Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet/sctp_input.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved. 5 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved. 6 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions are met: 10 * 11 * a) Redistributions of source code must retain the above copyright notice, 12 * this list of conditions and the following disclaimer. 13 * 14 * b) Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the distribution. 17 * 18 * c) Neither the name of Cisco Systems, Inc. nor the names of its 19 * contributors may be used to endorse or promote products derived 20 * from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 26 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 29 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 30 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 32 * THE POSSIBILITY OF SUCH DAMAGE. 33 */ 34 35 #include <sys/cdefs.h> 36 __FBSDID("$FreeBSD$"); 37 38 #include <netinet/sctp_os.h> 39 #include <netinet/sctp_var.h> 40 #include <netinet/sctp_sysctl.h> 41 #include <netinet/sctp_pcb.h> 42 #include <netinet/sctp_header.h> 43 #include <netinet/sctputil.h> 44 #include <netinet/sctp_output.h> 45 #include <netinet/sctp_input.h> 46 #include <netinet/sctp_auth.h> 47 #include <netinet/sctp_indata.h> 48 #include <netinet/sctp_asconf.h> 49 #include <netinet/sctp_bsd_addr.h> 50 #include <netinet/sctp_timer.h> 51 #include <netinet/sctp_crc32.h> 52 #include <netinet/sctp_kdtrace.h> 53 #if defined(INET) || defined(INET6) 54 #include <netinet/udp.h> 55 #endif 56 #include <sys/smp.h> 57 58 static void 59 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 60 { 61 struct sctp_nets *net; 62 63 /* 64 * This now not only stops all cookie timers it also stops any INIT 65 * timers as well. This will make sure that the timers are stopped 66 * in all collision cases. 67 */ 68 SCTP_TCB_LOCK_ASSERT(stcb); 69 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 70 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 71 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 72 stcb->sctp_ep, 73 stcb, 74 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 75 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 76 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 77 stcb->sctp_ep, 78 stcb, 79 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 80 } 81 } 82 } 83 84 /* INIT handler */ 85 static void 86 sctp_handle_init(struct mbuf *m, int iphlen, int offset, 87 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh, 88 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, 89 struct sctp_tcb *stcb, struct sctp_nets *net, 90 uint8_t mflowtype, uint32_t mflowid, 91 uint32_t vrf_id, uint16_t port) 92 { 93 struct sctp_init *init; 94 struct mbuf *op_err; 95 96 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n", 97 (void *)stcb); 98 if (stcb == NULL) { 99 SCTP_INP_RLOCK(inp); 100 } 101 /* Validate parameters */ 102 init = &cp->init; 103 if (ntohl(init->initiate_tag) == 0) { 104 goto outnow; 105 } 106 if ((ntohl(init->a_rwnd) < SCTP_MIN_RWND) || 107 (ntohs(init->num_inbound_streams) == 0) || 108 (ntohs(init->num_outbound_streams) == 0)) { 109 /* protocol error... send abort */ 110 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, ""); 111 sctp_send_abort(m, iphlen, src, dst, sh, init->initiate_tag, op_err, 112 mflowtype, mflowid, inp->fibnum, 113 vrf_id, port); 114 goto outnow; 115 } 116 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 117 offset + ntohs(cp->ch.chunk_length))) { 118 /* auth parameter(s) error... send abort */ 119 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 120 "Problem with AUTH parameters"); 121 sctp_send_abort(m, iphlen, src, dst, sh, init->initiate_tag, op_err, 122 mflowtype, mflowid, inp->fibnum, 123 vrf_id, port); 124 goto outnow; 125 } 126 /* We are only accepting if we have a listening socket. */ 127 if ((stcb == NULL) && 128 ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || 129 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) || 130 (!SCTP_IS_LISTENING(inp)))) { 131 /* 132 * FIX ME ?? What about TCP model and we have a 133 * match/restart case? Actually no fix is needed. the lookup 134 * will always find the existing assoc so stcb would not be 135 * NULL. It may be questionable to do this since we COULD 136 * just send back the INIT-ACK and hope that the app did 137 * accept()'s by the time the COOKIE was sent. But there is 138 * a price to pay for COOKIE generation and I don't want to 139 * pay it on the chance that the app will actually do some 140 * accepts(). The App just looses and should NOT be in this 141 * state :-) 142 */ 143 if (SCTP_BASE_SYSCTL(sctp_blackhole) == 0) { 144 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 145 "No listener"); 146 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err, 147 mflowtype, mflowid, inp->fibnum, 148 vrf_id, port); 149 } 150 goto outnow; 151 } 152 if ((stcb != NULL) && 153 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT)) { 154 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending SHUTDOWN-ACK\n"); 155 sctp_send_shutdown_ack(stcb, NULL); 156 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 157 } else { 158 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n"); 159 sctp_send_initiate_ack(inp, stcb, net, m, iphlen, offset, 160 src, dst, sh, cp, 161 mflowtype, mflowid, 162 vrf_id, port); 163 } 164 outnow: 165 if (stcb == NULL) { 166 SCTP_INP_RUNLOCK(inp); 167 } 168 } 169 170 /* 171 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 172 */ 173 174 int 175 sctp_is_there_unsent_data(struct sctp_tcb *stcb, int so_locked) 176 { 177 int unsent_data; 178 unsigned int i; 179 struct sctp_stream_queue_pending *sp; 180 struct sctp_association *asoc; 181 182 SCTP_TCB_LOCK_ASSERT(stcb); 183 184 /* 185 * This function returns if any stream has true unsent data on it. 186 * Note that as it looks through it will clean up any places that 187 * have old data that has been sent but left at top of stream queue. 188 */ 189 asoc = &stcb->asoc; 190 unsent_data = 0; 191 if (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) { 192 /* Check to see if some data queued */ 193 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 194 /* sa_ignore FREED_MEMORY */ 195 sp = TAILQ_FIRST(&stcb->asoc.strmout[i].outqueue); 196 if (sp == NULL) { 197 continue; 198 } 199 if ((sp->msg_is_complete) && 200 (sp->length == 0) && 201 (sp->sender_all_done)) { 202 /* 203 * We are doing differed cleanup. Last time 204 * through when we took all the data the 205 * sender_all_done was not set. 206 */ 207 if (sp->put_last_out == 0) { 208 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n"); 209 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n", 210 sp->sender_all_done, 211 sp->length, 212 sp->msg_is_complete, 213 sp->put_last_out); 214 } 215 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1); 216 TAILQ_REMOVE(&stcb->asoc.strmout[i].outqueue, sp, next); 217 stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, &asoc->strmout[i], sp); 218 if (sp->net) { 219 sctp_free_remote_addr(sp->net); 220 sp->net = NULL; 221 } 222 if (sp->data) { 223 sctp_m_freem(sp->data); 224 sp->data = NULL; 225 } 226 sctp_free_a_strmoq(stcb, sp, so_locked); 227 if (!TAILQ_EMPTY(&stcb->asoc.strmout[i].outqueue)) { 228 unsent_data++; 229 } 230 } else { 231 unsent_data++; 232 } 233 if (unsent_data > 0) { 234 break; 235 } 236 } 237 } 238 return (unsent_data); 239 } 240 241 static int 242 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb) 243 { 244 struct sctp_init *init; 245 struct sctp_association *asoc; 246 struct sctp_nets *lnet; 247 unsigned int i; 248 249 SCTP_TCB_LOCK_ASSERT(stcb); 250 251 init = &cp->init; 252 asoc = &stcb->asoc; 253 /* save off parameters */ 254 asoc->peer_vtag = ntohl(init->initiate_tag); 255 asoc->peers_rwnd = ntohl(init->a_rwnd); 256 /* init tsn's */ 257 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 258 259 if (!TAILQ_EMPTY(&asoc->nets)) { 260 /* update any ssthresh's that may have a default */ 261 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 262 lnet->ssthresh = asoc->peers_rwnd; 263 if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) { 264 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 265 } 266 } 267 } 268 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 269 unsigned int newcnt; 270 struct sctp_stream_out *outs; 271 struct sctp_stream_queue_pending *sp, *nsp; 272 struct sctp_tmit_chunk *chk, *nchk; 273 274 /* abandon the upper streams */ 275 newcnt = ntohs(init->num_inbound_streams); 276 TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) { 277 if (chk->rec.data.sid >= newcnt) { 278 TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next); 279 asoc->send_queue_cnt--; 280 if (asoc->strmout[chk->rec.data.sid].chunks_on_queues > 0) { 281 asoc->strmout[chk->rec.data.sid].chunks_on_queues--; 282 #ifdef INVARIANTS 283 } else { 284 panic("No chunks on the queues for sid %u.", chk->rec.data.sid); 285 #endif 286 } 287 if (chk->data != NULL) { 288 sctp_free_bufspace(stcb, asoc, chk, 1); 289 sctp_ulp_notify(SCTP_NOTIFY_UNSENT_DG_FAIL, stcb, 290 0, chk, SCTP_SO_NOT_LOCKED); 291 if (chk->data) { 292 sctp_m_freem(chk->data); 293 chk->data = NULL; 294 } 295 } 296 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 297 /* sa_ignore FREED_MEMORY */ 298 } 299 } 300 if (asoc->strmout) { 301 for (i = newcnt; i < asoc->pre_open_streams; i++) { 302 outs = &asoc->strmout[i]; 303 TAILQ_FOREACH_SAFE(sp, &outs->outqueue, next, nsp) { 304 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1); 305 TAILQ_REMOVE(&outs->outqueue, sp, next); 306 stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, outs, sp); 307 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 308 stcb, 0, sp, SCTP_SO_NOT_LOCKED); 309 if (sp->data) { 310 sctp_m_freem(sp->data); 311 sp->data = NULL; 312 } 313 if (sp->net) { 314 sctp_free_remote_addr(sp->net); 315 sp->net = NULL; 316 } 317 /* Free the chunk */ 318 sctp_free_a_strmoq(stcb, sp, SCTP_SO_NOT_LOCKED); 319 /* sa_ignore FREED_MEMORY */ 320 } 321 outs->state = SCTP_STREAM_CLOSED; 322 } 323 } 324 /* cut back the count */ 325 asoc->pre_open_streams = newcnt; 326 } 327 asoc->streamoutcnt = asoc->pre_open_streams; 328 if (asoc->strmout) { 329 for (i = 0; i < asoc->streamoutcnt; i++) { 330 asoc->strmout[i].state = SCTP_STREAM_OPEN; 331 } 332 } 333 /* EY - nr_sack: initialize highest tsn in nr_mapping_array */ 334 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map; 335 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 336 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 337 } 338 /* This is the next one we expect */ 339 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 340 341 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 342 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in; 343 344 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 345 /* open the requested streams */ 346 347 if (asoc->strmin != NULL) { 348 /* Free the old ones */ 349 for (i = 0; i < asoc->streamincnt; i++) { 350 sctp_clean_up_stream(stcb, &asoc->strmin[i].inqueue); 351 sctp_clean_up_stream(stcb, &asoc->strmin[i].uno_inqueue); 352 } 353 SCTP_FREE(asoc->strmin, SCTP_M_STRMI); 354 } 355 if (asoc->max_inbound_streams > ntohs(init->num_outbound_streams)) { 356 asoc->streamincnt = ntohs(init->num_outbound_streams); 357 } else { 358 asoc->streamincnt = asoc->max_inbound_streams; 359 } 360 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 361 sizeof(struct sctp_stream_in), SCTP_M_STRMI); 362 if (asoc->strmin == NULL) { 363 /* we didn't get memory for the streams! */ 364 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n"); 365 return (-1); 366 } 367 for (i = 0; i < asoc->streamincnt; i++) { 368 asoc->strmin[i].sid = i; 369 asoc->strmin[i].last_mid_delivered = 0xffffffff; 370 TAILQ_INIT(&asoc->strmin[i].inqueue); 371 TAILQ_INIT(&asoc->strmin[i].uno_inqueue); 372 asoc->strmin[i].pd_api_started = 0; 373 asoc->strmin[i].delivery_started = 0; 374 } 375 /* 376 * load_address_from_init will put the addresses into the 377 * association when the COOKIE is processed or the INIT-ACK is 378 * processed. Both types of COOKIE's existing and new call this 379 * routine. It will remove addresses that are no longer in the 380 * association (for the restarting case where addresses are 381 * removed). Up front when the INIT arrives we will discard it if it 382 * is a restart and new addresses have been added. 383 */ 384 /* sa_ignore MEMLEAK */ 385 return (0); 386 } 387 388 /* 389 * INIT-ACK message processing/consumption returns value < 0 on error 390 */ 391 static int 392 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 393 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh, 394 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 395 struct sctp_nets *net, int *abort_no_unlock, 396 uint8_t mflowtype, uint32_t mflowid, 397 uint32_t vrf_id) 398 { 399 struct sctp_association *asoc; 400 struct mbuf *op_err; 401 int retval, abort_flag, cookie_found; 402 int initack_limit; 403 int nat_friendly = 0; 404 405 /* First verify that we have no illegal param's */ 406 abort_flag = 0; 407 cookie_found = 0; 408 409 op_err = sctp_arethere_unrecognized_parameters(m, 410 (offset + sizeof(struct sctp_init_chunk)), 411 &abort_flag, (struct sctp_chunkhdr *)cp, 412 &nat_friendly, &cookie_found); 413 if (abort_flag) { 414 /* Send an abort and notify peer */ 415 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 416 src, dst, sh, op_err, 417 mflowtype, mflowid, 418 vrf_id, net->port); 419 *abort_no_unlock = 1; 420 return (-1); 421 } 422 if (!cookie_found) { 423 uint16_t len; 424 425 /* Only report the missing cookie parameter */ 426 if (op_err != NULL) { 427 sctp_m_freem(op_err); 428 } 429 len = (uint16_t)(sizeof(struct sctp_error_missing_param) + sizeof(uint16_t)); 430 /* We abort with an error of missing mandatory param */ 431 op_err = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA); 432 if (op_err != NULL) { 433 struct sctp_error_missing_param *cause; 434 435 SCTP_BUF_LEN(op_err) = len; 436 cause = mtod(op_err, struct sctp_error_missing_param *); 437 /* Subtract the reserved param */ 438 cause->cause.code = htons(SCTP_CAUSE_MISSING_PARAM); 439 cause->cause.length = htons(len); 440 cause->num_missing_params = htonl(1); 441 cause->type[0] = htons(SCTP_STATE_COOKIE); 442 } 443 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 444 src, dst, sh, op_err, 445 mflowtype, mflowid, 446 vrf_id, net->port); 447 *abort_no_unlock = 1; 448 return (-3); 449 } 450 asoc = &stcb->asoc; 451 asoc->peer_supports_nat = (uint8_t)nat_friendly; 452 /* process the peer's parameters in the INIT-ACK */ 453 if (sctp_process_init((struct sctp_init_chunk *)cp, stcb) < 0) { 454 if (op_err != NULL) { 455 sctp_m_freem(op_err); 456 } 457 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 458 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n"); 459 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 460 src, dst, sh, op_err, 461 mflowtype, mflowid, 462 vrf_id, net->port); 463 *abort_no_unlock = 1; 464 return (-1); 465 } 466 initack_limit = offset + ntohs(cp->ch.chunk_length); 467 /* load all addresses */ 468 if ((retval = sctp_load_addresses_from_init(stcb, m, 469 offset + sizeof(struct sctp_init_chunk), 470 initack_limit, src, dst, NULL, stcb->asoc.port)) < 0) { 471 if (op_err != NULL) { 472 sctp_m_freem(op_err); 473 } 474 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 475 "Problem with address parameters"); 476 SCTPDBG(SCTP_DEBUG_INPUT1, 477 "Load addresses from INIT causes an abort %d\n", 478 retval); 479 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 480 src, dst, sh, op_err, 481 mflowtype, mflowid, 482 vrf_id, net->port); 483 *abort_no_unlock = 1; 484 return (-1); 485 } 486 /* if the peer doesn't support asconf, flush the asconf queue */ 487 if (asoc->asconf_supported == 0) { 488 struct sctp_asconf_addr *param, *nparam; 489 490 TAILQ_FOREACH_SAFE(param, &asoc->asconf_queue, next, nparam) { 491 TAILQ_REMOVE(&asoc->asconf_queue, param, next); 492 SCTP_FREE(param, SCTP_M_ASC_ADDR); 493 } 494 } 495 496 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 497 stcb->asoc.local_hmacs); 498 if (op_err) { 499 sctp_queue_op_err(stcb, op_err); 500 /* queuing will steal away the mbuf chain to the out queue */ 501 op_err = NULL; 502 } 503 /* extract the cookie and queue it to "echo" it back... */ 504 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 505 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 506 stcb->asoc.overall_error_count, 507 0, 508 SCTP_FROM_SCTP_INPUT, 509 __LINE__); 510 } 511 stcb->asoc.overall_error_count = 0; 512 net->error_count = 0; 513 514 /* 515 * Cancel the INIT timer, We do this first before queueing the 516 * cookie. We always cancel at the primary to assume that we are 517 * canceling the timer started by the INIT which always goes to the 518 * primary. 519 */ 520 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 521 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3); 522 523 /* calculate the RTO */ 524 sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, 525 SCTP_RTT_FROM_NON_DATA); 526 retval = sctp_send_cookie_echo(m, offset, initack_limit, stcb, net); 527 return (retval); 528 } 529 530 static void 531 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 532 struct sctp_tcb *stcb, struct sctp_nets *net) 533 { 534 union sctp_sockstore store; 535 struct sctp_nets *r_net, *f_net; 536 struct timeval tv; 537 int req_prim = 0; 538 uint16_t old_error_counter; 539 540 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 541 /* Invalid length */ 542 return; 543 } 544 545 memset(&store, 0, sizeof(store)); 546 switch (cp->heartbeat.hb_info.addr_family) { 547 #ifdef INET 548 case AF_INET: 549 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 550 store.sin.sin_family = cp->heartbeat.hb_info.addr_family; 551 store.sin.sin_len = cp->heartbeat.hb_info.addr_len; 552 store.sin.sin_port = stcb->rport; 553 memcpy(&store.sin.sin_addr, cp->heartbeat.hb_info.address, 554 sizeof(store.sin.sin_addr)); 555 } else { 556 return; 557 } 558 break; 559 #endif 560 #ifdef INET6 561 case AF_INET6: 562 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 563 store.sin6.sin6_family = cp->heartbeat.hb_info.addr_family; 564 store.sin6.sin6_len = cp->heartbeat.hb_info.addr_len; 565 store.sin6.sin6_port = stcb->rport; 566 memcpy(&store.sin6.sin6_addr, cp->heartbeat.hb_info.address, sizeof(struct in6_addr)); 567 } else { 568 return; 569 } 570 break; 571 #endif 572 default: 573 return; 574 } 575 r_net = sctp_findnet(stcb, &store.sa); 576 if (r_net == NULL) { 577 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n"); 578 return; 579 } 580 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 581 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 582 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 583 /* 584 * If the its a HB and it's random value is correct when can 585 * confirm the destination. 586 */ 587 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 588 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 589 stcb->asoc.primary_destination = r_net; 590 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 591 f_net = TAILQ_FIRST(&stcb->asoc.nets); 592 if (f_net != r_net) { 593 /* 594 * first one on the list is NOT the primary 595 * sctp_cmpaddr() is much more efficient if 596 * the primary is the first on the list, 597 * make it so. 598 */ 599 TAILQ_REMOVE(&stcb->asoc.nets, r_net, sctp_next); 600 TAILQ_INSERT_HEAD(&stcb->asoc.nets, r_net, sctp_next); 601 } 602 req_prim = 1; 603 } 604 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 605 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED); 606 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, 607 r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 608 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net); 609 } 610 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 611 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 612 stcb->asoc.overall_error_count, 613 0, 614 SCTP_FROM_SCTP_INPUT, 615 __LINE__); 616 } 617 stcb->asoc.overall_error_count = 0; 618 old_error_counter = r_net->error_count; 619 r_net->error_count = 0; 620 r_net->hb_responded = 1; 621 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 622 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 623 /* Now lets do a RTO with this */ 624 sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, 625 SCTP_RTT_FROM_NON_DATA); 626 if ((r_net->dest_state & SCTP_ADDR_REACHABLE) == 0) { 627 r_net->dest_state |= SCTP_ADDR_REACHABLE; 628 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 629 0, (void *)r_net, SCTP_SO_NOT_LOCKED); 630 } 631 if (r_net->dest_state & SCTP_ADDR_PF) { 632 r_net->dest_state &= ~SCTP_ADDR_PF; 633 stcb->asoc.cc_functions.sctp_cwnd_update_exit_pf(stcb, net); 634 } 635 if (old_error_counter > 0) { 636 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 637 stcb, r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 638 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net); 639 } 640 if (r_net == stcb->asoc.primary_destination) { 641 if (stcb->asoc.alternate) { 642 /* release the alternate, primary is good */ 643 sctp_free_remote_addr(stcb->asoc.alternate); 644 stcb->asoc.alternate = NULL; 645 } 646 } 647 /* Mobility adaptation */ 648 if (req_prim) { 649 if ((sctp_is_mobility_feature_on(stcb->sctp_ep, 650 SCTP_MOBILITY_BASE) || 651 sctp_is_mobility_feature_on(stcb->sctp_ep, 652 SCTP_MOBILITY_FASTHANDOFF)) && 653 sctp_is_mobility_feature_on(stcb->sctp_ep, 654 SCTP_MOBILITY_PRIM_DELETED)) { 655 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, 656 stcb->sctp_ep, stcb, NULL, 657 SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 658 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 659 SCTP_MOBILITY_FASTHANDOFF)) { 660 sctp_assoc_immediate_retrans(stcb, 661 stcb->asoc.primary_destination); 662 } 663 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 664 SCTP_MOBILITY_BASE)) { 665 sctp_move_chunks_from_net(stcb, 666 stcb->asoc.deleted_primary); 667 } 668 sctp_delete_prim_timer(stcb->sctp_ep, stcb); 669 } 670 } 671 } 672 673 static int 674 sctp_handle_nat_colliding_state(struct sctp_tcb *stcb) 675 { 676 /* 677 * Return 0 means we want you to proceed with the abort non-zero 678 * means no abort processing. 679 */ 680 uint32_t new_vtag; 681 struct sctpasochead *head; 682 683 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) || 684 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) { 685 atomic_add_int(&stcb->asoc.refcnt, 1); 686 SCTP_TCB_UNLOCK(stcb); 687 SCTP_INP_INFO_WLOCK(); 688 SCTP_TCB_LOCK(stcb); 689 atomic_subtract_int(&stcb->asoc.refcnt, 1); 690 } else { 691 return (0); 692 } 693 new_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1); 694 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) { 695 /* generate a new vtag and send init */ 696 LIST_REMOVE(stcb, sctp_asocs); 697 stcb->asoc.my_vtag = new_vtag; 698 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))]; 699 /* 700 * put it in the bucket in the vtag hash of assoc's for the 701 * system 702 */ 703 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 704 SCTP_INP_INFO_WUNLOCK(); 705 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 706 return (1); 707 } else { 708 /* 709 * treat like a case where the cookie expired i.e.: - dump 710 * current cookie. - generate a new vtag. - resend init. 711 */ 712 /* generate a new vtag and send init */ 713 LIST_REMOVE(stcb, sctp_asocs); 714 SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT); 715 sctp_stop_all_cookie_timers(stcb); 716 sctp_toss_old_cookies(stcb, &stcb->asoc); 717 stcb->asoc.my_vtag = new_vtag; 718 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))]; 719 /* 720 * put it in the bucket in the vtag hash of assoc's for the 721 * system 722 */ 723 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 724 SCTP_INP_INFO_WUNLOCK(); 725 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 726 return (1); 727 } 728 return (0); 729 } 730 731 static int 732 sctp_handle_nat_missing_state(struct sctp_tcb *stcb, 733 struct sctp_nets *net) 734 { 735 /* 736 * return 0 means we want you to proceed with the abort non-zero 737 * means no abort processing 738 */ 739 if (stcb->asoc.auth_supported == 0) { 740 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n"); 741 return (0); 742 } 743 sctp_asconf_send_nat_state_update(stcb, net); 744 return (1); 745 } 746 747 /* Returns 1 if the stcb was aborted, 0 otherwise */ 748 static int 749 sctp_handle_abort(struct sctp_abort_chunk *abort, 750 struct sctp_tcb *stcb, struct sctp_nets *net) 751 { 752 uint16_t len; 753 uint16_t error; 754 755 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n"); 756 if (stcb == NULL) 757 return (0); 758 759 len = ntohs(abort->ch.chunk_length); 760 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_error_cause)) { 761 /* 762 * Need to check the cause codes for our two magic nat 763 * aborts which don't kill the assoc necessarily. 764 */ 765 struct sctp_error_cause *cause; 766 767 cause = (struct sctp_error_cause *)(abort + 1); 768 error = ntohs(cause->code); 769 if (error == SCTP_CAUSE_NAT_COLLIDING_STATE) { 770 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state, ABORT flags:%x\n", 771 abort->ch.chunk_flags); 772 if (sctp_handle_nat_colliding_state(stcb)) { 773 return (0); 774 } 775 } else if (error == SCTP_CAUSE_NAT_MISSING_STATE) { 776 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state, ABORT flags:%x\n", 777 abort->ch.chunk_flags); 778 if (sctp_handle_nat_missing_state(stcb, net)) { 779 return (0); 780 } 781 } 782 } else { 783 error = 0; 784 } 785 /* stop any receive timers */ 786 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, NULL, 787 SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 788 /* notify user of the abort and clean up... */ 789 sctp_abort_notification(stcb, true, false, error, abort, SCTP_SO_NOT_LOCKED); 790 /* free the tcb */ 791 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 792 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) || 793 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 794 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 795 } 796 #ifdef SCTP_ASOCLOG_OF_TSNS 797 sctp_print_out_track_log(stcb); 798 #endif 799 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 800 SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 801 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n"); 802 return (1); 803 } 804 805 static void 806 sctp_start_net_timers(struct sctp_tcb *stcb) 807 { 808 uint32_t cnt_hb_sent; 809 struct sctp_nets *net; 810 811 cnt_hb_sent = 0; 812 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 813 /* 814 * For each network start: 1) A pmtu timer. 2) A HB timer 3) 815 * If the dest in unconfirmed send a hb as well if under 816 * max_hb_burst have been sent. 817 */ 818 sctp_timer_start(SCTP_TIMER_TYPE_PATHMTURAISE, stcb->sctp_ep, stcb, net); 819 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net); 820 if ((net->dest_state & SCTP_ADDR_UNCONFIRMED) && 821 (cnt_hb_sent < SCTP_BASE_SYSCTL(sctp_hb_maxburst))) { 822 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED); 823 cnt_hb_sent++; 824 } 825 } 826 if (cnt_hb_sent) { 827 sctp_chunk_output(stcb->sctp_ep, stcb, 828 SCTP_OUTPUT_FROM_COOKIE_ACK, 829 SCTP_SO_NOT_LOCKED); 830 } 831 } 832 833 static void 834 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 835 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 836 { 837 struct sctp_association *asoc; 838 int some_on_streamwheel; 839 int old_state; 840 841 SCTPDBG(SCTP_DEBUG_INPUT2, 842 "sctp_handle_shutdown: handling SHUTDOWN\n"); 843 if (stcb == NULL) 844 return; 845 asoc = &stcb->asoc; 846 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) || 847 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) { 848 return; 849 } 850 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 851 /* Shutdown NOT the expected size */ 852 return; 853 } 854 old_state = SCTP_GET_STATE(stcb); 855 sctp_update_acked(stcb, cp, abort_flag); 856 if (*abort_flag) { 857 return; 858 } 859 if (asoc->control_pdapi) { 860 /* 861 * With a normal shutdown we assume the end of last record. 862 */ 863 SCTP_INP_READ_LOCK(stcb->sctp_ep); 864 if (asoc->control_pdapi->on_strm_q) { 865 struct sctp_stream_in *strm; 866 867 strm = &asoc->strmin[asoc->control_pdapi->sinfo_stream]; 868 if (asoc->control_pdapi->on_strm_q == SCTP_ON_UNORDERED) { 869 /* Unordered */ 870 TAILQ_REMOVE(&strm->uno_inqueue, asoc->control_pdapi, next_instrm); 871 asoc->control_pdapi->on_strm_q = 0; 872 } else if (asoc->control_pdapi->on_strm_q == SCTP_ON_ORDERED) { 873 /* Ordered */ 874 TAILQ_REMOVE(&strm->inqueue, asoc->control_pdapi, next_instrm); 875 asoc->control_pdapi->on_strm_q = 0; 876 #ifdef INVARIANTS 877 } else { 878 panic("Unknown state on ctrl:%p on_strm_q:%d", 879 asoc->control_pdapi, 880 asoc->control_pdapi->on_strm_q); 881 #endif 882 } 883 } 884 asoc->control_pdapi->end_added = 1; 885 asoc->control_pdapi->pdapi_aborted = 1; 886 asoc->control_pdapi = NULL; 887 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 888 if (stcb->sctp_socket) { 889 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 890 } 891 } 892 /* goto SHUTDOWN_RECEIVED state to block new requests */ 893 if (stcb->sctp_socket) { 894 if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) && 895 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT) && 896 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT)) { 897 SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_RECEIVED); 898 /* 899 * notify upper layer that peer has initiated a 900 * shutdown 901 */ 902 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 903 904 /* reset time */ 905 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 906 } 907 } 908 if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) { 909 /* 910 * stop the shutdown timer, since we WILL move to 911 * SHUTDOWN-ACK-SENT. 912 */ 913 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, 914 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 915 } 916 /* Now is there unsent data on a stream somewhere? */ 917 some_on_streamwheel = sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED); 918 919 if (!TAILQ_EMPTY(&asoc->send_queue) || 920 !TAILQ_EMPTY(&asoc->sent_queue) || 921 some_on_streamwheel) { 922 /* By returning we will push more data out */ 923 return; 924 } else { 925 /* no outstanding data to send, so move on... */ 926 /* send SHUTDOWN-ACK */ 927 /* move to SHUTDOWN-ACK-SENT state */ 928 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) || 929 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 930 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 931 } 932 if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 933 SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_ACK_SENT); 934 sctp_stop_timers_for_shutdown(stcb); 935 sctp_send_shutdown_ack(stcb, net); 936 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, 937 stcb->sctp_ep, stcb, net); 938 } else if (old_state == SCTP_STATE_SHUTDOWN_ACK_SENT) { 939 sctp_send_shutdown_ack(stcb, net); 940 } 941 } 942 } 943 944 static void 945 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp SCTP_UNUSED, 946 struct sctp_tcb *stcb, 947 struct sctp_nets *net) 948 { 949 struct sctp_association *asoc; 950 951 SCTPDBG(SCTP_DEBUG_INPUT2, 952 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 953 if (stcb == NULL) 954 return; 955 956 asoc = &stcb->asoc; 957 /* process according to association state */ 958 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) || 959 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) { 960 /* unexpected SHUTDOWN-ACK... do OOTB handling... */ 961 sctp_send_shutdown_complete(stcb, net, 1); 962 SCTP_TCB_UNLOCK(stcb); 963 return; 964 } 965 if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) && 966 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 967 /* unexpected SHUTDOWN-ACK... so ignore... */ 968 SCTP_TCB_UNLOCK(stcb); 969 return; 970 } 971 if (asoc->control_pdapi) { 972 /* 973 * With a normal shutdown we assume the end of last record. 974 */ 975 SCTP_INP_READ_LOCK(stcb->sctp_ep); 976 asoc->control_pdapi->end_added = 1; 977 asoc->control_pdapi->pdapi_aborted = 1; 978 asoc->control_pdapi = NULL; 979 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 980 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 981 } 982 #ifdef INVARIANTS 983 if (!TAILQ_EMPTY(&asoc->send_queue) || 984 !TAILQ_EMPTY(&asoc->sent_queue) || 985 sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED)) { 986 panic("Queues are not empty when handling SHUTDOWN-ACK"); 987 } 988 #endif 989 /* stop the timer */ 990 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, 991 SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 992 /* send SHUTDOWN-COMPLETE */ 993 sctp_send_shutdown_complete(stcb, net, 0); 994 /* notify upper layer protocol */ 995 if (stcb->sctp_socket) { 996 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 997 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 998 SCTP_SB_CLEAR(stcb->sctp_socket->so_snd); 999 } 1000 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 1001 } 1002 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 1003 /* free the TCB but first save off the ep */ 1004 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 1005 SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1006 } 1007 1008 static void 1009 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, uint8_t chunk_type) 1010 { 1011 switch (chunk_type) { 1012 case SCTP_ASCONF_ACK: 1013 case SCTP_ASCONF: 1014 sctp_asconf_cleanup(stcb); 1015 break; 1016 case SCTP_IFORWARD_CUM_TSN: 1017 case SCTP_FORWARD_CUM_TSN: 1018 stcb->asoc.prsctp_supported = 0; 1019 break; 1020 default: 1021 SCTPDBG(SCTP_DEBUG_INPUT2, 1022 "Peer does not support chunk type %d (0x%x).\n", 1023 chunk_type, chunk_type); 1024 break; 1025 } 1026 } 1027 1028 /* 1029 * Skip past the param header and then we will find the param that caused the 1030 * problem. There are a number of param's in a ASCONF OR the prsctp param 1031 * these will turn of specific features. 1032 * XXX: Is this the right thing to do? 1033 */ 1034 static void 1035 sctp_process_unrecog_param(struct sctp_tcb *stcb, uint16_t parameter_type) 1036 { 1037 switch (parameter_type) { 1038 /* pr-sctp draft */ 1039 case SCTP_PRSCTP_SUPPORTED: 1040 stcb->asoc.prsctp_supported = 0; 1041 break; 1042 case SCTP_SUPPORTED_CHUNK_EXT: 1043 break; 1044 /* draft-ietf-tsvwg-addip-sctp */ 1045 case SCTP_HAS_NAT_SUPPORT: 1046 stcb->asoc.peer_supports_nat = 0; 1047 break; 1048 case SCTP_ADD_IP_ADDRESS: 1049 case SCTP_DEL_IP_ADDRESS: 1050 case SCTP_SET_PRIM_ADDR: 1051 stcb->asoc.asconf_supported = 0; 1052 break; 1053 case SCTP_SUCCESS_REPORT: 1054 case SCTP_ERROR_CAUSE_IND: 1055 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n"); 1056 SCTPDBG(SCTP_DEBUG_INPUT2, 1057 "Turning off ASCONF to this strange peer\n"); 1058 stcb->asoc.asconf_supported = 0; 1059 break; 1060 default: 1061 SCTPDBG(SCTP_DEBUG_INPUT2, 1062 "Peer does not support param type %d (0x%x)??\n", 1063 parameter_type, parameter_type); 1064 break; 1065 } 1066 } 1067 1068 static int 1069 sctp_handle_error(struct sctp_chunkhdr *ch, 1070 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit) 1071 { 1072 struct sctp_error_cause *cause; 1073 struct sctp_association *asoc; 1074 uint32_t remaining_length, adjust; 1075 uint16_t code, cause_code, cause_length; 1076 1077 /* parse through all of the errors and process */ 1078 asoc = &stcb->asoc; 1079 cause = (struct sctp_error_cause *)((caddr_t)ch + 1080 sizeof(struct sctp_chunkhdr)); 1081 remaining_length = ntohs(ch->chunk_length); 1082 if (remaining_length > limit) { 1083 remaining_length = limit; 1084 } 1085 if (remaining_length >= sizeof(struct sctp_chunkhdr)) { 1086 remaining_length -= sizeof(struct sctp_chunkhdr); 1087 } else { 1088 remaining_length = 0; 1089 } 1090 code = 0; 1091 while (remaining_length >= sizeof(struct sctp_error_cause)) { 1092 /* Process an Error Cause */ 1093 cause_code = ntohs(cause->code); 1094 cause_length = ntohs(cause->length); 1095 if ((cause_length > remaining_length) || (cause_length == 0)) { 1096 /* Invalid cause length, possibly due to truncation. */ 1097 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in cause - bytes left: %u cause length: %u\n", 1098 remaining_length, cause_length); 1099 return (0); 1100 } 1101 if (code == 0) { 1102 /* report the first error cause */ 1103 code = cause_code; 1104 } 1105 switch (cause_code) { 1106 case SCTP_CAUSE_INVALID_STREAM: 1107 case SCTP_CAUSE_MISSING_PARAM: 1108 case SCTP_CAUSE_INVALID_PARAM: 1109 case SCTP_CAUSE_NO_USER_DATA: 1110 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %u back? We have a bug :/ (or do they?)\n", 1111 cause_code); 1112 break; 1113 case SCTP_CAUSE_NAT_COLLIDING_STATE: 1114 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state, ERROR flags: %x\n", 1115 ch->chunk_flags); 1116 if (sctp_handle_nat_colliding_state(stcb)) { 1117 return (0); 1118 } 1119 break; 1120 case SCTP_CAUSE_NAT_MISSING_STATE: 1121 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state, ERROR flags: %x\n", 1122 ch->chunk_flags); 1123 if (sctp_handle_nat_missing_state(stcb, net)) { 1124 return (0); 1125 } 1126 break; 1127 case SCTP_CAUSE_STALE_COOKIE: 1128 /* 1129 * We only act if we have echoed a cookie and are 1130 * waiting. 1131 */ 1132 if ((cause_length >= sizeof(struct sctp_error_stale_cookie)) && 1133 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) { 1134 struct sctp_error_stale_cookie *stale_cookie; 1135 1136 stale_cookie = (struct sctp_error_stale_cookie *)cause; 1137 /* stable_time is in usec, convert to msec. */ 1138 asoc->cookie_preserve_req = ntohl(stale_cookie->stale_time) / 1000; 1139 /* Double it to be more robust on RTX. */ 1140 asoc->cookie_preserve_req *= 2; 1141 asoc->stale_cookie_count++; 1142 if (asoc->stale_cookie_count > 1143 asoc->max_init_times) { 1144 sctp_abort_notification(stcb, false, true, 0, NULL, SCTP_SO_NOT_LOCKED); 1145 /* now free the asoc */ 1146 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 1147 SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1148 return (-1); 1149 } 1150 /* blast back to INIT state */ 1151 sctp_toss_old_cookies(stcb, &stcb->asoc); 1152 SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT); 1153 sctp_stop_all_cookie_timers(stcb); 1154 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 1155 } 1156 break; 1157 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 1158 /* 1159 * Nothing we can do here, we don't do hostname 1160 * addresses so if the peer does not like my IPv6 1161 * (or IPv4 for that matter) it does not matter. If 1162 * they don't support that type of address, they can 1163 * NOT possibly get that packet type... i.e. with no 1164 * IPv6 you can't receive a IPv6 packet. so we can 1165 * safely ignore this one. If we ever added support 1166 * for HOSTNAME Addresses, then we would need to do 1167 * something here. 1168 */ 1169 break; 1170 case SCTP_CAUSE_UNRECOG_CHUNK: 1171 if (cause_length >= sizeof(struct sctp_error_unrecognized_chunk)) { 1172 struct sctp_error_unrecognized_chunk *unrec_chunk; 1173 1174 unrec_chunk = (struct sctp_error_unrecognized_chunk *)cause; 1175 sctp_process_unrecog_chunk(stcb, unrec_chunk->ch.chunk_type); 1176 } 1177 break; 1178 case SCTP_CAUSE_UNRECOG_PARAM: 1179 /* XXX: We only consider the first parameter */ 1180 if (cause_length >= sizeof(struct sctp_error_cause) + sizeof(struct sctp_paramhdr)) { 1181 struct sctp_paramhdr *unrec_parameter; 1182 1183 unrec_parameter = (struct sctp_paramhdr *)(cause + 1); 1184 sctp_process_unrecog_param(stcb, ntohs(unrec_parameter->param_type)); 1185 } 1186 break; 1187 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 1188 /* 1189 * We ignore this since the timer will drive out a 1190 * new cookie anyway and there timer will drive us 1191 * to send a SHUTDOWN_COMPLETE. We can't send one 1192 * here since we don't have their tag. 1193 */ 1194 break; 1195 case SCTP_CAUSE_DELETING_LAST_ADDR: 1196 case SCTP_CAUSE_RESOURCE_SHORTAGE: 1197 case SCTP_CAUSE_DELETING_SRC_ADDR: 1198 /* 1199 * We should NOT get these here, but in a 1200 * ASCONF-ACK. 1201 */ 1202 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a error cause with code %u.\n", 1203 cause_code); 1204 break; 1205 case SCTP_CAUSE_OUT_OF_RESC: 1206 /* 1207 * And what, pray tell do we do with the fact that 1208 * the peer is out of resources? Not really sure we 1209 * could do anything but abort. I suspect this 1210 * should have came WITH an abort instead of in a 1211 * OP-ERROR. 1212 */ 1213 break; 1214 default: 1215 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown code 0x%x\n", 1216 cause_code); 1217 break; 1218 } 1219 adjust = SCTP_SIZE32(cause_length); 1220 if (remaining_length >= adjust) { 1221 remaining_length -= adjust; 1222 } else { 1223 remaining_length = 0; 1224 } 1225 cause = (struct sctp_error_cause *)((caddr_t)cause + adjust); 1226 } 1227 sctp_ulp_notify(SCTP_NOTIFY_REMOTE_ERROR, stcb, code, ch, SCTP_SO_NOT_LOCKED); 1228 return (0); 1229 } 1230 1231 static int 1232 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, 1233 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh, 1234 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 1235 struct sctp_nets *net, int *abort_no_unlock, 1236 uint8_t mflowtype, uint32_t mflowid, 1237 uint32_t vrf_id) 1238 { 1239 struct sctp_init_ack *init_ack; 1240 struct mbuf *op_err; 1241 1242 SCTPDBG(SCTP_DEBUG_INPUT2, 1243 "sctp_handle_init_ack: handling INIT-ACK\n"); 1244 1245 if (stcb == NULL) { 1246 SCTPDBG(SCTP_DEBUG_INPUT2, 1247 "sctp_handle_init_ack: TCB is null\n"); 1248 return (-1); 1249 } 1250 /* Only process the INIT-ACK chunk in COOKIE WAIT state. */ 1251 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) { 1252 init_ack = &cp->init; 1253 /* Validate parameters. */ 1254 if ((ntohl(init_ack->initiate_tag) == 0) || 1255 (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) || 1256 (ntohs(init_ack->num_inbound_streams) == 0) || 1257 (ntohs(init_ack->num_outbound_streams) == 0)) { 1258 /* One of the mandatory parameters is illegal. */ 1259 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, ""); 1260 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 1261 src, dst, sh, op_err, 1262 mflowtype, mflowid, 1263 vrf_id, net->port); 1264 *abort_no_unlock = 1; 1265 return (-1); 1266 } 1267 if (stcb->asoc.primary_destination->dest_state & 1268 SCTP_ADDR_UNCONFIRMED) { 1269 /* 1270 * The primary is where we sent the INIT, we can 1271 * always consider it confirmed when the INIT-ACK is 1272 * returned. Do this before we load addresses 1273 * though. 1274 */ 1275 stcb->asoc.primary_destination->dest_state &= 1276 ~SCTP_ADDR_UNCONFIRMED; 1277 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1278 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED); 1279 } 1280 if (sctp_process_init_ack(m, iphlen, offset, src, dst, sh, cp, stcb, 1281 net, abort_no_unlock, 1282 mflowtype, mflowid, 1283 vrf_id) < 0) { 1284 /* error in parsing parameters */ 1285 return (-1); 1286 } 1287 /* Update our state. */ 1288 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n"); 1289 SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_ECHOED); 1290 1291 /* Reset the RTO calculation. */ 1292 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 1293 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 1294 stcb->asoc.overall_error_count, 1295 0, 1296 SCTP_FROM_SCTP_INPUT, 1297 __LINE__); 1298 } 1299 stcb->asoc.overall_error_count = 0; 1300 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1301 /* 1302 * Collapse the init timer back in case of a exponential 1303 * backoff. 1304 */ 1305 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1306 stcb, net); 1307 /* 1308 * The output routine at the end of the inbound data 1309 * processing will cause the cookie to be sent. 1310 */ 1311 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n"); 1312 return (0); 1313 } else { 1314 return (-1); 1315 } 1316 } 1317 1318 static struct sctp_tcb * 1319 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1320 struct sockaddr *src, struct sockaddr *dst, 1321 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1322 struct sctp_inpcb *inp, struct sctp_nets **netp, 1323 struct sockaddr *init_src, int *notification, 1324 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1325 uint8_t mflowtype, uint32_t mflowid, 1326 uint32_t vrf_id, uint16_t port); 1327 1328 /* 1329 * handle a state cookie for an existing association m: input packet mbuf 1330 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1331 * "split" mbuf and the cookie signature does not exist offset: offset into 1332 * mbuf to the cookie-echo chunk 1333 */ 1334 static struct sctp_tcb * 1335 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1336 struct sockaddr *src, struct sockaddr *dst, 1337 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1338 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp, 1339 struct sockaddr *init_src, int *notification, 1340 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1341 uint8_t mflowtype, uint32_t mflowid, 1342 uint32_t vrf_id, uint16_t port) 1343 { 1344 struct sctp_association *asoc; 1345 struct sctp_init_chunk *init_cp, init_buf; 1346 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1347 struct sctp_asconf_addr *aparam, *naparam; 1348 struct sctp_asconf_ack *aack, *naack; 1349 struct sctp_tmit_chunk *chk, *nchk; 1350 struct sctp_stream_reset_list *strrst, *nstrrst; 1351 struct sctp_queued_to_read *sq, *nsq; 1352 struct sctp_nets *net; 1353 struct mbuf *op_err; 1354 struct timeval old; 1355 int init_offset, initack_offset, i; 1356 int retval; 1357 int spec_flag = 0; 1358 uint32_t how_indx; 1359 #if defined(SCTP_DETAILED_STR_STATS) 1360 int j; 1361 #endif 1362 1363 net = *netp; 1364 /* I know that the TCB is non-NULL from the caller */ 1365 asoc = &stcb->asoc; 1366 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1367 if (asoc->cookie_how[how_indx] == 0) 1368 break; 1369 } 1370 if (how_indx < sizeof(asoc->cookie_how)) { 1371 asoc->cookie_how[how_indx] = 1; 1372 } 1373 if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1374 /* SHUTDOWN came in after sending INIT-ACK */ 1375 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1376 op_err = sctp_generate_cause(SCTP_CAUSE_COOKIE_IN_SHUTDOWN, ""); 1377 sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err, 1378 mflowtype, mflowid, inp->fibnum, 1379 vrf_id, net->port); 1380 if (how_indx < sizeof(asoc->cookie_how)) 1381 asoc->cookie_how[how_indx] = 2; 1382 SCTP_TCB_UNLOCK(stcb); 1383 return (NULL); 1384 } 1385 /* 1386 * find and validate the INIT chunk in the cookie (peer's info) the 1387 * INIT should start after the cookie-echo header struct (chunk 1388 * header, state cookie header struct) 1389 */ 1390 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1391 1392 init_cp = (struct sctp_init_chunk *) 1393 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1394 (uint8_t *)&init_buf); 1395 if (init_cp == NULL) { 1396 /* could not pull a INIT chunk in cookie */ 1397 SCTP_TCB_UNLOCK(stcb); 1398 return (NULL); 1399 } 1400 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1401 SCTP_TCB_UNLOCK(stcb); 1402 return (NULL); 1403 } 1404 /* 1405 * find and validate the INIT-ACK chunk in the cookie (my info) the 1406 * INIT-ACK follows the INIT chunk 1407 */ 1408 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length)); 1409 initack_cp = (struct sctp_init_ack_chunk *) 1410 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1411 (uint8_t *)&initack_buf); 1412 if (initack_cp == NULL) { 1413 /* could not pull INIT-ACK chunk in cookie */ 1414 SCTP_TCB_UNLOCK(stcb); 1415 return (NULL); 1416 } 1417 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1418 SCTP_TCB_UNLOCK(stcb); 1419 return (NULL); 1420 } 1421 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1422 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1423 /* 1424 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1425 * to get into the OPEN state 1426 */ 1427 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1428 /*- 1429 * Opps, this means that we somehow generated two vtag's 1430 * the same. I.e. we did: 1431 * Us Peer 1432 * <---INIT(tag=a)------ 1433 * ----INIT-ACK(tag=t)--> 1434 * ----INIT(tag=t)------> *1 1435 * <---INIT-ACK(tag=a)--- 1436 * <----CE(tag=t)------------- *2 1437 * 1438 * At point *1 we should be generating a different 1439 * tag t'. Which means we would throw away the CE and send 1440 * ours instead. Basically this is case C (throw away side). 1441 */ 1442 if (how_indx < sizeof(asoc->cookie_how)) 1443 asoc->cookie_how[how_indx] = 17; 1444 SCTP_TCB_UNLOCK(stcb); 1445 return (NULL); 1446 } 1447 switch (SCTP_GET_STATE(stcb)) { 1448 case SCTP_STATE_COOKIE_WAIT: 1449 case SCTP_STATE_COOKIE_ECHOED: 1450 /* 1451 * INIT was sent but got a COOKIE_ECHO with the 1452 * correct tags... just accept it...but we must 1453 * process the init so that we can make sure we have 1454 * the right seq no's. 1455 */ 1456 /* First we must process the INIT !! */ 1457 if (sctp_process_init(init_cp, stcb) < 0) { 1458 if (how_indx < sizeof(asoc->cookie_how)) 1459 asoc->cookie_how[how_indx] = 3; 1460 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 1461 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n"); 1462 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 1463 src, dst, sh, op_err, 1464 mflowtype, mflowid, 1465 vrf_id, net->port); 1466 return (NULL); 1467 } 1468 /* we have already processed the INIT so no problem */ 1469 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, 1470 stcb, net, 1471 SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1472 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, 1473 stcb, net, 1474 SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1475 /* update current state */ 1476 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED) 1477 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1478 else 1479 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1480 1481 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN); 1482 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1483 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1484 stcb->sctp_ep, stcb, NULL); 1485 } 1486 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1487 sctp_stop_all_cookie_timers(stcb); 1488 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1489 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1490 (!SCTP_IS_LISTENING(inp))) { 1491 /* 1492 * Here is where collision would go if we 1493 * did a connect() and instead got a 1494 * init/init-ack/cookie done before the 1495 * init-ack came back.. 1496 */ 1497 sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED); 1498 soisconnected(stcb->sctp_socket); 1499 } 1500 /* notify upper layer */ 1501 *notification = SCTP_NOTIFY_ASSOC_UP; 1502 /* 1503 * since we did not send a HB make sure we don't 1504 * double things 1505 */ 1506 old.tv_sec = cookie->time_entered.tv_sec; 1507 old.tv_usec = cookie->time_entered.tv_usec; 1508 net->hb_responded = 1; 1509 sctp_calculate_rto(stcb, asoc, net, &old, 1510 SCTP_RTT_FROM_NON_DATA); 1511 1512 if (stcb->asoc.sctp_autoclose_ticks && 1513 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1514 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1515 inp, stcb, NULL); 1516 } 1517 break; 1518 default: 1519 /* 1520 * we're in the OPEN state (or beyond), so peer must 1521 * have simply lost the COOKIE-ACK 1522 */ 1523 break; 1524 } /* end switch */ 1525 sctp_stop_all_cookie_timers(stcb); 1526 if ((retval = sctp_load_addresses_from_init(stcb, m, 1527 init_offset + sizeof(struct sctp_init_chunk), 1528 initack_offset, src, dst, init_src, stcb->asoc.port)) < 0) { 1529 if (how_indx < sizeof(asoc->cookie_how)) 1530 asoc->cookie_how[how_indx] = 4; 1531 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 1532 "Problem with address parameters"); 1533 SCTPDBG(SCTP_DEBUG_INPUT1, 1534 "Load addresses from INIT causes an abort %d\n", 1535 retval); 1536 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 1537 src, dst, sh, op_err, 1538 mflowtype, mflowid, 1539 vrf_id, net->port); 1540 return (NULL); 1541 } 1542 /* respond with a COOKIE-ACK */ 1543 sctp_toss_old_cookies(stcb, asoc); 1544 sctp_send_cookie_ack(stcb); 1545 if (how_indx < sizeof(asoc->cookie_how)) 1546 asoc->cookie_how[how_indx] = 5; 1547 return (stcb); 1548 } 1549 1550 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1551 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1552 cookie->tie_tag_my_vtag == 0 && 1553 cookie->tie_tag_peer_vtag == 0) { 1554 /* 1555 * case C in Section 5.2.4 Table 2: XMOO silently discard 1556 */ 1557 if (how_indx < sizeof(asoc->cookie_how)) 1558 asoc->cookie_how[how_indx] = 6; 1559 SCTP_TCB_UNLOCK(stcb); 1560 return (NULL); 1561 } 1562 /* 1563 * If nat support, and the below and stcb is established, send back 1564 * a ABORT(colliding state) if we are established. 1565 */ 1566 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) && 1567 (asoc->peer_supports_nat) && 1568 ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1569 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) || 1570 (asoc->peer_vtag == 0)))) { 1571 /* 1572 * Special case - Peer's support nat. We may have two init's 1573 * that we gave out the same tag on since one was not 1574 * established.. i.e. we get INIT from host-1 behind the nat 1575 * and we respond tag-a, we get a INIT from host-2 behind 1576 * the nat and we get tag-a again. Then we bring up host-1 1577 * (or 2's) assoc, Then comes the cookie from hsot-2 (or 1). 1578 * Now we have colliding state. We must send an abort here 1579 * with colliding state indication. 1580 */ 1581 op_err = sctp_generate_cause(SCTP_CAUSE_NAT_COLLIDING_STATE, ""); 1582 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err, 1583 mflowtype, mflowid, inp->fibnum, 1584 vrf_id, port); 1585 SCTP_TCB_UNLOCK(stcb); 1586 return (NULL); 1587 } 1588 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1589 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) || 1590 (asoc->peer_vtag == 0))) { 1591 /* 1592 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1593 * should be ok, re-accept peer info 1594 */ 1595 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1596 /* 1597 * Extension of case C. If we hit this, then the 1598 * random number generator returned the same vtag 1599 * when we first sent our INIT-ACK and when we later 1600 * sent our INIT. The side with the seq numbers that 1601 * are different will be the one that normally would 1602 * have hit case C. This in effect "extends" our 1603 * vtags in this collision case to be 64 bits. The 1604 * same collision could occur aka you get both vtag 1605 * and seq number the same twice in a row.. but is 1606 * much less likely. If it did happen then we would 1607 * proceed through and bring up the assoc.. we may 1608 * end up with the wrong stream setup however.. 1609 * which would be bad.. but there is no way to 1610 * tell.. until we send on a stream that does not 1611 * exist :-) 1612 */ 1613 if (how_indx < sizeof(asoc->cookie_how)) 1614 asoc->cookie_how[how_indx] = 7; 1615 1616 SCTP_TCB_UNLOCK(stcb); 1617 return (NULL); 1618 } 1619 if (how_indx < sizeof(asoc->cookie_how)) 1620 asoc->cookie_how[how_indx] = 8; 1621 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, 1622 SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1623 sctp_stop_all_cookie_timers(stcb); 1624 /* 1625 * since we did not send a HB make sure we don't double 1626 * things 1627 */ 1628 net->hb_responded = 1; 1629 if (stcb->asoc.sctp_autoclose_ticks && 1630 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1631 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1632 NULL); 1633 } 1634 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1635 if (asoc->pre_open_streams < asoc->streamoutcnt) { 1636 asoc->pre_open_streams = asoc->streamoutcnt; 1637 } 1638 1639 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1640 /* 1641 * Ok the peer probably discarded our data (if we 1642 * echoed a cookie+data). So anything on the 1643 * sent_queue should be marked for retransmit, we 1644 * may not get something to kick us so it COULD 1645 * still take a timeout to move these.. but it can't 1646 * hurt to mark them. 1647 */ 1648 1649 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1650 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1651 chk->sent = SCTP_DATAGRAM_RESEND; 1652 sctp_flight_size_decrease(chk); 1653 sctp_total_flight_decrease(stcb, chk); 1654 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1655 spec_flag++; 1656 } 1657 } 1658 } 1659 /* process the INIT info (peer's info) */ 1660 if (sctp_process_init(init_cp, stcb) < 0) { 1661 if (how_indx < sizeof(asoc->cookie_how)) 1662 asoc->cookie_how[how_indx] = 9; 1663 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 1664 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n"); 1665 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 1666 src, dst, sh, op_err, 1667 mflowtype, mflowid, 1668 vrf_id, net->port); 1669 return (NULL); 1670 } 1671 if ((retval = sctp_load_addresses_from_init(stcb, m, 1672 init_offset + sizeof(struct sctp_init_chunk), 1673 initack_offset, src, dst, init_src, stcb->asoc.port)) < 0) { 1674 if (how_indx < sizeof(asoc->cookie_how)) 1675 asoc->cookie_how[how_indx] = 10; 1676 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 1677 "Problem with address parameters"); 1678 SCTPDBG(SCTP_DEBUG_INPUT1, 1679 "Load addresses from INIT causes an abort %d\n", 1680 retval); 1681 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 1682 src, dst, sh, op_err, 1683 mflowtype, mflowid, 1684 vrf_id, net->port); 1685 return (NULL); 1686 } 1687 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) || 1688 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) { 1689 *notification = SCTP_NOTIFY_ASSOC_UP; 1690 1691 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1692 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1693 (!SCTP_IS_LISTENING(inp))) { 1694 sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED); 1695 soisconnected(stcb->sctp_socket); 1696 } 1697 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED) 1698 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1699 else 1700 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1701 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1702 } else if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) { 1703 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1704 } else { 1705 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1706 } 1707 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN); 1708 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1709 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1710 stcb->sctp_ep, stcb, NULL); 1711 } 1712 sctp_stop_all_cookie_timers(stcb); 1713 sctp_toss_old_cookies(stcb, asoc); 1714 sctp_send_cookie_ack(stcb); 1715 if (spec_flag) { 1716 /* 1717 * only if we have retrans set do we do this. What 1718 * this call does is get only the COOKIE-ACK out and 1719 * then when we return the normal call to 1720 * sctp_chunk_output will get the retrans out behind 1721 * this. 1722 */ 1723 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED); 1724 } 1725 if (how_indx < sizeof(asoc->cookie_how)) 1726 asoc->cookie_how[how_indx] = 11; 1727 1728 return (stcb); 1729 } 1730 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1731 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1732 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1733 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1734 cookie->tie_tag_peer_vtag != 0) { 1735 struct sctpasochead *head; 1736 1737 if (asoc->peer_supports_nat) { 1738 struct sctp_tcb *local_stcb; 1739 1740 /* 1741 * This is a gross gross hack. Just call the 1742 * cookie_new code since we are allowing a duplicate 1743 * association. I hope this works... 1744 */ 1745 local_stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst, 1746 sh, cookie, cookie_len, 1747 inp, netp, init_src, notification, 1748 auth_skipped, auth_offset, auth_len, 1749 mflowtype, mflowid, 1750 vrf_id, port); 1751 if (local_stcb == NULL) { 1752 SCTP_TCB_UNLOCK(stcb); 1753 } 1754 return (local_stcb); 1755 } 1756 /* 1757 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1758 */ 1759 /* temp code */ 1760 if (how_indx < sizeof(asoc->cookie_how)) 1761 asoc->cookie_how[how_indx] = 12; 1762 sctp_stop_association_timers(stcb, false); 1763 /* notify upper layer */ 1764 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1765 atomic_add_int(&stcb->asoc.refcnt, 1); 1766 if ((SCTP_GET_STATE(stcb) != SCTP_STATE_OPEN) && 1767 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1768 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT)) { 1769 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1770 } 1771 if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) { 1772 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1773 } else if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) { 1774 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1775 } 1776 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1777 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN); 1778 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1779 stcb->sctp_ep, stcb, NULL); 1780 1781 } else if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) { 1782 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1783 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN); 1784 } 1785 if (asoc->pre_open_streams < asoc->streamoutcnt) { 1786 asoc->pre_open_streams = asoc->streamoutcnt; 1787 } 1788 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1789 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1790 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; 1791 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1792 asoc->str_reset_seq_in = asoc->init_seq_number; 1793 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1794 asoc->send_sack = 1; 1795 asoc->data_pkts_seen = 0; 1796 asoc->last_data_chunk_from = NULL; 1797 asoc->last_control_chunk_from = NULL; 1798 asoc->last_net_cmt_send_started = NULL; 1799 if (asoc->mapping_array) { 1800 memset(asoc->mapping_array, 0, 1801 asoc->mapping_array_size); 1802 } 1803 if (asoc->nr_mapping_array) { 1804 memset(asoc->nr_mapping_array, 0, 1805 asoc->mapping_array_size); 1806 } 1807 SCTP_TCB_UNLOCK(stcb); 1808 SCTP_INP_INFO_WLOCK(); 1809 SCTP_INP_WLOCK(stcb->sctp_ep); 1810 SCTP_TCB_LOCK(stcb); 1811 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1812 /* send up all the data */ 1813 sctp_report_all_outbound(stcb, 0, SCTP_SO_LOCKED); 1814 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1815 stcb->asoc.strmout[i].chunks_on_queues = 0; 1816 #if defined(SCTP_DETAILED_STR_STATS) 1817 for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) { 1818 asoc->strmout[i].abandoned_sent[j] = 0; 1819 asoc->strmout[i].abandoned_unsent[j] = 0; 1820 } 1821 #else 1822 asoc->strmout[i].abandoned_sent[0] = 0; 1823 asoc->strmout[i].abandoned_unsent[0] = 0; 1824 #endif 1825 stcb->asoc.strmout[i].next_mid_ordered = 0; 1826 stcb->asoc.strmout[i].next_mid_unordered = 0; 1827 stcb->asoc.strmout[i].sid = i; 1828 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1829 } 1830 TAILQ_FOREACH_SAFE(strrst, &asoc->resetHead, next_resp, nstrrst) { 1831 TAILQ_REMOVE(&asoc->resetHead, strrst, next_resp); 1832 SCTP_FREE(strrst, SCTP_M_STRESET); 1833 } 1834 TAILQ_FOREACH_SAFE(sq, &asoc->pending_reply_queue, next, nsq) { 1835 TAILQ_REMOVE(&asoc->pending_reply_queue, sq, next); 1836 if (sq->data) { 1837 sctp_m_freem(sq->data); 1838 sq->data = NULL; 1839 } 1840 sctp_free_remote_addr(sq->whoFrom); 1841 sq->whoFrom = NULL; 1842 sq->stcb = NULL; 1843 sctp_free_a_readq(stcb, sq); 1844 } 1845 TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) { 1846 TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next); 1847 if (chk->data) { 1848 sctp_m_freem(chk->data); 1849 chk->data = NULL; 1850 } 1851 if (chk->holds_key_ref) 1852 sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED); 1853 sctp_free_remote_addr(chk->whoTo); 1854 SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk); 1855 SCTP_DECR_CHK_COUNT(); 1856 } 1857 asoc->ctrl_queue_cnt = 0; 1858 asoc->str_reset = NULL; 1859 asoc->stream_reset_outstanding = 0; 1860 TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) { 1861 TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next); 1862 if (chk->data) { 1863 sctp_m_freem(chk->data); 1864 chk->data = NULL; 1865 } 1866 if (chk->holds_key_ref) 1867 sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED); 1868 sctp_free_remote_addr(chk->whoTo); 1869 SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk); 1870 SCTP_DECR_CHK_COUNT(); 1871 } 1872 TAILQ_FOREACH_SAFE(aparam, &asoc->asconf_queue, next, naparam) { 1873 TAILQ_REMOVE(&asoc->asconf_queue, aparam, next); 1874 SCTP_FREE(aparam, SCTP_M_ASC_ADDR); 1875 } 1876 TAILQ_FOREACH_SAFE(aack, &asoc->asconf_ack_sent, next, naack) { 1877 TAILQ_REMOVE(&asoc->asconf_ack_sent, aack, next); 1878 if (aack->data != NULL) { 1879 sctp_m_freem(aack->data); 1880 } 1881 SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asconf_ack), aack); 1882 } 1883 1884 /* process the INIT-ACK info (my info) */ 1885 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1886 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1887 1888 /* pull from vtag hash */ 1889 LIST_REMOVE(stcb, sctp_asocs); 1890 /* re-insert to new vtag position */ 1891 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1892 SCTP_BASE_INFO(hashasocmark))]; 1893 /* 1894 * put it in the bucket in the vtag hash of assoc's for the 1895 * system 1896 */ 1897 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1898 1899 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1900 SCTP_INP_INFO_WUNLOCK(); 1901 asoc->total_flight = 0; 1902 asoc->total_flight_count = 0; 1903 /* process the INIT info (peer's info) */ 1904 if (sctp_process_init(init_cp, stcb) < 0) { 1905 if (how_indx < sizeof(asoc->cookie_how)) 1906 asoc->cookie_how[how_indx] = 13; 1907 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 1908 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n"); 1909 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 1910 src, dst, sh, op_err, 1911 mflowtype, mflowid, 1912 vrf_id, net->port); 1913 return (NULL); 1914 } 1915 /* 1916 * since we did not send a HB make sure we don't double 1917 * things 1918 */ 1919 net->hb_responded = 1; 1920 1921 if ((retval = sctp_load_addresses_from_init(stcb, m, 1922 init_offset + sizeof(struct sctp_init_chunk), 1923 initack_offset, src, dst, init_src, stcb->asoc.port)) < 0) { 1924 if (how_indx < sizeof(asoc->cookie_how)) 1925 asoc->cookie_how[how_indx] = 14; 1926 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 1927 "Problem with address parameters"); 1928 SCTPDBG(SCTP_DEBUG_INPUT1, 1929 "Load addresses from INIT causes an abort %d\n", 1930 retval); 1931 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 1932 src, dst, sh, op_err, 1933 mflowtype, mflowid, 1934 vrf_id, net->port); 1935 return (NULL); 1936 } 1937 /* respond with a COOKIE-ACK */ 1938 sctp_send_cookie_ack(stcb); 1939 if (how_indx < sizeof(asoc->cookie_how)) 1940 asoc->cookie_how[how_indx] = 15; 1941 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE) && 1942 (asoc->sctp_autoclose_ticks > 0)) { 1943 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1944 } 1945 return (stcb); 1946 } 1947 if (how_indx < sizeof(asoc->cookie_how)) 1948 asoc->cookie_how[how_indx] = 16; 1949 /* all other cases... */ 1950 SCTP_TCB_UNLOCK(stcb); 1951 return (NULL); 1952 } 1953 1954 /* 1955 * handle a state cookie for a new association m: input packet mbuf chain-- 1956 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1957 * and the cookie signature does not exist offset: offset into mbuf to the 1958 * cookie-echo chunk length: length of the cookie chunk to: where the init 1959 * was from returns a new TCB 1960 */ 1961 static struct sctp_tcb * 1962 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1963 struct sockaddr *src, struct sockaddr *dst, 1964 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1965 struct sctp_inpcb *inp, struct sctp_nets **netp, 1966 struct sockaddr *init_src, int *notification, 1967 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1968 uint8_t mflowtype, uint32_t mflowid, 1969 uint32_t vrf_id, uint16_t port) 1970 { 1971 struct sctp_tcb *stcb; 1972 struct sctp_init_chunk *init_cp, init_buf; 1973 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1974 union sctp_sockstore store; 1975 struct sctp_association *asoc; 1976 int init_offset, initack_offset, initack_limit; 1977 int error = 0; 1978 uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 1979 1980 /* 1981 * find and validate the INIT chunk in the cookie (peer's info) the 1982 * INIT should start after the cookie-echo header struct (chunk 1983 * header, state cookie header struct) 1984 */ 1985 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1986 init_cp = (struct sctp_init_chunk *) 1987 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1988 (uint8_t *)&init_buf); 1989 if (init_cp == NULL) { 1990 /* could not pull a INIT chunk in cookie */ 1991 SCTPDBG(SCTP_DEBUG_INPUT1, 1992 "process_cookie_new: could not pull INIT chunk hdr\n"); 1993 return (NULL); 1994 } 1995 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1996 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n"); 1997 return (NULL); 1998 } 1999 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length)); 2000 /* 2001 * find and validate the INIT-ACK chunk in the cookie (my info) the 2002 * INIT-ACK follows the INIT chunk 2003 */ 2004 initack_cp = (struct sctp_init_ack_chunk *) 2005 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 2006 (uint8_t *)&initack_buf); 2007 if (initack_cp == NULL) { 2008 /* could not pull INIT-ACK chunk in cookie */ 2009 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 2010 return (NULL); 2011 } 2012 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 2013 return (NULL); 2014 } 2015 /* 2016 * NOTE: We can't use the INIT_ACK's chk_length to determine the 2017 * "initack_limit" value. This is because the chk_length field 2018 * includes the length of the cookie, but the cookie is omitted when 2019 * the INIT and INIT_ACK are tacked onto the cookie... 2020 */ 2021 initack_limit = offset + cookie_len; 2022 2023 /* 2024 * now that we know the INIT/INIT-ACK are in place, create a new TCB 2025 * and populate 2026 */ 2027 2028 /* 2029 * Here we do a trick, we set in NULL for the proc/thread argument. 2030 * We do this since in effect we only use the p argument when the 2031 * socket is unbound and we must do an implicit bind. Since we are 2032 * getting a cookie, we cannot be unbound. 2033 */ 2034 stcb = sctp_aloc_assoc(inp, init_src, &error, 2035 ntohl(initack_cp->init.initiate_tag), 2036 ntohl(initack_cp->init.initial_tsn), vrf_id, 2037 ntohs(initack_cp->init.num_outbound_streams), 2038 port, 2039 (struct thread *)NULL, 2040 SCTP_DONT_INITIALIZE_AUTH_PARAMS); 2041 if (stcb == NULL) { 2042 struct mbuf *op_err; 2043 2044 /* memory problem? */ 2045 SCTPDBG(SCTP_DEBUG_INPUT1, 2046 "process_cookie_new: no room for another TCB!\n"); 2047 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 2048 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 2049 src, dst, sh, op_err, 2050 mflowtype, mflowid, 2051 vrf_id, port); 2052 return (NULL); 2053 } 2054 asoc = &stcb->asoc; 2055 /* get scope variables out of cookie */ 2056 asoc->scope.ipv4_local_scope = cookie->ipv4_scope; 2057 asoc->scope.site_scope = cookie->site_scope; 2058 asoc->scope.local_scope = cookie->local_scope; 2059 asoc->scope.loopback_scope = cookie->loopback_scope; 2060 2061 if ((asoc->scope.ipv4_addr_legal != cookie->ipv4_addr_legal) || 2062 (asoc->scope.ipv6_addr_legal != cookie->ipv6_addr_legal)) { 2063 struct mbuf *op_err; 2064 2065 /* 2066 * Houston we have a problem. The EP changed while the 2067 * cookie was in flight. Only recourse is to abort the 2068 * association. 2069 */ 2070 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 2071 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 2072 src, dst, sh, op_err, 2073 mflowtype, mflowid, 2074 vrf_id, port); 2075 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 2076 SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 2077 return (NULL); 2078 } 2079 /* process the INIT-ACK info (my info) */ 2080 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 2081 2082 /* process the INIT info (peer's info) */ 2083 if (sctp_process_init(init_cp, stcb) < 0) { 2084 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 2085 SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 2086 return (NULL); 2087 } 2088 /* load all addresses */ 2089 if (sctp_load_addresses_from_init(stcb, m, 2090 init_offset + sizeof(struct sctp_init_chunk), 2091 initack_offset, src, dst, init_src, port) < 0) { 2092 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 2093 SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2094 return (NULL); 2095 } 2096 /* 2097 * verify any preceding AUTH chunk that was skipped 2098 */ 2099 /* pull the local authentication parameters from the cookie/init-ack */ 2100 sctp_auth_get_cookie_params(stcb, m, 2101 initack_offset + sizeof(struct sctp_init_ack_chunk), 2102 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 2103 if (auth_skipped) { 2104 struct sctp_auth_chunk *auth; 2105 2106 if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) { 2107 auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 2108 } else { 2109 auth = NULL; 2110 } 2111 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { 2112 /* auth HMAC failed, dump the assoc and packet */ 2113 SCTPDBG(SCTP_DEBUG_AUTH1, 2114 "COOKIE-ECHO: AUTH failed\n"); 2115 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 2116 SCTP_FROM_SCTP_INPUT + SCTP_LOC_21); 2117 return (NULL); 2118 } else { 2119 /* remaining chunks checked... good to go */ 2120 stcb->asoc.authenticated = 1; 2121 } 2122 } 2123 2124 /* 2125 * if we're doing ASCONFs, check to see if we have any new local 2126 * addresses that need to get added to the peer (eg. addresses 2127 * changed while cookie echo in flight). This needs to be done 2128 * after we go to the OPEN state to do the correct asconf 2129 * processing. else, make sure we have the correct addresses in our 2130 * lists 2131 */ 2132 2133 /* warning, we re-use sin, sin6, sa_store here! */ 2134 /* pull in local_address (our "from" address) */ 2135 switch (cookie->laddr_type) { 2136 #ifdef INET 2137 case SCTP_IPV4_ADDRESS: 2138 /* source addr is IPv4 */ 2139 memset(&store.sin, 0, sizeof(struct sockaddr_in)); 2140 store.sin.sin_family = AF_INET; 2141 store.sin.sin_len = sizeof(struct sockaddr_in); 2142 store.sin.sin_addr.s_addr = cookie->laddress[0]; 2143 break; 2144 #endif 2145 #ifdef INET6 2146 case SCTP_IPV6_ADDRESS: 2147 /* source addr is IPv6 */ 2148 memset(&store.sin6, 0, sizeof(struct sockaddr_in6)); 2149 store.sin6.sin6_family = AF_INET6; 2150 store.sin6.sin6_len = sizeof(struct sockaddr_in6); 2151 store.sin6.sin6_scope_id = cookie->scope_id; 2152 memcpy(&store.sin6.sin6_addr, cookie->laddress, sizeof(struct in6_addr)); 2153 break; 2154 #endif 2155 default: 2156 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 2157 SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2158 return (NULL); 2159 } 2160 2161 /* update current state */ 2162 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2163 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN); 2164 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2165 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2166 stcb->sctp_ep, stcb, NULL); 2167 } 2168 sctp_stop_all_cookie_timers(stcb); 2169 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 2170 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2171 2172 /* set up to notify upper layer */ 2173 *notification = SCTP_NOTIFY_ASSOC_UP; 2174 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2175 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 2176 (!SCTP_IS_LISTENING(inp))) { 2177 /* 2178 * This is an endpoint that called connect() how it got a 2179 * cookie that is NEW is a bit of a mystery. It must be that 2180 * the INIT was sent, but before it got there.. a complete 2181 * INIT/INIT-ACK/COOKIE arrived. But of course then it 2182 * should have went to the other code.. not here.. oh well.. 2183 * a bit of protection is worth having.. 2184 * 2185 * XXXMJ unlocked 2186 */ 2187 sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED); 2188 soisconnected(stcb->sctp_socket); 2189 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 2190 (SCTP_IS_LISTENING(inp))) { 2191 /* 2192 * We don't want to do anything with this one. Since it is 2193 * the listening guy. The timer will get started for 2194 * accepted connections in the caller. 2195 */ 2196 ; 2197 } 2198 if (stcb->asoc.sctp_autoclose_ticks && 2199 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2200 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 2201 } 2202 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 2203 *netp = sctp_findnet(stcb, init_src); 2204 if (*netp != NULL) { 2205 struct timeval old; 2206 2207 /* 2208 * Since we did not send a HB, make sure we don't double 2209 * things. 2210 */ 2211 (*netp)->hb_responded = 1; 2212 /* Calculate the RTT. */ 2213 old.tv_sec = cookie->time_entered.tv_sec; 2214 old.tv_usec = cookie->time_entered.tv_usec; 2215 sctp_calculate_rto(stcb, asoc, *netp, &old, SCTP_RTT_FROM_NON_DATA); 2216 } 2217 /* respond with a COOKIE-ACK */ 2218 sctp_send_cookie_ack(stcb); 2219 2220 /* 2221 * check the address lists for any ASCONFs that need to be sent 2222 * AFTER the cookie-ack is sent 2223 */ 2224 sctp_check_address_list(stcb, m, 2225 initack_offset + sizeof(struct sctp_init_ack_chunk), 2226 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 2227 &store.sa, cookie->local_scope, cookie->site_scope, 2228 cookie->ipv4_scope, cookie->loopback_scope); 2229 2230 return (stcb); 2231 } 2232 2233 /* 2234 * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e 2235 * we NEED to make sure we are not already using the vtag. If so we 2236 * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit! 2237 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag, 2238 SCTP_BASE_INFO(hashasocmark))]; 2239 LIST_FOREACH(stcb, head, sctp_asocs) { 2240 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep)) { 2241 -- SEND ABORT - TRY AGAIN -- 2242 } 2243 } 2244 */ 2245 2246 /* 2247 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 2248 * existing (non-NULL) TCB 2249 */ 2250 static struct mbuf * 2251 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 2252 struct sockaddr *src, struct sockaddr *dst, 2253 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 2254 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 2255 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 2256 struct sctp_tcb **locked_tcb, 2257 uint8_t mflowtype, uint32_t mflowid, 2258 uint32_t vrf_id, uint16_t port) 2259 { 2260 struct sctp_state_cookie *cookie; 2261 struct sctp_tcb *l_stcb = *stcb; 2262 struct sctp_inpcb *l_inp; 2263 struct sockaddr *to; 2264 struct sctp_pcb *ep; 2265 struct mbuf *m_sig; 2266 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 2267 uint8_t *sig; 2268 uint8_t cookie_ok = 0; 2269 unsigned int sig_offset, cookie_offset; 2270 unsigned int cookie_len; 2271 struct timeval now; 2272 struct timeval time_entered, time_expires; 2273 int notification = 0; 2274 struct sctp_nets *netl; 2275 int had_a_existing_tcb = 0; 2276 int send_int_conf = 0; 2277 #ifdef INET 2278 struct sockaddr_in sin; 2279 #endif 2280 #ifdef INET6 2281 struct sockaddr_in6 sin6; 2282 #endif 2283 2284 SCTPDBG(SCTP_DEBUG_INPUT2, 2285 "sctp_handle_cookie: handling COOKIE-ECHO\n"); 2286 2287 if (inp_p == NULL) { 2288 return (NULL); 2289 } 2290 cookie = &cp->cookie; 2291 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 2292 cookie_len = ntohs(cp->ch.chunk_length); 2293 2294 if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 2295 sizeof(struct sctp_init_chunk) + 2296 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 2297 /* cookie too small */ 2298 return (NULL); 2299 } 2300 if ((cookie->peerport != sh->src_port) || 2301 (cookie->myport != sh->dest_port) || 2302 (cookie->my_vtag != sh->v_tag)) { 2303 /* 2304 * invalid ports or bad tag. Note that we always leave the 2305 * v_tag in the header in network order and when we stored 2306 * it in the my_vtag slot we also left it in network order. 2307 * This maintains the match even though it may be in the 2308 * opposite byte order of the machine :-> 2309 */ 2310 return (NULL); 2311 } 2312 /* 2313 * split off the signature into its own mbuf (since it should not be 2314 * calculated in the sctp_hmac_m() call). 2315 */ 2316 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 2317 m_sig = m_split(m, sig_offset, M_NOWAIT); 2318 if (m_sig == NULL) { 2319 /* out of memory or ?? */ 2320 return (NULL); 2321 } 2322 #ifdef SCTP_MBUF_LOGGING 2323 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 2324 sctp_log_mbc(m_sig, SCTP_MBUF_SPLIT); 2325 } 2326 #endif 2327 2328 /* 2329 * compute the signature/digest for the cookie 2330 */ 2331 if (l_stcb != NULL) { 2332 atomic_add_int(&l_stcb->asoc.refcnt, 1); 2333 SCTP_TCB_UNLOCK(l_stcb); 2334 } 2335 l_inp = *inp_p; 2336 SCTP_INP_RLOCK(l_inp); 2337 if (l_stcb != NULL) { 2338 SCTP_TCB_LOCK(l_stcb); 2339 atomic_subtract_int(&l_stcb->asoc.refcnt, 1); 2340 } 2341 if (l_inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE | SCTP_PCB_FLAGS_SOCKET_ALLGONE)) { 2342 SCTP_INP_RUNLOCK(l_inp); 2343 sctp_m_freem(m_sig); 2344 return (NULL); 2345 } 2346 ep = &(*inp_p)->sctp_ep; 2347 /* which cookie is it? */ 2348 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 2349 (ep->current_secret_number != ep->last_secret_number)) { 2350 /* it's the old cookie */ 2351 (void)sctp_hmac_m(SCTP_HMAC, 2352 (uint8_t *)ep->secret_key[(int)ep->last_secret_number], 2353 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2354 } else { 2355 /* it's the current cookie */ 2356 (void)sctp_hmac_m(SCTP_HMAC, 2357 (uint8_t *)ep->secret_key[(int)ep->current_secret_number], 2358 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2359 } 2360 /* get the signature */ 2361 SCTP_INP_RUNLOCK(l_inp); 2362 sig = (uint8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *)&tmp_sig); 2363 if (sig == NULL) { 2364 /* couldn't find signature */ 2365 sctp_m_freem(m_sig); 2366 return (NULL); 2367 } 2368 /* compare the received digest with the computed digest */ 2369 if (timingsafe_bcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 2370 /* try the old cookie? */ 2371 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 2372 (ep->current_secret_number != ep->last_secret_number)) { 2373 /* compute digest with old */ 2374 (void)sctp_hmac_m(SCTP_HMAC, 2375 (uint8_t *)ep->secret_key[(int)ep->last_secret_number], 2376 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2377 /* compare */ 2378 if (timingsafe_bcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 2379 cookie_ok = 1; 2380 } 2381 } else { 2382 cookie_ok = 1; 2383 } 2384 2385 /* 2386 * Now before we continue we must reconstruct our mbuf so that 2387 * normal processing of any other chunks will work. 2388 */ 2389 { 2390 struct mbuf *m_at; 2391 2392 m_at = m; 2393 while (SCTP_BUF_NEXT(m_at) != NULL) { 2394 m_at = SCTP_BUF_NEXT(m_at); 2395 } 2396 SCTP_BUF_NEXT(m_at) = m_sig; 2397 } 2398 2399 if (cookie_ok == 0) { 2400 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n"); 2401 SCTPDBG(SCTP_DEBUG_INPUT2, 2402 "offset = %u, cookie_offset = %u, sig_offset = %u\n", 2403 (uint32_t)offset, cookie_offset, sig_offset); 2404 return (NULL); 2405 } 2406 2407 if (sctp_ticks_to_msecs(cookie->cookie_life) > SCTP_MAX_COOKIE_LIFE) { 2408 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: Invalid cookie lifetime\n"); 2409 return (NULL); 2410 } 2411 time_entered.tv_sec = cookie->time_entered.tv_sec; 2412 time_entered.tv_usec = cookie->time_entered.tv_usec; 2413 if ((time_entered.tv_sec < 0) || 2414 (time_entered.tv_usec < 0) || 2415 (time_entered.tv_usec >= 1000000)) { 2416 /* Invalid time stamp. Cookie must have been modified. */ 2417 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: Invalid time stamp\n"); 2418 return (NULL); 2419 } 2420 (void)SCTP_GETTIME_TIMEVAL(&now); 2421 if (timevalcmp(&now, &time_entered, <)) { 2422 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie generated in the future!\n"); 2423 return (NULL); 2424 } 2425 /* 2426 * Check the cookie timestamps to be sure it's not stale. 2427 * cookie_life is in ticks, so we convert to seconds. 2428 */ 2429 time_expires.tv_sec = time_entered.tv_sec + sctp_ticks_to_secs(cookie->cookie_life); 2430 time_expires.tv_usec = time_entered.tv_usec; 2431 if (timevalcmp(&now, &time_expires, >)) { 2432 /* cookie is stale! */ 2433 struct mbuf *op_err; 2434 struct sctp_error_stale_cookie *cause; 2435 struct timeval diff; 2436 uint32_t staleness; 2437 2438 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_error_stale_cookie), 2439 0, M_NOWAIT, 1, MT_DATA); 2440 if (op_err == NULL) { 2441 /* FOOBAR */ 2442 return (NULL); 2443 } 2444 /* Set the len */ 2445 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_error_stale_cookie); 2446 cause = mtod(op_err, struct sctp_error_stale_cookie *); 2447 cause->cause.code = htons(SCTP_CAUSE_STALE_COOKIE); 2448 cause->cause.length = htons(sizeof(struct sctp_error_stale_cookie)); 2449 diff = now; 2450 timevalsub(&diff, &time_expires); 2451 if ((uint32_t)diff.tv_sec > UINT32_MAX / 1000000) { 2452 staleness = UINT32_MAX; 2453 } else { 2454 staleness = (uint32_t)diff.tv_sec * 1000000; 2455 } 2456 if (UINT32_MAX - staleness >= (uint32_t)diff.tv_usec) { 2457 staleness += (uint32_t)diff.tv_usec; 2458 } else { 2459 staleness = UINT32_MAX; 2460 } 2461 cause->stale_time = htonl(staleness); 2462 sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err, 2463 mflowtype, mflowid, l_inp->fibnum, 2464 vrf_id, port); 2465 return (NULL); 2466 } 2467 /* 2468 * Now we must see with the lookup address if we have an existing 2469 * asoc. This will only happen if we were in the COOKIE-WAIT state 2470 * and a INIT collided with us and somewhere the peer sent the 2471 * cookie on another address besides the single address our assoc 2472 * had for him. In this case we will have one of the tie-tags set at 2473 * least AND the address field in the cookie can be used to look it 2474 * up. 2475 */ 2476 to = NULL; 2477 switch (cookie->addr_type) { 2478 #ifdef INET6 2479 case SCTP_IPV6_ADDRESS: 2480 memset(&sin6, 0, sizeof(sin6)); 2481 sin6.sin6_family = AF_INET6; 2482 sin6.sin6_len = sizeof(sin6); 2483 sin6.sin6_port = sh->src_port; 2484 sin6.sin6_scope_id = cookie->scope_id; 2485 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2486 sizeof(sin6.sin6_addr.s6_addr)); 2487 to = (struct sockaddr *)&sin6; 2488 break; 2489 #endif 2490 #ifdef INET 2491 case SCTP_IPV4_ADDRESS: 2492 memset(&sin, 0, sizeof(sin)); 2493 sin.sin_family = AF_INET; 2494 sin.sin_len = sizeof(sin); 2495 sin.sin_port = sh->src_port; 2496 sin.sin_addr.s_addr = cookie->address[0]; 2497 to = (struct sockaddr *)&sin; 2498 break; 2499 #endif 2500 default: 2501 /* This should not happen */ 2502 return (NULL); 2503 } 2504 if (*stcb == NULL) { 2505 /* Yep, lets check */ 2506 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, dst, NULL); 2507 if (*stcb == NULL) { 2508 /* 2509 * We should have only got back the same inp. If we 2510 * got back a different ep we have a problem. The 2511 * original findep got back l_inp and now 2512 */ 2513 if (l_inp != *inp_p) { 2514 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n"); 2515 } 2516 } else { 2517 if (*locked_tcb == NULL) { 2518 /* 2519 * In this case we found the assoc only 2520 * after we locked the create lock. This 2521 * means we are in a colliding case and we 2522 * must make sure that we unlock the tcb if 2523 * its one of the cases where we throw away 2524 * the incoming packets. 2525 */ 2526 *locked_tcb = *stcb; 2527 2528 /* 2529 * We must also increment the inp ref count 2530 * since the ref_count flags was set when we 2531 * did not find the TCB, now we found it 2532 * which reduces the refcount.. we must 2533 * raise it back out to balance it all :-) 2534 */ 2535 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2536 if ((*stcb)->sctp_ep != l_inp) { 2537 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n", 2538 (void *)(*stcb)->sctp_ep, (void *)l_inp); 2539 } 2540 } 2541 } 2542 } 2543 2544 cookie_len -= SCTP_SIGNATURE_SIZE; 2545 if (*stcb == NULL) { 2546 /* this is the "normal" case... get a new TCB */ 2547 *stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst, sh, 2548 cookie, cookie_len, *inp_p, 2549 netp, to, ¬ification, 2550 auth_skipped, auth_offset, auth_len, 2551 mflowtype, mflowid, 2552 vrf_id, port); 2553 } else { 2554 /* this is abnormal... cookie-echo on existing TCB */ 2555 had_a_existing_tcb = 1; 2556 *stcb = sctp_process_cookie_existing(m, iphlen, offset, 2557 src, dst, sh, 2558 cookie, cookie_len, *inp_p, *stcb, netp, to, 2559 ¬ification, auth_skipped, auth_offset, auth_len, 2560 mflowtype, mflowid, 2561 vrf_id, port); 2562 if (*stcb == NULL) { 2563 *locked_tcb = NULL; 2564 } 2565 } 2566 2567 if (*stcb == NULL) { 2568 /* still no TCB... must be bad cookie-echo */ 2569 return (NULL); 2570 } 2571 if (*netp != NULL) { 2572 (*netp)->flowtype = mflowtype; 2573 (*netp)->flowid = mflowid; 2574 } 2575 /* 2576 * Ok, we built an association so confirm the address we sent the 2577 * INIT-ACK to. 2578 */ 2579 netl = sctp_findnet(*stcb, to); 2580 /* 2581 * This code should in theory NOT run but 2582 */ 2583 if (netl == NULL) { 2584 /* TSNH! Huh, why do I need to add this address here? */ 2585 if (sctp_add_remote_addr(*stcb, to, NULL, port, 2586 SCTP_DONOT_SETSCOPE, SCTP_IN_COOKIE_PROC)) { 2587 return (NULL); 2588 } 2589 netl = sctp_findnet(*stcb, to); 2590 } 2591 if (netl) { 2592 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2593 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2594 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2595 netl); 2596 send_int_conf = 1; 2597 } 2598 } 2599 sctp_start_net_timers(*stcb); 2600 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2601 if (!had_a_existing_tcb || 2602 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2603 /* 2604 * If we have a NEW cookie or the connect never 2605 * reached the connected state during collision we 2606 * must do the TCP accept thing. 2607 */ 2608 struct socket *so, *oso; 2609 struct sctp_inpcb *inp; 2610 2611 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2612 /* 2613 * For a restart we will keep the same 2614 * socket, no need to do anything. I THINK!! 2615 */ 2616 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2617 if (send_int_conf) { 2618 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2619 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2620 } 2621 return (m); 2622 } 2623 oso = (*inp_p)->sctp_socket; 2624 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2625 SCTP_TCB_UNLOCK((*stcb)); 2626 CURVNET_SET(oso->so_vnet); 2627 so = sonewconn(oso, 0 2628 ); 2629 CURVNET_RESTORE(); 2630 SCTP_TCB_LOCK((*stcb)); 2631 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2632 2633 if (so == NULL) { 2634 struct mbuf *op_err; 2635 2636 /* Too many sockets */ 2637 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n"); 2638 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 2639 sctp_abort_association(*inp_p, NULL, m, iphlen, 2640 src, dst, sh, op_err, 2641 mflowtype, mflowid, 2642 vrf_id, port); 2643 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, 2644 SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2645 return (NULL); 2646 } 2647 inp = (struct sctp_inpcb *)so->so_pcb; 2648 SCTP_INP_INCR_REF(inp); 2649 /* 2650 * We add the unbound flag here so that if we get an 2651 * soabort() before we get the move_pcb done, we 2652 * will properly cleanup. 2653 */ 2654 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2655 SCTP_PCB_FLAGS_CONNECTED | 2656 SCTP_PCB_FLAGS_IN_TCPPOOL | 2657 SCTP_PCB_FLAGS_UNBOUND | 2658 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2659 SCTP_PCB_FLAGS_DONT_WAKE); 2660 inp->sctp_features = (*inp_p)->sctp_features; 2661 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features; 2662 inp->sctp_socket = so; 2663 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2664 inp->max_cwnd = (*inp_p)->max_cwnd; 2665 inp->sctp_cmt_on_off = (*inp_p)->sctp_cmt_on_off; 2666 inp->ecn_supported = (*inp_p)->ecn_supported; 2667 inp->prsctp_supported = (*inp_p)->prsctp_supported; 2668 inp->auth_supported = (*inp_p)->auth_supported; 2669 inp->asconf_supported = (*inp_p)->asconf_supported; 2670 inp->reconfig_supported = (*inp_p)->reconfig_supported; 2671 inp->nrsack_supported = (*inp_p)->nrsack_supported; 2672 inp->pktdrop_supported = (*inp_p)->pktdrop_supported; 2673 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2674 inp->sctp_context = (*inp_p)->sctp_context; 2675 inp->local_strreset_support = (*inp_p)->local_strreset_support; 2676 inp->fibnum = (*inp_p)->fibnum; 2677 /* 2678 * copy in the authentication parameters from the 2679 * original endpoint 2680 */ 2681 if (inp->sctp_ep.local_hmacs) 2682 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2683 inp->sctp_ep.local_hmacs = 2684 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2685 if (inp->sctp_ep.local_auth_chunks) 2686 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2687 inp->sctp_ep.local_auth_chunks = 2688 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2689 2690 /* 2691 * Now we must move it from one hash table to 2692 * another and get the tcb in the right place. 2693 */ 2694 2695 /* 2696 * This is where the one-2-one socket is put into 2697 * the accept state waiting for the accept! 2698 */ 2699 if (*stcb) { 2700 SCTP_ADD_SUBSTATE(*stcb, SCTP_STATE_IN_ACCEPT_QUEUE); 2701 } 2702 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2703 2704 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2705 SCTP_TCB_UNLOCK((*stcb)); 2706 2707 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, 2708 0); 2709 SCTP_TCB_LOCK((*stcb)); 2710 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2711 2712 /* 2713 * now we must check to see if we were aborted while 2714 * the move was going on and the lock/unlock 2715 * happened. 2716 */ 2717 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2718 /* 2719 * yep it was, we leave the assoc attached 2720 * to the socket since the sctp_inpcb_free() 2721 * call will send an abort for us. 2722 */ 2723 SCTP_INP_DECR_REF(inp); 2724 return (NULL); 2725 } 2726 SCTP_INP_DECR_REF(inp); 2727 /* Switch over to the new guy */ 2728 *inp_p = inp; 2729 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2730 if (send_int_conf) { 2731 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2732 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2733 } 2734 2735 /* 2736 * Pull it from the incomplete queue and wake the 2737 * guy 2738 */ 2739 soisconnected(so); 2740 return (m); 2741 } 2742 } 2743 if (notification) { 2744 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2745 } 2746 if (send_int_conf) { 2747 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2748 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2749 } 2750 return (m); 2751 } 2752 2753 static void 2754 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp SCTP_UNUSED, 2755 struct sctp_tcb *stcb, struct sctp_nets *net) 2756 { 2757 /* cp must not be used, others call this without a c-ack :-) */ 2758 struct sctp_association *asoc; 2759 struct sctp_tmit_chunk *chk; 2760 2761 SCTPDBG(SCTP_DEBUG_INPUT2, 2762 "sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2763 if ((stcb == NULL) || (net == NULL)) { 2764 return; 2765 } 2766 2767 asoc = &stcb->asoc; 2768 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 2769 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 2770 asoc->overall_error_count, 2771 0, 2772 SCTP_FROM_SCTP_INPUT, 2773 __LINE__); 2774 } 2775 asoc->overall_error_count = 0; 2776 sctp_stop_all_cookie_timers(stcb); 2777 /* process according to association state */ 2778 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED) { 2779 /* state change only needed when I am in right state */ 2780 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2781 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN); 2782 sctp_start_net_timers(stcb); 2783 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2784 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2785 stcb->sctp_ep, stcb, NULL); 2786 } 2787 /* update RTO */ 2788 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2789 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2790 if (asoc->overall_error_count == 0) { 2791 sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, 2792 SCTP_RTT_FROM_NON_DATA); 2793 } 2794 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2795 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2796 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2797 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2798 sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED); 2799 if ((stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) == 0) { 2800 soisconnected(stcb->sctp_socket); 2801 } 2802 } 2803 /* 2804 * since we did not send a HB make sure we don't double 2805 * things 2806 */ 2807 net->hb_responded = 1; 2808 2809 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 2810 /* 2811 * We don't need to do the asconf thing, nor hb or 2812 * autoclose if the socket is closed. 2813 */ 2814 goto closed_socket; 2815 } 2816 2817 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2818 stcb, net); 2819 2820 if (stcb->asoc.sctp_autoclose_ticks && 2821 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2822 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2823 stcb->sctp_ep, stcb, NULL); 2824 } 2825 /* 2826 * send ASCONF if parameters are pending and ASCONFs are 2827 * allowed (eg. addresses changed when init/cookie echo were 2828 * in flight) 2829 */ 2830 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2831 (stcb->asoc.asconf_supported == 1) && 2832 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2833 #ifdef SCTP_TIMER_BASED_ASCONF 2834 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2835 stcb->sctp_ep, stcb, 2836 stcb->asoc.primary_destination); 2837 #else 2838 sctp_send_asconf(stcb, stcb->asoc.primary_destination, 2839 SCTP_ADDR_NOT_LOCKED); 2840 #endif 2841 } 2842 } 2843 closed_socket: 2844 /* Toss the cookie if I can */ 2845 sctp_toss_old_cookies(stcb, asoc); 2846 /* Restart the timer if we have pending data */ 2847 TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) { 2848 if (chk->whoTo != NULL) { 2849 break; 2850 } 2851 } 2852 if (chk != NULL) { 2853 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo); 2854 } 2855 } 2856 2857 static void 2858 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2859 struct sctp_tcb *stcb) 2860 { 2861 struct sctp_nets *net; 2862 struct sctp_tmit_chunk *lchk; 2863 struct sctp_ecne_chunk bkup; 2864 uint8_t override_bit; 2865 uint32_t tsn, window_data_tsn; 2866 int len; 2867 unsigned int pkt_cnt; 2868 2869 len = ntohs(cp->ch.chunk_length); 2870 if (len == sizeof(struct old_sctp_ecne_chunk)) { 2871 /* Its the old format */ 2872 memcpy(&bkup, cp, sizeof(struct old_sctp_ecne_chunk)); 2873 bkup.num_pkts_since_cwr = htonl(1); 2874 cp = &bkup; 2875 } 2876 SCTP_STAT_INCR(sctps_recvecne); 2877 tsn = ntohl(cp->tsn); 2878 pkt_cnt = ntohl(cp->num_pkts_since_cwr); 2879 lchk = TAILQ_LAST(&stcb->asoc.send_queue, sctpchunk_listhead); 2880 if (lchk == NULL) { 2881 window_data_tsn = stcb->asoc.sending_seq - 1; 2882 } else { 2883 window_data_tsn = lchk->rec.data.tsn; 2884 } 2885 2886 /* Find where it was sent to if possible. */ 2887 net = NULL; 2888 TAILQ_FOREACH(lchk, &stcb->asoc.sent_queue, sctp_next) { 2889 if (lchk->rec.data.tsn == tsn) { 2890 net = lchk->whoTo; 2891 net->ecn_prev_cwnd = lchk->rec.data.cwnd_at_send; 2892 break; 2893 } 2894 if (SCTP_TSN_GT(lchk->rec.data.tsn, tsn)) { 2895 break; 2896 } 2897 } 2898 if (net == NULL) { 2899 /* 2900 * What to do. A previous send of a CWR was possibly lost. 2901 * See how old it is, we may have it marked on the actual 2902 * net. 2903 */ 2904 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 2905 if (tsn == net->last_cwr_tsn) { 2906 /* Found him, send it off */ 2907 break; 2908 } 2909 } 2910 if (net == NULL) { 2911 /* 2912 * If we reach here, we need to send a special CWR 2913 * that says hey, we did this a long time ago and 2914 * you lost the response. 2915 */ 2916 net = TAILQ_FIRST(&stcb->asoc.nets); 2917 if (net == NULL) { 2918 /* TSNH */ 2919 return; 2920 } 2921 override_bit = SCTP_CWR_REDUCE_OVERRIDE; 2922 } else { 2923 override_bit = 0; 2924 } 2925 } else { 2926 override_bit = 0; 2927 } 2928 if (SCTP_TSN_GT(tsn, net->cwr_window_tsn) && 2929 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) { 2930 /* 2931 * JRS - Use the congestion control given in the pluggable 2932 * CC module 2933 */ 2934 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 0, pkt_cnt); 2935 /* 2936 * We reduce once every RTT. So we will only lower cwnd at 2937 * the next sending seq i.e. the window_data_tsn 2938 */ 2939 net->cwr_window_tsn = window_data_tsn; 2940 net->ecn_ce_pkt_cnt += pkt_cnt; 2941 net->lost_cnt = pkt_cnt; 2942 net->last_cwr_tsn = tsn; 2943 } else { 2944 override_bit |= SCTP_CWR_IN_SAME_WINDOW; 2945 if (SCTP_TSN_GT(tsn, net->last_cwr_tsn) && 2946 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) { 2947 /* 2948 * Another loss in the same window update how many 2949 * marks/packets lost we have had. 2950 */ 2951 int cnt = 1; 2952 2953 if (pkt_cnt > net->lost_cnt) { 2954 /* Should be the case */ 2955 cnt = (pkt_cnt - net->lost_cnt); 2956 net->ecn_ce_pkt_cnt += cnt; 2957 } 2958 net->lost_cnt = pkt_cnt; 2959 net->last_cwr_tsn = tsn; 2960 /* 2961 * Most CC functions will ignore this call, since we 2962 * are in-window yet of the initial CE the peer saw. 2963 */ 2964 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 1, cnt); 2965 } 2966 } 2967 /* 2968 * We always send a CWR this way if our previous one was lost our 2969 * peer will get an update, or if it is not time again to reduce we 2970 * still get the cwr to the peer. Note we set the override when we 2971 * could not find the TSN on the chunk or the destination network. 2972 */ 2973 sctp_send_cwr(stcb, net, net->last_cwr_tsn, override_bit); 2974 } 2975 2976 static void 2977 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb, struct sctp_nets *net) 2978 { 2979 /* 2980 * Here we get a CWR from the peer. We must look in the outqueue and 2981 * make sure that we have a covered ECNE in the control chunk part. 2982 * If so remove it. 2983 */ 2984 struct sctp_tmit_chunk *chk, *nchk; 2985 struct sctp_ecne_chunk *ecne; 2986 int override; 2987 uint32_t cwr_tsn; 2988 2989 cwr_tsn = ntohl(cp->tsn); 2990 override = cp->ch.chunk_flags & SCTP_CWR_REDUCE_OVERRIDE; 2991 TAILQ_FOREACH_SAFE(chk, &stcb->asoc.control_send_queue, sctp_next, nchk) { 2992 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2993 continue; 2994 } 2995 if ((override == 0) && (chk->whoTo != net)) { 2996 /* Must be from the right src unless override is set */ 2997 continue; 2998 } 2999 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 3000 if (SCTP_TSN_GE(cwr_tsn, ntohl(ecne->tsn))) { 3001 /* this covers this ECNE, we can remove it */ 3002 stcb->asoc.ecn_echo_cnt_onq--; 3003 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 3004 sctp_next); 3005 stcb->asoc.ctrl_queue_cnt--; 3006 sctp_m_freem(chk->data); 3007 chk->data = NULL; 3008 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 3009 if (override == 0) { 3010 break; 3011 } 3012 } 3013 } 3014 } 3015 3016 static void 3017 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp SCTP_UNUSED, 3018 struct sctp_tcb *stcb, struct sctp_nets *net) 3019 { 3020 3021 SCTPDBG(SCTP_DEBUG_INPUT2, 3022 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 3023 if (stcb == NULL) 3024 return; 3025 3026 /* process according to association state */ 3027 if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 3028 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 3029 SCTPDBG(SCTP_DEBUG_INPUT2, 3030 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n"); 3031 SCTP_TCB_UNLOCK(stcb); 3032 return; 3033 } 3034 /* notify upper layer protocol */ 3035 if (stcb->sctp_socket) { 3036 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 3037 } 3038 #ifdef INVARIANTS 3039 if (!TAILQ_EMPTY(&stcb->asoc.send_queue) || 3040 !TAILQ_EMPTY(&stcb->asoc.sent_queue) || 3041 sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED)) { 3042 panic("Queues are not empty when handling SHUTDOWN-COMPLETE"); 3043 } 3044 #endif 3045 /* stop the timer */ 3046 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, 3047 SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 3048 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 3049 /* free the TCB */ 3050 SCTPDBG(SCTP_DEBUG_INPUT2, 3051 "sctp_handle_shutdown_complete: calls free-asoc\n"); 3052 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 3053 SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 3054 return; 3055 } 3056 3057 static int 3058 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 3059 struct sctp_nets *net, uint8_t flg) 3060 { 3061 switch (desc->chunk_type) { 3062 case SCTP_DATA: 3063 case SCTP_IDATA: 3064 /* find the tsn to resend (possibly) */ 3065 { 3066 uint32_t tsn; 3067 struct sctp_tmit_chunk *tp1; 3068 3069 tsn = ntohl(desc->tsn_ifany); 3070 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3071 if (tp1->rec.data.tsn == tsn) { 3072 /* found it */ 3073 break; 3074 } 3075 if (SCTP_TSN_GT(tp1->rec.data.tsn, tsn)) { 3076 /* not found */ 3077 tp1 = NULL; 3078 break; 3079 } 3080 } 3081 if (tp1 == NULL) { 3082 /* 3083 * Do it the other way , aka without paying 3084 * attention to queue seq order. 3085 */ 3086 SCTP_STAT_INCR(sctps_pdrpdnfnd); 3087 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3088 if (tp1->rec.data.tsn == tsn) { 3089 /* found it */ 3090 break; 3091 } 3092 } 3093 } 3094 if (tp1 == NULL) { 3095 SCTP_STAT_INCR(sctps_pdrptsnnf); 3096 } 3097 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 3098 if (((flg & SCTP_BADCRC) == 0) && 3099 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 3100 return (0); 3101 } 3102 if ((stcb->asoc.peers_rwnd == 0) && 3103 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 3104 SCTP_STAT_INCR(sctps_pdrpdiwnp); 3105 return (0); 3106 } 3107 if (stcb->asoc.peers_rwnd == 0 && 3108 (flg & SCTP_FROM_MIDDLE_BOX)) { 3109 SCTP_STAT_INCR(sctps_pdrpdizrw); 3110 return (0); 3111 } 3112 if ((uint32_t)SCTP_BUF_LEN(tp1->data) < 3113 SCTP_DATA_CHUNK_OVERHEAD(stcb) + SCTP_NUM_DB_TO_VERIFY) { 3114 /* Payload not matching. */ 3115 SCTP_STAT_INCR(sctps_pdrpbadd); 3116 return (-1); 3117 } 3118 if (memcmp(mtod(tp1->data, caddr_t)+SCTP_DATA_CHUNK_OVERHEAD(stcb), 3119 desc->data_bytes, SCTP_NUM_DB_TO_VERIFY) != 0) { 3120 /* Payload not matching. */ 3121 SCTP_STAT_INCR(sctps_pdrpbadd); 3122 return (-1); 3123 } 3124 if (tp1->do_rtt) { 3125 /* 3126 * this guy had a RTO calculation 3127 * pending on it, cancel it 3128 */ 3129 if (tp1->whoTo->rto_needed == 0) { 3130 tp1->whoTo->rto_needed = 1; 3131 } 3132 tp1->do_rtt = 0; 3133 } 3134 SCTP_STAT_INCR(sctps_pdrpmark); 3135 if (tp1->sent != SCTP_DATAGRAM_RESEND) 3136 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3137 /* 3138 * mark it as if we were doing a FR, since 3139 * we will be getting gap ack reports behind 3140 * the info from the router. 3141 */ 3142 tp1->rec.data.doing_fast_retransmit = 1; 3143 /* 3144 * mark the tsn with what sequences can 3145 * cause a new FR. 3146 */ 3147 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 3148 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 3149 } else { 3150 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.tsn; 3151 } 3152 3153 /* restart the timer */ 3154 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 3155 stcb, tp1->whoTo, 3156 SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3157 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 3158 stcb, tp1->whoTo); 3159 3160 /* fix counts and things */ 3161 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3162 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 3163 tp1->whoTo->flight_size, 3164 tp1->book_size, 3165 (uint32_t)(uintptr_t)stcb, 3166 tp1->rec.data.tsn); 3167 } 3168 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3169 sctp_flight_size_decrease(tp1); 3170 sctp_total_flight_decrease(stcb, tp1); 3171 } 3172 tp1->sent = SCTP_DATAGRAM_RESEND; 3173 } { 3174 /* audit code */ 3175 unsigned int audit; 3176 3177 audit = 0; 3178 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3179 if (tp1->sent == SCTP_DATAGRAM_RESEND) 3180 audit++; 3181 } 3182 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 3183 sctp_next) { 3184 if (tp1->sent == SCTP_DATAGRAM_RESEND) 3185 audit++; 3186 } 3187 if (audit != stcb->asoc.sent_queue_retran_cnt) { 3188 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n", 3189 audit, stcb->asoc.sent_queue_retran_cnt); 3190 #ifndef SCTP_AUDITING_ENABLED 3191 stcb->asoc.sent_queue_retran_cnt = audit; 3192 #endif 3193 } 3194 } 3195 } 3196 break; 3197 case SCTP_ASCONF: 3198 { 3199 struct sctp_tmit_chunk *asconf; 3200 3201 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 3202 sctp_next) { 3203 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 3204 break; 3205 } 3206 } 3207 if (asconf) { 3208 if (asconf->sent != SCTP_DATAGRAM_RESEND) 3209 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3210 asconf->sent = SCTP_DATAGRAM_RESEND; 3211 asconf->snd_count--; 3212 } 3213 } 3214 break; 3215 case SCTP_INITIATION: 3216 /* resend the INIT */ 3217 stcb->asoc.dropped_special_cnt++; 3218 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 3219 /* 3220 * If we can get it in, in a few attempts we do 3221 * this, otherwise we let the timer fire. 3222 */ 3223 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 3224 stcb, net, 3225 SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 3226 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 3227 } 3228 break; 3229 case SCTP_SELECTIVE_ACK: 3230 case SCTP_NR_SELECTIVE_ACK: 3231 /* resend the sack */ 3232 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED); 3233 break; 3234 case SCTP_HEARTBEAT_REQUEST: 3235 /* resend a demand HB */ 3236 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) { 3237 /* 3238 * Only retransmit if we KNOW we wont destroy the 3239 * tcb 3240 */ 3241 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED); 3242 } 3243 break; 3244 case SCTP_SHUTDOWN: 3245 sctp_send_shutdown(stcb, net); 3246 break; 3247 case SCTP_SHUTDOWN_ACK: 3248 sctp_send_shutdown_ack(stcb, net); 3249 break; 3250 case SCTP_COOKIE_ECHO: 3251 { 3252 struct sctp_tmit_chunk *cookie; 3253 3254 cookie = NULL; 3255 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 3256 sctp_next) { 3257 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 3258 break; 3259 } 3260 } 3261 if (cookie) { 3262 if (cookie->sent != SCTP_DATAGRAM_RESEND) 3263 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3264 cookie->sent = SCTP_DATAGRAM_RESEND; 3265 sctp_stop_all_cookie_timers(stcb); 3266 } 3267 } 3268 break; 3269 case SCTP_COOKIE_ACK: 3270 sctp_send_cookie_ack(stcb); 3271 break; 3272 case SCTP_ASCONF_ACK: 3273 /* resend last asconf ack */ 3274 sctp_send_asconf_ack(stcb); 3275 break; 3276 case SCTP_IFORWARD_CUM_TSN: 3277 case SCTP_FORWARD_CUM_TSN: 3278 send_forward_tsn(stcb, &stcb->asoc); 3279 break; 3280 /* can't do anything with these */ 3281 case SCTP_PACKET_DROPPED: 3282 case SCTP_INITIATION_ACK: /* this should not happen */ 3283 case SCTP_HEARTBEAT_ACK: 3284 case SCTP_ABORT_ASSOCIATION: 3285 case SCTP_OPERATION_ERROR: 3286 case SCTP_SHUTDOWN_COMPLETE: 3287 case SCTP_ECN_ECHO: 3288 case SCTP_ECN_CWR: 3289 default: 3290 break; 3291 } 3292 return (0); 3293 } 3294 3295 void 3296 sctp_reset_in_stream(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list) 3297 { 3298 uint32_t i; 3299 uint16_t temp; 3300 3301 /* 3302 * We set things to 0xffffffff since this is the last delivered 3303 * sequence and we will be sending in 0 after the reset. 3304 */ 3305 3306 if (number_entries) { 3307 for (i = 0; i < number_entries; i++) { 3308 temp = ntohs(list[i]); 3309 if (temp >= stcb->asoc.streamincnt) { 3310 continue; 3311 } 3312 stcb->asoc.strmin[temp].last_mid_delivered = 0xffffffff; 3313 } 3314 } else { 3315 list = NULL; 3316 for (i = 0; i < stcb->asoc.streamincnt; i++) { 3317 stcb->asoc.strmin[i].last_mid_delivered = 0xffffffff; 3318 } 3319 } 3320 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3321 } 3322 3323 static void 3324 sctp_reset_out_streams(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list) 3325 { 3326 uint32_t i; 3327 uint16_t temp; 3328 3329 if (number_entries > 0) { 3330 for (i = 0; i < number_entries; i++) { 3331 temp = ntohs(list[i]); 3332 if (temp >= stcb->asoc.streamoutcnt) { 3333 /* no such stream */ 3334 continue; 3335 } 3336 stcb->asoc.strmout[temp].next_mid_ordered = 0; 3337 stcb->asoc.strmout[temp].next_mid_unordered = 0; 3338 } 3339 } else { 3340 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 3341 stcb->asoc.strmout[i].next_mid_ordered = 0; 3342 stcb->asoc.strmout[i].next_mid_unordered = 0; 3343 } 3344 } 3345 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3346 } 3347 3348 static void 3349 sctp_reset_clear_pending(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list) 3350 { 3351 uint32_t i; 3352 uint16_t temp; 3353 3354 if (number_entries > 0) { 3355 for (i = 0; i < number_entries; i++) { 3356 temp = ntohs(list[i]); 3357 if (temp >= stcb->asoc.streamoutcnt) { 3358 /* no such stream */ 3359 continue; 3360 } 3361 stcb->asoc.strmout[temp].state = SCTP_STREAM_OPEN; 3362 } 3363 } else { 3364 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 3365 stcb->asoc.strmout[i].state = SCTP_STREAM_OPEN; 3366 } 3367 } 3368 } 3369 3370 struct sctp_stream_reset_request * 3371 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 3372 { 3373 struct sctp_association *asoc; 3374 struct sctp_chunkhdr *ch; 3375 struct sctp_stream_reset_request *r; 3376 struct sctp_tmit_chunk *chk; 3377 int len, clen; 3378 3379 asoc = &stcb->asoc; 3380 chk = asoc->str_reset; 3381 if (TAILQ_EMPTY(&asoc->control_send_queue) || 3382 (chk == NULL)) { 3383 asoc->stream_reset_outstanding = 0; 3384 return (NULL); 3385 } 3386 if (chk->data == NULL) { 3387 return (NULL); 3388 } 3389 if (bchk != NULL) { 3390 /* he wants a copy of the chk pointer */ 3391 *bchk = chk; 3392 } 3393 clen = chk->send_size; 3394 ch = mtod(chk->data, struct sctp_chunkhdr *); 3395 r = (struct sctp_stream_reset_request *)(ch + 1); 3396 if (ntohl(r->request_seq) == seq) { 3397 /* found it */ 3398 return (r); 3399 } 3400 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 3401 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 3402 /* move to the next one, there can only be a max of two */ 3403 r = (struct sctp_stream_reset_request *)((caddr_t)r + len); 3404 if (ntohl(r->request_seq) == seq) { 3405 return (r); 3406 } 3407 } 3408 /* that seq is not here */ 3409 return (NULL); 3410 } 3411 3412 static void 3413 sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 3414 { 3415 struct sctp_association *asoc; 3416 struct sctp_tmit_chunk *chk; 3417 3418 asoc = &stcb->asoc; 3419 chk = asoc->str_reset; 3420 if (chk == NULL) { 3421 return; 3422 } 3423 asoc->str_reset = NULL; 3424 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, 3425 NULL, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28); 3426 TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next); 3427 asoc->ctrl_queue_cnt--; 3428 if (chk->data) { 3429 sctp_m_freem(chk->data); 3430 chk->data = NULL; 3431 } 3432 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 3433 } 3434 3435 static int 3436 sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 3437 uint32_t seq, uint32_t action, 3438 struct sctp_stream_reset_response *respin) 3439 { 3440 uint16_t type; 3441 int lparam_len; 3442 struct sctp_association *asoc = &stcb->asoc; 3443 struct sctp_tmit_chunk *chk; 3444 struct sctp_stream_reset_request *req_param; 3445 struct sctp_stream_reset_out_request *req_out_param; 3446 struct sctp_stream_reset_in_request *req_in_param; 3447 uint32_t number_entries; 3448 3449 if (asoc->stream_reset_outstanding == 0) { 3450 /* duplicate */ 3451 return (0); 3452 } 3453 if (seq == stcb->asoc.str_reset_seq_out) { 3454 req_param = sctp_find_stream_reset(stcb, seq, &chk); 3455 if (req_param != NULL) { 3456 stcb->asoc.str_reset_seq_out++; 3457 type = ntohs(req_param->ph.param_type); 3458 lparam_len = ntohs(req_param->ph.param_length); 3459 if (type == SCTP_STR_RESET_OUT_REQUEST) { 3460 int no_clear = 0; 3461 3462 req_out_param = (struct sctp_stream_reset_out_request *)req_param; 3463 number_entries = (lparam_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 3464 asoc->stream_reset_out_is_outstanding = 0; 3465 if (asoc->stream_reset_outstanding) 3466 asoc->stream_reset_outstanding--; 3467 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) { 3468 /* do it */ 3469 sctp_reset_out_streams(stcb, number_entries, req_out_param->list_of_streams); 3470 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) { 3471 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED); 3472 } else if (action == SCTP_STREAM_RESET_RESULT_IN_PROGRESS) { 3473 /* 3474 * Set it up so we don't stop 3475 * retransmitting 3476 */ 3477 asoc->stream_reset_outstanding++; 3478 stcb->asoc.str_reset_seq_out--; 3479 asoc->stream_reset_out_is_outstanding = 1; 3480 no_clear = 1; 3481 } else { 3482 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED); 3483 } 3484 if (no_clear == 0) { 3485 sctp_reset_clear_pending(stcb, number_entries, req_out_param->list_of_streams); 3486 } 3487 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 3488 req_in_param = (struct sctp_stream_reset_in_request *)req_param; 3489 number_entries = (lparam_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 3490 if (asoc->stream_reset_outstanding) 3491 asoc->stream_reset_outstanding--; 3492 if (action == SCTP_STREAM_RESET_RESULT_DENIED) { 3493 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_IN, stcb, 3494 number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED); 3495 } else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) { 3496 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, 3497 number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED); 3498 } 3499 } else if (type == SCTP_STR_RESET_ADD_OUT_STREAMS) { 3500 /* Ok we now may have more streams */ 3501 int num_stream; 3502 3503 num_stream = stcb->asoc.strm_pending_add_size; 3504 if (num_stream > (stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt)) { 3505 /* TSNH */ 3506 num_stream = stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt; 3507 } 3508 stcb->asoc.strm_pending_add_size = 0; 3509 if (asoc->stream_reset_outstanding) 3510 asoc->stream_reset_outstanding--; 3511 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) { 3512 /* Put the new streams into effect */ 3513 int i; 3514 3515 for (i = asoc->streamoutcnt; i < (asoc->streamoutcnt + num_stream); i++) { 3516 asoc->strmout[i].state = SCTP_STREAM_OPEN; 3517 } 3518 asoc->streamoutcnt += num_stream; 3519 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0); 3520 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) { 3521 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 3522 SCTP_STREAM_CHANGE_DENIED); 3523 } else { 3524 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 3525 SCTP_STREAM_CHANGE_FAILED); 3526 } 3527 } else if (type == SCTP_STR_RESET_ADD_IN_STREAMS) { 3528 if (asoc->stream_reset_outstanding) 3529 asoc->stream_reset_outstanding--; 3530 if (action == SCTP_STREAM_RESET_RESULT_DENIED) { 3531 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 3532 SCTP_STREAM_CHANGE_DENIED); 3533 } else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) { 3534 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 3535 SCTP_STREAM_CHANGE_FAILED); 3536 } 3537 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 3538 /** 3539 * a) Adopt the new in tsn. 3540 * b) reset the map 3541 * c) Adopt the new out-tsn 3542 */ 3543 struct sctp_stream_reset_response_tsn *resp; 3544 struct sctp_forward_tsn_chunk fwdtsn; 3545 int abort_flag = 0; 3546 3547 if (respin == NULL) { 3548 /* huh ? */ 3549 return (0); 3550 } 3551 if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) { 3552 return (0); 3553 } 3554 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) { 3555 resp = (struct sctp_stream_reset_response_tsn *)respin; 3556 asoc->stream_reset_outstanding--; 3557 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3558 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3559 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 3560 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3561 if (abort_flag) { 3562 return (1); 3563 } 3564 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 3565 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 3566 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 3567 } 3568 3569 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3570 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 3571 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3572 3573 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map; 3574 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size); 3575 3576 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 3577 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 3578 3579 sctp_reset_out_streams(stcb, 0, (uint16_t *)NULL); 3580 sctp_reset_in_stream(stcb, 0, (uint16_t *)NULL); 3581 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1), 0); 3582 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) { 3583 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1), 3584 SCTP_ASSOC_RESET_DENIED); 3585 } else { 3586 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1), 3587 SCTP_ASSOC_RESET_FAILED); 3588 } 3589 } 3590 /* get rid of the request and get the request flags */ 3591 if (asoc->stream_reset_outstanding == 0) { 3592 sctp_clean_up_stream_reset(stcb); 3593 } 3594 } 3595 } 3596 if (asoc->stream_reset_outstanding == 0) { 3597 sctp_send_stream_reset_out_if_possible(stcb, SCTP_SO_NOT_LOCKED); 3598 } 3599 return (0); 3600 } 3601 3602 static void 3603 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 3604 struct sctp_tmit_chunk *chk, 3605 struct sctp_stream_reset_in_request *req, int trunc) 3606 { 3607 uint32_t seq; 3608 int len, i; 3609 int number_entries; 3610 uint16_t temp; 3611 3612 /* 3613 * peer wants me to send a str-reset to him for my outgoing seq's if 3614 * seq_in is right. 3615 */ 3616 struct sctp_association *asoc = &stcb->asoc; 3617 3618 seq = ntohl(req->request_seq); 3619 if (asoc->str_reset_seq_in == seq) { 3620 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3621 if ((asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ) == 0) { 3622 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3623 } else if (trunc) { 3624 /* Can't do it, since they exceeded our buffer size */ 3625 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3626 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 3627 len = ntohs(req->ph.param_length); 3628 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 3629 if (number_entries) { 3630 for (i = 0; i < number_entries; i++) { 3631 temp = ntohs(req->list_of_streams[i]); 3632 if (temp >= stcb->asoc.streamoutcnt) { 3633 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3634 goto bad_boy; 3635 } 3636 req->list_of_streams[i] = temp; 3637 } 3638 for (i = 0; i < number_entries; i++) { 3639 if (stcb->asoc.strmout[req->list_of_streams[i]].state == SCTP_STREAM_OPEN) { 3640 stcb->asoc.strmout[req->list_of_streams[i]].state = SCTP_STREAM_RESET_PENDING; 3641 } 3642 } 3643 } else { 3644 /* Its all */ 3645 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 3646 if (stcb->asoc.strmout[i].state == SCTP_STREAM_OPEN) 3647 stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_PENDING; 3648 } 3649 } 3650 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED; 3651 } else { 3652 /* Can't do it, since we have sent one out */ 3653 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS; 3654 } 3655 bad_boy: 3656 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3657 asoc->str_reset_seq_in++; 3658 } else if (asoc->str_reset_seq_in - 1 == seq) { 3659 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3660 } else if (asoc->str_reset_seq_in - 2 == seq) { 3661 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3662 } else { 3663 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO); 3664 } 3665 sctp_send_stream_reset_out_if_possible(stcb, SCTP_SO_NOT_LOCKED); 3666 } 3667 3668 static int 3669 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 3670 struct sctp_tmit_chunk *chk, 3671 struct sctp_stream_reset_tsn_request *req) 3672 { 3673 /* reset all in and out and update the tsn */ 3674 /* 3675 * A) reset my str-seq's on in and out. B) Select a receive next, 3676 * and set cum-ack to it. Also process this selected number as a 3677 * fwd-tsn as well. C) set in the response my next sending seq. 3678 */ 3679 struct sctp_forward_tsn_chunk fwdtsn; 3680 struct sctp_association *asoc = &stcb->asoc; 3681 int abort_flag = 0; 3682 uint32_t seq; 3683 3684 seq = ntohl(req->request_seq); 3685 if (asoc->str_reset_seq_in == seq) { 3686 asoc->last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3687 if ((asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ) == 0) { 3688 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3689 } else { 3690 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3691 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3692 fwdtsn.ch.chunk_flags = 0; 3693 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3694 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3695 if (abort_flag) { 3696 return (1); 3697 } 3698 asoc->highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3699 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 3700 sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 3701 } 3702 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->highest_tsn_inside_map; 3703 asoc->mapping_array_base_tsn = asoc->highest_tsn_inside_map + 1; 3704 memset(asoc->mapping_array, 0, asoc->mapping_array_size); 3705 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map; 3706 memset(asoc->nr_mapping_array, 0, asoc->mapping_array_size); 3707 atomic_add_int(&asoc->sending_seq, 1); 3708 /* save off historical data for retrans */ 3709 asoc->last_sending_seq[1] = asoc->last_sending_seq[0]; 3710 asoc->last_sending_seq[0] = asoc->sending_seq; 3711 asoc->last_base_tsnsent[1] = asoc->last_base_tsnsent[0]; 3712 asoc->last_base_tsnsent[0] = asoc->mapping_array_base_tsn; 3713 sctp_reset_out_streams(stcb, 0, (uint16_t *)NULL); 3714 sctp_reset_in_stream(stcb, 0, (uint16_t *)NULL); 3715 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED; 3716 sctp_notify_stream_reset_tsn(stcb, asoc->sending_seq, (asoc->mapping_array_base_tsn + 1), 0); 3717 } 3718 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3719 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]); 3720 asoc->str_reset_seq_in++; 3721 } else if (asoc->str_reset_seq_in - 1 == seq) { 3722 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3723 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]); 3724 } else if (asoc->str_reset_seq_in - 2 == seq) { 3725 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3726 asoc->last_sending_seq[1], asoc->last_base_tsnsent[1]); 3727 } else { 3728 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO); 3729 } 3730 return (0); 3731 } 3732 3733 static void 3734 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3735 struct sctp_tmit_chunk *chk, 3736 struct sctp_stream_reset_out_request *req, int trunc) 3737 { 3738 uint32_t seq, tsn; 3739 int number_entries, len; 3740 struct sctp_association *asoc = &stcb->asoc; 3741 3742 seq = ntohl(req->request_seq); 3743 3744 /* now if its not a duplicate we process it */ 3745 if (asoc->str_reset_seq_in == seq) { 3746 len = ntohs(req->ph.param_length); 3747 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3748 /* 3749 * the sender is resetting, handle the list issue.. we must 3750 * a) verify if we can do the reset, if so no problem b) If 3751 * we can't do the reset we must copy the request. c) queue 3752 * it, and setup the data in processor to trigger it off 3753 * when needed and dequeue all the queued data. 3754 */ 3755 tsn = ntohl(req->send_reset_at_tsn); 3756 3757 /* move the reset action back one */ 3758 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3759 if ((asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ) == 0) { 3760 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3761 } else if (trunc) { 3762 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3763 } else if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) { 3764 /* we can do it now */ 3765 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3766 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED; 3767 } else { 3768 /* 3769 * we must queue it up and thus wait for the TSN's 3770 * to arrive that are at or before tsn 3771 */ 3772 struct sctp_stream_reset_list *liste; 3773 int siz; 3774 3775 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3776 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3777 siz, SCTP_M_STRESET); 3778 if (liste == NULL) { 3779 /* gak out of memory */ 3780 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3781 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3782 return; 3783 } 3784 liste->seq = seq; 3785 liste->tsn = tsn; 3786 liste->number_entries = number_entries; 3787 memcpy(&liste->list_of_streams, req->list_of_streams, number_entries * sizeof(uint16_t)); 3788 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3789 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_IN_PROGRESS; 3790 } 3791 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3792 asoc->str_reset_seq_in++; 3793 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3794 /* 3795 * one seq back, just echo back last action since my 3796 * response was lost. 3797 */ 3798 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3799 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3800 /* 3801 * two seq back, just echo back last action since my 3802 * response was lost. 3803 */ 3804 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3805 } else { 3806 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO); 3807 } 3808 } 3809 3810 static void 3811 sctp_handle_str_reset_add_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk, 3812 struct sctp_stream_reset_add_strm *str_add) 3813 { 3814 /* 3815 * Peer is requesting to add more streams. If its within our 3816 * max-streams we will allow it. 3817 */ 3818 uint32_t num_stream, i; 3819 uint32_t seq; 3820 struct sctp_association *asoc = &stcb->asoc; 3821 struct sctp_queued_to_read *ctl, *nctl; 3822 3823 /* Get the number. */ 3824 seq = ntohl(str_add->request_seq); 3825 num_stream = ntohs(str_add->number_of_streams); 3826 /* Now what would be the new total? */ 3827 if (asoc->str_reset_seq_in == seq) { 3828 num_stream += stcb->asoc.streamincnt; 3829 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3830 if ((asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ) == 0) { 3831 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3832 } else if ((num_stream > stcb->asoc.max_inbound_streams) || 3833 (num_stream > 0xffff)) { 3834 /* We must reject it they ask for to many */ 3835 denied: 3836 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3837 } else { 3838 /* Ok, we can do that :-) */ 3839 struct sctp_stream_in *oldstrm; 3840 3841 /* save off the old */ 3842 oldstrm = stcb->asoc.strmin; 3843 SCTP_MALLOC(stcb->asoc.strmin, struct sctp_stream_in *, 3844 (num_stream * sizeof(struct sctp_stream_in)), 3845 SCTP_M_STRMI); 3846 if (stcb->asoc.strmin == NULL) { 3847 stcb->asoc.strmin = oldstrm; 3848 goto denied; 3849 } 3850 /* copy off the old data */ 3851 for (i = 0; i < stcb->asoc.streamincnt; i++) { 3852 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue); 3853 TAILQ_INIT(&stcb->asoc.strmin[i].uno_inqueue); 3854 stcb->asoc.strmin[i].sid = i; 3855 stcb->asoc.strmin[i].last_mid_delivered = oldstrm[i].last_mid_delivered; 3856 stcb->asoc.strmin[i].delivery_started = oldstrm[i].delivery_started; 3857 stcb->asoc.strmin[i].pd_api_started = oldstrm[i].pd_api_started; 3858 /* now anything on those queues? */ 3859 TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].inqueue, next_instrm, nctl) { 3860 TAILQ_REMOVE(&oldstrm[i].inqueue, ctl, next_instrm); 3861 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].inqueue, ctl, next_instrm); 3862 } 3863 TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].uno_inqueue, next_instrm, nctl) { 3864 TAILQ_REMOVE(&oldstrm[i].uno_inqueue, ctl, next_instrm); 3865 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].uno_inqueue, ctl, next_instrm); 3866 } 3867 } 3868 /* Init the new streams */ 3869 for (i = stcb->asoc.streamincnt; i < num_stream; i++) { 3870 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue); 3871 TAILQ_INIT(&stcb->asoc.strmin[i].uno_inqueue); 3872 stcb->asoc.strmin[i].sid = i; 3873 stcb->asoc.strmin[i].last_mid_delivered = 0xffffffff; 3874 stcb->asoc.strmin[i].pd_api_started = 0; 3875 stcb->asoc.strmin[i].delivery_started = 0; 3876 } 3877 SCTP_FREE(oldstrm, SCTP_M_STRMI); 3878 /* update the size */ 3879 stcb->asoc.streamincnt = num_stream; 3880 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED; 3881 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0); 3882 } 3883 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3884 asoc->str_reset_seq_in++; 3885 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3886 /* 3887 * one seq back, just echo back last action since my 3888 * response was lost. 3889 */ 3890 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3891 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3892 /* 3893 * two seq back, just echo back last action since my 3894 * response was lost. 3895 */ 3896 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3897 } else { 3898 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO); 3899 } 3900 } 3901 3902 static void 3903 sctp_handle_str_reset_add_out_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk, 3904 struct sctp_stream_reset_add_strm *str_add) 3905 { 3906 /* 3907 * Peer is requesting to add more streams. If its within our 3908 * max-streams we will allow it. 3909 */ 3910 uint16_t num_stream; 3911 uint32_t seq; 3912 struct sctp_association *asoc = &stcb->asoc; 3913 3914 /* Get the number. */ 3915 seq = ntohl(str_add->request_seq); 3916 num_stream = ntohs(str_add->number_of_streams); 3917 /* Now what would be the new total? */ 3918 if (asoc->str_reset_seq_in == seq) { 3919 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3920 if ((asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ) == 0) { 3921 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3922 } else if (stcb->asoc.stream_reset_outstanding) { 3923 /* We must reject it we have something pending */ 3924 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS; 3925 } else { 3926 /* Ok, we can do that :-) */ 3927 int mychk; 3928 3929 mychk = stcb->asoc.streamoutcnt; 3930 mychk += num_stream; 3931 if (mychk < 0x10000) { 3932 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED; 3933 if (sctp_send_str_reset_req(stcb, 0, NULL, 0, 0, 1, num_stream, 0, 1)) { 3934 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3935 } 3936 } else { 3937 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED; 3938 } 3939 } 3940 sctp_add_stream_reset_result(chk, seq, stcb->asoc.last_reset_action[0]); 3941 asoc->str_reset_seq_in++; 3942 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3943 /* 3944 * one seq back, just echo back last action since my 3945 * response was lost. 3946 */ 3947 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3948 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3949 /* 3950 * two seq back, just echo back last action since my 3951 * response was lost. 3952 */ 3953 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3954 } else { 3955 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO); 3956 } 3957 } 3958 3959 #ifdef __GNUC__ 3960 __attribute__((noinline)) 3961 #endif 3962 static int 3963 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset, 3964 struct sctp_chunkhdr *ch_req) 3965 { 3966 uint16_t remaining_length, param_len, ptype; 3967 struct sctp_paramhdr pstore; 3968 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE]; 3969 uint32_t seq = 0; 3970 int num_req = 0; 3971 int trunc = 0; 3972 struct sctp_tmit_chunk *chk; 3973 struct sctp_chunkhdr *ch; 3974 struct sctp_paramhdr *ph; 3975 int ret_code = 0; 3976 int num_param = 0; 3977 3978 /* now it may be a reset or a reset-response */ 3979 remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr); 3980 3981 /* setup for adding the response */ 3982 sctp_alloc_a_chunk(stcb, chk); 3983 if (chk == NULL) { 3984 return (ret_code); 3985 } 3986 chk->copy_by_ref = 0; 3987 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3988 chk->rec.chunk_id.can_take_data = 0; 3989 chk->flags = 0; 3990 chk->asoc = &stcb->asoc; 3991 chk->no_fr_allowed = 0; 3992 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3993 chk->book_size_scale = 0; 3994 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA); 3995 if (chk->data == NULL) { 3996 strres_nochunk: 3997 if (chk->data) { 3998 sctp_m_freem(chk->data); 3999 chk->data = NULL; 4000 } 4001 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 4002 return (ret_code); 4003 } 4004 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 4005 4006 /* setup chunk parameters */ 4007 chk->sent = SCTP_DATAGRAM_UNSENT; 4008 chk->snd_count = 0; 4009 chk->whoTo = NULL; 4010 4011 ch = mtod(chk->data, struct sctp_chunkhdr *); 4012 ch->chunk_type = SCTP_STREAM_RESET; 4013 ch->chunk_flags = 0; 4014 ch->chunk_length = htons(chk->send_size); 4015 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 4016 offset += sizeof(struct sctp_chunkhdr); 4017 while (remaining_length >= sizeof(struct sctp_paramhdr)) { 4018 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *)&pstore); 4019 if (ph == NULL) { 4020 /* TSNH */ 4021 break; 4022 } 4023 param_len = ntohs(ph->param_length); 4024 if ((param_len > remaining_length) || 4025 (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) { 4026 /* bad parameter length */ 4027 break; 4028 } 4029 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)), 4030 (uint8_t *)&cstore); 4031 if (ph == NULL) { 4032 /* TSNH */ 4033 break; 4034 } 4035 ptype = ntohs(ph->param_type); 4036 num_param++; 4037 if (param_len > sizeof(cstore)) { 4038 trunc = 1; 4039 } else { 4040 trunc = 0; 4041 } 4042 if (num_param > SCTP_MAX_RESET_PARAMS) { 4043 /* hit the max of parameters already sorry.. */ 4044 break; 4045 } 4046 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 4047 struct sctp_stream_reset_out_request *req_out; 4048 4049 if (param_len < sizeof(struct sctp_stream_reset_out_request)) { 4050 break; 4051 } 4052 req_out = (struct sctp_stream_reset_out_request *)ph; 4053 num_req++; 4054 if (stcb->asoc.stream_reset_outstanding) { 4055 seq = ntohl(req_out->response_seq); 4056 if (seq == stcb->asoc.str_reset_seq_out) { 4057 /* implicit ack */ 4058 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_RESULT_PERFORMED, NULL); 4059 } 4060 } 4061 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc); 4062 } else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) { 4063 struct sctp_stream_reset_add_strm *str_add; 4064 4065 if (param_len < sizeof(struct sctp_stream_reset_add_strm)) { 4066 break; 4067 } 4068 str_add = (struct sctp_stream_reset_add_strm *)ph; 4069 num_req++; 4070 sctp_handle_str_reset_add_strm(stcb, chk, str_add); 4071 } else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) { 4072 struct sctp_stream_reset_add_strm *str_add; 4073 4074 if (param_len < sizeof(struct sctp_stream_reset_add_strm)) { 4075 break; 4076 } 4077 str_add = (struct sctp_stream_reset_add_strm *)ph; 4078 num_req++; 4079 sctp_handle_str_reset_add_out_strm(stcb, chk, str_add); 4080 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 4081 struct sctp_stream_reset_in_request *req_in; 4082 4083 num_req++; 4084 req_in = (struct sctp_stream_reset_in_request *)ph; 4085 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc); 4086 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 4087 struct sctp_stream_reset_tsn_request *req_tsn; 4088 4089 num_req++; 4090 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 4091 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 4092 ret_code = 1; 4093 goto strres_nochunk; 4094 } 4095 /* no more */ 4096 break; 4097 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 4098 struct sctp_stream_reset_response *resp; 4099 uint32_t result; 4100 4101 if (param_len < sizeof(struct sctp_stream_reset_response)) { 4102 break; 4103 } 4104 resp = (struct sctp_stream_reset_response *)ph; 4105 seq = ntohl(resp->response_seq); 4106 result = ntohl(resp->result); 4107 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 4108 ret_code = 1; 4109 goto strres_nochunk; 4110 } 4111 } else { 4112 break; 4113 } 4114 offset += SCTP_SIZE32(param_len); 4115 if (remaining_length >= SCTP_SIZE32(param_len)) { 4116 remaining_length -= SCTP_SIZE32(param_len); 4117 } else { 4118 remaining_length = 0; 4119 } 4120 } 4121 if (num_req == 0) { 4122 /* we have no response free the stuff */ 4123 goto strres_nochunk; 4124 } 4125 /* ok we have a chunk to link in */ 4126 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 4127 chk, 4128 sctp_next); 4129 stcb->asoc.ctrl_queue_cnt++; 4130 return (ret_code); 4131 } 4132 4133 /* 4134 * Handle a router or endpoints report of a packet loss, there are two ways 4135 * to handle this, either we get the whole packet and must disect it 4136 * ourselves (possibly with truncation and or corruption) or it is a summary 4137 * from a middle box that did the disecting for us. 4138 */ 4139 static void 4140 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 4141 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit) 4142 { 4143 struct sctp_chunk_desc desc; 4144 struct sctp_chunkhdr *chk_hdr; 4145 struct sctp_data_chunk *data_chunk; 4146 struct sctp_idata_chunk *idata_chunk; 4147 uint32_t bottle_bw, on_queue; 4148 uint32_t offset, chk_len; 4149 uint16_t pktdrp_len; 4150 uint8_t pktdrp_flags; 4151 4152 KASSERT(sizeof(struct sctp_pktdrop_chunk) <= limit, 4153 ("PKTDROP chunk too small")); 4154 pktdrp_flags = cp->ch.chunk_flags; 4155 pktdrp_len = ntohs(cp->ch.chunk_length); 4156 KASSERT(limit <= pktdrp_len, ("Inconsistent limit")); 4157 if (pktdrp_flags & SCTP_PACKET_TRUNCATED) { 4158 if (ntohs(cp->trunc_len) <= pktdrp_len - sizeof(struct sctp_pktdrop_chunk)) { 4159 /* The peer plays games with us. */ 4160 return; 4161 } 4162 } 4163 limit -= sizeof(struct sctp_pktdrop_chunk); 4164 offset = 0; 4165 if (offset == limit) { 4166 if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) { 4167 SCTP_STAT_INCR(sctps_pdrpbwrpt); 4168 } 4169 } else if (offset + sizeof(struct sctphdr) > limit) { 4170 /* Only a partial SCTP common header. */ 4171 SCTP_STAT_INCR(sctps_pdrpcrupt); 4172 offset = limit; 4173 } else { 4174 /* XXX: Check embedded SCTP common header. */ 4175 offset += sizeof(struct sctphdr); 4176 } 4177 /* Now parse through the chunks themselves. */ 4178 while (offset < limit) { 4179 if (offset + sizeof(struct sctp_chunkhdr) > limit) { 4180 SCTP_STAT_INCR(sctps_pdrpcrupt); 4181 break; 4182 } 4183 chk_hdr = (struct sctp_chunkhdr *)(cp->data + offset); 4184 desc.chunk_type = chk_hdr->chunk_type; 4185 /* get amount we need to move */ 4186 chk_len = (uint32_t)ntohs(chk_hdr->chunk_length); 4187 if (chk_len < sizeof(struct sctp_chunkhdr)) { 4188 /* Someone is lying... */ 4189 break; 4190 } 4191 if (desc.chunk_type == SCTP_DATA) { 4192 if (stcb->asoc.idata_supported) { 4193 /* Some is playing games with us. */ 4194 break; 4195 } 4196 if (chk_len <= sizeof(struct sctp_data_chunk)) { 4197 /* Some is playing games with us. */ 4198 break; 4199 } 4200 if (chk_len < sizeof(struct sctp_data_chunk) + SCTP_NUM_DB_TO_VERIFY) { 4201 /* 4202 * Not enough data bytes available in the 4203 * chunk. 4204 */ 4205 SCTP_STAT_INCR(sctps_pdrpnedat); 4206 goto next_chunk; 4207 } 4208 if (offset + sizeof(struct sctp_data_chunk) + SCTP_NUM_DB_TO_VERIFY > limit) { 4209 /* Not enough data in buffer. */ 4210 break; 4211 } 4212 data_chunk = (struct sctp_data_chunk *)(cp->data + offset); 4213 memcpy(desc.data_bytes, data_chunk + 1, SCTP_NUM_DB_TO_VERIFY); 4214 desc.tsn_ifany = data_chunk->dp.tsn; 4215 if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) { 4216 SCTP_STAT_INCR(sctps_pdrpmbda); 4217 } 4218 } else if (desc.chunk_type == SCTP_IDATA) { 4219 if (!stcb->asoc.idata_supported) { 4220 /* Some is playing games with us. */ 4221 break; 4222 } 4223 if (chk_len <= sizeof(struct sctp_idata_chunk)) { 4224 /* Some is playing games with us. */ 4225 break; 4226 } 4227 if (chk_len < sizeof(struct sctp_idata_chunk) + SCTP_NUM_DB_TO_VERIFY) { 4228 /* 4229 * Not enough data bytes available in the 4230 * chunk. 4231 */ 4232 SCTP_STAT_INCR(sctps_pdrpnedat); 4233 goto next_chunk; 4234 } 4235 if (offset + sizeof(struct sctp_idata_chunk) + SCTP_NUM_DB_TO_VERIFY > limit) { 4236 /* Not enough data in buffer. */ 4237 break; 4238 } 4239 idata_chunk = (struct sctp_idata_chunk *)(cp->data + offset); 4240 memcpy(desc.data_bytes, idata_chunk + 1, SCTP_NUM_DB_TO_VERIFY); 4241 desc.tsn_ifany = idata_chunk->dp.tsn; 4242 if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) { 4243 SCTP_STAT_INCR(sctps_pdrpmbda); 4244 } 4245 } else { 4246 if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) { 4247 SCTP_STAT_INCR(sctps_pdrpmbct); 4248 } 4249 } 4250 if (process_chunk_drop(stcb, &desc, net, pktdrp_flags)) { 4251 SCTP_STAT_INCR(sctps_pdrppdbrk); 4252 break; 4253 } 4254 next_chunk: 4255 offset += SCTP_SIZE32(chk_len); 4256 } 4257 /* Now update any rwnd --- possibly */ 4258 if ((pktdrp_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 4259 /* From a peer, we get a rwnd report */ 4260 uint32_t a_rwnd; 4261 4262 SCTP_STAT_INCR(sctps_pdrpfehos); 4263 4264 bottle_bw = ntohl(cp->bottle_bw); 4265 on_queue = ntohl(cp->current_onq); 4266 if (bottle_bw && on_queue) { 4267 /* a rwnd report is in here */ 4268 if (bottle_bw > on_queue) 4269 a_rwnd = bottle_bw - on_queue; 4270 else 4271 a_rwnd = 0; 4272 4273 if (a_rwnd == 0) 4274 stcb->asoc.peers_rwnd = 0; 4275 else { 4276 if (a_rwnd > stcb->asoc.total_flight) { 4277 stcb->asoc.peers_rwnd = 4278 a_rwnd - stcb->asoc.total_flight; 4279 } else { 4280 stcb->asoc.peers_rwnd = 0; 4281 } 4282 if (stcb->asoc.peers_rwnd < 4283 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4284 /* SWS sender side engages */ 4285 stcb->asoc.peers_rwnd = 0; 4286 } 4287 } 4288 } 4289 } else { 4290 SCTP_STAT_INCR(sctps_pdrpfmbox); 4291 } 4292 4293 /* now middle boxes in sat networks get a cwnd bump */ 4294 if ((pktdrp_flags & SCTP_FROM_MIDDLE_BOX) && 4295 (stcb->asoc.sat_t3_loss_recovery == 0) && 4296 (stcb->asoc.sat_network)) { 4297 /* 4298 * This is debatable but for sat networks it makes sense 4299 * Note if a T3 timer has went off, we will prohibit any 4300 * changes to cwnd until we exit the t3 loss recovery. 4301 */ 4302 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb, 4303 net, cp, &bottle_bw, &on_queue); 4304 } 4305 } 4306 4307 /* 4308 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 4309 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 4310 * offset: offset into the mbuf chain to first chunkhdr - length: is the 4311 * length of the complete packet outputs: - length: modified to remaining 4312 * length after control processing - netp: modified to new sctp_nets after 4313 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 4314 * bad packet,...) otherwise return the tcb for this packet 4315 */ 4316 #ifdef __GNUC__ 4317 __attribute__((noinline)) 4318 #endif 4319 static struct sctp_tcb * 4320 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 4321 struct sockaddr *src, struct sockaddr *dst, 4322 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 4323 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen, 4324 uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum, 4325 uint32_t vrf_id, uint16_t port) 4326 { 4327 struct sctp_association *asoc; 4328 struct mbuf *op_err; 4329 char msg[SCTP_DIAG_INFO_LEN]; 4330 uint32_t vtag_in; 4331 int num_chunks = 0; /* number of control chunks processed */ 4332 uint32_t chk_length, contiguous; 4333 int ret; 4334 int abort_no_unlock = 0; 4335 int ecne_seen = 0; 4336 int abort_flag; 4337 4338 /* 4339 * How big should this be, and should it be alloc'd? Lets try the 4340 * d-mtu-ceiling for now (2k) and that should hopefully work ... 4341 * until we get into jumbo grams and such.. 4342 */ 4343 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 4344 int got_auth = 0; 4345 uint32_t auth_offset = 0, auth_len = 0; 4346 int auth_skipped = 0; 4347 int asconf_cnt = 0; 4348 4349 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 4350 iphlen, *offset, length, (void *)stcb); 4351 4352 if (stcb) { 4353 SCTP_TCB_LOCK_ASSERT(stcb); 4354 } 4355 /* validate chunk header length... */ 4356 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 4357 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n", 4358 ntohs(ch->chunk_length)); 4359 *offset = length; 4360 return (stcb); 4361 } 4362 /* 4363 * validate the verification tag 4364 */ 4365 vtag_in = ntohl(sh->v_tag); 4366 4367 if (ch->chunk_type == SCTP_INITIATION) { 4368 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n", 4369 ntohs(ch->chunk_length), vtag_in); 4370 if (vtag_in != 0) { 4371 /* protocol error- silently discard... */ 4372 SCTP_STAT_INCR(sctps_badvtag); 4373 if (stcb != NULL) { 4374 SCTP_TCB_UNLOCK(stcb); 4375 } 4376 return (NULL); 4377 } 4378 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 4379 /* 4380 * If there is no stcb, skip the AUTH chunk and process 4381 * later after a stcb is found (to validate the lookup was 4382 * valid. 4383 */ 4384 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 4385 (stcb == NULL) && 4386 (inp->auth_supported == 1)) { 4387 /* save this chunk for later processing */ 4388 auth_skipped = 1; 4389 auth_offset = *offset; 4390 auth_len = ntohs(ch->chunk_length); 4391 4392 /* (temporarily) move past this chunk */ 4393 *offset += SCTP_SIZE32(auth_len); 4394 if (*offset >= length) { 4395 /* no more data left in the mbuf chain */ 4396 *offset = length; 4397 return (NULL); 4398 } 4399 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4400 sizeof(struct sctp_chunkhdr), chunk_buf); 4401 } 4402 if (ch == NULL) { 4403 /* Help */ 4404 *offset = length; 4405 return (stcb); 4406 } 4407 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 4408 goto process_control_chunks; 4409 } 4410 /* 4411 * first check if it's an ASCONF with an unknown src addr we 4412 * need to look inside to find the association 4413 */ 4414 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 4415 struct sctp_chunkhdr *asconf_ch = ch; 4416 uint32_t asconf_offset = 0, asconf_len = 0; 4417 4418 /* inp's refcount may be reduced */ 4419 SCTP_INP_INCR_REF(inp); 4420 4421 asconf_offset = *offset; 4422 do { 4423 asconf_len = ntohs(asconf_ch->chunk_length); 4424 if (asconf_len < sizeof(struct sctp_asconf_paramhdr)) 4425 break; 4426 stcb = sctp_findassociation_ep_asconf(m, 4427 *offset, 4428 dst, 4429 sh, &inp, netp, vrf_id); 4430 if (stcb != NULL) 4431 break; 4432 asconf_offset += SCTP_SIZE32(asconf_len); 4433 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset, 4434 sizeof(struct sctp_chunkhdr), chunk_buf); 4435 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF); 4436 if (stcb == NULL) { 4437 /* 4438 * reduce inp's refcount if not reduced in 4439 * sctp_findassociation_ep_asconf(). 4440 */ 4441 SCTP_INP_DECR_REF(inp); 4442 } 4443 4444 /* now go back and verify any auth chunk to be sure */ 4445 if (auth_skipped && (stcb != NULL)) { 4446 struct sctp_auth_chunk *auth; 4447 4448 if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) { 4449 auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf); 4450 got_auth = 1; 4451 auth_skipped = 0; 4452 } else { 4453 auth = NULL; 4454 } 4455 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, 4456 auth_offset)) { 4457 /* auth HMAC failed so dump it */ 4458 *offset = length; 4459 return (stcb); 4460 } else { 4461 /* remaining chunks are HMAC checked */ 4462 stcb->asoc.authenticated = 1; 4463 } 4464 } 4465 } 4466 if (stcb == NULL) { 4467 SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__); 4468 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 4469 msg); 4470 /* no association, so it's out of the blue... */ 4471 sctp_handle_ootb(m, iphlen, *offset, src, dst, sh, inp, op_err, 4472 mflowtype, mflowid, inp->fibnum, 4473 vrf_id, port); 4474 *offset = length; 4475 return (NULL); 4476 } 4477 asoc = &stcb->asoc; 4478 /* ABORT and SHUTDOWN can use either v_tag... */ 4479 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 4480 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 4481 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 4482 /* Take the T-bit always into account. */ 4483 if ((((ch->chunk_flags & SCTP_HAD_NO_TCB) == 0) && 4484 (vtag_in == asoc->my_vtag)) || 4485 (((ch->chunk_flags & SCTP_HAD_NO_TCB) == SCTP_HAD_NO_TCB) && 4486 (asoc->peer_vtag != htonl(0)) && 4487 (vtag_in == asoc->peer_vtag))) { 4488 /* this is valid */ 4489 } else { 4490 /* drop this packet... */ 4491 SCTP_STAT_INCR(sctps_badvtag); 4492 if (stcb != NULL) { 4493 SCTP_TCB_UNLOCK(stcb); 4494 } 4495 return (NULL); 4496 } 4497 } else { 4498 /* for all other chunks, vtag must match */ 4499 if (vtag_in != asoc->my_vtag) { 4500 /* invalid vtag... */ 4501 SCTPDBG(SCTP_DEBUG_INPUT3, 4502 "invalid vtag: %xh, expect %xh\n", 4503 vtag_in, asoc->my_vtag); 4504 SCTP_STAT_INCR(sctps_badvtag); 4505 if (stcb != NULL) { 4506 SCTP_TCB_UNLOCK(stcb); 4507 } 4508 *offset = length; 4509 return (NULL); 4510 } 4511 } 4512 } /* end if !SCTP_COOKIE_ECHO */ 4513 /* 4514 * process all control chunks... 4515 */ 4516 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 4517 (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) || 4518 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 4519 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) { 4520 /* implied cookie-ack.. we must have lost the ack */ 4521 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 4522 *netp); 4523 } 4524 4525 process_control_chunks: 4526 while (IS_SCTP_CONTROL(ch)) { 4527 /* validate chunk length */ 4528 chk_length = ntohs(ch->chunk_length); 4529 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n", 4530 ch->chunk_type, chk_length); 4531 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length); 4532 if (chk_length < sizeof(*ch) || 4533 (*offset + (int)chk_length) > length) { 4534 *offset = length; 4535 return (stcb); 4536 } 4537 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 4538 /* 4539 * INIT and INIT-ACK only gets the init ack "header" portion 4540 * only because we don't have to process the peer's COOKIE. 4541 * All others get a complete chunk. 4542 */ 4543 switch (ch->chunk_type) { 4544 case SCTP_INITIATION: 4545 contiguous = sizeof(struct sctp_init_chunk); 4546 break; 4547 case SCTP_INITIATION_ACK: 4548 contiguous = sizeof(struct sctp_init_ack_chunk); 4549 break; 4550 default: 4551 contiguous = min(chk_length, sizeof(chunk_buf)); 4552 break; 4553 } 4554 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4555 contiguous, 4556 chunk_buf); 4557 if (ch == NULL) { 4558 *offset = length; 4559 return (stcb); 4560 } 4561 4562 num_chunks++; 4563 /* Save off the last place we got a control from */ 4564 if (stcb != NULL) { 4565 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) { 4566 /* 4567 * allow last_control to be NULL if 4568 * ASCONF... ASCONF processing will find the 4569 * right net later 4570 */ 4571 if ((netp != NULL) && (*netp != NULL)) 4572 stcb->asoc.last_control_chunk_from = *netp; 4573 } 4574 } 4575 #ifdef SCTP_AUDITING_ENABLED 4576 sctp_audit_log(0xB0, ch->chunk_type); 4577 #endif 4578 4579 /* check to see if this chunk required auth, but isn't */ 4580 if ((stcb != NULL) && 4581 sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) && 4582 !stcb->asoc.authenticated) { 4583 /* "silently" ignore */ 4584 SCTP_STAT_INCR(sctps_recvauthmissing); 4585 goto next_chunk; 4586 } 4587 switch (ch->chunk_type) { 4588 case SCTP_INITIATION: 4589 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n"); 4590 /* The INIT chunk must be the only chunk. */ 4591 if ((num_chunks > 1) || 4592 (length - *offset > (int)SCTP_SIZE32(chk_length))) { 4593 /* 4594 * RFC 4960bis requires stopping the 4595 * processing of the packet. 4596 */ 4597 *offset = length; 4598 return (stcb); 4599 } 4600 /* Honor our resource limit. */ 4601 if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) { 4602 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 4603 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err, 4604 mflowtype, mflowid, inp->fibnum, 4605 vrf_id, port); 4606 *offset = length; 4607 if (stcb != NULL) { 4608 SCTP_TCB_UNLOCK(stcb); 4609 } 4610 return (NULL); 4611 } 4612 sctp_handle_init(m, iphlen, *offset, src, dst, sh, 4613 (struct sctp_init_chunk *)ch, inp, 4614 stcb, *netp, 4615 mflowtype, mflowid, 4616 vrf_id, port); 4617 *offset = length; 4618 if (stcb != NULL) { 4619 SCTP_TCB_UNLOCK(stcb); 4620 } 4621 return (NULL); 4622 break; 4623 case SCTP_PAD_CHUNK: 4624 break; 4625 case SCTP_INITIATION_ACK: 4626 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT_ACK\n"); 4627 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4628 /* We are not interested anymore */ 4629 if ((stcb != NULL) && (stcb->asoc.total_output_queue_size)) { 4630 ; 4631 } else { 4632 *offset = length; 4633 if (stcb != NULL) { 4634 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 4635 SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4636 } 4637 return (NULL); 4638 } 4639 } 4640 /* The INIT-ACK chunk must be the only chunk. */ 4641 if ((num_chunks > 1) || 4642 (length - *offset > (int)SCTP_SIZE32(chk_length))) { 4643 *offset = length; 4644 return (stcb); 4645 } 4646 if ((netp != NULL) && (*netp != NULL)) { 4647 ret = sctp_handle_init_ack(m, iphlen, *offset, 4648 src, dst, sh, 4649 (struct sctp_init_ack_chunk *)ch, 4650 stcb, *netp, 4651 &abort_no_unlock, 4652 mflowtype, mflowid, 4653 vrf_id); 4654 } else { 4655 ret = -1; 4656 } 4657 *offset = length; 4658 if (abort_no_unlock) { 4659 return (NULL); 4660 } 4661 /* 4662 * Special case, I must call the output routine to 4663 * get the cookie echoed 4664 */ 4665 if ((stcb != NULL) && (ret == 0)) { 4666 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 4667 } 4668 return (stcb); 4669 break; 4670 case SCTP_SELECTIVE_ACK: 4671 case SCTP_NR_SELECTIVE_ACK: 4672 { 4673 int abort_now = 0; 4674 uint32_t a_rwnd, cum_ack; 4675 uint16_t num_seg, num_nr_seg, num_dup; 4676 uint8_t flags; 4677 int offset_seg, offset_dup; 4678 4679 SCTPDBG(SCTP_DEBUG_INPUT3, "%s\n", 4680 ch->chunk_type == SCTP_SELECTIVE_ACK ? "SCTP_SACK" : "SCTP_NR_SACK"); 4681 SCTP_STAT_INCR(sctps_recvsacks); 4682 if (stcb == NULL) { 4683 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing %s chunk\n", 4684 (ch->chunk_type == SCTP_SELECTIVE_ACK) ? "SCTP_SACK" : "SCTP_NR_SACK"); 4685 break; 4686 } 4687 if (ch->chunk_type == SCTP_SELECTIVE_ACK) { 4688 if (chk_length < sizeof(struct sctp_sack_chunk)) { 4689 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on SACK chunk, too small\n"); 4690 break; 4691 } 4692 } else { 4693 if (stcb->asoc.nrsack_supported == 0) { 4694 goto unknown_chunk; 4695 } 4696 if (chk_length < sizeof(struct sctp_nr_sack_chunk)) { 4697 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on NR_SACK chunk, too small\n"); 4698 break; 4699 } 4700 } 4701 if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 4702 /*- 4703 * If we have sent a shutdown-ack, we will pay no 4704 * attention to a sack sent in to us since 4705 * we don't care anymore. 4706 */ 4707 break; 4708 } 4709 flags = ch->chunk_flags; 4710 if (ch->chunk_type == SCTP_SELECTIVE_ACK) { 4711 struct sctp_sack_chunk *sack; 4712 4713 sack = (struct sctp_sack_chunk *)ch; 4714 cum_ack = ntohl(sack->sack.cum_tsn_ack); 4715 num_seg = ntohs(sack->sack.num_gap_ack_blks); 4716 num_nr_seg = 0; 4717 num_dup = ntohs(sack->sack.num_dup_tsns); 4718 a_rwnd = ntohl(sack->sack.a_rwnd); 4719 if (sizeof(struct sctp_sack_chunk) + 4720 num_seg * sizeof(struct sctp_gap_ack_block) + 4721 num_dup * sizeof(uint32_t) != chk_length) { 4722 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of SACK chunk\n"); 4723 break; 4724 } 4725 offset_seg = *offset + sizeof(struct sctp_sack_chunk); 4726 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block); 4727 } else { 4728 struct sctp_nr_sack_chunk *nr_sack; 4729 4730 nr_sack = (struct sctp_nr_sack_chunk *)ch; 4731 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack); 4732 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks); 4733 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks); 4734 num_dup = ntohs(nr_sack->nr_sack.num_dup_tsns); 4735 a_rwnd = ntohl(nr_sack->nr_sack.a_rwnd); 4736 if (sizeof(struct sctp_nr_sack_chunk) + 4737 (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block) + 4738 num_dup * sizeof(uint32_t) != chk_length) { 4739 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of NR_SACK chunk\n"); 4740 break; 4741 } 4742 offset_seg = *offset + sizeof(struct sctp_nr_sack_chunk); 4743 offset_dup = offset_seg + (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block); 4744 } 4745 SCTPDBG(SCTP_DEBUG_INPUT3, "%s process cum_ack:%x num_seg:%d a_rwnd:%d\n", 4746 (ch->chunk_type == SCTP_SELECTIVE_ACK) ? "SCTP_SACK" : "SCTP_NR_SACK", 4747 cum_ack, num_seg, a_rwnd); 4748 stcb->asoc.seen_a_sack_this_pkt = 1; 4749 if ((stcb->asoc.pr_sctp_cnt == 0) && 4750 (num_seg == 0) && (num_nr_seg == 0) && 4751 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) && 4752 (stcb->asoc.saw_sack_with_frags == 0) && 4753 (stcb->asoc.saw_sack_with_nr_frags == 0) && 4754 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))) { 4755 /* 4756 * We have a SIMPLE sack having no 4757 * prior segments and data on sent 4758 * queue to be acked. Use the faster 4759 * path sack processing. We also 4760 * allow window update sacks with no 4761 * missing segments to go this way 4762 * too. 4763 */ 4764 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, 4765 &abort_now, ecne_seen); 4766 } else { 4767 if ((netp != NULL) && (*netp != NULL)) { 4768 sctp_handle_sack(m, offset_seg, offset_dup, stcb, 4769 num_seg, num_nr_seg, num_dup, &abort_now, flags, 4770 cum_ack, a_rwnd, ecne_seen); 4771 } 4772 } 4773 if (abort_now) { 4774 /* ABORT signal from sack processing */ 4775 *offset = length; 4776 return (NULL); 4777 } 4778 if (TAILQ_EMPTY(&stcb->asoc.send_queue) && 4779 TAILQ_EMPTY(&stcb->asoc.sent_queue) && 4780 (stcb->asoc.stream_queue_cnt == 0)) { 4781 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 4782 } 4783 break; 4784 } 4785 case SCTP_HEARTBEAT_REQUEST: 4786 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n"); 4787 if ((stcb != NULL) && (netp != NULL) && (*netp != NULL)) { 4788 SCTP_STAT_INCR(sctps_recvheartbeat); 4789 sctp_send_heartbeat_ack(stcb, m, *offset, 4790 chk_length, *netp); 4791 } 4792 break; 4793 case SCTP_HEARTBEAT_ACK: 4794 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT_ACK\n"); 4795 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) { 4796 /* Its not ours */ 4797 break; 4798 } 4799 SCTP_STAT_INCR(sctps_recvheartbeatack); 4800 if ((netp != NULL) && (*netp != NULL)) { 4801 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 4802 stcb, *netp); 4803 } 4804 break; 4805 case SCTP_ABORT_ASSOCIATION: 4806 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n", 4807 (void *)stcb); 4808 *offset = length; 4809 if ((stcb != NULL) && (netp != NULL) && (*netp != NULL)) { 4810 if (sctp_handle_abort((struct sctp_abort_chunk *)ch, stcb, *netp)) { 4811 return (NULL); 4812 } else { 4813 return (stcb); 4814 } 4815 } else { 4816 return (NULL); 4817 } 4818 break; 4819 case SCTP_SHUTDOWN: 4820 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n", 4821 (void *)stcb); 4822 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) { 4823 break; 4824 } 4825 if ((netp != NULL) && (*netp != NULL)) { 4826 abort_flag = 0; 4827 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 4828 stcb, *netp, &abort_flag); 4829 if (abort_flag) { 4830 *offset = length; 4831 return (NULL); 4832 } 4833 } 4834 break; 4835 case SCTP_SHUTDOWN_ACK: 4836 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN_ACK, stcb %p\n", (void *)stcb); 4837 if ((chk_length == sizeof(struct sctp_shutdown_ack_chunk)) && 4838 (stcb != NULL) && (netp != NULL) && (*netp != NULL)) { 4839 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 4840 *offset = length; 4841 return (NULL); 4842 } 4843 break; 4844 case SCTP_OPERATION_ERROR: 4845 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP_ERR\n"); 4846 if ((stcb != NULL) && (netp != NULL) && (*netp != NULL) && 4847 sctp_handle_error(ch, stcb, *netp, contiguous) < 0) { 4848 *offset = length; 4849 return (NULL); 4850 } 4851 break; 4852 case SCTP_COOKIE_ECHO: 4853 SCTPDBG(SCTP_DEBUG_INPUT3, 4854 "SCTP_COOKIE_ECHO, stcb %p\n", (void *)stcb); 4855 if ((stcb != NULL) && (stcb->asoc.total_output_queue_size > 0)) { 4856 ; 4857 } else { 4858 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4859 /* We are not interested anymore */ 4860 abend: 4861 if (stcb != NULL) { 4862 SCTP_TCB_UNLOCK(stcb); 4863 } 4864 *offset = length; 4865 return (NULL); 4866 } 4867 } 4868 /*- 4869 * First are we accepting? We do this again here 4870 * since it is possible that a previous endpoint WAS 4871 * listening responded to a INIT-ACK and then 4872 * closed. We opened and bound.. and are now no 4873 * longer listening. 4874 * 4875 * XXXGL: notes on checking listen queue length. 4876 * 1) SCTP_IS_LISTENING() doesn't necessarily mean 4877 * SOLISTENING(), because a listening "UDP type" 4878 * socket isn't listening in terms of the socket 4879 * layer. It is a normal data flow socket, that 4880 * can fork off new connections. Thus, we should 4881 * look into sol_qlen only in case we are !UDP. 4882 * 2) Checking sol_qlen in general requires locking 4883 * the socket, and this code lacks that. 4884 */ 4885 if ((stcb == NULL) && 4886 (!SCTP_IS_LISTENING(inp) || 4887 (((inp->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE) == 0) && 4888 inp->sctp_socket->sol_qlen >= inp->sctp_socket->sol_qlimit))) { 4889 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 4890 (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) { 4891 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 4892 sctp_abort_association(inp, stcb, m, iphlen, 4893 src, dst, sh, op_err, 4894 mflowtype, mflowid, 4895 vrf_id, port); 4896 } 4897 *offset = length; 4898 return (NULL); 4899 } else { 4900 struct mbuf *ret_buf; 4901 struct sctp_inpcb *linp; 4902 struct sctp_tmit_chunk *chk; 4903 4904 if (inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE | 4905 SCTP_PCB_FLAGS_SOCKET_ALLGONE)) { 4906 goto abend; 4907 } 4908 4909 if (stcb) { 4910 linp = NULL; 4911 } else { 4912 linp = inp; 4913 } 4914 4915 if (linp != NULL) { 4916 SCTP_ASOC_CREATE_LOCK(linp); 4917 } 4918 4919 if (netp != NULL) { 4920 struct sctp_tcb *locked_stcb; 4921 4922 locked_stcb = stcb; 4923 ret_buf = 4924 sctp_handle_cookie_echo(m, iphlen, 4925 *offset, 4926 src, dst, 4927 sh, 4928 (struct sctp_cookie_echo_chunk *)ch, 4929 &inp, &stcb, netp, 4930 auth_skipped, 4931 auth_offset, 4932 auth_len, 4933 &locked_stcb, 4934 mflowtype, 4935 mflowid, 4936 vrf_id, 4937 port); 4938 if ((locked_stcb != NULL) && (locked_stcb != stcb)) { 4939 SCTP_TCB_UNLOCK(locked_stcb); 4940 } 4941 if (stcb != NULL) { 4942 SCTP_TCB_LOCK_ASSERT(stcb); 4943 } 4944 } else { 4945 ret_buf = NULL; 4946 } 4947 if (linp != NULL) { 4948 SCTP_ASOC_CREATE_UNLOCK(linp); 4949 } 4950 if (ret_buf == NULL) { 4951 if (stcb != NULL) { 4952 SCTP_TCB_UNLOCK(stcb); 4953 } 4954 SCTPDBG(SCTP_DEBUG_INPUT3, 4955 "GAK, null buffer\n"); 4956 *offset = length; 4957 return (NULL); 4958 } 4959 /* if AUTH skipped, see if it verified... */ 4960 if (auth_skipped) { 4961 got_auth = 1; 4962 auth_skipped = 0; 4963 } 4964 /* Restart the timer if we have pending data */ 4965 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 4966 if (chk->whoTo != NULL) { 4967 break; 4968 } 4969 } 4970 if (chk != NULL) { 4971 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo); 4972 } 4973 } 4974 break; 4975 case SCTP_COOKIE_ACK: 4976 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE_ACK, stcb %p\n", (void *)stcb); 4977 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) { 4978 break; 4979 } 4980 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4981 /* We are not interested anymore */ 4982 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4983 ; 4984 } else if (stcb) { 4985 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 4986 SCTP_FROM_SCTP_INPUT + SCTP_LOC_30); 4987 *offset = length; 4988 return (NULL); 4989 } 4990 } 4991 if ((netp != NULL) && (*netp != NULL)) { 4992 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4993 } 4994 break; 4995 case SCTP_ECN_ECHO: 4996 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN_ECHO\n"); 4997 if (stcb == NULL) { 4998 break; 4999 } 5000 if (stcb->asoc.ecn_supported == 0) { 5001 goto unknown_chunk; 5002 } 5003 if ((chk_length != sizeof(struct sctp_ecne_chunk)) && 5004 (chk_length != sizeof(struct old_sctp_ecne_chunk))) { 5005 break; 5006 } 5007 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, stcb); 5008 ecne_seen = 1; 5009 break; 5010 case SCTP_ECN_CWR: 5011 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN_CWR\n"); 5012 if (stcb == NULL) { 5013 break; 5014 } 5015 if (stcb->asoc.ecn_supported == 0) { 5016 goto unknown_chunk; 5017 } 5018 if (chk_length != sizeof(struct sctp_cwr_chunk)) { 5019 break; 5020 } 5021 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb, *netp); 5022 break; 5023 case SCTP_SHUTDOWN_COMPLETE: 5024 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN_COMPLETE, stcb %p\n", (void *)stcb); 5025 /* must be first and only chunk */ 5026 if ((num_chunks > 1) || 5027 (length - *offset > (int)SCTP_SIZE32(chk_length))) { 5028 *offset = length; 5029 return (stcb); 5030 } 5031 if ((chk_length == sizeof(struct sctp_shutdown_complete_chunk)) && 5032 (stcb != NULL) && (netp != NULL) && (*netp != NULL)) { 5033 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 5034 stcb, *netp); 5035 *offset = length; 5036 return (NULL); 5037 } 5038 break; 5039 case SCTP_ASCONF: 5040 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n"); 5041 if (stcb != NULL) { 5042 if (stcb->asoc.asconf_supported == 0) { 5043 goto unknown_chunk; 5044 } 5045 sctp_handle_asconf(m, *offset, src, 5046 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0); 5047 asconf_cnt++; 5048 } 5049 break; 5050 case SCTP_ASCONF_ACK: 5051 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF_ACK\n"); 5052 if (stcb == NULL) { 5053 break; 5054 } 5055 if (stcb->asoc.asconf_supported == 0) { 5056 goto unknown_chunk; 5057 } 5058 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) { 5059 break; 5060 } 5061 if ((netp != NULL) && (*netp != NULL)) { 5062 /* He's alive so give him credit */ 5063 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5064 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5065 stcb->asoc.overall_error_count, 5066 0, 5067 SCTP_FROM_SCTP_INPUT, 5068 __LINE__); 5069 } 5070 stcb->asoc.overall_error_count = 0; 5071 sctp_handle_asconf_ack(m, *offset, 5072 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock); 5073 if (abort_no_unlock) 5074 return (NULL); 5075 } 5076 break; 5077 case SCTP_FORWARD_CUM_TSN: 5078 case SCTP_IFORWARD_CUM_TSN: 5079 SCTPDBG(SCTP_DEBUG_INPUT3, "%s\n", 5080 ch->chunk_type == SCTP_FORWARD_CUM_TSN ? "FORWARD_TSN" : "I_FORWARD_TSN"); 5081 if (stcb == NULL) { 5082 break; 5083 } 5084 if (stcb->asoc.prsctp_supported == 0) { 5085 goto unknown_chunk; 5086 } 5087 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) { 5088 break; 5089 } 5090 if (((stcb->asoc.idata_supported == 1) && (ch->chunk_type == SCTP_FORWARD_CUM_TSN)) || 5091 ((stcb->asoc.idata_supported == 0) && (ch->chunk_type == SCTP_IFORWARD_CUM_TSN))) { 5092 if (ch->chunk_type == SCTP_FORWARD_CUM_TSN) { 5093 SCTP_SNPRINTF(msg, sizeof(msg), "%s", "FORWARD-TSN chunk received when I-FORWARD-TSN was negotiated"); 5094 } else { 5095 SCTP_SNPRINTF(msg, sizeof(msg), "%s", "I-FORWARD-TSN chunk received when FORWARD-TSN was negotiated"); 5096 } 5097 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 5098 sctp_abort_an_association(inp, stcb, op_err, false, SCTP_SO_NOT_LOCKED); 5099 *offset = length; 5100 return (NULL); 5101 } 5102 *fwd_tsn_seen = 1; 5103 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 5104 /* We are not interested anymore */ 5105 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 5106 SCTP_FROM_SCTP_INPUT + SCTP_LOC_31); 5107 *offset = length; 5108 return (NULL); 5109 } 5110 /* 5111 * For sending a SACK this looks like DATA chunks. 5112 */ 5113 stcb->asoc.last_data_chunk_from = stcb->asoc.last_control_chunk_from; 5114 abort_flag = 0; 5115 sctp_handle_forward_tsn(stcb, 5116 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset); 5117 if (abort_flag) { 5118 *offset = length; 5119 return (NULL); 5120 } 5121 break; 5122 case SCTP_STREAM_RESET: 5123 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n"); 5124 if (stcb == NULL) { 5125 break; 5126 } 5127 if (stcb->asoc.reconfig_supported == 0) { 5128 goto unknown_chunk; 5129 } 5130 if (chk_length < sizeof(struct sctp_stream_reset_tsn_req)) { 5131 break; 5132 } 5133 if (sctp_handle_stream_reset(stcb, m, *offset, ch)) { 5134 /* stop processing */ 5135 *offset = length; 5136 return (NULL); 5137 } 5138 break; 5139 case SCTP_PACKET_DROPPED: 5140 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n"); 5141 if (stcb == NULL) { 5142 break; 5143 } 5144 if (stcb->asoc.pktdrop_supported == 0) { 5145 goto unknown_chunk; 5146 } 5147 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) { 5148 break; 5149 } 5150 if ((netp != NULL) && (*netp != NULL)) { 5151 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 5152 stcb, *netp, 5153 min(chk_length, contiguous)); 5154 } 5155 break; 5156 case SCTP_AUTHENTICATION: 5157 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n"); 5158 if (stcb == NULL) { 5159 /* save the first AUTH for later processing */ 5160 if (auth_skipped == 0) { 5161 auth_offset = *offset; 5162 auth_len = chk_length; 5163 auth_skipped = 1; 5164 } 5165 /* skip this chunk (temporarily) */ 5166 break; 5167 } 5168 if (stcb->asoc.auth_supported == 0) { 5169 goto unknown_chunk; 5170 } 5171 if ((chk_length < (sizeof(struct sctp_auth_chunk))) || 5172 (chk_length > (sizeof(struct sctp_auth_chunk) + 5173 SCTP_AUTH_DIGEST_LEN_MAX))) { 5174 /* Its not ours */ 5175 *offset = length; 5176 return (stcb); 5177 } 5178 if (got_auth == 1) { 5179 /* skip this chunk... it's already auth'd */ 5180 break; 5181 } 5182 got_auth = 1; 5183 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, m, *offset)) { 5184 /* auth HMAC failed so dump the packet */ 5185 *offset = length; 5186 return (stcb); 5187 } else { 5188 /* remaining chunks are HMAC checked */ 5189 stcb->asoc.authenticated = 1; 5190 } 5191 break; 5192 5193 default: 5194 unknown_chunk: 5195 /* it's an unknown chunk! */ 5196 if ((ch->chunk_type & 0x40) && 5197 (stcb != NULL) && 5198 (SCTP_GET_STATE(stcb) != SCTP_STATE_EMPTY) && 5199 (SCTP_GET_STATE(stcb) != SCTP_STATE_INUSE) && 5200 (SCTP_GET_STATE(stcb) != SCTP_STATE_COOKIE_WAIT)) { 5201 struct sctp_gen_error_cause *cause; 5202 int len; 5203 5204 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_gen_error_cause), 5205 0, M_NOWAIT, 1, MT_DATA); 5206 if (op_err != NULL) { 5207 len = min(SCTP_SIZE32(chk_length), (uint32_t)(length - *offset)); 5208 cause = mtod(op_err, struct sctp_gen_error_cause *); 5209 cause->code = htons(SCTP_CAUSE_UNRECOG_CHUNK); 5210 cause->length = htons((uint16_t)(len + sizeof(struct sctp_gen_error_cause))); 5211 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause); 5212 SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(m, *offset, len, M_NOWAIT); 5213 if (SCTP_BUF_NEXT(op_err) != NULL) { 5214 #ifdef SCTP_MBUF_LOGGING 5215 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 5216 sctp_log_mbc(SCTP_BUF_NEXT(op_err), SCTP_MBUF_ICOPY); 5217 } 5218 #endif 5219 sctp_queue_op_err(stcb, op_err); 5220 } else { 5221 sctp_m_freem(op_err); 5222 } 5223 } 5224 } 5225 if ((ch->chunk_type & 0x80) == 0) { 5226 /* discard this packet */ 5227 *offset = length; 5228 return (stcb); 5229 } /* else skip this bad chunk and continue... */ 5230 break; 5231 } /* switch (ch->chunk_type) */ 5232 5233 next_chunk: 5234 /* get the next chunk */ 5235 *offset += SCTP_SIZE32(chk_length); 5236 if (*offset >= length) { 5237 /* no more data left in the mbuf chain */ 5238 break; 5239 } 5240 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 5241 sizeof(struct sctp_chunkhdr), chunk_buf); 5242 if (ch == NULL) { 5243 *offset = length; 5244 return (stcb); 5245 } 5246 } /* while */ 5247 5248 if ((asconf_cnt > 0) && (stcb != NULL)) { 5249 sctp_send_asconf_ack(stcb); 5250 } 5251 return (stcb); 5252 } 5253 5254 /* 5255 * common input chunk processing (v4 and v6) 5256 */ 5257 void 5258 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, int length, 5259 struct sockaddr *src, struct sockaddr *dst, 5260 struct sctphdr *sh, struct sctp_chunkhdr *ch, 5261 uint8_t compute_crc, 5262 uint8_t ecn_bits, 5263 uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum, 5264 uint32_t vrf_id, uint16_t port) 5265 { 5266 uint32_t high_tsn; 5267 int fwd_tsn_seen = 0, data_processed = 0; 5268 struct mbuf *m = *mm, *op_err; 5269 char msg[SCTP_DIAG_INFO_LEN]; 5270 int un_sent; 5271 int cnt_ctrl_ready = 0; 5272 struct sctp_inpcb *inp = NULL, *inp_decr = NULL; 5273 struct sctp_tcb *stcb = NULL; 5274 struct sctp_nets *net = NULL; 5275 5276 SCTP_STAT_INCR(sctps_recvdatagrams); 5277 #ifdef SCTP_AUDITING_ENABLED 5278 sctp_audit_log(0xE0, 1); 5279 sctp_auditing(0, inp, stcb, net); 5280 #endif 5281 if (compute_crc != 0) { 5282 uint32_t check, calc_check; 5283 5284 check = sh->checksum; 5285 sh->checksum = 0; 5286 calc_check = sctp_calculate_cksum(m, iphlen); 5287 sh->checksum = check; 5288 if (calc_check != check) { 5289 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 5290 calc_check, check, (void *)m, length, iphlen); 5291 stcb = sctp_findassociation_addr(m, offset, src, dst, 5292 sh, ch, &inp, &net, vrf_id); 5293 #if defined(INET) || defined(INET6) 5294 if ((ch->chunk_type != SCTP_INITIATION) && 5295 (net != NULL) && (net->port != port)) { 5296 if (net->port == 0) { 5297 /* UDP encapsulation turned on. */ 5298 net->mtu -= sizeof(struct udphdr); 5299 if (stcb->asoc.smallest_mtu > net->mtu) { 5300 sctp_pathmtu_adjustment(stcb, net->mtu, true); 5301 } 5302 } else if (port == 0) { 5303 /* UDP encapsulation turned off. */ 5304 net->mtu += sizeof(struct udphdr); 5305 /* XXX Update smallest_mtu */ 5306 } 5307 net->port = port; 5308 } 5309 #endif 5310 if (net != NULL) { 5311 net->flowtype = mflowtype; 5312 net->flowid = mflowid; 5313 } 5314 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh); 5315 if ((inp != NULL) && (stcb != NULL)) { 5316 sctp_send_packet_dropped(stcb, net, m, length, iphlen, 1); 5317 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED); 5318 } else if ((inp != NULL) && (stcb == NULL)) { 5319 inp_decr = inp; 5320 } 5321 SCTP_STAT_INCR(sctps_badsum); 5322 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 5323 goto out; 5324 } 5325 } 5326 /* Destination port of 0 is illegal, based on RFC4960. */ 5327 if (sh->dest_port == 0) { 5328 SCTP_STAT_INCR(sctps_hdrops); 5329 goto out; 5330 } 5331 stcb = sctp_findassociation_addr(m, offset, src, dst, 5332 sh, ch, &inp, &net, vrf_id); 5333 #if defined(INET) || defined(INET6) 5334 if ((ch->chunk_type != SCTP_INITIATION) && 5335 (net != NULL) && (net->port != port)) { 5336 if (net->port == 0) { 5337 /* UDP encapsulation turned on. */ 5338 net->mtu -= sizeof(struct udphdr); 5339 if (stcb->asoc.smallest_mtu > net->mtu) { 5340 sctp_pathmtu_adjustment(stcb, net->mtu, true); 5341 } 5342 } else if (port == 0) { 5343 /* UDP encapsulation turned off. */ 5344 net->mtu += sizeof(struct udphdr); 5345 /* XXX Update smallest_mtu */ 5346 } 5347 net->port = port; 5348 } 5349 #endif 5350 if (net != NULL) { 5351 net->flowtype = mflowtype; 5352 net->flowid = mflowid; 5353 } 5354 if (inp == NULL) { 5355 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh); 5356 SCTP_STAT_INCR(sctps_noport); 5357 if (badport_bandlim(BANDLIM_SCTP_OOTB) < 0) { 5358 goto out; 5359 } 5360 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 5361 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 5362 sctp_send_shutdown_complete2(src, dst, sh, 5363 mflowtype, mflowid, fibnum, 5364 vrf_id, port); 5365 goto out; 5366 } 5367 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 5368 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 5369 goto out; 5370 } 5371 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) { 5372 if ((SCTP_BASE_SYSCTL(sctp_blackhole) == 0) || 5373 ((SCTP_BASE_SYSCTL(sctp_blackhole) == 1) && 5374 (ch->chunk_type != SCTP_INIT))) { 5375 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 5376 "Out of the blue"); 5377 sctp_send_abort(m, iphlen, src, dst, 5378 sh, 0, op_err, 5379 mflowtype, mflowid, fibnum, 5380 vrf_id, port); 5381 } 5382 } 5383 goto out; 5384 } else if (stcb == NULL) { 5385 inp_decr = inp; 5386 } 5387 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n", 5388 (void *)m, iphlen, offset, length, (void *)stcb); 5389 if (stcb) { 5390 /* always clear this before beginning a packet */ 5391 stcb->asoc.authenticated = 0; 5392 stcb->asoc.seen_a_sack_this_pkt = 0; 5393 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n", 5394 (void *)stcb, stcb->asoc.state); 5395 5396 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) || 5397 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) { 5398 /*- 5399 * If we hit here, we had a ref count 5400 * up when the assoc was aborted and the 5401 * timer is clearing out the assoc, we should 5402 * NOT respond to any packet.. its OOTB. 5403 */ 5404 SCTP_TCB_UNLOCK(stcb); 5405 stcb = NULL; 5406 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh); 5407 SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__); 5408 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 5409 msg); 5410 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err, 5411 mflowtype, mflowid, inp->fibnum, 5412 vrf_id, port); 5413 goto out; 5414 } 5415 } 5416 if (IS_SCTP_CONTROL(ch)) { 5417 /* process the control portion of the SCTP packet */ 5418 /* sa_ignore NO_NULL_CHK */ 5419 stcb = sctp_process_control(m, iphlen, &offset, length, 5420 src, dst, sh, ch, 5421 inp, stcb, &net, &fwd_tsn_seen, 5422 mflowtype, mflowid, fibnum, 5423 vrf_id, port); 5424 if (stcb) { 5425 /* 5426 * This covers us if the cookie-echo was there and 5427 * it changes our INP. 5428 */ 5429 inp = stcb->sctp_ep; 5430 #if defined(INET) || defined(INET6) 5431 if ((ch->chunk_type != SCTP_INITIATION) && 5432 (net != NULL) && (net->port != port)) { 5433 if (net->port == 0) { 5434 /* UDP encapsulation turned on. */ 5435 net->mtu -= sizeof(struct udphdr); 5436 if (stcb->asoc.smallest_mtu > net->mtu) { 5437 sctp_pathmtu_adjustment(stcb, net->mtu, true); 5438 } 5439 } else if (port == 0) { 5440 /* UDP encapsulation turned off. */ 5441 net->mtu += sizeof(struct udphdr); 5442 /* XXX Update smallest_mtu */ 5443 } 5444 net->port = port; 5445 } 5446 #endif 5447 } 5448 } else { 5449 /* 5450 * no control chunks, so pre-process DATA chunks (these 5451 * checks are taken care of by control processing) 5452 */ 5453 5454 /* 5455 * if DATA only packet, and auth is required, then punt... 5456 * can't have authenticated without any AUTH (control) 5457 * chunks 5458 */ 5459 if ((stcb != NULL) && 5460 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) { 5461 /* "silently" ignore */ 5462 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh); 5463 SCTP_STAT_INCR(sctps_recvauthmissing); 5464 goto out; 5465 } 5466 if (stcb == NULL) { 5467 /* out of the blue DATA chunk */ 5468 SCTP_PROBE5(receive, NULL, NULL, m, NULL, sh); 5469 SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__); 5470 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 5471 msg); 5472 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err, 5473 mflowtype, mflowid, fibnum, 5474 vrf_id, port); 5475 goto out; 5476 } 5477 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 5478 /* v_tag mismatch! */ 5479 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh); 5480 SCTP_STAT_INCR(sctps_badvtag); 5481 goto out; 5482 } 5483 } 5484 5485 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh); 5486 if (stcb == NULL) { 5487 /* 5488 * no valid TCB for this packet, or we found it's a bad 5489 * packet while processing control, or we're done with this 5490 * packet (done or skip rest of data), so we drop it... 5491 */ 5492 goto out; 5493 } 5494 5495 /* 5496 * DATA chunk processing 5497 */ 5498 /* plow through the data chunks while length > offset */ 5499 5500 /* 5501 * Rest should be DATA only. Check authentication state if AUTH for 5502 * DATA is required. 5503 */ 5504 if ((length > offset) && 5505 (stcb != NULL) && 5506 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) && 5507 !stcb->asoc.authenticated) { 5508 /* "silently" ignore */ 5509 SCTP_STAT_INCR(sctps_recvauthmissing); 5510 SCTPDBG(SCTP_DEBUG_AUTH1, 5511 "Data chunk requires AUTH, skipped\n"); 5512 goto trigger_send; 5513 } 5514 if (length > offset) { 5515 int retval; 5516 5517 /* 5518 * First check to make sure our state is correct. We would 5519 * not get here unless we really did have a tag, so we don't 5520 * abort if this happens, just dump the chunk silently. 5521 */ 5522 switch (SCTP_GET_STATE(stcb)) { 5523 case SCTP_STATE_COOKIE_ECHOED: 5524 /* 5525 * we consider data with valid tags in this state 5526 * shows us the cookie-ack was lost. Imply it was 5527 * there. 5528 */ 5529 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 5530 break; 5531 case SCTP_STATE_COOKIE_WAIT: 5532 /* 5533 * We consider OOTB any data sent during asoc setup. 5534 */ 5535 SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__); 5536 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code), 5537 msg); 5538 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err, 5539 mflowtype, mflowid, inp->fibnum, 5540 vrf_id, port); 5541 goto out; 5542 /* sa_ignore NOTREACHED */ 5543 break; 5544 case SCTP_STATE_EMPTY: /* should not happen */ 5545 case SCTP_STATE_INUSE: /* should not happen */ 5546 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 5547 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5548 default: 5549 goto out; 5550 /* sa_ignore NOTREACHED */ 5551 break; 5552 case SCTP_STATE_OPEN: 5553 case SCTP_STATE_SHUTDOWN_SENT: 5554 break; 5555 } 5556 /* plow through the data chunks while length > offset */ 5557 retval = sctp_process_data(mm, iphlen, &offset, length, 5558 inp, stcb, net, &high_tsn); 5559 if (retval == 2) { 5560 /* 5561 * The association aborted, NO UNLOCK needed since 5562 * the association is destroyed. 5563 */ 5564 stcb = NULL; 5565 goto out; 5566 } 5567 if (retval == 0) { 5568 data_processed = 1; 5569 } 5570 /* 5571 * Anything important needs to have been m_copy'ed in 5572 * process_data 5573 */ 5574 } 5575 5576 /* take care of ecn */ 5577 if ((data_processed == 1) && 5578 (stcb->asoc.ecn_supported == 1) && 5579 ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS)) { 5580 /* Yep, we need to add a ECNE */ 5581 sctp_send_ecn_echo(stcb, net, high_tsn); 5582 } 5583 5584 if ((data_processed == 0) && (fwd_tsn_seen)) { 5585 int was_a_gap; 5586 uint32_t highest_tsn; 5587 5588 if (SCTP_TSN_GT(stcb->asoc.highest_tsn_inside_nr_map, stcb->asoc.highest_tsn_inside_map)) { 5589 highest_tsn = stcb->asoc.highest_tsn_inside_nr_map; 5590 } else { 5591 highest_tsn = stcb->asoc.highest_tsn_inside_map; 5592 } 5593 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn); 5594 stcb->asoc.send_sack = 1; 5595 sctp_sack_check(stcb, was_a_gap); 5596 } else if (fwd_tsn_seen) { 5597 stcb->asoc.send_sack = 1; 5598 } 5599 /* trigger send of any chunks in queue... */ 5600 trigger_send: 5601 #ifdef SCTP_AUDITING_ENABLED 5602 sctp_audit_log(0xE0, 2); 5603 sctp_auditing(1, inp, stcb, net); 5604 #endif 5605 SCTPDBG(SCTP_DEBUG_INPUT1, 5606 "Check for chunk output prw:%d tqe:%d tf=%d\n", 5607 stcb->asoc.peers_rwnd, 5608 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 5609 stcb->asoc.total_flight); 5610 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 5611 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 5612 cnt_ctrl_ready = stcb->asoc.ctrl_queue_cnt - stcb->asoc.ecn_echo_cnt_onq; 5613 } 5614 if (!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue) || 5615 cnt_ctrl_ready || 5616 stcb->asoc.trigger_reset || 5617 ((un_sent > 0) && 5618 (stcb->asoc.peers_rwnd > 0 || stcb->asoc.total_flight == 0))) { 5619 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n"); 5620 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 5621 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n"); 5622 } 5623 #ifdef SCTP_AUDITING_ENABLED 5624 sctp_audit_log(0xE0, 3); 5625 sctp_auditing(2, inp, stcb, net); 5626 #endif 5627 out: 5628 if (stcb != NULL) { 5629 SCTP_TCB_UNLOCK(stcb); 5630 } 5631 if (inp_decr != NULL) { 5632 /* reduce ref-count */ 5633 SCTP_INP_WLOCK(inp_decr); 5634 SCTP_INP_DECR_REF(inp_decr); 5635 SCTP_INP_WUNLOCK(inp_decr); 5636 } 5637 return; 5638 } 5639 5640 #ifdef INET 5641 void 5642 sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port) 5643 { 5644 struct mbuf *m; 5645 int iphlen; 5646 uint32_t vrf_id = 0; 5647 uint8_t ecn_bits; 5648 struct sockaddr_in src, dst; 5649 struct ip *ip; 5650 struct sctphdr *sh; 5651 struct sctp_chunkhdr *ch; 5652 int length, offset; 5653 uint8_t compute_crc; 5654 uint32_t mflowid; 5655 uint8_t mflowtype; 5656 uint16_t fibnum; 5657 5658 iphlen = off; 5659 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) { 5660 SCTP_RELEASE_PKT(i_pak); 5661 return; 5662 } 5663 m = SCTP_HEADER_TO_CHAIN(i_pak); 5664 #ifdef SCTP_MBUF_LOGGING 5665 /* Log in any input mbufs */ 5666 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 5667 sctp_log_mbc(m, SCTP_MBUF_INPUT); 5668 } 5669 #endif 5670 #ifdef SCTP_PACKET_LOGGING 5671 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) { 5672 sctp_packet_log(m); 5673 } 5674 #endif 5675 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD, 5676 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%b.\n", 5677 m->m_pkthdr.len, 5678 if_name(m->m_pkthdr.rcvif), 5679 (int)m->m_pkthdr.csum_flags, CSUM_BITS); 5680 mflowid = m->m_pkthdr.flowid; 5681 mflowtype = M_HASHTYPE_GET(m); 5682 fibnum = M_GETFIB(m); 5683 SCTP_STAT_INCR(sctps_recvpackets); 5684 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 5685 /* Get IP, SCTP, and first chunk header together in the first mbuf. */ 5686 offset = iphlen + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr); 5687 if (SCTP_BUF_LEN(m) < offset) { 5688 if ((m = m_pullup(m, offset)) == NULL) { 5689 SCTP_STAT_INCR(sctps_hdrops); 5690 return; 5691 } 5692 } 5693 ip = mtod(m, struct ip *); 5694 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 5695 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(struct sctphdr)); 5696 offset -= sizeof(struct sctp_chunkhdr); 5697 memset(&src, 0, sizeof(struct sockaddr_in)); 5698 src.sin_family = AF_INET; 5699 src.sin_len = sizeof(struct sockaddr_in); 5700 src.sin_port = sh->src_port; 5701 src.sin_addr = ip->ip_src; 5702 memset(&dst, 0, sizeof(struct sockaddr_in)); 5703 dst.sin_family = AF_INET; 5704 dst.sin_len = sizeof(struct sockaddr_in); 5705 dst.sin_port = sh->dest_port; 5706 dst.sin_addr = ip->ip_dst; 5707 length = ntohs(ip->ip_len); 5708 /* Validate mbuf chain length with IP payload length. */ 5709 if (SCTP_HEADER_LEN(m) != length) { 5710 SCTPDBG(SCTP_DEBUG_INPUT1, 5711 "sctp_input() length:%d reported length:%d\n", length, SCTP_HEADER_LEN(m)); 5712 SCTP_STAT_INCR(sctps_hdrops); 5713 goto out; 5714 } 5715 /* SCTP does not allow broadcasts or multicasts */ 5716 if (IN_MULTICAST(ntohl(dst.sin_addr.s_addr))) { 5717 goto out; 5718 } 5719 if (SCTP_IS_IT_BROADCAST(dst.sin_addr, m)) { 5720 goto out; 5721 } 5722 ecn_bits = ip->ip_tos; 5723 if (m->m_pkthdr.csum_flags & CSUM_SCTP_VALID) { 5724 SCTP_STAT_INCR(sctps_recvhwcrc); 5725 compute_crc = 0; 5726 } else { 5727 SCTP_STAT_INCR(sctps_recvswcrc); 5728 compute_crc = 1; 5729 } 5730 sctp_common_input_processing(&m, iphlen, offset, length, 5731 (struct sockaddr *)&src, 5732 (struct sockaddr *)&dst, 5733 sh, ch, 5734 compute_crc, 5735 ecn_bits, 5736 mflowtype, mflowid, fibnum, 5737 vrf_id, port); 5738 out: 5739 if (m) { 5740 sctp_m_freem(m); 5741 } 5742 return; 5743 } 5744 5745 #if defined(SCTP_MCORE_INPUT) && defined(SMP) 5746 extern int *sctp_cpuarry; 5747 #endif 5748 5749 int 5750 sctp_input(struct mbuf **mp, int *offp, int proto SCTP_UNUSED) 5751 { 5752 struct mbuf *m; 5753 int off; 5754 5755 m = *mp; 5756 off = *offp; 5757 #if defined(SCTP_MCORE_INPUT) && defined(SMP) 5758 if (mp_ncpus > 1) { 5759 struct ip *ip; 5760 struct sctphdr *sh; 5761 int offset; 5762 int cpu_to_use; 5763 uint32_t flowid, tag; 5764 5765 if (M_HASHTYPE_GET(m) != M_HASHTYPE_NONE) { 5766 flowid = m->m_pkthdr.flowid; 5767 } else { 5768 /* 5769 * No flow id built by lower layers fix it so we 5770 * create one. 5771 */ 5772 offset = off + sizeof(struct sctphdr); 5773 if (SCTP_BUF_LEN(m) < offset) { 5774 if ((m = m_pullup(m, offset)) == NULL) { 5775 SCTP_STAT_INCR(sctps_hdrops); 5776 return (IPPROTO_DONE); 5777 } 5778 } 5779 ip = mtod(m, struct ip *); 5780 sh = (struct sctphdr *)((caddr_t)ip + off); 5781 tag = htonl(sh->v_tag); 5782 flowid = tag ^ ntohs(sh->dest_port) ^ ntohs(sh->src_port); 5783 m->m_pkthdr.flowid = flowid; 5784 M_HASHTYPE_SET(m, M_HASHTYPE_OPAQUE_HASH); 5785 } 5786 cpu_to_use = sctp_cpuarry[flowid % mp_ncpus]; 5787 sctp_queue_to_mcore(m, off, cpu_to_use); 5788 return (IPPROTO_DONE); 5789 } 5790 #endif 5791 sctp_input_with_port(m, off, 0); 5792 return (IPPROTO_DONE); 5793 } 5794 #endif
Cache object: fb97046d316953881155d36c714ce55f
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]