1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
5 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
6 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions are met:
10 *
11 * a) Redistributions of source code must retain the above copyright notice,
12 * this list of conditions and the following disclaimer.
13 *
14 * b) Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the distribution.
17 *
18 * c) Neither the name of Cisco Systems, Inc. nor the names of its
19 * contributors may be used to endorse or promote products derived
20 * from this software without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
24 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
26 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
27 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
28 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
29 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
30 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
31 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
32 * THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD$");
37
38 #include <netinet/sctp_os.h>
39 #include <netinet/sctp_var.h>
40 #include <netinet/sctp_sysctl.h>
41 #include <netinet/sctp_pcb.h>
42 #include <netinet/sctp_header.h>
43 #include <netinet/sctputil.h>
44 #include <netinet/sctp_output.h>
45 #include <netinet/sctp_input.h>
46 #include <netinet/sctp_auth.h>
47 #include <netinet/sctp_indata.h>
48 #include <netinet/sctp_asconf.h>
49 #include <netinet/sctp_bsd_addr.h>
50 #include <netinet/sctp_timer.h>
51 #include <netinet/sctp_crc32.h>
52 #include <netinet/sctp_kdtrace.h>
53 #if defined(INET) || defined(INET6)
54 #include <netinet/udp.h>
55 #endif
56 #include <sys/smp.h>
57
58 static void
59 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb)
60 {
61 struct sctp_nets *net;
62
63 /*
64 * This now not only stops all cookie timers it also stops any INIT
65 * timers as well. This will make sure that the timers are stopped
66 * in all collision cases.
67 */
68 SCTP_TCB_LOCK_ASSERT(stcb);
69 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
70 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) {
71 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
72 stcb->sctp_ep,
73 stcb,
74 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1);
75 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) {
76 sctp_timer_stop(SCTP_TIMER_TYPE_INIT,
77 stcb->sctp_ep,
78 stcb,
79 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2);
80 }
81 }
82 }
83
84 /* INIT handler */
85 static void
86 sctp_handle_init(struct mbuf *m, int iphlen, int offset,
87 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
88 struct sctp_init_chunk *cp, struct sctp_inpcb *inp,
89 struct sctp_tcb *stcb, struct sctp_nets *net,
90 uint8_t mflowtype, uint32_t mflowid,
91 uint32_t vrf_id, uint16_t port)
92 {
93 struct sctp_init *init;
94 struct mbuf *op_err;
95
96 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n",
97 (void *)stcb);
98 if (stcb == NULL) {
99 SCTP_INP_RLOCK(inp);
100 }
101 /* Validate parameters */
102 init = &cp->init;
103 if (ntohl(init->initiate_tag) == 0) {
104 goto outnow;
105 }
106 if ((ntohl(init->a_rwnd) < SCTP_MIN_RWND) ||
107 (ntohs(init->num_inbound_streams) == 0) ||
108 (ntohs(init->num_outbound_streams) == 0)) {
109 /* protocol error... send abort */
110 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
111 sctp_send_abort(m, iphlen, src, dst, sh, init->initiate_tag, op_err,
112 mflowtype, mflowid, inp->fibnum,
113 vrf_id, port);
114 goto outnow;
115 }
116 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp),
117 offset + ntohs(cp->ch.chunk_length))) {
118 /* auth parameter(s) error... send abort */
119 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
120 "Problem with AUTH parameters");
121 sctp_send_abort(m, iphlen, src, dst, sh, init->initiate_tag, op_err,
122 mflowtype, mflowid, inp->fibnum,
123 vrf_id, port);
124 goto outnow;
125 }
126 /* We are only accepting if we have a listening socket. */
127 if ((stcb == NULL) &&
128 ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
129 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
130 (!SCTP_IS_LISTENING(inp)))) {
131 /*
132 * FIX ME ?? What about TCP model and we have a
133 * match/restart case? Actually no fix is needed. the lookup
134 * will always find the existing assoc so stcb would not be
135 * NULL. It may be questionable to do this since we COULD
136 * just send back the INIT-ACK and hope that the app did
137 * accept()'s by the time the COOKIE was sent. But there is
138 * a price to pay for COOKIE generation and I don't want to
139 * pay it on the chance that the app will actually do some
140 * accepts(). The App just looses and should NOT be in this
141 * state :-)
142 */
143 if (SCTP_BASE_SYSCTL(sctp_blackhole) == 0) {
144 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
145 "No listener");
146 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err,
147 mflowtype, mflowid, inp->fibnum,
148 vrf_id, port);
149 }
150 goto outnow;
151 }
152 if ((stcb != NULL) &&
153 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT)) {
154 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending SHUTDOWN-ACK\n");
155 sctp_send_shutdown_ack(stcb, NULL);
156 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
157 } else {
158 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n");
159 sctp_send_initiate_ack(inp, stcb, net, m, iphlen, offset,
160 src, dst, sh, cp,
161 mflowtype, mflowid,
162 vrf_id, port);
163 }
164 outnow:
165 if (stcb == NULL) {
166 SCTP_INP_RUNLOCK(inp);
167 }
168 }
169
170 /*
171 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error
172 */
173
174 int
175 sctp_is_there_unsent_data(struct sctp_tcb *stcb, int so_locked)
176 {
177 int unsent_data;
178 unsigned int i;
179 struct sctp_stream_queue_pending *sp;
180 struct sctp_association *asoc;
181
182 SCTP_TCB_LOCK_ASSERT(stcb);
183
184 /*
185 * This function returns if any stream has true unsent data on it.
186 * Note that as it looks through it will clean up any places that
187 * have old data that has been sent but left at top of stream queue.
188 */
189 asoc = &stcb->asoc;
190 unsent_data = 0;
191 if (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
192 /* Check to see if some data queued */
193 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
194 /* sa_ignore FREED_MEMORY */
195 sp = TAILQ_FIRST(&stcb->asoc.strmout[i].outqueue);
196 if (sp == NULL) {
197 continue;
198 }
199 if ((sp->msg_is_complete) &&
200 (sp->length == 0) &&
201 (sp->sender_all_done)) {
202 /*
203 * We are doing differed cleanup. Last time
204 * through when we took all the data the
205 * sender_all_done was not set.
206 */
207 if (sp->put_last_out == 0) {
208 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
209 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
210 sp->sender_all_done,
211 sp->length,
212 sp->msg_is_complete,
213 sp->put_last_out);
214 }
215 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
216 TAILQ_REMOVE(&stcb->asoc.strmout[i].outqueue, sp, next);
217 stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, &asoc->strmout[i], sp);
218 if (sp->net) {
219 sctp_free_remote_addr(sp->net);
220 sp->net = NULL;
221 }
222 if (sp->data) {
223 sctp_m_freem(sp->data);
224 sp->data = NULL;
225 }
226 sctp_free_a_strmoq(stcb, sp, so_locked);
227 if (!TAILQ_EMPTY(&stcb->asoc.strmout[i].outqueue)) {
228 unsent_data++;
229 }
230 } else {
231 unsent_data++;
232 }
233 if (unsent_data > 0) {
234 break;
235 }
236 }
237 }
238 return (unsent_data);
239 }
240
241 static int
242 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb)
243 {
244 struct sctp_init *init;
245 struct sctp_association *asoc;
246 struct sctp_nets *lnet;
247 unsigned int i;
248
249 SCTP_TCB_LOCK_ASSERT(stcb);
250
251 init = &cp->init;
252 asoc = &stcb->asoc;
253 /* save off parameters */
254 asoc->peer_vtag = ntohl(init->initiate_tag);
255 asoc->peers_rwnd = ntohl(init->a_rwnd);
256 /* init tsn's */
257 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
258
259 if (!TAILQ_EMPTY(&asoc->nets)) {
260 /* update any ssthresh's that may have a default */
261 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
262 lnet->ssthresh = asoc->peers_rwnd;
263 if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) {
264 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION);
265 }
266 }
267 }
268 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
269 unsigned int newcnt;
270 struct sctp_stream_out *outs;
271 struct sctp_stream_queue_pending *sp, *nsp;
272 struct sctp_tmit_chunk *chk, *nchk;
273
274 /* abandon the upper streams */
275 newcnt = ntohs(init->num_inbound_streams);
276 TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
277 if (chk->rec.data.sid >= newcnt) {
278 TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next);
279 asoc->send_queue_cnt--;
280 if (asoc->strmout[chk->rec.data.sid].chunks_on_queues > 0) {
281 asoc->strmout[chk->rec.data.sid].chunks_on_queues--;
282 #ifdef INVARIANTS
283 } else {
284 panic("No chunks on the queues for sid %u.", chk->rec.data.sid);
285 #endif
286 }
287 if (chk->data != NULL) {
288 sctp_free_bufspace(stcb, asoc, chk, 1);
289 sctp_ulp_notify(SCTP_NOTIFY_UNSENT_DG_FAIL, stcb,
290 0, chk, SCTP_SO_NOT_LOCKED);
291 if (chk->data) {
292 sctp_m_freem(chk->data);
293 chk->data = NULL;
294 }
295 }
296 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
297 /* sa_ignore FREED_MEMORY */
298 }
299 }
300 if (asoc->strmout) {
301 for (i = newcnt; i < asoc->pre_open_streams; i++) {
302 outs = &asoc->strmout[i];
303 TAILQ_FOREACH_SAFE(sp, &outs->outqueue, next, nsp) {
304 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
305 TAILQ_REMOVE(&outs->outqueue, sp, next);
306 stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, outs, sp);
307 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL,
308 stcb, 0, sp, SCTP_SO_NOT_LOCKED);
309 if (sp->data) {
310 sctp_m_freem(sp->data);
311 sp->data = NULL;
312 }
313 if (sp->net) {
314 sctp_free_remote_addr(sp->net);
315 sp->net = NULL;
316 }
317 /* Free the chunk */
318 sctp_free_a_strmoq(stcb, sp, SCTP_SO_NOT_LOCKED);
319 /* sa_ignore FREED_MEMORY */
320 }
321 outs->state = SCTP_STREAM_CLOSED;
322 }
323 }
324 /* cut back the count */
325 asoc->pre_open_streams = newcnt;
326 }
327 asoc->streamoutcnt = asoc->pre_open_streams;
328 if (asoc->strmout) {
329 for (i = 0; i < asoc->streamoutcnt; i++) {
330 asoc->strmout[i].state = SCTP_STREAM_OPEN;
331 }
332 }
333 /* EY - nr_sack: initialize highest tsn in nr_mapping_array */
334 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
335 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
336 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
337 }
338 /* This is the next one we expect */
339 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
340
341 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
342 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in;
343
344 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
345 /* open the requested streams */
346
347 if (asoc->strmin != NULL) {
348 /* Free the old ones */
349 for (i = 0; i < asoc->streamincnt; i++) {
350 sctp_clean_up_stream(stcb, &asoc->strmin[i].inqueue);
351 sctp_clean_up_stream(stcb, &asoc->strmin[i].uno_inqueue);
352 }
353 SCTP_FREE(asoc->strmin, SCTP_M_STRMI);
354 }
355 if (asoc->max_inbound_streams > ntohs(init->num_outbound_streams)) {
356 asoc->streamincnt = ntohs(init->num_outbound_streams);
357 } else {
358 asoc->streamincnt = asoc->max_inbound_streams;
359 }
360 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt *
361 sizeof(struct sctp_stream_in), SCTP_M_STRMI);
362 if (asoc->strmin == NULL) {
363 /* we didn't get memory for the streams! */
364 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n");
365 return (-1);
366 }
367 for (i = 0; i < asoc->streamincnt; i++) {
368 asoc->strmin[i].sid = i;
369 asoc->strmin[i].last_mid_delivered = 0xffffffff;
370 TAILQ_INIT(&asoc->strmin[i].inqueue);
371 TAILQ_INIT(&asoc->strmin[i].uno_inqueue);
372 asoc->strmin[i].pd_api_started = 0;
373 asoc->strmin[i].delivery_started = 0;
374 }
375 /*
376 * load_address_from_init will put the addresses into the
377 * association when the COOKIE is processed or the INIT-ACK is
378 * processed. Both types of COOKIE's existing and new call this
379 * routine. It will remove addresses that are no longer in the
380 * association (for the restarting case where addresses are
381 * removed). Up front when the INIT arrives we will discard it if it
382 * is a restart and new addresses have been added.
383 */
384 /* sa_ignore MEMLEAK */
385 return (0);
386 }
387
388 /*
389 * INIT-ACK message processing/consumption returns value < 0 on error
390 */
391 static int
392 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
393 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
394 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
395 struct sctp_nets *net, int *abort_no_unlock,
396 uint8_t mflowtype, uint32_t mflowid,
397 uint32_t vrf_id)
398 {
399 struct sctp_association *asoc;
400 struct mbuf *op_err;
401 int retval, abort_flag, cookie_found;
402 int initack_limit;
403 int nat_friendly = 0;
404
405 /* First verify that we have no illegal param's */
406 abort_flag = 0;
407 cookie_found = 0;
408
409 op_err = sctp_arethere_unrecognized_parameters(m,
410 (offset + sizeof(struct sctp_init_chunk)),
411 &abort_flag, (struct sctp_chunkhdr *)cp,
412 &nat_friendly, &cookie_found);
413 if (abort_flag) {
414 /* Send an abort and notify peer */
415 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
416 src, dst, sh, op_err,
417 mflowtype, mflowid,
418 vrf_id, net->port);
419 *abort_no_unlock = 1;
420 return (-1);
421 }
422 if (!cookie_found) {
423 uint16_t len;
424
425 /* Only report the missing cookie parameter */
426 if (op_err != NULL) {
427 sctp_m_freem(op_err);
428 }
429 len = (uint16_t)(sizeof(struct sctp_error_missing_param) + sizeof(uint16_t));
430 /* We abort with an error of missing mandatory param */
431 op_err = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
432 if (op_err != NULL) {
433 struct sctp_error_missing_param *cause;
434
435 SCTP_BUF_LEN(op_err) = len;
436 cause = mtod(op_err, struct sctp_error_missing_param *);
437 /* Subtract the reserved param */
438 cause->cause.code = htons(SCTP_CAUSE_MISSING_PARAM);
439 cause->cause.length = htons(len);
440 cause->num_missing_params = htonl(1);
441 cause->type[0] = htons(SCTP_STATE_COOKIE);
442 }
443 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
444 src, dst, sh, op_err,
445 mflowtype, mflowid,
446 vrf_id, net->port);
447 *abort_no_unlock = 1;
448 return (-3);
449 }
450 asoc = &stcb->asoc;
451 asoc->peer_supports_nat = (uint8_t)nat_friendly;
452 /* process the peer's parameters in the INIT-ACK */
453 if (sctp_process_init((struct sctp_init_chunk *)cp, stcb) < 0) {
454 if (op_err != NULL) {
455 sctp_m_freem(op_err);
456 }
457 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
458 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n");
459 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
460 src, dst, sh, op_err,
461 mflowtype, mflowid,
462 vrf_id, net->port);
463 *abort_no_unlock = 1;
464 return (-1);
465 }
466 initack_limit = offset + ntohs(cp->ch.chunk_length);
467 /* load all addresses */
468 if ((retval = sctp_load_addresses_from_init(stcb, m,
469 offset + sizeof(struct sctp_init_chunk),
470 initack_limit, src, dst, NULL, stcb->asoc.port)) < 0) {
471 if (op_err != NULL) {
472 sctp_m_freem(op_err);
473 }
474 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
475 "Problem with address parameters");
476 SCTPDBG(SCTP_DEBUG_INPUT1,
477 "Load addresses from INIT causes an abort %d\n",
478 retval);
479 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
480 src, dst, sh, op_err,
481 mflowtype, mflowid,
482 vrf_id, net->port);
483 *abort_no_unlock = 1;
484 return (-1);
485 }
486 /* if the peer doesn't support asconf, flush the asconf queue */
487 if (asoc->asconf_supported == 0) {
488 struct sctp_asconf_addr *param, *nparam;
489
490 TAILQ_FOREACH_SAFE(param, &asoc->asconf_queue, next, nparam) {
491 TAILQ_REMOVE(&asoc->asconf_queue, param, next);
492 SCTP_FREE(param, SCTP_M_ASC_ADDR);
493 }
494 }
495
496 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs,
497 stcb->asoc.local_hmacs);
498 if (op_err) {
499 sctp_queue_op_err(stcb, op_err);
500 /* queuing will steal away the mbuf chain to the out queue */
501 op_err = NULL;
502 }
503 /* extract the cookie and queue it to "echo" it back... */
504 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
505 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
506 stcb->asoc.overall_error_count,
507 0,
508 SCTP_FROM_SCTP_INPUT,
509 __LINE__);
510 }
511 stcb->asoc.overall_error_count = 0;
512 net->error_count = 0;
513
514 /*
515 * Cancel the INIT timer, We do this first before queueing the
516 * cookie. We always cancel at the primary to assume that we are
517 * canceling the timer started by the INIT which always goes to the
518 * primary.
519 */
520 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
521 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3);
522
523 /* calculate the RTO */
524 sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered,
525 SCTP_RTT_FROM_NON_DATA);
526 retval = sctp_send_cookie_echo(m, offset, initack_limit, stcb, net);
527 return (retval);
528 }
529
530 static void
531 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
532 struct sctp_tcb *stcb, struct sctp_nets *net)
533 {
534 union sctp_sockstore store;
535 struct sctp_nets *r_net, *f_net;
536 struct timeval tv;
537 int req_prim = 0;
538 uint16_t old_error_counter;
539
540 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
541 /* Invalid length */
542 return;
543 }
544
545 memset(&store, 0, sizeof(store));
546 switch (cp->heartbeat.hb_info.addr_family) {
547 #ifdef INET
548 case AF_INET:
549 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
550 store.sin.sin_family = cp->heartbeat.hb_info.addr_family;
551 store.sin.sin_len = cp->heartbeat.hb_info.addr_len;
552 store.sin.sin_port = stcb->rport;
553 memcpy(&store.sin.sin_addr, cp->heartbeat.hb_info.address,
554 sizeof(store.sin.sin_addr));
555 } else {
556 return;
557 }
558 break;
559 #endif
560 #ifdef INET6
561 case AF_INET6:
562 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
563 store.sin6.sin6_family = cp->heartbeat.hb_info.addr_family;
564 store.sin6.sin6_len = cp->heartbeat.hb_info.addr_len;
565 store.sin6.sin6_port = stcb->rport;
566 memcpy(&store.sin6.sin6_addr, cp->heartbeat.hb_info.address, sizeof(struct in6_addr));
567 } else {
568 return;
569 }
570 break;
571 #endif
572 default:
573 return;
574 }
575 r_net = sctp_findnet(stcb, &store.sa);
576 if (r_net == NULL) {
577 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n");
578 return;
579 }
580 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
581 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
582 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
583 /*
584 * If the its a HB and it's random value is correct when can
585 * confirm the destination.
586 */
587 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
588 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) {
589 stcb->asoc.primary_destination = r_net;
590 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY;
591 f_net = TAILQ_FIRST(&stcb->asoc.nets);
592 if (f_net != r_net) {
593 /*
594 * first one on the list is NOT the primary
595 * sctp_cmpaddr() is much more efficient if
596 * the primary is the first on the list,
597 * make it so.
598 */
599 TAILQ_REMOVE(&stcb->asoc.nets, r_net, sctp_next);
600 TAILQ_INSERT_HEAD(&stcb->asoc.nets, r_net, sctp_next);
601 }
602 req_prim = 1;
603 }
604 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
605 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
606 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb,
607 r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4);
608 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net);
609 }
610 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
611 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
612 stcb->asoc.overall_error_count,
613 0,
614 SCTP_FROM_SCTP_INPUT,
615 __LINE__);
616 }
617 stcb->asoc.overall_error_count = 0;
618 old_error_counter = r_net->error_count;
619 r_net->error_count = 0;
620 r_net->hb_responded = 1;
621 tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
622 tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
623 /* Now lets do a RTO with this */
624 sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv,
625 SCTP_RTT_FROM_NON_DATA);
626 if ((r_net->dest_state & SCTP_ADDR_REACHABLE) == 0) {
627 r_net->dest_state |= SCTP_ADDR_REACHABLE;
628 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
629 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
630 }
631 if (r_net->dest_state & SCTP_ADDR_PF) {
632 r_net->dest_state &= ~SCTP_ADDR_PF;
633 stcb->asoc.cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
634 }
635 if (old_error_counter > 0) {
636 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
637 stcb, r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5);
638 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net);
639 }
640 if (r_net == stcb->asoc.primary_destination) {
641 if (stcb->asoc.alternate) {
642 /* release the alternate, primary is good */
643 sctp_free_remote_addr(stcb->asoc.alternate);
644 stcb->asoc.alternate = NULL;
645 }
646 }
647 /* Mobility adaptation */
648 if (req_prim) {
649 if ((sctp_is_mobility_feature_on(stcb->sctp_ep,
650 SCTP_MOBILITY_BASE) ||
651 sctp_is_mobility_feature_on(stcb->sctp_ep,
652 SCTP_MOBILITY_FASTHANDOFF)) &&
653 sctp_is_mobility_feature_on(stcb->sctp_ep,
654 SCTP_MOBILITY_PRIM_DELETED)) {
655 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED,
656 stcb->sctp_ep, stcb, NULL,
657 SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
658 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
659 SCTP_MOBILITY_FASTHANDOFF)) {
660 sctp_assoc_immediate_retrans(stcb,
661 stcb->asoc.primary_destination);
662 }
663 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
664 SCTP_MOBILITY_BASE)) {
665 sctp_move_chunks_from_net(stcb,
666 stcb->asoc.deleted_primary);
667 }
668 sctp_delete_prim_timer(stcb->sctp_ep, stcb);
669 }
670 }
671 }
672
673 static int
674 sctp_handle_nat_colliding_state(struct sctp_tcb *stcb)
675 {
676 /*
677 * Return 0 means we want you to proceed with the abort non-zero
678 * means no abort processing.
679 */
680 uint32_t new_vtag;
681 struct sctpasochead *head;
682
683 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
684 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
685 atomic_add_int(&stcb->asoc.refcnt, 1);
686 SCTP_TCB_UNLOCK(stcb);
687 SCTP_INP_INFO_WLOCK();
688 SCTP_TCB_LOCK(stcb);
689 atomic_subtract_int(&stcb->asoc.refcnt, 1);
690 } else {
691 return (0);
692 }
693 new_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
694 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) {
695 /* generate a new vtag and send init */
696 LIST_REMOVE(stcb, sctp_asocs);
697 stcb->asoc.my_vtag = new_vtag;
698 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
699 /*
700 * put it in the bucket in the vtag hash of assoc's for the
701 * system
702 */
703 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
704 SCTP_INP_INFO_WUNLOCK();
705 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
706 return (1);
707 } else {
708 /*
709 * treat like a case where the cookie expired i.e.: - dump
710 * current cookie. - generate a new vtag. - resend init.
711 */
712 /* generate a new vtag and send init */
713 LIST_REMOVE(stcb, sctp_asocs);
714 SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
715 sctp_stop_all_cookie_timers(stcb);
716 sctp_toss_old_cookies(stcb, &stcb->asoc);
717 stcb->asoc.my_vtag = new_vtag;
718 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
719 /*
720 * put it in the bucket in the vtag hash of assoc's for the
721 * system
722 */
723 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
724 SCTP_INP_INFO_WUNLOCK();
725 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
726 return (1);
727 }
728 return (0);
729 }
730
731 static int
732 sctp_handle_nat_missing_state(struct sctp_tcb *stcb,
733 struct sctp_nets *net)
734 {
735 /*
736 * return 0 means we want you to proceed with the abort non-zero
737 * means no abort processing
738 */
739 if (stcb->asoc.auth_supported == 0) {
740 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n");
741 return (0);
742 }
743 sctp_asconf_send_nat_state_update(stcb, net);
744 return (1);
745 }
746
747 /* Returns 1 if the stcb was aborted, 0 otherwise */
748 static int
749 sctp_handle_abort(struct sctp_abort_chunk *abort,
750 struct sctp_tcb *stcb, struct sctp_nets *net)
751 {
752 uint16_t len;
753 uint16_t error;
754
755 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n");
756 if (stcb == NULL)
757 return (0);
758
759 len = ntohs(abort->ch.chunk_length);
760 if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_error_cause)) {
761 /*
762 * Need to check the cause codes for our two magic nat
763 * aborts which don't kill the assoc necessarily.
764 */
765 struct sctp_error_cause *cause;
766
767 cause = (struct sctp_error_cause *)(abort + 1);
768 error = ntohs(cause->code);
769 if (error == SCTP_CAUSE_NAT_COLLIDING_STATE) {
770 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state, ABORT flags:%x\n",
771 abort->ch.chunk_flags);
772 if (sctp_handle_nat_colliding_state(stcb)) {
773 return (0);
774 }
775 } else if (error == SCTP_CAUSE_NAT_MISSING_STATE) {
776 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state, ABORT flags:%x\n",
777 abort->ch.chunk_flags);
778 if (sctp_handle_nat_missing_state(stcb, net)) {
779 return (0);
780 }
781 }
782 } else {
783 error = 0;
784 }
785 /* stop any receive timers */
786 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, NULL,
787 SCTP_FROM_SCTP_INPUT + SCTP_LOC_7);
788 /* notify user of the abort and clean up... */
789 sctp_abort_notification(stcb, true, false, error, abort, SCTP_SO_NOT_LOCKED);
790 /* free the tcb */
791 SCTP_STAT_INCR_COUNTER32(sctps_aborted);
792 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
793 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
794 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
795 }
796 #ifdef SCTP_ASOCLOG_OF_TSNS
797 sctp_print_out_track_log(stcb);
798 #endif
799 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
800 SCTP_FROM_SCTP_INPUT + SCTP_LOC_8);
801 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n");
802 return (1);
803 }
804
805 static void
806 sctp_start_net_timers(struct sctp_tcb *stcb)
807 {
808 uint32_t cnt_hb_sent;
809 struct sctp_nets *net;
810
811 cnt_hb_sent = 0;
812 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
813 /*
814 * For each network start: 1) A pmtu timer. 2) A HB timer 3)
815 * If the dest in unconfirmed send a hb as well if under
816 * max_hb_burst have been sent.
817 */
818 sctp_timer_start(SCTP_TIMER_TYPE_PATHMTURAISE, stcb->sctp_ep, stcb, net);
819 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
820 if ((net->dest_state & SCTP_ADDR_UNCONFIRMED) &&
821 (cnt_hb_sent < SCTP_BASE_SYSCTL(sctp_hb_maxburst))) {
822 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
823 cnt_hb_sent++;
824 }
825 }
826 if (cnt_hb_sent) {
827 sctp_chunk_output(stcb->sctp_ep, stcb,
828 SCTP_OUTPUT_FROM_COOKIE_ACK,
829 SCTP_SO_NOT_LOCKED);
830 }
831 }
832
833 static void
834 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
835 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
836 {
837 struct sctp_association *asoc;
838 int some_on_streamwheel;
839 int old_state;
840
841 SCTPDBG(SCTP_DEBUG_INPUT2,
842 "sctp_handle_shutdown: handling SHUTDOWN\n");
843 if (stcb == NULL)
844 return;
845 asoc = &stcb->asoc;
846 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
847 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
848 return;
849 }
850 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
851 /* Shutdown NOT the expected size */
852 return;
853 }
854 old_state = SCTP_GET_STATE(stcb);
855 sctp_update_acked(stcb, cp, abort_flag);
856 if (*abort_flag) {
857 return;
858 }
859 if (asoc->control_pdapi) {
860 /*
861 * With a normal shutdown we assume the end of last record.
862 */
863 SCTP_INP_READ_LOCK(stcb->sctp_ep);
864 if (asoc->control_pdapi->on_strm_q) {
865 struct sctp_stream_in *strm;
866
867 strm = &asoc->strmin[asoc->control_pdapi->sinfo_stream];
868 if (asoc->control_pdapi->on_strm_q == SCTP_ON_UNORDERED) {
869 /* Unordered */
870 TAILQ_REMOVE(&strm->uno_inqueue, asoc->control_pdapi, next_instrm);
871 asoc->control_pdapi->on_strm_q = 0;
872 } else if (asoc->control_pdapi->on_strm_q == SCTP_ON_ORDERED) {
873 /* Ordered */
874 TAILQ_REMOVE(&strm->inqueue, asoc->control_pdapi, next_instrm);
875 asoc->control_pdapi->on_strm_q = 0;
876 #ifdef INVARIANTS
877 } else {
878 panic("Unknown state on ctrl:%p on_strm_q:%d",
879 asoc->control_pdapi,
880 asoc->control_pdapi->on_strm_q);
881 #endif
882 }
883 }
884 asoc->control_pdapi->end_added = 1;
885 asoc->control_pdapi->pdapi_aborted = 1;
886 asoc->control_pdapi = NULL;
887 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
888 if (stcb->sctp_socket) {
889 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
890 }
891 }
892 /* goto SHUTDOWN_RECEIVED state to block new requests */
893 if (stcb->sctp_socket) {
894 if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
895 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT) &&
896 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT)) {
897 SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_RECEIVED);
898 /*
899 * notify upper layer that peer has initiated a
900 * shutdown
901 */
902 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
903
904 /* reset time */
905 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
906 }
907 }
908 if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_SENT) {
909 /*
910 * stop the shutdown timer, since we WILL move to
911 * SHUTDOWN-ACK-SENT.
912 */
913 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
914 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9);
915 }
916 /* Now is there unsent data on a stream somewhere? */
917 some_on_streamwheel = sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED);
918
919 if (!TAILQ_EMPTY(&asoc->send_queue) ||
920 !TAILQ_EMPTY(&asoc->sent_queue) ||
921 some_on_streamwheel) {
922 /* By returning we will push more data out */
923 return;
924 } else {
925 /* no outstanding data to send, so move on... */
926 /* send SHUTDOWN-ACK */
927 /* move to SHUTDOWN-ACK-SENT state */
928 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) ||
929 (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
930 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
931 }
932 if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
933 SCTP_SET_STATE(stcb, SCTP_STATE_SHUTDOWN_ACK_SENT);
934 sctp_stop_timers_for_shutdown(stcb);
935 sctp_send_shutdown_ack(stcb, net);
936 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
937 stcb->sctp_ep, stcb, net);
938 } else if (old_state == SCTP_STATE_SHUTDOWN_ACK_SENT) {
939 sctp_send_shutdown_ack(stcb, net);
940 }
941 }
942 }
943
944 static void
945 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp SCTP_UNUSED,
946 struct sctp_tcb *stcb,
947 struct sctp_nets *net)
948 {
949 struct sctp_association *asoc;
950
951 SCTPDBG(SCTP_DEBUG_INPUT2,
952 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
953 if (stcb == NULL)
954 return;
955
956 asoc = &stcb->asoc;
957 /* process according to association state */
958 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
959 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
960 /* unexpected SHUTDOWN-ACK... do OOTB handling... */
961 sctp_send_shutdown_complete(stcb, net, 1);
962 SCTP_TCB_UNLOCK(stcb);
963 return;
964 }
965 if ((SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) &&
966 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
967 /* unexpected SHUTDOWN-ACK... so ignore... */
968 SCTP_TCB_UNLOCK(stcb);
969 return;
970 }
971 if (asoc->control_pdapi) {
972 /*
973 * With a normal shutdown we assume the end of last record.
974 */
975 SCTP_INP_READ_LOCK(stcb->sctp_ep);
976 asoc->control_pdapi->end_added = 1;
977 asoc->control_pdapi->pdapi_aborted = 1;
978 asoc->control_pdapi = NULL;
979 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
980 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
981 }
982 #ifdef INVARIANTS
983 if (!TAILQ_EMPTY(&asoc->send_queue) ||
984 !TAILQ_EMPTY(&asoc->sent_queue) ||
985 sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED)) {
986 panic("Queues are not empty when handling SHUTDOWN-ACK");
987 }
988 #endif
989 /* stop the timer */
990 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net,
991 SCTP_FROM_SCTP_INPUT + SCTP_LOC_10);
992 /* send SHUTDOWN-COMPLETE */
993 sctp_send_shutdown_complete(stcb, net, 0);
994 /* notify upper layer protocol */
995 if (stcb->sctp_socket) {
996 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
997 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
998 SCTP_SB_CLEAR(stcb->sctp_socket->so_snd);
999 }
1000 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
1001 }
1002 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
1003 /* free the TCB but first save off the ep */
1004 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
1005 SCTP_FROM_SCTP_INPUT + SCTP_LOC_11);
1006 }
1007
1008 static void
1009 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, uint8_t chunk_type)
1010 {
1011 switch (chunk_type) {
1012 case SCTP_ASCONF_ACK:
1013 case SCTP_ASCONF:
1014 sctp_asconf_cleanup(stcb);
1015 break;
1016 case SCTP_IFORWARD_CUM_TSN:
1017 case SCTP_FORWARD_CUM_TSN:
1018 stcb->asoc.prsctp_supported = 0;
1019 break;
1020 default:
1021 SCTPDBG(SCTP_DEBUG_INPUT2,
1022 "Peer does not support chunk type %d (0x%x).\n",
1023 chunk_type, chunk_type);
1024 break;
1025 }
1026 }
1027
1028 /*
1029 * Skip past the param header and then we will find the param that caused the
1030 * problem. There are a number of param's in a ASCONF OR the prsctp param
1031 * these will turn of specific features.
1032 * XXX: Is this the right thing to do?
1033 */
1034 static void
1035 sctp_process_unrecog_param(struct sctp_tcb *stcb, uint16_t parameter_type)
1036 {
1037 switch (parameter_type) {
1038 /* pr-sctp draft */
1039 case SCTP_PRSCTP_SUPPORTED:
1040 stcb->asoc.prsctp_supported = 0;
1041 break;
1042 case SCTP_SUPPORTED_CHUNK_EXT:
1043 break;
1044 /* draft-ietf-tsvwg-addip-sctp */
1045 case SCTP_HAS_NAT_SUPPORT:
1046 stcb->asoc.peer_supports_nat = 0;
1047 break;
1048 case SCTP_ADD_IP_ADDRESS:
1049 case SCTP_DEL_IP_ADDRESS:
1050 case SCTP_SET_PRIM_ADDR:
1051 stcb->asoc.asconf_supported = 0;
1052 break;
1053 case SCTP_SUCCESS_REPORT:
1054 case SCTP_ERROR_CAUSE_IND:
1055 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n");
1056 SCTPDBG(SCTP_DEBUG_INPUT2,
1057 "Turning off ASCONF to this strange peer\n");
1058 stcb->asoc.asconf_supported = 0;
1059 break;
1060 default:
1061 SCTPDBG(SCTP_DEBUG_INPUT2,
1062 "Peer does not support param type %d (0x%x)??\n",
1063 parameter_type, parameter_type);
1064 break;
1065 }
1066 }
1067
1068 static int
1069 sctp_handle_error(struct sctp_chunkhdr *ch,
1070 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
1071 {
1072 struct sctp_error_cause *cause;
1073 struct sctp_association *asoc;
1074 uint32_t remaining_length, adjust;
1075 uint16_t code, cause_code, cause_length;
1076
1077 /* parse through all of the errors and process */
1078 asoc = &stcb->asoc;
1079 cause = (struct sctp_error_cause *)((caddr_t)ch +
1080 sizeof(struct sctp_chunkhdr));
1081 remaining_length = ntohs(ch->chunk_length);
1082 if (remaining_length > limit) {
1083 remaining_length = limit;
1084 }
1085 if (remaining_length >= sizeof(struct sctp_chunkhdr)) {
1086 remaining_length -= sizeof(struct sctp_chunkhdr);
1087 } else {
1088 remaining_length = 0;
1089 }
1090 code = 0;
1091 while (remaining_length >= sizeof(struct sctp_error_cause)) {
1092 /* Process an Error Cause */
1093 cause_code = ntohs(cause->code);
1094 cause_length = ntohs(cause->length);
1095 if ((cause_length > remaining_length) || (cause_length == 0)) {
1096 /* Invalid cause length, possibly due to truncation. */
1097 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in cause - bytes left: %u cause length: %u\n",
1098 remaining_length, cause_length);
1099 return (0);
1100 }
1101 if (code == 0) {
1102 /* report the first error cause */
1103 code = cause_code;
1104 }
1105 switch (cause_code) {
1106 case SCTP_CAUSE_INVALID_STREAM:
1107 case SCTP_CAUSE_MISSING_PARAM:
1108 case SCTP_CAUSE_INVALID_PARAM:
1109 case SCTP_CAUSE_NO_USER_DATA:
1110 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %u back? We have a bug :/ (or do they?)\n",
1111 cause_code);
1112 break;
1113 case SCTP_CAUSE_NAT_COLLIDING_STATE:
1114 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state, ERROR flags: %x\n",
1115 ch->chunk_flags);
1116 if (sctp_handle_nat_colliding_state(stcb)) {
1117 return (0);
1118 }
1119 break;
1120 case SCTP_CAUSE_NAT_MISSING_STATE:
1121 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state, ERROR flags: %x\n",
1122 ch->chunk_flags);
1123 if (sctp_handle_nat_missing_state(stcb, net)) {
1124 return (0);
1125 }
1126 break;
1127 case SCTP_CAUSE_STALE_COOKIE:
1128 /*
1129 * We only act if we have echoed a cookie and are
1130 * waiting.
1131 */
1132 if ((cause_length >= sizeof(struct sctp_error_stale_cookie)) &&
1133 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
1134 struct sctp_error_stale_cookie *stale_cookie;
1135
1136 stale_cookie = (struct sctp_error_stale_cookie *)cause;
1137 /* stable_time is in usec, convert to msec. */
1138 asoc->cookie_preserve_req = ntohl(stale_cookie->stale_time) / 1000;
1139 /* Double it to be more robust on RTX. */
1140 asoc->cookie_preserve_req *= 2;
1141 asoc->stale_cookie_count++;
1142 if (asoc->stale_cookie_count >
1143 asoc->max_init_times) {
1144 sctp_abort_notification(stcb, false, true, 0, NULL, SCTP_SO_NOT_LOCKED);
1145 /* now free the asoc */
1146 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
1147 SCTP_FROM_SCTP_INPUT + SCTP_LOC_12);
1148 return (-1);
1149 }
1150 /* blast back to INIT state */
1151 sctp_toss_old_cookies(stcb, &stcb->asoc);
1152 SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_WAIT);
1153 sctp_stop_all_cookie_timers(stcb);
1154 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
1155 }
1156 break;
1157 case SCTP_CAUSE_UNRESOLVABLE_ADDR:
1158 /*
1159 * Nothing we can do here, we don't do hostname
1160 * addresses so if the peer does not like my IPv6
1161 * (or IPv4 for that matter) it does not matter. If
1162 * they don't support that type of address, they can
1163 * NOT possibly get that packet type... i.e. with no
1164 * IPv6 you can't receive a IPv6 packet. so we can
1165 * safely ignore this one. If we ever added support
1166 * for HOSTNAME Addresses, then we would need to do
1167 * something here.
1168 */
1169 break;
1170 case SCTP_CAUSE_UNRECOG_CHUNK:
1171 if (cause_length >= sizeof(struct sctp_error_unrecognized_chunk)) {
1172 struct sctp_error_unrecognized_chunk *unrec_chunk;
1173
1174 unrec_chunk = (struct sctp_error_unrecognized_chunk *)cause;
1175 sctp_process_unrecog_chunk(stcb, unrec_chunk->ch.chunk_type);
1176 }
1177 break;
1178 case SCTP_CAUSE_UNRECOG_PARAM:
1179 /* XXX: We only consider the first parameter */
1180 if (cause_length >= sizeof(struct sctp_error_cause) + sizeof(struct sctp_paramhdr)) {
1181 struct sctp_paramhdr *unrec_parameter;
1182
1183 unrec_parameter = (struct sctp_paramhdr *)(cause + 1);
1184 sctp_process_unrecog_param(stcb, ntohs(unrec_parameter->param_type));
1185 }
1186 break;
1187 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
1188 /*
1189 * We ignore this since the timer will drive out a
1190 * new cookie anyway and there timer will drive us
1191 * to send a SHUTDOWN_COMPLETE. We can't send one
1192 * here since we don't have their tag.
1193 */
1194 break;
1195 case SCTP_CAUSE_DELETING_LAST_ADDR:
1196 case SCTP_CAUSE_RESOURCE_SHORTAGE:
1197 case SCTP_CAUSE_DELETING_SRC_ADDR:
1198 /*
1199 * We should NOT get these here, but in a
1200 * ASCONF-ACK.
1201 */
1202 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a error cause with code %u.\n",
1203 cause_code);
1204 break;
1205 case SCTP_CAUSE_OUT_OF_RESC:
1206 /*
1207 * And what, pray tell do we do with the fact that
1208 * the peer is out of resources? Not really sure we
1209 * could do anything but abort. I suspect this
1210 * should have came WITH an abort instead of in a
1211 * OP-ERROR.
1212 */
1213 break;
1214 default:
1215 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown code 0x%x\n",
1216 cause_code);
1217 break;
1218 }
1219 adjust = SCTP_SIZE32(cause_length);
1220 if (remaining_length >= adjust) {
1221 remaining_length -= adjust;
1222 } else {
1223 remaining_length = 0;
1224 }
1225 cause = (struct sctp_error_cause *)((caddr_t)cause + adjust);
1226 }
1227 sctp_ulp_notify(SCTP_NOTIFY_REMOTE_ERROR, stcb, code, ch, SCTP_SO_NOT_LOCKED);
1228 return (0);
1229 }
1230
1231 static int
1232 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
1233 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
1234 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
1235 struct sctp_nets *net, int *abort_no_unlock,
1236 uint8_t mflowtype, uint32_t mflowid,
1237 uint32_t vrf_id)
1238 {
1239 struct sctp_init_ack *init_ack;
1240 struct mbuf *op_err;
1241
1242 SCTPDBG(SCTP_DEBUG_INPUT2,
1243 "sctp_handle_init_ack: handling INIT-ACK\n");
1244
1245 if (stcb == NULL) {
1246 SCTPDBG(SCTP_DEBUG_INPUT2,
1247 "sctp_handle_init_ack: TCB is null\n");
1248 return (-1);
1249 }
1250 /* Only process the INIT-ACK chunk in COOKIE WAIT state. */
1251 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) {
1252 init_ack = &cp->init;
1253 /* Validate parameters. */
1254 if ((ntohl(init_ack->initiate_tag) == 0) ||
1255 (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) ||
1256 (ntohs(init_ack->num_inbound_streams) == 0) ||
1257 (ntohs(init_ack->num_outbound_streams) == 0)) {
1258 /* One of the mandatory parameters is illegal. */
1259 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1260 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1261 src, dst, sh, op_err,
1262 mflowtype, mflowid,
1263 vrf_id, net->port);
1264 *abort_no_unlock = 1;
1265 return (-1);
1266 }
1267 if (stcb->asoc.primary_destination->dest_state &
1268 SCTP_ADDR_UNCONFIRMED) {
1269 /*
1270 * The primary is where we sent the INIT, we can
1271 * always consider it confirmed when the INIT-ACK is
1272 * returned. Do this before we load addresses
1273 * though.
1274 */
1275 stcb->asoc.primary_destination->dest_state &=
1276 ~SCTP_ADDR_UNCONFIRMED;
1277 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
1278 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED);
1279 }
1280 if (sctp_process_init_ack(m, iphlen, offset, src, dst, sh, cp, stcb,
1281 net, abort_no_unlock,
1282 mflowtype, mflowid,
1283 vrf_id) < 0) {
1284 /* error in parsing parameters */
1285 return (-1);
1286 }
1287 /* Update our state. */
1288 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n");
1289 SCTP_SET_STATE(stcb, SCTP_STATE_COOKIE_ECHOED);
1290
1291 /* Reset the RTO calculation. */
1292 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
1293 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
1294 stcb->asoc.overall_error_count,
1295 0,
1296 SCTP_FROM_SCTP_INPUT,
1297 __LINE__);
1298 }
1299 stcb->asoc.overall_error_count = 0;
1300 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
1301 /*
1302 * Collapse the init timer back in case of a exponential
1303 * backoff.
1304 */
1305 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
1306 stcb, net);
1307 /*
1308 * The output routine at the end of the inbound data
1309 * processing will cause the cookie to be sent.
1310 */
1311 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
1312 return (0);
1313 } else {
1314 return (-1);
1315 }
1316 }
1317
1318 static struct sctp_tcb *
1319 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1320 struct sockaddr *src, struct sockaddr *dst,
1321 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1322 struct sctp_inpcb *inp, struct sctp_nets **netp,
1323 struct sockaddr *init_src, int *notification,
1324 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1325 uint8_t mflowtype, uint32_t mflowid,
1326 uint32_t vrf_id, uint16_t port);
1327
1328 /*
1329 * handle a state cookie for an existing association m: input packet mbuf
1330 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a
1331 * "split" mbuf and the cookie signature does not exist offset: offset into
1332 * mbuf to the cookie-echo chunk
1333 */
1334 static struct sctp_tcb *
1335 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
1336 struct sockaddr *src, struct sockaddr *dst,
1337 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1338 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp,
1339 struct sockaddr *init_src, int *notification,
1340 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1341 uint8_t mflowtype, uint32_t mflowid,
1342 uint32_t vrf_id, uint16_t port)
1343 {
1344 struct sctp_association *asoc;
1345 struct sctp_init_chunk *init_cp, init_buf;
1346 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1347 struct sctp_asconf_addr *aparam, *naparam;
1348 struct sctp_asconf_ack *aack, *naack;
1349 struct sctp_tmit_chunk *chk, *nchk;
1350 struct sctp_stream_reset_list *strrst, *nstrrst;
1351 struct sctp_queued_to_read *sq, *nsq;
1352 struct sctp_nets *net;
1353 struct mbuf *op_err;
1354 struct timeval old;
1355 int init_offset, initack_offset, i;
1356 int retval;
1357 int spec_flag = 0;
1358 uint32_t how_indx;
1359 #if defined(SCTP_DETAILED_STR_STATS)
1360 int j;
1361 #endif
1362
1363 net = *netp;
1364 /* I know that the TCB is non-NULL from the caller */
1365 asoc = &stcb->asoc;
1366 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) {
1367 if (asoc->cookie_how[how_indx] == 0)
1368 break;
1369 }
1370 if (how_indx < sizeof(asoc->cookie_how)) {
1371 asoc->cookie_how[how_indx] = 1;
1372 }
1373 if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
1374 /* SHUTDOWN came in after sending INIT-ACK */
1375 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
1376 op_err = sctp_generate_cause(SCTP_CAUSE_COOKIE_IN_SHUTDOWN, "");
1377 sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err,
1378 mflowtype, mflowid, inp->fibnum,
1379 vrf_id, net->port);
1380 if (how_indx < sizeof(asoc->cookie_how))
1381 asoc->cookie_how[how_indx] = 2;
1382 SCTP_TCB_UNLOCK(stcb);
1383 return (NULL);
1384 }
1385 /*
1386 * find and validate the INIT chunk in the cookie (peer's info) the
1387 * INIT should start after the cookie-echo header struct (chunk
1388 * header, state cookie header struct)
1389 */
1390 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
1391
1392 init_cp = (struct sctp_init_chunk *)
1393 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1394 (uint8_t *)&init_buf);
1395 if (init_cp == NULL) {
1396 /* could not pull a INIT chunk in cookie */
1397 SCTP_TCB_UNLOCK(stcb);
1398 return (NULL);
1399 }
1400 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1401 SCTP_TCB_UNLOCK(stcb);
1402 return (NULL);
1403 }
1404 /*
1405 * find and validate the INIT-ACK chunk in the cookie (my info) the
1406 * INIT-ACK follows the INIT chunk
1407 */
1408 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length));
1409 initack_cp = (struct sctp_init_ack_chunk *)
1410 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1411 (uint8_t *)&initack_buf);
1412 if (initack_cp == NULL) {
1413 /* could not pull INIT-ACK chunk in cookie */
1414 SCTP_TCB_UNLOCK(stcb);
1415 return (NULL);
1416 }
1417 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1418 SCTP_TCB_UNLOCK(stcb);
1419 return (NULL);
1420 }
1421 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1422 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
1423 /*
1424 * case D in Section 5.2.4 Table 2: MMAA process accordingly
1425 * to get into the OPEN state
1426 */
1427 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1428 /*-
1429 * Opps, this means that we somehow generated two vtag's
1430 * the same. I.e. we did:
1431 * Us Peer
1432 * <---INIT(tag=a)------
1433 * ----INIT-ACK(tag=t)-->
1434 * ----INIT(tag=t)------> *1
1435 * <---INIT-ACK(tag=a)---
1436 * <----CE(tag=t)------------- *2
1437 *
1438 * At point *1 we should be generating a different
1439 * tag t'. Which means we would throw away the CE and send
1440 * ours instead. Basically this is case C (throw away side).
1441 */
1442 if (how_indx < sizeof(asoc->cookie_how))
1443 asoc->cookie_how[how_indx] = 17;
1444 SCTP_TCB_UNLOCK(stcb);
1445 return (NULL);
1446 }
1447 switch (SCTP_GET_STATE(stcb)) {
1448 case SCTP_STATE_COOKIE_WAIT:
1449 case SCTP_STATE_COOKIE_ECHOED:
1450 /*
1451 * INIT was sent but got a COOKIE_ECHO with the
1452 * correct tags... just accept it...but we must
1453 * process the init so that we can make sure we have
1454 * the right seq no's.
1455 */
1456 /* First we must process the INIT !! */
1457 if (sctp_process_init(init_cp, stcb) < 0) {
1458 if (how_indx < sizeof(asoc->cookie_how))
1459 asoc->cookie_how[how_indx] = 3;
1460 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
1461 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n");
1462 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1463 src, dst, sh, op_err,
1464 mflowtype, mflowid,
1465 vrf_id, net->port);
1466 return (NULL);
1467 }
1468 /* we have already processed the INIT so no problem */
1469 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp,
1470 stcb, net,
1471 SCTP_FROM_SCTP_INPUT + SCTP_LOC_13);
1472 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp,
1473 stcb, net,
1474 SCTP_FROM_SCTP_INPUT + SCTP_LOC_14);
1475 /* update current state */
1476 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)
1477 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1478 else
1479 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1480
1481 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
1482 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1483 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1484 stcb->sctp_ep, stcb, NULL);
1485 }
1486 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1487 sctp_stop_all_cookie_timers(stcb);
1488 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1489 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1490 (!SCTP_IS_LISTENING(inp))) {
1491 /*
1492 * Here is where collision would go if we
1493 * did a connect() and instead got a
1494 * init/init-ack/cookie done before the
1495 * init-ack came back..
1496 */
1497 sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
1498 soisconnected(stcb->sctp_socket);
1499 }
1500 /* notify upper layer */
1501 *notification = SCTP_NOTIFY_ASSOC_UP;
1502 /*
1503 * since we did not send a HB make sure we don't
1504 * double things
1505 */
1506 old.tv_sec = cookie->time_entered.tv_sec;
1507 old.tv_usec = cookie->time_entered.tv_usec;
1508 net->hb_responded = 1;
1509 sctp_calculate_rto(stcb, asoc, net, &old,
1510 SCTP_RTT_FROM_NON_DATA);
1511
1512 if (stcb->asoc.sctp_autoclose_ticks &&
1513 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) {
1514 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
1515 inp, stcb, NULL);
1516 }
1517 break;
1518 default:
1519 /*
1520 * we're in the OPEN state (or beyond), so peer must
1521 * have simply lost the COOKIE-ACK
1522 */
1523 break;
1524 } /* end switch */
1525 sctp_stop_all_cookie_timers(stcb);
1526 if ((retval = sctp_load_addresses_from_init(stcb, m,
1527 init_offset + sizeof(struct sctp_init_chunk),
1528 initack_offset, src, dst, init_src, stcb->asoc.port)) < 0) {
1529 if (how_indx < sizeof(asoc->cookie_how))
1530 asoc->cookie_how[how_indx] = 4;
1531 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
1532 "Problem with address parameters");
1533 SCTPDBG(SCTP_DEBUG_INPUT1,
1534 "Load addresses from INIT causes an abort %d\n",
1535 retval);
1536 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1537 src, dst, sh, op_err,
1538 mflowtype, mflowid,
1539 vrf_id, net->port);
1540 return (NULL);
1541 }
1542 /* respond with a COOKIE-ACK */
1543 sctp_toss_old_cookies(stcb, asoc);
1544 sctp_send_cookie_ack(stcb);
1545 if (how_indx < sizeof(asoc->cookie_how))
1546 asoc->cookie_how[how_indx] = 5;
1547 return (stcb);
1548 }
1549
1550 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1551 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
1552 cookie->tie_tag_my_vtag == 0 &&
1553 cookie->tie_tag_peer_vtag == 0) {
1554 /*
1555 * case C in Section 5.2.4 Table 2: XMOO silently discard
1556 */
1557 if (how_indx < sizeof(asoc->cookie_how))
1558 asoc->cookie_how[how_indx] = 6;
1559 SCTP_TCB_UNLOCK(stcb);
1560 return (NULL);
1561 }
1562 /*
1563 * If nat support, and the below and stcb is established, send back
1564 * a ABORT(colliding state) if we are established.
1565 */
1566 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) &&
1567 (asoc->peer_supports_nat) &&
1568 ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1569 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
1570 (asoc->peer_vtag == 0)))) {
1571 /*
1572 * Special case - Peer's support nat. We may have two init's
1573 * that we gave out the same tag on since one was not
1574 * established.. i.e. we get INIT from host-1 behind the nat
1575 * and we respond tag-a, we get a INIT from host-2 behind
1576 * the nat and we get tag-a again. Then we bring up host-1
1577 * (or 2's) assoc, Then comes the cookie from hsot-2 (or 1).
1578 * Now we have colliding state. We must send an abort here
1579 * with colliding state indication.
1580 */
1581 op_err = sctp_generate_cause(SCTP_CAUSE_NAT_COLLIDING_STATE, "");
1582 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err,
1583 mflowtype, mflowid, inp->fibnum,
1584 vrf_id, port);
1585 SCTP_TCB_UNLOCK(stcb);
1586 return (NULL);
1587 }
1588 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1589 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
1590 (asoc->peer_vtag == 0))) {
1591 /*
1592 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info
1593 * should be ok, re-accept peer info
1594 */
1595 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1596 /*
1597 * Extension of case C. If we hit this, then the
1598 * random number generator returned the same vtag
1599 * when we first sent our INIT-ACK and when we later
1600 * sent our INIT. The side with the seq numbers that
1601 * are different will be the one that normally would
1602 * have hit case C. This in effect "extends" our
1603 * vtags in this collision case to be 64 bits. The
1604 * same collision could occur aka you get both vtag
1605 * and seq number the same twice in a row.. but is
1606 * much less likely. If it did happen then we would
1607 * proceed through and bring up the assoc.. we may
1608 * end up with the wrong stream setup however..
1609 * which would be bad.. but there is no way to
1610 * tell.. until we send on a stream that does not
1611 * exist :-)
1612 */
1613 if (how_indx < sizeof(asoc->cookie_how))
1614 asoc->cookie_how[how_indx] = 7;
1615
1616 SCTP_TCB_UNLOCK(stcb);
1617 return (NULL);
1618 }
1619 if (how_indx < sizeof(asoc->cookie_how))
1620 asoc->cookie_how[how_indx] = 8;
1621 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net,
1622 SCTP_FROM_SCTP_INPUT + SCTP_LOC_15);
1623 sctp_stop_all_cookie_timers(stcb);
1624 /*
1625 * since we did not send a HB make sure we don't double
1626 * things
1627 */
1628 net->hb_responded = 1;
1629 if (stcb->asoc.sctp_autoclose_ticks &&
1630 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
1631 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
1632 NULL);
1633 }
1634 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1635 if (asoc->pre_open_streams < asoc->streamoutcnt) {
1636 asoc->pre_open_streams = asoc->streamoutcnt;
1637 }
1638
1639 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
1640 /*
1641 * Ok the peer probably discarded our data (if we
1642 * echoed a cookie+data). So anything on the
1643 * sent_queue should be marked for retransmit, we
1644 * may not get something to kick us so it COULD
1645 * still take a timeout to move these.. but it can't
1646 * hurt to mark them.
1647 */
1648
1649 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
1650 if (chk->sent < SCTP_DATAGRAM_RESEND) {
1651 chk->sent = SCTP_DATAGRAM_RESEND;
1652 sctp_flight_size_decrease(chk);
1653 sctp_total_flight_decrease(stcb, chk);
1654 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
1655 spec_flag++;
1656 }
1657 }
1658 }
1659 /* process the INIT info (peer's info) */
1660 if (sctp_process_init(init_cp, stcb) < 0) {
1661 if (how_indx < sizeof(asoc->cookie_how))
1662 asoc->cookie_how[how_indx] = 9;
1663 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
1664 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n");
1665 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1666 src, dst, sh, op_err,
1667 mflowtype, mflowid,
1668 vrf_id, net->port);
1669 return (NULL);
1670 }
1671 if ((retval = sctp_load_addresses_from_init(stcb, m,
1672 init_offset + sizeof(struct sctp_init_chunk),
1673 initack_offset, src, dst, init_src, stcb->asoc.port)) < 0) {
1674 if (how_indx < sizeof(asoc->cookie_how))
1675 asoc->cookie_how[how_indx] = 10;
1676 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
1677 "Problem with address parameters");
1678 SCTPDBG(SCTP_DEBUG_INPUT1,
1679 "Load addresses from INIT causes an abort %d\n",
1680 retval);
1681 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1682 src, dst, sh, op_err,
1683 mflowtype, mflowid,
1684 vrf_id, net->port);
1685 return (NULL);
1686 }
1687 if ((SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_WAIT) ||
1688 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
1689 *notification = SCTP_NOTIFY_ASSOC_UP;
1690
1691 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1692 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1693 (!SCTP_IS_LISTENING(inp))) {
1694 sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
1695 soisconnected(stcb->sctp_socket);
1696 }
1697 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)
1698 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1699 else
1700 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1701 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1702 } else if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
1703 SCTP_STAT_INCR_COUNTER32(sctps_restartestab);
1704 } else {
1705 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1706 }
1707 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
1708 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1709 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1710 stcb->sctp_ep, stcb, NULL);
1711 }
1712 sctp_stop_all_cookie_timers(stcb);
1713 sctp_toss_old_cookies(stcb, asoc);
1714 sctp_send_cookie_ack(stcb);
1715 if (spec_flag) {
1716 /*
1717 * only if we have retrans set do we do this. What
1718 * this call does is get only the COOKIE-ACK out and
1719 * then when we return the normal call to
1720 * sctp_chunk_output will get the retrans out behind
1721 * this.
1722 */
1723 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED);
1724 }
1725 if (how_indx < sizeof(asoc->cookie_how))
1726 asoc->cookie_how[how_indx] = 11;
1727
1728 return (stcb);
1729 }
1730 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1731 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
1732 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
1733 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
1734 cookie->tie_tag_peer_vtag != 0) {
1735 struct sctpasochead *head;
1736
1737 if (asoc->peer_supports_nat) {
1738 struct sctp_tcb *local_stcb;
1739
1740 /*
1741 * This is a gross gross hack. Just call the
1742 * cookie_new code since we are allowing a duplicate
1743 * association. I hope this works...
1744 */
1745 local_stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst,
1746 sh, cookie, cookie_len,
1747 inp, netp, init_src, notification,
1748 auth_skipped, auth_offset, auth_len,
1749 mflowtype, mflowid,
1750 vrf_id, port);
1751 if (local_stcb == NULL) {
1752 SCTP_TCB_UNLOCK(stcb);
1753 }
1754 return (local_stcb);
1755 }
1756 /*
1757 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
1758 */
1759 /* temp code */
1760 if (how_indx < sizeof(asoc->cookie_how))
1761 asoc->cookie_how[how_indx] = 12;
1762 sctp_stop_association_timers(stcb, false);
1763 /* notify upper layer */
1764 *notification = SCTP_NOTIFY_ASSOC_RESTART;
1765 atomic_add_int(&stcb->asoc.refcnt, 1);
1766 if ((SCTP_GET_STATE(stcb) != SCTP_STATE_OPEN) &&
1767 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
1768 (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT)) {
1769 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1770 }
1771 if (SCTP_GET_STATE(stcb) == SCTP_STATE_OPEN) {
1772 SCTP_STAT_INCR_GAUGE32(sctps_restartestab);
1773 } else if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) {
1774 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab);
1775 }
1776 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1777 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
1778 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1779 stcb->sctp_ep, stcb, NULL);
1780
1781 } else if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_SENT) {
1782 /* move to OPEN state, if not in SHUTDOWN_SENT */
1783 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
1784 }
1785 if (asoc->pre_open_streams < asoc->streamoutcnt) {
1786 asoc->pre_open_streams = asoc->streamoutcnt;
1787 }
1788 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1789 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1790 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
1791 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1792 asoc->str_reset_seq_in = asoc->init_seq_number;
1793 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1794 asoc->send_sack = 1;
1795 asoc->data_pkts_seen = 0;
1796 asoc->last_data_chunk_from = NULL;
1797 asoc->last_control_chunk_from = NULL;
1798 asoc->last_net_cmt_send_started = NULL;
1799 if (asoc->mapping_array) {
1800 memset(asoc->mapping_array, 0,
1801 asoc->mapping_array_size);
1802 }
1803 if (asoc->nr_mapping_array) {
1804 memset(asoc->nr_mapping_array, 0,
1805 asoc->mapping_array_size);
1806 }
1807 SCTP_TCB_UNLOCK(stcb);
1808 SCTP_INP_INFO_WLOCK();
1809 SCTP_INP_WLOCK(stcb->sctp_ep);
1810 SCTP_TCB_LOCK(stcb);
1811 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1812 /* send up all the data */
1813 sctp_report_all_outbound(stcb, 0, SCTP_SO_LOCKED);
1814 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
1815 stcb->asoc.strmout[i].chunks_on_queues = 0;
1816 #if defined(SCTP_DETAILED_STR_STATS)
1817 for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
1818 asoc->strmout[i].abandoned_sent[j] = 0;
1819 asoc->strmout[i].abandoned_unsent[j] = 0;
1820 }
1821 #else
1822 asoc->strmout[i].abandoned_sent[0] = 0;
1823 asoc->strmout[i].abandoned_unsent[0] = 0;
1824 #endif
1825 stcb->asoc.strmout[i].next_mid_ordered = 0;
1826 stcb->asoc.strmout[i].next_mid_unordered = 0;
1827 stcb->asoc.strmout[i].sid = i;
1828 stcb->asoc.strmout[i].last_msg_incomplete = 0;
1829 }
1830 TAILQ_FOREACH_SAFE(strrst, &asoc->resetHead, next_resp, nstrrst) {
1831 TAILQ_REMOVE(&asoc->resetHead, strrst, next_resp);
1832 SCTP_FREE(strrst, SCTP_M_STRESET);
1833 }
1834 TAILQ_FOREACH_SAFE(sq, &asoc->pending_reply_queue, next, nsq) {
1835 TAILQ_REMOVE(&asoc->pending_reply_queue, sq, next);
1836 if (sq->data) {
1837 sctp_m_freem(sq->data);
1838 sq->data = NULL;
1839 }
1840 sctp_free_remote_addr(sq->whoFrom);
1841 sq->whoFrom = NULL;
1842 sq->stcb = NULL;
1843 sctp_free_a_readq(stcb, sq);
1844 }
1845 TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
1846 TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
1847 if (chk->data) {
1848 sctp_m_freem(chk->data);
1849 chk->data = NULL;
1850 }
1851 if (chk->holds_key_ref)
1852 sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
1853 sctp_free_remote_addr(chk->whoTo);
1854 SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
1855 SCTP_DECR_CHK_COUNT();
1856 }
1857 asoc->ctrl_queue_cnt = 0;
1858 asoc->str_reset = NULL;
1859 asoc->stream_reset_outstanding = 0;
1860 TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
1861 TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
1862 if (chk->data) {
1863 sctp_m_freem(chk->data);
1864 chk->data = NULL;
1865 }
1866 if (chk->holds_key_ref)
1867 sctp_auth_key_release(stcb, chk->auth_keyid, SCTP_SO_LOCKED);
1868 sctp_free_remote_addr(chk->whoTo);
1869 SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_chunk), chk);
1870 SCTP_DECR_CHK_COUNT();
1871 }
1872 TAILQ_FOREACH_SAFE(aparam, &asoc->asconf_queue, next, naparam) {
1873 TAILQ_REMOVE(&asoc->asconf_queue, aparam, next);
1874 SCTP_FREE(aparam, SCTP_M_ASC_ADDR);
1875 }
1876 TAILQ_FOREACH_SAFE(aack, &asoc->asconf_ack_sent, next, naack) {
1877 TAILQ_REMOVE(&asoc->asconf_ack_sent, aack, next);
1878 if (aack->data != NULL) {
1879 sctp_m_freem(aack->data);
1880 }
1881 SCTP_ZONE_FREE(SCTP_BASE_INFO(ipi_zone_asconf_ack), aack);
1882 }
1883
1884 /* process the INIT-ACK info (my info) */
1885 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1886 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1887
1888 /* pull from vtag hash */
1889 LIST_REMOVE(stcb, sctp_asocs);
1890 /* re-insert to new vtag position */
1891 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag,
1892 SCTP_BASE_INFO(hashasocmark))];
1893 /*
1894 * put it in the bucket in the vtag hash of assoc's for the
1895 * system
1896 */
1897 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
1898
1899 SCTP_INP_WUNLOCK(stcb->sctp_ep);
1900 SCTP_INP_INFO_WUNLOCK();
1901 asoc->total_flight = 0;
1902 asoc->total_flight_count = 0;
1903 /* process the INIT info (peer's info) */
1904 if (sctp_process_init(init_cp, stcb) < 0) {
1905 if (how_indx < sizeof(asoc->cookie_how))
1906 asoc->cookie_how[how_indx] = 13;
1907 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
1908 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_init() failed\n");
1909 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1910 src, dst, sh, op_err,
1911 mflowtype, mflowid,
1912 vrf_id, net->port);
1913 return (NULL);
1914 }
1915 /*
1916 * since we did not send a HB make sure we don't double
1917 * things
1918 */
1919 net->hb_responded = 1;
1920
1921 if ((retval = sctp_load_addresses_from_init(stcb, m,
1922 init_offset + sizeof(struct sctp_init_chunk),
1923 initack_offset, src, dst, init_src, stcb->asoc.port)) < 0) {
1924 if (how_indx < sizeof(asoc->cookie_how))
1925 asoc->cookie_how[how_indx] = 14;
1926 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
1927 "Problem with address parameters");
1928 SCTPDBG(SCTP_DEBUG_INPUT1,
1929 "Load addresses from INIT causes an abort %d\n",
1930 retval);
1931 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1932 src, dst, sh, op_err,
1933 mflowtype, mflowid,
1934 vrf_id, net->port);
1935 return (NULL);
1936 }
1937 /* respond with a COOKIE-ACK */
1938 sctp_send_cookie_ack(stcb);
1939 if (how_indx < sizeof(asoc->cookie_how))
1940 asoc->cookie_how[how_indx] = 15;
1941 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE) &&
1942 (asoc->sctp_autoclose_ticks > 0)) {
1943 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
1944 }
1945 return (stcb);
1946 }
1947 if (how_indx < sizeof(asoc->cookie_how))
1948 asoc->cookie_how[how_indx] = 16;
1949 /* all other cases... */
1950 SCTP_TCB_UNLOCK(stcb);
1951 return (NULL);
1952 }
1953
1954 /*
1955 * handle a state cookie for a new association m: input packet mbuf chain--
1956 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf
1957 * and the cookie signature does not exist offset: offset into mbuf to the
1958 * cookie-echo chunk length: length of the cookie chunk to: where the init
1959 * was from returns a new TCB
1960 */
1961 static struct sctp_tcb *
1962 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1963 struct sockaddr *src, struct sockaddr *dst,
1964 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1965 struct sctp_inpcb *inp, struct sctp_nets **netp,
1966 struct sockaddr *init_src, int *notification,
1967 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1968 uint8_t mflowtype, uint32_t mflowid,
1969 uint32_t vrf_id, uint16_t port)
1970 {
1971 struct sctp_tcb *stcb;
1972 struct sctp_init_chunk *init_cp, init_buf;
1973 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1974 union sctp_sockstore store;
1975 struct sctp_association *asoc;
1976 int init_offset, initack_offset, initack_limit;
1977 int error = 0;
1978 uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
1979
1980 /*
1981 * find and validate the INIT chunk in the cookie (peer's info) the
1982 * INIT should start after the cookie-echo header struct (chunk
1983 * header, state cookie header struct)
1984 */
1985 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
1986 init_cp = (struct sctp_init_chunk *)
1987 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1988 (uint8_t *)&init_buf);
1989 if (init_cp == NULL) {
1990 /* could not pull a INIT chunk in cookie */
1991 SCTPDBG(SCTP_DEBUG_INPUT1,
1992 "process_cookie_new: could not pull INIT chunk hdr\n");
1993 return (NULL);
1994 }
1995 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1996 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n");
1997 return (NULL);
1998 }
1999 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length));
2000 /*
2001 * find and validate the INIT-ACK chunk in the cookie (my info) the
2002 * INIT-ACK follows the INIT chunk
2003 */
2004 initack_cp = (struct sctp_init_ack_chunk *)
2005 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
2006 (uint8_t *)&initack_buf);
2007 if (initack_cp == NULL) {
2008 /* could not pull INIT-ACK chunk in cookie */
2009 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n");
2010 return (NULL);
2011 }
2012 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
2013 return (NULL);
2014 }
2015 /*
2016 * NOTE: We can't use the INIT_ACK's chk_length to determine the
2017 * "initack_limit" value. This is because the chk_length field
2018 * includes the length of the cookie, but the cookie is omitted when
2019 * the INIT and INIT_ACK are tacked onto the cookie...
2020 */
2021 initack_limit = offset + cookie_len;
2022
2023 /*
2024 * now that we know the INIT/INIT-ACK are in place, create a new TCB
2025 * and populate
2026 */
2027
2028 /*
2029 * Here we do a trick, we set in NULL for the proc/thread argument.
2030 * We do this since in effect we only use the p argument when the
2031 * socket is unbound and we must do an implicit bind. Since we are
2032 * getting a cookie, we cannot be unbound.
2033 */
2034 stcb = sctp_aloc_assoc(inp, init_src, &error,
2035 ntohl(initack_cp->init.initiate_tag),
2036 ntohl(initack_cp->init.initial_tsn), vrf_id,
2037 ntohs(initack_cp->init.num_outbound_streams),
2038 port,
2039 (struct thread *)NULL,
2040 SCTP_DONT_INITIALIZE_AUTH_PARAMS);
2041 if (stcb == NULL) {
2042 struct mbuf *op_err;
2043
2044 /* memory problem? */
2045 SCTPDBG(SCTP_DEBUG_INPUT1,
2046 "process_cookie_new: no room for another TCB!\n");
2047 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
2048 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
2049 src, dst, sh, op_err,
2050 mflowtype, mflowid,
2051 vrf_id, port);
2052 return (NULL);
2053 }
2054 asoc = &stcb->asoc;
2055 /* get scope variables out of cookie */
2056 asoc->scope.ipv4_local_scope = cookie->ipv4_scope;
2057 asoc->scope.site_scope = cookie->site_scope;
2058 asoc->scope.local_scope = cookie->local_scope;
2059 asoc->scope.loopback_scope = cookie->loopback_scope;
2060
2061 if ((asoc->scope.ipv4_addr_legal != cookie->ipv4_addr_legal) ||
2062 (asoc->scope.ipv6_addr_legal != cookie->ipv6_addr_legal)) {
2063 struct mbuf *op_err;
2064
2065 /*
2066 * Houston we have a problem. The EP changed while the
2067 * cookie was in flight. Only recourse is to abort the
2068 * association.
2069 */
2070 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
2071 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
2072 src, dst, sh, op_err,
2073 mflowtype, mflowid,
2074 vrf_id, port);
2075 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2076 SCTP_FROM_SCTP_INPUT + SCTP_LOC_18);
2077 return (NULL);
2078 }
2079 /* process the INIT-ACK info (my info) */
2080 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
2081
2082 /* process the INIT info (peer's info) */
2083 if (sctp_process_init(init_cp, stcb) < 0) {
2084 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2085 SCTP_FROM_SCTP_INPUT + SCTP_LOC_19);
2086 return (NULL);
2087 }
2088 /* load all addresses */
2089 if (sctp_load_addresses_from_init(stcb, m,
2090 init_offset + sizeof(struct sctp_init_chunk),
2091 initack_offset, src, dst, init_src, port) < 0) {
2092 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2093 SCTP_FROM_SCTP_INPUT + SCTP_LOC_20);
2094 return (NULL);
2095 }
2096 /*
2097 * verify any preceding AUTH chunk that was skipped
2098 */
2099 /* pull the local authentication parameters from the cookie/init-ack */
2100 sctp_auth_get_cookie_params(stcb, m,
2101 initack_offset + sizeof(struct sctp_init_ack_chunk),
2102 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)));
2103 if (auth_skipped) {
2104 struct sctp_auth_chunk *auth;
2105
2106 if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
2107 auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
2108 } else {
2109 auth = NULL;
2110 }
2111 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
2112 /* auth HMAC failed, dump the assoc and packet */
2113 SCTPDBG(SCTP_DEBUG_AUTH1,
2114 "COOKIE-ECHO: AUTH failed\n");
2115 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2116 SCTP_FROM_SCTP_INPUT + SCTP_LOC_21);
2117 return (NULL);
2118 } else {
2119 /* remaining chunks checked... good to go */
2120 stcb->asoc.authenticated = 1;
2121 }
2122 }
2123
2124 /*
2125 * if we're doing ASCONFs, check to see if we have any new local
2126 * addresses that need to get added to the peer (eg. addresses
2127 * changed while cookie echo in flight). This needs to be done
2128 * after we go to the OPEN state to do the correct asconf
2129 * processing. else, make sure we have the correct addresses in our
2130 * lists
2131 */
2132
2133 /* warning, we re-use sin, sin6, sa_store here! */
2134 /* pull in local_address (our "from" address) */
2135 switch (cookie->laddr_type) {
2136 #ifdef INET
2137 case SCTP_IPV4_ADDRESS:
2138 /* source addr is IPv4 */
2139 memset(&store.sin, 0, sizeof(struct sockaddr_in));
2140 store.sin.sin_family = AF_INET;
2141 store.sin.sin_len = sizeof(struct sockaddr_in);
2142 store.sin.sin_addr.s_addr = cookie->laddress[0];
2143 break;
2144 #endif
2145 #ifdef INET6
2146 case SCTP_IPV6_ADDRESS:
2147 /* source addr is IPv6 */
2148 memset(&store.sin6, 0, sizeof(struct sockaddr_in6));
2149 store.sin6.sin6_family = AF_INET6;
2150 store.sin6.sin6_len = sizeof(struct sockaddr_in6);
2151 store.sin6.sin6_scope_id = cookie->scope_id;
2152 memcpy(&store.sin6.sin6_addr, cookie->laddress, sizeof(struct in6_addr));
2153 break;
2154 #endif
2155 default:
2156 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2157 SCTP_FROM_SCTP_INPUT + SCTP_LOC_22);
2158 return (NULL);
2159 }
2160
2161 /* update current state */
2162 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
2163 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
2164 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2165 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
2166 stcb->sctp_ep, stcb, NULL);
2167 }
2168 sctp_stop_all_cookie_timers(stcb);
2169 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
2170 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
2171
2172 /* set up to notify upper layer */
2173 *notification = SCTP_NOTIFY_ASSOC_UP;
2174 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2175 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
2176 (!SCTP_IS_LISTENING(inp))) {
2177 /*
2178 * This is an endpoint that called connect() how it got a
2179 * cookie that is NEW is a bit of a mystery. It must be that
2180 * the INIT was sent, but before it got there.. a complete
2181 * INIT/INIT-ACK/COOKIE arrived. But of course then it
2182 * should have went to the other code.. not here.. oh well..
2183 * a bit of protection is worth having..
2184 *
2185 * XXXMJ unlocked
2186 */
2187 sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
2188 soisconnected(stcb->sctp_socket);
2189 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
2190 (SCTP_IS_LISTENING(inp))) {
2191 /*
2192 * We don't want to do anything with this one. Since it is
2193 * the listening guy. The timer will get started for
2194 * accepted connections in the caller.
2195 */
2196 ;
2197 }
2198 if (stcb->asoc.sctp_autoclose_ticks &&
2199 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2200 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
2201 }
2202 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
2203 *netp = sctp_findnet(stcb, init_src);
2204 if (*netp != NULL) {
2205 struct timeval old;
2206
2207 /*
2208 * Since we did not send a HB, make sure we don't double
2209 * things.
2210 */
2211 (*netp)->hb_responded = 1;
2212 /* Calculate the RTT. */
2213 old.tv_sec = cookie->time_entered.tv_sec;
2214 old.tv_usec = cookie->time_entered.tv_usec;
2215 sctp_calculate_rto(stcb, asoc, *netp, &old, SCTP_RTT_FROM_NON_DATA);
2216 }
2217 /* respond with a COOKIE-ACK */
2218 sctp_send_cookie_ack(stcb);
2219
2220 /*
2221 * check the address lists for any ASCONFs that need to be sent
2222 * AFTER the cookie-ack is sent
2223 */
2224 sctp_check_address_list(stcb, m,
2225 initack_offset + sizeof(struct sctp_init_ack_chunk),
2226 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)),
2227 &store.sa, cookie->local_scope, cookie->site_scope,
2228 cookie->ipv4_scope, cookie->loopback_scope);
2229
2230 return (stcb);
2231 }
2232
2233 /*
2234 * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e
2235 * we NEED to make sure we are not already using the vtag. If so we
2236 * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit!
2237 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag,
2238 SCTP_BASE_INFO(hashasocmark))];
2239 LIST_FOREACH(stcb, head, sctp_asocs) {
2240 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep)) {
2241 -- SEND ABORT - TRY AGAIN --
2242 }
2243 }
2244 */
2245
2246 /*
2247 * handles a COOKIE-ECHO message stcb: modified to either a new or left as
2248 * existing (non-NULL) TCB
2249 */
2250 static struct mbuf *
2251 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
2252 struct sockaddr *src, struct sockaddr *dst,
2253 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
2254 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp,
2255 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
2256 struct sctp_tcb **locked_tcb,
2257 uint8_t mflowtype, uint32_t mflowid,
2258 uint32_t vrf_id, uint16_t port)
2259 {
2260 struct sctp_state_cookie *cookie;
2261 struct sctp_tcb *l_stcb = *stcb;
2262 struct sctp_inpcb *l_inp;
2263 struct sockaddr *to;
2264 struct sctp_pcb *ep;
2265 struct mbuf *m_sig;
2266 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
2267 uint8_t *sig;
2268 uint8_t cookie_ok = 0;
2269 unsigned int sig_offset, cookie_offset;
2270 unsigned int cookie_len;
2271 struct timeval now;
2272 struct timeval time_entered, time_expires;
2273 int notification = 0;
2274 struct sctp_nets *netl;
2275 int had_a_existing_tcb = 0;
2276 int send_int_conf = 0;
2277 #ifdef INET
2278 struct sockaddr_in sin;
2279 #endif
2280 #ifdef INET6
2281 struct sockaddr_in6 sin6;
2282 #endif
2283
2284 SCTPDBG(SCTP_DEBUG_INPUT2,
2285 "sctp_handle_cookie: handling COOKIE-ECHO\n");
2286
2287 if (inp_p == NULL) {
2288 return (NULL);
2289 }
2290 cookie = &cp->cookie;
2291 cookie_offset = offset + sizeof(struct sctp_chunkhdr);
2292 cookie_len = ntohs(cp->ch.chunk_length);
2293
2294 if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
2295 sizeof(struct sctp_init_chunk) +
2296 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
2297 /* cookie too small */
2298 return (NULL);
2299 }
2300 if ((cookie->peerport != sh->src_port) ||
2301 (cookie->myport != sh->dest_port) ||
2302 (cookie->my_vtag != sh->v_tag)) {
2303 /*
2304 * invalid ports or bad tag. Note that we always leave the
2305 * v_tag in the header in network order and when we stored
2306 * it in the my_vtag slot we also left it in network order.
2307 * This maintains the match even though it may be in the
2308 * opposite byte order of the machine :->
2309 */
2310 return (NULL);
2311 }
2312 /*
2313 * split off the signature into its own mbuf (since it should not be
2314 * calculated in the sctp_hmac_m() call).
2315 */
2316 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
2317 m_sig = m_split(m, sig_offset, M_NOWAIT);
2318 if (m_sig == NULL) {
2319 /* out of memory or ?? */
2320 return (NULL);
2321 }
2322 #ifdef SCTP_MBUF_LOGGING
2323 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
2324 sctp_log_mbc(m_sig, SCTP_MBUF_SPLIT);
2325 }
2326 #endif
2327
2328 /*
2329 * compute the signature/digest for the cookie
2330 */
2331 if (l_stcb != NULL) {
2332 atomic_add_int(&l_stcb->asoc.refcnt, 1);
2333 SCTP_TCB_UNLOCK(l_stcb);
2334 }
2335 l_inp = *inp_p;
2336 SCTP_INP_RLOCK(l_inp);
2337 if (l_stcb != NULL) {
2338 SCTP_TCB_LOCK(l_stcb);
2339 atomic_subtract_int(&l_stcb->asoc.refcnt, 1);
2340 }
2341 if (l_inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE | SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
2342 SCTP_INP_RUNLOCK(l_inp);
2343 sctp_m_freem(m_sig);
2344 return (NULL);
2345 }
2346 ep = &(*inp_p)->sctp_ep;
2347 /* which cookie is it? */
2348 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
2349 (ep->current_secret_number != ep->last_secret_number)) {
2350 /* it's the old cookie */
2351 (void)sctp_hmac_m(SCTP_HMAC,
2352 (uint8_t *)ep->secret_key[(int)ep->last_secret_number],
2353 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2354 } else {
2355 /* it's the current cookie */
2356 (void)sctp_hmac_m(SCTP_HMAC,
2357 (uint8_t *)ep->secret_key[(int)ep->current_secret_number],
2358 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2359 }
2360 /* get the signature */
2361 SCTP_INP_RUNLOCK(l_inp);
2362 sig = (uint8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *)&tmp_sig);
2363 if (sig == NULL) {
2364 /* couldn't find signature */
2365 sctp_m_freem(m_sig);
2366 return (NULL);
2367 }
2368 /* compare the received digest with the computed digest */
2369 if (timingsafe_bcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
2370 /* try the old cookie? */
2371 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
2372 (ep->current_secret_number != ep->last_secret_number)) {
2373 /* compute digest with old */
2374 (void)sctp_hmac_m(SCTP_HMAC,
2375 (uint8_t *)ep->secret_key[(int)ep->last_secret_number],
2376 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2377 /* compare */
2378 if (timingsafe_bcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
2379 cookie_ok = 1;
2380 }
2381 } else {
2382 cookie_ok = 1;
2383 }
2384
2385 /*
2386 * Now before we continue we must reconstruct our mbuf so that
2387 * normal processing of any other chunks will work.
2388 */
2389 {
2390 struct mbuf *m_at;
2391
2392 m_at = m;
2393 while (SCTP_BUF_NEXT(m_at) != NULL) {
2394 m_at = SCTP_BUF_NEXT(m_at);
2395 }
2396 SCTP_BUF_NEXT(m_at) = m_sig;
2397 }
2398
2399 if (cookie_ok == 0) {
2400 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n");
2401 SCTPDBG(SCTP_DEBUG_INPUT2,
2402 "offset = %u, cookie_offset = %u, sig_offset = %u\n",
2403 (uint32_t)offset, cookie_offset, sig_offset);
2404 return (NULL);
2405 }
2406
2407 if (sctp_ticks_to_msecs(cookie->cookie_life) > SCTP_MAX_COOKIE_LIFE) {
2408 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: Invalid cookie lifetime\n");
2409 return (NULL);
2410 }
2411 time_entered.tv_sec = cookie->time_entered.tv_sec;
2412 time_entered.tv_usec = cookie->time_entered.tv_usec;
2413 if ((time_entered.tv_sec < 0) ||
2414 (time_entered.tv_usec < 0) ||
2415 (time_entered.tv_usec >= 1000000)) {
2416 /* Invalid time stamp. Cookie must have been modified. */
2417 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: Invalid time stamp\n");
2418 return (NULL);
2419 }
2420 (void)SCTP_GETTIME_TIMEVAL(&now);
2421 if (timevalcmp(&now, &time_entered, <)) {
2422 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie generated in the future!\n");
2423 return (NULL);
2424 }
2425 /*
2426 * Check the cookie timestamps to be sure it's not stale.
2427 * cookie_life is in ticks, so we convert to seconds.
2428 */
2429 time_expires.tv_sec = time_entered.tv_sec + sctp_ticks_to_secs(cookie->cookie_life);
2430 time_expires.tv_usec = time_entered.tv_usec;
2431 if (timevalcmp(&now, &time_expires, >)) {
2432 /* cookie is stale! */
2433 struct mbuf *op_err;
2434 struct sctp_error_stale_cookie *cause;
2435 struct timeval diff;
2436 uint32_t staleness;
2437
2438 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_error_stale_cookie),
2439 0, M_NOWAIT, 1, MT_DATA);
2440 if (op_err == NULL) {
2441 /* FOOBAR */
2442 return (NULL);
2443 }
2444 /* Set the len */
2445 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_error_stale_cookie);
2446 cause = mtod(op_err, struct sctp_error_stale_cookie *);
2447 cause->cause.code = htons(SCTP_CAUSE_STALE_COOKIE);
2448 cause->cause.length = htons(sizeof(struct sctp_error_stale_cookie));
2449 diff = now;
2450 timevalsub(&diff, &time_expires);
2451 if ((uint32_t)diff.tv_sec > UINT32_MAX / 1000000) {
2452 staleness = UINT32_MAX;
2453 } else {
2454 staleness = (uint32_t)diff.tv_sec * 1000000;
2455 }
2456 if (UINT32_MAX - staleness >= (uint32_t)diff.tv_usec) {
2457 staleness += (uint32_t)diff.tv_usec;
2458 } else {
2459 staleness = UINT32_MAX;
2460 }
2461 cause->stale_time = htonl(staleness);
2462 sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err,
2463 mflowtype, mflowid, l_inp->fibnum,
2464 vrf_id, port);
2465 return (NULL);
2466 }
2467 /*
2468 * Now we must see with the lookup address if we have an existing
2469 * asoc. This will only happen if we were in the COOKIE-WAIT state
2470 * and a INIT collided with us and somewhere the peer sent the
2471 * cookie on another address besides the single address our assoc
2472 * had for him. In this case we will have one of the tie-tags set at
2473 * least AND the address field in the cookie can be used to look it
2474 * up.
2475 */
2476 to = NULL;
2477 switch (cookie->addr_type) {
2478 #ifdef INET6
2479 case SCTP_IPV6_ADDRESS:
2480 memset(&sin6, 0, sizeof(sin6));
2481 sin6.sin6_family = AF_INET6;
2482 sin6.sin6_len = sizeof(sin6);
2483 sin6.sin6_port = sh->src_port;
2484 sin6.sin6_scope_id = cookie->scope_id;
2485 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
2486 sizeof(sin6.sin6_addr.s6_addr));
2487 to = (struct sockaddr *)&sin6;
2488 break;
2489 #endif
2490 #ifdef INET
2491 case SCTP_IPV4_ADDRESS:
2492 memset(&sin, 0, sizeof(sin));
2493 sin.sin_family = AF_INET;
2494 sin.sin_len = sizeof(sin);
2495 sin.sin_port = sh->src_port;
2496 sin.sin_addr.s_addr = cookie->address[0];
2497 to = (struct sockaddr *)&sin;
2498 break;
2499 #endif
2500 default:
2501 /* This should not happen */
2502 return (NULL);
2503 }
2504 if (*stcb == NULL) {
2505 /* Yep, lets check */
2506 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, dst, NULL);
2507 if (*stcb == NULL) {
2508 /*
2509 * We should have only got back the same inp. If we
2510 * got back a different ep we have a problem. The
2511 * original findep got back l_inp and now
2512 */
2513 if (l_inp != *inp_p) {
2514 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n");
2515 }
2516 } else {
2517 if (*locked_tcb == NULL) {
2518 /*
2519 * In this case we found the assoc only
2520 * after we locked the create lock. This
2521 * means we are in a colliding case and we
2522 * must make sure that we unlock the tcb if
2523 * its one of the cases where we throw away
2524 * the incoming packets.
2525 */
2526 *locked_tcb = *stcb;
2527
2528 /*
2529 * We must also increment the inp ref count
2530 * since the ref_count flags was set when we
2531 * did not find the TCB, now we found it
2532 * which reduces the refcount.. we must
2533 * raise it back out to balance it all :-)
2534 */
2535 SCTP_INP_INCR_REF((*stcb)->sctp_ep);
2536 if ((*stcb)->sctp_ep != l_inp) {
2537 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n",
2538 (void *)(*stcb)->sctp_ep, (void *)l_inp);
2539 }
2540 }
2541 }
2542 }
2543
2544 cookie_len -= SCTP_SIGNATURE_SIZE;
2545 if (*stcb == NULL) {
2546 /* this is the "normal" case... get a new TCB */
2547 *stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst, sh,
2548 cookie, cookie_len, *inp_p,
2549 netp, to, ¬ification,
2550 auth_skipped, auth_offset, auth_len,
2551 mflowtype, mflowid,
2552 vrf_id, port);
2553 } else {
2554 /* this is abnormal... cookie-echo on existing TCB */
2555 had_a_existing_tcb = 1;
2556 *stcb = sctp_process_cookie_existing(m, iphlen, offset,
2557 src, dst, sh,
2558 cookie, cookie_len, *inp_p, *stcb, netp, to,
2559 ¬ification, auth_skipped, auth_offset, auth_len,
2560 mflowtype, mflowid,
2561 vrf_id, port);
2562 if (*stcb == NULL) {
2563 *locked_tcb = NULL;
2564 }
2565 }
2566
2567 if (*stcb == NULL) {
2568 /* still no TCB... must be bad cookie-echo */
2569 return (NULL);
2570 }
2571 if (*netp != NULL) {
2572 (*netp)->flowtype = mflowtype;
2573 (*netp)->flowid = mflowid;
2574 }
2575 /*
2576 * Ok, we built an association so confirm the address we sent the
2577 * INIT-ACK to.
2578 */
2579 netl = sctp_findnet(*stcb, to);
2580 /*
2581 * This code should in theory NOT run but
2582 */
2583 if (netl == NULL) {
2584 /* TSNH! Huh, why do I need to add this address here? */
2585 if (sctp_add_remote_addr(*stcb, to, NULL, port,
2586 SCTP_DONOT_SETSCOPE, SCTP_IN_COOKIE_PROC)) {
2587 return (NULL);
2588 }
2589 netl = sctp_findnet(*stcb, to);
2590 }
2591 if (netl) {
2592 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
2593 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
2594 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
2595 netl);
2596 send_int_conf = 1;
2597 }
2598 }
2599 sctp_start_net_timers(*stcb);
2600 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
2601 if (!had_a_existing_tcb ||
2602 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
2603 /*
2604 * If we have a NEW cookie or the connect never
2605 * reached the connected state during collision we
2606 * must do the TCP accept thing.
2607 */
2608 struct socket *so, *oso;
2609 struct sctp_inpcb *inp;
2610
2611 if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
2612 /*
2613 * For a restart we will keep the same
2614 * socket, no need to do anything. I THINK!!
2615 */
2616 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2617 if (send_int_conf) {
2618 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2619 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2620 }
2621 return (m);
2622 }
2623 oso = (*inp_p)->sctp_socket;
2624 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2625 SCTP_TCB_UNLOCK((*stcb));
2626 CURVNET_SET(oso->so_vnet);
2627 so = sonewconn(oso, 0
2628 );
2629 CURVNET_RESTORE();
2630 SCTP_TCB_LOCK((*stcb));
2631 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2632
2633 if (so == NULL) {
2634 struct mbuf *op_err;
2635
2636 /* Too many sockets */
2637 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n");
2638 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
2639 sctp_abort_association(*inp_p, NULL, m, iphlen,
2640 src, dst, sh, op_err,
2641 mflowtype, mflowid,
2642 vrf_id, port);
2643 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC,
2644 SCTP_FROM_SCTP_INPUT + SCTP_LOC_23);
2645 return (NULL);
2646 }
2647 inp = (struct sctp_inpcb *)so->so_pcb;
2648 SCTP_INP_INCR_REF(inp);
2649 /*
2650 * We add the unbound flag here so that if we get an
2651 * soabort() before we get the move_pcb done, we
2652 * will properly cleanup.
2653 */
2654 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2655 SCTP_PCB_FLAGS_CONNECTED |
2656 SCTP_PCB_FLAGS_IN_TCPPOOL |
2657 SCTP_PCB_FLAGS_UNBOUND |
2658 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
2659 SCTP_PCB_FLAGS_DONT_WAKE);
2660 inp->sctp_features = (*inp_p)->sctp_features;
2661 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features;
2662 inp->sctp_socket = so;
2663 inp->sctp_frag_point = (*inp_p)->sctp_frag_point;
2664 inp->max_cwnd = (*inp_p)->max_cwnd;
2665 inp->sctp_cmt_on_off = (*inp_p)->sctp_cmt_on_off;
2666 inp->ecn_supported = (*inp_p)->ecn_supported;
2667 inp->prsctp_supported = (*inp_p)->prsctp_supported;
2668 inp->auth_supported = (*inp_p)->auth_supported;
2669 inp->asconf_supported = (*inp_p)->asconf_supported;
2670 inp->reconfig_supported = (*inp_p)->reconfig_supported;
2671 inp->nrsack_supported = (*inp_p)->nrsack_supported;
2672 inp->pktdrop_supported = (*inp_p)->pktdrop_supported;
2673 inp->partial_delivery_point = (*inp_p)->partial_delivery_point;
2674 inp->sctp_context = (*inp_p)->sctp_context;
2675 inp->local_strreset_support = (*inp_p)->local_strreset_support;
2676 inp->fibnum = (*inp_p)->fibnum;
2677 /*
2678 * copy in the authentication parameters from the
2679 * original endpoint
2680 */
2681 if (inp->sctp_ep.local_hmacs)
2682 sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
2683 inp->sctp_ep.local_hmacs =
2684 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs);
2685 if (inp->sctp_ep.local_auth_chunks)
2686 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
2687 inp->sctp_ep.local_auth_chunks =
2688 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks);
2689
2690 /*
2691 * Now we must move it from one hash table to
2692 * another and get the tcb in the right place.
2693 */
2694
2695 /*
2696 * This is where the one-2-one socket is put into
2697 * the accept state waiting for the accept!
2698 */
2699 if (*stcb) {
2700 SCTP_ADD_SUBSTATE(*stcb, SCTP_STATE_IN_ACCEPT_QUEUE);
2701 }
2702 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
2703
2704 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2705 SCTP_TCB_UNLOCK((*stcb));
2706
2707 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb,
2708 0);
2709 SCTP_TCB_LOCK((*stcb));
2710 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2711
2712 /*
2713 * now we must check to see if we were aborted while
2714 * the move was going on and the lock/unlock
2715 * happened.
2716 */
2717 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
2718 /*
2719 * yep it was, we leave the assoc attached
2720 * to the socket since the sctp_inpcb_free()
2721 * call will send an abort for us.
2722 */
2723 SCTP_INP_DECR_REF(inp);
2724 return (NULL);
2725 }
2726 SCTP_INP_DECR_REF(inp);
2727 /* Switch over to the new guy */
2728 *inp_p = inp;
2729 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2730 if (send_int_conf) {
2731 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2732 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2733 }
2734
2735 /*
2736 * Pull it from the incomplete queue and wake the
2737 * guy
2738 */
2739 soisconnected(so);
2740 return (m);
2741 }
2742 }
2743 if (notification) {
2744 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2745 }
2746 if (send_int_conf) {
2747 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2748 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2749 }
2750 return (m);
2751 }
2752
2753 static void
2754 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp SCTP_UNUSED,
2755 struct sctp_tcb *stcb, struct sctp_nets *net)
2756 {
2757 /* cp must not be used, others call this without a c-ack :-) */
2758 struct sctp_association *asoc;
2759 struct sctp_tmit_chunk *chk;
2760
2761 SCTPDBG(SCTP_DEBUG_INPUT2,
2762 "sctp_handle_cookie_ack: handling COOKIE-ACK\n");
2763 if ((stcb == NULL) || (net == NULL)) {
2764 return;
2765 }
2766
2767 asoc = &stcb->asoc;
2768 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
2769 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
2770 asoc->overall_error_count,
2771 0,
2772 SCTP_FROM_SCTP_INPUT,
2773 __LINE__);
2774 }
2775 asoc->overall_error_count = 0;
2776 sctp_stop_all_cookie_timers(stcb);
2777 /* process according to association state */
2778 if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED) {
2779 /* state change only needed when I am in right state */
2780 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
2781 SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
2782 sctp_start_net_timers(stcb);
2783 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2784 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
2785 stcb->sctp_ep, stcb, NULL);
2786 }
2787 /* update RTO */
2788 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
2789 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
2790 if (asoc->overall_error_count == 0) {
2791 sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered,
2792 SCTP_RTT_FROM_NON_DATA);
2793 }
2794 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
2795 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2796 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2797 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
2798 sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
2799 if ((stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) == 0) {
2800 soisconnected(stcb->sctp_socket);
2801 }
2802 }
2803 /*
2804 * since we did not send a HB make sure we don't double
2805 * things
2806 */
2807 net->hb_responded = 1;
2808
2809 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
2810 /*
2811 * We don't need to do the asconf thing, nor hb or
2812 * autoclose if the socket is closed.
2813 */
2814 goto closed_socket;
2815 }
2816
2817 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
2818 stcb, net);
2819
2820 if (stcb->asoc.sctp_autoclose_ticks &&
2821 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2822 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
2823 stcb->sctp_ep, stcb, NULL);
2824 }
2825 /*
2826 * send ASCONF if parameters are pending and ASCONFs are
2827 * allowed (eg. addresses changed when init/cookie echo were
2828 * in flight)
2829 */
2830 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) &&
2831 (stcb->asoc.asconf_supported == 1) &&
2832 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
2833 #ifdef SCTP_TIMER_BASED_ASCONF
2834 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
2835 stcb->sctp_ep, stcb,
2836 stcb->asoc.primary_destination);
2837 #else
2838 sctp_send_asconf(stcb, stcb->asoc.primary_destination,
2839 SCTP_ADDR_NOT_LOCKED);
2840 #endif
2841 }
2842 }
2843 closed_socket:
2844 /* Toss the cookie if I can */
2845 sctp_toss_old_cookies(stcb, asoc);
2846 /* Restart the timer if we have pending data */
2847 TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
2848 if (chk->whoTo != NULL) {
2849 break;
2850 }
2851 }
2852 if (chk != NULL) {
2853 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo);
2854 }
2855 }
2856
2857 static void
2858 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
2859 struct sctp_tcb *stcb)
2860 {
2861 struct sctp_nets *net;
2862 struct sctp_tmit_chunk *lchk;
2863 struct sctp_ecne_chunk bkup;
2864 uint8_t override_bit;
2865 uint32_t tsn, window_data_tsn;
2866 int len;
2867 unsigned int pkt_cnt;
2868
2869 len = ntohs(cp->ch.chunk_length);
2870 if (len == sizeof(struct old_sctp_ecne_chunk)) {
2871 /* Its the old format */
2872 memcpy(&bkup, cp, sizeof(struct old_sctp_ecne_chunk));
2873 bkup.num_pkts_since_cwr = htonl(1);
2874 cp = &bkup;
2875 }
2876 SCTP_STAT_INCR(sctps_recvecne);
2877 tsn = ntohl(cp->tsn);
2878 pkt_cnt = ntohl(cp->num_pkts_since_cwr);
2879 lchk = TAILQ_LAST(&stcb->asoc.send_queue, sctpchunk_listhead);
2880 if (lchk == NULL) {
2881 window_data_tsn = stcb->asoc.sending_seq - 1;
2882 } else {
2883 window_data_tsn = lchk->rec.data.tsn;
2884 }
2885
2886 /* Find where it was sent to if possible. */
2887 net = NULL;
2888 TAILQ_FOREACH(lchk, &stcb->asoc.sent_queue, sctp_next) {
2889 if (lchk->rec.data.tsn == tsn) {
2890 net = lchk->whoTo;
2891 net->ecn_prev_cwnd = lchk->rec.data.cwnd_at_send;
2892 break;
2893 }
2894 if (SCTP_TSN_GT(lchk->rec.data.tsn, tsn)) {
2895 break;
2896 }
2897 }
2898 if (net == NULL) {
2899 /*
2900 * What to do. A previous send of a CWR was possibly lost.
2901 * See how old it is, we may have it marked on the actual
2902 * net.
2903 */
2904 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
2905 if (tsn == net->last_cwr_tsn) {
2906 /* Found him, send it off */
2907 break;
2908 }
2909 }
2910 if (net == NULL) {
2911 /*
2912 * If we reach here, we need to send a special CWR
2913 * that says hey, we did this a long time ago and
2914 * you lost the response.
2915 */
2916 net = TAILQ_FIRST(&stcb->asoc.nets);
2917 if (net == NULL) {
2918 /* TSNH */
2919 return;
2920 }
2921 override_bit = SCTP_CWR_REDUCE_OVERRIDE;
2922 } else {
2923 override_bit = 0;
2924 }
2925 } else {
2926 override_bit = 0;
2927 }
2928 if (SCTP_TSN_GT(tsn, net->cwr_window_tsn) &&
2929 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) {
2930 /*
2931 * JRS - Use the congestion control given in the pluggable
2932 * CC module
2933 */
2934 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 0, pkt_cnt);
2935 /*
2936 * We reduce once every RTT. So we will only lower cwnd at
2937 * the next sending seq i.e. the window_data_tsn
2938 */
2939 net->cwr_window_tsn = window_data_tsn;
2940 net->ecn_ce_pkt_cnt += pkt_cnt;
2941 net->lost_cnt = pkt_cnt;
2942 net->last_cwr_tsn = tsn;
2943 } else {
2944 override_bit |= SCTP_CWR_IN_SAME_WINDOW;
2945 if (SCTP_TSN_GT(tsn, net->last_cwr_tsn) &&
2946 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) {
2947 /*
2948 * Another loss in the same window update how many
2949 * marks/packets lost we have had.
2950 */
2951 int cnt = 1;
2952
2953 if (pkt_cnt > net->lost_cnt) {
2954 /* Should be the case */
2955 cnt = (pkt_cnt - net->lost_cnt);
2956 net->ecn_ce_pkt_cnt += cnt;
2957 }
2958 net->lost_cnt = pkt_cnt;
2959 net->last_cwr_tsn = tsn;
2960 /*
2961 * Most CC functions will ignore this call, since we
2962 * are in-window yet of the initial CE the peer saw.
2963 */
2964 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 1, cnt);
2965 }
2966 }
2967 /*
2968 * We always send a CWR this way if our previous one was lost our
2969 * peer will get an update, or if it is not time again to reduce we
2970 * still get the cwr to the peer. Note we set the override when we
2971 * could not find the TSN on the chunk or the destination network.
2972 */
2973 sctp_send_cwr(stcb, net, net->last_cwr_tsn, override_bit);
2974 }
2975
2976 static void
2977 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb, struct sctp_nets *net)
2978 {
2979 /*
2980 * Here we get a CWR from the peer. We must look in the outqueue and
2981 * make sure that we have a covered ECNE in the control chunk part.
2982 * If so remove it.
2983 */
2984 struct sctp_tmit_chunk *chk, *nchk;
2985 struct sctp_ecne_chunk *ecne;
2986 int override;
2987 uint32_t cwr_tsn;
2988
2989 cwr_tsn = ntohl(cp->tsn);
2990 override = cp->ch.chunk_flags & SCTP_CWR_REDUCE_OVERRIDE;
2991 TAILQ_FOREACH_SAFE(chk, &stcb->asoc.control_send_queue, sctp_next, nchk) {
2992 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) {
2993 continue;
2994 }
2995 if ((override == 0) && (chk->whoTo != net)) {
2996 /* Must be from the right src unless override is set */
2997 continue;
2998 }
2999 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
3000 if (SCTP_TSN_GE(cwr_tsn, ntohl(ecne->tsn))) {
3001 /* this covers this ECNE, we can remove it */
3002 stcb->asoc.ecn_echo_cnt_onq--;
3003 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
3004 sctp_next);
3005 stcb->asoc.ctrl_queue_cnt--;
3006 sctp_m_freem(chk->data);
3007 chk->data = NULL;
3008 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
3009 if (override == 0) {
3010 break;
3011 }
3012 }
3013 }
3014 }
3015
3016 static void
3017 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp SCTP_UNUSED,
3018 struct sctp_tcb *stcb, struct sctp_nets *net)
3019 {
3020
3021 SCTPDBG(SCTP_DEBUG_INPUT2,
3022 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
3023 if (stcb == NULL)
3024 return;
3025
3026 /* process according to association state */
3027 if (SCTP_GET_STATE(stcb) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
3028 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
3029 SCTPDBG(SCTP_DEBUG_INPUT2,
3030 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n");
3031 SCTP_TCB_UNLOCK(stcb);
3032 return;
3033 }
3034 /* notify upper layer protocol */
3035 if (stcb->sctp_socket) {
3036 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
3037 }
3038 #ifdef INVARIANTS
3039 if (!TAILQ_EMPTY(&stcb->asoc.send_queue) ||
3040 !TAILQ_EMPTY(&stcb->asoc.sent_queue) ||
3041 sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED)) {
3042 panic("Queues are not empty when handling SHUTDOWN-COMPLETE");
3043 }
3044 #endif
3045 /* stop the timer */
3046 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net,
3047 SCTP_FROM_SCTP_INPUT + SCTP_LOC_24);
3048 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
3049 /* free the TCB */
3050 SCTPDBG(SCTP_DEBUG_INPUT2,
3051 "sctp_handle_shutdown_complete: calls free-asoc\n");
3052 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
3053 SCTP_FROM_SCTP_INPUT + SCTP_LOC_25);
3054 return;
3055 }
3056
3057 static int
3058 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
3059 struct sctp_nets *net, uint8_t flg)
3060 {
3061 switch (desc->chunk_type) {
3062 case SCTP_DATA:
3063 case SCTP_IDATA:
3064 /* find the tsn to resend (possibly) */
3065 {
3066 uint32_t tsn;
3067 struct sctp_tmit_chunk *tp1;
3068
3069 tsn = ntohl(desc->tsn_ifany);
3070 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3071 if (tp1->rec.data.tsn == tsn) {
3072 /* found it */
3073 break;
3074 }
3075 if (SCTP_TSN_GT(tp1->rec.data.tsn, tsn)) {
3076 /* not found */
3077 tp1 = NULL;
3078 break;
3079 }
3080 }
3081 if (tp1 == NULL) {
3082 /*
3083 * Do it the other way , aka without paying
3084 * attention to queue seq order.
3085 */
3086 SCTP_STAT_INCR(sctps_pdrpdnfnd);
3087 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3088 if (tp1->rec.data.tsn == tsn) {
3089 /* found it */
3090 break;
3091 }
3092 }
3093 }
3094 if (tp1 == NULL) {
3095 SCTP_STAT_INCR(sctps_pdrptsnnf);
3096 }
3097 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
3098 if (((flg & SCTP_BADCRC) == 0) &&
3099 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
3100 return (0);
3101 }
3102 if ((stcb->asoc.peers_rwnd == 0) &&
3103 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
3104 SCTP_STAT_INCR(sctps_pdrpdiwnp);
3105 return (0);
3106 }
3107 if (stcb->asoc.peers_rwnd == 0 &&
3108 (flg & SCTP_FROM_MIDDLE_BOX)) {
3109 SCTP_STAT_INCR(sctps_pdrpdizrw);
3110 return (0);
3111 }
3112 if ((uint32_t)SCTP_BUF_LEN(tp1->data) <
3113 SCTP_DATA_CHUNK_OVERHEAD(stcb) + SCTP_NUM_DB_TO_VERIFY) {
3114 /* Payload not matching. */
3115 SCTP_STAT_INCR(sctps_pdrpbadd);
3116 return (-1);
3117 }
3118 if (memcmp(mtod(tp1->data, caddr_t)+SCTP_DATA_CHUNK_OVERHEAD(stcb),
3119 desc->data_bytes, SCTP_NUM_DB_TO_VERIFY) != 0) {
3120 /* Payload not matching. */
3121 SCTP_STAT_INCR(sctps_pdrpbadd);
3122 return (-1);
3123 }
3124 if (tp1->do_rtt) {
3125 /*
3126 * this guy had a RTO calculation
3127 * pending on it, cancel it
3128 */
3129 if (tp1->whoTo->rto_needed == 0) {
3130 tp1->whoTo->rto_needed = 1;
3131 }
3132 tp1->do_rtt = 0;
3133 }
3134 SCTP_STAT_INCR(sctps_pdrpmark);
3135 if (tp1->sent != SCTP_DATAGRAM_RESEND)
3136 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3137 /*
3138 * mark it as if we were doing a FR, since
3139 * we will be getting gap ack reports behind
3140 * the info from the router.
3141 */
3142 tp1->rec.data.doing_fast_retransmit = 1;
3143 /*
3144 * mark the tsn with what sequences can
3145 * cause a new FR.
3146 */
3147 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) {
3148 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
3149 } else {
3150 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.tsn;
3151 }
3152
3153 /* restart the timer */
3154 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
3155 stcb, tp1->whoTo,
3156 SCTP_FROM_SCTP_INPUT + SCTP_LOC_26);
3157 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
3158 stcb, tp1->whoTo);
3159
3160 /* fix counts and things */
3161 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3162 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP,
3163 tp1->whoTo->flight_size,
3164 tp1->book_size,
3165 (uint32_t)(uintptr_t)stcb,
3166 tp1->rec.data.tsn);
3167 }
3168 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3169 sctp_flight_size_decrease(tp1);
3170 sctp_total_flight_decrease(stcb, tp1);
3171 }
3172 tp1->sent = SCTP_DATAGRAM_RESEND;
3173 } {
3174 /* audit code */
3175 unsigned int audit;
3176
3177 audit = 0;
3178 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3179 if (tp1->sent == SCTP_DATAGRAM_RESEND)
3180 audit++;
3181 }
3182 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
3183 sctp_next) {
3184 if (tp1->sent == SCTP_DATAGRAM_RESEND)
3185 audit++;
3186 }
3187 if (audit != stcb->asoc.sent_queue_retran_cnt) {
3188 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n",
3189 audit, stcb->asoc.sent_queue_retran_cnt);
3190 #ifndef SCTP_AUDITING_ENABLED
3191 stcb->asoc.sent_queue_retran_cnt = audit;
3192 #endif
3193 }
3194 }
3195 }
3196 break;
3197 case SCTP_ASCONF:
3198 {
3199 struct sctp_tmit_chunk *asconf;
3200
3201 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
3202 sctp_next) {
3203 if (asconf->rec.chunk_id.id == SCTP_ASCONF) {
3204 break;
3205 }
3206 }
3207 if (asconf) {
3208 if (asconf->sent != SCTP_DATAGRAM_RESEND)
3209 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3210 asconf->sent = SCTP_DATAGRAM_RESEND;
3211 asconf->snd_count--;
3212 }
3213 }
3214 break;
3215 case SCTP_INITIATION:
3216 /* resend the INIT */
3217 stcb->asoc.dropped_special_cnt++;
3218 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
3219 /*
3220 * If we can get it in, in a few attempts we do
3221 * this, otherwise we let the timer fire.
3222 */
3223 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
3224 stcb, net,
3225 SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
3226 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
3227 }
3228 break;
3229 case SCTP_SELECTIVE_ACK:
3230 case SCTP_NR_SELECTIVE_ACK:
3231 /* resend the sack */
3232 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
3233 break;
3234 case SCTP_HEARTBEAT_REQUEST:
3235 /* resend a demand HB */
3236 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) {
3237 /*
3238 * Only retransmit if we KNOW we wont destroy the
3239 * tcb
3240 */
3241 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
3242 }
3243 break;
3244 case SCTP_SHUTDOWN:
3245 sctp_send_shutdown(stcb, net);
3246 break;
3247 case SCTP_SHUTDOWN_ACK:
3248 sctp_send_shutdown_ack(stcb, net);
3249 break;
3250 case SCTP_COOKIE_ECHO:
3251 {
3252 struct sctp_tmit_chunk *cookie;
3253
3254 cookie = NULL;
3255 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
3256 sctp_next) {
3257 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
3258 break;
3259 }
3260 }
3261 if (cookie) {
3262 if (cookie->sent != SCTP_DATAGRAM_RESEND)
3263 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3264 cookie->sent = SCTP_DATAGRAM_RESEND;
3265 sctp_stop_all_cookie_timers(stcb);
3266 }
3267 }
3268 break;
3269 case SCTP_COOKIE_ACK:
3270 sctp_send_cookie_ack(stcb);
3271 break;
3272 case SCTP_ASCONF_ACK:
3273 /* resend last asconf ack */
3274 sctp_send_asconf_ack(stcb);
3275 break;
3276 case SCTP_IFORWARD_CUM_TSN:
3277 case SCTP_FORWARD_CUM_TSN:
3278 send_forward_tsn(stcb, &stcb->asoc);
3279 break;
3280 /* can't do anything with these */
3281 case SCTP_PACKET_DROPPED:
3282 case SCTP_INITIATION_ACK: /* this should not happen */
3283 case SCTP_HEARTBEAT_ACK:
3284 case SCTP_ABORT_ASSOCIATION:
3285 case SCTP_OPERATION_ERROR:
3286 case SCTP_SHUTDOWN_COMPLETE:
3287 case SCTP_ECN_ECHO:
3288 case SCTP_ECN_CWR:
3289 default:
3290 break;
3291 }
3292 return (0);
3293 }
3294
3295 void
3296 sctp_reset_in_stream(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list)
3297 {
3298 uint32_t i;
3299 uint16_t temp;
3300
3301 /*
3302 * We set things to 0xffffffff since this is the last delivered
3303 * sequence and we will be sending in 0 after the reset.
3304 */
3305
3306 if (number_entries) {
3307 for (i = 0; i < number_entries; i++) {
3308 temp = ntohs(list[i]);
3309 if (temp >= stcb->asoc.streamincnt) {
3310 continue;
3311 }
3312 stcb->asoc.strmin[temp].last_mid_delivered = 0xffffffff;
3313 }
3314 } else {
3315 list = NULL;
3316 for (i = 0; i < stcb->asoc.streamincnt; i++) {
3317 stcb->asoc.strmin[i].last_mid_delivered = 0xffffffff;
3318 }
3319 }
3320 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3321 }
3322
3323 static void
3324 sctp_reset_out_streams(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list)
3325 {
3326 uint32_t i;
3327 uint16_t temp;
3328
3329 if (number_entries > 0) {
3330 for (i = 0; i < number_entries; i++) {
3331 temp = ntohs(list[i]);
3332 if (temp >= stcb->asoc.streamoutcnt) {
3333 /* no such stream */
3334 continue;
3335 }
3336 stcb->asoc.strmout[temp].next_mid_ordered = 0;
3337 stcb->asoc.strmout[temp].next_mid_unordered = 0;
3338 }
3339 } else {
3340 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3341 stcb->asoc.strmout[i].next_mid_ordered = 0;
3342 stcb->asoc.strmout[i].next_mid_unordered = 0;
3343 }
3344 }
3345 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3346 }
3347
3348 static void
3349 sctp_reset_clear_pending(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list)
3350 {
3351 uint32_t i;
3352 uint16_t temp;
3353
3354 if (number_entries > 0) {
3355 for (i = 0; i < number_entries; i++) {
3356 temp = ntohs(list[i]);
3357 if (temp >= stcb->asoc.streamoutcnt) {
3358 /* no such stream */
3359 continue;
3360 }
3361 stcb->asoc.strmout[temp].state = SCTP_STREAM_OPEN;
3362 }
3363 } else {
3364 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3365 stcb->asoc.strmout[i].state = SCTP_STREAM_OPEN;
3366 }
3367 }
3368 }
3369
3370 struct sctp_stream_reset_request *
3371 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk)
3372 {
3373 struct sctp_association *asoc;
3374 struct sctp_chunkhdr *ch;
3375 struct sctp_stream_reset_request *r;
3376 struct sctp_tmit_chunk *chk;
3377 int len, clen;
3378
3379 asoc = &stcb->asoc;
3380 chk = asoc->str_reset;
3381 if (TAILQ_EMPTY(&asoc->control_send_queue) ||
3382 (chk == NULL)) {
3383 asoc->stream_reset_outstanding = 0;
3384 return (NULL);
3385 }
3386 if (chk->data == NULL) {
3387 return (NULL);
3388 }
3389 if (bchk != NULL) {
3390 /* he wants a copy of the chk pointer */
3391 *bchk = chk;
3392 }
3393 clen = chk->send_size;
3394 ch = mtod(chk->data, struct sctp_chunkhdr *);
3395 r = (struct sctp_stream_reset_request *)(ch + 1);
3396 if (ntohl(r->request_seq) == seq) {
3397 /* found it */
3398 return (r);
3399 }
3400 len = SCTP_SIZE32(ntohs(r->ph.param_length));
3401 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) {
3402 /* move to the next one, there can only be a max of two */
3403 r = (struct sctp_stream_reset_request *)((caddr_t)r + len);
3404 if (ntohl(r->request_seq) == seq) {
3405 return (r);
3406 }
3407 }
3408 /* that seq is not here */
3409 return (NULL);
3410 }
3411
3412 static void
3413 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
3414 {
3415 struct sctp_association *asoc;
3416 struct sctp_tmit_chunk *chk;
3417
3418 asoc = &stcb->asoc;
3419 chk = asoc->str_reset;
3420 if (chk == NULL) {
3421 return;
3422 }
3423 asoc->str_reset = NULL;
3424 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb,
3425 NULL, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28);
3426 TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
3427 asoc->ctrl_queue_cnt--;
3428 if (chk->data) {
3429 sctp_m_freem(chk->data);
3430 chk->data = NULL;
3431 }
3432 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
3433 }
3434
3435 static int
3436 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
3437 uint32_t seq, uint32_t action,
3438 struct sctp_stream_reset_response *respin)
3439 {
3440 uint16_t type;
3441 int lparam_len;
3442 struct sctp_association *asoc = &stcb->asoc;
3443 struct sctp_tmit_chunk *chk;
3444 struct sctp_stream_reset_request *req_param;
3445 struct sctp_stream_reset_out_request *req_out_param;
3446 struct sctp_stream_reset_in_request *req_in_param;
3447 uint32_t number_entries;
3448
3449 if (asoc->stream_reset_outstanding == 0) {
3450 /* duplicate */
3451 return (0);
3452 }
3453 if (seq == stcb->asoc.str_reset_seq_out) {
3454 req_param = sctp_find_stream_reset(stcb, seq, &chk);
3455 if (req_param != NULL) {
3456 stcb->asoc.str_reset_seq_out++;
3457 type = ntohs(req_param->ph.param_type);
3458 lparam_len = ntohs(req_param->ph.param_length);
3459 if (type == SCTP_STR_RESET_OUT_REQUEST) {
3460 int no_clear = 0;
3461
3462 req_out_param = (struct sctp_stream_reset_out_request *)req_param;
3463 number_entries = (lparam_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
3464 asoc->stream_reset_out_is_outstanding = 0;
3465 if (asoc->stream_reset_outstanding)
3466 asoc->stream_reset_outstanding--;
3467 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
3468 /* do it */
3469 sctp_reset_out_streams(stcb, number_entries, req_out_param->list_of_streams);
3470 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3471 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED);
3472 } else if (action == SCTP_STREAM_RESET_RESULT_IN_PROGRESS) {
3473 /*
3474 * Set it up so we don't stop
3475 * retransmitting
3476 */
3477 asoc->stream_reset_outstanding++;
3478 stcb->asoc.str_reset_seq_out--;
3479 asoc->stream_reset_out_is_outstanding = 1;
3480 no_clear = 1;
3481 } else {
3482 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED);
3483 }
3484 if (no_clear == 0) {
3485 sctp_reset_clear_pending(stcb, number_entries, req_out_param->list_of_streams);
3486 }
3487 } else if (type == SCTP_STR_RESET_IN_REQUEST) {
3488 req_in_param = (struct sctp_stream_reset_in_request *)req_param;
3489 number_entries = (lparam_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
3490 if (asoc->stream_reset_outstanding)
3491 asoc->stream_reset_outstanding--;
3492 if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3493 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_IN, stcb,
3494 number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED);
3495 } else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) {
3496 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb,
3497 number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED);
3498 }
3499 } else if (type == SCTP_STR_RESET_ADD_OUT_STREAMS) {
3500 /* Ok we now may have more streams */
3501 int num_stream;
3502
3503 num_stream = stcb->asoc.strm_pending_add_size;
3504 if (num_stream > (stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt)) {
3505 /* TSNH */
3506 num_stream = stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt;
3507 }
3508 stcb->asoc.strm_pending_add_size = 0;
3509 if (asoc->stream_reset_outstanding)
3510 asoc->stream_reset_outstanding--;
3511 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
3512 /* Put the new streams into effect */
3513 int i;
3514
3515 for (i = asoc->streamoutcnt; i < (asoc->streamoutcnt + num_stream); i++) {
3516 asoc->strmout[i].state = SCTP_STREAM_OPEN;
3517 }
3518 asoc->streamoutcnt += num_stream;
3519 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0);
3520 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3521 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3522 SCTP_STREAM_CHANGE_DENIED);
3523 } else {
3524 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3525 SCTP_STREAM_CHANGE_FAILED);
3526 }
3527 } else if (type == SCTP_STR_RESET_ADD_IN_STREAMS) {
3528 if (asoc->stream_reset_outstanding)
3529 asoc->stream_reset_outstanding--;
3530 if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3531 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3532 SCTP_STREAM_CHANGE_DENIED);
3533 } else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) {
3534 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3535 SCTP_STREAM_CHANGE_FAILED);
3536 }
3537 } else if (type == SCTP_STR_RESET_TSN_REQUEST) {
3538 /**
3539 * a) Adopt the new in tsn.
3540 * b) reset the map
3541 * c) Adopt the new out-tsn
3542 */
3543 struct sctp_stream_reset_response_tsn *resp;
3544 struct sctp_forward_tsn_chunk fwdtsn;
3545 int abort_flag = 0;
3546
3547 if (respin == NULL) {
3548 /* huh ? */
3549 return (0);
3550 }
3551 if (ntohs(respin->ph.param_length) < sizeof(struct sctp_stream_reset_response_tsn)) {
3552 return (0);
3553 }
3554 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
3555 resp = (struct sctp_stream_reset_response_tsn *)respin;
3556 asoc->stream_reset_outstanding--;
3557 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3558 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3559 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1);
3560 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3561 if (abort_flag) {
3562 return (1);
3563 }
3564 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1);
3565 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
3566 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
3567 }
3568
3569 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
3570 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn);
3571 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
3572
3573 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
3574 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size);
3575
3576 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn);
3577 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn;
3578
3579 sctp_reset_out_streams(stcb, 0, (uint16_t *)NULL);
3580 sctp_reset_in_stream(stcb, 0, (uint16_t *)NULL);
3581 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1), 0);
3582 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3583 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1),
3584 SCTP_ASSOC_RESET_DENIED);
3585 } else {
3586 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1),
3587 SCTP_ASSOC_RESET_FAILED);
3588 }
3589 }
3590 /* get rid of the request and get the request flags */
3591 if (asoc->stream_reset_outstanding == 0) {
3592 sctp_clean_up_stream_reset(stcb);
3593 }
3594 }
3595 }
3596 if (asoc->stream_reset_outstanding == 0) {
3597 sctp_send_stream_reset_out_if_possible(stcb, SCTP_SO_NOT_LOCKED);
3598 }
3599 return (0);
3600 }
3601
3602 static void
3603 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb,
3604 struct sctp_tmit_chunk *chk,
3605 struct sctp_stream_reset_in_request *req, int trunc)
3606 {
3607 uint32_t seq;
3608 int len, i;
3609 int number_entries;
3610 uint16_t temp;
3611
3612 /*
3613 * peer wants me to send a str-reset to him for my outgoing seq's if
3614 * seq_in is right.
3615 */
3616 struct sctp_association *asoc = &stcb->asoc;
3617
3618 seq = ntohl(req->request_seq);
3619 if (asoc->str_reset_seq_in == seq) {
3620 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3621 if ((asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ) == 0) {
3622 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3623 } else if (trunc) {
3624 /* Can't do it, since they exceeded our buffer size */
3625 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3626 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) {
3627 len = ntohs(req->ph.param_length);
3628 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t));
3629 if (number_entries) {
3630 for (i = 0; i < number_entries; i++) {
3631 temp = ntohs(req->list_of_streams[i]);
3632 if (temp >= stcb->asoc.streamoutcnt) {
3633 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3634 goto bad_boy;
3635 }
3636 req->list_of_streams[i] = temp;
3637 }
3638 for (i = 0; i < number_entries; i++) {
3639 if (stcb->asoc.strmout[req->list_of_streams[i]].state == SCTP_STREAM_OPEN) {
3640 stcb->asoc.strmout[req->list_of_streams[i]].state = SCTP_STREAM_RESET_PENDING;
3641 }
3642 }
3643 } else {
3644 /* Its all */
3645 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3646 if (stcb->asoc.strmout[i].state == SCTP_STREAM_OPEN)
3647 stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_PENDING;
3648 }
3649 }
3650 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3651 } else {
3652 /* Can't do it, since we have sent one out */
3653 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS;
3654 }
3655 bad_boy:
3656 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3657 asoc->str_reset_seq_in++;
3658 } else if (asoc->str_reset_seq_in - 1 == seq) {
3659 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3660 } else if (asoc->str_reset_seq_in - 2 == seq) {
3661 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3662 } else {
3663 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
3664 }
3665 sctp_send_stream_reset_out_if_possible(stcb, SCTP_SO_NOT_LOCKED);
3666 }
3667
3668 static int
3669 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb,
3670 struct sctp_tmit_chunk *chk,
3671 struct sctp_stream_reset_tsn_request *req)
3672 {
3673 /* reset all in and out and update the tsn */
3674 /*
3675 * A) reset my str-seq's on in and out. B) Select a receive next,
3676 * and set cum-ack to it. Also process this selected number as a
3677 * fwd-tsn as well. C) set in the response my next sending seq.
3678 */
3679 struct sctp_forward_tsn_chunk fwdtsn;
3680 struct sctp_association *asoc = &stcb->asoc;
3681 int abort_flag = 0;
3682 uint32_t seq;
3683
3684 seq = ntohl(req->request_seq);
3685 if (asoc->str_reset_seq_in == seq) {
3686 asoc->last_reset_action[1] = stcb->asoc.last_reset_action[0];
3687 if ((asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ) == 0) {
3688 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3689 } else {
3690 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3691 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3692 fwdtsn.ch.chunk_flags = 0;
3693 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1);
3694 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3695 if (abort_flag) {
3696 return (1);
3697 }
3698 asoc->highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA;
3699 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
3700 sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
3701 }
3702 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->highest_tsn_inside_map;
3703 asoc->mapping_array_base_tsn = asoc->highest_tsn_inside_map + 1;
3704 memset(asoc->mapping_array, 0, asoc->mapping_array_size);
3705 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
3706 memset(asoc->nr_mapping_array, 0, asoc->mapping_array_size);
3707 atomic_add_int(&asoc->sending_seq, 1);
3708 /* save off historical data for retrans */
3709 asoc->last_sending_seq[1] = asoc->last_sending_seq[0];
3710 asoc->last_sending_seq[0] = asoc->sending_seq;
3711 asoc->last_base_tsnsent[1] = asoc->last_base_tsnsent[0];
3712 asoc->last_base_tsnsent[0] = asoc->mapping_array_base_tsn;
3713 sctp_reset_out_streams(stcb, 0, (uint16_t *)NULL);
3714 sctp_reset_in_stream(stcb, 0, (uint16_t *)NULL);
3715 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3716 sctp_notify_stream_reset_tsn(stcb, asoc->sending_seq, (asoc->mapping_array_base_tsn + 1), 0);
3717 }
3718 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
3719 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]);
3720 asoc->str_reset_seq_in++;
3721 } else if (asoc->str_reset_seq_in - 1 == seq) {
3722 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
3723 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]);
3724 } else if (asoc->str_reset_seq_in - 2 == seq) {
3725 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1],
3726 asoc->last_sending_seq[1], asoc->last_base_tsnsent[1]);
3727 } else {
3728 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
3729 }
3730 return (0);
3731 }
3732
3733 static void
3734 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb,
3735 struct sctp_tmit_chunk *chk,
3736 struct sctp_stream_reset_out_request *req, int trunc)
3737 {
3738 uint32_t seq, tsn;
3739 int number_entries, len;
3740 struct sctp_association *asoc = &stcb->asoc;
3741
3742 seq = ntohl(req->request_seq);
3743
3744 /* now if its not a duplicate we process it */
3745 if (asoc->str_reset_seq_in == seq) {
3746 len = ntohs(req->ph.param_length);
3747 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t));
3748 /*
3749 * the sender is resetting, handle the list issue.. we must
3750 * a) verify if we can do the reset, if so no problem b) If
3751 * we can't do the reset we must copy the request. c) queue
3752 * it, and setup the data in processor to trigger it off
3753 * when needed and dequeue all the queued data.
3754 */
3755 tsn = ntohl(req->send_reset_at_tsn);
3756
3757 /* move the reset action back one */
3758 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3759 if ((asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ) == 0) {
3760 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3761 } else if (trunc) {
3762 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3763 } else if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) {
3764 /* we can do it now */
3765 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams);
3766 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3767 } else {
3768 /*
3769 * we must queue it up and thus wait for the TSN's
3770 * to arrive that are at or before tsn
3771 */
3772 struct sctp_stream_reset_list *liste;
3773 int siz;
3774
3775 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t));
3776 SCTP_MALLOC(liste, struct sctp_stream_reset_list *,
3777 siz, SCTP_M_STRESET);
3778 if (liste == NULL) {
3779 /* gak out of memory */
3780 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3781 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3782 return;
3783 }
3784 liste->seq = seq;
3785 liste->tsn = tsn;
3786 liste->number_entries = number_entries;
3787 memcpy(&liste->list_of_streams, req->list_of_streams, number_entries * sizeof(uint16_t));
3788 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp);
3789 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_IN_PROGRESS;
3790 }
3791 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3792 asoc->str_reset_seq_in++;
3793 } else if ((asoc->str_reset_seq_in - 1) == seq) {
3794 /*
3795 * one seq back, just echo back last action since my
3796 * response was lost.
3797 */
3798 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3799 } else if ((asoc->str_reset_seq_in - 2) == seq) {
3800 /*
3801 * two seq back, just echo back last action since my
3802 * response was lost.
3803 */
3804 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3805 } else {
3806 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
3807 }
3808 }
3809
3810 static void
3811 sctp_handle_str_reset_add_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
3812 struct sctp_stream_reset_add_strm *str_add)
3813 {
3814 /*
3815 * Peer is requesting to add more streams. If its within our
3816 * max-streams we will allow it.
3817 */
3818 uint32_t num_stream, i;
3819 uint32_t seq;
3820 struct sctp_association *asoc = &stcb->asoc;
3821 struct sctp_queued_to_read *ctl, *nctl;
3822
3823 /* Get the number. */
3824 seq = ntohl(str_add->request_seq);
3825 num_stream = ntohs(str_add->number_of_streams);
3826 /* Now what would be the new total? */
3827 if (asoc->str_reset_seq_in == seq) {
3828 num_stream += stcb->asoc.streamincnt;
3829 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
3830 if ((asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ) == 0) {
3831 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3832 } else if ((num_stream > stcb->asoc.max_inbound_streams) ||
3833 (num_stream > 0xffff)) {
3834 /* We must reject it they ask for to many */
3835 denied:
3836 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3837 } else {
3838 /* Ok, we can do that :-) */
3839 struct sctp_stream_in *oldstrm;
3840
3841 /* save off the old */
3842 oldstrm = stcb->asoc.strmin;
3843 SCTP_MALLOC(stcb->asoc.strmin, struct sctp_stream_in *,
3844 (num_stream * sizeof(struct sctp_stream_in)),
3845 SCTP_M_STRMI);
3846 if (stcb->asoc.strmin == NULL) {
3847 stcb->asoc.strmin = oldstrm;
3848 goto denied;
3849 }
3850 /* copy off the old data */
3851 for (i = 0; i < stcb->asoc.streamincnt; i++) {
3852 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue);
3853 TAILQ_INIT(&stcb->asoc.strmin[i].uno_inqueue);
3854 stcb->asoc.strmin[i].sid = i;
3855 stcb->asoc.strmin[i].last_mid_delivered = oldstrm[i].last_mid_delivered;
3856 stcb->asoc.strmin[i].delivery_started = oldstrm[i].delivery_started;
3857 stcb->asoc.strmin[i].pd_api_started = oldstrm[i].pd_api_started;
3858 /* now anything on those queues? */
3859 TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].inqueue, next_instrm, nctl) {
3860 TAILQ_REMOVE(&oldstrm[i].inqueue, ctl, next_instrm);
3861 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].inqueue, ctl, next_instrm);
3862 }
3863 TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].uno_inqueue, next_instrm, nctl) {
3864 TAILQ_REMOVE(&oldstrm[i].uno_inqueue, ctl, next_instrm);
3865 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].uno_inqueue, ctl, next_instrm);
3866 }
3867 }
3868 /* Init the new streams */
3869 for (i = stcb->asoc.streamincnt; i < num_stream; i++) {
3870 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue);
3871 TAILQ_INIT(&stcb->asoc.strmin[i].uno_inqueue);
3872 stcb->asoc.strmin[i].sid = i;
3873 stcb->asoc.strmin[i].last_mid_delivered = 0xffffffff;
3874 stcb->asoc.strmin[i].pd_api_started = 0;
3875 stcb->asoc.strmin[i].delivery_started = 0;
3876 }
3877 SCTP_FREE(oldstrm, SCTP_M_STRMI);
3878 /* update the size */
3879 stcb->asoc.streamincnt = num_stream;
3880 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3881 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0);
3882 }
3883 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3884 asoc->str_reset_seq_in++;
3885 } else if ((asoc->str_reset_seq_in - 1) == seq) {
3886 /*
3887 * one seq back, just echo back last action since my
3888 * response was lost.
3889 */
3890 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3891 } else if ((asoc->str_reset_seq_in - 2) == seq) {
3892 /*
3893 * two seq back, just echo back last action since my
3894 * response was lost.
3895 */
3896 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3897 } else {
3898 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
3899 }
3900 }
3901
3902 static void
3903 sctp_handle_str_reset_add_out_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
3904 struct sctp_stream_reset_add_strm *str_add)
3905 {
3906 /*
3907 * Peer is requesting to add more streams. If its within our
3908 * max-streams we will allow it.
3909 */
3910 uint16_t num_stream;
3911 uint32_t seq;
3912 struct sctp_association *asoc = &stcb->asoc;
3913
3914 /* Get the number. */
3915 seq = ntohl(str_add->request_seq);
3916 num_stream = ntohs(str_add->number_of_streams);
3917 /* Now what would be the new total? */
3918 if (asoc->str_reset_seq_in == seq) {
3919 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
3920 if ((asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ) == 0) {
3921 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3922 } else if (stcb->asoc.stream_reset_outstanding) {
3923 /* We must reject it we have something pending */
3924 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS;
3925 } else {
3926 /* Ok, we can do that :-) */
3927 int mychk;
3928
3929 mychk = stcb->asoc.streamoutcnt;
3930 mychk += num_stream;
3931 if (mychk < 0x10000) {
3932 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3933 if (sctp_send_str_reset_req(stcb, 0, NULL, 0, 0, 1, num_stream, 0, 1)) {
3934 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3935 }
3936 } else {
3937 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3938 }
3939 }
3940 sctp_add_stream_reset_result(chk, seq, stcb->asoc.last_reset_action[0]);
3941 asoc->str_reset_seq_in++;
3942 } else if ((asoc->str_reset_seq_in - 1) == seq) {
3943 /*
3944 * one seq back, just echo back last action since my
3945 * response was lost.
3946 */
3947 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3948 } else if ((asoc->str_reset_seq_in - 2) == seq) {
3949 /*
3950 * two seq back, just echo back last action since my
3951 * response was lost.
3952 */
3953 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3954 } else {
3955 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
3956 }
3957 }
3958
3959 #ifdef __GNUC__
3960 __attribute__((noinline))
3961 #endif
3962 static int
3963 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
3964 struct sctp_chunkhdr *ch_req)
3965 {
3966 uint16_t remaining_length, param_len, ptype;
3967 struct sctp_paramhdr pstore;
3968 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
3969 uint32_t seq = 0;
3970 int num_req = 0;
3971 int trunc = 0;
3972 struct sctp_tmit_chunk *chk;
3973 struct sctp_chunkhdr *ch;
3974 struct sctp_paramhdr *ph;
3975 int ret_code = 0;
3976 int num_param = 0;
3977
3978 /* now it may be a reset or a reset-response */
3979 remaining_length = ntohs(ch_req->chunk_length) - sizeof(struct sctp_chunkhdr);
3980
3981 /* setup for adding the response */
3982 sctp_alloc_a_chunk(stcb, chk);
3983 if (chk == NULL) {
3984 return (ret_code);
3985 }
3986 chk->copy_by_ref = 0;
3987 chk->rec.chunk_id.id = SCTP_STREAM_RESET;
3988 chk->rec.chunk_id.can_take_data = 0;
3989 chk->flags = 0;
3990 chk->asoc = &stcb->asoc;
3991 chk->no_fr_allowed = 0;
3992 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr);
3993 chk->book_size_scale = 0;
3994 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
3995 if (chk->data == NULL) {
3996 strres_nochunk:
3997 if (chk->data) {
3998 sctp_m_freem(chk->data);
3999 chk->data = NULL;
4000 }
4001 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
4002 return (ret_code);
4003 }
4004 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
4005
4006 /* setup chunk parameters */
4007 chk->sent = SCTP_DATAGRAM_UNSENT;
4008 chk->snd_count = 0;
4009 chk->whoTo = NULL;
4010
4011 ch = mtod(chk->data, struct sctp_chunkhdr *);
4012 ch->chunk_type = SCTP_STREAM_RESET;
4013 ch->chunk_flags = 0;
4014 ch->chunk_length = htons(chk->send_size);
4015 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
4016 offset += sizeof(struct sctp_chunkhdr);
4017 while (remaining_length >= sizeof(struct sctp_paramhdr)) {
4018 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *)&pstore);
4019 if (ph == NULL) {
4020 /* TSNH */
4021 break;
4022 }
4023 param_len = ntohs(ph->param_length);
4024 if ((param_len > remaining_length) ||
4025 (param_len < (sizeof(struct sctp_paramhdr) + sizeof(uint32_t)))) {
4026 /* bad parameter length */
4027 break;
4028 }
4029 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, sizeof(cstore)),
4030 (uint8_t *)&cstore);
4031 if (ph == NULL) {
4032 /* TSNH */
4033 break;
4034 }
4035 ptype = ntohs(ph->param_type);
4036 num_param++;
4037 if (param_len > sizeof(cstore)) {
4038 trunc = 1;
4039 } else {
4040 trunc = 0;
4041 }
4042 if (num_param > SCTP_MAX_RESET_PARAMS) {
4043 /* hit the max of parameters already sorry.. */
4044 break;
4045 }
4046 if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
4047 struct sctp_stream_reset_out_request *req_out;
4048
4049 if (param_len < sizeof(struct sctp_stream_reset_out_request)) {
4050 break;
4051 }
4052 req_out = (struct sctp_stream_reset_out_request *)ph;
4053 num_req++;
4054 if (stcb->asoc.stream_reset_outstanding) {
4055 seq = ntohl(req_out->response_seq);
4056 if (seq == stcb->asoc.str_reset_seq_out) {
4057 /* implicit ack */
4058 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_RESULT_PERFORMED, NULL);
4059 }
4060 }
4061 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc);
4062 } else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) {
4063 struct sctp_stream_reset_add_strm *str_add;
4064
4065 if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
4066 break;
4067 }
4068 str_add = (struct sctp_stream_reset_add_strm *)ph;
4069 num_req++;
4070 sctp_handle_str_reset_add_strm(stcb, chk, str_add);
4071 } else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) {
4072 struct sctp_stream_reset_add_strm *str_add;
4073
4074 if (param_len < sizeof(struct sctp_stream_reset_add_strm)) {
4075 break;
4076 }
4077 str_add = (struct sctp_stream_reset_add_strm *)ph;
4078 num_req++;
4079 sctp_handle_str_reset_add_out_strm(stcb, chk, str_add);
4080 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) {
4081 struct sctp_stream_reset_in_request *req_in;
4082
4083 num_req++;
4084 req_in = (struct sctp_stream_reset_in_request *)ph;
4085 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc);
4086 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) {
4087 struct sctp_stream_reset_tsn_request *req_tsn;
4088
4089 num_req++;
4090 req_tsn = (struct sctp_stream_reset_tsn_request *)ph;
4091 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) {
4092 ret_code = 1;
4093 goto strres_nochunk;
4094 }
4095 /* no more */
4096 break;
4097 } else if (ptype == SCTP_STR_RESET_RESPONSE) {
4098 struct sctp_stream_reset_response *resp;
4099 uint32_t result;
4100
4101 if (param_len < sizeof(struct sctp_stream_reset_response)) {
4102 break;
4103 }
4104 resp = (struct sctp_stream_reset_response *)ph;
4105 seq = ntohl(resp->response_seq);
4106 result = ntohl(resp->result);
4107 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) {
4108 ret_code = 1;
4109 goto strres_nochunk;
4110 }
4111 } else {
4112 break;
4113 }
4114 offset += SCTP_SIZE32(param_len);
4115 if (remaining_length >= SCTP_SIZE32(param_len)) {
4116 remaining_length -= SCTP_SIZE32(param_len);
4117 } else {
4118 remaining_length = 0;
4119 }
4120 }
4121 if (num_req == 0) {
4122 /* we have no response free the stuff */
4123 goto strres_nochunk;
4124 }
4125 /* ok we have a chunk to link in */
4126 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue,
4127 chk,
4128 sctp_next);
4129 stcb->asoc.ctrl_queue_cnt++;
4130 return (ret_code);
4131 }
4132
4133 /*
4134 * Handle a router or endpoints report of a packet loss, there are two ways
4135 * to handle this, either we get the whole packet and must disect it
4136 * ourselves (possibly with truncation and or corruption) or it is a summary
4137 * from a middle box that did the disecting for us.
4138 */
4139 static void
4140 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
4141 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
4142 {
4143 struct sctp_chunk_desc desc;
4144 struct sctp_chunkhdr *chk_hdr;
4145 struct sctp_data_chunk *data_chunk;
4146 struct sctp_idata_chunk *idata_chunk;
4147 uint32_t bottle_bw, on_queue;
4148 uint32_t offset, chk_len;
4149 uint16_t pktdrp_len;
4150 uint8_t pktdrp_flags;
4151
4152 KASSERT(sizeof(struct sctp_pktdrop_chunk) <= limit,
4153 ("PKTDROP chunk too small"));
4154 pktdrp_flags = cp->ch.chunk_flags;
4155 pktdrp_len = ntohs(cp->ch.chunk_length);
4156 KASSERT(limit <= pktdrp_len, ("Inconsistent limit"));
4157 if (pktdrp_flags & SCTP_PACKET_TRUNCATED) {
4158 if (ntohs(cp->trunc_len) <= pktdrp_len - sizeof(struct sctp_pktdrop_chunk)) {
4159 /* The peer plays games with us. */
4160 return;
4161 }
4162 }
4163 limit -= sizeof(struct sctp_pktdrop_chunk);
4164 offset = 0;
4165 if (offset == limit) {
4166 if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) {
4167 SCTP_STAT_INCR(sctps_pdrpbwrpt);
4168 }
4169 } else if (offset + sizeof(struct sctphdr) > limit) {
4170 /* Only a partial SCTP common header. */
4171 SCTP_STAT_INCR(sctps_pdrpcrupt);
4172 offset = limit;
4173 } else {
4174 /* XXX: Check embedded SCTP common header. */
4175 offset += sizeof(struct sctphdr);
4176 }
4177 /* Now parse through the chunks themselves. */
4178 while (offset < limit) {
4179 if (offset + sizeof(struct sctp_chunkhdr) > limit) {
4180 SCTP_STAT_INCR(sctps_pdrpcrupt);
4181 break;
4182 }
4183 chk_hdr = (struct sctp_chunkhdr *)(cp->data + offset);
4184 desc.chunk_type = chk_hdr->chunk_type;
4185 /* get amount we need to move */
4186 chk_len = (uint32_t)ntohs(chk_hdr->chunk_length);
4187 if (chk_len < sizeof(struct sctp_chunkhdr)) {
4188 /* Someone is lying... */
4189 break;
4190 }
4191 if (desc.chunk_type == SCTP_DATA) {
4192 if (stcb->asoc.idata_supported) {
4193 /* Some is playing games with us. */
4194 break;
4195 }
4196 if (chk_len <= sizeof(struct sctp_data_chunk)) {
4197 /* Some is playing games with us. */
4198 break;
4199 }
4200 if (chk_len < sizeof(struct sctp_data_chunk) + SCTP_NUM_DB_TO_VERIFY) {
4201 /*
4202 * Not enough data bytes available in the
4203 * chunk.
4204 */
4205 SCTP_STAT_INCR(sctps_pdrpnedat);
4206 goto next_chunk;
4207 }
4208 if (offset + sizeof(struct sctp_data_chunk) + SCTP_NUM_DB_TO_VERIFY > limit) {
4209 /* Not enough data in buffer. */
4210 break;
4211 }
4212 data_chunk = (struct sctp_data_chunk *)(cp->data + offset);
4213 memcpy(desc.data_bytes, data_chunk + 1, SCTP_NUM_DB_TO_VERIFY);
4214 desc.tsn_ifany = data_chunk->dp.tsn;
4215 if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) {
4216 SCTP_STAT_INCR(sctps_pdrpmbda);
4217 }
4218 } else if (desc.chunk_type == SCTP_IDATA) {
4219 if (!stcb->asoc.idata_supported) {
4220 /* Some is playing games with us. */
4221 break;
4222 }
4223 if (chk_len <= sizeof(struct sctp_idata_chunk)) {
4224 /* Some is playing games with us. */
4225 break;
4226 }
4227 if (chk_len < sizeof(struct sctp_idata_chunk) + SCTP_NUM_DB_TO_VERIFY) {
4228 /*
4229 * Not enough data bytes available in the
4230 * chunk.
4231 */
4232 SCTP_STAT_INCR(sctps_pdrpnedat);
4233 goto next_chunk;
4234 }
4235 if (offset + sizeof(struct sctp_idata_chunk) + SCTP_NUM_DB_TO_VERIFY > limit) {
4236 /* Not enough data in buffer. */
4237 break;
4238 }
4239 idata_chunk = (struct sctp_idata_chunk *)(cp->data + offset);
4240 memcpy(desc.data_bytes, idata_chunk + 1, SCTP_NUM_DB_TO_VERIFY);
4241 desc.tsn_ifany = idata_chunk->dp.tsn;
4242 if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) {
4243 SCTP_STAT_INCR(sctps_pdrpmbda);
4244 }
4245 } else {
4246 if (pktdrp_flags & SCTP_FROM_MIDDLE_BOX) {
4247 SCTP_STAT_INCR(sctps_pdrpmbct);
4248 }
4249 }
4250 if (process_chunk_drop(stcb, &desc, net, pktdrp_flags)) {
4251 SCTP_STAT_INCR(sctps_pdrppdbrk);
4252 break;
4253 }
4254 next_chunk:
4255 offset += SCTP_SIZE32(chk_len);
4256 }
4257 /* Now update any rwnd --- possibly */
4258 if ((pktdrp_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
4259 /* From a peer, we get a rwnd report */
4260 uint32_t a_rwnd;
4261
4262 SCTP_STAT_INCR(sctps_pdrpfehos);
4263
4264 bottle_bw = ntohl(cp->bottle_bw);
4265 on_queue = ntohl(cp->current_onq);
4266 if (bottle_bw && on_queue) {
4267 /* a rwnd report is in here */
4268 if (bottle_bw > on_queue)
4269 a_rwnd = bottle_bw - on_queue;
4270 else
4271 a_rwnd = 0;
4272
4273 if (a_rwnd == 0)
4274 stcb->asoc.peers_rwnd = 0;
4275 else {
4276 if (a_rwnd > stcb->asoc.total_flight) {
4277 stcb->asoc.peers_rwnd =
4278 a_rwnd - stcb->asoc.total_flight;
4279 } else {
4280 stcb->asoc.peers_rwnd = 0;
4281 }
4282 if (stcb->asoc.peers_rwnd <
4283 stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4284 /* SWS sender side engages */
4285 stcb->asoc.peers_rwnd = 0;
4286 }
4287 }
4288 }
4289 } else {
4290 SCTP_STAT_INCR(sctps_pdrpfmbox);
4291 }
4292
4293 /* now middle boxes in sat networks get a cwnd bump */
4294 if ((pktdrp_flags & SCTP_FROM_MIDDLE_BOX) &&
4295 (stcb->asoc.sat_t3_loss_recovery == 0) &&
4296 (stcb->asoc.sat_network)) {
4297 /*
4298 * This is debatable but for sat networks it makes sense
4299 * Note if a T3 timer has went off, we will prohibit any
4300 * changes to cwnd until we exit the t3 loss recovery.
4301 */
4302 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb,
4303 net, cp, &bottle_bw, &on_queue);
4304 }
4305 }
4306
4307 /*
4308 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to
4309 * still contain IP/SCTP header - stcb: is the tcb found for this packet -
4310 * offset: offset into the mbuf chain to first chunkhdr - length: is the
4311 * length of the complete packet outputs: - length: modified to remaining
4312 * length after control processing - netp: modified to new sctp_nets after
4313 * cookie-echo processing - return NULL to discard the packet (ie. no asoc,
4314 * bad packet,...) otherwise return the tcb for this packet
4315 */
4316 #ifdef __GNUC__
4317 __attribute__((noinline))
4318 #endif
4319 static struct sctp_tcb *
4320 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
4321 struct sockaddr *src, struct sockaddr *dst,
4322 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
4323 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen,
4324 uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
4325 uint32_t vrf_id, uint16_t port)
4326 {
4327 struct sctp_association *asoc;
4328 struct mbuf *op_err;
4329 char msg[SCTP_DIAG_INFO_LEN];
4330 uint32_t vtag_in;
4331 int num_chunks = 0; /* number of control chunks processed */
4332 uint32_t chk_length, contiguous;
4333 int ret;
4334 int abort_no_unlock = 0;
4335 int ecne_seen = 0;
4336 int abort_flag;
4337
4338 /*
4339 * How big should this be, and should it be alloc'd? Lets try the
4340 * d-mtu-ceiling for now (2k) and that should hopefully work ...
4341 * until we get into jumbo grams and such..
4342 */
4343 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
4344 int got_auth = 0;
4345 uint32_t auth_offset = 0, auth_len = 0;
4346 int auth_skipped = 0;
4347 int asconf_cnt = 0;
4348
4349 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
4350 iphlen, *offset, length, (void *)stcb);
4351
4352 if (stcb) {
4353 SCTP_TCB_LOCK_ASSERT(stcb);
4354 }
4355 /* validate chunk header length... */
4356 if (ntohs(ch->chunk_length) < sizeof(*ch)) {
4357 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n",
4358 ntohs(ch->chunk_length));
4359 *offset = length;
4360 return (stcb);
4361 }
4362 /*
4363 * validate the verification tag
4364 */
4365 vtag_in = ntohl(sh->v_tag);
4366
4367 if (ch->chunk_type == SCTP_INITIATION) {
4368 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n",
4369 ntohs(ch->chunk_length), vtag_in);
4370 if (vtag_in != 0) {
4371 /* protocol error- silently discard... */
4372 SCTP_STAT_INCR(sctps_badvtag);
4373 if (stcb != NULL) {
4374 SCTP_TCB_UNLOCK(stcb);
4375 }
4376 return (NULL);
4377 }
4378 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
4379 /*
4380 * If there is no stcb, skip the AUTH chunk and process
4381 * later after a stcb is found (to validate the lookup was
4382 * valid.
4383 */
4384 if ((ch->chunk_type == SCTP_AUTHENTICATION) &&
4385 (stcb == NULL) &&
4386 (inp->auth_supported == 1)) {
4387 /* save this chunk for later processing */
4388 auth_skipped = 1;
4389 auth_offset = *offset;
4390 auth_len = ntohs(ch->chunk_length);
4391
4392 /* (temporarily) move past this chunk */
4393 *offset += SCTP_SIZE32(auth_len);
4394 if (*offset >= length) {
4395 /* no more data left in the mbuf chain */
4396 *offset = length;
4397 return (NULL);
4398 }
4399 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4400 sizeof(struct sctp_chunkhdr), chunk_buf);
4401 }
4402 if (ch == NULL) {
4403 /* Help */
4404 *offset = length;
4405 return (stcb);
4406 }
4407 if (ch->chunk_type == SCTP_COOKIE_ECHO) {
4408 goto process_control_chunks;
4409 }
4410 /*
4411 * first check if it's an ASCONF with an unknown src addr we
4412 * need to look inside to find the association
4413 */
4414 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
4415 struct sctp_chunkhdr *asconf_ch = ch;
4416 uint32_t asconf_offset = 0, asconf_len = 0;
4417
4418 /* inp's refcount may be reduced */
4419 SCTP_INP_INCR_REF(inp);
4420
4421 asconf_offset = *offset;
4422 do {
4423 asconf_len = ntohs(asconf_ch->chunk_length);
4424 if (asconf_len < sizeof(struct sctp_asconf_paramhdr))
4425 break;
4426 stcb = sctp_findassociation_ep_asconf(m,
4427 *offset,
4428 dst,
4429 sh, &inp, netp, vrf_id);
4430 if (stcb != NULL)
4431 break;
4432 asconf_offset += SCTP_SIZE32(asconf_len);
4433 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset,
4434 sizeof(struct sctp_chunkhdr), chunk_buf);
4435 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF);
4436 if (stcb == NULL) {
4437 /*
4438 * reduce inp's refcount if not reduced in
4439 * sctp_findassociation_ep_asconf().
4440 */
4441 SCTP_INP_DECR_REF(inp);
4442 }
4443
4444 /* now go back and verify any auth chunk to be sure */
4445 if (auth_skipped && (stcb != NULL)) {
4446 struct sctp_auth_chunk *auth;
4447
4448 if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
4449 auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf);
4450 got_auth = 1;
4451 auth_skipped = 0;
4452 } else {
4453 auth = NULL;
4454 }
4455 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
4456 auth_offset)) {
4457 /* auth HMAC failed so dump it */
4458 *offset = length;
4459 return (stcb);
4460 } else {
4461 /* remaining chunks are HMAC checked */
4462 stcb->asoc.authenticated = 1;
4463 }
4464 }
4465 }
4466 if (stcb == NULL) {
4467 SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
4468 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
4469 msg);
4470 /* no association, so it's out of the blue... */
4471 sctp_handle_ootb(m, iphlen, *offset, src, dst, sh, inp, op_err,
4472 mflowtype, mflowid, inp->fibnum,
4473 vrf_id, port);
4474 *offset = length;
4475 return (NULL);
4476 }
4477 asoc = &stcb->asoc;
4478 /* ABORT and SHUTDOWN can use either v_tag... */
4479 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
4480 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
4481 (ch->chunk_type == SCTP_PACKET_DROPPED)) {
4482 /* Take the T-bit always into account. */
4483 if ((((ch->chunk_flags & SCTP_HAD_NO_TCB) == 0) &&
4484 (vtag_in == asoc->my_vtag)) ||
4485 (((ch->chunk_flags & SCTP_HAD_NO_TCB) == SCTP_HAD_NO_TCB) &&
4486 (asoc->peer_vtag != htonl(0)) &&
4487 (vtag_in == asoc->peer_vtag))) {
4488 /* this is valid */
4489 } else {
4490 /* drop this packet... */
4491 SCTP_STAT_INCR(sctps_badvtag);
4492 if (stcb != NULL) {
4493 SCTP_TCB_UNLOCK(stcb);
4494 }
4495 return (NULL);
4496 }
4497 } else {
4498 /* for all other chunks, vtag must match */
4499 if (vtag_in != asoc->my_vtag) {
4500 /* invalid vtag... */
4501 SCTPDBG(SCTP_DEBUG_INPUT3,
4502 "invalid vtag: %xh, expect %xh\n",
4503 vtag_in, asoc->my_vtag);
4504 SCTP_STAT_INCR(sctps_badvtag);
4505 if (stcb != NULL) {
4506 SCTP_TCB_UNLOCK(stcb);
4507 }
4508 *offset = length;
4509 return (NULL);
4510 }
4511 }
4512 } /* end if !SCTP_COOKIE_ECHO */
4513 /*
4514 * process all control chunks...
4515 */
4516 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
4517 (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) ||
4518 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
4519 (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)) {
4520 /* implied cookie-ack.. we must have lost the ack */
4521 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb,
4522 *netp);
4523 }
4524
4525 process_control_chunks:
4526 while (IS_SCTP_CONTROL(ch)) {
4527 /* validate chunk length */
4528 chk_length = ntohs(ch->chunk_length);
4529 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n",
4530 ch->chunk_type, chk_length);
4531 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length);
4532 if (chk_length < sizeof(*ch) ||
4533 (*offset + (int)chk_length) > length) {
4534 *offset = length;
4535 return (stcb);
4536 }
4537 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
4538 /*
4539 * INIT and INIT-ACK only gets the init ack "header" portion
4540 * only because we don't have to process the peer's COOKIE.
4541 * All others get a complete chunk.
4542 */
4543 switch (ch->chunk_type) {
4544 case SCTP_INITIATION:
4545 contiguous = sizeof(struct sctp_init_chunk);
4546 break;
4547 case SCTP_INITIATION_ACK:
4548 contiguous = sizeof(struct sctp_init_ack_chunk);
4549 break;
4550 default:
4551 contiguous = min(chk_length, sizeof(chunk_buf));
4552 break;
4553 }
4554 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4555 contiguous,
4556 chunk_buf);
4557 if (ch == NULL) {
4558 *offset = length;
4559 return (stcb);
4560 }
4561
4562 num_chunks++;
4563 /* Save off the last place we got a control from */
4564 if (stcb != NULL) {
4565 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) {
4566 /*
4567 * allow last_control to be NULL if
4568 * ASCONF... ASCONF processing will find the
4569 * right net later
4570 */
4571 if ((netp != NULL) && (*netp != NULL))
4572 stcb->asoc.last_control_chunk_from = *netp;
4573 }
4574 }
4575 #ifdef SCTP_AUDITING_ENABLED
4576 sctp_audit_log(0xB0, ch->chunk_type);
4577 #endif
4578
4579 /* check to see if this chunk required auth, but isn't */
4580 if ((stcb != NULL) &&
4581 sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) &&
4582 !stcb->asoc.authenticated) {
4583 /* "silently" ignore */
4584 SCTP_STAT_INCR(sctps_recvauthmissing);
4585 goto next_chunk;
4586 }
4587 switch (ch->chunk_type) {
4588 case SCTP_INITIATION:
4589 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n");
4590 /* The INIT chunk must be the only chunk. */
4591 if ((num_chunks > 1) ||
4592 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
4593 /*
4594 * RFC 4960bis requires stopping the
4595 * processing of the packet.
4596 */
4597 *offset = length;
4598 return (stcb);
4599 }
4600 /* Honor our resource limit. */
4601 if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) {
4602 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
4603 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err,
4604 mflowtype, mflowid, inp->fibnum,
4605 vrf_id, port);
4606 *offset = length;
4607 if (stcb != NULL) {
4608 SCTP_TCB_UNLOCK(stcb);
4609 }
4610 return (NULL);
4611 }
4612 sctp_handle_init(m, iphlen, *offset, src, dst, sh,
4613 (struct sctp_init_chunk *)ch, inp,
4614 stcb, *netp,
4615 mflowtype, mflowid,
4616 vrf_id, port);
4617 *offset = length;
4618 if (stcb != NULL) {
4619 SCTP_TCB_UNLOCK(stcb);
4620 }
4621 return (NULL);
4622 break;
4623 case SCTP_PAD_CHUNK:
4624 break;
4625 case SCTP_INITIATION_ACK:
4626 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT_ACK\n");
4627 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4628 /* We are not interested anymore */
4629 if ((stcb != NULL) && (stcb->asoc.total_output_queue_size)) {
4630 ;
4631 } else {
4632 *offset = length;
4633 if (stcb != NULL) {
4634 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
4635 SCTP_FROM_SCTP_INPUT + SCTP_LOC_29);
4636 }
4637 return (NULL);
4638 }
4639 }
4640 /* The INIT-ACK chunk must be the only chunk. */
4641 if ((num_chunks > 1) ||
4642 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
4643 *offset = length;
4644 return (stcb);
4645 }
4646 if ((netp != NULL) && (*netp != NULL)) {
4647 ret = sctp_handle_init_ack(m, iphlen, *offset,
4648 src, dst, sh,
4649 (struct sctp_init_ack_chunk *)ch,
4650 stcb, *netp,
4651 &abort_no_unlock,
4652 mflowtype, mflowid,
4653 vrf_id);
4654 } else {
4655 ret = -1;
4656 }
4657 *offset = length;
4658 if (abort_no_unlock) {
4659 return (NULL);
4660 }
4661 /*
4662 * Special case, I must call the output routine to
4663 * get the cookie echoed
4664 */
4665 if ((stcb != NULL) && (ret == 0)) {
4666 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
4667 }
4668 return (stcb);
4669 break;
4670 case SCTP_SELECTIVE_ACK:
4671 case SCTP_NR_SELECTIVE_ACK:
4672 {
4673 int abort_now = 0;
4674 uint32_t a_rwnd, cum_ack;
4675 uint16_t num_seg, num_nr_seg, num_dup;
4676 uint8_t flags;
4677 int offset_seg, offset_dup;
4678
4679 SCTPDBG(SCTP_DEBUG_INPUT3, "%s\n",
4680 ch->chunk_type == SCTP_SELECTIVE_ACK ? "SCTP_SACK" : "SCTP_NR_SACK");
4681 SCTP_STAT_INCR(sctps_recvsacks);
4682 if (stcb == NULL) {
4683 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing %s chunk\n",
4684 (ch->chunk_type == SCTP_SELECTIVE_ACK) ? "SCTP_SACK" : "SCTP_NR_SACK");
4685 break;
4686 }
4687 if (ch->chunk_type == SCTP_SELECTIVE_ACK) {
4688 if (chk_length < sizeof(struct sctp_sack_chunk)) {
4689 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on SACK chunk, too small\n");
4690 break;
4691 }
4692 } else {
4693 if (stcb->asoc.nrsack_supported == 0) {
4694 goto unknown_chunk;
4695 }
4696 if (chk_length < sizeof(struct sctp_nr_sack_chunk)) {
4697 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on NR_SACK chunk, too small\n");
4698 break;
4699 }
4700 }
4701 if (SCTP_GET_STATE(stcb) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
4702 /*-
4703 * If we have sent a shutdown-ack, we will pay no
4704 * attention to a sack sent in to us since
4705 * we don't care anymore.
4706 */
4707 break;
4708 }
4709 flags = ch->chunk_flags;
4710 if (ch->chunk_type == SCTP_SELECTIVE_ACK) {
4711 struct sctp_sack_chunk *sack;
4712
4713 sack = (struct sctp_sack_chunk *)ch;
4714 cum_ack = ntohl(sack->sack.cum_tsn_ack);
4715 num_seg = ntohs(sack->sack.num_gap_ack_blks);
4716 num_nr_seg = 0;
4717 num_dup = ntohs(sack->sack.num_dup_tsns);
4718 a_rwnd = ntohl(sack->sack.a_rwnd);
4719 if (sizeof(struct sctp_sack_chunk) +
4720 num_seg * sizeof(struct sctp_gap_ack_block) +
4721 num_dup * sizeof(uint32_t) != chk_length) {
4722 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of SACK chunk\n");
4723 break;
4724 }
4725 offset_seg = *offset + sizeof(struct sctp_sack_chunk);
4726 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block);
4727 } else {
4728 struct sctp_nr_sack_chunk *nr_sack;
4729
4730 nr_sack = (struct sctp_nr_sack_chunk *)ch;
4731 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack);
4732 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks);
4733 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
4734 num_dup = ntohs(nr_sack->nr_sack.num_dup_tsns);
4735 a_rwnd = ntohl(nr_sack->nr_sack.a_rwnd);
4736 if (sizeof(struct sctp_nr_sack_chunk) +
4737 (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block) +
4738 num_dup * sizeof(uint32_t) != chk_length) {
4739 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of NR_SACK chunk\n");
4740 break;
4741 }
4742 offset_seg = *offset + sizeof(struct sctp_nr_sack_chunk);
4743 offset_dup = offset_seg + (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block);
4744 }
4745 SCTPDBG(SCTP_DEBUG_INPUT3, "%s process cum_ack:%x num_seg:%d a_rwnd:%d\n",
4746 (ch->chunk_type == SCTP_SELECTIVE_ACK) ? "SCTP_SACK" : "SCTP_NR_SACK",
4747 cum_ack, num_seg, a_rwnd);
4748 stcb->asoc.seen_a_sack_this_pkt = 1;
4749 if ((stcb->asoc.pr_sctp_cnt == 0) &&
4750 (num_seg == 0) && (num_nr_seg == 0) &&
4751 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) &&
4752 (stcb->asoc.saw_sack_with_frags == 0) &&
4753 (stcb->asoc.saw_sack_with_nr_frags == 0) &&
4754 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))) {
4755 /*
4756 * We have a SIMPLE sack having no
4757 * prior segments and data on sent
4758 * queue to be acked. Use the faster
4759 * path sack processing. We also
4760 * allow window update sacks with no
4761 * missing segments to go this way
4762 * too.
4763 */
4764 sctp_express_handle_sack(stcb, cum_ack, a_rwnd,
4765 &abort_now, ecne_seen);
4766 } else {
4767 if ((netp != NULL) && (*netp != NULL)) {
4768 sctp_handle_sack(m, offset_seg, offset_dup, stcb,
4769 num_seg, num_nr_seg, num_dup, &abort_now, flags,
4770 cum_ack, a_rwnd, ecne_seen);
4771 }
4772 }
4773 if (abort_now) {
4774 /* ABORT signal from sack processing */
4775 *offset = length;
4776 return (NULL);
4777 }
4778 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
4779 TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
4780 (stcb->asoc.stream_queue_cnt == 0)) {
4781 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
4782 }
4783 break;
4784 }
4785 case SCTP_HEARTBEAT_REQUEST:
4786 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n");
4787 if ((stcb != NULL) && (netp != NULL) && (*netp != NULL)) {
4788 SCTP_STAT_INCR(sctps_recvheartbeat);
4789 sctp_send_heartbeat_ack(stcb, m, *offset,
4790 chk_length, *netp);
4791 }
4792 break;
4793 case SCTP_HEARTBEAT_ACK:
4794 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT_ACK\n");
4795 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) {
4796 /* Its not ours */
4797 break;
4798 }
4799 SCTP_STAT_INCR(sctps_recvheartbeatack);
4800 if ((netp != NULL) && (*netp != NULL)) {
4801 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
4802 stcb, *netp);
4803 }
4804 break;
4805 case SCTP_ABORT_ASSOCIATION:
4806 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n",
4807 (void *)stcb);
4808 *offset = length;
4809 if ((stcb != NULL) && (netp != NULL) && (*netp != NULL)) {
4810 if (sctp_handle_abort((struct sctp_abort_chunk *)ch, stcb, *netp)) {
4811 return (NULL);
4812 } else {
4813 return (stcb);
4814 }
4815 } else {
4816 return (NULL);
4817 }
4818 break;
4819 case SCTP_SHUTDOWN:
4820 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n",
4821 (void *)stcb);
4822 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) {
4823 break;
4824 }
4825 if ((netp != NULL) && (*netp != NULL)) {
4826 abort_flag = 0;
4827 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
4828 stcb, *netp, &abort_flag);
4829 if (abort_flag) {
4830 *offset = length;
4831 return (NULL);
4832 }
4833 }
4834 break;
4835 case SCTP_SHUTDOWN_ACK:
4836 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN_ACK, stcb %p\n", (void *)stcb);
4837 if ((chk_length == sizeof(struct sctp_shutdown_ack_chunk)) &&
4838 (stcb != NULL) && (netp != NULL) && (*netp != NULL)) {
4839 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
4840 *offset = length;
4841 return (NULL);
4842 }
4843 break;
4844 case SCTP_OPERATION_ERROR:
4845 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP_ERR\n");
4846 if ((stcb != NULL) && (netp != NULL) && (*netp != NULL) &&
4847 sctp_handle_error(ch, stcb, *netp, contiguous) < 0) {
4848 *offset = length;
4849 return (NULL);
4850 }
4851 break;
4852 case SCTP_COOKIE_ECHO:
4853 SCTPDBG(SCTP_DEBUG_INPUT3,
4854 "SCTP_COOKIE_ECHO, stcb %p\n", (void *)stcb);
4855 if ((stcb != NULL) && (stcb->asoc.total_output_queue_size > 0)) {
4856 ;
4857 } else {
4858 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4859 /* We are not interested anymore */
4860 abend:
4861 if (stcb != NULL) {
4862 SCTP_TCB_UNLOCK(stcb);
4863 }
4864 *offset = length;
4865 return (NULL);
4866 }
4867 }
4868 /*-
4869 * First are we accepting? We do this again here
4870 * since it is possible that a previous endpoint WAS
4871 * listening responded to a INIT-ACK and then
4872 * closed. We opened and bound.. and are now no
4873 * longer listening.
4874 *
4875 * XXXGL: notes on checking listen queue length.
4876 * 1) SCTP_IS_LISTENING() doesn't necessarily mean
4877 * SOLISTENING(), because a listening "UDP type"
4878 * socket isn't listening in terms of the socket
4879 * layer. It is a normal data flow socket, that
4880 * can fork off new connections. Thus, we should
4881 * look into sol_qlen only in case we are !UDP.
4882 * 2) Checking sol_qlen in general requires locking
4883 * the socket, and this code lacks that.
4884 */
4885 if ((stcb == NULL) &&
4886 (!SCTP_IS_LISTENING(inp) ||
4887 (((inp->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE) == 0) &&
4888 inp->sctp_socket->sol_qlen >= inp->sctp_socket->sol_qlimit))) {
4889 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
4890 (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) {
4891 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
4892 sctp_abort_association(inp, stcb, m, iphlen,
4893 src, dst, sh, op_err,
4894 mflowtype, mflowid,
4895 vrf_id, port);
4896 }
4897 *offset = length;
4898 return (NULL);
4899 } else {
4900 struct mbuf *ret_buf;
4901 struct sctp_inpcb *linp;
4902 struct sctp_tmit_chunk *chk;
4903
4904 if (inp->sctp_flags & (SCTP_PCB_FLAGS_SOCKET_GONE |
4905 SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
4906 goto abend;
4907 }
4908
4909 if (stcb) {
4910 linp = NULL;
4911 } else {
4912 linp = inp;
4913 }
4914
4915 if (linp != NULL) {
4916 SCTP_ASOC_CREATE_LOCK(linp);
4917 }
4918
4919 if (netp != NULL) {
4920 struct sctp_tcb *locked_stcb;
4921
4922 locked_stcb = stcb;
4923 ret_buf =
4924 sctp_handle_cookie_echo(m, iphlen,
4925 *offset,
4926 src, dst,
4927 sh,
4928 (struct sctp_cookie_echo_chunk *)ch,
4929 &inp, &stcb, netp,
4930 auth_skipped,
4931 auth_offset,
4932 auth_len,
4933 &locked_stcb,
4934 mflowtype,
4935 mflowid,
4936 vrf_id,
4937 port);
4938 if ((locked_stcb != NULL) && (locked_stcb != stcb)) {
4939 SCTP_TCB_UNLOCK(locked_stcb);
4940 }
4941 if (stcb != NULL) {
4942 SCTP_TCB_LOCK_ASSERT(stcb);
4943 }
4944 } else {
4945 ret_buf = NULL;
4946 }
4947 if (linp != NULL) {
4948 SCTP_ASOC_CREATE_UNLOCK(linp);
4949 }
4950 if (ret_buf == NULL) {
4951 if (stcb != NULL) {
4952 SCTP_TCB_UNLOCK(stcb);
4953 }
4954 SCTPDBG(SCTP_DEBUG_INPUT3,
4955 "GAK, null buffer\n");
4956 *offset = length;
4957 return (NULL);
4958 }
4959 /* if AUTH skipped, see if it verified... */
4960 if (auth_skipped) {
4961 got_auth = 1;
4962 auth_skipped = 0;
4963 }
4964 /* Restart the timer if we have pending data */
4965 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
4966 if (chk->whoTo != NULL) {
4967 break;
4968 }
4969 }
4970 if (chk != NULL) {
4971 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo);
4972 }
4973 }
4974 break;
4975 case SCTP_COOKIE_ACK:
4976 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE_ACK, stcb %p\n", (void *)stcb);
4977 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) {
4978 break;
4979 }
4980 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4981 /* We are not interested anymore */
4982 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4983 ;
4984 } else if (stcb) {
4985 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
4986 SCTP_FROM_SCTP_INPUT + SCTP_LOC_30);
4987 *offset = length;
4988 return (NULL);
4989 }
4990 }
4991 if ((netp != NULL) && (*netp != NULL)) {
4992 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
4993 }
4994 break;
4995 case SCTP_ECN_ECHO:
4996 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN_ECHO\n");
4997 if (stcb == NULL) {
4998 break;
4999 }
5000 if (stcb->asoc.ecn_supported == 0) {
5001 goto unknown_chunk;
5002 }
5003 if ((chk_length != sizeof(struct sctp_ecne_chunk)) &&
5004 (chk_length != sizeof(struct old_sctp_ecne_chunk))) {
5005 break;
5006 }
5007 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, stcb);
5008 ecne_seen = 1;
5009 break;
5010 case SCTP_ECN_CWR:
5011 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN_CWR\n");
5012 if (stcb == NULL) {
5013 break;
5014 }
5015 if (stcb->asoc.ecn_supported == 0) {
5016 goto unknown_chunk;
5017 }
5018 if (chk_length != sizeof(struct sctp_cwr_chunk)) {
5019 break;
5020 }
5021 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb, *netp);
5022 break;
5023 case SCTP_SHUTDOWN_COMPLETE:
5024 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN_COMPLETE, stcb %p\n", (void *)stcb);
5025 /* must be first and only chunk */
5026 if ((num_chunks > 1) ||
5027 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
5028 *offset = length;
5029 return (stcb);
5030 }
5031 if ((chk_length == sizeof(struct sctp_shutdown_complete_chunk)) &&
5032 (stcb != NULL) && (netp != NULL) && (*netp != NULL)) {
5033 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
5034 stcb, *netp);
5035 *offset = length;
5036 return (NULL);
5037 }
5038 break;
5039 case SCTP_ASCONF:
5040 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n");
5041 if (stcb != NULL) {
5042 if (stcb->asoc.asconf_supported == 0) {
5043 goto unknown_chunk;
5044 }
5045 sctp_handle_asconf(m, *offset, src,
5046 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0);
5047 asconf_cnt++;
5048 }
5049 break;
5050 case SCTP_ASCONF_ACK:
5051 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF_ACK\n");
5052 if (stcb == NULL) {
5053 break;
5054 }
5055 if (stcb->asoc.asconf_supported == 0) {
5056 goto unknown_chunk;
5057 }
5058 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) {
5059 break;
5060 }
5061 if ((netp != NULL) && (*netp != NULL)) {
5062 /* He's alive so give him credit */
5063 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5064 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5065 stcb->asoc.overall_error_count,
5066 0,
5067 SCTP_FROM_SCTP_INPUT,
5068 __LINE__);
5069 }
5070 stcb->asoc.overall_error_count = 0;
5071 sctp_handle_asconf_ack(m, *offset,
5072 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock);
5073 if (abort_no_unlock)
5074 return (NULL);
5075 }
5076 break;
5077 case SCTP_FORWARD_CUM_TSN:
5078 case SCTP_IFORWARD_CUM_TSN:
5079 SCTPDBG(SCTP_DEBUG_INPUT3, "%s\n",
5080 ch->chunk_type == SCTP_FORWARD_CUM_TSN ? "FORWARD_TSN" : "I_FORWARD_TSN");
5081 if (stcb == NULL) {
5082 break;
5083 }
5084 if (stcb->asoc.prsctp_supported == 0) {
5085 goto unknown_chunk;
5086 }
5087 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) {
5088 break;
5089 }
5090 if (((stcb->asoc.idata_supported == 1) && (ch->chunk_type == SCTP_FORWARD_CUM_TSN)) ||
5091 ((stcb->asoc.idata_supported == 0) && (ch->chunk_type == SCTP_IFORWARD_CUM_TSN))) {
5092 if (ch->chunk_type == SCTP_FORWARD_CUM_TSN) {
5093 SCTP_SNPRINTF(msg, sizeof(msg), "%s", "FORWARD-TSN chunk received when I-FORWARD-TSN was negotiated");
5094 } else {
5095 SCTP_SNPRINTF(msg, sizeof(msg), "%s", "I-FORWARD-TSN chunk received when FORWARD-TSN was negotiated");
5096 }
5097 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
5098 sctp_abort_an_association(inp, stcb, op_err, false, SCTP_SO_NOT_LOCKED);
5099 *offset = length;
5100 return (NULL);
5101 }
5102 *fwd_tsn_seen = 1;
5103 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5104 /* We are not interested anymore */
5105 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
5106 SCTP_FROM_SCTP_INPUT + SCTP_LOC_31);
5107 *offset = length;
5108 return (NULL);
5109 }
5110 /*
5111 * For sending a SACK this looks like DATA chunks.
5112 */
5113 stcb->asoc.last_data_chunk_from = stcb->asoc.last_control_chunk_from;
5114 abort_flag = 0;
5115 sctp_handle_forward_tsn(stcb,
5116 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset);
5117 if (abort_flag) {
5118 *offset = length;
5119 return (NULL);
5120 }
5121 break;
5122 case SCTP_STREAM_RESET:
5123 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n");
5124 if (stcb == NULL) {
5125 break;
5126 }
5127 if (stcb->asoc.reconfig_supported == 0) {
5128 goto unknown_chunk;
5129 }
5130 if (chk_length < sizeof(struct sctp_stream_reset_tsn_req)) {
5131 break;
5132 }
5133 if (sctp_handle_stream_reset(stcb, m, *offset, ch)) {
5134 /* stop processing */
5135 *offset = length;
5136 return (NULL);
5137 }
5138 break;
5139 case SCTP_PACKET_DROPPED:
5140 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n");
5141 if (stcb == NULL) {
5142 break;
5143 }
5144 if (stcb->asoc.pktdrop_supported == 0) {
5145 goto unknown_chunk;
5146 }
5147 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) {
5148 break;
5149 }
5150 if ((netp != NULL) && (*netp != NULL)) {
5151 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
5152 stcb, *netp,
5153 min(chk_length, contiguous));
5154 }
5155 break;
5156 case SCTP_AUTHENTICATION:
5157 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n");
5158 if (stcb == NULL) {
5159 /* save the first AUTH for later processing */
5160 if (auth_skipped == 0) {
5161 auth_offset = *offset;
5162 auth_len = chk_length;
5163 auth_skipped = 1;
5164 }
5165 /* skip this chunk (temporarily) */
5166 break;
5167 }
5168 if (stcb->asoc.auth_supported == 0) {
5169 goto unknown_chunk;
5170 }
5171 if ((chk_length < (sizeof(struct sctp_auth_chunk))) ||
5172 (chk_length > (sizeof(struct sctp_auth_chunk) +
5173 SCTP_AUTH_DIGEST_LEN_MAX))) {
5174 /* Its not ours */
5175 *offset = length;
5176 return (stcb);
5177 }
5178 if (got_auth == 1) {
5179 /* skip this chunk... it's already auth'd */
5180 break;
5181 }
5182 got_auth = 1;
5183 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, m, *offset)) {
5184 /* auth HMAC failed so dump the packet */
5185 *offset = length;
5186 return (stcb);
5187 } else {
5188 /* remaining chunks are HMAC checked */
5189 stcb->asoc.authenticated = 1;
5190 }
5191 break;
5192
5193 default:
5194 unknown_chunk:
5195 /* it's an unknown chunk! */
5196 if ((ch->chunk_type & 0x40) &&
5197 (stcb != NULL) &&
5198 (SCTP_GET_STATE(stcb) != SCTP_STATE_EMPTY) &&
5199 (SCTP_GET_STATE(stcb) != SCTP_STATE_INUSE) &&
5200 (SCTP_GET_STATE(stcb) != SCTP_STATE_COOKIE_WAIT)) {
5201 struct sctp_gen_error_cause *cause;
5202 int len;
5203
5204 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_gen_error_cause),
5205 0, M_NOWAIT, 1, MT_DATA);
5206 if (op_err != NULL) {
5207 len = min(SCTP_SIZE32(chk_length), (uint32_t)(length - *offset));
5208 cause = mtod(op_err, struct sctp_gen_error_cause *);
5209 cause->code = htons(SCTP_CAUSE_UNRECOG_CHUNK);
5210 cause->length = htons((uint16_t)(len + sizeof(struct sctp_gen_error_cause)));
5211 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
5212 SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(m, *offset, len, M_NOWAIT);
5213 if (SCTP_BUF_NEXT(op_err) != NULL) {
5214 #ifdef SCTP_MBUF_LOGGING
5215 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
5216 sctp_log_mbc(SCTP_BUF_NEXT(op_err), SCTP_MBUF_ICOPY);
5217 }
5218 #endif
5219 sctp_queue_op_err(stcb, op_err);
5220 } else {
5221 sctp_m_freem(op_err);
5222 }
5223 }
5224 }
5225 if ((ch->chunk_type & 0x80) == 0) {
5226 /* discard this packet */
5227 *offset = length;
5228 return (stcb);
5229 } /* else skip this bad chunk and continue... */
5230 break;
5231 } /* switch (ch->chunk_type) */
5232
5233 next_chunk:
5234 /* get the next chunk */
5235 *offset += SCTP_SIZE32(chk_length);
5236 if (*offset >= length) {
5237 /* no more data left in the mbuf chain */
5238 break;
5239 }
5240 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
5241 sizeof(struct sctp_chunkhdr), chunk_buf);
5242 if (ch == NULL) {
5243 *offset = length;
5244 return (stcb);
5245 }
5246 } /* while */
5247
5248 if ((asconf_cnt > 0) && (stcb != NULL)) {
5249 sctp_send_asconf_ack(stcb);
5250 }
5251 return (stcb);
5252 }
5253
5254 /*
5255 * common input chunk processing (v4 and v6)
5256 */
5257 void
5258 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, int length,
5259 struct sockaddr *src, struct sockaddr *dst,
5260 struct sctphdr *sh, struct sctp_chunkhdr *ch,
5261 uint8_t compute_crc,
5262 uint8_t ecn_bits,
5263 uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
5264 uint32_t vrf_id, uint16_t port)
5265 {
5266 uint32_t high_tsn;
5267 int fwd_tsn_seen = 0, data_processed = 0;
5268 struct mbuf *m = *mm, *op_err;
5269 char msg[SCTP_DIAG_INFO_LEN];
5270 int un_sent;
5271 int cnt_ctrl_ready = 0;
5272 struct sctp_inpcb *inp = NULL, *inp_decr = NULL;
5273 struct sctp_tcb *stcb = NULL;
5274 struct sctp_nets *net = NULL;
5275
5276 SCTP_STAT_INCR(sctps_recvdatagrams);
5277 #ifdef SCTP_AUDITING_ENABLED
5278 sctp_audit_log(0xE0, 1);
5279 sctp_auditing(0, inp, stcb, net);
5280 #endif
5281 if (compute_crc != 0) {
5282 uint32_t check, calc_check;
5283
5284 check = sh->checksum;
5285 sh->checksum = 0;
5286 calc_check = sctp_calculate_cksum(m, iphlen);
5287 sh->checksum = check;
5288 if (calc_check != check) {
5289 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n",
5290 calc_check, check, (void *)m, length, iphlen);
5291 stcb = sctp_findassociation_addr(m, offset, src, dst,
5292 sh, ch, &inp, &net, vrf_id);
5293 #if defined(INET) || defined(INET6)
5294 if ((ch->chunk_type != SCTP_INITIATION) &&
5295 (net != NULL) && (net->port != port)) {
5296 if (net->port == 0) {
5297 /* UDP encapsulation turned on. */
5298 net->mtu -= sizeof(struct udphdr);
5299 if (stcb->asoc.smallest_mtu > net->mtu) {
5300 sctp_pathmtu_adjustment(stcb, net->mtu, true);
5301 }
5302 } else if (port == 0) {
5303 /* UDP encapsulation turned off. */
5304 net->mtu += sizeof(struct udphdr);
5305 /* XXX Update smallest_mtu */
5306 }
5307 net->port = port;
5308 }
5309 #endif
5310 if (net != NULL) {
5311 net->flowtype = mflowtype;
5312 net->flowid = mflowid;
5313 }
5314 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
5315 if ((inp != NULL) && (stcb != NULL)) {
5316 sctp_send_packet_dropped(stcb, net, m, length, iphlen, 1);
5317 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED);
5318 } else if ((inp != NULL) && (stcb == NULL)) {
5319 inp_decr = inp;
5320 }
5321 SCTP_STAT_INCR(sctps_badsum);
5322 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors);
5323 goto out;
5324 }
5325 }
5326 /* Destination port of 0 is illegal, based on RFC4960. */
5327 if (sh->dest_port == 0) {
5328 SCTP_STAT_INCR(sctps_hdrops);
5329 goto out;
5330 }
5331 stcb = sctp_findassociation_addr(m, offset, src, dst,
5332 sh, ch, &inp, &net, vrf_id);
5333 #if defined(INET) || defined(INET6)
5334 if ((ch->chunk_type != SCTP_INITIATION) &&
5335 (net != NULL) && (net->port != port)) {
5336 if (net->port == 0) {
5337 /* UDP encapsulation turned on. */
5338 net->mtu -= sizeof(struct udphdr);
5339 if (stcb->asoc.smallest_mtu > net->mtu) {
5340 sctp_pathmtu_adjustment(stcb, net->mtu, true);
5341 }
5342 } else if (port == 0) {
5343 /* UDP encapsulation turned off. */
5344 net->mtu += sizeof(struct udphdr);
5345 /* XXX Update smallest_mtu */
5346 }
5347 net->port = port;
5348 }
5349 #endif
5350 if (net != NULL) {
5351 net->flowtype = mflowtype;
5352 net->flowid = mflowid;
5353 }
5354 if (inp == NULL) {
5355 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
5356 SCTP_STAT_INCR(sctps_noport);
5357 if (badport_bandlim(BANDLIM_SCTP_OOTB) < 0) {
5358 goto out;
5359 }
5360 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
5361 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
5362 sctp_send_shutdown_complete2(src, dst, sh,
5363 mflowtype, mflowid, fibnum,
5364 vrf_id, port);
5365 goto out;
5366 }
5367 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) {
5368 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
5369 goto out;
5370 }
5371 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) {
5372 if ((SCTP_BASE_SYSCTL(sctp_blackhole) == 0) ||
5373 ((SCTP_BASE_SYSCTL(sctp_blackhole) == 1) &&
5374 (ch->chunk_type != SCTP_INIT))) {
5375 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5376 "Out of the blue");
5377 sctp_send_abort(m, iphlen, src, dst,
5378 sh, 0, op_err,
5379 mflowtype, mflowid, fibnum,
5380 vrf_id, port);
5381 }
5382 }
5383 goto out;
5384 } else if (stcb == NULL) {
5385 inp_decr = inp;
5386 }
5387 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n",
5388 (void *)m, iphlen, offset, length, (void *)stcb);
5389 if (stcb) {
5390 /* always clear this before beginning a packet */
5391 stcb->asoc.authenticated = 0;
5392 stcb->asoc.seen_a_sack_this_pkt = 0;
5393 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n",
5394 (void *)stcb, stcb->asoc.state);
5395
5396 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) ||
5397 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) {
5398 /*-
5399 * If we hit here, we had a ref count
5400 * up when the assoc was aborted and the
5401 * timer is clearing out the assoc, we should
5402 * NOT respond to any packet.. its OOTB.
5403 */
5404 SCTP_TCB_UNLOCK(stcb);
5405 stcb = NULL;
5406 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
5407 SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
5408 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5409 msg);
5410 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
5411 mflowtype, mflowid, inp->fibnum,
5412 vrf_id, port);
5413 goto out;
5414 }
5415 }
5416 if (IS_SCTP_CONTROL(ch)) {
5417 /* process the control portion of the SCTP packet */
5418 /* sa_ignore NO_NULL_CHK */
5419 stcb = sctp_process_control(m, iphlen, &offset, length,
5420 src, dst, sh, ch,
5421 inp, stcb, &net, &fwd_tsn_seen,
5422 mflowtype, mflowid, fibnum,
5423 vrf_id, port);
5424 if (stcb) {
5425 /*
5426 * This covers us if the cookie-echo was there and
5427 * it changes our INP.
5428 */
5429 inp = stcb->sctp_ep;
5430 #if defined(INET) || defined(INET6)
5431 if ((ch->chunk_type != SCTP_INITIATION) &&
5432 (net != NULL) && (net->port != port)) {
5433 if (net->port == 0) {
5434 /* UDP encapsulation turned on. */
5435 net->mtu -= sizeof(struct udphdr);
5436 if (stcb->asoc.smallest_mtu > net->mtu) {
5437 sctp_pathmtu_adjustment(stcb, net->mtu, true);
5438 }
5439 } else if (port == 0) {
5440 /* UDP encapsulation turned off. */
5441 net->mtu += sizeof(struct udphdr);
5442 /* XXX Update smallest_mtu */
5443 }
5444 net->port = port;
5445 }
5446 #endif
5447 }
5448 } else {
5449 /*
5450 * no control chunks, so pre-process DATA chunks (these
5451 * checks are taken care of by control processing)
5452 */
5453
5454 /*
5455 * if DATA only packet, and auth is required, then punt...
5456 * can't have authenticated without any AUTH (control)
5457 * chunks
5458 */
5459 if ((stcb != NULL) &&
5460 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) {
5461 /* "silently" ignore */
5462 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
5463 SCTP_STAT_INCR(sctps_recvauthmissing);
5464 goto out;
5465 }
5466 if (stcb == NULL) {
5467 /* out of the blue DATA chunk */
5468 SCTP_PROBE5(receive, NULL, NULL, m, NULL, sh);
5469 SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
5470 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5471 msg);
5472 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
5473 mflowtype, mflowid, fibnum,
5474 vrf_id, port);
5475 goto out;
5476 }
5477 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
5478 /* v_tag mismatch! */
5479 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
5480 SCTP_STAT_INCR(sctps_badvtag);
5481 goto out;
5482 }
5483 }
5484
5485 SCTP_PROBE5(receive, NULL, stcb, m, stcb, sh);
5486 if (stcb == NULL) {
5487 /*
5488 * no valid TCB for this packet, or we found it's a bad
5489 * packet while processing control, or we're done with this
5490 * packet (done or skip rest of data), so we drop it...
5491 */
5492 goto out;
5493 }
5494
5495 /*
5496 * DATA chunk processing
5497 */
5498 /* plow through the data chunks while length > offset */
5499
5500 /*
5501 * Rest should be DATA only. Check authentication state if AUTH for
5502 * DATA is required.
5503 */
5504 if ((length > offset) &&
5505 (stcb != NULL) &&
5506 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) &&
5507 !stcb->asoc.authenticated) {
5508 /* "silently" ignore */
5509 SCTP_STAT_INCR(sctps_recvauthmissing);
5510 SCTPDBG(SCTP_DEBUG_AUTH1,
5511 "Data chunk requires AUTH, skipped\n");
5512 goto trigger_send;
5513 }
5514 if (length > offset) {
5515 int retval;
5516
5517 /*
5518 * First check to make sure our state is correct. We would
5519 * not get here unless we really did have a tag, so we don't
5520 * abort if this happens, just dump the chunk silently.
5521 */
5522 switch (SCTP_GET_STATE(stcb)) {
5523 case SCTP_STATE_COOKIE_ECHOED:
5524 /*
5525 * we consider data with valid tags in this state
5526 * shows us the cookie-ack was lost. Imply it was
5527 * there.
5528 */
5529 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net);
5530 break;
5531 case SCTP_STATE_COOKIE_WAIT:
5532 /*
5533 * We consider OOTB any data sent during asoc setup.
5534 */
5535 SCTP_SNPRINTF(msg, sizeof(msg), "OOTB, %s:%d at %s", __FILE__, __LINE__, __func__);
5536 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5537 msg);
5538 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
5539 mflowtype, mflowid, inp->fibnum,
5540 vrf_id, port);
5541 goto out;
5542 /* sa_ignore NOTREACHED */
5543 break;
5544 case SCTP_STATE_EMPTY: /* should not happen */
5545 case SCTP_STATE_INUSE: /* should not happen */
5546 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */
5547 case SCTP_STATE_SHUTDOWN_ACK_SENT:
5548 default:
5549 goto out;
5550 /* sa_ignore NOTREACHED */
5551 break;
5552 case SCTP_STATE_OPEN:
5553 case SCTP_STATE_SHUTDOWN_SENT:
5554 break;
5555 }
5556 /* plow through the data chunks while length > offset */
5557 retval = sctp_process_data(mm, iphlen, &offset, length,
5558 inp, stcb, net, &high_tsn);
5559 if (retval == 2) {
5560 /*
5561 * The association aborted, NO UNLOCK needed since
5562 * the association is destroyed.
5563 */
5564 stcb = NULL;
5565 goto out;
5566 }
5567 if (retval == 0) {
5568 data_processed = 1;
5569 }
5570 /*
5571 * Anything important needs to have been m_copy'ed in
5572 * process_data
5573 */
5574 }
5575
5576 /* take care of ecn */
5577 if ((data_processed == 1) &&
5578 (stcb->asoc.ecn_supported == 1) &&
5579 ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS)) {
5580 /* Yep, we need to add a ECNE */
5581 sctp_send_ecn_echo(stcb, net, high_tsn);
5582 }
5583
5584 if ((data_processed == 0) && (fwd_tsn_seen)) {
5585 int was_a_gap;
5586 uint32_t highest_tsn;
5587
5588 if (SCTP_TSN_GT(stcb->asoc.highest_tsn_inside_nr_map, stcb->asoc.highest_tsn_inside_map)) {
5589 highest_tsn = stcb->asoc.highest_tsn_inside_nr_map;
5590 } else {
5591 highest_tsn = stcb->asoc.highest_tsn_inside_map;
5592 }
5593 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
5594 stcb->asoc.send_sack = 1;
5595 sctp_sack_check(stcb, was_a_gap);
5596 } else if (fwd_tsn_seen) {
5597 stcb->asoc.send_sack = 1;
5598 }
5599 /* trigger send of any chunks in queue... */
5600 trigger_send:
5601 #ifdef SCTP_AUDITING_ENABLED
5602 sctp_audit_log(0xE0, 2);
5603 sctp_auditing(1, inp, stcb, net);
5604 #endif
5605 SCTPDBG(SCTP_DEBUG_INPUT1,
5606 "Check for chunk output prw:%d tqe:%d tf=%d\n",
5607 stcb->asoc.peers_rwnd,
5608 TAILQ_EMPTY(&stcb->asoc.control_send_queue),
5609 stcb->asoc.total_flight);
5610 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
5611 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
5612 cnt_ctrl_ready = stcb->asoc.ctrl_queue_cnt - stcb->asoc.ecn_echo_cnt_onq;
5613 }
5614 if (!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue) ||
5615 cnt_ctrl_ready ||
5616 stcb->asoc.trigger_reset ||
5617 ((un_sent > 0) &&
5618 (stcb->asoc.peers_rwnd > 0 || stcb->asoc.total_flight == 0))) {
5619 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n");
5620 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
5621 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n");
5622 }
5623 #ifdef SCTP_AUDITING_ENABLED
5624 sctp_audit_log(0xE0, 3);
5625 sctp_auditing(2, inp, stcb, net);
5626 #endif
5627 out:
5628 if (stcb != NULL) {
5629 SCTP_TCB_UNLOCK(stcb);
5630 }
5631 if (inp_decr != NULL) {
5632 /* reduce ref-count */
5633 SCTP_INP_WLOCK(inp_decr);
5634 SCTP_INP_DECR_REF(inp_decr);
5635 SCTP_INP_WUNLOCK(inp_decr);
5636 }
5637 return;
5638 }
5639
5640 #ifdef INET
5641 void
5642 sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port)
5643 {
5644 struct mbuf *m;
5645 int iphlen;
5646 uint32_t vrf_id = 0;
5647 uint8_t ecn_bits;
5648 struct sockaddr_in src, dst;
5649 struct ip *ip;
5650 struct sctphdr *sh;
5651 struct sctp_chunkhdr *ch;
5652 int length, offset;
5653 uint8_t compute_crc;
5654 uint32_t mflowid;
5655 uint8_t mflowtype;
5656 uint16_t fibnum;
5657
5658 iphlen = off;
5659 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) {
5660 SCTP_RELEASE_PKT(i_pak);
5661 return;
5662 }
5663 m = SCTP_HEADER_TO_CHAIN(i_pak);
5664 #ifdef SCTP_MBUF_LOGGING
5665 /* Log in any input mbufs */
5666 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
5667 sctp_log_mbc(m, SCTP_MBUF_INPUT);
5668 }
5669 #endif
5670 #ifdef SCTP_PACKET_LOGGING
5671 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
5672 sctp_packet_log(m);
5673 }
5674 #endif
5675 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
5676 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%b.\n",
5677 m->m_pkthdr.len,
5678 if_name(m->m_pkthdr.rcvif),
5679 (int)m->m_pkthdr.csum_flags, CSUM_BITS);
5680 mflowid = m->m_pkthdr.flowid;
5681 mflowtype = M_HASHTYPE_GET(m);
5682 fibnum = M_GETFIB(m);
5683 SCTP_STAT_INCR(sctps_recvpackets);
5684 SCTP_STAT_INCR_COUNTER64(sctps_inpackets);
5685 /* Get IP, SCTP, and first chunk header together in the first mbuf. */
5686 offset = iphlen + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
5687 if (SCTP_BUF_LEN(m) < offset) {
5688 if ((m = m_pullup(m, offset)) == NULL) {
5689 SCTP_STAT_INCR(sctps_hdrops);
5690 return;
5691 }
5692 }
5693 ip = mtod(m, struct ip *);
5694 sh = (struct sctphdr *)((caddr_t)ip + iphlen);
5695 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(struct sctphdr));
5696 offset -= sizeof(struct sctp_chunkhdr);
5697 memset(&src, 0, sizeof(struct sockaddr_in));
5698 src.sin_family = AF_INET;
5699 src.sin_len = sizeof(struct sockaddr_in);
5700 src.sin_port = sh->src_port;
5701 src.sin_addr = ip->ip_src;
5702 memset(&dst, 0, sizeof(struct sockaddr_in));
5703 dst.sin_family = AF_INET;
5704 dst.sin_len = sizeof(struct sockaddr_in);
5705 dst.sin_port = sh->dest_port;
5706 dst.sin_addr = ip->ip_dst;
5707 length = ntohs(ip->ip_len);
5708 /* Validate mbuf chain length with IP payload length. */
5709 if (SCTP_HEADER_LEN(m) != length) {
5710 SCTPDBG(SCTP_DEBUG_INPUT1,
5711 "sctp_input() length:%d reported length:%d\n", length, SCTP_HEADER_LEN(m));
5712 SCTP_STAT_INCR(sctps_hdrops);
5713 goto out;
5714 }
5715 /* SCTP does not allow broadcasts or multicasts */
5716 if (IN_MULTICAST(ntohl(dst.sin_addr.s_addr))) {
5717 goto out;
5718 }
5719 if (SCTP_IS_IT_BROADCAST(dst.sin_addr, m)) {
5720 goto out;
5721 }
5722 ecn_bits = ip->ip_tos;
5723 if (m->m_pkthdr.csum_flags & CSUM_SCTP_VALID) {
5724 SCTP_STAT_INCR(sctps_recvhwcrc);
5725 compute_crc = 0;
5726 } else {
5727 SCTP_STAT_INCR(sctps_recvswcrc);
5728 compute_crc = 1;
5729 }
5730 sctp_common_input_processing(&m, iphlen, offset, length,
5731 (struct sockaddr *)&src,
5732 (struct sockaddr *)&dst,
5733 sh, ch,
5734 compute_crc,
5735 ecn_bits,
5736 mflowtype, mflowid, fibnum,
5737 vrf_id, port);
5738 out:
5739 if (m) {
5740 sctp_m_freem(m);
5741 }
5742 return;
5743 }
5744
5745 #if defined(SCTP_MCORE_INPUT) && defined(SMP)
5746 extern int *sctp_cpuarry;
5747 #endif
5748
5749 int
5750 sctp_input(struct mbuf **mp, int *offp, int proto SCTP_UNUSED)
5751 {
5752 struct mbuf *m;
5753 int off;
5754
5755 m = *mp;
5756 off = *offp;
5757 #if defined(SCTP_MCORE_INPUT) && defined(SMP)
5758 if (mp_ncpus > 1) {
5759 struct ip *ip;
5760 struct sctphdr *sh;
5761 int offset;
5762 int cpu_to_use;
5763 uint32_t flowid, tag;
5764
5765 if (M_HASHTYPE_GET(m) != M_HASHTYPE_NONE) {
5766 flowid = m->m_pkthdr.flowid;
5767 } else {
5768 /*
5769 * No flow id built by lower layers fix it so we
5770 * create one.
5771 */
5772 offset = off + sizeof(struct sctphdr);
5773 if (SCTP_BUF_LEN(m) < offset) {
5774 if ((m = m_pullup(m, offset)) == NULL) {
5775 SCTP_STAT_INCR(sctps_hdrops);
5776 return (IPPROTO_DONE);
5777 }
5778 }
5779 ip = mtod(m, struct ip *);
5780 sh = (struct sctphdr *)((caddr_t)ip + off);
5781 tag = htonl(sh->v_tag);
5782 flowid = tag ^ ntohs(sh->dest_port) ^ ntohs(sh->src_port);
5783 m->m_pkthdr.flowid = flowid;
5784 M_HASHTYPE_SET(m, M_HASHTYPE_OPAQUE_HASH);
5785 }
5786 cpu_to_use = sctp_cpuarry[flowid % mp_ncpus];
5787 sctp_queue_to_mcore(m, off, cpu_to_use);
5788 return (IPPROTO_DONE);
5789 }
5790 #endif
5791 sctp_input_with_port(m, off, 0);
5792 return (IPPROTO_DONE);
5793 }
5794 #endif
Cache object: fb97046d316953881155d36c714ce55f
|