The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet/sctp_input.c

Version: -  FREEBSD  -  FREEBSD11  -  FREEBSD10  -  FREEBSD9  -  FREEBSD92  -  FREEBSD91  -  FREEBSD90  -  FREEBSD8  -  FREEBSD82  -  FREEBSD81  -  FREEBSD80  -  FREEBSD7  -  FREEBSD74  -  FREEBSD73  -  FREEBSD72  -  FREEBSD71  -  FREEBSD70  -  FREEBSD6  -  FREEBSD64  -  FREEBSD63  -  FREEBSD62  -  FREEBSD61  -  FREEBSD60  -  FREEBSD5  -  FREEBSD55  -  FREEBSD54  -  FREEBSD53  -  FREEBSD52  -  FREEBSD51  -  FREEBSD50  -  FREEBSD4  -  FREEBSD3  -  FREEBSD22  -  linux-2.6  -  linux-2.4.22  -  MK83  -  MK84  -  PLAN9  -  DFBSD  -  NETBSD  -  NETBSD5  -  NETBSD4  -  NETBSD3  -  NETBSD20  -  OPENBSD  -  xnu-517  -  xnu-792  -  xnu-792.6.70  -  xnu-1228  -  xnu-1456.1.26  -  xnu-1699.24.8  -  xnu-2050.18.24  -  OPENSOLARIS  -  minix-3-1-1 
SearchContext: -  none  -  3  -  10 

    1 /*-
    2  * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
    3  *
    4  * Redistribution and use in source and binary forms, with or without
    5  * modification, are permitted provided that the following conditions are met:
    6  *
    7  * a) Redistributions of source code must retain the above copyright notice,
    8  *   this list of conditions and the following disclaimer.
    9  *
   10  * b) Redistributions in binary form must reproduce the above copyright
   11  *    notice, this list of conditions and the following disclaimer in
   12  *   the documentation and/or other materials provided with the distribution.
   13  *
   14  * c) Neither the name of Cisco Systems, Inc. nor the names of its
   15  *    contributors may be used to endorse or promote products derived
   16  *    from this software without specific prior written permission.
   17  *
   18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
   20  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   21  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
   22  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
   23  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
   24  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
   25  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
   26  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   27  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
   28  * THE POSSIBILITY OF SUCH DAMAGE.
   29  */
   30 
   31 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $   */
   32 
   33 #include <sys/cdefs.h>
   34 __FBSDID("$FreeBSD: stable/7/sys/netinet/sctp_input.c 199562 2009-11-19 22:59:35Z tuexen $");
   35 
   36 #include <netinet/sctp_os.h>
   37 #include <netinet/sctp_var.h>
   38 #include <netinet/sctp_sysctl.h>
   39 #include <netinet/sctp_pcb.h>
   40 #include <netinet/sctp_header.h>
   41 #include <netinet/sctputil.h>
   42 #include <netinet/sctp_output.h>
   43 #include <netinet/sctp_input.h>
   44 #include <netinet/sctp_auth.h>
   45 #include <netinet/sctp_indata.h>
   46 #include <netinet/sctp_asconf.h>
   47 #include <netinet/sctp_bsd_addr.h>
   48 #include <netinet/sctp_timer.h>
   49 #include <netinet/udp.h>
   50 
   51 
   52 
   53 static void
   54 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb)
   55 {
   56         struct sctp_nets *net;
   57 
   58         /*
   59          * This now not only stops all cookie timers it also stops any INIT
   60          * timers as well. This will make sure that the timers are stopped
   61          * in all collision cases.
   62          */
   63         SCTP_TCB_LOCK_ASSERT(stcb);
   64         TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
   65                 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) {
   66                         sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
   67                             stcb->sctp_ep,
   68                             stcb,
   69                             net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1);
   70                 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) {
   71                         sctp_timer_stop(SCTP_TIMER_TYPE_INIT,
   72                             stcb->sctp_ep,
   73                             stcb,
   74                             net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2);
   75                 }
   76         }
   77 }
   78 
   79 /* INIT handler */
   80 static void
   81 sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh,
   82     struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
   83     struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, uint16_t port)
   84 {
   85         struct sctp_init *init;
   86         struct mbuf *op_err;
   87         uint32_t init_limit;
   88 
   89         SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n",
   90             stcb);
   91         if (stcb == NULL) {
   92                 SCTP_INP_RLOCK(inp);
   93                 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
   94                         goto outnow;
   95                 }
   96         }
   97         op_err = NULL;
   98         init = &cp->init;
   99         /* First are we accepting? */
  100         if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) {
  101                 SCTPDBG(SCTP_DEBUG_INPUT2,
  102                     "sctp_handle_init: Abort, so_qlimit:%d\n",
  103                     inp->sctp_socket->so_qlimit);
  104                 /*
  105                  * FIX ME ?? What about TCP model and we have a
  106                  * match/restart case? Actually no fix is needed. the lookup
  107                  * will always find the existing assoc so stcb would not be
  108                  * NULL. It may be questionable to do this since we COULD
  109                  * just send back the INIT-ACK and hope that the app did
  110                  * accept()'s by the time the COOKIE was sent. But there is
  111                  * a price to pay for COOKIE generation and I don't want to
  112                  * pay it on the chance that the app will actually do some
  113                  * accepts(). The App just looses and should NOT be in this
  114                  * state :-)
  115                  */
  116                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  117                     vrf_id, port);
  118                 if (stcb)
  119                         *abort_no_unlock = 1;
  120                 goto outnow;
  121         }
  122         if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) {
  123                 /* Invalid length */
  124                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  125                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  126                     vrf_id, port);
  127                 if (stcb)
  128                         *abort_no_unlock = 1;
  129                 goto outnow;
  130         }
  131         /* validate parameters */
  132         if (init->initiate_tag == 0) {
  133                 /* protocol error... send abort */
  134                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  135                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  136                     vrf_id, port);
  137                 if (stcb)
  138                         *abort_no_unlock = 1;
  139                 goto outnow;
  140         }
  141         if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) {
  142                 /* invalid parameter... send abort */
  143                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  144                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  145                     vrf_id, port);
  146                 if (stcb)
  147                         *abort_no_unlock = 1;
  148                 goto outnow;
  149         }
  150         if (init->num_inbound_streams == 0) {
  151                 /* protocol error... send abort */
  152                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  153                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  154                     vrf_id, port);
  155                 if (stcb)
  156                         *abort_no_unlock = 1;
  157                 goto outnow;
  158         }
  159         if (init->num_outbound_streams == 0) {
  160                 /* protocol error... send abort */
  161                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
  162                 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err,
  163                     vrf_id, port);
  164                 if (stcb)
  165                         *abort_no_unlock = 1;
  166                 goto outnow;
  167         }
  168         init_limit = offset + ntohs(cp->ch.chunk_length);
  169         if (sctp_validate_init_auth_params(m, offset + sizeof(*cp),
  170             init_limit)) {
  171                 /* auth parameter(s) error... send abort */
  172                 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id, port);
  173                 if (stcb)
  174                         *abort_no_unlock = 1;
  175                 goto outnow;
  176         }
  177         /* send an INIT-ACK w/cookie */
  178         SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n");
  179         sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id, port,
  180             ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED));
  181 outnow:
  182         if (stcb == NULL) {
  183                 SCTP_INP_RUNLOCK(inp);
  184         }
  185 }
  186 
  187 /*
  188  * process peer "INIT/INIT-ACK" chunk returns value < 0 on error
  189  */
  190 
  191 int
  192 sctp_is_there_unsent_data(struct sctp_tcb *stcb)
  193 {
  194         int unsent_data = 0;
  195         struct sctp_stream_queue_pending *sp;
  196         struct sctp_stream_out *strq;
  197         struct sctp_association *asoc;
  198 
  199         /*
  200          * This function returns the number of streams that have true unsent
  201          * data on them. Note that as it looks through it will clean up any
  202          * places that have old data that has been sent but left at top of
  203          * stream queue.
  204          */
  205         asoc = &stcb->asoc;
  206         SCTP_TCB_SEND_LOCK(stcb);
  207         if (!TAILQ_EMPTY(&asoc->out_wheel)) {
  208                 /* Check to see if some data queued */
  209                 TAILQ_FOREACH(strq, &asoc->out_wheel, next_spoke) {
  210         is_there_another:
  211                         /* sa_ignore FREED_MEMORY */
  212                         sp = TAILQ_FIRST(&strq->outqueue);
  213                         if (sp == NULL) {
  214                                 continue;
  215                         }
  216                         if ((sp->msg_is_complete) &&
  217                             (sp->length == 0) &&
  218                             (sp->sender_all_done)) {
  219                                 /*
  220                                  * We are doing differed cleanup. Last time
  221                                  * through when we took all the data the
  222                                  * sender_all_done was not set.
  223                                  */
  224                                 if (sp->put_last_out == 0) {
  225                                         SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
  226                                         SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
  227                                             sp->sender_all_done,
  228                                             sp->length,
  229                                             sp->msg_is_complete,
  230                                             sp->put_last_out);
  231                                 }
  232                                 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
  233                                 TAILQ_REMOVE(&strq->outqueue, sp, next);
  234                                 sctp_free_remote_addr(sp->net);
  235                                 if (sp->data) {
  236                                         sctp_m_freem(sp->data);
  237                                         sp->data = NULL;
  238                                 }
  239                                 sctp_free_a_strmoq(stcb, sp);
  240                                 goto is_there_another;
  241                         } else {
  242                                 unsent_data++;
  243                                 continue;
  244                         }
  245                 }
  246         }
  247         SCTP_TCB_SEND_UNLOCK(stcb);
  248         return (unsent_data);
  249 }
  250 
  251 static int
  252 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb,
  253     struct sctp_nets *net)
  254 {
  255         struct sctp_init *init;
  256         struct sctp_association *asoc;
  257         struct sctp_nets *lnet;
  258         unsigned int i;
  259 
  260         init = &cp->init;
  261         asoc = &stcb->asoc;
  262         /* save off parameters */
  263         asoc->peer_vtag = ntohl(init->initiate_tag);
  264         asoc->peers_rwnd = ntohl(init->a_rwnd);
  265         if (TAILQ_FIRST(&asoc->nets)) {
  266                 /* update any ssthresh's that may have a default */
  267                 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
  268                         lnet->ssthresh = asoc->peers_rwnd;
  269 
  270                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) {
  271                                 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION);
  272                         }
  273                 }
  274         }
  275         SCTP_TCB_SEND_LOCK(stcb);
  276         if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
  277                 unsigned int newcnt;
  278                 struct sctp_stream_out *outs;
  279                 struct sctp_stream_queue_pending *sp;
  280 
  281                 /* cut back on number of streams */
  282                 newcnt = ntohs(init->num_inbound_streams);
  283                 /* This if is probably not needed but I am cautious */
  284                 if (asoc->strmout) {
  285                         /* First make sure no data chunks are trapped */
  286                         for (i = newcnt; i < asoc->pre_open_streams; i++) {
  287                                 outs = &asoc->strmout[i];
  288                                 sp = TAILQ_FIRST(&outs->outqueue);
  289                                 while (sp) {
  290                                         TAILQ_REMOVE(&outs->outqueue, sp,
  291                                             next);
  292                                         asoc->stream_queue_cnt--;
  293                                         sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL,
  294                                             stcb, SCTP_NOTIFY_DATAGRAM_UNSENT,
  295                                             sp, SCTP_SO_NOT_LOCKED);
  296                                         if (sp->data) {
  297                                                 sctp_m_freem(sp->data);
  298                                                 sp->data = NULL;
  299                                         }
  300                                         sctp_free_remote_addr(sp->net);
  301                                         sp->net = NULL;
  302                                         /* Free the chunk */
  303                                         SCTP_PRINTF("sp:%p tcb:%p weird free case\n",
  304                                             sp, stcb);
  305 
  306                                         sctp_free_a_strmoq(stcb, sp);
  307                                         /* sa_ignore FREED_MEMORY */
  308                                         sp = TAILQ_FIRST(&outs->outqueue);
  309                                 }
  310                         }
  311                 }
  312                 /* cut back the count and abandon the upper streams */
  313                 asoc->pre_open_streams = newcnt;
  314         }
  315         SCTP_TCB_SEND_UNLOCK(stcb);
  316         asoc->streamoutcnt = asoc->pre_open_streams;
  317         /* init tsn's */
  318         asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
  319         /* EY - nr_sack: initialize highest tsn in nr_mapping_array */
  320         asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
  321         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
  322                 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
  323         }
  324         /* This is the next one we expect */
  325         asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
  326 
  327         asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
  328         /*
  329          * EY 05/13/08 - nr_sack: initialize nr_mapping array's base tsn
  330          * like above
  331          */
  332         asoc->nr_mapping_array_base_tsn = ntohl(init->initial_tsn);
  333         asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in;
  334         asoc->last_echo_tsn = asoc->asconf_seq_in;
  335         asoc->advanced_peer_ack_point = asoc->last_acked_seq;
  336         /* open the requested streams */
  337 
  338         if (asoc->strmin != NULL) {
  339                 /* Free the old ones */
  340                 struct sctp_queued_to_read *ctl;
  341 
  342                 for (i = 0; i < asoc->streamincnt; i++) {
  343                         ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
  344                         while (ctl) {
  345                                 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next);
  346                                 sctp_free_remote_addr(ctl->whoFrom);
  347                                 ctl->whoFrom = NULL;
  348                                 sctp_m_freem(ctl->data);
  349                                 ctl->data = NULL;
  350                                 sctp_free_a_readq(stcb, ctl);
  351                                 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue);
  352                         }
  353                 }
  354                 SCTP_FREE(asoc->strmin, SCTP_M_STRMI);
  355         }
  356         asoc->streamincnt = ntohs(init->num_outbound_streams);
  357         if (asoc->streamincnt > MAX_SCTP_STREAMS) {
  358                 asoc->streamincnt = MAX_SCTP_STREAMS;
  359         }
  360         SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt *
  361             sizeof(struct sctp_stream_in), SCTP_M_STRMI);
  362         if (asoc->strmin == NULL) {
  363                 /* we didn't get memory for the streams! */
  364                 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n");
  365                 return (-1);
  366         }
  367         for (i = 0; i < asoc->streamincnt; i++) {
  368                 asoc->strmin[i].stream_no = i;
  369                 asoc->strmin[i].last_sequence_delivered = 0xffff;
  370                 /*
  371                  * U-stream ranges will be set when the cookie is unpacked.
  372                  * Or for the INIT sender they are un set (if pr-sctp not
  373                  * supported) when the INIT-ACK arrives.
  374                  */
  375                 TAILQ_INIT(&asoc->strmin[i].inqueue);
  376                 asoc->strmin[i].delivery_started = 0;
  377         }
  378         /*
  379          * load_address_from_init will put the addresses into the
  380          * association when the COOKIE is processed or the INIT-ACK is
  381          * processed. Both types of COOKIE's existing and new call this
  382          * routine. It will remove addresses that are no longer in the
  383          * association (for the restarting case where addresses are
  384          * removed). Up front when the INIT arrives we will discard it if it
  385          * is a restart and new addresses have been added.
  386          */
  387         /* sa_ignore MEMLEAK */
  388         return (0);
  389 }
  390 
  391 /*
  392  * INIT-ACK message processing/consumption returns value < 0 on error
  393  */
  394 static int
  395 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
  396     struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
  397     struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id)
  398 {
  399         struct sctp_association *asoc;
  400         struct mbuf *op_err;
  401         int retval, abort_flag;
  402         uint32_t initack_limit;
  403         int nat_friendly = 0;
  404 
  405         /* First verify that we have no illegal param's */
  406         abort_flag = 0;
  407         op_err = NULL;
  408 
  409         op_err = sctp_arethere_unrecognized_parameters(m,
  410             (offset + sizeof(struct sctp_init_chunk)),
  411             &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly);
  412         if (abort_flag) {
  413                 /* Send an abort and notify peer */
  414                 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err, SCTP_SO_NOT_LOCKED);
  415                 *abort_no_unlock = 1;
  416                 return (-1);
  417         }
  418         asoc = &stcb->asoc;
  419         asoc->peer_supports_nat = (uint8_t) nat_friendly;
  420         /* process the peer's parameters in the INIT-ACK */
  421         retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net);
  422         if (retval < 0) {
  423                 return (retval);
  424         }
  425         initack_limit = offset + ntohs(cp->ch.chunk_length);
  426         /* load all addresses */
  427         if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen,
  428             (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh,
  429             NULL))) {
  430                 /* Huh, we should abort */
  431                 SCTPDBG(SCTP_DEBUG_INPUT1,
  432                     "Load addresses from INIT causes an abort %d\n",
  433                     retval);
  434                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
  435                     NULL, 0, net->port);
  436                 *abort_no_unlock = 1;
  437                 return (-1);
  438         }
  439         /* if the peer doesn't support asconf, flush the asconf queue */
  440         if (asoc->peer_supports_asconf == 0) {
  441                 struct sctp_asconf_addr *aparam;
  442 
  443                 while (!TAILQ_EMPTY(&asoc->asconf_queue)) {
  444                         /* sa_ignore FREED_MEMORY */
  445                         aparam = TAILQ_FIRST(&asoc->asconf_queue);
  446                         TAILQ_REMOVE(&asoc->asconf_queue, aparam, next);
  447                         SCTP_FREE(aparam, SCTP_M_ASC_ADDR);
  448                 }
  449         }
  450         stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs,
  451             stcb->asoc.local_hmacs);
  452         if (op_err) {
  453                 sctp_queue_op_err(stcb, op_err);
  454                 /* queuing will steal away the mbuf chain to the out queue */
  455                 op_err = NULL;
  456         }
  457         /* extract the cookie and queue it to "echo" it back... */
  458         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
  459                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
  460                     stcb->asoc.overall_error_count,
  461                     0,
  462                     SCTP_FROM_SCTP_INPUT,
  463                     __LINE__);
  464         }
  465         stcb->asoc.overall_error_count = 0;
  466         net->error_count = 0;
  467 
  468         /*
  469          * Cancel the INIT timer, We do this first before queueing the
  470          * cookie. We always cancel at the primary to assue that we are
  471          * canceling the timer started by the INIT which always goes to the
  472          * primary.
  473          */
  474         sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
  475             asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4);
  476 
  477         /* calculate the RTO */
  478         net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy);
  479 
  480         retval = sctp_send_cookie_echo(m, offset, stcb, net);
  481         if (retval < 0) {
  482                 /*
  483                  * No cookie, we probably should send a op error. But in any
  484                  * case if there is no cookie in the INIT-ACK, we can
  485                  * abandon the peer, its broke.
  486                  */
  487                 if (retval == -3) {
  488                         /* We abort with an error of missing mandatory param */
  489                         op_err =
  490                             sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM);
  491                         if (op_err) {
  492                                 /*
  493                                  * Expand beyond to include the mandatory
  494                                  * param cookie
  495                                  */
  496                                 struct sctp_inv_mandatory_param *mp;
  497 
  498                                 SCTP_BUF_LEN(op_err) =
  499                                     sizeof(struct sctp_inv_mandatory_param);
  500                                 mp = mtod(op_err,
  501                                     struct sctp_inv_mandatory_param *);
  502                                 /* Subtract the reserved param */
  503                                 mp->length =
  504                                     htons(sizeof(struct sctp_inv_mandatory_param) - 2);
  505                                 mp->num_param = htonl(1);
  506                                 mp->param = htons(SCTP_STATE_COOKIE);
  507                                 mp->resv = 0;
  508                         }
  509                         sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
  510                             sh, op_err, 0, net->port);
  511                         *abort_no_unlock = 1;
  512                 }
  513                 return (retval);
  514         }
  515         return (0);
  516 }
  517 
  518 static void
  519 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
  520     struct sctp_tcb *stcb, struct sctp_nets *net)
  521 {
  522         struct sockaddr_storage store;
  523         struct sockaddr_in *sin;
  524         struct sockaddr_in6 *sin6;
  525         struct sctp_nets *r_net;
  526         struct timeval tv;
  527         int req_prim = 0;
  528 
  529         if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
  530                 /* Invalid length */
  531                 return;
  532         }
  533         sin = (struct sockaddr_in *)&store;
  534         sin6 = (struct sockaddr_in6 *)&store;
  535 
  536         memset(&store, 0, sizeof(store));
  537         if (cp->heartbeat.hb_info.addr_family == AF_INET &&
  538             cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
  539                 sin->sin_family = cp->heartbeat.hb_info.addr_family;
  540                 sin->sin_len = cp->heartbeat.hb_info.addr_len;
  541                 sin->sin_port = stcb->rport;
  542                 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address,
  543                     sizeof(sin->sin_addr));
  544         } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 &&
  545             cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
  546                 sin6->sin6_family = cp->heartbeat.hb_info.addr_family;
  547                 sin6->sin6_len = cp->heartbeat.hb_info.addr_len;
  548                 sin6->sin6_port = stcb->rport;
  549                 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address,
  550                     sizeof(sin6->sin6_addr));
  551         } else {
  552                 return;
  553         }
  554         r_net = sctp_findnet(stcb, (struct sockaddr *)sin);
  555         if (r_net == NULL) {
  556                 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n");
  557                 return;
  558         }
  559         if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
  560             (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
  561             (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
  562                 /*
  563                  * If the its a HB and it's random value is correct when can
  564                  * confirm the destination.
  565                  */
  566                 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
  567                 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) {
  568                         stcb->asoc.primary_destination = r_net;
  569                         r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY;
  570                         r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY;
  571                         r_net = TAILQ_FIRST(&stcb->asoc.nets);
  572                         if (r_net != stcb->asoc.primary_destination) {
  573                                 /*
  574                                  * first one on the list is NOT the primary
  575                                  * sctp_cmpaddr() is much more efficent if
  576                                  * the primary is the first on the list,
  577                                  * make it so.
  578                                  */
  579                                 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
  580                                 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next);
  581                         }
  582                         req_prim = 1;
  583                 }
  584                 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
  585                     stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
  586         }
  587         r_net->error_count = 0;
  588         r_net->hb_responded = 1;
  589         tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
  590         tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
  591         if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) {
  592                 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE;
  593                 r_net->dest_state |= SCTP_ADDR_REACHABLE;
  594                 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
  595                     SCTP_HEARTBEAT_SUCCESS, (void *)r_net, SCTP_SO_NOT_LOCKED);
  596                 /* now was it the primary? if so restore */
  597                 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) {
  598                         (void)sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net);
  599                 }
  600         }
  601         /*
  602          * JRS 5/14/07 - If CMT PF is on and the destination is in PF state,
  603          * set the destination to active state and set the cwnd to one or
  604          * two MTU's based on whether PF1 or PF2 is being used. If a T3
  605          * timer is running, for the destination, stop the timer because a
  606          * PF-heartbeat was received.
  607          */
  608         if (SCTP_BASE_SYSCTL(sctp_cmt_on_off) &&
  609             SCTP_BASE_SYSCTL(sctp_cmt_pf) &&
  610             (net->dest_state & SCTP_ADDR_PF) == SCTP_ADDR_PF) {
  611                 if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
  612                         sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
  613                             stcb, net,
  614                             SCTP_FROM_SCTP_INPUT + SCTP_LOC_5);
  615                 }
  616                 net->dest_state &= ~SCTP_ADDR_PF;
  617                 net->cwnd = net->mtu * SCTP_BASE_SYSCTL(sctp_cmt_pf);
  618                 SCTPDBG(SCTP_DEBUG_INPUT1, "Destination %p moved from PF to reachable with cwnd %d.\n",
  619                     net, net->cwnd);
  620         }
  621         /* Now lets do a RTO with this */
  622         r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy);
  623         /* Mobility adaptation */
  624         if (req_prim) {
  625                 if ((sctp_is_mobility_feature_on(stcb->sctp_ep,
  626                     SCTP_MOBILITY_BASE) ||
  627                     sctp_is_mobility_feature_on(stcb->sctp_ep,
  628                     SCTP_MOBILITY_FASTHANDOFF)) &&
  629                     sctp_is_mobility_feature_on(stcb->sctp_ep,
  630                     SCTP_MOBILITY_PRIM_DELETED)) {
  631 
  632                         sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_TIMER + SCTP_LOC_7);
  633                         if (sctp_is_mobility_feature_on(stcb->sctp_ep,
  634                             SCTP_MOBILITY_FASTHANDOFF)) {
  635                                 sctp_assoc_immediate_retrans(stcb,
  636                                     stcb->asoc.primary_destination);
  637                         }
  638                         if (sctp_is_mobility_feature_on(stcb->sctp_ep,
  639                             SCTP_MOBILITY_BASE)) {
  640                                 sctp_move_chunks_from_deleted_prim(stcb,
  641                                     stcb->asoc.primary_destination);
  642                         }
  643                         sctp_delete_prim_timer(stcb->sctp_ep, stcb,
  644                             stcb->asoc.deleted_primary);
  645                 }
  646         }
  647 }
  648 
  649 static int
  650 sctp_handle_nat_colliding_state(struct sctp_tcb *stcb)
  651 {
  652         /*
  653          * return 0 means we want you to proceed with the abort non-zero
  654          * means no abort processing
  655          */
  656         struct sctpasochead *head;
  657 
  658         if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) {
  659                 /* generate a new vtag and send init */
  660                 LIST_REMOVE(stcb, sctp_asocs);
  661                 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
  662                 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
  663                 /*
  664                  * put it in the bucket in the vtag hash of assoc's for the
  665                  * system
  666                  */
  667                 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
  668                 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
  669                 return (1);
  670         }
  671         if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED) {
  672                 /*
  673                  * treat like a case where the cookie expired i.e.: - dump
  674                  * current cookie. - generate a new vtag. - resend init.
  675                  */
  676                 /* generate a new vtag and send init */
  677                 LIST_REMOVE(stcb, sctp_asocs);
  678                 stcb->asoc.state &= ~SCTP_STATE_COOKIE_ECHOED;
  679                 stcb->asoc.state |= SCTP_STATE_COOKIE_WAIT;
  680                 sctp_stop_all_cookie_timers(stcb);
  681                 sctp_toss_old_cookies(stcb, &stcb->asoc);
  682                 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
  683                 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
  684                 /*
  685                  * put it in the bucket in the vtag hash of assoc's for the
  686                  * system
  687                  */
  688                 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
  689                 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
  690                 return (1);
  691         }
  692         return (0);
  693 }
  694 
  695 static int
  696 sctp_handle_nat_missing_state(struct sctp_tcb *stcb,
  697     struct sctp_nets *net)
  698 {
  699         /*
  700          * return 0 means we want you to proceed with the abort non-zero
  701          * means no abort processing
  702          */
  703         if (stcb->asoc.peer_supports_auth == 0) {
  704                 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n");
  705                 return (0);
  706         }
  707         sctp_asconf_send_nat_state_update(stcb, net);
  708         return (1);
  709 }
  710 
  711 
  712 static void
  713 sctp_handle_abort(struct sctp_abort_chunk *cp,
  714     struct sctp_tcb *stcb, struct sctp_nets *net)
  715 {
  716 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  717         struct socket *so;
  718 
  719 #endif
  720         uint16_t len;
  721 
  722         SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n");
  723         if (stcb == NULL)
  724                 return;
  725 
  726         len = ntohs(cp->ch.chunk_length);
  727         if (len > sizeof(struct sctp_chunkhdr)) {
  728                 /*
  729                  * Need to check the cause codes for our two magic nat
  730                  * aborts which don't kill the assoc necessarily.
  731                  */
  732                 struct sctp_abort_chunk *cpnext;
  733                 struct sctp_missing_nat_state *natc;
  734                 uint16_t cause;
  735 
  736                 cpnext = cp;
  737                 cpnext++;
  738                 natc = (struct sctp_missing_nat_state *)cpnext;
  739                 cause = ntohs(natc->cause);
  740                 if (cause == SCTP_CAUSE_NAT_COLLIDING_STATE) {
  741                         SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
  742                             cp->ch.chunk_flags);
  743                         if (sctp_handle_nat_colliding_state(stcb)) {
  744                                 return;
  745                         }
  746                 } else if (cause == SCTP_CAUSE_NAT_MISSING_STATE) {
  747                         SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
  748                             cp->ch.chunk_flags);
  749                         if (sctp_handle_nat_missing_state(stcb, net)) {
  750                                 return;
  751                         }
  752                 }
  753         }
  754         /* stop any receive timers */
  755         sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
  756         /* notify user of the abort and clean up... */
  757         sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED);
  758         /* free the tcb */
  759 #if defined(SCTP_PANIC_ON_ABORT)
  760         printf("stcb:%p state:%d rport:%d net:%p\n",
  761             stcb, stcb->asoc.state, stcb->rport, net);
  762         if (!(stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
  763                 panic("Received an ABORT");
  764         } else {
  765                 printf("No panic its in state %x closed\n", stcb->asoc.state);
  766         }
  767 #endif
  768         SCTP_STAT_INCR_COUNTER32(sctps_aborted);
  769         if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) ||
  770             (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
  771                 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
  772         }
  773 #ifdef SCTP_ASOCLOG_OF_TSNS
  774         sctp_print_out_track_log(stcb);
  775 #endif
  776 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  777         so = SCTP_INP_SO(stcb->sctp_ep);
  778         atomic_add_int(&stcb->asoc.refcnt, 1);
  779         SCTP_TCB_UNLOCK(stcb);
  780         SCTP_SOCKET_LOCK(so, 1);
  781         SCTP_TCB_LOCK(stcb);
  782         atomic_subtract_int(&stcb->asoc.refcnt, 1);
  783 #endif
  784         stcb->asoc.state |= SCTP_STATE_WAS_ABORTED;
  785         (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
  786             SCTP_FROM_SCTP_INPUT + SCTP_LOC_6);
  787 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  788         SCTP_SOCKET_UNLOCK(so, 1);
  789 #endif
  790         SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n");
  791 }
  792 
  793 static void
  794 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
  795     struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
  796 {
  797         struct sctp_association *asoc;
  798         int some_on_streamwheel;
  799 
  800 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  801         struct socket *so;
  802 
  803 #endif
  804 
  805         SCTPDBG(SCTP_DEBUG_INPUT2,
  806             "sctp_handle_shutdown: handling SHUTDOWN\n");
  807         if (stcb == NULL)
  808                 return;
  809         asoc = &stcb->asoc;
  810         if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
  811             (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
  812                 return;
  813         }
  814         if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
  815                 /* Shutdown NOT the expected size */
  816                 return;
  817         } else {
  818                 sctp_update_acked(stcb, cp, net, abort_flag);
  819                 if (*abort_flag) {
  820                         return;
  821                 }
  822         }
  823         if (asoc->control_pdapi) {
  824                 /*
  825                  * With a normal shutdown we assume the end of last record.
  826                  */
  827                 SCTP_INP_READ_LOCK(stcb->sctp_ep);
  828                 asoc->control_pdapi->end_added = 1;
  829                 asoc->control_pdapi->pdapi_aborted = 1;
  830                 asoc->control_pdapi = NULL;
  831                 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
  832 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  833                 so = SCTP_INP_SO(stcb->sctp_ep);
  834                 atomic_add_int(&stcb->asoc.refcnt, 1);
  835                 SCTP_TCB_UNLOCK(stcb);
  836                 SCTP_SOCKET_LOCK(so, 1);
  837                 SCTP_TCB_LOCK(stcb);
  838                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
  839                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
  840                         /* assoc was freed while we were unlocked */
  841                         SCTP_SOCKET_UNLOCK(so, 1);
  842                         return;
  843                 }
  844 #endif
  845                 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
  846 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  847                 SCTP_SOCKET_UNLOCK(so, 1);
  848 #endif
  849         }
  850         /* goto SHUTDOWN_RECEIVED state to block new requests */
  851         if (stcb->sctp_socket) {
  852                 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
  853                     (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) &&
  854                     (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
  855                         SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED);
  856                         SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
  857                         /*
  858                          * notify upper layer that peer has initiated a
  859                          * shutdown
  860                          */
  861                         sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
  862 
  863                         /* reset time */
  864                         (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
  865                 }
  866         }
  867         if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
  868                 /*
  869                  * stop the shutdown timer, since we WILL move to
  870                  * SHUTDOWN-ACK-SENT.
  871                  */
  872                 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8);
  873         }
  874         /* Now is there unsent data on a stream somewhere? */
  875         some_on_streamwheel = sctp_is_there_unsent_data(stcb);
  876 
  877         if (!TAILQ_EMPTY(&asoc->send_queue) ||
  878             !TAILQ_EMPTY(&asoc->sent_queue) ||
  879             some_on_streamwheel) {
  880                 /* By returning we will push more data out */
  881                 return;
  882         } else {
  883                 /* no outstanding data to send, so move on... */
  884                 /* send SHUTDOWN-ACK */
  885                 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
  886                 /* move to SHUTDOWN-ACK-SENT state */
  887                 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
  888                     (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
  889                         SCTP_STAT_DECR_GAUGE32(sctps_currestab);
  890                 }
  891                 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
  892                 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
  893                 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net,
  894                     SCTP_FROM_SCTP_INPUT + SCTP_LOC_7);
  895                 /* start SHUTDOWN timer */
  896                 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep,
  897                     stcb, net);
  898         }
  899 }
  900 
  901 static void
  902 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp,
  903     struct sctp_tcb *stcb, struct sctp_nets *net)
  904 {
  905         struct sctp_association *asoc;
  906 
  907 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  908         struct socket *so;
  909 
  910         so = SCTP_INP_SO(stcb->sctp_ep);
  911 #endif
  912         SCTPDBG(SCTP_DEBUG_INPUT2,
  913             "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
  914         if (stcb == NULL)
  915                 return;
  916 
  917         asoc = &stcb->asoc;
  918         /* process according to association state */
  919         if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
  920             (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
  921                 /* unexpected SHUTDOWN-ACK... so ignore... */
  922                 SCTP_TCB_UNLOCK(stcb);
  923                 return;
  924         }
  925         if (asoc->control_pdapi) {
  926                 /*
  927                  * With a normal shutdown we assume the end of last record.
  928                  */
  929                 SCTP_INP_READ_LOCK(stcb->sctp_ep);
  930                 asoc->control_pdapi->end_added = 1;
  931                 asoc->control_pdapi->pdapi_aborted = 1;
  932                 asoc->control_pdapi = NULL;
  933                 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
  934 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  935                 atomic_add_int(&stcb->asoc.refcnt, 1);
  936                 SCTP_TCB_UNLOCK(stcb);
  937                 SCTP_SOCKET_LOCK(so, 1);
  938                 SCTP_TCB_LOCK(stcb);
  939                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
  940                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
  941                         /* assoc was freed while we were unlocked */
  942                         SCTP_SOCKET_UNLOCK(so, 1);
  943                         return;
  944                 }
  945 #endif
  946                 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
  947 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  948                 SCTP_SOCKET_UNLOCK(so, 1);
  949 #endif
  950         }
  951         /* are the queues empty? */
  952         if (!TAILQ_EMPTY(&asoc->send_queue) ||
  953             !TAILQ_EMPTY(&asoc->sent_queue) ||
  954             !TAILQ_EMPTY(&asoc->out_wheel)) {
  955                 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED);
  956         }
  957         /* stop the timer */
  958         sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9);
  959         /* send SHUTDOWN-COMPLETE */
  960         sctp_send_shutdown_complete(stcb, net);
  961         /* notify upper layer protocol */
  962         if (stcb->sctp_socket) {
  963                 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
  964                 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
  965                     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
  966                         /* Set the connected flag to disconnected */
  967                         stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0;
  968                 }
  969         }
  970         SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
  971         /* free the TCB but first save off the ep */
  972 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  973         atomic_add_int(&stcb->asoc.refcnt, 1);
  974         SCTP_TCB_UNLOCK(stcb);
  975         SCTP_SOCKET_LOCK(so, 1);
  976         SCTP_TCB_LOCK(stcb);
  977         atomic_subtract_int(&stcb->asoc.refcnt, 1);
  978 #endif
  979         (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
  980             SCTP_FROM_SCTP_INPUT + SCTP_LOC_10);
  981 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
  982         SCTP_SOCKET_UNLOCK(so, 1);
  983 #endif
  984 }
  985 
  986 /*
  987  * Skip past the param header and then we will find the chunk that caused the
  988  * problem. There are two possiblities ASCONF or FWD-TSN other than that and
  989  * our peer must be broken.
  990  */
  991 static void
  992 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
  993     struct sctp_nets *net)
  994 {
  995         struct sctp_chunkhdr *chk;
  996 
  997         chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr));
  998         switch (chk->chunk_type) {
  999         case SCTP_ASCONF_ACK:
 1000         case SCTP_ASCONF:
 1001                 sctp_asconf_cleanup(stcb, net);
 1002                 break;
 1003         case SCTP_FORWARD_CUM_TSN:
 1004                 stcb->asoc.peer_supports_prsctp = 0;
 1005                 break;
 1006         default:
 1007                 SCTPDBG(SCTP_DEBUG_INPUT2,
 1008                     "Peer does not support chunk type %d(%x)??\n",
 1009                     chk->chunk_type, (uint32_t) chk->chunk_type);
 1010                 break;
 1011         }
 1012 }
 1013 
 1014 /*
 1015  * Skip past the param header and then we will find the param that caused the
 1016  * problem.  There are a number of param's in a ASCONF OR the prsctp param
 1017  * these will turn of specific features.
 1018  */
 1019 static void
 1020 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
 1021 {
 1022         struct sctp_paramhdr *pbad;
 1023 
 1024         pbad = phdr + 1;
 1025         switch (ntohs(pbad->param_type)) {
 1026                 /* pr-sctp draft */
 1027         case SCTP_PRSCTP_SUPPORTED:
 1028                 stcb->asoc.peer_supports_prsctp = 0;
 1029                 break;
 1030         case SCTP_SUPPORTED_CHUNK_EXT:
 1031                 break;
 1032                 /* draft-ietf-tsvwg-addip-sctp */
 1033         case SCTP_HAS_NAT_SUPPORT:
 1034                 stcb->asoc.peer_supports_nat = 0;
 1035                 break;
 1036         case SCTP_ECN_NONCE_SUPPORTED:
 1037                 stcb->asoc.peer_supports_ecn_nonce = 0;
 1038                 stcb->asoc.ecn_nonce_allowed = 0;
 1039                 stcb->asoc.ecn_allowed = 0;
 1040                 break;
 1041         case SCTP_ADD_IP_ADDRESS:
 1042         case SCTP_DEL_IP_ADDRESS:
 1043         case SCTP_SET_PRIM_ADDR:
 1044                 stcb->asoc.peer_supports_asconf = 0;
 1045                 break;
 1046         case SCTP_SUCCESS_REPORT:
 1047         case SCTP_ERROR_CAUSE_IND:
 1048                 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n");
 1049                 SCTPDBG(SCTP_DEBUG_INPUT2,
 1050                     "Turning off ASCONF to this strange peer\n");
 1051                 stcb->asoc.peer_supports_asconf = 0;
 1052                 break;
 1053         default:
 1054                 SCTPDBG(SCTP_DEBUG_INPUT2,
 1055                     "Peer does not support param type %d(%x)??\n",
 1056                     pbad->param_type, (uint32_t) pbad->param_type);
 1057                 break;
 1058         }
 1059 }
 1060 
 1061 static int
 1062 sctp_handle_error(struct sctp_chunkhdr *ch,
 1063     struct sctp_tcb *stcb, struct sctp_nets *net)
 1064 {
 1065         int chklen;
 1066         struct sctp_paramhdr *phdr;
 1067         uint16_t error_type;
 1068         uint16_t error_len;
 1069         struct sctp_association *asoc;
 1070         int adjust;
 1071 
 1072 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1073         struct socket *so;
 1074 
 1075 #endif
 1076 
 1077         /* parse through all of the errors and process */
 1078         asoc = &stcb->asoc;
 1079         phdr = (struct sctp_paramhdr *)((caddr_t)ch +
 1080             sizeof(struct sctp_chunkhdr));
 1081         chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr);
 1082         while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) {
 1083                 /* Process an Error Cause */
 1084                 error_type = ntohs(phdr->param_type);
 1085                 error_len = ntohs(phdr->param_length);
 1086                 if ((error_len > chklen) || (error_len == 0)) {
 1087                         /* invalid param length for this param */
 1088                         SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n",
 1089                             chklen, error_len);
 1090                         return (0);
 1091                 }
 1092                 switch (error_type) {
 1093                 case SCTP_CAUSE_INVALID_STREAM:
 1094                 case SCTP_CAUSE_MISSING_PARAM:
 1095                 case SCTP_CAUSE_INVALID_PARAM:
 1096                 case SCTP_CAUSE_NO_USER_DATA:
 1097                         SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n",
 1098                             error_type);
 1099                         break;
 1100                 case SCTP_CAUSE_NAT_COLLIDING_STATE:
 1101                         SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
 1102                             ch->chunk_flags);
 1103                         if (sctp_handle_nat_colliding_state(stcb)) {
 1104                                 return (0);
 1105                         }
 1106                         break;
 1107                 case SCTP_CAUSE_NAT_MISSING_STATE:
 1108                         SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
 1109                             ch->chunk_flags);
 1110                         if (sctp_handle_nat_missing_state(stcb, net)) {
 1111                                 return (0);
 1112                         }
 1113                         break;
 1114                 case SCTP_CAUSE_STALE_COOKIE:
 1115                         /*
 1116                          * We only act if we have echoed a cookie and are
 1117                          * waiting.
 1118                          */
 1119                         if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
 1120                                 int *p;
 1121 
 1122                                 p = (int *)((caddr_t)phdr + sizeof(*phdr));
 1123                                 /* Save the time doubled */
 1124                                 asoc->cookie_preserve_req = ntohl(*p) << 1;
 1125                                 asoc->stale_cookie_count++;
 1126                                 if (asoc->stale_cookie_count >
 1127                                     asoc->max_init_times) {
 1128                                         sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED);
 1129                                         /* now free the asoc */
 1130 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1131                                         so = SCTP_INP_SO(stcb->sctp_ep);
 1132                                         atomic_add_int(&stcb->asoc.refcnt, 1);
 1133                                         SCTP_TCB_UNLOCK(stcb);
 1134                                         SCTP_SOCKET_LOCK(so, 1);
 1135                                         SCTP_TCB_LOCK(stcb);
 1136                                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 1137 #endif
 1138                                         (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
 1139                                             SCTP_FROM_SCTP_INPUT + SCTP_LOC_11);
 1140 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1141                                         SCTP_SOCKET_UNLOCK(so, 1);
 1142 #endif
 1143                                         return (-1);
 1144                                 }
 1145                                 /* blast back to INIT state */
 1146                                 sctp_toss_old_cookies(stcb, &stcb->asoc);
 1147                                 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
 1148                                 asoc->state |= SCTP_STATE_COOKIE_WAIT;
 1149                                 sctp_stop_all_cookie_timers(stcb);
 1150                                 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
 1151                         }
 1152                         break;
 1153                 case SCTP_CAUSE_UNRESOLVABLE_ADDR:
 1154                         /*
 1155                          * Nothing we can do here, we don't do hostname
 1156                          * addresses so if the peer does not like my IPv6
 1157                          * (or IPv4 for that matter) it does not matter. If
 1158                          * they don't support that type of address, they can
 1159                          * NOT possibly get that packet type... i.e. with no
 1160                          * IPv6 you can't recieve a IPv6 packet. so we can
 1161                          * safely ignore this one. If we ever added support
 1162                          * for HOSTNAME Addresses, then we would need to do
 1163                          * something here.
 1164                          */
 1165                         break;
 1166                 case SCTP_CAUSE_UNRECOG_CHUNK:
 1167                         sctp_process_unrecog_chunk(stcb, phdr, net);
 1168                         break;
 1169                 case SCTP_CAUSE_UNRECOG_PARAM:
 1170                         sctp_process_unrecog_param(stcb, phdr);
 1171                         break;
 1172                 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
 1173                         /*
 1174                          * We ignore this since the timer will drive out a
 1175                          * new cookie anyway and there timer will drive us
 1176                          * to send a SHUTDOWN_COMPLETE. We can't send one
 1177                          * here since we don't have their tag.
 1178                          */
 1179                         break;
 1180                 case SCTP_CAUSE_DELETING_LAST_ADDR:
 1181                 case SCTP_CAUSE_RESOURCE_SHORTAGE:
 1182                 case SCTP_CAUSE_DELETING_SRC_ADDR:
 1183                         /*
 1184                          * We should NOT get these here, but in a
 1185                          * ASCONF-ACK.
 1186                          */
 1187                         SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n",
 1188                             error_type);
 1189                         break;
 1190                 case SCTP_CAUSE_OUT_OF_RESC:
 1191                         /*
 1192                          * And what, pray tell do we do with the fact that
 1193                          * the peer is out of resources? Not really sure we
 1194                          * could do anything but abort. I suspect this
 1195                          * should have came WITH an abort instead of in a
 1196                          * OP-ERROR.
 1197                          */
 1198                         break;
 1199                 default:
 1200                         SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n",
 1201                             error_type);
 1202                         break;
 1203                 }
 1204                 adjust = SCTP_SIZE32(error_len);
 1205                 chklen -= adjust;
 1206                 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust);
 1207         }
 1208         return (0);
 1209 }
 1210 
 1211 static int
 1212 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
 1213     struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
 1214     struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id)
 1215 {
 1216         struct sctp_init_ack *init_ack;
 1217         struct mbuf *op_err;
 1218 
 1219         SCTPDBG(SCTP_DEBUG_INPUT2,
 1220             "sctp_handle_init_ack: handling INIT-ACK\n");
 1221 
 1222         if (stcb == NULL) {
 1223                 SCTPDBG(SCTP_DEBUG_INPUT2,
 1224                     "sctp_handle_init_ack: TCB is null\n");
 1225                 return (-1);
 1226         }
 1227         if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
 1228                 /* Invalid length */
 1229                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1230                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1231                     op_err, 0, net->port);
 1232                 *abort_no_unlock = 1;
 1233                 return (-1);
 1234         }
 1235         init_ack = &cp->init;
 1236         /* validate parameters */
 1237         if (init_ack->initiate_tag == 0) {
 1238                 /* protocol error... send an abort */
 1239                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1240                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1241                     op_err, 0, net->port);
 1242                 *abort_no_unlock = 1;
 1243                 return (-1);
 1244         }
 1245         if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) {
 1246                 /* protocol error... send an abort */
 1247                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1248                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1249                     op_err, 0, net->port);
 1250                 *abort_no_unlock = 1;
 1251                 return (-1);
 1252         }
 1253         if (init_ack->num_inbound_streams == 0) {
 1254                 /* protocol error... send an abort */
 1255                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1256                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1257                     op_err, 0, net->port);
 1258                 *abort_no_unlock = 1;
 1259                 return (-1);
 1260         }
 1261         if (init_ack->num_outbound_streams == 0) {
 1262                 /* protocol error... send an abort */
 1263                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
 1264                 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
 1265                     op_err, 0, net->port);
 1266                 *abort_no_unlock = 1;
 1267                 return (-1);
 1268         }
 1269         /* process according to association state... */
 1270         switch (stcb->asoc.state & SCTP_STATE_MASK) {
 1271         case SCTP_STATE_COOKIE_WAIT:
 1272                 /* this is the expected state for this chunk */
 1273                 /* process the INIT-ACK parameters */
 1274                 if (stcb->asoc.primary_destination->dest_state &
 1275                     SCTP_ADDR_UNCONFIRMED) {
 1276                         /*
 1277                          * The primary is where we sent the INIT, we can
 1278                          * always consider it confirmed when the INIT-ACK is
 1279                          * returned. Do this before we load addresses
 1280                          * though.
 1281                          */
 1282                         stcb->asoc.primary_destination->dest_state &=
 1283                             ~SCTP_ADDR_UNCONFIRMED;
 1284                         sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
 1285                             stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED);
 1286                 }
 1287                 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb,
 1288                     net, abort_no_unlock, vrf_id) < 0) {
 1289                         /* error in parsing parameters */
 1290                         return (-1);
 1291                 }
 1292                 /* update our state */
 1293                 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n");
 1294                 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED);
 1295 
 1296                 /* reset the RTO calc */
 1297                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 1298                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 1299                             stcb->asoc.overall_error_count,
 1300                             0,
 1301                             SCTP_FROM_SCTP_INPUT,
 1302                             __LINE__);
 1303                 }
 1304                 stcb->asoc.overall_error_count = 0;
 1305                 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
 1306                 /*
 1307                  * collapse the init timer back in case of a exponential
 1308                  * backoff
 1309                  */
 1310                 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
 1311                     stcb, net);
 1312                 /*
 1313                  * the send at the end of the inbound data processing will
 1314                  * cause the cookie to be sent
 1315                  */
 1316                 break;
 1317         case SCTP_STATE_SHUTDOWN_SENT:
 1318                 /* incorrect state... discard */
 1319                 break;
 1320         case SCTP_STATE_COOKIE_ECHOED:
 1321                 /* incorrect state... discard */
 1322                 break;
 1323         case SCTP_STATE_OPEN:
 1324                 /* incorrect state... discard */
 1325                 break;
 1326         case SCTP_STATE_EMPTY:
 1327         case SCTP_STATE_INUSE:
 1328         default:
 1329                 /* incorrect state... discard */
 1330                 return (-1);
 1331                 break;
 1332         }
 1333         SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
 1334         return (0);
 1335 }
 1336 
 1337 static struct sctp_tcb *
 1338 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
 1339     struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
 1340     struct sctp_inpcb *inp, struct sctp_nets **netp,
 1341     struct sockaddr *init_src, int *notification,
 1342     int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
 1343     uint32_t vrf_id, uint16_t port);
 1344 
 1345 
 1346 /*
 1347  * handle a state cookie for an existing association m: input packet mbuf
 1348  * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a
 1349  * "split" mbuf and the cookie signature does not exist offset: offset into
 1350  * mbuf to the cookie-echo chunk
 1351  */
 1352 static struct sctp_tcb *
 1353 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
 1354     struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
 1355     struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp,
 1356     struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id,
 1357     uint32_t vrf_id, int auth_skipped, uint32_t auth_offset, uint32_t auth_len, uint16_t port)
 1358 {
 1359         struct sctp_association *asoc;
 1360         struct sctp_init_chunk *init_cp, init_buf;
 1361         struct sctp_init_ack_chunk *initack_cp, initack_buf;
 1362         struct sctp_nets *net;
 1363         struct mbuf *op_err;
 1364         struct sctp_paramhdr *ph;
 1365         int chk_length;
 1366         int init_offset, initack_offset, i;
 1367         int retval;
 1368         int spec_flag = 0;
 1369         uint32_t how_indx;
 1370 
 1371         net = *netp;
 1372         /* I know that the TCB is non-NULL from the caller */
 1373         asoc = &stcb->asoc;
 1374         for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) {
 1375                 if (asoc->cookie_how[how_indx] == 0)
 1376                         break;
 1377         }
 1378         if (how_indx < sizeof(asoc->cookie_how)) {
 1379                 asoc->cookie_how[how_indx] = 1;
 1380         }
 1381         if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
 1382                 /* SHUTDOWN came in after sending INIT-ACK */
 1383                 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
 1384                 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
 1385                     0, M_DONTWAIT, 1, MT_DATA);
 1386                 if (op_err == NULL) {
 1387                         /* FOOBAR */
 1388                         return (NULL);
 1389                 }
 1390                 /* pre-reserve some space */
 1391 #ifdef INET6
 1392                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
 1393 #else
 1394                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
 1395 #endif
 1396                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
 1397                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
 1398                 /* Set the len */
 1399                 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr);
 1400                 ph = mtod(op_err, struct sctp_paramhdr *);
 1401                 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN);
 1402                 ph->param_length = htons(sizeof(struct sctp_paramhdr));
 1403                 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag,
 1404                     vrf_id, net->port);
 1405                 if (how_indx < sizeof(asoc->cookie_how))
 1406                         asoc->cookie_how[how_indx] = 2;
 1407                 return (NULL);
 1408         }
 1409         /*
 1410          * find and validate the INIT chunk in the cookie (peer's info) the
 1411          * INIT should start after the cookie-echo header struct (chunk
 1412          * header, state cookie header struct)
 1413          */
 1414         init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
 1415 
 1416         init_cp = (struct sctp_init_chunk *)
 1417             sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
 1418             (uint8_t *) & init_buf);
 1419         if (init_cp == NULL) {
 1420                 /* could not pull a INIT chunk in cookie */
 1421                 return (NULL);
 1422         }
 1423         chk_length = ntohs(init_cp->ch.chunk_length);
 1424         if (init_cp->ch.chunk_type != SCTP_INITIATION) {
 1425                 return (NULL);
 1426         }
 1427         /*
 1428          * find and validate the INIT-ACK chunk in the cookie (my info) the
 1429          * INIT-ACK follows the INIT chunk
 1430          */
 1431         initack_offset = init_offset + SCTP_SIZE32(chk_length);
 1432         initack_cp = (struct sctp_init_ack_chunk *)
 1433             sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
 1434             (uint8_t *) & initack_buf);
 1435         if (initack_cp == NULL) {
 1436                 /* could not pull INIT-ACK chunk in cookie */
 1437                 return (NULL);
 1438         }
 1439         chk_length = ntohs(initack_cp->ch.chunk_length);
 1440         if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
 1441                 return (NULL);
 1442         }
 1443         if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
 1444             (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
 1445                 /*
 1446                  * case D in Section 5.2.4 Table 2: MMAA process accordingly
 1447                  * to get into the OPEN state
 1448                  */
 1449                 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
 1450                         /*-
 1451                          * Opps, this means that we somehow generated two vtag's
 1452                          * the same. I.e. we did:
 1453                          *  Us               Peer
 1454                          *   <---INIT(tag=a)------
 1455                          *   ----INIT-ACK(tag=t)-->
 1456                          *   ----INIT(tag=t)------> *1
 1457                          *   <---INIT-ACK(tag=a)---
 1458                          *   <----CE(tag=t)------------- *2
 1459                          *
 1460                          * At point *1 we should be generating a different
 1461                          * tag t'. Which means we would throw away the CE and send
 1462                          * ours instead. Basically this is case C (throw away side).
 1463                          */
 1464                         if (how_indx < sizeof(asoc->cookie_how))
 1465                                 asoc->cookie_how[how_indx] = 17;
 1466                         return (NULL);
 1467 
 1468                 }
 1469                 switch SCTP_GET_STATE
 1470                         (asoc) {
 1471                 case SCTP_STATE_COOKIE_WAIT:
 1472                 case SCTP_STATE_COOKIE_ECHOED:
 1473                         /*
 1474                          * INIT was sent but got a COOKIE_ECHO with the
 1475                          * correct tags... just accept it...but we must
 1476                          * process the init so that we can make sure we have
 1477                          * the right seq no's.
 1478                          */
 1479                         /* First we must process the INIT !! */
 1480                         retval = sctp_process_init(init_cp, stcb, net);
 1481                         if (retval < 0) {
 1482                                 if (how_indx < sizeof(asoc->cookie_how))
 1483                                         asoc->cookie_how[how_indx] = 3;
 1484                                 return (NULL);
 1485                         }
 1486                         /* we have already processed the INIT so no problem */
 1487                         sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
 1488                             net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12);
 1489                         sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13);
 1490                         /* update current state */
 1491                         if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
 1492                                 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
 1493                         else
 1494                                 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
 1495 
 1496                         SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 1497                         if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 1498                                 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 1499                                     stcb->sctp_ep, stcb, asoc->primary_destination);
 1500                         }
 1501                         SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 1502                         sctp_stop_all_cookie_timers(stcb);
 1503                         if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
 1504                             (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
 1505                             (inp->sctp_socket->so_qlimit == 0)
 1506                             ) {
 1507 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1508                                 struct socket *so;
 1509 
 1510 #endif
 1511                                 /*
 1512                                  * Here is where collision would go if we
 1513                                  * did a connect() and instead got a
 1514                                  * init/init-ack/cookie done before the
 1515                                  * init-ack came back..
 1516                                  */
 1517                                 stcb->sctp_ep->sctp_flags |=
 1518                                     SCTP_PCB_FLAGS_CONNECTED;
 1519 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1520                                 so = SCTP_INP_SO(stcb->sctp_ep);
 1521                                 atomic_add_int(&stcb->asoc.refcnt, 1);
 1522                                 SCTP_TCB_UNLOCK(stcb);
 1523                                 SCTP_SOCKET_LOCK(so, 1);
 1524                                 SCTP_TCB_LOCK(stcb);
 1525                                 atomic_add_int(&stcb->asoc.refcnt, -1);
 1526                                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
 1527                                         SCTP_SOCKET_UNLOCK(so, 1);
 1528                                         return (NULL);
 1529                                 }
 1530 #endif
 1531                                 soisconnected(stcb->sctp_socket);
 1532 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1533                                 SCTP_SOCKET_UNLOCK(so, 1);
 1534 #endif
 1535                         }
 1536                         /* notify upper layer */
 1537                         *notification = SCTP_NOTIFY_ASSOC_UP;
 1538                         /*
 1539                          * since we did not send a HB make sure we don't
 1540                          * double things
 1541                          */
 1542                         net->hb_responded = 1;
 1543                         net->RTO = sctp_calculate_rto(stcb, asoc, net,
 1544                             &cookie->time_entered, sctp_align_unsafe_makecopy);
 1545 
 1546                         if (stcb->asoc.sctp_autoclose_ticks &&
 1547                             (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) {
 1548                                 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
 1549                                     inp, stcb, NULL);
 1550                         }
 1551                         break;
 1552                 default:
 1553                         /*
 1554                          * we're in the OPEN state (or beyond), so peer must
 1555                          * have simply lost the COOKIE-ACK
 1556                          */
 1557                         break;
 1558                         }       /* end switch */
 1559                 sctp_stop_all_cookie_timers(stcb);
 1560                 /*
 1561                  * We ignore the return code here.. not sure if we should
 1562                  * somehow abort.. but we do have an existing asoc. This
 1563                  * really should not fail.
 1564                  */
 1565                 if (sctp_load_addresses_from_init(stcb, m, iphlen,
 1566                     init_offset + sizeof(struct sctp_init_chunk),
 1567                     initack_offset, sh, init_src)) {
 1568                         if (how_indx < sizeof(asoc->cookie_how))
 1569                                 asoc->cookie_how[how_indx] = 4;
 1570                         return (NULL);
 1571                 }
 1572                 /* respond with a COOKIE-ACK */
 1573                 sctp_toss_old_cookies(stcb, asoc);
 1574                 sctp_send_cookie_ack(stcb);
 1575                 if (how_indx < sizeof(asoc->cookie_how))
 1576                         asoc->cookie_how[how_indx] = 5;
 1577                 return (stcb);
 1578         }
 1579         if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
 1580             ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
 1581             cookie->tie_tag_my_vtag == 0 &&
 1582             cookie->tie_tag_peer_vtag == 0) {
 1583                 /*
 1584                  * case C in Section 5.2.4 Table 2: XMOO silently discard
 1585                  */
 1586                 if (how_indx < sizeof(asoc->cookie_how))
 1587                         asoc->cookie_how[how_indx] = 6;
 1588                 return (NULL);
 1589         }
 1590         /*
 1591          * If nat support, and the below and stcb is established, send back
 1592          * a ABORT(colliding state) if we are established.
 1593          */
 1594         if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) &&
 1595             (asoc->peer_supports_nat) &&
 1596             ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
 1597             ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
 1598             (asoc->peer_vtag == 0)))) {
 1599                 /*
 1600                  * Special case - Peer's support nat. We may have two init's
 1601                  * that we gave out the same tag on since one was not
 1602                  * established.. i.e. we get INIT from host-1 behind the nat
 1603                  * and we respond tag-a, we get a INIT from host-2 behind
 1604                  * the nat and we get tag-a again. Then we bring up host-1
 1605                  * (or 2's) assoc, Then comes the cookie from hsot-2 (or 1).
 1606                  * Now we have colliding state. We must send an abort here
 1607                  * with colliding state indication.
 1608                  */
 1609                 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
 1610                     0, M_DONTWAIT, 1, MT_DATA);
 1611                 if (op_err == NULL) {
 1612                         /* FOOBAR */
 1613                         return (NULL);
 1614                 }
 1615                 /* pre-reserve some space */
 1616 #ifdef INET6
 1617                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
 1618 #else
 1619                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
 1620 #endif
 1621                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
 1622                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
 1623                 /* Set the len */
 1624                 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr);
 1625                 ph = mtod(op_err, struct sctp_paramhdr *);
 1626                 ph->param_type = htons(SCTP_CAUSE_NAT_COLLIDING_STATE);
 1627                 ph->param_length = htons(sizeof(struct sctp_paramhdr));
 1628                 sctp_send_abort(m, iphlen, sh, 0, op_err, vrf_id, port);
 1629                 return (NULL);
 1630         }
 1631         if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
 1632             ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
 1633             (asoc->peer_vtag == 0))) {
 1634                 /*
 1635                  * case B in Section 5.2.4 Table 2: MXAA or MOAA my info
 1636                  * should be ok, re-accept peer info
 1637                  */
 1638                 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
 1639                         /*
 1640                          * Extension of case C. If we hit this, then the
 1641                          * random number generator returned the same vtag
 1642                          * when we first sent our INIT-ACK and when we later
 1643                          * sent our INIT. The side with the seq numbers that
 1644                          * are different will be the one that normnally
 1645                          * would have hit case C. This in effect "extends"
 1646                          * our vtags in this collision case to be 64 bits.
 1647                          * The same collision could occur aka you get both
 1648                          * vtag and seq number the same twice in a row.. but
 1649                          * is much less likely. If it did happen then we
 1650                          * would proceed through and bring up the assoc.. we
 1651                          * may end up with the wrong stream setup however..
 1652                          * which would be bad.. but there is no way to
 1653                          * tell.. until we send on a stream that does not
 1654                          * exist :-)
 1655                          */
 1656                         if (how_indx < sizeof(asoc->cookie_how))
 1657                                 asoc->cookie_how[how_indx] = 7;
 1658 
 1659                         return (NULL);
 1660                 }
 1661                 if (how_indx < sizeof(asoc->cookie_how))
 1662                         asoc->cookie_how[how_indx] = 8;
 1663                 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14);
 1664                 sctp_stop_all_cookie_timers(stcb);
 1665                 /*
 1666                  * since we did not send a HB make sure we don't double
 1667                  * things
 1668                  */
 1669                 net->hb_responded = 1;
 1670                 if (stcb->asoc.sctp_autoclose_ticks &&
 1671                     sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
 1672                         sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
 1673                             NULL);
 1674                 }
 1675                 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
 1676                 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
 1677 
 1678                 /* Note last_cwr_tsn? where is this used? */
 1679                 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
 1680                 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
 1681                         /*
 1682                          * Ok the peer probably discarded our data (if we
 1683                          * echoed a cookie+data). So anything on the
 1684                          * sent_queue should be marked for retransmit, we
 1685                          * may not get something to kick us so it COULD
 1686                          * still take a timeout to move these.. but it can't
 1687                          * hurt to mark them.
 1688                          */
 1689                         struct sctp_tmit_chunk *chk;
 1690 
 1691                         TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
 1692                                 if (chk->sent < SCTP_DATAGRAM_RESEND) {
 1693                                         chk->sent = SCTP_DATAGRAM_RESEND;
 1694                                         sctp_flight_size_decrease(chk);
 1695                                         sctp_total_flight_decrease(stcb, chk);
 1696                                         sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
 1697                                         spec_flag++;
 1698                                 }
 1699                         }
 1700 
 1701                 }
 1702                 /* process the INIT info (peer's info) */
 1703                 retval = sctp_process_init(init_cp, stcb, net);
 1704                 if (retval < 0) {
 1705                         if (how_indx < sizeof(asoc->cookie_how))
 1706                                 asoc->cookie_how[how_indx] = 9;
 1707                         return (NULL);
 1708                 }
 1709                 if (sctp_load_addresses_from_init(stcb, m, iphlen,
 1710                     init_offset + sizeof(struct sctp_init_chunk),
 1711                     initack_offset, sh, init_src)) {
 1712                         if (how_indx < sizeof(asoc->cookie_how))
 1713                                 asoc->cookie_how[how_indx] = 10;
 1714                         return (NULL);
 1715                 }
 1716                 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
 1717                     (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
 1718                         *notification = SCTP_NOTIFY_ASSOC_UP;
 1719 
 1720                         if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
 1721                             (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
 1722                             (inp->sctp_socket->so_qlimit == 0)) {
 1723 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1724                                 struct socket *so;
 1725 
 1726 #endif
 1727                                 stcb->sctp_ep->sctp_flags |=
 1728                                     SCTP_PCB_FLAGS_CONNECTED;
 1729 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1730                                 so = SCTP_INP_SO(stcb->sctp_ep);
 1731                                 atomic_add_int(&stcb->asoc.refcnt, 1);
 1732                                 SCTP_TCB_UNLOCK(stcb);
 1733                                 SCTP_SOCKET_LOCK(so, 1);
 1734                                 SCTP_TCB_LOCK(stcb);
 1735                                 atomic_add_int(&stcb->asoc.refcnt, -1);
 1736                                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
 1737                                         SCTP_SOCKET_UNLOCK(so, 1);
 1738                                         return (NULL);
 1739                                 }
 1740 #endif
 1741                                 soisconnected(stcb->sctp_socket);
 1742 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1743                                 SCTP_SOCKET_UNLOCK(so, 1);
 1744 #endif
 1745                         }
 1746                         if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
 1747                                 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
 1748                         else
 1749                                 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
 1750                         SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 1751                 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
 1752                         SCTP_STAT_INCR_COUNTER32(sctps_restartestab);
 1753                 } else {
 1754                         SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
 1755                 }
 1756                 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 1757                 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 1758                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 1759                             stcb->sctp_ep, stcb, asoc->primary_destination);
 1760                 }
 1761                 sctp_stop_all_cookie_timers(stcb);
 1762                 sctp_toss_old_cookies(stcb, asoc);
 1763                 sctp_send_cookie_ack(stcb);
 1764                 if (spec_flag) {
 1765                         /*
 1766                          * only if we have retrans set do we do this. What
 1767                          * this call does is get only the COOKIE-ACK out and
 1768                          * then when we return the normal call to
 1769                          * sctp_chunk_output will get the retrans out behind
 1770                          * this.
 1771                          */
 1772                         sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED);
 1773                 }
 1774                 if (how_indx < sizeof(asoc->cookie_how))
 1775                         asoc->cookie_how[how_indx] = 11;
 1776 
 1777                 return (stcb);
 1778         }
 1779         if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
 1780             ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
 1781             cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
 1782             cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
 1783             cookie->tie_tag_peer_vtag != 0) {
 1784                 struct sctpasochead *head;
 1785 
 1786                 if (asoc->peer_supports_nat) {
 1787                         /*
 1788                          * This is a gross gross hack. just call the
 1789                          * cookie_new code since we are allowing a duplicate
 1790                          * association. I hope this works...
 1791                          */
 1792                         return (sctp_process_cookie_new(m, iphlen, offset, sh, cookie, cookie_len,
 1793                             inp, netp, init_src, notification,
 1794                             auth_skipped, auth_offset, auth_len,
 1795                             vrf_id, port));
 1796                 }
 1797                 /*
 1798                  * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
 1799                  */
 1800                 /* temp code */
 1801                 if (how_indx < sizeof(asoc->cookie_how))
 1802                         asoc->cookie_how[how_indx] = 12;
 1803                 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15);
 1804                 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
 1805 
 1806                 *sac_assoc_id = sctp_get_associd(stcb);
 1807                 /* notify upper layer */
 1808                 *notification = SCTP_NOTIFY_ASSOC_RESTART;
 1809                 atomic_add_int(&stcb->asoc.refcnt, 1);
 1810                 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) &&
 1811                     (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
 1812                     (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
 1813                         SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 1814                 }
 1815                 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
 1816                         SCTP_STAT_INCR_GAUGE32(sctps_restartestab);
 1817                 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) {
 1818                         SCTP_STAT_INCR_GAUGE32(sctps_collisionestab);
 1819                 }
 1820                 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 1821                         SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 1822                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 1823                             stcb->sctp_ep, stcb, asoc->primary_destination);
 1824 
 1825                 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
 1826                         /* move to OPEN state, if not in SHUTDOWN_SENT */
 1827                         SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 1828                 }
 1829                 asoc->pre_open_streams =
 1830                     ntohs(initack_cp->init.num_outbound_streams);
 1831                 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
 1832                 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
 1833                 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
 1834 
 1835                 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
 1836                 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
 1837 
 1838                 asoc->str_reset_seq_in = asoc->init_seq_number;
 1839 
 1840                 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
 1841                 if (asoc->mapping_array) {
 1842                         memset(asoc->mapping_array, 0,
 1843                             asoc->mapping_array_size);
 1844                 }
 1845                 /* EY 05/13/08 - nr_sack version of the above if statement */
 1846                 if (asoc->nr_mapping_array && SCTP_BASE_SYSCTL(sctp_nr_sack_on_off)
 1847                     && asoc->peer_supports_nr_sack) {
 1848                         memset(asoc->nr_mapping_array, 0,
 1849                             asoc->nr_mapping_array_size);
 1850                 }
 1851                 SCTP_TCB_UNLOCK(stcb);
 1852                 SCTP_INP_INFO_WLOCK();
 1853                 SCTP_INP_WLOCK(stcb->sctp_ep);
 1854                 SCTP_TCB_LOCK(stcb);
 1855                 atomic_add_int(&stcb->asoc.refcnt, -1);
 1856                 /* send up all the data */
 1857                 SCTP_TCB_SEND_LOCK(stcb);
 1858 
 1859                 sctp_report_all_outbound(stcb, 1, SCTP_SO_NOT_LOCKED);
 1860                 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
 1861                         stcb->asoc.strmout[i].stream_no = i;
 1862                         stcb->asoc.strmout[i].next_sequence_sent = 0;
 1863                         stcb->asoc.strmout[i].last_msg_incomplete = 0;
 1864                 }
 1865                 /* process the INIT-ACK info (my info) */
 1866                 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
 1867                 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
 1868 
 1869                 /* pull from vtag hash */
 1870                 LIST_REMOVE(stcb, sctp_asocs);
 1871                 /* re-insert to new vtag position */
 1872                 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag,
 1873                     SCTP_BASE_INFO(hashasocmark))];
 1874                 /*
 1875                  * put it in the bucket in the vtag hash of assoc's for the
 1876                  * system
 1877                  */
 1878                 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
 1879 
 1880                 /* process the INIT info (peer's info) */
 1881                 SCTP_TCB_SEND_UNLOCK(stcb);
 1882                 SCTP_INP_WUNLOCK(stcb->sctp_ep);
 1883                 SCTP_INP_INFO_WUNLOCK();
 1884 
 1885                 retval = sctp_process_init(init_cp, stcb, net);
 1886                 if (retval < 0) {
 1887                         if (how_indx < sizeof(asoc->cookie_how))
 1888                                 asoc->cookie_how[how_indx] = 13;
 1889 
 1890                         return (NULL);
 1891                 }
 1892                 /*
 1893                  * since we did not send a HB make sure we don't double
 1894                  * things
 1895                  */
 1896                 net->hb_responded = 1;
 1897 
 1898                 if (sctp_load_addresses_from_init(stcb, m, iphlen,
 1899                     init_offset + sizeof(struct sctp_init_chunk),
 1900                     initack_offset, sh, init_src)) {
 1901                         if (how_indx < sizeof(asoc->cookie_how))
 1902                                 asoc->cookie_how[how_indx] = 14;
 1903 
 1904                         return (NULL);
 1905                 }
 1906                 /* respond with a COOKIE-ACK */
 1907                 sctp_stop_all_cookie_timers(stcb);
 1908                 sctp_toss_old_cookies(stcb, asoc);
 1909                 sctp_send_cookie_ack(stcb);
 1910                 if (how_indx < sizeof(asoc->cookie_how))
 1911                         asoc->cookie_how[how_indx] = 15;
 1912 
 1913                 return (stcb);
 1914         }
 1915         if (how_indx < sizeof(asoc->cookie_how))
 1916                 asoc->cookie_how[how_indx] = 16;
 1917         /* all other cases... */
 1918         return (NULL);
 1919 }
 1920 
 1921 
 1922 /*
 1923  * handle a state cookie for a new association m: input packet mbuf chain--
 1924  * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf
 1925  * and the cookie signature does not exist offset: offset into mbuf to the
 1926  * cookie-echo chunk length: length of the cookie chunk to: where the init
 1927  * was from returns a new TCB
 1928  */
 1929 struct sctp_tcb *
 1930 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
 1931     struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
 1932     struct sctp_inpcb *inp, struct sctp_nets **netp,
 1933     struct sockaddr *init_src, int *notification,
 1934     int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
 1935     uint32_t vrf_id, uint16_t port)
 1936 {
 1937         struct sctp_tcb *stcb;
 1938         struct sctp_init_chunk *init_cp, init_buf;
 1939         struct sctp_init_ack_chunk *initack_cp, initack_buf;
 1940         struct sockaddr_storage sa_store;
 1941         struct sockaddr *initack_src = (struct sockaddr *)&sa_store;
 1942         struct sockaddr_in *sin;
 1943         struct sockaddr_in6 *sin6;
 1944         struct sctp_association *asoc;
 1945         int chk_length;
 1946         int init_offset, initack_offset, initack_limit;
 1947         int retval;
 1948         int error = 0;
 1949         uint32_t old_tag;
 1950         uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
 1951 
 1952 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 1953         struct socket *so;
 1954 
 1955         so = SCTP_INP_SO(inp);
 1956 #endif
 1957 
 1958         /*
 1959          * find and validate the INIT chunk in the cookie (peer's info) the
 1960          * INIT should start after the cookie-echo header struct (chunk
 1961          * header, state cookie header struct)
 1962          */
 1963         init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
 1964         init_cp = (struct sctp_init_chunk *)
 1965             sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
 1966             (uint8_t *) & init_buf);
 1967         if (init_cp == NULL) {
 1968                 /* could not pull a INIT chunk in cookie */
 1969                 SCTPDBG(SCTP_DEBUG_INPUT1,
 1970                     "process_cookie_new: could not pull INIT chunk hdr\n");
 1971                 return (NULL);
 1972         }
 1973         chk_length = ntohs(init_cp->ch.chunk_length);
 1974         if (init_cp->ch.chunk_type != SCTP_INITIATION) {
 1975                 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n");
 1976                 return (NULL);
 1977         }
 1978         initack_offset = init_offset + SCTP_SIZE32(chk_length);
 1979         /*
 1980          * find and validate the INIT-ACK chunk in the cookie (my info) the
 1981          * INIT-ACK follows the INIT chunk
 1982          */
 1983         initack_cp = (struct sctp_init_ack_chunk *)
 1984             sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
 1985             (uint8_t *) & initack_buf);
 1986         if (initack_cp == NULL) {
 1987                 /* could not pull INIT-ACK chunk in cookie */
 1988                 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n");
 1989                 return (NULL);
 1990         }
 1991         chk_length = ntohs(initack_cp->ch.chunk_length);
 1992         if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
 1993                 return (NULL);
 1994         }
 1995         /*
 1996          * NOTE: We can't use the INIT_ACK's chk_length to determine the
 1997          * "initack_limit" value.  This is because the chk_length field
 1998          * includes the length of the cookie, but the cookie is omitted when
 1999          * the INIT and INIT_ACK are tacked onto the cookie...
 2000          */
 2001         initack_limit = offset + cookie_len;
 2002 
 2003         /*
 2004          * now that we know the INIT/INIT-ACK are in place, create a new TCB
 2005          * and popluate
 2006          */
 2007 
 2008         /*
 2009          * Here we do a trick, we set in NULL for the proc/thread argument.
 2010          * We do this since in effect we only use the p argument when the
 2011          * socket is unbound and we must do an implicit bind. Since we are
 2012          * getting a cookie, we cannot be unbound.
 2013          */
 2014         stcb = sctp_aloc_assoc(inp, init_src, 0, &error,
 2015             ntohl(initack_cp->init.initiate_tag), vrf_id,
 2016             (struct thread *)NULL
 2017             );
 2018         if (stcb == NULL) {
 2019                 struct mbuf *op_err;
 2020 
 2021                 /* memory problem? */
 2022                 SCTPDBG(SCTP_DEBUG_INPUT1,
 2023                     "process_cookie_new: no room for another TCB!\n");
 2024                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
 2025 
 2026                 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
 2027                     sh, op_err, vrf_id, port);
 2028                 return (NULL);
 2029         }
 2030         /* get the correct sctp_nets */
 2031         if (netp)
 2032                 *netp = sctp_findnet(stcb, init_src);
 2033 
 2034         asoc = &stcb->asoc;
 2035         /* get scope variables out of cookie */
 2036         asoc->ipv4_local_scope = cookie->ipv4_scope;
 2037         asoc->site_scope = cookie->site_scope;
 2038         asoc->local_scope = cookie->local_scope;
 2039         asoc->loopback_scope = cookie->loopback_scope;
 2040 
 2041         if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) ||
 2042             (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) {
 2043                 struct mbuf *op_err;
 2044 
 2045                 /*
 2046                  * Houston we have a problem. The EP changed while the
 2047                  * cookie was in flight. Only recourse is to abort the
 2048                  * association.
 2049                  */
 2050                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2051                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
 2052                 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
 2053                     sh, op_err, vrf_id, port);
 2054 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2055                 SCTP_TCB_UNLOCK(stcb);
 2056                 SCTP_SOCKET_LOCK(so, 1);
 2057                 SCTP_TCB_LOCK(stcb);
 2058 #endif
 2059                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
 2060                     SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
 2061 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2062                 SCTP_SOCKET_UNLOCK(so, 1);
 2063 #endif
 2064                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2065                 return (NULL);
 2066         }
 2067         /* process the INIT-ACK info (my info) */
 2068         old_tag = asoc->my_vtag;
 2069         asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
 2070         asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
 2071         asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
 2072         asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
 2073         asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
 2074         asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
 2075         asoc->last_cwr_tsn = asoc->init_seq_number - 1;
 2076         asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
 2077         asoc->str_reset_seq_in = asoc->init_seq_number;
 2078 
 2079         asoc->advanced_peer_ack_point = asoc->last_acked_seq;
 2080 
 2081         /* process the INIT info (peer's info) */
 2082         if (netp)
 2083                 retval = sctp_process_init(init_cp, stcb, *netp);
 2084         else
 2085                 retval = 0;
 2086         if (retval < 0) {
 2087                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2088 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2089                 SCTP_TCB_UNLOCK(stcb);
 2090                 SCTP_SOCKET_LOCK(so, 1);
 2091                 SCTP_TCB_LOCK(stcb);
 2092 #endif
 2093                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16);
 2094 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2095                 SCTP_SOCKET_UNLOCK(so, 1);
 2096 #endif
 2097                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2098                 return (NULL);
 2099         }
 2100         /* load all addresses */
 2101         if (sctp_load_addresses_from_init(stcb, m, iphlen,
 2102             init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh,
 2103             init_src)) {
 2104                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2105 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2106                 SCTP_TCB_UNLOCK(stcb);
 2107                 SCTP_SOCKET_LOCK(so, 1);
 2108                 SCTP_TCB_LOCK(stcb);
 2109 #endif
 2110                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17);
 2111 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2112                 SCTP_SOCKET_UNLOCK(so, 1);
 2113 #endif
 2114                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2115                 return (NULL);
 2116         }
 2117         /*
 2118          * verify any preceding AUTH chunk that was skipped
 2119          */
 2120         /* pull the local authentication parameters from the cookie/init-ack */
 2121         sctp_auth_get_cookie_params(stcb, m,
 2122             initack_offset + sizeof(struct sctp_init_ack_chunk),
 2123             initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)));
 2124         if (auth_skipped) {
 2125                 struct sctp_auth_chunk *auth;
 2126 
 2127                 auth = (struct sctp_auth_chunk *)
 2128                     sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
 2129                 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
 2130                         /* auth HMAC failed, dump the assoc and packet */
 2131                         SCTPDBG(SCTP_DEBUG_AUTH1,
 2132                             "COOKIE-ECHO: AUTH failed\n");
 2133                         atomic_add_int(&stcb->asoc.refcnt, 1);
 2134 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2135                         SCTP_TCB_UNLOCK(stcb);
 2136                         SCTP_SOCKET_LOCK(so, 1);
 2137                         SCTP_TCB_LOCK(stcb);
 2138 #endif
 2139                         (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18);
 2140 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2141                         SCTP_SOCKET_UNLOCK(so, 1);
 2142 #endif
 2143                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2144                         return (NULL);
 2145                 } else {
 2146                         /* remaining chunks checked... good to go */
 2147                         stcb->asoc.authenticated = 1;
 2148                 }
 2149         }
 2150         /* update current state */
 2151         SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
 2152         SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 2153         if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 2154                 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 2155                     stcb->sctp_ep, stcb, asoc->primary_destination);
 2156         }
 2157         sctp_stop_all_cookie_timers(stcb);
 2158         SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
 2159         SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 2160 
 2161         /*
 2162          * if we're doing ASCONFs, check to see if we have any new local
 2163          * addresses that need to get added to the peer (eg. addresses
 2164          * changed while cookie echo in flight).  This needs to be done
 2165          * after we go to the OPEN state to do the correct asconf
 2166          * processing. else, make sure we have the correct addresses in our
 2167          * lists
 2168          */
 2169 
 2170         /* warning, we re-use sin, sin6, sa_store here! */
 2171         /* pull in local_address (our "from" address) */
 2172         if (cookie->laddr_type == SCTP_IPV4_ADDRESS) {
 2173                 /* source addr is IPv4 */
 2174                 sin = (struct sockaddr_in *)initack_src;
 2175                 memset(sin, 0, sizeof(*sin));
 2176                 sin->sin_family = AF_INET;
 2177                 sin->sin_len = sizeof(struct sockaddr_in);
 2178                 sin->sin_addr.s_addr = cookie->laddress[0];
 2179         } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) {
 2180                 /* source addr is IPv6 */
 2181                 sin6 = (struct sockaddr_in6 *)initack_src;
 2182                 memset(sin6, 0, sizeof(*sin6));
 2183                 sin6->sin6_family = AF_INET6;
 2184                 sin6->sin6_len = sizeof(struct sockaddr_in6);
 2185                 sin6->sin6_scope_id = cookie->scope_id;
 2186                 memcpy(&sin6->sin6_addr, cookie->laddress,
 2187                     sizeof(sin6->sin6_addr));
 2188         } else {
 2189                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2190 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2191                 SCTP_TCB_UNLOCK(stcb);
 2192                 SCTP_SOCKET_LOCK(so, 1);
 2193                 SCTP_TCB_LOCK(stcb);
 2194 #endif
 2195                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19);
 2196 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2197                 SCTP_SOCKET_UNLOCK(so, 1);
 2198 #endif
 2199                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2200                 return (NULL);
 2201         }
 2202 
 2203         /* set up to notify upper layer */
 2204         *notification = SCTP_NOTIFY_ASSOC_UP;
 2205         if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
 2206             (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
 2207             (inp->sctp_socket->so_qlimit == 0)) {
 2208                 /*
 2209                  * This is an endpoint that called connect() how it got a
 2210                  * cookie that is NEW is a bit of a mystery. It must be that
 2211                  * the INIT was sent, but before it got there.. a complete
 2212                  * INIT/INIT-ACK/COOKIE arrived. But of course then it
 2213                  * should have went to the other code.. not here.. oh well..
 2214                  * a bit of protection is worth having..
 2215                  */
 2216                 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
 2217 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2218                 atomic_add_int(&stcb->asoc.refcnt, 1);
 2219                 SCTP_TCB_UNLOCK(stcb);
 2220                 SCTP_SOCKET_LOCK(so, 1);
 2221                 SCTP_TCB_LOCK(stcb);
 2222                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2223                 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
 2224                         SCTP_SOCKET_UNLOCK(so, 1);
 2225                         return (NULL);
 2226                 }
 2227 #endif
 2228                 soisconnected(stcb->sctp_socket);
 2229 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2230                 SCTP_SOCKET_UNLOCK(so, 1);
 2231 #endif
 2232         } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
 2233             (inp->sctp_socket->so_qlimit)) {
 2234                 /*
 2235                  * We don't want to do anything with this one. Since it is
 2236                  * the listening guy. The timer will get started for
 2237                  * accepted connections in the caller.
 2238                  */
 2239                 ;
 2240         }
 2241         /* since we did not send a HB make sure we don't double things */
 2242         if ((netp) && (*netp))
 2243                 (*netp)->hb_responded = 1;
 2244 
 2245         if (stcb->asoc.sctp_autoclose_ticks &&
 2246             sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
 2247                 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
 2248         }
 2249         /* calculate the RTT */
 2250         (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
 2251         if ((netp) && (*netp)) {
 2252                 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
 2253                     &cookie->time_entered, sctp_align_unsafe_makecopy);
 2254         }
 2255         /* respond with a COOKIE-ACK */
 2256         sctp_send_cookie_ack(stcb);
 2257 
 2258         /*
 2259          * check the address lists for any ASCONFs that need to be sent
 2260          * AFTER the cookie-ack is sent
 2261          */
 2262         sctp_check_address_list(stcb, m,
 2263             initack_offset + sizeof(struct sctp_init_ack_chunk),
 2264             initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)),
 2265             initack_src, cookie->local_scope, cookie->site_scope,
 2266             cookie->ipv4_scope, cookie->loopback_scope);
 2267 
 2268 
 2269         return (stcb);
 2270 }
 2271 
 2272 /*
 2273  * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e
 2274  * we NEED to make sure we are not already using the vtag. If so we
 2275  * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit!
 2276         head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag,
 2277                                                             SCTP_BASE_INFO(hashasocmark))];
 2278         LIST_FOREACH(stcb, head, sctp_asocs) {
 2279                 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep))  {
 2280                        -- SEND ABORT - TRY AGAIN --
 2281                 }
 2282         }
 2283 */
 2284 
 2285 /*
 2286  * handles a COOKIE-ECHO message stcb: modified to either a new or left as
 2287  * existing (non-NULL) TCB
 2288  */
 2289 static struct mbuf *
 2290 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
 2291     struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
 2292     struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp,
 2293     int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
 2294     struct sctp_tcb **locked_tcb, uint32_t vrf_id, uint16_t port)
 2295 {
 2296         struct sctp_state_cookie *cookie;
 2297         struct sockaddr_in6 sin6;
 2298         struct sockaddr_in sin;
 2299         struct sctp_tcb *l_stcb = *stcb;
 2300         struct sctp_inpcb *l_inp;
 2301         struct sockaddr *to;
 2302         sctp_assoc_t sac_restart_id;
 2303         struct sctp_pcb *ep;
 2304         struct mbuf *m_sig;
 2305         uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
 2306         uint8_t *sig;
 2307         uint8_t cookie_ok = 0;
 2308         unsigned int size_of_pkt, sig_offset, cookie_offset;
 2309         unsigned int cookie_len;
 2310         struct timeval now;
 2311         struct timeval time_expires;
 2312         struct sockaddr_storage dest_store;
 2313         struct sockaddr *localep_sa = (struct sockaddr *)&dest_store;
 2314         struct ip *iph;
 2315         int notification = 0;
 2316         struct sctp_nets *netl;
 2317         int had_a_existing_tcb = 0;
 2318 
 2319         SCTPDBG(SCTP_DEBUG_INPUT2,
 2320             "sctp_handle_cookie: handling COOKIE-ECHO\n");
 2321 
 2322         if (inp_p == NULL) {
 2323                 return (NULL);
 2324         }
 2325         /* First get the destination address setup too. */
 2326         iph = mtod(m, struct ip *);
 2327         switch (iph->ip_v) {
 2328         case IPVERSION:
 2329                 {
 2330                         /* its IPv4 */
 2331                         struct sockaddr_in *lsin;
 2332 
 2333                         lsin = (struct sockaddr_in *)(localep_sa);
 2334                         memset(lsin, 0, sizeof(*lsin));
 2335                         lsin->sin_family = AF_INET;
 2336                         lsin->sin_len = sizeof(*lsin);
 2337                         lsin->sin_port = sh->dest_port;
 2338                         lsin->sin_addr.s_addr = iph->ip_dst.s_addr;
 2339                         size_of_pkt = SCTP_GET_IPV4_LENGTH(iph);
 2340                         break;
 2341                 }
 2342 #ifdef INET6
 2343         case IPV6_VERSION >> 4:
 2344                 {
 2345                         /* its IPv6 */
 2346                         struct ip6_hdr *ip6;
 2347                         struct sockaddr_in6 *lsin6;
 2348 
 2349                         lsin6 = (struct sockaddr_in6 *)(localep_sa);
 2350                         memset(lsin6, 0, sizeof(*lsin6));
 2351                         lsin6->sin6_family = AF_INET6;
 2352                         lsin6->sin6_len = sizeof(struct sockaddr_in6);
 2353                         ip6 = mtod(m, struct ip6_hdr *);
 2354                         lsin6->sin6_port = sh->dest_port;
 2355                         lsin6->sin6_addr = ip6->ip6_dst;
 2356                         size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen;
 2357                         break;
 2358                 }
 2359 #endif
 2360         default:
 2361                 return (NULL);
 2362         }
 2363 
 2364         cookie = &cp->cookie;
 2365         cookie_offset = offset + sizeof(struct sctp_chunkhdr);
 2366         cookie_len = ntohs(cp->ch.chunk_length);
 2367 
 2368         if ((cookie->peerport != sh->src_port) &&
 2369             (cookie->myport != sh->dest_port) &&
 2370             (cookie->my_vtag != sh->v_tag)) {
 2371                 /*
 2372                  * invalid ports or bad tag.  Note that we always leave the
 2373                  * v_tag in the header in network order and when we stored
 2374                  * it in the my_vtag slot we also left it in network order.
 2375                  * This maintains the match even though it may be in the
 2376                  * opposite byte order of the machine :->
 2377                  */
 2378                 return (NULL);
 2379         }
 2380         if (cookie_len > size_of_pkt ||
 2381             cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
 2382             sizeof(struct sctp_init_chunk) +
 2383             sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
 2384                 /* cookie too long!  or too small */
 2385                 return (NULL);
 2386         }
 2387         /*
 2388          * split off the signature into its own mbuf (since it should not be
 2389          * calculated in the sctp_hmac_m() call).
 2390          */
 2391         sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
 2392         if (sig_offset > size_of_pkt) {
 2393                 /* packet not correct size! */
 2394                 /* XXX this may already be accounted for earlier... */
 2395                 return (NULL);
 2396         }
 2397         m_sig = m_split(m, sig_offset, M_DONTWAIT);
 2398         if (m_sig == NULL) {
 2399                 /* out of memory or ?? */
 2400                 return (NULL);
 2401         }
 2402 #ifdef SCTP_MBUF_LOGGING
 2403         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
 2404                 struct mbuf *mat;
 2405 
 2406                 mat = m_sig;
 2407                 while (mat) {
 2408                         if (SCTP_BUF_IS_EXTENDED(mat)) {
 2409                                 sctp_log_mb(mat, SCTP_MBUF_SPLIT);
 2410                         }
 2411                         mat = SCTP_BUF_NEXT(mat);
 2412                 }
 2413         }
 2414 #endif
 2415 
 2416         /*
 2417          * compute the signature/digest for the cookie
 2418          */
 2419         ep = &(*inp_p)->sctp_ep;
 2420         l_inp = *inp_p;
 2421         if (l_stcb) {
 2422                 SCTP_TCB_UNLOCK(l_stcb);
 2423         }
 2424         SCTP_INP_RLOCK(l_inp);
 2425         if (l_stcb) {
 2426                 SCTP_TCB_LOCK(l_stcb);
 2427         }
 2428         /* which cookie is it? */
 2429         if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
 2430             (ep->current_secret_number != ep->last_secret_number)) {
 2431                 /* it's the old cookie */
 2432                 (void)sctp_hmac_m(SCTP_HMAC,
 2433                     (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
 2434                     SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
 2435         } else {
 2436                 /* it's the current cookie */
 2437                 (void)sctp_hmac_m(SCTP_HMAC,
 2438                     (uint8_t *) ep->secret_key[(int)ep->current_secret_number],
 2439                     SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
 2440         }
 2441         /* get the signature */
 2442         SCTP_INP_RUNLOCK(l_inp);
 2443         sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig);
 2444         if (sig == NULL) {
 2445                 /* couldn't find signature */
 2446                 sctp_m_freem(m_sig);
 2447                 return (NULL);
 2448         }
 2449         /* compare the received digest with the computed digest */
 2450         if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
 2451                 /* try the old cookie? */
 2452                 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
 2453                     (ep->current_secret_number != ep->last_secret_number)) {
 2454                         /* compute digest with old */
 2455                         (void)sctp_hmac_m(SCTP_HMAC,
 2456                             (uint8_t *) ep->secret_key[(int)ep->last_secret_number],
 2457                             SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
 2458                         /* compare */
 2459                         if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
 2460                                 cookie_ok = 1;
 2461                 }
 2462         } else {
 2463                 cookie_ok = 1;
 2464         }
 2465 
 2466         /*
 2467          * Now before we continue we must reconstruct our mbuf so that
 2468          * normal processing of any other chunks will work.
 2469          */
 2470         {
 2471                 struct mbuf *m_at;
 2472 
 2473                 m_at = m;
 2474                 while (SCTP_BUF_NEXT(m_at) != NULL) {
 2475                         m_at = SCTP_BUF_NEXT(m_at);
 2476                 }
 2477                 SCTP_BUF_NEXT(m_at) = m_sig;
 2478         }
 2479 
 2480         if (cookie_ok == 0) {
 2481                 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n");
 2482                 SCTPDBG(SCTP_DEBUG_INPUT2,
 2483                     "offset = %u, cookie_offset = %u, sig_offset = %u\n",
 2484                     (uint32_t) offset, cookie_offset, sig_offset);
 2485                 return (NULL);
 2486         }
 2487         /*
 2488          * check the cookie timestamps to be sure it's not stale
 2489          */
 2490         (void)SCTP_GETTIME_TIMEVAL(&now);
 2491         /* Expire time is in Ticks, so we convert to seconds */
 2492         time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life);
 2493         time_expires.tv_usec = cookie->time_entered.tv_usec;
 2494         /*
 2495          * TODO sctp_constants.h needs alternative time macros when _KERNEL
 2496          * is undefined.
 2497          */
 2498         if (timevalcmp(&now, &time_expires, >)) {
 2499                 /* cookie is stale! */
 2500                 struct mbuf *op_err;
 2501                 struct sctp_stale_cookie_msg *scm;
 2502                 uint32_t tim;
 2503 
 2504                 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg),
 2505                     0, M_DONTWAIT, 1, MT_DATA);
 2506                 if (op_err == NULL) {
 2507                         /* FOOBAR */
 2508                         return (NULL);
 2509                 }
 2510                 /* pre-reserve some space */
 2511 #ifdef INET6
 2512                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
 2513 #else
 2514                 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
 2515 #endif
 2516                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
 2517                 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
 2518 
 2519                 /* Set the len */
 2520                 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg);
 2521                 scm = mtod(op_err, struct sctp_stale_cookie_msg *);
 2522                 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE);
 2523                 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) +
 2524                     (sizeof(uint32_t))));
 2525                 /* seconds to usec */
 2526                 tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
 2527                 /* add in usec */
 2528                 if (tim == 0)
 2529                         tim = now.tv_usec - cookie->time_entered.tv_usec;
 2530                 scm->time_usec = htonl(tim);
 2531                 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag,
 2532                     vrf_id, port);
 2533                 return (NULL);
 2534         }
 2535         /*
 2536          * Now we must see with the lookup address if we have an existing
 2537          * asoc. This will only happen if we were in the COOKIE-WAIT state
 2538          * and a INIT collided with us and somewhere the peer sent the
 2539          * cookie on another address besides the single address our assoc
 2540          * had for him. In this case we will have one of the tie-tags set at
 2541          * least AND the address field in the cookie can be used to look it
 2542          * up.
 2543          */
 2544         to = NULL;
 2545         if (cookie->addr_type == SCTP_IPV6_ADDRESS) {
 2546                 memset(&sin6, 0, sizeof(sin6));
 2547                 sin6.sin6_family = AF_INET6;
 2548                 sin6.sin6_len = sizeof(sin6);
 2549                 sin6.sin6_port = sh->src_port;
 2550                 sin6.sin6_scope_id = cookie->scope_id;
 2551                 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
 2552                     sizeof(sin6.sin6_addr.s6_addr));
 2553                 to = (struct sockaddr *)&sin6;
 2554         } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) {
 2555                 memset(&sin, 0, sizeof(sin));
 2556                 sin.sin_family = AF_INET;
 2557                 sin.sin_len = sizeof(sin);
 2558                 sin.sin_port = sh->src_port;
 2559                 sin.sin_addr.s_addr = cookie->address[0];
 2560                 to = (struct sockaddr *)&sin;
 2561         } else {
 2562                 /* This should not happen */
 2563                 return (NULL);
 2564         }
 2565         if ((*stcb == NULL) && to) {
 2566                 /* Yep, lets check */
 2567                 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL);
 2568                 if (*stcb == NULL) {
 2569                         /*
 2570                          * We should have only got back the same inp. If we
 2571                          * got back a different ep we have a problem. The
 2572                          * original findep got back l_inp and now
 2573                          */
 2574                         if (l_inp != *inp_p) {
 2575                                 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n");
 2576                         }
 2577                 } else {
 2578                         if (*locked_tcb == NULL) {
 2579                                 /*
 2580                                  * In this case we found the assoc only
 2581                                  * after we locked the create lock. This
 2582                                  * means we are in a colliding case and we
 2583                                  * must make sure that we unlock the tcb if
 2584                                  * its one of the cases where we throw away
 2585                                  * the incoming packets.
 2586                                  */
 2587                                 *locked_tcb = *stcb;
 2588 
 2589                                 /*
 2590                                  * We must also increment the inp ref count
 2591                                  * since the ref_count flags was set when we
 2592                                  * did not find the TCB, now we found it
 2593                                  * which reduces the refcount.. we must
 2594                                  * raise it back out to balance it all :-)
 2595                                  */
 2596                                 SCTP_INP_INCR_REF((*stcb)->sctp_ep);
 2597                                 if ((*stcb)->sctp_ep != l_inp) {
 2598                                         SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n",
 2599                                             (*stcb)->sctp_ep, l_inp);
 2600                                 }
 2601                         }
 2602                 }
 2603         }
 2604         if (to == NULL)
 2605                 return (NULL);
 2606 
 2607         cookie_len -= SCTP_SIGNATURE_SIZE;
 2608         if (*stcb == NULL) {
 2609                 /* this is the "normal" case... get a new TCB */
 2610                 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie,
 2611                     cookie_len, *inp_p, netp, to, &notification,
 2612                     auth_skipped, auth_offset, auth_len, vrf_id, port);
 2613         } else {
 2614                 /* this is abnormal... cookie-echo on existing TCB */
 2615                 had_a_existing_tcb = 1;
 2616                 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh,
 2617                     cookie, cookie_len, *inp_p, *stcb, netp, to,
 2618                     &notification, &sac_restart_id, vrf_id, auth_skipped, auth_offset, auth_len, port);
 2619         }
 2620 
 2621         if (*stcb == NULL) {
 2622                 /* still no TCB... must be bad cookie-echo */
 2623                 return (NULL);
 2624         }
 2625         /*
 2626          * Ok, we built an association so confirm the address we sent the
 2627          * INIT-ACK to.
 2628          */
 2629         netl = sctp_findnet(*stcb, to);
 2630         /*
 2631          * This code should in theory NOT run but
 2632          */
 2633         if (netl == NULL) {
 2634                 /* TSNH! Huh, why do I need to add this address here? */
 2635                 int ret;
 2636 
 2637                 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE,
 2638                     SCTP_IN_COOKIE_PROC);
 2639                 netl = sctp_findnet(*stcb, to);
 2640         }
 2641         if (netl) {
 2642                 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
 2643                         netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
 2644                         (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
 2645                             netl);
 2646                         sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
 2647                             (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
 2648                 }
 2649         }
 2650         if (*stcb) {
 2651                 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p,
 2652                     *stcb, NULL);
 2653         }
 2654         if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
 2655                 if (!had_a_existing_tcb ||
 2656                     (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
 2657                         /*
 2658                          * If we have a NEW cookie or the connect never
 2659                          * reached the connected state during collision we
 2660                          * must do the TCP accept thing.
 2661                          */
 2662                         struct socket *so, *oso;
 2663                         struct sctp_inpcb *inp;
 2664 
 2665                         if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
 2666                                 /*
 2667                                  * For a restart we will keep the same
 2668                                  * socket, no need to do anything. I THINK!!
 2669                                  */
 2670                                 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id, SCTP_SO_NOT_LOCKED);
 2671                                 return (m);
 2672                         }
 2673                         oso = (*inp_p)->sctp_socket;
 2674                         atomic_add_int(&(*stcb)->asoc.refcnt, 1);
 2675                         SCTP_TCB_UNLOCK((*stcb));
 2676                         so = sonewconn(oso, 0
 2677                             );
 2678                         SCTP_TCB_LOCK((*stcb));
 2679                         atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
 2680 
 2681                         if (so == NULL) {
 2682                                 struct mbuf *op_err;
 2683 
 2684 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2685                                 struct socket *pcb_so;
 2686 
 2687 #endif
 2688                                 /* Too many sockets */
 2689                                 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n");
 2690                                 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
 2691                                 sctp_abort_association(*inp_p, NULL, m, iphlen,
 2692                                     sh, op_err, vrf_id, port);
 2693 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2694                                 pcb_so = SCTP_INP_SO(*inp_p);
 2695                                 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
 2696                                 SCTP_TCB_UNLOCK((*stcb));
 2697                                 SCTP_SOCKET_LOCK(pcb_so, 1);
 2698                                 SCTP_TCB_LOCK((*stcb));
 2699                                 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
 2700 #endif
 2701                                 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20);
 2702 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2703                                 SCTP_SOCKET_UNLOCK(pcb_so, 1);
 2704 #endif
 2705                                 return (NULL);
 2706                         }
 2707                         inp = (struct sctp_inpcb *)so->so_pcb;
 2708                         SCTP_INP_INCR_REF(inp);
 2709                         /*
 2710                          * We add the unbound flag here so that if we get an
 2711                          * soabort() before we get the move_pcb done, we
 2712                          * will properly cleanup.
 2713                          */
 2714                         inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
 2715                             SCTP_PCB_FLAGS_CONNECTED |
 2716                             SCTP_PCB_FLAGS_IN_TCPPOOL |
 2717                             SCTP_PCB_FLAGS_UNBOUND |
 2718                             (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
 2719                             SCTP_PCB_FLAGS_DONT_WAKE);
 2720                         inp->sctp_features = (*inp_p)->sctp_features;
 2721                         inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features;
 2722                         inp->sctp_socket = so;
 2723                         inp->sctp_frag_point = (*inp_p)->sctp_frag_point;
 2724                         inp->partial_delivery_point = (*inp_p)->partial_delivery_point;
 2725                         inp->sctp_context = (*inp_p)->sctp_context;
 2726                         inp->inp_starting_point_for_iterator = NULL;
 2727                         /*
 2728                          * copy in the authentication parameters from the
 2729                          * original endpoint
 2730                          */
 2731                         if (inp->sctp_ep.local_hmacs)
 2732                                 sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
 2733                         inp->sctp_ep.local_hmacs =
 2734                             sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs);
 2735                         if (inp->sctp_ep.local_auth_chunks)
 2736                                 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
 2737                         inp->sctp_ep.local_auth_chunks =
 2738                             sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks);
 2739 
 2740                         /*
 2741                          * Now we must move it from one hash table to
 2742                          * another and get the tcb in the right place.
 2743                          */
 2744                         sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
 2745 
 2746                         atomic_add_int(&(*stcb)->asoc.refcnt, 1);
 2747                         SCTP_TCB_UNLOCK((*stcb));
 2748 
 2749                         sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb,
 2750                             0);
 2751                         SCTP_TCB_LOCK((*stcb));
 2752                         atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
 2753 
 2754 
 2755                         /*
 2756                          * now we must check to see if we were aborted while
 2757                          * the move was going on and the lock/unlock
 2758                          * happened.
 2759                          */
 2760                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 2761                                 /*
 2762                                  * yep it was, we leave the assoc attached
 2763                                  * to the socket since the sctp_inpcb_free()
 2764                                  * call will send an abort for us.
 2765                                  */
 2766                                 SCTP_INP_DECR_REF(inp);
 2767                                 return (NULL);
 2768                         }
 2769                         SCTP_INP_DECR_REF(inp);
 2770                         /* Switch over to the new guy */
 2771                         *inp_p = inp;
 2772                         sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 2773 
 2774                         /*
 2775                          * Pull it from the incomplete queue and wake the
 2776                          * guy
 2777                          */
 2778 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2779                         atomic_add_int(&(*stcb)->asoc.refcnt, 1);
 2780                         SCTP_TCB_UNLOCK((*stcb));
 2781                         SCTP_SOCKET_LOCK(so, 1);
 2782 #endif
 2783                         soisconnected(so);
 2784 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2785                         SCTP_TCB_LOCK((*stcb));
 2786                         atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
 2787                         SCTP_SOCKET_UNLOCK(so, 1);
 2788 #endif
 2789                         return (m);
 2790                 }
 2791         }
 2792         if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
 2793                 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 2794         }
 2795         return (m);
 2796 }
 2797 
 2798 static void
 2799 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp,
 2800     struct sctp_tcb *stcb, struct sctp_nets *net)
 2801 {
 2802         /* cp must not be used, others call this without a c-ack :-) */
 2803         struct sctp_association *asoc;
 2804 
 2805         SCTPDBG(SCTP_DEBUG_INPUT2,
 2806             "sctp_handle_cookie_ack: handling COOKIE-ACK\n");
 2807         if (stcb == NULL)
 2808                 return;
 2809 
 2810         asoc = &stcb->asoc;
 2811 
 2812         sctp_stop_all_cookie_timers(stcb);
 2813         /* process according to association state */
 2814         if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
 2815                 /* state change only needed when I am in right state */
 2816                 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
 2817                 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
 2818                 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
 2819                         sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
 2820                             stcb->sctp_ep, stcb, asoc->primary_destination);
 2821 
 2822                 }
 2823                 /* update RTO */
 2824                 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
 2825                 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
 2826                 if (asoc->overall_error_count == 0) {
 2827                         net->RTO = sctp_calculate_rto(stcb, asoc, net,
 2828                             &asoc->time_entered, sctp_align_safe_nocopy);
 2829                 }
 2830                 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
 2831                 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 2832                 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
 2833                     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
 2834 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2835                         struct socket *so;
 2836 
 2837 #endif
 2838                         stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
 2839 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2840                         so = SCTP_INP_SO(stcb->sctp_ep);
 2841                         atomic_add_int(&stcb->asoc.refcnt, 1);
 2842                         SCTP_TCB_UNLOCK(stcb);
 2843                         SCTP_SOCKET_LOCK(so, 1);
 2844                         SCTP_TCB_LOCK(stcb);
 2845                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 2846                         if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
 2847                                 SCTP_SOCKET_UNLOCK(so, 1);
 2848                                 return;
 2849                         }
 2850 #endif
 2851                         soisconnected(stcb->sctp_socket);
 2852 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 2853                         SCTP_SOCKET_UNLOCK(so, 1);
 2854 #endif
 2855                 }
 2856                 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
 2857                     stcb, net);
 2858                 /*
 2859                  * since we did not send a HB make sure we don't double
 2860                  * things
 2861                  */
 2862                 net->hb_responded = 1;
 2863 
 2864                 if (stcb->asoc.sctp_autoclose_ticks &&
 2865                     sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
 2866                         sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
 2867                             stcb->sctp_ep, stcb, NULL);
 2868                 }
 2869                 /*
 2870                  * send ASCONF if parameters are pending and ASCONFs are
 2871                  * allowed (eg. addresses changed when init/cookie echo were
 2872                  * in flight)
 2873                  */
 2874                 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) &&
 2875                     (stcb->asoc.peer_supports_asconf) &&
 2876                     (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
 2877 #ifdef SCTP_TIMER_BASED_ASCONF
 2878                         sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
 2879                             stcb->sctp_ep, stcb,
 2880                             stcb->asoc.primary_destination);
 2881 #else
 2882                         sctp_send_asconf(stcb, stcb->asoc.primary_destination,
 2883                             SCTP_ADDR_NOT_LOCKED);
 2884 #endif
 2885                 }
 2886         }
 2887         /* Toss the cookie if I can */
 2888         sctp_toss_old_cookies(stcb, asoc);
 2889         if (!TAILQ_EMPTY(&asoc->sent_queue)) {
 2890                 /* Restart the timer if we have pending data */
 2891                 struct sctp_tmit_chunk *chk;
 2892 
 2893                 chk = TAILQ_FIRST(&asoc->sent_queue);
 2894                 if (chk) {
 2895                         sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
 2896                             stcb, chk->whoTo);
 2897                 }
 2898         }
 2899 }
 2900 
 2901 static void
 2902 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
 2903     struct sctp_tcb *stcb)
 2904 {
 2905         struct sctp_nets *net;
 2906         struct sctp_tmit_chunk *lchk;
 2907         uint32_t tsn;
 2908 
 2909         if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) {
 2910                 return;
 2911         }
 2912         SCTP_STAT_INCR(sctps_recvecne);
 2913         tsn = ntohl(cp->tsn);
 2914         /* ECN Nonce stuff: need a resync and disable the nonce sum check */
 2915         /* Also we make sure we disable the nonce_wait */
 2916         lchk = TAILQ_FIRST(&stcb->asoc.send_queue);
 2917         if (lchk == NULL) {
 2918                 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq;
 2919         } else {
 2920                 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq;
 2921         }
 2922         stcb->asoc.nonce_wait_for_ecne = 0;
 2923         stcb->asoc.nonce_sum_check = 0;
 2924 
 2925         /* Find where it was sent, if possible */
 2926         net = NULL;
 2927         lchk = TAILQ_FIRST(&stcb->asoc.sent_queue);
 2928         while (lchk) {
 2929                 if (lchk->rec.data.TSN_seq == tsn) {
 2930                         net = lchk->whoTo;
 2931                         break;
 2932                 }
 2933                 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ))
 2934                         break;
 2935                 lchk = TAILQ_NEXT(lchk, sctp_next);
 2936         }
 2937         if (net == NULL)
 2938                 /* default is we use the primary */
 2939                 net = stcb->asoc.primary_destination;
 2940 
 2941         if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) {
 2942                 /*
 2943                  * JRS - Use the congestion control given in the pluggable
 2944                  * CC module
 2945                  */
 2946                 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net);
 2947                 /*
 2948                  * we reduce once every RTT. So we will only lower cwnd at
 2949                  * the next sending seq i.e. the resync_tsn.
 2950                  */
 2951                 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn;
 2952         }
 2953         /*
 2954          * We always send a CWR this way if our previous one was lost our
 2955          * peer will get an update, or if it is not time again to reduce we
 2956          * still get the cwr to the peer.
 2957          */
 2958         sctp_send_cwr(stcb, net, tsn);
 2959 }
 2960 
 2961 static void
 2962 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb)
 2963 {
 2964         /*
 2965          * Here we get a CWR from the peer. We must look in the outqueue and
 2966          * make sure that we have a covered ECNE in teh control chunk part.
 2967          * If so remove it.
 2968          */
 2969         struct sctp_tmit_chunk *chk;
 2970         struct sctp_ecne_chunk *ecne;
 2971 
 2972         TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
 2973                 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) {
 2974                         continue;
 2975                 }
 2976                 /*
 2977                  * Look for and remove if it is the right TSN. Since there
 2978                  * is only ONE ECNE on the control queue at any one time we
 2979                  * don't need to worry about more than one!
 2980                  */
 2981                 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
 2982                 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn),
 2983                     MAX_TSN) || (cp->tsn == ecne->tsn)) {
 2984                         /* this covers this ECNE, we can remove it */
 2985                         stcb->asoc.ecn_echo_cnt_onq--;
 2986                         TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
 2987                             sctp_next);
 2988                         if (chk->data) {
 2989                                 sctp_m_freem(chk->data);
 2990                                 chk->data = NULL;
 2991                         }
 2992                         stcb->asoc.ctrl_queue_cnt--;
 2993                         sctp_free_a_chunk(stcb, chk);
 2994                         break;
 2995                 }
 2996         }
 2997 }
 2998 
 2999 static void
 3000 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp,
 3001     struct sctp_tcb *stcb, struct sctp_nets *net)
 3002 {
 3003         struct sctp_association *asoc;
 3004 
 3005 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 3006         struct socket *so;
 3007 
 3008 #endif
 3009 
 3010         SCTPDBG(SCTP_DEBUG_INPUT2,
 3011             "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
 3012         if (stcb == NULL)
 3013                 return;
 3014 
 3015         asoc = &stcb->asoc;
 3016         /* process according to association state */
 3017         if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
 3018                 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
 3019                 SCTPDBG(SCTP_DEBUG_INPUT2,
 3020                     "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n");
 3021                 SCTP_TCB_UNLOCK(stcb);
 3022                 return;
 3023         }
 3024         /* notify upper layer protocol */
 3025         if (stcb->sctp_socket) {
 3026                 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 3027                 /* are the queues empty? they should be */
 3028                 if (!TAILQ_EMPTY(&asoc->send_queue) ||
 3029                     !TAILQ_EMPTY(&asoc->sent_queue) ||
 3030                     !TAILQ_EMPTY(&asoc->out_wheel)) {
 3031                         sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED);
 3032                 }
 3033         }
 3034         /* stop the timer */
 3035         sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22);
 3036         SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
 3037         /* free the TCB */
 3038         SCTPDBG(SCTP_DEBUG_INPUT2,
 3039             "sctp_handle_shutdown_complete: calls free-asoc\n");
 3040 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 3041         so = SCTP_INP_SO(stcb->sctp_ep);
 3042         atomic_add_int(&stcb->asoc.refcnt, 1);
 3043         SCTP_TCB_UNLOCK(stcb);
 3044         SCTP_SOCKET_LOCK(so, 1);
 3045         SCTP_TCB_LOCK(stcb);
 3046         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 3047 #endif
 3048         (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23);
 3049 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 3050         SCTP_SOCKET_UNLOCK(so, 1);
 3051 #endif
 3052         return;
 3053 }
 3054 
 3055 static int
 3056 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
 3057     struct sctp_nets *net, uint8_t flg)
 3058 {
 3059         switch (desc->chunk_type) {
 3060                 case SCTP_DATA:
 3061                 /* find the tsn to resend (possibly */
 3062                 {
 3063                         uint32_t tsn;
 3064                         struct sctp_tmit_chunk *tp1;
 3065 
 3066                         tsn = ntohl(desc->tsn_ifany);
 3067                         tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
 3068                         while (tp1) {
 3069                                 if (tp1->rec.data.TSN_seq == tsn) {
 3070                                         /* found it */
 3071                                         break;
 3072                                 }
 3073                                 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn,
 3074                                     MAX_TSN)) {
 3075                                         /* not found */
 3076                                         tp1 = NULL;
 3077                                         break;
 3078                                 }
 3079                                 tp1 = TAILQ_NEXT(tp1, sctp_next);
 3080                         }
 3081                         if (tp1 == NULL) {
 3082                                 /*
 3083                                  * Do it the other way , aka without paying
 3084                                  * attention to queue seq order.
 3085                                  */
 3086                                 SCTP_STAT_INCR(sctps_pdrpdnfnd);
 3087                                 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
 3088                                 while (tp1) {
 3089                                         if (tp1->rec.data.TSN_seq == tsn) {
 3090                                                 /* found it */
 3091                                                 break;
 3092                                         }
 3093                                         tp1 = TAILQ_NEXT(tp1, sctp_next);
 3094                                 }
 3095                         }
 3096                         if (tp1 == NULL) {
 3097                                 SCTP_STAT_INCR(sctps_pdrptsnnf);
 3098                         }
 3099                         if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
 3100                                 uint8_t *ddp;
 3101 
 3102                                 if ((stcb->asoc.peers_rwnd == 0) &&
 3103                                     ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
 3104                                         SCTP_STAT_INCR(sctps_pdrpdiwnp);
 3105                                         return (0);
 3106                                 }
 3107                                 if (stcb->asoc.peers_rwnd == 0 &&
 3108                                     (flg & SCTP_FROM_MIDDLE_BOX)) {
 3109                                         SCTP_STAT_INCR(sctps_pdrpdizrw);
 3110                                         return (0);
 3111                                 }
 3112                                 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+
 3113                                     sizeof(struct sctp_data_chunk));
 3114                                 {
 3115                                         unsigned int iii;
 3116 
 3117                                         for (iii = 0; iii < sizeof(desc->data_bytes);
 3118                                             iii++) {
 3119                                                 if (ddp[iii] != desc->data_bytes[iii]) {
 3120                                                         SCTP_STAT_INCR(sctps_pdrpbadd);
 3121                                                         return (-1);
 3122                                                 }
 3123                                         }
 3124                                 }
 3125                                 /*
 3126                                  * We zero out the nonce so resync not
 3127                                  * needed
 3128                                  */
 3129                                 tp1->rec.data.ect_nonce = 0;
 3130 
 3131                                 if (tp1->do_rtt) {
 3132                                         /*
 3133                                          * this guy had a RTO calculation
 3134                                          * pending on it, cancel it
 3135                                          */
 3136                                         tp1->do_rtt = 0;
 3137                                 }
 3138                                 SCTP_STAT_INCR(sctps_pdrpmark);
 3139                                 if (tp1->sent != SCTP_DATAGRAM_RESEND)
 3140                                         sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
 3141                                 tp1->sent = SCTP_DATAGRAM_RESEND;
 3142                                 /*
 3143                                  * mark it as if we were doing a FR, since
 3144                                  * we will be getting gap ack reports behind
 3145                                  * the info from the router.
 3146                                  */
 3147                                 tp1->rec.data.doing_fast_retransmit = 1;
 3148                                 /*
 3149                                  * mark the tsn with what sequences can
 3150                                  * cause a new FR.
 3151                                  */
 3152                                 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) {
 3153                                         tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
 3154                                 } else {
 3155                                         tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
 3156                                 }
 3157 
 3158                                 /* restart the timer */
 3159                                 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
 3160                                     stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24);
 3161                                 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
 3162                                     stcb, tp1->whoTo);
 3163 
 3164                                 /* fix counts and things */
 3165                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
 3166                                         sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP,
 3167                                             tp1->whoTo->flight_size,
 3168                                             tp1->book_size,
 3169                                             (uintptr_t) stcb,
 3170                                             tp1->rec.data.TSN_seq);
 3171                                 }
 3172                                 sctp_flight_size_decrease(tp1);
 3173                                 sctp_total_flight_decrease(stcb, tp1);
 3174                         } {
 3175                                 /* audit code */
 3176                                 unsigned int audit;
 3177 
 3178                                 audit = 0;
 3179                                 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
 3180                                         if (tp1->sent == SCTP_DATAGRAM_RESEND)
 3181                                                 audit++;
 3182                                 }
 3183                                 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
 3184                                     sctp_next) {
 3185                                         if (tp1->sent == SCTP_DATAGRAM_RESEND)
 3186                                                 audit++;
 3187                                 }
 3188                                 if (audit != stcb->asoc.sent_queue_retran_cnt) {
 3189                                         SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n",
 3190                                             audit, stcb->asoc.sent_queue_retran_cnt);
 3191 #ifndef SCTP_AUDITING_ENABLED
 3192                                         stcb->asoc.sent_queue_retran_cnt = audit;
 3193 #endif
 3194                                 }
 3195                         }
 3196                 }
 3197                 break;
 3198         case SCTP_ASCONF:
 3199                 {
 3200                         struct sctp_tmit_chunk *asconf;
 3201 
 3202                         TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
 3203                             sctp_next) {
 3204                                 if (asconf->rec.chunk_id.id == SCTP_ASCONF) {
 3205                                         break;
 3206                                 }
 3207                         }
 3208                         if (asconf) {
 3209                                 if (asconf->sent != SCTP_DATAGRAM_RESEND)
 3210                                         sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
 3211                                 asconf->sent = SCTP_DATAGRAM_RESEND;
 3212                                 asconf->snd_count--;
 3213                         }
 3214                 }
 3215                 break;
 3216         case SCTP_INITIATION:
 3217                 /* resend the INIT */
 3218                 stcb->asoc.dropped_special_cnt++;
 3219                 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
 3220                         /*
 3221                          * If we can get it in, in a few attempts we do
 3222                          * this, otherwise we let the timer fire.
 3223                          */
 3224                         sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
 3225                             stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25);
 3226                         sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
 3227                 }
 3228                 break;
 3229         case SCTP_SELECTIVE_ACK:
 3230                 /* resend the sack */
 3231                 sctp_send_sack(stcb);
 3232                 break;
 3233                 /* EY for nr_sacks */
 3234         case SCTP_NR_SELECTIVE_ACK:
 3235                 sctp_send_nr_sack(stcb);        /* EY resend the nr-sack */
 3236                 break;
 3237         case SCTP_HEARTBEAT_REQUEST:
 3238                 /* resend a demand HB */
 3239                 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) {
 3240                         /*
 3241                          * Only retransmit if we KNOW we wont destroy the
 3242                          * tcb
 3243                          */
 3244                         (void)sctp_send_hb(stcb, 1, net);
 3245                 }
 3246                 break;
 3247         case SCTP_SHUTDOWN:
 3248                 sctp_send_shutdown(stcb, net);
 3249                 break;
 3250         case SCTP_SHUTDOWN_ACK:
 3251                 sctp_send_shutdown_ack(stcb, net);
 3252                 break;
 3253         case SCTP_COOKIE_ECHO:
 3254                 {
 3255                         struct sctp_tmit_chunk *cookie;
 3256 
 3257                         cookie = NULL;
 3258                         TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
 3259                             sctp_next) {
 3260                                 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
 3261                                         break;
 3262                                 }
 3263                         }
 3264                         if (cookie) {
 3265                                 if (cookie->sent != SCTP_DATAGRAM_RESEND)
 3266                                         sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
 3267                                 cookie->sent = SCTP_DATAGRAM_RESEND;
 3268                                 sctp_stop_all_cookie_timers(stcb);
 3269                         }
 3270                 }
 3271                 break;
 3272         case SCTP_COOKIE_ACK:
 3273                 sctp_send_cookie_ack(stcb);
 3274                 break;
 3275         case SCTP_ASCONF_ACK:
 3276                 /* resend last asconf ack */
 3277                 sctp_send_asconf_ack(stcb);
 3278                 break;
 3279         case SCTP_FORWARD_CUM_TSN:
 3280                 send_forward_tsn(stcb, &stcb->asoc);
 3281                 break;
 3282                 /* can't do anything with these */
 3283         case SCTP_PACKET_DROPPED:
 3284         case SCTP_INITIATION_ACK:       /* this should not happen */
 3285         case SCTP_HEARTBEAT_ACK:
 3286         case SCTP_ABORT_ASSOCIATION:
 3287         case SCTP_OPERATION_ERROR:
 3288         case SCTP_SHUTDOWN_COMPLETE:
 3289         case SCTP_ECN_ECHO:
 3290         case SCTP_ECN_CWR:
 3291         default:
 3292                 break;
 3293         }
 3294         return (0);
 3295 }
 3296 
 3297 void
 3298 sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
 3299 {
 3300         int i;
 3301         uint16_t temp;
 3302 
 3303         /*
 3304          * We set things to 0xffff since this is the last delivered sequence
 3305          * and we will be sending in 0 after the reset.
 3306          */
 3307 
 3308         if (number_entries) {
 3309                 for (i = 0; i < number_entries; i++) {
 3310                         temp = ntohs(list[i]);
 3311                         if (temp >= stcb->asoc.streamincnt) {
 3312                                 continue;
 3313                         }
 3314                         stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff;
 3315                 }
 3316         } else {
 3317                 list = NULL;
 3318                 for (i = 0; i < stcb->asoc.streamincnt; i++) {
 3319                         stcb->asoc.strmin[i].last_sequence_delivered = 0xffff;
 3320                 }
 3321         }
 3322         sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
 3323 }
 3324 
 3325 static void
 3326 sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list)
 3327 {
 3328         int i;
 3329 
 3330         if (number_entries == 0) {
 3331                 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
 3332                         stcb->asoc.strmout[i].next_sequence_sent = 0;
 3333                 }
 3334         } else if (number_entries) {
 3335                 for (i = 0; i < number_entries; i++) {
 3336                         uint16_t temp;
 3337 
 3338                         temp = ntohs(list[i]);
 3339                         if (temp >= stcb->asoc.streamoutcnt) {
 3340                                 /* no such stream */
 3341                                 continue;
 3342                         }
 3343                         stcb->asoc.strmout[temp].next_sequence_sent = 0;
 3344                 }
 3345         }
 3346         sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
 3347 }
 3348 
 3349 
 3350 struct sctp_stream_reset_out_request *
 3351 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk)
 3352 {
 3353         struct sctp_association *asoc;
 3354         struct sctp_stream_reset_out_req *req;
 3355         struct sctp_stream_reset_out_request *r;
 3356         struct sctp_tmit_chunk *chk;
 3357         int len, clen;
 3358 
 3359         asoc = &stcb->asoc;
 3360         if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
 3361                 asoc->stream_reset_outstanding = 0;
 3362                 return (NULL);
 3363         }
 3364         if (stcb->asoc.str_reset == NULL) {
 3365                 asoc->stream_reset_outstanding = 0;
 3366                 return (NULL);
 3367         }
 3368         chk = stcb->asoc.str_reset;
 3369         if (chk->data == NULL) {
 3370                 return (NULL);
 3371         }
 3372         if (bchk) {
 3373                 /* he wants a copy of the chk pointer */
 3374                 *bchk = chk;
 3375         }
 3376         clen = chk->send_size;
 3377         req = mtod(chk->data, struct sctp_stream_reset_out_req *);
 3378         r = &req->sr_req;
 3379         if (ntohl(r->request_seq) == seq) {
 3380                 /* found it */
 3381                 return (r);
 3382         }
 3383         len = SCTP_SIZE32(ntohs(r->ph.param_length));
 3384         if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) {
 3385                 /* move to the next one, there can only be a max of two */
 3386                 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len);
 3387                 if (ntohl(r->request_seq) == seq) {
 3388                         return (r);
 3389                 }
 3390         }
 3391         /* that seq is not here */
 3392         return (NULL);
 3393 }
 3394 
 3395 static void
 3396 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
 3397 {
 3398         struct sctp_association *asoc;
 3399         struct sctp_tmit_chunk *chk = stcb->asoc.str_reset;
 3400 
 3401         if (stcb->asoc.str_reset == NULL) {
 3402                 return;
 3403         }
 3404         asoc = &stcb->asoc;
 3405 
 3406         sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26);
 3407         TAILQ_REMOVE(&asoc->control_send_queue,
 3408             chk,
 3409             sctp_next);
 3410         if (chk->data) {
 3411                 sctp_m_freem(chk->data);
 3412                 chk->data = NULL;
 3413         }
 3414         asoc->ctrl_queue_cnt--;
 3415         sctp_free_a_chunk(stcb, chk);
 3416         /* sa_ignore NO_NULL_CHK */
 3417         stcb->asoc.str_reset = NULL;
 3418 }
 3419 
 3420 
 3421 static int
 3422 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
 3423     uint32_t seq, uint32_t action,
 3424     struct sctp_stream_reset_response *respin)
 3425 {
 3426         uint16_t type;
 3427         int lparm_len;
 3428         struct sctp_association *asoc = &stcb->asoc;
 3429         struct sctp_tmit_chunk *chk;
 3430         struct sctp_stream_reset_out_request *srparam;
 3431         int number_entries;
 3432 
 3433         if (asoc->stream_reset_outstanding == 0) {
 3434                 /* duplicate */
 3435                 return (0);
 3436         }
 3437         if (seq == stcb->asoc.str_reset_seq_out) {
 3438                 srparam = sctp_find_stream_reset(stcb, seq, &chk);
 3439                 if (srparam) {
 3440                         stcb->asoc.str_reset_seq_out++;
 3441                         type = ntohs(srparam->ph.param_type);
 3442                         lparm_len = ntohs(srparam->ph.param_length);
 3443                         if (type == SCTP_STR_RESET_OUT_REQUEST) {
 3444                                 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
 3445                                 asoc->stream_reset_out_is_outstanding = 0;
 3446                                 if (asoc->stream_reset_outstanding)
 3447                                         asoc->stream_reset_outstanding--;
 3448                                 if (action == SCTP_STREAM_RESET_PERFORMED) {
 3449                                         /* do it */
 3450                                         sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams);
 3451                                 } else {
 3452                                         sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
 3453                                 }
 3454                         } else if (type == SCTP_STR_RESET_IN_REQUEST) {
 3455                                 /* Answered my request */
 3456                                 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
 3457                                 if (asoc->stream_reset_outstanding)
 3458                                         asoc->stream_reset_outstanding--;
 3459                                 if (action != SCTP_STREAM_RESET_PERFORMED) {
 3460                                         sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
 3461                                 }
 3462                         } else if (type == SCTP_STR_RESET_TSN_REQUEST) {
 3463                                 /**
 3464                                  * a) Adopt the new in tsn.
 3465                                  * b) reset the map
 3466                                  * c) Adopt the new out-tsn
 3467                                  */
 3468                                 struct sctp_stream_reset_response_tsn *resp;
 3469                                 struct sctp_forward_tsn_chunk fwdtsn;
 3470                                 int abort_flag = 0;
 3471 
 3472                                 if (respin == NULL) {
 3473                                         /* huh ? */
 3474                                         return (0);
 3475                                 }
 3476                                 if (action == SCTP_STREAM_RESET_PERFORMED) {
 3477                                         resp = (struct sctp_stream_reset_response_tsn *)respin;
 3478                                         asoc->stream_reset_outstanding--;
 3479                                         fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
 3480                                         fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
 3481                                         fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1);
 3482                                         sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
 3483                                         if (abort_flag) {
 3484                                                 return (1);
 3485                                         }
 3486                                         stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1);
 3487                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
 3488                                                 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
 3489                                         }
 3490                                         stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
 3491                                         stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn);
 3492                                         memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
 3493 
 3494                                         /*
 3495                                          * EY 05/13/08 - nr_sack: to keep
 3496                                          * nr_mapping array be consistent
 3497                                          * with mapping_array
 3498                                          */
 3499                                         if (SCTP_BASE_SYSCTL(sctp_nr_sack_on_off) && stcb->asoc.peer_supports_nr_sack) {
 3500                                                 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
 3501                                                 stcb->asoc.nr_mapping_array_base_tsn = stcb->asoc.mapping_array_base_tsn;
 3502                                                 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.nr_mapping_array_size);
 3503                                         }
 3504                                         stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn);
 3505                                         stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn;
 3506 
 3507                                         sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
 3508                                         sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
 3509 
 3510                                 }
 3511                         }
 3512                         /* get rid of the request and get the request flags */
 3513                         if (asoc->stream_reset_outstanding == 0) {
 3514                                 sctp_clean_up_stream_reset(stcb);
 3515                         }
 3516                 }
 3517         }
 3518         return (0);
 3519 }
 3520 
 3521 static void
 3522 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb,
 3523     struct sctp_tmit_chunk *chk,
 3524     struct sctp_stream_reset_in_request *req, int trunc)
 3525 {
 3526         uint32_t seq;
 3527         int len, i;
 3528         int number_entries;
 3529         uint16_t temp;
 3530 
 3531         /*
 3532          * peer wants me to send a str-reset to him for my outgoing seq's if
 3533          * seq_in is right.
 3534          */
 3535         struct sctp_association *asoc = &stcb->asoc;
 3536 
 3537         seq = ntohl(req->request_seq);
 3538         if (asoc->str_reset_seq_in == seq) {
 3539                 if (trunc) {
 3540                         /* Can't do it, since they exceeded our buffer size  */
 3541                         asoc->last_reset_action[1] = asoc->last_reset_action[0];
 3542                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
 3543                         sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
 3544                 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) {
 3545                         len = ntohs(req->ph.param_length);
 3546                         number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t));
 3547                         for (i = 0; i < number_entries; i++) {
 3548                                 temp = ntohs(req->list_of_streams[i]);
 3549                                 req->list_of_streams[i] = temp;
 3550                         }
 3551                         /* move the reset action back one */
 3552                         asoc->last_reset_action[1] = asoc->last_reset_action[0];
 3553                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
 3554                         sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams,
 3555                             asoc->str_reset_seq_out,
 3556                             seq, (asoc->sending_seq - 1));
 3557                         asoc->stream_reset_out_is_outstanding = 1;
 3558                         asoc->str_reset = chk;
 3559                         sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
 3560                         stcb->asoc.stream_reset_outstanding++;
 3561                 } else {
 3562                         /* Can't do it, since we have sent one out */
 3563                         asoc->last_reset_action[1] = asoc->last_reset_action[0];
 3564                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER;
 3565                         sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
 3566                 }
 3567                 asoc->str_reset_seq_in++;
 3568         } else if (asoc->str_reset_seq_in - 1 == seq) {
 3569                 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
 3570         } else if (asoc->str_reset_seq_in - 2 == seq) {
 3571                 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
 3572         } else {
 3573                 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
 3574         }
 3575 }
 3576 
 3577 static int
 3578 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb,
 3579     struct sctp_tmit_chunk *chk,
 3580     struct sctp_stream_reset_tsn_request *req)
 3581 {
 3582         /* reset all in and out and update the tsn */
 3583         /*
 3584          * A) reset my str-seq's on in and out. B) Select a receive next,
 3585          * and set cum-ack to it. Also process this selected number as a
 3586          * fwd-tsn as well. C) set in the response my next sending seq.
 3587          */
 3588         struct sctp_forward_tsn_chunk fwdtsn;
 3589         struct sctp_association *asoc = &stcb->asoc;
 3590         int abort_flag = 0;
 3591         uint32_t seq;
 3592 
 3593         seq = ntohl(req->request_seq);
 3594         if (asoc->str_reset_seq_in == seq) {
 3595                 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
 3596                 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
 3597                 fwdtsn.ch.chunk_flags = 0;
 3598                 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1);
 3599                 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
 3600                 if (abort_flag) {
 3601                         return (1);
 3602                 }
 3603                 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA;
 3604                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
 3605                         sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
 3606                 }
 3607                 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
 3608                 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1;
 3609                 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
 3610                 /*
 3611                  * EY 05/13/08 -nr_sack: to keep nr_mapping array consistent
 3612                  * with mapping array
 3613                  */
 3614                 if (SCTP_BASE_SYSCTL(sctp_nr_sack_on_off) && stcb->asoc.peer_supports_nr_sack) {
 3615                         stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
 3616                         stcb->asoc.nr_mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1;
 3617                         memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.nr_mapping_array_size);
 3618                 }
 3619                 atomic_add_int(&stcb->asoc.sending_seq, 1);
 3620                 /* save off historical data for retrans */
 3621                 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0];
 3622                 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq;
 3623                 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0];
 3624                 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn;
 3625 
 3626                 sctp_add_stream_reset_result_tsn(chk,
 3627                     ntohl(req->request_seq),
 3628                     SCTP_STREAM_RESET_PERFORMED,
 3629                     stcb->asoc.sending_seq,
 3630                     stcb->asoc.mapping_array_base_tsn);
 3631                 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
 3632                 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
 3633                 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
 3634                 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
 3635 
 3636                 asoc->str_reset_seq_in++;
 3637         } else if (asoc->str_reset_seq_in - 1 == seq) {
 3638                 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
 3639                     stcb->asoc.last_sending_seq[0],
 3640                     stcb->asoc.last_base_tsnsent[0]
 3641                     );
 3642         } else if (asoc->str_reset_seq_in - 2 == seq) {
 3643                 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1],
 3644                     stcb->asoc.last_sending_seq[1],
 3645                     stcb->asoc.last_base_tsnsent[1]
 3646                     );
 3647         } else {
 3648                 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
 3649         }
 3650         return (0);
 3651 }
 3652 
 3653 static void
 3654 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb,
 3655     struct sctp_tmit_chunk *chk,
 3656     struct sctp_stream_reset_out_request *req, int trunc)
 3657 {
 3658         uint32_t seq, tsn;
 3659         int number_entries, len;
 3660         struct sctp_association *asoc = &stcb->asoc;
 3661 
 3662         seq = ntohl(req->request_seq);
 3663 
 3664         /* now if its not a duplicate we process it */
 3665         if (asoc->str_reset_seq_in == seq) {
 3666                 len = ntohs(req->ph.param_length);
 3667                 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t));
 3668                 /*
 3669                  * the sender is resetting, handle the list issue.. we must
 3670                  * a) verify if we can do the reset, if so no problem b) If
 3671                  * we can't do the reset we must copy the request. c) queue
 3672                  * it, and setup the data in processor to trigger it off
 3673                  * when needed and dequeue all the queued data.
 3674                  */
 3675                 tsn = ntohl(req->send_reset_at_tsn);
 3676 
 3677                 /* move the reset action back one */
 3678                 asoc->last_reset_action[1] = asoc->last_reset_action[0];
 3679                 if (trunc) {
 3680                         sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED);
 3681                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
 3682                 } else if ((tsn == asoc->cumulative_tsn) ||
 3683                     (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) {
 3684                         /* we can do it now */
 3685                         sctp_reset_in_stream(stcb, number_entries, req->list_of_streams);
 3686                         sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
 3687                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
 3688                 } else {
 3689                         /*
 3690                          * we must queue it up and thus wait for the TSN's
 3691                          * to arrive that are at or before tsn
 3692                          */
 3693                         struct sctp_stream_reset_list *liste;
 3694                         int siz;
 3695 
 3696                         siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t));
 3697                         SCTP_MALLOC(liste, struct sctp_stream_reset_list *,
 3698                             siz, SCTP_M_STRESET);
 3699                         if (liste == NULL) {
 3700                                 /* gak out of memory */
 3701                                 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED);
 3702                                 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED;
 3703                                 return;
 3704                         }
 3705                         liste->tsn = tsn;
 3706                         liste->number_entries = number_entries;
 3707                         memcpy(&liste->req, req,
 3708                             (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t))));
 3709                         TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp);
 3710                         sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED);
 3711                         asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED;
 3712                 }
 3713                 asoc->str_reset_seq_in++;
 3714         } else if ((asoc->str_reset_seq_in - 1) == seq) {
 3715                 /*
 3716                  * one seq back, just echo back last action since my
 3717                  * response was lost.
 3718                  */
 3719                 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
 3720         } else if ((asoc->str_reset_seq_in - 2) == seq) {
 3721                 /*
 3722                  * two seq back, just echo back last action since my
 3723                  * response was lost.
 3724                  */
 3725                 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
 3726         } else {
 3727                 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO);
 3728         }
 3729 }
 3730 
 3731 #ifdef __GNUC__
 3732 __attribute__((noinline))
 3733 #endif
 3734         static int
 3735             sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
 3736         struct sctp_stream_reset_out_req *sr_req)
 3737 {
 3738         int chk_length, param_len, ptype;
 3739         struct sctp_paramhdr pstore;
 3740         uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
 3741 
 3742         uint32_t seq;
 3743         int num_req = 0;
 3744         int trunc = 0;
 3745         struct sctp_tmit_chunk *chk;
 3746         struct sctp_chunkhdr *ch;
 3747         struct sctp_paramhdr *ph;
 3748         int ret_code = 0;
 3749         int num_param = 0;
 3750 
 3751         /* now it may be a reset or a reset-response */
 3752         chk_length = ntohs(sr_req->ch.chunk_length);
 3753 
 3754         /* setup for adding the response */
 3755         sctp_alloc_a_chunk(stcb, chk);
 3756         if (chk == NULL) {
 3757                 return (ret_code);
 3758         }
 3759         chk->rec.chunk_id.id = SCTP_STREAM_RESET;
 3760         chk->rec.chunk_id.can_take_data = 0;
 3761         chk->asoc = &stcb->asoc;
 3762         chk->no_fr_allowed = 0;
 3763         chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr);
 3764         chk->book_size_scale = 0;
 3765         chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
 3766         if (chk->data == NULL) {
 3767 strres_nochunk:
 3768                 if (chk->data) {
 3769                         sctp_m_freem(chk->data);
 3770                         chk->data = NULL;
 3771                 }
 3772                 sctp_free_a_chunk(stcb, chk);
 3773                 return (ret_code);
 3774         }
 3775         SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
 3776 
 3777         /* setup chunk parameters */
 3778         chk->sent = SCTP_DATAGRAM_UNSENT;
 3779         chk->snd_count = 0;
 3780         chk->whoTo = stcb->asoc.primary_destination;
 3781         atomic_add_int(&chk->whoTo->ref_count, 1);
 3782 
 3783         ch = mtod(chk->data, struct sctp_chunkhdr *);
 3784         ch->chunk_type = SCTP_STREAM_RESET;
 3785         ch->chunk_flags = 0;
 3786         ch->chunk_length = htons(chk->send_size);
 3787         SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
 3788         offset += sizeof(struct sctp_chunkhdr);
 3789         while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
 3790                 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore);
 3791                 if (ph == NULL)
 3792                         break;
 3793                 param_len = ntohs(ph->param_length);
 3794                 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
 3795                         /* bad param */
 3796                         break;
 3797                 }
 3798                 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)),
 3799                     (uint8_t *) & cstore);
 3800                 ptype = ntohs(ph->param_type);
 3801                 num_param++;
 3802                 if (param_len > (int)sizeof(cstore)) {
 3803                         trunc = 1;
 3804                 } else {
 3805                         trunc = 0;
 3806                 }
 3807 
 3808                 if (num_param > SCTP_MAX_RESET_PARAMS) {
 3809                         /* hit the max of parameters already sorry.. */
 3810                         break;
 3811                 }
 3812                 if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
 3813                         struct sctp_stream_reset_out_request *req_out;
 3814 
 3815                         req_out = (struct sctp_stream_reset_out_request *)ph;
 3816                         num_req++;
 3817                         if (stcb->asoc.stream_reset_outstanding) {
 3818                                 seq = ntohl(req_out->response_seq);
 3819                                 if (seq == stcb->asoc.str_reset_seq_out) {
 3820                                         /* implicit ack */
 3821                                         (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL);
 3822                                 }
 3823                         }
 3824                         sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc);
 3825                 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) {
 3826                         struct sctp_stream_reset_in_request *req_in;
 3827 
 3828                         num_req++;
 3829 
 3830                         req_in = (struct sctp_stream_reset_in_request *)ph;
 3831 
 3832                         sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc);
 3833                 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) {
 3834                         struct sctp_stream_reset_tsn_request *req_tsn;
 3835 
 3836                         num_req++;
 3837                         req_tsn = (struct sctp_stream_reset_tsn_request *)ph;
 3838 
 3839                         if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) {
 3840                                 ret_code = 1;
 3841                                 goto strres_nochunk;
 3842                         }
 3843                         /* no more */
 3844                         break;
 3845                 } else if (ptype == SCTP_STR_RESET_RESPONSE) {
 3846                         struct sctp_stream_reset_response *resp;
 3847                         uint32_t result;
 3848 
 3849                         resp = (struct sctp_stream_reset_response *)ph;
 3850                         seq = ntohl(resp->response_seq);
 3851                         result = ntohl(resp->result);
 3852                         if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) {
 3853                                 ret_code = 1;
 3854                                 goto strres_nochunk;
 3855                         }
 3856                 } else {
 3857                         break;
 3858                 }
 3859                 offset += SCTP_SIZE32(param_len);
 3860                 chk_length -= SCTP_SIZE32(param_len);
 3861         }
 3862         if (num_req == 0) {
 3863                 /* we have no response free the stuff */
 3864                 goto strres_nochunk;
 3865         }
 3866         /* ok we have a chunk to link in */
 3867         TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue,
 3868             chk,
 3869             sctp_next);
 3870         stcb->asoc.ctrl_queue_cnt++;
 3871         return (ret_code);
 3872 }
 3873 
 3874 /*
 3875  * Handle a router or endpoints report of a packet loss, there are two ways
 3876  * to handle this, either we get the whole packet and must disect it
 3877  * ourselves (possibly with truncation and or corruption) or it is a summary
 3878  * from a middle box that did the disectting for us.
 3879  */
 3880 static void
 3881 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
 3882     struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
 3883 {
 3884         uint32_t bottle_bw, on_queue;
 3885         uint16_t trunc_len;
 3886         unsigned int chlen;
 3887         unsigned int at;
 3888         struct sctp_chunk_desc desc;
 3889         struct sctp_chunkhdr *ch;
 3890 
 3891         chlen = ntohs(cp->ch.chunk_length);
 3892         chlen -= sizeof(struct sctp_pktdrop_chunk);
 3893         /* XXX possible chlen underflow */
 3894         if (chlen == 0) {
 3895                 ch = NULL;
 3896                 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
 3897                         SCTP_STAT_INCR(sctps_pdrpbwrpt);
 3898         } else {
 3899                 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
 3900                 chlen -= sizeof(struct sctphdr);
 3901                 /* XXX possible chlen underflow */
 3902                 memset(&desc, 0, sizeof(desc));
 3903         }
 3904         trunc_len = (uint16_t) ntohs(cp->trunc_len);
 3905         if (trunc_len > limit) {
 3906                 trunc_len = limit;
 3907         }
 3908         /* now the chunks themselves */
 3909         while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
 3910                 desc.chunk_type = ch->chunk_type;
 3911                 /* get amount we need to move */
 3912                 at = ntohs(ch->chunk_length);
 3913                 if (at < sizeof(struct sctp_chunkhdr)) {
 3914                         /* corrupt chunk, maybe at the end? */
 3915                         SCTP_STAT_INCR(sctps_pdrpcrupt);
 3916                         break;
 3917                 }
 3918                 if (trunc_len == 0) {
 3919                         /* we are supposed to have all of it */
 3920                         if (at > chlen) {
 3921                                 /* corrupt skip it */
 3922                                 SCTP_STAT_INCR(sctps_pdrpcrupt);
 3923                                 break;
 3924                         }
 3925                 } else {
 3926                         /* is there enough of it left ? */
 3927                         if (desc.chunk_type == SCTP_DATA) {
 3928                                 if (chlen < (sizeof(struct sctp_data_chunk) +
 3929                                     sizeof(desc.data_bytes))) {
 3930                                         break;
 3931                                 }
 3932                         } else {
 3933                                 if (chlen < sizeof(struct sctp_chunkhdr)) {
 3934                                         break;
 3935                                 }
 3936                         }
 3937                 }
 3938                 if (desc.chunk_type == SCTP_DATA) {
 3939                         /* can we get out the tsn? */
 3940                         if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
 3941                                 SCTP_STAT_INCR(sctps_pdrpmbda);
 3942 
 3943                         if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) {
 3944                                 /* yep */
 3945                                 struct sctp_data_chunk *dcp;
 3946                                 uint8_t *ddp;
 3947                                 unsigned int iii;
 3948 
 3949                                 dcp = (struct sctp_data_chunk *)ch;
 3950                                 ddp = (uint8_t *) (dcp + 1);
 3951                                 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) {
 3952                                         desc.data_bytes[iii] = ddp[iii];
 3953                                 }
 3954                                 desc.tsn_ifany = dcp->dp.tsn;
 3955                         } else {
 3956                                 /* nope we are done. */
 3957                                 SCTP_STAT_INCR(sctps_pdrpnedat);
 3958                                 break;
 3959                         }
 3960                 } else {
 3961                         if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
 3962                                 SCTP_STAT_INCR(sctps_pdrpmbct);
 3963                 }
 3964 
 3965                 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
 3966                         SCTP_STAT_INCR(sctps_pdrppdbrk);
 3967                         break;
 3968                 }
 3969                 if (SCTP_SIZE32(at) > chlen) {
 3970                         break;
 3971                 }
 3972                 chlen -= SCTP_SIZE32(at);
 3973                 if (chlen < sizeof(struct sctp_chunkhdr)) {
 3974                         /* done, none left */
 3975                         break;
 3976                 }
 3977                 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at));
 3978         }
 3979         /* Now update any rwnd --- possibly */
 3980         if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
 3981                 /* From a peer, we get a rwnd report */
 3982                 uint32_t a_rwnd;
 3983 
 3984                 SCTP_STAT_INCR(sctps_pdrpfehos);
 3985 
 3986                 bottle_bw = ntohl(cp->bottle_bw);
 3987                 on_queue = ntohl(cp->current_onq);
 3988                 if (bottle_bw && on_queue) {
 3989                         /* a rwnd report is in here */
 3990                         if (bottle_bw > on_queue)
 3991                                 a_rwnd = bottle_bw - on_queue;
 3992                         else
 3993                                 a_rwnd = 0;
 3994 
 3995                         if (a_rwnd == 0)
 3996                                 stcb->asoc.peers_rwnd = 0;
 3997                         else {
 3998                                 if (a_rwnd > stcb->asoc.total_flight) {
 3999                                         stcb->asoc.peers_rwnd =
 4000                                             a_rwnd - stcb->asoc.total_flight;
 4001                                 } else {
 4002                                         stcb->asoc.peers_rwnd = 0;
 4003                                 }
 4004                                 if (stcb->asoc.peers_rwnd <
 4005                                     stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
 4006                                         /* SWS sender side engages */
 4007                                         stcb->asoc.peers_rwnd = 0;
 4008                                 }
 4009                         }
 4010                 }
 4011         } else {
 4012                 SCTP_STAT_INCR(sctps_pdrpfmbox);
 4013         }
 4014 
 4015         /* now middle boxes in sat networks get a cwnd bump */
 4016         if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
 4017             (stcb->asoc.sat_t3_loss_recovery == 0) &&
 4018             (stcb->asoc.sat_network)) {
 4019                 /*
 4020                  * This is debateable but for sat networks it makes sense
 4021                  * Note if a T3 timer has went off, we will prohibit any
 4022                  * changes to cwnd until we exit the t3 loss recovery.
 4023                  */
 4024                 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb,
 4025                     net, cp, &bottle_bw, &on_queue);
 4026         }
 4027 }
 4028 
 4029 /*
 4030  * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to
 4031  * still contain IP/SCTP header - stcb: is the tcb found for this packet -
 4032  * offset: offset into the mbuf chain to first chunkhdr - length: is the
 4033  * length of the complete packet outputs: - length: modified to remaining
 4034  * length after control processing - netp: modified to new sctp_nets after
 4035  * cookie-echo processing - return NULL to discard the packet (ie. no asoc,
 4036  * bad packet,...) otherwise return the tcb for this packet
 4037  */
 4038 #ifdef __GNUC__
 4039 __attribute__((noinline))
 4040 #endif
 4041         static struct sctp_tcb *
 4042                  sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
 4043              struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
 4044              struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen,
 4045              uint32_t vrf_id, uint16_t port)
 4046 {
 4047         struct sctp_association *asoc;
 4048         uint32_t vtag_in;
 4049         int num_chunks = 0;     /* number of control chunks processed */
 4050         uint32_t chk_length;
 4051         int ret;
 4052         int abort_no_unlock = 0;
 4053 
 4054         /*
 4055          * How big should this be, and should it be alloc'd? Lets try the
 4056          * d-mtu-ceiling for now (2k) and that should hopefully work ...
 4057          * until we get into jumbo grams and such..
 4058          */
 4059         uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
 4060         struct sctp_tcb *locked_tcb = stcb;
 4061         int got_auth = 0;
 4062         uint32_t auth_offset = 0, auth_len = 0;
 4063         int auth_skipped = 0;
 4064         int asconf_cnt = 0;
 4065 
 4066 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4067         struct socket *so;
 4068 
 4069 #endif
 4070 
 4071         SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
 4072             iphlen, *offset, length, stcb);
 4073 
 4074         /* validate chunk header length... */
 4075         if (ntohs(ch->chunk_length) < sizeof(*ch)) {
 4076                 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n",
 4077                     ntohs(ch->chunk_length));
 4078                 if (locked_tcb) {
 4079                         SCTP_TCB_UNLOCK(locked_tcb);
 4080                 }
 4081                 return (NULL);
 4082         }
 4083         /*
 4084          * validate the verification tag
 4085          */
 4086         vtag_in = ntohl(sh->v_tag);
 4087 
 4088         if (locked_tcb) {
 4089                 SCTP_TCB_LOCK_ASSERT(locked_tcb);
 4090         }
 4091         if (ch->chunk_type == SCTP_INITIATION) {
 4092                 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n",
 4093                     ntohs(ch->chunk_length), vtag_in);
 4094                 if (vtag_in != 0) {
 4095                         /* protocol error- silently discard... */
 4096                         SCTP_STAT_INCR(sctps_badvtag);
 4097                         if (locked_tcb) {
 4098                                 SCTP_TCB_UNLOCK(locked_tcb);
 4099                         }
 4100                         return (NULL);
 4101                 }
 4102         } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
 4103                 /*
 4104                  * If there is no stcb, skip the AUTH chunk and process
 4105                  * later after a stcb is found (to validate the lookup was
 4106                  * valid.
 4107                  */
 4108                 if ((ch->chunk_type == SCTP_AUTHENTICATION) &&
 4109                     (stcb == NULL) &&
 4110                     !SCTP_BASE_SYSCTL(sctp_auth_disable)) {
 4111                         /* save this chunk for later processing */
 4112                         auth_skipped = 1;
 4113                         auth_offset = *offset;
 4114                         auth_len = ntohs(ch->chunk_length);
 4115 
 4116                         /* (temporarily) move past this chunk */
 4117                         *offset += SCTP_SIZE32(auth_len);
 4118                         if (*offset >= length) {
 4119                                 /* no more data left in the mbuf chain */
 4120                                 *offset = length;
 4121                                 if (locked_tcb) {
 4122                                         SCTP_TCB_UNLOCK(locked_tcb);
 4123                                 }
 4124                                 return (NULL);
 4125                         }
 4126                         ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 4127                             sizeof(struct sctp_chunkhdr), chunk_buf);
 4128                 }
 4129                 if (ch == NULL) {
 4130                         /* Help */
 4131                         *offset = length;
 4132                         if (locked_tcb) {
 4133                                 SCTP_TCB_UNLOCK(locked_tcb);
 4134                         }
 4135                         return (NULL);
 4136                 }
 4137                 if (ch->chunk_type == SCTP_COOKIE_ECHO) {
 4138                         goto process_control_chunks;
 4139                 }
 4140                 /*
 4141                  * first check if it's an ASCONF with an unknown src addr we
 4142                  * need to look inside to find the association
 4143                  */
 4144                 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
 4145                         struct sctp_chunkhdr *asconf_ch = ch;
 4146                         uint32_t asconf_offset = 0, asconf_len = 0;
 4147 
 4148                         /* inp's refcount may be reduced */
 4149                         SCTP_INP_INCR_REF(inp);
 4150 
 4151                         asconf_offset = *offset;
 4152                         do {
 4153                                 asconf_len = ntohs(asconf_ch->chunk_length);
 4154                                 if (asconf_len < sizeof(struct sctp_asconf_paramhdr))
 4155                                         break;
 4156                                 stcb = sctp_findassociation_ep_asconf(m, iphlen,
 4157                                     *offset, sh, &inp, netp, vrf_id);
 4158                                 if (stcb != NULL)
 4159                                         break;
 4160                                 asconf_offset += SCTP_SIZE32(asconf_len);
 4161                                 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset,
 4162                                     sizeof(struct sctp_chunkhdr), chunk_buf);
 4163                         } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF);
 4164                         if (stcb == NULL) {
 4165                                 /*
 4166                                  * reduce inp's refcount if not reduced in
 4167                                  * sctp_findassociation_ep_asconf().
 4168                                  */
 4169                                 SCTP_INP_DECR_REF(inp);
 4170                         } else {
 4171                                 locked_tcb = stcb;
 4172                         }
 4173 
 4174                         /* now go back and verify any auth chunk to be sure */
 4175                         if (auth_skipped && (stcb != NULL)) {
 4176                                 struct sctp_auth_chunk *auth;
 4177 
 4178                                 auth = (struct sctp_auth_chunk *)
 4179                                     sctp_m_getptr(m, auth_offset,
 4180                                     auth_len, chunk_buf);
 4181                                 got_auth = 1;
 4182                                 auth_skipped = 0;
 4183                                 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
 4184                                     auth_offset)) {
 4185                                         /* auth HMAC failed so dump it */
 4186                                         *offset = length;
 4187                                         if (locked_tcb) {
 4188                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4189                                         }
 4190                                         return (NULL);
 4191                                 } else {
 4192                                         /* remaining chunks are HMAC checked */
 4193                                         stcb->asoc.authenticated = 1;
 4194                                 }
 4195                         }
 4196                 }
 4197                 if (stcb == NULL) {
 4198                         /* no association, so it's out of the blue... */
 4199                         sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL,
 4200                             vrf_id, port);
 4201                         *offset = length;
 4202                         if (locked_tcb) {
 4203                                 SCTP_TCB_UNLOCK(locked_tcb);
 4204                         }
 4205                         return (NULL);
 4206                 }
 4207                 asoc = &stcb->asoc;
 4208                 /* ABORT and SHUTDOWN can use either v_tag... */
 4209                 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
 4210                     (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
 4211                     (ch->chunk_type == SCTP_PACKET_DROPPED)) {
 4212                         if ((vtag_in == asoc->my_vtag) ||
 4213                             ((ch->chunk_flags & SCTP_HAD_NO_TCB) &&
 4214                             (vtag_in == asoc->peer_vtag))) {
 4215                                 /* this is valid */
 4216                         } else {
 4217                                 /* drop this packet... */
 4218                                 SCTP_STAT_INCR(sctps_badvtag);
 4219                                 if (locked_tcb) {
 4220                                         SCTP_TCB_UNLOCK(locked_tcb);
 4221                                 }
 4222                                 return (NULL);
 4223                         }
 4224                 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
 4225                         if (vtag_in != asoc->my_vtag) {
 4226                                 /*
 4227                                  * this could be a stale SHUTDOWN-ACK or the
 4228                                  * peer never got the SHUTDOWN-COMPLETE and
 4229                                  * is still hung; we have started a new asoc
 4230                                  * but it won't complete until the shutdown
 4231                                  * is completed
 4232                                  */
 4233                                 if (locked_tcb) {
 4234                                         SCTP_TCB_UNLOCK(locked_tcb);
 4235                                 }
 4236                                 sctp_handle_ootb(m, iphlen, *offset, sh, inp,
 4237                                     NULL, vrf_id, port);
 4238                                 return (NULL);
 4239                         }
 4240                 } else {
 4241                         /* for all other chunks, vtag must match */
 4242                         if (vtag_in != asoc->my_vtag) {
 4243                                 /* invalid vtag... */
 4244                                 SCTPDBG(SCTP_DEBUG_INPUT3,
 4245                                     "invalid vtag: %xh, expect %xh\n",
 4246                                     vtag_in, asoc->my_vtag);
 4247                                 SCTP_STAT_INCR(sctps_badvtag);
 4248                                 if (locked_tcb) {
 4249                                         SCTP_TCB_UNLOCK(locked_tcb);
 4250                                 }
 4251                                 *offset = length;
 4252                                 return (NULL);
 4253                         }
 4254                 }
 4255         }                       /* end if !SCTP_COOKIE_ECHO */
 4256         /*
 4257          * process all control chunks...
 4258          */
 4259         if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
 4260         /* EY */
 4261             (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) ||
 4262             (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
 4263             (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
 4264                 /* implied cookie-ack.. we must have lost the ack */
 4265                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4266                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4267                             stcb->asoc.overall_error_count,
 4268                             0,
 4269                             SCTP_FROM_SCTP_INPUT,
 4270                             __LINE__);
 4271                 }
 4272                 stcb->asoc.overall_error_count = 0;
 4273                 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb,
 4274                     *netp);
 4275         }
 4276 process_control_chunks:
 4277         while (IS_SCTP_CONTROL(ch)) {
 4278                 /* validate chunk length */
 4279                 chk_length = ntohs(ch->chunk_length);
 4280                 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n",
 4281                     ch->chunk_type, chk_length);
 4282                 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length);
 4283                 if (chk_length < sizeof(*ch) ||
 4284                     (*offset + (int)chk_length) > length) {
 4285                         *offset = length;
 4286                         if (locked_tcb) {
 4287                                 SCTP_TCB_UNLOCK(locked_tcb);
 4288                         }
 4289                         return (NULL);
 4290                 }
 4291                 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
 4292                 /*
 4293                  * INIT-ACK only gets the init ack "header" portion only
 4294                  * because we don't have to process the peer's COOKIE. All
 4295                  * others get a complete chunk.
 4296                  */
 4297                 if ((ch->chunk_type == SCTP_INITIATION_ACK) ||
 4298                     (ch->chunk_type == SCTP_INITIATION)) {
 4299                         /* get an init-ack chunk */
 4300                         ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 4301                             sizeof(struct sctp_init_ack_chunk), chunk_buf);
 4302                         if (ch == NULL) {
 4303                                 *offset = length;
 4304                                 if (locked_tcb) {
 4305                                         SCTP_TCB_UNLOCK(locked_tcb);
 4306                                 }
 4307                                 return (NULL);
 4308                         }
 4309                 } else {
 4310                         /* For cookies and all other chunks. */
 4311                         if (chk_length > sizeof(chunk_buf)) {
 4312                                 /*
 4313                                  * use just the size of the chunk buffer so
 4314                                  * the front part of our chunks fit in
 4315                                  * contiguous space up to the chunk buffer
 4316                                  * size (508 bytes). For chunks that need to
 4317                                  * get more than that they must use the
 4318                                  * sctp_m_getptr() function or other means
 4319                                  * (e.g. know how to parse mbuf chains).
 4320                                  * Cookies do this already.
 4321                                  */
 4322                                 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 4323                                     (sizeof(chunk_buf) - 4),
 4324                                     chunk_buf);
 4325                                 if (ch == NULL) {
 4326                                         *offset = length;
 4327                                         if (locked_tcb) {
 4328                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4329                                         }
 4330                                         return (NULL);
 4331                                 }
 4332                         } else {
 4333                                 /* We can fit it all */
 4334                                 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 4335                                     chk_length, chunk_buf);
 4336                                 if (ch == NULL) {
 4337                                         SCTP_PRINTF("sctp_process_control: Can't get the all data....\n");
 4338                                         *offset = length;
 4339                                         if (locked_tcb) {
 4340                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4341                                         }
 4342                                         return (NULL);
 4343                                 }
 4344                         }
 4345                 }
 4346                 num_chunks++;
 4347                 /* Save off the last place we got a control from */
 4348                 if (stcb != NULL) {
 4349                         if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) {
 4350                                 /*
 4351                                  * allow last_control to be NULL if
 4352                                  * ASCONF... ASCONF processing will find the
 4353                                  * right net later
 4354                                  */
 4355                                 if ((netp != NULL) && (*netp != NULL))
 4356                                         stcb->asoc.last_control_chunk_from = *netp;
 4357                         }
 4358                 }
 4359 #ifdef SCTP_AUDITING_ENABLED
 4360                 sctp_audit_log(0xB0, ch->chunk_type);
 4361 #endif
 4362 
 4363                 /* check to see if this chunk required auth, but isn't */
 4364                 if ((stcb != NULL) &&
 4365                     !SCTP_BASE_SYSCTL(sctp_auth_disable) &&
 4366                     sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) &&
 4367                     !stcb->asoc.authenticated) {
 4368                         /* "silently" ignore */
 4369                         SCTP_STAT_INCR(sctps_recvauthmissing);
 4370                         goto next_chunk;
 4371                 }
 4372                 switch (ch->chunk_type) {
 4373                 case SCTP_INITIATION:
 4374                         /* must be first and only chunk */
 4375                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n");
 4376                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 4377                                 /* We are not interested anymore? */
 4378                                 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
 4379                                         /*
 4380                                          * collision case where we are
 4381                                          * sending to them too
 4382                                          */
 4383                                         ;
 4384                                 } else {
 4385                                         if (locked_tcb) {
 4386                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4387                                         }
 4388                                         *offset = length;
 4389                                         return (NULL);
 4390                                 }
 4391                         }
 4392                         if ((chk_length > SCTP_LARGEST_INIT_ACCEPTED) ||
 4393                             (num_chunks > 1) ||
 4394                             (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) {
 4395                                 *offset = length;
 4396                                 if (locked_tcb) {
 4397                                         SCTP_TCB_UNLOCK(locked_tcb);
 4398                                 }
 4399                                 return (NULL);
 4400                         }
 4401                         if ((stcb != NULL) &&
 4402                             (SCTP_GET_STATE(&stcb->asoc) ==
 4403                             SCTP_STATE_SHUTDOWN_ACK_SENT)) {
 4404                                 sctp_send_shutdown_ack(stcb,
 4405                                     stcb->asoc.primary_destination);
 4406                                 *offset = length;
 4407                                 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
 4408                                 if (locked_tcb) {
 4409                                         SCTP_TCB_UNLOCK(locked_tcb);
 4410                                 }
 4411                                 return (NULL);
 4412                         }
 4413                         if (netp) {
 4414                                 sctp_handle_init(m, iphlen, *offset, sh,
 4415                                     (struct sctp_init_chunk *)ch, inp,
 4416                                     stcb, *netp, &abort_no_unlock, vrf_id, port);
 4417                         }
 4418                         if (abort_no_unlock)
 4419                                 return (NULL);
 4420 
 4421                         *offset = length;
 4422                         if (locked_tcb) {
 4423                                 SCTP_TCB_UNLOCK(locked_tcb);
 4424                         }
 4425                         return (NULL);
 4426                         break;
 4427                 case SCTP_PAD_CHUNK:
 4428                         break;
 4429                 case SCTP_INITIATION_ACK:
 4430                         /* must be first and only chunk */
 4431                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n");
 4432                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 4433                                 /* We are not interested anymore */
 4434                                 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
 4435                                         ;
 4436                                 } else {
 4437                                         if (locked_tcb) {
 4438                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4439                                         }
 4440                                         *offset = length;
 4441                                         if (stcb) {
 4442 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4443                                                 so = SCTP_INP_SO(inp);
 4444                                                 atomic_add_int(&stcb->asoc.refcnt, 1);
 4445                                                 SCTP_TCB_UNLOCK(stcb);
 4446                                                 SCTP_SOCKET_LOCK(so, 1);
 4447                                                 SCTP_TCB_LOCK(stcb);
 4448                                                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 4449 #endif
 4450                                                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
 4451 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4452                                                 SCTP_SOCKET_UNLOCK(so, 1);
 4453 #endif
 4454                                         }
 4455                                         return (NULL);
 4456                                 }
 4457                         }
 4458                         if ((num_chunks > 1) ||
 4459                             (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) {
 4460                                 *offset = length;
 4461                                 if (locked_tcb) {
 4462                                         SCTP_TCB_UNLOCK(locked_tcb);
 4463                                 }
 4464                                 return (NULL);
 4465                         }
 4466                         if ((netp) && (*netp)) {
 4467                                 ret = sctp_handle_init_ack(m, iphlen, *offset, sh,
 4468                                     (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id);
 4469                         } else {
 4470                                 ret = -1;
 4471                         }
 4472                         /*
 4473                          * Special case, I must call the output routine to
 4474                          * get the cookie echoed
 4475                          */
 4476                         if (abort_no_unlock)
 4477                                 return (NULL);
 4478 
 4479                         if ((stcb) && ret == 0)
 4480                                 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
 4481                         *offset = length;
 4482                         if (locked_tcb) {
 4483                                 SCTP_TCB_UNLOCK(locked_tcb);
 4484                         }
 4485                         return (NULL);
 4486                         break;
 4487                 case SCTP_SELECTIVE_ACK:
 4488                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n");
 4489                         SCTP_STAT_INCR(sctps_recvsacks);
 4490                         {
 4491                                 struct sctp_sack_chunk *sack;
 4492                                 int abort_now = 0;
 4493                                 uint32_t a_rwnd, cum_ack;
 4494                                 uint16_t num_seg;
 4495                                 int nonce_sum_flag;
 4496 
 4497                                 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_sack_chunk))) {
 4498                                         SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on sack chunk, too small\n");
 4499                                         *offset = length;
 4500                                         if (locked_tcb) {
 4501                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4502                                         }
 4503                                         return (NULL);
 4504                                 }
 4505                                 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
 4506                                         /*-
 4507                                          * If we have sent a shutdown-ack, we will pay no
 4508                                          * attention to a sack sent in to us since
 4509                                          * we don't care anymore.
 4510                                          */
 4511                                         break;
 4512                                 }
 4513                                 sack = (struct sctp_sack_chunk *)ch;
 4514                                 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM;
 4515                                 cum_ack = ntohl(sack->sack.cum_tsn_ack);
 4516                                 num_seg = ntohs(sack->sack.num_gap_ack_blks);
 4517                                 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd);
 4518                                 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
 4519                                     cum_ack,
 4520                                     num_seg,
 4521                                     a_rwnd
 4522                                     );
 4523                                 stcb->asoc.seen_a_sack_this_pkt = 1;
 4524                                 if ((stcb->asoc.pr_sctp_cnt == 0) &&
 4525                                     (num_seg == 0) &&
 4526                                     ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) ||
 4527                                     (cum_ack == stcb->asoc.last_acked_seq)) &&
 4528                                     (stcb->asoc.saw_sack_with_frags == 0) &&
 4529                                     (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
 4530                                     ) {
 4531                                         /*
 4532                                          * We have a SIMPLE sack having no
 4533                                          * prior segments and data on sent
 4534                                          * queue to be acked.. Use the
 4535                                          * faster path sack processing. We
 4536                                          * also allow window update sacks
 4537                                          * with no missing segments to go
 4538                                          * this way too.
 4539                                          */
 4540                                         sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag,
 4541                                             &abort_now);
 4542                                 } else {
 4543                                         if (netp && *netp)
 4544                                                 sctp_handle_sack(m, *offset,
 4545                                                     sack, stcb, *netp, &abort_now, chk_length, a_rwnd);
 4546                                 }
 4547                                 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
 4548                                     TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
 4549                                     (stcb->asoc.stream_queue_cnt == 0)) {
 4550                                         sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 4551                                 }
 4552                                 if (abort_now) {
 4553                                         /* ABORT signal from sack processing */
 4554                                         *offset = length;
 4555                                         return (NULL);
 4556                                 }
 4557                         }
 4558                         break;
 4559                         /*
 4560                          * EY - nr_sack:  If the received chunk is an
 4561                          * nr_sack chunk
 4562                          */
 4563                 case SCTP_NR_SELECTIVE_ACK:
 4564                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK\n");
 4565                         SCTP_STAT_INCR(sctps_recvsacks);
 4566                         {
 4567                                 struct sctp_nr_sack_chunk *nr_sack;
 4568                                 int abort_now = 0;
 4569                                 uint32_t a_rwnd, cum_ack;
 4570                                 uint16_t num_seg, num_nr_seg;
 4571                                 int nonce_sum_flag, all_bit;
 4572 
 4573                                 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_nr_sack_chunk))) {
 4574                                         SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on nr_sack chunk, too small\n");
 4575                         ignore_nr_sack:
 4576                                         *offset = length;
 4577                                         if (locked_tcb) {
 4578                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4579                                         }
 4580                                         return (NULL);
 4581                                 }
 4582                                 /*
 4583                                  * EY nr_sacks have not been negotiated but
 4584                                  * the peer end sent an nr_sack, silently
 4585                                  * discard the chunk
 4586                                  */
 4587                                 if (!(SCTP_BASE_SYSCTL(sctp_nr_sack_on_off) && stcb->asoc.peer_supports_nr_sack)) {
 4588                                         goto unknown_chunk;
 4589                                 }
 4590                                 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
 4591                                         /*-
 4592                                          * If we have sent a shutdown-ack, we will pay no
 4593                                          * attention to a sack sent in to us since
 4594                                          * we don't care anymore.
 4595                                          */
 4596                                         goto ignore_nr_sack;
 4597                                 }
 4598                                 nr_sack = (struct sctp_nr_sack_chunk *)ch;
 4599                                 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM;
 4600                                 all_bit = ch->chunk_flags & SCTP_NR_SACK_ALL_BIT;
 4601 
 4602                                 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack);
 4603                                 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks);
 4604                                 /*
 4605                                  * EY -if All bit  is set, then there are as
 4606                                  * many gaps as nr_gaps
 4607                                  */
 4608                                 if (all_bit) {
 4609                                         num_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
 4610                                 }
 4611                                 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
 4612                                 a_rwnd = (uint32_t) ntohl(nr_sack->nr_sack.a_rwnd);
 4613                                 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
 4614                                     cum_ack,
 4615                                     num_seg,
 4616                                     a_rwnd
 4617                                     );
 4618                                 stcb->asoc.seen_a_sack_this_pkt = 1;
 4619                                 if ((stcb->asoc.pr_sctp_cnt == 0) &&
 4620                                     (num_seg == 0) &&
 4621                                     ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) ||
 4622                                     (cum_ack == stcb->asoc.last_acked_seq)) &&
 4623                                     (stcb->asoc.saw_sack_with_frags == 0) &&
 4624                                     (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
 4625                                     ) {
 4626                                         /*
 4627                                          * We have a SIMPLE sack having no
 4628                                          * prior segments and data on sent
 4629                                          * queue to be acked.. Use the
 4630                                          * faster path sack processing. We
 4631                                          * also allow window update sacks
 4632                                          * with no missing segments to go
 4633                                          * this way too.
 4634                                          */
 4635                                         sctp_express_handle_nr_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag,
 4636                                             &abort_now);
 4637                                 } else {
 4638                                         if (netp && *netp)
 4639                                                 sctp_handle_nr_sack(m, *offset,
 4640                                                     nr_sack, stcb, *netp, &abort_now, chk_length, a_rwnd);
 4641                                 }
 4642                                 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
 4643                                     TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
 4644                                     (stcb->asoc.stream_queue_cnt == 0)) {
 4645                                         sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
 4646                                 }
 4647                                 if (abort_now) {
 4648                                         /* ABORT signal from sack processing */
 4649                                         *offset = length;
 4650                                         return (NULL);
 4651                                 }
 4652                         }
 4653                         break;
 4654 
 4655                 case SCTP_HEARTBEAT_REQUEST:
 4656                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n");
 4657                         if ((stcb) && netp && *netp) {
 4658                                 SCTP_STAT_INCR(sctps_recvheartbeat);
 4659                                 sctp_send_heartbeat_ack(stcb, m, *offset,
 4660                                     chk_length, *netp);
 4661 
 4662                                 /* He's alive so give him credit */
 4663                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4664                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4665                                             stcb->asoc.overall_error_count,
 4666                                             0,
 4667                                             SCTP_FROM_SCTP_INPUT,
 4668                                             __LINE__);
 4669                                 }
 4670                                 stcb->asoc.overall_error_count = 0;
 4671                         }
 4672                         break;
 4673                 case SCTP_HEARTBEAT_ACK:
 4674                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n");
 4675                         if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) {
 4676                                 /* Its not ours */
 4677                                 *offset = length;
 4678                                 if (locked_tcb) {
 4679                                         SCTP_TCB_UNLOCK(locked_tcb);
 4680                                 }
 4681                                 return (NULL);
 4682                         }
 4683                         /* He's alive so give him credit */
 4684                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4685                                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4686                                     stcb->asoc.overall_error_count,
 4687                                     0,
 4688                                     SCTP_FROM_SCTP_INPUT,
 4689                                     __LINE__);
 4690                         }
 4691                         stcb->asoc.overall_error_count = 0;
 4692                         SCTP_STAT_INCR(sctps_recvheartbeatack);
 4693                         if (netp && *netp)
 4694                                 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
 4695                                     stcb, *netp);
 4696                         break;
 4697                 case SCTP_ABORT_ASSOCIATION:
 4698                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n",
 4699                             stcb);
 4700                         if ((stcb) && netp && *netp)
 4701                                 sctp_handle_abort((struct sctp_abort_chunk *)ch,
 4702                                     stcb, *netp);
 4703                         *offset = length;
 4704                         return (NULL);
 4705                         break;
 4706                 case SCTP_SHUTDOWN:
 4707                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n",
 4708                             stcb);
 4709                         if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) {
 4710                                 *offset = length;
 4711                                 if (locked_tcb) {
 4712                                         SCTP_TCB_UNLOCK(locked_tcb);
 4713                                 }
 4714                                 return (NULL);
 4715                         }
 4716                         if (netp && *netp) {
 4717                                 int abort_flag = 0;
 4718 
 4719                                 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
 4720                                     stcb, *netp, &abort_flag);
 4721                                 if (abort_flag) {
 4722                                         *offset = length;
 4723                                         return (NULL);
 4724                                 }
 4725                         }
 4726                         break;
 4727                 case SCTP_SHUTDOWN_ACK:
 4728                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", stcb);
 4729                         if ((stcb) && (netp) && (*netp))
 4730                                 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
 4731                         *offset = length;
 4732                         return (NULL);
 4733                         break;
 4734 
 4735                 case SCTP_OPERATION_ERROR:
 4736                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n");
 4737                         if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) {
 4738 
 4739                                 *offset = length;
 4740                                 return (NULL);
 4741                         }
 4742                         break;
 4743                 case SCTP_COOKIE_ECHO:
 4744                         SCTPDBG(SCTP_DEBUG_INPUT3,
 4745                             "SCTP_COOKIE-ECHO, stcb %p\n", stcb);
 4746                         if ((stcb) && (stcb->asoc.total_output_queue_size)) {
 4747                                 ;
 4748                         } else {
 4749                                 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 4750                                         /* We are not interested anymore */
 4751                                         *offset = length;
 4752                                         return (NULL);
 4753                                 }
 4754                         }
 4755                         /*
 4756                          * First are we accepting? We do this again here
 4757                          * sincen it is possible that a previous endpoint
 4758                          * WAS listening responded to a INIT-ACK and then
 4759                          * closed. We opened and bound.. and are now no
 4760                          * longer listening.
 4761                          */
 4762 
 4763                         if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) {
 4764                                 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
 4765                                     (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) {
 4766                                         struct mbuf *oper;
 4767                                         struct sctp_paramhdr *phdr;
 4768 
 4769                                         oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
 4770                                             0, M_DONTWAIT, 1, MT_DATA);
 4771                                         if (oper) {
 4772                                                 SCTP_BUF_LEN(oper) =
 4773                                                     sizeof(struct sctp_paramhdr);
 4774                                                 phdr = mtod(oper,
 4775                                                     struct sctp_paramhdr *);
 4776                                                 phdr->param_type =
 4777                                                     htons(SCTP_CAUSE_OUT_OF_RESC);
 4778                                                 phdr->param_length =
 4779                                                     htons(sizeof(struct sctp_paramhdr));
 4780                                         }
 4781                                         sctp_abort_association(inp, stcb, m,
 4782                                             iphlen, sh, oper, vrf_id, port);
 4783                                 }
 4784                                 *offset = length;
 4785                                 return (NULL);
 4786                         } else {
 4787                                 struct mbuf *ret_buf;
 4788                                 struct sctp_inpcb *linp;
 4789 
 4790                                 if (stcb) {
 4791                                         linp = NULL;
 4792                                 } else {
 4793                                         linp = inp;
 4794                                 }
 4795 
 4796                                 if (linp) {
 4797                                         SCTP_ASOC_CREATE_LOCK(linp);
 4798                                 }
 4799                                 if (netp) {
 4800                                         ret_buf =
 4801                                             sctp_handle_cookie_echo(m, iphlen,
 4802                                             *offset, sh,
 4803                                             (struct sctp_cookie_echo_chunk *)ch,
 4804                                             &inp, &stcb, netp,
 4805                                             auth_skipped,
 4806                                             auth_offset,
 4807                                             auth_len,
 4808                                             &locked_tcb,
 4809                                             vrf_id,
 4810                                             port);
 4811                                 } else {
 4812                                         ret_buf = NULL;
 4813                                 }
 4814                                 if (linp) {
 4815                                         SCTP_ASOC_CREATE_UNLOCK(linp);
 4816                                 }
 4817                                 if (ret_buf == NULL) {
 4818                                         if (locked_tcb) {
 4819                                                 SCTP_TCB_UNLOCK(locked_tcb);
 4820                                         }
 4821                                         SCTPDBG(SCTP_DEBUG_INPUT3,
 4822                                             "GAK, null buffer\n");
 4823                                         auth_skipped = 0;
 4824                                         *offset = length;
 4825                                         return (NULL);
 4826                                 }
 4827                                 /* if AUTH skipped, see if it verified... */
 4828                                 if (auth_skipped) {
 4829                                         got_auth = 1;
 4830                                         auth_skipped = 0;
 4831                                 }
 4832                                 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
 4833                                         /*
 4834                                          * Restart the timer if we have
 4835                                          * pending data
 4836                                          */
 4837                                         struct sctp_tmit_chunk *chk;
 4838 
 4839                                         chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
 4840                                         if (chk) {
 4841                                                 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
 4842                                                     stcb->sctp_ep, stcb,
 4843                                                     chk->whoTo);
 4844                                         }
 4845                                 }
 4846                         }
 4847                         break;
 4848                 case SCTP_COOKIE_ACK:
 4849                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", stcb);
 4850                         if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) {
 4851                                 if (locked_tcb) {
 4852                                         SCTP_TCB_UNLOCK(locked_tcb);
 4853                                 }
 4854                                 return (NULL);
 4855                         }
 4856                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 4857                                 /* We are not interested anymore */
 4858                                 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
 4859                                         ;
 4860                                 } else if (stcb) {
 4861 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4862                                         so = SCTP_INP_SO(inp);
 4863                                         atomic_add_int(&stcb->asoc.refcnt, 1);
 4864                                         SCTP_TCB_UNLOCK(stcb);
 4865                                         SCTP_SOCKET_LOCK(so, 1);
 4866                                         SCTP_TCB_LOCK(stcb);
 4867                                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 4868 #endif
 4869                                         (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27);
 4870 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 4871                                         SCTP_SOCKET_UNLOCK(so, 1);
 4872 #endif
 4873                                         *offset = length;
 4874                                         return (NULL);
 4875                                 }
 4876                         }
 4877                         /* He's alive so give him credit */
 4878                         if ((stcb) && netp && *netp) {
 4879                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4880                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4881                                             stcb->asoc.overall_error_count,
 4882                                             0,
 4883                                             SCTP_FROM_SCTP_INPUT,
 4884                                             __LINE__);
 4885                                 }
 4886                                 stcb->asoc.overall_error_count = 0;
 4887                                 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
 4888                         }
 4889                         break;
 4890                 case SCTP_ECN_ECHO:
 4891                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n");
 4892                         /* He's alive so give him credit */
 4893                         if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) {
 4894                                 /* Its not ours */
 4895                                 if (locked_tcb) {
 4896                                         SCTP_TCB_UNLOCK(locked_tcb);
 4897                                 }
 4898                                 *offset = length;
 4899                                 return (NULL);
 4900                         }
 4901                         if (stcb) {
 4902                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4903                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4904                                             stcb->asoc.overall_error_count,
 4905                                             0,
 4906                                             SCTP_FROM_SCTP_INPUT,
 4907                                             __LINE__);
 4908                                 }
 4909                                 stcb->asoc.overall_error_count = 0;
 4910                                 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
 4911                                     stcb);
 4912                         }
 4913                         break;
 4914                 case SCTP_ECN_CWR:
 4915                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n");
 4916                         /* He's alive so give him credit */
 4917                         if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) {
 4918                                 /* Its not ours */
 4919                                 if (locked_tcb) {
 4920                                         SCTP_TCB_UNLOCK(locked_tcb);
 4921                                 }
 4922                                 *offset = length;
 4923                                 return (NULL);
 4924                         }
 4925                         if (stcb) {
 4926                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4927                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4928                                             stcb->asoc.overall_error_count,
 4929                                             0,
 4930                                             SCTP_FROM_SCTP_INPUT,
 4931                                             __LINE__);
 4932                                 }
 4933                                 stcb->asoc.overall_error_count = 0;
 4934                                 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb);
 4935                         }
 4936                         break;
 4937                 case SCTP_SHUTDOWN_COMPLETE:
 4938                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", stcb);
 4939                         /* must be first and only chunk */
 4940                         if ((num_chunks > 1) ||
 4941                             (length - *offset > (int)SCTP_SIZE32(chk_length))) {
 4942                                 *offset = length;
 4943                                 if (locked_tcb) {
 4944                                         SCTP_TCB_UNLOCK(locked_tcb);
 4945                                 }
 4946                                 return (NULL);
 4947                         }
 4948                         if ((stcb) && netp && *netp) {
 4949                                 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
 4950                                     stcb, *netp);
 4951                         }
 4952                         *offset = length;
 4953                         return (NULL);
 4954                         break;
 4955                 case SCTP_ASCONF:
 4956                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n");
 4957                         /* He's alive so give him credit */
 4958                         if (stcb) {
 4959                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4960                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4961                                             stcb->asoc.overall_error_count,
 4962                                             0,
 4963                                             SCTP_FROM_SCTP_INPUT,
 4964                                             __LINE__);
 4965                                 }
 4966                                 stcb->asoc.overall_error_count = 0;
 4967                                 sctp_handle_asconf(m, *offset,
 4968                                     (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0);
 4969                                 asconf_cnt++;
 4970                         }
 4971                         break;
 4972                 case SCTP_ASCONF_ACK:
 4973                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n");
 4974                         if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) {
 4975                                 /* Its not ours */
 4976                                 if (locked_tcb) {
 4977                                         SCTP_TCB_UNLOCK(locked_tcb);
 4978                                 }
 4979                                 *offset = length;
 4980                                 return (NULL);
 4981                         }
 4982                         if ((stcb) && netp && *netp) {
 4983                                 /* He's alive so give him credit */
 4984                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 4985                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 4986                                             stcb->asoc.overall_error_count,
 4987                                             0,
 4988                                             SCTP_FROM_SCTP_INPUT,
 4989                                             __LINE__);
 4990                                 }
 4991                                 stcb->asoc.overall_error_count = 0;
 4992                                 sctp_handle_asconf_ack(m, *offset,
 4993                                     (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock);
 4994                                 if (abort_no_unlock)
 4995                                         return (NULL);
 4996                         }
 4997                         break;
 4998                 case SCTP_FORWARD_CUM_TSN:
 4999                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n");
 5000                         if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) {
 5001                                 /* Its not ours */
 5002                                 if (locked_tcb) {
 5003                                         SCTP_TCB_UNLOCK(locked_tcb);
 5004                                 }
 5005                                 *offset = length;
 5006                                 return (NULL);
 5007                         }
 5008                         /* He's alive so give him credit */
 5009                         if (stcb) {
 5010                                 int abort_flag = 0;
 5011 
 5012                                 stcb->asoc.overall_error_count = 0;
 5013                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 5014                                         sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 5015                                             stcb->asoc.overall_error_count,
 5016                                             0,
 5017                                             SCTP_FROM_SCTP_INPUT,
 5018                                             __LINE__);
 5019                                 }
 5020                                 *fwd_tsn_seen = 1;
 5021                                 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 5022                                         /* We are not interested anymore */
 5023 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 5024                                         so = SCTP_INP_SO(inp);
 5025                                         atomic_add_int(&stcb->asoc.refcnt, 1);
 5026                                         SCTP_TCB_UNLOCK(stcb);
 5027                                         SCTP_SOCKET_LOCK(so, 1);
 5028                                         SCTP_TCB_LOCK(stcb);
 5029                                         atomic_subtract_int(&stcb->asoc.refcnt, 1);
 5030 #endif
 5031                                         (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29);
 5032 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 5033                                         SCTP_SOCKET_UNLOCK(so, 1);
 5034 #endif
 5035                                         *offset = length;
 5036                                         return (NULL);
 5037                                 }
 5038                                 sctp_handle_forward_tsn(stcb,
 5039                                     (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset);
 5040                                 if (abort_flag) {
 5041                                         *offset = length;
 5042                                         return (NULL);
 5043                                 } else {
 5044                                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 5045                                                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 5046                                                     stcb->asoc.overall_error_count,
 5047                                                     0,
 5048                                                     SCTP_FROM_SCTP_INPUT,
 5049                                                     __LINE__);
 5050                                         }
 5051                                         stcb->asoc.overall_error_count = 0;
 5052                                 }
 5053 
 5054                         }
 5055                         break;
 5056                 case SCTP_STREAM_RESET:
 5057                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n");
 5058                         if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) {
 5059                                 /* Its not ours */
 5060                                 if (locked_tcb) {
 5061                                         SCTP_TCB_UNLOCK(locked_tcb);
 5062                                 }
 5063                                 *offset = length;
 5064                                 return (NULL);
 5065                         }
 5066                         if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
 5067                                 /* We are not interested anymore */
 5068 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 5069                                 so = SCTP_INP_SO(inp);
 5070                                 atomic_add_int(&stcb->asoc.refcnt, 1);
 5071                                 SCTP_TCB_UNLOCK(stcb);
 5072                                 SCTP_SOCKET_LOCK(so, 1);
 5073                                 SCTP_TCB_LOCK(stcb);
 5074                                 atomic_subtract_int(&stcb->asoc.refcnt, 1);
 5075 #endif
 5076                                 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_30);
 5077 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 5078                                 SCTP_SOCKET_UNLOCK(so, 1);
 5079 #endif
 5080                                 *offset = length;
 5081                                 return (NULL);
 5082                         }
 5083                         if (stcb->asoc.peer_supports_strreset == 0) {
 5084                                 /*
 5085                                  * hmm, peer should have announced this, but
 5086                                  * we will turn it on since he is sending us
 5087                                  * a stream reset.
 5088                                  */
 5089                                 stcb->asoc.peer_supports_strreset = 1;
 5090                         }
 5091                         if (sctp_handle_stream_reset(stcb, m, *offset, (struct sctp_stream_reset_out_req *)ch)) {
 5092                                 /* stop processing */
 5093                                 *offset = length;
 5094                                 return (NULL);
 5095                         }
 5096                         break;
 5097                 case SCTP_PACKET_DROPPED:
 5098                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n");
 5099                         /* re-get it all please */
 5100                         if (chk_length < sizeof(struct sctp_pktdrop_chunk)) {
 5101                                 /* Its not ours */
 5102                                 if (locked_tcb) {
 5103                                         SCTP_TCB_UNLOCK(locked_tcb);
 5104                                 }
 5105                                 *offset = length;
 5106                                 return (NULL);
 5107                         }
 5108                         if (ch && (stcb) && netp && (*netp)) {
 5109                                 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
 5110                                     stcb, *netp,
 5111                                     min(chk_length, (sizeof(chunk_buf) - 4)));
 5112 
 5113                         }
 5114                         break;
 5115 
 5116                 case SCTP_AUTHENTICATION:
 5117                         SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n");
 5118                         if (SCTP_BASE_SYSCTL(sctp_auth_disable))
 5119                                 goto unknown_chunk;
 5120 
 5121                         if (stcb == NULL) {
 5122                                 /* save the first AUTH for later processing */
 5123                                 if (auth_skipped == 0) {
 5124                                         auth_offset = *offset;
 5125                                         auth_len = chk_length;
 5126                                         auth_skipped = 1;
 5127                                 }
 5128                                 /* skip this chunk (temporarily) */
 5129                                 goto next_chunk;
 5130                         }
 5131                         if ((chk_length < (sizeof(struct sctp_auth_chunk))) ||
 5132                             (chk_length > (sizeof(struct sctp_auth_chunk) +
 5133                             SCTP_AUTH_DIGEST_LEN_MAX))) {
 5134                                 /* Its not ours */
 5135                                 if (locked_tcb) {
 5136                                         SCTP_TCB_UNLOCK(locked_tcb);
 5137                                 }
 5138                                 *offset = length;
 5139                                 return (NULL);
 5140                         }
 5141                         if (got_auth == 1) {
 5142                                 /* skip this chunk... it's already auth'd */
 5143                                 goto next_chunk;
 5144                         }
 5145                         got_auth = 1;
 5146                         if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch,
 5147                             m, *offset)) {
 5148                                 /* auth HMAC failed so dump the packet */
 5149                                 *offset = length;
 5150                                 return (stcb);
 5151                         } else {
 5152                                 /* remaining chunks are HMAC checked */
 5153                                 stcb->asoc.authenticated = 1;
 5154                         }
 5155                         break;
 5156 
 5157                 default:
 5158         unknown_chunk:
 5159                         /* it's an unknown chunk! */
 5160                         if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
 5161                                 struct mbuf *mm;
 5162                                 struct sctp_paramhdr *phd;
 5163 
 5164                                 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
 5165                                     0, M_DONTWAIT, 1, MT_DATA);
 5166                                 if (mm) {
 5167                                         phd = mtod(mm, struct sctp_paramhdr *);
 5168                                         /*
 5169                                          * We cheat and use param type since
 5170                                          * we did not bother to define a
 5171                                          * error cause struct. They are the
 5172                                          * same basic format with different
 5173                                          * names.
 5174                                          */
 5175                                         phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK);
 5176                                         phd->param_length = htons(chk_length + sizeof(*phd));
 5177                                         SCTP_BUF_LEN(mm) = sizeof(*phd);
 5178                                         SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length),
 5179                                             M_DONTWAIT);
 5180                                         if (SCTP_BUF_NEXT(mm)) {
 5181 #ifdef SCTP_MBUF_LOGGING
 5182                                                 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
 5183                                                         struct mbuf *mat;
 5184 
 5185                                                         mat = SCTP_BUF_NEXT(mm);
 5186                                                         while (mat) {
 5187                                                                 if (SCTP_BUF_IS_EXTENDED(mat)) {
 5188                                                                         sctp_log_mb(mat, SCTP_MBUF_ICOPY);
 5189                                                                 }
 5190                                                                 mat = SCTP_BUF_NEXT(mat);
 5191                                                         }
 5192                                                 }
 5193 #endif
 5194                                                 sctp_queue_op_err(stcb, mm);
 5195                                         } else {
 5196                                                 sctp_m_freem(mm);
 5197                                         }
 5198                                 }
 5199                         }
 5200                         if ((ch->chunk_type & 0x80) == 0) {
 5201                                 /* discard this packet */
 5202                                 *offset = length;
 5203                                 return (stcb);
 5204                         }       /* else skip this bad chunk and continue... */
 5205                         break;
 5206                 }               /* switch (ch->chunk_type) */
 5207 
 5208 
 5209 next_chunk:
 5210                 /* get the next chunk */
 5211                 *offset += SCTP_SIZE32(chk_length);
 5212                 if (*offset >= length) {
 5213                         /* no more data left in the mbuf chain */
 5214                         break;
 5215                 }
 5216                 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
 5217                     sizeof(struct sctp_chunkhdr), chunk_buf);
 5218                 if (ch == NULL) {
 5219                         if (locked_tcb) {
 5220                                 SCTP_TCB_UNLOCK(locked_tcb);
 5221                         }
 5222                         *offset = length;
 5223                         return (NULL);
 5224                 }
 5225         }                       /* while */
 5226 
 5227         if (asconf_cnt > 0 && stcb != NULL) {
 5228                 sctp_send_asconf_ack(stcb);
 5229         }
 5230         return (stcb);
 5231 }
 5232 
 5233 
 5234 /*
 5235  * Process the ECN bits we have something set so we must look to see if it is
 5236  * ECN(0) or ECN(1) or CE
 5237  */
 5238 static void
 5239 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net,
 5240     uint8_t ecn_bits)
 5241 {
 5242         if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
 5243                 ;
 5244         } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) {
 5245                 /*
 5246                  * we only add to the nonce sum for ECT1, ECT0 does not
 5247                  * change the NS bit (that we have yet to find a way to send
 5248                  * it yet).
 5249                  */
 5250 
 5251                 /* ECN Nonce stuff */
 5252                 stcb->asoc.receiver_nonce_sum++;
 5253                 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM;
 5254 
 5255                 /*
 5256                  * Drag up the last_echo point if cumack is larger since we
 5257                  * don't want the point falling way behind by more than
 5258                  * 2^^31 and then having it be incorrect.
 5259                  */
 5260                 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
 5261                     stcb->asoc.last_echo_tsn, MAX_TSN)) {
 5262                         stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
 5263                 }
 5264         } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) {
 5265                 /*
 5266                  * Drag up the last_echo point if cumack is larger since we
 5267                  * don't want the point falling way behind by more than
 5268                  * 2^^31 and then having it be incorrect.
 5269                  */
 5270                 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
 5271                     stcb->asoc.last_echo_tsn, MAX_TSN)) {
 5272                         stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
 5273                 }
 5274         }
 5275 }
 5276 
 5277 static void
 5278 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net,
 5279     uint32_t high_tsn, uint8_t ecn_bits)
 5280 {
 5281         if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
 5282                 /*
 5283                  * we possibly must notify the sender that a congestion
 5284                  * window reduction is in order. We do this by adding a ECNE
 5285                  * chunk to the output chunk queue. The incoming CWR will
 5286                  * remove this chunk.
 5287                  */
 5288                 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn,
 5289                     MAX_TSN)) {
 5290                         /* Yep, we need to add a ECNE */
 5291                         sctp_send_ecn_echo(stcb, net, high_tsn);
 5292                         stcb->asoc.last_echo_tsn = high_tsn;
 5293                 }
 5294         }
 5295 }
 5296 
 5297 #ifdef INVARIANTS
 5298 static void
 5299 sctp_validate_no_locks(struct sctp_inpcb *inp)
 5300 {
 5301         struct sctp_tcb *stcb;
 5302 
 5303         LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) {
 5304                 if (mtx_owned(&stcb->tcb_mtx)) {
 5305                         panic("Own lock on stcb at return from input");
 5306                 }
 5307         }
 5308 }
 5309 
 5310 #endif
 5311 
 5312 /*
 5313  * common input chunk processing (v4 and v6)
 5314  */
 5315 void
 5316 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset,
 5317     int length, struct sctphdr *sh, struct sctp_chunkhdr *ch,
 5318     struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
 5319     uint8_t ecn_bits, uint32_t vrf_id, uint16_t port)
 5320 {
 5321         /*
 5322          * Control chunk processing
 5323          */
 5324         uint32_t high_tsn;
 5325         int fwd_tsn_seen = 0, data_processed = 0;
 5326         struct mbuf *m = *mm;
 5327         int abort_flag = 0;
 5328         int un_sent;
 5329 
 5330         SCTP_STAT_INCR(sctps_recvdatagrams);
 5331 #ifdef SCTP_AUDITING_ENABLED
 5332         sctp_audit_log(0xE0, 1);
 5333         sctp_auditing(0, inp, stcb, net);
 5334 #endif
 5335 
 5336         SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n",
 5337             m, iphlen, offset, length, stcb);
 5338         if (stcb) {
 5339                 /* always clear this before beginning a packet */
 5340                 stcb->asoc.authenticated = 0;
 5341                 stcb->asoc.seen_a_sack_this_pkt = 0;
 5342                 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n",
 5343                     stcb, stcb->asoc.state);
 5344 
 5345                 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) ||
 5346                     (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) {
 5347                         /*-
 5348                          * If we hit here, we had a ref count
 5349                          * up when the assoc was aborted and the
 5350                          * timer is clearing out the assoc, we should
 5351                          * NOT respond to any packet.. its OOTB.
 5352                          */
 5353                         SCTP_TCB_UNLOCK(stcb);
 5354                         sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
 5355                             vrf_id, port);
 5356                         goto out_now;
 5357                 }
 5358         }
 5359         if (IS_SCTP_CONTROL(ch)) {
 5360                 /* process the control portion of the SCTP packet */
 5361                 /* sa_ignore NO_NULL_CHK */
 5362                 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch,
 5363                     inp, stcb, &net, &fwd_tsn_seen, vrf_id, port);
 5364                 if (stcb) {
 5365                         /*
 5366                          * This covers us if the cookie-echo was there and
 5367                          * it changes our INP.
 5368                          */
 5369                         inp = stcb->sctp_ep;
 5370                         if ((net) && (port)) {
 5371                                 if (net->port == 0) {
 5372                                         sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
 5373                                 }
 5374                                 net->port = port;
 5375                         }
 5376                 }
 5377         } else {
 5378                 /*
 5379                  * no control chunks, so pre-process DATA chunks (these
 5380                  * checks are taken care of by control processing)
 5381                  */
 5382 
 5383                 /*
 5384                  * if DATA only packet, and auth is required, then punt...
 5385                  * can't have authenticated without any AUTH (control)
 5386                  * chunks
 5387                  */
 5388                 if ((stcb != NULL) &&
 5389                     !SCTP_BASE_SYSCTL(sctp_auth_disable) &&
 5390                     sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) {
 5391                         /* "silently" ignore */
 5392                         SCTP_STAT_INCR(sctps_recvauthmissing);
 5393                         SCTP_TCB_UNLOCK(stcb);
 5394                         goto out_now;
 5395                 }
 5396                 if (stcb == NULL) {
 5397                         /* out of the blue DATA chunk */
 5398                         sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
 5399                             vrf_id, port);
 5400                         goto out_now;
 5401                 }
 5402                 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
 5403                         /* v_tag mismatch! */
 5404                         SCTP_STAT_INCR(sctps_badvtag);
 5405                         SCTP_TCB_UNLOCK(stcb);
 5406                         goto out_now;
 5407                 }
 5408         }
 5409 
 5410         if (stcb == NULL) {
 5411                 /*
 5412                  * no valid TCB for this packet, or we found it's a bad
 5413                  * packet while processing control, or we're done with this
 5414                  * packet (done or skip rest of data), so we drop it...
 5415                  */
 5416                 goto out_now;
 5417         }
 5418         /*
 5419          * DATA chunk processing
 5420          */
 5421         /* plow through the data chunks while length > offset */
 5422 
 5423         /*
 5424          * Rest should be DATA only.  Check authentication state if AUTH for
 5425          * DATA is required.
 5426          */
 5427         if ((length > offset) &&
 5428             (stcb != NULL) &&
 5429             !SCTP_BASE_SYSCTL(sctp_auth_disable) &&
 5430             sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) &&
 5431             !stcb->asoc.authenticated) {
 5432                 /* "silently" ignore */
 5433                 SCTP_STAT_INCR(sctps_recvauthmissing);
 5434                 SCTPDBG(SCTP_DEBUG_AUTH1,
 5435                     "Data chunk requires AUTH, skipped\n");
 5436                 goto trigger_send;
 5437         }
 5438         if (length > offset) {
 5439                 int retval;
 5440 
 5441                 /*
 5442                  * First check to make sure our state is correct. We would
 5443                  * not get here unless we really did have a tag, so we don't
 5444                  * abort if this happens, just dump the chunk silently.
 5445                  */
 5446                 switch (SCTP_GET_STATE(&stcb->asoc)) {
 5447                 case SCTP_STATE_COOKIE_ECHOED:
 5448                         /*
 5449                          * we consider data with valid tags in this state
 5450                          * shows us the cookie-ack was lost. Imply it was
 5451                          * there.
 5452                          */
 5453                         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
 5454                                 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
 5455                                     stcb->asoc.overall_error_count,
 5456                                     0,
 5457                                     SCTP_FROM_SCTP_INPUT,
 5458                                     __LINE__);
 5459                         }
 5460                         stcb->asoc.overall_error_count = 0;
 5461                         sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net);
 5462                         break;
 5463                 case SCTP_STATE_COOKIE_WAIT:
 5464                         /*
 5465                          * We consider OOTB any data sent during asoc setup.
 5466                          */
 5467                         sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL,
 5468                             vrf_id, port);
 5469                         SCTP_TCB_UNLOCK(stcb);
 5470                         goto out_now;
 5471                         /* sa_ignore NOTREACHED */
 5472                         break;
 5473                 case SCTP_STATE_EMPTY:  /* should not happen */
 5474                 case SCTP_STATE_INUSE:  /* should not happen */
 5475                 case SCTP_STATE_SHUTDOWN_RECEIVED:      /* This is a peer error */
 5476                 case SCTP_STATE_SHUTDOWN_ACK_SENT:
 5477                 default:
 5478                         SCTP_TCB_UNLOCK(stcb);
 5479                         goto out_now;
 5480                         /* sa_ignore NOTREACHED */
 5481                         break;
 5482                 case SCTP_STATE_OPEN:
 5483                 case SCTP_STATE_SHUTDOWN_SENT:
 5484                         break;
 5485                 }
 5486                 /* take care of ECN, part 1. */
 5487                 if (stcb->asoc.ecn_allowed &&
 5488                     (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
 5489                         sctp_process_ecn_marked_a(stcb, net, ecn_bits);
 5490                 }
 5491                 /* plow through the data chunks while length > offset */
 5492                 retval = sctp_process_data(mm, iphlen, &offset, length, sh,
 5493                     inp, stcb, net, &high_tsn);
 5494                 if (retval == 2) {
 5495                         /*
 5496                          * The association aborted, NO UNLOCK needed since
 5497                          * the association is destroyed.
 5498                          */
 5499                         goto out_now;
 5500                 }
 5501                 data_processed = 1;
 5502                 if (retval == 0) {
 5503                         /* take care of ecn part 2. */
 5504                         if (stcb->asoc.ecn_allowed &&
 5505                             (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) {
 5506                                 sctp_process_ecn_marked_b(stcb, net, high_tsn,
 5507                                     ecn_bits);
 5508                         }
 5509                 }
 5510                 /*
 5511                  * Anything important needs to have been m_copy'ed in
 5512                  * process_data
 5513                  */
 5514         }
 5515         if ((data_processed == 0) && (fwd_tsn_seen)) {
 5516                 int was_a_gap = 0;
 5517 
 5518                 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map,
 5519                     stcb->asoc.cumulative_tsn, MAX_TSN)) {
 5520                         /* there was a gap before this data was processed */
 5521                         was_a_gap = 1;
 5522                 }
 5523                 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag);
 5524                 if (abort_flag) {
 5525                         /* Again, we aborted so NO UNLOCK needed */
 5526                         goto out_now;
 5527                 }
 5528         }
 5529         /* trigger send of any chunks in queue... */
 5530 trigger_send:
 5531 #ifdef SCTP_AUDITING_ENABLED
 5532         sctp_audit_log(0xE0, 2);
 5533         sctp_auditing(1, inp, stcb, net);
 5534 #endif
 5535         SCTPDBG(SCTP_DEBUG_INPUT1,
 5536             "Check for chunk output prw:%d tqe:%d tf=%d\n",
 5537             stcb->asoc.peers_rwnd,
 5538             TAILQ_EMPTY(&stcb->asoc.control_send_queue),
 5539             stcb->asoc.total_flight);
 5540         un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
 5541 
 5542         if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) ||
 5543             ((un_sent) &&
 5544             (stcb->asoc.peers_rwnd > 0 ||
 5545             (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) {
 5546                 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n");
 5547                 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
 5548                 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n");
 5549         }
 5550 #ifdef SCTP_AUDITING_ENABLED
 5551         sctp_audit_log(0xE0, 3);
 5552         sctp_auditing(2, inp, stcb, net);
 5553 #endif
 5554         SCTP_TCB_UNLOCK(stcb);
 5555 out_now:
 5556 #ifdef INVARIANTS
 5557         sctp_validate_no_locks(inp);
 5558 #endif
 5559         return;
 5560 }
 5561 
 5562 #if 0
 5563 static void
 5564 sctp_print_mbuf_chain(struct mbuf *m)
 5565 {
 5566         for (; m; m = SCTP_BUF_NEXT(m)) {
 5567                 printf("%p: m_len = %ld\n", m, SCTP_BUF_LEN(m));
 5568                 if (SCTP_BUF_IS_EXTENDED(m))
 5569                         printf("%p: extend_size = %d\n", m, SCTP_BUF_EXTEND_SIZE(m));
 5570         }
 5571 }
 5572 
 5573 #endif
 5574 
 5575 void
 5576 sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port)
 5577 {
 5578 #ifdef SCTP_MBUF_LOGGING
 5579         struct mbuf *mat;
 5580 
 5581 #endif
 5582         struct mbuf *m;
 5583         int iphlen;
 5584         uint32_t vrf_id = 0;
 5585         uint8_t ecn_bits;
 5586         struct ip *ip;
 5587         struct sctphdr *sh;
 5588         struct sctp_inpcb *inp = NULL;
 5589 
 5590         uint32_t check, calc_check;
 5591         struct sctp_nets *net;
 5592         struct sctp_tcb *stcb = NULL;
 5593         struct sctp_chunkhdr *ch;
 5594         int refcount_up = 0;
 5595         int length, mlen, offset;
 5596 
 5597 
 5598         if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) {
 5599                 SCTP_RELEASE_PKT(i_pak);
 5600                 return;
 5601         }
 5602         mlen = SCTP_HEADER_LEN(i_pak);
 5603         iphlen = off;
 5604         m = SCTP_HEADER_TO_CHAIN(i_pak);
 5605 
 5606         net = NULL;
 5607         SCTP_STAT_INCR(sctps_recvpackets);
 5608         SCTP_STAT_INCR_COUNTER64(sctps_inpackets);
 5609 
 5610 
 5611 #ifdef SCTP_MBUF_LOGGING
 5612         /* Log in any input mbufs */
 5613         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
 5614                 mat = m;
 5615                 while (mat) {
 5616                         if (SCTP_BUF_IS_EXTENDED(mat)) {
 5617                                 sctp_log_mb(mat, SCTP_MBUF_INPUT);
 5618                         }
 5619                         mat = SCTP_BUF_NEXT(mat);
 5620                 }
 5621         }
 5622 #endif
 5623 #ifdef  SCTP_PACKET_LOGGING
 5624         if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
 5625                 sctp_packet_log(m, mlen);
 5626 #endif
 5627         /*
 5628          * Must take out the iphlen, since mlen expects this (only effect lb
 5629          * case)
 5630          */
 5631         mlen -= iphlen;
 5632 
 5633         /*
 5634          * Get IP, SCTP, and first chunk header together in first mbuf.
 5635          */
 5636         ip = mtod(m, struct ip *);
 5637         offset = iphlen + sizeof(*sh) + sizeof(*ch);
 5638         if (SCTP_BUF_LEN(m) < offset) {
 5639                 if ((m = m_pullup(m, offset)) == 0) {
 5640                         SCTP_STAT_INCR(sctps_hdrops);
 5641                         return;
 5642                 }
 5643                 ip = mtod(m, struct ip *);
 5644         }
 5645         sh = (struct sctphdr *)((caddr_t)ip + iphlen);
 5646         ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh));
 5647         SCTPDBG(SCTP_DEBUG_INPUT1,
 5648             "sctp_input() length:%d iphlen:%d\n", mlen, iphlen);
 5649 
 5650         /* SCTP does not allow broadcasts or multicasts */
 5651         if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
 5652                 goto bad;
 5653         }
 5654         if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) {
 5655                 /*
 5656                  * We only look at broadcast if its a front state, All
 5657                  * others we will not have a tcb for anyway.
 5658                  */
 5659                 goto bad;
 5660         }
 5661         /* validate SCTP checksum */
 5662         check = sh->checksum;   /* save incoming checksum */
 5663         if ((check == 0) && (SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback)) &&
 5664             ((ip->ip_src.s_addr == ip->ip_dst.s_addr) ||
 5665             (SCTP_IS_IT_LOOPBACK(m)))
 5666             ) {
 5667                 goto sctp_skip_csum_4;
 5668         }
 5669         sh->checksum = 0;       /* prepare for calc */
 5670         calc_check = sctp_calculate_sum(m, &mlen, iphlen);
 5671         if (calc_check != check) {
 5672                 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x  m:%p mlen:%d iphlen:%d\n",
 5673                     calc_check, check, m, mlen, iphlen);
 5674 
 5675                 stcb = sctp_findassociation_addr(m, iphlen,
 5676                     offset - sizeof(*ch),
 5677                     sh, ch, &inp, &net,
 5678                     vrf_id);
 5679                 if ((net) && (port)) {
 5680                         if (net->port == 0) {
 5681                                 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
 5682                         }
 5683                         net->port = port;
 5684                 }
 5685                 if ((inp) && (stcb)) {
 5686                         sctp_send_packet_dropped(stcb, net, m, iphlen, 1);
 5687                         sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED);
 5688                 } else if ((inp != NULL) && (stcb == NULL)) {
 5689                         refcount_up = 1;
 5690                 }
 5691                 SCTP_STAT_INCR(sctps_badsum);
 5692                 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors);
 5693                 goto bad;
 5694         }
 5695         sh->checksum = calc_check;
 5696 sctp_skip_csum_4:
 5697         /* destination port of 0 is illegal, based on RFC2960. */
 5698         if (sh->dest_port == 0) {
 5699                 SCTP_STAT_INCR(sctps_hdrops);
 5700                 goto bad;
 5701         }
 5702         /* validate mbuf chain length with IP payload length */
 5703         if (mlen < (SCTP_GET_IPV4_LENGTH(ip) - iphlen)) {
 5704                 SCTP_STAT_INCR(sctps_hdrops);
 5705                 goto bad;
 5706         }
 5707         /*
 5708          * Locate pcb and tcb for datagram sctp_findassociation_addr() wants
 5709          * IP/SCTP/first chunk header...
 5710          */
 5711         stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch),
 5712             sh, ch, &inp, &net, vrf_id);
 5713         if ((net) && (port)) {
 5714                 if (net->port == 0) {
 5715                         sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr));
 5716                 }
 5717                 net->port = port;
 5718         }
 5719         /* inp's ref-count increased && stcb locked */
 5720         if (inp == NULL) {
 5721                 struct sctp_init_chunk *init_chk, chunk_buf;
 5722 
 5723                 SCTP_STAT_INCR(sctps_noport);
 5724 #ifdef ICMP_BANDLIM
 5725                 /*
 5726                  * we use the bandwidth limiting to protect against sending
 5727                  * too many ABORTS all at once. In this case these count the
 5728                  * same as an ICMP message.
 5729                  */
 5730                 if (badport_bandlim(0) < 0)
 5731                         goto bad;
 5732 #endif                          /* ICMP_BANDLIM */
 5733                 SCTPDBG(SCTP_DEBUG_INPUT1,
 5734                     "Sending a ABORT from packet entry!\n");
 5735                 if (ch->chunk_type == SCTP_INITIATION) {
 5736                         /*
 5737                          * we do a trick here to get the INIT tag, dig in
 5738                          * and get the tag from the INIT and put it in the
 5739                          * common header.
 5740                          */
 5741                         init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m,
 5742                             iphlen + sizeof(*sh), sizeof(*init_chk),
 5743                             (uint8_t *) & chunk_buf);
 5744                         if (init_chk != NULL)
 5745                                 sh->v_tag = init_chk->init.initiate_tag;
 5746                 }
 5747                 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
 5748                         sctp_send_shutdown_complete2(m, iphlen, sh, vrf_id, port);
 5749                         goto bad;
 5750                 }
 5751                 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) {
 5752                         goto bad;
 5753                 }
 5754                 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION)
 5755                         sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id, port);
 5756                 goto bad;
 5757         } else if (stcb == NULL) {
 5758                 refcount_up = 1;
 5759         }
 5760 #ifdef IPSEC
 5761         /*
 5762          * I very much doubt any of the IPSEC stuff will work but I have no
 5763          * idea, so I will leave it in place.
 5764          */
 5765         if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) {
 5766                 MODULE_GLOBAL(MOD_IPSEC, ipsec4stat).in_polvio++;
 5767                 SCTP_STAT_INCR(sctps_hdrops);
 5768                 goto bad;
 5769         }
 5770 #endif                          /* IPSEC */
 5771 
 5772         /*
 5773          * common chunk processing
 5774          */
 5775         length = ip->ip_len + iphlen;
 5776         offset -= sizeof(struct sctp_chunkhdr);
 5777 
 5778         ecn_bits = ip->ip_tos;
 5779 
 5780         /* sa_ignore NO_NULL_CHK */
 5781         sctp_common_input_processing(&m, iphlen, offset, length, sh, ch,
 5782             inp, stcb, net, ecn_bits, vrf_id, port);
 5783         /* inp's ref-count reduced && stcb unlocked */
 5784         if (m) {
 5785                 sctp_m_freem(m);
 5786         }
 5787         if ((inp) && (refcount_up)) {
 5788                 /* reduce ref-count */
 5789                 SCTP_INP_DECR_REF(inp);
 5790         }
 5791         return;
 5792 bad:
 5793         if (stcb) {
 5794                 SCTP_TCB_UNLOCK(stcb);
 5795         }
 5796         if ((inp) && (refcount_up)) {
 5797                 /* reduce ref-count */
 5798                 SCTP_INP_DECR_REF(inp);
 5799         }
 5800         if (m) {
 5801                 sctp_m_freem(m);
 5802         }
 5803         return;
 5804 }
 5805 void
 5806 sctp_input(i_pak, off)
 5807         struct mbuf *i_pak;
 5808         int off;
 5809 {
 5810         sctp_input_with_port(i_pak, off, 0);
 5811 }

Cache object: 33499695e304e2d6b41515de65ba6d3f


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.