Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet/sctp_input.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 2 3 /* 4 * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc, 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #if !(defined(__OpenBSD__) || defined(__APPLE__)) 33 #include "opt_ipsec.h" 34 #endif 35 #if defined(__FreeBSD__) || defined(__DragonFly__) 36 #include "opt_compat.h" 37 #include "opt_inet6.h" 38 #include "opt_inet.h" 39 #endif 40 #if defined(__NetBSD__) 41 #include "opt_inet.h" 42 #endif 43 #ifdef __APPLE__ 44 #include <sctp.h> 45 #elif !defined(__OpenBSD__) 46 #include "opt_sctp.h" 47 #endif 48 49 #include <sys/param.h> 50 #include <sys/systm.h> 51 #include <sys/malloc.h> 52 #include <sys/mbuf.h> 53 #include <sys/socket.h> 54 #include <sys/socketvar.h> 55 #include <sys/socketvar2.h> 56 #include <sys/sysctl.h> 57 #include <sys/domain.h> 58 #include <sys/protosw.h> 59 #include <sys/kernel.h> 60 #include <sys/errno.h> 61 #include <sys/syslog.h> 62 #include <sys/thread2.h> 63 64 #if (defined(__FreeBSD__) && __FreeBSD_version >= 500000) 65 #include <sys/limits.h> 66 #else 67 #include <machine/limits.h> 68 #endif 69 #include <machine/cpu.h> 70 71 #include <net/if.h> 72 #include <net/route.h> 73 #include <net/if_types.h> 74 75 #include <netinet/in.h> 76 #include <netinet/in_systm.h> 77 #include <netinet/ip.h> 78 #include <netinet/in_pcb.h> 79 #include <netinet/in_var.h> 80 #include <netinet/ip_var.h> 81 82 #ifdef INET6 83 #include <netinet/ip6.h> 84 #include <netinet6/ip6_var.h> 85 #endif /* INET6 */ 86 87 #include <netinet/ip_icmp.h> 88 #include <netinet/icmp_var.h> 89 #include <netinet/sctp_var.h> 90 #include <netinet/sctp_pcb.h> 91 #include <netinet/sctp_header.h> 92 #include <netinet/sctputil.h> 93 #include <netinet/sctp_output.h> 94 #include <netinet/sctp_input.h> 95 #include <netinet/sctp_hashdriver.h> 96 #include <netinet/sctp_indata.h> 97 #include <netinet/sctp_asconf.h> 98 99 #ifdef __APPLE__ 100 #include <stdarg.h> 101 #elif !defined(__FreeBSD__) 102 #include <machine/stdarg.h> 103 #endif 104 105 #ifdef IPSEC 106 #ifndef __OpenBSD__ 107 #include <netinet6/ipsec.h> 108 #include <netproto/key/key.h> 109 #else 110 #undef IPSEC 111 #endif 112 #endif /*IPSEC*/ 113 114 #include <net/net_osdep.h> 115 116 #ifdef SCTP_DEBUG 117 extern u_int32_t sctp_debug_on; 118 #endif 119 120 /* INIT handler */ 121 static void 122 sctp_handle_init(struct mbuf *m, int iphlen, int offset, 123 struct sctphdr *sh, struct sctp_init_chunk *cp, struct sctp_inpcb *inp, 124 struct sctp_tcb *stcb, struct sctp_nets *net) 125 { 126 struct sctp_init *init; 127 struct mbuf *op_err; 128 #ifdef SCTP_DEBUG 129 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 130 kprintf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 131 } 132 #endif 133 op_err = NULL; 134 init = &cp->init; 135 /* First are we accepting? */ 136 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 137 (inp->sctp_socket->so_qlimit == 0)) { 138 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 139 return; 140 } 141 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 142 /* Invalid length */ 143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 145 return; 146 } 147 /* validate parameters */ 148 if (init->initiate_tag == 0) { 149 /* protocol error... send abort */ 150 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 151 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 152 return; 153 } 154 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 155 /* invalid parameter... send abort */ 156 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 157 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 158 return; 159 } 160 if (init->num_inbound_streams == 0) { 161 /* protocol error... send abort */ 162 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 163 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 164 return; 165 } 166 if (init->num_outbound_streams == 0) { 167 /* protocol error... send abort */ 168 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 169 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 170 return; 171 } 172 173 /* send an INIT-ACK w/cookie */ 174 #ifdef SCTP_DEBUG 175 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 176 kprintf("sctp_handle_init: sending INIT-ACK\n"); 177 } 178 #endif 179 180 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 181 } 182 183 /* 184 * process peer "INIT/INIT-ACK" chunk 185 * returns value < 0 on error 186 */ 187 188 static int 189 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 190 struct sctp_nets *net) 191 { 192 struct sctp_init *init; 193 struct sctp_association *asoc; 194 struct sctp_nets *lnet; 195 unsigned int i; 196 197 init = &cp->init; 198 asoc = &stcb->asoc; 199 /* save off parameters */ 200 asoc->peer_vtag = ntohl(init->initiate_tag); 201 asoc->peers_rwnd = ntohl(init->a_rwnd); 202 203 if (TAILQ_FIRST(&asoc->nets)) { 204 /* update any ssthresh's that may have a default */ 205 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 206 lnet->ssthresh = asoc->peers_rwnd; 207 } 208 } 209 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 210 unsigned int newcnt; 211 struct sctp_stream_out *outs; 212 struct sctp_tmit_chunk *chk; 213 214 /* cut back on number of streams */ 215 newcnt = ntohs(init->num_inbound_streams); 216 /* This if is probably not needed but I am cautious */ 217 if (asoc->strmout) { 218 /* First make sure no data chunks are trapped */ 219 for (i=newcnt; i < asoc->pre_open_streams; i++) { 220 outs = &asoc->strmout[i]; 221 chk = TAILQ_FIRST(&outs->outqueue); 222 while (chk) { 223 TAILQ_REMOVE(&outs->outqueue, chk, 224 sctp_next); 225 asoc->stream_queue_cnt--; 226 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL, 227 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 228 chk); 229 if (chk->data) { 230 sctp_m_freem(chk->data); 231 chk->data = NULL; 232 } 233 sctp_free_remote_addr(chk->whoTo); 234 chk->whoTo = NULL; 235 chk->asoc = NULL; 236 /* Free the chunk */ 237 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 238 sctppcbinfo.ipi_count_chunk--; 239 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 240 panic("Chunk count is negative"); 241 } 242 sctppcbinfo.ipi_gencnt_chunk++; 243 chk = TAILQ_FIRST(&outs->outqueue); 244 } 245 } 246 } 247 /* cut back the count and abandon the upper streams */ 248 asoc->pre_open_streams = newcnt; 249 } 250 asoc->streamincnt = ntohs(init->num_outbound_streams); 251 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 252 asoc->streamincnt = MAX_SCTP_STREAMS; 253 } 254 255 asoc->streamoutcnt = asoc->pre_open_streams; 256 /* init tsn's */ 257 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 258 #ifdef SCTP_MAP_LOGGING 259 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 260 #endif 261 /* This is the next one we expect */ 262 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 263 264 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 265 asoc->cumulative_tsn = asoc->asconf_seq_in; 266 asoc->last_echo_tsn = asoc->asconf_seq_in; 267 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 268 /* open the requested streams */ 269 if (asoc->strmin != NULL) { 270 /* Free the old ones */ 271 kfree(asoc->strmin, M_PCB); 272 } 273 asoc->strmin = kmalloc(asoc->streamincnt * sizeof(struct sctp_stream_in), 274 M_PCB, M_NOWAIT); 275 if (asoc->strmin == NULL) { 276 /* we didn't get memory for the streams! */ 277 #ifdef SCTP_DEBUG 278 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 279 kprintf("process_init: couldn't get memory for the streams!\n"); 280 } 281 #endif 282 return (-1); 283 } 284 for (i = 0; i < asoc->streamincnt; i++) { 285 asoc->strmin[i].stream_no = i; 286 asoc->strmin[i].last_sequence_delivered = 0xffff; 287 /* 288 * U-stream ranges will be set when the cookie 289 * is unpacked. Or for the INIT sender they 290 * are un set (if pr-sctp not supported) when the 291 * INIT-ACK arrives. 292 */ 293 TAILQ_INIT(&asoc->strmin[i].inqueue); 294 /* 295 * we are not on any wheel, pr-sctp streams 296 * will go on the wheel when they have data waiting 297 * for reorder. 298 */ 299 asoc->strmin[i].next_spoke.tqe_next = 0; 300 asoc->strmin[i].next_spoke.tqe_prev = 0; 301 } 302 303 /* 304 * load_address_from_init will put the addresses into the 305 * association when the COOKIE is processed or the INIT-ACK 306 * is processed. Both types of COOKIE's existing and new 307 * call this routine. It will remove addresses that 308 * are no longer in the association (for the restarting 309 * case where addresses are removed). Up front when the 310 * INIT arrives we will discard it if it is a restart 311 * and new addresses have been added. 312 */ 313 return (0); 314 } 315 316 /* 317 * INIT-ACK message processing/consumption 318 * returns value < 0 on error 319 */ 320 static int 321 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 322 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 323 struct sctp_nets *net) 324 { 325 struct sctp_association *asoc; 326 struct mbuf *op_err; 327 int retval, abort_flag; 328 uint32_t initack_limit; 329 /* First verify that we have no illegal param's */ 330 abort_flag = 0; 331 op_err = NULL; 332 333 op_err = sctp_arethere_unrecognized_parameters(m, 334 (offset+sizeof(struct sctp_init_chunk)) , 335 &abort_flag, (struct sctp_chunkhdr *)cp); 336 if (abort_flag) { 337 /* Send an abort and notify peer */ 338 if (op_err != NULL) { 339 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 340 } else { 341 /* 342 * Just notify (abort_assoc does this if 343 * we send an abort). 344 */ 345 sctp_abort_notification(stcb, 0); 346 /* 347 * No sense in further INIT's since 348 * we will get the same param back 349 */ 350 sctp_free_assoc(stcb->sctp_ep, stcb); 351 } 352 return (-1); 353 } 354 asoc = &stcb->asoc; 355 /* process the peer's parameters in the INIT-ACK */ 356 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 357 if (retval < 0) { 358 return (retval); 359 } 360 361 initack_limit = offset + ntohs(cp->ch.chunk_length); 362 /* load all addresses */ 363 if (sctp_load_addresses_from_init(stcb, m, iphlen, 364 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 365 NULL)) { 366 /* Huh, we should abort */ 367 sctp_abort_notification(stcb, 0); 368 sctp_free_assoc(stcb->sctp_ep, stcb); 369 return (-1); 370 } 371 if (op_err) { 372 sctp_queue_op_err(stcb, op_err); 373 /* queuing will steal away the mbuf chain to the out queue */ 374 op_err = NULL; 375 } 376 /* extract the cookie and queue it to "echo" it back... */ 377 stcb->asoc.overall_error_count = 0; 378 net->error_count = 0; 379 retval = sctp_send_cookie_echo(m, offset, stcb, net); 380 if (retval < 0) { 381 /* 382 * No cookie, we probably should send a op error. 383 * But in any case if there is no cookie in the INIT-ACK, 384 * we can abandon the peer, its broke. 385 */ 386 if (retval == -3) { 387 /* We abort with an error of missing mandatory param */ 388 struct mbuf *op_err; 389 op_err = 390 sctp_generate_invmanparam(SCTP_CAUSE_MISS_PARAM); 391 if (op_err) { 392 /* 393 * Expand beyond to include the mandatory 394 * param cookie 395 */ 396 struct sctp_inv_mandatory_param *mp; 397 op_err->m_len = 398 sizeof(struct sctp_inv_mandatory_param); 399 mp = mtod(op_err, 400 struct sctp_inv_mandatory_param *); 401 /* Subtract the reserved param */ 402 mp->length = 403 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 404 mp->num_param = htonl(1); 405 mp->param = htons(SCTP_STATE_COOKIE); 406 mp->resv = 0; 407 } 408 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 409 sh, op_err); 410 } 411 return (retval); 412 } 413 414 /* 415 * Cancel the INIT timer, We do this first before queueing 416 * the cookie. We always cancel at the primary to assue that 417 * we are canceling the timer started by the INIT which always 418 * goes to the primary. 419 */ 420 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 421 asoc->primary_destination); 422 423 /* calculate the RTO */ 424 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 425 426 return (0); 427 } 428 429 static void 430 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 431 struct sctp_tcb *stcb, struct sctp_nets *net) 432 { 433 struct sockaddr_storage store; 434 struct sockaddr_in *sin; 435 struct sockaddr_in6 *sin6; 436 struct sctp_nets *r_net; 437 struct timeval tv; 438 439 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 440 /* Invalid length */ 441 return; 442 } 443 444 sin = (struct sockaddr_in *)&store; 445 sin6 = (struct sockaddr_in6 *)&store; 446 447 memset(&store, 0, sizeof(store)); 448 if (cp->heartbeat.hb_info.addr_family == AF_INET && 449 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 450 sin->sin_family = cp->heartbeat.hb_info.addr_family; 451 sin->sin_len = cp->heartbeat.hb_info.addr_len; 452 sin->sin_port = stcb->rport; 453 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 454 sizeof(sin->sin_addr)); 455 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 456 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 457 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 458 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 459 sin6->sin6_port = stcb->rport; 460 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 461 sizeof(sin6->sin6_addr)); 462 } else { 463 #ifdef SCTP_DEBUG 464 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 465 kprintf("unsupported address family"); 466 } 467 #endif 468 return; 469 } 470 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 471 if (r_net == NULL) { 472 #ifdef SCTP_DEBUG 473 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 474 kprintf("Huh? I can't find the address I sent it to, discard\n"); 475 } 476 #endif 477 return; 478 } 479 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 480 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 481 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 482 /* 483 * If the its a HB and it's random value is correct when 484 * can confirm the destination. 485 */ 486 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 487 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 488 stcb, 0, (void *)r_net); 489 } 490 r_net->error_count = 0; 491 r_net->hb_responded = 1; 492 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 493 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 494 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 495 r_net->dest_state = SCTP_ADDR_REACHABLE; 496 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 497 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 498 499 /* now was it the primary? if so restore */ 500 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 501 sctp_set_primary_addr(stcb, NULL, r_net); 502 } 503 } 504 /* Now lets do a RTO with this */ 505 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 506 } 507 508 static void 509 sctp_handle_abort(struct sctp_abort_chunk *cp, 510 struct sctp_tcb *stcb, struct sctp_nets *net) 511 { 512 #ifdef SCTP_DEBUG 513 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 514 kprintf("sctp_handle_abort: handling ABORT\n"); 515 } 516 #endif 517 if (stcb == NULL) 518 return; 519 /* verify that the destination addr is in the association */ 520 /* ignore abort for addresses being deleted */ 521 522 /* stop any receive timers */ 523 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net); 524 /* notify user of the abort and clean up... */ 525 sctp_abort_notification(stcb, 0); 526 /* free the tcb */ 527 sctp_free_assoc(stcb->sctp_ep, stcb); 528 #ifdef SCTP_DEBUG 529 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 530 kprintf("sctp_handle_abort: finished\n"); 531 } 532 #endif 533 } 534 535 static void 536 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 537 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 538 { 539 struct sctp_association *asoc; 540 int some_on_streamwheel; 541 542 #ifdef SCTP_DEBUG 543 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 544 kprintf("sctp_handle_shutdown: handling SHUTDOWN\n"); 545 } 546 #endif 547 if (stcb == NULL) 548 return; 549 550 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) || 551 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 552 return; 553 } 554 555 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 556 /* update current data status */ 557 #ifdef SCTP_DEBUG 558 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 559 kprintf("Warning Shutdown NOT the expected size.. skipping (%d:%d)\n", 560 ntohs(cp->ch.chunk_length), 561 (int)sizeof(struct sctp_shutdown_chunk)); 562 } 563 #endif 564 return; 565 } else { 566 sctp_update_acked(stcb, cp, net, abort_flag); 567 } 568 asoc = &stcb->asoc; 569 /* goto SHUTDOWN_RECEIVED state to block new requests */ 570 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 571 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 572 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 573 #ifdef SCTP_DEBUG 574 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 575 kprintf("Moving to SHUTDOWN-RECEIVED state\n"); 576 } 577 #endif 578 /* notify upper layer that peer has initiated a shutdown */ 579 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 580 581 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 582 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 583 584 /* Set the flag so we cannot send more, we 585 * would call the function but we don't want to 586 * wake up the ulp necessarily. 587 */ 588 #if defined(__FreeBSD__) && __FreeBSD_version >= 502115 589 stcb->sctp_ep->sctp_socket->so_rcv.sb_state |= SBS_CANTSENDMORE; 590 #else 591 sosetstate(stcb->sctp_ep->sctp_socket, SS_CANTSENDMORE); 592 #endif 593 } 594 /* reset time */ 595 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 596 } 597 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 598 /* 599 * stop the shutdown timer, since we WILL move 600 * to SHUTDOWN-ACK-SENT. 601 */ 602 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 603 } 604 /* Now are we there yet? */ 605 some_on_streamwheel = 0; 606 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 607 /* Check to see if some data queued */ 608 struct sctp_stream_out *outs; 609 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 610 if (!TAILQ_EMPTY(&outs->outqueue)) { 611 some_on_streamwheel = 1; 612 break; 613 } 614 } 615 } 616 #ifdef SCTP_DEBUG 617 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 618 kprintf("some_on_streamwheel:%d send_q_empty:%d sent_q_empty:%d\n", 619 some_on_streamwheel, 620 !TAILQ_EMPTY(&asoc->send_queue), 621 !TAILQ_EMPTY(&asoc->sent_queue)); 622 } 623 #endif 624 if (!TAILQ_EMPTY(&asoc->send_queue) || 625 !TAILQ_EMPTY(&asoc->sent_queue) || 626 some_on_streamwheel) { 627 /* By returning we will push more data out */ 628 return; 629 } else { 630 /* no outstanding data to send, so move on... */ 631 /* send SHUTDOWN-ACK */ 632 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 633 /* move to SHUTDOWN-ACK-SENT state */ 634 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 635 #ifdef SCTP_DEBUG 636 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 637 kprintf("moving to SHUTDOWN_ACK state\n"); 638 } 639 #endif 640 /* start SHUTDOWN timer */ 641 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 642 stcb, net); 643 } 644 } 645 646 static void 647 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 648 struct sctp_tcb *stcb, struct sctp_nets *net) 649 { 650 struct sctp_association *asoc; 651 652 #ifdef SCTP_DEBUG 653 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 654 kprintf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 655 } 656 #endif 657 if (stcb == NULL) 658 return; 659 660 asoc = &stcb->asoc; 661 /* process according to association state */ 662 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 663 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 664 /* unexpected SHUTDOWN-ACK... so ignore... */ 665 return; 666 } 667 /* are the queues empty? */ 668 if (!TAILQ_EMPTY(&asoc->send_queue) || 669 !TAILQ_EMPTY(&asoc->sent_queue) || 670 !TAILQ_EMPTY(&asoc->out_wheel)) { 671 sctp_report_all_outbound(stcb); 672 } 673 /* stop the timer */ 674 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 675 /* send SHUTDOWN-COMPLETE */ 676 sctp_send_shutdown_complete(stcb, net); 677 /* notify upper layer protocol */ 678 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 679 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 680 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 681 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 682 /* Set the connected flag to disconnected */ 683 stcb->sctp_ep->sctp_socket->so_snd.ssb_cc = 0; 684 stcb->sctp_ep->sctp_socket->so_snd.ssb_mbcnt = 0; 685 soisdisconnected(stcb->sctp_ep->sctp_socket); 686 } 687 /* free the TCB but first save off the ep */ 688 sctp_free_assoc(stcb->sctp_ep, stcb); 689 } 690 691 /* 692 * Skip past the param header and then we will find the chunk that 693 * caused the problem. There are two possiblities ASCONF or FWD-TSN 694 * other than that and our peer must be broken. 695 */ 696 static void 697 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 698 struct sctp_nets *net) 699 { 700 struct sctp_chunkhdr *chk; 701 702 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 703 switch (chk->chunk_type) { 704 case SCTP_ASCONF_ACK: 705 #ifdef SCTP_DEBUG 706 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 707 kprintf("Strange peer, snds ASCONF but does not recognize asconf-ack?\n"); 708 } 709 #endif 710 case SCTP_ASCONF: 711 #ifdef SCTP_DEBUG 712 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 713 kprintf("Peer does not support ASCONF/ASCONF-ACK chunks\n"); 714 } 715 #endif /* SCTP_DEBUG */ 716 sctp_asconf_cleanup(stcb, net); 717 break; 718 case SCTP_FORWARD_CUM_TSN: 719 stcb->asoc.peer_supports_prsctp = 0; 720 break; 721 default: 722 #ifdef SCTP_DEBUG 723 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 724 kprintf("Peer does not support chunk type %d(%x)??\n", 725 chk->chunk_type, (u_int)chk->chunk_type); 726 } 727 #endif 728 break; 729 } 730 } 731 732 /* 733 * Skip past the param header and then we will find the param that 734 * caused the problem. There are a number of param's in a ASCONF 735 * OR the prsctp param these will turn of specific features. 736 */ 737 static void 738 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 739 { 740 struct sctp_paramhdr *pbad; 741 742 pbad = phdr + 1; 743 switch (ntohs(pbad->param_type)) { 744 /* pr-sctp draft */ 745 case SCTP_PRSCTP_SUPPORTED: 746 stcb->asoc.peer_supports_prsctp = 0; 747 break; 748 case SCTP_SUPPORTED_CHUNK_EXT: 749 break; 750 /* draft-ietf-tsvwg-addip-sctp */ 751 case SCTP_ECN_NONCE_SUPPORTED: 752 stcb->asoc.peer_supports_ecn_nonce = 0; 753 stcb->asoc.ecn_nonce_allowed = 0; 754 stcb->asoc.ecn_allowed = 0; 755 break; 756 case SCTP_ADD_IP_ADDRESS: 757 case SCTP_DEL_IP_ADDRESS: 758 stcb->asoc.peer_supports_asconf = 0; 759 break; 760 case SCTP_SET_PRIM_ADDR: 761 stcb->asoc.peer_supports_asconf_setprim = 0; 762 break; 763 case SCTP_SUCCESS_REPORT: 764 case SCTP_ERROR_CAUSE_IND: 765 #ifdef SCTP_DEBUG 766 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 767 kprintf("Huh, the peer does not support success? or error cause?\n"); 768 kprintf("Turning off ASCONF to this strange peer\n"); 769 } 770 #endif 771 stcb->asoc.peer_supports_asconf = 0; 772 stcb->asoc.peer_supports_asconf_setprim = 0; 773 break; 774 default: 775 #ifdef SCTP_DEBUG 776 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 777 kprintf("Peer does not support base param type %d(%x)??\n", 778 pbad->param_type, (u_int)pbad->param_type); 779 } 780 #endif 781 break; 782 } 783 } 784 785 static int 786 sctp_handle_error(struct sctp_chunkhdr *ch, 787 struct sctp_tcb *stcb, struct sctp_nets *net) 788 { 789 int chklen; 790 struct sctp_paramhdr *phdr; 791 uint16_t error_type; 792 uint16_t error_len; 793 struct sctp_association *asoc; 794 795 int adjust; 796 /* parse through all of the errors and process */ 797 asoc = &stcb->asoc; 798 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 799 sizeof(struct sctp_chunkhdr)); 800 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 801 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 802 /* Process an Error Cause */ 803 error_type = ntohs(phdr->param_type); 804 error_len = ntohs(phdr->param_length); 805 if ((error_len > chklen) || (error_len == 0)) { 806 /* invalid param length for this param */ 807 #ifdef SCTP_DEBUG 808 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 809 kprintf("Bogus length in error param- chunk left:%d errorlen:%d\n", 810 chklen, error_len); 811 } 812 #endif /* SCTP_DEBUG */ 813 return (0); 814 } 815 switch (error_type) { 816 case SCTP_CAUSE_INV_STRM: 817 case SCTP_CAUSE_MISS_PARAM: 818 case SCTP_CAUSE_INVALID_PARAM: 819 case SCTP_CAUSE_NOUSER_DATA: 820 #ifdef SCTP_DEBUG 821 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 822 kprintf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 823 error_type); 824 } 825 #endif 826 break; 827 case SCTP_CAUSE_STALE_COOKIE: 828 /* We only act if we have echoed a cookie and are waiting. */ 829 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 830 int *p; 831 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 832 /* Save the time doubled */ 833 asoc->cookie_preserve_req = ntohl(*p) << 1; 834 asoc->stale_cookie_count++; 835 if (asoc->stale_cookie_count > 836 asoc->max_init_times) { 837 sctp_abort_notification(stcb, 0); 838 /* now free the asoc */ 839 sctp_free_assoc(stcb->sctp_ep, stcb); 840 return (-1); 841 } 842 /* blast back to INIT state */ 843 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 844 asoc->state |= SCTP_STATE_COOKIE_WAIT; 845 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 846 stcb->sctp_ep, stcb, net); 847 sctp_send_initiate(stcb->sctp_ep, stcb); 848 } 849 break; 850 case SCTP_CAUSE_UNRESOLV_ADDR: 851 /* 852 * Nothing we can do here, we don't do hostname 853 * addresses so if the peer does not like my IPv6 (or 854 * IPv4 for that matter) it does not matter. If they 855 * don't support that type of address, they can NOT 856 * possibly get that packet type... i.e. with no IPv6 857 * you can't recieve a IPv6 packet. so we can safely 858 * ignore this one. If we ever added support for 859 * HOSTNAME Addresses, then we would need to do 860 * something here. 861 */ 862 break; 863 case SCTP_CAUSE_UNRECOG_CHUNK: 864 sctp_process_unrecog_chunk(stcb, phdr, net); 865 break; 866 case SCTP_CAUSE_UNRECOG_PARAM: 867 sctp_process_unrecog_param(stcb, phdr); 868 break; 869 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 870 /* 871 * We ignore this since the timer will drive out a new 872 * cookie anyway and there timer will drive us to send 873 * a SHUTDOWN_COMPLETE. We can't send one here since 874 * we don't have their tag. 875 */ 876 break; 877 case SCTP_CAUSE_DELETEING_LAST_ADDR: 878 case SCTP_CAUSE_OPERATION_REFUSED: 879 case SCTP_CAUSE_DELETING_SRC_ADDR: 880 /* We should NOT get these here, but in a ASCONF-ACK. */ 881 #ifdef SCTP_DEBUG 882 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 883 kprintf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 884 error_type); 885 } 886 #endif 887 break; 888 case SCTP_CAUSE_OUT_OF_RESC: 889 /* 890 * And what, pray tell do we do with the fact 891 * that the peer is out of resources? Not 892 * really sure we could do anything but abort. 893 * I suspect this should have came WITH an 894 * abort instead of in a OP-ERROR. 895 */ 896 break; 897 default: 898 #ifdef SCTP_DEBUG 899 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 900 /* don't know what this error cause is... */ 901 kprintf("sctp_handle_error: unknown error type = 0x%xh\n", 902 error_type); 903 } 904 #endif /* SCTP_DEBUG */ 905 break; 906 } 907 adjust = SCTP_SIZE32(error_len); 908 chklen -= adjust; 909 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 910 } 911 return (0); 912 } 913 914 static int 915 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 916 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 917 struct sctp_nets *net) 918 { 919 struct sctp_init_ack *init_ack; 920 int *state; 921 struct mbuf *op_err; 922 923 #ifdef SCTP_DEBUG 924 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 925 kprintf("sctp_handle_init_ack: handling INIT-ACK\n"); 926 } 927 #endif 928 if (stcb == NULL) { 929 #ifdef SCTP_DEBUG 930 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 931 kprintf("sctp_handle_init_ack: TCB is null\n"); 932 } 933 #endif 934 return (-1); 935 } 936 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 937 /* Invalid length */ 938 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 939 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 940 op_err); 941 return (-1); 942 } 943 init_ack = &cp->init; 944 /* validate parameters */ 945 if (init_ack->initiate_tag == 0) { 946 /* protocol error... send an abort */ 947 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 948 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 949 op_err); 950 return (-1); 951 } 952 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 953 /* protocol error... send an abort */ 954 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 955 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 956 op_err); 957 return (-1); 958 } 959 if (init_ack->num_inbound_streams == 0) { 960 /* protocol error... send an abort */ 961 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 962 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 963 op_err); 964 return (-1); 965 } 966 if (init_ack->num_outbound_streams == 0) { 967 /* protocol error... send an abort */ 968 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 969 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 970 op_err); 971 return (-1); 972 } 973 974 /* process according to association state... */ 975 state = &stcb->asoc.state; 976 switch (*state & SCTP_STATE_MASK) { 977 case SCTP_STATE_COOKIE_WAIT: 978 /* this is the expected state for this chunk */ 979 /* process the INIT-ACK parameters */ 980 if (stcb->asoc.primary_destination->dest_state & 981 SCTP_ADDR_UNCONFIRMED) { 982 /* 983 * The primary is where we sent the INIT, we can 984 * always consider it confirmed when the INIT-ACK 985 * is returned. Do this before we load addresses 986 * though. 987 */ 988 stcb->asoc.primary_destination->dest_state &= 989 ~SCTP_ADDR_UNCONFIRMED; 990 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 991 stcb, 0, (void *)stcb->asoc.primary_destination); 992 } 993 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net 994 ) < 0) { 995 /* error in parsing parameters */ 996 #ifdef SCTP_DEBUG 997 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 998 kprintf("sctp_process_init_ack: error in msg, discarding\n"); 999 } 1000 #endif 1001 return (-1); 1002 } 1003 /* update our state */ 1004 #ifdef SCTP_DEBUG 1005 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1006 kprintf("moving to COOKIE-ECHOED state\n"); 1007 } 1008 #endif 1009 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 1010 *state = SCTP_STATE_COOKIE_ECHOED | 1011 SCTP_STATE_SHUTDOWN_PENDING; 1012 } else { 1013 *state = SCTP_STATE_COOKIE_ECHOED; 1014 } 1015 1016 /* reset the RTO calc */ 1017 stcb->asoc.overall_error_count = 0; 1018 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1019 /* 1020 * collapse the init timer back in case of a exponential backoff 1021 */ 1022 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1023 stcb, net); 1024 /* 1025 * the send at the end of the inbound data processing will 1026 * cause the cookie to be sent 1027 */ 1028 break; 1029 case SCTP_STATE_SHUTDOWN_SENT: 1030 /* incorrect state... discard */ 1031 break; 1032 case SCTP_STATE_COOKIE_ECHOED: 1033 /* incorrect state... discard */ 1034 break; 1035 case SCTP_STATE_OPEN: 1036 /* incorrect state... discard */ 1037 break; 1038 case SCTP_STATE_EMPTY: 1039 case SCTP_STATE_INUSE: 1040 default: 1041 /* incorrect state... discard */ 1042 #ifdef SCTP_DEBUG 1043 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1044 kprintf("Leaving handle-init-ack default\n"); 1045 } 1046 #endif 1047 return (-1); 1048 break; 1049 } /* end switch asoc state */ 1050 #ifdef SCTP_DEBUG 1051 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1052 kprintf("Leaving handle-init-ack end\n"); 1053 } 1054 #endif 1055 return (0); 1056 } 1057 1058 1059 /* 1060 * handle a state cookie for an existing association 1061 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1062 * note: this is a "split" mbuf and the cookie signature does not exist 1063 * offset: offset into mbuf to the cookie-echo chunk 1064 */ 1065 static struct sctp_tcb * 1066 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1067 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1068 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1069 struct sockaddr *init_src, int *notification) 1070 { 1071 struct sctp_association *asoc; 1072 struct sctp_init_chunk *init_cp, init_buf; 1073 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1074 int chk_length; 1075 int init_offset, initack_offset; 1076 int retval; 1077 1078 /* I know that the TCB is non-NULL from the caller */ 1079 asoc = &stcb->asoc; 1080 1081 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1082 /* SHUTDOWN came in after sending INIT-ACK */ 1083 struct mbuf *op_err; 1084 struct sctp_paramhdr *ph; 1085 1086 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1087 #ifdef SCTP_DEBUG 1088 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1089 kprintf("sctp_handle_cookie: got a cookie, while shutting down!\n"); 1090 } 1091 #endif 1092 MGETHDR(op_err, MB_DONTWAIT, MT_HEADER); 1093 if (op_err == NULL) { 1094 /* FOOBAR */ 1095 return (NULL); 1096 } 1097 /* pre-reserve some space */ 1098 op_err->m_data += sizeof(struct ip6_hdr); 1099 op_err->m_data += sizeof(struct sctphdr); 1100 op_err->m_data += sizeof(struct sctp_chunkhdr); 1101 /* Set the len */ 1102 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr); 1103 ph = mtod(op_err, struct sctp_paramhdr *); 1104 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1105 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1106 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1107 return (NULL); 1108 } 1109 /* 1110 * find and validate the INIT chunk in the cookie (peer's info) 1111 * the INIT should start after the cookie-echo header struct 1112 * (chunk header, state cookie header struct) 1113 */ 1114 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1115 1116 init_cp = (struct sctp_init_chunk *) 1117 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1118 (u_int8_t *)&init_buf); 1119 if (init_cp == NULL) { 1120 /* could not pull a INIT chunk in cookie */ 1121 #ifdef SCTP_DEBUG 1122 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1123 kprintf("process_cookie_existing: could not pull INIT chunk hdr\n"); 1124 } 1125 #endif /* SCTP_DEBUG */ 1126 return (NULL); 1127 } 1128 chk_length = ntohs(init_cp->ch.chunk_length); 1129 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1130 #ifdef SCTP_DEBUG 1131 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1132 kprintf("process_cookie_existing: could not find INIT chunk!\n"); 1133 } 1134 #endif /* SCTP_DEBUG */ 1135 return (NULL); 1136 } 1137 1138 /* 1139 * find and validate the INIT-ACK chunk in the cookie (my info) 1140 * the INIT-ACK follows the INIT chunk 1141 */ 1142 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1143 initack_cp = (struct sctp_init_ack_chunk *) 1144 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1145 (u_int8_t *)&initack_buf); 1146 if (initack_cp == NULL) { 1147 /* could not pull INIT-ACK chunk in cookie */ 1148 #ifdef SCTP_DEBUG 1149 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1150 kprintf("process_cookie_existing: could not pull INIT-ACK chunk hdr\n"); 1151 } 1152 #endif /* SCTP_DEBUG */ 1153 return (NULL); 1154 } 1155 chk_length = ntohs(initack_cp->ch.chunk_length); 1156 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1157 #ifdef SCTP_DEBUG 1158 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1159 kprintf("process_cookie_existing: could not find INIT-ACK chunk!\n"); 1160 } 1161 #endif /* SCTP_DEBUG */ 1162 return (NULL); 1163 } 1164 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1165 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1166 /* 1167 * case D in Section 5.2.4 Table 2: MMAA 1168 * process accordingly to get into the OPEN state 1169 */ 1170 switch SCTP_GET_STATE(asoc) { 1171 case SCTP_STATE_COOKIE_WAIT: 1172 /* 1173 * INIT was sent, but got got a COOKIE_ECHO with 1174 * the correct tags... just accept it... 1175 */ 1176 /* First we must process the INIT !! */ 1177 retval = sctp_process_init(init_cp, stcb, net); 1178 if (retval < 0) { 1179 #ifdef SCTP_DEBUG 1180 kprintf("process_cookie_existing: INIT processing failed\n"); 1181 #endif 1182 return (NULL); 1183 } 1184 /* intentional fall through to below... */ 1185 1186 case SCTP_STATE_COOKIE_ECHOED: 1187 /* Duplicate INIT case */ 1188 /* we have already processed the INIT so no problem */ 1189 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1190 net); 1191 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1192 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, 1193 net); 1194 /* update current state */ 1195 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1196 asoc->state = SCTP_STATE_OPEN | 1197 SCTP_STATE_SHUTDOWN_PENDING; 1198 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { 1199 /* if ok, move to OPEN state */ 1200 asoc->state = SCTP_STATE_OPEN; 1201 } 1202 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1203 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1204 (!(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING))) { 1205 /* 1206 * Here is where collision would go if we did a 1207 * connect() and instead got a 1208 * init/init-ack/cookie done before the 1209 * init-ack came back.. 1210 */ 1211 stcb->sctp_ep->sctp_flags |= 1212 SCTP_PCB_FLAGS_CONNECTED; 1213 soisconnected(stcb->sctp_ep->sctp_socket); 1214 } 1215 /* notify upper layer */ 1216 *notification = SCTP_NOTIFY_ASSOC_UP; 1217 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1218 net); 1219 /* 1220 * since we did not send a HB make sure we don't double 1221 * things 1222 */ 1223 net->hb_responded = 1; 1224 1225 if (stcb->asoc.sctp_autoclose_ticks && 1226 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1227 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1228 inp, stcb, NULL); 1229 } 1230 break; 1231 default: 1232 /* 1233 * we're in the OPEN state (or beyond), so peer 1234 * must have simply lost the COOKIE-ACK 1235 */ 1236 break; 1237 } /* end switch */ 1238 1239 /* 1240 * We ignore the return code here.. not sure if we should 1241 * somehow abort.. but we do have an existing asoc. This 1242 * really should not fail. 1243 */ 1244 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1245 init_offset + sizeof(struct sctp_init_chunk), 1246 initack_offset, sh, init_src)) { 1247 #ifdef SCTP_DEBUG 1248 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1249 kprintf("Weird cookie load_address failure on cookie existing - 1\n"); 1250 } 1251 #endif 1252 return (NULL); 1253 } 1254 1255 /* respond with a COOKIE-ACK */ 1256 sctp_send_cookie_ack(stcb); 1257 return (stcb); 1258 } /* end if */ 1259 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1260 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1261 cookie->tie_tag_my_vtag == 0 && 1262 cookie->tie_tag_peer_vtag == 0) { 1263 /* 1264 * case C in Section 5.2.4 Table 2: XMOO 1265 * silently discard 1266 */ 1267 return (NULL); 1268 } 1269 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1270 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1271 init_cp->init.initiate_tag == 0)) { 1272 /* 1273 * case B in Section 5.2.4 Table 2: MXAA or MOAA 1274 * my info should be ok, re-accept peer info 1275 */ 1276 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1277 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1278 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1279 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1280 /* 1281 * since we did not send a HB make sure we don't double things 1282 */ 1283 net->hb_responded = 1; 1284 if (stcb->asoc.sctp_autoclose_ticks && 1285 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1286 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1287 NULL); 1288 } 1289 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1290 asoc->pre_open_streams = 1291 ntohs(initack_cp->init.num_outbound_streams); 1292 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1293 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1294 asoc->init_seq_number; 1295 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1296 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1297 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1298 asoc->str_reset_seq_in = asoc->init_seq_number; 1299 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1300 1301 /* process the INIT info (peer's info) */ 1302 retval = sctp_process_init(init_cp, stcb, net); 1303 if (retval < 0) { 1304 #ifdef SCTP_DEBUG 1305 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1306 kprintf("process_cookie_existing: INIT processing failed\n"); 1307 } 1308 #endif 1309 return (NULL); 1310 } 1311 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1312 init_offset + sizeof(struct sctp_init_chunk), 1313 initack_offset, sh, init_src)) { 1314 #ifdef SCTP_DEBUG 1315 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1316 kprintf("Weird cookie load_address failure on cookie existing - 2\n"); 1317 } 1318 #endif 1319 return (NULL); 1320 } 1321 1322 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1323 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1324 *notification = SCTP_NOTIFY_ASSOC_UP; 1325 1326 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1327 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1328 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1329 stcb->sctp_ep->sctp_flags |= 1330 SCTP_PCB_FLAGS_CONNECTED; 1331 soisconnected(stcb->sctp_ep->sctp_socket); 1332 } 1333 } 1334 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1335 asoc->state = SCTP_STATE_OPEN | 1336 SCTP_STATE_SHUTDOWN_PENDING; 1337 } else { 1338 asoc->state = SCTP_STATE_OPEN; 1339 } 1340 sctp_send_cookie_ack(stcb); 1341 return (stcb); 1342 } 1343 1344 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1345 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1346 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1347 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1348 cookie->tie_tag_peer_vtag != 0) { 1349 /* 1350 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1351 */ 1352 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1353 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1354 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1355 1356 /* notify upper layer */ 1357 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1358 1359 /* send up all the data */ 1360 sctp_report_all_outbound(stcb); 1361 1362 /* process the INIT-ACK info (my info) */ 1363 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1364 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1365 asoc->pre_open_streams = 1366 ntohs(initack_cp->init.num_outbound_streams); 1367 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1368 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1369 asoc->init_seq_number; 1370 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1371 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1372 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1373 asoc->str_reset_seq_in = asoc->init_seq_number; 1374 1375 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1376 if (asoc->mapping_array) 1377 memset(asoc->mapping_array, 0, 1378 asoc->mapping_array_size); 1379 /* process the INIT info (peer's info) */ 1380 retval = sctp_process_init(init_cp, stcb, net); 1381 if (retval < 0) { 1382 #ifdef SCTP_DEBUG 1383 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1384 kprintf("process_cookie_existing: INIT processing failed\n"); 1385 } 1386 #endif 1387 return (NULL); 1388 } 1389 1390 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1391 /* 1392 * since we did not send a HB make sure we don't double things 1393 */ 1394 net->hb_responded = 1; 1395 1396 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1397 init_offset + sizeof(struct sctp_init_chunk), 1398 initack_offset, sh, init_src)) { 1399 #ifdef SCTP_DEBUG 1400 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1401 kprintf("Weird cookie load_address failure on cookie existing - 3\n"); 1402 } 1403 #endif 1404 return (NULL); 1405 } 1406 1407 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1408 asoc->state = SCTP_STATE_OPEN | 1409 SCTP_STATE_SHUTDOWN_PENDING; 1410 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1411 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1412 asoc->state = SCTP_STATE_OPEN; 1413 } 1414 /* respond with a COOKIE-ACK */ 1415 sctp_send_cookie_ack(stcb); 1416 1417 return (stcb); 1418 } 1419 /* all other cases... */ 1420 return (NULL); 1421 } 1422 1423 /* 1424 * handle a state cookie for a new association 1425 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1426 * note: this is a "split" mbuf and the cookie signature does not exist 1427 * offset: offset into mbuf to the cookie-echo chunk 1428 * length: length of the cookie chunk 1429 * to: where the init was from 1430 * returns a new TCB 1431 */ 1432 static struct sctp_tcb * 1433 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1434 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1435 struct sctp_inpcb *inp, struct sctp_nets **netp, 1436 struct sockaddr *init_src, int *notification) 1437 { 1438 struct sctp_tcb *stcb; 1439 struct sctp_init_chunk *init_cp, init_buf; 1440 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1441 struct sockaddr_storage sa_store; 1442 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1443 struct sockaddr_in *sin; 1444 struct sockaddr_in6 *sin6; 1445 struct sctp_association *asoc; 1446 int chk_length; 1447 int init_offset, initack_offset, initack_limit; 1448 int retval; 1449 int error = 0; 1450 /* 1451 * find and validate the INIT chunk in the cookie (peer's info) 1452 * the INIT should start after the cookie-echo header struct 1453 * (chunk header, state cookie header struct) 1454 */ 1455 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1456 init_cp = (struct sctp_init_chunk *) 1457 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1458 (u_int8_t *)&init_buf); 1459 if (init_cp == NULL) { 1460 /* could not pull a INIT chunk in cookie */ 1461 #ifdef SCTP_DEBUG 1462 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1463 kprintf("process_cookie_new: could not pull INIT chunk hdr\n"); 1464 } 1465 #endif /* SCTP_DEBUG */ 1466 return (NULL); 1467 } 1468 chk_length = ntohs(init_cp->ch.chunk_length); 1469 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1470 #ifdef SCTP_DEBUG 1471 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1472 kprintf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1473 } 1474 #endif /* SCTP_DEBUG */ 1475 return (NULL); 1476 } 1477 1478 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1479 /* 1480 * find and validate the INIT-ACK chunk in the cookie (my info) 1481 * the INIT-ACK follows the INIT chunk 1482 */ 1483 initack_cp = (struct sctp_init_ack_chunk *) 1484 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1485 (u_int8_t *)&initack_buf); 1486 if (initack_cp == NULL) { 1487 /* could not pull INIT-ACK chunk in cookie */ 1488 #ifdef SCTP_DEBUG 1489 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1490 kprintf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1491 } 1492 #endif /* SCTP_DEBUG */ 1493 return (NULL); 1494 } 1495 chk_length = ntohs(initack_cp->ch.chunk_length); 1496 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1497 #ifdef SCTP_DEBUG 1498 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1499 u_int8_t *pp; 1500 pp = (u_int8_t *)initack_cp; 1501 kprintf("process_cookie_new: could not find INIT-ACK chunk!\n"); 1502 kprintf("Found bytes %x %x %x %x at position %d\n", 1503 (u_int)pp[0], (u_int)pp[1], (u_int)pp[2], 1504 (u_int)pp[3], initack_offset); 1505 } 1506 #endif /* SCTP_DEBUG */ 1507 return (NULL); 1508 } 1509 initack_limit = initack_offset + SCTP_SIZE32(chk_length); 1510 1511 /* 1512 * now that we know the INIT/INIT-ACK are in place, 1513 * create a new TCB and popluate 1514 */ 1515 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, ntohl(initack_cp->init.initiate_tag)); 1516 if (stcb == NULL) { 1517 struct mbuf *op_err; 1518 /* memory problem? */ 1519 #ifdef SCTP_DEBUG 1520 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1521 kprintf("process_cookie_new: no room for another TCB!\n"); 1522 } 1523 #endif /* SCTP_DEBUG */ 1524 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1525 sctp_abort_association(inp, NULL, m, iphlen, 1526 sh, op_err); 1527 return (NULL); 1528 } 1529 1530 /* get the correct sctp_nets */ 1531 *netp = sctp_findnet(stcb, init_src); 1532 asoc = &stcb->asoc; 1533 /* get scope variables out of cookie */ 1534 asoc->ipv4_local_scope = cookie->ipv4_scope; 1535 asoc->site_scope = cookie->site_scope; 1536 asoc->local_scope = cookie->local_scope; 1537 asoc->loopback_scope = cookie->loopback_scope; 1538 1539 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1540 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1541 struct mbuf *op_err; 1542 /* 1543 * Houston we have a problem. The EP changed while the cookie 1544 * was in flight. Only recourse is to abort the association. 1545 */ 1546 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1547 sctp_abort_association(inp, NULL, m, iphlen, 1548 sh, op_err); 1549 return (NULL); 1550 } 1551 1552 /* process the INIT-ACK info (my info) */ 1553 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1554 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1555 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1556 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1557 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1558 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1559 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1560 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1561 asoc->str_reset_seq_in = asoc->init_seq_number; 1562 1563 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1564 1565 /* process the INIT info (peer's info) */ 1566 retval = sctp_process_init(init_cp, stcb, *netp); 1567 if (retval < 0) { 1568 #ifdef SCTP_DEBUG 1569 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1570 kprintf("process_cookie_new: INIT processing failed\n"); 1571 } 1572 #endif 1573 sctp_free_assoc(inp, stcb); 1574 return (NULL); 1575 } 1576 /* load all addresses */ 1577 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1578 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1579 init_src)) { 1580 sctp_free_assoc(inp, stcb); 1581 return (NULL); 1582 } 1583 1584 /* update current state */ 1585 #ifdef SCTP_DEBUG 1586 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1587 kprintf("moving to OPEN state\n"); 1588 } 1589 #endif 1590 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1591 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1592 } else { 1593 asoc->state = SCTP_STATE_OPEN; 1594 } 1595 /* calculate the RTT */ 1596 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1597 &cookie->time_entered); 1598 1599 /* 1600 * if we're doing ASCONFs, check to see if we have any new 1601 * local addresses that need to get added to the peer (eg. 1602 * addresses changed while cookie echo in flight). This needs 1603 * to be done after we go to the OPEN state to do the correct 1604 * asconf processing. 1605 * else, make sure we have the correct addresses in our lists 1606 */ 1607 1608 /* warning, we re-use sin, sin6, sa_store here! */ 1609 /* pull in local_address (our "from" address) */ 1610 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1611 /* source addr is IPv4 */ 1612 sin = (struct sockaddr_in *)initack_src; 1613 memset(sin, 0, sizeof(*sin)); 1614 sin->sin_family = AF_INET; 1615 sin->sin_len = sizeof(struct sockaddr_in); 1616 sin->sin_addr.s_addr = cookie->laddress[0]; 1617 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1618 /* source addr is IPv6 */ 1619 sin6 = (struct sockaddr_in6 *)initack_src; 1620 memset(sin6, 0, sizeof(*sin6)); 1621 sin6->sin6_family = AF_INET6; 1622 sin6->sin6_len = sizeof(struct sockaddr_in6); 1623 sin6->sin6_scope_id = cookie->scope_id; 1624 memcpy(&sin6->sin6_addr, cookie->laddress, 1625 sizeof(sin6->sin6_addr)); 1626 } else { 1627 sctp_free_assoc(inp, stcb); 1628 return (NULL); 1629 } 1630 1631 sctp_check_address_list(stcb, m, initack_offset + 1632 sizeof(struct sctp_init_ack_chunk), initack_limit, 1633 initack_src, cookie->local_scope, cookie->site_scope, 1634 cookie->ipv4_scope, cookie->loopback_scope); 1635 1636 1637 /* set up to notify upper layer */ 1638 *notification = SCTP_NOTIFY_ASSOC_UP; 1639 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1640 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1641 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1642 /* 1643 * This is an endpoint that called connect() 1644 * how it got a cookie that is NEW is a bit of 1645 * a mystery. It must be that the INIT was sent, but 1646 * before it got there.. a complete INIT/INIT-ACK/COOKIE 1647 * arrived. But of course then it should have went to 1648 * the other code.. not here.. oh well.. a bit of protection 1649 * is worth having.. 1650 */ 1651 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1652 soisconnected(stcb->sctp_ep->sctp_socket); 1653 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1654 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1655 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1656 /* 1657 * We don't want to do anything with this 1658 * one. Since it is the listening guy. The timer will 1659 * get started for accepted connections in the caller. 1660 */ 1661 ; 1662 } else { 1663 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1664 } 1665 /* since we did not send a HB make sure we don't double things */ 1666 (*netp)->hb_responded = 1; 1667 1668 if (stcb->asoc.sctp_autoclose_ticks && 1669 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1670 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1671 } 1672 1673 /* respond with a COOKIE-ACK */ 1674 sctp_send_cookie_ack(stcb); 1675 1676 return (stcb); 1677 } 1678 1679 1680 /* 1681 * handles a COOKIE-ECHO message 1682 * stcb: modified to either a new or left as existing (non-NULL) TCB 1683 */ 1684 static struct mbuf * 1685 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1686 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1687 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp) 1688 { 1689 struct sctp_state_cookie *cookie; 1690 struct sockaddr_in6 sin6; 1691 struct sockaddr_in sin; 1692 struct sctp_tcb *l_stcb=*stcb; 1693 struct sctp_inpcb *l_inp; 1694 struct sockaddr *to; 1695 struct sctp_pcb *ep; 1696 struct mbuf *m_sig; 1697 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1698 uint8_t *sig; 1699 uint8_t cookie_ok = 0; 1700 unsigned int size_of_pkt, sig_offset, cookie_offset; 1701 unsigned int cookie_len; 1702 struct timeval now; 1703 struct timeval time_expires; 1704 struct sockaddr_storage dest_store; 1705 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1706 struct ip *iph; 1707 int notification = 0; 1708 struct sctp_nets *netl; 1709 int had_a_existing_tcb = 0; 1710 1711 #ifdef SCTP_DEBUG 1712 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1713 kprintf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1714 } 1715 #endif 1716 1717 if (inp_p == NULL) { 1718 #ifdef SCTP_DEBUG 1719 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1720 kprintf("sctp_handle_cookie: null inp_p!\n"); 1721 } 1722 #endif 1723 return (NULL); 1724 } 1725 /* First get the destination address setup too. */ 1726 iph = mtod(m, struct ip *); 1727 if (iph->ip_v == IPVERSION) { 1728 /* its IPv4 */ 1729 struct sockaddr_in *sin; 1730 sin = (struct sockaddr_in *)(localep_sa); 1731 memset(sin, 0, sizeof(*sin)); 1732 sin->sin_family = AF_INET; 1733 sin->sin_len = sizeof(*sin); 1734 sin->sin_port = sh->dest_port; 1735 sin->sin_addr.s_addr = iph->ip_dst.s_addr ; 1736 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1737 /* its IPv6 */ 1738 struct ip6_hdr *ip6; 1739 struct sockaddr_in6 *sin6; 1740 sin6 = (struct sockaddr_in6 *)(localep_sa); 1741 memset(sin6, 0, sizeof(*sin6)); 1742 sin6->sin6_family = AF_INET6; 1743 sin6->sin6_len = sizeof(struct sockaddr_in6); 1744 ip6 = mtod(m, struct ip6_hdr *); 1745 sin6->sin6_port = sh->dest_port; 1746 sin6->sin6_addr = ip6->ip6_dst; 1747 } else { 1748 return (NULL); 1749 } 1750 1751 cookie = &cp->cookie; 1752 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1753 cookie_len = ntohs(cp->ch.chunk_length); 1754 1755 if ((cookie->peerport != sh->src_port) && 1756 (cookie->myport != sh->dest_port) && 1757 (cookie->my_vtag != sh->v_tag)) { 1758 /* 1759 * invalid ports or bad tag. Note that we always leave 1760 * the v_tag in the header in network order and when we 1761 * stored it in the my_vtag slot we also left it in network 1762 * order. This maintians the match even though it may be in 1763 * the opposite byte order of the machine :-> 1764 */ 1765 return (NULL); 1766 } 1767 1768 /* compute size of packet */ 1769 if (m->m_flags & M_PKTHDR) { 1770 size_of_pkt = m->m_pkthdr.len; 1771 } else { 1772 /* Should have a pkt hdr really */ 1773 struct mbuf *mat; 1774 mat = m; 1775 size_of_pkt = 0; 1776 while (mat != NULL) { 1777 size_of_pkt += mat->m_len; 1778 mat = mat->m_next; 1779 } 1780 } 1781 if (cookie_len > size_of_pkt || 1782 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1783 sizeof(struct sctp_init_chunk) + 1784 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1785 /* cookie too long! or too small */ 1786 #ifdef SCTP_DEBUG 1787 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1788 kprintf("sctp_handle_cookie: cookie_len=%u, pkt size=%u\n", cookie_len, size_of_pkt); 1789 } 1790 #endif /* SCTP_DEBUG */ 1791 return (NULL); 1792 } 1793 /* 1794 * split off the signature into its own mbuf (since it 1795 * should not be calculated in the sctp_hash_digest_m() call). 1796 */ 1797 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1798 if (sig_offset > size_of_pkt) { 1799 /* packet not correct size! */ 1800 /* XXX this may already be accounted for earlier... */ 1801 #ifdef SCTP_DEBUG 1802 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1803 kprintf("sctp_handle_cookie: sig offset=%u, pkt size=%u\n", sig_offset, size_of_pkt); 1804 } 1805 #endif 1806 return (NULL); 1807 } 1808 1809 m_sig = m_split(m, sig_offset, MB_DONTWAIT); 1810 if (m_sig == NULL) { 1811 /* out of memory or ?? */ 1812 #ifdef SCTP_DEBUG 1813 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1814 kprintf("sctp_handle_cookie: couldn't m_split the signature\n"); 1815 } 1816 #endif 1817 return (NULL); 1818 } 1819 /* 1820 * compute the signature/digest for the cookie 1821 */ 1822 ep = &(*inp_p)->sctp_ep; 1823 l_inp = *inp_p; 1824 if (l_stcb) { 1825 SCTP_TCB_UNLOCK(l_stcb); 1826 } 1827 SCTP_INP_RLOCK(l_inp); 1828 if (l_stcb) { 1829 SCTP_TCB_LOCK(l_stcb); 1830 } 1831 /* which cookie is it? */ 1832 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1833 (ep->current_secret_number != ep->last_secret_number)) { 1834 /* it's the old cookie */ 1835 #ifdef SCTP_DEBUG 1836 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1837 kprintf("sctp_handle_cookie: old cookie sig\n"); 1838 } 1839 #endif 1840 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1841 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1842 } else { 1843 /* it's the current cookie */ 1844 #ifdef SCTP_DEBUG 1845 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1846 kprintf("sctp_handle_cookie: current cookie sig\n"); 1847 } 1848 #endif 1849 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->current_secret_number], 1850 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1851 } 1852 /* get the signature */ 1853 SCTP_INP_RUNLOCK(l_inp); 1854 sig = (u_int8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (u_int8_t *)&tmp_sig); 1855 if (sig == NULL) { 1856 /* couldn't find signature */ 1857 #ifdef SCTP_DEBUG 1858 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1859 kprintf("sctp_handle_cookie: couldn't pull the signature\n"); 1860 } 1861 #endif 1862 return (NULL); 1863 } 1864 /* compare the received digest with the computed digest */ 1865 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1866 /* try the old cookie? */ 1867 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1868 (ep->current_secret_number != ep->last_secret_number)) { 1869 /* compute digest with old */ 1870 #ifdef SCTP_DEBUG 1871 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1872 kprintf("sctp_handle_cookie: old cookie sig\n"); 1873 } 1874 #endif 1875 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1876 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1877 /* compare */ 1878 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1879 cookie_ok = 1; 1880 } 1881 } else { 1882 cookie_ok = 1; 1883 } 1884 1885 /* 1886 * Now before we continue we must reconstruct our mbuf so 1887 * that normal processing of any other chunks will work. 1888 */ 1889 { 1890 struct mbuf *m_at; 1891 m_at = m; 1892 while (m_at->m_next != NULL) { 1893 m_at = m_at->m_next; 1894 } 1895 m_at->m_next = m_sig; 1896 if (m->m_flags & M_PKTHDR) { 1897 /* 1898 * We should only do this if and only if the front 1899 * mbuf has a m_pkthdr... it should in theory. 1900 */ 1901 if (m_sig->m_flags & M_PKTHDR) { 1902 /* Add back to the pkt hdr of main m chain */ 1903 m->m_pkthdr.len += m_sig->m_len; 1904 } else { 1905 /* 1906 * Got a problem, no pkthdr in split chain. 1907 * TSNH but we will handle it just in case 1908 */ 1909 int mmlen = 0; 1910 struct mbuf *lat; 1911 kprintf("Warning: Hitting m_split join TSNH code - fixed\n"); 1912 lat = m_sig; 1913 while (lat) { 1914 mmlen += lat->m_len; 1915 lat = lat->m_next; 1916 } 1917 m->m_pkthdr.len += mmlen; 1918 } 1919 } 1920 } 1921 1922 if (cookie_ok == 0) { 1923 #ifdef SCTP_DEBUG 1924 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1925 kprintf("handle_cookie_echo: cookie signature validation failed!\n"); 1926 kprintf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1927 (u_int32_t)offset, cookie_offset, sig_offset); 1928 } 1929 #endif 1930 return (NULL); 1931 } 1932 #ifdef SCTP_DEBUG 1933 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1934 kprintf("handle_cookie_echo: cookie signature validation passed\n"); 1935 } 1936 #endif 1937 1938 /* 1939 * check the cookie timestamps to be sure it's not stale 1940 */ 1941 SCTP_GETTIME_TIMEVAL(&now); 1942 /* Expire time is in Ticks, so we convert to seconds */ 1943 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 1944 time_expires.tv_usec = cookie->time_entered.tv_usec; 1945 #ifndef __FreeBSD__ 1946 if (timercmp(&now, &time_expires, >)) 1947 #else 1948 if (timevalcmp(&now, &time_expires, >)) 1949 #endif 1950 { 1951 /* cookie is stale! */ 1952 struct mbuf *op_err; 1953 struct sctp_stale_cookie_msg *scm; 1954 u_int32_t tim; 1955 #ifdef SCTP_DEBUG 1956 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 1957 kprintf("sctp_handle_cookie: got a STALE cookie!\n"); 1958 } 1959 #endif 1960 MGETHDR(op_err, MB_DONTWAIT, MT_HEADER); 1961 if (op_err == NULL) { 1962 /* FOOBAR */ 1963 return (NULL); 1964 } 1965 /* pre-reserve some space */ 1966 op_err->m_data += sizeof(struct ip6_hdr); 1967 op_err->m_data += sizeof(struct sctphdr); 1968 op_err->m_data += sizeof(struct sctp_chunkhdr); 1969 1970 /* Set the len */ 1971 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg); 1972 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1973 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1974 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1975 (sizeof(u_int32_t)))); 1976 /* seconds to usec */ 1977 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 1978 /* add in usec */ 1979 if (tim == 0) 1980 tim = now.tv_usec - cookie->time_entered.tv_usec; 1981 scm->time_usec = htonl(tim); 1982 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1983 return (NULL); 1984 } 1985 /* 1986 * Now we must see with the lookup address if we have an existing 1987 * asoc. This will only happen if we were in the COOKIE-WAIT state 1988 * and a INIT collided with us and somewhere the peer sent the 1989 * cookie on another address besides the single address our assoc 1990 * had for him. In this case we will have one of the tie-tags set 1991 * at least AND the address field in the cookie can be used to 1992 * look it up. 1993 */ 1994 to = NULL; 1995 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 1996 memset(&sin6, 0, sizeof(sin6)); 1997 sin6.sin6_family = AF_INET6; 1998 sin6.sin6_len = sizeof(sin6); 1999 sin6.sin6_port = sh->src_port; 2000 sin6.sin6_scope_id = cookie->scope_id; 2001 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2002 sizeof(sin6.sin6_addr.s6_addr)); 2003 to = (struct sockaddr *)&sin6; 2004 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2005 memset(&sin, 0, sizeof(sin)); 2006 sin.sin_family = AF_INET; 2007 sin.sin_len = sizeof(sin); 2008 sin.sin_port = sh->src_port; 2009 sin.sin_addr.s_addr = cookie->address[0]; 2010 to = (struct sockaddr *)&sin; 2011 } 2012 2013 if ((*stcb == NULL) && to) { 2014 /* Yep, lets check */ 2015 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2016 if (*stcb == NULL) { 2017 /* We should have only got back the same inp. If we 2018 * got back a different ep we have a problem. The original 2019 * findep got back l_inp and now 2020 */ 2021 if (l_inp != *inp_p) { 2022 kprintf("Bad problem find_ep got a diff inp then special_locate?\n"); 2023 } 2024 } 2025 } 2026 2027 cookie_len -= SCTP_SIGNATURE_SIZE; 2028 if (*stcb == NULL) { 2029 /* this is the "normal" case... get a new TCB */ 2030 #ifdef SCTP_DEBUG 2031 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2032 kprintf("sctp_handle_cookie: processing NEW cookie\n"); 2033 } 2034 #endif 2035 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2036 cookie_len, *inp_p, netp, to, ¬ification); 2037 /* now always decrement, since this is the normal 2038 * case.. we had no tcb when we entered. 2039 */ 2040 } else { 2041 /* this is abnormal... cookie-echo on existing TCB */ 2042 #ifdef SCTP_DEBUG 2043 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2044 kprintf("sctp_handle_cookie: processing EXISTING cookie\n"); 2045 } 2046 #endif 2047 had_a_existing_tcb = 1; 2048 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2049 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification); 2050 } 2051 2052 if (*stcb == NULL) { 2053 /* still no TCB... must be bad cookie-echo */ 2054 #ifdef SCTP_DEBUG 2055 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2056 kprintf("handle_cookie_echo: ACK! don't have a TCB!\n"); 2057 } 2058 #endif /* SCTP_DEBUG */ 2059 return (NULL); 2060 } 2061 2062 /* 2063 * Ok, we built an association so confirm the address 2064 * we sent the INIT-ACK to. 2065 */ 2066 netl = sctp_findnet(*stcb, to); 2067 /* This code should in theory NOT run but 2068 */ 2069 if (netl == NULL) { 2070 int ret; 2071 #ifdef SCTP_DEBUG 2072 kprintf("TSNH! Huh, why do I need to add this address here?\n"); 2073 #endif 2074 ret = sctp_add_remote_addr(*stcb, to, 0, 100); 2075 netl = sctp_findnet(*stcb, to); 2076 } 2077 if (netl) { 2078 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2079 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2080 sctp_set_primary_addr((*stcb), NULL, 2081 netl); 2082 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2083 (*stcb), 0, (void *)netl); 2084 } 2085 } 2086 #ifdef SCTP_DEBUG 2087 else { 2088 kprintf("Could not add source address for some reason\n"); 2089 } 2090 #endif 2091 2092 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2093 if (!had_a_existing_tcb || 2094 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2095 /* 2096 * If we have a NEW cookie or the connect never reached 2097 * the connected state during collision we must do the 2098 * TCP accept thing. 2099 */ 2100 struct socket *so, *oso; 2101 struct sctp_inpcb *inp; 2102 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2103 /* 2104 * For a restart we will keep the same socket, 2105 * no need to do anything. I THINK!! 2106 */ 2107 sctp_ulp_notify(notification, *stcb, 0, NULL); 2108 return (m); 2109 } 2110 oso = (*inp_p)->sctp_socket; 2111 SCTP_TCB_UNLOCK((*stcb)); 2112 so = sonewconn(oso, SS_ISCONNECTED); 2113 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2114 SCTP_TCB_LOCK((*stcb)); 2115 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2116 if (so == NULL) { 2117 struct mbuf *op_err; 2118 /* Too many sockets */ 2119 #ifdef SCTP_DEBUG 2120 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2121 kprintf("process_cookie_new: no room for another socket!\n"); 2122 } 2123 #endif /* SCTP_DEBUG */ 2124 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2125 sctp_abort_association(*inp_p, NULL, m, iphlen, 2126 sh, op_err); 2127 sctp_free_assoc(*inp_p, *stcb); 2128 return (NULL); 2129 } 2130 inp = (struct sctp_inpcb *)so->so_pcb; 2131 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2132 SCTP_PCB_FLAGS_CONNECTED | 2133 SCTP_PCB_FLAGS_IN_TCPPOOL | 2134 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2135 SCTP_PCB_FLAGS_DONT_WAKE); 2136 inp->sctp_socket = so; 2137 2138 /* 2139 * Now we must move it from one hash table to another 2140 * and get the tcb in the right place. 2141 */ 2142 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2143 2144 /* Switch over to the new guy */ 2145 *inp_p = inp; 2146 2147 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, 2148 *stcb, *netp); 2149 2150 sctp_ulp_notify(notification, *stcb, 0, NULL); 2151 return (m); 2152 } 2153 } 2154 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2155 sctp_ulp_notify(notification, *stcb, 0, NULL); 2156 } 2157 return (m); 2158 } 2159 2160 static void 2161 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2162 struct sctp_tcb *stcb, struct sctp_nets *net) 2163 { 2164 /* cp must not be used, others call this without a c-ack :-) */ 2165 struct sctp_association *asoc; 2166 2167 #ifdef SCTP_DEBUG 2168 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2169 kprintf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2170 } 2171 #endif 2172 if (stcb == NULL) 2173 return; 2174 2175 asoc = &stcb->asoc; 2176 2177 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2178 2179 /* process according to association state */ 2180 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2181 /* state change only needed when I am in right state */ 2182 #ifdef SCTP_DEBUG 2183 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2184 kprintf("moving to OPEN state\n"); 2185 } 2186 #endif 2187 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2188 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2189 } else { 2190 asoc->state = SCTP_STATE_OPEN; 2191 } 2192 2193 /* update RTO */ 2194 if (asoc->overall_error_count == 0) { 2195 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2196 &asoc->time_entered); 2197 } 2198 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2199 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2200 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2201 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2202 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2203 soisconnected(stcb->sctp_ep->sctp_socket); 2204 } 2205 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2206 stcb, net); 2207 /* since we did not send a HB make sure we don't double things */ 2208 net->hb_responded = 1; 2209 2210 if (stcb->asoc.sctp_autoclose_ticks && 2211 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 2212 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2213 stcb->sctp_ep, stcb, NULL); 2214 } 2215 2216 /* 2217 * set ASCONF timer if ASCONFs are pending and allowed 2218 * (eg. addresses changed when init/cookie echo in flight) 2219 */ 2220 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_DO_ASCONF) && 2221 (stcb->asoc.peer_supports_asconf) && 2222 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2223 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2224 stcb->sctp_ep, stcb, 2225 stcb->asoc.primary_destination); 2226 } 2227 2228 } 2229 /* Toss the cookie if I can */ 2230 sctp_toss_old_cookies(asoc); 2231 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2232 /* Restart the timer if we have pending data */ 2233 struct sctp_tmit_chunk *chk; 2234 chk = TAILQ_FIRST(&asoc->sent_queue); 2235 if (chk) { 2236 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2237 stcb, chk->whoTo); 2238 } 2239 } 2240 2241 } 2242 2243 static void 2244 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2245 struct sctp_tcb *stcb) 2246 { 2247 struct sctp_nets *net; 2248 struct sctp_tmit_chunk *lchk; 2249 u_int32_t tsn; 2250 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2251 return; 2252 } 2253 sctp_pegs[SCTP_ECNE_RCVD]++; 2254 tsn = ntohl(cp->tsn); 2255 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2256 /* Also we make sure we disable the nonce_wait */ 2257 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2258 if (lchk == NULL) { 2259 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2260 } else { 2261 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2262 } 2263 stcb->asoc.nonce_wait_for_ecne = 0; 2264 stcb->asoc.nonce_sum_check = 0; 2265 2266 /* Find where it was sent, if possible */ 2267 net = NULL; 2268 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2269 while (lchk) { 2270 if (lchk->rec.data.TSN_seq == tsn) { 2271 net = lchk->whoTo; 2272 break; 2273 } 2274 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2275 break; 2276 lchk = TAILQ_NEXT(lchk, sctp_next); 2277 } 2278 if (net == NULL) 2279 /* default is we use the primary */ 2280 net = stcb->asoc.primary_destination; 2281 2282 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2283 #ifdef SCTP_CWND_LOGGING 2284 int old_cwnd; 2285 #endif 2286 #ifdef SCTP_CWND_LOGGING 2287 old_cwnd = net->cwnd; 2288 #endif 2289 sctp_pegs[SCTP_CWR_PERFO]++; 2290 net->ssthresh = net->cwnd / 2; 2291 if (net->ssthresh < net->mtu) { 2292 net->ssthresh = net->mtu; 2293 /* here back off the timer as well, to slow us down */ 2294 net->RTO <<= 2; 2295 } 2296 net->cwnd = net->ssthresh; 2297 #ifdef SCTP_CWND_LOGGING 2298 sctp_log_cwnd(net, (net->cwnd-old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2299 #endif 2300 /* we reduce once every RTT. So we will only lower 2301 * cwnd at the next sending seq i.e. the resync_tsn. 2302 */ 2303 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2304 } 2305 /* 2306 * We always send a CWR this way if our previous one was lost 2307 * our peer will get an update, or if it is not time again 2308 * to reduce we still get the cwr to the peer. 2309 */ 2310 sctp_send_cwr(stcb, net, tsn); 2311 } 2312 2313 static void 2314 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2315 { 2316 /* Here we get a CWR from the peer. We must look in 2317 * the outqueue and make sure that we have a covered 2318 * ECNE in teh control chunk part. If so remove it. 2319 */ 2320 struct sctp_tmit_chunk *chk; 2321 struct sctp_ecne_chunk *ecne; 2322 2323 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2324 if (chk->rec.chunk_id != SCTP_ECN_ECHO) { 2325 continue; 2326 } 2327 /* Look for and remove if it is the right TSN. Since 2328 * there is only ONE ECNE on the control queue at 2329 * any one time we don't need to worry about more than 2330 * one! 2331 */ 2332 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2333 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2334 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2335 /* this covers this ECNE, we can remove it */ 2336 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2337 sctp_next); 2338 if (chk->data) { 2339 sctp_m_freem(chk->data); 2340 chk->data = NULL; 2341 } 2342 stcb->asoc.ctrl_queue_cnt--; 2343 sctp_free_remote_addr(chk->whoTo); 2344 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2345 sctppcbinfo.ipi_count_chunk--; 2346 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2347 panic("Chunk count is negative"); 2348 } 2349 sctppcbinfo.ipi_gencnt_chunk++; 2350 break; 2351 } 2352 } 2353 } 2354 2355 static void 2356 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2357 struct sctp_tcb *stcb, struct sctp_nets *net) 2358 { 2359 struct sctp_association *asoc; 2360 2361 #ifdef SCTP_DEBUG 2362 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2363 kprintf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2364 } 2365 #endif 2366 if (stcb == NULL) 2367 return; 2368 2369 asoc = &stcb->asoc; 2370 /* process according to association state */ 2371 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2372 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2373 return; 2374 } 2375 /* notify upper layer protocol */ 2376 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2377 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2378 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2379 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 2380 stcb->sctp_ep->sctp_socket->so_snd.ssb_cc = 0; 2381 stcb->sctp_ep->sctp_socket->so_snd.ssb_mbcnt = 0; 2382 soisdisconnected(stcb->sctp_ep->sctp_socket); 2383 } 2384 /* are the queues empty? they should be */ 2385 if (!TAILQ_EMPTY(&asoc->send_queue) || 2386 !TAILQ_EMPTY(&asoc->sent_queue) || 2387 !TAILQ_EMPTY(&asoc->out_wheel)) { 2388 sctp_report_all_outbound(stcb); 2389 } 2390 /* stop the timer */ 2391 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 2392 /* free the TCB */ 2393 sctp_free_assoc(stcb->sctp_ep, stcb); 2394 return; 2395 } 2396 2397 static int 2398 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2399 struct sctp_nets *net, u_int8_t flg) 2400 { 2401 switch (desc->chunk_type) { 2402 case SCTP_DATA: 2403 /* find the tsn to resend (possibly */ 2404 { 2405 u_int32_t tsn; 2406 struct sctp_tmit_chunk *tp1; 2407 tsn = ntohl(desc->tsn_ifany); 2408 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2409 while (tp1) { 2410 if (tp1->rec.data.TSN_seq == tsn) { 2411 /* found it */ 2412 break; 2413 } 2414 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2415 MAX_TSN)) { 2416 /* not found */ 2417 tp1 = NULL; 2418 break; 2419 } 2420 tp1 = TAILQ_NEXT(tp1, sctp_next); 2421 } 2422 if (tp1 == NULL) { 2423 /* Do it the other way */ 2424 sctp_pegs[SCTP_PDRP_DNFND]++; 2425 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2426 while (tp1) { 2427 if (tp1->rec.data.TSN_seq == tsn) { 2428 /* found it */ 2429 break; 2430 } 2431 tp1 = TAILQ_NEXT(tp1, sctp_next); 2432 } 2433 } 2434 if (tp1 == NULL) { 2435 sctp_pegs[SCTP_PDRP_TSNNF]++; 2436 } 2437 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2438 u_int8_t *ddp; 2439 if (((tp1->rec.data.state_flags & SCTP_WINDOW_PROBE) == SCTP_WINDOW_PROBE) && 2440 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2441 sctp_pegs[SCTP_PDRP_DIWNP]++; 2442 return (0); 2443 } 2444 if (stcb->asoc.peers_rwnd == 0 && 2445 (flg & SCTP_FROM_MIDDLE_BOX)) { 2446 sctp_pegs[SCTP_PDRP_DIZRW]++; 2447 return (0); 2448 } 2449 ddp = (u_int8_t *)(mtod(tp1->data, caddr_t) + 2450 sizeof(struct sctp_data_chunk)); 2451 { 2452 unsigned int iii; 2453 for (iii = 0; iii < sizeof(desc->data_bytes); 2454 iii++) { 2455 if (ddp[iii] != desc->data_bytes[iii]) { 2456 sctp_pegs[SCTP_PDRP_BADD]++; 2457 return (-1); 2458 } 2459 } 2460 } 2461 if (tp1->sent != SCTP_DATAGRAM_RESEND) { 2462 stcb->asoc.sent_queue_retran_cnt++; 2463 } 2464 /* We zero out the nonce so resync not needed */ 2465 tp1->rec.data.ect_nonce = 0; 2466 2467 if (tp1->do_rtt) { 2468 /* 2469 * this guy had a RTO calculation pending on it, 2470 * cancel it 2471 */ 2472 tp1->whoTo->rto_pending = 0; 2473 tp1->do_rtt = 0; 2474 } 2475 sctp_pegs[SCTP_PDRP_MARK]++; 2476 tp1->sent = SCTP_DATAGRAM_RESEND; 2477 /* 2478 * mark it as if we were doing a FR, since we 2479 * will be getting gap ack reports behind the 2480 * info from the router. 2481 */ 2482 tp1->rec.data.doing_fast_retransmit = 1; 2483 /* 2484 * mark the tsn with what sequences can cause a new FR. 2485 */ 2486 if (TAILQ_EMPTY(&stcb->asoc.send_queue) ) { 2487 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2488 } else { 2489 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2490 } 2491 2492 /* restart the timer */ 2493 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2494 stcb, tp1->whoTo); 2495 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2496 stcb, tp1->whoTo); 2497 2498 /* fix counts and things */ 2499 tp1->whoTo->flight_size -= tp1->send_size; 2500 if (tp1->whoTo->flight_size < 0) { 2501 tp1->whoTo->flight_size = 0; 2502 } 2503 stcb->asoc.total_flight -= tp1->book_size; 2504 if (stcb->asoc.total_flight < 0) { 2505 stcb->asoc.total_flight = 0; 2506 } 2507 stcb->asoc.total_flight_count--; 2508 if (stcb->asoc.total_flight_count < 0) { 2509 stcb->asoc.total_flight_count = 0; 2510 } 2511 tp1->snd_count--; 2512 } 2513 { 2514 /* audit code */ 2515 unsigned int audit; 2516 audit = 0; 2517 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2518 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2519 audit++; 2520 } 2521 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2522 sctp_next) { 2523 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2524 audit++; 2525 } 2526 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2527 kprintf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2528 audit, stcb->asoc.sent_queue_retran_cnt); 2529 #ifndef SCTP_AUDITING_ENABLED 2530 stcb->asoc.sent_queue_retran_cnt = audit; 2531 #endif 2532 } 2533 } 2534 } 2535 break; 2536 case SCTP_ASCONF: 2537 { 2538 struct sctp_tmit_chunk *asconf; 2539 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2540 sctp_next) { 2541 if (asconf->rec.chunk_id == SCTP_ASCONF) { 2542 break; 2543 } 2544 } 2545 if (asconf) { 2546 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2547 stcb->asoc.sent_queue_retran_cnt++; 2548 asconf->sent = SCTP_DATAGRAM_RESEND; 2549 asconf->snd_count--; 2550 } 2551 } 2552 break; 2553 case SCTP_INITIATION: 2554 /* resend the INIT */ 2555 stcb->asoc.dropped_special_cnt++; 2556 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2557 /* 2558 * If we can get it in, in a few attempts we do this, 2559 * otherwise we let the timer fire. 2560 */ 2561 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2562 stcb, net); 2563 sctp_send_initiate(stcb->sctp_ep, stcb); 2564 } 2565 break; 2566 case SCTP_SELECTIVE_ACK: 2567 /* resend the sack */ 2568 sctp_send_sack(stcb); 2569 break; 2570 case SCTP_HEARTBEAT_REQUEST: 2571 /* resend a demand HB */ 2572 sctp_send_hb(stcb, 1, net); 2573 break; 2574 case SCTP_SHUTDOWN: 2575 #ifdef SCTP_DEBUG 2576 if (sctp_debug_on & SCTP_DEBUG_OUTPUT4) { 2577 kprintf("%s:%d sends a shutdown\n", 2578 __FILE__, 2579 __LINE__ 2580 ); 2581 } 2582 #endif 2583 sctp_send_shutdown(stcb, net); 2584 break; 2585 case SCTP_SHUTDOWN_ACK: 2586 sctp_send_shutdown_ack(stcb, net); 2587 break; 2588 case SCTP_COOKIE_ECHO: 2589 { 2590 struct sctp_tmit_chunk *cookie; 2591 cookie = NULL; 2592 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2593 sctp_next) { 2594 if (cookie->rec.chunk_id == SCTP_COOKIE_ECHO) { 2595 break; 2596 } 2597 } 2598 if (cookie) { 2599 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2600 stcb->asoc.sent_queue_retran_cnt++; 2601 cookie->sent = SCTP_DATAGRAM_RESEND; 2602 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2603 } 2604 } 2605 break; 2606 case SCTP_COOKIE_ACK: 2607 sctp_send_cookie_ack(stcb); 2608 break; 2609 case SCTP_ASCONF_ACK: 2610 /* resend last asconf ack */ 2611 sctp_send_asconf_ack(stcb, 1); 2612 break; 2613 case SCTP_FORWARD_CUM_TSN: 2614 send_forward_tsn(stcb, &stcb->asoc); 2615 break; 2616 /* can't do anything with these */ 2617 case SCTP_PACKET_DROPPED: 2618 case SCTP_INITIATION_ACK: /* this should not happen */ 2619 case SCTP_HEARTBEAT_ACK: 2620 case SCTP_ABORT_ASSOCIATION: 2621 case SCTP_OPERATION_ERROR: 2622 case SCTP_SHUTDOWN_COMPLETE: 2623 case SCTP_ECN_ECHO: 2624 case SCTP_ECN_CWR: 2625 default: 2626 break; 2627 } 2628 return (0); 2629 } 2630 2631 static void 2632 sctp_reset_in_stream(struct sctp_tcb *stcb, 2633 struct sctp_stream_reset_response *resp, int number_entries) 2634 { 2635 int i; 2636 uint16_t *list, temp; 2637 2638 /* We set things to 0xffff since this is the last delivered 2639 * sequence and we will be sending in 0 after the reset. 2640 */ 2641 2642 if (resp->reset_flags & SCTP_RESET_PERFORMED) { 2643 if (number_entries) { 2644 list = resp->list_of_streams; 2645 for (i = 0; i < number_entries; i++) { 2646 temp = ntohs(list[i]); 2647 list[i] = temp; 2648 if (list[i] >= stcb->asoc.streamincnt) { 2649 kprintf("Invalid stream in-stream reset %d\n", list[i]); 2650 continue; 2651 } 2652 stcb->asoc.strmin[(list[i])].last_sequence_delivered = 0xffff; 2653 } 2654 } else { 2655 list = NULL; 2656 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2657 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2658 } 2659 } 2660 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2661 } 2662 } 2663 2664 static void 2665 sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2666 { 2667 struct sctp_tmit_chunk *chk, *nchk; 2668 struct sctp_association *asoc; 2669 2670 asoc = &stcb->asoc; 2671 2672 for (chk = TAILQ_FIRST(&asoc->control_send_queue); 2673 chk; chk = nchk) { 2674 nchk = TAILQ_NEXT(chk, sctp_next); 2675 if (chk->rec.chunk_id == SCTP_STREAM_RESET) { 2676 struct sctp_stream_reset_req *strreq; 2677 strreq = mtod(chk->data, struct sctp_stream_reset_req *); 2678 if (strreq->sr_req.ph.param_type == ntohs(SCTP_STR_RESET_RESPONSE)) { 2679 /* we only clean up the request */ 2680 continue; 2681 } else if (strreq->sr_req.ph.param_type != ntohs(SCTP_STR_RESET_REQUEST)) { 2682 kprintf("TSNH, an unknown stream reset request is in queue %x\n", 2683 (u_int)ntohs(strreq->sr_req.ph.param_type)); 2684 continue; 2685 } 2686 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2687 TAILQ_REMOVE(&asoc->control_send_queue, 2688 chk, 2689 sctp_next); 2690 if (chk->data) { 2691 sctp_m_freem(chk->data); 2692 chk->data = NULL; 2693 } 2694 asoc->ctrl_queue_cnt--; 2695 sctp_free_remote_addr(chk->whoTo); 2696 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2697 sctppcbinfo.ipi_count_chunk--; 2698 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2699 panic("Chunk count is negative"); 2700 } 2701 sctppcbinfo.ipi_gencnt_chunk++; 2702 /* we can only have one of these so we break */ 2703 break; 2704 } 2705 } 2706 } 2707 2708 2709 void 2710 sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2711 struct sctp_stream_reset_response *resp) 2712 { 2713 uint32_t seq, tsn; 2714 int number_entries, param_length; 2715 2716 param_length = ntohs(resp->ph.param_length); 2717 seq = ntohl(resp->reset_req_seq_resp); 2718 if (seq == stcb->asoc.str_reset_seq_out) { 2719 sctp_clean_up_stream_reset(stcb); 2720 stcb->asoc.str_reset_seq_out++; 2721 stcb->asoc.stream_reset_outstanding = 0; 2722 tsn = ntohl(resp->reset_at_tsn); 2723 number_entries = (param_length - sizeof(struct sctp_stream_reset_response))/sizeof(uint16_t); 2724 tsn--; 2725 if ((tsn == stcb->asoc.cumulative_tsn) || 2726 (compare_with_wrap(stcb->asoc.cumulative_tsn, tsn, MAX_TSN))) { 2727 /* no problem we are good to go */ 2728 sctp_reset_in_stream(stcb, resp, number_entries); 2729 } else { 2730 /* So, we have a stream reset but there 2731 * is pending data. We need to copy 2732 * out the stream_reset and then queue 2733 * any data = or > resp->reset_at_tsn 2734 */ 2735 if (stcb->asoc.pending_reply != NULL) { 2736 /* FIX ME FIX ME 2737 * This IS WRONG. We need 2738 * to queue each of these up 2739 * and only release the chunks 2740 * for each reset that the cum-ack 2741 * goes by. This is a short cut. 2742 */ 2743 kfree(stcb->asoc.pending_reply, M_PCB); 2744 stcb->asoc.pending_reply = NULL; 2745 } 2746 stcb->asoc.pending_reply = kmalloc(param_length, M_PCB, 2747 M_NOWAIT); 2748 if (stcb->asoc.pending_reply == NULL) 2749 return; /* XXX */ 2750 memcpy(stcb->asoc.pending_reply, resp, param_length); 2751 } 2752 2753 } else { 2754 /* duplicate */ 2755 #ifdef SCTP_DEBUG 2756 kprintf("Duplicate old stream reset resp next:%x this one:%x\n", 2757 stcb->asoc.str_reset_seq_out, seq); 2758 #endif 2759 } 2760 } 2761 2762 2763 static void 2764 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_req *sr_req) 2765 { 2766 int chk_length, param_len; 2767 struct sctp_paramhdr *ph; 2768 /* now it may be a reset or a reset-response */ 2769 struct sctp_stream_reset_request *req; 2770 struct sctp_stream_reset_response *resp; 2771 chk_length = ntohs(sr_req->ch.chunk_length); 2772 2773 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 2774 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_request)) { 2775 param_len = ntohs(ph->param_length); 2776 if (ntohs(ph->param_type) == SCTP_STR_RESET_REQUEST) { 2777 /* this will send the ACK and do the reset if needed */ 2778 req = (struct sctp_stream_reset_request *)ph; 2779 sctp_send_str_reset_ack(stcb, req); 2780 } else if (ntohs(ph->param_type) == SCTP_STR_RESET_RESPONSE) { 2781 /* Now here is a tricky one. We reset our receive side 2782 * of the streams. But what happens if the peers 2783 * next sending TSN is NOT equal to 1 minus our cumack? 2784 * And if his cumack is not equal to our next one out - 1 2785 * we have another problem if this is receprical. 2786 */ 2787 resp = (struct sctp_stream_reset_response *)ph; 2788 sctp_handle_stream_reset_response(stcb, resp); 2789 } 2790 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 2791 chk_length -= SCTP_SIZE32(param_len); 2792 } 2793 } 2794 2795 /* 2796 * Handle a router or endpoints report of a packet loss, there 2797 * are two ways to handle this, either we get the whole packet 2798 * and must disect it ourselves (possibly with truncation and 2799 * or corruption) or it is a summary from a middle box that did 2800 * the disectting for us. 2801 */ 2802 static void 2803 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 2804 struct sctp_tcb *stcb, struct sctp_nets *net) 2805 { 2806 u_int32_t bottle_bw, on_queue; 2807 u_int16_t trunc_len; 2808 unsigned int chlen; 2809 unsigned int at; 2810 struct sctp_chunk_desc desc; 2811 struct sctp_chunkhdr *ch; 2812 2813 chlen = ntohs(cp->ch.chunk_length); 2814 chlen -= sizeof(struct sctp_pktdrop_chunk); 2815 /* XXX possible chlen underflow */ 2816 if (chlen == 0) { 2817 ch = NULL; 2818 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 2819 sctp_pegs[SCTP_PDRP_BWRPT]++; 2820 } else { 2821 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 2822 chlen -= sizeof(struct sctphdr); 2823 /* XXX possible chlen underflow */ 2824 memset(&desc, 0, sizeof(desc)); 2825 } 2826 2827 /* first update a rwnd possibly */ 2828 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 2829 /* From a peer, we get a rwnd report */ 2830 u_int32_t a_rwnd; 2831 2832 sctp_pegs[SCTP_PDRP_FEHOS]++; 2833 2834 bottle_bw = ntohl(cp->bottle_bw); 2835 on_queue = ntohl(cp->current_onq); 2836 if (bottle_bw && on_queue) { 2837 /* a rwnd report is in here */ 2838 if (bottle_bw > on_queue) 2839 a_rwnd = bottle_bw - on_queue; 2840 else 2841 a_rwnd = 0; 2842 2843 if (a_rwnd <= 0) 2844 stcb->asoc.peers_rwnd = 0; 2845 else { 2846 if (a_rwnd > stcb->asoc.total_flight) { 2847 stcb->asoc.peers_rwnd = 2848 a_rwnd - stcb->asoc.total_flight; 2849 } else { 2850 stcb->asoc.peers_rwnd = 0; 2851 } 2852 if (stcb->asoc.peers_rwnd < 2853 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 2854 /* SWS sender side engages */ 2855 stcb->asoc.peers_rwnd = 0; 2856 } 2857 } 2858 } 2859 } else { 2860 sctp_pegs[SCTP_PDRP_FMBOX]++; 2861 } 2862 trunc_len = (u_int16_t)ntohs(cp->trunc_len); 2863 /* now the chunks themselves */ 2864 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 2865 desc.chunk_type = ch->chunk_type; 2866 /* get amount we need to move */ 2867 at = ntohs(ch->chunk_length); 2868 if (at < sizeof(struct sctp_chunkhdr)) { 2869 /* corrupt chunk, maybe at the end? */ 2870 sctp_pegs[SCTP_PDRP_CRUPT]++; 2871 break; 2872 } 2873 if (trunc_len == 0) { 2874 /* we are supposed to have all of it */ 2875 if (at > chlen) { 2876 /* corrupt skip it */ 2877 sctp_pegs[SCTP_PDRP_CRUPT]++; 2878 break; 2879 } 2880 } else { 2881 /* is there enough of it left ? */ 2882 if (desc.chunk_type == SCTP_DATA) { 2883 if (chlen < (sizeof(struct sctp_data_chunk) + 2884 sizeof(desc.data_bytes))) { 2885 break; 2886 } 2887 } else { 2888 if (chlen < sizeof(struct sctp_chunkhdr)) { 2889 break; 2890 } 2891 } 2892 } 2893 if (desc.chunk_type == SCTP_DATA) { 2894 /* can we get out the tsn? */ 2895 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2896 sctp_pegs[SCTP_PDRP_MB_DA]++; 2897 2898 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(u_int32_t)) ) { 2899 /* yep */ 2900 struct sctp_data_chunk *dcp; 2901 u_int8_t *ddp; 2902 unsigned int iii; 2903 dcp = (struct sctp_data_chunk *)ch; 2904 ddp = (u_int8_t *)(dcp + 1); 2905 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 2906 desc.data_bytes[iii] = ddp[iii]; 2907 } 2908 desc.tsn_ifany = dcp->dp.tsn; 2909 } else { 2910 /* nope we are done. */ 2911 sctp_pegs[SCTP_PDRP_NEDAT]++; 2912 break; 2913 } 2914 } else { 2915 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2916 sctp_pegs[SCTP_PDRP_MB_CT]++; 2917 } 2918 2919 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 2920 sctp_pegs[SCTP_PDRP_PDBRK]++; 2921 break; 2922 } 2923 if (SCTP_SIZE32(at) > chlen) { 2924 break; 2925 } 2926 chlen -= SCTP_SIZE32(at); 2927 if (chlen < sizeof(struct sctp_chunkhdr)) { 2928 /* done, none left */ 2929 break; 2930 } 2931 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 2932 } 2933 2934 /* now middle boxes in sat networks get a cwnd bump */ 2935 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 2936 (stcb->asoc.sat_t3_loss_recovery == 0) && 2937 (stcb->asoc.sat_network)) { 2938 /* 2939 * This is debateable but for sat networks it makes sense 2940 * Note if a T3 timer has went off, we will prohibit any 2941 * changes to cwnd until we exit the t3 loss recovery. 2942 */ 2943 u_int32_t bw_avail; 2944 int rtt, incr; 2945 #ifdef SCTP_CWND_LOGGING 2946 int old_cwnd=net->cwnd; 2947 #endif 2948 /* need real RTT for this calc */ 2949 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 2950 /* get bottle neck bw */ 2951 bottle_bw = ntohl(cp->bottle_bw); 2952 /* and whats on queue */ 2953 on_queue = ntohl(cp->current_onq); 2954 /* 2955 * adjust the on-queue if our flight is more it could be 2956 * that the router has not yet gotten data "in-flight" to it 2957 */ 2958 if (on_queue < net->flight_size) 2959 on_queue = net->flight_size; 2960 2961 /* calculate the available space */ 2962 bw_avail = (bottle_bw*rtt)/1000; 2963 if (bw_avail > bottle_bw) { 2964 /* 2965 * Cap the growth to no more than the bottle neck. 2966 * This can happen as RTT slides up due to queues. 2967 * It also means if you have more than a 1 second 2968 * RTT with a empty queue you will be limited to 2969 * the bottle_bw per second no matter if 2970 * other points have 1/2 the RTT and you could 2971 * get more out... 2972 */ 2973 bw_avail = bottle_bw; 2974 } 2975 2976 if (on_queue > bw_avail) { 2977 /* 2978 * No room for anything else don't allow anything 2979 * else to be "added to the fire". 2980 */ 2981 int seg_inflight, seg_onqueue, my_portion; 2982 net->partial_bytes_acked = 0; 2983 2984 /* how much are we over queue size? */ 2985 incr = on_queue - bw_avail; 2986 if (stcb->asoc.seen_a_sack_this_pkt) { 2987 /* undo any cwnd adjustment that 2988 * the sack might have made 2989 */ 2990 net->cwnd = net->prev_cwnd; 2991 } 2992 2993 /* Now how much of that is mine? */ 2994 seg_inflight = net->flight_size / net->mtu; 2995 seg_onqueue = on_queue / net->mtu; 2996 my_portion = (incr * seg_inflight)/seg_onqueue; 2997 2998 /* Have I made an adjustment already */ 2999 if (net->cwnd > net->flight_size) { 3000 /* for this flight I made an adjustment 3001 * we need to decrease the portion by a share 3002 * our previous adjustment. 3003 */ 3004 int diff_adj; 3005 diff_adj = net->cwnd - net->flight_size; 3006 if (diff_adj > my_portion) 3007 my_portion = 0; 3008 else 3009 my_portion -= diff_adj; 3010 } 3011 3012 /* back down to the previous cwnd (assume 3013 * we have had a sack before this packet). minus 3014 * what ever portion of the overage is my fault. 3015 */ 3016 net->cwnd -= my_portion; 3017 3018 /* we will NOT back down more than 1 MTU */ 3019 if (net->cwnd <= net->mtu) { 3020 net->cwnd = net->mtu; 3021 } 3022 /* force into CA */ 3023 net->ssthresh = net->cwnd - 1; 3024 } else { 3025 /* 3026 * Take 1/4 of the space left or 3027 * max burst up .. whichever is less. 3028 */ 3029 incr = min((bw_avail - on_queue) >> 2, 3030 (int)stcb->asoc.max_burst * (int)net->mtu); 3031 net->cwnd += incr; 3032 } 3033 if (net->cwnd > bw_avail) { 3034 /* We can't exceed the pipe size */ 3035 net->cwnd = bw_avail; 3036 } 3037 if (net->cwnd < net->mtu) { 3038 /* We always have 1 MTU */ 3039 net->cwnd = net->mtu; 3040 } 3041 #ifdef SCTP_CWND_LOGGING 3042 if (net->cwnd - old_cwnd != 0) { 3043 /* log only changes */ 3044 sctp_log_cwnd(net, (net->cwnd - old_cwnd), 3045 SCTP_CWND_LOG_FROM_SAT); 3046 } 3047 #endif 3048 } 3049 } 3050 3051 extern int sctp_strict_init; 3052 3053 /* 3054 * handles all control chunks in a packet 3055 * inputs: 3056 * - m: mbuf chain, assumed to still contain IP/SCTP header 3057 * - stcb: is the tcb found for this packet 3058 * - offset: offset into the mbuf chain to first chunkhdr 3059 * - length: is the length of the complete packet 3060 * outputs: 3061 * - length: modified to remaining length after control processing 3062 * - netp: modified to new sctp_nets after cookie-echo processing 3063 * - return NULL to discard the packet (ie. no asoc, bad packet,...) 3064 * otherwise return the tcb for this packet 3065 */ 3066 static struct sctp_tcb * 3067 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3068 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3069 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3070 { 3071 struct sctp_association *asoc; 3072 u_int32_t vtag_in; 3073 int num_chunks = 0; /* number of control chunks processed */ 3074 int chk_length; 3075 int ret; 3076 3077 /* 3078 * How big should this be, and should it be alloc'd? 3079 * Lets try the d-mtu-ceiling for now (2k) and that should 3080 * hopefully work ... until we get into jumbo grams and such.. 3081 */ 3082 u_int8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 3083 struct sctp_tcb *locked_tcb = stcb; 3084 3085 #ifdef SCTP_DEBUG 3086 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3087 kprintf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3088 iphlen, *offset, length, stcb); 3089 } 3090 #endif /* SCTP_DEBUG */ 3091 3092 /* validate chunk header length... */ 3093 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3094 return (NULL); 3095 } 3096 3097 /* 3098 * validate the verification tag 3099 */ 3100 #ifdef SCTP_DEBUG 3101 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3102 kprintf("sctp_process_control: validating vtags\n"); 3103 } 3104 #endif /* SCTP_DEBUG */ 3105 vtag_in = ntohl(sh->v_tag); 3106 if (ch->chunk_type == SCTP_INITIATION) { 3107 if (vtag_in != 0) { 3108 /* protocol error- silently discard... */ 3109 #ifdef SCTP_DEBUG 3110 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3111 kprintf("sctp_process_control: INIT with vtag != 0\n"); 3112 } 3113 #endif /* SCTP_DEBUG */ 3114 sctp_pegs[SCTP_BAD_VTAGS]++; 3115 if (locked_tcb) 3116 SCTP_TCB_UNLOCK(locked_tcb); 3117 return (NULL); 3118 } 3119 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3120 /* 3121 * first check if it's an ASCONF with an unknown src addr 3122 * we need to look inside to find the association 3123 */ 3124 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3125 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3126 *offset, sh, &inp, netp); 3127 } 3128 if (stcb == NULL) { 3129 /* no association, so it's out of the blue... */ 3130 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3131 #ifdef SCTP_DEBUG 3132 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3133 kprintf("sctp_process_control: handling OOTB packet, chunk type=%xh\n", 3134 ch->chunk_type); 3135 } 3136 #endif /* SCTP_DEBUG */ 3137 *offset = length; 3138 if (locked_tcb) 3139 SCTP_TCB_UNLOCK(locked_tcb); 3140 return (NULL); 3141 } 3142 asoc = &stcb->asoc; 3143 /* ABORT and SHUTDOWN can use either v_tag... */ 3144 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3145 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3146 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3147 if ((vtag_in == asoc->my_vtag) || 3148 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3149 (vtag_in == asoc->peer_vtag))) { 3150 /* this is valid */ 3151 } else { 3152 /* drop this packet... */ 3153 sctp_pegs[SCTP_BAD_VTAGS]++; 3154 if (locked_tcb) 3155 SCTP_TCB_UNLOCK(locked_tcb); 3156 return (NULL); 3157 } 3158 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3159 if (vtag_in != asoc->my_vtag) { 3160 /* 3161 * this could be a stale SHUTDOWN-ACK or the 3162 * peer never got the SHUTDOWN-COMPLETE and 3163 * is still hung; we have started a new asoc 3164 * but it won't complete until the shutdown is 3165 * completed 3166 */ 3167 if (locked_tcb) 3168 SCTP_TCB_UNLOCK(locked_tcb); 3169 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3170 NULL); 3171 return (NULL); 3172 } 3173 } else { 3174 /* for all other chunks, vtag must match */ 3175 3176 if (vtag_in != asoc->my_vtag) { 3177 /* invalid vtag... */ 3178 #ifdef SCTP_DEBUG 3179 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3180 kprintf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3181 } 3182 #endif /* SCTP_DEBUG */ 3183 sctp_pegs[SCTP_BAD_VTAGS]++; 3184 if (locked_tcb) 3185 SCTP_TCB_UNLOCK(locked_tcb); 3186 *offset = length; 3187 return (NULL); 3188 } 3189 } 3190 } /* end if !SCTP_COOKIE_ECHO */ 3191 3192 #ifdef SCTP_DEBUG 3193 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3194 kprintf("sctp_process_control: vtags ok, processing ctrl chunks\n"); 3195 } 3196 #endif /* SCTP_DEBUG */ 3197 3198 /* 3199 * process all control chunks... 3200 */ 3201 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3202 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3203 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3204 /* implied cookie-ack.. we must have lost the ack */ 3205 stcb->asoc.overall_error_count = 0; 3206 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 3207 } 3208 3209 while (IS_SCTP_CONTROL(ch)) { 3210 /* validate chunk length */ 3211 chk_length = ntohs(ch->chunk_length); 3212 #ifdef SCTP_DEBUG 3213 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3214 kprintf("sctp_process_control: processing a chunk type=%u, len=%u\n", ch->chunk_type, chk_length); 3215 } 3216 #endif /* SCTP_DEBUG */ 3217 if ((size_t)chk_length < sizeof(*ch) || 3218 (*offset + chk_length) > length) { 3219 #ifdef SCTP_DEBUG 3220 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3221 kprintf("sctp_process_control: chunk length invalid! *offset:%u, chk_length:%u > length:%u\n", 3222 *offset, length, chk_length); 3223 } 3224 #endif /* SCTP_DEBUG */ 3225 *offset = length; 3226 if (locked_tcb) 3227 SCTP_TCB_UNLOCK(locked_tcb); 3228 return (NULL); 3229 } 3230 3231 /* 3232 * INIT-ACK only gets the init ack "header" portion only 3233 * because we don't have to process the peer's COOKIE. 3234 * All others get a complete chunk. 3235 */ 3236 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3237 /* get an init-ack chunk */ 3238 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3239 sizeof(struct sctp_init_ack), chunk_buf); 3240 if (ch == NULL) { 3241 *offset = length; 3242 if (locked_tcb) 3243 SCTP_TCB_UNLOCK(locked_tcb); 3244 return (NULL); 3245 } 3246 } else { 3247 /* get a complete chunk... */ 3248 if ((size_t)chk_length > sizeof(chunk_buf)) { 3249 struct mbuf *oper; 3250 struct sctp_paramhdr *phdr; 3251 oper = NULL; 3252 MGETHDR(oper, MB_DONTWAIT, MT_HEADER); 3253 if (oper) { 3254 /* pre-reserve some space */ 3255 oper->m_data += 3256 sizeof(struct sctp_chunkhdr); 3257 phdr = 3258 mtod(oper, struct sctp_paramhdr *); 3259 phdr->param_type = 3260 htons(SCTP_CAUSE_OUT_OF_RESC); 3261 phdr->param_length = 3262 htons(sizeof(struct sctp_paramhdr)); 3263 sctp_queue_op_err(stcb, oper); 3264 } 3265 if (locked_tcb) 3266 SCTP_TCB_UNLOCK(locked_tcb); 3267 return (NULL); 3268 } 3269 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3270 chk_length, chunk_buf); 3271 if (ch == NULL) { 3272 kprintf("sctp_process_control: Can't get the all data....\n"); 3273 *offset = length; 3274 if (locked_tcb) 3275 SCTP_TCB_UNLOCK(locked_tcb); 3276 return (NULL); 3277 } 3278 3279 } 3280 num_chunks++; 3281 /* Save off the last place we got a control from */ 3282 if ((*netp) && stcb) { 3283 stcb->asoc.last_control_chunk_from = *netp; 3284 } 3285 #ifdef SCTP_AUDITING_ENABLED 3286 sctp_audit_log(0xB0, ch->chunk_type); 3287 #endif 3288 switch (ch->chunk_type) { 3289 case SCTP_INITIATION: 3290 /* must be first and only chunk */ 3291 #ifdef SCTP_DEBUG 3292 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3293 kprintf("SCTP_INIT\n"); 3294 } 3295 #endif /* SCTP_DEBUG */ 3296 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3297 /* We are not interested anymore */ 3298 if (locked_tcb) 3299 SCTP_TCB_UNLOCK(locked_tcb); 3300 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3301 /* finish the job now */ 3302 sctp_inpcb_free(inp, 1); 3303 } 3304 *offset = length; 3305 return (NULL); 3306 } 3307 if ((num_chunks > 1) || 3308 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3309 *offset = length; 3310 if (locked_tcb) 3311 SCTP_TCB_UNLOCK(locked_tcb); 3312 return (NULL); 3313 } 3314 if ((stcb != NULL) && 3315 (SCTP_GET_STATE(&stcb->asoc) == 3316 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3317 sctp_send_shutdown_ack(stcb, 3318 stcb->asoc.primary_destination); 3319 *offset = length; 3320 if (locked_tcb) 3321 SCTP_TCB_UNLOCK(locked_tcb); 3322 return (NULL); 3323 } 3324 sctp_handle_init(m, iphlen, *offset, sh, 3325 (struct sctp_init_chunk *)ch, inp, stcb, *netp); 3326 *offset = length; 3327 if (locked_tcb) 3328 SCTP_TCB_UNLOCK(locked_tcb); 3329 return (NULL); 3330 break; 3331 case SCTP_INITIATION_ACK: 3332 /* must be first and only chunk */ 3333 #ifdef SCTP_DEBUG 3334 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3335 kprintf("SCTP_INIT-ACK\n"); 3336 } 3337 #endif /* SCTP_DEBUG */ 3338 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3339 /* We are not interested anymore */ 3340 if (locked_tcb) 3341 SCTP_TCB_UNLOCK(locked_tcb); 3342 *offset = length; 3343 if (stcb) { 3344 sctp_free_assoc(inp, stcb); 3345 } else { 3346 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3347 /* finish the job now */ 3348 sctp_inpcb_free(inp, 1); 3349 } 3350 } 3351 return (NULL); 3352 } 3353 if ((num_chunks > 1) || 3354 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3355 #ifdef SCTP_DEBUG 3356 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3357 kprintf("Length is %d rounded chk_length:%d .. dropping\n", 3358 length - *offset, 3359 SCTP_SIZE32(chk_length)); 3360 } 3361 #endif 3362 *offset = length; 3363 if (locked_tcb) 3364 SCTP_TCB_UNLOCK(locked_tcb); 3365 return (NULL); 3366 } 3367 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3368 (struct sctp_init_ack_chunk *)ch, stcb, *netp); 3369 /* 3370 * Special case, I must call the output routine 3371 * to get the cookie echoed 3372 */ 3373 if ((stcb) && ret == 0) 3374 sctp_chunk_output(stcb->sctp_ep, stcb, 2); 3375 *offset = length; 3376 #ifdef SCTP_DEBUG 3377 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3378 kprintf("All done INIT-ACK processing\n"); 3379 } 3380 #endif 3381 if (locked_tcb) 3382 SCTP_TCB_UNLOCK(locked_tcb); 3383 return (NULL); 3384 break; 3385 case SCTP_SELECTIVE_ACK: 3386 #ifdef SCTP_DEBUG 3387 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3388 kprintf("SCTP_SACK\n"); 3389 } 3390 #endif /* SCTP_DEBUG */ 3391 sctp_pegs[SCTP_PEG_SACKS_SEEN]++; 3392 { 3393 int abort_now = 0; 3394 stcb->asoc.seen_a_sack_this_pkt = 1; 3395 sctp_handle_sack((struct sctp_sack_chunk *)ch, 3396 stcb, *netp, &abort_now); 3397 if (abort_now) { 3398 /* ABORT signal from sack processing */ 3399 *offset = length; 3400 return (NULL); 3401 } 3402 } 3403 break; 3404 case SCTP_HEARTBEAT_REQUEST: 3405 #ifdef SCTP_DEBUG 3406 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3407 kprintf("SCTP_HEARTBEAT\n"); 3408 } 3409 #endif /* SCTP_DEBUG */ 3410 sctp_pegs[SCTP_HB_RECV]++; 3411 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3412 *netp); 3413 3414 /* He's alive so give him credit */ 3415 stcb->asoc.overall_error_count = 0; 3416 break; 3417 case SCTP_HEARTBEAT_ACK: 3418 #ifdef SCTP_DEBUG 3419 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3420 kprintf("SCTP_HEARTBEAT-ACK\n"); 3421 } 3422 #endif /* SCTP_DEBUG */ 3423 3424 /* He's alive so give him credit */ 3425 stcb->asoc.overall_error_count = 0; 3426 3427 sctp_pegs[SCTP_HB_ACK_RECV]++; 3428 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3429 stcb, *netp); 3430 break; 3431 case SCTP_ABORT_ASSOCIATION: 3432 #ifdef SCTP_DEBUG 3433 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3434 kprintf("SCTP_ABORT\n"); 3435 } 3436 #endif /* SCTP_DEBUG */ 3437 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3438 stcb, *netp); 3439 *offset = length; 3440 return (NULL); 3441 break; 3442 case SCTP_SHUTDOWN: 3443 #ifdef SCTP_DEBUG 3444 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3445 kprintf("SCTP_SHUTDOWN\n"); 3446 } 3447 #endif /* SCTP_DEBUG */ 3448 { 3449 int abort_flag = 0; 3450 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3451 stcb, *netp, &abort_flag); 3452 if (abort_flag) { 3453 *offset = length; 3454 return (NULL); 3455 } 3456 } 3457 break; 3458 case SCTP_SHUTDOWN_ACK: 3459 #ifdef SCTP_DEBUG 3460 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3461 kprintf("SCTP_SHUTDOWN-ACK\n"); 3462 } 3463 #endif /* SCTP_DEBUG */ 3464 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3465 *offset = length; 3466 return (NULL); 3467 break; 3468 case SCTP_OPERATION_ERROR: 3469 #ifdef SCTP_DEBUG 3470 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3471 kprintf("SCTP_OP-ERR\n"); 3472 } 3473 #endif /* SCTP_DEBUG */ 3474 if (sctp_handle_error(ch, stcb, *netp) < 0) { 3475 *offset = length; 3476 return (NULL); 3477 } 3478 break; 3479 case SCTP_COOKIE_ECHO: 3480 #ifdef SCTP_DEBUG 3481 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3482 kprintf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3483 } 3484 #endif /* SCTP_DEBUG */ 3485 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3486 /* We are not interested anymore */ 3487 *offset = length; 3488 if (stcb) { 3489 sctp_free_assoc(inp, stcb); 3490 } else { 3491 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3492 /* finish the job now */ 3493 sctp_inpcb_free(inp, 1); 3494 } 3495 } 3496 return (NULL); 3497 } 3498 /* 3499 * First are we accepting? 3500 * We do this again here since it is possible 3501 * that a previous endpoint WAS listening responded to 3502 * a INIT-ACK and then closed. We opened and bound.. 3503 * and are now no longer listening. 3504 */ 3505 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 3506 (inp->sctp_socket->so_qlimit == 0)) { 3507 sctp_abort_association(inp, stcb, m, iphlen, sh, 3508 NULL); 3509 *offset = length; 3510 return (NULL); 3511 } else if (inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) { 3512 /* we are accepting so check limits like TCP */ 3513 if (inp->sctp_socket->so_qlen > 3514 inp->sctp_socket->so_qlimit) { 3515 /* no space */ 3516 struct mbuf *oper; 3517 struct sctp_paramhdr *phdr; 3518 oper = NULL; 3519 MGETHDR(oper, MB_DONTWAIT, MT_HEADER); 3520 if (oper) { 3521 oper->m_len = 3522 oper->m_pkthdr.len = 3523 sizeof(struct sctp_paramhdr); 3524 phdr = mtod(oper, 3525 struct sctp_paramhdr *); 3526 phdr->param_type = 3527 htons(SCTP_CAUSE_OUT_OF_RESC); 3528 phdr->param_length = 3529 htons(sizeof(struct sctp_paramhdr)); 3530 } 3531 sctp_abort_association(inp, stcb, m, 3532 iphlen, sh, oper); 3533 *offset = length; 3534 return (NULL); 3535 } 3536 } 3537 { 3538 struct mbuf *ret_buf; 3539 ret_buf = sctp_handle_cookie_echo(m, iphlen, 3540 *offset, sh, 3541 (struct sctp_cookie_echo_chunk *)ch, &inp, 3542 &stcb, netp); 3543 #ifdef SCTP_DEBUG 3544 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3545 kprintf("ret_buf:%p length:%d off:%d\n", 3546 ret_buf, length, *offset); 3547 } 3548 #endif /* SCTP_DEBUG */ 3549 3550 if (ret_buf == NULL) { 3551 if (locked_tcb) { 3552 SCTP_TCB_UNLOCK(locked_tcb); 3553 } 3554 #ifdef SCTP_DEBUG 3555 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3556 kprintf("GAK, null buffer\n"); 3557 } 3558 #endif /* SCTP_DEBUG */ 3559 *offset = length; 3560 return (NULL); 3561 } 3562 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 3563 /* 3564 * Restart the timer if we have pending 3565 * data 3566 */ 3567 struct sctp_tmit_chunk *chk; 3568 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 3569 if (chk) { 3570 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 3571 stcb->sctp_ep, stcb, 3572 chk->whoTo); 3573 } 3574 } 3575 } 3576 break; 3577 case SCTP_COOKIE_ACK: 3578 #ifdef SCTP_DEBUG 3579 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3580 kprintf("SCTP_COOKIE-ACK\n"); 3581 } 3582 #endif /* SCTP_DEBUG */ 3583 3584 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3585 /* We are not interested anymore */ 3586 sctp_free_assoc(inp, stcb); 3587 *offset = length; 3588 return (NULL); 3589 } 3590 /* He's alive so give him credit */ 3591 stcb->asoc.overall_error_count = 0; 3592 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, 3593 stcb, *netp); 3594 break; 3595 case SCTP_ECN_ECHO: 3596 #ifdef SCTP_DEBUG 3597 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3598 kprintf("SCTP_ECN-ECHO\n"); 3599 } 3600 #endif /* SCTP_DEBUG */ 3601 /* He's alive so give him credit */ 3602 stcb->asoc.overall_error_count = 0; 3603 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 3604 stcb); 3605 break; 3606 case SCTP_ECN_CWR: 3607 #ifdef SCTP_DEBUG 3608 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3609 kprintf("SCTP_ECN-CWR\n"); 3610 } 3611 #endif /* SCTP_DEBUG */ 3612 /* He's alive so give him credit */ 3613 stcb->asoc.overall_error_count = 0; 3614 3615 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 3616 break; 3617 case SCTP_SHUTDOWN_COMPLETE: 3618 #ifdef SCTP_DEBUG 3619 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3620 kprintf("SCTP_SHUTDOWN-COMPLETE\n"); 3621 } 3622 #endif /* SCTP_DEBUG */ 3623 /* must be first and only chunk */ 3624 if ((num_chunks > 1) || 3625 (length - *offset > SCTP_SIZE32(chk_length))) { 3626 *offset = length; 3627 if (locked_tcb) 3628 SCTP_TCB_UNLOCK(locked_tcb); 3629 3630 return (NULL); 3631 } 3632 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 3633 stcb, *netp); 3634 *offset = length; 3635 return (NULL); 3636 break; 3637 case SCTP_ASCONF: 3638 #ifdef SCTP_DEBUG 3639 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3640 kprintf("SCTP_ASCONF\n"); 3641 } 3642 #endif /* SCTP_DEBUG */ 3643 /* He's alive so give him credit */ 3644 stcb->asoc.overall_error_count = 0; 3645 3646 sctp_handle_asconf(m, *offset, 3647 (struct sctp_asconf_chunk *)ch, stcb, *netp); 3648 break; 3649 case SCTP_ASCONF_ACK: 3650 #ifdef SCTP_DEBUG 3651 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3652 kprintf("SCTP_ASCONF-ACK\n"); 3653 } 3654 #endif /* SCTP_DEBUG */ 3655 /* He's alive so give him credit */ 3656 stcb->asoc.overall_error_count = 0; 3657 3658 sctp_handle_asconf_ack(m, *offset, 3659 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 3660 break; 3661 case SCTP_FORWARD_CUM_TSN: 3662 #ifdef SCTP_DEBUG 3663 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3664 kprintf("SCTP_FWD-TSN\n"); 3665 } 3666 #endif /* SCTP_DEBUG */ 3667 /* He's alive so give him credit */ 3668 { 3669 int abort_flag = 0; 3670 stcb->asoc.overall_error_count = 0; 3671 *fwd_tsn_seen = 1; 3672 sctp_handle_forward_tsn(stcb, 3673 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 3674 if (abort_flag) { 3675 *offset = length; 3676 return (NULL); 3677 } else { 3678 stcb->asoc.overall_error_count = 0; 3679 } 3680 3681 } 3682 break; 3683 case SCTP_STREAM_RESET: 3684 #ifdef SCTP_DEBUG 3685 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3686 kprintf("SCTP_STREAM_RESET\n"); 3687 } 3688 #endif /* SCTP_DEBUG */ 3689 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3690 chk_length, chunk_buf); 3691 if (stcb->asoc.peer_supports_strreset == 0) { 3692 /* hmm, peer should have annonced this, but 3693 * we will turn it on since he is sending us 3694 * a stream reset. 3695 */ 3696 stcb->asoc.peer_supports_strreset = 1; 3697 } 3698 sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_req *)ch); 3699 break; 3700 case SCTP_PACKET_DROPPED: 3701 #ifdef SCTP_DEBUG 3702 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3703 kprintf("SCTP_PACKET_DROPPED\n"); 3704 } 3705 #endif /* SCTP_DEBUG */ 3706 /* re-get it all please */ 3707 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3708 chk_length, chunk_buf); 3709 3710 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 3711 stcb, *netp); 3712 3713 3714 break; 3715 default: 3716 /* it's an unknown chunk! */ 3717 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 3718 struct mbuf *mm; 3719 struct sctp_paramhdr *phd; 3720 MGETHDR(mm, MB_DONTWAIT, MT_HEADER); 3721 if (mm) { 3722 phd = mtod(mm, struct sctp_paramhdr *); 3723 /* We cheat and use param type since we 3724 * did not bother to define a error 3725 * cause struct. 3726 * They are the same basic format with 3727 * different names. 3728 */ 3729 phd->param_type = 3730 htons(SCTP_CAUSE_UNRECOG_CHUNK); 3731 phd->param_length = 3732 htons(chk_length + sizeof(*phd)); 3733 mm->m_len = sizeof(*phd); 3734 mm->m_next = sctp_m_copym(m, *offset, 3735 SCTP_SIZE32(chk_length), 3736 MB_DONTWAIT); 3737 if (mm->m_next) { 3738 mm->m_pkthdr.len = 3739 SCTP_SIZE32(chk_length) + 3740 sizeof(*phd); 3741 sctp_queue_op_err(stcb, mm); 3742 } else { 3743 sctp_m_freem(mm); 3744 #ifdef SCTP_DEBUG 3745 if (sctp_debug_on & 3746 SCTP_DEBUG_INPUT1) { 3747 kprintf("Gak can't copy the chunk into operr %d bytes\n", 3748 chk_length); 3749 } 3750 #endif 3751 } 3752 } 3753 #ifdef SCTP_DEBUG 3754 else { 3755 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3756 kprintf("Gak can't mgethdr for op-err of unrec chunk\n"); 3757 } 3758 } 3759 #endif 3760 } 3761 if ((ch->chunk_type & 0x80) == 0) { 3762 /* discard this packet */ 3763 *offset = length; 3764 return (stcb); 3765 } /* else skip this bad chunk and continue... */ 3766 break; 3767 } /* switch (ch->chunk_type) */ 3768 /* get the next chunk */ 3769 *offset += SCTP_SIZE32(chk_length); 3770 if (*offset >= length) { 3771 /* no more data left in the mbuf chain */ 3772 break; 3773 } 3774 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3775 sizeof(struct sctp_chunkhdr), chunk_buf); 3776 if (ch == NULL) { 3777 if (locked_tcb) 3778 SCTP_TCB_UNLOCK(locked_tcb); 3779 *offset = length; 3780 return (NULL); 3781 } 3782 } /* while */ 3783 return (stcb); 3784 } 3785 3786 3787 /* 3788 * Process the ECN bits we have something set so 3789 * we must look to see if it is ECN(0) or ECN(1) or CE 3790 */ 3791 static void 3792 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 3793 u_int8_t ecn_bits) 3794 { 3795 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3796 ; 3797 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 3798 /* 3799 * we only add to the nonce sum for ECT1, ECT0 3800 * does not change the NS bit (that we have 3801 * yet to find a way to send it yet). 3802 */ 3803 3804 /* ECN Nonce stuff */ 3805 stcb->asoc.receiver_nonce_sum++; 3806 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 3807 3808 /* 3809 * Drag up the last_echo point if cumack is larger since we 3810 * don't want the point falling way behind by more than 2^^31 3811 * and then having it be incorrect. 3812 */ 3813 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3814 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3815 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3816 } 3817 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 3818 /* 3819 * Drag up the last_echo point if cumack is larger since we 3820 * don't want the point falling way behind by more than 2^^31 3821 * and then having it be incorrect. 3822 */ 3823 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3824 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3825 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3826 } 3827 } 3828 } 3829 3830 static void 3831 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 3832 u_int32_t high_tsn, u_int8_t ecn_bits) 3833 { 3834 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3835 /* 3836 * we possibly must notify the sender that a congestion 3837 * window reduction is in order. We do this 3838 * by adding a ECNE chunk to the output chunk 3839 * queue. The incoming CWR will remove this chunk. 3840 */ 3841 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 3842 MAX_TSN)) { 3843 /* Yep, we need to add a ECNE */ 3844 sctp_send_ecn_echo(stcb, net, high_tsn); 3845 stcb->asoc.last_echo_tsn = high_tsn; 3846 } 3847 } 3848 } 3849 3850 /* 3851 * common input chunk processing (v4 and v6) 3852 */ 3853 int 3854 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 3855 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 3856 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 3857 u_int8_t ecn_bits) 3858 { 3859 /* 3860 * Control chunk processing 3861 */ 3862 u_int32_t high_tsn; 3863 int fwd_tsn_seen = 0, data_processed = 0; 3864 struct mbuf *m = *mm; 3865 int abort_flag = 0; 3866 3867 sctp_pegs[SCTP_DATAGRAMS_RCVD]++; 3868 #ifdef SCTP_AUDITING_ENABLED 3869 sctp_audit_log(0xE0, 1); 3870 sctp_auditing(0, inp, stcb, net); 3871 #endif 3872 3873 #ifdef SCTP_DEBUG 3874 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3875 kprintf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 3876 m, iphlen, offset); 3877 } 3878 #endif /* SCTP_DEBUG */ 3879 if (IS_SCTP_CONTROL(ch)) { 3880 /* process the control portion of the SCTP packet */ 3881 #ifdef SCTP_DEBUG 3882 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3883 kprintf("Processing control\n"); 3884 } 3885 #endif /* SCTP_DEBUG */ 3886 3887 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 3888 inp, stcb, &net, &fwd_tsn_seen); 3889 } else { 3890 /* 3891 * no control chunks, so pre-process DATA chunks 3892 * (these checks are taken care of by control processing) 3893 */ 3894 #ifdef SCTP_DEBUG 3895 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3896 kprintf("No control present\n"); 3897 } 3898 #endif /* SCTP_DEBUG */ 3899 3900 if (stcb == NULL) { 3901 /* out of the blue DATA chunk */ 3902 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3903 return (1); 3904 } 3905 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 3906 /* v_tag mismatch! */ 3907 sctp_pegs[SCTP_BAD_VTAGS]++; 3908 SCTP_TCB_UNLOCK(stcb); 3909 return (1); 3910 } 3911 } 3912 if (stcb == NULL) { 3913 /* 3914 * no valid TCB for this packet, 3915 * or we found it's a bad packet while processing control, 3916 * or we're done with this packet (done or skip rest of data), 3917 * so we drop it... 3918 */ 3919 return (1); 3920 } 3921 #ifdef SCTP_DEBUG 3922 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3923 kprintf("Ok, control finished time to look for data (%d) offset:%d\n", 3924 length, offset); 3925 } 3926 #endif /* SCTP_DEBUG */ 3927 /* 3928 * DATA chunk processing 3929 */ 3930 /* plow through the data chunks while length > offset */ 3931 stcb->asoc.seen_a_sack_this_pkt = 0; 3932 3933 if (length > offset) { 3934 int retval; 3935 /* 3936 * First check to make sure our state is correct. 3937 * We would not get here unless we really did have a 3938 * tag, so we don't abort if this happens, just 3939 * dump the chunk silently. 3940 */ 3941 switch (SCTP_GET_STATE(&stcb->asoc)) { 3942 case SCTP_STATE_COOKIE_ECHOED: 3943 /* 3944 * we consider data with valid tags in 3945 * this state shows us the cookie-ack was lost. 3946 * Imply it was there. 3947 */ 3948 stcb->asoc.overall_error_count = 0; 3949 sctp_handle_cookie_ack( 3950 (struct sctp_cookie_ack_chunk *)ch, stcb, net); 3951 break; 3952 case SCTP_STATE_COOKIE_WAIT: 3953 /* 3954 * We consider OOTB any data sent during asoc setup. 3955 */ 3956 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3957 SCTP_TCB_UNLOCK(stcb); 3958 return (1); 3959 break; 3960 case SCTP_STATE_EMPTY: /* should not happen */ 3961 case SCTP_STATE_INUSE: /* should not happen */ 3962 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 3963 case SCTP_STATE_SHUTDOWN_ACK_SENT: 3964 default: 3965 #ifdef SCTP_DEBUG 3966 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3967 kprintf("Got data in invalid state %d.. dropping\n", stcb->asoc.state); 3968 } 3969 #endif 3970 SCTP_TCB_UNLOCK(stcb); 3971 return (1); 3972 break; 3973 case SCTP_STATE_OPEN: 3974 case SCTP_STATE_SHUTDOWN_SENT: 3975 break; 3976 } 3977 /* take care of ECN, part 1. */ 3978 if (stcb->asoc.ecn_allowed && 3979 (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3980 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 3981 } 3982 /* plow through the data chunks while length > offset */ 3983 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 3984 inp, stcb, net, &high_tsn); 3985 if (retval == 2) { 3986 /* The association aborted, NO UNLOCK needed 3987 * since the association is destroyed. 3988 */ 3989 return (0); 3990 } 3991 3992 data_processed = 1; 3993 if (retval == 0) { 3994 /* take care of ecn part 2. */ 3995 if (stcb->asoc.ecn_allowed && (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3996 sctp_process_ecn_marked_b(stcb, net, high_tsn, ecn_bits); 3997 3998 } 3999 } 4000 4001 /* 4002 * Anything important needs to have been m_copy'ed in 4003 * process_data 4004 */ 4005 } 4006 if ((data_processed == 0) && (fwd_tsn_seen)) { 4007 int was_a_gap = 0; 4008 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4009 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4010 /* there was a gap before this data was processed */ 4011 was_a_gap = 1; 4012 } 4013 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4014 if (abort_flag) { 4015 /* Again, we aborted so NO UNLOCK needed */ 4016 return (0); 4017 } 4018 } 4019 /* trigger send of any chunks in queue... */ 4020 #ifdef SCTP_AUDITING_ENABLED 4021 sctp_audit_log(0xE0, 2); 4022 sctp_auditing(1, inp, stcb, net); 4023 #endif 4024 #ifdef SCTP_DEBUG 4025 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4026 kprintf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4027 stcb->asoc.peers_rwnd, 4028 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4029 stcb->asoc.total_flight); 4030 } 4031 #endif 4032 if (stcb->asoc.peers_rwnd > 0 || 4033 !TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4034 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)) { 4035 #ifdef SCTP_DEBUG 4036 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4037 kprintf("Calling chunk OUTPUT\n"); 4038 } 4039 #endif 4040 sctp_chunk_output(inp, stcb, 3); 4041 #ifdef SCTP_DEBUG 4042 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4043 kprintf("chunk OUTPUT returns\n"); 4044 } 4045 #endif 4046 } 4047 4048 #ifdef SCTP_AUDITING_ENABLED 4049 sctp_audit_log(0xE0, 3); 4050 sctp_auditing(2, inp, stcb, net); 4051 #endif 4052 SCTP_TCB_UNLOCK(stcb); 4053 return (0); 4054 } 4055 4056 #if defined(__OpenBSD__) 4057 static void 4058 sctp_saveopt(struct sctp_inpcb *inp, struct mbuf **mp, struct ip *ip, 4059 struct mbuf *m) 4060 { 4061 if (inp->ip_inp.inp.inp_flags & INP_RECVDSTADDR) { 4062 *mp = sbcreatecontrol((caddr_t) &ip->ip_dst, 4063 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP); 4064 if (*mp) 4065 mp = &(*mp)->m_next; 4066 } 4067 } 4068 #endif 4069 4070 extern int sctp_no_csum_on_loopback; 4071 4072 int 4073 sctp_input(struct mbuf **mp, int *offp, int proto) 4074 { 4075 int iphlen; 4076 struct mbuf *m = *mp; 4077 u_int8_t ecn_bits; 4078 struct ip *ip; 4079 struct sctphdr *sh; 4080 struct sctp_inpcb *inp = NULL; 4081 struct mbuf *opts = NULL; 4082 /*#ifdef INET6*/ 4083 /* Don't think this is needed */ 4084 /* struct ip6_recvpktopts opts6;*/ 4085 /*#endif INET6 */ 4086 4087 u_int32_t check, calc_check; 4088 struct sctp_nets *net; 4089 struct sctp_tcb *stcb = NULL; 4090 struct sctp_chunkhdr *ch; 4091 int refcount_up = 0; 4092 int length, mlen, offset; 4093 #if defined(__OpenBSD__) && defined(IPSEC) 4094 struct inpcb *i_inp; 4095 struct m_tag *mtag; 4096 struct tdb_ident *tdbi; 4097 struct tdb *tdb; 4098 int error; 4099 #endif 4100 4101 iphlen = *offp; 4102 net = NULL; 4103 sctp_pegs[SCTP_INPKTS]++; 4104 #ifdef SCTP_DEBUG 4105 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4106 kprintf("V4 input gets a packet iphlen:%d pktlen:%d\n", iphlen, m->m_pkthdr.len); 4107 } 4108 #endif 4109 /*#ifdef INET6*/ 4110 /* Don't think this is needed */ 4111 /* bzero(&opts6, sizeof(opts6));*/ 4112 /*#endif INET6 */ 4113 4114 /* 4115 * Strip IP options, we don't allow any in or out. 4116 */ 4117 if ((size_t)iphlen > sizeof(struct ip)) { 4118 ip_stripoptions(m); 4119 iphlen = sizeof(struct ip); 4120 } 4121 4122 /* 4123 * Get IP, SCTP, and first chunk header together in first mbuf. 4124 */ 4125 ip = mtod(m, struct ip *); 4126 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4127 if (m->m_len < offset) { 4128 if ((m = m_pullup(m, offset)) == NULL) { 4129 sctp_pegs[SCTP_HDR_DROPS]++; 4130 return(IPPROTO_DONE); 4131 } 4132 ip = mtod(m, struct ip *); 4133 } 4134 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4135 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4136 4137 /* SCTP does not allow broadcasts or multicasts */ 4138 #if defined(__NetBSD__) || defined(__OpenBSD__) 4139 if (IN_MULTICAST(ip->ip_dst.s_addr)) 4140 #else 4141 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) 4142 #endif 4143 { 4144 sctp_pegs[SCTP_IN_MCAST]++; 4145 goto bad; 4146 } 4147 if (in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)) { 4148 sctp_pegs[SCTP_IN_MCAST]++; 4149 goto bad; 4150 } 4151 4152 /* destination port of 0 is illegal, based on RFC2960. */ 4153 if (sh->dest_port == 0) { 4154 sctp_pegs[SCTP_HDR_DROPS]++; 4155 goto bad; 4156 } 4157 4158 /* validate SCTP checksum */ 4159 if ((sctp_no_csum_on_loopback == 0) || 4160 (m->m_pkthdr.rcvif == NULL) || 4161 (m->m_pkthdr.rcvif->if_type != IFT_LOOP)) { 4162 /* we do NOT validate things from the loopback if the 4163 * sysctl is set to 1. 4164 */ 4165 check = sh->checksum; /* save incoming checksum */ 4166 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4167 /* special hook for where we got a local address 4168 * somehow routed across a non IFT_LOOP type interface 4169 */ 4170 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4171 goto sctp_skip_csum_4; 4172 } 4173 sh->checksum = 0; /* prepare for calc */ 4174 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4175 if (calc_check != check) { 4176 #ifdef SCTP_DEBUG 4177 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4178 kprintf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4179 calc_check, check, m, mlen, iphlen); 4180 } 4181 #endif 4182 4183 stcb = sctp_findassociation_addr(m, iphlen, 4184 offset - sizeof(*ch), 4185 sh, ch, &inp, &net); 4186 if ((inp) && (stcb)) { 4187 sctp_send_packet_dropped(stcb, net, m, iphlen, 4188 1); 4189 sctp_chunk_output(inp, stcb, 2); 4190 } else if ((inp != NULL) && (stcb == NULL)) { 4191 refcount_up = 1; 4192 } 4193 sctp_pegs[SCTP_BAD_CSUM]++; 4194 goto bad; 4195 } 4196 sh->checksum = calc_check; 4197 } else { 4198 sctp_skip_csum_4: 4199 mlen = m->m_pkthdr.len; 4200 } 4201 /* validate mbuf chain length with IP payload length */ 4202 #if defined(__NetBSD__) || defined(__OpenBSD__) 4203 /* Open BSD gives us the len in network order, fix it */ 4204 NTOHS(ip->ip_len); 4205 #endif 4206 if (mlen < (ip->ip_len - iphlen)) { 4207 sctp_pegs[SCTP_HDR_DROPS]++; 4208 goto bad; 4209 } 4210 4211 /* 4212 * Locate pcb and tcb for datagram 4213 * sctp_findassociation_addr() wants IP/SCTP/first chunk header... 4214 */ 4215 #ifdef SCTP_DEBUG 4216 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4217 kprintf("V4 find association\n"); 4218 } 4219 #endif 4220 4221 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4222 sh, ch, &inp, &net); 4223 /* inp's ref-count increased && stcb locked */ 4224 if (inp == NULL) { 4225 struct sctp_init_chunk *init_chk, chunk_buf; 4226 4227 sctp_pegs[SCTP_NOPORTS]++; 4228 #ifdef ICMP_BANDLIM 4229 /* 4230 * we use the bandwidth limiting to protect against 4231 * sending too many ABORTS all at once. In this case 4232 * these count the same as an ICMP message. 4233 */ 4234 if (badport_bandlim(0) < 0) 4235 goto bad; 4236 #endif /* ICMP_BANDLIM */ 4237 #ifdef SCTP_DEBUG 4238 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4239 kprintf("Sending a ABORT from packet entry!\n"); 4240 } 4241 #endif 4242 if (ch->chunk_type == SCTP_INITIATION) { 4243 /* we do a trick here to get the INIT tag, 4244 * dig in and get the tag from the INIT and 4245 * put it in the common header. 4246 */ 4247 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4248 iphlen + sizeof(*sh), sizeof(*init_chk), 4249 (u_int8_t *)&chunk_buf); 4250 if (init_chk != NULL) 4251 sh->v_tag = init_chk->init.initiate_tag; 4252 } 4253 sctp_send_abort(m, iphlen, sh, 0, NULL); 4254 goto bad; 4255 } else if (stcb == NULL) { 4256 refcount_up = 1; 4257 } 4258 #ifdef IPSEC 4259 /* 4260 * I very much doubt any of the IPSEC stuff will work but I have 4261 * no idea, so I will leave it in place. 4262 */ 4263 4264 #ifdef __OpenBSD__ 4265 /* FIX ME: this don't work... :) */ 4266 { 4267 /* Find most recent IPsec tag */ 4268 i_inp = &inp->ip_inp.inp; 4269 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 4270 s = splnet(); 4271 if (mtag != NULL) { 4272 tdbi = (struct tdb_ident *)(mtag + 1); 4273 tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto); 4274 } else 4275 tdb = NULL; 4276 ipsp_spd_lookup(m, af, iphlen, &error, IPSP_DIRECTION_IN, 4277 tdb, i_inp); 4278 if (error) { 4279 splx(s); 4280 sctp_pegs[SCTP_HDR_DROPS]++; 4281 goto bad; 4282 } 4283 4284 /* Latch SA */ 4285 if (i_inp->inp_tdb_in != tdb) { 4286 if (tdb) { 4287 tdb_add_inp(tdb, i_inp, 1); 4288 if (i_inp->inp_ipo == NULL) { 4289 i_inp->inp_ipo = ipsec_add_policy(i_inp, af, 4290 IPSP_DIRECTION_OUT); 4291 if (i_inp->inp_ipo == NULL) { 4292 splx(s); 4293 sctp_pegs[SCTP_HDR_DROPS]++; 4294 goto bad; 4295 } 4296 } 4297 if (i_inp->inp_ipo->ipo_dstid == NULL && 4298 tdb->tdb_srcid != NULL) { 4299 i_inp->inp_ipo->ipo_dstid = tdb->tdb_srcid; 4300 tdb->tdb_srcid->ref_count++; 4301 } 4302 if (i_inp->inp_ipsec_remotecred == NULL && 4303 tdb->tdb_remote_cred != NULL) { 4304 i_inp->inp_ipsec_remotecred = 4305 tdb->tdb_remote_cred; 4306 tdb->tdb_remote_cred->ref_count++; 4307 } 4308 if (i_inp->inp_ipsec_remoteauth == NULL && 4309 tdb->tdb_remote_auth != NULL) { 4310 i_inp->inp_ipsec_remoteauth = 4311 tdb->tdb_remote_auth; 4312 tdb->tdb_remote_auth->ref_count++; 4313 } 4314 } else { /* Just reset */ 4315 TAILQ_REMOVE(&i_inp->inp_tdb_in->tdb_inp_in, i_inp, 4316 inp_tdb_in_next); 4317 i_inp->inp_tdb_in = NULL; 4318 } 4319 } 4320 splx(s); 4321 } 4322 #else 4323 if (ipsec4_in_reject_so(m, inp->ip_inp.inp.inp_socket)) { 4324 ipsecstat.in_polvio++; 4325 sctp_pegs[SCTP_HDR_DROPS]++; 4326 goto bad; 4327 } 4328 #endif 4329 #endif /* IPSEC */ 4330 4331 /* 4332 * Construct sockaddr format source address. 4333 * Stuff source address and datagram in user buffer. 4334 */ 4335 if ((inp->ip_inp.inp.inp_flags & INP_CONTROLOPTS) 4336 #ifndef __OpenBSD__ 4337 || (inp->sctp_socket->so_options & SO_TIMESTAMP) 4338 #endif 4339 ) { 4340 #ifdef __OpenBSD__ 4341 sctp_saveopt(inp, &opts, ip, m); 4342 #else 4343 ip_savecontrol((struct inpcb *)inp, &opts, ip, m); 4344 #endif 4345 } 4346 4347 /* 4348 * common chunk processing 4349 */ 4350 #if defined(__FreeBSD__) || defined(__APPLE__) || defined(__DragonFly__) 4351 length = ip->ip_len + iphlen; 4352 #else 4353 length = ip->ip_len - (ip->ip_hl << 2) + iphlen; 4354 #endif 4355 offset -= sizeof(struct sctp_chunkhdr); 4356 4357 ecn_bits = ip->ip_tos; 4358 crit_enter(); 4359 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4360 inp, stcb, net, ecn_bits); 4361 /* inp's ref-count reduced && stcb unlocked */ 4362 crit_exit(); 4363 if (m) { 4364 sctp_m_freem(m); 4365 } 4366 if (opts) 4367 sctp_m_freem(opts); 4368 4369 if ((inp) && (refcount_up)) { 4370 /* reduce ref-count */ 4371 SCTP_INP_WLOCK(inp); 4372 SCTP_INP_DECR_REF(inp); 4373 SCTP_INP_WUNLOCK(inp); 4374 } 4375 4376 return(IPPROTO_DONE); 4377 bad: 4378 if (stcb) 4379 SCTP_TCB_UNLOCK(stcb); 4380 4381 if ((inp) && (refcount_up)) { 4382 /* reduce ref-count */ 4383 SCTP_INP_WLOCK(inp); 4384 SCTP_INP_DECR_REF(inp); 4385 SCTP_INP_WUNLOCK(inp); 4386 } 4387 4388 if (m) { 4389 sctp_m_freem(m); 4390 } 4391 if (opts) 4392 sctp_m_freem(opts); 4393 return(IPPROTO_DONE); 4394 }
Cache object: 72a38b8f8c14ce536b928e5eee06b017
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]