The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet/sctp_input.c

Version: -  FREEBSD  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-2  -  FREEBSD-11-1  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-4  -  FREEBSD-10-3  -  FREEBSD-10-2  -  FREEBSD-10-1  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-3  -  FREEBSD-9-2  -  FREEBSD-9-1  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-4  -  FREEBSD-8-3  -  FREEBSD-8-2  -  FREEBSD-8-1  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-4  -  FREEBSD-7-3  -  FREEBSD-7-2  -  FREEBSD-7-1  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-4  -  FREEBSD-6-3  -  FREEBSD-6-2  -  FREEBSD-6-1  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-5  -  FREEBSD-5-4  -  FREEBSD-5-3  -  FREEBSD-5-2  -  FREEBSD-5-1  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
    3  *
    4  * Redistribution and use in source and binary forms, with or without
    5  * modification, are permitted provided that the following conditions are met:
    6  *
    7  * a) Redistributions of source code must retain the above copyright notice,
    8  *   this list of conditions and the following disclaimer.
    9  *
   10  * b) Redistributions in binary form must reproduce the above copyright
   11  *    notice, this list of conditions and the following disclaimer in
   12  *   the documentation and/or other materials provided with the distribution.
   13  *
   14  * c) Neither the name of Cisco Systems, Inc. nor the names of its
   15  *    contributors may be used to endorse or promote products derived
   16  *    from this software without specific prior written permission.
   17  *
   18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
   20  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   21  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
   22  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
   23  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
   24  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
   25  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
   26  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   27  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
   28  * THE POSSIBILITY OF SUCH DAMAGE.
   29  */
   30 
   31 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $   */
   32 
   33 #include <sys/cdefs.h>
   34 __FBSDID("$FreeBSD$");
   35 
   36 #include <netinet/sctp_os.h>
   37 #include <netinet/sctp_var.h>
   38 #include <netinet/sctp_sysctl.h>
   39 #include <netinet/sctp_pcb.h>
   40 #include <netinet/sctp_header.h>
   41 #include <netinet/sctputil.h>
   42 #include <netinet/sctp_output.h>
   43 #include <netinet/sctp_input.h>
   44 #include <netinet/sctp_auth.h>
   45 #include <netinet/sctp_indata.h>
   46 #include <netinet/sctp_asconf.h>
   47 #include <netinet/sctp_bsd_addr.h>
   48 #include <netinet/sctp_timer.h>
   49 #include <netinet/udp.h>
   50 
   51 
   52 
   53 static void
   54 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb)
   55 {
   56         struct sctp_nets *net;
   57 
   58         /*
   59          * This now not only stops all cookie timers it also stops any INIT
   60          * timers as well. This will make sure that the timers are stopped
   61          * in all collision cases.
   62          */
   63         SCTP_TCB_LOCK_ASSERT(stcb);
   64         TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
   65                 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) {
   66                         sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
   67                             stcb->sctp_ep,
   68                             stcb,
   69                             net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1);
   70                 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) {
   71                         sctp_timer_stop(SCTP_TIMER_TYPE_INIT,
   72                             stcb->sctp_ep,
   73                             stcb,
   74                             net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2);
   75                 }
   76         }
   77 }
   78 
   79 /* INIT handler */
   80 static void
   81 sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh,
   82     struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
   83     struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, uint16_t port)
   84 {
   85         struct sctp_init *init;
   86         struct mbuf *op_err;
   87         uint32_t init_limit;
   88 
   89         SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n",
   90             stcb);
   91         if (stcb == NULL) {
   92                 SCTP_INP_RLOCK(inp);
   93                 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
   94                         goto outnow;
   95                 }
   96         }
   97         op_err = NULL;
   98         init = &cp->init;
   99         /* First are we accepting? */
  100         if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) {
  101                 SCTPDBG(SCTP_DEBUG_INPUT2,
  102                     "sctp_handle_init: Abort, so_qlimit:%d\n",
  103                     inp->sctp_socket->so_qlimit);
  104                 /*
  105                  * FIX ME ?? What about TCP model and we have a
  106                  * match/restart case? Actually no fix is needed. the lookup
  107                  * will always find the existing assoc so stcb would not be
  108                  * NULL. It may be questionable to do this since we COULD
  109                  * just send back the INIT-ACK and hope that the app did
  110                  * accept()'s by the time the COOKIE was sent. But there is
  111                  * a price to pay for COOKIE generation and I don't want to
  112                  * pay it on the chance that the app will actually do some
  113                  * accepts(). The App just looses and should NOT be in this
  114                  * state :-)
  115                  */
  116                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  117                     vrf_id, port);
  118                 if (stcb)
  119                         *abort_no_unlock = 1;
  120                 goto outnow;
  121         }
  122         if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) {
  123                 /* Invalid length */
  124                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  125                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  126                     vrf_id, port);
  127                 if (stcb)
  128                         *abort_no_unlock = 1;
  129                 goto outnow;
  130         }
  131         /* validate parameters */
  132         if (init->initiate_tag == 0) {
  133                 /* protocol error... send abort */
  134                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  135                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  136                     vrf_id, port);
  137                 if (stcb)
  138                         *abort_no_unlock = 1;
  139                 goto outnow;
  140         }
  141         if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) {
  142                 /* invalid parameter... send abort */
  143                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  144                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  145                     vrf_id, port);
  146                 if (stcb)
  147                         *abort_no_unlock = 1;
  148                 goto outnow;
  149         }
  150         if (init->num_inbound_streams == 0) {
  151                 /* protocol error... send abort */
  152                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  153                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  154                     vrf_id, port);
  155                 if (stcb)
  156                         *abort_no_unlock = 1;
  157                 goto outnow;
  158         }
  159         if (init->num_outbound_streams == 0) {
  160                 /* protocol error... send abort */
  161                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  162                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  163                     vrf_id, port);
  164                 if (stcb)
  165                         *abort_no_unlock = 1;
  166                 goto outnow;
  167         }
  168         init_limit = offset + ntohs(cp->ch.chunk_length);
  169         if (sctp_validate_init_auth_params(m, offset + sizeof(*cp),
  170             init_limit)) {
  171                 /* auth parameter(s) error... send abort */
  172                 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id, port);
  173                 if (stcb)
  174                         *abort_no_unlock = 1;
  175                 goto outnow;
  176         }
  177         /* send an INIT-ACK w/cookie */
  178         SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n");
  179         sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id, port,
  180             ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED));
  181 outnow:
  182         if (stcb == NULL) {
  183                 SCTP_INP_RUNLOCK(inp);
  184         }
  185 }
  186 
  187 /*
  188  * process peer "INIT/INIT-ACK" chunk returns value < 0 on error
  189  */
  190 
  191 int
  192 sctp_is_there_unsent_data(struct sctp_tcb *stcb)
  193 {
  194         int unsent_data = 0;
  195         struct sctp_stream_queue_pending *sp;
  196         struct sctp_stream_out *strq;
  197         struct sctp_association *asoc;
  198 
  199         /*
  200          * This function returns the number of streams that have true unsent
  201          * data on them. Note that as it looks through it will clean up any
  202          * places that have old data that has been sent but left at top of
  203          * stream queue.
  204          */
  205         asoc = &stcb->asoc;
  206         SCTP_TCB_SEND_LOCK(stcb);
  207         if (!TAILQ_EMPTY(&asoc->out_wheel)) {
  208                 /* Check to see if some data queued */
  209                 TAILQ_FOREACH(strq, &asoc->out_wheel, next_spoke) {
  210         is_there_another:
  211                         /* sa_ignore FREED_MEMORY */
  212                         sp = TAILQ_FIRST(&strq->outqueue);
  213                         if (sp == NULL) {
  214                                 continue;
  215                         }
  216                         if ((sp->msg_is_complete) &&
  217                             (sp->length == 0) &&
  218                             (sp->sender_all_done)) {
  219                                 /*
  220                                  * We are doing differed cleanup. Last time
  221                                  * through when we took all the data the
  222                                  * sender_all_done was not set.
  223                                  */
  224                                 if (sp->put_last_out == 0) {
  225                                         SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
  226                                         SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
  227                                             sp->sender_all_done,
  228                                             sp->length,
  229                                             sp->msg_is_complete,
  230                                             sp->put_last_out);
  231                                 }
  232                                 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
  233                                 TAILQ_REMOVE(&strq->outqueue, sp, next);
  234                                 sctp_free_remote_addr(sp->net);
  235                                 if (sp->data) {
  236                                         sctp_m_freem(sp->data);
  237                                         sp->data = NULL;
  238                                 }
  239                                 sctp_free_a_strmoq(stcb, sp);
  240                                 goto is_there_another;
  241                         } else {
  242                                 unsent_data++;
  243                                 continue;
  244                         }
  245                 }
  246         }
  247         SCTP_TCB_SEND_UNLOCK(stcb);
  248         return (unsent_data);
  249 }
  250 
  251 static int
  252 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb,
  253     struct sctp_nets *net)
  254 {
  255         struct sctp_init *init;
  256         struct sctp_association *asoc;
  257         struct sctp_nets *lnet;
  258         unsigned int i;
  259 
  260         init = &cp->init;
  261         asoc = &stcb->asoc;
  262         /* save off parameters */
  263         asoc->peer_vtag = ntohl(init->initiate_tag);
  264         asoc->peers_rwnd = ntohl(init->a_rwnd);
  265         if (TAILQ_FIRST(&asoc->nets)) {
  266                 /* update any ssthresh's that may have a default */
  267                 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
  268                         lnet->ssthresh = asoc->peers_rwnd;
  269 
  270                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) {
  271                                 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION);
  272                         }
  273                 }
  274         }
  275         SCTP_TCB_SEND_LOCK(stcb);
  276         if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
  277                 unsigned int newcnt;
  278                 struct sctp_stream_out *outs;
  279                 struct sctp_stream_queue_pending *sp;
  280 
  281                 /* cut back on number of streams */
  282                 newcnt = ntohs(init->num_inbound_streams);
  283                 /* This if is probably not needed but I am cautious */
  284                 if (asoc->strmout) {
  285                         /* First make sure no data chunks are trapped */
  286                         for (i = newcnt; i < asoc->pre_open_streams; i++) {
  287                                 outs = &asoc->strmout[i];
  288                                 sp = TAILQ_FIRST(&outs->outqueue);
  289                                 while (sp) {
  290                                         TAILQ_REMOVE(&outs->outqueue, sp,
  291                                             next);
  292                                         asoc->stream_queue_cnt--;
  293                                         sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL,
  294                                             stcb, SCTP_NOTIFY_DATAGRAM_UNSENT,
  295                                             sp, SCTP_SO_NOT_LOCKED);
  296                                         if (sp->data) {
  297                                                 sctp_m_freem(sp->data);
  298                                                 sp->data = NULL;
  299                                         }
  300                                         sctp_free_remote_addr(sp->net);
  301                                         sp->net = NULL;
  302                                         /* Free the chunk */
  303                                         SCTP_PRINTF("sp:%p tcb:%p weird free case\n",
  304                                             sp, stcb);
  305 
  306                                         sctp_free_a_strmoq(stcb, sp);
  307                                         /* sa_ignore FREED_MEMORY */
  308                                         sp = TAILQ_FIRST(&outs->outqueue);
  309                                 }
  310                         }
  311                 }
  312                 /* cut back the count and abandon the upper streams */
  313                 asoc->pre_open_streams = newcnt;
  314         }
  315         SCTP_TCB_SEND_UNLOCK(stcb);
  316         asoc->streamoutcnt = asoc->pre_open_streams;
  317         /* init tsn's */
  318         asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
  319         /* EY - nr_sack: initialize highest tsn in nr_mapping_array */
  320         asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
  321         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
  322                 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
  323         }
  324         /* This is the next one we expect */
  325         asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
  326 
  327         asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
  328         /*
  329          * EY 05/13/08 - nr_sack: initialize nr_mapping array's base tsn
  330          * like above
  331          */
  332         asoc->nr_mapping_array_base_tsn = ntohl(init->initial_tsn);
  333         asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in;
  334         asoc->last_echo_tsn = asoc->asconf_seq_in;
  335         asoc->advanced_peer_ack_point = asoc->last_acked_seq;
  336         /* open the requested streams */
  337 
  338         if (asoc->strmin != NULL) {
  339                 /* Free the old ones */
  340                 struct sctp_queued_to_read *ctl;
  341 
  342                 for (i = 0; i < asoc->streamincnt; i++) {
  343                         ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
  344                         while (ctl) {
  345                                 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next);
  346                                 sctp_free_remote_addr(ctl->whoFrom);
  347                                 ctl->whoFrom = NULL;
  348                                 sctp_m_freem(ctl->data);
  349                                 ctl->data = NULL;
  350                                 sctp_free_a_readq(stcb, ctl);
  351                                 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
  352                         }
  353                 }
  354                 SCTP_FREE(asoc->strmin, SCTP_M_STRMI);
  355         }
  356         asoc->streamincnt = ntohs(init->num_outbound_streams);
  357         if (asoc->streamincnt > MAX_SCTP_STREAMS) {
  358                 asoc->streamincnt = MAX_SCTP_STREAMS;
  359         }
  360         SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt *
  361             sizeof(struct sctp_stream_in), SCTP_M_STRMI);
  362         if (asoc->strmin == NULL) {
  363                 /* we didn't get memory for the streams! */
  364                 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n");
  365                 return (-1);
  366         }
  367         for (i = 0; i < asoc->streamincnt; i++) {
  368                 asoc->strmin[i].stream_no = i;
  369                 asoc->strmin[i].last_sequence_delivered = 0xffff;
  370                 /*
  371                  * U-stream ranges will be set when the cookie is unpacked.
  372                  * Or for the INIT sender they are un set (if pr-sctp not
  373                  * supported) when the INIT-ACK arrives.
  374                  */
  375                 TAILQ_INIT(&asoc->strmin[i].inqueue);
  376                 asoc->strmin[i].delivery_started = 0;
  377         }
  378         /*
  379          * load_address_from_init will put the addresses into the
  380          * association when the COOKIE is processed or the INIT-ACK is
  381          * processed. Both types of COOKIE's existing and new call this
  382          * routine. It will remove addresses that are no longer in the
  383          * association (for the restarting case where addresses are
  384          * removed). Up front when the INIT arrives we will discard it if it
  385          * is a restart and new addresses have been added.
  386          */
  387         /* sa_ignore MEMLEAK */
  388         return (0);
  389 }
  390 
  391 /*
  392  * INIT-ACK message processing/consumption returns value < 0 on error
  393  */
  394 static int
  395 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
  396     struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
  397     struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id)
  398 {
  399         struct sctp_association *asoc;
  400         struct mbuf *op_err;
  401         int retval, abort_flag;
  402         uint32_t initack_limit;
  403         int nat_friendly = 0;
  404 
  405         /* First verify that we have no illegal param's */
  406         abort_flag = 0;
  407         op_err = NULL;
  408 
  409         op_err = sctp_arethere_unrecognized_parameters(m,
  410             (offset + sizeof(struct sctp_init_chunk)),
  411             &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly);
  412         if (abort_flag) {
  413                 /* Send an abort and notify peer */
  414                 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err, SCTP_SO_NOT_LOCKED);
  415                 *abort_no_unlock = 1;
  416                 return (-1);
  417         }
  418         asoc = &stcb->asoc;
  419         asoc->peer_supports_nat = (uint8_t) nat_friendly;
  420         /* process the peer's parameters in the INIT-ACK */
  421         retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net);
  422         if (retval < 0) {
  423                 return (retval);
  424         }
  425         initack_limit = offset + ntohs(cp->ch.chunk_length);
  426         /* load all addresses */
  427         if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen,
  428             (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh,
  429             NULL))) {
  430                 /* Huh, we should abort */
  431                 SCTPDBG(SCTP_DEBUG_INPUT1,
  432                     "Load addresses from INIT causes an abort %d\n",
  433                     retval);
  434                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
  435                     NULL, 0, net->port);
  436                 *abort_no_unlock = 1;
  437                 return (-1);
  438         }
  439         /* if the peer doesn't support asconf, flush the asconf queue */
  440         if (asoc->peer_supports_asconf == 0) {
  441                 struct sctp_asconf_addr *aparam;
  442 
  443                 while (!TAILQ_EMPTY(&asoc->asconf_queue)) {
  444                         /* sa_ignore FREED_MEMORY */
  445                         aparam = TAILQ_FIRST(&asoc->asconf_queue);
  446                         TAILQ_REMOVE(&asoc->asconf_queue, aparam, next);
  447                         SCTP_FREE(aparam, SCTP_M_ASC_ADDR);
  448                 }
  449         }
  450         stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs,
  451             stcb->asoc.local_hmacs);
  452         if (op_err) {
  453                 sctp_queue_op_err(stcb, op_err);
  454                 /* queuing will steal away the mbuf chain to the out queue */
  455                 op_err = NULL;
  456         }
  457         /* extract the cookie and queue it to "echo" it back... */
  458         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
  459                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
  460                     stcb->asoc.overall_error_count,
  461                     0,
  462                     SCTP_FROM_SCTP_INPUT,
  463                     __LINE__);
  464         }
  465         stcb->asoc.overall_error_count = 0;
  466         net->error_count = 0;
  467 
  468         /*
  469          * Cancel the INIT timer, We do this first before queueing the
  470          * cookie. We always cancel at the primary to assue that we are
  471          * canceling the timer started by the INIT which always goes to the
  472          * primary.
  473          */
  474         sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
  475             asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4);
  476 
  477         /* calculate the RTO */
  478         net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy);
  479 
  480         retval = sctp_send_cookie_echo(m, offset, stcb, net);
  481         if (retval < 0) {
  482                 /*
  483                  * No cookie, we probably should send a op error. But in any
  484                  * case if there is no cookie in the INIT-ACK, we can
  485                  * abandon the peer, its broke.
  486                  */
  487                 if (retval == -3) {
  488                         /* We abort with an error of missing mandatory param */
  489                         op_err =
  490                             sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM);
  491                         if (op_err) {
  492                                 /*
  493                                  * Expand beyond to include the mandatory
  494                                  * param cookie
  495                                  */
  496                                 struct sctp_inv_mandatory_param *mp;
  497 
  498                                 SCTP_BUF_LEN(op_err) =
  499                                     sizeof(struct sctp_inv_mandatory_param);
  500                                 mp = mtod(op_err,
  501                                     struct sctp_inv_mandatory_param *);
  502                                 /* Subtract the reserved param */
  503                                 mp->length =
  504                                     htons(sizeof(struct sctp_inv_mandatory_param) - 2);
  505                                 mp->num_param = htonl(1);
  506                                 mp->param = htons(SCTP_STATE_COOKIE);
  507                                 mp->resv = 0;
  508                         }
  509                         sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
  510                             sh, op_err, 0, net->port);
  511                         *abort_no_unlock = 1;
  512                 }
  513                 return (retval);
  514         }
  515         return (0);
  516 }
  517 
  518 static void
  519 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
  520     struct sctp_tcb *stcb, struct sctp_nets *net)
  521 {
  522         struct sockaddr_storage store;
  523         struct sockaddr_in *sin;
  524         struct sockaddr_in6 *sin6;
  525         struct sctp_nets *r_net;
  526         struct timeval tv;
  527         int req_prim = 0;
  528 
  529         if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
  530                 /* Invalid length */
  531                 return;
  532         }
  533         sin = (struct sockaddr_in *)&store;
  534         sin6 = (struct sockaddr_in6 *)&store;
  535 
  536         memset(&store, 0, sizeof(store));
  537         if (cp->heartbeat.hb_info.addr_family == AF_INET &&
  538             cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
  539                 sin->sin_family = cp->heartbeat.hb_info.addr_family;
  540                 sin->sin_len = cp->heartbeat.hb_info.addr_len;
  541                 sin->sin_port = stcb->rport;
  542                 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address,
  543                     sizeof(sin->sin_addr));
  544         } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 &&
  545             cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
  546                 sin6->sin6_family = cp->heartbeat.hb_info.addr_family;
  547                 sin6->sin6_len = cp->heartbeat.hb_info.addr_len;
  548                 sin6->sin6_port = stcb->rport;
  549                 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address,
  550                     sizeof(sin6->sin6_addr));
  551         } else {
  552                 return;
  553         }
  554         r_net = sctp_findnet(stcb, (struct sockaddr *)sin);
  555         if (r_net == NULL) {
  556                 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n");
  557                 return;
  558         }
  559         if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
  560             (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
  561             (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
  562                 /*
  563                  * If the its a HB and it's random value is correct when can
  564                  * confirm the destination.
  565                  */
  566                 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
  567                 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) {
  568                         stcb->asoc.primary_destination = r_net;
  569                         r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY;
  570                         r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY;
  571                         r_net = TAILQ_FIRST(&stcb->asoc.nets);
  572                         if (r_net != stcb->asoc.primary_destination) {
  573                                 /*
  574                                  * first one on the list is NOT the primary
  575                                  * sctp_cmpaddr() is much more efficent if
  576                                  * the primary is the first on the list,
  577                                  * make it so.
  578                                  */
  579                                 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
  580                                 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
  581                         }
  582                         req_prim = 1;
  583                 }
  584                 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
  585                     stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
  586         }
  587         r_net->error_count = 0;
  588         r_net->hb_responded = 1;
  589         tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
  590         tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
  591         if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) {
  592                 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE;
  593                 r_net->dest_state |= SCTP_ADDR_REACHABLE;
  594                 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
  595                     SCTP_HEARTBEAT_SUCCESS, (void *)r_net, SCTP_SO_NOT_LOCKED);
  596                 /* now was it the primary? if so restore */
  597                 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) {
  598                         (void)sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net);
  599                 }
  600         }
  601         /*
  602          * JRS 5/14/07 - If CMT PF is on and the destination is in PF state,
  603          * set the destination to active state and set the cwnd to one or
  604          * two MTU's based on whether PF1 or PF2 is being used. If a T3
  605          * timer is running, for the destination, stop the timer because a
  606          * PF-heartbeat was received.
  607          */
  608         if (SCTP_BASE_SYSCTL(sctp_cmt_on_off) &&
  609             SCTP_BASE_SYSCTL(sctp_cmt_pf) &&
  610             (net->dest_state & SCTP_ADDR_PF) == SCTP_ADDR_PF) {
  611                 if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
  612                         sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
  613                             stcb, net,
  614                             SCTP_FROM_SCTP_INPUT + SCTP_LOC_5);
  615                 }
  616                 net->dest_state &= ~SCTP_ADDR_PF;
  617                 net->cwnd = net->mtu * SCTP_BASE_SYSCTL(sctp_cmt_pf);
  618                 SCTPDBG(SCTP_DEBUG_INPUT1, "Destination %p moved from PF to reachable with cwnd %d.\n",
  619                     net, net->cwnd);
  620         }
  621         /* Now lets do a RTO with this */
  622         r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy);
  623         /* Mobility adaptation */
  624         if (req_prim) {
  625                 if ((sctp_is_mobility_feature_on(stcb->sctp_ep,
  626                     SCTP_MOBILITY_BASE) ||
  627                     sctp_is_mobility_feature_on(stcb->sctp_ep,
  628                     SCTP_MOBILITY_FASTHANDOFF)) &&
  629                     sctp_is_mobility_feature_on(stcb->sctp_ep,
  630                     SCTP_MOBILITY_PRIM_DELETED)) {
  631 
  632                         sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_TIMER + SCTP_LOC_7);
  633                         if (sctp_is_mobility_feature_on(stcb->sctp_ep,
  634                             SCTP_MOBILITY_FASTHANDOFF)) {
  635                                 sctp_assoc_immediate_retrans(stcb,
  636                                     stcb->asoc.primary_destination);
  637                         }
  638                         if (sctp_is_mobility_feature_on(stcb->sctp_ep,
  639                             SCTP_MOBILITY_BASE)) {
  640                                 sctp_move_chunks_from_deleted_prim(stcb,
  641                                     stcb->asoc.primary_destination);
  642                         }
  643                         sctp_delete_prim_timer(stcb->sctp_ep, stcb,
  644                             stcb->asoc.deleted_primary);
  645                 }
  646         }
  647 }
  648 
  649 static int
  650 sctp_handle_nat_colliding_state(struct sctp_tcb *stcb)
  651 {
  652         /*
  653          * return 0 means we want you to proceed with the abort non-zero
  654          * means no abort processing
  655          */
  656         struct sctpasochead *head;
  657 
  658         if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) {
  659                 /* generate a new vtag and send init */
  660                 LIST_REMOVE(stcb, sctp_asocs);
  661                 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
  662                 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
  663                 /*
  664                  * put it in the bucket in the vtag hash of assoc's for the
  665                  * system
  666                  */
  667                 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
  668                 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
  669                 return (1);
  670         }
  671         if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED) {
  672                 /*
  673                  * treat like a case where the cookie expired i.e.: - dump
  674                  * current cookie. - generate a new vtag. - resend init.
  675                  */
  676                 /* generate a new vtag and send init */
  677                 LIST_REMOVE(stcb, sctp_asocs);
  678                 stcb->asoc.state &= ~SCTP_STATE_COOKIE_ECHOED;
  679                 stcb->asoc.state |= SCTP_STATE_COOKIE_WAIT;
  680                 sctp_stop_all_cookie_timers(stcb);
  681                 sctp_toss_old_cookies(stcb, &stcb->asoc);
  682                 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
  683                 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
  684                 /*
  685                  * put it in the bucket in the vtag hash of assoc's for the
  686                  * system
  687                  */
  688                 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
  689                 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
  690                 return (1);
  691         }
  692         return (0);
  693 }
  694 
  695 static int
  696 sctp_handle_nat_missing_state(struct sctp_tcb *stcb,
  697     struct sctp_nets *net)
  698 {
  699         /*
  700          * return 0 means we want you to proceed with the abort non-zero
  701          * means no abort processing
  702          */
  703         if (stcb->asoc.peer_supports_auth == 0) {
  704                 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n");
  705                 return (0);
  706         }
  707         sctp_asconf_send_nat_state_update(stcb, net);
  708         return (1);
  709 }
  710 
  711 
  712 static void
  713 sctp_handle_abort(struct sctp_abort_chunk *cp,
  714     struct sctp_tcb *stcb, struct sctp_nets *net)
  715 {
  716 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  717         struct socket *so;
  718 
  719 #endif
  720         uint16_t len;
  721 
  722         SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n");
  723         if (stcb == NULL)
  724                 return;
  725 
  726         len = ntohs(cp->ch.chunk_length);
  727         if (len > sizeof(struct sctp_chunkhdr)) {
  728                 /*
  729                  * Need to check the cause codes for our two magic nat
  730                  * aborts which don't kill the assoc necessarily.
  731                  */
  732                 struct sctp_abort_chunk *cpnext;
  733                 struct sctp_missing_nat_state *natc;
  734                 uint16_t cause;
  735 
  736                 cpnext = cp;
  737                 cpnext++;
  738                 natc = (struct sctp_missing_nat_state *)cpnext;
  739                 cause = ntohs(natc->cause);
  740                 if (cause == SCTP_CAUSE_NAT_COLLIDING_STATE) {
  741                         SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
  742                             cp->ch.chunk_flags);
  743                         if (sctp_handle_nat_colliding_state(stcb)) {
  744                                 return;
  745                         }
  746                 } else if (cause == SCTP_CAUSE_NAT_MISSING_STATE) {
  747                         SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
  748                             cp->ch.chunk_flags);
  749                         if (sctp_handle_nat_missing_state(stcb, net)) {
  750                                 return;
  751                         }
  752                 }
  753         }
  754         /* stop any receive timers */
  755         sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
  756         /* notify user of the abort and clean up... */
  757         sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED);
  758         /* free the tcb */
  759 #if defined(SCTP_PANIC_ON_ABORT)
  760         printf("stcb:%p state:%d rport:%d net:%p\n",
  761             stcb, stcb->asoc.state, stcb->rport, net);
  762         if (!(stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
  763                 panic("Received an ABORT");
  764         } else {
  765                 printf("No panic its in state %x closed\n", stcb->asoc.state);
  766         }
  767 #endif
  768         SCTP_STAT_INCR_COUNTER32(sctps_aborted);
  769         if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) ||
  770             (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
  771                 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
  772         }
  773 #ifdef SCTP_ASOCLOG_OF_TSNS
  774         sctp_print_out_track_log(stcb);
  775 #endif
  776 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  777         so = SCTP_INP_SO(stcb->sctp_ep);
  778         atomic_add_int(&stcb->asoc.refcnt, 1);
  779         SCTP_TCB_UNLOCK(stcb);
  780         SCTP_SOCKET_LOCK(so, 1);
  781         SCTP_TCB_LOCK(stcb);
  782         atomic_subtract_int(&stcb->asoc.refcnt, 1);
  783 #endif
  784         stcb->asoc.state |= SCTP_STATE_WAS_ABORTED;
  785         (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
  786             SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
  787 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  788         SCTP_SOCKET_UNLOCK(so, 1);
  789 #endif
  790         SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n");
  791 }
  792 
  793 static void
  794 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
  795     struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
  796 {
  797         struct sctp_association *asoc;
  798         int some_on_streamwheel;
  799 
  800 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  801         struct socket *so;
  802 
  803 #endif
  804 
  805         SCTPDBG(SCTP_DEBUG_INPUT2,
  806             "sctp_handle_shutdown: handling SHUTDOWN\n");
  807         if (stcb == NULL)
  808                 return;
  809         asoc = &stcb->asoc;
  810         if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
  811             (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
  812                 return;
  813         }
  814         if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
  815                 /* Shutdown NOT the expected size */
  816                 return;
  817         } else {
  818                 sctp_update_acked(stcb, cp, net, abort_flag);
  819         }
  820         if (asoc->control_pdapi) {
  821                 /*
  822                  * With a normal shutdown we assume the end of last record.
  823                  */
  824                 SCTP_INP_READ_LOCK(stcb->sctp_ep);
  825                 asoc->control_pdapi->end_added = 1;
  826                 asoc->control_pdapi->pdapi_aborted = 1;
  827                 asoc->control_pdapi = NULL;
  828                 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
  829 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  830                 so = SCTP_INP_SO(stcb->sctp_ep);
  831                 atomic_add_int(&stcb->asoc.refcnt, 1);
  832                 SCTP_TCB_UNLOCK(stcb);
  833                 SCTP_SOCKET_LOCK(so, 1);
  834                 SCTP_TCB_LOCK(stcb);
  835                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
  836                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
  837                         /* assoc was freed while we were unlocked */
  838                         SCTP_SOCKET_UNLOCK(so, 1);
  839                         return;
  840                 }
  841 #endif
  842                 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
  843 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  844                 SCTP_SOCKET_UNLOCK(so, 1);
  845 #endif
  846         }
  847         /* goto SHUTDOWN_RECEIVED state to block new requests */
  848         if (stcb->sctp_socket) {
  849                 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
  850                     (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) &&
  851                     (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
  852                         SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED);
  853                         SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
  854                         /*
  855                          * notify upper layer that peer has initiated a
  856                          * shutdown
  857                          */
  858                         sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
  859 
  860                         /* reset time */
  861                         (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
  862                 }
  863         }
  864         if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
  865                 /*
  866                  * stop the shutdown timer, since we WILL move to
  867                  * SHUTDOWN-ACK-SENT.
  868                  */
  869                 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8);
  870         }
  871         /* Now is there unsent data on a stream somewhere? */
  872         some_on_streamwheel = sctp_is_there_unsent_data(stcb);
  873 
  874         if (!TAILQ_EMPTY(&asoc->send_queue) ||
  875             !TAILQ_EMPTY(&asoc->sent_queue) ||
  876             some_on_streamwheel) {
  877                 /* By returning we will push more data out */
  878                 return;
  879         } else {
  880                 /* no outstanding data to send, so move on... */
  881                 /* send SHUTDOWN-ACK */
  882                 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
  883                 /* move to SHUTDOWN-ACK-SENT state */
  884                 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
  885                     (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
  886                         SCTP_STAT_DECR_GAUGE32(sctps_currestab);
  887                 }
  888                 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
  889                 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
  890                 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net,
  891                     SCTP_FROM_SCTP_INPUT + SCTP_LOC_7);
  892                 /* start SHUTDOWN timer */
  893                 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep,
  894                     stcb, net);
  895         }
  896 }
  897 
  898 static void
  899 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp,
  900     struct sctp_tcb *stcb, struct sctp_nets *net)
  901 {
  902         struct sctp_association *asoc;
  903 
  904 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  905         struct socket *so;
  906 
  907         so = SCTP_INP_SO(stcb->sctp_ep);
  908 #endif
  909         SCTPDBG(SCTP_DEBUG_INPUT2,
  910             "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
  911         if (stcb == NULL)
  912                 return;
  913 
  914         asoc = &stcb->asoc;
  915         /* process according to association state */
  916         if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
  917             (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
  918                 /* unexpected SHUTDOWN-ACK... so ignore... */
  919                 SCTP_TCB_UNLOCK(stcb);
  920                 return;
  921         }
  922         if (asoc->control_pdapi) {
  923                 /*
  924                  * With a normal shutdown we assume the end of last record.
  925                  */
  926                 SCTP_INP_READ_LOCK(stcb->sctp_ep);
  927                 asoc->control_pdapi->end_added = 1;
  928                 asoc->control_pdapi->pdapi_aborted = 1;
  929                 asoc->control_pdapi = NULL;
  930                 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
  931 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  932                 atomic_add_int(&stcb->asoc.refcnt, 1);
  933                 SCTP_TCB_UNLOCK(stcb);
  934                 SCTP_SOCKET_LOCK(so, 1);
  935                 SCTP_TCB_LOCK(stcb);
  936                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
  937                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
  938                         /* assoc was freed while we were unlocked */
  939                         SCTP_SOCKET_UNLOCK(so, 1);
  940                         return;
  941                 }
  942 #endif
  943                 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
  944 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  945                 SCTP_SOCKET_UNLOCK(so, 1);
  946 #endif
  947         }
  948         /* are the queues empty? */
  949         if (!TAILQ_EMPTY(&asoc->send_queue) ||
  950             !TAILQ_EMPTY(&asoc->sent_queue) ||
  951             !TAILQ_EMPTY(&asoc->out_wheel)) {
  952                 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED);
  953         }
  954         /* stop the timer */
  955         sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9);
  956         /* send SHUTDOWN-COMPLETE */
  957         sctp_send_shutdown_complete(stcb, net);
  958         /* notify upper layer protocol */
  959         if (stcb->sctp_socket) {
  960                 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
  961                 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
  962                     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
  963                         /* Set the connected flag to disconnected */
  964                         stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0;
  965                 }
  966         }
  967         SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
  968         /* free the TCB but first save off the ep */
  969 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  970         atomic_add_int(&stcb->asoc.refcnt, 1);
  971         SCTP_TCB_UNLOCK(stcb);
  972         SCTP_SOCKET_LOCK(so, 1);
  973         SCTP_TCB_LOCK(stcb);
  974         atomic_subtract_int(&stcb->asoc.refcnt, 1);
  975 #endif
  976         (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
  977             SCTP_FROM_SCTP_INPUT + SCTP_LOC_10);
  978 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  979         SCTP_SOCKET_UNLOCK(so, 1);
  980 #endif
  981 }
  982 
  983 /*
  984  * Skip past the param header and then we will find the chunk that caused the
  985  * problem. There are two possiblities ASCONF or FWD-TSN other than that and
  986  * our peer must be broken.
  987  */
  988 static void
  989 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
  990     struct sctp_nets *net)
  991 {
  992         struct sctp_chunkhdr *chk;
  993 
  994         chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr));
  995         switch (chk->chunk_type) {
  996         case SCTP_ASCONF_ACK:
  997         case SCTP_ASCONF:
  998                 sctp_asconf_cleanup(stcb, net);
  999                 break;
 1000         case SCTP_FORWARD_CUM_TSN:
 1001                 stcb->asoc.peer_supports_prsctp = 0;
 1002                 break;
 1003         default:
 1004                 SCTPDBG(SCTP_DEBUG_INPUT2,
 1005                     "Peer does not support chunk type %d(%x)??\n",
 1006                     chk->chunk_type, (uint32_t) chk->chunk_type);
 1007                 break;
 1008         }
 1009 }
 1010 
 1011 /*
 1012  * Skip past the param header and then we will find the param that caused the
 1013  * problem.  There are a number of param's in a ASCONF OR the prsctp param
 1014  * these will turn of specific features.
 1015  */
 1016 static void
 1017 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
 1018 {
 1019         struct sctp_paramhdr *pbad;
 1020 
 1021         pbad = phdr + 1;
 1022         switch (ntohs(pbad->param_type)) {
 1023                 /* pr-sctp draft */
 1024         case SCTP_PRSCTP_SUPPORTED:
 1025                 stcb->asoc.peer_supports_prsctp = 0;
 1026                 break;
 1027         case SCTP_SUPPORTED_CHUNK_EXT:
 1028                 break;
 1029                 /* draft-ietf-tsvwg-addip-sctp */
 1030         case SCTP_HAS_NAT_SUPPORT:
 1031                 stcb->asoc.peer_supports_nat = 0;
 1032                 break;
 1033         case SCTP_ECN_NONCE_SUPPORTED:
 1034                 stcb->asoc.peer_supports_ecn_nonce = 0;
 1035                 stcb->asoc.ecn_nonce_allowed = 0;
 1036                 stcb->asoc.ecn_allowed = 0;
 1037                 break;
 1038         case SCTP_ADD_IP_ADDRESS:
 1039         case SCTP_DEL_IP_ADDRESS:
 1040         case SCTP_SET_PRIM_ADDR:
 1041                 stcb->asoc.peer_supports_asconf = 0;
 1042                 break;
 1043         case SCTP_SUCCESS_REPORT:
 1044         case SCTP_ERROR_CAUSE_IND:
 1045                 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n");
 1046                 SCTPDBG(SCTP_DEBUG_INPUT2,
 1047                     "Turning off ASCONF to this strange peer\n");
 1048                 stcb->asoc.peer_supports_asconf = 0;
 1049                 break;
 1050         default:
 1051                 SCTPDBG(SCTP_DEBUG_INPUT2,
 1052                     "Peer does not support param type %d(%x)??\n",
 1053                     pbad->param_type, (uint32_t) pbad->param_type);
 1054                 break;
 1055         }
 1056 }
 1057 
 1058 static int
 1059 sctp_handle_error(struct sctp_chunkhdr *ch,
 1060     struct sctp_tcb *stcb, struct sctp_nets *net)
 1061 {
 1062         int chklen;
 1063         struct sctp_paramhdr *phdr;
 1064         uint16_t error_type;
 1065         uint16_t error_len;
 1066         struct sctp_association *asoc;
 1067         int adjust;
 1068 
 1069 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1070         struct socket *so;
 1071 
 1072 #endif
 1073 
 1074         /* parse through all of the errors and process */
 1075         asoc = &stcb->asoc;
 1076         phdr = (struct sctp_paramhdr *)((caddr_t)ch +
 1077             sizeof(struct sctp_chunkhdr));
 1078         chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr);
 1079         while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) {
 1080                 /* Process an Error Cause */
 1081                 error_type = ntohs(phdr->param_type);
 1082                 error_len = ntohs(phdr->param_length);
 1083                 if ((error_len > chklen) || (error_len == 0)) {
 1084                         /* invalid param length for this param */
 1085                         SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n",
 1086                             chklen, error_len);
 1087                         return (0);
 1088                 }
 1089                 switch (error_type) {
 1090                 case SCTP_CAUSE_INVALID_STREAM:
 1091                 case SCTP_CAUSE_MISSING_PARAM:
 1092                 case SCTP_CAUSE_INVALID_PARAM:
 1093                 case SCTP_CAUSE_NO_USER_DATA:
 1094                         SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n",
 1095                             error_type);
 1096                         break;
 1097                 case SCTP_CAUSE_NAT_COLLIDING_STATE:
 1098                         SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
 1099                             ch->chunk_flags);
 1100                         if (sctp_handle_nat_colliding_state(stcb)) {
 1101                                 return (0);
 1102                         }
 1103                         break;
 1104                 case SCTP_CAUSE_NAT_MISSING_STATE:
 1105                         SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
 1106                             ch->chunk_flags);
 1107                         if (sctp_handle_nat_missing_state(stcb, net)) {
 1108                                 return (0);
 1109                         }
 1110                         break;
 1111                 case SCTP_CAUSE_STALE_COOKIE:
 1112                         /*
 1113                          * We only act if we have echoed a cookie and are
 1114                          * waiting.
 1115                          */
 1116                         if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
 1117                                 int *p;
 1118 
 1119                                 p = (int *)((caddr_t)phdr + sizeof(*phdr));
 1120                                 /* Save the time doubled */
 1121                                 asoc->cookie_preserve_req = ntohl(*p) << 1;
 1122                                 asoc->stale_cookie_count++;
 1123                                 if (asoc->stale_cookie_count >
 1124                                     asoc->max_init_times) {
 1125                                         sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED);
 1126                                         /* now free the asoc */
 1127 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1128                                         so = SCTP_INP_SO(stcb->sctp_ep);
 1129                                         atomic_add_int(&stcb->asoc.refcnt, 1);
 1130                                         SCTP_TCB_UNLOCK(stcb);
 1131                                         SCTP_SOCKET_LOCK(so, 1);
 1132                                         SCTP_TCB_LOCK(stcb);
 1133                                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 1134 #endif
 1135                                         (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
 1136                                             SCTP_FROM_SCTP_INPUT + SCTP_LOC_11);
 1137 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1138                                         SCTP_SOCKET_UNLOCK(so, 1);
 1139 #endif
 1140                                         return (-1);
 1141                                 }
 1142                                 /* blast back to INIT state */
 1143                                 sctp_toss_old_cookies(stcb, &stcb->asoc);
 1144                                 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
 1145                                 asoc->state |= SCTP_STATE_COOKIE_WAIT;
 1146                                 sctp_stop_all_cookie_timers(stcb);
 1147                                 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
 1148                         }
 1149                         break;
 1150                 case SCTP_CAUSE_UNRESOLVABLE_ADDR:
 1151                         /*
 1152                          * Nothing we can do here, we don't do hostname
 1153                          * addresses so if the peer does not like my IPv6
 1154                          * (or IPv4 for that matter) it does not matter. If
 1155                          * they don't support that type of address, they can
 1156                          * NOT possibly get that packet type... i.e. with no
 1157                          * IPv6 you can't recieve a IPv6 packet. so we can
 1158                          * safely ignore this one. If we ever added support
 1159                          * for HOSTNAME Addresses, then we would need to do
 1160                          * something here.
 1161                          */
 1162                         break;
 1163                 case SCTP_CAUSE_UNRECOG_CHUNK:
 1164                         sctp_process_unrecog_chunk(stcb, phdr, net);
 1165                         break;
 1166                 case SCTP_CAUSE_UNRECOG_PARAM:
 1167                         sctp_process_unrecog_param(stcb, phdr);
 1168                         break;
 1169                 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
 1170                         /*
 1171                          * We ignore this since the timer will drive out a
 1172                          * new cookie anyway and there timer will drive us
 1173                          * to send a SHUTDOWN_COMPLETE. We can't send one
 1174                          * here since we don't have their tag.
 1175                          */
 1176                         break;
 1177                 case SCTP_CAUSE_DELETING_LAST_ADDR:
 1178                 case SCTP_CAUSE_RESOURCE_SHORTAGE:
 1179                 case SCTP_CAUSE_DELETING_SRC_ADDR:
 1180                         /*
 1181                          * We should NOT get these here, but in a
 1182                          * ASCONF-ACK.
 1183                          */
 1184                         SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n",
 1185                             error_type);
 1186                         break;
 1187                 case SCTP_CAUSE_OUT_OF_RESC:
 1188                         /*
 1189                          * And what, pray tell do we do with the fact that
 1190                          * the peer is out of resources? Not really sure we
 1191                          * could do anything but abort. I suspect this
 1192                          * should have came WITH an abort instead of in a
 1193                          * OP-ERROR.
 1194                          */
 1195                         break;
 1196                 default:
 1197                         SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n",
 1198                             error_type);
 1199                         break;
 1200                 }
 1201                 adjust = SCTP_SIZE32(error_len);
 1202                 chklen -= adjust;
 1203                 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust);
 1204         }
 1205         return (0);
 1206 }
 1207 
 1208 static int
 1209 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
 1210     struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
 1211     struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id)
 1212 {
 1213         struct sctp_init_ack *init_ack;
 1214         struct mbuf *op_err;
 1215 
 1216         SCTPDBG(SCTP_DEBUG_INPUT2,
 1217             "sctp_handle_init_ack: handling INIT-ACK\n");
 1218 
 1219         if (stcb == NULL) {
 1220                 SCTPDBG(SCTP_DEBUG_INPUT2,
 1221                     "sctp_handle_init_ack: TCB is null\n");
 1222                 return (-1);
 1223         }
 1224         if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
 1225                 /* Invalid length */
 1226                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1227                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1228                     op_err, 0, net->port);
 1229                 *abort_no_unlock = 1;
 1230                 return (-1);
 1231         }
 1232         init_ack = &cp->init;
 1233         /* validate parameters */
 1234         if (init_ack->initiate_tag == 0) {
 1235                 /* protocol error... send an abort */
 1236                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1237                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1238                     op_err, 0, net->port);
 1239                 *abort_no_unlock = 1;
 1240                 return (-1);
 1241         }
 1242         if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) {
 1243                 /* protocol error... send an abort */
 1244                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1245                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1246                     op_err, 0, net->port);
 1247                 *abort_no_unlock = 1;
 1248                 return (-1);
 1249         }
 1250         if (init_ack->num_inbound_streams == 0) {
 1251                 /* protocol error... send an abort */
 1252                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1253                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1254                     op_err, 0, net->port);
 1255                 *abort_no_unlock = 1;
 1256                 return (-1);
 1257         }
 1258         if (init_ack->num_outbound_streams == 0) {
 1259                 /* protocol error... send an abort */
 1260                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1261                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1262                     op_err, 0, net->port);
 1263                 *abort_no_unlock = 1;
 1264                 return (-1);
 1265         }
 1266         /* process according to association state... */
 1267         switch (stcb->asoc.state & SCTP_STATE_MASK) {
 1268         case SCTP_STATE_COOKIE_WAIT:
 1269                 /* this is the expected state for this chunk */
 1270                 /* process the INIT-ACK parameters */
 1271                 if (stcb->asoc.primary_destination->dest_state &
 1272                     SCTP_ADDR_UNCONFIRMED) {
 1273                         /*
 1274                          * The primary is where we sent the INIT, we can
 1275                          * always consider it confirmed when the INIT-ACK is
 1276                          * returned. Do this before we load addresses
 1277                          * though.
 1278                          */
 1279                         stcb->asoc.primary_destination->dest_state &=
 1280                             ~SCTP_ADDR_UNCONFIRMED;
 1281                         sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
 1282                             stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED);
 1283                 }
 1284                 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb,
 1285                     net, abort_no_unlock, vrf_id) < 0) {
 1286                         /* error in parsing parameters */
 1287                         return (-1);
 1288                 }
 1289                 /* update our state */
 1290                 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n");
 1291                 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED);
 1292 
 1293                 /* reset the RTO calc */
 1294                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 1295                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 1296                             stcb->asoc.overall_error_count,
 1297                             0,
 1298                             SCTP_FROM_SCTP_INPUT,
 1299                             __LINE__);
 1300                 }
 1301                 stcb->asoc.overall_error_count = 0;
 1302                 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
 1303                 /*
 1304                  * collapse the init timer back in case of a exponential
 1305                  * backoff
 1306                  */
 1307                 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
 1308                     stcb, net);
 1309                 /*
 1310                  * the send at the end of the inbound data processing will
 1311                  * cause the cookie to be sent
 1312                  */
 1313                 break;
 1314         case SCTP_STATE_SHUTDOWN_SENT:
 1315                 /* incorrect state... discard */
 1316                 break;
 1317         case SCTP_STATE_COOKIE_ECHOED:
 1318                 /* incorrect state... discard */
 1319                 break;
 1320         case SCTP_STATE_OPEN:
 1321                 /* incorrect state... discard */
 1322                 break;
 1323         case SCTP_STATE_EMPTY:
 1324         case SCTP_STATE_INUSE:
 1325         default:
 1326                 /* incorrect state... discard */
 1327                 return (-1);
 1328                 break;
 1329         }
 1330         SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
 1331         return (0);
 1332 }
 1333 
 1334 static struct sctp_tcb *
 1335 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
 1336     struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
 1337     struct sctp_inpcb *inp, struct sctp_nets **netp,
 1338     struct sockaddr *init_src, int *notification,
 1339     int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
 1340     uint32_t vrf_id, uint16_t port);
 1341 
 1342 
 1343 /*
 1344  * handle a state cookie for an existing association m: input packet mbuf
 1345  * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a
 1346  * "split" mbuf and the cookie signature does not exist offset: offset into
 1347  * mbuf to the cookie-echo chunk
 1348  */
 1349 static struct sctp_tcb *
 1350 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
 1351     struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
 1352     struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp,
 1353     struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id,
 1354     uint32_t vrf_id, int auth_skipped, uint32_t auth_offset, uint32_t auth_len, uint16_t port)
 1355 {
 1356         struct sctp_association *asoc;
 1357         struct sctp_init_chunk *init_cp, init_buf;
 1358         struct sctp_init_ack_chunk *initack_cp, initack_buf;
 1359         struct sctp_nets *net;
 1360         struct mbuf *op_err;
 1361         struct sctp_paramhdr *ph;
 1362         int chk_length;
 1363         int init_offset, initack_offset, i;
 1364         int retval;
 1365         int spec_flag = 0;
 1366         uint32_t how_indx;
 1367 
 1368         net = *netp;
 1369         /* I know that the TCB is non-NULL from the caller */
 1370         asoc = &stcb->asoc;
 1371         for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) {
 1372                 if (asoc->cookie_how[how_indx] == 0)
 1373                         break;
 1374         }
 1375         if (how_indx < sizeof(asoc->cookie_how)) {
 1376                 asoc->cookie_how[how_indx] = 1;
 1377         }
 1378         if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
 1379                 /* SHUTDOWN came in after sending INIT-ACK */
 1380                 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
 1381                 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
 1382                     0, M_DONTWAIT, 1, MT_DATA);
 1383                 if (op_err == NULL) {
 1384                         /* FOOBAR */
 1385                         return (NULL);
 1386                 }
 1387                 /* pre-reserve some space */
 1388 #ifdef INET6
 1389                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
 1390 #else
 1391                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
 1392 #endif
 1393                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
 1394                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
 1395                 /* Set the len */
 1396                 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr);
 1397                 ph = mtod(op_err, struct sctp_paramhdr *);
 1398                 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN);
 1399                 ph->param_length = htons(sizeof(struct sctp_paramhdr));
 1400                 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag,
 1401                     vrf_id, net->port);
 1402                 if (how_indx < sizeof(asoc->cookie_how))
 1403                         asoc->cookie_how[how_indx] = 2;
 1404                 return (NULL);
 1405         }
 1406         /*
 1407          * find and validate the INIT chunk in the cookie (peer's info) the
 1408          * INIT should start after the cookie-echo header struct (chunk
 1409          * header, state cookie header struct)
 1410          */
 1411         init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
 1412 
 1413         init_cp = (struct sctp_init_chunk *)
 1414             sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
 1415             (uint8_t *) & init_buf);
 1416         if (init_cp == NULL) {
 1417                 /* could not pull a INIT chunk in cookie */
 1418                 return (NULL);
 1419         }
 1420         chk_length = ntohs(init_cp->ch.chunk_length);
 1421         if (init_cp->ch.chunk_type != SCTP_INITIATION) {
 1422                 return (NULL);
 1423         }
 1424         /*
 1425          * find and validate the INIT-ACK chunk in the cookie (my info) the
 1426          * INIT-ACK follows the INIT chunk
 1427          */
 1428         initack_offset = init_offset + SCTP_SIZE32(chk_length);
 1429         initack_cp = (struct sctp_init_ack_chunk *)
 1430             sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
 1431             (uint8_t *) & initack_buf);
 1432         if (initack_cp == NULL) {
 1433                 /* could not pull INIT-ACK chunk in cookie */
 1434                 return (NULL);
 1435         }
 1436         chk_length = ntohs(initack_cp->ch.chunk_length);
 1437         if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
 1438                 return (NULL);
 1439         }
 1440         if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
 1441             (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
 1442                 /*
 1443                  * case D in Section 5.2.4 Table 2: MMAA process accordingly
 1444                  * to get into the OPEN state
 1445                  */
 1446                 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
 1447                         /*-
 1448                          * Opps, this means that we somehow generated two vtag's
 1449                          * the same. I.e. we did:
 1450                          *  Us               Peer
 1451                          *   <---INIT(tag=a)------
 1452                          *   ----INIT-ACK(tag=t)-->
 1453                          *   ----INIT(tag=t)------> *1
 1454                          *   <---INIT-ACK(tag=a)---
 1455                          *   <----CE(tag=t)------------- *2
 1456                          *
 1457                          * At point *1 we should be generating a different
 1458                          * tag t'. Which means we would throw away the CE and send
 1459                          * ours instead. Basically this is case C (throw away side).
 1460                          */
 1461                         if (how_indx < sizeof(asoc->cookie_how))
 1462                                 asoc->cookie_how[how_indx] = 17;
 1463                         return (NULL);
 1464 
 1465                 }
 1466                 switch SCTP_GET_STATE
 1467                         (asoc) {
 1468                 case SCTP_STATE_COOKIE_WAIT:
 1469                 case SCTP_STATE_COOKIE_ECHOED:
 1470                         /*
 1471                          * INIT was sent but got a COOKIE_ECHO with the
 1472                          * correct tags... just accept it...but we must
 1473                          * process the init so that we can make sure we have
 1474                          * the right seq no's.
 1475                          */
 1476                         /* First we must process the INIT !! */
 1477                         retval = sctp_process_init(init_cp, stcb, net);
 1478                         if (retval < 0) {
 1479                                 if (how_indx < sizeof(asoc->cookie_how))
 1480                                         asoc->cookie_how[how_indx] = 3;
 1481                                 return (NULL);
 1482                         }
 1483                         /* we have already processed the INIT so no problem */
 1484                         sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
 1485                             net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12);
 1486                         sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13);
 1487                         /* update current state */
 1488                         if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
 1489                                 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
 1490                         else
 1491                                 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
 1492 
 1493                         SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 1494                         if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 1495                                 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 1496                                     stcb->sctp_ep, stcb, asoc->primary_destination);
 1497                         }
 1498                         SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 1499                         sctp_stop_all_cookie_timers(stcb);
 1500                         if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
 1501                             (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
 1502                             (inp->sctp_socket->so_qlimit == 0)
 1503                             ) {
 1504 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1505                                 struct socket *so;
 1506 
 1507 #endif
 1508                                 /*
 1509                                  * Here is where collision would go if we
 1510                                  * did a connect() and instead got a
 1511                                  * init/init-ack/cookie done before the
 1512                                  * init-ack came back..
 1513                                  */
 1514                                 stcb->sctp_ep->sctp_flags |=
 1515                                     SCTP_PCB_FLAGS_CONNECTED;
 1516 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1517                                 so = SCTP_INP_SO(stcb->sctp_ep);
 1518                                 atomic_add_int(&stcb->asoc.refcnt, 1);
 1519                                 SCTP_TCB_UNLOCK(stcb);
 1520                                 SCTP_SOCKET_LOCK(so, 1);
 1521                                 SCTP_TCB_LOCK(stcb);
 1522                                 atomic_add_int(&stcb->asoc.refcnt, -1);
 1523                                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
 1524                                         SCTP_SOCKET_UNLOCK(so, 1);
 1525                                         return (NULL);
 1526                                 }
 1527 #endif
 1528                                 soisconnected(stcb->sctp_socket);
 1529 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1530                                 SCTP_SOCKET_UNLOCK(so, 1);
 1531 #endif
 1532                         }
 1533                         /* notify upper layer */
 1534                         *notification = SCTP_NOTIFY_ASSOC_UP;
 1535                         /*
 1536                          * since we did not send a HB make sure we don't
 1537                          * double things
 1538                          */
 1539                         net->hb_responded = 1;
 1540                         net->RTO = sctp_calculate_rto(stcb, asoc, net,
 1541                             &cookie->time_entered, sctp_align_unsafe_makecopy);
 1542 
 1543                         if (stcb->asoc.sctp_autoclose_ticks &&
 1544                             (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) {
 1545                                 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
 1546                                     inp, stcb, NULL);
 1547                         }
 1548                         break;
 1549                 default:
 1550                         /*
 1551                          * we're in the OPEN state (or beyond), so peer must
 1552                          * have simply lost the COOKIE-ACK
 1553                          */
 1554                         break;
 1555                         }       /* end switch */
 1556                 sctp_stop_all_cookie_timers(stcb);
 1557                 /*
 1558                  * We ignore the return code here.. not sure if we should
 1559                  * somehow abort.. but we do have an existing asoc. This
 1560                  * really should not fail.
 1561                  */
 1562                 if (sctp_load_addresses_from_init(stcb, m, iphlen,
 1563                     init_offset + sizeof(struct sctp_init_chunk),
 1564                     initack_offset, sh, init_src)) {
 1565                         if (how_indx < sizeof(asoc->cookie_how))
 1566                                 asoc->cookie_how[how_indx] = 4;
 1567                         return (NULL);
 1568                 }
 1569                 /* respond with a COOKIE-ACK */
 1570                 sctp_toss_old_cookies(stcb, asoc);
 1571                 sctp_send_cookie_ack(stcb);
 1572                 if (how_indx < sizeof(asoc->cookie_how))
 1573                         asoc->cookie_how[how_indx] = 5;
 1574                 return (stcb);
 1575         }
 1576         if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
 1577             ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
 1578             cookie->tie_tag_my_vtag == 0 &&
 1579             cookie->tie_tag_peer_vtag == 0) {
 1580                 /*
 1581                  * case C in Section 5.2.4 Table 2: XMOO silently discard
 1582                  */
 1583                 if (how_indx < sizeof(asoc->cookie_how))
 1584                         asoc->cookie_how[how_indx] = 6;
 1585                 return (NULL);
 1586         }
 1587         /*
 1588          * If nat support, and the below and stcb is established, send back
 1589          * a ABORT(colliding state) if we are established.
 1590          */
 1591         if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) &&
 1592             (asoc->peer_supports_nat) &&
 1593             ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
 1594             ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
 1595             (asoc->peer_vtag == 0)))) {
 1596                 /*
 1597                  * Special case - Peer's support nat. We may have two init's
 1598                  * that we gave out the same tag on since one was not
 1599                  * established.. i.e. we get INIT from host-1 behind the nat
 1600                  * and we respond tag-a, we get a INIT from host-2 behind
 1601                  * the nat and we get tag-a again. Then we bring up host-1
 1602                  * (or 2's) assoc, Then comes the cookie from hsot-2 (or 1).
 1603                  * Now we have colliding state. We must send an abort here
 1604                  * with colliding state indication.
 1605                  */
 1606                 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
 1607                     0, M_DONTWAIT, 1, MT_DATA);
 1608                 if (op_err == NULL) {
 1609                         /* FOOBAR */
 1610                         return (NULL);
 1611                 }
 1612                 /* pre-reserve some space */
 1613 #ifdef INET6
 1614                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
 1615 #else
 1616                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
 1617 #endif
 1618                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
 1619                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
 1620                 /* Set the len */
 1621                 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr);
 1622                 ph = mtod(op_err, struct sctp_paramhdr *);
 1623                 ph->param_type = htons(SCTP_CAUSE_NAT_COLLIDING_STATE);
 1624                 ph->param_length = htons(sizeof(struct sctp_paramhdr));
 1625                 sctp_send_abort(m, iphlen, sh, 0, op_err, vrf_id, port);
 1626                 return (NULL);
 1627         }
 1628         if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
 1629             ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
 1630             (asoc->peer_vtag == 0))) {
 1631                 /*
 1632                  * case B in Section 5.2.4 Table 2: MXAA or MOAA my info
 1633                  * should be ok, re-accept peer info
 1634                  */
 1635                 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
 1636                         /*
 1637                          * Extension of case C. If we hit this, then the
 1638                          * random number generator returned the same vtag
 1639                          * when we first sent our INIT-ACK and when we later
 1640                          * sent our INIT. The side with the seq numbers that
 1641                          * are different will be the one that normnally
 1642                          * would have hit case C. This in effect "extends"
 1643                          * our vtags in this collision case to be 64 bits.
 1644                          * The same collision could occur aka you get both
 1645                          * vtag and seq number the same twice in a row.. but
 1646                          * is much less likely. If it did happen then we
 1647                          * would proceed through and bring up the assoc.. we
 1648                          * may end up with the wrong stream setup however..
 1649                          * which would be bad.. but there is no way to
 1650                          * tell.. until we send on a stream that does not
 1651                          * exist :-)
 1652                          */
 1653                         if (how_indx < sizeof(asoc->cookie_how))
 1654                                 asoc->cookie_how[how_indx] = 7;
 1655 
 1656                         return (NULL);
 1657                 }
 1658                 if (how_indx < sizeof(asoc->cookie_how))
 1659                         asoc->cookie_how[how_indx] = 8;
 1660                 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14);
 1661                 sctp_stop_all_cookie_timers(stcb);
 1662                 /*
 1663                  * since we did not send a HB make sure we don't double
 1664                  * things
 1665                  */
 1666                 net->hb_responded = 1;
 1667                 if (stcb->asoc.sctp_autoclose_ticks &&
 1668                     sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
 1669                         sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
 1670                             NULL);
 1671                 }
 1672                 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
 1673                 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
 1674 
 1675                 /* Note last_cwr_tsn? where is this used? */
 1676                 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
 1677                 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
 1678                         /*
 1679                          * Ok the peer probably discarded our data (if we
 1680                          * echoed a cookie+data). So anything on the
 1681                          * sent_queue should be marked for retransmit, we
 1682                          * may not get something to kick us so it COULD
 1683                          * still take a timeout to move these.. but it can't
 1684                          * hurt to mark them.
 1685                          */
 1686                         struct sctp_tmit_chunk *chk;
 1687 
 1688                         TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
 1689                                 if (chk->sent < SCTP_DATAGRAM_RESEND) {
 1690                                         chk->sent = SCTP_DATAGRAM_RESEND;
 1691                                         sctp_flight_size_decrease(chk);
 1692                                         sctp_total_flight_decrease(stcb, chk);
 1693                                         sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
 1694                                         spec_flag++;
 1695                                 }
 1696                         }
 1697 
 1698                 }
 1699                 /* process the INIT info (peer's info) */
 1700                 retval = sctp_process_init(init_cp, stcb, net);
 1701                 if (retval < 0) {
 1702                         if (how_indx < sizeof(asoc->cookie_how))
 1703                                 asoc->cookie_how[how_indx] = 9;
 1704                         return (NULL);
 1705                 }
 1706                 if (sctp_load_addresses_from_init(stcb, m, iphlen,
 1707                     init_offset + sizeof(struct sctp_init_chunk),
 1708                     initack_offset, sh, init_src)) {
 1709                         if (how_indx < sizeof(asoc->cookie_how))
 1710                                 asoc->cookie_how[how_indx] = 10;
 1711                         return (NULL);
 1712                 }
 1713                 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
 1714                     (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
 1715                         *notification = SCTP_NOTIFY_ASSOC_UP;
 1716 
 1717                         if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
 1718                             (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
 1719                             (inp->sctp_socket->so_qlimit == 0)) {
 1720 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1721                                 struct socket *so;
 1722 
 1723 #endif
 1724                                 stcb->sctp_ep->sctp_flags |=
 1725                                     SCTP_PCB_FLAGS_CONNECTED;
 1726 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1727                                 so = SCTP_INP_SO(stcb->sctp_ep);
 1728                                 atomic_add_int(&stcb->asoc.refcnt, 1);
 1729                                 SCTP_TCB_UNLOCK(stcb);
 1730                                 SCTP_SOCKET_LOCK(so, 1);
 1731                                 SCTP_TCB_LOCK(stcb);
 1732                                 atomic_add_int(&stcb->asoc.refcnt, -1);
 1733                                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
 1734                                         SCTP_SOCKET_UNLOCK(so, 1);
 1735                                         return (NULL);
 1736                                 }
 1737 #endif
 1738                                 soisconnected(stcb->sctp_socket);
 1739 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1740                                 SCTP_SOCKET_UNLOCK(so, 1);
 1741 #endif
 1742                         }
 1743                         if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
 1744                                 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
 1745                         else
 1746                                 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
 1747                         SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 1748                 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
 1749                         SCTP_STAT_INCR_COUNTER32(sctps_restartestab);
 1750                 } else {
 1751                         SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
 1752                 }
 1753                 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 1754                 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 1755                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 1756                             stcb->sctp_ep, stcb, asoc->primary_destination);
 1757                 }
 1758                 sctp_stop_all_cookie_timers(stcb);
 1759                 sctp_toss_old_cookies(stcb, asoc);
 1760                 sctp_send_cookie_ack(stcb);
 1761                 if (spec_flag) {
 1762                         /*
 1763                          * only if we have retrans set do we do this. What
 1764                          * this call does is get only the COOKIE-ACK out and
 1765                          * then when we return the normal call to
 1766                          * sctp_chunk_output will get the retrans out behind
 1767                          * this.
 1768                          */
 1769                         sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED);
 1770                 }
 1771                 if (how_indx < sizeof(asoc->cookie_how))
 1772                         asoc->cookie_how[how_indx] = 11;
 1773 
 1774                 return (stcb);
 1775         }
 1776         if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
 1777             ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
 1778             cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
 1779             cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
 1780             cookie->tie_tag_peer_vtag != 0) {
 1781                 struct sctpasochead *head;
 1782 
 1783                 if (asoc->peer_supports_nat) {
 1784                         /*
 1785                          * This is a gross gross hack. just call the
 1786                          * cookie_new code since we are allowing a duplicate
 1787                          * association. I hope this works...
 1788                          */
 1789                         return (sctp_process_cookie_new(m, iphlen, offset, sh, cookie, cookie_len,
 1790                             inp, netp, init_src, notification,
 1791                             auth_skipped, auth_offset, auth_len,
 1792                             vrf_id, port));
 1793                 }
 1794                 /*
 1795                  * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
 1796                  */
 1797                 /* temp code */
 1798                 if (how_indx < sizeof(asoc->cookie_how))
 1799                         asoc->cookie_how[how_indx] = 12;
 1800                 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15);
 1801                 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
 1802 
 1803                 *sac_assoc_id = sctp_get_associd(stcb);
 1804                 /* notify upper layer */
 1805                 *notification = SCTP_NOTIFY_ASSOC_RESTART;
 1806                 atomic_add_int(&stcb->asoc.refcnt, 1);
 1807                 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) &&
 1808                     (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
 1809                     (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
 1810                         SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 1811                 }
 1812                 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
 1813                         SCTP_STAT_INCR_GAUGE32(sctps_restartestab);
 1814                 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) {
 1815                         SCTP_STAT_INCR_GAUGE32(sctps_collisionestab);
 1816                 }
 1817                 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 1818                         SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 1819                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 1820                             stcb->sctp_ep, stcb, asoc->primary_destination);
 1821 
 1822                 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
 1823                         /* move to OPEN state, if not in SHUTDOWN_SENT */
 1824                         SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 1825                 }
 1826                 asoc->pre_open_streams =
 1827                     ntohs(initack_cp->init.num_outbound_streams);
 1828                 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
 1829                 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
 1830                 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
 1831 
 1832                 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
 1833                 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
 1834 
 1835                 asoc->str_reset_seq_in = asoc->init_seq_number;
 1836 
 1837                 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
 1838                 if (asoc->mapping_array) {
 1839                         memset(asoc->mapping_array, 0,
 1840                             asoc->mapping_array_size);
 1841                 }
 1842                 /* EY 05/13/08 - nr_sack version of the above if statement */
 1843                 if (asoc->nr_mapping_array && SCTP_BASE_SYSCTL(sctp_nr_sack_on_off)
 1844                     && asoc->peer_supports_nr_sack) {
 1845                         memset(asoc->nr_mapping_array, 0,
 1846                             asoc->nr_mapping_array_size);
 1847                 }
 1848                 SCTP_TCB_UNLOCK(stcb);
 1849                 SCTP_INP_INFO_WLOCK();
 1850                 SCTP_INP_WLOCK(stcb->sctp_ep);
 1851                 SCTP_TCB_LOCK(stcb);
 1852                 atomic_add_int(&stcb->asoc.refcnt, -1);
 1853                 /* send up all the data */
 1854                 SCTP_TCB_SEND_LOCK(stcb);
 1855 
 1856                 sctp_report_all_outbound(stcb, 1, SCTP_SO_NOT_LOCKED);
 1857                 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
 1858                         stcb->asoc.strmout[i].stream_no = i;
 1859                         stcb->asoc.strmout[i].next_sequence_sent = 0;
 1860                         stcb->asoc.strmout[i].last_msg_incomplete = 0;
 1861                 }
 1862                 /* process the INIT-ACK info (my info) */
 1863                 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
 1864                 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
 1865 
 1866                 /* pull from vtag hash */
 1867                 LIST_REMOVE(stcb, sctp_asocs);
 1868                 /* re-insert to new vtag position */
 1869                 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag,
 1870                     SCTP_BASE_INFO(hashasocmark))];
 1871                 /*
 1872                  * put it in the bucket in the vtag hash of assoc's for the
 1873                  * system
 1874                  */
 1875                 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
 1876 
 1877                 /* process the INIT info (peer's info) */
 1878                 SCTP_TCB_SEND_UNLOCK(stcb);
 1879                 SCTP_INP_WUNLOCK(stcb->sctp_ep);
 1880                 SCTP_INP_INFO_WUNLOCK();
 1881 
 1882                 retval = sctp_process_init(init_cp, stcb, net);
 1883                 if (retval < 0) {
 1884                         if (how_indx < sizeof(asoc->cookie_how))
 1885                                 asoc->cookie_how[how_indx] = 13;
 1886 
 1887                         return (NULL);
 1888                 }
 1889                 /*
 1890                  * since we did not send a HB make sure we don't double
 1891                  * things
 1892                  */
 1893                 net->hb_responded = 1;
 1894 
 1895                 if (sctp_load_addresses_from_init(stcb, m, iphlen,
 1896                     init_offset + sizeof(struct sctp_init_chunk),
 1897                     initack_offset, sh, init_src)) {
 1898                         if (how_indx < sizeof(asoc->cookie_how))
 1899                                 asoc->cookie_how[how_indx] = 14;
 1900 
 1901                         return (NULL);
 1902                 }
 1903                 /* respond with a COOKIE-ACK */
 1904                 sctp_stop_all_cookie_timers(stcb);
 1905                 sctp_toss_old_cookies(stcb, asoc);
 1906                 sctp_send_cookie_ack(stcb);
 1907                 if (how_indx < sizeof(asoc->cookie_how))
 1908                         asoc->cookie_how[how_indx] = 15;
 1909 
 1910                 return (stcb);
 1911         }
 1912         if (how_indx < sizeof(asoc->cookie_how))
 1913                 asoc->cookie_how[how_indx] = 16;
 1914         /* all other cases... */
 1915         return (NULL);
 1916 }
 1917 
 1918 
 1919 /*
 1920  * handle a state cookie for a new association m: input packet mbuf chain--
 1921  * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf
 1922  * and the cookie signature does not exist offset: offset into mbuf to the
 1923  * cookie-echo chunk length: length of the cookie chunk to: where the init
 1924  * was from returns a new TCB
 1925  */
 1926 struct sctp_tcb *
 1927 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
 1928     struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
 1929     struct sctp_inpcb *inp, struct sctp_nets **netp,
 1930     struct sockaddr *init_src, int *notification,
 1931     int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
 1932     uint32_t vrf_id, uint16_t port)
 1933 {
 1934         struct sctp_tcb *stcb;
 1935         struct sctp_init_chunk *init_cp, init_buf;
 1936         struct sctp_init_ack_chunk *initack_cp, initack_buf;
 1937         struct sockaddr_storage sa_store;
 1938         struct sockaddr *initack_src = (struct sockaddr *)&sa_store;
 1939         struct sockaddr_in *sin;
 1940         struct sockaddr_in6 *sin6;
 1941         struct sctp_association *asoc;
 1942         int chk_length;
 1943         int init_offset, initack_offset, initack_limit;
 1944         int retval;
 1945         int error = 0;
 1946         uint32_t old_tag;
 1947         uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
 1948 
 1949 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1950         struct socket *so;
 1951 
 1952         so = SCTP_INP_SO(inp);
 1953 #endif
 1954 
 1955         /*
 1956          * find and validate the INIT chunk in the cookie (peer's info) the
 1957          * INIT should start after the cookie-echo header struct (chunk
 1958          * header, state cookie header struct)
 1959          */
 1960         init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
 1961         init_cp = (struct sctp_init_chunk *)
 1962             sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
 1963             (uint8_t *) & init_buf);
 1964         if (init_cp == NULL) {
 1965                 /* could not pull a INIT chunk in cookie */
 1966                 SCTPDBG(SCTP_DEBUG_INPUT1,
 1967                     "process_cookie_new: could not pull INIT chunk hdr\n");
 1968                 return (NULL);
 1969         }
 1970         chk_length = ntohs(init_cp->ch.chunk_length);
 1971         if (init_cp->ch.chunk_type != SCTP_INITIATION) {
 1972                 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n");
 1973                 return (NULL);
 1974         }
 1975         initack_offset = init_offset + SCTP_SIZE32(chk_length);
 1976         /*
 1977          * find and validate the INIT-ACK chunk in the cookie (my info) the
 1978          * INIT-ACK follows the INIT chunk
 1979          */
 1980         initack_cp = (struct sctp_init_ack_chunk *)
 1981             sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
 1982             (uint8_t *) & initack_buf);
 1983         if (initack_cp == NULL) {
 1984                 /* could not pull INIT-ACK chunk in cookie */
 1985                 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n");
 1986                 return (NULL);
 1987         }
 1988         chk_length = ntohs(initack_cp->ch.chunk_length);
 1989         if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
 1990                 return (NULL);
 1991         }
 1992         /*
 1993          * NOTE: We can't use the INIT_ACK's chk_length to determine the
 1994          * "initack_limit" value.  This is because the chk_length field
 1995          * includes the length of the cookie, but the cookie is omitted when
 1996          * the INIT and INIT_ACK are tacked onto the cookie...
 1997          */
 1998         initack_limit = offset + cookie_len;
 1999 
 2000         /*
 2001          * now that we know the INIT/INIT-ACK are in place, create a new TCB
 2002          * and popluate
 2003          */
 2004 
 2005         /*
 2006          * Here we do a trick, we set in NULL for the proc/thread argument.
 2007          * We do this since in effect we only use the p argument when the
 2008          * socket is unbound and we must do an implicit bind. Since we are
 2009          * getting a cookie, we cannot be unbound.
 2010          */
 2011         stcb = sctp_aloc_assoc(inp, init_src, 0, &error,
 2012             ntohl(initack_cp->init.initiate_tag), vrf_id,
 2013             (struct thread *)NULL
 2014             );
 2015         if (stcb == NULL) {
 2016                 struct mbuf *op_err;
 2017 
 2018                 /* memory problem? */
 2019                 SCTPDBG(SCTP_DEBUG_INPUT1,
 2020                     "process_cookie_new: no room for another TCB!\n");
 2021                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
 2022 
 2023                 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
 2024                     sh, op_err, vrf_id, port);
 2025                 return (NULL);
 2026         }
 2027         /* get the correct sctp_nets */
 2028         if (netp)
 2029                 *netp = sctp_findnet(stcb, init_src);
 2030 
 2031         asoc = &stcb->asoc;
 2032         /* get scope variables out of cookie */
 2033         asoc->ipv4_local_scope = cookie->ipv4_scope;
 2034         asoc->site_scope = cookie->site_scope;
 2035         asoc->local_scope = cookie->local_scope;
 2036         asoc->loopback_scope = cookie->loopback_scope;
 2037 
 2038         if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) ||
 2039             (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) {
 2040                 struct mbuf *op_err;
 2041 
 2042                 /*
 2043                  * Houston we have a problem. The EP changed while the
 2044                  * cookie was in flight. Only recourse is to abort the
 2045                  * association.
 2046                  */
 2047                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2048                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
 2049                 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
 2050                     sh, op_err, vrf_id, port);
 2051 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2052                 SCTP_TCB_UNLOCK(stcb);
 2053                 SCTP_SOCKET_LOCK(so, 1);
 2054                 SCTP_TCB_LOCK(stcb);
 2055 #endif
 2056                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
 2057                     SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
 2058 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2059                 SCTP_SOCKET_UNLOCK(so, 1);
 2060 #endif
 2061                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2062                 return (NULL);
 2063         }
 2064         /* process the INIT-ACK info (my info) */
 2065         old_tag = asoc->my_vtag;
 2066         asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
 2067         asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
 2068         asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
 2069         asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
 2070         asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
 2071         asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
 2072         asoc->last_cwr_tsn = asoc->init_seq_number - 1;
 2073         asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
 2074         asoc->str_reset_seq_in = asoc->init_seq_number;
 2075 
 2076         asoc->advanced_peer_ack_point = asoc->last_acked_seq;
 2077 
 2078         /* process the INIT info (peer's info) */
 2079         if (netp)
 2080                 retval = sctp_process_init(init_cp, stcb, *netp);
 2081         else
 2082                 retval = 0;
 2083         if (retval < 0) {
 2084                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2085 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2086                 SCTP_TCB_UNLOCK(stcb);
 2087                 SCTP_SOCKET_LOCK(so, 1);
 2088                 SCTP_TCB_LOCK(stcb);
 2089 #endif
 2090                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
 2091 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2092                 SCTP_SOCKET_UNLOCK(so, 1);
 2093 #endif
 2094                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2095                 return (NULL);
 2096         }
 2097         /* load all addresses */
 2098         if (sctp_load_addresses_from_init(stcb, m, iphlen,
 2099             init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh,
 2100             init_src)) {
 2101                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2102 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2103                 SCTP_TCB_UNLOCK(stcb);
 2104                 SCTP_SOCKET_LOCK(so, 1);
 2105                 SCTP_TCB_LOCK(stcb);
 2106 #endif
 2107                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
 2108 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2109                 SCTP_SOCKET_UNLOCK(so, 1);
 2110 #endif
 2111                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2112                 return (NULL);
 2113         }
 2114         /*
 2115          * verify any preceding AUTH chunk that was skipped
 2116          */
 2117         /* pull the local authentication parameters from the cookie/init-ack */
 2118         sctp_auth_get_cookie_params(stcb, m,
 2119             initack_offset + sizeof(struct sctp_init_ack_chunk),
 2120             initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)));
 2121         if (auth_skipped) {
 2122                 struct sctp_auth_chunk *auth;
 2123 
 2124                 auth = (struct sctp_auth_chunk *)
 2125                     sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
 2126                 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
 2127                         /* auth HMAC failed, dump the assoc and packet */
 2128                         SCTPDBG(SCTP_DEBUG_AUTH1,
 2129                             "COOKIE-ECHO: AUTH failed\n");
 2130                         atomic_add_int(&stcb->asoc.refcnt, 1);
 2131 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2132                         SCTP_TCB_UNLOCK(stcb);
 2133                         SCTP_SOCKET_LOCK(so, 1);
 2134                         SCTP_TCB_LOCK(stcb);
 2135 #endif
 2136                         (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18);
 2137 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2138                         SCTP_SOCKET_UNLOCK(so, 1);
 2139 #endif
 2140                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2141                         return (NULL);
 2142                 } else {
 2143                         /* remaining chunks checked... good to go */
 2144                         stcb->asoc.authenticated = 1;
 2145                 }
 2146         }
 2147         /* update current state */
 2148         SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
 2149         SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 2150         if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 2151                 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 2152                     stcb->sctp_ep, stcb, asoc->primary_destination);
 2153         }
 2154         sctp_stop_all_cookie_timers(stcb);
 2155         SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
 2156         SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 2157 
 2158         /*
 2159          * if we're doing ASCONFs, check to see if we have any new local
 2160          * addresses that need to get added to the peer (eg. addresses
 2161          * changed while cookie echo in flight).  This needs to be done
 2162          * after we go to the OPEN state to do the correct asconf
 2163          * processing. else, make sure we have the correct addresses in our
 2164          * lists
 2165          */
 2166 
 2167         /* warning, we re-use sin, sin6, sa_store here! */
 2168         /* pull in local_address (our "from" address) */
 2169         if (cookie->laddr_type == SCTP_IPV4_ADDRESS) {
 2170                 /* source addr is IPv4 */
 2171                 sin = (struct sockaddr_in *)initack_src;
 2172                 memset(sin, 0, sizeof(*sin));
 2173                 sin->sin_family = AF_INET;
 2174                 sin->sin_len = sizeof(struct sockaddr_in);
 2175                 sin->sin_addr.s_addr = cookie->laddress[0];
 2176         } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) {
 2177                 /* source addr is IPv6 */
 2178                 sin6 = (struct sockaddr_in6 *)initack_src;
 2179                 memset(sin6, 0, sizeof(*sin6));
 2180                 sin6->sin6_family = AF_INET6;
 2181                 sin6->sin6_len = sizeof(struct sockaddr_in6);
 2182                 sin6->sin6_scope_id = cookie->scope_id;
 2183                 memcpy(&sin6->sin6_addr, cookie->laddress,
 2184                     sizeof(sin6->sin6_addr));
 2185         } else {
 2186                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2187 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2188                 SCTP_TCB_UNLOCK(stcb);
 2189                 SCTP_SOCKET_LOCK(so, 1);
 2190                 SCTP_TCB_LOCK(stcb);
 2191 #endif
 2192                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19);
 2193 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2194                 SCTP_SOCKET_UNLOCK(so, 1);
 2195 #endif
 2196                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2197                 return (NULL);
 2198         }
 2199 
 2200         /* set up to notify upper layer */
 2201         *notification = SCTP_NOTIFY_ASSOC_UP;
 2202         if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
 2203             (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
 2204             (inp->sctp_socket->so_qlimit == 0)) {
 2205                 /*
 2206                  * This is an endpoint that called connect() how it got a
 2207                  * cookie that is NEW is a bit of a mystery. It must be that
 2208                  * the INIT was sent, but before it got there.. a complete
 2209                  * INIT/INIT-ACK/COOKIE arrived. But of course then it
 2210                  * should have went to the other code.. not here.. oh well..
 2211                  * a bit of protection is worth having..
 2212                  */
 2213                 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
 2214 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2215                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2216                 SCTP_TCB_UNLOCK(stcb);
 2217                 SCTP_SOCKET_LOCK(so, 1);
 2218                 SCTP_TCB_LOCK(stcb);
 2219                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2220                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
 2221                         SCTP_SOCKET_UNLOCK(so, 1);
 2222                         return (NULL);
 2223                 }
 2224 #endif
 2225                 soisconnected(stcb->sctp_socket);
 2226 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2227                 SCTP_SOCKET_UNLOCK(so, 1);
 2228 #endif
 2229         } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
 2230             (inp->sctp_socket->so_qlimit)) {
 2231                 /*
 2232                  * We don't want to do anything with this one. Since it is
 2233                  * the listening guy. The timer will get started for
 2234                  * accepted connections in the caller.
 2235                  */
 2236                 ;
 2237         }
 2238         /* since we did not send a HB make sure we don't double things */
 2239         if ((netp) && (*netp))
 2240                 (*netp)->hb_responded = 1;
 2241 
 2242         if (stcb->asoc.sctp_autoclose_ticks &&
 2243             sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
 2244                 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
 2245         }
 2246         /* calculate the RTT */
 2247         (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
 2248         if ((netp) && (*netp)) {
 2249                 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
 2250                     &cookie->time_entered, sctp_align_unsafe_makecopy);
 2251         }
 2252         /* respond with a COOKIE-ACK */
 2253         sctp_send_cookie_ack(stcb);
 2254 
 2255         /*
 2256          * check the address lists for any ASCONFs that need to be sent
 2257          * AFTER the cookie-ack is sent
 2258          */
 2259         sctp_check_address_list(stcb, m,
 2260             initack_offset + sizeof(struct sctp_init_ack_chunk),
 2261             initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)),
 2262             initack_src, cookie->local_scope, cookie->site_scope,
 2263             cookie->ipv4_scope, cookie->loopback_scope);
 2264 
 2265 
 2266         return (stcb);
 2267 }
 2268 
 2269 /*
 2270  * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e
 2271  * we NEED to make sure we are not already using the vtag. If so we
 2272  * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit!
 2273         head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag,
 2274                                                             SCTP_BASE_INFO(hashasocmark))];
 2275         LIST_FOREACH(stcb, head, sctp_asocs) {
 2276                 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep))  {
 2277                        -- SEND ABORT - TRY AGAIN --
 2278                 }
 2279         }
 2280 */
 2281 
 2282 /*
 2283  * handles a COOKIE-ECHO message stcb: modified to either a new or left as
 2284  * existing (non-NULL) TCB
 2285  */
 2286 static struct mbuf *
 2287 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
 2288     struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
 2289     struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp,
 2290     int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
 2291     struct sctp_tcb **locked_tcb, uint32_t vrf_id, uint16_t port)
 2292 {
 2293         struct sctp_state_cookie *cookie;
 2294         struct sockaddr_in6 sin6;
 2295         struct sockaddr_in sin;
 2296         struct sctp_tcb *l_stcb = *stcb;
 2297         struct sctp_inpcb *l_inp;
 2298         struct sockaddr *to;
 2299         sctp_assoc_t sac_restart_id;
 2300         struct sctp_pcb *ep;
 2301         struct mbuf *m_sig;
 2302         uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
 2303         uint8_t *sig;
 2304         uint8_t cookie_ok = 0;
 2305         unsigned int size_of_pkt, sig_offset, cookie_offset;
 2306         unsigned int cookie_len;
 2307         struct timeval now;
 2308         struct timeval time_expires;
 2309         struct sockaddr_storage dest_store;
 2310         struct sockaddr *localep_sa = (struct sockaddr *)&dest_store;
 2311         struct ip *iph;
 2312         int notification = 0;
 2313         struct sctp_nets *netl;
 2314         int had_a_existing_tcb = 0;
 2315 
 2316         SCTPDBG(SCTP_DEBUG_INPUT2,
 2317             "sctp_handle_cookie: handling COOKIE-ECHO\n");
 2318 
 2319         if (inp_p == NULL) {
 2320                 return (NULL);
 2321         }
 2322         /* First get the destination address setup too. */
 2323         iph = mtod(m, struct ip *);
 2324         switch (iph->ip_v) {
 2325         case IPVERSION:
 2326                 {
 2327                         /* its IPv4 */
 2328                         struct sockaddr_in *lsin;
 2329 
 2330                         lsin = (struct sockaddr_in *)(localep_sa);
 2331                         memset(lsin, 0, sizeof(*lsin));
 2332                         lsin->sin_family = AF_INET;
 2333                         lsin->sin_len = sizeof(*lsin);
 2334                         lsin->sin_port = sh->dest_port;
 2335                         lsin->sin_addr.s_addr = iph->ip_dst.s_addr;
 2336                         size_of_pkt = SCTP_GET_IPV4_LENGTH(iph);
 2337                         break;
 2338                 }
 2339 #ifdef INET6
 2340         case IPV6_VERSION >> 4:
 2341                 {
 2342                         /* its IPv6 */
 2343                         struct ip6_hdr *ip6;
 2344                         struct sockaddr_in6 *lsin6;
 2345 
 2346                         lsin6 = (struct sockaddr_in6 *)(localep_sa);
 2347                         memset(lsin6, 0, sizeof(*lsin6));
 2348                         lsin6->sin6_family = AF_INET6;
 2349                         lsin6->sin6_len = sizeof(struct sockaddr_in6);
 2350                         ip6 = mtod(m, struct ip6_hdr *);
 2351                         lsin6->sin6_port = sh->dest_port;
 2352                         lsin6->sin6_addr = ip6->ip6_dst;
 2353                         size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen;
 2354                         break;
 2355                 }
 2356 #endif
 2357         default:
 2358                 return (NULL);
 2359         }
 2360 
 2361         cookie = &cp->cookie;
 2362         cookie_offset = offset + sizeof(struct sctp_chunkhdr);
 2363         cookie_len = ntohs(cp->ch.chunk_length);
 2364 
 2365         if ((cookie->peerport != sh->src_port) &&
 2366             (cookie->myport != sh->dest_port) &&
 2367             (cookie->my_vtag != sh->v_tag)) {
 2368                 /*
 2369                  * invalid ports or bad tag.  Note that we always leave the
 2370                  * v_tag in the header in network order and when we stored
 2371                  * it in the my_vtag slot we also left it in network order.
 2372                  * This maintains the match even though it may be in the
 2373                  * opposite byte order of the machine :->
 2374                  */
 2375                 return (NULL);
 2376         }
 2377         if (cookie_len > size_of_pkt ||
 2378             cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
 2379             sizeof(struct sctp_init_chunk) +
 2380             sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
 2381                 /* cookie too long!  or too small */
 2382                 return (NULL);
 2383         }
 2384         /*
 2385          * split off the signature into its own mbuf (since it should not be
 2386          * calculated in the sctp_hmac_m() call).
 2387          */
 2388         sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
 2389         if (sig_offset > size_of_pkt) {
 2390                 /* packet not correct size! */
 2391                 /* XXX this may already be accounted for earlier... */
 2392                 return (NULL);
 2393         }
 2394         m_sig = m_split(m, sig_offset, M_DONTWAIT);
 2395         if (m_sig == NULL) {
 2396                 /* out of memory or ?? */
 2397                 return (NULL);
 2398         }
 2399 #ifdef SCTP_MBUF_LOGGING
 2400         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
 2401                 struct mbuf *mat;
 2402 
 2403                 mat = m_sig;
 2404                 while (mat) {
 2405                         if (SCTP_BUF_IS_EXTENDED(mat)) {
 2406                                 sctp_log_mb(mat, SCTP_MBUF_SPLIT);
 2407                         }
 2408                         mat = SCTP_BUF_NEXT(mat);
 2409                 }
 2410         }
 2411 #endif
 2412 
 2413         /*
 2414          * compute the signature/digest for the cookie
 2415          */
 2416         ep = &(*inp_p)->sctp_ep;
 2417         l_inp = *inp_p;
 2418         if (l_stcb) {
 2419                 SCTP_TCB_UNLOCK(l_stcb);
 2420         }
 2421         SCTP_INP_RLOCK(l_inp);
 2422         if (l_stcb) {
 2423                 SCTP_TCB_LOCK(l_stcb);
 2424         }
 2425         /* which cookie is it? */
 2426         if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
 2427             (ep->current_secret_number != ep->last_secret_number)) {
 2428                 /* it's the old cookie */
 2429                 (void)sctp_hmac_m(SCTP_HMAC,
 2430                     (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
 2431                     SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
 2432         } else {
 2433                 /* it's the current cookie */
 2434                 (void)sctp_hmac_m(SCTP_HMAC,
 2435                     (uint8_t *) ep->secret_key[(int)ep->current_secret_number],
 2436                     SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
 2437         }
 2438         /* get the signature */
 2439         SCTP_INP_RUNLOCK(l_inp);
 2440         sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig);
 2441         if (sig == NULL) {
 2442                 /* couldn't find signature */
 2443                 sctp_m_freem(m_sig);
 2444                 return (NULL);
 2445         }
 2446         /* compare the received digest with the computed digest */
 2447         if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
 2448                 /* try the old cookie? */
 2449                 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
 2450                     (ep->current_secret_number != ep->last_secret_number)) {
 2451                         /* compute digest with old */
 2452                         (void)sctp_hmac_m(SCTP_HMAC,
 2453                             (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
 2454                             SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
 2455                         /* compare */
 2456                         if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
 2457                                 cookie_ok = 1;
 2458                 }
 2459         } else {
 2460                 cookie_ok = 1;
 2461         }
 2462 
 2463         /*
 2464          * Now before we continue we must reconstruct our mbuf so that
 2465          * normal processing of any other chunks will work.
 2466          */
 2467         {
 2468                 struct mbuf *m_at;
 2469 
 2470                 m_at = m;
 2471                 while (SCTP_BUF_NEXT(m_at) != NULL) {
 2472                         m_at = SCTP_BUF_NEXT(m_at);
 2473                 }
 2474                 SCTP_BUF_NEXT(m_at) = m_sig;
 2475         }
 2476 
 2477         if (cookie_ok == 0) {
 2478                 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n");
 2479                 SCTPDBG(SCTP_DEBUG_INPUT2,
 2480                     "offset = %u, cookie_offset = %u, sig_offset = %u\n",
 2481                     (uint32_t) offset, cookie_offset, sig_offset);
 2482                 return (NULL);
 2483         }
 2484         /*
 2485          * check the cookie timestamps to be sure it's not stale
 2486          */
 2487         (void)SCTP_GETTIME_TIMEVAL(&now);
 2488         /* Expire time is in Ticks, so we convert to seconds */
 2489         time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life);
 2490         time_expires.tv_usec = cookie->time_entered.tv_usec;
 2491         /*
 2492          * TODO sctp_constants.h needs alternative time macros when _KERNEL
 2493          * is undefined.
 2494          */
 2495         if (timevalcmp(&now, &time_expires, >)) {
 2496                 /* cookie is stale! */
 2497                 struct mbuf *op_err;
 2498                 struct sctp_stale_cookie_msg *scm;
 2499                 uint32_t tim;
 2500 
 2501                 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg),
 2502                     0, M_DONTWAIT, 1, MT_DATA);
 2503                 if (op_err == NULL) {
 2504                         /* FOOBAR */
 2505                         return (NULL);
 2506                 }
 2507                 /* pre-reserve some space */
 2508 #ifdef INET6
 2509                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
 2510 #else
 2511                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
 2512 #endif
 2513                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
 2514                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
 2515 
 2516                 /* Set the len */
 2517                 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg);
 2518                 scm = mtod(op_err, struct sctp_stale_cookie_msg *);
 2519                 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE);
 2520                 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) +
 2521                     (sizeof(uint32_t))));
 2522                 /* seconds to usec */
 2523                 tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
 2524                 /* add in usec */
 2525                 if (tim == 0)
 2526                         tim = now.tv_usec - cookie->time_entered.tv_usec;
 2527                 scm->time_usec = htonl(tim);
 2528                 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag,
 2529                     vrf_id, port);
 2530                 return (NULL);
 2531         }
 2532         /*
 2533          * Now we must see with the lookup address if we have an existing
 2534          * asoc. This will only happen if we were in the COOKIE-WAIT state
 2535          * and a INIT collided with us and somewhere the peer sent the
 2536          * cookie on another address besides the single address our assoc
 2537          * had for him. In this case we will have one of the tie-tags set at
 2538          * least AND the address field in the cookie can be used to look it
 2539          * up.
 2540          */
 2541         to = NULL;
 2542         if (cookie->addr_type == SCTP_IPV6_ADDRESS) {
 2543                 memset(&sin6, 0, sizeof(sin6));
 2544                 sin6.sin6_family = AF_INET6;
 2545                 sin6.sin6_len = sizeof(sin6);
 2546                 sin6.sin6_port = sh->src_port;
 2547                 sin6.sin6_scope_id = cookie->scope_id;
 2548                 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
 2549                     sizeof(sin6.sin6_addr.s6_addr));
 2550                 to = (struct sockaddr *)&sin6;
 2551         } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) {
 2552                 memset(&sin, 0, sizeof(sin));
 2553                 sin.sin_family = AF_INET;
 2554                 sin.sin_len = sizeof(sin);
 2555                 sin.sin_port = sh->src_port;
 2556                 sin.sin_addr.s_addr = cookie->address[0];
 2557                 to = (struct sockaddr *)&sin;
 2558         } else {
 2559                 /* This should not happen */
 2560                 return (NULL);
 2561         }
 2562         if ((*stcb == NULL) && to) {
 2563                 /* Yep, lets check */
 2564                 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL);
 2565                 if (*stcb == NULL) {
 2566                         /*
 2567                          * We should have only got back the same inp. If we
 2568                          * got back a different ep we have a problem. The
 2569                          * original findep got back l_inp and now
 2570                          */
 2571                         if (l_inp != *inp_p) {
 2572                                 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n");
 2573                         }
 2574                 } else {
 2575                         if (*locked_tcb == NULL) {
 2576                                 /*
 2577                                  * In this case we found the assoc only
 2578                                  * after we locked the create lock. This
 2579                                  * means we are in a colliding case and we
 2580                                  * must make sure that we unlock the tcb if
 2581                                  * its one of the cases where we throw away
 2582                                  * the incoming packets.
 2583                                  */
 2584                                 *locked_tcb = *stcb;
 2585 
 2586                                 /*
 2587                                  * We must also increment the inp ref count
 2588                                  * since the ref_count flags was set when we
 2589                                  * did not find the TCB, now we found it
 2590                                  * which reduces the refcount.. we must
 2591                                  * raise it back out to balance it all :-)
 2592                                  */
 2593                                 SCTP_INP_INCR_REF((*stcb)->sctp_ep);
 2594                                 if ((*stcb)->sctp_ep != l_inp) {
 2595                                         SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n",
 2596                                             (*stcb)->sctp_ep, l_inp);
 2597                                 }
 2598                         }
 2599                 }
 2600         }
 2601         if (to == NULL)
 2602                 return (NULL);
 2603 
 2604         cookie_len -= SCTP_SIGNATURE_SIZE;
 2605         if (*stcb == NULL) {
 2606                 /* this is the "normal" case... get a new TCB */
 2607                 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie,
 2608                     cookie_len, *inp_p, netp, to, &notification,
 2609                     auth_skipped, auth_offset, auth_len, vrf_id, port);
 2610         } else {
 2611                 /* this is abnormal... cookie-echo on existing TCB */
 2612                 had_a_existing_tcb = 1;
 2613                 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh,
 2614                     cookie, cookie_len, *inp_p, *stcb, netp, to,
 2615                     &notification, &sac_restart_id, vrf_id, auth_skipped, auth_offset, auth_len, port);
 2616         }
 2617 
 2618         if (*stcb == NULL) {
 2619                 /* still no TCB... must be bad cookie-echo */
 2620                 return (NULL);
 2621         }
 2622         /*
 2623          * Ok, we built an association so confirm the address we sent the
 2624          * INIT-ACK to.
 2625          */
 2626         netl = sctp_findnet(*stcb, to);
 2627         /*
 2628          * This code should in theory NOT run but
 2629          */
 2630         if (netl == NULL) {
 2631                 /* TSNH! Huh, why do I need to add this address here? */
 2632                 int ret;
 2633 
 2634                 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE,
 2635                     SCTP_IN_COOKIE_PROC);
 2636                 netl = sctp_findnet(*stcb, to);
 2637         }
 2638         if (netl) {
 2639                 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
 2640                         netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
 2641                         (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
 2642                             netl);
 2643                         sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
 2644                             (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
 2645                 }
 2646         }
 2647         if (*stcb) {
 2648                 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p,
 2649                     *stcb, NULL);
 2650         }
 2651         if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
 2652                 if (!had_a_existing_tcb ||
 2653                     (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
 2654                         /*
 2655                          * If we have a NEW cookie or the connect never
 2656                          * reached the connected state during collision we
 2657                          * must do the TCP accept thing.
 2658                          */
 2659                         struct socket *so, *oso;
 2660                         struct sctp_inpcb *inp;
 2661 
 2662                         if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
 2663                                 /*
 2664                                  * For a restart we will keep the same
 2665                                  * socket, no need to do anything. I THINK!!
 2666                                  */
 2667                                 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id, SCTP_SO_NOT_LOCKED);
 2668                                 return (m);
 2669                         }
 2670                         oso = (*inp_p)->sctp_socket;
 2671                         atomic_add_int(&(*stcb)->asoc.refcnt, 1);
 2672                         SCTP_TCB_UNLOCK((*stcb));
 2673                         so = sonewconn(oso, 0
 2674                             );
 2675                         SCTP_TCB_LOCK((*stcb));
 2676                         atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
 2677 
 2678                         if (so == NULL) {
 2679                                 struct mbuf *op_err;
 2680 
 2681 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2682                                 struct socket *pcb_so;
 2683 
 2684 #endif
 2685                                 /* Too many sockets */
 2686                                 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n");
 2687                                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
 2688                                 sctp_abort_association(*inp_p, NULL, m, iphlen,
 2689                                     sh, op_err, vrf_id, port);
 2690 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2691                                 pcb_so = SCTP_INP_SO(*inp_p);
 2692                                 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
 2693                                 SCTP_TCB_UNLOCK((*stcb));
 2694                                 SCTP_SOCKET_LOCK(pcb_so, 1);
 2695                                 SCTP_TCB_LOCK((*stcb));
 2696                                 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
 2697 #endif
 2698                                 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20);
 2699 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2700                                 SCTP_SOCKET_UNLOCK(pcb_so, 1);
 2701 #endif
 2702                                 return (NULL);
 2703                         }
 2704                         inp = (struct sctp_inpcb *)so->so_pcb;
 2705                         SCTP_INP_INCR_REF(inp);
 2706                         /*
 2707                          * We add the unbound flag here so that if we get an
 2708                          * soabort() before we get the move_pcb done, we
 2709                          * will properly cleanup.
 2710                          */
 2711                         inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
 2712                             SCTP_PCB_FLAGS_CONNECTED |
 2713                             SCTP_PCB_FLAGS_IN_TCPPOOL |
 2714                             SCTP_PCB_FLAGS_UNBOUND |
 2715                             (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
 2716                             SCTP_PCB_FLAGS_DONT_WAKE);
 2717                         inp->sctp_features = (*inp_p)->sctp_features;
 2718                         inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features;
 2719                         inp->sctp_socket = so;
 2720                         inp->sctp_frag_point = (*inp_p)->sctp_frag_point;
 2721                         inp->partial_delivery_point = (*inp_p)->partial_delivery_point;
 2722                         inp->sctp_context = (*inp_p)->sctp_context;
 2723                         inp->inp_starting_point_for_iterator = NULL;
 2724                         /*
 2725                          * copy in the authentication parameters from the
 2726                          * original endpoint
 2727                          */
 2728                         if (inp->sctp_ep.local_hmacs)
 2729                                 sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
 2730                         inp->sctp_ep.local_hmacs =
 2731                             sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs);
 2732                         if (inp->sctp_ep.local_auth_chunks)
 2733                                 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
 2734                         inp->sctp_ep.local_auth_chunks =
 2735                             sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks);
 2736 
 2737                         /*
 2738                          * Now we must move it from one hash table to
 2739                          * another and get the tcb in the right place.
 2740                          */
 2741                         sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
 2742 
 2743                         atomic_add_int(&(*stcb)->asoc.refcnt, 1);
 2744                         SCTP_TCB_UNLOCK((*stcb));
 2745 
 2746                         sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb,
 2747                             0);
 2748                         SCTP_TCB_LOCK((*stcb));
 2749                         atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
 2750 
 2751 
 2752                         /*
 2753                          * now we must check to see if we were aborted while
 2754                          * the move was going on and the lock/unlock
 2755                          * happened.
 2756                          */
 2757                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 2758                                 /*
 2759                                  * yep it was, we leave the assoc attached
 2760                                  * to the socket since the sctp_inpcb_free()
 2761                                  * call will send an abort for us.
 2762                                  */
 2763                                 SCTP_INP_DECR_REF(inp);
 2764                                 return (NULL);
 2765                         }
 2766                         SCTP_INP_DECR_REF(inp);
 2767                         /* Switch over to the new guy */
 2768                         *inp_p = inp;
 2769                         sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 2770 
 2771                         /*
 2772                          * Pull it from the incomplete queue and wake the
 2773                          * guy
 2774                          */
 2775 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2776                         atomic_add_int(&(*stcb)->asoc.refcnt, 1);
 2777                         SCTP_TCB_UNLOCK((*stcb));
 2778                         SCTP_SOCKET_LOCK(so, 1);
 2779 #endif
 2780                         soisconnected(so);
 2781 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2782                         SCTP_TCB_LOCK((*stcb));
 2783                         atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
 2784                         SCTP_SOCKET_UNLOCK(so, 1);
 2785 #endif
 2786                         return (m);
 2787                 }
 2788         }
 2789         if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
 2790                 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 2791         }
 2792         return (m);
 2793 }
 2794 
 2795 static void
 2796 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp,
 2797     struct sctp_tcb *stcb, struct sctp_nets *net)
 2798 {
 2799         /* cp must not be used, others call this without a c-ack :-) */
 2800         struct sctp_association *asoc;
 2801 
 2802         SCTPDBG(SCTP_DEBUG_INPUT2,
 2803             "sctp_handle_cookie_ack: handling COOKIE-ACK\n");
 2804         if (stcb == NULL)
 2805                 return;
 2806 
 2807         asoc = &stcb->asoc;
 2808 
 2809         sctp_stop_all_cookie_timers(stcb);
 2810         /* process according to association state */
 2811         if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
 2812                 /* state change only needed when I am in right state */
 2813                 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
 2814                 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 2815                 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 2816                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 2817                             stcb->sctp_ep, stcb, asoc->primary_destination);
 2818 
 2819                 }
 2820                 /* update RTO */
 2821                 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
 2822                 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 2823                 if (asoc->overall_error_count == 0) {
 2824                         net->RTO = sctp_calculate_rto(stcb, asoc, net,
 2825                             &asoc->time_entered, sctp_align_safe_nocopy);
 2826                 }
 2827                 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
 2828                 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 2829                 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
 2830                     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
 2831 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2832                         struct socket *so;
 2833 
 2834 #endif
 2835                         stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
 2836 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2837                         so = SCTP_INP_SO(stcb->sctp_ep);
 2838                         atomic_add_int(&stcb->asoc.refcnt, 1);
 2839                         SCTP_TCB_UNLOCK(stcb);
 2840                         SCTP_SOCKET_LOCK(so, 1);
 2841                         SCTP_TCB_LOCK(stcb);
 2842                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2843                         if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
 2844                                 SCTP_SOCKET_UNLOCK(so, 1);
 2845                                 return;
 2846                         }
 2847 #endif
 2848                         soisconnected(stcb->sctp_socket);
 2849 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2850                         SCTP_SOCKET_UNLOCK(so, 1);
 2851 #endif
 2852                 }
 2853                 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
 2854                     stcb, net);
 2855                 /*
 2856                  * since we did not send a HB make sure we don't double
 2857                  * things
 2858                  */
 2859                 net->hb_responded = 1;
 2860 
 2861                 if (stcb->asoc.sctp_autoclose_ticks &&
 2862                     sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
 2863                         sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
 2864                             stcb->sctp_ep, stcb, NULL);
 2865                 }
 2866                 /*
 2867                  * send ASCONF if parameters are pending and ASCONFs are
 2868                  * allowed (eg. addresses changed when init/cookie echo were
 2869                  * in flight)
 2870                  */
 2871                 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) &&
 2872                     (stcb->asoc.peer_supports_asconf) &&
 2873                     (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
 2874 #ifdef SCTP_TIMER_BASED_ASCONF
 2875                         sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
 2876                             stcb->sctp_ep, stcb,
 2877                             stcb->asoc.primary_destination);
 2878 #else
 2879                         sctp_send_asconf(stcb, stcb->asoc.primary_destination,
 2880                             SCTP_ADDR_NOT_LOCKED);
 2881 #endif
 2882                 }
 2883         }
 2884         /* Toss the cookie if I can */
 2885         sctp_toss_old_cookies(stcb, asoc);
 2886         if (!TAILQ_EMPTY(&asoc->sent_queue)) {
 2887                 /* Restart the timer if we have pending data */
 2888                 struct sctp_tmit_chunk *chk;
 2889 
 2890                 chk = TAILQ_FIRST(&asoc->sent_queue);
 2891                 if (chk) {
 2892                         sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
 2893                             stcb, chk->whoTo);
 2894                 }
 2895         }
 2896 }
 2897 
 2898 static void
 2899 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
 2900     struct sctp_tcb *stcb)
 2901 {
 2902         struct sctp_nets *net;
 2903         struct sctp_tmit_chunk *lchk;
 2904         uint32_t tsn;
 2905 
 2906         if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) {
 2907                 return;
 2908         }
 2909         SCTP_STAT_INCR(sctps_recvecne);
 2910         tsn = ntohl(cp->tsn);
 2911         /* ECN Nonce stuff: need a resync and disable the nonce sum check */
 2912         /* Also we make sure we disable the nonce_wait */
 2913         lchk = TAILQ_FIRST(&stcb->asoc.send_queue);
 2914         if (lchk == NULL) {
 2915                 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq;
 2916         } else {
 2917                 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq;
 2918         }
 2919         stcb->asoc.nonce_wait_for_ecne = 0;
 2920         stcb->asoc.nonce_sum_check = 0;
 2921 
 2922         /* Find where it was sent, if possible */
 2923         net = NULL;
 2924         lchk = TAILQ_FIRST(&stcb->asoc.sent_queue);
 2925         while (lchk) {
 2926                 if (lchk->rec.data.TSN_seq == tsn) {
 2927                         net = lchk->whoTo;
 2928                         break;
 2929                 }
 2930                 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ))
 2931                         break;
 2932                 lchk = TAILQ_NEXT(lchk, sctp_next);
 2933         }
 2934         if (net == NULL)
 2935                 /* default is we use the primary */
 2936                 net = stcb->asoc.primary_destination;
 2937 
 2938         if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) {
 2939                 /*
 2940                  * JRS - Use the congestion control given in the pluggable
 2941                  * CC module
 2942                  */
 2943                 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net);
 2944                 /*
 2945                  * we reduce once every RTT. So we will only lower cwnd at
 2946                  * the next sending seq i.e. the resync_tsn.
 2947                  */
 2948                 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn;
 2949         }
 2950         /*
 2951          * We always send a CWR this way if our previous one was lost our
 2952          * peer will get an update, or if it is not time again to reduce we
 2953          * still get the cwr to the peer.
 2954          */
 2955         sctp_send_cwr(stcb, net, tsn);
 2956 }
 2957 
 2958 static void
 2959 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb)
 2960 {
 2961         /*
 2962          * Here we get a CWR from the peer. We must look in the outqueue and
 2963          * make sure that we have a covered ECNE in teh control chunk part.
 2964          * If so remove it.
 2965          */
 2966         struct sctp_tmit_chunk *chk;
 2967         struct sctp_ecne_chunk *ecne;
 2968 
 2969         TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
 2970                 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) {
 2971                         continue;
 2972                 }
 2973                 /*
 2974                  * Look for and remove if it is the right TSN. Since there
 2975                  * is only ONE ECNE on the control queue at any one time we
 2976                  * don't need to worry about more than one!
 2977                  */
 2978                 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
 2979                 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn),
 2980                     MAX_TSN) || (cp->tsn == ecne->tsn)) {
 2981                         /* this covers this ECNE, we can remove it */
 2982                         stcb->asoc.ecn_echo_cnt_onq--;
 2983                         TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
 2984                             sctp_next);
 2985                         if (chk->data) {
 2986                                 sctp_m_freem(chk->data);
 2987                                 chk->data = NULL;
 2988                         }
 2989                         stcb->asoc.ctrl_queue_cnt--;
 2990                         sctp_free_a_chunk(stcb, chk);
 2991                         break;
 2992                 }
 2993         }
 2994 }
 2995 
 2996 static void
 2997 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp,
 2998     struct sctp_tcb *stcb, struct sctp_nets *net)
 2999 {
 3000         struct sctp_association *asoc;
 3001 
 3002 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 3003         struct socket *so;
 3004 
 3005 #endif
 3006 
 3007         SCTPDBG(SCTP_DEBUG_INPUT2,
 3008             "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
 3009         if (stcb == NULL)
 3010                 return;
 3011 
 3012         asoc = &stcb->asoc;
 3013         /* process according to association state */
 3014         if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
 3015                 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
 3016                 SCTPDBG(SCTP_DEBUG_INPUT2,
 3017                     "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n");
 3018                 SCTP_TCB_UNLOCK(stcb);
 3019                 return;
 3020         }
 3021         /* notify upper layer protocol */
 3022         if (stcb->sctp_socket) {
 3023                 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 3024                 /* are the queues empty? they should be */
 3025                 if (!TAILQ_EMPTY(&asoc->send_queue) ||
 3026                     !TAILQ_EMPTY(&asoc->sent_queue) ||
 3027                     !TAILQ_EMPTY(&asoc->out_wheel)) {
 3028                         sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED);
 3029                 }
 3030         }
 3031         /* stop the timer */
 3032         sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22);
 3033         SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
 3034         /* free the TCB */
 3035         SCTPDBG(SCTP_DEBUG_INPUT2,
 3036             "sctp_handle_shutdown_complete: calls free-asoc\n");
 3037 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 3038         so = SCTP_INP_SO(stcb->sctp_ep);
 3039         atomic_add_int(&stcb->asoc.refcnt, 1);
 3040         SCTP_TCB_UNLOCK(stcb);
 3041         SCTP_SOCKET_LOCK(so, 1);
 3042         SCTP_TCB_LOCK(stcb);
 3043         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 3044 #endif
 3045         (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23);
 3046 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 3047         SCTP_SOCKET_UNLOCK(so, 1);
 3048 #endif
 3049         return;
 3050 }
 3051 
 3052 static int
 3053 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
 3054     struct sctp_nets *net, uint8_t flg)
 3055 {
 3056         switch (desc->chunk_type) {
 3057                 case SCTP_DATA:
 3058                 /* find the tsn to resend (possibly */
 3059                 {
 3060                         uint32_t tsn;
 3061                         struct sctp_tmit_chunk *tp1;
 3062 
 3063                         tsn = ntohl(desc->tsn_ifany);
 3064                         tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
 3065                         while (tp1) {
 3066                                 if (tp1->rec.data.TSN_seq == tsn) {
 3067                                         /* found it */
 3068                                         break;
 3069                                 }
 3070                                 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn,
 3071                                     MAX_TSN)) {
 3072                                         /* not found */
 3073                                         tp1 = NULL;
 3074                                         break;
 3075                                 }
 3076                                 tp1 = TAILQ_NEXT(tp1, sctp_next);
 3077                         }
 3078                         if (tp1 == NULL) {
 3079                                 /*
 3080                                  * Do it the other way , aka without paying
 3081                                  * attention to queue seq order.
 3082                                  */
 3083                                 SCTP_STAT_INCR(sctps_pdrpdnfnd);
 3084                                 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
 3085                                 while (tp1) {
 3086                                         if (tp1->rec.data.TSN_seq == tsn) {
 3087                                                 /* found it */
 3088                                                 break;
 3089                                         }
 3090                                         tp1 = TAILQ_NEXT(tp1, sctp_next);
 3091                                 }
 3092                         }
 3093                         if (tp1 == NULL) {
 3094                                 SCTP_STAT_INCR(sctps_pdrptsnnf);
 3095                         }
 3096                         if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
 3097                                 uint8_t *ddp;
 3098 
 3099                                 if ((stcb->asoc.peers_rwnd == 0) &&
 3100                                     ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
 3101                                         SCTP_STAT_INCR(sctps_pdrpdiwnp);
 3102                                         return (0);
 3103                                 }
 3104                                 if (stcb->asoc.peers_rwnd == 0 &&
 3105                                     (flg & SCTP_FROM_MIDDLE_BOX)) {
 3106                                         SCTP_STAT_INCR(sctps_pdrpdizrw);
 3107                                         return (0);
 3108                                 }
 3109                                 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+
 3110                                     sizeof(struct sctp_data_chunk));
 3111                                 {
 3112                                         unsigned int iii;
 3113 
 3114                                         for (iii = 0; iii < sizeof(desc->data_bytes);
 3115                                             iii++) {
 3116                                                 if (ddp[iii] != desc->data_bytes[iii]) {
 3117                                                         SCTP_STAT_INCR(sctps_pdrpbadd);
 3118                                                         return (-1);
 3119                                                 }
 3120                                         }
 3121                                 }
 3122                                 /*
 3123                                  * We zero out the nonce so resync not
 3124                                  * needed
 3125                                  */
 3126                                 tp1->rec.data.ect_nonce = 0;
 3127 
 3128                                 if (tp1->do_rtt) {
 3129                                         /*
 3130                                          * this guy had a RTO calculation
 3131                                          * pending on it, cancel it
 3132                                          */
 3133                                         tp1->do_rtt = 0;
 3134                                 }
 3135                                 SCTP_STAT_INCR(sctps_pdrpmark);
 3136                                 if (tp1->sent != SCTP_DATAGRAM_RESEND)
 3137                                         sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
 3138                                 tp1->sent = SCTP_DATAGRAM_RESEND;
 3139                                 /*
 3140                                  * mark it as if we were doing a FR, since
 3141                                  * we will be getting gap ack reports behind
 3142                                  * the info from the router.
 3143                                  */
 3144                                 tp1->rec.data.doing_fast_retransmit = 1;
 3145                                 /*
 3146                                  * mark the tsn with what sequences can
 3147                                  * cause a new FR.
 3148                                  */
 3149                                 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) {
 3150                                         tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
 3151                                 } else {
 3152                                         tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
 3153                                 }
 3154 
 3155                                 /* restart the timer */
 3156                                 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
 3157                                     stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24);
 3158                                 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
 3159                                     stcb, tp1->whoTo);
 3160 
 3161                                 /* fix counts and things */
 3162                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
 3163                                         sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP,
 3164                                             tp1->whoTo->flight_size,
 3165                                             tp1->book_size,
 3166                                             (uintptr_t) stcb,
 3167                                             tp1->rec.data.TSN_seq);
 3168                                 }
 3169                                 sctp_flight_size_decrease(tp1);
 3170                                 sctp_total_flight_decrease(stcb, tp1);
 3171                         } {
 3172                                 /* audit code */
 3173                                 unsigned int audit;
 3174 
 3175                                 audit = 0;
 3176                                 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
 3177                                         if (tp1->sent == SCTP_DATAGRAM_RESEND)
 3178                                                 audit++;
 3179                                 }
 3180                                 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
 3181                                     sctp_next) {
 3182                                         if (tp1->sent == SCTP_DATAGRAM_RESEND)
 3183                                                 audit++;
 3184                                 }
 3185                                 if (audit != stcb->asoc.sent_queue_retran_cnt) {
 3186                                         SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n",
 3187                                             audit, stcb->asoc.sent_queue_retran_cnt);
 3188 #ifndef SCTP_AUDITING_ENABLED
 3189                                         stcb->asoc.sent_queue_retran_cnt = audit;
 3190 #endif
 3191                                 }
 3192                         }
 3193                 }
 3194                 break;
 3195         case SCTP_ASCONF:
 3196                 {
 3197                         struct sctp_tmit_chunk *asconf;
 3198 
 3199                         TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
 3200                             sctp_next) {
 3201                                 if (asconf->rec.chunk_id.id == SCTP_ASCONF) {
 3202                                         break;
 3203                                 }
 3204                         }
 3205                         if (asconf) {
 3206                                 if (asconf->sent != SCTP_DATAGRAM_RESEND)
 3207                                         sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
 3208                                 asconf->sent = SCTP_DATAGRAM_RESEND;
 3209                                 asconf->snd_count--;
 3210                         }
 3211                 }
 3212                 break;
 3213         case SCTP_INITIATION:
 3214                 /* resend the INIT */
 3215                 stcb->asoc.dropped_special_cnt++;
 3216                 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
 3217                         /*
 3218                          * If we can get it in, in a few attempts we do
 3219                          * this, otherwise we let the timer fire.
 3220                          */
 3221                         sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
 3222                             stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25);
 3223                         sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
 3224                 }
 3225                 break;
 3226         case SCTP_SELECTIVE_ACK:
 3227                 /* resend the sack */
 3228                 sctp_send_sack(stcb);
 3229                 break;
 3230                 /* EY for nr_sacks */
 3231         case SCTP_NR_SELECTIVE_ACK:
 3232                 sctp_send_nr_sack(stcb);        /* EY resend the nr-sack */
 3233                 break;
 3234         case SCTP_HEARTBEAT_REQUEST:
 3235                 /* resend a demand HB */
 3236                 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) {
 3237                         /*
 3238                          * Only retransmit if we KNOW we wont destroy the
 3239                          * tcb
 3240                          */
 3241                         (void)sctp_send_hb(stcb, 1, net);
 3242                 }
 3243                 break;
 3244         case SCTP_SHUTDOWN:
 3245                 sctp_send_shutdown(stcb, net);
 3246                 break;
 3247         case SCTP_SHUTDOWN_ACK:
 3248                 sctp_send_shutdown_ack(stcb, net);
 3249                 break;
 3250         case SCTP_COOKIE_ECHO:
 3251                 {
 3252                         struct sctp_tmit_chunk *cookie;
 3253 
 3254                         cookie = NULL;
 3255                         TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
 3256                             sctp_next) {
 3257                                 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
 3258                                         break;
 3259                                 }
 3260                         }
 3261                         if (cookie) {
 3262                                 if (cookie->sent != SCTP_DATAGRAM_RESEND)
 3263                                         sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
 3264                                 cookie->sent = SCTP_DATAGRAM_RESEND;
 3265                                 sctp_stop_all_cookie_timers(stcb);
 3266                         }
 3267                 }
 3268                 break;
 3269         case SCTP_COOKIE_ACK:
 3270                 sctp_send_cookie_ack(stcb);
 3271                 break;
 3272         case SCTP_ASCONF_ACK:
 3273                 /* resend last asconf ack */
 3274                 sctp_send_asconf_ack(stcb);
 3275                 break;
 3276         case SCTP_FORWARD_CUM_TSN:
 3277                 send_forward_tsn(stcb, &stcb->asoc);
 3278                 break;
 3279                 /* can't do anything with these */
 3280         case SCTP_PACKET_DROPPED:
 3281         case SCTP_INITIATION_ACK:       /* this should not happen */
 3282         case SCTP_HEARTBEAT_ACK:
 3283         case SCTP_ABORT_ASSOCIATION:
 3284         case SCTP_OPERATION_ERROR:
 3285         case SCTP_SHUTDOWN_COMPLETE:
 3286         case SCTP_ECN_ECHO:
 3287         case SCTP_ECN_CWR:
 3288         default:
 3289                 break;
 3290         }
 3291         return (0);
 3292 }
 3293 
 3294 void
 3295 sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
 3296 {
 3297         int i;
 3298         uint16_t temp;
 3299 
 3300         /*
 3301          * We set things to 0xffff since this is the last delivered sequence
 3302          * and we will be sending in 0 after the reset.
 3303          */
 3304 
 3305         if (number_entries) {
 3306                 for (i = 0; i < number_entries; i++) {
 3307                         temp = ntohs(list[i]);
 3308                         if (temp >= stcb->asoc.streamincnt) {
 3309                                 continue;
 3310                         }
 3311                         stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff;
 3312                 }
 3313         } else {
 3314                 list = NULL;
 3315                 for (i = 0; i < stcb->asoc.streamincnt; i++) {
 3316                         stcb->asoc.strmin[i].last_sequence_delivered = 0xffff;
 3317                 }
 3318         }
 3319         sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
 3320 }
 3321 
 3322 static void
 3323 sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
 3324 {
 3325         int i;
 3326 
 3327         if (number_entries == 0) {
 3328                 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
 3329                         stcb->asoc.strmout[i].next_sequence_sent = 0;
 3330                 }
 3331         } else if (number_entries) {
 3332                 for (i = 0; i < number_entries; i++) {
 3333                         uint16_t temp;
 3334 
 3335                         temp = ntohs(list[i]);
 3336                         if (temp >= stcb->asoc.streamoutcnt) {
 3337                                 /* no such stream */
 3338                                 continue;
 3339                         }
 3340                         stcb->asoc.strmout[temp].next_sequence_sent = 0;
 3341                 }
 3342         }
 3343         sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
 3344 }
 3345 
 3346 
 3347 struct sctp_stream_reset_out_request *
 3348 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk)
 3349 {
 3350         struct sctp_association *asoc;
 3351         struct sctp_stream_reset_out_req *req;
 3352         struct sctp_stream_reset_out_request *r;
 3353         struct sctp_tmit_chunk *chk;
 3354         int len, clen;
 3355 
 3356         asoc = &stcb->asoc;
 3357         if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
 3358                 asoc->stream_reset_outstanding = 0;
 3359                 return (NULL);
 3360         }
 3361         if (stcb->asoc.str_reset == NULL) {
 3362                 asoc->stream_reset_outstanding = 0;
 3363                 return (NULL);
 3364         }
 3365         chk = stcb->asoc.str_reset;
 3366         if (chk->data == NULL) {
 3367                 return (NULL);
 3368         }
 3369         if (bchk) {
 3370                 /* he wants a copy of the chk pointer */
 3371                 *bchk = chk;
 3372         }
 3373         clen = chk->send_size;
 3374         req = mtod(chk->data, struct sctp_stream_reset_out_req *);
 3375         r = &req->sr_req;
 3376         if (ntohl(r->request_seq) == seq) {
 3377                 /* found it */
 3378                 return (r);
 3379         }
 3380         len = SCTP_SIZE32(ntohs(r->ph.param_length));
 3381         if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) {
 3382                 /* move to the next one, there can only be a max of two */
 3383                 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len);
 3384                 if (ntohl(r->request_seq) == seq) {
 3385                         return (r);
 3386                 }
 3387         }
 3388         /* that seq is not here */
 3389         return (NULL);
 3390 }
 3391 
 3392 static void
 3393 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
 3394 {
 3395         struct sctp_association *asoc;
 3396         struct sctp_tmit_chunk *chk = stcb->asoc.str_reset;
 3397 
 3398         if (stcb->asoc.str_reset == NULL) {
 3399                 return;
 3400         }
 3401         asoc = &stcb->asoc;
 3402 
 3403         sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26);
 3404         TAILQ_REMOVE(&asoc->control_send_queue,
 3405             chk,
 3406             sctp_next);
 3407         if (chk->data) {
 3408                 sctp_m_freem(chk->data);
 3409                 chk->data = NULL;
 3410         }
 3411         asoc->ctrl_queue_cnt--;
 3412         sctp_free_a_chunk(stcb, chk);
 3413         /* sa_ignore NO_NULL_CHK */
 3414         stcb->asoc.str_reset = NULL;
 3415 }
 3416 
 3417 
 3418 static int
 3419 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
 3420     uint32_t seq, uint32_t action,
 3421     struct sctp_stream_reset_response *respin)
 3422 {
 3423         uint16_t type;
 3424         int lparm_len;
 3425         struct sctp_association *asoc = &stcb->asoc;
 3426         struct sctp_tmit_chunk *chk;
 3427         struct sctp_stream_reset_out_request *srparam;
 3428         int number_entries;
 3429 
 3430         if (asoc->stream_reset_outstanding == 0) {
 3431                 /* duplicate */
 3432                 return (0);
 3433         }
 3434         if (seq == stcb->asoc.str_reset_seq_out) {
 3435                 srparam = sctp_find_stream_reset(stcb, seq, &chk);
 3436                 if (srparam) {
 3437                         stcb->asoc.str_reset_seq_out++;
 3438                         type = ntohs(srparam->ph.param_type);
 3439                         lparm_len = ntohs(srparam->ph.param_length);
 3440                         if (type == SCTP_STR_RESET_OUT_REQUEST) {
 3441                                 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
 3442                                 asoc->stream_reset_out_is_outstanding = 0;
 3443                                 if (asoc->stream_reset_outstanding)
 3444                                         asoc->stream_reset_outstanding--;
 3445                                 if (action == SCTP_STREAM_RESET_PERFORMED) {
 3446                                         /* do it */
 3447                                         sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams);
 3448                                 } else {
 3449                                         sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
 3450                                 }
 3451                         } else if (type == SCTP_STR_RESET_IN_REQUEST) {
 3452                                 /* Answered my request */
 3453                                 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
 3454                                 if (asoc->stream_reset_outstanding)
 3455                                         asoc->stream_reset_outstanding--;
 3456                                 if (action != SCTP_STREAM_RESET_PERFORMED) {
 3457                                         sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
 3458                                 }
 3459                         } else if (type == SCTP_STR_RESET_TSN_REQUEST) {
 3460                                 /**
 3461                                  * a) Adopt the new in tsn.
 3462                                  * b) reset the map
 3463                                  * c) Adopt the new out-tsn
 3464                                  */
 3465                                 struct sctp_stream_reset_response_tsn *resp;
 3466                                 struct sctp_forward_tsn_chunk fwdtsn;
 3467                                 int abort_flag = 0;
 3468 
 3469                                 if (respin == NULL) {
 3470                                         /* huh ? */
 3471                                         return (0);
 3472                                 }
 3473                                 if (action == SCTP_STREAM_RESET_PERFORMED) {
 3474                                         resp = (struct sctp_stream_reset_response_tsn *)respin;
 3475                                         asoc->stream_reset_outstanding--;
 3476                                         fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
 3477                                         fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
 3478                                         fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1);
 3479                                         sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
 3480                                         if (abort_flag) {
 3481                                                 return (1);
 3482                                         }
 3483                                         stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1);
 3484                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
 3485                                                 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
 3486                                         }
 3487                                         stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
 3488                                         stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn);
 3489                                         memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
 3490 
 3491                                         /*
 3492                                          * EY 05/13/08 - nr_sack: to keep
 3493                                          * nr_mapping array be consistent
 3494                                          * with mapping_array
 3495                                          */
 3496                                         if (SCTP_BASE_SYSCTL(sctp_nr_sack_on_off) && stcb->asoc.peer_supports_nr_sack) {
 3497                                                 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
 3498                                                 stcb->asoc.nr_mapping_array_base_tsn = stcb->asoc.mapping_array_base_tsn;
 3499                                                 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.nr_mapping_array_size);
 3500                                         }
 3501                                         stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn);
 3502                                         stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn;
 3503 
 3504                                         sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
 3505                                         sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
 3506 
 3507                                 }
 3508                         }
 3509                         /* get rid of the request and get the request flags */
 3510                         if (asoc->stream_reset_outstanding == 0) {
 3511                                 sctp_clean_up_stream_reset(stcb);
 3512                         }
 3513                 }
 3514         }
 3515         return (0);
 3516 }
 3517 
 3518 static void
 3519 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb,
 3520     struct sctp_tmit_chunk *chk,
 3521     struct sctp_stream_reset_in_request *req, int trunc)
 3522 {
 3523         uint32_t seq;
 3524         int len, i;
 3525         int number_entries;
 3526         uint16_t temp;
 3527 
 3528         /*
 3529          * peer wants me to send a str-reset to him for my outgoing seq's if
 3530          * seq_in is right.
 3531          */
 3532         struct sctp_association *asoc = &stcb->asoc;
 3533 
 3534         seq = ntohl(req->request_seq);
 3535         if (asoc->str_reset_seq_in == seq) {
 3536                 if (trunc) {
 3537                         /* Can't do it, since they exceeded our buffer size  */
 3538                         asoc->last_reset_action[1] = asoc->last_reset_action[0];
 3539                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
 3540                         sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
 3541                 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) {
 3542                         len = ntohs(req->ph.param_length);
 3543                         number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t));
 3544                         for (i = 0; i < number_entries; i++) {
 3545                                 temp = ntohs(req->list_of_streams[i]);
 3546                                 req->list_of_streams[i] = temp;
 3547                         }
 3548                         /* move the reset action back one */
 3549                         asoc->last_reset_action[1] = asoc->last_reset_action[0];
 3550                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
 3551                         sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams,
 3552                             asoc->str_reset_seq_out,
 3553                             seq, (asoc->sending_seq - 1));
 3554                         asoc->stream_reset_out_is_outstanding = 1;
 3555                         asoc->str_reset = chk;
 3556                         sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
 3557                         stcb->asoc.stream_reset_outstanding++;
 3558                 } else {
 3559                         /* Can't do it, since we have sent one out */
 3560                         asoc->last_reset_action[1] = asoc->last_reset_action[0];
 3561                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER;
 3562                         sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
 3563                 }
 3564                 asoc->str_reset_seq_in++;
 3565         } else if (asoc->str_reset_seq_in - 1 == seq) {
 3566                 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
 3567         } else if (asoc->str_reset_seq_in - 2 == seq) {
 3568                 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
 3569         } else {
 3570                 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
 3571         }
 3572 }
 3573 
 3574 static int
 3575 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb,
 3576     struct sctp_tmit_chunk *chk,
 3577     struct sctp_stream_reset_tsn_request *req)
 3578 {
 3579         /* reset all in and out and update the tsn */
 3580         /*
 3581          * A) reset my str-seq's on in and out. B) Select a receive next,
 3582          * and set cum-ack to it. Also process this selected number as a
 3583          * fwd-tsn as well. C) set in the response my next sending seq.
 3584          */
 3585         struct sctp_forward_tsn_chunk fwdtsn;
 3586         struct sctp_association *asoc = &stcb->asoc;
 3587         int abort_flag = 0;
 3588         uint32_t seq;
 3589 
 3590         seq = ntohl(req->request_seq);
 3591         if (asoc->str_reset_seq_in == seq) {
 3592                 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
 3593                 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
 3594                 fwdtsn.ch.chunk_flags = 0;
 3595                 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1);
 3596                 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
 3597                 if (abort_flag) {
 3598                         return (1);
 3599                 }
 3600                 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA;
 3601                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
 3602                         sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
 3603                 }
 3604                 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
 3605                 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1;
 3606                 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
 3607                 /*
 3608                  * EY 05/13/08 -nr_sack: to keep nr_mapping array consistent
 3609                  * with mapping array
 3610                  */
 3611                 if (SCTP_BASE_SYSCTL(sctp_nr_sack_on_off) && stcb->asoc.peer_supports_nr_sack) {
 3612                         stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
 3613                         stcb->asoc.nr_mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1;
 3614                         memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.nr_mapping_array_size);
 3615                 }
 3616                 atomic_add_int(&stcb->asoc.sending_seq, 1);
 3617                 /* save off historical data for retrans */
 3618                 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0];
 3619                 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq;
 3620                 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0];
 3621                 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn;
 3622 
 3623                 sctp_add_stream_reset_result_tsn(chk,
 3624                     ntohl(req->request_seq),
 3625                     SCTP_STREAM_RESET_PERFORMED,
 3626                     stcb->asoc.sending_seq,
 3627                     stcb->asoc.mapping_array_base_tsn);
 3628                 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
 3629                 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
 3630                 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
 3631                 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
 3632 
 3633                 asoc->str_reset_seq_in++;
 3634         } else if (asoc->str_reset_seq_in - 1 == seq) {
 3635                 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
 3636                     stcb->asoc.last_sending_seq[0],
 3637                     stcb->asoc.last_base_tsnsent[0]
 3638                     );
 3639         } else if (asoc->str_reset_seq_in - 2 == seq) {
 3640                 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1],
 3641                     stcb->asoc.last_sending_seq[1],
 3642                     stcb->asoc.last_base_tsnsent[1]
 3643                     );
 3644         } else {
 3645                 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
 3646         }
 3647         return (0);
 3648 }
 3649 
 3650 static void
 3651 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb,
 3652     struct sctp_tmit_chunk *chk,
 3653     struct sctp_stream_reset_out_request *req, int trunc)
 3654 {
 3655         uint32_t seq, tsn;
 3656         int number_entries, len;
 3657         struct sctp_association *asoc = &stcb->asoc;
 3658 
 3659         seq = ntohl(req->request_seq);
 3660 
 3661         /* now if its not a duplicate we process it */
 3662         if (asoc->str_reset_seq_in == seq) {
 3663                 len = ntohs(req->ph.param_length);
 3664                 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t));
 3665                 /*
 3666                  * the sender is resetting, handle the list issue.. we must
 3667                  * a) verify if we can do the reset, if so no problem b) If
 3668                  * we can't do the reset we must copy the request. c) queue
 3669                  * it, and setup the data in processor to trigger it off
 3670                  * when needed and dequeue all the queued data.
 3671                  */
 3672                 tsn = ntohl(req->send_reset_at_tsn);
 3673 
 3674                 /* move the reset action back one */
 3675                 asoc->last_reset_action[1] = asoc->last_reset_action[0];
 3676                 if (trunc) {
 3677                         sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED);
 3678                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
 3679                 } else if ((tsn == asoc->cumulative_tsn) ||
 3680                     (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) {
 3681                         /* we can do it now */
 3682                         sctp_reset_in_stream(stcb, number_entries, req->list_of_streams);
 3683                         sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
 3684                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
 3685                 } else {
 3686                         /*
 3687                          * we must queue it up and thus wait for the TSN's
 3688                          * to arrive that are at or before tsn
 3689                          */
 3690                         struct sctp_stream_reset_list *liste;
 3691                         int siz;
 3692 
 3693                         siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t));
 3694                         SCTP_MALLOC(liste, struct sctp_stream_reset_list *,
 3695                             siz, SCTP_M_STRESET);
 3696                         if (liste == NULL) {
 3697                                 /* gak out of memory */
 3698                                 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED);
 3699                                 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
 3700                                 return;
 3701                         }
 3702                         liste->tsn = tsn;
 3703                         liste->number_entries = number_entries;
 3704                         memcpy(&liste->req, req,
 3705                             (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t))));
 3706                         TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp);
 3707                         sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
 3708                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
 3709                 }
 3710                 asoc->str_reset_seq_in++;
 3711         } else if ((asoc->str_reset_seq_in - 1) == seq) {
 3712                 /*
 3713                  * one seq back, just echo back last action since my
 3714                  * response was lost.
 3715                  */
 3716                 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
 3717         } else if ((asoc->str_reset_seq_in - 2) == seq) {
 3718                 /*
 3719                  * two seq back, just echo back last action since my
 3720                  * response was lost.
 3721                  */
 3722                 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
 3723         } else {
 3724                 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
 3725         }
 3726 }
 3727 
 3728 #ifdef __GNUC__
 3729 __attribute__((noinline))
 3730 #endif
 3731         static int
 3732             sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
 3733         struct sctp_stream_reset_out_req *sr_req)
 3734 {
 3735         int chk_length, param_len, ptype;
 3736         struct sctp_paramhdr pstore;
 3737         uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
 3738 
 3739         uint32_t seq;
 3740         int num_req = 0;
 3741         int trunc = 0;
 3742         struct sctp_tmit_chunk *chk;
 3743         struct sctp_chunkhdr *ch;
 3744         struct sctp_paramhdr *ph;
 3745         int ret_code = 0;
 3746         int num_param = 0;
 3747 
 3748         /* now it may be a reset or a reset-response */
 3749         chk_length = ntohs(sr_req->ch.chunk_length);
 3750 
 3751         /* setup for adding the response */
 3752         sctp_alloc_a_chunk(stcb, chk);
 3753         if (chk == NULL) {
 3754                 return (ret_code);
 3755         }
 3756         chk->rec.chunk_id.id = SCTP_STREAM_RESET;
 3757         chk->rec.chunk_id.can_take_data = 0;
 3758         chk->asoc = &stcb->asoc;
 3759         chk->no_fr_allowed = 0;
 3760         chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr);
 3761         chk->book_size_scale = 0;
 3762         chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
 3763         if (chk->data == NULL) {
 3764 strres_nochunk:
 3765                 if (chk->data) {
 3766                         sctp_m_freem(chk->data);
 3767                         chk->data = NULL;
 3768                 }
 3769                 sctp_free_a_chunk(stcb, chk);
 3770                 return (ret_code);
 3771         }
 3772         SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
 3773 
 3774         /* setup chunk parameters */
 3775         chk->sent = SCTP_DATAGRAM_UNSENT;
 3776         chk->snd_count = 0;
 3777         chk->whoTo = stcb->asoc.primary_destination;
 3778         atomic_add_int(&chk->whoTo->ref_count, 1);
 3779 
 3780         ch = mtod(chk->data, struct sctp_chunkhdr *);
 3781         ch->chunk_type = SCTP_STREAM_RESET;
 3782         ch->chunk_flags = 0;
 3783         ch->chunk_length = htons(chk->send_size);
 3784         SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
 3785         offset += sizeof(struct sctp_chunkhdr);
 3786         while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
 3787                 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore);
 3788                 if (ph == NULL)
 3789                         break;
 3790                 param_len = ntohs(ph->param_length);
 3791                 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
 3792                         /* bad param */
 3793                         break;
 3794                 }
 3795                 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)),
 3796                     (uint8_t *) & cstore);
 3797                 ptype = ntohs(ph->param_type);
 3798                 num_param++;
 3799                 if (param_len > (int)sizeof(cstore)) {
 3800                         trunc = 1;
 3801                 } else {
 3802                         trunc = 0;
 3803                 }
 3804 
 3805                 if (num_param > SCTP_MAX_RESET_PARAMS) {
 3806                         /* hit the max of parameters already sorry.. */
 3807                         break;
 3808                 }
 3809                 if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
 3810                         struct sctp_stream_reset_out_request *req_out;
 3811 
 3812                         req_out = (struct sctp_stream_reset_out_request *)ph;
 3813                         num_req++;
 3814                         if (stcb->asoc.stream_reset_outstanding) {
 3815                                 seq = ntohl(req_out->response_seq);
 3816                                 if (seq == stcb->asoc.str_reset_seq_out) {
 3817                                         /* implicit ack */
 3818                                         (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL);
 3819                                 }
 3820                         }
 3821                         sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc);
 3822                 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) {
 3823                         struct sctp_stream_reset_in_request *req_in;
 3824 
 3825                         num_req++;
 3826 
 3827                         req_in = (struct sctp_stream_reset_in_request *)ph;
 3828 
 3829                         sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc);
 3830                 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) {
 3831                         struct sctp_stream_reset_tsn_request *req_tsn;
 3832 
 3833                         num_req++;
 3834                         req_tsn = (struct sctp_stream_reset_tsn_request *)ph;
 3835 
 3836                         if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) {
 3837                                 ret_code = 1;
 3838                                 goto strres_nochunk;
 3839                         }
 3840                         /* no more */
 3841                         break;
 3842                 } else if (ptype == SCTP_STR_RESET_RESPONSE) {
 3843                         struct sctp_stream_reset_response *resp;
 3844                         uint32_t result;
 3845 
 3846                         resp = (struct sctp_stream_reset_response *)ph;
 3847                         seq = ntohl(resp->response_seq);
 3848                         result = ntohl(resp->result);
 3849                         if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) {
 3850                                 ret_code = 1;
 3851                                 goto strres_nochunk;
 3852                         }
 3853                 } else {
 3854                         break;
 3855                 }
 3856                 offset += SCTP_SIZE32(param_len);
 3857                 chk_length -= SCTP_SIZE32(param_len);
 3858         }
 3859         if (num_req == 0) {
 3860                 /* we have no response free the stuff */
 3861                 goto strres_nochunk;
 3862         }
 3863         /* ok we have a chunk to link in */
 3864         TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue,
 3865             chk,
 3866             sctp_next);
 3867         stcb->asoc.ctrl_queue_cnt++;
 3868         return (ret_code);
 3869 }
 3870 
 3871 /*
 3872  * Handle a router or endpoints report of a packet loss, there are two ways
 3873  * to handle this, either we get the whole packet and must disect it
 3874  * ourselves (possibly with truncation and or corruption) or it is a summary
 3875  * from a middle box that did the disectting for us.
 3876  */
 3877 static void
 3878 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
 3879     struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
 3880 {
 3881         uint32_t bottle_bw, on_queue;
 3882         uint16_t trunc_len;
 3883         unsigned int chlen;
 3884         unsigned int at;
 3885         struct sctp_chunk_desc desc;
 3886         struct sctp_chunkhdr *ch;
 3887 
 3888         chlen = ntohs(cp->ch.chunk_length);
 3889         chlen -= sizeof(struct sctp_pktdrop_chunk);
 3890         /* XXX possible chlen underflow */
 3891         if (chlen == 0) {
 3892                 ch = NULL;
 3893                 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
 3894                         SCTP_STAT_INCR(sctps_pdrpbwrpt);
 3895         } else {
 3896                 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
 3897                 chlen -= sizeof(struct sctphdr);
 3898                 /* XXX possible chlen underflow */
 3899                 memset(&desc, 0, sizeof(desc));
 3900         }
 3901         trunc_len = (uint16_t) ntohs(cp->trunc_len);
 3902         if (trunc_len > limit) {
 3903                 trunc_len = limit;
 3904         }
 3905         /* now the chunks themselves */
 3906         while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
 3907                 desc.chunk_type = ch->chunk_type;
 3908                 /* get amount we need to move */
 3909                 at = ntohs(ch->chunk_length);
 3910                 if (at < sizeof(struct sctp_chunkhdr)) {
 3911                         /* corrupt chunk, maybe at the end? */
 3912                         SCTP_STAT_INCR(sctps_pdrpcrupt);
 3913                         break;
 3914                 }
 3915                 if (trunc_len == 0) {
 3916                         /* we are supposed to have all of it */
 3917                         if (at > chlen) {
 3918                                 /* corrupt skip it */
 3919                                 SCTP_STAT_INCR(sctps_pdrpcrupt);
 3920                                 break;
 3921                         }
 3922                 } else {
 3923                         /* is there enough of it left ? */
 3924                         if (desc.chunk_type == SCTP_DATA) {
 3925                                 if (chlen < (sizeof(struct sctp_data_chunk) +
 3926                                     sizeof(desc.data_bytes))) {
 3927                                         break;
 3928                                 }
 3929                         } else {
 3930                                 if (chlen < sizeof(struct sctp_chunkhdr)) {
 3931                                         break;
 3932                                 }
 3933                         }
 3934                 }
 3935                 if (desc.chunk_type == SCTP_DATA) {
 3936                         /* can we get out the tsn? */
 3937                         if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
 3938                                 SCTP_STAT_INCR(sctps_pdrpmbda);
 3939 
 3940                         if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) {
 3941                                 /* yep */
 3942                                 struct sctp_data_chunk *dcp;
 3943                                 uint8_t *ddp;
 3944                                 unsigned int iii;
 3945 
 3946                                 dcp = (struct sctp_data_chunk *)ch;
 3947                                 ddp = (uint8_t *) (dcp + 1);
 3948                                 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) {
 3949                                         desc.data_bytes[iii] = ddp[iii];
 3950                                 }
 3951                                 desc.tsn_ifany = dcp->dp.tsn;
 3952                         } else {
 3953                                 /* nope we are done. */
 3954                                 SCTP_STAT_INCR(sctps_pdrpnedat);
 3955                                 break;
 3956                         }
 3957                 } else {
 3958                         if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
 3959                                 SCTP_STAT_INCR(sctps_pdrpmbct);
 3960                 }
 3961 
 3962                 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
 3963                         SCTP_STAT_INCR(sctps_pdrppdbrk);
 3964                         break;
 3965                 }
 3966                 if (SCTP_SIZE32(at) > chlen) {
 3967                         break;
 3968                 }
 3969                 chlen -= SCTP_SIZE32(at);
 3970                 if (chlen < sizeof(struct sctp_chunkhdr)) {
 3971                         /* done, none left */
 3972                         break;
 3973                 }
 3974                 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at));
 3975         }
 3976         /* Now update any rwnd --- possibly */
 3977         if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
 3978                 /* From a peer, we get a rwnd report */
 3979                 uint32_t a_rwnd;
 3980 
 3981                 SCTP_STAT_INCR(sctps_pdrpfehos);
 3982 
 3983                 bottle_bw = ntohl(cp->bottle_bw);
 3984                 on_queue = ntohl(cp->current_onq);
 3985                 if (bottle_bw && on_queue) {
 3986                         /* a rwnd report is in here */
 3987                         if (bottle_bw > on_queue)
 3988                                 a_rwnd = bottle_bw - on_queue;
 3989                         else
 3990                                 a_rwnd = 0;
 3991 
 3992                         if (a_rwnd == 0)
 3993                                 stcb->asoc.peers_rwnd = 0;
 3994                         else {
 3995                                 if (a_rwnd > stcb->asoc.total_flight) {
 3996                                         stcb->asoc.peers_rwnd =
 3997                                             a_rwnd - stcb->asoc.total_flight;
 3998                                 } else {
 3999                                         stcb->asoc.peers_rwnd = 0;
 4000                                 }
 4001                                 if (stcb->asoc.peers_rwnd <
 4002                                     stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
 4003                                         /* SWS sender side engages */
 4004                                         stcb->asoc.peers_rwnd = 0;
 4005                                 }
 4006                         }
 4007                 }
 4008         } else {
 4009                 SCTP_STAT_INCR(sctps_pdrpfmbox);
 4010         }
 4011 
 4012         /* now middle boxes in sat networks get a cwnd bump */
 4013         if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
 4014             (stcb->asoc.sat_t3_loss_recovery == 0) &&
 4015             (stcb->asoc.sat_network)) {
 4016                 /*
 4017                  * This is debateable but for sat networks it makes sense
 4018                  * Note if a T3 timer has went off, we will prohibit any
 4019                  * changes to cwnd until we exit the t3 loss recovery.
 4020                  */
 4021                 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb,
 4022                     net, cp, &bottle_bw, &on_queue);
 4023         }
 4024 }
 4025 
 4026 /*
 4027  * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to
 4028  * still contain IP/SCTP header - stcb: is the tcb found for this packet -
 4029  * offset: offset into the mbuf chain to first chunkhdr - length: is the
 4030  * length of the complete packet outputs: - length: modified to remaining
 4031  * length after control processing - netp: modified to new sctp_nets after
 4032  * cookie-echo processing - return NULL to discard the packet (ie. no asoc,
 4033  * bad packet,...) otherwise return the tcb for this packet
 4034  */
 4035 #ifdef __GNUC__
 4036 __attribute__((noinline))
 4037 #endif
 4038         static struct sctp_tcb *
 4039                  sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
 4040              struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
 4041              struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen,
 4042              uint32_t vrf_id, uint16_t port)
 4043 {
 4044         struct sctp_association *asoc;
 4045         uint32_t vtag_in;
 4046         int num_chunks = 0;     /* number of control chunks processed */
 4047         uint32_t chk_length;
 4048         int ret;
 4049         int abort_no_unlock = 0;
 4050 
 4051         /*
 4052          * How big should this be, and should it be alloc'd? Lets try the
 4053          * d-mtu-ceiling for now (2k) and that should hopefully work ...
 4054          * until we get into jumbo grams and such..
 4055          */
 4056         uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
 4057         struct sctp_tcb *locked_tcb = stcb;
 4058         int got_auth = 0;
 4059         uint32_t auth_offset = 0, auth_len = 0;
 4060         int auth_skipped = 0;
 4061         int asconf_cnt = 0;
 4062 
 4063 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4064         struct socket *so;
 4065 
 4066 #endif
 4067 
 4068         SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
 4069             iphlen, *offset, length, stcb);
 4070 
 4071         /* validate chunk header length... */
 4072         if (ntohs(ch->chunk_length) < sizeof(*ch)) {
 4073                 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n",
 4074                     ntohs(ch->chunk_length));
 4075                 if (locked_tcb) {
 4076                         SCTP_TCB_UNLOCK(locked_tcb);
 4077                 }
 4078                 return (NULL);
 4079         }
 4080         /*
 4081          * validate the verification tag
 4082          */
 4083         vtag_in = ntohl(sh->v_tag);
 4084 
 4085         if (locked_tcb) {
 4086                 SCTP_TCB_LOCK_ASSERT(locked_tcb);
 4087         }
 4088         if (ch->chunk_type == SCTP_INITIATION) {
 4089                 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n",
 4090                     ntohs(ch->chunk_length), vtag_in);
 4091                 if (vtag_in != 0) {
 4092                         /* protocol error- silently discard... */
 4093                         SCTP_STAT_INCR(sctps_badvtag);
 4094                         if (locked_tcb) {
 4095                                 SCTP_TCB_UNLOCK(locked_tcb);
 4096                         }
 4097                         return (NULL);
 4098                 }
 4099         } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
 4100                 /*
 4101                  * If there is no stcb, skip the AUTH chunk and process
 4102                  * later after a stcb is found (to validate the lookup was
 4103                  * valid.
 4104                  */
 4105                 if ((ch->chunk_type == SCTP_AUTHENTICATION) &&
 4106                     (stcb == NULL) &&
 4107                     !SCTP_BASE_SYSCTL(sctp_auth_disable)) {
 4108                         /* save this chunk for later processing */
 4109                         auth_skipped = 1;
 4110                         auth_offset = *offset;
 4111                         auth_len = ntohs(ch->chunk_length);
 4112 
 4113                         /* (temporarily) move past this chunk */
 4114                         *offset += SCTP_SIZE32(auth_len);
 4115                         if (*offset >= length) {
 4116                                 /* no more data left in the mbuf chain */
 4117                                 *offset = length;
 4118                                 if (locked_tcb) {
 4119                                         SCTP_TCB_UNLOCK(locked_tcb);
 4120                                 }
 4121                                 return (NULL);
 4122                         }
 4123                         ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 4124                             sizeof(struct sctp_chunkhdr), chunk_buf);
 4125                 }
 4126                 if (ch == NULL) {
 4127                         /* Help */
 4128                         *offset = length;
 4129                         if (locked_tcb) {
 4130                                 SCTP_TCB_UNLOCK(locked_tcb);
 4131                         }
 4132                         return (NULL);
 4133                 }
 4134                 if (ch->chunk_type == SCTP_COOKIE_ECHO) {
 4135                         goto process_control_chunks;
 4136                 }
 4137                 /*
 4138                  * first check if it's an ASCONF with an unknown src addr we
 4139                  * need to look inside to find the association
 4140                  */
 4141                 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
 4142                         struct sctp_chunkhdr *asconf_ch = ch;
 4143                         uint32_t asconf_offset = 0, asconf_len = 0;
 4144 
 4145                         /* inp's refcount may be reduced */
 4146                         SCTP_INP_INCR_REF(inp);
 4147 
 4148                         asconf_offset = *offset;
 4149                         do {
 4150                                 asconf_len = ntohs(asconf_ch->chunk_length);
 4151                                 if (asconf_len < sizeof(struct sctp_asconf_paramhdr))
 4152                                         break;
 4153                                 stcb = sctp_findassociation_ep_asconf(m, iphlen,
 4154                                     *offset, sh, &inp, netp, vrf_id);
 4155                                 if (stcb != NULL)
 4156                                         break;
 4157                                 asconf_offset += SCTP_SIZE32(asconf_len);
 4158                                 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset,
 4159                                     sizeof(struct sctp_chunkhdr), chunk_buf);
 4160                         } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF);
 4161                         if (stcb == NULL) {
 4162                                 /*
 4163                                  * reduce inp's refcount if not reduced in
 4164                                  * sctp_findassociation_ep_asconf().
 4165                                  */
 4166                                 SCTP_INP_DECR_REF(inp);
 4167                         } else {
 4168                                 locked_tcb = stcb;
 4169                         }
 4170 
 4171                         /* now go back and verify any auth chunk to be sure */
 4172                         if (auth_skipped && (stcb != NULL)) {
 4173                                 struct sctp_auth_chunk *auth;
 4174 
 4175                                 auth = (struct sctp_auth_chunk *)
 4176                                     sctp_m_getptr(m, auth_offset,
 4177                                     auth_len, chunk_buf);
 4178                                 got_auth = 1;
 4179                                 auth_skipped = 0;
 4180                                 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
 4181                                     auth_offset)) {
 4182                                         /* auth HMAC failed so dump it */
 4183                                         *offset = length;
 4184                                         if (locked_tcb) {
 4185                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4186                                         }
 4187                                         return (NULL);
 4188                                 } else {
 4189                                         /* remaining chunks are HMAC checked */
 4190                                         stcb->asoc.authenticated = 1;
 4191                                 }
 4192                         }
 4193                 }
 4194                 if (stcb == NULL) {
 4195                         /* no association, so it's out of the blue... */
 4196                         sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL,
 4197                             vrf_id, port);
 4198                         *offset = length;
 4199                         if (locked_tcb) {
 4200                                 SCTP_TCB_UNLOCK(locked_tcb);
 4201                         }
 4202                         return (NULL);
 4203                 }
 4204                 asoc = &stcb->asoc;
 4205                 /* ABORT and SHUTDOWN can use either v_tag... */
 4206                 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
 4207                     (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
 4208                     (ch->chunk_type == SCTP_PACKET_DROPPED)) {
 4209                         if ((vtag_in == asoc->my_vtag) ||
 4210                             ((ch->chunk_flags & SCTP_HAD_NO_TCB) &&
 4211                             (vtag_in == asoc->peer_vtag))) {
 4212                                 /* this is valid */
 4213                         } else {
 4214                                 /* drop this packet... */
 4215                                 SCTP_STAT_INCR(sctps_badvtag);
 4216                                 if (locked_tcb) {
 4217                                         SCTP_TCB_UNLOCK(locked_tcb);
 4218                                 }
 4219                                 return (NULL);
 4220                         }
 4221                 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
 4222                         if (vtag_in != asoc->my_vtag) {
 4223                                 /*
 4224                                  * this could be a stale SHUTDOWN-ACK or the
 4225                                  * peer never got the SHUTDOWN-COMPLETE and
 4226                                  * is still hung; we have started a new asoc
 4227                                  * but it won't complete until the shutdown
 4228                                  * is completed
 4229                                  */
 4230                                 if (locked_tcb) {
 4231                                         SCTP_TCB_UNLOCK(locked_tcb);
 4232                                 }
 4233                                 sctp_handle_ootb(m, iphlen, *offset, sh, inp,
 4234                                     NULL, vrf_id, port);
 4235                                 return (NULL);
 4236                         }
 4237                 } else {
 4238                         /* for all other chunks, vtag must match */
 4239                         if (vtag_in != asoc->my_vtag) {
 4240                                 /* invalid vtag... */
 4241                                 SCTPDBG(SCTP_DEBUG_INPUT3,
 4242                                     "invalid vtag: %xh, expect %xh\n",
 4243                                     vtag_in, asoc->my_vtag);
 4244                                 SCTP_STAT_INCR(sctps_badvtag);
 4245                                 if (locked_tcb) {
 4246                                         SCTP_TCB_UNLOCK(locked_tcb);
 4247                                 }
 4248                                 *offset = length;
 4249                                 return (NULL);
 4250                         }
 4251                 }
 4252         }                       /* end if !SCTP_COOKIE_ECHO */
 4253         /*
 4254          * process all control chunks...
 4255          */
 4256         if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
 4257         /* EY */
 4258             (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) ||
 4259             (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
 4260             (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
 4261                 /* implied cookie-ack.. we must have lost the ack */
 4262                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4263                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4264                             stcb->asoc.overall_error_count,
 4265                             0,
 4266                             SCTP_FROM_SCTP_INPUT,
 4267                             __LINE__);
 4268                 }
 4269                 stcb->asoc.overall_error_count = 0;
 4270                 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb,
 4271                     *netp);
 4272         }
 4273 process_control_chunks:
 4274         while (IS_SCTP_CONTROL(ch)) {
 4275                 /* validate chunk length */
 4276                 chk_length = ntohs(ch->chunk_length);
 4277                 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n",
 4278                     ch->chunk_type, chk_length);
 4279                 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length);
 4280                 if (chk_length < sizeof(*ch) ||
 4281                     (*offset + (int)chk_length) > length) {
 4282                         *offset = length;
 4283                         if (locked_tcb) {
 4284                                 SCTP_TCB_UNLOCK(locked_tcb);
 4285                         }
 4286                         return (NULL);
 4287                 }
 4288                 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
 4289                 /*
 4290                  * INIT-ACK only gets the init ack "header" portion only
 4291                  * because we don't have to process the peer's COOKIE. All
 4292                  * others get a complete chunk.
 4293                  */
 4294                 if ((ch->chunk_type == SCTP_INITIATION_ACK) ||
 4295                     (ch->chunk_type == SCTP_INITIATION)) {
 4296                         /* get an init-ack chunk */
 4297                         ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 4298                             sizeof(struct sctp_init_ack_chunk), chunk_buf);
 4299                         if (ch == NULL) {
 4300                                 *offset = length;
 4301                                 if (locked_tcb) {
 4302                                         SCTP_TCB_UNLOCK(locked_tcb);
 4303                                 }
 4304                                 return (NULL);
 4305                         }
 4306                 } else {
 4307                         /* For cookies and all other chunks. */
 4308                         if (chk_length > sizeof(chunk_buf)) {
 4309                                 /*
 4310                                  * use just the size of the chunk buffer so
 4311                                  * the front part of our chunks fit in
 4312                                  * contiguous space up to the chunk buffer
 4313                                  * size (508 bytes). For chunks that need to
 4314                                  * get more than that they must use the
 4315                                  * sctp_m_getptr() function or other means
 4316                                  * (e.g. know how to parse mbuf chains).
 4317                                  * Cookies do this already.
 4318                                  */
 4319                                 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 4320                                     (sizeof(chunk_buf) - 4),
 4321                                     chunk_buf);
 4322                                 if (ch == NULL) {
 4323                                         *offset = length;
 4324                                         if (locked_tcb) {
 4325                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4326                                         }
 4327                                         return (NULL);
 4328                                 }
 4329                         } else {
 4330                                 /* We can fit it all */
 4331                                 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 4332                                     chk_length, chunk_buf);
 4333                                 if (ch == NULL) {
 4334                                         SCTP_PRINTF("sctp_process_control: Can't get the all data....\n");
 4335                                         *offset = length;
 4336                                         if (locked_tcb) {
 4337                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4338                                         }
 4339                                         return (NULL);
 4340                                 }
 4341                         }
 4342                 }
 4343                 num_chunks++;
 4344                 /* Save off the last place we got a control from */
 4345                 if (stcb != NULL) {
 4346                         if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) {
 4347                                 /*
 4348                                  * allow last_control to be NULL if
 4349                                  * ASCONF... ASCONF processing will find the
 4350                                  * right net later
 4351                                  */
 4352                                 if ((netp != NULL) && (*netp != NULL))
 4353                                         stcb->asoc.last_control_chunk_from = *netp;
 4354                         }
 4355                 }
 4356 #ifdef SCTP_AUDITING_ENABLED
 4357                 sctp_audit_log(0xB0, ch->chunk_type);
 4358 #endif
 4359 
 4360                 /* check to see if this chunk required auth, but isn't */
 4361                 if ((stcb != NULL) &&
 4362                     !SCTP_BASE_SYSCTL(sctp_auth_disable) &&
 4363                     sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) &&
 4364                     !stcb->asoc.authenticated) {
 4365                         /* "silently" ignore */
 4366                         SCTP_STAT_INCR(sctps_recvauthmissing);
 4367                         goto next_chunk;
 4368                 }
 4369                 switch (ch->chunk_type) {
 4370                 case SCTP_INITIATION:
 4371                         /* must be first and only chunk */
 4372                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n");
 4373                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 4374                                 /* We are not interested anymore? */
 4375                                 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
 4376                                         /*
 4377                                          * collision case where we are
 4378                                          * sending to them too
 4379                                          */
 4380                                         ;
 4381                                 } else {
 4382                                         if (locked_tcb) {
 4383                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4384                                         }
 4385                                         *offset = length;
 4386                                         return (NULL);
 4387                                 }
 4388                         }
 4389                         if ((chk_length > SCTP_LARGEST_INIT_ACCEPTED) ||
 4390                             (num_chunks > 1) ||
 4391                             (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) {
 4392                                 *offset = length;
 4393                                 if (locked_tcb) {
 4394                                         SCTP_TCB_UNLOCK(locked_tcb);
 4395                                 }
 4396                                 return (NULL);
 4397                         }
 4398                         if ((stcb != NULL) &&
 4399                             (SCTP_GET_STATE(&stcb->asoc) ==
 4400                             SCTP_STATE_SHUTDOWN_ACK_SENT)) {
 4401                                 sctp_send_shutdown_ack(stcb,
 4402                                     stcb->asoc.primary_destination);
 4403                                 *offset = length;
 4404                                 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
 4405                                 if (locked_tcb) {
 4406                                         SCTP_TCB_UNLOCK(locked_tcb);
 4407                                 }
 4408                                 return (NULL);
 4409                         }
 4410                         if (netp) {
 4411                                 sctp_handle_init(m, iphlen, *offset, sh,
 4412                                     (struct sctp_init_chunk *)ch, inp,
 4413                                     stcb, *netp, &abort_no_unlock, vrf_id, port);
 4414                         }
 4415                         if (abort_no_unlock)
 4416                                 return (NULL);
 4417 
 4418                         *offset = length;
 4419                         if (locked_tcb) {
 4420                                 SCTP_TCB_UNLOCK(locked_tcb);
 4421                         }
 4422                         return (NULL);
 4423                         break;
 4424                 case SCTP_PAD_CHUNK:
 4425                         break;
 4426                 case SCTP_INITIATION_ACK:
 4427                         /* must be first and only chunk */
 4428                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n");
 4429                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 4430                                 /* We are not interested anymore */
 4431                                 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
 4432                                         ;
 4433                                 } else {
 4434                                         if (locked_tcb) {
 4435                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4436                                         }
 4437                                         *offset = length;
 4438                                         if (stcb) {
 4439 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4440                                                 so = SCTP_INP_SO(inp);
 4441                                                 atomic_add_int(&stcb->asoc.refcnt, 1);
 4442                                                 SCTP_TCB_UNLOCK(stcb);
 4443                                                 SCTP_SOCKET_LOCK(so, 1);
 4444                                                 SCTP_TCB_LOCK(stcb);
 4445                                                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 4446 #endif
 4447                                                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
 4448 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4449                                                 SCTP_SOCKET_UNLOCK(so, 1);
 4450 #endif
 4451                                         }
 4452                                         return (NULL);
 4453                                 }
 4454                         }
 4455                         if ((num_chunks > 1) ||
 4456                             (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) {
 4457                                 *offset = length;
 4458                                 if (locked_tcb) {
 4459                                         SCTP_TCB_UNLOCK(locked_tcb);
 4460                                 }
 4461                                 return (NULL);
 4462                         }
 4463                         if ((netp) && (*netp)) {
 4464                                 ret = sctp_handle_init_ack(m, iphlen, *offset, sh,
 4465                                     (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id);
 4466                         } else {
 4467                                 ret = -1;
 4468                         }
 4469                         /*
 4470                          * Special case, I must call the output routine to
 4471                          * get the cookie echoed
 4472                          */
 4473                         if (abort_no_unlock)
 4474                                 return (NULL);
 4475 
 4476                         if ((stcb) && ret == 0)
 4477                                 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
 4478                         *offset = length;
 4479                         if (locked_tcb) {
 4480                                 SCTP_TCB_UNLOCK(locked_tcb);
 4481                         }
 4482                         return (NULL);
 4483                         break;
 4484                 case SCTP_SELECTIVE_ACK:
 4485                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n");
 4486                         SCTP_STAT_INCR(sctps_recvsacks);
 4487                         {
 4488                                 struct sctp_sack_chunk *sack;
 4489                                 int abort_now = 0;
 4490                                 uint32_t a_rwnd, cum_ack;
 4491                                 uint16_t num_seg;
 4492                                 int nonce_sum_flag;
 4493 
 4494                                 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_sack_chunk))) {
 4495                                         SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on sack chunk, too small\n");
 4496                                         *offset = length;
 4497                                         if (locked_tcb) {
 4498                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4499                                         }
 4500                                         return (NULL);
 4501                                 }
 4502                                 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
 4503                                         /*-
 4504                                          * If we have sent a shutdown-ack, we will pay no
 4505                                          * attention to a sack sent in to us since
 4506                                          * we don't care anymore.
 4507                                          */
 4508                                         break;
 4509                                 }
 4510                                 sack = (struct sctp_sack_chunk *)ch;
 4511                                 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM;
 4512                                 cum_ack = ntohl(sack->sack.cum_tsn_ack);
 4513                                 num_seg = ntohs(sack->sack.num_gap_ack_blks);
 4514                                 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd);
 4515                                 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
 4516                                     cum_ack,
 4517                                     num_seg,
 4518                                     a_rwnd
 4519                                     );
 4520                                 stcb->asoc.seen_a_sack_this_pkt = 1;
 4521                                 if ((stcb->asoc.pr_sctp_cnt == 0) &&
 4522                                     (num_seg == 0) &&
 4523                                     ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) ||
 4524                                     (cum_ack == stcb->asoc.last_acked_seq)) &&
 4525                                     (stcb->asoc.saw_sack_with_frags == 0) &&
 4526                                     (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
 4527                                     ) {
 4528                                         /*
 4529                                          * We have a SIMPLE sack having no
 4530                                          * prior segments and data on sent
 4531                                          * queue to be acked.. Use the
 4532                                          * faster path sack processing. We
 4533                                          * also allow window update sacks
 4534                                          * with no missing segments to go
 4535                                          * this way too.
 4536                                          */
 4537                                         sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag,
 4538                                             &abort_now);
 4539                                 } else {
 4540                                         if (netp && *netp)
 4541                                                 sctp_handle_sack(m, *offset,
 4542                                                     sack, stcb, *netp, &abort_now, chk_length, a_rwnd);
 4543                                 }
 4544                                 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
 4545                                     TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
 4546                                     (stcb->asoc.stream_queue_cnt == 0)) {
 4547                                         sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 4548                                 }
 4549                                 if (abort_now) {
 4550                                         /* ABORT signal from sack processing */
 4551                                         *offset = length;
 4552                                         return (NULL);
 4553                                 }
 4554                         }
 4555                         break;
 4556                         /*
 4557                          * EY - nr_sack:  If the received chunk is an
 4558                          * nr_sack chunk
 4559                          */
 4560                 case SCTP_NR_SELECTIVE_ACK:
 4561                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK\n");
 4562                         SCTP_STAT_INCR(sctps_recvsacks);
 4563                         {
 4564                                 struct sctp_nr_sack_chunk *nr_sack;
 4565                                 int abort_now = 0;
 4566                                 uint32_t a_rwnd, cum_ack;
 4567                                 uint16_t num_seg, num_nr_seg;
 4568                                 int nonce_sum_flag, all_bit;
 4569 
 4570                                 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_nr_sack_chunk))) {
 4571                                         SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on nr_sack chunk, too small\n");
 4572                         ignore_nr_sack:
 4573                                         *offset = length;
 4574                                         if (locked_tcb) {
 4575                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4576                                         }
 4577                                         return (NULL);
 4578                                 }
 4579                                 /*
 4580                                  * EY nr_sacks have not been negotiated but
 4581                                  * the peer end sent an nr_sack, silently
 4582                                  * discard the chunk
 4583                                  */
 4584                                 if (!(SCTP_BASE_SYSCTL(sctp_nr_sack_on_off) && stcb->asoc.peer_supports_nr_sack)) {
 4585                                         goto unknown_chunk;
 4586                                 }
 4587                                 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
 4588                                         /*-
 4589                                          * If we have sent a shutdown-ack, we will pay no
 4590                                          * attention to a sack sent in to us since
 4591                                          * we don't care anymore.
 4592                                          */
 4593                                         goto ignore_nr_sack;
 4594                                 }
 4595                                 nr_sack = (struct sctp_nr_sack_chunk *)ch;
 4596                                 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM;
 4597                                 all_bit = ch->chunk_flags & SCTP_NR_SACK_ALL_BIT;
 4598 
 4599                                 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack);
 4600                                 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks);
 4601                                 /*
 4602                                  * EY -if All bit  is set, then there are as
 4603                                  * many gaps as nr_gaps
 4604                                  */
 4605                                 if (all_bit) {
 4606                                         num_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
 4607                                 }
 4608                                 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
 4609                                 a_rwnd = (uint32_t) ntohl(nr_sack->nr_sack.a_rwnd);
 4610                                 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
 4611                                     cum_ack,
 4612                                     num_seg,
 4613                                     a_rwnd
 4614                                     );
 4615                                 stcb->asoc.seen_a_sack_this_pkt = 1;
 4616                                 if ((stcb->asoc.pr_sctp_cnt == 0) &&
 4617                                     (num_seg == 0) &&
 4618                                     ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) ||
 4619                                     (cum_ack == stcb->asoc.last_acked_seq)) &&
 4620                                     (stcb->asoc.saw_sack_with_frags == 0) &&
 4621                                     (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
 4622                                     ) {
 4623                                         /*
 4624                                          * We have a SIMPLE sack having no
 4625                                          * prior segments and data on sent
 4626                                          * queue to be acked.. Use the
 4627                                          * faster path sack processing. We
 4628                                          * also allow window update sacks
 4629                                          * with no missing segments to go
 4630                                          * this way too.
 4631                                          */
 4632                                         sctp_express_handle_nr_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag,
 4633                                             &abort_now);
 4634                                 } else {
 4635                                         if (netp && *netp)
 4636                                                 sctp_handle_nr_sack(m, *offset,
 4637                                                     nr_sack, stcb, *netp, &abort_now, chk_length, a_rwnd);
 4638                                 }
 4639                                 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
 4640                                     TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
 4641                                     (stcb->asoc.stream_queue_cnt == 0)) {
 4642                                         sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 4643                                 }
 4644                                 if (abort_now) {
 4645                                         /* ABORT signal from sack processing */
 4646                                         *offset = length;
 4647                                         return (NULL);
 4648                                 }
 4649                         }
 4650                         break;
 4651 
 4652                 case SCTP_HEARTBEAT_REQUEST:
 4653                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n");
 4654                         if ((stcb) && netp && *netp) {
 4655                                 SCTP_STAT_INCR(sctps_recvheartbeat);
 4656                                 sctp_send_heartbeat_ack(stcb, m, *offset,
 4657                                     chk_length, *netp);
 4658 
 4659                                 /* He's alive so give him credit */
 4660                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4661                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4662                                             stcb->asoc.overall_error_count,
 4663                                             0,
 4664                                             SCTP_FROM_SCTP_INPUT,
 4665                                             __LINE__);
 4666                                 }
 4667                                 stcb->asoc.overall_error_count = 0;
 4668                         }
 4669                         break;
 4670                 case SCTP_HEARTBEAT_ACK:
 4671                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n");
 4672                         if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) {
 4673                                 /* Its not ours */
 4674                                 *offset = length;
 4675                                 if (locked_tcb) {
 4676                                         SCTP_TCB_UNLOCK(locked_tcb);
 4677                                 }
 4678                                 return (NULL);
 4679                         }
 4680                         /* He's alive so give him credit */
 4681                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4682                                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4683                                     stcb->asoc.overall_error_count,
 4684                                     0,
 4685                                     SCTP_FROM_SCTP_INPUT,
 4686                                     __LINE__);
 4687                         }
 4688                         stcb->asoc.overall_error_count = 0;
 4689                         SCTP_STAT_INCR(sctps_recvheartbeatack);
 4690                         if (netp && *netp)
 4691                                 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
 4692                                     stcb, *netp);
 4693                         break;
 4694                 case SCTP_ABORT_ASSOCIATION:
 4695                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n",
 4696                             stcb);
 4697                         if ((stcb) && netp && *netp)
 4698                                 sctp_handle_abort((struct sctp_abort_chunk *)ch,
 4699                                     stcb, *netp);
 4700                         *offset = length;
 4701                         return (NULL);
 4702                         break;
 4703                 case SCTP_SHUTDOWN:
 4704                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n",
 4705                             stcb);
 4706                         if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) {
 4707                                 *offset = length;
 4708                                 if (locked_tcb) {
 4709                                         SCTP_TCB_UNLOCK(locked_tcb);
 4710                                 }
 4711                                 return (NULL);
 4712                         }
 4713                         if (netp && *netp) {
 4714                                 int abort_flag = 0;
 4715 
 4716                                 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
 4717                                     stcb, *netp, &abort_flag);
 4718                                 if (abort_flag) {
 4719                                         *offset = length;
 4720                                         return (NULL);
 4721                                 }
 4722                         }
 4723                         break;
 4724                 case SCTP_SHUTDOWN_ACK:
 4725                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", stcb);
 4726                         if ((stcb) && (netp) && (*netp))
 4727                                 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
 4728                         *offset = length;
 4729                         return (NULL);
 4730                         break;
 4731 
 4732                 case SCTP_OPERATION_ERROR:
 4733                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n");
 4734                         if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) {
 4735 
 4736                                 *offset = length;
 4737                                 return (NULL);
 4738                         }
 4739                         break;
 4740                 case SCTP_COOKIE_ECHO:
 4741                         SCTPDBG(SCTP_DEBUG_INPUT3,
 4742                             "SCTP_COOKIE-ECHO, stcb %p\n", stcb);
 4743                         if ((stcb) && (stcb->asoc.total_output_queue_size)) {
 4744                                 ;
 4745                         } else {
 4746                                 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 4747                                         /* We are not interested anymore */
 4748                                         *offset = length;
 4749                                         return (NULL);
 4750                                 }
 4751                         }
 4752                         /*
 4753                          * First are we accepting? We do this again here
 4754                          * sincen it is possible that a previous endpoint
 4755                          * WAS listening responded to a INIT-ACK and then
 4756                          * closed. We opened and bound.. and are now no
 4757                          * longer listening.
 4758                          */
 4759 
 4760                         if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) {
 4761                                 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
 4762                                     (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) {
 4763                                         struct mbuf *oper;
 4764                                         struct sctp_paramhdr *phdr;
 4765 
 4766                                         oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
 4767                                             0, M_DONTWAIT, 1, MT_DATA);
 4768                                         if (oper) {
 4769                                                 SCTP_BUF_LEN(oper) =
 4770                                                     sizeof(struct sctp_paramhdr);
 4771                                                 phdr = mtod(oper,
 4772                                                     struct sctp_paramhdr *);
 4773                                                 phdr->param_type =
 4774                                                     htons(SCTP_CAUSE_OUT_OF_RESC);
 4775                                                 phdr->param_length =
 4776                                                     htons(sizeof(struct sctp_paramhdr));
 4777                                         }
 4778                                         sctp_abort_association(inp, stcb, m,
 4779                                             iphlen, sh, oper, vrf_id, port);
 4780                                 }
 4781                                 *offset = length;
 4782                                 return (NULL);
 4783                         } else {
 4784                                 struct mbuf *ret_buf;
 4785                                 struct sctp_inpcb *linp;
 4786 
 4787                                 if (stcb) {
 4788                                         linp = NULL;
 4789                                 } else {
 4790                                         linp = inp;
 4791                                 }
 4792 
 4793                                 if (linp) {
 4794                                         SCTP_ASOC_CREATE_LOCK(linp);
 4795                                 }
 4796                                 if (netp) {
 4797                                         ret_buf =
 4798                                             sctp_handle_cookie_echo(m, iphlen,
 4799                                             *offset, sh,
 4800                                             (struct sctp_cookie_echo_chunk *)ch,
 4801                                             &inp, &stcb, netp,
 4802                                             auth_skipped,
 4803                                             auth_offset,
 4804                                             auth_len,
 4805                                             &locked_tcb,
 4806                                             vrf_id,
 4807                                             port);
 4808                                 } else {
 4809                                         ret_buf = NULL;
 4810                                 }
 4811                                 if (linp) {
 4812                                         SCTP_ASOC_CREATE_UNLOCK(linp);
 4813                                 }
 4814                                 if (ret_buf == NULL) {
 4815                                         if (locked_tcb) {
 4816                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4817                                         }
 4818                                         SCTPDBG(SCTP_DEBUG_INPUT3,
 4819                                             "GAK, null buffer\n");
 4820                                         auth_skipped = 0;
 4821                                         *offset = length;
 4822                                         return (NULL);
 4823                                 }
 4824                                 /* if AUTH skipped, see if it verified... */
 4825                                 if (auth_skipped) {
 4826                                         got_auth = 1;
 4827                                         auth_skipped = 0;
 4828                                 }
 4829                                 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
 4830                                         /*
 4831                                          * Restart the timer if we have
 4832                                          * pending data
 4833                                          */
 4834                                         struct sctp_tmit_chunk *chk;
 4835 
 4836                                         chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
 4837                                         if (chk) {
 4838                                                 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
 4839                                                     stcb->sctp_ep, stcb,
 4840                                                     chk->whoTo);
 4841                                         }
 4842                                 }
 4843                         }
 4844                         break;
 4845                 case SCTP_COOKIE_ACK:
 4846                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", stcb);
 4847                         if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) {
 4848                                 if (locked_tcb) {
 4849                                         SCTP_TCB_UNLOCK(locked_tcb);
 4850                                 }
 4851                                 return (NULL);
 4852                         }
 4853                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 4854                                 /* We are not interested anymore */
 4855                                 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
 4856                                         ;
 4857                                 } else if (stcb) {
 4858 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4859                                         so = SCTP_INP_SO(inp);
 4860                                         atomic_add_int(&stcb->asoc.refcnt, 1);
 4861                                         SCTP_TCB_UNLOCK(stcb);
 4862                                         SCTP_SOCKET_LOCK(so, 1);
 4863                                         SCTP_TCB_LOCK(stcb);
 4864                                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 4865 #endif
 4866                                         (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
 4867 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4868                                         SCTP_SOCKET_UNLOCK(so, 1);
 4869 #endif
 4870                                         *offset = length;
 4871                                         return (NULL);
 4872                                 }
 4873                         }
 4874                         /* He's alive so give him credit */
 4875                         if ((stcb) && netp && *netp) {
 4876                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4877                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4878                                             stcb->asoc.overall_error_count,
 4879                                             0,
 4880                                             SCTP_FROM_SCTP_INPUT,
 4881                                             __LINE__);
 4882                                 }
 4883                                 stcb->asoc.overall_error_count = 0;
 4884                                 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
 4885                         }
 4886                         break;
 4887                 case SCTP_ECN_ECHO:
 4888                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n");
 4889                         /* He's alive so give him credit */
 4890                         if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) {
 4891                                 /* Its not ours */
 4892                                 if (locked_tcb) {
 4893                                         SCTP_TCB_UNLOCK(locked_tcb);
 4894                                 }
 4895                                 *offset = length;
 4896                                 return (NULL);
 4897                         }
 4898                         if (stcb) {
 4899                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4900                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4901                                             stcb->asoc.overall_error_count,
 4902                                             0,
 4903                                             SCTP_FROM_SCTP_INPUT,
 4904                                             __LINE__);
 4905                                 }
 4906                                 stcb->asoc.overall_error_count = 0;
 4907                                 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
 4908                                     stcb);
 4909                         }
 4910                         break;
 4911                 case SCTP_ECN_CWR:
 4912                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n");
 4913                         /* He's alive so give him credit */
 4914                         if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) {
 4915                                 /* Its not ours */
 4916                                 if (locked_tcb) {
 4917                                         SCTP_TCB_UNLOCK(locked_tcb);
 4918                                 }
 4919                                 *offset = length;
 4920                                 return (NULL);
 4921                         }
 4922                         if (stcb) {
 4923                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4924                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4925                                             stcb->asoc.overall_error_count,
 4926                                             0,
 4927                                             SCTP_FROM_SCTP_INPUT,
 4928                                             __LINE__);
 4929                                 }
 4930                                 stcb->asoc.overall_error_count = 0;
 4931                                 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb);
 4932                         }
 4933                         break;
 4934                 case SCTP_SHUTDOWN_COMPLETE:
 4935                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", stcb);
 4936                         /* must be first and only chunk */
 4937                         if ((num_chunks > 1) ||
 4938                             (length - *offset > (int)SCTP_SIZE32(chk_length))) {
 4939                                 *offset = length;
 4940                                 if (locked_tcb) {
 4941                                         SCTP_TCB_UNLOCK(locked_tcb);
 4942                                 }
 4943                                 return (NULL);
 4944                         }
 4945                         if ((stcb) && netp && *netp) {
 4946                                 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
 4947                                     stcb, *netp);
 4948                         }
 4949                         *offset = length;
 4950                         return (NULL);
 4951                         break;
 4952                 case SCTP_ASCONF:
 4953                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n");
 4954                         /* He's alive so give him credit */
 4955                         if (stcb) {
 4956                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4957                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4958                                             stcb->asoc.overall_error_count,
 4959                                             0,
 4960                                             SCTP_FROM_SCTP_INPUT,
 4961                                             __LINE__);
 4962                                 }
 4963                                 stcb->asoc.overall_error_count = 0;
 4964                                 sctp_handle_asconf(m, *offset,
 4965                                     (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0);
 4966                                 asconf_cnt++;
 4967                         }
 4968                         break;
 4969                 case SCTP_ASCONF_ACK:
 4970                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n");
 4971                         if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) {
 4972                                 /* Its not ours */
 4973                                 if (locked_tcb) {
 4974                                         SCTP_TCB_UNLOCK(locked_tcb);
 4975                                 }
 4976                                 *offset = length;
 4977                                 return (NULL);
 4978                         }
 4979                         if ((stcb) && netp && *netp) {
 4980                                 /* He's alive so give him credit */
 4981                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4982                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4983                                             stcb->asoc.overall_error_count,
 4984                                             0,
 4985                                             SCTP_FROM_SCTP_INPUT,
 4986                                             __LINE__);
 4987                                 }
 4988                                 stcb->asoc.overall_error_count = 0;
 4989                                 sctp_handle_asconf_ack(m, *offset,
 4990                                     (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock);
 4991                                 if (abort_no_unlock)
 4992                                         return (NULL);
 4993                         }
 4994                         break;
 4995                 case SCTP_FORWARD_CUM_TSN:
 4996                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n");
 4997                         if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) {
 4998                                 /* Its not ours */
 4999                                 if (locked_tcb) {
 5000                                         SCTP_TCB_UNLOCK(locked_tcb);
 5001                                 }
 5002                                 *offset = length;
 5003                                 return (NULL);
 5004                         }
 5005                         /* He's alive so give him credit */
 5006                         if (stcb) {
 5007                                 int abort_flag = 0;
 5008 
 5009                                 stcb->asoc.overall_error_count = 0;
 5010                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 5011                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 5012                                             stcb->asoc.overall_error_count,
 5013                                             0,
 5014                                             SCTP_FROM_SCTP_INPUT,
 5015                                             __LINE__);
 5016                                 }
 5017                                 *fwd_tsn_seen = 1;
 5018                                 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 5019                                         /* We are not interested anymore */
 5020 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 5021                                         so = SCTP_INP_SO(inp);
 5022                                         atomic_add_int(&stcb->asoc.refcnt, 1);
 5023                                         SCTP_TCB_UNLOCK(stcb);
 5024                                         SCTP_SOCKET_LOCK(so, 1);
 5025                                         SCTP_TCB_LOCK(stcb);
 5026                                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 5027 #endif
 5028                                         (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29);
 5029 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 5030                                         SCTP_SOCKET_UNLOCK(so, 1);
 5031 #endif
 5032                                         *offset = length;
 5033                                         return (NULL);
 5034                                 }
 5035                                 sctp_handle_forward_tsn(stcb,
 5036                                     (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset);
 5037                                 if (abort_flag) {
 5038                                         *offset = length;
 5039                                         return (NULL);
 5040                                 } else {
 5041                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 5042                                                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 5043                                                     stcb->asoc.overall_error_count,
 5044                                                     0,
 5045                                                     SCTP_FROM_SCTP_INPUT,
 5046                                                     __LINE__);
 5047                                         }
 5048                                         stcb->asoc.overall_error_count = 0;
 5049                                 }
 5050 
 5051                         }
 5052                         break;
 5053                 case SCTP_STREAM_RESET:
 5054                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n");
 5055                         if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) {
 5056                                 /* Its not ours */
 5057                                 if (locked_tcb) {
 5058                                         SCTP_TCB_UNLOCK(locked_tcb);
 5059                                 }
 5060                                 *offset = length;
 5061                                 return (NULL);
 5062                         }
 5063                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 5064                                 /* We are not interested anymore */
 5065 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 5066                                 so = SCTP_INP_SO(inp);
 5067                                 atomic_add_int(&stcb->asoc.refcnt, 1);
 5068                                 SCTP_TCB_UNLOCK(stcb);
 5069                                 SCTP_SOCKET_LOCK(so, 1);
 5070                                 SCTP_TCB_LOCK(stcb);
 5071                                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 5072 #endif
 5073                                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_30);
 5074 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 5075                                 SCTP_SOCKET_UNLOCK(so, 1);
 5076 #endif
 5077                                 *offset = length;
 5078                                 return (NULL);
 5079                         }
 5080                         if (stcb->asoc.peer_supports_strreset == 0) {
 5081                                 /*
 5082                                  * hmm, peer should have announced this, but
 5083                                  * we will turn it on since he is sending us
 5084                                  * a stream reset.
 5085                                  */
 5086                                 stcb->asoc.peer_supports_strreset = 1;
 5087                         }
 5088                         if (sctp_handle_stream_reset(stcb, m, *offset, (struct sctp_stream_reset_out_req *)ch)) {
 5089                                 /* stop processing */
 5090                                 *offset = length;
 5091                                 return (NULL);
 5092                         }
 5093                         break;
 5094                 case SCTP_PACKET_DROPPED:
 5095                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n");
 5096                         /* re-get it all please */
 5097                         if (chk_length < sizeof(struct sctp_pktdrop_chunk)) {
 5098                                 /* Its not ours */
 5099                                 if (locked_tcb) {
 5100                                         SCTP_TCB_UNLOCK(locked_tcb);
 5101                                 }
 5102                                 *offset = length;
 5103                                 return (NULL);
 5104                         }
 5105                         if (ch && (stcb) && netp && (*netp)) {
 5106                                 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
 5107                                     stcb, *netp,
 5108                                     min(chk_length, (sizeof(chunk_buf) - 4)));
 5109 
 5110                         }
 5111                         break;
 5112 
 5113                 case SCTP_AUTHENTICATION:
 5114                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n");
 5115                         if (SCTP_BASE_SYSCTL(sctp_auth_disable))
 5116                                 goto unknown_chunk;
 5117 
 5118                         if (stcb == NULL) {
 5119                                 /* save the first AUTH for later processing */
 5120                                 if (auth_skipped == 0) {
 5121                                         auth_offset = *offset;
 5122                                         auth_len = chk_length;
 5123                                         auth_skipped = 1;
 5124                                 }
 5125                                 /* skip this chunk (temporarily) */
 5126                                 goto next_chunk;
 5127                         }
 5128                         if ((chk_length < (sizeof(struct sctp_auth_chunk))) ||
 5129                             (chk_length > (sizeof(struct sctp_auth_chunk) +
 5130                             SCTP_AUTH_DIGEST_LEN_MAX))) {
 5131                                 /* Its not ours */
 5132                                 if (locked_tcb) {
 5133                                         SCTP_TCB_UNLOCK(locked_tcb);
 5134                                 }
 5135                                 *offset = length;
 5136                                 return (NULL);
 5137                         }
 5138                         if (got_auth == 1) {
 5139                                 /* skip this chunk... it's already auth'd */
 5140                                 goto next_chunk;
 5141                         }
 5142                         got_auth = 1;
 5143                         if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch,
 5144                             m, *offset)) {
 5145                                 /* auth HMAC failed so dump the packet */
 5146                                 *offset = length;
 5147                                 return (stcb);
 5148                         } else {
 5149                                 /* remaining chunks are HMAC checked */
 5150                                 stcb->asoc.authenticated = 1;
 5151                         }
 5152                         break;
 5153 
 5154                 default:
 5155         unknown_chunk:
 5156                         /* it's an unknown chunk! */
 5157                         if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
 5158                                 struct mbuf *mm;
 5159                                 struct sctp_paramhdr *phd;
 5160 
 5161                                 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
 5162                                     0, M_DONTWAIT, 1, MT_DATA);
 5163                                 if (mm) {
 5164                                         phd = mtod(mm, struct sctp_paramhdr *);
 5165                                         /*
 5166                                          * We cheat and use param type since
 5167                                          * we did not bother to define a
 5168                                          * error cause struct. They are the
 5169                                          * same basic format with different
 5170                                          * names.
 5171                                          */
 5172                                         phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK);
 5173                                         phd->param_length = htons(chk_length + sizeof(*phd));
 5174                                         SCTP_BUF_LEN(mm) = sizeof(*phd);
 5175                                         SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length),
 5176                                             M_DONTWAIT);
 5177                                         if (SCTP_BUF_NEXT(mm)) {
 5178 #ifdef SCTP_MBUF_LOGGING
 5179                                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
 5180                                                         struct mbuf *mat;
 5181 
 5182                                                         mat = SCTP_BUF_NEXT(mm);
 5183                                                         while (mat) {
 5184                                                                 if (SCTP_BUF_IS_EXTENDED(mat)) {
 5185                                                                         sctp_log_mb(mat, SCTP_MBUF_ICOPY);
 5186                                                                 }
 5187                                                                 mat = SCTP_BUF_NEXT(mat);
 5188                                                         }
 5189                                                 }
 5190 #endif
 5191                                                 sctp_queue_op_err(stcb, mm);
 5192                                         } else {
 5193                                                 sctp_m_freem(mm);
 5194                                         }
 5195                                 }
 5196                         }
 5197                         if ((ch->chunk_type & 0x80) == 0) {
 5198                                 /* discard this packet */
 5199                                 *offset = length;
 5200                                 return (stcb);
 5201                         }       /* else skip this bad chunk and continue... */
 5202                         break;
 5203                 }               /* switch (ch->chunk_type) */
 5204 
 5205 
 5206 next_chunk:
 5207                 /* get the next chunk */
 5208                 *offset += SCTP_SIZE32(chk_length);
 5209                 if (*offset >= length) {
 5210                         /* no more data left in the mbuf chain */
 5211                         break;
 5212                 }
 5213                 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 5214                     sizeof(struct sctp_chunkhdr), chunk_buf);
 5215                 if (ch == NULL) {
 5216                         if (locked_tcb) {
 5217                                 SCTP_TCB_UNLOCK(locked_tcb);
 5218                         }
 5219                         *offset = length;
 5220                         return (NULL);
 5221                 }
 5222         }                       /* while */
 5223 
 5224         if (asconf_cnt > 0 && stcb != NULL) {
 5225                 sctp_send_asconf_ack(stcb);
 5226         }
 5227         return (stcb);
 5228 }
 5229 
 5230 
 5231 /*
 5232  * Process the ECN bits we have something set so we must look to see if it is
 5233  * ECN(0) or ECN(1) or CE
 5234  */
 5235 static void
 5236 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net,
 5237     uint8_t ecn_bits)
 5238 {
 5239         if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
 5240                 ;
 5241         } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) {
 5242                 /*
 5243                  * we only add to the nonce sum for ECT1, ECT0 does not
 5244                  * change the NS bit (that we have yet to find a way to send
 5245                  * it yet).
 5246                  */
 5247 
 5248                 /* ECN Nonce stuff */
 5249                 stcb->asoc.receiver_nonce_sum++;
 5250                 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM;
 5251 
 5252                 /*
 5253                  * Drag up the last_echo point if cumack is larger since we
 5254                  * don't want the point falling way behind by more than
 5255                  * 2^^31 and then having it be incorrect.
 5256                  */
 5257                 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
 5258                     stcb->asoc.last_echo_tsn, MAX_TSN)) {
 5259                         stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
 5260                 }
 5261         } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) {
 5262                 /*
 5263                  * Drag up the last_echo point if cumack is larger since we
 5264                  * don't want the point falling way behind by more than
 5265                  * 2^^31 and then having it be incorrect.
 5266                  */
 5267                 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
 5268                     stcb->asoc.last_echo_tsn, MAX_TSN)) {
 5269                         stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
 5270                 }
 5271         }
 5272 }
 5273 
 5274 static void
 5275 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net,
 5276     uint32_t high_tsn, uint8_t ecn_bits)
 5277 {
 5278         if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
 5279                 /*
 5280                  * we possibly must notify the sender that a congestion
 5281                  * window reduction is in order. We do this by adding a ECNE
 5282                  * chunk to the output chunk queue. The incoming CWR will
 5283                  * remove this chunk.
 5284                  */
 5285                 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn,
 5286                     MAX_TSN)) {
 5287                         /* Yep, we need to add a ECNE */
 5288                         sctp_send_ecn_echo(stcb, net, high_tsn);
 5289                         stcb->asoc.last_echo_tsn = high_tsn;
 5290                 }
 5291         }
 5292 }
 5293 
 5294 #ifdef INVARIANTS
 5295 static void
 5296 sctp_validate_no_locks(struct sctp_inpcb *inp)
 5297 {
 5298         struct sctp_tcb *stcb;
 5299 
 5300         LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
 5301                 if (mtx_owned(&stcb->tcb_mtx)) {
 5302                         panic("Own lock on stcb at return from input");
 5303                 }
 5304         }
 5305 }
 5306 
 5307 #endif
 5308 
 5309 /*
 5310  * common input chunk processing (v4 and v6)
 5311  */
 5312 void
 5313 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset,
 5314     int length, struct sctphdr *sh, struct sctp_chunkhdr *ch,
 5315     struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
 5316     uint8_t ecn_bits, uint32_t vrf_id, uint16_t port)
 5317 {
 5318         /*
 5319          * Control chunk processing
 5320          */
 5321         uint32_t high_tsn;
 5322         int fwd_tsn_seen = 0, data_processed = 0;
 5323         struct mbuf *m = *mm;
 5324         int abort_flag = 0;
 5325         int un_sent;
 5326 
 5327         SCTP_STAT_INCR(sctps_recvdatagrams);
 5328 #ifdef SCTP_AUDITING_ENABLED
 5329         sctp_audit_log(0xE0, 1);
 5330         sctp_auditing(0, inp, stcb, net);
 5331 #endif
 5332 
 5333         SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n",
 5334             m, iphlen, offset, length, stcb);
 5335         if (stcb) {
 5336                 /* always clear this before beginning a packet */
 5337                 stcb->asoc.authenticated = 0;
 5338                 stcb->asoc.seen_a_sack_this_pkt = 0;
 5339                 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n",
 5340                     stcb, stcb->asoc.state);
 5341 
 5342                 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) ||
 5343                     (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) {
 5344                         /*-
 5345                          * If we hit here, we had a ref count
 5346                          * up when the assoc was aborted and the
 5347                          * timer is clearing out the assoc, we should
 5348                          * NOT respond to any packet.. its OOTB.
 5349                          */
 5350                         SCTP_TCB_UNLOCK(stcb);
 5351                         sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
 5352                             vrf_id, port);
 5353                         goto out_now;
 5354                 }
 5355         }
 5356         if (IS_SCTP_CONTROL(ch)) {
 5357                 /* process the control portion of the SCTP packet */
 5358                 /* sa_ignore NO_NULL_CHK */
 5359                 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch,
 5360                     inp, stcb, &net, &fwd_tsn_seen, vrf_id, port);
 5361                 if (stcb) {
 5362                         /*
 5363                          * This covers us if the cookie-echo was there and
 5364                          * it changes our INP.
 5365                          */
 5366                         inp = stcb->sctp_ep;
 5367                         if ((net) && (port)) {
 5368                                 if (net->port == 0) {
 5369                                         sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
 5370                                 }
 5371                                 net->port = port;
 5372                         }
 5373                 }
 5374         } else {
 5375                 /*
 5376                  * no control chunks, so pre-process DATA chunks (these
 5377                  * checks are taken care of by control processing)
 5378                  */
 5379 
 5380                 /*
 5381                  * if DATA only packet, and auth is required, then punt...
 5382                  * can't have authenticated without any AUTH (control)
 5383                  * chunks
 5384                  */
 5385                 if ((stcb != NULL) &&
 5386                     !SCTP_BASE_SYSCTL(sctp_auth_disable) &&
 5387                     sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) {
 5388                         /* "silently" ignore */
 5389                         SCTP_STAT_INCR(sctps_recvauthmissing);
 5390                         SCTP_TCB_UNLOCK(stcb);
 5391                         goto out_now;
 5392                 }
 5393                 if (stcb == NULL) {
 5394                         /* out of the blue DATA chunk */
 5395                         sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
 5396                             vrf_id, port);
 5397                         goto out_now;
 5398                 }
 5399                 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
 5400                         /* v_tag mismatch! */
 5401                         SCTP_STAT_INCR(sctps_badvtag);
 5402                         SCTP_TCB_UNLOCK(stcb);
 5403                         goto out_now;
 5404                 }
 5405         }
 5406 
 5407         if (stcb == NULL) {
 5408                 /*
 5409                  * no valid TCB for this packet, or we found it's a bad
 5410                  * packet while processing control, or we're done with this
 5411                  * packet (done or skip rest of data), so we drop it...
 5412                  */
 5413                 goto out_now;
 5414         }
 5415         /*
 5416          * DATA chunk processing
 5417          */
 5418         /* plow through the data chunks while length > offset */
 5419 
 5420         /*
 5421          * Rest should be DATA only.  Check authentication state if AUTH for
 5422          * DATA is required.
 5423          */
 5424         if ((length > offset) &&
 5425             (stcb != NULL) &&
 5426             !SCTP_BASE_SYSCTL(sctp_auth_disable) &&
 5427             sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) &&
 5428             !stcb->asoc.authenticated) {
 5429                 /* "silently" ignore */
 5430                 SCTP_STAT_INCR(sctps_recvauthmissing);
 5431                 SCTPDBG(SCTP_DEBUG_AUTH1,
 5432                     "Data chunk requires AUTH, skipped\n");
 5433                 goto trigger_send;
 5434         }
 5435         if (length > offset) {
 5436                 int retval;
 5437 
 5438                 /*
 5439                  * First check to make sure our state is correct. We would
 5440                  * not get here unless we really did have a tag, so we don't
 5441                  * abort if this happens, just dump the chunk silently.
 5442                  */
 5443                 switch (SCTP_GET_STATE(&stcb->asoc)) {
 5444                 case SCTP_STATE_COOKIE_ECHOED:
 5445                         /*
 5446                          * we consider data with valid tags in this state
 5447                          * shows us the cookie-ack was lost. Imply it was
 5448                          * there.
 5449                          */
 5450                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 5451                                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 5452                                     stcb->asoc.overall_error_count,
 5453                                     0,
 5454                                     SCTP_FROM_SCTP_INPUT,
 5455                                     __LINE__);
 5456                         }
 5457                         stcb->asoc.overall_error_count = 0;
 5458                         sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net);
 5459                         break;
 5460                 case SCTP_STATE_COOKIE_WAIT:
 5461                         /*
 5462                          * We consider OOTB any data sent during asoc setup.
 5463                          */
 5464                         sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
 5465                             vrf_id, port);
 5466                         SCTP_TCB_UNLOCK(stcb);
 5467                         goto out_now;
 5468                         /* sa_ignore NOTREACHED */
 5469                         break;
 5470                 case SCTP_STATE_EMPTY:  /* should not happen */
 5471                 case SCTP_STATE_INUSE:  /* should not happen */
 5472                 case SCTP_STATE_SHUTDOWN_RECEIVED:      /* This is a peer error */
 5473                 case SCTP_STATE_SHUTDOWN_ACK_SENT:
 5474                 default:
 5475                         SCTP_TCB_UNLOCK(stcb);
 5476                         goto out_now;
 5477                         /* sa_ignore NOTREACHED */
 5478                         break;
 5479                 case SCTP_STATE_OPEN:
 5480                 case SCTP_STATE_SHUTDOWN_SENT:
 5481                         break;
 5482                 }
 5483                 /* take care of ECN, part 1. */
 5484                 if (stcb->asoc.ecn_allowed &&
 5485                     (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
 5486                         sctp_process_ecn_marked_a(stcb, net, ecn_bits);
 5487                 }
 5488                 /* plow through the data chunks while length > offset */
 5489                 retval = sctp_process_data(mm, iphlen, &offset, length, sh,
 5490                     inp, stcb, net, &high_tsn);
 5491                 if (retval == 2) {
 5492                         /*
 5493                          * The association aborted, NO UNLOCK needed since
 5494                          * the association is destroyed.
 5495                          */
 5496                         goto out_now;
 5497                 }
 5498                 data_processed = 1;
 5499                 if (retval == 0) {
 5500                         /* take care of ecn part 2. */
 5501                         if (stcb->asoc.ecn_allowed &&
 5502                             (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
 5503                                 sctp_process_ecn_marked_b(stcb, net, high_tsn,
 5504                                     ecn_bits);
 5505                         }
 5506                 }
 5507                 /*
 5508                  * Anything important needs to have been m_copy'ed in
 5509                  * process_data
 5510                  */
 5511         }
 5512         if ((data_processed == 0) && (fwd_tsn_seen)) {
 5513                 int was_a_gap = 0;
 5514 
 5515                 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map,
 5516                     stcb->asoc.cumulative_tsn, MAX_TSN)) {
 5517                         /* there was a gap before this data was processed */
 5518                         was_a_gap = 1;
 5519                 }
 5520                 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag);
 5521                 if (abort_flag) {
 5522                         /* Again, we aborted so NO UNLOCK needed */
 5523                         goto out_now;
 5524                 }
 5525         }
 5526         /* trigger send of any chunks in queue... */
 5527 trigger_send:
 5528 #ifdef SCTP_AUDITING_ENABLED
 5529         sctp_audit_log(0xE0, 2);
 5530         sctp_auditing(1, inp, stcb, net);
 5531 #endif
 5532         SCTPDBG(SCTP_DEBUG_INPUT1,
 5533             "Check for chunk output prw:%d tqe:%d tf=%d\n",
 5534             stcb->asoc.peers_rwnd,
 5535             TAILQ_EMPTY(&stcb->asoc.control_send_queue),
 5536             stcb->asoc.total_flight);
 5537         un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
 5538 
 5539         if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) ||
 5540             ((un_sent) &&
 5541             (stcb->asoc.peers_rwnd > 0 ||
 5542             (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) {
 5543                 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n");
 5544                 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
 5545                 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n");
 5546         }
 5547 #ifdef SCTP_AUDITING_ENABLED
 5548         sctp_audit_log(0xE0, 3);
 5549         sctp_auditing(2, inp, stcb, net);
 5550 #endif
 5551         SCTP_TCB_UNLOCK(stcb);
 5552 out_now:
 5553 #ifdef INVARIANTS
 5554         sctp_validate_no_locks(inp);
 5555 #endif
 5556         return;
 5557 }
 5558 
 5559 #if 0
 5560 static void
 5561 sctp_print_mbuf_chain(struct mbuf *m)
 5562 {
 5563         for (; m; m = SCTP_BUF_NEXT(m)) {
 5564                 printf("%p: m_len = %ld\n", m, SCTP_BUF_LEN(m));
 5565                 if (SCTP_BUF_IS_EXTENDED(m))
 5566                         printf("%p: extend_size = %d\n", m, SCTP_BUF_EXTEND_SIZE(m));
 5567         }
 5568 }
 5569 
 5570 #endif
 5571 
 5572 void
 5573 sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port)
 5574 {
 5575 #ifdef SCTP_MBUF_LOGGING
 5576         struct mbuf *mat;
 5577 
 5578 #endif
 5579         struct mbuf *m;
 5580         int iphlen;
 5581         uint32_t vrf_id = 0;
 5582         uint8_t ecn_bits;
 5583         struct ip *ip;
 5584         struct sctphdr *sh;
 5585         struct sctp_inpcb *inp = NULL;
 5586 
 5587         uint32_t check, calc_check;
 5588         struct sctp_nets *net;
 5589         struct sctp_tcb *stcb = NULL;
 5590         struct sctp_chunkhdr *ch;
 5591         int refcount_up = 0;
 5592         int length, mlen, offset;
 5593 
 5594 
 5595         if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) {
 5596                 SCTP_RELEASE_PKT(i_pak);
 5597                 return;
 5598         }
 5599         mlen = SCTP_HEADER_LEN(i_pak);
 5600         iphlen = off;
 5601         m = SCTP_HEADER_TO_CHAIN(i_pak);
 5602 
 5603         net = NULL;
 5604         SCTP_STAT_INCR(sctps_recvpackets);
 5605         SCTP_STAT_INCR_COUNTER64(sctps_inpackets);
 5606 
 5607 
 5608 #ifdef SCTP_MBUF_LOGGING
 5609         /* Log in any input mbufs */
 5610         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
 5611                 mat = m;
 5612                 while (mat) {
 5613                         if (SCTP_BUF_IS_EXTENDED(mat)) {
 5614                                 sctp_log_mb(mat, SCTP_MBUF_INPUT);
 5615                         }
 5616                         mat = SCTP_BUF_NEXT(mat);
 5617                 }
 5618         }
 5619 #endif
 5620 #ifdef  SCTP_PACKET_LOGGING
 5621         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
 5622                 sctp_packet_log(m, mlen);
 5623 #endif
 5624         /*
 5625          * Must take out the iphlen, since mlen expects this (only effect lb
 5626          * case)
 5627          */
 5628         mlen -= iphlen;
 5629 
 5630         /*
 5631          * Get IP, SCTP, and first chunk header together in first mbuf.
 5632          */
 5633         ip = mtod(m, struct ip *);
 5634         offset = iphlen + sizeof(*sh) + sizeof(*ch);
 5635         if (SCTP_BUF_LEN(m) < offset) {
 5636                 if ((m = m_pullup(m, offset)) == 0) {
 5637                         SCTP_STAT_INCR(sctps_hdrops);
 5638                         return;
 5639                 }
 5640                 ip = mtod(m, struct ip *);
 5641         }
 5642         sh = (struct sctphdr *)((caddr_t)ip + iphlen);
 5643         ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh));
 5644         SCTPDBG(SCTP_DEBUG_INPUT1,
 5645             "sctp_input() length:%d iphlen:%d\n", mlen, iphlen);
 5646 
 5647         /* SCTP does not allow broadcasts or multicasts */
 5648         if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
 5649                 goto bad;
 5650         }
 5651         if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) {
 5652                 /*
 5653                  * We only look at broadcast if its a front state, All
 5654                  * others we will not have a tcb for anyway.
 5655                  */
 5656                 goto bad;
 5657         }
 5658         /* validate SCTP checksum */
 5659         check = sh->checksum;   /* save incoming checksum */
 5660         if ((check == 0) && (SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback)) &&
 5661             ((ip->ip_src.s_addr == ip->ip_dst.s_addr) ||
 5662             (SCTP_IS_IT_LOOPBACK(m)))
 5663             ) {
 5664                 goto sctp_skip_csum_4;
 5665         }
 5666         sh->checksum = 0;       /* prepare for calc */
 5667         calc_check = sctp_calculate_sum(m, &mlen, iphlen);
 5668         if (calc_check != check) {
 5669                 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x  m:%p mlen:%d iphlen:%d\n",
 5670                     calc_check, check, m, mlen, iphlen);
 5671 
 5672                 stcb = sctp_findassociation_addr(m, iphlen,
 5673                     offset - sizeof(*ch),
 5674                     sh, ch, &inp, &net,
 5675                     vrf_id);
 5676                 if ((net) && (port)) {
 5677                         if (net->port == 0) {
 5678                                 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
 5679                         }
 5680                         net->port = port;
 5681                 }
 5682                 if ((inp) && (stcb)) {
 5683                         sctp_send_packet_dropped(stcb, net, m, iphlen, 1);
 5684                         sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED);
 5685                 } else if ((inp != NULL) && (stcb == NULL)) {
 5686                         refcount_up = 1;
 5687                 }
 5688                 SCTP_STAT_INCR(sctps_badsum);
 5689                 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors);
 5690                 goto bad;
 5691         }
 5692         sh->checksum = calc_check;
 5693 sctp_skip_csum_4:
 5694         /* destination port of 0 is illegal, based on RFC2960. */
 5695         if (sh->dest_port == 0) {
 5696                 SCTP_STAT_INCR(sctps_hdrops);
 5697                 goto bad;
 5698         }
 5699         /* validate mbuf chain length with IP payload length */
 5700         if (mlen < (SCTP_GET_IPV4_LENGTH(ip) - iphlen)) {
 5701                 SCTP_STAT_INCR(sctps_hdrops);
 5702                 goto bad;
 5703         }
 5704         /*
 5705          * Locate pcb and tcb for datagram sctp_findassociation_addr() wants
 5706          * IP/SCTP/first chunk header...
 5707          */
 5708         stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch),
 5709             sh, ch, &inp, &net, vrf_id);
 5710         if ((net) && (port)) {
 5711                 if (net->port == 0) {
 5712                         sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
 5713                 }
 5714                 net->port = port;
 5715         }
 5716         /* inp's ref-count increased && stcb locked */
 5717         if (inp == NULL) {
 5718                 struct sctp_init_chunk *init_chk, chunk_buf;
 5719 
 5720                 SCTP_STAT_INCR(sctps_noport);
 5721 #ifdef ICMP_BANDLIM
 5722                 /*
 5723                  * we use the bandwidth limiting to protect against sending
 5724                  * too many ABORTS all at once. In this case these count the
 5725                  * same as an ICMP message.
 5726                  */
 5727                 if (badport_bandlim(0) < 0)
 5728                         goto bad;
 5729 #endif                          /* ICMP_BANDLIM */
 5730                 SCTPDBG(SCTP_DEBUG_INPUT1,
 5731                     "Sending a ABORT from packet entry!\n");
 5732                 if (ch->chunk_type == SCTP_INITIATION) {
 5733                         /*
 5734                          * we do a trick here to get the INIT tag, dig in
 5735                          * and get the tag from the INIT and put it in the
 5736                          * common header.
 5737                          */
 5738                         init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m,
 5739                             iphlen + sizeof(*sh), sizeof(*init_chk),
 5740                             (uint8_t *) & chunk_buf);
 5741                         if (init_chk != NULL)
 5742                                 sh->v_tag = init_chk->init.initiate_tag;
 5743                 }
 5744                 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
 5745                         sctp_send_shutdown_complete2(m, iphlen, sh, vrf_id, port);
 5746                         goto bad;
 5747                 }
 5748                 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) {
 5749                         goto bad;
 5750                 }
 5751                 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION)
 5752                         sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id, port);
 5753                 goto bad;
 5754         } else if (stcb == NULL) {
 5755                 refcount_up = 1;
 5756         }
 5757 #ifdef IPSEC
 5758         /*
 5759          * I very much doubt any of the IPSEC stuff will work but I have no
 5760          * idea, so I will leave it in place.
 5761          */
 5762         if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) {
 5763                 MODULE_GLOBAL(MOD_IPSEC, ipsec4stat).in_polvio++;
 5764                 SCTP_STAT_INCR(sctps_hdrops);
 5765                 goto bad;
 5766         }
 5767 #endif                          /* IPSEC */
 5768 
 5769         /*
 5770          * common chunk processing
 5771          */
 5772         length = ip->ip_len + iphlen;
 5773         offset -= sizeof(struct sctp_chunkhdr);
 5774 
 5775         ecn_bits = ip->ip_tos;
 5776 
 5777         /* sa_ignore NO_NULL_CHK */
 5778         sctp_common_input_processing(&m, iphlen, offset, length, sh, ch,
 5779             inp, stcb, net, ecn_bits, vrf_id, port);
 5780         /* inp's ref-count reduced && stcb unlocked */
 5781         if (m) {
 5782                 sctp_m_freem(m);
 5783         }
 5784         if ((inp) && (refcount_up)) {
 5785                 /* reduce ref-count */
 5786                 SCTP_INP_DECR_REF(inp);
 5787         }
 5788         return;
 5789 bad:
 5790         if (stcb) {
 5791                 SCTP_TCB_UNLOCK(stcb);
 5792         }
 5793         if ((inp) && (refcount_up)) {
 5794                 /* reduce ref-count */
 5795                 SCTP_INP_DECR_REF(inp);
 5796         }
 5797         if (m) {
 5798                 sctp_m_freem(m);
 5799         }
 5800         return;
 5801 }
 5802 void
 5803 sctp_input(i_pak, off)
 5804         struct mbuf *i_pak;
 5805         int off;
 5806 {
 5807         sctp_input_with_port(i_pak, off, 0);
 5808 }

Cache object: 2a49c3e889282de18da58941a952578d


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.