too. */
2323 iph = mtod(m, struct ip *);
2324 switch (iph->ip_v) {
2328 struct sockaddr_in *lsin;
2330 lsin = (struct sockaddr_in *)(localep_sa);
2331 memset(lsin, 0, sizeof(*lsin));
2332 lsin->sin_family = AF_INET;
2333 lsin->sin_len = sizeof(*lsin);
2334 lsin->sin_port = sh->dest_port;
2335 lsin->sin_addr.s_addr = iph->ip_dst.s_addr;
2336 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph);
2340 case IPV6_VERSION >> 4:
2343 struct ip6_hdr *ip6;
2344 struct sockaddr_in6 *lsin6;
2346 lsin6 = (struct sockaddr_in6 *)(localep_sa);
2347 memset(lsin6, 0, sizeof(*lsin6));
2348 lsin6->sin6_family = AF_INET6;
2349 lsin6->sin6_len = sizeof(struct sockaddr_in6);
2350 ip6 = mtod(m, struct ip6_hdr *);
2351 lsin6->sin6_port = sh->dest_port;
2352 lsin6->sin6_addr = ip6->ip6_dst;
2353 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen;
2361 cookie = &cp->cookie;
2362 cookie_offset = offset + sizeof(struct sctp_chunkhdr);
2363 cookie_len = ntohs(cp->ch.chunk_length);
2365 if ((cookie->peerport != sh->src_port) &&
2366 (cookie->myport != sh->dest_port) &&
2367 (cookie->my_vtag != sh->v_tag)) {
2369 * invalid ports or bad tag. Note that we always leave the
2370 * v_tag in the header in network order and when we stored
2371 * it in the my_vtag slot we also left it in network order.
2372 * This maintains the match even though it may be in the
2373 * opposite byte order of the machine :->
2377 if (cookie_len > size_of_pkt ||
2378 cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
2379 sizeof(struct sctp_init_chunk) +
2380 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
2381 /* cookie too long! or too small */
2385 * split off the signature into its own mbuf (since it should not be
2386 * calculated in the sctp_hmac_m() call).
2388 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
2389 if (sig_offset > size_of_pkt) {
2390 /* packet not correct size! */
2391 /* XXX this may already be accounted for earlier... */
2394 m_sig = m_split(m, sig_offset, M_DONTWAIT);
2395 if (m_sig == NULL) {
2396 /* out of memory or ?? */
2399 #ifdef SCTP_MBUF_LOGGING
2400 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
2405 if (SCTP_BUF_IS_EXTENDED(mat)) {
2406 sctp_log_mb(mat, SCTP_MBUF_SPLIT);
2408 mat = SCTP_BUF_NEXT(mat);
2414 * compute the signature/digest for the cookie
2416 ep = &(*inp_p)->sctp_ep;
2419 SCTP_TCB_UNLOCK(l_stcb);
2421 SCTP_INP_RLOCK(l_inp);
2423 SCTP_TCB_LOCK(l_stcb);
2425 /* which cookie is it? */
2426 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
2427 (ep->current_secret_number != ep->last_secret_number)) {
2428 /* it's the old cookie */
2429 (void)sctp_hmac_m(SCTP_HMAC,
2430 (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
2431 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2433 /* it's the current cookie */
2434 (void)sctp_hmac_m(SCTP_HMAC,
2435 (uint8_t *) ep->secret_key[(int)ep->current_secret_number],
2436 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2438 /* get the signature */
2439 SCTP_INP_RUNLOCK(l_inp);
2440 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig);
2442 /* couldn't find signature */
2443 sctp_m_freem(m_sig);
2446 /* compare the received digest with the computed digest */
2447 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
2448 /* try the old cookie? */
2449 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
2450 (ep->current_secret_number != ep->last_secret_number)) {
2451 /* compute digest with old */
2452 (void)sctp_hmac_m(SCTP_HMAC,
2453 (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
2454 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2456 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
2464 * Now before we continue we must reconstruct our mbuf so that
2465 * normal processing of any other chunks will work.
2471 while (SCTP_BUF_NEXT(m_at) != NULL) {
2472 m_at = SCTP_BUF_NEXT(m_at);
2474 SCTP_BUF_NEXT(m_at) = m_sig;
2477 if (cookie_ok == 0) {
2478 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n");
2479 SCTPDBG(SCTP_DEBUG_INPUT2,
2480 "offset = %u, cookie_offset = %u, sig_offset = %u\n",
2481 (uint32_t) offset, cookie_offset, sig_offset);
2485 * check the cookie timestamps to be sure it's not stale
2487 (void)SCTP_GETTIME_TIMEVAL(&now);
2488 /* Expire time is in Ticks, so we convert to seconds */
2489 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life);
2490 time_expires.tv_usec = cookie->time_entered.tv_usec;
2492 * TODO sctp_constants.h needs alternative time macros when _KERNEL
2495 if (timevalcmp(&now, &time_expires, >)) {
2496 /* cookie is stale! */
2497 struct mbuf *op_err;
2498 struct sctp_stale_cookie_msg *scm;
2501 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg),
2502 0, M_DONTWAIT, 1, MT_DATA);
2503 if (op_err == NULL) {
2507 /* pre-reserve some space */
2509 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
2511 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
2513 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
2514 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
2517 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg);
2518 scm = mtod(op_err, struct sctp_stale_cookie_msg *);
2519 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE);
2520 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) +
2521 (sizeof(uint32_t))));
2522 /* seconds to usec */
2523 tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
2526 tim = now.tv_usec - cookie->time_entered.tv_usec;
2527 scm->time_usec = htonl(tim);
2528 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag,
2533 * Now we must see with the lookup address if we have an existing
2534 * asoc. This will only happen if we were in the COOKIE-WAIT state
2535 * and a INIT collided with us and somewhere the peer sent the
2536 * cookie on another address besides the single address our assoc
2537 * had for him. In this case we will have one of the tie-tags set at
2538 * least AND the address field in the cookie can be used to look it
2542 if (cookie->addr_type == SCTP_IPV6_ADDRESS) {
2543 memset(&sin6, 0, sizeof(sin6));
2544 sin6.sin6_family = AF_INET6;
2545 sin6.sin6_len = sizeof(sin6);
2546 sin6.sin6_port = sh->src_port;
2547 sin6.sin6_scope_id = cookie->scope_id;
2548 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
2549 sizeof(sin6.sin6_addr.s6_addr));
2550 to = (struct sockaddr *)&sin6;
2551 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) {
2552 memset(&sin, 0, sizeof(sin));
2553 sin.sin_family = AF_INET;
2554 sin.sin_len = sizeof(sin);
2555 sin.sin_port = sh->src_port;
2556 sin.sin_addr.s_addr = cookie->address[0];
2557 to = (struct sockaddr *)&sin;
2559 /* This should not happen */
2562 if ((*stcb == NULL) && to) {
2563 /* Yep, lets check */
2564 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL);
2565 if (*stcb == NULL) {
2567 * We should have only got back the same inp. If we
2568 * got back a different ep we have a problem. The
2569 * original findep got back l_inp and now
2571 if (l_inp != *inp_p) {
2572 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n");
2575 if (*locked_tcb == NULL) {
2577 * In this case we found the assoc only
2578 * after we locked the create lock. This
2579 * means we are in a colliding case and we
2580 * must make sure that we unlock the tcb if
2581 * its one of the cases where we throw away
2582 * the incoming packets.
2584 *locked_tcb = *stcb;
2587 * We must also increment the inp ref count
2588 * since the ref_count flags was set when we
2589 * did not find the TCB, now we found it
2590 * which reduces the refcount.. we must
2591 * raise it back out to balance it all :-)
2593 SCTP_INP_INCR_REF((*stcb)->sctp_ep);
2594 if ((*stcb)->sctp_ep != l_inp) {
2595 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n",
2596 (*stcb)->sctp_ep, l_inp);
2604 cookie_len -= SCTP_SIGNATURE_SIZE;
2605 if (*stcb == NULL) {
2606 /* this is the "normal" case... get a new TCB */
2607 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie,
2608 cookie_len, *inp_p, netp, to, ¬ification,
2609 auth_skipped, auth_offset, auth_len, vrf_id, port);
2611 /* this is abnormal... cookie-echo on existing TCB */
2612 had_a_existing_tcb = 1;
2613 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh,
2614 cookie, cookie_len, *inp_p, *stcb, netp, to,
2615 ¬ification, &sac_restart_id, vrf_id, auth_skipped, auth_offset, auth_len, port);
2618 if (*stcb == NULL) {
2619 /* still no TCB... must be bad cookie-echo */
2623 * Ok, we built an association so confirm the address we sent the
2626 netl = sctp_findnet(*stcb, to);
2628 * This code should in theory NOT run but
2631 /* TSNH! Huh, why do I need to add this address here? */
2634 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE,
2635 SCTP_IN_COOKIE_PROC);
2636 netl = sctp_findnet(*stcb, to);
2639 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
2640 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
2641 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
2643 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2644 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2648 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p,
2651 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
2652 if (!had_a_existing_tcb ||
2653 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
2655 * If we have a NEW cookie or the connect never
2656 * reached the connected state during collision we
2657 * must do the TCP accept thing.
2659 struct socket *so, *oso;
2660 struct sctp_inpcb *inp;
2662 if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
2664 * For a restart we will keep the same
2665 * socket, no need to do anything. I THINK!!
2667 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id, SCTP_SO_NOT_LOCKED);
2670 oso = (*inp_p)->sctp_socket;
2671 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2672 SCTP_TCB_UNLOCK((*stcb));
2673 so = sonewconn(oso, 0
2675 SCTP_TCB_LOCK((*stcb));
2676 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2679 struct mbuf *op_err;
2681 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2682 struct socket *pcb_so;
2685 /* Too many sockets */
2686 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n");
2687 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
2688 sctp_abort_association(*inp_p, NULL, m, iphlen,
2689 sh, op_err, vrf_id, port);
2690 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2691 pcb_so = SCTP_INP_SO(*inp_p);
2692 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2693 SCTP_TCB_UNLOCK((*stcb));
2694 SCTP_SOCKET_LOCK(pcb_so, 1);
2695 SCTP_TCB_LOCK((*stcb));
2696 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2698 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20);
2699 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2700 SCTP_SOCKET_UNLOCK(pcb_so, 1);
2704 inp = (struct sctp_inpcb *)so->so_pcb;
2705 SCTP_INP_INCR_REF(inp);
2707 * We add the unbound flag here so that if we get an
2708 * soabort() before we get the move_pcb done, we
2709 * will properly cleanup.
2711 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2712 SCTP_PCB_FLAGS_CONNECTED |
2713 SCTP_PCB_FLAGS_IN_TCPPOOL |
2714 SCTP_PCB_FLAGS_UNBOUND |
2715 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
2716 SCTP_PCB_FLAGS_DONT_WAKE);
2717 inp->sctp_features = (*inp_p)->sctp_features;
2718 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features;
2719 inp->sctp_socket = so;
2720 inp->sctp_frag_point = (*inp_p)->sctp_frag_point;
2721 inp->partial_delivery_point = (*inp_p)->partial_delivery_point;
2722 inp->sctp_context = (*inp_p)->sctp_context;
2723 inp->inp_starting_point_for_iterator = NULL;
2725 * copy in the authentication parameters from the
2728 if (inp->sctp_ep.local_hmacs)
2729 sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
2730 inp->sctp_ep.local_hmacs =
2731 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs);
2732 if (inp->sctp_ep.local_auth_chunks)
2733 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
2734 inp->sctp_ep.local_auth_chunks =
2735 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks);
2738 * Now we must move it from one hash table to
2739 * another and get the tcb in the right place.
2741 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
2743 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2744 SCTP_TCB_UNLOCK((*stcb));
2746 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb,
2748 SCTP_TCB_LOCK((*stcb));
2749 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2753 * now we must check to see if we were aborted while
2754 * the move was going on and the lock/unlock
2757 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
2759 * yep it was, we leave the assoc attached
2760 * to the socket since the sctp_inpcb_free()
2761 * call will send an abort for us.
2763 SCTP_INP_DECR_REF(inp);
2766 SCTP_INP_DECR_REF(inp);
2767 /* Switch over to the new guy */
2769 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2772 * Pull it from the incomplete queue and wake the
2775 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2776 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2777 SCTP_TCB_UNLOCK((*stcb));
2778 SCTP_SOCKET_LOCK(so, 1);
2781 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2782 SCTP_TCB_LOCK((*stcb));
2783 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2784 SCTP_SOCKET_UNLOCK(so, 1);
2789 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
2790 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2796 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp,
2797 struct sctp_tcb *stcb, struct sctp_nets *net)
2799 /* cp must not be used, others call this without a c-ack :-) */
2800 struct sctp_association *asoc;
2802 SCTPDBG(SCTP_DEBUG_INPUT2,
2803 "sctp_handle_cookie_ack: handling COOKIE-ACK\n");
2809 sctp_stop_all_cookie_timers(stcb);
2810 /* process according to association state */
2811 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
2812 /* state change only needed when I am in right state */
2813 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
2814 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
2815 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2816 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
2817 stcb->sctp_ep, stcb, asoc->primary_destination);
2821 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
2822 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
2823 if (asoc->overall_error_count == 0) {
2824 net->RTO = sctp_calculate_rto(stcb, asoc, net,
2825 &asoc->time_entered, sctp_align_safe_nocopy);
2827 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
2828 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2829 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2830 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
2831 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2835 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2836 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2837 so = SCTP_INP_SO(stcb->sctp_ep);
2838 atomic_add_int(&stcb->asoc.refcnt, 1);
2839 SCTP_TCB_UNLOCK(stcb);
2840 SCTP_SOCKET_LOCK(so, 1);
2841 SCTP_TCB_LOCK(stcb);
2842 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2843 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
2844 SCTP_SOCKET_UNLOCK(so, 1);
2848 soisconnected(stcb->sctp_socket);
2849 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2850 SCTP_SOCKET_UNLOCK(so, 1);
2853 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
2856 * since we did not send a HB make sure we don't double
2859 net->hb_responded = 1;
2861 if (stcb->asoc.sctp_autoclose_ticks &&
2862 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2863 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
2864 stcb->sctp_ep, stcb, NULL);
2867 * send ASCONF if parameters are pending and ASCONFs are
2868 * allowed (eg. addresses changed when init/cookie echo were
2871 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) &&
2872 (stcb->asoc.peer_supports_asconf) &&
2873 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
2874 #ifdef SCTP_TIMER_BASED_ASCONF
2875 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
2876 stcb->sctp_ep, stcb,
2877 stcb->asoc.primary_destination);
2879 sctp_send_asconf(stcb, stcb->asoc.primary_destination,
2880 SCTP_ADDR_NOT_LOCKED);
2884 /* Toss the cookie if I can */
2885 sctp_toss_old_cookies(stcb, asoc);
2886 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
2887 /* Restart the timer if we have pending data */
2888 struct sctp_tmit_chunk *chk;
2890 chk = TAILQ_FIRST(&asoc->sent_queue);
2892 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2899 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
2900 struct sctp_tcb *stcb)
2902 struct sctp_nets *net;
2903 struct sctp_tmit_chunk *lchk;
2906 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) {
2909 SCTP_STAT_INCR(sctps_recvecne);
2910 tsn = ntohl(cp->tsn);
2911 /* ECN Nonce stuff: need a resync and disable the nonce sum check */
2912 /* Also we make sure we disable the nonce_wait */
2913 lchk = TAILQ_FIRST(&stcb->asoc.send_queue);
2915 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq;
2917 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq;
2919 stcb->asoc.nonce_wait_for_ecne = 0;
2920 stcb->asoc.nonce_sum_check = 0;
2922 /* Find where it was sent, if possible */
2924 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue);
2926 if (lchk->rec.data.TSN_seq == tsn) {
2930 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ))
2932 lchk = TAILQ_NEXT(lchk, sctp_next);
2935 /* default is we use the primary */
2936 net = stcb->asoc.primary_destination;
2938 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) {
2940 * JRS - Use the congestion control given in the pluggable
2943 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net);
2945 * we reduce once every RTT. So we will only lower cwnd at
2946 * the next sending seq i.e. the resync_tsn.
2948 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn;
2951 * We always send a CWR this way if our previous one was lost our
2952 * peer will get an update, or if it is not time again to reduce we
2953 * still get the cwr to the peer.
2955 sctp_send_cwr(stcb, net, tsn);
2959 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb)
2962 * Here we get a CWR from the peer. We must look in the outqueue and
2963 * make sure that we have a covered ECNE in teh control chunk part.
2966 struct sctp_tmit_chunk *chk;
2967 struct sctp_ecne_chunk *ecne;
2969 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
2970 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) {
2974 * Look for and remove if it is the right TSN. Since there
2975 * is only ONE ECNE on the control queue at any one time we
2976 * don't need to worry about more than one!
2978 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
2979 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn),
2980 MAX_TSN) || (cp->tsn == ecne->tsn)) {
2981 /* this covers this ECNE, we can remove it */
2982 stcb->asoc.ecn_echo_cnt_onq--;
2983 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
2986 sctp_m_freem(chk->data);
2989 stcb->asoc.ctrl_queue_cnt--;
2990 sctp_free_a_chunk(stcb, chk);
2997 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp,
2998 struct sctp_tcb *stcb, struct sctp_nets *net)
3000 struct sctp_association *asoc;
3002 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3007 SCTPDBG(SCTP_DEBUG_INPUT2,
3008 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
3013 /* process according to association state */
3014 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
3015 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
3016 SCTPDBG(SCTP_DEBUG_INPUT2,
3017 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n");
3018 SCTP_TCB_UNLOCK(stcb);
3021 /* notify upper layer protocol */
3022 if (stcb->sctp_socket) {
3023 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
3024 /* are the queues empty? they should be */
3025 if (!TAILQ_EMPTY(&asoc->send_queue) ||
3026 !TAILQ_EMPTY(&asoc->sent_queue) ||
3027 !TAILQ_EMPTY(&asoc->out_wheel)) {
3028 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED);
3031 /* stop the timer */
3032 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22);
3033 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
3035 SCTPDBG(SCTP_DEBUG_INPUT2,
3036 "sctp_handle_shutdown_complete: calls free-asoc\n");
3037 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3038 so = SCTP_INP_SO(stcb->sctp_ep);
3039 atomic_add_int(&stcb->asoc.refcnt, 1);
3040 SCTP_TCB_UNLOCK(stcb);
3041 SCTP_SOCKET_LOCK(so, 1);
3042 SCTP_TCB_LOCK(stcb);
3043 atomic_subtract_int(&stcb->asoc.refcnt, 1);
3045 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23);
3046 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3047 SCTP_SOCKET_UNLOCK(so, 1);
3053 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
3054 struct sctp_nets *net, uint8_t flg)
3056 switch (desc->chunk_type) {
3058 /* find the tsn to resend (possibly */
3061 struct sctp_tmit_chunk *tp1;
3063 tsn = ntohl(desc->tsn_ifany);
3064 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
3066 if (tp1->rec.data.TSN_seq == tsn) {
3070 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn,
3076 tp1 = TAILQ_NEXT(tp1, sctp_next);
3080 * Do it the other way , aka without paying
3081 * attention to queue seq order.
3083 SCTP_STAT_INCR(sctps_pdrpdnfnd);
3084 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
3086 if (tp1->rec.data.TSN_seq == tsn) {
3090 tp1 = TAILQ_NEXT(tp1, sctp_next);
3094 SCTP_STAT_INCR(sctps_pdrptsnnf);
3096 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
3099 if ((stcb->asoc.peers_rwnd == 0) &&
3100 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
3101 SCTP_STAT_INCR(sctps_pdrpdiwnp);
3104 if (stcb->asoc.peers_rwnd == 0 &&
3105 (flg & SCTP_FROM_MIDDLE_BOX)) {
3106 SCTP_STAT_INCR(sctps_pdrpdizrw);
3109 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+
3110 sizeof(struct sctp_data_chunk));
3114 for (iii = 0; iii < sizeof(desc->data_bytes);
3116 if (ddp[iii] != desc->data_bytes[iii]) {
3117 SCTP_STAT_INCR(sctps_pdrpbadd);
3123 * We zero out the nonce so resync not
3126 tp1->rec.data.ect_nonce = 0;
3130 * this guy had a RTO calculation
3131 * pending on it, cancel it
3135 SCTP_STAT_INCR(sctps_pdrpmark);
3136 if (tp1->sent != SCTP_DATAGRAM_RESEND)
3137 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3138 tp1->sent = SCTP_DATAGRAM_RESEND;
3140 * mark it as if we were doing a FR, since
3141 * we will be getting gap ack reports behind
3142 * the info from the router.
3144 tp1->rec.data.doing_fast_retransmit = 1;
3146 * mark the tsn with what sequences can
3149 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) {
3150 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
3152 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
3155 /* restart the timer */
3156 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
3157 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24);
3158 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
3161 /* fix counts and things */
3162 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3163 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP,
3164 tp1->whoTo->flight_size,
3167 tp1->rec.data.TSN_seq);
3169 sctp_flight_size_decrease(tp1);
3170 sctp_total_flight_decrease(stcb, tp1);
3176 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3177 if (tp1->sent == SCTP_DATAGRAM_RESEND)
3180 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
3182 if (tp1->sent == SCTP_DATAGRAM_RESEND)
3185 if (audit != stcb->asoc.sent_queue_retran_cnt) {
3186 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n",
3187 audit, stcb->asoc.sent_queue_retran_cnt);
3188 #ifndef SCTP_AUDITING_ENABLED
3189 stcb->asoc.sent_queue_retran_cnt = audit;
3197 struct sctp_tmit_chunk *asconf;
3199 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
3201 if (asconf->rec.chunk_id.id == SCTP_ASCONF) {
3206 if (asconf->sent != SCTP_DATAGRAM_RESEND)
3207 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3208 asconf->sent = SCTP_DATAGRAM_RESEND;
3209 asconf->snd_count--;
3213 case SCTP_INITIATION:
3214 /* resend the INIT */
3215 stcb->asoc.dropped_special_cnt++;
3216 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
3218 * If we can get it in, in a few attempts we do
3219 * this, otherwise we let the timer fire.
3221 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
3222 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25);
3223 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
3226 case SCTP_SELECTIVE_ACK:
3227 /* resend the sack */
3228 sctp_send_sack(stcb);
3230 /* EY for nr_sacks */
3231 case SCTP_NR_SELECTIVE_ACK:
3232 sctp_send_nr_sack(stcb); /* EY resend the nr-sack */
3234 case SCTP_HEARTBEAT_REQUEST:
3235 /* resend a demand HB */
3236 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) {
3238 * Only retransmit if we KNOW we wont destroy the
3241 (void)sctp_send_hb(stcb, 1, net);
3245 sctp_send_shutdown(stcb, net);
3247 case SCTP_SHUTDOWN_ACK:
3248 sctp_send_shutdown_ack(stcb, net);
3250 case SCTP_COOKIE_ECHO:
3252 struct sctp_tmit_chunk *cookie;
3255 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
3257 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
3262 if (cookie->sent != SCTP_DATAGRAM_RESEND)
3263 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3264 cookie->sent = SCTP_DATAGRAM_RESEND;
3265 sctp_stop_all_cookie_timers(stcb);
3269 case SCTP_COOKIE_ACK:
3270 sctp_send_cookie_ack(stcb);
3272 case SCTP_ASCONF_ACK:
3273 /* resend last asconf ack */
3274 sctp_send_asconf_ack(stcb);
3276 case SCTP_FORWARD_CUM_TSN:
3277 send_forward_tsn(stcb, &stcb->asoc);
3279 /* can't do anything with these */
3280 case SCTP_PACKET_DROPPED:
3281 case SCTP_INITIATION_ACK: /* this should not happen */
3282 case SCTP_HEARTBEAT_ACK:
3283 case SCTP_ABORT_ASSOCIATION:
3284 case SCTP_OPERATION_ERROR:
3285 case SCTP_SHUTDOWN_COMPLETE:
3295 sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
3301 * We set things to 0xffff since this is the last delivered sequence
3302 * and we will be sending in 0 after the reset.
3305 if (number_entries) {
3306 for (i = 0; i < number_entries; i++) {
3307 temp = ntohs(list[i]);
3308 if (temp >= stcb->asoc.streamincnt) {
3311 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff;
3315 for (i = 0; i < stcb->asoc.streamincnt; i++) {
3316 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff;
3319 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3323 sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
3327 if (number_entries == 0) {
3328 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3329 stcb->asoc.strmout[i].next_sequence_sent = 0;
3331 } else if (number_entries) {
3332 for (i = 0; i < number_entries; i++) {
3335 temp = ntohs(list[i]);
3336 if (temp >= stcb->asoc.streamoutcnt) {
3337 /* no such stream */
3340 stcb->asoc.strmout[temp].next_sequence_sent = 0;
3343 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3347 struct sctp_stream_reset_out_request *
3348 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk)
3350 struct sctp_association *asoc;
3351 struct sctp_stream_reset_out_req *req;
3352 struct sctp_stream_reset_out_request *r;
3353 struct sctp_tmit_chunk *chk;
3357 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
3358 asoc->stream_reset_outstanding = 0;
3361 if (stcb->asoc.str_reset == NULL) {
3362 asoc->stream_reset_outstanding = 0;
3365 chk = stcb->asoc.str_reset;
3366 if (chk->data == NULL) {
3370 /* he wants a copy of the chk pointer */
3373 clen = chk->send_size;
3374 req = mtod(chk->data, struct sctp_stream_reset_out_req *);
3376 if (ntohl(r->request_seq) == seq) {
3380 len = SCTP_SIZE32(ntohs(r->ph.param_length));
3381 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) {
3382 /* move to the next one, there can only be a max of two */
3383 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len);
3384 if (ntohl(r->request_seq) == seq) {
3388 /* that seq is not here */
3393 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
3395 struct sctp_association *asoc;
3396 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset;
3398 if (stcb->asoc.str_reset == NULL) {
3403 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26);
3404 TAILQ_REMOVE(&asoc->control_send_queue,
3408 sctp_m_freem(chk->data);
3411 asoc->ctrl_queue_cnt--;
3412 sctp_free_a_chunk(stcb, chk);
3413 /* sa_ignore NO_NULL_CHK */
3414 stcb->asoc.str_reset = NULL;
3419 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
3420 uint32_t seq, uint32_t action,
3421 struct sctp_stream_reset_response *respin)
3425 struct sctp_association *asoc = &stcb->asoc;
3426 struct sctp_tmit_chunk *chk;
3427 struct sctp_stream_reset_out_request *srparam;
3430 if (asoc->stream_reset_outstanding == 0) {
3434 if (seq == stcb->asoc.str_reset_seq_out) {
3435 srparam = sctp_find_stream_reset(stcb, seq, &chk);
3437 stcb->asoc.str_reset_seq_out++;
3438 type = ntohs(srparam->ph.param_type);
3439 lparm_len = ntohs(srparam->ph.param_length);
3440 if (type == SCTP_STR_RESET_OUT_REQUEST) {
3441 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
3442 asoc->stream_reset_out_is_outstanding = 0;
3443 if (asoc->stream_reset_outstanding)
3444 asoc->stream_reset_outstanding--;
3445 if (action == SCTP_STREAM_RESET_PERFORMED) {
3447 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams);
3449 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
3451 } else if (type == SCTP_STR_RESET_IN_REQUEST) {
3452 /* Answered my request */
3453 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
3454 if (asoc->stream_reset_outstanding)
3455 asoc->stream_reset_outstanding--;
3456 if (action != SCTP_STREAM_RESET_PERFORMED) {
3457 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
3459 } else if (type == SCTP_STR_RESET_TSN_REQUEST) {
3461 * a) Adopt the new in tsn.
3463 * c) Adopt the new out-tsn
3465 struct sctp_stream_reset_response_tsn *resp;
3466 struct sctp_forward_tsn_chunk fwdtsn;
3469 if (respin == NULL) {
3473 if (action == SCTP_STREAM_RESET_PERFORMED) {
3474 resp = (struct sctp_stream_reset_response_tsn *)respin;
3475 asoc->stream_reset_outstanding--;
3476 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3477 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3478 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1);
3479 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3483 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1);
3484 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
3485 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
3487 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
3488 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn);
3489 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
3492 * EY 05/13/08 - nr_sack: to keep
3493 * nr_mapping array be consistent
3494 * with mapping_array
3496 if (SCTP_BASE_SYSCTL(sctp_nr_sack_on_off) && stcb->asoc.peer_supports_nr_sack) {
3497 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
3498 stcb->asoc.nr_mapping_array_base_tsn = stcb->asoc.mapping_array_base_tsn;
3499 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.nr_mapping_array_size);
3501 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn);
3502 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn;
3504 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
3505 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
3509 /* get rid of the request and get the request flags */
3510 if (asoc->stream_reset_outstanding == 0) {
3511 sctp_clean_up_stream_reset(stcb);
3519 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb,
3520 struct sctp_tmit_chunk *chk,
3521 struct sctp_stream_reset_in_request *req, int trunc)
3529 * peer wants me to send a str-reset to him for my outgoing seq's if
3532 struct sctp_association *asoc = &stcb->asoc;
3534 seq = ntohl(req->request_seq);
3535 if (asoc->str_reset_seq_in == seq) {
3537 /* Can't do it, since they exceeded our buffer size */
3538 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3539 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
3540 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3541 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) {
3542 len = ntohs(req->ph.param_length);
3543 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t));
3544 for (i = 0; i < number_entries; i++) {
3545 temp = ntohs(req->list_of_streams[i]);
3546 req->list_of_streams[i] = temp;
3548 /* move the reset action back one */
3549 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3550 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3551 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams,
3552 asoc->str_reset_seq_out,
3553 seq, (asoc->sending_seq - 1));
3554 asoc->stream_reset_out_is_outstanding = 1;
3555 asoc->str_reset = chk;
3556 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
3557 stcb->asoc.stream_reset_outstanding++;
3559 /* Can't do it, since we have sent one out */
3560 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3561 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER;
3562 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3564 asoc->str_reset_seq_in++;
3565 } else if (asoc->str_reset_seq_in - 1 == seq) {
3566 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3567 } else if (asoc->str_reset_seq_in - 2 == seq) {
3568 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3570 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
3575 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb,
3576 struct sctp_tmit_chunk *chk,
3577 struct sctp_stream_reset_tsn_request *req)
3579 /* reset all in and out and update the tsn */
3581 * A) reset my str-seq's on in and out. B) Select a receive next,
3582 * and set cum-ack to it. Also process this selected number as a
3583 * fwd-tsn as well. C) set in the response my next sending seq.
3585 struct sctp_forward_tsn_chunk fwdtsn;
3586 struct sctp_association *asoc = &stcb->asoc;
3590 seq = ntohl(req->request_seq);
3591 if (asoc->str_reset_seq_in == seq) {
3592 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3593 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3594 fwdtsn.ch.chunk_flags = 0;
3595 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1);
3596 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3600 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA;
3601 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
3602 sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
3604 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
3605 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1;
3606 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
3608 * EY 05/13/08 -nr_sack: to keep nr_mapping array consistent
3609 * with mapping array
3611 if (SCTP_BASE_SYSCTL(sctp_nr_sack_on_off) && stcb->asoc.peer_supports_nr_sack) {
3612 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
3613 stcb->asoc.nr_mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1;
3614 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.nr_mapping_array_size);
3616 atomic_add_int(&stcb->asoc.sending_seq, 1);
3617 /* save off historical data for retrans */
3618 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0];
3619 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq;
3620 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0];
3621 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn;
3623 sctp_add_stream_reset_result_tsn(chk,
3624 ntohl(req->request_seq),
3625 SCTP_STREAM_RESET_PERFORMED,
3626 stcb->asoc.sending_seq,
3627 stcb->asoc.mapping_array_base_tsn);
3628 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
3629 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
3630 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
3631 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3633 asoc->str_reset_seq_in++;
3634 } else if (asoc->str_reset_seq_in - 1 == seq) {
3635 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
3636 stcb->asoc.last_sending_seq[0],
3637 stcb->asoc.last_base_tsnsent[0]
3639 } else if (asoc->str_reset_seq_in - 2 == seq) {
3640 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1],
3641 stcb->asoc.last_sending_seq[1],
3642 stcb->asoc.last_base_tsnsent[1]
3645 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
3651 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb,
3652 struct sctp_tmit_chunk *chk,
3653 struct sctp_stream_reset_out_request *req, int trunc)
3656 int number_entries, len;
3657 struct sctp_association *asoc = &stcb->asoc;
3659 seq = ntohl(req->request_seq);
3661 /* now if its not a duplicate we process it */
3662 if (asoc->str_reset_seq_in == seq) {
3663 len = ntohs(req->ph.param_length);
3664 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t));
3666 * the sender is resetting, handle the list issue.. we must
3667 * a) verify if we can do the reset, if so no problem b) If
3668 * we can't do the reset we must copy the request. c) queue
3669 * it, and setup the data in processor to trigger it off
3670 * when needed and dequeue all the queued data.
3672 tsn = ntohl(req->send_reset_at_tsn);
3674 /* move the reset action back one */
3675 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3677 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED);
3678 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
3679 } else if ((tsn == asoc->cumulative_tsn) ||
3680 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) {
3681 /* we can do it now */
3682 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams);
3683 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
3684 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3687 * we must queue it up and thus wait for the TSN's
3688 * to arrive that are at or before tsn
3690 struct sctp_stream_reset_list *liste;
3693 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t));
3694 SCTP_MALLOC(liste, struct sctp_stream_reset_list *,
3695 siz, SCTP_M_STRESET);
3696 if (liste == NULL) {
3697 /* gak out of memory */
3698 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED);
3699 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
3703 liste->number_entries = number_entries;
3704 memcpy(&liste->req, req,
3705 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t))));
3706 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp);
3707 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
3708 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
3710 asoc->str_reset_seq_in++;
3711 } else if ((asoc->str_reset_seq_in - 1) == seq) {
3713 * one seq back, just echo back last action since my
3714 * response was lost.
3716 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3717 } else if ((asoc->str_reset_seq_in - 2) == seq) {
3719 * two seq back, just echo back last action since my
3720 * response was lost.
3722 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3724 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
3729 __attribute__((noinline))
3732 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
3733 struct sctp_stream_reset_out_req *sr_req)
3735 int chk_length, param_len, ptype;
3736 struct sctp_paramhdr pstore;
3737 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
3742 struct sctp_tmit_chunk *chk;
3743 struct sctp_chunkhdr *ch;
3744 struct sctp_paramhdr *ph;
3748 /* now it may be a reset or a reset-response */
3749 chk_length = ntohs(sr_req->ch.chunk_length);
3751 /* setup for adding the response */
3752 sctp_alloc_a_chunk(stcb, chk);
3756 chk->rec.chunk_id.id = SCTP_STREAM_RESET;
3757 chk->rec.chunk_id.can_take_data = 0;
3758 chk->asoc = &stcb->asoc;
3759 chk->no_fr_allowed = 0;
3760 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr);
3761 chk->book_size_scale = 0;
3762 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
3763 if (chk->data == NULL) {
3766 sctp_m_freem(chk->data);
3769 sctp_free_a_chunk(stcb, chk);
3772 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
3774 /* setup chunk parameters */
3775 chk->sent = SCTP_DATAGRAM_UNSENT;
3777 chk->whoTo = stcb->asoc.primary_destination;
3778 atomic_add_int(&chk->whoTo->ref_count, 1);
3780 ch = mtod(chk->data, struct sctp_chunkhdr *);
3781 ch->chunk_type = SCTP_STREAM_RESET;
3782 ch->chunk_flags = 0;
3783 ch->chunk_length = htons(chk->send_size);
3784 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
3785 offset += sizeof(struct sctp_chunkhdr);
3786 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
3787 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore);
3790 param_len = ntohs(ph->param_length);
3791 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
3795 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)),
3796 (uint8_t *) & cstore);
3797 ptype = ntohs(ph->param_type);
3799 if (param_len > (int)sizeof(cstore)) {
3805 if (num_param > SCTP_MAX_RESET_PARAMS) {
3806 /* hit the max of parameters already sorry.. */
3809 if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
3810 struct sctp_stream_reset_out_request *req_out;
3812 req_out = (struct sctp_stream_reset_out_request *)ph;
3814 if (stcb->asoc.stream_reset_outstanding) {
3815 seq = ntohl(req_out->response_seq);
3816 if (seq == stcb->asoc.str_reset_seq_out) {
3818 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL);
3821 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc);
3822 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) {
3823 struct sctp_stream_reset_in_request *req_in;
3827 req_in = (struct sctp_stream_reset_in_request *)ph;
3829 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc);
3830 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) {
3831 struct sctp_stream_reset_tsn_request *req_tsn;
3834 req_tsn = (struct sctp_stream_reset_tsn_request *)ph;
3836 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) {
3838 goto strres_nochunk;
3842 } else if (ptype == SCTP_STR_RESET_RESPONSE) {
3843 struct sctp_stream_reset_response *resp;
3846 resp = (struct sctp_stream_reset_response *)ph;
3847 seq = ntohl(resp->response_seq);
3848 result = ntohl(resp->result);
3849 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) {
3851 goto strres_nochunk;
3856 offset += SCTP_SIZE32(param_len);
3857 chk_length -= SCTP_SIZE32(param_len);
3860 /* we have no response free the stuff */
3861 goto strres_nochunk;
3863 /* ok we have a chunk to link in */
3864 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue,
3867 stcb->asoc.ctrl_queue_cnt++;
3872 * Handle a router or endpoints report of a packet loss, there are two ways
3873 * to handle this, either we get the whole packet and must disect it
3874 * ourselves (possibly with truncation and or corruption) or it is a summary
3875 * from a middle box that did the disectting for us.
3878 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
3879 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
3881 uint32_t bottle_bw, on_queue;
3885 struct sctp_chunk_desc desc;
3886 struct sctp_chunkhdr *ch;
3888 chlen = ntohs(cp->ch.chunk_length);
3889 chlen -= sizeof(struct sctp_pktdrop_chunk);
3890 /* XXX possible chlen underflow */
3893 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
3894 SCTP_STAT_INCR(sctps_pdrpbwrpt);
3896 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
3897 chlen -= sizeof(struct sctphdr);
3898 /* XXX possible chlen underflow */
3899 memset(&desc, 0, sizeof(desc));
3901 trunc_len = (uint16_t) ntohs(cp->trunc_len);
3902 if (trunc_len > limit) {
3905 /* now the chunks themselves */
3906 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
3907 desc.chunk_type = ch->chunk_type;
3908 /* get amount we need to move */
3909 at = ntohs(ch->chunk_length);
3910 if (at < sizeof(struct sctp_chunkhdr)) {
3911 /* corrupt chunk, maybe at the end? */
3912 SCTP_STAT_INCR(sctps_pdrpcrupt);
3915 if (trunc_len == 0) {
3916 /* we are supposed to have all of it */
3918 /* corrupt skip it */
3919 SCTP_STAT_INCR(sctps_pdrpcrupt);
3923 /* is there enough of it left ? */
3924 if (desc.chunk_type == SCTP_DATA) {
3925 if (chlen < (sizeof(struct sctp_data_chunk) +
3926 sizeof(desc.data_bytes))) {
3930 if (chlen < sizeof(struct sctp_chunkhdr)) {
3935 if (desc.chunk_type == SCTP_DATA) {
3936 /* can we get out the tsn? */
3937 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
3938 SCTP_STAT_INCR(sctps_pdrpmbda);
3940 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) {
3942 struct sctp_data_chunk *dcp;
3946 dcp = (struct sctp_data_chunk *)ch;
3947 ddp = (uint8_t *) (dcp + 1);
3948 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) {
3949 desc.data_bytes[iii] = ddp[iii];
3951 desc.tsn_ifany = dcp->dp.tsn;
3953 /* nope we are done. */
3954 SCTP_STAT_INCR(sctps_pdrpnedat);
3958 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
3959 SCTP_STAT_INCR(sctps_pdrpmbct);
3962 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
3963 SCTP_STAT_INCR(sctps_pdrppdbrk);
3966 if (SCTP_SIZE32(at) > chlen) {
3969 chlen -= SCTP_SIZE32(at);
3970 if (chlen < sizeof(struct sctp_chunkhdr)) {
3971 /* done, none left */
3974 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at));
3976 /* Now update any rwnd --- possibly */
3977 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
3978 /* From a peer, we get a rwnd report */
3981 SCTP_STAT_INCR(sctps_pdrpfehos);
3983 bottle_bw = ntohl(cp->bottle_bw);
3984 on_queue = ntohl(cp->current_onq);
3985 if (bottle_bw && on_queue) {
3986 /* a rwnd report is in here */
3987 if (bottle_bw > on_queue)
3988 a_rwnd = bottle_bw - on_queue;
3993 stcb->asoc.peers_rwnd = 0;
3995 if (a_rwnd > stcb->asoc.total_flight) {
3996 stcb->asoc.peers_rwnd =
3997 a_rwnd - stcb->asoc.total_flight;
3999 stcb->asoc.peers_rwnd = 0;
4001 if (stcb->asoc.peers_rwnd <
4002 stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4003 /* SWS sender side engages */
4004 stcb->asoc.peers_rwnd = 0;
4009 SCTP_STAT_INCR(sctps_pdrpfmbox);
4012 /* now middle boxes in sat networks get a cwnd bump */
4013 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
4014 (stcb->asoc.sat_t3_loss_recovery == 0) &&
4015 (stcb->asoc.sat_network)) {
4017 * This is debateable but for sat networks it makes sense
4018 * Note if a T3 timer has went off, we will prohibit any
4019 * changes to cwnd until we exit the t3 loss recovery.
4021 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb,
4022 net, cp, &bottle_bw, &on_queue);
4027 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to
4028 * still contain IP/SCTP header - stcb: is the tcb found for this packet -
4029 * offset: offset into the mbuf chain to first chunkhdr - length: is the
4030 * length of the complete packet outputs: - length: modified to remaining
4031 * length after control processing - netp: modified to new sctp_nets after
4032 * cookie-echo processing - return NULL to discard the packet (ie. no asoc,
4033 * bad packet,...) otherwise return the tcb for this packet
4036 __attribute__((noinline))
4038 static struct sctp_tcb *
4039 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
4040 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
4041 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen,
4042 uint32_t vrf_id, uint16_t port)
4044 struct sctp_association *asoc;
4046 int num_chunks = 0; /* number of control chunks processed */
4047 uint32_t chk_length;
4049 int abort_no_unlock = 0;
4052 * How big should this be, and should it be alloc'd? Lets try the
4053 * d-mtu-ceiling for now (2k) and that should hopefully work ...
4054 * until we get into jumbo grams and such..
4056 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
4057 struct sctp_tcb *locked_tcb = stcb;
4059 uint32_t auth_offset = 0, auth_len = 0;
4060 int auth_skipped = 0;
4063 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4068 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
4069 iphlen, *offset, length, stcb);
4071 /* validate chunk header length... */
4072 if (ntohs(ch->chunk_length) < sizeof(*ch)) {
4073 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n",
4074 ntohs(ch->chunk_length));
4076 SCTP_TCB_UNLOCK(locked_tcb);
4081 * validate the verification tag
4083 vtag_in = ntohl(sh->v_tag);
4086 SCTP_TCB_LOCK_ASSERT(locked_tcb);
4088 if (ch->chunk_type == SCTP_INITIATION) {
4089 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n",
4090 ntohs(ch->chunk_length), vtag_in);
4092 /* protocol error- silently discard... */
4093 SCTP_STAT_INCR(sctps_badvtag);
4095 SCTP_TCB_UNLOCK(locked_tcb);
4099 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
4101 * If there is no stcb, skip the AUTH chunk and process
4102 * later after a stcb is found (to validate the lookup was
4105 if ((ch->chunk_type == SCTP_AUTHENTICATION) &&
4107 !SCTP_BASE_SYSCTL(sctp_auth_disable)) {
4108 /* save this chunk for later processing */
4110 auth_offset = *offset;
4111 auth_len = ntohs(ch->chunk_length);
4113 /* (temporarily) move past this chunk */
4114 *offset += SCTP_SIZE32(auth_len);
4115 if (*offset >= length) {
4116 /* no more data left in the mbuf chain */
4119 SCTP_TCB_UNLOCK(locked_tcb);
4123 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4124 sizeof(struct sctp_chunkhdr), chunk_buf);
4130 SCTP_TCB_UNLOCK(locked_tcb);
4134 if (ch->chunk_type == SCTP_COOKIE_ECHO) {
4135 goto process_control_chunks;
4138 * first check if it's an ASCONF with an unknown src addr we
4139 * need to look inside to find the association
4141 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
4142 struct sctp_chunkhdr *asconf_ch = ch;
4143 uint32_t asconf_offset = 0, asconf_len = 0;
4145 /* inp's refcount may be reduced */
4146 SCTP_INP_INCR_REF(inp);
4148 asconf_offset = *offset;
4150 asconf_len = ntohs(asconf_ch->chunk_length);
4151 if (asconf_len < sizeof(struct sctp_asconf_paramhdr))
4153 stcb = sctp_findassociation_ep_asconf(m, iphlen,
4154 *offset, sh, &inp, netp, vrf_id);
4157 asconf_offset += SCTP_SIZE32(asconf_len);
4158 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset,
4159 sizeof(struct sctp_chunkhdr), chunk_buf);
4160 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF);
4163 * reduce inp's refcount if not reduced in
4164 * sctp_findassociation_ep_asconf().
4166 SCTP_INP_DECR_REF(inp);
4171 /* now go back and verify any auth chunk to be sure */
4172 if (auth_skipped && (stcb != NULL)) {
4173 struct sctp_auth_chunk *auth;
4175 auth = (struct sctp_auth_chunk *)
4176 sctp_m_getptr(m, auth_offset,
4177 auth_len, chunk_buf);
4180 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
4182 /* auth HMAC failed so dump it */
4185 SCTP_TCB_UNLOCK(locked_tcb);
4189 /* remaining chunks are HMAC checked */
4190 stcb->asoc.authenticated = 1;
4195 /* no association, so it's out of the blue... */
4196 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL,
4200 SCTP_TCB_UNLOCK(locked_tcb);
4205 /* ABORT and SHUTDOWN can use either v_tag... */
4206 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
4207 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
4208 (ch->chunk_type == SCTP_PACKET_DROPPED)) {
4209 if ((vtag_in == asoc->my_vtag) ||
4210 ((ch->chunk_flags & SCTP_HAD_NO_TCB) &&
4211 (vtag_in == asoc->peer_vtag))) {
4214 /* drop this packet... */
4215 SCTP_STAT_INCR(sctps_badvtag);
4217 SCTP_TCB_UNLOCK(locked_tcb);
4221 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
4222 if (vtag_in != asoc->my_vtag) {
4224 * this could be a stale SHUTDOWN-ACK or the
4225 * peer never got the SHUTDOWN-COMPLETE and
4226 * is still hung; we have started a new asoc
4227 * but it won't complete until the shutdown
4231 SCTP_TCB_UNLOCK(locked_tcb);
4233 sctp_handle_ootb(m, iphlen, *offset, sh, inp,
4234 NULL, vrf_id, port);
4238 /* for all other chunks, vtag must match */
4239 if (vtag_in != asoc->my_vtag) {
4240 /* invalid vtag... */
4241 SCTPDBG(SCTP_DEBUG_INPUT3,
4242 "invalid vtag: %xh, expect %xh\n",
4243 vtag_in, asoc->my_vtag);
4244 SCTP_STAT_INCR(sctps_badvtag);
4246 SCTP_TCB_UNLOCK(locked_tcb);
4252 } /* end if !SCTP_COOKIE_ECHO */
4254 * process all control chunks...
4256 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
4258 (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) ||
4259 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
4260 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
4261 /* implied cookie-ack.. we must have lost the ack */
4262 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4263 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4264 stcb->asoc.overall_error_count,
4266 SCTP_FROM_SCTP_INPUT,
4269 stcb->asoc.overall_error_count = 0;
4270 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb,
4273 process_control_chunks:
4274 while (IS_SCTP_CONTROL(ch)) {
4275 /* validate chunk length */
4276 chk_length = ntohs(ch->chunk_length);
4277 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n",
4278 ch->chunk_type, chk_length);
4279 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length);
4280 if (chk_length < sizeof(*ch) ||
4281 (*offset + (int)chk_length) > length) {
4284 SCTP_TCB_UNLOCK(locked_tcb);
4288 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
4290 * INIT-ACK only gets the init ack "header" portion only
4291 * because we don't have to process the peer's COOKIE. All
4292 * others get a complete chunk.
4294 if ((ch->chunk_type == SCTP_INITIATION_ACK) ||
4295 (ch->chunk_type == SCTP_INITIATION)) {
4296 /* get an init-ack chunk */
4297 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4298 sizeof(struct sctp_init_ack_chunk), chunk_buf);
4302 SCTP_TCB_UNLOCK(locked_tcb);
4307 /* For cookies and all other chunks. */
4308 if (chk_length > sizeof(chunk_buf)) {
4310 * use just the size of the chunk buffer so
4311 * the front part of our chunks fit in
4312 * contiguous space up to the chunk buffer
4313 * size (508 bytes). For chunks that need to
4314 * get more than that they must use the
4315 * sctp_m_getptr() function or other means
4316 * (e.g. know how to parse mbuf chains).
4317 * Cookies do this already.
4319 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4320 (sizeof(chunk_buf) - 4),
4325 SCTP_TCB_UNLOCK(locked_tcb);
4330 /* We can fit it all */
4331 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4332 chk_length, chunk_buf);
4334 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n");
4337 SCTP_TCB_UNLOCK(locked_tcb);
4344 /* Save off the last place we got a control from */
4346 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) {
4348 * allow last_control to be NULL if
4349 * ASCONF... ASCONF processing will find the
4352 if ((netp != NULL) && (*netp != NULL))
4353 stcb->asoc.last_control_chunk_from = *netp;
4356 #ifdef SCTP_AUDITING_ENABLED
4357 sctp_audit_log(0xB0, ch->chunk_type);
4360 /* check to see if this chunk required auth, but isn't */
4361 if ((stcb != NULL) &&
4362 !SCTP_BASE_SYSCTL(sctp_auth_disable) &&
4363 sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) &&
4364 !stcb->asoc.authenticated) {
4365 /* "silently" ignore */
4366 SCTP_STAT_INCR(sctps_recvauthmissing);
4369 switch (ch->chunk_type) {
4370 case SCTP_INITIATION:
4371 /* must be first and only chunk */
4372 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n");
4373 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4374 /* We are not interested anymore? */
4375 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4377 * collision case where we are
4378 * sending to them too
4383 SCTP_TCB_UNLOCK(locked_tcb);
4389 if ((chk_length > SCTP_LARGEST_INIT_ACCEPTED) ||
4391 (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) {
4394 SCTP_TCB_UNLOCK(locked_tcb);
4398 if ((stcb != NULL) &&
4399 (SCTP_GET_STATE(&stcb->asoc) ==
4400 SCTP_STATE_SHUTDOWN_ACK_SENT)) {
4401 sctp_send_shutdown_ack(stcb,
4402 stcb->asoc.primary_destination);
4404 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
4406 SCTP_TCB_UNLOCK(locked_tcb);
4411 sctp_handle_init(m, iphlen, *offset, sh,
4412 (struct sctp_init_chunk *)ch, inp,
4413 stcb, *netp, &abort_no_unlock, vrf_id, port);
4415 if (abort_no_unlock)
4420 SCTP_TCB_UNLOCK(locked_tcb);
4424 case SCTP_PAD_CHUNK:
4426 case SCTP_INITIATION_ACK:
4427 /* must be first and only chunk */
4428 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n");
4429 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4430 /* We are not interested anymore */
4431 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4435 SCTP_TCB_UNLOCK(locked_tcb);
4439 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4440 so = SCTP_INP_SO(inp);
4441 atomic_add_int(&stcb->asoc.refcnt, 1);
4442 SCTP_TCB_UNLOCK(stcb);
4443 SCTP_SOCKET_LOCK(so, 1);
4444 SCTP_TCB_LOCK(stcb);
4445 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4447 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
4448 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4449 SCTP_SOCKET_UNLOCK(so, 1);
4455 if ((num_chunks > 1) ||
4456 (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) {
4459 SCTP_TCB_UNLOCK(locked_tcb);
4463 if ((netp) && (*netp)) {
4464 ret = sctp_handle_init_ack(m, iphlen, *offset, sh,
4465 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id);
4470 * Special case, I must call the output routine to
4471 * get the cookie echoed
4473 if (abort_no_unlock)
4476 if ((stcb) && ret == 0)
4477 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
4480 SCTP_TCB_UNLOCK(locked_tcb);
4484 case SCTP_SELECTIVE_ACK:
4485 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n");
4486 SCTP_STAT_INCR(sctps_recvsacks);
4488 struct sctp_sack_chunk *sack;
4490 uint32_t a_rwnd, cum_ack;
4494 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_sack_chunk))) {
4495 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on sack chunk, too small\n");
4498 SCTP_TCB_UNLOCK(locked_tcb);
4502 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
4504 * If we have sent a shutdown-ack, we will pay no
4505 * attention to a sack sent in to us since
4506 * we don't care anymore.
4510 sack = (struct sctp_sack_chunk *)ch;
4511 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM;
4512 cum_ack = ntohl(sack->sack.cum_tsn_ack);
4513 num_seg = ntohs(sack->sack.num_gap_ack_blks);
4514 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd);
4515 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
4520 stcb->asoc.seen_a_sack_this_pkt = 1;
4521 if ((stcb->asoc.pr_sctp_cnt == 0) &&
4523 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) ||
4524 (cum_ack == stcb->asoc.last_acked_seq)) &&
4525 (stcb->asoc.saw_sack_with_frags == 0) &&
4526 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
4529 * We have a SIMPLE sack having no
4530 * prior segments and data on sent
4531 * queue to be acked.. Use the
4532 * faster path sack processing. We
4533 * also allow window update sacks
4534 * with no missing segments to go
4537 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag,
4541 sctp_handle_sack(m, *offset,
4542 sack, stcb, *netp, &abort_now, chk_length, a_rwnd);
4544 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
4545 TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
4546 (stcb->asoc.stream_queue_cnt == 0)) {
4547 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
4550 /* ABORT signal from sack processing */
4557 * EY - nr_sack: If the received chunk is an
4560 case SCTP_NR_SELECTIVE_ACK:
4561 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK\n");
4562 SCTP_STAT_INCR(sctps_recvsacks);
4564 struct sctp_nr_sack_chunk *nr_sack;
4566 uint32_t a_rwnd, cum_ack;
4567 uint16_t num_seg, num_nr_seg;
4568 int nonce_sum_flag, all_bit;
4570 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_nr_sack_chunk))) {
4571 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on nr_sack chunk, too small\n");
4575 SCTP_TCB_UNLOCK(locked_tcb);
4580 * EY nr_sacks have not been negotiated but
4581 * the peer end sent an nr_sack, silently
4584 if (!(SCTP_BASE_SYSCTL(sctp_nr_sack_on_off) && stcb->asoc.peer_supports_nr_sack)) {
4587 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
4589 * If we have sent a shutdown-ack, we will pay no
4590 * attention to a sack sent in to us since
4591 * we don't care anymore.
4593 goto ignore_nr_sack;
4595 nr_sack = (struct sctp_nr_sack_chunk *)ch;
4596 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM;
4597 all_bit = ch->chunk_flags & SCTP_NR_SACK_ALL_BIT;
4599 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack);
4600 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks);
4602 * EY -if All bit is set, then there are as
4603 * many gaps as nr_gaps
4606 num_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
4608 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
4609 a_rwnd = (uint32_t) ntohl(nr_sack->nr_sack.a_rwnd);
4610 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
4615 stcb->asoc.seen_a_sack_this_pkt = 1;
4616 if ((stcb->asoc.pr_sctp_cnt == 0) &&
4618 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) ||
4619 (cum_ack == stcb->asoc.last_acked_seq)) &&
4620 (stcb->asoc.saw_sack_with_frags == 0) &&
4621 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
4624 * We have a SIMPLE sack having no
4625 * prior segments and data on sent
4626 * queue to be acked.. Use the
4627 * faster path sack processing. We
4628 * also allow window update sacks
4629 * with no missing segments to go
4632 sctp_express_handle_nr_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag,
4636 sctp_handle_nr_sack(m, *offset,
4637 nr_sack, stcb, *netp, &abort_now, chk_length, a_rwnd);
4639 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
4640 TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
4641 (stcb->asoc.stream_queue_cnt == 0)) {
4642 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
4645 /* ABORT signal from sack processing */
4652 case SCTP_HEARTBEAT_REQUEST:
4653 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n");
4654 if ((stcb) && netp && *netp) {
4655 SCTP_STAT_INCR(sctps_recvheartbeat);
4656 sctp_send_heartbeat_ack(stcb, m, *offset,
4659 /* He's alive so give him credit */
4660 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4661 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4662 stcb->asoc.overall_error_count,
4664 SCTP_FROM_SCTP_INPUT,
4667 stcb->asoc.overall_error_count = 0;
4670 case SCTP_HEARTBEAT_ACK:
4671 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n");
4672 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) {
4676 SCTP_TCB_UNLOCK(locked_tcb);
4680 /* He's alive so give him credit */
4681 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4682 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4683 stcb->asoc.overall_error_count,
4685 SCTP_FROM_SCTP_INPUT,
4688 stcb->asoc.overall_error_count = 0;
4689 SCTP_STAT_INCR(sctps_recvheartbeatack);
4691 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
4694 case SCTP_ABORT_ASSOCIATION:
4695 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n",
4697 if ((stcb) && netp && *netp)
4698 sctp_handle_abort((struct sctp_abort_chunk *)ch,
4704 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n",
4706 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) {
4709 SCTP_TCB_UNLOCK(locked_tcb);
4713 if (netp && *netp) {
4716 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
4717 stcb, *netp, &abort_flag);
4724 case SCTP_SHUTDOWN_ACK:
4725 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", stcb);
4726 if ((stcb) && (netp) && (*netp))
4727 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
4732 case SCTP_OPERATION_ERROR:
4733 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n");
4734 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) {
4740 case SCTP_COOKIE_ECHO:
4741 SCTPDBG(SCTP_DEBUG_INPUT3,
4742 "SCTP_COOKIE-ECHO, stcb %p\n", stcb);
4743 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4746 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4747 /* We are not interested anymore */
4753 * First are we accepting? We do this again here
4754 * sincen it is possible that a previous endpoint
4755 * WAS listening responded to a INIT-ACK and then
4756 * closed. We opened and bound.. and are now no
4760 if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) {
4761 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
4762 (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) {
4764 struct sctp_paramhdr *phdr;
4766 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
4767 0, M_DONTWAIT, 1, MT_DATA);
4769 SCTP_BUF_LEN(oper) =
4770 sizeof(struct sctp_paramhdr);
4772 struct sctp_paramhdr *);
4774 htons(SCTP_CAUSE_OUT_OF_RESC);
4775 phdr->param_length =
4776 htons(sizeof(struct sctp_paramhdr));
4778 sctp_abort_association(inp, stcb, m,
4779 iphlen, sh, oper, vrf_id, port);
4784 struct mbuf *ret_buf;
4785 struct sctp_inpcb *linp;
4794 SCTP_ASOC_CREATE_LOCK(linp);
4798 sctp_handle_cookie_echo(m, iphlen,
4800 (struct sctp_cookie_echo_chunk *)ch,
4812 SCTP_ASOC_CREATE_UNLOCK(linp);
4814 if (ret_buf == NULL) {
4816 SCTP_TCB_UNLOCK(locked_tcb);
4818 SCTPDBG(SCTP_DEBUG_INPUT3,
4819 "GAK, null buffer\n");
4824 /* if AUTH skipped, see if it verified... */
4829 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
4831 * Restart the timer if we have
4834 struct sctp_tmit_chunk *chk;
4836 chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
4838 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
4839 stcb->sctp_ep, stcb,
4845 case SCTP_COOKIE_ACK:
4846 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", stcb);
4847 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) {
4849 SCTP_TCB_UNLOCK(locked_tcb);
4853 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4854 /* We are not interested anymore */
4855 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4858 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4859 so = SCTP_INP_SO(inp);
4860 atomic_add_int(&stcb->asoc.refcnt, 1);
4861 SCTP_TCB_UNLOCK(stcb);
4862 SCTP_SOCKET_LOCK(so, 1);
4863 SCTP_TCB_LOCK(stcb);
4864 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4866 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
4867 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4868 SCTP_SOCKET_UNLOCK(so, 1);
4874 /* He's alive so give him credit */
4875 if ((stcb) && netp && *netp) {
4876 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4877 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4878 stcb->asoc.overall_error_count,
4880 SCTP_FROM_SCTP_INPUT,
4883 stcb->asoc.overall_error_count = 0;
4884 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
4888 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n");
4889 /* He's alive so give him credit */
4890 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) {
4893 SCTP_TCB_UNLOCK(locked_tcb);
4899 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4900 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4901 stcb->asoc.overall_error_count,
4903 SCTP_FROM_SCTP_INPUT,
4906 stcb->asoc.overall_error_count = 0;
4907 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
4912 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n");
4913 /* He's alive so give him credit */
4914 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) {
4917 SCTP_TCB_UNLOCK(locked_tcb);
4923 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4924 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4925 stcb->asoc.overall_error_count,
4927 SCTP_FROM_SCTP_INPUT,
4930 stcb->asoc.overall_error_count = 0;
4931 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb);
4934 case SCTP_SHUTDOWN_COMPLETE:
4935 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", stcb);
4936 /* must be first and only chunk */
4937 if ((num_chunks > 1) ||
4938 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
4941 SCTP_TCB_UNLOCK(locked_tcb);
4945 if ((stcb) && netp && *netp) {
4946 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
4953 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n");
4954 /* He's alive so give him credit */
4956 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4957 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4958 stcb->asoc.overall_error_count,
4960 SCTP_FROM_SCTP_INPUT,
4963 stcb->asoc.overall_error_count = 0;
4964 sctp_handle_asconf(m, *offset,
4965 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0);
4969 case SCTP_ASCONF_ACK:
4970 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n");
4971 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) {
4974 SCTP_TCB_UNLOCK(locked_tcb);
4979 if ((stcb) && netp && *netp) {
4980 /* He's alive so give him credit */
4981 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4982 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4983 stcb->asoc.overall_error_count,
4985 SCTP_FROM_SCTP_INPUT,
4988 stcb->asoc.overall_error_count = 0;
4989 sctp_handle_asconf_ack(m, *offset,
4990 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock);
4991 if (abort_no_unlock)
4995 case SCTP_FORWARD_CUM_TSN:
4996 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n");
4997 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) {
5000 SCTP_TCB_UNLOCK(locked_tcb);
5005 /* He's alive so give him credit */
5009 stcb->asoc.overall_error_count = 0;
5010 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5011 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5012 stcb->asoc.overall_error_count,
5014 SCTP_FROM_SCTP_INPUT,
5018 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5019 /* We are not interested anymore */
5020 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5021 so = SCTP_INP_SO(inp);
5022 atomic_add_int(&stcb->asoc.refcnt, 1);
5023 SCTP_TCB_UNLOCK(stcb);
5024 SCTP_SOCKET_LOCK(so, 1);
5025 SCTP_TCB_LOCK(stcb);
5026 atomic_subtract_int(&stcb->asoc.refcnt, 1);
5028 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29);
5029 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5030 SCTP_SOCKET_UNLOCK(so, 1);
5035 sctp_handle_forward_tsn(stcb,
5036 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset);
5041 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5042 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5043 stcb->asoc.overall_error_count,
5045 SCTP_FROM_SCTP_INPUT,
5048 stcb->asoc.overall_error_count = 0;
5053 case SCTP_STREAM_RESET:
5054 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n");
5055 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) {
5058 SCTP_TCB_UNLOCK(locked_tcb);
5063 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5064 /* We are not interested anymore */
5065 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5066 so = SCTP_INP_SO(inp);
5067 atomic_add_int(&stcb->asoc.refcnt, 1);
5068 SCTP_TCB_UNLOCK(stcb);
5069 SCTP_SOCKET_LOCK(so, 1);
5070 SCTP_TCB_LOCK(stcb);
5071 atomic_subtract_int(&stcb->asoc.refcnt, 1);
5073 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_30);
5074 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5075 SCTP_SOCKET_UNLOCK(so, 1);
5080 if (stcb->asoc.peer_supports_strreset == 0) {
5082 * hmm, peer should have announced this, but
5083 * we will turn it on since he is sending us
5086 stcb->asoc.peer_supports_strreset = 1;
5088 if (sctp_handle_stream_reset(stcb, m, *offset, (struct sctp_stream_reset_out_req *)ch)) {
5089 /* stop processing */
5094 case SCTP_PACKET_DROPPED:
5095 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n");
5096 /* re-get it all please */
5097 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) {
5100 SCTP_TCB_UNLOCK(locked_tcb);
5105 if (ch && (stcb) && netp && (*netp)) {
5106 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
5108 min(chk_length, (sizeof(chunk_buf) - 4)));
5113 case SCTP_AUTHENTICATION:
5114 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n");
5115 if (SCTP_BASE_SYSCTL(sctp_auth_disable))
5119 /* save the first AUTH for later processing */
5120 if (auth_skipped == 0) {
5121 auth_offset = *offset;
5122 auth_len = chk_length;
5125 /* skip this chunk (temporarily) */
5128 if ((chk_length < (sizeof(struct sctp_auth_chunk))) ||
5129 (chk_length > (sizeof(struct sctp_auth_chunk) +
5130 SCTP_AUTH_DIGEST_LEN_MAX))) {
5133 SCTP_TCB_UNLOCK(locked_tcb);
5138 if (got_auth == 1) {
5139 /* skip this chunk... it's already auth'd */
5143 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch,
5145 /* auth HMAC failed so dump the packet */
5149 /* remaining chunks are HMAC checked */
5150 stcb->asoc.authenticated = 1;
5156 /* it's an unknown chunk! */
5157 if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
5159 struct sctp_paramhdr *phd;
5161 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
5162 0, M_DONTWAIT, 1, MT_DATA);
5164 phd = mtod(mm, struct sctp_paramhdr *);
5166 * We cheat and use param type since
5167 * we did not bother to define a
5168 * error cause struct. They are the
5169 * same basic format with different
5172 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK);
5173 phd->param_length = htons(chk_length + sizeof(*phd));
5174 SCTP_BUF_LEN(mm) = sizeof(*phd);
5175 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length),
5177 if (SCTP_BUF_NEXT(mm)) {
5178 #ifdef SCTP_MBUF_LOGGING
5179 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
5182 mat = SCTP_BUF_NEXT(mm);
5184 if (SCTP_BUF_IS_EXTENDED(mat)) {
5185 sctp_log_mb(mat, SCTP_MBUF_ICOPY);
5187 mat = SCTP_BUF_NEXT(mat);
5191 sctp_queue_op_err(stcb, mm);
5197 if ((ch->chunk_type & 0x80) == 0) {
5198 /* discard this packet */
5201 } /* else skip this bad chunk and continue... */
5203 } /* switch (ch->chunk_type) */
5207 /* get the next chunk */
5208 *offset += SCTP_SIZE32(chk_length);
5209 if (*offset >= length) {
5210 /* no more data left in the mbuf chain */
5213 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
5214 sizeof(struct sctp_chunkhdr), chunk_buf);
5217 SCTP_TCB_UNLOCK(locked_tcb);
5224 if (asconf_cnt > 0 && stcb != NULL) {
5225 sctp_send_asconf_ack(stcb);
5232 * Process the ECN bits we have something set so we must look to see if it is
5233 * ECN(0) or ECN(1) or CE
5236 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net,
5239 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
5241 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) {
5243 * we only add to the nonce sum for ECT1, ECT0 does not
5244 * change the NS bit (that we have yet to find a way to send
5248 /* ECN Nonce stuff */
5249 stcb->asoc.receiver_nonce_sum++;
5250 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM;
5253 * Drag up the last_echo point if cumack is larger since we
5254 * don't want the point falling way behind by more than
5255 * 2^^31 and then having it be incorrect.
5257 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
5258 stcb->asoc.last_echo_tsn, MAX_TSN)) {
5259 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
5261 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) {
5263 * Drag up the last_echo point if cumack is larger since we
5264 * don't want the point falling way behind by more than
5265 * 2^^31 and then having it be incorrect.
5267 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
5268 stcb->asoc.last_echo_tsn, MAX_TSN)) {
5269 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
5275 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net,
5276 uint32_t high_tsn, uint8_t ecn_bits)
5278 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
5280 * we possibly must notify the sender that a congestion
5281 * window reduction is in order. We do this by adding a ECNE
5282 * chunk to the output chunk queue. The incoming CWR will
5283 * remove this chunk.
5285 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn,
5287 /* Yep, we need to add a ECNE */
5288 sctp_send_ecn_echo(stcb, net, high_tsn);
5289 stcb->asoc.last_echo_tsn = high_tsn;
5296 sctp_validate_no_locks(struct sctp_inpcb *inp)
5298 struct sctp_tcb *stcb;
5300 LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
5301 if (mtx_owned(&stcb->tcb_mtx)) {
5302 panic("Own lock on stcb at return from input");
5310 * common input chunk processing (v4 and v6)
5313 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset,
5314 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch,
5315 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
5316 uint8_t ecn_bits, uint32_t vrf_id, uint16_t port)
5319 * Control chunk processing
5322 int fwd_tsn_seen = 0, data_processed = 0;
5323 struct mbuf *m = *mm;
5327 SCTP_STAT_INCR(sctps_recvdatagrams);
5328 #ifdef SCTP_AUDITING_ENABLED
5329 sctp_audit_log(0xE0, 1);
5330 sctp_auditing(0, inp, stcb, net);
5333 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n",
5334 m, iphlen, offset, length, stcb);
5336 /* always clear this before beginning a packet */
5337 stcb->asoc.authenticated = 0;
5338 stcb->asoc.seen_a_sack_this_pkt = 0;
5339 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n",
5340 stcb, stcb->asoc.state);
5342 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) ||
5343 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) {
5345 * If we hit here, we had a ref count
5346 * up when the assoc was aborted and the
5347 * timer is clearing out the assoc, we should
5348 * NOT respond to any packet.. its OOTB.
5350 SCTP_TCB_UNLOCK(stcb);
5351 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
5356 if (IS_SCTP_CONTROL(ch)) {
5357 /* process the control portion of the SCTP packet */
5358 /* sa_ignore NO_NULL_CHK */
5359 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch,
5360 inp, stcb, &net, &fwd_tsn_seen, vrf_id, port);
5363 * This covers us if the cookie-echo was there and
5364 * it changes our INP.
5366 inp = stcb->sctp_ep;
5367 if ((net) && (port)) {
5368 if (net->port == 0) {
5369 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
5376 * no control chunks, so pre-process DATA chunks (these
5377 * checks are taken care of by control processing)
5381 * if DATA only packet, and auth is required, then punt...
5382 * can't have authenticated without any AUTH (control)
5385 if ((stcb != NULL) &&
5386 !SCTP_BASE_SYSCTL(sctp_auth_disable) &&
5387 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) {
5388 /* "silently" ignore */
5389 SCTP_STAT_INCR(sctps_recvauthmissing);
5390 SCTP_TCB_UNLOCK(stcb);
5394 /* out of the blue DATA chunk */
5395 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
5399 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
5400 /* v_tag mismatch! */
5401 SCTP_STAT_INCR(sctps_badvtag);
5402 SCTP_TCB_UNLOCK(stcb);
5409 * no valid TCB for this packet, or we found it's a bad
5410 * packet while processing control, or we're done with this
5411 * packet (done or skip rest of data), so we drop it...
5416 * DATA chunk processing
5418 /* plow through the data chunks while length > offset */
5421 * Rest should be DATA only. Check authentication state if AUTH for
5424 if ((length > offset) &&
5426 !SCTP_BASE_SYSCTL(sctp_auth_disable) &&
5427 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) &&
5428 !stcb->asoc.authenticated) {
5429 /* "silently" ignore */
5430 SCTP_STAT_INCR(sctps_recvauthmissing);
5431 SCTPDBG(SCTP_DEBUG_AUTH1,
5432 "Data chunk requires AUTH, skipped\n");
5435 if (length > offset) {
5439 * First check to make sure our state is correct. We would
5440 * not get here unless we really did have a tag, so we don't
5441 * abort if this happens, just dump the chunk silently.
5443 switch (SCTP_GET_STATE(&stcb->asoc)) {
5444 case SCTP_STATE_COOKIE_ECHOED:
5446 * we consider data with valid tags in this state
5447 * shows us the cookie-ack was lost. Imply it was
5450 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5451 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5452 stcb->asoc.overall_error_count,
5454 SCTP_FROM_SCTP_INPUT,
5457 stcb->asoc.overall_error_count = 0;
5458 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net);
5460 case SCTP_STATE_COOKIE_WAIT:
5462 * We consider OOTB any data sent during asoc setup.
5464 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
5466 SCTP_TCB_UNLOCK(stcb);
5468 /* sa_ignore NOTREACHED */
5470 case SCTP_STATE_EMPTY: /* should not happen */
5471 case SCTP_STATE_INUSE: /* should not happen */
5472 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */
5473 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5475 SCTP_TCB_UNLOCK(stcb);
5477 /* sa_ignore NOTREACHED */
5479 case SCTP_STATE_OPEN:
5480 case SCTP_STATE_SHUTDOWN_SENT:
5483 /* take care of ECN, part 1. */
5484 if (stcb->asoc.ecn_allowed &&
5485 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
5486 sctp_process_ecn_marked_a(stcb, net, ecn_bits);
5488 /* plow through the data chunks while length > offset */
5489 retval = sctp_process_data(mm, iphlen, &offset, length, sh,
5490 inp, stcb, net, &high_tsn);
5493 * The association aborted, NO UNLOCK needed since
5494 * the association is destroyed.
5500 /* take care of ecn part 2. */
5501 if (stcb->asoc.ecn_allowed &&
5502 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
5503 sctp_process_ecn_marked_b(stcb, net, high_tsn,
5508 * Anything important needs to have been m_copy'ed in
5512 if ((data_processed == 0) && (fwd_tsn_seen)) {
5515 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map,
5516 stcb->asoc.cumulative_tsn, MAX_TSN)) {
5517 /* there was a gap before this data was processed */
5520 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag);
5522 /* Again, we aborted so NO UNLOCK needed */
5526 /* trigger send of any chunks in queue... */
5528 #ifdef SCTP_AUDITING_ENABLED
5529 sctp_audit_log(0xE0, 2);
5530 sctp_auditing(1, inp, stcb, net);
5532 SCTPDBG(SCTP_DEBUG_INPUT1,
5533 "Check for chunk output prw:%d tqe:%d tf=%d\n",
5534 stcb->asoc.peers_rwnd,
5535 TAILQ_EMPTY(&stcb->asoc.control_send_queue),
5536 stcb->asoc.total_flight);
5537 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
5539 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) ||
5541 (stcb->asoc.peers_rwnd > 0 ||
5542 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) {
5543 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n");
5544 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
5545 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n");
5547 #ifdef SCTP_AUDITING_ENABLED
5548 sctp_audit_log(0xE0, 3);
5549 sctp_auditing(2, inp, stcb, net);
5551 SCTP_TCB_UNLOCK(stcb);
5554 sctp_validate_no_locks(inp);
5561 sctp_print_mbuf_chain(struct mbuf *m)
5563 for (; m; m = SCTP_BUF_NEXT(m)) {
5564 printf("%p: m_len = %ld\n", m, SCTP_BUF_LEN(m));
5565 if (SCTP_BUF_IS_EXTENDED(m))
5566 printf("%p: extend_size = %d\n", m, SCTP_BUF_EXTEND_SIZE(m));
5573 sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port)
5575 #ifdef SCTP_MBUF_LOGGING
5581 uint32_t vrf_id = 0;
5585 struct sctp_inpcb *inp = NULL;
5587 uint32_t check, calc_check;
5588 struct sctp_nets *net;
5589 struct sctp_tcb *stcb = NULL;
5590 struct sctp_chunkhdr *ch;
5591 int refcount_up = 0;
5592 int length, mlen, offset;
5595 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) {
5596 SCTP_RELEASE_PKT(i_pak);
5599 mlen = SCTP_HEADER_LEN(i_pak);
5601 m = SCTP_HEADER_TO_CHAIN(i_pak);
5604 SCTP_STAT_INCR(sctps_recvpackets);
5605 SCTP_STAT_INCR_COUNTER64(sctps_inpackets);
5608 #ifdef SCTP_MBUF_LOGGING
5609 /* Log in any input mbufs */
5610 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
5613 if (SCTP_BUF_IS_EXTENDED(mat)) {
5614 sctp_log_mb(mat, SCTP_MBUF_INPUT);
5616 mat = SCTP_BUF_NEXT(mat);
5620 #ifdef SCTP_PACKET_LOGGING
5621 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
5622 sctp_packet_log(m, mlen);
5625 * Must take out the iphlen, since mlen expects this (only effect lb
5631 * Get IP, SCTP, and first chunk header together in first mbuf.
5633 ip = mtod(m, struct ip *);
5634 offset = iphlen + sizeof(*sh) + sizeof(*ch);
5635 if (SCTP_BUF_LEN(m) < offset) {
5636 if ((m = m_pullup(m, offset)) == 0) {
5637 SCTP_STAT_INCR(sctps_hdrops);
5640 ip = mtod(m, struct ip *);
5642 sh = (struct sctphdr *)((caddr_t)ip + iphlen);
5643 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh));
5644 SCTPDBG(SCTP_DEBUG_INPUT1,
5645 "sctp_input() length:%d iphlen:%d\n", mlen, iphlen);
5647 /* SCTP does not allow broadcasts or multicasts */
5648 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
5651 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) {
5653 * We only look at broadcast if its a front state, All
5654 * others we will not have a tcb for anyway.
5658 /* validate SCTP checksum */
5659 check = sh->checksum; /* save incoming checksum */
5660 if ((check == 0) && (SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback)) &&
5661 ((ip->ip_src.s_addr == ip->ip_dst.s_addr) ||
5662 (SCTP_IS_IT_LOOPBACK(m)))
5664 goto sctp_skip_csum_4;
5666 sh->checksum = 0; /* prepare for calc */
5667 calc_check = sctp_calculate_sum(m, &mlen, iphlen);
5668 if (calc_check != check) {
5669 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n",
5670 calc_check, check, m, mlen, iphlen);
5672 stcb = sctp_findassociation_addr(m, iphlen,
5673 offset - sizeof(*ch),
5676 if ((net) && (port)) {
5677 if (net->port == 0) {
5678 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
5682 if ((inp) && (stcb)) {
5683 sctp_send_packet_dropped(stcb, net, m, iphlen, 1);
5684 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED);
5685 } else if ((inp != NULL) && (stcb == NULL)) {
5688 SCTP_STAT_INCR(sctps_badsum);
5689 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors);
5692 sh->checksum = calc_check;
5694 /* destination port of 0 is illegal, based on RFC2960. */
5695 if (sh->dest_port == 0) {
5696 SCTP_STAT_INCR(sctps_hdrops);
5699 /* validate mbuf chain length with IP payload length */
5700 if (mlen < (SCTP_GET_IPV4_LENGTH(ip) - iphlen)) {
5701 SCTP_STAT_INCR(sctps_hdrops);
5705 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants
5706 * IP/SCTP/first chunk header...
5708 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch),
5709 sh, ch, &inp, &net, vrf_id);
5710 if ((net) && (port)) {
5711 if (net->port == 0) {
5712 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
5716 /* inp's ref-count increased && stcb locked */
5718 struct sctp_init_chunk *init_chk, chunk_buf;
5720 SCTP_STAT_INCR(sctps_noport);
5723 * we use the bandwidth limiting to protect against sending
5724 * too many ABORTS all at once. In this case these count the
5725 * same as an ICMP message.
5727 if (badport_bandlim(0) < 0)
5729 #endif /* ICMP_BANDLIM */
5730 SCTPDBG(SCTP_DEBUG_INPUT1,
5731 "Sending a ABORT from packet entry!\n");
5732 if (ch->chunk_type == SCTP_INITIATION) {
5734 * we do a trick here to get the INIT tag, dig in
5735 * and get the tag from the INIT and put it in the
5738 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m,
5739 iphlen + sizeof(*sh), sizeof(*init_chk),
5740 (uint8_t *) & chunk_buf);
5741 if (init_chk != NULL)
5742 sh->v_tag = init_chk->init.initiate_tag;
5744 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
5745 sctp_send_shutdown_complete2(m, iphlen, sh, vrf_id, port);
5748 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) {
5751 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION)
5752 sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id, port);
5754 } else if (stcb == NULL) {
5759 * I very much doubt any of the IPSEC stuff will work but I have no
5760 * idea, so I will leave it in place.
5762 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) {
5763 MODULE_GLOBAL(MOD_IPSEC, ipsec4stat).in_polvio++;
5764 SCTP_STAT_INCR(sctps_hdrops);
5770 * common chunk processing
5772 length = ip->ip_len + iphlen;
5773 offset -= sizeof(struct sctp_chunkhdr);
5775 ecn_bits = ip->ip_tos;
5777 /* sa_ignore NO_NULL_CHK */
5778 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch,
5779 inp, stcb, net, ecn_bits, vrf_id, port);
5780 /* inp's ref-count reduced && stcb unlocked */
5784 if ((inp) && (refcount_up)) {
5785 /* reduce ref-count */
5786 SCTP_INP_DECR_REF(inp);
5791 SCTP_TCB_UNLOCK(stcb);
5793 if ((inp) && (refcount_up)) {
5794 /* reduce ref-count */
5795 SCTP_INP_DECR_REF(inp);
5803 sctp_input(i_pak, off)
5807 sctp_input_with_port(i_pak, off, 0);