1 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */
2
3 /*
4 * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc,
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #if !(defined(__OpenBSD__) || defined(__APPLE__))
33 #include "opt_ipsec.h"
34 #endif
35 #if defined(__FreeBSD__) || defined(__DragonFly__)
36 #include "opt_compat.h"
37 #include "opt_inet6.h"
38 #include "opt_inet.h"
39 #endif
40 #if defined(__NetBSD__)
41 #include "opt_inet.h"
42 #endif
43 #ifdef __APPLE__
44 #include <sctp.h>
45 #elif !defined(__OpenBSD__)
46 #include "opt_sctp.h"
47 #endif
48
49 #include <sys/param.h>
50 #include <sys/systm.h>
51 #include <sys/malloc.h>
52 #include <sys/mbuf.h>
53 #include <sys/socket.h>
54 #include <sys/socketvar.h>
55 #include <sys/socketvar2.h>
56 #include <sys/sysctl.h>
57 #include <sys/domain.h>
58 #include <sys/protosw.h>
59 #include <sys/kernel.h>
60 #include <sys/errno.h>
61 #include <sys/syslog.h>
62 #include <sys/thread2.h>
63
64 #if (defined(__FreeBSD__) && __FreeBSD_version >= 500000)
65 #include <sys/limits.h>
66 #else
67 #include <machine/limits.h>
68 #endif
69 #include <machine/cpu.h>
70
71 #include <net/if.h>
72 #include <net/route.h>
73 #include <net/if_types.h>
74
75 #include <netinet/in.h>
76 #include <netinet/in_systm.h>
77 #include <netinet/ip.h>
78 #include <netinet/in_pcb.h>
79 #include <netinet/in_var.h>
80 #include <netinet/ip_var.h>
81
82 #ifdef INET6
83 #include <netinet/ip6.h>
84 #include <netinet6/ip6_var.h>
85 #endif /* INET6 */
86
87 #include <netinet/ip_icmp.h>
88 #include <netinet/icmp_var.h>
89 #include <netinet/sctp_var.h>
90 #include <netinet/sctp_pcb.h>
91 #include <netinet/sctp_header.h>
92 #include <netinet/sctputil.h>
93 #include <netinet/sctp_output.h>
94 #include <netinet/sctp_input.h>
95 #include <netinet/sctp_hashdriver.h>
96 #include <netinet/sctp_indata.h>
97 #include <netinet/sctp_asconf.h>
98
99 #ifdef __APPLE__
100 #include <stdarg.h>
101 #elif !defined(__FreeBSD__)
102 #include <machine/stdarg.h>
103 #endif
104
105 #ifdef IPSEC
106 #ifndef __OpenBSD__
107 #include <netinet6/ipsec.h>
108 #include <netproto/key/key.h>
109 #else
110 #undef IPSEC
111 #endif
112 #endif /*IPSEC*/
113
114 #include <net/net_osdep.h>
115
116 #ifdef SCTP_DEBUG
117 extern u_int32_t sctp_debug_on;
118 #endif
119
120 /* INIT handler */
121 static void
122 sctp_handle_init(struct mbuf *m, int iphlen, int offset,
123 struct sctphdr *sh, struct sctp_init_chunk *cp, struct sctp_inpcb *inp,
124 struct sctp_tcb *stcb, struct sctp_nets *net)
125 {
126 struct sctp_init *init;
127 struct mbuf *op_err;
128 #ifdef SCTP_DEBUG
129 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
130 kprintf("sctp_handle_init: handling INIT tcb:%p\n", stcb);
131 }
132 #endif
133 op_err = NULL;
134 init = &cp->init;
135 /* First are we accepting? */
136 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) ||
137 (inp->sctp_socket->so_qlimit == 0)) {
138 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
139 return;
140 }
141 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) {
142 /* Invalid length */
143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
145 return;
146 }
147 /* validate parameters */
148 if (init->initiate_tag == 0) {
149 /* protocol error... send abort */
150 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
151 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
152 return;
153 }
154 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) {
155 /* invalid parameter... send abort */
156 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
157 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
158 return;
159 }
160 if (init->num_inbound_streams == 0) {
161 /* protocol error... send abort */
162 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
163 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
164 return;
165 }
166 if (init->num_outbound_streams == 0) {
167 /* protocol error... send abort */
168 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
169 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
170 return;
171 }
172
173 /* send an INIT-ACK w/cookie */
174 #ifdef SCTP_DEBUG
175 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
176 kprintf("sctp_handle_init: sending INIT-ACK\n");
177 }
178 #endif
179
180 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp);
181 }
182
183 /*
184 * process peer "INIT/INIT-ACK" chunk
185 * returns value < 0 on error
186 */
187
188 static int
189 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb,
190 struct sctp_nets *net)
191 {
192 struct sctp_init *init;
193 struct sctp_association *asoc;
194 struct sctp_nets *lnet;
195 unsigned int i;
196
197 init = &cp->init;
198 asoc = &stcb->asoc;
199 /* save off parameters */
200 asoc->peer_vtag = ntohl(init->initiate_tag);
201 asoc->peers_rwnd = ntohl(init->a_rwnd);
202
203 if (TAILQ_FIRST(&asoc->nets)) {
204 /* update any ssthresh's that may have a default */
205 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
206 lnet->ssthresh = asoc->peers_rwnd;
207 }
208 }
209 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
210 unsigned int newcnt;
211 struct sctp_stream_out *outs;
212 struct sctp_tmit_chunk *chk;
213
214 /* cut back on number of streams */
215 newcnt = ntohs(init->num_inbound_streams);
216 /* This if is probably not needed but I am cautious */
217 if (asoc->strmout) {
218 /* First make sure no data chunks are trapped */
219 for (i=newcnt; i < asoc->pre_open_streams; i++) {
220 outs = &asoc->strmout[i];
221 chk = TAILQ_FIRST(&outs->outqueue);
222 while (chk) {
223 TAILQ_REMOVE(&outs->outqueue, chk,
224 sctp_next);
225 asoc->stream_queue_cnt--;
226 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL,
227 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT,
228 chk);
229 if (chk->data) {
230 sctp_m_freem(chk->data);
231 chk->data = NULL;
232 }
233 sctp_free_remote_addr(chk->whoTo);
234 chk->whoTo = NULL;
235 chk->asoc = NULL;
236 /* Free the chunk */
237 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk);
238 sctppcbinfo.ipi_count_chunk--;
239 if ((int)sctppcbinfo.ipi_count_chunk < 0) {
240 panic("Chunk count is negative");
241 }
242 sctppcbinfo.ipi_gencnt_chunk++;
243 chk = TAILQ_FIRST(&outs->outqueue);
244 }
245 }
246 }
247 /* cut back the count and abandon the upper streams */
248 asoc->pre_open_streams = newcnt;
249 }
250 asoc->streamincnt = ntohs(init->num_outbound_streams);
251 if (asoc->streamincnt > MAX_SCTP_STREAMS) {
252 asoc->streamincnt = MAX_SCTP_STREAMS;
253 }
254
255 asoc->streamoutcnt = asoc->pre_open_streams;
256 /* init tsn's */
257 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
258 #ifdef SCTP_MAP_LOGGING
259 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
260 #endif
261 /* This is the next one we expect */
262 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
263
264 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
265 asoc->cumulative_tsn = asoc->asconf_seq_in;
266 asoc->last_echo_tsn = asoc->asconf_seq_in;
267 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
268 /* open the requested streams */
269 if (asoc->strmin != NULL) {
270 /* Free the old ones */
271 kfree(asoc->strmin, M_PCB);
272 }
273 asoc->strmin = kmalloc(asoc->streamincnt * sizeof(struct sctp_stream_in),
274 M_PCB, M_NOWAIT);
275 if (asoc->strmin == NULL) {
276 /* we didn't get memory for the streams! */
277 #ifdef SCTP_DEBUG
278 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
279 kprintf("process_init: couldn't get memory for the streams!\n");
280 }
281 #endif
282 return (-1);
283 }
284 for (i = 0; i < asoc->streamincnt; i++) {
285 asoc->strmin[i].stream_no = i;
286 asoc->strmin[i].last_sequence_delivered = 0xffff;
287 /*
288 * U-stream ranges will be set when the cookie
289 * is unpacked. Or for the INIT sender they
290 * are un set (if pr-sctp not supported) when the
291 * INIT-ACK arrives.
292 */
293 TAILQ_INIT(&asoc->strmin[i].inqueue);
294 /*
295 * we are not on any wheel, pr-sctp streams
296 * will go on the wheel when they have data waiting
297 * for reorder.
298 */
299 asoc->strmin[i].next_spoke.tqe_next = 0;
300 asoc->strmin[i].next_spoke.tqe_prev = 0;
301 }
302
303 /*
304 * load_address_from_init will put the addresses into the
305 * association when the COOKIE is processed or the INIT-ACK
306 * is processed. Both types of COOKIE's existing and new
307 * call this routine. It will remove addresses that
308 * are no longer in the association (for the restarting
309 * case where addresses are removed). Up front when the
310 * INIT arrives we will discard it if it is a restart
311 * and new addresses have been added.
312 */
313 return (0);
314 }
315
316 /*
317 * INIT-ACK message processing/consumption
318 * returns value < 0 on error
319 */
320 static int
321 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
322 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
323 struct sctp_nets *net)
324 {
325 struct sctp_association *asoc;
326 struct mbuf *op_err;
327 int retval, abort_flag;
328 uint32_t initack_limit;
329 /* First verify that we have no illegal param's */
330 abort_flag = 0;
331 op_err = NULL;
332
333 op_err = sctp_arethere_unrecognized_parameters(m,
334 (offset+sizeof(struct sctp_init_chunk)) ,
335 &abort_flag, (struct sctp_chunkhdr *)cp);
336 if (abort_flag) {
337 /* Send an abort and notify peer */
338 if (op_err != NULL) {
339 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag);
340 } else {
341 /*
342 * Just notify (abort_assoc does this if
343 * we send an abort).
344 */
345 sctp_abort_notification(stcb, 0);
346 /*
347 * No sense in further INIT's since
348 * we will get the same param back
349 */
350 sctp_free_assoc(stcb->sctp_ep, stcb);
351 }
352 return (-1);
353 }
354 asoc = &stcb->asoc;
355 /* process the peer's parameters in the INIT-ACK */
356 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net);
357 if (retval < 0) {
358 return (retval);
359 }
360
361 initack_limit = offset + ntohs(cp->ch.chunk_length);
362 /* load all addresses */
363 if (sctp_load_addresses_from_init(stcb, m, iphlen,
364 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh,
365 NULL)) {
366 /* Huh, we should abort */
367 sctp_abort_notification(stcb, 0);
368 sctp_free_assoc(stcb->sctp_ep, stcb);
369 return (-1);
370 }
371 if (op_err) {
372 sctp_queue_op_err(stcb, op_err);
373 /* queuing will steal away the mbuf chain to the out queue */
374 op_err = NULL;
375 }
376 /* extract the cookie and queue it to "echo" it back... */
377 stcb->asoc.overall_error_count = 0;
378 net->error_count = 0;
379 retval = sctp_send_cookie_echo(m, offset, stcb, net);
380 if (retval < 0) {
381 /*
382 * No cookie, we probably should send a op error.
383 * But in any case if there is no cookie in the INIT-ACK,
384 * we can abandon the peer, its broke.
385 */
386 if (retval == -3) {
387 /* We abort with an error of missing mandatory param */
388 struct mbuf *op_err;
389 op_err =
390 sctp_generate_invmanparam(SCTP_CAUSE_MISS_PARAM);
391 if (op_err) {
392 /*
393 * Expand beyond to include the mandatory
394 * param cookie
395 */
396 struct sctp_inv_mandatory_param *mp;
397 op_err->m_len =
398 sizeof(struct sctp_inv_mandatory_param);
399 mp = mtod(op_err,
400 struct sctp_inv_mandatory_param *);
401 /* Subtract the reserved param */
402 mp->length =
403 htons(sizeof(struct sctp_inv_mandatory_param) - 2);
404 mp->num_param = htonl(1);
405 mp->param = htons(SCTP_STATE_COOKIE);
406 mp->resv = 0;
407 }
408 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
409 sh, op_err);
410 }
411 return (retval);
412 }
413
414 /*
415 * Cancel the INIT timer, We do this first before queueing
416 * the cookie. We always cancel at the primary to assue that
417 * we are canceling the timer started by the INIT which always
418 * goes to the primary.
419 */
420 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
421 asoc->primary_destination);
422
423 /* calculate the RTO */
424 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered);
425
426 return (0);
427 }
428
429 static void
430 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
431 struct sctp_tcb *stcb, struct sctp_nets *net)
432 {
433 struct sockaddr_storage store;
434 struct sockaddr_in *sin;
435 struct sockaddr_in6 *sin6;
436 struct sctp_nets *r_net;
437 struct timeval tv;
438
439 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
440 /* Invalid length */
441 return;
442 }
443
444 sin = (struct sockaddr_in *)&store;
445 sin6 = (struct sockaddr_in6 *)&store;
446
447 memset(&store, 0, sizeof(store));
448 if (cp->heartbeat.hb_info.addr_family == AF_INET &&
449 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
450 sin->sin_family = cp->heartbeat.hb_info.addr_family;
451 sin->sin_len = cp->heartbeat.hb_info.addr_len;
452 sin->sin_port = stcb->rport;
453 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address,
454 sizeof(sin->sin_addr));
455 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 &&
456 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
457 sin6->sin6_family = cp->heartbeat.hb_info.addr_family;
458 sin6->sin6_len = cp->heartbeat.hb_info.addr_len;
459 sin6->sin6_port = stcb->rport;
460 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address,
461 sizeof(sin6->sin6_addr));
462 } else {
463 #ifdef SCTP_DEBUG
464 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
465 kprintf("unsupported address family");
466 }
467 #endif
468 return;
469 }
470 r_net = sctp_findnet(stcb, (struct sockaddr *)sin);
471 if (r_net == NULL) {
472 #ifdef SCTP_DEBUG
473 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
474 kprintf("Huh? I can't find the address I sent it to, discard\n");
475 }
476 #endif
477 return;
478 }
479 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
480 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
481 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
482 /*
483 * If the its a HB and it's random value is correct when
484 * can confirm the destination.
485 */
486 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
487 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
488 stcb, 0, (void *)r_net);
489 }
490 r_net->error_count = 0;
491 r_net->hb_responded = 1;
492 tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
493 tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
494 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) {
495 r_net->dest_state = SCTP_ADDR_REACHABLE;
496 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
497 SCTP_HEARTBEAT_SUCCESS, (void *)r_net);
498
499 /* now was it the primary? if so restore */
500 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) {
501 sctp_set_primary_addr(stcb, NULL, r_net);
502 }
503 }
504 /* Now lets do a RTO with this */
505 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv);
506 }
507
508 static void
509 sctp_handle_abort(struct sctp_abort_chunk *cp,
510 struct sctp_tcb *stcb, struct sctp_nets *net)
511 {
512 #ifdef SCTP_DEBUG
513 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
514 kprintf("sctp_handle_abort: handling ABORT\n");
515 }
516 #endif
517 if (stcb == NULL)
518 return;
519 /* verify that the destination addr is in the association */
520 /* ignore abort for addresses being deleted */
521
522 /* stop any receive timers */
523 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net);
524 /* notify user of the abort and clean up... */
525 sctp_abort_notification(stcb, 0);
526 /* free the tcb */
527 sctp_free_assoc(stcb->sctp_ep, stcb);
528 #ifdef SCTP_DEBUG
529 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
530 kprintf("sctp_handle_abort: finished\n");
531 }
532 #endif
533 }
534
535 static void
536 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
537 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
538 {
539 struct sctp_association *asoc;
540 int some_on_streamwheel;
541
542 #ifdef SCTP_DEBUG
543 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
544 kprintf("sctp_handle_shutdown: handling SHUTDOWN\n");
545 }
546 #endif
547 if (stcb == NULL)
548 return;
549
550 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) ||
551 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
552 return;
553 }
554
555 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
556 /* update current data status */
557 #ifdef SCTP_DEBUG
558 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
559 kprintf("Warning Shutdown NOT the expected size.. skipping (%d:%d)\n",
560 ntohs(cp->ch.chunk_length),
561 (int)sizeof(struct sctp_shutdown_chunk));
562 }
563 #endif
564 return;
565 } else {
566 sctp_update_acked(stcb, cp, net, abort_flag);
567 }
568 asoc = &stcb->asoc;
569 /* goto SHUTDOWN_RECEIVED state to block new requests */
570 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
571 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
572 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED;
573 #ifdef SCTP_DEBUG
574 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
575 kprintf("Moving to SHUTDOWN-RECEIVED state\n");
576 }
577 #endif
578 /* notify upper layer that peer has initiated a shutdown */
579 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL);
580
581 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
582 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
583
584 /* Set the flag so we cannot send more, we
585 * would call the function but we don't want to
586 * wake up the ulp necessarily.
587 */
588 #if defined(__FreeBSD__) && __FreeBSD_version >= 502115
589 stcb->sctp_ep->sctp_socket->so_rcv.sb_state |= SBS_CANTSENDMORE;
590 #else
591 sosetstate(stcb->sctp_ep->sctp_socket, SS_CANTSENDMORE);
592 #endif
593 }
594 /* reset time */
595 SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
596 }
597 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
598 /*
599 * stop the shutdown timer, since we WILL move
600 * to SHUTDOWN-ACK-SENT.
601 */
602 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net);
603 }
604 /* Now are we there yet? */
605 some_on_streamwheel = 0;
606 if (!TAILQ_EMPTY(&asoc->out_wheel)) {
607 /* Check to see if some data queued */
608 struct sctp_stream_out *outs;
609 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) {
610 if (!TAILQ_EMPTY(&outs->outqueue)) {
611 some_on_streamwheel = 1;
612 break;
613 }
614 }
615 }
616 #ifdef SCTP_DEBUG
617 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
618 kprintf("some_on_streamwheel:%d send_q_empty:%d sent_q_empty:%d\n",
619 some_on_streamwheel,
620 !TAILQ_EMPTY(&asoc->send_queue),
621 !TAILQ_EMPTY(&asoc->sent_queue));
622 }
623 #endif
624 if (!TAILQ_EMPTY(&asoc->send_queue) ||
625 !TAILQ_EMPTY(&asoc->sent_queue) ||
626 some_on_streamwheel) {
627 /* By returning we will push more data out */
628 return;
629 } else {
630 /* no outstanding data to send, so move on... */
631 /* send SHUTDOWN-ACK */
632 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
633 /* move to SHUTDOWN-ACK-SENT state */
634 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT;
635 #ifdef SCTP_DEBUG
636 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
637 kprintf("moving to SHUTDOWN_ACK state\n");
638 }
639 #endif
640 /* start SHUTDOWN timer */
641 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep,
642 stcb, net);
643 }
644 }
645
646 static void
647 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp,
648 struct sctp_tcb *stcb, struct sctp_nets *net)
649 {
650 struct sctp_association *asoc;
651
652 #ifdef SCTP_DEBUG
653 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
654 kprintf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
655 }
656 #endif
657 if (stcb == NULL)
658 return;
659
660 asoc = &stcb->asoc;
661 /* process according to association state */
662 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
663 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
664 /* unexpected SHUTDOWN-ACK... so ignore... */
665 return;
666 }
667 /* are the queues empty? */
668 if (!TAILQ_EMPTY(&asoc->send_queue) ||
669 !TAILQ_EMPTY(&asoc->sent_queue) ||
670 !TAILQ_EMPTY(&asoc->out_wheel)) {
671 sctp_report_all_outbound(stcb);
672 }
673 /* stop the timer */
674 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net);
675 /* send SHUTDOWN-COMPLETE */
676 sctp_send_shutdown_complete(stcb, net);
677 /* notify upper layer protocol */
678 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL);
679 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
680 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
681 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED;
682 /* Set the connected flag to disconnected */
683 stcb->sctp_ep->sctp_socket->so_snd.ssb_cc = 0;
684 stcb->sctp_ep->sctp_socket->so_snd.ssb_mbcnt = 0;
685 soisdisconnected(stcb->sctp_ep->sctp_socket);
686 }
687 /* free the TCB but first save off the ep */
688 sctp_free_assoc(stcb->sctp_ep, stcb);
689 }
690
691 /*
692 * Skip past the param header and then we will find the chunk that
693 * caused the problem. There are two possiblities ASCONF or FWD-TSN
694 * other than that and our peer must be broken.
695 */
696 static void
697 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
698 struct sctp_nets *net)
699 {
700 struct sctp_chunkhdr *chk;
701
702 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr));
703 switch (chk->chunk_type) {
704 case SCTP_ASCONF_ACK:
705 #ifdef SCTP_DEBUG
706 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
707 kprintf("Strange peer, snds ASCONF but does not recognize asconf-ack?\n");
708 }
709 #endif
710 case SCTP_ASCONF:
711 #ifdef SCTP_DEBUG
712 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
713 kprintf("Peer does not support ASCONF/ASCONF-ACK chunks\n");
714 }
715 #endif /* SCTP_DEBUG */
716 sctp_asconf_cleanup(stcb, net);
717 break;
718 case SCTP_FORWARD_CUM_TSN:
719 stcb->asoc.peer_supports_prsctp = 0;
720 break;
721 default:
722 #ifdef SCTP_DEBUG
723 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
724 kprintf("Peer does not support chunk type %d(%x)??\n",
725 chk->chunk_type, (u_int)chk->chunk_type);
726 }
727 #endif
728 break;
729 }
730 }
731
732 /*
733 * Skip past the param header and then we will find the param that
734 * caused the problem. There are a number of param's in a ASCONF
735 * OR the prsctp param these will turn of specific features.
736 */
737 static void
738 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
739 {
740 struct sctp_paramhdr *pbad;
741
742 pbad = phdr + 1;
743 switch (ntohs(pbad->param_type)) {
744 /* pr-sctp draft */
745 case SCTP_PRSCTP_SUPPORTED:
746 stcb->asoc.peer_supports_prsctp = 0;
747 break;
748 case SCTP_SUPPORTED_CHUNK_EXT:
749 break;
750 /* draft-ietf-tsvwg-addip-sctp */
751 case SCTP_ECN_NONCE_SUPPORTED:
752 stcb->asoc.peer_supports_ecn_nonce = 0;
753 stcb->asoc.ecn_nonce_allowed = 0;
754 stcb->asoc.ecn_allowed = 0;
755 break;
756 case SCTP_ADD_IP_ADDRESS:
757 case SCTP_DEL_IP_ADDRESS:
758 stcb->asoc.peer_supports_asconf = 0;
759 break;
760 case SCTP_SET_PRIM_ADDR:
761 stcb->asoc.peer_supports_asconf_setprim = 0;
762 break;
763 case SCTP_SUCCESS_REPORT:
764 case SCTP_ERROR_CAUSE_IND:
765 #ifdef SCTP_DEBUG
766 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
767 kprintf("Huh, the peer does not support success? or error cause?\n");
768 kprintf("Turning off ASCONF to this strange peer\n");
769 }
770 #endif
771 stcb->asoc.peer_supports_asconf = 0;
772 stcb->asoc.peer_supports_asconf_setprim = 0;
773 break;
774 default:
775 #ifdef SCTP_DEBUG
776 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
777 kprintf("Peer does not support base param type %d(%x)??\n",
778 pbad->param_type, (u_int)pbad->param_type);
779 }
780 #endif
781 break;
782 }
783 }
784
785 static int
786 sctp_handle_error(struct sctp_chunkhdr *ch,
787 struct sctp_tcb *stcb, struct sctp_nets *net)
788 {
789 int chklen;
790 struct sctp_paramhdr *phdr;
791 uint16_t error_type;
792 uint16_t error_len;
793 struct sctp_association *asoc;
794
795 int adjust;
796 /* parse through all of the errors and process */
797 asoc = &stcb->asoc;
798 phdr = (struct sctp_paramhdr *)((caddr_t)ch +
799 sizeof(struct sctp_chunkhdr));
800 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr);
801 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) {
802 /* Process an Error Cause */
803 error_type = ntohs(phdr->param_type);
804 error_len = ntohs(phdr->param_length);
805 if ((error_len > chklen) || (error_len == 0)) {
806 /* invalid param length for this param */
807 #ifdef SCTP_DEBUG
808 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
809 kprintf("Bogus length in error param- chunk left:%d errorlen:%d\n",
810 chklen, error_len);
811 }
812 #endif /* SCTP_DEBUG */
813 return (0);
814 }
815 switch (error_type) {
816 case SCTP_CAUSE_INV_STRM:
817 case SCTP_CAUSE_MISS_PARAM:
818 case SCTP_CAUSE_INVALID_PARAM:
819 case SCTP_CAUSE_NOUSER_DATA:
820 #ifdef SCTP_DEBUG
821 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
822 kprintf("Software error we got a %d back? We have a bug :/ (or do they?)\n",
823 error_type);
824 }
825 #endif
826 break;
827 case SCTP_CAUSE_STALE_COOKIE:
828 /* We only act if we have echoed a cookie and are waiting. */
829 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
830 int *p;
831 p = (int *)((caddr_t)phdr + sizeof(*phdr));
832 /* Save the time doubled */
833 asoc->cookie_preserve_req = ntohl(*p) << 1;
834 asoc->stale_cookie_count++;
835 if (asoc->stale_cookie_count >
836 asoc->max_init_times) {
837 sctp_abort_notification(stcb, 0);
838 /* now free the asoc */
839 sctp_free_assoc(stcb->sctp_ep, stcb);
840 return (-1);
841 }
842 /* blast back to INIT state */
843 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
844 asoc->state |= SCTP_STATE_COOKIE_WAIT;
845 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
846 stcb->sctp_ep, stcb, net);
847 sctp_send_initiate(stcb->sctp_ep, stcb);
848 }
849 break;
850 case SCTP_CAUSE_UNRESOLV_ADDR:
851 /*
852 * Nothing we can do here, we don't do hostname
853 * addresses so if the peer does not like my IPv6 (or
854 * IPv4 for that matter) it does not matter. If they
855 * don't support that type of address, they can NOT
856 * possibly get that packet type... i.e. with no IPv6
857 * you can't recieve a IPv6 packet. so we can safely
858 * ignore this one. If we ever added support for
859 * HOSTNAME Addresses, then we would need to do
860 * something here.
861 */
862 break;
863 case SCTP_CAUSE_UNRECOG_CHUNK:
864 sctp_process_unrecog_chunk(stcb, phdr, net);
865 break;
866 case SCTP_CAUSE_UNRECOG_PARAM:
867 sctp_process_unrecog_param(stcb, phdr);
868 break;
869 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
870 /*
871 * We ignore this since the timer will drive out a new
872 * cookie anyway and there timer will drive us to send
873 * a SHUTDOWN_COMPLETE. We can't send one here since
874 * we don't have their tag.
875 */
876 break;
877 case SCTP_CAUSE_DELETEING_LAST_ADDR:
878 case SCTP_CAUSE_OPERATION_REFUSED:
879 case SCTP_CAUSE_DELETING_SRC_ADDR:
880 /* We should NOT get these here, but in a ASCONF-ACK. */
881 #ifdef SCTP_DEBUG
882 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
883 kprintf("Peer sends ASCONF errors in a Operational Error?<%d>?\n",
884 error_type);
885 }
886 #endif
887 break;
888 case SCTP_CAUSE_OUT_OF_RESC:
889 /*
890 * And what, pray tell do we do with the fact
891 * that the peer is out of resources? Not
892 * really sure we could do anything but abort.
893 * I suspect this should have came WITH an
894 * abort instead of in a OP-ERROR.
895 */
896 break;
897 default:
898 #ifdef SCTP_DEBUG
899 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
900 /* don't know what this error cause is... */
901 kprintf("sctp_handle_error: unknown error type = 0x%xh\n",
902 error_type);
903 }
904 #endif /* SCTP_DEBUG */
905 break;
906 }
907 adjust = SCTP_SIZE32(error_len);
908 chklen -= adjust;
909 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust);
910 }
911 return (0);
912 }
913
914 static int
915 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh,
916 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
917 struct sctp_nets *net)
918 {
919 struct sctp_init_ack *init_ack;
920 int *state;
921 struct mbuf *op_err;
922
923 #ifdef SCTP_DEBUG
924 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
925 kprintf("sctp_handle_init_ack: handling INIT-ACK\n");
926 }
927 #endif
928 if (stcb == NULL) {
929 #ifdef SCTP_DEBUG
930 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
931 kprintf("sctp_handle_init_ack: TCB is null\n");
932 }
933 #endif
934 return (-1);
935 }
936 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
937 /* Invalid length */
938 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
939 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
940 op_err);
941 return (-1);
942 }
943 init_ack = &cp->init;
944 /* validate parameters */
945 if (init_ack->initiate_tag == 0) {
946 /* protocol error... send an abort */
947 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
948 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
949 op_err);
950 return (-1);
951 }
952 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) {
953 /* protocol error... send an abort */
954 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
955 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
956 op_err);
957 return (-1);
958 }
959 if (init_ack->num_inbound_streams == 0) {
960 /* protocol error... send an abort */
961 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
962 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
963 op_err);
964 return (-1);
965 }
966 if (init_ack->num_outbound_streams == 0) {
967 /* protocol error... send an abort */
968 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
969 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
970 op_err);
971 return (-1);
972 }
973
974 /* process according to association state... */
975 state = &stcb->asoc.state;
976 switch (*state & SCTP_STATE_MASK) {
977 case SCTP_STATE_COOKIE_WAIT:
978 /* this is the expected state for this chunk */
979 /* process the INIT-ACK parameters */
980 if (stcb->asoc.primary_destination->dest_state &
981 SCTP_ADDR_UNCONFIRMED) {
982 /*
983 * The primary is where we sent the INIT, we can
984 * always consider it confirmed when the INIT-ACK
985 * is returned. Do this before we load addresses
986 * though.
987 */
988 stcb->asoc.primary_destination->dest_state &=
989 ~SCTP_ADDR_UNCONFIRMED;
990 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
991 stcb, 0, (void *)stcb->asoc.primary_destination);
992 }
993 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net
994 ) < 0) {
995 /* error in parsing parameters */
996 #ifdef SCTP_DEBUG
997 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
998 kprintf("sctp_process_init_ack: error in msg, discarding\n");
999 }
1000 #endif
1001 return (-1);
1002 }
1003 /* update our state */
1004 #ifdef SCTP_DEBUG
1005 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1006 kprintf("moving to COOKIE-ECHOED state\n");
1007 }
1008 #endif
1009 if (*state & SCTP_STATE_SHUTDOWN_PENDING) {
1010 *state = SCTP_STATE_COOKIE_ECHOED |
1011 SCTP_STATE_SHUTDOWN_PENDING;
1012 } else {
1013 *state = SCTP_STATE_COOKIE_ECHOED;
1014 }
1015
1016 /* reset the RTO calc */
1017 stcb->asoc.overall_error_count = 0;
1018 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
1019 /*
1020 * collapse the init timer back in case of a exponential backoff
1021 */
1022 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
1023 stcb, net);
1024 /*
1025 * the send at the end of the inbound data processing will
1026 * cause the cookie to be sent
1027 */
1028 break;
1029 case SCTP_STATE_SHUTDOWN_SENT:
1030 /* incorrect state... discard */
1031 break;
1032 case SCTP_STATE_COOKIE_ECHOED:
1033 /* incorrect state... discard */
1034 break;
1035 case SCTP_STATE_OPEN:
1036 /* incorrect state... discard */
1037 break;
1038 case SCTP_STATE_EMPTY:
1039 case SCTP_STATE_INUSE:
1040 default:
1041 /* incorrect state... discard */
1042 #ifdef SCTP_DEBUG
1043 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1044 kprintf("Leaving handle-init-ack default\n");
1045 }
1046 #endif
1047 return (-1);
1048 break;
1049 } /* end switch asoc state */
1050 #ifdef SCTP_DEBUG
1051 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1052 kprintf("Leaving handle-init-ack end\n");
1053 }
1054 #endif
1055 return (0);
1056 }
1057
1058
1059 /*
1060 * handle a state cookie for an existing association
1061 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk
1062 * note: this is a "split" mbuf and the cookie signature does not exist
1063 * offset: offset into mbuf to the cookie-echo chunk
1064 */
1065 static struct sctp_tcb *
1066 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
1067 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1068 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
1069 struct sockaddr *init_src, int *notification)
1070 {
1071 struct sctp_association *asoc;
1072 struct sctp_init_chunk *init_cp, init_buf;
1073 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1074 int chk_length;
1075 int init_offset, initack_offset;
1076 int retval;
1077
1078 /* I know that the TCB is non-NULL from the caller */
1079 asoc = &stcb->asoc;
1080
1081 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
1082 /* SHUTDOWN came in after sending INIT-ACK */
1083 struct mbuf *op_err;
1084 struct sctp_paramhdr *ph;
1085
1086 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
1087 #ifdef SCTP_DEBUG
1088 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1089 kprintf("sctp_handle_cookie: got a cookie, while shutting down!\n");
1090 }
1091 #endif
1092 MGETHDR(op_err, MB_DONTWAIT, MT_HEADER);
1093 if (op_err == NULL) {
1094 /* FOOBAR */
1095 return (NULL);
1096 }
1097 /* pre-reserve some space */
1098 op_err->m_data += sizeof(struct ip6_hdr);
1099 op_err->m_data += sizeof(struct sctphdr);
1100 op_err->m_data += sizeof(struct sctp_chunkhdr);
1101 /* Set the len */
1102 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr);
1103 ph = mtod(op_err, struct sctp_paramhdr *);
1104 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN);
1105 ph->param_length = htons(sizeof(struct sctp_paramhdr));
1106 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag);
1107 return (NULL);
1108 }
1109 /*
1110 * find and validate the INIT chunk in the cookie (peer's info)
1111 * the INIT should start after the cookie-echo header struct
1112 * (chunk header, state cookie header struct)
1113 */
1114 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
1115
1116 init_cp = (struct sctp_init_chunk *)
1117 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1118 (u_int8_t *)&init_buf);
1119 if (init_cp == NULL) {
1120 /* could not pull a INIT chunk in cookie */
1121 #ifdef SCTP_DEBUG
1122 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1123 kprintf("process_cookie_existing: could not pull INIT chunk hdr\n");
1124 }
1125 #endif /* SCTP_DEBUG */
1126 return (NULL);
1127 }
1128 chk_length = ntohs(init_cp->ch.chunk_length);
1129 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1130 #ifdef SCTP_DEBUG
1131 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1132 kprintf("process_cookie_existing: could not find INIT chunk!\n");
1133 }
1134 #endif /* SCTP_DEBUG */
1135 return (NULL);
1136 }
1137
1138 /*
1139 * find and validate the INIT-ACK chunk in the cookie (my info)
1140 * the INIT-ACK follows the INIT chunk
1141 */
1142 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1143 initack_cp = (struct sctp_init_ack_chunk *)
1144 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1145 (u_int8_t *)&initack_buf);
1146 if (initack_cp == NULL) {
1147 /* could not pull INIT-ACK chunk in cookie */
1148 #ifdef SCTP_DEBUG
1149 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1150 kprintf("process_cookie_existing: could not pull INIT-ACK chunk hdr\n");
1151 }
1152 #endif /* SCTP_DEBUG */
1153 return (NULL);
1154 }
1155 chk_length = ntohs(initack_cp->ch.chunk_length);
1156 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1157 #ifdef SCTP_DEBUG
1158 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1159 kprintf("process_cookie_existing: could not find INIT-ACK chunk!\n");
1160 }
1161 #endif /* SCTP_DEBUG */
1162 return (NULL);
1163 }
1164 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1165 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
1166 /*
1167 * case D in Section 5.2.4 Table 2: MMAA
1168 * process accordingly to get into the OPEN state
1169 */
1170 switch SCTP_GET_STATE(asoc) {
1171 case SCTP_STATE_COOKIE_WAIT:
1172 /*
1173 * INIT was sent, but got got a COOKIE_ECHO with
1174 * the correct tags... just accept it...
1175 */
1176 /* First we must process the INIT !! */
1177 retval = sctp_process_init(init_cp, stcb, net);
1178 if (retval < 0) {
1179 #ifdef SCTP_DEBUG
1180 kprintf("process_cookie_existing: INIT processing failed\n");
1181 #endif
1182 return (NULL);
1183 }
1184 /* intentional fall through to below... */
1185
1186 case SCTP_STATE_COOKIE_ECHOED:
1187 /* Duplicate INIT case */
1188 /* we have already processed the INIT so no problem */
1189 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1190 net);
1191 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
1192 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb,
1193 net);
1194 /* update current state */
1195 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1196 asoc->state = SCTP_STATE_OPEN |
1197 SCTP_STATE_SHUTDOWN_PENDING;
1198 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) {
1199 /* if ok, move to OPEN state */
1200 asoc->state = SCTP_STATE_OPEN;
1201 }
1202 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1203 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1204 (!(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING))) {
1205 /*
1206 * Here is where collision would go if we did a
1207 * connect() and instead got a
1208 * init/init-ack/cookie done before the
1209 * init-ack came back..
1210 */
1211 stcb->sctp_ep->sctp_flags |=
1212 SCTP_PCB_FLAGS_CONNECTED;
1213 soisconnected(stcb->sctp_ep->sctp_socket);
1214 }
1215 /* notify upper layer */
1216 *notification = SCTP_NOTIFY_ASSOC_UP;
1217 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1218 net);
1219 /*
1220 * since we did not send a HB make sure we don't double
1221 * things
1222 */
1223 net->hb_responded = 1;
1224
1225 if (stcb->asoc.sctp_autoclose_ticks &&
1226 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
1227 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
1228 inp, stcb, NULL);
1229 }
1230 break;
1231 default:
1232 /*
1233 * we're in the OPEN state (or beyond), so peer
1234 * must have simply lost the COOKIE-ACK
1235 */
1236 break;
1237 } /* end switch */
1238
1239 /*
1240 * We ignore the return code here.. not sure if we should
1241 * somehow abort.. but we do have an existing asoc. This
1242 * really should not fail.
1243 */
1244 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1245 init_offset + sizeof(struct sctp_init_chunk),
1246 initack_offset, sh, init_src)) {
1247 #ifdef SCTP_DEBUG
1248 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1249 kprintf("Weird cookie load_address failure on cookie existing - 1\n");
1250 }
1251 #endif
1252 return (NULL);
1253 }
1254
1255 /* respond with a COOKIE-ACK */
1256 sctp_send_cookie_ack(stcb);
1257 return (stcb);
1258 } /* end if */
1259 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1260 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
1261 cookie->tie_tag_my_vtag == 0 &&
1262 cookie->tie_tag_peer_vtag == 0) {
1263 /*
1264 * case C in Section 5.2.4 Table 2: XMOO
1265 * silently discard
1266 */
1267 return (NULL);
1268 }
1269 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag &&
1270 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag ||
1271 init_cp->init.initiate_tag == 0)) {
1272 /*
1273 * case B in Section 5.2.4 Table 2: MXAA or MOAA
1274 * my info should be ok, re-accept peer info
1275 */
1276 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1277 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
1278 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
1279 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1280 /*
1281 * since we did not send a HB make sure we don't double things
1282 */
1283 net->hb_responded = 1;
1284 if (stcb->asoc.sctp_autoclose_ticks &&
1285 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
1286 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
1287 NULL);
1288 }
1289 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1290 asoc->pre_open_streams =
1291 ntohs(initack_cp->init.num_outbound_streams);
1292 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1293 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out =
1294 asoc->init_seq_number;
1295 asoc->t3timeout_highest_marked = asoc->asconf_seq_out;
1296 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1297 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1298 asoc->str_reset_seq_in = asoc->init_seq_number;
1299 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1300
1301 /* process the INIT info (peer's info) */
1302 retval = sctp_process_init(init_cp, stcb, net);
1303 if (retval < 0) {
1304 #ifdef SCTP_DEBUG
1305 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1306 kprintf("process_cookie_existing: INIT processing failed\n");
1307 }
1308 #endif
1309 return (NULL);
1310 }
1311 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1312 init_offset + sizeof(struct sctp_init_chunk),
1313 initack_offset, sh, init_src)) {
1314 #ifdef SCTP_DEBUG
1315 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1316 kprintf("Weird cookie load_address failure on cookie existing - 2\n");
1317 }
1318 #endif
1319 return (NULL);
1320 }
1321
1322 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
1323 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
1324 *notification = SCTP_NOTIFY_ASSOC_UP;
1325
1326 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1327 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1328 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) {
1329 stcb->sctp_ep->sctp_flags |=
1330 SCTP_PCB_FLAGS_CONNECTED;
1331 soisconnected(stcb->sctp_ep->sctp_socket);
1332 }
1333 }
1334 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1335 asoc->state = SCTP_STATE_OPEN |
1336 SCTP_STATE_SHUTDOWN_PENDING;
1337 } else {
1338 asoc->state = SCTP_STATE_OPEN;
1339 }
1340 sctp_send_cookie_ack(stcb);
1341 return (stcb);
1342 }
1343
1344 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1345 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
1346 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
1347 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
1348 cookie->tie_tag_peer_vtag != 0) {
1349 /*
1350 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
1351 */
1352 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
1353 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
1354 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1355
1356 /* notify upper layer */
1357 *notification = SCTP_NOTIFY_ASSOC_RESTART;
1358
1359 /* send up all the data */
1360 sctp_report_all_outbound(stcb);
1361
1362 /* process the INIT-ACK info (my info) */
1363 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1364 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1365 asoc->pre_open_streams =
1366 ntohs(initack_cp->init.num_outbound_streams);
1367 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1368 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out =
1369 asoc->init_seq_number;
1370 asoc->t3timeout_highest_marked = asoc->asconf_seq_out;
1371 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1372 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1373 asoc->str_reset_seq_in = asoc->init_seq_number;
1374
1375 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1376 if (asoc->mapping_array)
1377 memset(asoc->mapping_array, 0,
1378 asoc->mapping_array_size);
1379 /* process the INIT info (peer's info) */
1380 retval = sctp_process_init(init_cp, stcb, net);
1381 if (retval < 0) {
1382 #ifdef SCTP_DEBUG
1383 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1384 kprintf("process_cookie_existing: INIT processing failed\n");
1385 }
1386 #endif
1387 return (NULL);
1388 }
1389
1390 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1391 /*
1392 * since we did not send a HB make sure we don't double things
1393 */
1394 net->hb_responded = 1;
1395
1396 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1397 init_offset + sizeof(struct sctp_init_chunk),
1398 initack_offset, sh, init_src)) {
1399 #ifdef SCTP_DEBUG
1400 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1401 kprintf("Weird cookie load_address failure on cookie existing - 3\n");
1402 }
1403 #endif
1404 return (NULL);
1405 }
1406
1407 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1408 asoc->state = SCTP_STATE_OPEN |
1409 SCTP_STATE_SHUTDOWN_PENDING;
1410 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
1411 /* move to OPEN state, if not in SHUTDOWN_SENT */
1412 asoc->state = SCTP_STATE_OPEN;
1413 }
1414 /* respond with a COOKIE-ACK */
1415 sctp_send_cookie_ack(stcb);
1416
1417 return (stcb);
1418 }
1419 /* all other cases... */
1420 return (NULL);
1421 }
1422
1423 /*
1424 * handle a state cookie for a new association
1425 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk
1426 * note: this is a "split" mbuf and the cookie signature does not exist
1427 * offset: offset into mbuf to the cookie-echo chunk
1428 * length: length of the cookie chunk
1429 * to: where the init was from
1430 * returns a new TCB
1431 */
1432 static struct sctp_tcb *
1433 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1434 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1435 struct sctp_inpcb *inp, struct sctp_nets **netp,
1436 struct sockaddr *init_src, int *notification)
1437 {
1438 struct sctp_tcb *stcb;
1439 struct sctp_init_chunk *init_cp, init_buf;
1440 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1441 struct sockaddr_storage sa_store;
1442 struct sockaddr *initack_src = (struct sockaddr *)&sa_store;
1443 struct sockaddr_in *sin;
1444 struct sockaddr_in6 *sin6;
1445 struct sctp_association *asoc;
1446 int chk_length;
1447 int init_offset, initack_offset, initack_limit;
1448 int retval;
1449 int error = 0;
1450 /*
1451 * find and validate the INIT chunk in the cookie (peer's info)
1452 * the INIT should start after the cookie-echo header struct
1453 * (chunk header, state cookie header struct)
1454 */
1455 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
1456 init_cp = (struct sctp_init_chunk *)
1457 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1458 (u_int8_t *)&init_buf);
1459 if (init_cp == NULL) {
1460 /* could not pull a INIT chunk in cookie */
1461 #ifdef SCTP_DEBUG
1462 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1463 kprintf("process_cookie_new: could not pull INIT chunk hdr\n");
1464 }
1465 #endif /* SCTP_DEBUG */
1466 return (NULL);
1467 }
1468 chk_length = ntohs(init_cp->ch.chunk_length);
1469 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1470 #ifdef SCTP_DEBUG
1471 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1472 kprintf("HUH? process_cookie_new: could not find INIT chunk!\n");
1473 }
1474 #endif /* SCTP_DEBUG */
1475 return (NULL);
1476 }
1477
1478 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1479 /*
1480 * find and validate the INIT-ACK chunk in the cookie (my info)
1481 * the INIT-ACK follows the INIT chunk
1482 */
1483 initack_cp = (struct sctp_init_ack_chunk *)
1484 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1485 (u_int8_t *)&initack_buf);
1486 if (initack_cp == NULL) {
1487 /* could not pull INIT-ACK chunk in cookie */
1488 #ifdef SCTP_DEBUG
1489 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1490 kprintf("process_cookie_new: could not pull INIT-ACK chunk hdr\n");
1491 }
1492 #endif /* SCTP_DEBUG */
1493 return (NULL);
1494 }
1495 chk_length = ntohs(initack_cp->ch.chunk_length);
1496 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1497 #ifdef SCTP_DEBUG
1498 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1499 u_int8_t *pp;
1500 pp = (u_int8_t *)initack_cp;
1501 kprintf("process_cookie_new: could not find INIT-ACK chunk!\n");
1502 kprintf("Found bytes %x %x %x %x at position %d\n",
1503 (u_int)pp[0], (u_int)pp[1], (u_int)pp[2],
1504 (u_int)pp[3], initack_offset);
1505 }
1506 #endif /* SCTP_DEBUG */
1507 return (NULL);
1508 }
1509 initack_limit = initack_offset + SCTP_SIZE32(chk_length);
1510
1511 /*
1512 * now that we know the INIT/INIT-ACK are in place,
1513 * create a new TCB and popluate
1514 */
1515 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, ntohl(initack_cp->init.initiate_tag));
1516 if (stcb == NULL) {
1517 struct mbuf *op_err;
1518 /* memory problem? */
1519 #ifdef SCTP_DEBUG
1520 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1521 kprintf("process_cookie_new: no room for another TCB!\n");
1522 }
1523 #endif /* SCTP_DEBUG */
1524 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
1525 sctp_abort_association(inp, NULL, m, iphlen,
1526 sh, op_err);
1527 return (NULL);
1528 }
1529
1530 /* get the correct sctp_nets */
1531 *netp = sctp_findnet(stcb, init_src);
1532 asoc = &stcb->asoc;
1533 /* get scope variables out of cookie */
1534 asoc->ipv4_local_scope = cookie->ipv4_scope;
1535 asoc->site_scope = cookie->site_scope;
1536 asoc->local_scope = cookie->local_scope;
1537 asoc->loopback_scope = cookie->loopback_scope;
1538
1539 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) ||
1540 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) {
1541 struct mbuf *op_err;
1542 /*
1543 * Houston we have a problem. The EP changed while the cookie
1544 * was in flight. Only recourse is to abort the association.
1545 */
1546 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
1547 sctp_abort_association(inp, NULL, m, iphlen,
1548 sh, op_err);
1549 return (NULL);
1550 }
1551
1552 /* process the INIT-ACK info (my info) */
1553 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1554 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1555 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
1556 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1557 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1558 asoc->t3timeout_highest_marked = asoc->asconf_seq_out;
1559 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1560 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1561 asoc->str_reset_seq_in = asoc->init_seq_number;
1562
1563 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1564
1565 /* process the INIT info (peer's info) */
1566 retval = sctp_process_init(init_cp, stcb, *netp);
1567 if (retval < 0) {
1568 #ifdef SCTP_DEBUG
1569 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1570 kprintf("process_cookie_new: INIT processing failed\n");
1571 }
1572 #endif
1573 sctp_free_assoc(inp, stcb);
1574 return (NULL);
1575 }
1576 /* load all addresses */
1577 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1578 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh,
1579 init_src)) {
1580 sctp_free_assoc(inp, stcb);
1581 return (NULL);
1582 }
1583
1584 /* update current state */
1585 #ifdef SCTP_DEBUG
1586 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1587 kprintf("moving to OPEN state\n");
1588 }
1589 #endif
1590 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1591 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING;
1592 } else {
1593 asoc->state = SCTP_STATE_OPEN;
1594 }
1595 /* calculate the RTT */
1596 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
1597 &cookie->time_entered);
1598
1599 /*
1600 * if we're doing ASCONFs, check to see if we have any new
1601 * local addresses that need to get added to the peer (eg.
1602 * addresses changed while cookie echo in flight). This needs
1603 * to be done after we go to the OPEN state to do the correct
1604 * asconf processing.
1605 * else, make sure we have the correct addresses in our lists
1606 */
1607
1608 /* warning, we re-use sin, sin6, sa_store here! */
1609 /* pull in local_address (our "from" address) */
1610 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) {
1611 /* source addr is IPv4 */
1612 sin = (struct sockaddr_in *)initack_src;
1613 memset(sin, 0, sizeof(*sin));
1614 sin->sin_family = AF_INET;
1615 sin->sin_len = sizeof(struct sockaddr_in);
1616 sin->sin_addr.s_addr = cookie->laddress[0];
1617 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) {
1618 /* source addr is IPv6 */
1619 sin6 = (struct sockaddr_in6 *)initack_src;
1620 memset(sin6, 0, sizeof(*sin6));
1621 sin6->sin6_family = AF_INET6;
1622 sin6->sin6_len = sizeof(struct sockaddr_in6);
1623 sin6->sin6_scope_id = cookie->scope_id;
1624 memcpy(&sin6->sin6_addr, cookie->laddress,
1625 sizeof(sin6->sin6_addr));
1626 } else {
1627 sctp_free_assoc(inp, stcb);
1628 return (NULL);
1629 }
1630
1631 sctp_check_address_list(stcb, m, initack_offset +
1632 sizeof(struct sctp_init_ack_chunk), initack_limit,
1633 initack_src, cookie->local_scope, cookie->site_scope,
1634 cookie->ipv4_scope, cookie->loopback_scope);
1635
1636
1637 /* set up to notify upper layer */
1638 *notification = SCTP_NOTIFY_ASSOC_UP;
1639 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1640 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1641 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) {
1642 /*
1643 * This is an endpoint that called connect()
1644 * how it got a cookie that is NEW is a bit of
1645 * a mystery. It must be that the INIT was sent, but
1646 * before it got there.. a complete INIT/INIT-ACK/COOKIE
1647 * arrived. But of course then it should have went to
1648 * the other code.. not here.. oh well.. a bit of protection
1649 * is worth having..
1650 */
1651 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
1652 soisconnected(stcb->sctp_ep->sctp_socket);
1653 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp);
1654 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
1655 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) {
1656 /*
1657 * We don't want to do anything with this
1658 * one. Since it is the listening guy. The timer will
1659 * get started for accepted connections in the caller.
1660 */
1661 ;
1662 } else {
1663 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp);
1664 }
1665 /* since we did not send a HB make sure we don't double things */
1666 (*netp)->hb_responded = 1;
1667
1668 if (stcb->asoc.sctp_autoclose_ticks &&
1669 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
1670 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
1671 }
1672
1673 /* respond with a COOKIE-ACK */
1674 sctp_send_cookie_ack(stcb);
1675
1676 return (stcb);
1677 }
1678
1679
1680 /*
1681 * handles a COOKIE-ECHO message
1682 * stcb: modified to either a new or left as existing (non-NULL) TCB
1683 */
1684 static struct mbuf *
1685 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
1686 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
1687 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp)
1688 {
1689 struct sctp_state_cookie *cookie;
1690 struct sockaddr_in6 sin6;
1691 struct sockaddr_in sin;
1692 struct sctp_tcb *l_stcb=*stcb;
1693 struct sctp_inpcb *l_inp;
1694 struct sockaddr *to;
1695 struct sctp_pcb *ep;
1696 struct mbuf *m_sig;
1697 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
1698 uint8_t *sig;
1699 uint8_t cookie_ok = 0;
1700 unsigned int size_of_pkt, sig_offset, cookie_offset;
1701 unsigned int cookie_len;
1702 struct timeval now;
1703 struct timeval time_expires;
1704 struct sockaddr_storage dest_store;
1705 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store;
1706 struct ip *iph;
1707 int notification = 0;
1708 struct sctp_nets *netl;
1709 int had_a_existing_tcb = 0;
1710
1711 #ifdef SCTP_DEBUG
1712 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1713 kprintf("sctp_handle_cookie: handling COOKIE-ECHO\n");
1714 }
1715 #endif
1716
1717 if (inp_p == NULL) {
1718 #ifdef SCTP_DEBUG
1719 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1720 kprintf("sctp_handle_cookie: null inp_p!\n");
1721 }
1722 #endif
1723 return (NULL);
1724 }
1725 /* First get the destination address setup too. */
1726 iph = mtod(m, struct ip *);
1727 if (iph->ip_v == IPVERSION) {
1728 /* its IPv4 */
1729 struct sockaddr_in *sin;
1730 sin = (struct sockaddr_in *)(localep_sa);
1731 memset(sin, 0, sizeof(*sin));
1732 sin->sin_family = AF_INET;
1733 sin->sin_len = sizeof(*sin);
1734 sin->sin_port = sh->dest_port;
1735 sin->sin_addr.s_addr = iph->ip_dst.s_addr ;
1736 } else if (iph->ip_v == (IPV6_VERSION >> 4)) {
1737 /* its IPv6 */
1738 struct ip6_hdr *ip6;
1739 struct sockaddr_in6 *sin6;
1740 sin6 = (struct sockaddr_in6 *)(localep_sa);
1741 memset(sin6, 0, sizeof(*sin6));
1742 sin6->sin6_family = AF_INET6;
1743 sin6->sin6_len = sizeof(struct sockaddr_in6);
1744 ip6 = mtod(m, struct ip6_hdr *);
1745 sin6->sin6_port = sh->dest_port;
1746 sin6->sin6_addr = ip6->ip6_dst;
1747 } else {
1748 return (NULL);
1749 }
1750
1751 cookie = &cp->cookie;
1752 cookie_offset = offset + sizeof(struct sctp_chunkhdr);
1753 cookie_len = ntohs(cp->ch.chunk_length);
1754
1755 if ((cookie->peerport != sh->src_port) &&
1756 (cookie->myport != sh->dest_port) &&
1757 (cookie->my_vtag != sh->v_tag)) {
1758 /*
1759 * invalid ports or bad tag. Note that we always leave
1760 * the v_tag in the header in network order and when we
1761 * stored it in the my_vtag slot we also left it in network
1762 * order. This maintians the match even though it may be in
1763 * the opposite byte order of the machine :->
1764 */
1765 return (NULL);
1766 }
1767
1768 /* compute size of packet */
1769 if (m->m_flags & M_PKTHDR) {
1770 size_of_pkt = m->m_pkthdr.len;
1771 } else {
1772 /* Should have a pkt hdr really */
1773 struct mbuf *mat;
1774 mat = m;
1775 size_of_pkt = 0;
1776 while (mat != NULL) {
1777 size_of_pkt += mat->m_len;
1778 mat = mat->m_next;
1779 }
1780 }
1781 if (cookie_len > size_of_pkt ||
1782 cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
1783 sizeof(struct sctp_init_chunk) +
1784 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
1785 /* cookie too long! or too small */
1786 #ifdef SCTP_DEBUG
1787 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1788 kprintf("sctp_handle_cookie: cookie_len=%u, pkt size=%u\n", cookie_len, size_of_pkt);
1789 }
1790 #endif /* SCTP_DEBUG */
1791 return (NULL);
1792 }
1793 /*
1794 * split off the signature into its own mbuf (since it
1795 * should not be calculated in the sctp_hash_digest_m() call).
1796 */
1797 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
1798 if (sig_offset > size_of_pkt) {
1799 /* packet not correct size! */
1800 /* XXX this may already be accounted for earlier... */
1801 #ifdef SCTP_DEBUG
1802 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1803 kprintf("sctp_handle_cookie: sig offset=%u, pkt size=%u\n", sig_offset, size_of_pkt);
1804 }
1805 #endif
1806 return (NULL);
1807 }
1808
1809 m_sig = m_split(m, sig_offset, MB_DONTWAIT);
1810 if (m_sig == NULL) {
1811 /* out of memory or ?? */
1812 #ifdef SCTP_DEBUG
1813 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1814 kprintf("sctp_handle_cookie: couldn't m_split the signature\n");
1815 }
1816 #endif
1817 return (NULL);
1818 }
1819 /*
1820 * compute the signature/digest for the cookie
1821 */
1822 ep = &(*inp_p)->sctp_ep;
1823 l_inp = *inp_p;
1824 if (l_stcb) {
1825 SCTP_TCB_UNLOCK(l_stcb);
1826 }
1827 SCTP_INP_RLOCK(l_inp);
1828 if (l_stcb) {
1829 SCTP_TCB_LOCK(l_stcb);
1830 }
1831 /* which cookie is it? */
1832 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
1833 (ep->current_secret_number != ep->last_secret_number)) {
1834 /* it's the old cookie */
1835 #ifdef SCTP_DEBUG
1836 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1837 kprintf("sctp_handle_cookie: old cookie sig\n");
1838 }
1839 #endif
1840 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number],
1841 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1842 } else {
1843 /* it's the current cookie */
1844 #ifdef SCTP_DEBUG
1845 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1846 kprintf("sctp_handle_cookie: current cookie sig\n");
1847 }
1848 #endif
1849 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->current_secret_number],
1850 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1851 }
1852 /* get the signature */
1853 SCTP_INP_RUNLOCK(l_inp);
1854 sig = (u_int8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (u_int8_t *)&tmp_sig);
1855 if (sig == NULL) {
1856 /* couldn't find signature */
1857 #ifdef SCTP_DEBUG
1858 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1859 kprintf("sctp_handle_cookie: couldn't pull the signature\n");
1860 }
1861 #endif
1862 return (NULL);
1863 }
1864 /* compare the received digest with the computed digest */
1865 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
1866 /* try the old cookie? */
1867 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
1868 (ep->current_secret_number != ep->last_secret_number)) {
1869 /* compute digest with old */
1870 #ifdef SCTP_DEBUG
1871 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1872 kprintf("sctp_handle_cookie: old cookie sig\n");
1873 }
1874 #endif
1875 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number],
1876 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1877 /* compare */
1878 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
1879 cookie_ok = 1;
1880 }
1881 } else {
1882 cookie_ok = 1;
1883 }
1884
1885 /*
1886 * Now before we continue we must reconstruct our mbuf so
1887 * that normal processing of any other chunks will work.
1888 */
1889 {
1890 struct mbuf *m_at;
1891 m_at = m;
1892 while (m_at->m_next != NULL) {
1893 m_at = m_at->m_next;
1894 }
1895 m_at->m_next = m_sig;
1896 if (m->m_flags & M_PKTHDR) {
1897 /*
1898 * We should only do this if and only if the front
1899 * mbuf has a m_pkthdr... it should in theory.
1900 */
1901 if (m_sig->m_flags & M_PKTHDR) {
1902 /* Add back to the pkt hdr of main m chain */
1903 m->m_pkthdr.len += m_sig->m_len;
1904 } else {
1905 /*
1906 * Got a problem, no pkthdr in split chain.
1907 * TSNH but we will handle it just in case
1908 */
1909 int mmlen = 0;
1910 struct mbuf *lat;
1911 kprintf("Warning: Hitting m_split join TSNH code - fixed\n");
1912 lat = m_sig;
1913 while (lat) {
1914 mmlen += lat->m_len;
1915 lat = lat->m_next;
1916 }
1917 m->m_pkthdr.len += mmlen;
1918 }
1919 }
1920 }
1921
1922 if (cookie_ok == 0) {
1923 #ifdef SCTP_DEBUG
1924 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1925 kprintf("handle_cookie_echo: cookie signature validation failed!\n");
1926 kprintf("offset = %u, cookie_offset = %u, sig_offset = %u\n",
1927 (u_int32_t)offset, cookie_offset, sig_offset);
1928 }
1929 #endif
1930 return (NULL);
1931 }
1932 #ifdef SCTP_DEBUG
1933 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1934 kprintf("handle_cookie_echo: cookie signature validation passed\n");
1935 }
1936 #endif
1937
1938 /*
1939 * check the cookie timestamps to be sure it's not stale
1940 */
1941 SCTP_GETTIME_TIMEVAL(&now);
1942 /* Expire time is in Ticks, so we convert to seconds */
1943 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life;
1944 time_expires.tv_usec = cookie->time_entered.tv_usec;
1945 #ifndef __FreeBSD__
1946 if (timercmp(&now, &time_expires, >))
1947 #else
1948 if (timevalcmp(&now, &time_expires, >))
1949 #endif
1950 {
1951 /* cookie is stale! */
1952 struct mbuf *op_err;
1953 struct sctp_stale_cookie_msg *scm;
1954 u_int32_t tim;
1955 #ifdef SCTP_DEBUG
1956 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
1957 kprintf("sctp_handle_cookie: got a STALE cookie!\n");
1958 }
1959 #endif
1960 MGETHDR(op_err, MB_DONTWAIT, MT_HEADER);
1961 if (op_err == NULL) {
1962 /* FOOBAR */
1963 return (NULL);
1964 }
1965 /* pre-reserve some space */
1966 op_err->m_data += sizeof(struct ip6_hdr);
1967 op_err->m_data += sizeof(struct sctphdr);
1968 op_err->m_data += sizeof(struct sctp_chunkhdr);
1969
1970 /* Set the len */
1971 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg);
1972 scm = mtod(op_err, struct sctp_stale_cookie_msg *);
1973 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE);
1974 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) +
1975 (sizeof(u_int32_t))));
1976 /* seconds to usec */
1977 tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
1978 /* add in usec */
1979 if (tim == 0)
1980 tim = now.tv_usec - cookie->time_entered.tv_usec;
1981 scm->time_usec = htonl(tim);
1982 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag);
1983 return (NULL);
1984 }
1985 /*
1986 * Now we must see with the lookup address if we have an existing
1987 * asoc. This will only happen if we were in the COOKIE-WAIT state
1988 * and a INIT collided with us and somewhere the peer sent the
1989 * cookie on another address besides the single address our assoc
1990 * had for him. In this case we will have one of the tie-tags set
1991 * at least AND the address field in the cookie can be used to
1992 * look it up.
1993 */
1994 to = NULL;
1995 if (cookie->addr_type == SCTP_IPV6_ADDRESS) {
1996 memset(&sin6, 0, sizeof(sin6));
1997 sin6.sin6_family = AF_INET6;
1998 sin6.sin6_len = sizeof(sin6);
1999 sin6.sin6_port = sh->src_port;
2000 sin6.sin6_scope_id = cookie->scope_id;
2001 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
2002 sizeof(sin6.sin6_addr.s6_addr));
2003 to = (struct sockaddr *)&sin6;
2004 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) {
2005 memset(&sin, 0, sizeof(sin));
2006 sin.sin_family = AF_INET;
2007 sin.sin_len = sizeof(sin);
2008 sin.sin_port = sh->src_port;
2009 sin.sin_addr.s_addr = cookie->address[0];
2010 to = (struct sockaddr *)&sin;
2011 }
2012
2013 if ((*stcb == NULL) && to) {
2014 /* Yep, lets check */
2015 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL);
2016 if (*stcb == NULL) {
2017 /* We should have only got back the same inp. If we
2018 * got back a different ep we have a problem. The original
2019 * findep got back l_inp and now
2020 */
2021 if (l_inp != *inp_p) {
2022 kprintf("Bad problem find_ep got a diff inp then special_locate?\n");
2023 }
2024 }
2025 }
2026
2027 cookie_len -= SCTP_SIGNATURE_SIZE;
2028 if (*stcb == NULL) {
2029 /* this is the "normal" case... get a new TCB */
2030 #ifdef SCTP_DEBUG
2031 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2032 kprintf("sctp_handle_cookie: processing NEW cookie\n");
2033 }
2034 #endif
2035 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie,
2036 cookie_len, *inp_p, netp, to, ¬ification);
2037 /* now always decrement, since this is the normal
2038 * case.. we had no tcb when we entered.
2039 */
2040 } else {
2041 /* this is abnormal... cookie-echo on existing TCB */
2042 #ifdef SCTP_DEBUG
2043 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2044 kprintf("sctp_handle_cookie: processing EXISTING cookie\n");
2045 }
2046 #endif
2047 had_a_existing_tcb = 1;
2048 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh,
2049 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification);
2050 }
2051
2052 if (*stcb == NULL) {
2053 /* still no TCB... must be bad cookie-echo */
2054 #ifdef SCTP_DEBUG
2055 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2056 kprintf("handle_cookie_echo: ACK! don't have a TCB!\n");
2057 }
2058 #endif /* SCTP_DEBUG */
2059 return (NULL);
2060 }
2061
2062 /*
2063 * Ok, we built an association so confirm the address
2064 * we sent the INIT-ACK to.
2065 */
2066 netl = sctp_findnet(*stcb, to);
2067 /* This code should in theory NOT run but
2068 */
2069 if (netl == NULL) {
2070 int ret;
2071 #ifdef SCTP_DEBUG
2072 kprintf("TSNH! Huh, why do I need to add this address here?\n");
2073 #endif
2074 ret = sctp_add_remote_addr(*stcb, to, 0, 100);
2075 netl = sctp_findnet(*stcb, to);
2076 }
2077 if (netl) {
2078 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
2079 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
2080 sctp_set_primary_addr((*stcb), NULL,
2081 netl);
2082 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2083 (*stcb), 0, (void *)netl);
2084 }
2085 }
2086 #ifdef SCTP_DEBUG
2087 else {
2088 kprintf("Could not add source address for some reason\n");
2089 }
2090 #endif
2091
2092 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
2093 if (!had_a_existing_tcb ||
2094 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
2095 /*
2096 * If we have a NEW cookie or the connect never reached
2097 * the connected state during collision we must do the
2098 * TCP accept thing.
2099 */
2100 struct socket *so, *oso;
2101 struct sctp_inpcb *inp;
2102 if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
2103 /*
2104 * For a restart we will keep the same socket,
2105 * no need to do anything. I THINK!!
2106 */
2107 sctp_ulp_notify(notification, *stcb, 0, NULL);
2108 return (m);
2109 }
2110 oso = (*inp_p)->sctp_socket;
2111 SCTP_TCB_UNLOCK((*stcb));
2112 so = sonewconn(oso, SS_ISCONNECTED);
2113 SCTP_INP_WLOCK((*stcb)->sctp_ep);
2114 SCTP_TCB_LOCK((*stcb));
2115 SCTP_INP_WUNLOCK((*stcb)->sctp_ep);
2116 if (so == NULL) {
2117 struct mbuf *op_err;
2118 /* Too many sockets */
2119 #ifdef SCTP_DEBUG
2120 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
2121 kprintf("process_cookie_new: no room for another socket!\n");
2122 }
2123 #endif /* SCTP_DEBUG */
2124 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
2125 sctp_abort_association(*inp_p, NULL, m, iphlen,
2126 sh, op_err);
2127 sctp_free_assoc(*inp_p, *stcb);
2128 return (NULL);
2129 }
2130 inp = (struct sctp_inpcb *)so->so_pcb;
2131 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2132 SCTP_PCB_FLAGS_CONNECTED |
2133 SCTP_PCB_FLAGS_IN_TCPPOOL |
2134 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
2135 SCTP_PCB_FLAGS_DONT_WAKE);
2136 inp->sctp_socket = so;
2137
2138 /*
2139 * Now we must move it from one hash table to another
2140 * and get the tcb in the right place.
2141 */
2142 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
2143
2144 /* Switch over to the new guy */
2145 *inp_p = inp;
2146
2147 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp,
2148 *stcb, *netp);
2149
2150 sctp_ulp_notify(notification, *stcb, 0, NULL);
2151 return (m);
2152 }
2153 }
2154 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
2155 sctp_ulp_notify(notification, *stcb, 0, NULL);
2156 }
2157 return (m);
2158 }
2159
2160 static void
2161 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp,
2162 struct sctp_tcb *stcb, struct sctp_nets *net)
2163 {
2164 /* cp must not be used, others call this without a c-ack :-) */
2165 struct sctp_association *asoc;
2166
2167 #ifdef SCTP_DEBUG
2168 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2169 kprintf("sctp_handle_cookie_ack: handling COOKIE-ACK\n");
2170 }
2171 #endif
2172 if (stcb == NULL)
2173 return;
2174
2175 asoc = &stcb->asoc;
2176
2177 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net);
2178
2179 /* process according to association state */
2180 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
2181 /* state change only needed when I am in right state */
2182 #ifdef SCTP_DEBUG
2183 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2184 kprintf("moving to OPEN state\n");
2185 }
2186 #endif
2187 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2188 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING;
2189 } else {
2190 asoc->state = SCTP_STATE_OPEN;
2191 }
2192
2193 /* update RTO */
2194 if (asoc->overall_error_count == 0) {
2195 net->RTO = sctp_calculate_rto(stcb, asoc, net,
2196 &asoc->time_entered);
2197 }
2198 SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
2199 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL);
2200 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2201 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
2202 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2203 soisconnected(stcb->sctp_ep->sctp_socket);
2204 }
2205 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
2206 stcb, net);
2207 /* since we did not send a HB make sure we don't double things */
2208 net->hb_responded = 1;
2209
2210 if (stcb->asoc.sctp_autoclose_ticks &&
2211 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
2212 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
2213 stcb->sctp_ep, stcb, NULL);
2214 }
2215
2216 /*
2217 * set ASCONF timer if ASCONFs are pending and allowed
2218 * (eg. addresses changed when init/cookie echo in flight)
2219 */
2220 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_DO_ASCONF) &&
2221 (stcb->asoc.peer_supports_asconf) &&
2222 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
2223 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
2224 stcb->sctp_ep, stcb,
2225 stcb->asoc.primary_destination);
2226 }
2227
2228 }
2229 /* Toss the cookie if I can */
2230 sctp_toss_old_cookies(asoc);
2231 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
2232 /* Restart the timer if we have pending data */
2233 struct sctp_tmit_chunk *chk;
2234 chk = TAILQ_FIRST(&asoc->sent_queue);
2235 if (chk) {
2236 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2237 stcb, chk->whoTo);
2238 }
2239 }
2240
2241 }
2242
2243 static void
2244 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
2245 struct sctp_tcb *stcb)
2246 {
2247 struct sctp_nets *net;
2248 struct sctp_tmit_chunk *lchk;
2249 u_int32_t tsn;
2250 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) {
2251 return;
2252 }
2253 sctp_pegs[SCTP_ECNE_RCVD]++;
2254 tsn = ntohl(cp->tsn);
2255 /* ECN Nonce stuff: need a resync and disable the nonce sum check */
2256 /* Also we make sure we disable the nonce_wait */
2257 lchk = TAILQ_FIRST(&stcb->asoc.send_queue);
2258 if (lchk == NULL) {
2259 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq;
2260 } else {
2261 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq;
2262 }
2263 stcb->asoc.nonce_wait_for_ecne = 0;
2264 stcb->asoc.nonce_sum_check = 0;
2265
2266 /* Find where it was sent, if possible */
2267 net = NULL;
2268 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue);
2269 while (lchk) {
2270 if (lchk->rec.data.TSN_seq == tsn) {
2271 net = lchk->whoTo;
2272 break;
2273 }
2274 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ))
2275 break;
2276 lchk = TAILQ_NEXT(lchk, sctp_next);
2277 }
2278 if (net == NULL)
2279 /* default is we use the primary */
2280 net = stcb->asoc.primary_destination;
2281
2282 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) {
2283 #ifdef SCTP_CWND_LOGGING
2284 int old_cwnd;
2285 #endif
2286 #ifdef SCTP_CWND_LOGGING
2287 old_cwnd = net->cwnd;
2288 #endif
2289 sctp_pegs[SCTP_CWR_PERFO]++;
2290 net->ssthresh = net->cwnd / 2;
2291 if (net->ssthresh < net->mtu) {
2292 net->ssthresh = net->mtu;
2293 /* here back off the timer as well, to slow us down */
2294 net->RTO <<= 2;
2295 }
2296 net->cwnd = net->ssthresh;
2297 #ifdef SCTP_CWND_LOGGING
2298 sctp_log_cwnd(net, (net->cwnd-old_cwnd), SCTP_CWND_LOG_FROM_SAT);
2299 #endif
2300 /* we reduce once every RTT. So we will only lower
2301 * cwnd at the next sending seq i.e. the resync_tsn.
2302 */
2303 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn;
2304 }
2305 /*
2306 * We always send a CWR this way if our previous one was lost
2307 * our peer will get an update, or if it is not time again
2308 * to reduce we still get the cwr to the peer.
2309 */
2310 sctp_send_cwr(stcb, net, tsn);
2311 }
2312
2313 static void
2314 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb)
2315 {
2316 /* Here we get a CWR from the peer. We must look in
2317 * the outqueue and make sure that we have a covered
2318 * ECNE in teh control chunk part. If so remove it.
2319 */
2320 struct sctp_tmit_chunk *chk;
2321 struct sctp_ecne_chunk *ecne;
2322
2323 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
2324 if (chk->rec.chunk_id != SCTP_ECN_ECHO) {
2325 continue;
2326 }
2327 /* Look for and remove if it is the right TSN. Since
2328 * there is only ONE ECNE on the control queue at
2329 * any one time we don't need to worry about more than
2330 * one!
2331 */
2332 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
2333 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn),
2334 MAX_TSN) || (cp->tsn == ecne->tsn)) {
2335 /* this covers this ECNE, we can remove it */
2336 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
2337 sctp_next);
2338 if (chk->data) {
2339 sctp_m_freem(chk->data);
2340 chk->data = NULL;
2341 }
2342 stcb->asoc.ctrl_queue_cnt--;
2343 sctp_free_remote_addr(chk->whoTo);
2344 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk);
2345 sctppcbinfo.ipi_count_chunk--;
2346 if ((int)sctppcbinfo.ipi_count_chunk < 0) {
2347 panic("Chunk count is negative");
2348 }
2349 sctppcbinfo.ipi_gencnt_chunk++;
2350 break;
2351 }
2352 }
2353 }
2354
2355 static void
2356 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp,
2357 struct sctp_tcb *stcb, struct sctp_nets *net)
2358 {
2359 struct sctp_association *asoc;
2360
2361 #ifdef SCTP_DEBUG
2362 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2363 kprintf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
2364 }
2365 #endif
2366 if (stcb == NULL)
2367 return;
2368
2369 asoc = &stcb->asoc;
2370 /* process according to association state */
2371 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
2372 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
2373 return;
2374 }
2375 /* notify upper layer protocol */
2376 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL);
2377 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2378 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
2379 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED;
2380 stcb->sctp_ep->sctp_socket->so_snd.ssb_cc = 0;
2381 stcb->sctp_ep->sctp_socket->so_snd.ssb_mbcnt = 0;
2382 soisdisconnected(stcb->sctp_ep->sctp_socket);
2383 }
2384 /* are the queues empty? they should be */
2385 if (!TAILQ_EMPTY(&asoc->send_queue) ||
2386 !TAILQ_EMPTY(&asoc->sent_queue) ||
2387 !TAILQ_EMPTY(&asoc->out_wheel)) {
2388 sctp_report_all_outbound(stcb);
2389 }
2390 /* stop the timer */
2391 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net);
2392 /* free the TCB */
2393 sctp_free_assoc(stcb->sctp_ep, stcb);
2394 return;
2395 }
2396
2397 static int
2398 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
2399 struct sctp_nets *net, u_int8_t flg)
2400 {
2401 switch (desc->chunk_type) {
2402 case SCTP_DATA:
2403 /* find the tsn to resend (possibly */
2404 {
2405 u_int32_t tsn;
2406 struct sctp_tmit_chunk *tp1;
2407 tsn = ntohl(desc->tsn_ifany);
2408 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2409 while (tp1) {
2410 if (tp1->rec.data.TSN_seq == tsn) {
2411 /* found it */
2412 break;
2413 }
2414 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn,
2415 MAX_TSN)) {
2416 /* not found */
2417 tp1 = NULL;
2418 break;
2419 }
2420 tp1 = TAILQ_NEXT(tp1, sctp_next);
2421 }
2422 if (tp1 == NULL) {
2423 /* Do it the other way */
2424 sctp_pegs[SCTP_PDRP_DNFND]++;
2425 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2426 while (tp1) {
2427 if (tp1->rec.data.TSN_seq == tsn) {
2428 /* found it */
2429 break;
2430 }
2431 tp1 = TAILQ_NEXT(tp1, sctp_next);
2432 }
2433 }
2434 if (tp1 == NULL) {
2435 sctp_pegs[SCTP_PDRP_TSNNF]++;
2436 }
2437 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
2438 u_int8_t *ddp;
2439 if (((tp1->rec.data.state_flags & SCTP_WINDOW_PROBE) == SCTP_WINDOW_PROBE) &&
2440 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
2441 sctp_pegs[SCTP_PDRP_DIWNP]++;
2442 return (0);
2443 }
2444 if (stcb->asoc.peers_rwnd == 0 &&
2445 (flg & SCTP_FROM_MIDDLE_BOX)) {
2446 sctp_pegs[SCTP_PDRP_DIZRW]++;
2447 return (0);
2448 }
2449 ddp = (u_int8_t *)(mtod(tp1->data, caddr_t) +
2450 sizeof(struct sctp_data_chunk));
2451 {
2452 unsigned int iii;
2453 for (iii = 0; iii < sizeof(desc->data_bytes);
2454 iii++) {
2455 if (ddp[iii] != desc->data_bytes[iii]) {
2456 sctp_pegs[SCTP_PDRP_BADD]++;
2457 return (-1);
2458 }
2459 }
2460 }
2461 if (tp1->sent != SCTP_DATAGRAM_RESEND) {
2462 stcb->asoc.sent_queue_retran_cnt++;
2463 }
2464 /* We zero out the nonce so resync not needed */
2465 tp1->rec.data.ect_nonce = 0;
2466
2467 if (tp1->do_rtt) {
2468 /*
2469 * this guy had a RTO calculation pending on it,
2470 * cancel it
2471 */
2472 tp1->whoTo->rto_pending = 0;
2473 tp1->do_rtt = 0;
2474 }
2475 sctp_pegs[SCTP_PDRP_MARK]++;
2476 tp1->sent = SCTP_DATAGRAM_RESEND;
2477 /*
2478 * mark it as if we were doing a FR, since we
2479 * will be getting gap ack reports behind the
2480 * info from the router.
2481 */
2482 tp1->rec.data.doing_fast_retransmit = 1;
2483 /*
2484 * mark the tsn with what sequences can cause a new FR.
2485 */
2486 if (TAILQ_EMPTY(&stcb->asoc.send_queue) ) {
2487 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
2488 } else {
2489 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
2490 }
2491
2492 /* restart the timer */
2493 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2494 stcb, tp1->whoTo);
2495 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2496 stcb, tp1->whoTo);
2497
2498 /* fix counts and things */
2499 tp1->whoTo->flight_size -= tp1->send_size;
2500 if (tp1->whoTo->flight_size < 0) {
2501 tp1->whoTo->flight_size = 0;
2502 }
2503 stcb->asoc.total_flight -= tp1->book_size;
2504 if (stcb->asoc.total_flight < 0) {
2505 stcb->asoc.total_flight = 0;
2506 }
2507 stcb->asoc.total_flight_count--;
2508 if (stcb->asoc.total_flight_count < 0) {
2509 stcb->asoc.total_flight_count = 0;
2510 }
2511 tp1->snd_count--;
2512 }
2513 {
2514 /* audit code */
2515 unsigned int audit;
2516 audit = 0;
2517 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
2518 if (tp1->sent == SCTP_DATAGRAM_RESEND)
2519 audit++;
2520 }
2521 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
2522 sctp_next) {
2523 if (tp1->sent == SCTP_DATAGRAM_RESEND)
2524 audit++;
2525 }
2526 if (audit != stcb->asoc.sent_queue_retran_cnt) {
2527 kprintf("**Local Audit finds cnt:%d asoc cnt:%d\n",
2528 audit, stcb->asoc.sent_queue_retran_cnt);
2529 #ifndef SCTP_AUDITING_ENABLED
2530 stcb->asoc.sent_queue_retran_cnt = audit;
2531 #endif
2532 }
2533 }
2534 }
2535 break;
2536 case SCTP_ASCONF:
2537 {
2538 struct sctp_tmit_chunk *asconf;
2539 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
2540 sctp_next) {
2541 if (asconf->rec.chunk_id == SCTP_ASCONF) {
2542 break;
2543 }
2544 }
2545 if (asconf) {
2546 if (asconf->sent != SCTP_DATAGRAM_RESEND)
2547 stcb->asoc.sent_queue_retran_cnt++;
2548 asconf->sent = SCTP_DATAGRAM_RESEND;
2549 asconf->snd_count--;
2550 }
2551 }
2552 break;
2553 case SCTP_INITIATION:
2554 /* resend the INIT */
2555 stcb->asoc.dropped_special_cnt++;
2556 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
2557 /*
2558 * If we can get it in, in a few attempts we do this,
2559 * otherwise we let the timer fire.
2560 */
2561 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
2562 stcb, net);
2563 sctp_send_initiate(stcb->sctp_ep, stcb);
2564 }
2565 break;
2566 case SCTP_SELECTIVE_ACK:
2567 /* resend the sack */
2568 sctp_send_sack(stcb);
2569 break;
2570 case SCTP_HEARTBEAT_REQUEST:
2571 /* resend a demand HB */
2572 sctp_send_hb(stcb, 1, net);
2573 break;
2574 case SCTP_SHUTDOWN:
2575 #ifdef SCTP_DEBUG
2576 if (sctp_debug_on & SCTP_DEBUG_OUTPUT4) {
2577 kprintf("%s:%d sends a shutdown\n",
2578 __FILE__,
2579 __LINE__
2580 );
2581 }
2582 #endif
2583 sctp_send_shutdown(stcb, net);
2584 break;
2585 case SCTP_SHUTDOWN_ACK:
2586 sctp_send_shutdown_ack(stcb, net);
2587 break;
2588 case SCTP_COOKIE_ECHO:
2589 {
2590 struct sctp_tmit_chunk *cookie;
2591 cookie = NULL;
2592 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
2593 sctp_next) {
2594 if (cookie->rec.chunk_id == SCTP_COOKIE_ECHO) {
2595 break;
2596 }
2597 }
2598 if (cookie) {
2599 if (cookie->sent != SCTP_DATAGRAM_RESEND)
2600 stcb->asoc.sent_queue_retran_cnt++;
2601 cookie->sent = SCTP_DATAGRAM_RESEND;
2602 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net);
2603 }
2604 }
2605 break;
2606 case SCTP_COOKIE_ACK:
2607 sctp_send_cookie_ack(stcb);
2608 break;
2609 case SCTP_ASCONF_ACK:
2610 /* resend last asconf ack */
2611 sctp_send_asconf_ack(stcb, 1);
2612 break;
2613 case SCTP_FORWARD_CUM_TSN:
2614 send_forward_tsn(stcb, &stcb->asoc);
2615 break;
2616 /* can't do anything with these */
2617 case SCTP_PACKET_DROPPED:
2618 case SCTP_INITIATION_ACK: /* this should not happen */
2619 case SCTP_HEARTBEAT_ACK:
2620 case SCTP_ABORT_ASSOCIATION:
2621 case SCTP_OPERATION_ERROR:
2622 case SCTP_SHUTDOWN_COMPLETE:
2623 case SCTP_ECN_ECHO:
2624 case SCTP_ECN_CWR:
2625 default:
2626 break;
2627 }
2628 return (0);
2629 }
2630
2631 static void
2632 sctp_reset_in_stream(struct sctp_tcb *stcb,
2633 struct sctp_stream_reset_response *resp, int number_entries)
2634 {
2635 int i;
2636 uint16_t *list, temp;
2637
2638 /* We set things to 0xffff since this is the last delivered
2639 * sequence and we will be sending in 0 after the reset.
2640 */
2641
2642 if (resp->reset_flags & SCTP_RESET_PERFORMED) {
2643 if (number_entries) {
2644 list = resp->list_of_streams;
2645 for (i = 0; i < number_entries; i++) {
2646 temp = ntohs(list[i]);
2647 list[i] = temp;
2648 if (list[i] >= stcb->asoc.streamincnt) {
2649 kprintf("Invalid stream in-stream reset %d\n", list[i]);
2650 continue;
2651 }
2652 stcb->asoc.strmin[(list[i])].last_sequence_delivered = 0xffff;
2653 }
2654 } else {
2655 list = NULL;
2656 for (i = 0; i < stcb->asoc.streamincnt; i++) {
2657 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff;
2658 }
2659 }
2660 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list);
2661 }
2662 }
2663
2664 static void
2665 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
2666 {
2667 struct sctp_tmit_chunk *chk, *nchk;
2668 struct sctp_association *asoc;
2669
2670 asoc = &stcb->asoc;
2671
2672 for (chk = TAILQ_FIRST(&asoc->control_send_queue);
2673 chk; chk = nchk) {
2674 nchk = TAILQ_NEXT(chk, sctp_next);
2675 if (chk->rec.chunk_id == SCTP_STREAM_RESET) {
2676 struct sctp_stream_reset_req *strreq;
2677 strreq = mtod(chk->data, struct sctp_stream_reset_req *);
2678 if (strreq->sr_req.ph.param_type == ntohs(SCTP_STR_RESET_RESPONSE)) {
2679 /* we only clean up the request */
2680 continue;
2681 } else if (strreq->sr_req.ph.param_type != ntohs(SCTP_STR_RESET_REQUEST)) {
2682 kprintf("TSNH, an unknown stream reset request is in queue %x\n",
2683 (u_int)ntohs(strreq->sr_req.ph.param_type));
2684 continue;
2685 }
2686 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
2687 TAILQ_REMOVE(&asoc->control_send_queue,
2688 chk,
2689 sctp_next);
2690 if (chk->data) {
2691 sctp_m_freem(chk->data);
2692 chk->data = NULL;
2693 }
2694 asoc->ctrl_queue_cnt--;
2695 sctp_free_remote_addr(chk->whoTo);
2696 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk);
2697 sctppcbinfo.ipi_count_chunk--;
2698 if ((int)sctppcbinfo.ipi_count_chunk < 0) {
2699 panic("Chunk count is negative");
2700 }
2701 sctppcbinfo.ipi_gencnt_chunk++;
2702 /* we can only have one of these so we break */
2703 break;
2704 }
2705 }
2706 }
2707
2708
2709 void
2710 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
2711 struct sctp_stream_reset_response *resp)
2712 {
2713 uint32_t seq, tsn;
2714 int number_entries, param_length;
2715
2716 param_length = ntohs(resp->ph.param_length);
2717 seq = ntohl(resp->reset_req_seq_resp);
2718 if (seq == stcb->asoc.str_reset_seq_out) {
2719 sctp_clean_up_stream_reset(stcb);
2720 stcb->asoc.str_reset_seq_out++;
2721 stcb->asoc.stream_reset_outstanding = 0;
2722 tsn = ntohl(resp->reset_at_tsn);
2723 number_entries = (param_length - sizeof(struct sctp_stream_reset_response))/sizeof(uint16_t);
2724 tsn--;
2725 if ((tsn == stcb->asoc.cumulative_tsn) ||
2726 (compare_with_wrap(stcb->asoc.cumulative_tsn, tsn, MAX_TSN))) {
2727 /* no problem we are good to go */
2728 sctp_reset_in_stream(stcb, resp, number_entries);
2729 } else {
2730 /* So, we have a stream reset but there
2731 * is pending data. We need to copy
2732 * out the stream_reset and then queue
2733 * any data = or > resp->reset_at_tsn
2734 */
2735 if (stcb->asoc.pending_reply != NULL) {
2736 /* FIX ME FIX ME
2737 * This IS WRONG. We need
2738 * to queue each of these up
2739 * and only release the chunks
2740 * for each reset that the cum-ack
2741 * goes by. This is a short cut.
2742 */
2743 kfree(stcb->asoc.pending_reply, M_PCB);
2744 stcb->asoc.pending_reply = NULL;
2745 }
2746 stcb->asoc.pending_reply = kmalloc(param_length, M_PCB,
2747 M_NOWAIT);
2748 if (stcb->asoc.pending_reply == NULL)
2749 return; /* XXX */
2750 memcpy(stcb->asoc.pending_reply, resp, param_length);
2751 }
2752
2753 } else {
2754 /* duplicate */
2755 #ifdef SCTP_DEBUG
2756 kprintf("Duplicate old stream reset resp next:%x this one:%x\n",
2757 stcb->asoc.str_reset_seq_out, seq);
2758 #endif
2759 }
2760 }
2761
2762
2763 static void
2764 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_req *sr_req)
2765 {
2766 int chk_length, param_len;
2767 struct sctp_paramhdr *ph;
2768 /* now it may be a reset or a reset-response */
2769 struct sctp_stream_reset_request *req;
2770 struct sctp_stream_reset_response *resp;
2771 chk_length = ntohs(sr_req->ch.chunk_length);
2772
2773 ph = (struct sctp_paramhdr *)&sr_req->sr_req;
2774 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_request)) {
2775 param_len = ntohs(ph->param_length);
2776 if (ntohs(ph->param_type) == SCTP_STR_RESET_REQUEST) {
2777 /* this will send the ACK and do the reset if needed */
2778 req = (struct sctp_stream_reset_request *)ph;
2779 sctp_send_str_reset_ack(stcb, req);
2780 } else if (ntohs(ph->param_type) == SCTP_STR_RESET_RESPONSE) {
2781 /* Now here is a tricky one. We reset our receive side
2782 * of the streams. But what happens if the peers
2783 * next sending TSN is NOT equal to 1 minus our cumack?
2784 * And if his cumack is not equal to our next one out - 1
2785 * we have another problem if this is receprical.
2786 */
2787 resp = (struct sctp_stream_reset_response *)ph;
2788 sctp_handle_stream_reset_response(stcb, resp);
2789 }
2790 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len));
2791 chk_length -= SCTP_SIZE32(param_len);
2792 }
2793 }
2794
2795 /*
2796 * Handle a router or endpoints report of a packet loss, there
2797 * are two ways to handle this, either we get the whole packet
2798 * and must disect it ourselves (possibly with truncation and
2799 * or corruption) or it is a summary from a middle box that did
2800 * the disectting for us.
2801 */
2802 static void
2803 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
2804 struct sctp_tcb *stcb, struct sctp_nets *net)
2805 {
2806 u_int32_t bottle_bw, on_queue;
2807 u_int16_t trunc_len;
2808 unsigned int chlen;
2809 unsigned int at;
2810 struct sctp_chunk_desc desc;
2811 struct sctp_chunkhdr *ch;
2812
2813 chlen = ntohs(cp->ch.chunk_length);
2814 chlen -= sizeof(struct sctp_pktdrop_chunk);
2815 /* XXX possible chlen underflow */
2816 if (chlen == 0) {
2817 ch = NULL;
2818 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
2819 sctp_pegs[SCTP_PDRP_BWRPT]++;
2820 } else {
2821 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
2822 chlen -= sizeof(struct sctphdr);
2823 /* XXX possible chlen underflow */
2824 memset(&desc, 0, sizeof(desc));
2825 }
2826
2827 /* first update a rwnd possibly */
2828 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
2829 /* From a peer, we get a rwnd report */
2830 u_int32_t a_rwnd;
2831
2832 sctp_pegs[SCTP_PDRP_FEHOS]++;
2833
2834 bottle_bw = ntohl(cp->bottle_bw);
2835 on_queue = ntohl(cp->current_onq);
2836 if (bottle_bw && on_queue) {
2837 /* a rwnd report is in here */
2838 if (bottle_bw > on_queue)
2839 a_rwnd = bottle_bw - on_queue;
2840 else
2841 a_rwnd = 0;
2842
2843 if (a_rwnd <= 0)
2844 stcb->asoc.peers_rwnd = 0;
2845 else {
2846 if (a_rwnd > stcb->asoc.total_flight) {
2847 stcb->asoc.peers_rwnd =
2848 a_rwnd - stcb->asoc.total_flight;
2849 } else {
2850 stcb->asoc.peers_rwnd = 0;
2851 }
2852 if (stcb->asoc.peers_rwnd <
2853 stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
2854 /* SWS sender side engages */
2855 stcb->asoc.peers_rwnd = 0;
2856 }
2857 }
2858 }
2859 } else {
2860 sctp_pegs[SCTP_PDRP_FMBOX]++;
2861 }
2862 trunc_len = (u_int16_t)ntohs(cp->trunc_len);
2863 /* now the chunks themselves */
2864 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
2865 desc.chunk_type = ch->chunk_type;
2866 /* get amount we need to move */
2867 at = ntohs(ch->chunk_length);
2868 if (at < sizeof(struct sctp_chunkhdr)) {
2869 /* corrupt chunk, maybe at the end? */
2870 sctp_pegs[SCTP_PDRP_CRUPT]++;
2871 break;
2872 }
2873 if (trunc_len == 0) {
2874 /* we are supposed to have all of it */
2875 if (at > chlen) {
2876 /* corrupt skip it */
2877 sctp_pegs[SCTP_PDRP_CRUPT]++;
2878 break;
2879 }
2880 } else {
2881 /* is there enough of it left ? */
2882 if (desc.chunk_type == SCTP_DATA) {
2883 if (chlen < (sizeof(struct sctp_data_chunk) +
2884 sizeof(desc.data_bytes))) {
2885 break;
2886 }
2887 } else {
2888 if (chlen < sizeof(struct sctp_chunkhdr)) {
2889 break;
2890 }
2891 }
2892 }
2893 if (desc.chunk_type == SCTP_DATA) {
2894 /* can we get out the tsn? */
2895 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
2896 sctp_pegs[SCTP_PDRP_MB_DA]++;
2897
2898 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(u_int32_t)) ) {
2899 /* yep */
2900 struct sctp_data_chunk *dcp;
2901 u_int8_t *ddp;
2902 unsigned int iii;
2903 dcp = (struct sctp_data_chunk *)ch;
2904 ddp = (u_int8_t *)(dcp + 1);
2905 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) {
2906 desc.data_bytes[iii] = ddp[iii];
2907 }
2908 desc.tsn_ifany = dcp->dp.tsn;
2909 } else {
2910 /* nope we are done. */
2911 sctp_pegs[SCTP_PDRP_NEDAT]++;
2912 break;
2913 }
2914 } else {
2915 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
2916 sctp_pegs[SCTP_PDRP_MB_CT]++;
2917 }
2918
2919 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
2920 sctp_pegs[SCTP_PDRP_PDBRK]++;
2921 break;
2922 }
2923 if (SCTP_SIZE32(at) > chlen) {
2924 break;
2925 }
2926 chlen -= SCTP_SIZE32(at);
2927 if (chlen < sizeof(struct sctp_chunkhdr)) {
2928 /* done, none left */
2929 break;
2930 }
2931 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at));
2932 }
2933
2934 /* now middle boxes in sat networks get a cwnd bump */
2935 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
2936 (stcb->asoc.sat_t3_loss_recovery == 0) &&
2937 (stcb->asoc.sat_network)) {
2938 /*
2939 * This is debateable but for sat networks it makes sense
2940 * Note if a T3 timer has went off, we will prohibit any
2941 * changes to cwnd until we exit the t3 loss recovery.
2942 */
2943 u_int32_t bw_avail;
2944 int rtt, incr;
2945 #ifdef SCTP_CWND_LOGGING
2946 int old_cwnd=net->cwnd;
2947 #endif
2948 /* need real RTT for this calc */
2949 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1;
2950 /* get bottle neck bw */
2951 bottle_bw = ntohl(cp->bottle_bw);
2952 /* and whats on queue */
2953 on_queue = ntohl(cp->current_onq);
2954 /*
2955 * adjust the on-queue if our flight is more it could be
2956 * that the router has not yet gotten data "in-flight" to it
2957 */
2958 if (on_queue < net->flight_size)
2959 on_queue = net->flight_size;
2960
2961 /* calculate the available space */
2962 bw_avail = (bottle_bw*rtt)/1000;
2963 if (bw_avail > bottle_bw) {
2964 /*
2965 * Cap the growth to no more than the bottle neck.
2966 * This can happen as RTT slides up due to queues.
2967 * It also means if you have more than a 1 second
2968 * RTT with a empty queue you will be limited to
2969 * the bottle_bw per second no matter if
2970 * other points have 1/2 the RTT and you could
2971 * get more out...
2972 */
2973 bw_avail = bottle_bw;
2974 }
2975
2976 if (on_queue > bw_avail) {
2977 /*
2978 * No room for anything else don't allow anything
2979 * else to be "added to the fire".
2980 */
2981 int seg_inflight, seg_onqueue, my_portion;
2982 net->partial_bytes_acked = 0;
2983
2984 /* how much are we over queue size? */
2985 incr = on_queue - bw_avail;
2986 if (stcb->asoc.seen_a_sack_this_pkt) {
2987 /* undo any cwnd adjustment that
2988 * the sack might have made
2989 */
2990 net->cwnd = net->prev_cwnd;
2991 }
2992
2993 /* Now how much of that is mine? */
2994 seg_inflight = net->flight_size / net->mtu;
2995 seg_onqueue = on_queue / net->mtu;
2996 my_portion = (incr * seg_inflight)/seg_onqueue;
2997
2998 /* Have I made an adjustment already */
2999 if (net->cwnd > net->flight_size) {
3000 /* for this flight I made an adjustment
3001 * we need to decrease the portion by a share
3002 * our previous adjustment.
3003 */
3004 int diff_adj;
3005 diff_adj = net->cwnd - net->flight_size;
3006 if (diff_adj > my_portion)
3007 my_portion = 0;
3008 else
3009 my_portion -= diff_adj;
3010 }
3011
3012 /* back down to the previous cwnd (assume
3013 * we have had a sack before this packet). minus
3014 * what ever portion of the overage is my fault.
3015 */
3016 net->cwnd -= my_portion;
3017
3018 /* we will NOT back down more than 1 MTU */
3019 if (net->cwnd <= net->mtu) {
3020 net->cwnd = net->mtu;
3021 }
3022 /* force into CA */
3023 net->ssthresh = net->cwnd - 1;
3024 } else {
3025 /*
3026 * Take 1/4 of the space left or
3027 * max burst up .. whichever is less.
3028 */
3029 incr = min((bw_avail - on_queue) >> 2,
3030 (int)stcb->asoc.max_burst * (int)net->mtu);
3031 net->cwnd += incr;
3032 }
3033 if (net->cwnd > bw_avail) {
3034 /* We can't exceed the pipe size */
3035 net->cwnd = bw_avail;
3036 }
3037 if (net->cwnd < net->mtu) {
3038 /* We always have 1 MTU */
3039 net->cwnd = net->mtu;
3040 }
3041 #ifdef SCTP_CWND_LOGGING
3042 if (net->cwnd - old_cwnd != 0) {
3043 /* log only changes */
3044 sctp_log_cwnd(net, (net->cwnd - old_cwnd),
3045 SCTP_CWND_LOG_FROM_SAT);
3046 }
3047 #endif
3048 }
3049 }
3050
3051 extern int sctp_strict_init;
3052
3053 /*
3054 * handles all control chunks in a packet
3055 * inputs:
3056 * - m: mbuf chain, assumed to still contain IP/SCTP header
3057 * - stcb: is the tcb found for this packet
3058 * - offset: offset into the mbuf chain to first chunkhdr
3059 * - length: is the length of the complete packet
3060 * outputs:
3061 * - length: modified to remaining length after control processing
3062 * - netp: modified to new sctp_nets after cookie-echo processing
3063 * - return NULL to discard the packet (ie. no asoc, bad packet,...)
3064 * otherwise return the tcb for this packet
3065 */
3066 static struct sctp_tcb *
3067 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
3068 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
3069 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen)
3070 {
3071 struct sctp_association *asoc;
3072 u_int32_t vtag_in;
3073 int num_chunks = 0; /* number of control chunks processed */
3074 int chk_length;
3075 int ret;
3076
3077 /*
3078 * How big should this be, and should it be alloc'd?
3079 * Lets try the d-mtu-ceiling for now (2k) and that should
3080 * hopefully work ... until we get into jumbo grams and such..
3081 */
3082 u_int8_t chunk_buf[DEFAULT_CHUNK_BUFFER];
3083 struct sctp_tcb *locked_tcb = stcb;
3084
3085 #ifdef SCTP_DEBUG
3086 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3087 kprintf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
3088 iphlen, *offset, length, stcb);
3089 }
3090 #endif /* SCTP_DEBUG */
3091
3092 /* validate chunk header length... */
3093 if (ntohs(ch->chunk_length) < sizeof(*ch)) {
3094 return (NULL);
3095 }
3096
3097 /*
3098 * validate the verification tag
3099 */
3100 #ifdef SCTP_DEBUG
3101 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3102 kprintf("sctp_process_control: validating vtags\n");
3103 }
3104 #endif /* SCTP_DEBUG */
3105 vtag_in = ntohl(sh->v_tag);
3106 if (ch->chunk_type == SCTP_INITIATION) {
3107 if (vtag_in != 0) {
3108 /* protocol error- silently discard... */
3109 #ifdef SCTP_DEBUG
3110 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3111 kprintf("sctp_process_control: INIT with vtag != 0\n");
3112 }
3113 #endif /* SCTP_DEBUG */
3114 sctp_pegs[SCTP_BAD_VTAGS]++;
3115 if (locked_tcb)
3116 SCTP_TCB_UNLOCK(locked_tcb);
3117 return (NULL);
3118 }
3119 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
3120 /*
3121 * first check if it's an ASCONF with an unknown src addr
3122 * we need to look inside to find the association
3123 */
3124 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
3125 stcb = sctp_findassociation_ep_asconf(m, iphlen,
3126 *offset, sh, &inp, netp);
3127 }
3128 if (stcb == NULL) {
3129 /* no association, so it's out of the blue... */
3130 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL);
3131 #ifdef SCTP_DEBUG
3132 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3133 kprintf("sctp_process_control: handling OOTB packet, chunk type=%xh\n",
3134 ch->chunk_type);
3135 }
3136 #endif /* SCTP_DEBUG */
3137 *offset = length;
3138 if (locked_tcb)
3139 SCTP_TCB_UNLOCK(locked_tcb);
3140 return (NULL);
3141 }
3142 asoc = &stcb->asoc;
3143 /* ABORT and SHUTDOWN can use either v_tag... */
3144 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
3145 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
3146 (ch->chunk_type == SCTP_PACKET_DROPPED)) {
3147 if ((vtag_in == asoc->my_vtag) ||
3148 ((ch->chunk_flags & SCTP_HAD_NO_TCB) &&
3149 (vtag_in == asoc->peer_vtag))) {
3150 /* this is valid */
3151 } else {
3152 /* drop this packet... */
3153 sctp_pegs[SCTP_BAD_VTAGS]++;
3154 if (locked_tcb)
3155 SCTP_TCB_UNLOCK(locked_tcb);
3156 return (NULL);
3157 }
3158 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
3159 if (vtag_in != asoc->my_vtag) {
3160 /*
3161 * this could be a stale SHUTDOWN-ACK or the
3162 * peer never got the SHUTDOWN-COMPLETE and
3163 * is still hung; we have started a new asoc
3164 * but it won't complete until the shutdown is
3165 * completed
3166 */
3167 if (locked_tcb)
3168 SCTP_TCB_UNLOCK(locked_tcb);
3169 sctp_handle_ootb(m, iphlen, *offset, sh, inp,
3170 NULL);
3171 return (NULL);
3172 }
3173 } else {
3174 /* for all other chunks, vtag must match */
3175
3176 if (vtag_in != asoc->my_vtag) {
3177 /* invalid vtag... */
3178 #ifdef SCTP_DEBUG
3179 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3180 kprintf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag);
3181 }
3182 #endif /* SCTP_DEBUG */
3183 sctp_pegs[SCTP_BAD_VTAGS]++;
3184 if (locked_tcb)
3185 SCTP_TCB_UNLOCK(locked_tcb);
3186 *offset = length;
3187 return (NULL);
3188 }
3189 }
3190 } /* end if !SCTP_COOKIE_ECHO */
3191
3192 #ifdef SCTP_DEBUG
3193 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3194 kprintf("sctp_process_control: vtags ok, processing ctrl chunks\n");
3195 }
3196 #endif /* SCTP_DEBUG */
3197
3198 /*
3199 * process all control chunks...
3200 */
3201 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
3202 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
3203 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
3204 /* implied cookie-ack.. we must have lost the ack */
3205 stcb->asoc.overall_error_count = 0;
3206 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
3207 }
3208
3209 while (IS_SCTP_CONTROL(ch)) {
3210 /* validate chunk length */
3211 chk_length = ntohs(ch->chunk_length);
3212 #ifdef SCTP_DEBUG
3213 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
3214 kprintf("sctp_process_control: processing a chunk type=%u, len=%u\n", ch->chunk_type, chk_length);
3215 }
3216 #endif /* SCTP_DEBUG */
3217 if ((size_t)chk_length < sizeof(*ch) ||
3218 (*offset + chk_length) > length) {
3219 #ifdef SCTP_DEBUG
3220 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3221 kprintf("sctp_process_control: chunk length invalid! *offset:%u, chk_length:%u > length:%u\n",
3222 *offset, length, chk_length);
3223 }
3224 #endif /* SCTP_DEBUG */
3225 *offset = length;
3226 if (locked_tcb)
3227 SCTP_TCB_UNLOCK(locked_tcb);
3228 return (NULL);
3229 }
3230
3231 /*
3232 * INIT-ACK only gets the init ack "header" portion only
3233 * because we don't have to process the peer's COOKIE.
3234 * All others get a complete chunk.
3235 */
3236 if (ch->chunk_type == SCTP_INITIATION_ACK) {
3237 /* get an init-ack chunk */
3238 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3239 sizeof(struct sctp_init_ack), chunk_buf);
3240 if (ch == NULL) {
3241 *offset = length;
3242 if (locked_tcb)
3243 SCTP_TCB_UNLOCK(locked_tcb);
3244 return (NULL);
3245 }
3246 } else {
3247 /* get a complete chunk... */
3248 if ((size_t)chk_length > sizeof(chunk_buf)) {
3249 struct mbuf *oper;
3250 struct sctp_paramhdr *phdr;
3251 oper = NULL;
3252 MGETHDR(oper, MB_DONTWAIT, MT_HEADER);
3253 if (oper) {
3254 /* pre-reserve some space */
3255 oper->m_data +=
3256 sizeof(struct sctp_chunkhdr);
3257 phdr =
3258 mtod(oper, struct sctp_paramhdr *);
3259 phdr->param_type =
3260 htons(SCTP_CAUSE_OUT_OF_RESC);
3261 phdr->param_length =
3262 htons(sizeof(struct sctp_paramhdr));
3263 sctp_queue_op_err(stcb, oper);
3264 }
3265 if (locked_tcb)
3266 SCTP_TCB_UNLOCK(locked_tcb);
3267 return (NULL);
3268 }
3269 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3270 chk_length, chunk_buf);
3271 if (ch == NULL) {
3272 kprintf("sctp_process_control: Can't get the all data....\n");
3273 *offset = length;
3274 if (locked_tcb)
3275 SCTP_TCB_UNLOCK(locked_tcb);
3276 return (NULL);
3277 }
3278
3279 }
3280 num_chunks++;
3281 /* Save off the last place we got a control from */
3282 if ((*netp) && stcb) {
3283 stcb->asoc.last_control_chunk_from = *netp;
3284 }
3285 #ifdef SCTP_AUDITING_ENABLED
3286 sctp_audit_log(0xB0, ch->chunk_type);
3287 #endif
3288 switch (ch->chunk_type) {
3289 case SCTP_INITIATION:
3290 /* must be first and only chunk */
3291 #ifdef SCTP_DEBUG
3292 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3293 kprintf("SCTP_INIT\n");
3294 }
3295 #endif /* SCTP_DEBUG */
3296 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3297 /* We are not interested anymore */
3298 if (locked_tcb)
3299 SCTP_TCB_UNLOCK(locked_tcb);
3300 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) {
3301 /* finish the job now */
3302 sctp_inpcb_free(inp, 1);
3303 }
3304 *offset = length;
3305 return (NULL);
3306 }
3307 if ((num_chunks > 1) ||
3308 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) {
3309 *offset = length;
3310 if (locked_tcb)
3311 SCTP_TCB_UNLOCK(locked_tcb);
3312 return (NULL);
3313 }
3314 if ((stcb != NULL) &&
3315 (SCTP_GET_STATE(&stcb->asoc) ==
3316 SCTP_STATE_SHUTDOWN_ACK_SENT)) {
3317 sctp_send_shutdown_ack(stcb,
3318 stcb->asoc.primary_destination);
3319 *offset = length;
3320 if (locked_tcb)
3321 SCTP_TCB_UNLOCK(locked_tcb);
3322 return (NULL);
3323 }
3324 sctp_handle_init(m, iphlen, *offset, sh,
3325 (struct sctp_init_chunk *)ch, inp, stcb, *netp);
3326 *offset = length;
3327 if (locked_tcb)
3328 SCTP_TCB_UNLOCK(locked_tcb);
3329 return (NULL);
3330 break;
3331 case SCTP_INITIATION_ACK:
3332 /* must be first and only chunk */
3333 #ifdef SCTP_DEBUG
3334 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3335 kprintf("SCTP_INIT-ACK\n");
3336 }
3337 #endif /* SCTP_DEBUG */
3338 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3339 /* We are not interested anymore */
3340 if (locked_tcb)
3341 SCTP_TCB_UNLOCK(locked_tcb);
3342 *offset = length;
3343 if (stcb) {
3344 sctp_free_assoc(inp, stcb);
3345 } else {
3346 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) {
3347 /* finish the job now */
3348 sctp_inpcb_free(inp, 1);
3349 }
3350 }
3351 return (NULL);
3352 }
3353 if ((num_chunks > 1) ||
3354 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) {
3355 #ifdef SCTP_DEBUG
3356 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3357 kprintf("Length is %d rounded chk_length:%d .. dropping\n",
3358 length - *offset,
3359 SCTP_SIZE32(chk_length));
3360 }
3361 #endif
3362 *offset = length;
3363 if (locked_tcb)
3364 SCTP_TCB_UNLOCK(locked_tcb);
3365 return (NULL);
3366 }
3367 ret = sctp_handle_init_ack(m, iphlen, *offset, sh,
3368 (struct sctp_init_ack_chunk *)ch, stcb, *netp);
3369 /*
3370 * Special case, I must call the output routine
3371 * to get the cookie echoed
3372 */
3373 if ((stcb) && ret == 0)
3374 sctp_chunk_output(stcb->sctp_ep, stcb, 2);
3375 *offset = length;
3376 #ifdef SCTP_DEBUG
3377 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3378 kprintf("All done INIT-ACK processing\n");
3379 }
3380 #endif
3381 if (locked_tcb)
3382 SCTP_TCB_UNLOCK(locked_tcb);
3383 return (NULL);
3384 break;
3385 case SCTP_SELECTIVE_ACK:
3386 #ifdef SCTP_DEBUG
3387 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3388 kprintf("SCTP_SACK\n");
3389 }
3390 #endif /* SCTP_DEBUG */
3391 sctp_pegs[SCTP_PEG_SACKS_SEEN]++;
3392 {
3393 int abort_now = 0;
3394 stcb->asoc.seen_a_sack_this_pkt = 1;
3395 sctp_handle_sack((struct sctp_sack_chunk *)ch,
3396 stcb, *netp, &abort_now);
3397 if (abort_now) {
3398 /* ABORT signal from sack processing */
3399 *offset = length;
3400 return (NULL);
3401 }
3402 }
3403 break;
3404 case SCTP_HEARTBEAT_REQUEST:
3405 #ifdef SCTP_DEBUG
3406 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3407 kprintf("SCTP_HEARTBEAT\n");
3408 }
3409 #endif /* SCTP_DEBUG */
3410 sctp_pegs[SCTP_HB_RECV]++;
3411 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length,
3412 *netp);
3413
3414 /* He's alive so give him credit */
3415 stcb->asoc.overall_error_count = 0;
3416 break;
3417 case SCTP_HEARTBEAT_ACK:
3418 #ifdef SCTP_DEBUG
3419 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3420 kprintf("SCTP_HEARTBEAT-ACK\n");
3421 }
3422 #endif /* SCTP_DEBUG */
3423
3424 /* He's alive so give him credit */
3425 stcb->asoc.overall_error_count = 0;
3426
3427 sctp_pegs[SCTP_HB_ACK_RECV]++;
3428 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
3429 stcb, *netp);
3430 break;
3431 case SCTP_ABORT_ASSOCIATION:
3432 #ifdef SCTP_DEBUG
3433 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3434 kprintf("SCTP_ABORT\n");
3435 }
3436 #endif /* SCTP_DEBUG */
3437 sctp_handle_abort((struct sctp_abort_chunk *)ch,
3438 stcb, *netp);
3439 *offset = length;
3440 return (NULL);
3441 break;
3442 case SCTP_SHUTDOWN:
3443 #ifdef SCTP_DEBUG
3444 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3445 kprintf("SCTP_SHUTDOWN\n");
3446 }
3447 #endif /* SCTP_DEBUG */
3448 {
3449 int abort_flag = 0;
3450 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
3451 stcb, *netp, &abort_flag);
3452 if (abort_flag) {
3453 *offset = length;
3454 return (NULL);
3455 }
3456 }
3457 break;
3458 case SCTP_SHUTDOWN_ACK:
3459 #ifdef SCTP_DEBUG
3460 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3461 kprintf("SCTP_SHUTDOWN-ACK\n");
3462 }
3463 #endif /* SCTP_DEBUG */
3464 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
3465 *offset = length;
3466 return (NULL);
3467 break;
3468 case SCTP_OPERATION_ERROR:
3469 #ifdef SCTP_DEBUG
3470 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3471 kprintf("SCTP_OP-ERR\n");
3472 }
3473 #endif /* SCTP_DEBUG */
3474 if (sctp_handle_error(ch, stcb, *netp) < 0) {
3475 *offset = length;
3476 return (NULL);
3477 }
3478 break;
3479 case SCTP_COOKIE_ECHO:
3480 #ifdef SCTP_DEBUG
3481 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3482 kprintf("SCTP_COOKIE-ECHO stcb is %p\n", stcb);
3483 }
3484 #endif /* SCTP_DEBUG */
3485 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3486 /* We are not interested anymore */
3487 *offset = length;
3488 if (stcb) {
3489 sctp_free_assoc(inp, stcb);
3490 } else {
3491 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) {
3492 /* finish the job now */
3493 sctp_inpcb_free(inp, 1);
3494 }
3495 }
3496 return (NULL);
3497 }
3498 /*
3499 * First are we accepting?
3500 * We do this again here since it is possible
3501 * that a previous endpoint WAS listening responded to
3502 * a INIT-ACK and then closed. We opened and bound..
3503 * and are now no longer listening.
3504 */
3505 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) ||
3506 (inp->sctp_socket->so_qlimit == 0)) {
3507 sctp_abort_association(inp, stcb, m, iphlen, sh,
3508 NULL);
3509 *offset = length;
3510 return (NULL);
3511 } else if (inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) {
3512 /* we are accepting so check limits like TCP */
3513 if (inp->sctp_socket->so_qlen >
3514 inp->sctp_socket->so_qlimit) {
3515 /* no space */
3516 struct mbuf *oper;
3517 struct sctp_paramhdr *phdr;
3518 oper = NULL;
3519 MGETHDR(oper, MB_DONTWAIT, MT_HEADER);
3520 if (oper) {
3521 oper->m_len =
3522 oper->m_pkthdr.len =
3523 sizeof(struct sctp_paramhdr);
3524 phdr = mtod(oper,
3525 struct sctp_paramhdr *);
3526 phdr->param_type =
3527 htons(SCTP_CAUSE_OUT_OF_RESC);
3528 phdr->param_length =
3529 htons(sizeof(struct sctp_paramhdr));
3530 }
3531 sctp_abort_association(inp, stcb, m,
3532 iphlen, sh, oper);
3533 *offset = length;
3534 return (NULL);
3535 }
3536 }
3537 {
3538 struct mbuf *ret_buf;
3539 ret_buf = sctp_handle_cookie_echo(m, iphlen,
3540 *offset, sh,
3541 (struct sctp_cookie_echo_chunk *)ch, &inp,
3542 &stcb, netp);
3543 #ifdef SCTP_DEBUG
3544 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3545 kprintf("ret_buf:%p length:%d off:%d\n",
3546 ret_buf, length, *offset);
3547 }
3548 #endif /* SCTP_DEBUG */
3549
3550 if (ret_buf == NULL) {
3551 if (locked_tcb) {
3552 SCTP_TCB_UNLOCK(locked_tcb);
3553 }
3554 #ifdef SCTP_DEBUG
3555 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3556 kprintf("GAK, null buffer\n");
3557 }
3558 #endif /* SCTP_DEBUG */
3559 *offset = length;
3560 return (NULL);
3561 }
3562 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
3563 /*
3564 * Restart the timer if we have pending
3565 * data
3566 */
3567 struct sctp_tmit_chunk *chk;
3568 chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
3569 if (chk) {
3570 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
3571 stcb->sctp_ep, stcb,
3572 chk->whoTo);
3573 }
3574 }
3575 }
3576 break;
3577 case SCTP_COOKIE_ACK:
3578 #ifdef SCTP_DEBUG
3579 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3580 kprintf("SCTP_COOKIE-ACK\n");
3581 }
3582 #endif /* SCTP_DEBUG */
3583
3584 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3585 /* We are not interested anymore */
3586 sctp_free_assoc(inp, stcb);
3587 *offset = length;
3588 return (NULL);
3589 }
3590 /* He's alive so give him credit */
3591 stcb->asoc.overall_error_count = 0;
3592 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch,
3593 stcb, *netp);
3594 break;
3595 case SCTP_ECN_ECHO:
3596 #ifdef SCTP_DEBUG
3597 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3598 kprintf("SCTP_ECN-ECHO\n");
3599 }
3600 #endif /* SCTP_DEBUG */
3601 /* He's alive so give him credit */
3602 stcb->asoc.overall_error_count = 0;
3603 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
3604 stcb);
3605 break;
3606 case SCTP_ECN_CWR:
3607 #ifdef SCTP_DEBUG
3608 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3609 kprintf("SCTP_ECN-CWR\n");
3610 }
3611 #endif /* SCTP_DEBUG */
3612 /* He's alive so give him credit */
3613 stcb->asoc.overall_error_count = 0;
3614
3615 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb);
3616 break;
3617 case SCTP_SHUTDOWN_COMPLETE:
3618 #ifdef SCTP_DEBUG
3619 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3620 kprintf("SCTP_SHUTDOWN-COMPLETE\n");
3621 }
3622 #endif /* SCTP_DEBUG */
3623 /* must be first and only chunk */
3624 if ((num_chunks > 1) ||
3625 (length - *offset > SCTP_SIZE32(chk_length))) {
3626 *offset = length;
3627 if (locked_tcb)
3628 SCTP_TCB_UNLOCK(locked_tcb);
3629
3630 return (NULL);
3631 }
3632 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
3633 stcb, *netp);
3634 *offset = length;
3635 return (NULL);
3636 break;
3637 case SCTP_ASCONF:
3638 #ifdef SCTP_DEBUG
3639 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3640 kprintf("SCTP_ASCONF\n");
3641 }
3642 #endif /* SCTP_DEBUG */
3643 /* He's alive so give him credit */
3644 stcb->asoc.overall_error_count = 0;
3645
3646 sctp_handle_asconf(m, *offset,
3647 (struct sctp_asconf_chunk *)ch, stcb, *netp);
3648 break;
3649 case SCTP_ASCONF_ACK:
3650 #ifdef SCTP_DEBUG
3651 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3652 kprintf("SCTP_ASCONF-ACK\n");
3653 }
3654 #endif /* SCTP_DEBUG */
3655 /* He's alive so give him credit */
3656 stcb->asoc.overall_error_count = 0;
3657
3658 sctp_handle_asconf_ack(m, *offset,
3659 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp);
3660 break;
3661 case SCTP_FORWARD_CUM_TSN:
3662 #ifdef SCTP_DEBUG
3663 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3664 kprintf("SCTP_FWD-TSN\n");
3665 }
3666 #endif /* SCTP_DEBUG */
3667 /* He's alive so give him credit */
3668 {
3669 int abort_flag = 0;
3670 stcb->asoc.overall_error_count = 0;
3671 *fwd_tsn_seen = 1;
3672 sctp_handle_forward_tsn(stcb,
3673 (struct sctp_forward_tsn_chunk *)ch, &abort_flag);
3674 if (abort_flag) {
3675 *offset = length;
3676 return (NULL);
3677 } else {
3678 stcb->asoc.overall_error_count = 0;
3679 }
3680
3681 }
3682 break;
3683 case SCTP_STREAM_RESET:
3684 #ifdef SCTP_DEBUG
3685 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3686 kprintf("SCTP_STREAM_RESET\n");
3687 }
3688 #endif /* SCTP_DEBUG */
3689 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3690 chk_length, chunk_buf);
3691 if (stcb->asoc.peer_supports_strreset == 0) {
3692 /* hmm, peer should have annonced this, but
3693 * we will turn it on since he is sending us
3694 * a stream reset.
3695 */
3696 stcb->asoc.peer_supports_strreset = 1;
3697 }
3698 sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_req *)ch);
3699 break;
3700 case SCTP_PACKET_DROPPED:
3701 #ifdef SCTP_DEBUG
3702 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3703 kprintf("SCTP_PACKET_DROPPED\n");
3704 }
3705 #endif /* SCTP_DEBUG */
3706 /* re-get it all please */
3707 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3708 chk_length, chunk_buf);
3709
3710 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
3711 stcb, *netp);
3712
3713
3714 break;
3715 default:
3716 /* it's an unknown chunk! */
3717 if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
3718 struct mbuf *mm;
3719 struct sctp_paramhdr *phd;
3720 MGETHDR(mm, MB_DONTWAIT, MT_HEADER);
3721 if (mm) {
3722 phd = mtod(mm, struct sctp_paramhdr *);
3723 /* We cheat and use param type since we
3724 * did not bother to define a error
3725 * cause struct.
3726 * They are the same basic format with
3727 * different names.
3728 */
3729 phd->param_type =
3730 htons(SCTP_CAUSE_UNRECOG_CHUNK);
3731 phd->param_length =
3732 htons(chk_length + sizeof(*phd));
3733 mm->m_len = sizeof(*phd);
3734 mm->m_next = sctp_m_copym(m, *offset,
3735 SCTP_SIZE32(chk_length),
3736 MB_DONTWAIT);
3737 if (mm->m_next) {
3738 mm->m_pkthdr.len =
3739 SCTP_SIZE32(chk_length) +
3740 sizeof(*phd);
3741 sctp_queue_op_err(stcb, mm);
3742 } else {
3743 sctp_m_freem(mm);
3744 #ifdef SCTP_DEBUG
3745 if (sctp_debug_on &
3746 SCTP_DEBUG_INPUT1) {
3747 kprintf("Gak can't copy the chunk into operr %d bytes\n",
3748 chk_length);
3749 }
3750 #endif
3751 }
3752 }
3753 #ifdef SCTP_DEBUG
3754 else {
3755 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3756 kprintf("Gak can't mgethdr for op-err of unrec chunk\n");
3757 }
3758 }
3759 #endif
3760 }
3761 if ((ch->chunk_type & 0x80) == 0) {
3762 /* discard this packet */
3763 *offset = length;
3764 return (stcb);
3765 } /* else skip this bad chunk and continue... */
3766 break;
3767 } /* switch (ch->chunk_type) */
3768 /* get the next chunk */
3769 *offset += SCTP_SIZE32(chk_length);
3770 if (*offset >= length) {
3771 /* no more data left in the mbuf chain */
3772 break;
3773 }
3774 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3775 sizeof(struct sctp_chunkhdr), chunk_buf);
3776 if (ch == NULL) {
3777 if (locked_tcb)
3778 SCTP_TCB_UNLOCK(locked_tcb);
3779 *offset = length;
3780 return (NULL);
3781 }
3782 } /* while */
3783 return (stcb);
3784 }
3785
3786
3787 /*
3788 * Process the ECN bits we have something set so
3789 * we must look to see if it is ECN(0) or ECN(1) or CE
3790 */
3791 static void
3792 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net,
3793 u_int8_t ecn_bits)
3794 {
3795 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
3796 ;
3797 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) {
3798 /*
3799 * we only add to the nonce sum for ECT1, ECT0
3800 * does not change the NS bit (that we have
3801 * yet to find a way to send it yet).
3802 */
3803
3804 /* ECN Nonce stuff */
3805 stcb->asoc.receiver_nonce_sum++;
3806 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM;
3807
3808 /*
3809 * Drag up the last_echo point if cumack is larger since we
3810 * don't want the point falling way behind by more than 2^^31
3811 * and then having it be incorrect.
3812 */
3813 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
3814 stcb->asoc.last_echo_tsn, MAX_TSN)) {
3815 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
3816 }
3817 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) {
3818 /*
3819 * Drag up the last_echo point if cumack is larger since we
3820 * don't want the point falling way behind by more than 2^^31
3821 * and then having it be incorrect.
3822 */
3823 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
3824 stcb->asoc.last_echo_tsn, MAX_TSN)) {
3825 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
3826 }
3827 }
3828 }
3829
3830 static void
3831 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net,
3832 u_int32_t high_tsn, u_int8_t ecn_bits)
3833 {
3834 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
3835 /*
3836 * we possibly must notify the sender that a congestion
3837 * window reduction is in order. We do this
3838 * by adding a ECNE chunk to the output chunk
3839 * queue. The incoming CWR will remove this chunk.
3840 */
3841 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn,
3842 MAX_TSN)) {
3843 /* Yep, we need to add a ECNE */
3844 sctp_send_ecn_echo(stcb, net, high_tsn);
3845 stcb->asoc.last_echo_tsn = high_tsn;
3846 }
3847 }
3848 }
3849
3850 /*
3851 * common input chunk processing (v4 and v6)
3852 */
3853 int
3854 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset,
3855 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch,
3856 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
3857 u_int8_t ecn_bits)
3858 {
3859 /*
3860 * Control chunk processing
3861 */
3862 u_int32_t high_tsn;
3863 int fwd_tsn_seen = 0, data_processed = 0;
3864 struct mbuf *m = *mm;
3865 int abort_flag = 0;
3866
3867 sctp_pegs[SCTP_DATAGRAMS_RCVD]++;
3868 #ifdef SCTP_AUDITING_ENABLED
3869 sctp_audit_log(0xE0, 1);
3870 sctp_auditing(0, inp, stcb, net);
3871 #endif
3872
3873 #ifdef SCTP_DEBUG
3874 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3875 kprintf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n",
3876 m, iphlen, offset);
3877 }
3878 #endif /* SCTP_DEBUG */
3879 if (IS_SCTP_CONTROL(ch)) {
3880 /* process the control portion of the SCTP packet */
3881 #ifdef SCTP_DEBUG
3882 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3883 kprintf("Processing control\n");
3884 }
3885 #endif /* SCTP_DEBUG */
3886
3887 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch,
3888 inp, stcb, &net, &fwd_tsn_seen);
3889 } else {
3890 /*
3891 * no control chunks, so pre-process DATA chunks
3892 * (these checks are taken care of by control processing)
3893 */
3894 #ifdef SCTP_DEBUG
3895 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3896 kprintf("No control present\n");
3897 }
3898 #endif /* SCTP_DEBUG */
3899
3900 if (stcb == NULL) {
3901 /* out of the blue DATA chunk */
3902 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL);
3903 return (1);
3904 }
3905 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
3906 /* v_tag mismatch! */
3907 sctp_pegs[SCTP_BAD_VTAGS]++;
3908 SCTP_TCB_UNLOCK(stcb);
3909 return (1);
3910 }
3911 }
3912 if (stcb == NULL) {
3913 /*
3914 * no valid TCB for this packet,
3915 * or we found it's a bad packet while processing control,
3916 * or we're done with this packet (done or skip rest of data),
3917 * so we drop it...
3918 */
3919 return (1);
3920 }
3921 #ifdef SCTP_DEBUG
3922 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3923 kprintf("Ok, control finished time to look for data (%d) offset:%d\n",
3924 length, offset);
3925 }
3926 #endif /* SCTP_DEBUG */
3927 /*
3928 * DATA chunk processing
3929 */
3930 /* plow through the data chunks while length > offset */
3931 stcb->asoc.seen_a_sack_this_pkt = 0;
3932
3933 if (length > offset) {
3934 int retval;
3935 /*
3936 * First check to make sure our state is correct.
3937 * We would not get here unless we really did have a
3938 * tag, so we don't abort if this happens, just
3939 * dump the chunk silently.
3940 */
3941 switch (SCTP_GET_STATE(&stcb->asoc)) {
3942 case SCTP_STATE_COOKIE_ECHOED:
3943 /*
3944 * we consider data with valid tags in
3945 * this state shows us the cookie-ack was lost.
3946 * Imply it was there.
3947 */
3948 stcb->asoc.overall_error_count = 0;
3949 sctp_handle_cookie_ack(
3950 (struct sctp_cookie_ack_chunk *)ch, stcb, net);
3951 break;
3952 case SCTP_STATE_COOKIE_WAIT:
3953 /*
3954 * We consider OOTB any data sent during asoc setup.
3955 */
3956 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL);
3957 SCTP_TCB_UNLOCK(stcb);
3958 return (1);
3959 break;
3960 case SCTP_STATE_EMPTY: /* should not happen */
3961 case SCTP_STATE_INUSE: /* should not happen */
3962 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */
3963 case SCTP_STATE_SHUTDOWN_ACK_SENT:
3964 default:
3965 #ifdef SCTP_DEBUG
3966 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3967 kprintf("Got data in invalid state %d.. dropping\n", stcb->asoc.state);
3968 }
3969 #endif
3970 SCTP_TCB_UNLOCK(stcb);
3971 return (1);
3972 break;
3973 case SCTP_STATE_OPEN:
3974 case SCTP_STATE_SHUTDOWN_SENT:
3975 break;
3976 }
3977 /* take care of ECN, part 1. */
3978 if (stcb->asoc.ecn_allowed &&
3979 (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) {
3980 sctp_process_ecn_marked_a(stcb, net, ecn_bits);
3981 }
3982 /* plow through the data chunks while length > offset */
3983 retval = sctp_process_data(mm, iphlen, &offset, length, sh,
3984 inp, stcb, net, &high_tsn);
3985 if (retval == 2) {
3986 /* The association aborted, NO UNLOCK needed
3987 * since the association is destroyed.
3988 */
3989 return (0);
3990 }
3991
3992 data_processed = 1;
3993 if (retval == 0) {
3994 /* take care of ecn part 2. */
3995 if (stcb->asoc.ecn_allowed && (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) {
3996 sctp_process_ecn_marked_b(stcb, net, high_tsn, ecn_bits);
3997
3998 }
3999 }
4000
4001 /*
4002 * Anything important needs to have been m_copy'ed in
4003 * process_data
4004 */
4005 }
4006 if ((data_processed == 0) && (fwd_tsn_seen)) {
4007 int was_a_gap = 0;
4008 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map,
4009 stcb->asoc.cumulative_tsn, MAX_TSN)) {
4010 /* there was a gap before this data was processed */
4011 was_a_gap = 1;
4012 }
4013 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag);
4014 if (abort_flag) {
4015 /* Again, we aborted so NO UNLOCK needed */
4016 return (0);
4017 }
4018 }
4019 /* trigger send of any chunks in queue... */
4020 #ifdef SCTP_AUDITING_ENABLED
4021 sctp_audit_log(0xE0, 2);
4022 sctp_auditing(1, inp, stcb, net);
4023 #endif
4024 #ifdef SCTP_DEBUG
4025 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4026 kprintf("Check for chunk output prw:%d tqe:%d tf=%d\n",
4027 stcb->asoc.peers_rwnd,
4028 TAILQ_EMPTY(&stcb->asoc.control_send_queue),
4029 stcb->asoc.total_flight);
4030 }
4031 #endif
4032 if (stcb->asoc.peers_rwnd > 0 ||
4033 !TAILQ_EMPTY(&stcb->asoc.control_send_queue) ||
4034 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)) {
4035 #ifdef SCTP_DEBUG
4036 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4037 kprintf("Calling chunk OUTPUT\n");
4038 }
4039 #endif
4040 sctp_chunk_output(inp, stcb, 3);
4041 #ifdef SCTP_DEBUG
4042 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4043 kprintf("chunk OUTPUT returns\n");
4044 }
4045 #endif
4046 }
4047
4048 #ifdef SCTP_AUDITING_ENABLED
4049 sctp_audit_log(0xE0, 3);
4050 sctp_auditing(2, inp, stcb, net);
4051 #endif
4052 SCTP_TCB_UNLOCK(stcb);
4053 return (0);
4054 }
4055
4056 #if defined(__OpenBSD__)
4057 static void
4058 sctp_saveopt(struct sctp_inpcb *inp, struct mbuf **mp, struct ip *ip,
4059 struct mbuf *m)
4060 {
4061 if (inp->ip_inp.inp.inp_flags & INP_RECVDSTADDR) {
4062 *mp = sbcreatecontrol((caddr_t) &ip->ip_dst,
4063 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP);
4064 if (*mp)
4065 mp = &(*mp)->m_next;
4066 }
4067 }
4068 #endif
4069
4070 extern int sctp_no_csum_on_loopback;
4071
4072 int
4073 sctp_input(struct mbuf **mp, int *offp, int proto)
4074 {
4075 int iphlen;
4076 struct mbuf *m = *mp;
4077 u_int8_t ecn_bits;
4078 struct ip *ip;
4079 struct sctphdr *sh;
4080 struct sctp_inpcb *inp = NULL;
4081 struct mbuf *opts = NULL;
4082 /*#ifdef INET6*/
4083 /* Don't think this is needed */
4084 /* struct ip6_recvpktopts opts6;*/
4085 /*#endif INET6 */
4086
4087 u_int32_t check, calc_check;
4088 struct sctp_nets *net;
4089 struct sctp_tcb *stcb = NULL;
4090 struct sctp_chunkhdr *ch;
4091 int refcount_up = 0;
4092 int length, mlen, offset;
4093 #if defined(__OpenBSD__) && defined(IPSEC)
4094 struct inpcb *i_inp;
4095 struct m_tag *mtag;
4096 struct tdb_ident *tdbi;
4097 struct tdb *tdb;
4098 int error;
4099 #endif
4100
4101 iphlen = *offp;
4102 net = NULL;
4103 sctp_pegs[SCTP_INPKTS]++;
4104 #ifdef SCTP_DEBUG
4105 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4106 kprintf("V4 input gets a packet iphlen:%d pktlen:%d\n", iphlen, m->m_pkthdr.len);
4107 }
4108 #endif
4109 /*#ifdef INET6*/
4110 /* Don't think this is needed */
4111 /* bzero(&opts6, sizeof(opts6));*/
4112 /*#endif INET6 */
4113
4114 /*
4115 * Strip IP options, we don't allow any in or out.
4116 */
4117 if ((size_t)iphlen > sizeof(struct ip)) {
4118 ip_stripoptions(m);
4119 iphlen = sizeof(struct ip);
4120 }
4121
4122 /*
4123 * Get IP, SCTP, and first chunk header together in first mbuf.
4124 */
4125 ip = mtod(m, struct ip *);
4126 offset = iphlen + sizeof(*sh) + sizeof(*ch);
4127 if (m->m_len < offset) {
4128 if ((m = m_pullup(m, offset)) == NULL) {
4129 sctp_pegs[SCTP_HDR_DROPS]++;
4130 return(IPPROTO_DONE);
4131 }
4132 ip = mtod(m, struct ip *);
4133 }
4134 sh = (struct sctphdr *)((caddr_t)ip + iphlen);
4135 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh));
4136
4137 /* SCTP does not allow broadcasts or multicasts */
4138 #if defined(__NetBSD__) || defined(__OpenBSD__)
4139 if (IN_MULTICAST(ip->ip_dst.s_addr))
4140 #else
4141 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr)))
4142 #endif
4143 {
4144 sctp_pegs[SCTP_IN_MCAST]++;
4145 goto bad;
4146 }
4147 if (in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)) {
4148 sctp_pegs[SCTP_IN_MCAST]++;
4149 goto bad;
4150 }
4151
4152 /* destination port of 0 is illegal, based on RFC2960. */
4153 if (sh->dest_port == 0) {
4154 sctp_pegs[SCTP_HDR_DROPS]++;
4155 goto bad;
4156 }
4157
4158 /* validate SCTP checksum */
4159 if ((sctp_no_csum_on_loopback == 0) ||
4160 (m->m_pkthdr.rcvif == NULL) ||
4161 (m->m_pkthdr.rcvif->if_type != IFT_LOOP)) {
4162 /* we do NOT validate things from the loopback if the
4163 * sysctl is set to 1.
4164 */
4165 check = sh->checksum; /* save incoming checksum */
4166 if ((check == 0) && (sctp_no_csum_on_loopback)) {
4167 /* special hook for where we got a local address
4168 * somehow routed across a non IFT_LOOP type interface
4169 */
4170 if (ip->ip_src.s_addr == ip->ip_dst.s_addr)
4171 goto sctp_skip_csum_4;
4172 }
4173 sh->checksum = 0; /* prepare for calc */
4174 calc_check = sctp_calculate_sum(m, &mlen, iphlen);
4175 if (calc_check != check) {
4176 #ifdef SCTP_DEBUG
4177 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4178 kprintf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n",
4179 calc_check, check, m, mlen, iphlen);
4180 }
4181 #endif
4182
4183 stcb = sctp_findassociation_addr(m, iphlen,
4184 offset - sizeof(*ch),
4185 sh, ch, &inp, &net);
4186 if ((inp) && (stcb)) {
4187 sctp_send_packet_dropped(stcb, net, m, iphlen,
4188 1);
4189 sctp_chunk_output(inp, stcb, 2);
4190 } else if ((inp != NULL) && (stcb == NULL)) {
4191 refcount_up = 1;
4192 }
4193 sctp_pegs[SCTP_BAD_CSUM]++;
4194 goto bad;
4195 }
4196 sh->checksum = calc_check;
4197 } else {
4198 sctp_skip_csum_4:
4199 mlen = m->m_pkthdr.len;
4200 }
4201 /* validate mbuf chain length with IP payload length */
4202 #if defined(__NetBSD__) || defined(__OpenBSD__)
4203 /* Open BSD gives us the len in network order, fix it */
4204 NTOHS(ip->ip_len);
4205 #endif
4206 if (mlen < (ip->ip_len - iphlen)) {
4207 sctp_pegs[SCTP_HDR_DROPS]++;
4208 goto bad;
4209 }
4210
4211 /*
4212 * Locate pcb and tcb for datagram
4213 * sctp_findassociation_addr() wants IP/SCTP/first chunk header...
4214 */
4215 #ifdef SCTP_DEBUG
4216 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4217 kprintf("V4 find association\n");
4218 }
4219 #endif
4220
4221 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch),
4222 sh, ch, &inp, &net);
4223 /* inp's ref-count increased && stcb locked */
4224 if (inp == NULL) {
4225 struct sctp_init_chunk *init_chk, chunk_buf;
4226
4227 sctp_pegs[SCTP_NOPORTS]++;
4228 #ifdef ICMP_BANDLIM
4229 /*
4230 * we use the bandwidth limiting to protect against
4231 * sending too many ABORTS all at once. In this case
4232 * these count the same as an ICMP message.
4233 */
4234 if (badport_bandlim(0) < 0)
4235 goto bad;
4236 #endif /* ICMP_BANDLIM */
4237 #ifdef SCTP_DEBUG
4238 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4239 kprintf("Sending a ABORT from packet entry!\n");
4240 }
4241 #endif
4242 if (ch->chunk_type == SCTP_INITIATION) {
4243 /* we do a trick here to get the INIT tag,
4244 * dig in and get the tag from the INIT and
4245 * put it in the common header.
4246 */
4247 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m,
4248 iphlen + sizeof(*sh), sizeof(*init_chk),
4249 (u_int8_t *)&chunk_buf);
4250 if (init_chk != NULL)
4251 sh->v_tag = init_chk->init.initiate_tag;
4252 }
4253 sctp_send_abort(m, iphlen, sh, 0, NULL);
4254 goto bad;
4255 } else if (stcb == NULL) {
4256 refcount_up = 1;
4257 }
4258 #ifdef IPSEC
4259 /*
4260 * I very much doubt any of the IPSEC stuff will work but I have
4261 * no idea, so I will leave it in place.
4262 */
4263
4264 #ifdef __OpenBSD__
4265 /* FIX ME: this don't work... :) */
4266 {
4267 /* Find most recent IPsec tag */
4268 i_inp = &inp->ip_inp.inp;
4269 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
4270 s = splnet();
4271 if (mtag != NULL) {
4272 tdbi = (struct tdb_ident *)(mtag + 1);
4273 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto);
4274 } else
4275 tdb = NULL;
4276 ipsp_spd_lookup(m, af, iphlen, &error, IPSP_DIRECTION_IN,
4277 tdb, i_inp);
4278 if (error) {
4279 splx(s);
4280 sctp_pegs[SCTP_HDR_DROPS]++;
4281 goto bad;
4282 }
4283
4284 /* Latch SA */
4285 if (i_inp->inp_tdb_in != tdb) {
4286 if (tdb) {
4287 tdb_add_inp(tdb, i_inp, 1);
4288 if (i_inp->inp_ipo == NULL) {
4289 i_inp->inp_ipo = ipsec_add_policy(i_inp, af,
4290 IPSP_DIRECTION_OUT);
4291 if (i_inp->inp_ipo == NULL) {
4292 splx(s);
4293 sctp_pegs[SCTP_HDR_DROPS]++;
4294 goto bad;
4295 }
4296 }
4297 if (i_inp->inp_ipo->ipo_dstid == NULL &&
4298 tdb->tdb_srcid != NULL) {
4299 i_inp->inp_ipo->ipo_dstid = tdb->tdb_srcid;
4300 tdb->tdb_srcid->ref_count++;
4301 }
4302 if (i_inp->inp_ipsec_remotecred == NULL &&
4303 tdb->tdb_remote_cred != NULL) {
4304 i_inp->inp_ipsec_remotecred =
4305 tdb->tdb_remote_cred;
4306 tdb->tdb_remote_cred->ref_count++;
4307 }
4308 if (i_inp->inp_ipsec_remoteauth == NULL &&
4309 tdb->tdb_remote_auth != NULL) {
4310 i_inp->inp_ipsec_remoteauth =
4311 tdb->tdb_remote_auth;
4312 tdb->tdb_remote_auth->ref_count++;
4313 }
4314 } else { /* Just reset */
4315 TAILQ_REMOVE(&i_inp->inp_tdb_in->tdb_inp_in, i_inp,
4316 inp_tdb_in_next);
4317 i_inp->inp_tdb_in = NULL;
4318 }
4319 }
4320 splx(s);
4321 }
4322 #else
4323 if (ipsec4_in_reject_so(m, inp->ip_inp.inp.inp_socket)) {
4324 ipsecstat.in_polvio++;
4325 sctp_pegs[SCTP_HDR_DROPS]++;
4326 goto bad;
4327 }
4328 #endif
4329 #endif /* IPSEC */
4330
4331 /*
4332 * Construct sockaddr format source address.
4333 * Stuff source address and datagram in user buffer.
4334 */
4335 if ((inp->ip_inp.inp.inp_flags & INP_CONTROLOPTS)
4336 #ifndef __OpenBSD__
4337 || (inp->sctp_socket->so_options & SO_TIMESTAMP)
4338 #endif
4339 ) {
4340 #ifdef __OpenBSD__
4341 sctp_saveopt(inp, &opts, ip, m);
4342 #else
4343 ip_savecontrol((struct inpcb *)inp, &opts, ip, m);
4344 #endif
4345 }
4346
4347 /*
4348 * common chunk processing
4349 */
4350 #if defined(__FreeBSD__) || defined(__APPLE__) || defined(__DragonFly__)
4351 length = ip->ip_len + iphlen;
4352 #else
4353 length = ip->ip_len - (ip->ip_hl << 2) + iphlen;
4354 #endif
4355 offset -= sizeof(struct sctp_chunkhdr);
4356
4357 ecn_bits = ip->ip_tos;
4358 crit_enter();
4359 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch,
4360 inp, stcb, net, ecn_bits);
4361 /* inp's ref-count reduced && stcb unlocked */
4362 crit_exit();
4363 if (m) {
4364 sctp_m_freem(m);
4365 }
4366 if (opts)
4367 sctp_m_freem(opts);
4368
4369 if ((inp) && (refcount_up)) {
4370 /* reduce ref-count */
4371 SCTP_INP_WLOCK(inp);
4372 SCTP_INP_DECR_REF(inp);
4373 SCTP_INP_WUNLOCK(inp);
4374 }
4375
4376 return(IPPROTO_DONE);
4377 bad:
4378 if (stcb)
4379 SCTP_TCB_UNLOCK(stcb);
4380
4381 if ((inp) && (refcount_up)) {
4382 /* reduce ref-count */
4383 SCTP_INP_WLOCK(inp);
4384 SCTP_INP_DECR_REF(inp);
4385 SCTP_INP_WUNLOCK(inp);
4386 }
4387
4388 if (m) {
4389 sctp_m_freem(m);
4390 }
4391 if (opts)
4392 sctp_m_freem(opts);
4393 return(IPPROTO_DONE);
4394 }
Cache object: 72a38b8f8c14ce536b928e5eee06b017
|