1 /*-
2 * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved.
3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * a) Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 *
12 * b) Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the distribution.
15 *
16 * c) Neither the name of Cisco Systems, Inc. nor the names of its
17 * contributors may be used to endorse or promote products derived
18 * from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30 * THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD: releng/11.2/sys/netinet/sctp_indata.c 334734 2018-06-06 20:28:17Z tuexen $");
35
36 #include <netinet/sctp_os.h>
37 #include <sys/proc.h>
38 #include <netinet/sctp_var.h>
39 #include <netinet/sctp_sysctl.h>
40 #include <netinet/sctp_header.h>
41 #include <netinet/sctp_pcb.h>
42 #include <netinet/sctputil.h>
43 #include <netinet/sctp_output.h>
44 #include <netinet/sctp_uio.h>
45 #include <netinet/sctp_auth.h>
46 #include <netinet/sctp_timer.h>
47 #include <netinet/sctp_asconf.h>
48 #include <netinet/sctp_indata.h>
49 #include <netinet/sctp_bsd_addr.h>
50 #include <netinet/sctp_input.h>
51 #include <netinet/sctp_crc32.h>
52 #include <netinet/sctp_lock_bsd.h>
53 /*
54 * NOTES: On the outbound side of things I need to check the sack timer to
55 * see if I should generate a sack into the chunk queue (if I have data to
56 * send that is and will be sending it .. for bundling.
57 *
58 * The callback in sctp_usrreq.c will get called when the socket is read from.
59 * This will cause sctp_service_queues() to get called on the top entry in
60 * the list.
61 */
62 static uint32_t
63 sctp_add_chk_to_control(struct sctp_queued_to_read *control,
64 struct sctp_stream_in *strm,
65 struct sctp_tcb *stcb,
66 struct sctp_association *asoc,
67 struct sctp_tmit_chunk *chk, int lock_held);
68
69
70 void
71 sctp_set_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc)
72 {
73 asoc->my_rwnd = sctp_calc_rwnd(stcb, asoc);
74 }
75
76 /* Calculate what the rwnd would be */
77 uint32_t
78 sctp_calc_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc)
79 {
80 uint32_t calc = 0;
81
82 /*
83 * This is really set wrong with respect to a 1-2-m socket. Since
84 * the sb_cc is the count that everyone as put up. When we re-write
85 * sctp_soreceive then we will fix this so that ONLY this
86 * associations data is taken into account.
87 */
88 if (stcb->sctp_socket == NULL) {
89 return (calc);
90 }
91 KASSERT(asoc->cnt_on_reasm_queue > 0 || asoc->size_on_reasm_queue == 0,
92 ("size_on_reasm_queue is %u", asoc->size_on_reasm_queue));
93 KASSERT(asoc->cnt_on_all_streams > 0 || asoc->size_on_all_streams == 0,
94 ("size_on_all_streams is %u", asoc->size_on_all_streams));
95 if (stcb->asoc.sb_cc == 0 &&
96 asoc->cnt_on_reasm_queue == 0 &&
97 asoc->cnt_on_all_streams == 0) {
98 /* Full rwnd granted */
99 calc = max(SCTP_SB_LIMIT_RCV(stcb->sctp_socket), SCTP_MINIMAL_RWND);
100 return (calc);
101 }
102 /* get actual space */
103 calc = (uint32_t)sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv);
104 /*
105 * take out what has NOT been put on socket queue and we yet hold
106 * for putting up.
107 */
108 calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_reasm_queue +
109 asoc->cnt_on_reasm_queue * MSIZE));
110 calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_all_streams +
111 asoc->cnt_on_all_streams * MSIZE));
112 if (calc == 0) {
113 /* out of space */
114 return (calc);
115 }
116 /* what is the overhead of all these rwnd's */
117 calc = sctp_sbspace_sub(calc, stcb->asoc.my_rwnd_control_len);
118 /*
119 * If the window gets too small due to ctrl-stuff, reduce it to 1,
120 * even it is 0. SWS engaged
121 */
122 if (calc < stcb->asoc.my_rwnd_control_len) {
123 calc = 1;
124 }
125 return (calc);
126 }
127
128
129
130 /*
131 * Build out our readq entry based on the incoming packet.
132 */
133 struct sctp_queued_to_read *
134 sctp_build_readq_entry(struct sctp_tcb *stcb,
135 struct sctp_nets *net,
136 uint32_t tsn, uint32_t ppid,
137 uint32_t context, uint16_t sid,
138 uint32_t mid, uint8_t flags,
139 struct mbuf *dm)
140 {
141 struct sctp_queued_to_read *read_queue_e = NULL;
142
143 sctp_alloc_a_readq(stcb, read_queue_e);
144 if (read_queue_e == NULL) {
145 goto failed_build;
146 }
147 memset(read_queue_e, 0, sizeof(struct sctp_queued_to_read));
148 read_queue_e->sinfo_stream = sid;
149 read_queue_e->sinfo_flags = (flags << 8);
150 read_queue_e->sinfo_ppid = ppid;
151 read_queue_e->sinfo_context = context;
152 read_queue_e->sinfo_tsn = tsn;
153 read_queue_e->sinfo_cumtsn = tsn;
154 read_queue_e->sinfo_assoc_id = sctp_get_associd(stcb);
155 read_queue_e->mid = mid;
156 read_queue_e->top_fsn = read_queue_e->fsn_included = 0xffffffff;
157 TAILQ_INIT(&read_queue_e->reasm);
158 read_queue_e->whoFrom = net;
159 atomic_add_int(&net->ref_count, 1);
160 read_queue_e->data = dm;
161 read_queue_e->stcb = stcb;
162 read_queue_e->port_from = stcb->rport;
163 failed_build:
164 return (read_queue_e);
165 }
166
167 struct mbuf *
168 sctp_build_ctl_nchunk(struct sctp_inpcb *inp, struct sctp_sndrcvinfo *sinfo)
169 {
170 struct sctp_extrcvinfo *seinfo;
171 struct sctp_sndrcvinfo *outinfo;
172 struct sctp_rcvinfo *rcvinfo;
173 struct sctp_nxtinfo *nxtinfo;
174 struct cmsghdr *cmh;
175 struct mbuf *ret;
176 int len;
177 int use_extended;
178 int provide_nxt;
179
180 if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT) &&
181 sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVRCVINFO) &&
182 sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVNXTINFO)) {
183 /* user does not want any ancillary data */
184 return (NULL);
185 }
186 len = 0;
187 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
188 len += CMSG_SPACE(sizeof(struct sctp_rcvinfo));
189 }
190 seinfo = (struct sctp_extrcvinfo *)sinfo;
191 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO) &&
192 (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_AVAIL)) {
193 provide_nxt = 1;
194 len += CMSG_SPACE(sizeof(struct sctp_nxtinfo));
195 } else {
196 provide_nxt = 0;
197 }
198 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) {
199 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXT_RCVINFO)) {
200 use_extended = 1;
201 len += CMSG_SPACE(sizeof(struct sctp_extrcvinfo));
202 } else {
203 use_extended = 0;
204 len += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo));
205 }
206 } else {
207 use_extended = 0;
208 }
209
210 ret = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
211 if (ret == NULL) {
212 /* No space */
213 return (ret);
214 }
215 SCTP_BUF_LEN(ret) = 0;
216
217 /* We need a CMSG header followed by the struct */
218 cmh = mtod(ret, struct cmsghdr *);
219 /*
220 * Make sure that there is no un-initialized padding between the
221 * cmsg header and cmsg data and after the cmsg data.
222 */
223 memset(cmh, 0, len);
224 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
225 cmh->cmsg_level = IPPROTO_SCTP;
226 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
227 cmh->cmsg_type = SCTP_RCVINFO;
228 rcvinfo = (struct sctp_rcvinfo *)CMSG_DATA(cmh);
229 rcvinfo->rcv_sid = sinfo->sinfo_stream;
230 rcvinfo->rcv_ssn = sinfo->sinfo_ssn;
231 rcvinfo->rcv_flags = sinfo->sinfo_flags;
232 rcvinfo->rcv_ppid = sinfo->sinfo_ppid;
233 rcvinfo->rcv_tsn = sinfo->sinfo_tsn;
234 rcvinfo->rcv_cumtsn = sinfo->sinfo_cumtsn;
235 rcvinfo->rcv_context = sinfo->sinfo_context;
236 rcvinfo->rcv_assoc_id = sinfo->sinfo_assoc_id;
237 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_rcvinfo)));
238 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_rcvinfo));
239 }
240 if (provide_nxt) {
241 cmh->cmsg_level = IPPROTO_SCTP;
242 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_nxtinfo));
243 cmh->cmsg_type = SCTP_NXTINFO;
244 nxtinfo = (struct sctp_nxtinfo *)CMSG_DATA(cmh);
245 nxtinfo->nxt_sid = seinfo->serinfo_next_stream;
246 nxtinfo->nxt_flags = 0;
247 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_UNORDERED) {
248 nxtinfo->nxt_flags |= SCTP_UNORDERED;
249 }
250 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_NOTIFICATION) {
251 nxtinfo->nxt_flags |= SCTP_NOTIFICATION;
252 }
253 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_ISCOMPLETE) {
254 nxtinfo->nxt_flags |= SCTP_COMPLETE;
255 }
256 nxtinfo->nxt_ppid = seinfo->serinfo_next_ppid;
257 nxtinfo->nxt_length = seinfo->serinfo_next_length;
258 nxtinfo->nxt_assoc_id = seinfo->serinfo_next_aid;
259 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_nxtinfo)));
260 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_nxtinfo));
261 }
262 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) {
263 cmh->cmsg_level = IPPROTO_SCTP;
264 outinfo = (struct sctp_sndrcvinfo *)CMSG_DATA(cmh);
265 if (use_extended) {
266 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_extrcvinfo));
267 cmh->cmsg_type = SCTP_EXTRCV;
268 memcpy(outinfo, sinfo, sizeof(struct sctp_extrcvinfo));
269 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_extrcvinfo));
270 } else {
271 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo));
272 cmh->cmsg_type = SCTP_SNDRCV;
273 *outinfo = *sinfo;
274 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo));
275 }
276 }
277 return (ret);
278 }
279
280
281 static void
282 sctp_mark_non_revokable(struct sctp_association *asoc, uint32_t tsn)
283 {
284 uint32_t gap, i, cumackp1;
285 int fnd = 0;
286 int in_r = 0, in_nr = 0;
287
288 if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
289 return;
290 }
291 cumackp1 = asoc->cumulative_tsn + 1;
292 if (SCTP_TSN_GT(cumackp1, tsn)) {
293 /*
294 * this tsn is behind the cum ack and thus we don't need to
295 * worry about it being moved from one to the other.
296 */
297 return;
298 }
299 SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn);
300 in_r = SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap);
301 in_nr = SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap);
302 if ((in_r == 0) && (in_nr == 0)) {
303 #ifdef INVARIANTS
304 panic("Things are really messed up now");
305 #else
306 SCTP_PRINTF("gap:%x tsn:%x\n", gap, tsn);
307 sctp_print_mapping_array(asoc);
308 #endif
309 }
310 if (in_nr == 0)
311 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
312 if (in_r)
313 SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap);
314 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
315 asoc->highest_tsn_inside_nr_map = tsn;
316 }
317 if (tsn == asoc->highest_tsn_inside_map) {
318 /* We must back down to see what the new highest is */
319 for (i = tsn - 1; SCTP_TSN_GE(i, asoc->mapping_array_base_tsn); i--) {
320 SCTP_CALC_TSN_TO_GAP(gap, i, asoc->mapping_array_base_tsn);
321 if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap)) {
322 asoc->highest_tsn_inside_map = i;
323 fnd = 1;
324 break;
325 }
326 }
327 if (!fnd) {
328 asoc->highest_tsn_inside_map = asoc->mapping_array_base_tsn - 1;
329 }
330 }
331 }
332
333 static int
334 sctp_place_control_in_stream(struct sctp_stream_in *strm,
335 struct sctp_association *asoc,
336 struct sctp_queued_to_read *control)
337 {
338 struct sctp_queued_to_read *at;
339 struct sctp_readhead *q;
340 uint8_t flags, unordered;
341
342 flags = (control->sinfo_flags >> 8);
343 unordered = flags & SCTP_DATA_UNORDERED;
344 if (unordered) {
345 q = &strm->uno_inqueue;
346 if (asoc->idata_supported == 0) {
347 if (!TAILQ_EMPTY(q)) {
348 /*
349 * Only one stream can be here in old style
350 * -- abort
351 */
352 return (-1);
353 }
354 TAILQ_INSERT_TAIL(q, control, next_instrm);
355 control->on_strm_q = SCTP_ON_UNORDERED;
356 return (0);
357 }
358 } else {
359 q = &strm->inqueue;
360 }
361 if ((flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
362 control->end_added = 1;
363 control->first_frag_seen = 1;
364 control->last_frag_seen = 1;
365 }
366 if (TAILQ_EMPTY(q)) {
367 /* Empty queue */
368 TAILQ_INSERT_HEAD(q, control, next_instrm);
369 if (unordered) {
370 control->on_strm_q = SCTP_ON_UNORDERED;
371 } else {
372 control->on_strm_q = SCTP_ON_ORDERED;
373 }
374 return (0);
375 } else {
376 TAILQ_FOREACH(at, q, next_instrm) {
377 if (SCTP_MID_GT(asoc->idata_supported, at->mid, control->mid)) {
378 /*
379 * one in queue is bigger than the new one,
380 * insert before this one
381 */
382 TAILQ_INSERT_BEFORE(at, control, next_instrm);
383 if (unordered) {
384 control->on_strm_q = SCTP_ON_UNORDERED;
385 } else {
386 control->on_strm_q = SCTP_ON_ORDERED;
387 }
388 break;
389 } else if (SCTP_MID_EQ(asoc->idata_supported, at->mid, control->mid)) {
390 /*
391 * Gak, He sent me a duplicate msg id
392 * number?? return -1 to abort.
393 */
394 return (-1);
395 } else {
396 if (TAILQ_NEXT(at, next_instrm) == NULL) {
397 /*
398 * We are at the end, insert it
399 * after this one
400 */
401 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
402 sctp_log_strm_del(control, at,
403 SCTP_STR_LOG_FROM_INSERT_TL);
404 }
405 TAILQ_INSERT_AFTER(q, at, control, next_instrm);
406 if (unordered) {
407 control->on_strm_q = SCTP_ON_UNORDERED;
408 } else {
409 control->on_strm_q = SCTP_ON_ORDERED;
410 }
411 break;
412 }
413 }
414 }
415 }
416 return (0);
417 }
418
419 static void
420 sctp_abort_in_reasm(struct sctp_tcb *stcb,
421 struct sctp_queued_to_read *control,
422 struct sctp_tmit_chunk *chk,
423 int *abort_flag, int opspot)
424 {
425 char msg[SCTP_DIAG_INFO_LEN];
426 struct mbuf *oper;
427
428 if (stcb->asoc.idata_supported) {
429 snprintf(msg, sizeof(msg),
430 "Reass %x,CF:%x,TSN=%8.8x,SID=%4.4x,FSN=%8.8x,MID:%8.8x",
431 opspot,
432 control->fsn_included,
433 chk->rec.data.tsn,
434 chk->rec.data.sid,
435 chk->rec.data.fsn, chk->rec.data.mid);
436 } else {
437 snprintf(msg, sizeof(msg),
438 "Reass %x,CI:%x,TSN=%8.8x,SID=%4.4x,FSN=%4.4x,SSN:%4.4x",
439 opspot,
440 control->fsn_included,
441 chk->rec.data.tsn,
442 chk->rec.data.sid,
443 chk->rec.data.fsn,
444 (uint16_t)chk->rec.data.mid);
445 }
446 oper = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
447 sctp_m_freem(chk->data);
448 chk->data = NULL;
449 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
450 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_1;
451 sctp_abort_an_association(stcb->sctp_ep, stcb, oper, SCTP_SO_NOT_LOCKED);
452 *abort_flag = 1;
453 }
454
455 static void
456 sctp_clean_up_control(struct sctp_tcb *stcb, struct sctp_queued_to_read *control)
457 {
458 /*
459 * The control could not be placed and must be cleaned.
460 */
461 struct sctp_tmit_chunk *chk, *nchk;
462
463 TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
464 TAILQ_REMOVE(&control->reasm, chk, sctp_next);
465 if (chk->data)
466 sctp_m_freem(chk->data);
467 chk->data = NULL;
468 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
469 }
470 sctp_free_a_readq(stcb, control);
471 }
472
473 /*
474 * Queue the chunk either right into the socket buffer if it is the next one
475 * to go OR put it in the correct place in the delivery queue. If we do
476 * append to the so_buf, keep doing so until we are out of order as
477 * long as the control's entered are non-fragmented.
478 */
479 static void
480 sctp_queue_data_to_stream(struct sctp_tcb *stcb,
481 struct sctp_association *asoc,
482 struct sctp_queued_to_read *control, int *abort_flag, int *need_reasm)
483 {
484 /*
485 * FIX-ME maybe? What happens when the ssn wraps? If we are getting
486 * all the data in one stream this could happen quite rapidly. One
487 * could use the TSN to keep track of things, but this scheme breaks
488 * down in the other type of stream usage that could occur. Send a
489 * single msg to stream 0, send 4Billion messages to stream 1, now
490 * send a message to stream 0. You have a situation where the TSN
491 * has wrapped but not in the stream. Is this worth worrying about
492 * or should we just change our queue sort at the bottom to be by
493 * TSN.
494 *
495 * Could it also be legal for a peer to send ssn 1 with TSN 2 and
496 * ssn 2 with TSN 1? If the peer is doing some sort of funky TSN/SSN
497 * assignment this could happen... and I don't see how this would be
498 * a violation. So for now I am undecided an will leave the sort by
499 * SSN alone. Maybe a hybred approach is the answer
500 *
501 */
502 struct sctp_queued_to_read *at;
503 int queue_needed;
504 uint32_t nxt_todel;
505 struct mbuf *op_err;
506 struct sctp_stream_in *strm;
507 char msg[SCTP_DIAG_INFO_LEN];
508
509 strm = &asoc->strmin[control->sinfo_stream];
510 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
511 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_INTO_STRD);
512 }
513 if (SCTP_MID_GT((asoc->idata_supported), strm->last_mid_delivered, control->mid)) {
514 /* The incoming sseq is behind where we last delivered? */
515 SCTPDBG(SCTP_DEBUG_INDATA1, "Duplicate S-SEQ: %u delivered: %u from peer, Abort association\n",
516 strm->last_mid_delivered, control->mid);
517 /*
518 * throw it in the stream so it gets cleaned up in
519 * association destruction
520 */
521 TAILQ_INSERT_HEAD(&strm->inqueue, control, next_instrm);
522 if (asoc->idata_supported) {
523 snprintf(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x",
524 strm->last_mid_delivered, control->sinfo_tsn,
525 control->sinfo_stream, control->mid);
526 } else {
527 snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
528 (uint16_t)strm->last_mid_delivered,
529 control->sinfo_tsn,
530 control->sinfo_stream,
531 (uint16_t)control->mid);
532 }
533 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
534 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_2;
535 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
536 *abort_flag = 1;
537 return;
538
539 }
540 queue_needed = 1;
541 asoc->size_on_all_streams += control->length;
542 sctp_ucount_incr(asoc->cnt_on_all_streams);
543 nxt_todel = strm->last_mid_delivered + 1;
544 if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) {
545 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
546 struct socket *so;
547
548 so = SCTP_INP_SO(stcb->sctp_ep);
549 atomic_add_int(&stcb->asoc.refcnt, 1);
550 SCTP_TCB_UNLOCK(stcb);
551 SCTP_SOCKET_LOCK(so, 1);
552 SCTP_TCB_LOCK(stcb);
553 atomic_subtract_int(&stcb->asoc.refcnt, 1);
554 if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
555 SCTP_SOCKET_UNLOCK(so, 1);
556 return;
557 }
558 #endif
559 /* can be delivered right away? */
560 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
561 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_IMMED_DEL);
562 }
563 /* EY it wont be queued if it could be delivered directly */
564 queue_needed = 0;
565 if (asoc->size_on_all_streams >= control->length) {
566 asoc->size_on_all_streams -= control->length;
567 } else {
568 #ifdef INVARIANTS
569 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
570 #else
571 asoc->size_on_all_streams = 0;
572 #endif
573 }
574 sctp_ucount_decr(asoc->cnt_on_all_streams);
575 strm->last_mid_delivered++;
576 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
577 sctp_add_to_readq(stcb->sctp_ep, stcb,
578 control,
579 &stcb->sctp_socket->so_rcv, 1,
580 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_LOCKED);
581 TAILQ_FOREACH_SAFE(control, &strm->inqueue, next_instrm, at) {
582 /* all delivered */
583 nxt_todel = strm->last_mid_delivered + 1;
584 if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid) &&
585 (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG)) {
586 if (control->on_strm_q == SCTP_ON_ORDERED) {
587 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
588 if (asoc->size_on_all_streams >= control->length) {
589 asoc->size_on_all_streams -= control->length;
590 } else {
591 #ifdef INVARIANTS
592 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
593 #else
594 asoc->size_on_all_streams = 0;
595 #endif
596 }
597 sctp_ucount_decr(asoc->cnt_on_all_streams);
598 #ifdef INVARIANTS
599 } else {
600 panic("Huh control: %p is on_strm_q: %d",
601 control, control->on_strm_q);
602 #endif
603 }
604 control->on_strm_q = 0;
605 strm->last_mid_delivered++;
606 /*
607 * We ignore the return of deliver_data here
608 * since we always can hold the chunk on the
609 * d-queue. And we have a finite number that
610 * can be delivered from the strq.
611 */
612 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
613 sctp_log_strm_del(control, NULL,
614 SCTP_STR_LOG_FROM_IMMED_DEL);
615 }
616 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
617 sctp_add_to_readq(stcb->sctp_ep, stcb,
618 control,
619 &stcb->sctp_socket->so_rcv, 1,
620 SCTP_READ_LOCK_NOT_HELD,
621 SCTP_SO_LOCKED);
622 continue;
623 } else if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) {
624 *need_reasm = 1;
625 }
626 break;
627 }
628 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
629 SCTP_SOCKET_UNLOCK(so, 1);
630 #endif
631 }
632 if (queue_needed) {
633 /*
634 * Ok, we did not deliver this guy, find the correct place
635 * to put it on the queue.
636 */
637 if (sctp_place_control_in_stream(strm, asoc, control)) {
638 snprintf(msg, sizeof(msg),
639 "Queue to str MID: %u duplicate",
640 control->mid);
641 sctp_clean_up_control(stcb, control);
642 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
643 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_3;
644 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
645 *abort_flag = 1;
646 }
647 }
648 }
649
650
651 static void
652 sctp_setup_tail_pointer(struct sctp_queued_to_read *control)
653 {
654 struct mbuf *m, *prev = NULL;
655 struct sctp_tcb *stcb;
656
657 stcb = control->stcb;
658 control->held_length = 0;
659 control->length = 0;
660 m = control->data;
661 while (m) {
662 if (SCTP_BUF_LEN(m) == 0) {
663 /* Skip mbufs with NO length */
664 if (prev == NULL) {
665 /* First one */
666 control->data = sctp_m_free(m);
667 m = control->data;
668 } else {
669 SCTP_BUF_NEXT(prev) = sctp_m_free(m);
670 m = SCTP_BUF_NEXT(prev);
671 }
672 if (m == NULL) {
673 control->tail_mbuf = prev;
674 }
675 continue;
676 }
677 prev = m;
678 atomic_add_int(&control->length, SCTP_BUF_LEN(m));
679 if (control->on_read_q) {
680 /*
681 * On read queue so we must increment the SB stuff,
682 * we assume caller has done any locks of SB.
683 */
684 sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m);
685 }
686 m = SCTP_BUF_NEXT(m);
687 }
688 if (prev) {
689 control->tail_mbuf = prev;
690 }
691 }
692
693 static void
694 sctp_add_to_tail_pointer(struct sctp_queued_to_read *control, struct mbuf *m, uint32_t *added)
695 {
696 struct mbuf *prev = NULL;
697 struct sctp_tcb *stcb;
698
699 stcb = control->stcb;
700 if (stcb == NULL) {
701 #ifdef INVARIANTS
702 panic("Control broken");
703 #else
704 return;
705 #endif
706 }
707 if (control->tail_mbuf == NULL) {
708 /* TSNH */
709 control->data = m;
710 sctp_setup_tail_pointer(control);
711 return;
712 }
713 control->tail_mbuf->m_next = m;
714 while (m) {
715 if (SCTP_BUF_LEN(m) == 0) {
716 /* Skip mbufs with NO length */
717 if (prev == NULL) {
718 /* First one */
719 control->tail_mbuf->m_next = sctp_m_free(m);
720 m = control->tail_mbuf->m_next;
721 } else {
722 SCTP_BUF_NEXT(prev) = sctp_m_free(m);
723 m = SCTP_BUF_NEXT(prev);
724 }
725 if (m == NULL) {
726 control->tail_mbuf = prev;
727 }
728 continue;
729 }
730 prev = m;
731 if (control->on_read_q) {
732 /*
733 * On read queue so we must increment the SB stuff,
734 * we assume caller has done any locks of SB.
735 */
736 sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m);
737 }
738 *added += SCTP_BUF_LEN(m);
739 atomic_add_int(&control->length, SCTP_BUF_LEN(m));
740 m = SCTP_BUF_NEXT(m);
741 }
742 if (prev) {
743 control->tail_mbuf = prev;
744 }
745 }
746
747 static void
748 sctp_build_readq_entry_from_ctl(struct sctp_queued_to_read *nc, struct sctp_queued_to_read *control)
749 {
750 memset(nc, 0, sizeof(struct sctp_queued_to_read));
751 nc->sinfo_stream = control->sinfo_stream;
752 nc->mid = control->mid;
753 TAILQ_INIT(&nc->reasm);
754 nc->top_fsn = control->top_fsn;
755 nc->mid = control->mid;
756 nc->sinfo_flags = control->sinfo_flags;
757 nc->sinfo_ppid = control->sinfo_ppid;
758 nc->sinfo_context = control->sinfo_context;
759 nc->fsn_included = 0xffffffff;
760 nc->sinfo_tsn = control->sinfo_tsn;
761 nc->sinfo_cumtsn = control->sinfo_cumtsn;
762 nc->sinfo_assoc_id = control->sinfo_assoc_id;
763 nc->whoFrom = control->whoFrom;
764 atomic_add_int(&nc->whoFrom->ref_count, 1);
765 nc->stcb = control->stcb;
766 nc->port_from = control->port_from;
767 }
768
769 static void
770 sctp_reset_a_control(struct sctp_queued_to_read *control,
771 struct sctp_inpcb *inp, uint32_t tsn)
772 {
773 control->fsn_included = tsn;
774 if (control->on_read_q) {
775 /*
776 * We have to purge it from there, hopefully this will work
777 * :-)
778 */
779 TAILQ_REMOVE(&inp->read_queue, control, next);
780 control->on_read_q = 0;
781 }
782 }
783
784 static int
785 sctp_handle_old_unordered_data(struct sctp_tcb *stcb,
786 struct sctp_association *asoc,
787 struct sctp_stream_in *strm,
788 struct sctp_queued_to_read *control,
789 uint32_t pd_point,
790 int inp_read_lock_held)
791 {
792 /*
793 * Special handling for the old un-ordered data chunk. All the
794 * chunks/TSN's go to mid 0. So we have to do the old style watching
795 * to see if we have it all. If you return one, no other control
796 * entries on the un-ordered queue will be looked at. In theory
797 * there should be no others entries in reality, unless the guy is
798 * sending both unordered NDATA and unordered DATA...
799 */
800 struct sctp_tmit_chunk *chk, *lchk, *tchk;
801 uint32_t fsn;
802 struct sctp_queued_to_read *nc;
803 int cnt_added;
804
805 if (control->first_frag_seen == 0) {
806 /* Nothing we can do, we have not seen the first piece yet */
807 return (1);
808 }
809 /* Collapse any we can */
810 cnt_added = 0;
811 restart:
812 fsn = control->fsn_included + 1;
813 /* Now what can we add? */
814 TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, lchk) {
815 if (chk->rec.data.fsn == fsn) {
816 /* Ok lets add it */
817 sctp_alloc_a_readq(stcb, nc);
818 if (nc == NULL) {
819 break;
820 }
821 memset(nc, 0, sizeof(struct sctp_queued_to_read));
822 TAILQ_REMOVE(&control->reasm, chk, sctp_next);
823 sctp_add_chk_to_control(control, strm, stcb, asoc, chk, SCTP_READ_LOCK_NOT_HELD);
824 fsn++;
825 cnt_added++;
826 chk = NULL;
827 if (control->end_added) {
828 /* We are done */
829 if (!TAILQ_EMPTY(&control->reasm)) {
830 /*
831 * Ok we have to move anything left
832 * on the control queue to a new
833 * control.
834 */
835 sctp_build_readq_entry_from_ctl(nc, control);
836 tchk = TAILQ_FIRST(&control->reasm);
837 if (tchk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
838 TAILQ_REMOVE(&control->reasm, tchk, sctp_next);
839 if (asoc->size_on_reasm_queue >= tchk->send_size) {
840 asoc->size_on_reasm_queue -= tchk->send_size;
841 } else {
842 #ifdef INVARIANTS
843 panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, tchk->send_size);
844 #else
845 asoc->size_on_reasm_queue = 0;
846 #endif
847 }
848 sctp_ucount_decr(asoc->cnt_on_reasm_queue);
849 nc->first_frag_seen = 1;
850 nc->fsn_included = tchk->rec.data.fsn;
851 nc->data = tchk->data;
852 nc->sinfo_ppid = tchk->rec.data.ppid;
853 nc->sinfo_tsn = tchk->rec.data.tsn;
854 sctp_mark_non_revokable(asoc, tchk->rec.data.tsn);
855 tchk->data = NULL;
856 sctp_free_a_chunk(stcb, tchk, SCTP_SO_NOT_LOCKED);
857 sctp_setup_tail_pointer(nc);
858 tchk = TAILQ_FIRST(&control->reasm);
859 }
860 /* Spin the rest onto the queue */
861 while (tchk) {
862 TAILQ_REMOVE(&control->reasm, tchk, sctp_next);
863 TAILQ_INSERT_TAIL(&nc->reasm, tchk, sctp_next);
864 tchk = TAILQ_FIRST(&control->reasm);
865 }
866 /*
867 * Now lets add it to the queue
868 * after removing control
869 */
870 TAILQ_INSERT_TAIL(&strm->uno_inqueue, nc, next_instrm);
871 nc->on_strm_q = SCTP_ON_UNORDERED;
872 if (control->on_strm_q) {
873 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
874 control->on_strm_q = 0;
875 }
876 }
877 if (control->pdapi_started) {
878 strm->pd_api_started = 0;
879 control->pdapi_started = 0;
880 }
881 if (control->on_strm_q) {
882 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
883 control->on_strm_q = 0;
884 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
885 }
886 if (control->on_read_q == 0) {
887 sctp_add_to_readq(stcb->sctp_ep, stcb, control,
888 &stcb->sctp_socket->so_rcv, control->end_added,
889 inp_read_lock_held, SCTP_SO_NOT_LOCKED);
890 }
891 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
892 if ((nc->first_frag_seen) && !TAILQ_EMPTY(&nc->reasm)) {
893 /*
894 * Switch to the new guy and
895 * continue
896 */
897 control = nc;
898 goto restart;
899 } else {
900 if (nc->on_strm_q == 0) {
901 sctp_free_a_readq(stcb, nc);
902 }
903 }
904 return (1);
905 } else {
906 sctp_free_a_readq(stcb, nc);
907 }
908 } else {
909 /* Can't add more */
910 break;
911 }
912 }
913 if ((control->length > pd_point) && (strm->pd_api_started == 0)) {
914 strm->pd_api_started = 1;
915 control->pdapi_started = 1;
916 sctp_add_to_readq(stcb->sctp_ep, stcb, control,
917 &stcb->sctp_socket->so_rcv, control->end_added,
918 inp_read_lock_held, SCTP_SO_NOT_LOCKED);
919 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
920 return (0);
921 } else {
922 return (1);
923 }
924 }
925
926 static void
927 sctp_inject_old_unordered_data(struct sctp_tcb *stcb,
928 struct sctp_association *asoc,
929 struct sctp_queued_to_read *control,
930 struct sctp_tmit_chunk *chk,
931 int *abort_flag)
932 {
933 struct sctp_tmit_chunk *at;
934 int inserted;
935
936 /*
937 * Here we need to place the chunk into the control structure sorted
938 * in the correct order.
939 */
940 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
941 /* Its the very first one. */
942 SCTPDBG(SCTP_DEBUG_XXX,
943 "chunk is a first fsn: %u becomes fsn_included\n",
944 chk->rec.data.fsn);
945 if (control->first_frag_seen) {
946 /*
947 * In old un-ordered we can reassembly on one
948 * control multiple messages. As long as the next
949 * FIRST is greater then the old first (TSN i.e. FSN
950 * wise)
951 */
952 struct mbuf *tdata;
953 uint32_t tmp;
954
955 if (SCTP_TSN_GT(chk->rec.data.fsn, control->fsn_included)) {
956 /*
957 * Easy way the start of a new guy beyond
958 * the lowest
959 */
960 goto place_chunk;
961 }
962 if ((chk->rec.data.fsn == control->fsn_included) ||
963 (control->pdapi_started)) {
964 /*
965 * Ok this should not happen, if it does we
966 * started the pd-api on the higher TSN
967 * (since the equals part is a TSN failure
968 * it must be that).
969 *
970 * We are completly hosed in that case since
971 * I have no way to recover. This really
972 * will only happen if we can get more TSN's
973 * higher before the pd-api-point.
974 */
975 sctp_abort_in_reasm(stcb, control, chk,
976 abort_flag,
977 SCTP_FROM_SCTP_INDATA + SCTP_LOC_4);
978
979 return;
980 }
981 /*
982 * Ok we have two firsts and the one we just got is
983 * smaller than the one we previously placed.. yuck!
984 * We must swap them out.
985 */
986 /* swap the mbufs */
987 tdata = control->data;
988 control->data = chk->data;
989 chk->data = tdata;
990 /* Save the lengths */
991 chk->send_size = control->length;
992 /* Recompute length of control and tail pointer */
993 sctp_setup_tail_pointer(control);
994 /* Fix the FSN included */
995 tmp = control->fsn_included;
996 control->fsn_included = chk->rec.data.fsn;
997 chk->rec.data.fsn = tmp;
998 /* Fix the TSN included */
999 tmp = control->sinfo_tsn;
1000 control->sinfo_tsn = chk->rec.data.tsn;
1001 chk->rec.data.tsn = tmp;
1002 /* Fix the PPID included */
1003 tmp = control->sinfo_ppid;
1004 control->sinfo_ppid = chk->rec.data.ppid;
1005 chk->rec.data.ppid = tmp;
1006 /* Fix tail pointer */
1007 goto place_chunk;
1008 }
1009 control->first_frag_seen = 1;
1010 control->fsn_included = chk->rec.data.fsn;
1011 control->top_fsn = chk->rec.data.fsn;
1012 control->sinfo_tsn = chk->rec.data.tsn;
1013 control->sinfo_ppid = chk->rec.data.ppid;
1014 control->data = chk->data;
1015 sctp_mark_non_revokable(asoc, chk->rec.data.tsn);
1016 chk->data = NULL;
1017 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
1018 sctp_setup_tail_pointer(control);
1019 return;
1020 }
1021 place_chunk:
1022 inserted = 0;
1023 TAILQ_FOREACH(at, &control->reasm, sctp_next) {
1024 if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) {
1025 /*
1026 * This one in queue is bigger than the new one,
1027 * insert the new one before at.
1028 */
1029 asoc->size_on_reasm_queue += chk->send_size;
1030 sctp_ucount_incr(asoc->cnt_on_reasm_queue);
1031 inserted = 1;
1032 TAILQ_INSERT_BEFORE(at, chk, sctp_next);
1033 break;
1034 } else if (at->rec.data.fsn == chk->rec.data.fsn) {
1035 /*
1036 * They sent a duplicate fsn number. This really
1037 * should not happen since the FSN is a TSN and it
1038 * should have been dropped earlier.
1039 */
1040 sctp_abort_in_reasm(stcb, control, chk,
1041 abort_flag,
1042 SCTP_FROM_SCTP_INDATA + SCTP_LOC_5);
1043 return;
1044 }
1045 }
1046 if (inserted == 0) {
1047 /* Its at the end */
1048 asoc->size_on_reasm_queue += chk->send_size;
1049 sctp_ucount_incr(asoc->cnt_on_reasm_queue);
1050 control->top_fsn = chk->rec.data.fsn;
1051 TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next);
1052 }
1053 }
1054
1055 static int
1056 sctp_deliver_reasm_check(struct sctp_tcb *stcb, struct sctp_association *asoc,
1057 struct sctp_stream_in *strm, int inp_read_lock_held)
1058 {
1059 /*
1060 * Given a stream, strm, see if any of the SSN's on it that are
1061 * fragmented are ready to deliver. If so go ahead and place them on
1062 * the read queue. In so placing if we have hit the end, then we
1063 * need to remove them from the stream's queue.
1064 */
1065 struct sctp_queued_to_read *control, *nctl = NULL;
1066 uint32_t next_to_del;
1067 uint32_t pd_point;
1068 int ret = 0;
1069
1070 if (stcb->sctp_socket) {
1071 pd_point = min(SCTP_SB_LIMIT_RCV(stcb->sctp_socket) >> SCTP_PARTIAL_DELIVERY_SHIFT,
1072 stcb->sctp_ep->partial_delivery_point);
1073 } else {
1074 pd_point = stcb->sctp_ep->partial_delivery_point;
1075 }
1076 control = TAILQ_FIRST(&strm->uno_inqueue);
1077
1078 if ((control != NULL) &&
1079 (asoc->idata_supported == 0)) {
1080 /* Special handling needed for "old" data format */
1081 if (sctp_handle_old_unordered_data(stcb, asoc, strm, control, pd_point, inp_read_lock_held)) {
1082 goto done_un;
1083 }
1084 }
1085 if (strm->pd_api_started) {
1086 /* Can't add more */
1087 return (0);
1088 }
1089 while (control) {
1090 SCTPDBG(SCTP_DEBUG_XXX, "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u -uo\n",
1091 control, control->end_added, control->mid, control->top_fsn, control->fsn_included);
1092 nctl = TAILQ_NEXT(control, next_instrm);
1093 if (control->end_added) {
1094 /* We just put the last bit on */
1095 if (control->on_strm_q) {
1096 #ifdef INVARIANTS
1097 if (control->on_strm_q != SCTP_ON_UNORDERED) {
1098 panic("Huh control: %p on_q: %d -- not unordered?",
1099 control, control->on_strm_q);
1100 }
1101 #endif
1102 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
1103 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
1104 control->on_strm_q = 0;
1105 }
1106 if (control->on_read_q == 0) {
1107 sctp_add_to_readq(stcb->sctp_ep, stcb,
1108 control,
1109 &stcb->sctp_socket->so_rcv, control->end_added,
1110 inp_read_lock_held, SCTP_SO_NOT_LOCKED);
1111 }
1112 } else {
1113 /* Can we do a PD-API for this un-ordered guy? */
1114 if ((control->length >= pd_point) && (strm->pd_api_started == 0)) {
1115 strm->pd_api_started = 1;
1116 control->pdapi_started = 1;
1117 sctp_add_to_readq(stcb->sctp_ep, stcb,
1118 control,
1119 &stcb->sctp_socket->so_rcv, control->end_added,
1120 inp_read_lock_held, SCTP_SO_NOT_LOCKED);
1121
1122 break;
1123 }
1124 }
1125 control = nctl;
1126 }
1127 done_un:
1128 control = TAILQ_FIRST(&strm->inqueue);
1129 if (strm->pd_api_started) {
1130 /* Can't add more */
1131 return (0);
1132 }
1133 if (control == NULL) {
1134 return (ret);
1135 }
1136 if (SCTP_MID_EQ(asoc->idata_supported, strm->last_mid_delivered, control->mid)) {
1137 /*
1138 * Ok the guy at the top was being partially delivered
1139 * completed, so we remove it. Note the pd_api flag was
1140 * taken off when the chunk was merged on in
1141 * sctp_queue_data_for_reasm below.
1142 */
1143 nctl = TAILQ_NEXT(control, next_instrm);
1144 SCTPDBG(SCTP_DEBUG_XXX,
1145 "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (lastdel: %u)- o\n",
1146 control, control->end_added, control->mid,
1147 control->top_fsn, control->fsn_included,
1148 strm->last_mid_delivered);
1149 if (control->end_added) {
1150 if (control->on_strm_q) {
1151 #ifdef INVARIANTS
1152 if (control->on_strm_q != SCTP_ON_ORDERED) {
1153 panic("Huh control: %p on_q: %d -- not ordered?",
1154 control, control->on_strm_q);
1155 }
1156 #endif
1157 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
1158 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
1159 if (asoc->size_on_all_streams >= control->length) {
1160 asoc->size_on_all_streams -= control->length;
1161 } else {
1162 #ifdef INVARIANTS
1163 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
1164 #else
1165 asoc->size_on_all_streams = 0;
1166 #endif
1167 }
1168 sctp_ucount_decr(asoc->cnt_on_all_streams);
1169 control->on_strm_q = 0;
1170 }
1171 if (strm->pd_api_started && control->pdapi_started) {
1172 control->pdapi_started = 0;
1173 strm->pd_api_started = 0;
1174 }
1175 if (control->on_read_q == 0) {
1176 sctp_add_to_readq(stcb->sctp_ep, stcb,
1177 control,
1178 &stcb->sctp_socket->so_rcv, control->end_added,
1179 inp_read_lock_held, SCTP_SO_NOT_LOCKED);
1180 }
1181 control = nctl;
1182 }
1183 }
1184 if (strm->pd_api_started) {
1185 /*
1186 * Can't add more must have gotten an un-ordered above being
1187 * partially delivered.
1188 */
1189 return (0);
1190 }
1191 deliver_more:
1192 next_to_del = strm->last_mid_delivered + 1;
1193 if (control) {
1194 SCTPDBG(SCTP_DEBUG_XXX,
1195 "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (nxtdel: %u)- o\n",
1196 control, control->end_added, control->mid, control->top_fsn, control->fsn_included,
1197 next_to_del);
1198 nctl = TAILQ_NEXT(control, next_instrm);
1199 if (SCTP_MID_EQ(asoc->idata_supported, control->mid, next_to_del) &&
1200 (control->first_frag_seen)) {
1201 int done;
1202
1203 /* Ok we can deliver it onto the stream. */
1204 if (control->end_added) {
1205 /* We are done with it afterwards */
1206 if (control->on_strm_q) {
1207 #ifdef INVARIANTS
1208 if (control->on_strm_q != SCTP_ON_ORDERED) {
1209 panic("Huh control: %p on_q: %d -- not ordered?",
1210 control, control->on_strm_q);
1211 }
1212 #endif
1213 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
1214 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
1215 if (asoc->size_on_all_streams >= control->length) {
1216 asoc->size_on_all_streams -= control->length;
1217 } else {
1218 #ifdef INVARIANTS
1219 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
1220 #else
1221 asoc->size_on_all_streams = 0;
1222 #endif
1223 }
1224 sctp_ucount_decr(asoc->cnt_on_all_streams);
1225 control->on_strm_q = 0;
1226 }
1227 ret++;
1228 }
1229 if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
1230 /*
1231 * A singleton now slipping through - mark
1232 * it non-revokable too
1233 */
1234 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
1235 } else if (control->end_added == 0) {
1236 /*
1237 * Check if we can defer adding until its
1238 * all there
1239 */
1240 if ((control->length < pd_point) || (strm->pd_api_started)) {
1241 /*
1242 * Don't need it or cannot add more
1243 * (one being delivered that way)
1244 */
1245 goto out;
1246 }
1247 }
1248 done = (control->end_added) && (control->last_frag_seen);
1249 if (control->on_read_q == 0) {
1250 if (!done) {
1251 if (asoc->size_on_all_streams >= control->length) {
1252 asoc->size_on_all_streams -= control->length;
1253 } else {
1254 #ifdef INVARIANTS
1255 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
1256 #else
1257 asoc->size_on_all_streams = 0;
1258 #endif
1259 }
1260 strm->pd_api_started = 1;
1261 control->pdapi_started = 1;
1262 }
1263 sctp_add_to_readq(stcb->sctp_ep, stcb,
1264 control,
1265 &stcb->sctp_socket->so_rcv, control->end_added,
1266 inp_read_lock_held, SCTP_SO_NOT_LOCKED);
1267 }
1268 strm->last_mid_delivered = next_to_del;
1269 if (done) {
1270 control = nctl;
1271 goto deliver_more;
1272 }
1273 }
1274 }
1275 out:
1276 return (ret);
1277 }
1278
1279
1280 uint32_t
1281 sctp_add_chk_to_control(struct sctp_queued_to_read *control,
1282 struct sctp_stream_in *strm,
1283 struct sctp_tcb *stcb, struct sctp_association *asoc,
1284 struct sctp_tmit_chunk *chk, int hold_rlock)
1285 {
1286 /*
1287 * Given a control and a chunk, merge the data from the chk onto the
1288 * control and free up the chunk resources.
1289 */
1290 uint32_t added = 0;
1291 int i_locked = 0;
1292
1293 if (control->on_read_q && (hold_rlock == 0)) {
1294 /*
1295 * Its being pd-api'd so we must do some locks.
1296 */
1297 SCTP_INP_READ_LOCK(stcb->sctp_ep);
1298 i_locked = 1;
1299 }
1300 if (control->data == NULL) {
1301 control->data = chk->data;
1302 sctp_setup_tail_pointer(control);
1303 } else {
1304 sctp_add_to_tail_pointer(control, chk->data, &added);
1305 }
1306 control->fsn_included = chk->rec.data.fsn;
1307 asoc->size_on_reasm_queue -= chk->send_size;
1308 sctp_ucount_decr(asoc->cnt_on_reasm_queue);
1309 sctp_mark_non_revokable(asoc, chk->rec.data.tsn);
1310 chk->data = NULL;
1311 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
1312 control->first_frag_seen = 1;
1313 control->sinfo_tsn = chk->rec.data.tsn;
1314 control->sinfo_ppid = chk->rec.data.ppid;
1315 }
1316 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
1317 /* Its complete */
1318 if ((control->on_strm_q) && (control->on_read_q)) {
1319 if (control->pdapi_started) {
1320 control->pdapi_started = 0;
1321 strm->pd_api_started = 0;
1322 }
1323 if (control->on_strm_q == SCTP_ON_UNORDERED) {
1324 /* Unordered */
1325 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
1326 control->on_strm_q = 0;
1327 } else if (control->on_strm_q == SCTP_ON_ORDERED) {
1328 /* Ordered */
1329 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
1330 /*
1331 * Don't need to decrement
1332 * size_on_all_streams, since control is on
1333 * the read queue.
1334 */
1335 sctp_ucount_decr(asoc->cnt_on_all_streams);
1336 control->on_strm_q = 0;
1337 #ifdef INVARIANTS
1338 } else if (control->on_strm_q) {
1339 panic("Unknown state on ctrl: %p on_strm_q: %d", control,
1340 control->on_strm_q);
1341 #endif
1342 }
1343 }
1344 control->end_added = 1;
1345 control->last_frag_seen = 1;
1346 }
1347 if (i_locked) {
1348 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
1349 }
1350 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
1351 return (added);
1352 }
1353
1354 /*
1355 * Dump onto the re-assembly queue, in its proper place. After dumping on the
1356 * queue, see if anthing can be delivered. If so pull it off (or as much as
1357 * we can. If we run out of space then we must dump what we can and set the
1358 * appropriate flag to say we queued what we could.
1359 */
1360 static void
1361 sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
1362 struct sctp_queued_to_read *control,
1363 struct sctp_tmit_chunk *chk,
1364 int created_control,
1365 int *abort_flag, uint32_t tsn)
1366 {
1367 uint32_t next_fsn;
1368 struct sctp_tmit_chunk *at, *nat;
1369 struct sctp_stream_in *strm;
1370 int do_wakeup, unordered;
1371 uint32_t lenadded;
1372
1373 strm = &asoc->strmin[control->sinfo_stream];
1374 /*
1375 * For old un-ordered data chunks.
1376 */
1377 if ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) {
1378 unordered = 1;
1379 } else {
1380 unordered = 0;
1381 }
1382 /* Must be added to the stream-in queue */
1383 if (created_control) {
1384 if (unordered == 0) {
1385 sctp_ucount_incr(asoc->cnt_on_all_streams);
1386 }
1387 if (sctp_place_control_in_stream(strm, asoc, control)) {
1388 /* Duplicate SSN? */
1389 sctp_abort_in_reasm(stcb, control, chk,
1390 abort_flag,
1391 SCTP_FROM_SCTP_INDATA + SCTP_LOC_6);
1392 sctp_clean_up_control(stcb, control);
1393 return;
1394 }
1395 if ((tsn == (asoc->cumulative_tsn + 1) && (asoc->idata_supported == 0))) {
1396 /*
1397 * Ok we created this control and now lets validate
1398 * that its legal i.e. there is a B bit set, if not
1399 * and we have up to the cum-ack then its invalid.
1400 */
1401 if ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0) {
1402 sctp_abort_in_reasm(stcb, control, chk,
1403 abort_flag,
1404 SCTP_FROM_SCTP_INDATA + SCTP_LOC_7);
1405 return;
1406 }
1407 }
1408 }
1409 if ((asoc->idata_supported == 0) && (unordered == 1)) {
1410 sctp_inject_old_unordered_data(stcb, asoc, control, chk, abort_flag);
1411 return;
1412 }
1413 /*
1414 * Ok we must queue the chunk into the reasembly portion: o if its
1415 * the first it goes to the control mbuf. o if its not first but the
1416 * next in sequence it goes to the control, and each succeeding one
1417 * in order also goes. o if its not in order we place it on the list
1418 * in its place.
1419 */
1420 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
1421 /* Its the very first one. */
1422 SCTPDBG(SCTP_DEBUG_XXX,
1423 "chunk is a first fsn: %u becomes fsn_included\n",
1424 chk->rec.data.fsn);
1425 if (control->first_frag_seen) {
1426 /*
1427 * Error on senders part, they either sent us two
1428 * data chunks with FIRST, or they sent two
1429 * un-ordered chunks that were fragmented at the
1430 * same time in the same stream.
1431 */
1432 sctp_abort_in_reasm(stcb, control, chk,
1433 abort_flag,
1434 SCTP_FROM_SCTP_INDATA + SCTP_LOC_8);
1435 return;
1436 }
1437 control->first_frag_seen = 1;
1438 control->sinfo_ppid = chk->rec.data.ppid;
1439 control->sinfo_tsn = chk->rec.data.tsn;
1440 control->fsn_included = chk->rec.data.fsn;
1441 control->data = chk->data;
1442 sctp_mark_non_revokable(asoc, chk->rec.data.tsn);
1443 chk->data = NULL;
1444 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
1445 sctp_setup_tail_pointer(control);
1446 asoc->size_on_all_streams += control->length;
1447 } else {
1448 /* Place the chunk in our list */
1449 int inserted = 0;
1450
1451 if (control->last_frag_seen == 0) {
1452 /* Still willing to raise highest FSN seen */
1453 if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) {
1454 SCTPDBG(SCTP_DEBUG_XXX,
1455 "We have a new top_fsn: %u\n",
1456 chk->rec.data.fsn);
1457 control->top_fsn = chk->rec.data.fsn;
1458 }
1459 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
1460 SCTPDBG(SCTP_DEBUG_XXX,
1461 "The last fsn is now in place fsn: %u\n",
1462 chk->rec.data.fsn);
1463 control->last_frag_seen = 1;
1464 }
1465 if (asoc->idata_supported || control->first_frag_seen) {
1466 /*
1467 * For IDATA we always check since we know
1468 * that the first fragment is 0. For old
1469 * DATA we have to receive the first before
1470 * we know the first FSN (which is the TSN).
1471 */
1472 if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) {
1473 /*
1474 * We have already delivered up to
1475 * this so its a dup
1476 */
1477 sctp_abort_in_reasm(stcb, control, chk,
1478 abort_flag,
1479 SCTP_FROM_SCTP_INDATA + SCTP_LOC_9);
1480 return;
1481 }
1482 }
1483 } else {
1484 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
1485 /* Second last? huh? */
1486 SCTPDBG(SCTP_DEBUG_XXX,
1487 "Duplicate last fsn: %u (top: %u) -- abort\n",
1488 chk->rec.data.fsn, control->top_fsn);
1489 sctp_abort_in_reasm(stcb, control,
1490 chk, abort_flag,
1491 SCTP_FROM_SCTP_INDATA + SCTP_LOC_10);
1492 return;
1493 }
1494 if (asoc->idata_supported || control->first_frag_seen) {
1495 /*
1496 * For IDATA we always check since we know
1497 * that the first fragment is 0. For old
1498 * DATA we have to receive the first before
1499 * we know the first FSN (which is the TSN).
1500 */
1501
1502 if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) {
1503 /*
1504 * We have already delivered up to
1505 * this so its a dup
1506 */
1507 SCTPDBG(SCTP_DEBUG_XXX,
1508 "New fsn: %u is already seen in included_fsn: %u -- abort\n",
1509 chk->rec.data.fsn, control->fsn_included);
1510 sctp_abort_in_reasm(stcb, control, chk,
1511 abort_flag,
1512 SCTP_FROM_SCTP_INDATA + SCTP_LOC_11);
1513 return;
1514 }
1515 }
1516 /*
1517 * validate not beyond top FSN if we have seen last
1518 * one
1519 */
1520 if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) {
1521 SCTPDBG(SCTP_DEBUG_XXX,
1522 "New fsn: %u is beyond or at top_fsn: %u -- abort\n",
1523 chk->rec.data.fsn,
1524 control->top_fsn);
1525 sctp_abort_in_reasm(stcb, control, chk,
1526 abort_flag,
1527 SCTP_FROM_SCTP_INDATA + SCTP_LOC_12);
1528 return;
1529 }
1530 }
1531 /*
1532 * If we reach here, we need to place the new chunk in the
1533 * reassembly for this control.
1534 */
1535 SCTPDBG(SCTP_DEBUG_XXX,
1536 "chunk is a not first fsn: %u needs to be inserted\n",
1537 chk->rec.data.fsn);
1538 TAILQ_FOREACH(at, &control->reasm, sctp_next) {
1539 if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) {
1540 /*
1541 * This one in queue is bigger than the new
1542 * one, insert the new one before at.
1543 */
1544 SCTPDBG(SCTP_DEBUG_XXX,
1545 "Insert it before fsn: %u\n",
1546 at->rec.data.fsn);
1547 asoc->size_on_reasm_queue += chk->send_size;
1548 sctp_ucount_incr(asoc->cnt_on_reasm_queue);
1549 TAILQ_INSERT_BEFORE(at, chk, sctp_next);
1550 inserted = 1;
1551 break;
1552 } else if (at->rec.data.fsn == chk->rec.data.fsn) {
1553 /*
1554 * Gak, He sent me a duplicate str seq
1555 * number
1556 */
1557 /*
1558 * foo bar, I guess I will just free this
1559 * new guy, should we abort too? FIX ME
1560 * MAYBE? Or it COULD be that the SSN's have
1561 * wrapped. Maybe I should compare to TSN
1562 * somehow... sigh for now just blow away
1563 * the chunk!
1564 */
1565 SCTPDBG(SCTP_DEBUG_XXX,
1566 "Duplicate to fsn: %u -- abort\n",
1567 at->rec.data.fsn);
1568 sctp_abort_in_reasm(stcb, control,
1569 chk, abort_flag,
1570 SCTP_FROM_SCTP_INDATA + SCTP_LOC_13);
1571 return;
1572 }
1573 }
1574 if (inserted == 0) {
1575 /* Goes on the end */
1576 SCTPDBG(SCTP_DEBUG_XXX, "Inserting at tail of list fsn: %u\n",
1577 chk->rec.data.fsn);
1578 asoc->size_on_reasm_queue += chk->send_size;
1579 sctp_ucount_incr(asoc->cnt_on_reasm_queue);
1580 TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next);
1581 }
1582 }
1583 /*
1584 * Ok lets see if we can suck any up into the control structure that
1585 * are in seq if it makes sense.
1586 */
1587 do_wakeup = 0;
1588 /*
1589 * If the first fragment has not been seen there is no sense in
1590 * looking.
1591 */
1592 if (control->first_frag_seen) {
1593 next_fsn = control->fsn_included + 1;
1594 TAILQ_FOREACH_SAFE(at, &control->reasm, sctp_next, nat) {
1595 if (at->rec.data.fsn == next_fsn) {
1596 /* We can add this one now to the control */
1597 SCTPDBG(SCTP_DEBUG_XXX,
1598 "Adding more to control: %p at: %p fsn: %u next_fsn: %u included: %u\n",
1599 control, at,
1600 at->rec.data.fsn,
1601 next_fsn, control->fsn_included);
1602 TAILQ_REMOVE(&control->reasm, at, sctp_next);
1603 lenadded = sctp_add_chk_to_control(control, strm, stcb, asoc, at, SCTP_READ_LOCK_NOT_HELD);
1604 if (control->on_read_q) {
1605 do_wakeup = 1;
1606 } else {
1607 /*
1608 * We only add to the
1609 * size-on-all-streams if its not on
1610 * the read q. The read q flag will
1611 * cause a sballoc so its accounted
1612 * for there.
1613 */
1614 asoc->size_on_all_streams += lenadded;
1615 }
1616 next_fsn++;
1617 if (control->end_added && control->pdapi_started) {
1618 if (strm->pd_api_started) {
1619 strm->pd_api_started = 0;
1620 control->pdapi_started = 0;
1621 }
1622 if (control->on_read_q == 0) {
1623 sctp_add_to_readq(stcb->sctp_ep, stcb,
1624 control,
1625 &stcb->sctp_socket->so_rcv, control->end_added,
1626 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
1627 }
1628 break;
1629 }
1630 } else {
1631 break;
1632 }
1633 }
1634 }
1635 if (do_wakeup) {
1636 /* Need to wakeup the reader */
1637 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
1638 }
1639 }
1640
1641 static struct sctp_queued_to_read *
1642 sctp_find_reasm_entry(struct sctp_stream_in *strm, uint32_t mid, int ordered, int idata_supported)
1643 {
1644 struct sctp_queued_to_read *control;
1645
1646 if (ordered) {
1647 TAILQ_FOREACH(control, &strm->inqueue, next_instrm) {
1648 if (SCTP_MID_EQ(idata_supported, control->mid, mid)) {
1649 break;
1650 }
1651 }
1652 } else {
1653 if (idata_supported) {
1654 TAILQ_FOREACH(control, &strm->uno_inqueue, next_instrm) {
1655 if (SCTP_MID_EQ(idata_supported, control->mid, mid)) {
1656 break;
1657 }
1658 }
1659 } else {
1660 control = TAILQ_FIRST(&strm->uno_inqueue);
1661 }
1662 }
1663 return (control);
1664 }
1665
1666 static int
1667 sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc,
1668 struct mbuf **m, int offset, int chk_length,
1669 struct sctp_nets *net, uint32_t *high_tsn, int *abort_flag,
1670 int *break_flag, int last_chunk, uint8_t chk_type)
1671 {
1672 /* Process a data chunk */
1673 /* struct sctp_tmit_chunk *chk; */
1674 struct sctp_tmit_chunk *chk;
1675 uint32_t tsn, fsn, gap, mid;
1676 struct mbuf *dmbuf;
1677 int the_len;
1678 int need_reasm_check = 0;
1679 uint16_t sid;
1680 struct mbuf *op_err;
1681 char msg[SCTP_DIAG_INFO_LEN];
1682 struct sctp_queued_to_read *control, *ncontrol;
1683 uint32_t ppid;
1684 uint8_t chk_flags;
1685 struct sctp_stream_reset_list *liste;
1686 int ordered;
1687 size_t clen;
1688 int created_control = 0;
1689
1690 if (chk_type == SCTP_IDATA) {
1691 struct sctp_idata_chunk *chunk, chunk_buf;
1692
1693 chunk = (struct sctp_idata_chunk *)sctp_m_getptr(*m, offset,
1694 sizeof(struct sctp_idata_chunk), (uint8_t *)&chunk_buf);
1695 chk_flags = chunk->ch.chunk_flags;
1696 clen = sizeof(struct sctp_idata_chunk);
1697 tsn = ntohl(chunk->dp.tsn);
1698 sid = ntohs(chunk->dp.sid);
1699 mid = ntohl(chunk->dp.mid);
1700 if (chk_flags & SCTP_DATA_FIRST_FRAG) {
1701 fsn = 0;
1702 ppid = chunk->dp.ppid_fsn.ppid;
1703 } else {
1704 fsn = ntohl(chunk->dp.ppid_fsn.fsn);
1705 ppid = 0xffffffff; /* Use as an invalid value. */
1706 }
1707 } else {
1708 struct sctp_data_chunk *chunk, chunk_buf;
1709
1710 chunk = (struct sctp_data_chunk *)sctp_m_getptr(*m, offset,
1711 sizeof(struct sctp_data_chunk), (uint8_t *)&chunk_buf);
1712 chk_flags = chunk->ch.chunk_flags;
1713 clen = sizeof(struct sctp_data_chunk);
1714 tsn = ntohl(chunk->dp.tsn);
1715 sid = ntohs(chunk->dp.sid);
1716 mid = (uint32_t)(ntohs(chunk->dp.ssn));
1717 fsn = tsn;
1718 ppid = chunk->dp.ppid;
1719 }
1720 if ((size_t)chk_length == clen) {
1721 /*
1722 * Need to send an abort since we had a empty data chunk.
1723 */
1724 op_err = sctp_generate_no_user_data_cause(tsn);
1725 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_14;
1726 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1727 *abort_flag = 1;
1728 return (0);
1729 }
1730 if ((chk_flags & SCTP_DATA_SACK_IMMEDIATELY) == SCTP_DATA_SACK_IMMEDIATELY) {
1731 asoc->send_sack = 1;
1732 }
1733 ordered = ((chk_flags & SCTP_DATA_UNORDERED) == 0);
1734 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
1735 sctp_log_map(tsn, asoc->cumulative_tsn, asoc->highest_tsn_inside_map, SCTP_MAP_TSN_ENTERS);
1736 }
1737 if (stcb == NULL) {
1738 return (0);
1739 }
1740 SCTP_LTRACE_CHK(stcb->sctp_ep, stcb, chk_type, tsn);
1741 if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) {
1742 /* It is a duplicate */
1743 SCTP_STAT_INCR(sctps_recvdupdata);
1744 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) {
1745 /* Record a dup for the next outbound sack */
1746 asoc->dup_tsns[asoc->numduptsns] = tsn;
1747 asoc->numduptsns++;
1748 }
1749 asoc->send_sack = 1;
1750 return (0);
1751 }
1752 /* Calculate the number of TSN's between the base and this TSN */
1753 SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn);
1754 if (gap >= (SCTP_MAPPING_ARRAY << 3)) {
1755 /* Can't hold the bit in the mapping at max array, toss it */
1756 return (0);
1757 }
1758 if (gap >= (uint32_t)(asoc->mapping_array_size << 3)) {
1759 SCTP_TCB_LOCK_ASSERT(stcb);
1760 if (sctp_expand_mapping_array(asoc, gap)) {
1761 /* Can't expand, drop it */
1762 return (0);
1763 }
1764 }
1765 if (SCTP_TSN_GT(tsn, *high_tsn)) {
1766 *high_tsn = tsn;
1767 }
1768 /* See if we have received this one already */
1769 if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap) ||
1770 SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap)) {
1771 SCTP_STAT_INCR(sctps_recvdupdata);
1772 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) {
1773 /* Record a dup for the next outbound sack */
1774 asoc->dup_tsns[asoc->numduptsns] = tsn;
1775 asoc->numduptsns++;
1776 }
1777 asoc->send_sack = 1;
1778 return (0);
1779 }
1780 /*
1781 * Check to see about the GONE flag, duplicates would cause a sack
1782 * to be sent up above
1783 */
1784 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
1785 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
1786 (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET))) {
1787 /*
1788 * wait a minute, this guy is gone, there is no longer a
1789 * receiver. Send peer an ABORT!
1790 */
1791 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
1792 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1793 *abort_flag = 1;
1794 return (0);
1795 }
1796 /*
1797 * Now before going further we see if there is room. If NOT then we
1798 * MAY let one through only IF this TSN is the one we are waiting
1799 * for on a partial delivery API.
1800 */
1801
1802 /* Is the stream valid? */
1803 if (sid >= asoc->streamincnt) {
1804 struct sctp_error_invalid_stream *cause;
1805
1806 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_error_invalid_stream),
1807 0, M_NOWAIT, 1, MT_DATA);
1808 if (op_err != NULL) {
1809 /* add some space up front so prepend will work well */
1810 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
1811 cause = mtod(op_err, struct sctp_error_invalid_stream *);
1812 /*
1813 * Error causes are just param's and this one has
1814 * two back to back phdr, one with the error type
1815 * and size, the other with the streamid and a rsvd
1816 */
1817 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_error_invalid_stream);
1818 cause->cause.code = htons(SCTP_CAUSE_INVALID_STREAM);
1819 cause->cause.length = htons(sizeof(struct sctp_error_invalid_stream));
1820 cause->stream_id = htons(sid);
1821 cause->reserved = htons(0);
1822 sctp_queue_op_err(stcb, op_err);
1823 }
1824 SCTP_STAT_INCR(sctps_badsid);
1825 SCTP_TCB_LOCK_ASSERT(stcb);
1826 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
1827 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
1828 asoc->highest_tsn_inside_nr_map = tsn;
1829 }
1830 if (tsn == (asoc->cumulative_tsn + 1)) {
1831 /* Update cum-ack */
1832 asoc->cumulative_tsn = tsn;
1833 }
1834 return (0);
1835 }
1836 /*
1837 * If its a fragmented message, lets see if we can find the control
1838 * on the reassembly queues.
1839 */
1840 if ((chk_type == SCTP_IDATA) &&
1841 ((chk_flags & SCTP_DATA_FIRST_FRAG) == 0) &&
1842 (fsn == 0)) {
1843 /*
1844 * The first *must* be fsn 0, and other (middle/end) pieces
1845 * can *not* be fsn 0. XXX: This can happen in case of a
1846 * wrap around. Ignore is for now.
1847 */
1848 snprintf(msg, sizeof(msg), "FSN zero for MID=%8.8x, but flags=%2.2x",
1849 mid, chk_flags);
1850 goto err_out;
1851 }
1852 control = sctp_find_reasm_entry(&asoc->strmin[sid], mid, ordered, asoc->idata_supported);
1853 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags:0x%x look for control on queues %p\n",
1854 chk_flags, control);
1855 if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) {
1856 /* See if we can find the re-assembly entity */
1857 if (control != NULL) {
1858 /* We found something, does it belong? */
1859 if (ordered && (mid != control->mid)) {
1860 snprintf(msg, sizeof(msg), "Reassembly problem (MID=%8.8x)", mid);
1861 err_out:
1862 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1863 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_15;
1864 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1865 *abort_flag = 1;
1866 return (0);
1867 }
1868 if (ordered && ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED)) {
1869 /*
1870 * We can't have a switched order with an
1871 * unordered chunk
1872 */
1873 snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)",
1874 tsn);
1875 goto err_out;
1876 }
1877 if (!ordered && (((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) == 0)) {
1878 /*
1879 * We can't have a switched unordered with a
1880 * ordered chunk
1881 */
1882 snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)",
1883 tsn);
1884 goto err_out;
1885 }
1886 }
1887 } else {
1888 /*
1889 * Its a complete segment. Lets validate we don't have a
1890 * re-assembly going on with the same Stream/Seq (for
1891 * ordered) or in the same Stream for unordered.
1892 */
1893 if (control != NULL) {
1894 if (ordered || asoc->idata_supported) {
1895 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x dup detected on MID: %u\n",
1896 chk_flags, mid);
1897 snprintf(msg, sizeof(msg), "Duplicate MID=%8.8x detected.", mid);
1898 goto err_out;
1899 } else {
1900 if ((tsn == control->fsn_included + 1) &&
1901 (control->end_added == 0)) {
1902 snprintf(msg, sizeof(msg), "Illegal message sequence, missing end for MID: %8.8x", control->fsn_included);
1903 goto err_out;
1904 } else {
1905 control = NULL;
1906 }
1907 }
1908 }
1909 }
1910 /* now do the tests */
1911 if (((asoc->cnt_on_all_streams +
1912 asoc->cnt_on_reasm_queue +
1913 asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) ||
1914 (((int)asoc->my_rwnd) <= 0)) {
1915 /*
1916 * When we have NO room in the rwnd we check to make sure
1917 * the reader is doing its job...
1918 */
1919 if (stcb->sctp_socket->so_rcv.sb_cc) {
1920 /* some to read, wake-up */
1921 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1922 struct socket *so;
1923
1924 so = SCTP_INP_SO(stcb->sctp_ep);
1925 atomic_add_int(&stcb->asoc.refcnt, 1);
1926 SCTP_TCB_UNLOCK(stcb);
1927 SCTP_SOCKET_LOCK(so, 1);
1928 SCTP_TCB_LOCK(stcb);
1929 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1930 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1931 /* assoc was freed while we were unlocked */
1932 SCTP_SOCKET_UNLOCK(so, 1);
1933 return (0);
1934 }
1935 #endif
1936 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
1937 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1938 SCTP_SOCKET_UNLOCK(so, 1);
1939 #endif
1940 }
1941 /* now is it in the mapping array of what we have accepted? */
1942 if (chk_type == SCTP_DATA) {
1943 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map) &&
1944 SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
1945 /* Nope not in the valid range dump it */
1946 dump_packet:
1947 sctp_set_rwnd(stcb, asoc);
1948 if ((asoc->cnt_on_all_streams +
1949 asoc->cnt_on_reasm_queue +
1950 asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) {
1951 SCTP_STAT_INCR(sctps_datadropchklmt);
1952 } else {
1953 SCTP_STAT_INCR(sctps_datadroprwnd);
1954 }
1955 *break_flag = 1;
1956 return (0);
1957 }
1958 } else {
1959 if (control == NULL) {
1960 goto dump_packet;
1961 }
1962 if (SCTP_TSN_GT(fsn, control->top_fsn)) {
1963 goto dump_packet;
1964 }
1965 }
1966 }
1967 #ifdef SCTP_ASOCLOG_OF_TSNS
1968 SCTP_TCB_LOCK_ASSERT(stcb);
1969 if (asoc->tsn_in_at >= SCTP_TSN_LOG_SIZE) {
1970 asoc->tsn_in_at = 0;
1971 asoc->tsn_in_wrapped = 1;
1972 }
1973 asoc->in_tsnlog[asoc->tsn_in_at].tsn = tsn;
1974 asoc->in_tsnlog[asoc->tsn_in_at].strm = sid;
1975 asoc->in_tsnlog[asoc->tsn_in_at].seq = mid;
1976 asoc->in_tsnlog[asoc->tsn_in_at].sz = chk_length;
1977 asoc->in_tsnlog[asoc->tsn_in_at].flgs = chunk_flags;
1978 asoc->in_tsnlog[asoc->tsn_in_at].stcb = (void *)stcb;
1979 asoc->in_tsnlog[asoc->tsn_in_at].in_pos = asoc->tsn_in_at;
1980 asoc->in_tsnlog[asoc->tsn_in_at].in_out = 1;
1981 asoc->tsn_in_at++;
1982 #endif
1983 /*
1984 * Before we continue lets validate that we are not being fooled by
1985 * an evil attacker. We can only have Nk chunks based on our TSN
1986 * spread allowed by the mapping array N * 8 bits, so there is no
1987 * way our stream sequence numbers could have wrapped. We of course
1988 * only validate the FIRST fragment so the bit must be set.
1989 */
1990 if ((chk_flags & SCTP_DATA_FIRST_FRAG) &&
1991 (TAILQ_EMPTY(&asoc->resetHead)) &&
1992 (chk_flags & SCTP_DATA_UNORDERED) == 0 &&
1993 SCTP_MID_GE(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered, mid)) {
1994 /* The incoming sseq is behind where we last delivered? */
1995 SCTPDBG(SCTP_DEBUG_INDATA1, "EVIL/Broken-Dup S-SEQ: %u delivered: %u from peer, Abort!\n",
1996 mid, asoc->strmin[sid].last_mid_delivered);
1997
1998 if (asoc->idata_supported) {
1999 snprintf(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x",
2000 asoc->strmin[sid].last_mid_delivered,
2001 tsn,
2002 sid,
2003 mid);
2004 } else {
2005 snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
2006 (uint16_t)asoc->strmin[sid].last_mid_delivered,
2007 tsn,
2008 sid,
2009 (uint16_t)mid);
2010 }
2011 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2012 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_16;
2013 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
2014 *abort_flag = 1;
2015 return (0);
2016 }
2017 if (chk_type == SCTP_IDATA) {
2018 the_len = (chk_length - sizeof(struct sctp_idata_chunk));
2019 } else {
2020 the_len = (chk_length - sizeof(struct sctp_data_chunk));
2021 }
2022 if (last_chunk == 0) {
2023 if (chk_type == SCTP_IDATA) {
2024 dmbuf = SCTP_M_COPYM(*m,
2025 (offset + sizeof(struct sctp_idata_chunk)),
2026 the_len, M_NOWAIT);
2027 } else {
2028 dmbuf = SCTP_M_COPYM(*m,
2029 (offset + sizeof(struct sctp_data_chunk)),
2030 the_len, M_NOWAIT);
2031 }
2032 #ifdef SCTP_MBUF_LOGGING
2033 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
2034 sctp_log_mbc(dmbuf, SCTP_MBUF_ICOPY);
2035 }
2036 #endif
2037 } else {
2038 /* We can steal the last chunk */
2039 int l_len;
2040
2041 dmbuf = *m;
2042 /* lop off the top part */
2043 if (chk_type == SCTP_IDATA) {
2044 m_adj(dmbuf, (offset + sizeof(struct sctp_idata_chunk)));
2045 } else {
2046 m_adj(dmbuf, (offset + sizeof(struct sctp_data_chunk)));
2047 }
2048 if (SCTP_BUF_NEXT(dmbuf) == NULL) {
2049 l_len = SCTP_BUF_LEN(dmbuf);
2050 } else {
2051 /*
2052 * need to count up the size hopefully does not hit
2053 * this to often :-0
2054 */
2055 struct mbuf *lat;
2056
2057 l_len = 0;
2058 for (lat = dmbuf; lat; lat = SCTP_BUF_NEXT(lat)) {
2059 l_len += SCTP_BUF_LEN(lat);
2060 }
2061 }
2062 if (l_len > the_len) {
2063 /* Trim the end round bytes off too */
2064 m_adj(dmbuf, -(l_len - the_len));
2065 }
2066 }
2067 if (dmbuf == NULL) {
2068 SCTP_STAT_INCR(sctps_nomem);
2069 return (0);
2070 }
2071 /*
2072 * Now no matter what, we need a control, get one if we don't have
2073 * one (we may have gotten it above when we found the message was
2074 * fragmented
2075 */
2076 if (control == NULL) {
2077 sctp_alloc_a_readq(stcb, control);
2078 sctp_build_readq_entry_mac(control, stcb, asoc->context, net, tsn,
2079 ppid,
2080 sid,
2081 chk_flags,
2082 NULL, fsn, mid);
2083 if (control == NULL) {
2084 SCTP_STAT_INCR(sctps_nomem);
2085 return (0);
2086 }
2087 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
2088 struct mbuf *mm;
2089
2090 control->data = dmbuf;
2091 for (mm = control->data; mm; mm = mm->m_next) {
2092 control->length += SCTP_BUF_LEN(mm);
2093 }
2094 control->tail_mbuf = NULL;
2095 control->end_added = 1;
2096 control->last_frag_seen = 1;
2097 control->first_frag_seen = 1;
2098 control->fsn_included = fsn;
2099 control->top_fsn = fsn;
2100 }
2101 created_control = 1;
2102 }
2103 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x ordered: %d MID: %u control: %p\n",
2104 chk_flags, ordered, mid, control);
2105 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG &&
2106 TAILQ_EMPTY(&asoc->resetHead) &&
2107 ((ordered == 0) ||
2108 (SCTP_MID_EQ(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered + 1, mid) &&
2109 TAILQ_EMPTY(&asoc->strmin[sid].inqueue)))) {
2110 /* Candidate for express delivery */
2111 /*
2112 * Its not fragmented, No PD-API is up, Nothing in the
2113 * delivery queue, Its un-ordered OR ordered and the next to
2114 * deliver AND nothing else is stuck on the stream queue,
2115 * And there is room for it in the socket buffer. Lets just
2116 * stuff it up the buffer....
2117 */
2118 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
2119 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
2120 asoc->highest_tsn_inside_nr_map = tsn;
2121 }
2122 SCTPDBG(SCTP_DEBUG_XXX, "Injecting control: %p to be read (MID: %u)\n",
2123 control, mid);
2124
2125 sctp_add_to_readq(stcb->sctp_ep, stcb,
2126 control, &stcb->sctp_socket->so_rcv,
2127 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
2128
2129 if ((chk_flags & SCTP_DATA_UNORDERED) == 0) {
2130 /* for ordered, bump what we delivered */
2131 asoc->strmin[sid].last_mid_delivered++;
2132 }
2133 SCTP_STAT_INCR(sctps_recvexpress);
2134 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
2135 sctp_log_strm_del_alt(stcb, tsn, mid, sid,
2136 SCTP_STR_LOG_FROM_EXPRS_DEL);
2137 }
2138 control = NULL;
2139 goto finish_express_del;
2140 }
2141 /* Now will we need a chunk too? */
2142 if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) {
2143 sctp_alloc_a_chunk(stcb, chk);
2144 if (chk == NULL) {
2145 /* No memory so we drop the chunk */
2146 SCTP_STAT_INCR(sctps_nomem);
2147 if (last_chunk == 0) {
2148 /* we copied it, free the copy */
2149 sctp_m_freem(dmbuf);
2150 }
2151 return (0);
2152 }
2153 chk->rec.data.tsn = tsn;
2154 chk->no_fr_allowed = 0;
2155 chk->rec.data.fsn = fsn;
2156 chk->rec.data.mid = mid;
2157 chk->rec.data.sid = sid;
2158 chk->rec.data.ppid = ppid;
2159 chk->rec.data.context = stcb->asoc.context;
2160 chk->rec.data.doing_fast_retransmit = 0;
2161 chk->rec.data.rcv_flags = chk_flags;
2162 chk->asoc = asoc;
2163 chk->send_size = the_len;
2164 chk->whoTo = net;
2165 SCTPDBG(SCTP_DEBUG_XXX, "Building ck: %p for control: %p to be read (MID: %u)\n",
2166 chk,
2167 control, mid);
2168 atomic_add_int(&net->ref_count, 1);
2169 chk->data = dmbuf;
2170 }
2171 /* Set the appropriate TSN mark */
2172 if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
2173 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
2174 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
2175 asoc->highest_tsn_inside_nr_map = tsn;
2176 }
2177 } else {
2178 SCTP_SET_TSN_PRESENT(asoc->mapping_array, gap);
2179 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map)) {
2180 asoc->highest_tsn_inside_map = tsn;
2181 }
2182 }
2183 /* Now is it complete (i.e. not fragmented)? */
2184 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
2185 /*
2186 * Special check for when streams are resetting. We could be
2187 * more smart about this and check the actual stream to see
2188 * if it is not being reset.. that way we would not create a
2189 * HOLB when amongst streams being reset and those not being
2190 * reset.
2191 *
2192 */
2193 if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) &&
2194 SCTP_TSN_GT(tsn, liste->tsn)) {
2195 /*
2196 * yep its past where we need to reset... go ahead
2197 * and queue it.
2198 */
2199 if (TAILQ_EMPTY(&asoc->pending_reply_queue)) {
2200 /* first one on */
2201 TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next);
2202 } else {
2203 struct sctp_queued_to_read *lcontrol, *nlcontrol;
2204 unsigned char inserted = 0;
2205
2206 TAILQ_FOREACH_SAFE(lcontrol, &asoc->pending_reply_queue, next, nlcontrol) {
2207 if (SCTP_TSN_GT(control->sinfo_tsn, lcontrol->sinfo_tsn)) {
2208
2209 continue;
2210 } else {
2211 /* found it */
2212 TAILQ_INSERT_BEFORE(lcontrol, control, next);
2213 inserted = 1;
2214 break;
2215 }
2216 }
2217 if (inserted == 0) {
2218 /*
2219 * must be put at end, use prevP
2220 * (all setup from loop) to setup
2221 * nextP.
2222 */
2223 TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next);
2224 }
2225 }
2226 goto finish_express_del;
2227 }
2228 if (chk_flags & SCTP_DATA_UNORDERED) {
2229 /* queue directly into socket buffer */
2230 SCTPDBG(SCTP_DEBUG_XXX, "Unordered data to be read control: %p MID: %u\n",
2231 control, mid);
2232 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
2233 sctp_add_to_readq(stcb->sctp_ep, stcb,
2234 control,
2235 &stcb->sctp_socket->so_rcv, 1,
2236 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
2237
2238 } else {
2239 SCTPDBG(SCTP_DEBUG_XXX, "Queue control: %p for reordering MID: %u\n", control,
2240 mid);
2241 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
2242 if (*abort_flag) {
2243 if (last_chunk) {
2244 *m = NULL;
2245 }
2246 return (0);
2247 }
2248 }
2249 goto finish_express_del;
2250 }
2251 /* If we reach here its a reassembly */
2252 need_reasm_check = 1;
2253 SCTPDBG(SCTP_DEBUG_XXX,
2254 "Queue data to stream for reasm control: %p MID: %u\n",
2255 control, mid);
2256 sctp_queue_data_for_reasm(stcb, asoc, control, chk, created_control, abort_flag, tsn);
2257 if (*abort_flag) {
2258 /*
2259 * the assoc is now gone and chk was put onto the reasm
2260 * queue, which has all been freed.
2261 */
2262 if (last_chunk) {
2263 *m = NULL;
2264 }
2265 return (0);
2266 }
2267 finish_express_del:
2268 /* Here we tidy up things */
2269 if (tsn == (asoc->cumulative_tsn + 1)) {
2270 /* Update cum-ack */
2271 asoc->cumulative_tsn = tsn;
2272 }
2273 if (last_chunk) {
2274 *m = NULL;
2275 }
2276 if (ordered) {
2277 SCTP_STAT_INCR_COUNTER64(sctps_inorderchunks);
2278 } else {
2279 SCTP_STAT_INCR_COUNTER64(sctps_inunorderchunks);
2280 }
2281 SCTP_STAT_INCR(sctps_recvdata);
2282 /* Set it present please */
2283 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
2284 sctp_log_strm_del_alt(stcb, tsn, mid, sid, SCTP_STR_LOG_FROM_MARK_TSN);
2285 }
2286 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2287 sctp_log_map(asoc->mapping_array_base_tsn, asoc->cumulative_tsn,
2288 asoc->highest_tsn_inside_map, SCTP_MAP_PREPARE_SLIDE);
2289 }
2290 if (need_reasm_check) {
2291 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[sid], SCTP_READ_LOCK_NOT_HELD);
2292 need_reasm_check = 0;
2293 }
2294 /* check the special flag for stream resets */
2295 if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) &&
2296 SCTP_TSN_GE(asoc->cumulative_tsn, liste->tsn)) {
2297 /*
2298 * we have finished working through the backlogged TSN's now
2299 * time to reset streams. 1: call reset function. 2: free
2300 * pending_reply space 3: distribute any chunks in
2301 * pending_reply_queue.
2302 */
2303 sctp_reset_in_stream(stcb, liste->number_entries, liste->list_of_streams);
2304 TAILQ_REMOVE(&asoc->resetHead, liste, next_resp);
2305 sctp_send_deferred_reset_response(stcb, liste, SCTP_STREAM_RESET_RESULT_PERFORMED);
2306 SCTP_FREE(liste, SCTP_M_STRESET);
2307 /* sa_ignore FREED_MEMORY */
2308 liste = TAILQ_FIRST(&asoc->resetHead);
2309 if (TAILQ_EMPTY(&asoc->resetHead)) {
2310 /* All can be removed */
2311 TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
2312 TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
2313 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
2314 if (*abort_flag) {
2315 return (0);
2316 }
2317 if (need_reasm_check) {
2318 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
2319 need_reasm_check = 0;
2320 }
2321 }
2322 } else {
2323 TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
2324 if (SCTP_TSN_GT(control->sinfo_tsn, liste->tsn)) {
2325 break;
2326 }
2327 /*
2328 * if control->sinfo_tsn is <= liste->tsn we
2329 * can process it which is the NOT of
2330 * control->sinfo_tsn > liste->tsn
2331 */
2332 TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
2333 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
2334 if (*abort_flag) {
2335 return (0);
2336 }
2337 if (need_reasm_check) {
2338 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
2339 need_reasm_check = 0;
2340 }
2341 }
2342 }
2343 }
2344 return (1);
2345 }
2346
2347 static const int8_t sctp_map_lookup_tab[256] = {
2348 0, 1, 0, 2, 0, 1, 0, 3,
2349 0, 1, 0, 2, 0, 1, 0, 4,
2350 0, 1, 0, 2, 0, 1, 0, 3,
2351 0, 1, 0, 2, 0, 1, 0, 5,
2352 0, 1, 0, 2, 0, 1, 0, 3,
2353 0, 1, 0, 2, 0, 1, 0, 4,
2354 0, 1, 0, 2, 0, 1, 0, 3,
2355 0, 1, 0, 2, 0, 1, 0, 6,
2356 0, 1, 0, 2, 0, 1, 0, 3,
2357 0, 1, 0, 2, 0, 1, 0, 4,
2358 0, 1, 0, 2, 0, 1, 0, 3,
2359 0, 1, 0, 2, 0, 1, 0, 5,
2360 0, 1, 0, 2, 0, 1, 0, 3,
2361 0, 1, 0, 2, 0, 1, 0, 4,
2362 0, 1, 0, 2, 0, 1, 0, 3,
2363 0, 1, 0, 2, 0, 1, 0, 7,
2364 0, 1, 0, 2, 0, 1, 0, 3,
2365 0, 1, 0, 2, 0, 1, 0, 4,
2366 0, 1, 0, 2, 0, 1, 0, 3,
2367 0, 1, 0, 2, 0, 1, 0, 5,
2368 0, 1, 0, 2, 0, 1, 0, 3,
2369 0, 1, 0, 2, 0, 1, 0, 4,
2370 0, 1, 0, 2, 0, 1, 0, 3,
2371 0, 1, 0, 2, 0, 1, 0, 6,
2372 0, 1, 0, 2, 0, 1, 0, 3,
2373 0, 1, 0, 2, 0, 1, 0, 4,
2374 0, 1, 0, 2, 0, 1, 0, 3,
2375 0, 1, 0, 2, 0, 1, 0, 5,
2376 0, 1, 0, 2, 0, 1, 0, 3,
2377 0, 1, 0, 2, 0, 1, 0, 4,
2378 0, 1, 0, 2, 0, 1, 0, 3,
2379 0, 1, 0, 2, 0, 1, 0, 8
2380 };
2381
2382
2383 void
2384 sctp_slide_mapping_arrays(struct sctp_tcb *stcb)
2385 {
2386 /*
2387 * Now we also need to check the mapping array in a couple of ways.
2388 * 1) Did we move the cum-ack point?
2389 *
2390 * When you first glance at this you might think that all entries
2391 * that make up the position of the cum-ack would be in the
2392 * nr-mapping array only.. i.e. things up to the cum-ack are always
2393 * deliverable. Thats true with one exception, when its a fragmented
2394 * message we may not deliver the data until some threshold (or all
2395 * of it) is in place. So we must OR the nr_mapping_array and
2396 * mapping_array to get a true picture of the cum-ack.
2397 */
2398 struct sctp_association *asoc;
2399 int at;
2400 uint8_t val;
2401 int slide_from, slide_end, lgap, distance;
2402 uint32_t old_cumack, old_base, old_highest, highest_tsn;
2403
2404 asoc = &stcb->asoc;
2405
2406 old_cumack = asoc->cumulative_tsn;
2407 old_base = asoc->mapping_array_base_tsn;
2408 old_highest = asoc->highest_tsn_inside_map;
2409 /*
2410 * We could probably improve this a small bit by calculating the
2411 * offset of the current cum-ack as the starting point.
2412 */
2413 at = 0;
2414 for (slide_from = 0; slide_from < stcb->asoc.mapping_array_size; slide_from++) {
2415 val = asoc->nr_mapping_array[slide_from] | asoc->mapping_array[slide_from];
2416 if (val == 0xff) {
2417 at += 8;
2418 } else {
2419 /* there is a 0 bit */
2420 at += sctp_map_lookup_tab[val];
2421 break;
2422 }
2423 }
2424 asoc->cumulative_tsn = asoc->mapping_array_base_tsn + (at - 1);
2425
2426 if (SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_map) &&
2427 SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_nr_map)) {
2428 #ifdef INVARIANTS
2429 panic("huh, cumack 0x%x greater than high-tsn 0x%x in map",
2430 asoc->cumulative_tsn, asoc->highest_tsn_inside_map);
2431 #else
2432 SCTP_PRINTF("huh, cumack 0x%x greater than high-tsn 0x%x in map - should panic?\n",
2433 asoc->cumulative_tsn, asoc->highest_tsn_inside_map);
2434 sctp_print_mapping_array(asoc);
2435 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2436 sctp_log_map(0, 6, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
2437 }
2438 asoc->highest_tsn_inside_map = asoc->cumulative_tsn;
2439 asoc->highest_tsn_inside_nr_map = asoc->cumulative_tsn;
2440 #endif
2441 }
2442 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
2443 highest_tsn = asoc->highest_tsn_inside_nr_map;
2444 } else {
2445 highest_tsn = asoc->highest_tsn_inside_map;
2446 }
2447 if ((asoc->cumulative_tsn == highest_tsn) && (at >= 8)) {
2448 /* The complete array was completed by a single FR */
2449 /* highest becomes the cum-ack */
2450 int clr;
2451 #ifdef INVARIANTS
2452 unsigned int i;
2453 #endif
2454
2455 /* clear the array */
2456 clr = ((at + 7) >> 3);
2457 if (clr > asoc->mapping_array_size) {
2458 clr = asoc->mapping_array_size;
2459 }
2460 memset(asoc->mapping_array, 0, clr);
2461 memset(asoc->nr_mapping_array, 0, clr);
2462 #ifdef INVARIANTS
2463 for (i = 0; i < asoc->mapping_array_size; i++) {
2464 if ((asoc->mapping_array[i]) || (asoc->nr_mapping_array[i])) {
2465 SCTP_PRINTF("Error Mapping array's not clean at clear\n");
2466 sctp_print_mapping_array(asoc);
2467 }
2468 }
2469 #endif
2470 asoc->mapping_array_base_tsn = asoc->cumulative_tsn + 1;
2471 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map = asoc->cumulative_tsn;
2472 } else if (at >= 8) {
2473 /* we can slide the mapping array down */
2474 /* slide_from holds where we hit the first NON 0xff byte */
2475
2476 /*
2477 * now calculate the ceiling of the move using our highest
2478 * TSN value
2479 */
2480 SCTP_CALC_TSN_TO_GAP(lgap, highest_tsn, asoc->mapping_array_base_tsn);
2481 slide_end = (lgap >> 3);
2482 if (slide_end < slide_from) {
2483 sctp_print_mapping_array(asoc);
2484 #ifdef INVARIANTS
2485 panic("impossible slide");
2486 #else
2487 SCTP_PRINTF("impossible slide lgap: %x slide_end: %x slide_from: %x? at: %d\n",
2488 lgap, slide_end, slide_from, at);
2489 return;
2490 #endif
2491 }
2492 if (slide_end > asoc->mapping_array_size) {
2493 #ifdef INVARIANTS
2494 panic("would overrun buffer");
2495 #else
2496 SCTP_PRINTF("Gak, would have overrun map end: %d slide_end: %d\n",
2497 asoc->mapping_array_size, slide_end);
2498 slide_end = asoc->mapping_array_size;
2499 #endif
2500 }
2501 distance = (slide_end - slide_from) + 1;
2502 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2503 sctp_log_map(old_base, old_cumack, old_highest,
2504 SCTP_MAP_PREPARE_SLIDE);
2505 sctp_log_map((uint32_t)slide_from, (uint32_t)slide_end,
2506 (uint32_t)lgap, SCTP_MAP_SLIDE_FROM);
2507 }
2508 if (distance + slide_from > asoc->mapping_array_size ||
2509 distance < 0) {
2510 /*
2511 * Here we do NOT slide forward the array so that
2512 * hopefully when more data comes in to fill it up
2513 * we will be able to slide it forward. Really I
2514 * don't think this should happen :-0
2515 */
2516
2517 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2518 sctp_log_map((uint32_t)distance, (uint32_t)slide_from,
2519 (uint32_t)asoc->mapping_array_size,
2520 SCTP_MAP_SLIDE_NONE);
2521 }
2522 } else {
2523 int ii;
2524
2525 for (ii = 0; ii < distance; ii++) {
2526 asoc->mapping_array[ii] = asoc->mapping_array[slide_from + ii];
2527 asoc->nr_mapping_array[ii] = asoc->nr_mapping_array[slide_from + ii];
2528
2529 }
2530 for (ii = distance; ii < asoc->mapping_array_size; ii++) {
2531 asoc->mapping_array[ii] = 0;
2532 asoc->nr_mapping_array[ii] = 0;
2533 }
2534 if (asoc->highest_tsn_inside_map + 1 == asoc->mapping_array_base_tsn) {
2535 asoc->highest_tsn_inside_map += (slide_from << 3);
2536 }
2537 if (asoc->highest_tsn_inside_nr_map + 1 == asoc->mapping_array_base_tsn) {
2538 asoc->highest_tsn_inside_nr_map += (slide_from << 3);
2539 }
2540 asoc->mapping_array_base_tsn += (slide_from << 3);
2541 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2542 sctp_log_map(asoc->mapping_array_base_tsn,
2543 asoc->cumulative_tsn, asoc->highest_tsn_inside_map,
2544 SCTP_MAP_SLIDE_RESULT);
2545 }
2546 }
2547 }
2548 }
2549
2550 void
2551 sctp_sack_check(struct sctp_tcb *stcb, int was_a_gap)
2552 {
2553 struct sctp_association *asoc;
2554 uint32_t highest_tsn;
2555 int is_a_gap;
2556
2557 sctp_slide_mapping_arrays(stcb);
2558 asoc = &stcb->asoc;
2559 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
2560 highest_tsn = asoc->highest_tsn_inside_nr_map;
2561 } else {
2562 highest_tsn = asoc->highest_tsn_inside_map;
2563 }
2564 /* Is there a gap now? */
2565 is_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
2566
2567 /*
2568 * Now we need to see if we need to queue a sack or just start the
2569 * timer (if allowed).
2570 */
2571 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
2572 /*
2573 * Ok special case, in SHUTDOWN-SENT case. here we maker
2574 * sure SACK timer is off and instead send a SHUTDOWN and a
2575 * SACK
2576 */
2577 if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
2578 sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
2579 stcb->sctp_ep, stcb, NULL,
2580 SCTP_FROM_SCTP_INDATA + SCTP_LOC_17);
2581 }
2582 sctp_send_shutdown(stcb,
2583 ((stcb->asoc.alternate) ? stcb->asoc.alternate : stcb->asoc.primary_destination));
2584 if (is_a_gap) {
2585 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
2586 }
2587 } else {
2588 /*
2589 * CMT DAC algorithm: increase number of packets received
2590 * since last ack
2591 */
2592 stcb->asoc.cmt_dac_pkts_rcvd++;
2593
2594 if ((stcb->asoc.send_sack == 1) || /* We need to send a
2595 * SACK */
2596 ((was_a_gap) && (is_a_gap == 0)) || /* was a gap, but no
2597 * longer is one */
2598 (stcb->asoc.numduptsns) || /* we have dup's */
2599 (is_a_gap) || /* is still a gap */
2600 (stcb->asoc.delayed_ack == 0) || /* Delayed sack disabled */
2601 (stcb->asoc.data_pkts_seen >= stcb->asoc.sack_freq) /* hit limit of pkts */
2602 ) {
2603
2604 if ((stcb->asoc.sctp_cmt_on_off > 0) &&
2605 (SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) &&
2606 (stcb->asoc.send_sack == 0) &&
2607 (stcb->asoc.numduptsns == 0) &&
2608 (stcb->asoc.delayed_ack) &&
2609 (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer))) {
2610
2611 /*
2612 * CMT DAC algorithm: With CMT, delay acks
2613 * even in the face of
2614 *
2615 * reordering. Therefore, if acks that do
2616 * not have to be sent because of the above
2617 * reasons, will be delayed. That is, acks
2618 * that would have been sent due to gap
2619 * reports will be delayed with DAC. Start
2620 * the delayed ack timer.
2621 */
2622 sctp_timer_start(SCTP_TIMER_TYPE_RECV,
2623 stcb->sctp_ep, stcb, NULL);
2624 } else {
2625 /*
2626 * Ok we must build a SACK since the timer
2627 * is pending, we got our first packet OR
2628 * there are gaps or duplicates.
2629 */
2630 (void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer);
2631 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
2632 }
2633 } else {
2634 if (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
2635 sctp_timer_start(SCTP_TIMER_TYPE_RECV,
2636 stcb->sctp_ep, stcb, NULL);
2637 }
2638 }
2639 }
2640 }
2641
2642 int
2643 sctp_process_data(struct mbuf **mm, int iphlen, int *offset, int length,
2644 struct sctp_inpcb *inp, struct sctp_tcb *stcb,
2645 struct sctp_nets *net, uint32_t *high_tsn)
2646 {
2647 struct sctp_chunkhdr *ch, chunk_buf;
2648 struct sctp_association *asoc;
2649 int num_chunks = 0; /* number of control chunks processed */
2650 int stop_proc = 0;
2651 int break_flag, last_chunk;
2652 int abort_flag = 0, was_a_gap;
2653 struct mbuf *m;
2654 uint32_t highest_tsn;
2655 uint16_t chk_length;
2656
2657 /* set the rwnd */
2658 sctp_set_rwnd(stcb, &stcb->asoc);
2659
2660 m = *mm;
2661 SCTP_TCB_LOCK_ASSERT(stcb);
2662 asoc = &stcb->asoc;
2663 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
2664 highest_tsn = asoc->highest_tsn_inside_nr_map;
2665 } else {
2666 highest_tsn = asoc->highest_tsn_inside_map;
2667 }
2668 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
2669 /*
2670 * setup where we got the last DATA packet from for any SACK that
2671 * may need to go out. Don't bump the net. This is done ONLY when a
2672 * chunk is assigned.
2673 */
2674 asoc->last_data_chunk_from = net;
2675
2676 /*-
2677 * Now before we proceed we must figure out if this is a wasted
2678 * cluster... i.e. it is a small packet sent in and yet the driver
2679 * underneath allocated a full cluster for it. If so we must copy it
2680 * to a smaller mbuf and free up the cluster mbuf. This will help
2681 * with cluster starvation. Note for __Panda__ we don't do this
2682 * since it has clusters all the way down to 64 bytes.
2683 */
2684 if (SCTP_BUF_LEN(m) < (long)MLEN && SCTP_BUF_NEXT(m) == NULL) {
2685 /* we only handle mbufs that are singletons.. not chains */
2686 m = sctp_get_mbuf_for_msg(SCTP_BUF_LEN(m), 0, M_NOWAIT, 1, MT_DATA);
2687 if (m) {
2688 /* ok lets see if we can copy the data up */
2689 caddr_t *from, *to;
2690
2691 /* get the pointers and copy */
2692 to = mtod(m, caddr_t *);
2693 from = mtod((*mm), caddr_t *);
2694 memcpy(to, from, SCTP_BUF_LEN((*mm)));
2695 /* copy the length and free up the old */
2696 SCTP_BUF_LEN(m) = SCTP_BUF_LEN((*mm));
2697 sctp_m_freem(*mm);
2698 /* success, back copy */
2699 *mm = m;
2700 } else {
2701 /* We are in trouble in the mbuf world .. yikes */
2702 m = *mm;
2703 }
2704 }
2705 /* get pointer to the first chunk header */
2706 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
2707 sizeof(struct sctp_chunkhdr),
2708 (uint8_t *)&chunk_buf);
2709 if (ch == NULL) {
2710 return (1);
2711 }
2712 /*
2713 * process all DATA chunks...
2714 */
2715 *high_tsn = asoc->cumulative_tsn;
2716 break_flag = 0;
2717 asoc->data_pkts_seen++;
2718 while (stop_proc == 0) {
2719 /* validate chunk length */
2720 chk_length = ntohs(ch->chunk_length);
2721 if (length - *offset < chk_length) {
2722 /* all done, mutulated chunk */
2723 stop_proc = 1;
2724 continue;
2725 }
2726 if ((asoc->idata_supported == 1) &&
2727 (ch->chunk_type == SCTP_DATA)) {
2728 struct mbuf *op_err;
2729 char msg[SCTP_DIAG_INFO_LEN];
2730
2731 snprintf(msg, sizeof(msg), "%s", "I-DATA chunk received when DATA was negotiated");
2732 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2733 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_18;
2734 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2735 return (2);
2736 }
2737 if ((asoc->idata_supported == 0) &&
2738 (ch->chunk_type == SCTP_IDATA)) {
2739 struct mbuf *op_err;
2740 char msg[SCTP_DIAG_INFO_LEN];
2741
2742 snprintf(msg, sizeof(msg), "%s", "DATA chunk received when I-DATA was negotiated");
2743 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2744 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_19;
2745 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2746 return (2);
2747 }
2748 if ((ch->chunk_type == SCTP_DATA) ||
2749 (ch->chunk_type == SCTP_IDATA)) {
2750 uint16_t clen;
2751
2752 if (ch->chunk_type == SCTP_DATA) {
2753 clen = sizeof(struct sctp_data_chunk);
2754 } else {
2755 clen = sizeof(struct sctp_idata_chunk);
2756 }
2757 if (chk_length < clen) {
2758 /*
2759 * Need to send an abort since we had a
2760 * invalid data chunk.
2761 */
2762 struct mbuf *op_err;
2763 char msg[SCTP_DIAG_INFO_LEN];
2764
2765 snprintf(msg, sizeof(msg), "%s chunk of length %u",
2766 ch->chunk_type == SCTP_DATA ? "DATA" : "I-DATA",
2767 chk_length);
2768 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2769 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_20;
2770 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2771 return (2);
2772 }
2773 #ifdef SCTP_AUDITING_ENABLED
2774 sctp_audit_log(0xB1, 0);
2775 #endif
2776 if (SCTP_SIZE32(chk_length) == (length - *offset)) {
2777 last_chunk = 1;
2778 } else {
2779 last_chunk = 0;
2780 }
2781 if (sctp_process_a_data_chunk(stcb, asoc, mm, *offset,
2782 chk_length, net, high_tsn, &abort_flag, &break_flag,
2783 last_chunk, ch->chunk_type)) {
2784 num_chunks++;
2785 }
2786 if (abort_flag)
2787 return (2);
2788
2789 if (break_flag) {
2790 /*
2791 * Set because of out of rwnd space and no
2792 * drop rep space left.
2793 */
2794 stop_proc = 1;
2795 continue;
2796 }
2797 } else {
2798 /* not a data chunk in the data region */
2799 switch (ch->chunk_type) {
2800 case SCTP_INITIATION:
2801 case SCTP_INITIATION_ACK:
2802 case SCTP_SELECTIVE_ACK:
2803 case SCTP_NR_SELECTIVE_ACK:
2804 case SCTP_HEARTBEAT_REQUEST:
2805 case SCTP_HEARTBEAT_ACK:
2806 case SCTP_ABORT_ASSOCIATION:
2807 case SCTP_SHUTDOWN:
2808 case SCTP_SHUTDOWN_ACK:
2809 case SCTP_OPERATION_ERROR:
2810 case SCTP_COOKIE_ECHO:
2811 case SCTP_COOKIE_ACK:
2812 case SCTP_ECN_ECHO:
2813 case SCTP_ECN_CWR:
2814 case SCTP_SHUTDOWN_COMPLETE:
2815 case SCTP_AUTHENTICATION:
2816 case SCTP_ASCONF_ACK:
2817 case SCTP_PACKET_DROPPED:
2818 case SCTP_STREAM_RESET:
2819 case SCTP_FORWARD_CUM_TSN:
2820 case SCTP_ASCONF:
2821 {
2822 /*
2823 * Now, what do we do with KNOWN
2824 * chunks that are NOT in the right
2825 * place?
2826 *
2827 * For now, I do nothing but ignore
2828 * them. We may later want to add
2829 * sysctl stuff to switch out and do
2830 * either an ABORT() or possibly
2831 * process them.
2832 */
2833 struct mbuf *op_err;
2834 char msg[SCTP_DIAG_INFO_LEN];
2835
2836 snprintf(msg, sizeof(msg), "DATA chunk followed by chunk of type %2.2x",
2837 ch->chunk_type);
2838 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2839 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2840 return (2);
2841 }
2842 default:
2843 /*
2844 * Unknown chunk type: use bit rules after
2845 * checking length
2846 */
2847 if (chk_length < sizeof(struct sctp_chunkhdr)) {
2848 /*
2849 * Need to send an abort since we
2850 * had a invalid chunk.
2851 */
2852 struct mbuf *op_err;
2853 char msg[SCTP_DIAG_INFO_LEN];
2854
2855 snprintf(msg, sizeof(msg), "Chunk of length %u",
2856 chk_length);
2857 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2858 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_20;
2859 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED);
2860 return (2);
2861 }
2862 if (ch->chunk_type & 0x40) {
2863 /* Add a error report to the queue */
2864 struct mbuf *op_err;
2865 struct sctp_gen_error_cause *cause;
2866
2867 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_gen_error_cause),
2868 0, M_NOWAIT, 1, MT_DATA);
2869 if (op_err != NULL) {
2870 cause = mtod(op_err, struct sctp_gen_error_cause *);
2871 cause->code = htons(SCTP_CAUSE_UNRECOG_CHUNK);
2872 cause->length = htons((uint16_t)(chk_length + sizeof(struct sctp_gen_error_cause)));
2873 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
2874 SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(m, *offset, chk_length, M_NOWAIT);
2875 if (SCTP_BUF_NEXT(op_err) != NULL) {
2876 sctp_queue_op_err(stcb, op_err);
2877 } else {
2878 sctp_m_freem(op_err);
2879 }
2880 }
2881 }
2882 if ((ch->chunk_type & 0x80) == 0) {
2883 /* discard the rest of this packet */
2884 stop_proc = 1;
2885 } /* else skip this bad chunk and
2886 * continue... */
2887 break;
2888 } /* switch of chunk type */
2889 }
2890 *offset += SCTP_SIZE32(chk_length);
2891 if ((*offset >= length) || stop_proc) {
2892 /* no more data left in the mbuf chain */
2893 stop_proc = 1;
2894 continue;
2895 }
2896 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
2897 sizeof(struct sctp_chunkhdr),
2898 (uint8_t *)&chunk_buf);
2899 if (ch == NULL) {
2900 *offset = length;
2901 stop_proc = 1;
2902 continue;
2903 }
2904 }
2905 if (break_flag) {
2906 /*
2907 * we need to report rwnd overrun drops.
2908 */
2909 sctp_send_packet_dropped(stcb, net, *mm, length, iphlen, 0);
2910 }
2911 if (num_chunks) {
2912 /*
2913 * Did we get data, if so update the time for auto-close and
2914 * give peer credit for being alive.
2915 */
2916 SCTP_STAT_INCR(sctps_recvpktwithdata);
2917 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
2918 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
2919 stcb->asoc.overall_error_count,
2920 0,
2921 SCTP_FROM_SCTP_INDATA,
2922 __LINE__);
2923 }
2924 stcb->asoc.overall_error_count = 0;
2925 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_last_rcvd);
2926 }
2927 /* now service all of the reassm queue if needed */
2928 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
2929 /* Assure that we ack right away */
2930 stcb->asoc.send_sack = 1;
2931 }
2932 /* Start a sack timer or QUEUE a SACK for sending */
2933 sctp_sack_check(stcb, was_a_gap);
2934 return (0);
2935 }
2936
2937 static int
2938 sctp_process_segment_range(struct sctp_tcb *stcb, struct sctp_tmit_chunk **p_tp1, uint32_t last_tsn,
2939 uint16_t frag_strt, uint16_t frag_end, int nr_sacking,
2940 int *num_frs,
2941 uint32_t *biggest_newly_acked_tsn,
2942 uint32_t *this_sack_lowest_newack,
2943 int *rto_ok)
2944 {
2945 struct sctp_tmit_chunk *tp1;
2946 unsigned int theTSN;
2947 int j, wake_him = 0, circled = 0;
2948
2949 /* Recover the tp1 we last saw */
2950 tp1 = *p_tp1;
2951 if (tp1 == NULL) {
2952 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2953 }
2954 for (j = frag_strt; j <= frag_end; j++) {
2955 theTSN = j + last_tsn;
2956 while (tp1) {
2957 if (tp1->rec.data.doing_fast_retransmit)
2958 (*num_frs) += 1;
2959
2960 /*-
2961 * CMT: CUCv2 algorithm. For each TSN being
2962 * processed from the sent queue, track the
2963 * next expected pseudo-cumack, or
2964 * rtx_pseudo_cumack, if required. Separate
2965 * cumack trackers for first transmissions,
2966 * and retransmissions.
2967 */
2968 if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
2969 (tp1->whoTo->find_pseudo_cumack == 1) &&
2970 (tp1->snd_count == 1)) {
2971 tp1->whoTo->pseudo_cumack = tp1->rec.data.tsn;
2972 tp1->whoTo->find_pseudo_cumack = 0;
2973 }
2974 if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
2975 (tp1->whoTo->find_rtx_pseudo_cumack == 1) &&
2976 (tp1->snd_count > 1)) {
2977 tp1->whoTo->rtx_pseudo_cumack = tp1->rec.data.tsn;
2978 tp1->whoTo->find_rtx_pseudo_cumack = 0;
2979 }
2980 if (tp1->rec.data.tsn == theTSN) {
2981 if (tp1->sent != SCTP_DATAGRAM_UNSENT) {
2982 /*-
2983 * must be held until
2984 * cum-ack passes
2985 */
2986 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
2987 /*-
2988 * If it is less than RESEND, it is
2989 * now no-longer in flight.
2990 * Higher values may already be set
2991 * via previous Gap Ack Blocks...
2992 * i.e. ACKED or RESEND.
2993 */
2994 if (SCTP_TSN_GT(tp1->rec.data.tsn,
2995 *biggest_newly_acked_tsn)) {
2996 *biggest_newly_acked_tsn = tp1->rec.data.tsn;
2997 }
2998 /*-
2999 * CMT: SFR algo (and HTNA) - set
3000 * saw_newack to 1 for dest being
3001 * newly acked. update
3002 * this_sack_highest_newack if
3003 * appropriate.
3004 */
3005 if (tp1->rec.data.chunk_was_revoked == 0)
3006 tp1->whoTo->saw_newack = 1;
3007
3008 if (SCTP_TSN_GT(tp1->rec.data.tsn,
3009 tp1->whoTo->this_sack_highest_newack)) {
3010 tp1->whoTo->this_sack_highest_newack =
3011 tp1->rec.data.tsn;
3012 }
3013 /*-
3014 * CMT DAC algo: also update
3015 * this_sack_lowest_newack
3016 */
3017 if (*this_sack_lowest_newack == 0) {
3018 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
3019 sctp_log_sack(*this_sack_lowest_newack,
3020 last_tsn,
3021 tp1->rec.data.tsn,
3022 0,
3023 0,
3024 SCTP_LOG_TSN_ACKED);
3025 }
3026 *this_sack_lowest_newack = tp1->rec.data.tsn;
3027 }
3028 /*-
3029 * CMT: CUCv2 algorithm. If (rtx-)pseudo-cumack for corresp
3030 * dest is being acked, then we have a new (rtx-)pseudo-cumack. Set
3031 * new_(rtx_)pseudo_cumack to TRUE so that the cwnd for this dest can be
3032 * updated. Also trigger search for the next expected (rtx-)pseudo-cumack.
3033 * Separate pseudo_cumack trackers for first transmissions and
3034 * retransmissions.
3035 */
3036 if (tp1->rec.data.tsn == tp1->whoTo->pseudo_cumack) {
3037 if (tp1->rec.data.chunk_was_revoked == 0) {
3038 tp1->whoTo->new_pseudo_cumack = 1;
3039 }
3040 tp1->whoTo->find_pseudo_cumack = 1;
3041 }
3042 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
3043 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK);
3044 }
3045 if (tp1->rec.data.tsn == tp1->whoTo->rtx_pseudo_cumack) {
3046 if (tp1->rec.data.chunk_was_revoked == 0) {
3047 tp1->whoTo->new_pseudo_cumack = 1;
3048 }
3049 tp1->whoTo->find_rtx_pseudo_cumack = 1;
3050 }
3051 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
3052 sctp_log_sack(*biggest_newly_acked_tsn,
3053 last_tsn,
3054 tp1->rec.data.tsn,
3055 frag_strt,
3056 frag_end,
3057 SCTP_LOG_TSN_ACKED);
3058 }
3059 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3060 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_GAP,
3061 tp1->whoTo->flight_size,
3062 tp1->book_size,
3063 (uint32_t)(uintptr_t)tp1->whoTo,
3064 tp1->rec.data.tsn);
3065 }
3066 sctp_flight_size_decrease(tp1);
3067 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
3068 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
3069 tp1);
3070 }
3071 sctp_total_flight_decrease(stcb, tp1);
3072
3073 tp1->whoTo->net_ack += tp1->send_size;
3074 if (tp1->snd_count < 2) {
3075 /*-
3076 * True non-retransmited chunk
3077 */
3078 tp1->whoTo->net_ack2 += tp1->send_size;
3079
3080 /*-
3081 * update RTO too ?
3082 */
3083 if (tp1->do_rtt) {
3084 if (*rto_ok) {
3085 tp1->whoTo->RTO =
3086 sctp_calculate_rto(stcb,
3087 &stcb->asoc,
3088 tp1->whoTo,
3089 &tp1->sent_rcv_time,
3090 SCTP_RTT_FROM_DATA);
3091 *rto_ok = 0;
3092 }
3093 if (tp1->whoTo->rto_needed == 0) {
3094 tp1->whoTo->rto_needed = 1;
3095 }
3096 tp1->do_rtt = 0;
3097 }
3098 }
3099 }
3100 if (tp1->sent <= SCTP_DATAGRAM_RESEND) {
3101 if (SCTP_TSN_GT(tp1->rec.data.tsn,
3102 stcb->asoc.this_sack_highest_gap)) {
3103 stcb->asoc.this_sack_highest_gap =
3104 tp1->rec.data.tsn;
3105 }
3106 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
3107 sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
3108 #ifdef SCTP_AUDITING_ENABLED
3109 sctp_audit_log(0xB2,
3110 (stcb->asoc.sent_queue_retran_cnt & 0x000000ff));
3111 #endif
3112 }
3113 }
3114 /*-
3115 * All chunks NOT UNSENT fall through here and are marked
3116 * (leave PR-SCTP ones that are to skip alone though)
3117 */
3118 if ((tp1->sent != SCTP_FORWARD_TSN_SKIP) &&
3119 (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) {
3120 tp1->sent = SCTP_DATAGRAM_MARKED;
3121 }
3122 if (tp1->rec.data.chunk_was_revoked) {
3123 /* deflate the cwnd */
3124 tp1->whoTo->cwnd -= tp1->book_size;
3125 tp1->rec.data.chunk_was_revoked = 0;
3126 }
3127 /* NR Sack code here */
3128 if (nr_sacking &&
3129 (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) {
3130 if (stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues > 0) {
3131 stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues--;
3132 #ifdef INVARIANTS
3133 } else {
3134 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid);
3135 #endif
3136 }
3137 if ((stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues == 0) &&
3138 (stcb->asoc.strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) &&
3139 TAILQ_EMPTY(&stcb->asoc.strmout[tp1->rec.data.sid].outqueue)) {
3140 stcb->asoc.trigger_reset = 1;
3141 }
3142 tp1->sent = SCTP_DATAGRAM_NR_ACKED;
3143 if (tp1->data) {
3144 /*
3145 * sa_ignore
3146 * NO_NULL_CHK
3147 */
3148 sctp_free_bufspace(stcb, &stcb->asoc, tp1, 1);
3149 sctp_m_freem(tp1->data);
3150 tp1->data = NULL;
3151 }
3152 wake_him++;
3153 }
3154 }
3155 break;
3156 } /* if (tp1->tsn == theTSN) */
3157 if (SCTP_TSN_GT(tp1->rec.data.tsn, theTSN)) {
3158 break;
3159 }
3160 tp1 = TAILQ_NEXT(tp1, sctp_next);
3161 if ((tp1 == NULL) && (circled == 0)) {
3162 circled++;
3163 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
3164 }
3165 } /* end while (tp1) */
3166 if (tp1 == NULL) {
3167 circled = 0;
3168 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
3169 }
3170 /* In case the fragments were not in order we must reset */
3171 } /* end for (j = fragStart */
3172 *p_tp1 = tp1;
3173 return (wake_him); /* Return value only used for nr-sack */
3174 }
3175
3176
3177 static int
3178 sctp_handle_segments(struct mbuf *m, int *offset, struct sctp_tcb *stcb, struct sctp_association *asoc,
3179 uint32_t last_tsn, uint32_t *biggest_tsn_acked,
3180 uint32_t *biggest_newly_acked_tsn, uint32_t *this_sack_lowest_newack,
3181 int num_seg, int num_nr_seg, int *rto_ok)
3182 {
3183 struct sctp_gap_ack_block *frag, block;
3184 struct sctp_tmit_chunk *tp1;
3185 int i;
3186 int num_frs = 0;
3187 int chunk_freed;
3188 int non_revocable;
3189 uint16_t frag_strt, frag_end, prev_frag_end;
3190
3191 tp1 = TAILQ_FIRST(&asoc->sent_queue);
3192 prev_frag_end = 0;
3193 chunk_freed = 0;
3194
3195 for (i = 0; i < (num_seg + num_nr_seg); i++) {
3196 if (i == num_seg) {
3197 prev_frag_end = 0;
3198 tp1 = TAILQ_FIRST(&asoc->sent_queue);
3199 }
3200 frag = (struct sctp_gap_ack_block *)sctp_m_getptr(m, *offset,
3201 sizeof(struct sctp_gap_ack_block), (uint8_t *)&block);
3202 *offset += sizeof(block);
3203 if (frag == NULL) {
3204 return (chunk_freed);
3205 }
3206 frag_strt = ntohs(frag->start);
3207 frag_end = ntohs(frag->end);
3208
3209 if (frag_strt > frag_end) {
3210 /* This gap report is malformed, skip it. */
3211 continue;
3212 }
3213 if (frag_strt <= prev_frag_end) {
3214 /* This gap report is not in order, so restart. */
3215 tp1 = TAILQ_FIRST(&asoc->sent_queue);
3216 }
3217 if (SCTP_TSN_GT((last_tsn + frag_end), *biggest_tsn_acked)) {
3218 *biggest_tsn_acked = last_tsn + frag_end;
3219 }
3220 if (i < num_seg) {
3221 non_revocable = 0;
3222 } else {
3223 non_revocable = 1;
3224 }
3225 if (sctp_process_segment_range(stcb, &tp1, last_tsn, frag_strt, frag_end,
3226 non_revocable, &num_frs, biggest_newly_acked_tsn,
3227 this_sack_lowest_newack, rto_ok)) {
3228 chunk_freed = 1;
3229 }
3230 prev_frag_end = frag_end;
3231 }
3232 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3233 if (num_frs)
3234 sctp_log_fr(*biggest_tsn_acked,
3235 *biggest_newly_acked_tsn,
3236 last_tsn, SCTP_FR_LOG_BIGGEST_TSNS);
3237 }
3238 return (chunk_freed);
3239 }
3240
3241 static void
3242 sctp_check_for_revoked(struct sctp_tcb *stcb,
3243 struct sctp_association *asoc, uint32_t cumack,
3244 uint32_t biggest_tsn_acked)
3245 {
3246 struct sctp_tmit_chunk *tp1;
3247
3248 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
3249 if (SCTP_TSN_GT(tp1->rec.data.tsn, cumack)) {
3250 /*
3251 * ok this guy is either ACK or MARKED. If it is
3252 * ACKED it has been previously acked but not this
3253 * time i.e. revoked. If it is MARKED it was ACK'ed
3254 * again.
3255 */
3256 if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked)) {
3257 break;
3258 }
3259 if (tp1->sent == SCTP_DATAGRAM_ACKED) {
3260 /* it has been revoked */
3261 tp1->sent = SCTP_DATAGRAM_SENT;
3262 tp1->rec.data.chunk_was_revoked = 1;
3263 /*
3264 * We must add this stuff back in to assure
3265 * timers and such get started.
3266 */
3267 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3268 sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE,
3269 tp1->whoTo->flight_size,
3270 tp1->book_size,
3271 (uint32_t)(uintptr_t)tp1->whoTo,
3272 tp1->rec.data.tsn);
3273 }
3274 sctp_flight_size_increase(tp1);
3275 sctp_total_flight_increase(stcb, tp1);
3276 /*
3277 * We inflate the cwnd to compensate for our
3278 * artificial inflation of the flight_size.
3279 */
3280 tp1->whoTo->cwnd += tp1->book_size;
3281 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
3282 sctp_log_sack(asoc->last_acked_seq,
3283 cumack,
3284 tp1->rec.data.tsn,
3285 0,
3286 0,
3287 SCTP_LOG_TSN_REVOKED);
3288 }
3289 } else if (tp1->sent == SCTP_DATAGRAM_MARKED) {
3290 /* it has been re-acked in this SACK */
3291 tp1->sent = SCTP_DATAGRAM_ACKED;
3292 }
3293 }
3294 if (tp1->sent == SCTP_DATAGRAM_UNSENT)
3295 break;
3296 }
3297 }
3298
3299
3300 static void
3301 sctp_strike_gap_ack_chunks(struct sctp_tcb *stcb, struct sctp_association *asoc,
3302 uint32_t biggest_tsn_acked, uint32_t biggest_tsn_newly_acked, uint32_t this_sack_lowest_newack, int accum_moved)
3303 {
3304 struct sctp_tmit_chunk *tp1;
3305 int strike_flag = 0;
3306 struct timeval now;
3307 int tot_retrans = 0;
3308 uint32_t sending_seq;
3309 struct sctp_nets *net;
3310 int num_dests_sacked = 0;
3311
3312 /*
3313 * select the sending_seq, this is either the next thing ready to be
3314 * sent but not transmitted, OR, the next seq we assign.
3315 */
3316 tp1 = TAILQ_FIRST(&stcb->asoc.send_queue);
3317 if (tp1 == NULL) {
3318 sending_seq = asoc->sending_seq;
3319 } else {
3320 sending_seq = tp1->rec.data.tsn;
3321 }
3322
3323 /* CMT DAC algo: finding out if SACK is a mixed SACK */
3324 if ((asoc->sctp_cmt_on_off > 0) &&
3325 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3326 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
3327 if (net->saw_newack)
3328 num_dests_sacked++;
3329 }
3330 }
3331 if (stcb->asoc.prsctp_supported) {
3332 (void)SCTP_GETTIME_TIMEVAL(&now);
3333 }
3334 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
3335 strike_flag = 0;
3336 if (tp1->no_fr_allowed) {
3337 /* this one had a timeout or something */
3338 continue;
3339 }
3340 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3341 if (tp1->sent < SCTP_DATAGRAM_RESEND)
3342 sctp_log_fr(biggest_tsn_newly_acked,
3343 tp1->rec.data.tsn,
3344 tp1->sent,
3345 SCTP_FR_LOG_CHECK_STRIKE);
3346 }
3347 if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked) ||
3348 tp1->sent == SCTP_DATAGRAM_UNSENT) {
3349 /* done */
3350 break;
3351 }
3352 if (stcb->asoc.prsctp_supported) {
3353 if ((PR_SCTP_TTL_ENABLED(tp1->flags)) && tp1->sent < SCTP_DATAGRAM_ACKED) {
3354 /* Is it expired? */
3355 if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) {
3356 /* Yes so drop it */
3357 if (tp1->data != NULL) {
3358 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1,
3359 SCTP_SO_NOT_LOCKED);
3360 }
3361 continue;
3362 }
3363 }
3364 }
3365 if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->this_sack_highest_gap) &&
3366 !(accum_moved && asoc->fast_retran_loss_recovery)) {
3367 /* we are beyond the tsn in the sack */
3368 break;
3369 }
3370 if (tp1->sent >= SCTP_DATAGRAM_RESEND) {
3371 /* either a RESEND, ACKED, or MARKED */
3372 /* skip */
3373 if (tp1->sent == SCTP_FORWARD_TSN_SKIP) {
3374 /* Continue strikin FWD-TSN chunks */
3375 tp1->rec.data.fwd_tsn_cnt++;
3376 }
3377 continue;
3378 }
3379 /*
3380 * CMT : SFR algo (covers part of DAC and HTNA as well)
3381 */
3382 if (tp1->whoTo && tp1->whoTo->saw_newack == 0) {
3383 /*
3384 * No new acks were receieved for data sent to this
3385 * dest. Therefore, according to the SFR algo for
3386 * CMT, no data sent to this dest can be marked for
3387 * FR using this SACK.
3388 */
3389 continue;
3390 } else if (tp1->whoTo &&
3391 SCTP_TSN_GT(tp1->rec.data.tsn,
3392 tp1->whoTo->this_sack_highest_newack) &&
3393 !(accum_moved && asoc->fast_retran_loss_recovery)) {
3394 /*
3395 * CMT: New acks were receieved for data sent to
3396 * this dest. But no new acks were seen for data
3397 * sent after tp1. Therefore, according to the SFR
3398 * algo for CMT, tp1 cannot be marked for FR using
3399 * this SACK. This step covers part of the DAC algo
3400 * and the HTNA algo as well.
3401 */
3402 continue;
3403 }
3404 /*
3405 * Here we check to see if we were have already done a FR
3406 * and if so we see if the biggest TSN we saw in the sack is
3407 * smaller than the recovery point. If so we don't strike
3408 * the tsn... otherwise we CAN strike the TSN.
3409 */
3410 /*
3411 * @@@ JRI: Check for CMT if (accum_moved &&
3412 * asoc->fast_retran_loss_recovery && (sctp_cmt_on_off ==
3413 * 0)) {
3414 */
3415 if (accum_moved && asoc->fast_retran_loss_recovery) {
3416 /*
3417 * Strike the TSN if in fast-recovery and cum-ack
3418 * moved.
3419 */
3420 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3421 sctp_log_fr(biggest_tsn_newly_acked,
3422 tp1->rec.data.tsn,
3423 tp1->sent,
3424 SCTP_FR_LOG_STRIKE_CHUNK);
3425 }
3426 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3427 tp1->sent++;
3428 }
3429 if ((asoc->sctp_cmt_on_off > 0) &&
3430 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3431 /*
3432 * CMT DAC algorithm: If SACK flag is set to
3433 * 0, then lowest_newack test will not pass
3434 * because it would have been set to the
3435 * cumack earlier. If not already to be
3436 * rtx'd, If not a mixed sack and if tp1 is
3437 * not between two sacked TSNs, then mark by
3438 * one more. NOTE that we are marking by one
3439 * additional time since the SACK DAC flag
3440 * indicates that two packets have been
3441 * received after this missing TSN.
3442 */
3443 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) &&
3444 SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) {
3445 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3446 sctp_log_fr(16 + num_dests_sacked,
3447 tp1->rec.data.tsn,
3448 tp1->sent,
3449 SCTP_FR_LOG_STRIKE_CHUNK);
3450 }
3451 tp1->sent++;
3452 }
3453 }
3454 } else if ((tp1->rec.data.doing_fast_retransmit) &&
3455 (asoc->sctp_cmt_on_off == 0)) {
3456 /*
3457 * For those that have done a FR we must take
3458 * special consideration if we strike. I.e the
3459 * biggest_newly_acked must be higher than the
3460 * sending_seq at the time we did the FR.
3461 */
3462 if (
3463 #ifdef SCTP_FR_TO_ALTERNATE
3464 /*
3465 * If FR's go to new networks, then we must only do
3466 * this for singly homed asoc's. However if the FR's
3467 * go to the same network (Armando's work) then its
3468 * ok to FR multiple times.
3469 */
3470 (asoc->numnets < 2)
3471 #else
3472 (1)
3473 #endif
3474 ) {
3475
3476 if (SCTP_TSN_GE(biggest_tsn_newly_acked,
3477 tp1->rec.data.fast_retran_tsn)) {
3478 /*
3479 * Strike the TSN, since this ack is
3480 * beyond where things were when we
3481 * did a FR.
3482 */
3483 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3484 sctp_log_fr(biggest_tsn_newly_acked,
3485 tp1->rec.data.tsn,
3486 tp1->sent,
3487 SCTP_FR_LOG_STRIKE_CHUNK);
3488 }
3489 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3490 tp1->sent++;
3491 }
3492 strike_flag = 1;
3493 if ((asoc->sctp_cmt_on_off > 0) &&
3494 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3495 /*
3496 * CMT DAC algorithm: If
3497 * SACK flag is set to 0,
3498 * then lowest_newack test
3499 * will not pass because it
3500 * would have been set to
3501 * the cumack earlier. If
3502 * not already to be rtx'd,
3503 * If not a mixed sack and
3504 * if tp1 is not between two
3505 * sacked TSNs, then mark by
3506 * one more. NOTE that we
3507 * are marking by one
3508 * additional time since the
3509 * SACK DAC flag indicates
3510 * that two packets have
3511 * been received after this
3512 * missing TSN.
3513 */
3514 if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
3515 (num_dests_sacked == 1) &&
3516 SCTP_TSN_GT(this_sack_lowest_newack,
3517 tp1->rec.data.tsn)) {
3518 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3519 sctp_log_fr(32 + num_dests_sacked,
3520 tp1->rec.data.tsn,
3521 tp1->sent,
3522 SCTP_FR_LOG_STRIKE_CHUNK);
3523 }
3524 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3525 tp1->sent++;
3526 }
3527 }
3528 }
3529 }
3530 }
3531 /*
3532 * JRI: TODO: remove code for HTNA algo. CMT's SFR
3533 * algo covers HTNA.
3534 */
3535 } else if (SCTP_TSN_GT(tp1->rec.data.tsn,
3536 biggest_tsn_newly_acked)) {
3537 /*
3538 * We don't strike these: This is the HTNA
3539 * algorithm i.e. we don't strike If our TSN is
3540 * larger than the Highest TSN Newly Acked.
3541 */
3542 ;
3543 } else {
3544 /* Strike the TSN */
3545 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3546 sctp_log_fr(biggest_tsn_newly_acked,
3547 tp1->rec.data.tsn,
3548 tp1->sent,
3549 SCTP_FR_LOG_STRIKE_CHUNK);
3550 }
3551 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3552 tp1->sent++;
3553 }
3554 if ((asoc->sctp_cmt_on_off > 0) &&
3555 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3556 /*
3557 * CMT DAC algorithm: If SACK flag is set to
3558 * 0, then lowest_newack test will not pass
3559 * because it would have been set to the
3560 * cumack earlier. If not already to be
3561 * rtx'd, If not a mixed sack and if tp1 is
3562 * not between two sacked TSNs, then mark by
3563 * one more. NOTE that we are marking by one
3564 * additional time since the SACK DAC flag
3565 * indicates that two packets have been
3566 * received after this missing TSN.
3567 */
3568 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) &&
3569 SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) {
3570 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3571 sctp_log_fr(48 + num_dests_sacked,
3572 tp1->rec.data.tsn,
3573 tp1->sent,
3574 SCTP_FR_LOG_STRIKE_CHUNK);
3575 }
3576 tp1->sent++;
3577 }
3578 }
3579 }
3580 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
3581 struct sctp_nets *alt;
3582
3583 /* fix counts and things */
3584 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3585 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_RSND,
3586 (tp1->whoTo ? (tp1->whoTo->flight_size) : 0),
3587 tp1->book_size,
3588 (uint32_t)(uintptr_t)tp1->whoTo,
3589 tp1->rec.data.tsn);
3590 }
3591 if (tp1->whoTo) {
3592 tp1->whoTo->net_ack++;
3593 sctp_flight_size_decrease(tp1);
3594 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
3595 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
3596 tp1);
3597 }
3598 }
3599 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
3600 sctp_log_rwnd(SCTP_INCREASE_PEER_RWND,
3601 asoc->peers_rwnd, tp1->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
3602 }
3603 /* add back to the rwnd */
3604 asoc->peers_rwnd += (tp1->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
3605
3606 /* remove from the total flight */
3607 sctp_total_flight_decrease(stcb, tp1);
3608
3609 if ((stcb->asoc.prsctp_supported) &&
3610 (PR_SCTP_RTX_ENABLED(tp1->flags))) {
3611 /*
3612 * Has it been retransmitted tv_sec times? -
3613 * we store the retran count there.
3614 */
3615 if (tp1->snd_count > tp1->rec.data.timetodrop.tv_sec) {
3616 /* Yes, so drop it */
3617 if (tp1->data != NULL) {
3618 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1,
3619 SCTP_SO_NOT_LOCKED);
3620 }
3621 /* Make sure to flag we had a FR */
3622 if (tp1->whoTo != NULL) {
3623 tp1->whoTo->net_ack++;
3624 }
3625 continue;
3626 }
3627 }
3628 /*
3629 * SCTP_PRINTF("OK, we are now ready to FR this
3630 * guy\n");
3631 */
3632 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3633 sctp_log_fr(tp1->rec.data.tsn, tp1->snd_count,
3634 0, SCTP_FR_MARKED);
3635 }
3636 if (strike_flag) {
3637 /* This is a subsequent FR */
3638 SCTP_STAT_INCR(sctps_sendmultfastretrans);
3639 }
3640 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3641 if (asoc->sctp_cmt_on_off > 0) {
3642 /*
3643 * CMT: Using RTX_SSTHRESH policy for CMT.
3644 * If CMT is being used, then pick dest with
3645 * largest ssthresh for any retransmission.
3646 */
3647 tp1->no_fr_allowed = 1;
3648 alt = tp1->whoTo;
3649 /* sa_ignore NO_NULL_CHK */
3650 if (asoc->sctp_cmt_pf > 0) {
3651 /*
3652 * JRS 5/18/07 - If CMT PF is on,
3653 * use the PF version of
3654 * find_alt_net()
3655 */
3656 alt = sctp_find_alternate_net(stcb, alt, 2);
3657 } else {
3658 /*
3659 * JRS 5/18/07 - If only CMT is on,
3660 * use the CMT version of
3661 * find_alt_net()
3662 */
3663 /* sa_ignore NO_NULL_CHK */
3664 alt = sctp_find_alternate_net(stcb, alt, 1);
3665 }
3666 if (alt == NULL) {
3667 alt = tp1->whoTo;
3668 }
3669 /*
3670 * CUCv2: If a different dest is picked for
3671 * the retransmission, then new
3672 * (rtx-)pseudo_cumack needs to be tracked
3673 * for orig dest. Let CUCv2 track new (rtx-)
3674 * pseudo-cumack always.
3675 */
3676 if (tp1->whoTo) {
3677 tp1->whoTo->find_pseudo_cumack = 1;
3678 tp1->whoTo->find_rtx_pseudo_cumack = 1;
3679 }
3680 } else { /* CMT is OFF */
3681
3682 #ifdef SCTP_FR_TO_ALTERNATE
3683 /* Can we find an alternate? */
3684 alt = sctp_find_alternate_net(stcb, tp1->whoTo, 0);
3685 #else
3686 /*
3687 * default behavior is to NOT retransmit
3688 * FR's to an alternate. Armando Caro's
3689 * paper details why.
3690 */
3691 alt = tp1->whoTo;
3692 #endif
3693 }
3694
3695 tp1->rec.data.doing_fast_retransmit = 1;
3696 tot_retrans++;
3697 /* mark the sending seq for possible subsequent FR's */
3698 /*
3699 * SCTP_PRINTF("Marking TSN for FR new value %x\n",
3700 * (uint32_t)tpi->rec.data.tsn);
3701 */
3702 if (TAILQ_EMPTY(&asoc->send_queue)) {
3703 /*
3704 * If the queue of send is empty then its
3705 * the next sequence number that will be
3706 * assigned so we subtract one from this to
3707 * get the one we last sent.
3708 */
3709 tp1->rec.data.fast_retran_tsn = sending_seq;
3710 } else {
3711 /*
3712 * If there are chunks on the send queue
3713 * (unsent data that has made it from the
3714 * stream queues but not out the door, we
3715 * take the first one (which will have the
3716 * lowest TSN) and subtract one to get the
3717 * one we last sent.
3718 */
3719 struct sctp_tmit_chunk *ttt;
3720
3721 ttt = TAILQ_FIRST(&asoc->send_queue);
3722 tp1->rec.data.fast_retran_tsn =
3723 ttt->rec.data.tsn;
3724 }
3725
3726 if (tp1->do_rtt) {
3727 /*
3728 * this guy had a RTO calculation pending on
3729 * it, cancel it
3730 */
3731 if ((tp1->whoTo != NULL) &&
3732 (tp1->whoTo->rto_needed == 0)) {
3733 tp1->whoTo->rto_needed = 1;
3734 }
3735 tp1->do_rtt = 0;
3736 }
3737 if (alt != tp1->whoTo) {
3738 /* yes, there is an alternate. */
3739 sctp_free_remote_addr(tp1->whoTo);
3740 /* sa_ignore FREED_MEMORY */
3741 tp1->whoTo = alt;
3742 atomic_add_int(&alt->ref_count, 1);
3743 }
3744 }
3745 }
3746 }
3747
3748 struct sctp_tmit_chunk *
3749 sctp_try_advance_peer_ack_point(struct sctp_tcb *stcb,
3750 struct sctp_association *asoc)
3751 {
3752 struct sctp_tmit_chunk *tp1, *tp2, *a_adv = NULL;
3753 struct timeval now;
3754 int now_filled = 0;
3755
3756 if (asoc->prsctp_supported == 0) {
3757 return (NULL);
3758 }
3759 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
3760 if (tp1->sent != SCTP_FORWARD_TSN_SKIP &&
3761 tp1->sent != SCTP_DATAGRAM_RESEND &&
3762 tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
3763 /* no chance to advance, out of here */
3764 break;
3765 }
3766 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
3767 if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) ||
3768 (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) {
3769 sctp_misc_ints(SCTP_FWD_TSN_CHECK,
3770 asoc->advanced_peer_ack_point,
3771 tp1->rec.data.tsn, 0, 0);
3772 }
3773 }
3774 if (!PR_SCTP_ENABLED(tp1->flags)) {
3775 /*
3776 * We can't fwd-tsn past any that are reliable aka
3777 * retransmitted until the asoc fails.
3778 */
3779 break;
3780 }
3781 if (!now_filled) {
3782 (void)SCTP_GETTIME_TIMEVAL(&now);
3783 now_filled = 1;
3784 }
3785 /*
3786 * now we got a chunk which is marked for another
3787 * retransmission to a PR-stream but has run out its chances
3788 * already maybe OR has been marked to skip now. Can we skip
3789 * it if its a resend?
3790 */
3791 if (tp1->sent == SCTP_DATAGRAM_RESEND &&
3792 (PR_SCTP_TTL_ENABLED(tp1->flags))) {
3793 /*
3794 * Now is this one marked for resend and its time is
3795 * now up?
3796 */
3797 if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) {
3798 /* Yes so drop it */
3799 if (tp1->data) {
3800 (void)sctp_release_pr_sctp_chunk(stcb, tp1,
3801 1, SCTP_SO_NOT_LOCKED);
3802 }
3803 } else {
3804 /*
3805 * No, we are done when hit one for resend
3806 * whos time as not expired.
3807 */
3808 break;
3809 }
3810 }
3811 /*
3812 * Ok now if this chunk is marked to drop it we can clean up
3813 * the chunk, advance our peer ack point and we can check
3814 * the next chunk.
3815 */
3816 if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) ||
3817 (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) {
3818 /* advance PeerAckPoint goes forward */
3819 if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->advanced_peer_ack_point)) {
3820 asoc->advanced_peer_ack_point = tp1->rec.data.tsn;
3821 a_adv = tp1;
3822 } else if (tp1->rec.data.tsn == asoc->advanced_peer_ack_point) {
3823 /* No update but we do save the chk */
3824 a_adv = tp1;
3825 }
3826 } else {
3827 /*
3828 * If it is still in RESEND we can advance no
3829 * further
3830 */
3831 break;
3832 }
3833 }
3834 return (a_adv);
3835 }
3836
3837 static int
3838 sctp_fs_audit(struct sctp_association *asoc)
3839 {
3840 struct sctp_tmit_chunk *chk;
3841 int inflight = 0, resend = 0, inbetween = 0, acked = 0, above = 0;
3842 int ret;
3843 #ifndef INVARIANTS
3844 int entry_flight, entry_cnt;
3845 #endif
3846
3847 ret = 0;
3848 #ifndef INVARIANTS
3849 entry_flight = asoc->total_flight;
3850 entry_cnt = asoc->total_flight_count;
3851 #endif
3852 if (asoc->pr_sctp_cnt >= asoc->sent_queue_cnt)
3853 return (0);
3854
3855 TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
3856 if (chk->sent < SCTP_DATAGRAM_RESEND) {
3857 SCTP_PRINTF("Chk TSN: %u size: %d inflight cnt: %d\n",
3858 chk->rec.data.tsn,
3859 chk->send_size,
3860 chk->snd_count);
3861 inflight++;
3862 } else if (chk->sent == SCTP_DATAGRAM_RESEND) {
3863 resend++;
3864 } else if (chk->sent < SCTP_DATAGRAM_ACKED) {
3865 inbetween++;
3866 } else if (chk->sent > SCTP_DATAGRAM_ACKED) {
3867 above++;
3868 } else {
3869 acked++;
3870 }
3871 }
3872
3873 if ((inflight > 0) || (inbetween > 0)) {
3874 #ifdef INVARIANTS
3875 panic("Flight size-express incorrect? \n");
3876 #else
3877 SCTP_PRINTF("asoc->total_flight: %d cnt: %d\n",
3878 entry_flight, entry_cnt);
3879
3880 SCTP_PRINTF("Flight size-express incorrect F: %d I: %d R: %d Ab: %d ACK: %d\n",
3881 inflight, inbetween, resend, above, acked);
3882 ret = 1;
3883 #endif
3884 }
3885 return (ret);
3886 }
3887
3888
3889 static void
3890 sctp_window_probe_recovery(struct sctp_tcb *stcb,
3891 struct sctp_association *asoc,
3892 struct sctp_tmit_chunk *tp1)
3893 {
3894 tp1->window_probe = 0;
3895 if ((tp1->sent >= SCTP_DATAGRAM_ACKED) || (tp1->data == NULL)) {
3896 /* TSN's skipped we do NOT move back. */
3897 sctp_misc_ints(SCTP_FLIGHT_LOG_DWN_WP_FWD,
3898 tp1->whoTo ? tp1->whoTo->flight_size : 0,
3899 tp1->book_size,
3900 (uint32_t)(uintptr_t)tp1->whoTo,
3901 tp1->rec.data.tsn);
3902 return;
3903 }
3904 /* First setup this by shrinking flight */
3905 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
3906 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
3907 tp1);
3908 }
3909 sctp_flight_size_decrease(tp1);
3910 sctp_total_flight_decrease(stcb, tp1);
3911 /* Now mark for resend */
3912 tp1->sent = SCTP_DATAGRAM_RESEND;
3913 sctp_ucount_incr(asoc->sent_queue_retran_cnt);
3914
3915 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3916 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_WP,
3917 tp1->whoTo->flight_size,
3918 tp1->book_size,
3919 (uint32_t)(uintptr_t)tp1->whoTo,
3920 tp1->rec.data.tsn);
3921 }
3922 }
3923
3924 void
3925 sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
3926 uint32_t rwnd, int *abort_now, int ecne_seen)
3927 {
3928 struct sctp_nets *net;
3929 struct sctp_association *asoc;
3930 struct sctp_tmit_chunk *tp1, *tp2;
3931 uint32_t old_rwnd;
3932 int win_probe_recovery = 0;
3933 int win_probe_recovered = 0;
3934 int j, done_once = 0;
3935 int rto_ok = 1;
3936 uint32_t send_s;
3937
3938 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) {
3939 sctp_misc_ints(SCTP_SACK_LOG_EXPRESS, cumack,
3940 rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd);
3941 }
3942 SCTP_TCB_LOCK_ASSERT(stcb);
3943 #ifdef SCTP_ASOCLOG_OF_TSNS
3944 stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cumack;
3945 stcb->asoc.cumack_log_at++;
3946 if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) {
3947 stcb->asoc.cumack_log_at = 0;
3948 }
3949 #endif
3950 asoc = &stcb->asoc;
3951 old_rwnd = asoc->peers_rwnd;
3952 if (SCTP_TSN_GT(asoc->last_acked_seq, cumack)) {
3953 /* old ack */
3954 return;
3955 } else if (asoc->last_acked_seq == cumack) {
3956 /* Window update sack */
3957 asoc->peers_rwnd = sctp_sbspace_sub(rwnd,
3958 (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
3959 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
3960 /* SWS sender side engages */
3961 asoc->peers_rwnd = 0;
3962 }
3963 if (asoc->peers_rwnd > old_rwnd) {
3964 goto again;
3965 }
3966 return;
3967 }
3968 /* First setup for CC stuff */
3969 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
3970 if (SCTP_TSN_GT(cumack, net->cwr_window_tsn)) {
3971 /* Drag along the window_tsn for cwr's */
3972 net->cwr_window_tsn = cumack;
3973 }
3974 net->prev_cwnd = net->cwnd;
3975 net->net_ack = 0;
3976 net->net_ack2 = 0;
3977
3978 /*
3979 * CMT: Reset CUC and Fast recovery algo variables before
3980 * SACK processing
3981 */
3982 net->new_pseudo_cumack = 0;
3983 net->will_exit_fast_recovery = 0;
3984 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) {
3985 (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) (stcb, net);
3986 }
3987 }
3988 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
3989 tp1 = TAILQ_LAST(&asoc->sent_queue,
3990 sctpchunk_listhead);
3991 send_s = tp1->rec.data.tsn + 1;
3992 } else {
3993 send_s = asoc->sending_seq;
3994 }
3995 if (SCTP_TSN_GE(cumack, send_s)) {
3996 struct mbuf *op_err;
3997 char msg[SCTP_DIAG_INFO_LEN];
3998
3999 *abort_now = 1;
4000 /* XXX */
4001 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal than TSN %8.8x",
4002 cumack, send_s);
4003 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
4004 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_21;
4005 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
4006 return;
4007 }
4008 asoc->this_sack_highest_gap = cumack;
4009 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4010 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4011 stcb->asoc.overall_error_count,
4012 0,
4013 SCTP_FROM_SCTP_INDATA,
4014 __LINE__);
4015 }
4016 stcb->asoc.overall_error_count = 0;
4017 if (SCTP_TSN_GT(cumack, asoc->last_acked_seq)) {
4018 /* process the new consecutive TSN first */
4019 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
4020 if (SCTP_TSN_GE(cumack, tp1->rec.data.tsn)) {
4021 if (tp1->sent == SCTP_DATAGRAM_UNSENT) {
4022 SCTP_PRINTF("Warning, an unsent is now acked?\n");
4023 }
4024 if (tp1->sent < SCTP_DATAGRAM_ACKED) {
4025 /*
4026 * If it is less than ACKED, it is
4027 * now no-longer in flight. Higher
4028 * values may occur during marking
4029 */
4030 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
4031 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
4032 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA,
4033 tp1->whoTo->flight_size,
4034 tp1->book_size,
4035 (uint32_t)(uintptr_t)tp1->whoTo,
4036 tp1->rec.data.tsn);
4037 }
4038 sctp_flight_size_decrease(tp1);
4039 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
4040 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
4041 tp1);
4042 }
4043 /* sa_ignore NO_NULL_CHK */
4044 sctp_total_flight_decrease(stcb, tp1);
4045 }
4046 tp1->whoTo->net_ack += tp1->send_size;
4047 if (tp1->snd_count < 2) {
4048 /*
4049 * True non-retransmited
4050 * chunk
4051 */
4052 tp1->whoTo->net_ack2 +=
4053 tp1->send_size;
4054
4055 /* update RTO too? */
4056 if (tp1->do_rtt) {
4057 if (rto_ok) {
4058 tp1->whoTo->RTO =
4059 /*
4060 * sa_ignore
4061 * NO_NULL_CHK
4062 */
4063 sctp_calculate_rto(stcb,
4064 asoc, tp1->whoTo,
4065 &tp1->sent_rcv_time,
4066 SCTP_RTT_FROM_DATA);
4067 rto_ok = 0;
4068 }
4069 if (tp1->whoTo->rto_needed == 0) {
4070 tp1->whoTo->rto_needed = 1;
4071 }
4072 tp1->do_rtt = 0;
4073 }
4074 }
4075 /*
4076 * CMT: CUCv2 algorithm. From the
4077 * cumack'd TSNs, for each TSN being
4078 * acked for the first time, set the
4079 * following variables for the
4080 * corresp destination.
4081 * new_pseudo_cumack will trigger a
4082 * cwnd update.
4083 * find_(rtx_)pseudo_cumack will
4084 * trigger search for the next
4085 * expected (rtx-)pseudo-cumack.
4086 */
4087 tp1->whoTo->new_pseudo_cumack = 1;
4088 tp1->whoTo->find_pseudo_cumack = 1;
4089 tp1->whoTo->find_rtx_pseudo_cumack = 1;
4090
4091 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
4092 /* sa_ignore NO_NULL_CHK */
4093 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK);
4094 }
4095 }
4096 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
4097 sctp_ucount_decr(asoc->sent_queue_retran_cnt);
4098 }
4099 if (tp1->rec.data.chunk_was_revoked) {
4100 /* deflate the cwnd */
4101 tp1->whoTo->cwnd -= tp1->book_size;
4102 tp1->rec.data.chunk_was_revoked = 0;
4103 }
4104 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
4105 if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) {
4106 asoc->strmout[tp1->rec.data.sid].chunks_on_queues--;
4107 #ifdef INVARIANTS
4108 } else {
4109 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid);
4110 #endif
4111 }
4112 }
4113 if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) &&
4114 (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) &&
4115 TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) {
4116 asoc->trigger_reset = 1;
4117 }
4118 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next);
4119 if (tp1->data) {
4120 /* sa_ignore NO_NULL_CHK */
4121 sctp_free_bufspace(stcb, asoc, tp1, 1);
4122 sctp_m_freem(tp1->data);
4123 tp1->data = NULL;
4124 }
4125 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4126 sctp_log_sack(asoc->last_acked_seq,
4127 cumack,
4128 tp1->rec.data.tsn,
4129 0,
4130 0,
4131 SCTP_LOG_FREE_SENT);
4132 }
4133 asoc->sent_queue_cnt--;
4134 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED);
4135 } else {
4136 break;
4137 }
4138 }
4139
4140 }
4141 /* sa_ignore NO_NULL_CHK */
4142 if (stcb->sctp_socket) {
4143 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4144 struct socket *so;
4145
4146 #endif
4147 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd);
4148 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4149 /* sa_ignore NO_NULL_CHK */
4150 sctp_wakeup_log(stcb, 1, SCTP_WAKESND_FROM_SACK);
4151 }
4152 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4153 so = SCTP_INP_SO(stcb->sctp_ep);
4154 atomic_add_int(&stcb->asoc.refcnt, 1);
4155 SCTP_TCB_UNLOCK(stcb);
4156 SCTP_SOCKET_LOCK(so, 1);
4157 SCTP_TCB_LOCK(stcb);
4158 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4159 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
4160 /* assoc was freed while we were unlocked */
4161 SCTP_SOCKET_UNLOCK(so, 1);
4162 return;
4163 }
4164 #endif
4165 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket);
4166 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4167 SCTP_SOCKET_UNLOCK(so, 1);
4168 #endif
4169 } else {
4170 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4171 sctp_wakeup_log(stcb, 1, SCTP_NOWAKE_FROM_SACK);
4172 }
4173 }
4174
4175 /* JRS - Use the congestion control given in the CC module */
4176 if ((asoc->last_acked_seq != cumack) && (ecne_seen == 0)) {
4177 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4178 if (net->net_ack2 > 0) {
4179 /*
4180 * Karn's rule applies to clearing error
4181 * count, this is optional.
4182 */
4183 net->error_count = 0;
4184 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) {
4185 /* addr came good */
4186 net->dest_state |= SCTP_ADDR_REACHABLE;
4187 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
4188 0, (void *)net, SCTP_SO_NOT_LOCKED);
4189 }
4190 if (net == stcb->asoc.primary_destination) {
4191 if (stcb->asoc.alternate) {
4192 /*
4193 * release the alternate,
4194 * primary is good
4195 */
4196 sctp_free_remote_addr(stcb->asoc.alternate);
4197 stcb->asoc.alternate = NULL;
4198 }
4199 }
4200 if (net->dest_state & SCTP_ADDR_PF) {
4201 net->dest_state &= ~SCTP_ADDR_PF;
4202 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT,
4203 stcb->sctp_ep, stcb, net,
4204 SCTP_FROM_SCTP_INDATA + SCTP_LOC_22);
4205 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
4206 asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
4207 /* Done with this net */
4208 net->net_ack = 0;
4209 }
4210 /* restore any doubled timers */
4211 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv;
4212 if (net->RTO < stcb->asoc.minrto) {
4213 net->RTO = stcb->asoc.minrto;
4214 }
4215 if (net->RTO > stcb->asoc.maxrto) {
4216 net->RTO = stcb->asoc.maxrto;
4217 }
4218 }
4219 }
4220 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, 1, 0, 0);
4221 }
4222 asoc->last_acked_seq = cumack;
4223
4224 if (TAILQ_EMPTY(&asoc->sent_queue)) {
4225 /* nothing left in-flight */
4226 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4227 net->flight_size = 0;
4228 net->partial_bytes_acked = 0;
4229 }
4230 asoc->total_flight = 0;
4231 asoc->total_flight_count = 0;
4232 }
4233 /* RWND update */
4234 asoc->peers_rwnd = sctp_sbspace_sub(rwnd,
4235 (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
4236 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4237 /* SWS sender side engages */
4238 asoc->peers_rwnd = 0;
4239 }
4240 if (asoc->peers_rwnd > old_rwnd) {
4241 win_probe_recovery = 1;
4242 }
4243 /* Now assure a timer where data is queued at */
4244 again:
4245 j = 0;
4246 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4247 if (win_probe_recovery && (net->window_probe)) {
4248 win_probe_recovered = 1;
4249 /*
4250 * Find first chunk that was used with window probe
4251 * and clear the sent
4252 */
4253 /* sa_ignore FREED_MEMORY */
4254 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4255 if (tp1->window_probe) {
4256 /* move back to data send queue */
4257 sctp_window_probe_recovery(stcb, asoc, tp1);
4258 break;
4259 }
4260 }
4261 }
4262 if (net->flight_size) {
4263 j++;
4264 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net);
4265 if (net->window_probe) {
4266 net->window_probe = 0;
4267 }
4268 } else {
4269 if (net->window_probe) {
4270 /*
4271 * In window probes we must assure a timer
4272 * is still running there
4273 */
4274 net->window_probe = 0;
4275 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4276 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net);
4277 }
4278 } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4279 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4280 stcb, net,
4281 SCTP_FROM_SCTP_INDATA + SCTP_LOC_23);
4282 }
4283 }
4284 }
4285 if ((j == 0) &&
4286 (!TAILQ_EMPTY(&asoc->sent_queue)) &&
4287 (asoc->sent_queue_retran_cnt == 0) &&
4288 (win_probe_recovered == 0) &&
4289 (done_once == 0)) {
4290 /*
4291 * huh, this should not happen unless all packets are
4292 * PR-SCTP and marked to skip of course.
4293 */
4294 if (sctp_fs_audit(asoc)) {
4295 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4296 net->flight_size = 0;
4297 }
4298 asoc->total_flight = 0;
4299 asoc->total_flight_count = 0;
4300 asoc->sent_queue_retran_cnt = 0;
4301 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4302 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
4303 sctp_flight_size_increase(tp1);
4304 sctp_total_flight_increase(stcb, tp1);
4305 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) {
4306 sctp_ucount_incr(asoc->sent_queue_retran_cnt);
4307 }
4308 }
4309 }
4310 done_once = 1;
4311 goto again;
4312 }
4313 /**********************************/
4314 /* Now what about shutdown issues */
4315 /**********************************/
4316 if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) {
4317 /* nothing left on sendqueue.. consider done */
4318 /* clean up */
4319 if ((asoc->stream_queue_cnt == 1) &&
4320 ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
4321 (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED)) &&
4322 ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc))) {
4323 asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
4324 }
4325 if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
4326 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
4327 (asoc->stream_queue_cnt == 1) &&
4328 (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
4329 struct mbuf *op_err;
4330
4331 *abort_now = 1;
4332 /* XXX */
4333 op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
4334 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_24;
4335 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
4336 return;
4337 }
4338 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) &&
4339 (asoc->stream_queue_cnt == 0)) {
4340 struct sctp_nets *netp;
4341
4342 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
4343 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
4344 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4345 }
4346 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
4347 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
4348 sctp_stop_timers_for_shutdown(stcb);
4349 if (asoc->alternate) {
4350 netp = asoc->alternate;
4351 } else {
4352 netp = asoc->primary_destination;
4353 }
4354 sctp_send_shutdown(stcb, netp);
4355 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN,
4356 stcb->sctp_ep, stcb, netp);
4357 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
4358 stcb->sctp_ep, stcb, netp);
4359 } else if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) &&
4360 (asoc->stream_queue_cnt == 0)) {
4361 struct sctp_nets *netp;
4362
4363 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4364 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
4365 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
4366 sctp_stop_timers_for_shutdown(stcb);
4367 if (asoc->alternate) {
4368 netp = asoc->alternate;
4369 } else {
4370 netp = asoc->primary_destination;
4371 }
4372 sctp_send_shutdown_ack(stcb, netp);
4373 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
4374 stcb->sctp_ep, stcb, netp);
4375 }
4376 }
4377 /*********************************************/
4378 /* Here we perform PR-SCTP procedures */
4379 /* (section 4.2) */
4380 /*********************************************/
4381 /* C1. update advancedPeerAckPoint */
4382 if (SCTP_TSN_GT(cumack, asoc->advanced_peer_ack_point)) {
4383 asoc->advanced_peer_ack_point = cumack;
4384 }
4385 /* PR-Sctp issues need to be addressed too */
4386 if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) {
4387 struct sctp_tmit_chunk *lchk;
4388 uint32_t old_adv_peer_ack_point;
4389
4390 old_adv_peer_ack_point = asoc->advanced_peer_ack_point;
4391 lchk = sctp_try_advance_peer_ack_point(stcb, asoc);
4392 /* C3. See if we need to send a Fwd-TSN */
4393 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cumack)) {
4394 /*
4395 * ISSUE with ECN, see FWD-TSN processing.
4396 */
4397 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) {
4398 send_forward_tsn(stcb, asoc);
4399 } else if (lchk) {
4400 /* try to FR fwd-tsn's that get lost too */
4401 if (lchk->rec.data.fwd_tsn_cnt >= 3) {
4402 send_forward_tsn(stcb, asoc);
4403 }
4404 }
4405 }
4406 if (lchk) {
4407 /* Assure a timer is up */
4408 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
4409 stcb->sctp_ep, stcb, lchk->whoTo);
4410 }
4411 }
4412 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) {
4413 sctp_misc_ints(SCTP_SACK_RWND_UPDATE,
4414 rwnd,
4415 stcb->asoc.peers_rwnd,
4416 stcb->asoc.total_flight,
4417 stcb->asoc.total_output_queue_size);
4418 }
4419 }
4420
4421 void
4422 sctp_handle_sack(struct mbuf *m, int offset_seg, int offset_dup,
4423 struct sctp_tcb *stcb,
4424 uint16_t num_seg, uint16_t num_nr_seg, uint16_t num_dup,
4425 int *abort_now, uint8_t flags,
4426 uint32_t cum_ack, uint32_t rwnd, int ecne_seen)
4427 {
4428 struct sctp_association *asoc;
4429 struct sctp_tmit_chunk *tp1, *tp2;
4430 uint32_t last_tsn, biggest_tsn_acked, biggest_tsn_newly_acked, this_sack_lowest_newack;
4431 uint16_t wake_him = 0;
4432 uint32_t send_s = 0;
4433 long j;
4434 int accum_moved = 0;
4435 int will_exit_fast_recovery = 0;
4436 uint32_t a_rwnd, old_rwnd;
4437 int win_probe_recovery = 0;
4438 int win_probe_recovered = 0;
4439 struct sctp_nets *net = NULL;
4440 int done_once;
4441 int rto_ok = 1;
4442 uint8_t reneged_all = 0;
4443 uint8_t cmt_dac_flag;
4444
4445 /*
4446 * we take any chance we can to service our queues since we cannot
4447 * get awoken when the socket is read from :<
4448 */
4449 /*
4450 * Now perform the actual SACK handling: 1) Verify that it is not an
4451 * old sack, if so discard. 2) If there is nothing left in the send
4452 * queue (cum-ack is equal to last acked) then you have a duplicate
4453 * too, update any rwnd change and verify no timers are running.
4454 * then return. 3) Process any new consequtive data i.e. cum-ack
4455 * moved process these first and note that it moved. 4) Process any
4456 * sack blocks. 5) Drop any acked from the queue. 6) Check for any
4457 * revoked blocks and mark. 7) Update the cwnd. 8) Nothing left,
4458 * sync up flightsizes and things, stop all timers and also check
4459 * for shutdown_pending state. If so then go ahead and send off the
4460 * shutdown. If in shutdown recv, send off the shutdown-ack and
4461 * start that timer, Ret. 9) Strike any non-acked things and do FR
4462 * procedure if needed being sure to set the FR flag. 10) Do pr-sctp
4463 * procedures. 11) Apply any FR penalties. 12) Assure we will SACK
4464 * if in shutdown_recv state.
4465 */
4466 SCTP_TCB_LOCK_ASSERT(stcb);
4467 /* CMT DAC algo */
4468 this_sack_lowest_newack = 0;
4469 SCTP_STAT_INCR(sctps_slowpath_sack);
4470 last_tsn = cum_ack;
4471 cmt_dac_flag = flags & SCTP_SACK_CMT_DAC;
4472 #ifdef SCTP_ASOCLOG_OF_TSNS
4473 stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cum_ack;
4474 stcb->asoc.cumack_log_at++;
4475 if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) {
4476 stcb->asoc.cumack_log_at = 0;
4477 }
4478 #endif
4479 a_rwnd = rwnd;
4480
4481 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) {
4482 sctp_misc_ints(SCTP_SACK_LOG_NORMAL, cum_ack,
4483 rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd);
4484 }
4485 old_rwnd = stcb->asoc.peers_rwnd;
4486 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4487 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4488 stcb->asoc.overall_error_count,
4489 0,
4490 SCTP_FROM_SCTP_INDATA,
4491 __LINE__);
4492 }
4493 stcb->asoc.overall_error_count = 0;
4494 asoc = &stcb->asoc;
4495 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4496 sctp_log_sack(asoc->last_acked_seq,
4497 cum_ack,
4498 0,
4499 num_seg,
4500 num_dup,
4501 SCTP_LOG_NEW_SACK);
4502 }
4503 if ((num_dup) && (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE)) {
4504 uint16_t i;
4505 uint32_t *dupdata, dblock;
4506
4507 for (i = 0; i < num_dup; i++) {
4508 dupdata = (uint32_t *)sctp_m_getptr(m, offset_dup + i * sizeof(uint32_t),
4509 sizeof(uint32_t), (uint8_t *)&dblock);
4510 if (dupdata == NULL) {
4511 break;
4512 }
4513 sctp_log_fr(*dupdata, 0, 0, SCTP_FR_DUPED);
4514 }
4515 }
4516 /* reality check */
4517 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
4518 tp1 = TAILQ_LAST(&asoc->sent_queue,
4519 sctpchunk_listhead);
4520 send_s = tp1->rec.data.tsn + 1;
4521 } else {
4522 tp1 = NULL;
4523 send_s = asoc->sending_seq;
4524 }
4525 if (SCTP_TSN_GE(cum_ack, send_s)) {
4526 struct mbuf *op_err;
4527 char msg[SCTP_DIAG_INFO_LEN];
4528
4529 /*
4530 * no way, we have not even sent this TSN out yet. Peer is
4531 * hopelessly messed up with us.
4532 */
4533 SCTP_PRINTF("NEW cum_ack:%x send_s:%x is smaller or equal\n",
4534 cum_ack, send_s);
4535 if (tp1) {
4536 SCTP_PRINTF("Got send_s from tsn:%x + 1 of tp1: %p\n",
4537 tp1->rec.data.tsn, (void *)tp1);
4538 }
4539 hopeless_peer:
4540 *abort_now = 1;
4541 /* XXX */
4542 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal than TSN %8.8x",
4543 cum_ack, send_s);
4544 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
4545 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_25;
4546 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
4547 return;
4548 }
4549 /**********************/
4550 /* 1) check the range */
4551 /**********************/
4552 if (SCTP_TSN_GT(asoc->last_acked_seq, last_tsn)) {
4553 /* acking something behind */
4554 return;
4555 }
4556 /* update the Rwnd of the peer */
4557 if (TAILQ_EMPTY(&asoc->sent_queue) &&
4558 TAILQ_EMPTY(&asoc->send_queue) &&
4559 (asoc->stream_queue_cnt == 0)) {
4560 /* nothing left on send/sent and strmq */
4561 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
4562 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
4563 asoc->peers_rwnd, 0, 0, a_rwnd);
4564 }
4565 asoc->peers_rwnd = a_rwnd;
4566 if (asoc->sent_queue_retran_cnt) {
4567 asoc->sent_queue_retran_cnt = 0;
4568 }
4569 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4570 /* SWS sender side engages */
4571 asoc->peers_rwnd = 0;
4572 }
4573 /* stop any timers */
4574 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4575 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4576 stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_26);
4577 net->partial_bytes_acked = 0;
4578 net->flight_size = 0;
4579 }
4580 asoc->total_flight = 0;
4581 asoc->total_flight_count = 0;
4582 return;
4583 }
4584 /*
4585 * We init netAckSz and netAckSz2 to 0. These are used to track 2
4586 * things. The total byte count acked is tracked in netAckSz AND
4587 * netAck2 is used to track the total bytes acked that are un-
4588 * amibguious and were never retransmitted. We track these on a per
4589 * destination address basis.
4590 */
4591 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4592 if (SCTP_TSN_GT(cum_ack, net->cwr_window_tsn)) {
4593 /* Drag along the window_tsn for cwr's */
4594 net->cwr_window_tsn = cum_ack;
4595 }
4596 net->prev_cwnd = net->cwnd;
4597 net->net_ack = 0;
4598 net->net_ack2 = 0;
4599
4600 /*
4601 * CMT: Reset CUC and Fast recovery algo variables before
4602 * SACK processing
4603 */
4604 net->new_pseudo_cumack = 0;
4605 net->will_exit_fast_recovery = 0;
4606 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) {
4607 (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) (stcb, net);
4608 }
4609 /*
4610 * CMT: SFR algo (and HTNA) - this_sack_highest_newack has
4611 * to be greater than the cumack. Also reset saw_newack to 0
4612 * for all dests.
4613 */
4614 net->saw_newack = 0;
4615 net->this_sack_highest_newack = last_tsn;
4616 }
4617 /* process the new consecutive TSN first */
4618 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4619 if (SCTP_TSN_GE(last_tsn, tp1->rec.data.tsn)) {
4620 if (tp1->sent != SCTP_DATAGRAM_UNSENT) {
4621 accum_moved = 1;
4622 if (tp1->sent < SCTP_DATAGRAM_ACKED) {
4623 /*
4624 * If it is less than ACKED, it is
4625 * now no-longer in flight. Higher
4626 * values may occur during marking
4627 */
4628 if ((tp1->whoTo->dest_state &
4629 SCTP_ADDR_UNCONFIRMED) &&
4630 (tp1->snd_count < 2)) {
4631 /*
4632 * If there was no retran
4633 * and the address is
4634 * un-confirmed and we sent
4635 * there and are now
4636 * sacked.. its confirmed,
4637 * mark it so.
4638 */
4639 tp1->whoTo->dest_state &=
4640 ~SCTP_ADDR_UNCONFIRMED;
4641 }
4642 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
4643 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
4644 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA,
4645 tp1->whoTo->flight_size,
4646 tp1->book_size,
4647 (uint32_t)(uintptr_t)tp1->whoTo,
4648 tp1->rec.data.tsn);
4649 }
4650 sctp_flight_size_decrease(tp1);
4651 sctp_total_flight_decrease(stcb, tp1);
4652 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
4653 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo,
4654 tp1);
4655 }
4656 }
4657 tp1->whoTo->net_ack += tp1->send_size;
4658
4659 /* CMT SFR and DAC algos */
4660 this_sack_lowest_newack = tp1->rec.data.tsn;
4661 tp1->whoTo->saw_newack = 1;
4662
4663 if (tp1->snd_count < 2) {
4664 /*
4665 * True non-retransmited
4666 * chunk
4667 */
4668 tp1->whoTo->net_ack2 +=
4669 tp1->send_size;
4670
4671 /* update RTO too? */
4672 if (tp1->do_rtt) {
4673 if (rto_ok) {
4674 tp1->whoTo->RTO =
4675 sctp_calculate_rto(stcb,
4676 asoc, tp1->whoTo,
4677 &tp1->sent_rcv_time,
4678 SCTP_RTT_FROM_DATA);
4679 rto_ok = 0;
4680 }
4681 if (tp1->whoTo->rto_needed == 0) {
4682 tp1->whoTo->rto_needed = 1;
4683 }
4684 tp1->do_rtt = 0;
4685 }
4686 }
4687 /*
4688 * CMT: CUCv2 algorithm. From the
4689 * cumack'd TSNs, for each TSN being
4690 * acked for the first time, set the
4691 * following variables for the
4692 * corresp destination.
4693 * new_pseudo_cumack will trigger a
4694 * cwnd update.
4695 * find_(rtx_)pseudo_cumack will
4696 * trigger search for the next
4697 * expected (rtx-)pseudo-cumack.
4698 */
4699 tp1->whoTo->new_pseudo_cumack = 1;
4700 tp1->whoTo->find_pseudo_cumack = 1;
4701 tp1->whoTo->find_rtx_pseudo_cumack = 1;
4702
4703
4704 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4705 sctp_log_sack(asoc->last_acked_seq,
4706 cum_ack,
4707 tp1->rec.data.tsn,
4708 0,
4709 0,
4710 SCTP_LOG_TSN_ACKED);
4711 }
4712 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
4713 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK);
4714 }
4715 }
4716 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
4717 sctp_ucount_decr(asoc->sent_queue_retran_cnt);
4718 #ifdef SCTP_AUDITING_ENABLED
4719 sctp_audit_log(0xB3,
4720 (asoc->sent_queue_retran_cnt & 0x000000ff));
4721 #endif
4722 }
4723 if (tp1->rec.data.chunk_was_revoked) {
4724 /* deflate the cwnd */
4725 tp1->whoTo->cwnd -= tp1->book_size;
4726 tp1->rec.data.chunk_was_revoked = 0;
4727 }
4728 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
4729 tp1->sent = SCTP_DATAGRAM_ACKED;
4730 }
4731 }
4732 } else {
4733 break;
4734 }
4735 }
4736 biggest_tsn_newly_acked = biggest_tsn_acked = last_tsn;
4737 /* always set this up to cum-ack */
4738 asoc->this_sack_highest_gap = last_tsn;
4739
4740 if ((num_seg > 0) || (num_nr_seg > 0)) {
4741
4742 /*
4743 * thisSackHighestGap will increase while handling NEW
4744 * segments this_sack_highest_newack will increase while
4745 * handling NEWLY ACKED chunks. this_sack_lowest_newack is
4746 * used for CMT DAC algo. saw_newack will also change.
4747 */
4748 if (sctp_handle_segments(m, &offset_seg, stcb, asoc, last_tsn, &biggest_tsn_acked,
4749 &biggest_tsn_newly_acked, &this_sack_lowest_newack,
4750 num_seg, num_nr_seg, &rto_ok)) {
4751 wake_him++;
4752 }
4753 /*
4754 * validate the biggest_tsn_acked in the gap acks if strict
4755 * adherence is wanted.
4756 */
4757 if (SCTP_TSN_GE(biggest_tsn_acked, send_s)) {
4758 /*
4759 * peer is either confused or we are under attack.
4760 * We must abort.
4761 */
4762 SCTP_PRINTF("Hopeless peer! biggest_tsn_acked:%x largest seq:%x\n",
4763 biggest_tsn_acked, send_s);
4764 goto hopeless_peer;
4765 }
4766 }
4767 /*******************************************/
4768 /* cancel ALL T3-send timer if accum moved */
4769 /*******************************************/
4770 if (asoc->sctp_cmt_on_off > 0) {
4771 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4772 if (net->new_pseudo_cumack)
4773 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4774 stcb, net,
4775 SCTP_FROM_SCTP_INDATA + SCTP_LOC_27);
4776
4777 }
4778 } else {
4779 if (accum_moved) {
4780 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4781 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4782 stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_28);
4783 }
4784 }
4785 }
4786 /********************************************/
4787 /* drop the acked chunks from the sentqueue */
4788 /********************************************/
4789 asoc->last_acked_seq = cum_ack;
4790
4791 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
4792 if (SCTP_TSN_GT(tp1->rec.data.tsn, cum_ack)) {
4793 break;
4794 }
4795 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
4796 if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) {
4797 asoc->strmout[tp1->rec.data.sid].chunks_on_queues--;
4798 #ifdef INVARIANTS
4799 } else {
4800 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid);
4801 #endif
4802 }
4803 }
4804 if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) &&
4805 (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) &&
4806 TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) {
4807 asoc->trigger_reset = 1;
4808 }
4809 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next);
4810 if (PR_SCTP_ENABLED(tp1->flags)) {
4811 if (asoc->pr_sctp_cnt != 0)
4812 asoc->pr_sctp_cnt--;
4813 }
4814 asoc->sent_queue_cnt--;
4815 if (tp1->data) {
4816 /* sa_ignore NO_NULL_CHK */
4817 sctp_free_bufspace(stcb, asoc, tp1, 1);
4818 sctp_m_freem(tp1->data);
4819 tp1->data = NULL;
4820 if (asoc->prsctp_supported && PR_SCTP_BUF_ENABLED(tp1->flags)) {
4821 asoc->sent_queue_cnt_removeable--;
4822 }
4823 }
4824 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4825 sctp_log_sack(asoc->last_acked_seq,
4826 cum_ack,
4827 tp1->rec.data.tsn,
4828 0,
4829 0,
4830 SCTP_LOG_FREE_SENT);
4831 }
4832 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED);
4833 wake_him++;
4834 }
4835 if (TAILQ_EMPTY(&asoc->sent_queue) && (asoc->total_flight > 0)) {
4836 #ifdef INVARIANTS
4837 panic("Warning flight size is positive and should be 0");
4838 #else
4839 SCTP_PRINTF("Warning flight size incorrect should be 0 is %d\n",
4840 asoc->total_flight);
4841 #endif
4842 asoc->total_flight = 0;
4843 }
4844 /* sa_ignore NO_NULL_CHK */
4845 if ((wake_him) && (stcb->sctp_socket)) {
4846 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4847 struct socket *so;
4848
4849 #endif
4850 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd);
4851 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4852 sctp_wakeup_log(stcb, wake_him, SCTP_WAKESND_FROM_SACK);
4853 }
4854 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4855 so = SCTP_INP_SO(stcb->sctp_ep);
4856 atomic_add_int(&stcb->asoc.refcnt, 1);
4857 SCTP_TCB_UNLOCK(stcb);
4858 SCTP_SOCKET_LOCK(so, 1);
4859 SCTP_TCB_LOCK(stcb);
4860 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4861 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
4862 /* assoc was freed while we were unlocked */
4863 SCTP_SOCKET_UNLOCK(so, 1);
4864 return;
4865 }
4866 #endif
4867 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket);
4868 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4869 SCTP_SOCKET_UNLOCK(so, 1);
4870 #endif
4871 } else {
4872 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4873 sctp_wakeup_log(stcb, wake_him, SCTP_NOWAKE_FROM_SACK);
4874 }
4875 }
4876
4877 if (asoc->fast_retran_loss_recovery && accum_moved) {
4878 if (SCTP_TSN_GE(asoc->last_acked_seq, asoc->fast_recovery_tsn)) {
4879 /* Setup so we will exit RFC2582 fast recovery */
4880 will_exit_fast_recovery = 1;
4881 }
4882 }
4883 /*
4884 * Check for revoked fragments:
4885 *
4886 * if Previous sack - Had no frags then we can't have any revoked if
4887 * Previous sack - Had frag's then - If we now have frags aka
4888 * num_seg > 0 call sctp_check_for_revoked() to tell if peer revoked
4889 * some of them. else - The peer revoked all ACKED fragments, since
4890 * we had some before and now we have NONE.
4891 */
4892
4893 if (num_seg) {
4894 sctp_check_for_revoked(stcb, asoc, cum_ack, biggest_tsn_acked);
4895 asoc->saw_sack_with_frags = 1;
4896 } else if (asoc->saw_sack_with_frags) {
4897 int cnt_revoked = 0;
4898
4899 /* Peer revoked all dg's marked or acked */
4900 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4901 if (tp1->sent == SCTP_DATAGRAM_ACKED) {
4902 tp1->sent = SCTP_DATAGRAM_SENT;
4903 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
4904 sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE,
4905 tp1->whoTo->flight_size,
4906 tp1->book_size,
4907 (uint32_t)(uintptr_t)tp1->whoTo,
4908 tp1->rec.data.tsn);
4909 }
4910 sctp_flight_size_increase(tp1);
4911 sctp_total_flight_increase(stcb, tp1);
4912 tp1->rec.data.chunk_was_revoked = 1;
4913 /*
4914 * To ensure that this increase in
4915 * flightsize, which is artificial, does not
4916 * throttle the sender, we also increase the
4917 * cwnd artificially.
4918 */
4919 tp1->whoTo->cwnd += tp1->book_size;
4920 cnt_revoked++;
4921 }
4922 }
4923 if (cnt_revoked) {
4924 reneged_all = 1;
4925 }
4926 asoc->saw_sack_with_frags = 0;
4927 }
4928 if (num_nr_seg > 0)
4929 asoc->saw_sack_with_nr_frags = 1;
4930 else
4931 asoc->saw_sack_with_nr_frags = 0;
4932
4933 /* JRS - Use the congestion control given in the CC module */
4934 if (ecne_seen == 0) {
4935 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4936 if (net->net_ack2 > 0) {
4937 /*
4938 * Karn's rule applies to clearing error
4939 * count, this is optional.
4940 */
4941 net->error_count = 0;
4942 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) {
4943 /* addr came good */
4944 net->dest_state |= SCTP_ADDR_REACHABLE;
4945 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
4946 0, (void *)net, SCTP_SO_NOT_LOCKED);
4947 }
4948 if (net == stcb->asoc.primary_destination) {
4949 if (stcb->asoc.alternate) {
4950 /*
4951 * release the alternate,
4952 * primary is good
4953 */
4954 sctp_free_remote_addr(stcb->asoc.alternate);
4955 stcb->asoc.alternate = NULL;
4956 }
4957 }
4958 if (net->dest_state & SCTP_ADDR_PF) {
4959 net->dest_state &= ~SCTP_ADDR_PF;
4960 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT,
4961 stcb->sctp_ep, stcb, net,
4962 SCTP_FROM_SCTP_INDATA + SCTP_LOC_29);
4963 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
4964 asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
4965 /* Done with this net */
4966 net->net_ack = 0;
4967 }
4968 /* restore any doubled timers */
4969 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv;
4970 if (net->RTO < stcb->asoc.minrto) {
4971 net->RTO = stcb->asoc.minrto;
4972 }
4973 if (net->RTO > stcb->asoc.maxrto) {
4974 net->RTO = stcb->asoc.maxrto;
4975 }
4976 }
4977 }
4978 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, accum_moved, reneged_all, will_exit_fast_recovery);
4979 }
4980 if (TAILQ_EMPTY(&asoc->sent_queue)) {
4981 /* nothing left in-flight */
4982 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4983 /* stop all timers */
4984 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4985 stcb, net,
4986 SCTP_FROM_SCTP_INDATA + SCTP_LOC_30);
4987 net->flight_size = 0;
4988 net->partial_bytes_acked = 0;
4989 }
4990 asoc->total_flight = 0;
4991 asoc->total_flight_count = 0;
4992 }
4993 /**********************************/
4994 /* Now what about shutdown issues */
4995 /**********************************/
4996 if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) {
4997 /* nothing left on sendqueue.. consider done */
4998 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
4999 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
5000 asoc->peers_rwnd, 0, 0, a_rwnd);
5001 }
5002 asoc->peers_rwnd = a_rwnd;
5003 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
5004 /* SWS sender side engages */
5005 asoc->peers_rwnd = 0;
5006 }
5007 /* clean up */
5008 if ((asoc->stream_queue_cnt == 1) &&
5009 ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
5010 (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED)) &&
5011 ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc))) {
5012 asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
5013 }
5014 if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
5015 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
5016 (asoc->stream_queue_cnt == 1) &&
5017 (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
5018 struct mbuf *op_err;
5019
5020 *abort_now = 1;
5021 /* XXX */
5022 op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
5023 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_24;
5024 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
5025 return;
5026 }
5027 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) &&
5028 (asoc->stream_queue_cnt == 0)) {
5029 struct sctp_nets *netp;
5030
5031 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
5032 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
5033 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
5034 }
5035 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
5036 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
5037 sctp_stop_timers_for_shutdown(stcb);
5038 if (asoc->alternate) {
5039 netp = asoc->alternate;
5040 } else {
5041 netp = asoc->primary_destination;
5042 }
5043 sctp_send_shutdown(stcb, netp);
5044 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN,
5045 stcb->sctp_ep, stcb, netp);
5046 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
5047 stcb->sctp_ep, stcb, netp);
5048 return;
5049 } else if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) &&
5050 (asoc->stream_queue_cnt == 0)) {
5051 struct sctp_nets *netp;
5052
5053 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
5054 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
5055 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
5056 sctp_stop_timers_for_shutdown(stcb);
5057 if (asoc->alternate) {
5058 netp = asoc->alternate;
5059 } else {
5060 netp = asoc->primary_destination;
5061 }
5062 sctp_send_shutdown_ack(stcb, netp);
5063 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
5064 stcb->sctp_ep, stcb, netp);
5065 return;
5066 }
5067 }
5068 /*
5069 * Now here we are going to recycle net_ack for a different use...
5070 * HEADS UP.
5071 */
5072 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5073 net->net_ack = 0;
5074 }
5075
5076 /*
5077 * CMT DAC algorithm: If SACK DAC flag was 0, then no extra marking
5078 * to be done. Setting this_sack_lowest_newack to the cum_ack will
5079 * automatically ensure that.
5080 */
5081 if ((asoc->sctp_cmt_on_off > 0) &&
5082 SCTP_BASE_SYSCTL(sctp_cmt_use_dac) &&
5083 (cmt_dac_flag == 0)) {
5084 this_sack_lowest_newack = cum_ack;
5085 }
5086 if ((num_seg > 0) || (num_nr_seg > 0)) {
5087 sctp_strike_gap_ack_chunks(stcb, asoc, biggest_tsn_acked,
5088 biggest_tsn_newly_acked, this_sack_lowest_newack, accum_moved);
5089 }
5090 /* JRS - Use the congestion control given in the CC module */
5091 asoc->cc_functions.sctp_cwnd_update_after_fr(stcb, asoc);
5092
5093 /* Now are we exiting loss recovery ? */
5094 if (will_exit_fast_recovery) {
5095 /* Ok, we must exit fast recovery */
5096 asoc->fast_retran_loss_recovery = 0;
5097 }
5098 if ((asoc->sat_t3_loss_recovery) &&
5099 SCTP_TSN_GE(asoc->last_acked_seq, asoc->sat_t3_recovery_tsn)) {
5100 /* end satellite t3 loss recovery */
5101 asoc->sat_t3_loss_recovery = 0;
5102 }
5103 /*
5104 * CMT Fast recovery
5105 */
5106 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5107 if (net->will_exit_fast_recovery) {
5108 /* Ok, we must exit fast recovery */
5109 net->fast_retran_loss_recovery = 0;
5110 }
5111 }
5112
5113 /* Adjust and set the new rwnd value */
5114 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
5115 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
5116 asoc->peers_rwnd, asoc->total_flight, (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)), a_rwnd);
5117 }
5118 asoc->peers_rwnd = sctp_sbspace_sub(a_rwnd,
5119 (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
5120 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
5121 /* SWS sender side engages */
5122 asoc->peers_rwnd = 0;
5123 }
5124 if (asoc->peers_rwnd > old_rwnd) {
5125 win_probe_recovery = 1;
5126 }
5127 /*
5128 * Now we must setup so we have a timer up for anyone with
5129 * outstanding data.
5130 */
5131 done_once = 0;
5132 again:
5133 j = 0;
5134 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5135 if (win_probe_recovery && (net->window_probe)) {
5136 win_probe_recovered = 1;
5137 /*-
5138 * Find first chunk that was used with
5139 * window probe and clear the event. Put
5140 * it back into the send queue as if has
5141 * not been sent.
5142 */
5143 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
5144 if (tp1->window_probe) {
5145 sctp_window_probe_recovery(stcb, asoc, tp1);
5146 break;
5147 }
5148 }
5149 }
5150 if (net->flight_size) {
5151 j++;
5152 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
5153 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
5154 stcb->sctp_ep, stcb, net);
5155 }
5156 if (net->window_probe) {
5157 net->window_probe = 0;
5158 }
5159 } else {
5160 if (net->window_probe) {
5161 /*
5162 * In window probes we must assure a timer
5163 * is still running there
5164 */
5165 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
5166 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
5167 stcb->sctp_ep, stcb, net);
5168
5169 }
5170 } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
5171 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
5172 stcb, net,
5173 SCTP_FROM_SCTP_INDATA + SCTP_LOC_32);
5174 }
5175 }
5176 }
5177 if ((j == 0) &&
5178 (!TAILQ_EMPTY(&asoc->sent_queue)) &&
5179 (asoc->sent_queue_retran_cnt == 0) &&
5180 (win_probe_recovered == 0) &&
5181 (done_once == 0)) {
5182 /*
5183 * huh, this should not happen unless all packets are
5184 * PR-SCTP and marked to skip of course.
5185 */
5186 if (sctp_fs_audit(asoc)) {
5187 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5188 net->flight_size = 0;
5189 }
5190 asoc->total_flight = 0;
5191 asoc->total_flight_count = 0;
5192 asoc->sent_queue_retran_cnt = 0;
5193 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
5194 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
5195 sctp_flight_size_increase(tp1);
5196 sctp_total_flight_increase(stcb, tp1);
5197 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) {
5198 sctp_ucount_incr(asoc->sent_queue_retran_cnt);
5199 }
5200 }
5201 }
5202 done_once = 1;
5203 goto again;
5204 }
5205 /*********************************************/
5206 /* Here we perform PR-SCTP procedures */
5207 /* (section 4.2) */
5208 /*********************************************/
5209 /* C1. update advancedPeerAckPoint */
5210 if (SCTP_TSN_GT(cum_ack, asoc->advanced_peer_ack_point)) {
5211 asoc->advanced_peer_ack_point = cum_ack;
5212 }
5213 /* C2. try to further move advancedPeerAckPoint ahead */
5214 if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) {
5215 struct sctp_tmit_chunk *lchk;
5216 uint32_t old_adv_peer_ack_point;
5217
5218 old_adv_peer_ack_point = asoc->advanced_peer_ack_point;
5219 lchk = sctp_try_advance_peer_ack_point(stcb, asoc);
5220 /* C3. See if we need to send a Fwd-TSN */
5221 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cum_ack)) {
5222 /*
5223 * ISSUE with ECN, see FWD-TSN processing.
5224 */
5225 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
5226 sctp_misc_ints(SCTP_FWD_TSN_CHECK,
5227 0xee, cum_ack, asoc->advanced_peer_ack_point,
5228 old_adv_peer_ack_point);
5229 }
5230 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) {
5231 send_forward_tsn(stcb, asoc);
5232 } else if (lchk) {
5233 /* try to FR fwd-tsn's that get lost too */
5234 if (lchk->rec.data.fwd_tsn_cnt >= 3) {
5235 send_forward_tsn(stcb, asoc);
5236 }
5237 }
5238 }
5239 if (lchk) {
5240 /* Assure a timer is up */
5241 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
5242 stcb->sctp_ep, stcb, lchk->whoTo);
5243 }
5244 }
5245 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) {
5246 sctp_misc_ints(SCTP_SACK_RWND_UPDATE,
5247 a_rwnd,
5248 stcb->asoc.peers_rwnd,
5249 stcb->asoc.total_flight,
5250 stcb->asoc.total_output_queue_size);
5251 }
5252 }
5253
5254 void
5255 sctp_update_acked(struct sctp_tcb *stcb, struct sctp_shutdown_chunk *cp, int *abort_flag)
5256 {
5257 /* Copy cum-ack */
5258 uint32_t cum_ack, a_rwnd;
5259
5260 cum_ack = ntohl(cp->cumulative_tsn_ack);
5261 /* Arrange so a_rwnd does NOT change */
5262 a_rwnd = stcb->asoc.peers_rwnd + stcb->asoc.total_flight;
5263
5264 /* Now call the express sack handling */
5265 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, abort_flag, 0);
5266 }
5267
5268 static void
5269 sctp_kick_prsctp_reorder_queue(struct sctp_tcb *stcb,
5270 struct sctp_stream_in *strmin)
5271 {
5272 struct sctp_queued_to_read *control, *ncontrol;
5273 struct sctp_association *asoc;
5274 uint32_t mid;
5275 int need_reasm_check = 0;
5276
5277 asoc = &stcb->asoc;
5278 mid = strmin->last_mid_delivered;
5279 /*
5280 * First deliver anything prior to and including the stream no that
5281 * came in.
5282 */
5283 TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) {
5284 if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) {
5285 /* this is deliverable now */
5286 if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
5287 if (control->on_strm_q) {
5288 if (control->on_strm_q == SCTP_ON_ORDERED) {
5289 TAILQ_REMOVE(&strmin->inqueue, control, next_instrm);
5290 } else if (control->on_strm_q == SCTP_ON_UNORDERED) {
5291 TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm);
5292 #ifdef INVARIANTS
5293 } else {
5294 panic("strmin: %p ctl: %p unknown %d",
5295 strmin, control, control->on_strm_q);
5296 #endif
5297 }
5298 control->on_strm_q = 0;
5299 }
5300 /* subtract pending on streams */
5301 if (asoc->size_on_all_streams >= control->length) {
5302 asoc->size_on_all_streams -= control->length;
5303 } else {
5304 #ifdef INVARIANTS
5305 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
5306 #else
5307 asoc->size_on_all_streams = 0;
5308 #endif
5309 }
5310 sctp_ucount_decr(asoc->cnt_on_all_streams);
5311 /* deliver it to at least the delivery-q */
5312 if (stcb->sctp_socket) {
5313 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
5314 sctp_add_to_readq(stcb->sctp_ep, stcb,
5315 control,
5316 &stcb->sctp_socket->so_rcv,
5317 1, SCTP_READ_LOCK_HELD,
5318 SCTP_SO_NOT_LOCKED);
5319 }
5320 } else {
5321 /* Its a fragmented message */
5322 if (control->first_frag_seen) {
5323 /*
5324 * Make it so this is next to
5325 * deliver, we restore later
5326 */
5327 strmin->last_mid_delivered = control->mid - 1;
5328 need_reasm_check = 1;
5329 break;
5330 }
5331 }
5332 } else {
5333 /* no more delivery now. */
5334 break;
5335 }
5336 }
5337 if (need_reasm_check) {
5338 int ret;
5339
5340 ret = sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD);
5341 if (SCTP_MID_GT(asoc->idata_supported, mid, strmin->last_mid_delivered)) {
5342 /* Restore the next to deliver unless we are ahead */
5343 strmin->last_mid_delivered = mid;
5344 }
5345 if (ret == 0) {
5346 /* Left the front Partial one on */
5347 return;
5348 }
5349 need_reasm_check = 0;
5350 }
5351 /*
5352 * now we must deliver things in queue the normal way if any are
5353 * now ready.
5354 */
5355 mid = strmin->last_mid_delivered + 1;
5356 TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) {
5357 if (SCTP_MID_EQ(asoc->idata_supported, mid, control->mid)) {
5358 if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) {
5359 /* this is deliverable now */
5360 if (control->on_strm_q) {
5361 if (control->on_strm_q == SCTP_ON_ORDERED) {
5362 TAILQ_REMOVE(&strmin->inqueue, control, next_instrm);
5363 } else if (control->on_strm_q == SCTP_ON_UNORDERED) {
5364 TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm);
5365 #ifdef INVARIANTS
5366 } else {
5367 panic("strmin: %p ctl: %p unknown %d",
5368 strmin, control, control->on_strm_q);
5369 #endif
5370 }
5371 control->on_strm_q = 0;
5372 }
5373 /* subtract pending on streams */
5374 if (asoc->size_on_all_streams >= control->length) {
5375 asoc->size_on_all_streams -= control->length;
5376 } else {
5377 #ifdef INVARIANTS
5378 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
5379 #else
5380 asoc->size_on_all_streams = 0;
5381 #endif
5382 }
5383 sctp_ucount_decr(asoc->cnt_on_all_streams);
5384 /* deliver it to at least the delivery-q */
5385 strmin->last_mid_delivered = control->mid;
5386 if (stcb->sctp_socket) {
5387 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
5388 sctp_add_to_readq(stcb->sctp_ep, stcb,
5389 control,
5390 &stcb->sctp_socket->so_rcv, 1,
5391 SCTP_READ_LOCK_HELD, SCTP_SO_NOT_LOCKED);
5392
5393 }
5394 mid = strmin->last_mid_delivered + 1;
5395 } else {
5396 /* Its a fragmented message */
5397 if (control->first_frag_seen) {
5398 /*
5399 * Make it so this is next to
5400 * deliver
5401 */
5402 strmin->last_mid_delivered = control->mid - 1;
5403 need_reasm_check = 1;
5404 break;
5405 }
5406 }
5407 } else {
5408 break;
5409 }
5410 }
5411 if (need_reasm_check) {
5412 (void)sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD);
5413 }
5414 }
5415
5416
5417
5418 static void
5419 sctp_flush_reassm_for_str_seq(struct sctp_tcb *stcb,
5420 struct sctp_association *asoc,
5421 uint16_t stream, uint32_t mid, int ordered, uint32_t cumtsn)
5422 {
5423 struct sctp_queued_to_read *control;
5424 struct sctp_stream_in *strm;
5425 struct sctp_tmit_chunk *chk, *nchk;
5426 int cnt_removed = 0;
5427
5428 /*
5429 * For now large messages held on the stream reasm that are complete
5430 * will be tossed too. We could in theory do more work to spin
5431 * through and stop after dumping one msg aka seeing the start of a
5432 * new msg at the head, and call the delivery function... to see if
5433 * it can be delivered... But for now we just dump everything on the
5434 * queue.
5435 */
5436 strm = &asoc->strmin[stream];
5437 control = sctp_find_reasm_entry(strm, mid, ordered, asoc->idata_supported);
5438 if (control == NULL) {
5439 /* Not found */
5440 return;
5441 }
5442 if (!asoc->idata_supported && !ordered && SCTP_TSN_GT(control->fsn_included, cumtsn)) {
5443 return;
5444 }
5445 TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) {
5446 /* Purge hanging chunks */
5447 if (!asoc->idata_supported && (ordered == 0)) {
5448 if (SCTP_TSN_GT(chk->rec.data.tsn, cumtsn)) {
5449 break;
5450 }
5451 }
5452 cnt_removed++;
5453 TAILQ_REMOVE(&control->reasm, chk, sctp_next);
5454 if (asoc->size_on_reasm_queue >= chk->send_size) {
5455 asoc->size_on_reasm_queue -= chk->send_size;
5456 } else {
5457 #ifdef INVARIANTS
5458 panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, chk->send_size);
5459 #else
5460 asoc->size_on_reasm_queue = 0;
5461 #endif
5462 }
5463 sctp_ucount_decr(asoc->cnt_on_reasm_queue);
5464 if (chk->data) {
5465 sctp_m_freem(chk->data);
5466 chk->data = NULL;
5467 }
5468 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
5469 }
5470 if (!TAILQ_EMPTY(&control->reasm)) {
5471 /* This has to be old data, unordered */
5472 if (control->data) {
5473 sctp_m_freem(control->data);
5474 control->data = NULL;
5475 }
5476 sctp_reset_a_control(control, stcb->sctp_ep, cumtsn);
5477 chk = TAILQ_FIRST(&control->reasm);
5478 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
5479 TAILQ_REMOVE(&control->reasm, chk, sctp_next);
5480 sctp_add_chk_to_control(control, strm, stcb, asoc,
5481 chk, SCTP_READ_LOCK_HELD);
5482 }
5483 sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_HELD);
5484 return;
5485 }
5486 if (control->on_strm_q == SCTP_ON_ORDERED) {
5487 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
5488 if (asoc->size_on_all_streams >= control->length) {
5489 asoc->size_on_all_streams -= control->length;
5490 } else {
5491 #ifdef INVARIANTS
5492 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
5493 #else
5494 asoc->size_on_all_streams = 0;
5495 #endif
5496 }
5497 sctp_ucount_decr(asoc->cnt_on_all_streams);
5498 control->on_strm_q = 0;
5499 } else if (control->on_strm_q == SCTP_ON_UNORDERED) {
5500 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
5501 control->on_strm_q = 0;
5502 #ifdef INVARIANTS
5503 } else if (control->on_strm_q) {
5504 panic("strm: %p ctl: %p unknown %d",
5505 strm, control, control->on_strm_q);
5506 #endif
5507 }
5508 control->on_strm_q = 0;
5509 if (control->on_read_q == 0) {
5510 sctp_free_remote_addr(control->whoFrom);
5511 if (control->data) {
5512 sctp_m_freem(control->data);
5513 control->data = NULL;
5514 }
5515 sctp_free_a_readq(stcb, control);
5516 }
5517 }
5518
5519 void
5520 sctp_handle_forward_tsn(struct sctp_tcb *stcb,
5521 struct sctp_forward_tsn_chunk *fwd,
5522 int *abort_flag, struct mbuf *m, int offset)
5523 {
5524 /* The pr-sctp fwd tsn */
5525 /*
5526 * here we will perform all the data receiver side steps for
5527 * processing FwdTSN, as required in by pr-sctp draft:
5528 *
5529 * Assume we get FwdTSN(x):
5530 *
5531 * 1) update local cumTSN to x 2) try to further advance cumTSN to x
5532 * + others we have 3) examine and update re-ordering queue on
5533 * pr-in-streams 4) clean up re-assembly queue 5) Send a sack to
5534 * report where we are.
5535 */
5536 struct sctp_association *asoc;
5537 uint32_t new_cum_tsn, gap;
5538 unsigned int i, fwd_sz, m_size;
5539 uint32_t str_seq;
5540 struct sctp_stream_in *strm;
5541 struct sctp_queued_to_read *control, *sv;
5542
5543 asoc = &stcb->asoc;
5544 if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct sctp_forward_tsn_chunk)) {
5545 SCTPDBG(SCTP_DEBUG_INDATA1,
5546 "Bad size too small/big fwd-tsn\n");
5547 return;
5548 }
5549 m_size = (stcb->asoc.mapping_array_size << 3);
5550 /*************************************************************/
5551 /* 1. Here we update local cumTSN and shift the bitmap array */
5552 /*************************************************************/
5553 new_cum_tsn = ntohl(fwd->new_cumulative_tsn);
5554
5555 if (SCTP_TSN_GE(asoc->cumulative_tsn, new_cum_tsn)) {
5556 /* Already got there ... */
5557 return;
5558 }
5559 /*
5560 * now we know the new TSN is more advanced, let's find the actual
5561 * gap
5562 */
5563 SCTP_CALC_TSN_TO_GAP(gap, new_cum_tsn, asoc->mapping_array_base_tsn);
5564 asoc->cumulative_tsn = new_cum_tsn;
5565 if (gap >= m_size) {
5566 if ((long)gap > sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv)) {
5567 struct mbuf *op_err;
5568 char msg[SCTP_DIAG_INFO_LEN];
5569
5570 /*
5571 * out of range (of single byte chunks in the rwnd I
5572 * give out). This must be an attacker.
5573 */
5574 *abort_flag = 1;
5575 snprintf(msg, sizeof(msg),
5576 "New cum ack %8.8x too high, highest TSN %8.8x",
5577 new_cum_tsn, asoc->highest_tsn_inside_map);
5578 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
5579 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_33;
5580 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
5581 return;
5582 }
5583 SCTP_STAT_INCR(sctps_fwdtsn_map_over);
5584
5585 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
5586 asoc->mapping_array_base_tsn = new_cum_tsn + 1;
5587 asoc->highest_tsn_inside_map = new_cum_tsn;
5588
5589 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size);
5590 asoc->highest_tsn_inside_nr_map = new_cum_tsn;
5591
5592 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
5593 sctp_log_map(0, 3, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
5594 }
5595 } else {
5596 SCTP_TCB_LOCK_ASSERT(stcb);
5597 for (i = 0; i <= gap; i++) {
5598 if (!SCTP_IS_TSN_PRESENT(asoc->mapping_array, i) &&
5599 !SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, i)) {
5600 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, i);
5601 if (SCTP_TSN_GT(asoc->mapping_array_base_tsn + i, asoc->highest_tsn_inside_nr_map)) {
5602 asoc->highest_tsn_inside_nr_map = asoc->mapping_array_base_tsn + i;
5603 }
5604 }
5605 }
5606 }
5607 /*************************************************************/
5608 /* 2. Clear up re-assembly queue */
5609 /*************************************************************/
5610
5611 /* This is now done as part of clearing up the stream/seq */
5612 if (asoc->idata_supported == 0) {
5613 uint16_t sid;
5614
5615 /* Flush all the un-ordered data based on cum-tsn */
5616 SCTP_INP_READ_LOCK(stcb->sctp_ep);
5617 for (sid = 0; sid < asoc->streamincnt; sid++) {
5618 sctp_flush_reassm_for_str_seq(stcb, asoc, sid, 0, 0, new_cum_tsn);
5619 }
5620 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
5621 }
5622 /*******************************************************/
5623 /* 3. Update the PR-stream re-ordering queues and fix */
5624 /* delivery issues as needed. */
5625 /*******************************************************/
5626 fwd_sz -= sizeof(*fwd);
5627 if (m && fwd_sz) {
5628 /* New method. */
5629 unsigned int num_str;
5630 uint32_t mid, cur_mid;
5631 uint16_t sid;
5632 uint16_t ordered, flags;
5633 struct sctp_strseq *stseq, strseqbuf;
5634 struct sctp_strseq_mid *stseq_m, strseqbuf_m;
5635
5636 offset += sizeof(*fwd);
5637
5638 SCTP_INP_READ_LOCK(stcb->sctp_ep);
5639 if (asoc->idata_supported) {
5640 num_str = fwd_sz / sizeof(struct sctp_strseq_mid);
5641 } else {
5642 num_str = fwd_sz / sizeof(struct sctp_strseq);
5643 }
5644 for (i = 0; i < num_str; i++) {
5645 if (asoc->idata_supported) {
5646 stseq_m = (struct sctp_strseq_mid *)sctp_m_getptr(m, offset,
5647 sizeof(struct sctp_strseq_mid),
5648 (uint8_t *)&strseqbuf_m);
5649 offset += sizeof(struct sctp_strseq_mid);
5650 if (stseq_m == NULL) {
5651 break;
5652 }
5653 sid = ntohs(stseq_m->sid);
5654 mid = ntohl(stseq_m->mid);
5655 flags = ntohs(stseq_m->flags);
5656 if (flags & PR_SCTP_UNORDERED_FLAG) {
5657 ordered = 0;
5658 } else {
5659 ordered = 1;
5660 }
5661 } else {
5662 stseq = (struct sctp_strseq *)sctp_m_getptr(m, offset,
5663 sizeof(struct sctp_strseq),
5664 (uint8_t *)&strseqbuf);
5665 offset += sizeof(struct sctp_strseq);
5666 if (stseq == NULL) {
5667 break;
5668 }
5669 sid = ntohs(stseq->sid);
5670 mid = (uint32_t)ntohs(stseq->ssn);
5671 ordered = 1;
5672 }
5673 /* Convert */
5674
5675 /* now process */
5676
5677 /*
5678 * Ok we now look for the stream/seq on the read
5679 * queue where its not all delivered. If we find it
5680 * we transmute the read entry into a PDI_ABORTED.
5681 */
5682 if (sid >= asoc->streamincnt) {
5683 /* screwed up streams, stop! */
5684 break;
5685 }
5686 if ((asoc->str_of_pdapi == sid) &&
5687 (asoc->ssn_of_pdapi == mid)) {
5688 /*
5689 * If this is the one we were partially
5690 * delivering now then we no longer are.
5691 * Note this will change with the reassembly
5692 * re-write.
5693 */
5694 asoc->fragmented_delivery_inprogress = 0;
5695 }
5696 strm = &asoc->strmin[sid];
5697 for (cur_mid = strm->last_mid_delivered; SCTP_MID_GE(asoc->idata_supported, mid, cur_mid); cur_mid++) {
5698 sctp_flush_reassm_for_str_seq(stcb, asoc, sid, cur_mid, ordered, new_cum_tsn);
5699 }
5700 TAILQ_FOREACH(control, &stcb->sctp_ep->read_queue, next) {
5701 if ((control->sinfo_stream == sid) &&
5702 (SCTP_MID_EQ(asoc->idata_supported, control->mid, mid))) {
5703 str_seq = (sid << 16) | (0x0000ffff & mid);
5704 control->pdapi_aborted = 1;
5705 sv = stcb->asoc.control_pdapi;
5706 control->end_added = 1;
5707 if (control->on_strm_q == SCTP_ON_ORDERED) {
5708 TAILQ_REMOVE(&strm->inqueue, control, next_instrm);
5709 if (asoc->size_on_all_streams >= control->length) {
5710 asoc->size_on_all_streams -= control->length;
5711 } else {
5712 #ifdef INVARIANTS
5713 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length);
5714 #else
5715 asoc->size_on_all_streams = 0;
5716 #endif
5717 }
5718 sctp_ucount_decr(asoc->cnt_on_all_streams);
5719 } else if (control->on_strm_q == SCTP_ON_UNORDERED) {
5720 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm);
5721 #ifdef INVARIANTS
5722 } else if (control->on_strm_q) {
5723 panic("strm: %p ctl: %p unknown %d",
5724 strm, control, control->on_strm_q);
5725 #endif
5726 }
5727 control->on_strm_q = 0;
5728 stcb->asoc.control_pdapi = control;
5729 sctp_ulp_notify(SCTP_NOTIFY_PARTIAL_DELVIERY_INDICATION,
5730 stcb,
5731 SCTP_PARTIAL_DELIVERY_ABORTED,
5732 (void *)&str_seq,
5733 SCTP_SO_NOT_LOCKED);
5734 stcb->asoc.control_pdapi = sv;
5735 break;
5736 } else if ((control->sinfo_stream == sid) &&
5737 SCTP_MID_GT(asoc->idata_supported, control->mid, mid)) {
5738 /* We are past our victim SSN */
5739 break;
5740 }
5741 }
5742 if (SCTP_MID_GT(asoc->idata_supported, mid, strm->last_mid_delivered)) {
5743 /* Update the sequence number */
5744 strm->last_mid_delivered = mid;
5745 }
5746 /* now kick the stream the new way */
5747 /* sa_ignore NO_NULL_CHK */
5748 sctp_kick_prsctp_reorder_queue(stcb, strm);
5749 }
5750 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
5751 }
5752 /*
5753 * Now slide thing forward.
5754 */
5755 sctp_slide_mapping_arrays(stcb);
5756 }
Cache object: df152b494e7ef9850d744c985f3d1d46
|