1 /* $KAME: sctp_input.c,v 1.28 2005/04/21 18:36:21 nishida Exp $ */
2 /* $NetBSD: sctp_input.c,v 1.16 2022/04/08 10:27:04 andvar Exp $ */
3
4 /*
5 * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc,
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33 #include <sys/cdefs.h>
34 __KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.16 2022/04/08 10:27:04 andvar Exp $");
35
36 #ifdef _KERNEL_OPT
37 #include "opt_ipsec.h"
38 #include "opt_inet.h"
39 #include "opt_sctp.h"
40 #endif /* _KERNEL_OPT */
41
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
45 #include <sys/mbuf.h>
46 #include <sys/socket.h>
47 #include <sys/socketvar.h>
48 #include <sys/sysctl.h>
49 #include <sys/domain.h>
50 #include <sys/protosw.h>
51 #include <sys/kernel.h>
52 #include <sys/errno.h>
53 #include <sys/syslog.h>
54
55 #include <machine/limits.h>
56 #include <machine/cpu.h>
57
58 #include <net/if.h>
59 #include <net/route.h>
60 #include <net/if_types.h>
61
62 #include <netinet/in.h>
63 #include <netinet/in_systm.h>
64 #include <netinet/ip.h>
65 #include <netinet/in_pcb.h>
66 #include <netinet/in_var.h>
67 #include <netinet/ip_var.h>
68
69 #ifdef INET6
70 #include <netinet/ip6.h>
71 #include <netinet6/ip6_var.h>
72 #endif /* INET6 */
73
74 #include <netinet/ip_icmp.h>
75 #include <netinet/icmp_var.h>
76 #include <netinet/sctp_var.h>
77 #include <netinet/sctp_pcb.h>
78 #include <netinet/sctp_header.h>
79 #include <netinet/sctputil.h>
80 #include <netinet/sctp_output.h>
81 #include <netinet/sctp_input.h>
82 #include <netinet/sctp_hashdriver.h>
83 #include <netinet/sctp_indata.h>
84 #include <netinet/sctp_asconf.h>
85
86 #ifdef IPSEC
87 #include <netipsec/ipsec.h>
88 #include <netipsec/key.h>
89 #endif /*IPSEC*/
90
91 #ifdef SCTP_DEBUG
92 extern u_int32_t sctp_debug_on;
93 #endif
94
95 /* INIT handler */
96 static void
97 sctp_handle_init(struct mbuf *m, int iphlen, int offset,
98 struct sctphdr *sh, struct sctp_init_chunk *cp, struct sctp_inpcb *inp,
99 struct sctp_tcb *stcb, struct sctp_nets *net)
100 {
101 struct sctp_init *init;
102 struct mbuf *op_err;
103 #ifdef SCTP_DEBUG
104 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
105 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb);
106 }
107 #endif
108 op_err = NULL;
109 init = &cp->init;
110 /* First are we accepting? */
111 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) ||
112 (inp->sctp_socket->so_qlimit == 0)) {
113 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
114 return;
115 }
116 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) {
117 /* Invalid length */
118 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
119 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
120 return;
121 }
122 /* validate parameters */
123 if (init->initiate_tag == 0) {
124 /* protocol error... send abort */
125 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
126 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
127 return;
128 }
129 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) {
130 /* invalid parameter... send abort */
131 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
132 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
133 return;
134 }
135 if (init->num_inbound_streams == 0) {
136 /* protocol error... send abort */
137 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
138 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
139 return;
140 }
141 if (init->num_outbound_streams == 0) {
142 /* protocol error... send abort */
143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err);
145 return;
146 }
147
148 /* send an INIT-ACK w/cookie */
149 #ifdef SCTP_DEBUG
150 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
151 printf("sctp_handle_init: sending INIT-ACK\n");
152 }
153 #endif
154
155 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp);
156 }
157
158 /*
159 * process peer "INIT/INIT-ACK" chunk
160 * returns value < 0 on error
161 */
162
163 static int
164 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb,
165 struct sctp_nets *net)
166 {
167 struct sctp_init *init;
168 struct sctp_association *asoc;
169 struct sctp_nets *lnet;
170 unsigned int i;
171
172 init = &cp->init;
173 asoc = &stcb->asoc;
174 /* save off parameters */
175 asoc->peer_vtag = ntohl(init->initiate_tag);
176 asoc->peers_rwnd = ntohl(init->a_rwnd);
177
178 if (TAILQ_FIRST(&asoc->nets)) {
179 /* update any ssthresh's that may have a default */
180 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
181 lnet->ssthresh = asoc->peers_rwnd;
182 }
183 }
184 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
185 unsigned int newcnt;
186 struct sctp_stream_out *outs;
187 struct sctp_tmit_chunk *chk;
188
189 /* cut back on number of streams */
190 newcnt = ntohs(init->num_inbound_streams);
191 /* This if is probably not needed but I am cautious */
192 if (asoc->strmout) {
193 /* First make sure no data chunks are trapped */
194 for (i=newcnt; i < asoc->pre_open_streams; i++) {
195 outs = &asoc->strmout[i];
196 chk = TAILQ_FIRST(&outs->outqueue);
197 while (chk) {
198 TAILQ_REMOVE(&outs->outqueue, chk,
199 sctp_next);
200 asoc->stream_queue_cnt--;
201 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL,
202 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT,
203 chk);
204 if (chk->data) {
205 sctp_m_freem(chk->data);
206 chk->data = NULL;
207 }
208 sctp_free_remote_addr(chk->whoTo);
209 chk->whoTo = NULL;
210 chk->asoc = NULL;
211 /* Free the chunk */
212 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk);
213 sctppcbinfo.ipi_count_chunk--;
214 if ((int)sctppcbinfo.ipi_count_chunk < 0) {
215 panic("Chunk count is negative");
216 }
217 sctppcbinfo.ipi_gencnt_chunk++;
218 chk = TAILQ_FIRST(&outs->outqueue);
219 }
220 }
221 }
222 /* cut back the count and abandon the upper streams */
223 asoc->pre_open_streams = newcnt;
224 }
225 asoc->streamincnt = ntohs(init->num_outbound_streams);
226 if (asoc->streamincnt > MAX_SCTP_STREAMS) {
227 asoc->streamincnt = MAX_SCTP_STREAMS;
228 }
229
230 asoc->streamoutcnt = asoc->pre_open_streams;
231 /* init tsn's */
232 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
233 #ifdef SCTP_MAP_LOGGING
234 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
235 #endif
236 /* This is the next one we expect */
237 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
238
239 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
240 asoc->cumulative_tsn = asoc->asconf_seq_in;
241 asoc->last_echo_tsn = asoc->asconf_seq_in;
242 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
243 /* open the requested streams */
244 if (asoc->strmin != NULL) {
245 /* Free the old ones */
246 free(asoc->strmin, M_PCB);
247 }
248 asoc->strmin = malloc(asoc->streamincnt * sizeof(struct sctp_stream_in),
249 M_PCB, M_NOWAIT);
250 if (asoc->strmin == NULL) {
251 /* we didn't get memory for the streams! */
252 #ifdef SCTP_DEBUG
253 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
254 printf("process_init: couldn't get memory for the streams!\n");
255 }
256 #endif
257 return (-1);
258 }
259 for (i = 0; i < asoc->streamincnt; i++) {
260 asoc->strmin[i].stream_no = i;
261 asoc->strmin[i].last_sequence_delivered = 0xffff;
262 /*
263 * U-stream ranges will be set when the cookie
264 * is unpacked. Or for the INIT sender they
265 * are un set (if pr-sctp not supported) when the
266 * INIT-ACK arrives.
267 */
268 TAILQ_INIT(&asoc->strmin[i].inqueue);
269 /*
270 * we are not on any wheel, pr-sctp streams
271 * will go on the wheel when they have data waiting
272 * for reorder.
273 */
274 asoc->strmin[i].next_spoke.tqe_next = 0;
275 asoc->strmin[i].next_spoke.tqe_prev = 0;
276 }
277
278 /*
279 * load_address_from_init will put the addresses into the
280 * association when the COOKIE is processed or the INIT-ACK
281 * is processed. Both types of COOKIE's existing and new
282 * call this routine. It will remove addresses that
283 * are no longer in the association (for the restarting
284 * case where addresses are removed). Up front when the
285 * INIT arrives we will discard it if it is a restart
286 * and new addresses have been added.
287 */
288 return (0);
289 }
290
291 /*
292 * INIT-ACK message processing/consumption
293 * returns value < 0 on error
294 */
295 static int
296 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
297 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
298 struct sctp_nets *net)
299 {
300 struct sctp_association *asoc;
301 struct mbuf *op_err;
302 int retval, abort_flag;
303 uint32_t initack_limit;
304 /* First verify that we have no illegal param's */
305 abort_flag = 0;
306 op_err = NULL;
307
308 op_err = sctp_arethere_unrecognized_parameters(m,
309 (offset+sizeof(struct sctp_init_chunk)) ,
310 &abort_flag, (struct sctp_chunkhdr *)cp);
311 if (abort_flag) {
312 /* Send an abort and notify peer */
313 if (op_err != NULL) {
314 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag);
315 } else {
316 /*
317 * Just notify (abort_assoc does this if
318 * we send an abort).
319 */
320 sctp_abort_notification(stcb, 0);
321 /*
322 * No sense in further INIT's since
323 * we will get the same param back
324 */
325 sctp_free_assoc(stcb->sctp_ep, stcb);
326 }
327 return (-1);
328 }
329 asoc = &stcb->asoc;
330 /* process the peer's parameters in the INIT-ACK */
331 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net);
332 if (retval < 0) {
333 return (retval);
334 }
335
336 initack_limit = offset + ntohs(cp->ch.chunk_length);
337 /* load all addresses */
338 if (sctp_load_addresses_from_init(stcb, m, iphlen,
339 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh,
340 NULL)) {
341 /* Huh, we should abort */
342 sctp_abort_notification(stcb, 0);
343 sctp_free_assoc(stcb->sctp_ep, stcb);
344 return (-1);
345 }
346 if (op_err) {
347 sctp_queue_op_err(stcb, op_err);
348 /* queuing will steal away the mbuf chain to the out queue */
349 op_err = NULL;
350 }
351 /* extract the cookie and queue it to "echo" it back... */
352 stcb->asoc.overall_error_count = 0;
353 net->error_count = 0;
354 retval = sctp_send_cookie_echo(m, offset, stcb, net);
355 if (retval < 0) {
356 /*
357 * No cookie, we probably should send a op error.
358 * But in any case if there is no cookie in the INIT-ACK,
359 * we can abandon the peer, its broke.
360 */
361 if (retval == -3) {
362 /* We abort with an error of missing mandatory param */
363 op_err =
364 sctp_generate_invmanparam(SCTP_CAUSE_MISS_PARAM);
365 if (op_err) {
366 /*
367 * Expand beyond to include the mandatory
368 * param cookie
369 */
370 struct sctp_inv_mandatory_param *mp;
371 op_err->m_len =
372 sizeof(struct sctp_inv_mandatory_param);
373 mp = mtod(op_err,
374 struct sctp_inv_mandatory_param *);
375 /* Subtract the reserved param */
376 mp->length =
377 htons(sizeof(struct sctp_inv_mandatory_param) - 2);
378 mp->num_param = htonl(1);
379 mp->param = htons(SCTP_STATE_COOKIE);
380 mp->resv = 0;
381 }
382 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
383 sh, op_err);
384 }
385 return (retval);
386 }
387
388 /*
389 * Cancel the INIT timer, We do this first before queueing
390 * the cookie. We always cancel at the primary to assume that
391 * we are canceling the timer started by the INIT which always
392 * goes to the primary.
393 */
394 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
395 asoc->primary_destination);
396
397 /* calculate the RTO */
398 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered);
399
400 return (0);
401 }
402
403 static void
404 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
405 struct sctp_tcb *stcb, struct sctp_nets *net)
406 {
407 struct sockaddr_storage store;
408 struct sockaddr_in *sin;
409 struct sockaddr_in6 *sin6;
410 struct sctp_nets *r_net;
411 struct timeval tv;
412
413 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
414 /* Invalid length */
415 return;
416 }
417
418 sin = (struct sockaddr_in *)&store;
419 sin6 = (struct sockaddr_in6 *)&store;
420
421 memset(&store, 0, sizeof(store));
422 if (cp->heartbeat.hb_info.addr_family == AF_INET &&
423 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
424 sin->sin_family = cp->heartbeat.hb_info.addr_family;
425 sin->sin_len = cp->heartbeat.hb_info.addr_len;
426 sin->sin_port = stcb->rport;
427 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address,
428 sizeof(sin->sin_addr));
429 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 &&
430 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
431 sin6->sin6_family = cp->heartbeat.hb_info.addr_family;
432 sin6->sin6_len = cp->heartbeat.hb_info.addr_len;
433 sin6->sin6_port = stcb->rport;
434 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address,
435 sizeof(sin6->sin6_addr));
436 } else {
437 #ifdef SCTP_DEBUG
438 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
439 printf("unsupported address family");
440 }
441 #endif
442 return;
443 }
444 r_net = sctp_findnet(stcb, (struct sockaddr *)sin);
445 if (r_net == NULL) {
446 #ifdef SCTP_DEBUG
447 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
448 printf("Huh? I can't find the address I sent it to, discard\n");
449 }
450 #endif
451 return;
452 }
453 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
454 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
455 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
456 /*
457 * If the its a HB and it's random value is correct when
458 * can confirm the destination.
459 */
460 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
461 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
462 stcb, 0, (void *)r_net);
463 }
464 r_net->error_count = 0;
465 r_net->hb_responded = 1;
466 tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
467 tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
468 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) {
469 r_net->dest_state = SCTP_ADDR_REACHABLE;
470 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
471 SCTP_HEARTBEAT_SUCCESS, (void *)r_net);
472
473 /* now was it the primary? if so restore */
474 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) {
475 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net);
476 }
477 }
478 /* Now lets do a RTO with this */
479 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv);
480 }
481
482 static void
483 sctp_handle_abort(struct sctp_abort_chunk *cp,
484 struct sctp_tcb *stcb, struct sctp_nets *net)
485 {
486
487 #ifdef SCTP_DEBUG
488 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
489 printf("sctp_handle_abort: handling ABORT\n");
490 }
491 #endif
492 if (stcb == NULL)
493 return;
494 /* verify that the destination addr is in the association */
495 /* ignore abort for addresses being deleted */
496
497 /* stop any receive timers */
498 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net);
499 /* notify user of the abort and clean up... */
500 sctp_abort_notification(stcb, 0);
501 /* free the tcb */
502 sctp_free_assoc(stcb->sctp_ep, stcb);
503 #ifdef SCTP_DEBUG
504 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
505 printf("sctp_handle_abort: finished\n");
506 }
507 #endif
508 }
509
510 static void
511 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
512 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
513 {
514 struct sctp_association *asoc;
515 int some_on_streamwheel;
516
517 #ifdef SCTP_DEBUG
518 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
519 printf("sctp_handle_shutdown: handling SHUTDOWN\n");
520 }
521 #endif
522 if (stcb == NULL)
523 return;
524
525 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) ||
526 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
527 return;
528 }
529
530 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
531 /* update current data status */
532 #ifdef SCTP_DEBUG
533 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
534 printf("Warning Shutdown NOT the expected size.. skipping (%d:%d)\n",
535 ntohs(cp->ch.chunk_length),
536 (int)sizeof(struct sctp_shutdown_chunk));
537 }
538 #endif
539 return;
540 } else {
541 sctp_update_acked(stcb, cp, net, abort_flag);
542 }
543 asoc = &stcb->asoc;
544 /* goto SHUTDOWN_RECEIVED state to block new requests */
545 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
546 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
547 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED;
548 #ifdef SCTP_DEBUG
549 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
550 printf("Moving to SHUTDOWN-RECEIVED state\n");
551 }
552 #endif
553 /* notify upper layer that peer has initiated a shutdown */
554 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL);
555
556 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
557 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
558
559 /* Set the flag so we cannot send more, we
560 * would call the function but we don't want to
561 * wake up the ulp necessarily.
562 */
563 #if defined(__FreeBSD__) && __FreeBSD_version >= 502115
564 stcb->sctp_ep->sctp_socket->so_rcv.sb_state |= SBS_CANTSENDMORE;
565 #else
566 stcb->sctp_ep->sctp_socket->so_state |= SS_CANTSENDMORE;
567 #endif
568 }
569 /* reset time */
570 SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
571 }
572 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
573 /*
574 * stop the shutdown timer, since we WILL move
575 * to SHUTDOWN-ACK-SENT.
576 */
577 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net);
578 }
579 /* Now are we there yet? */
580 some_on_streamwheel = 0;
581 if (!TAILQ_EMPTY(&asoc->out_wheel)) {
582 /* Check to see if some data queued */
583 struct sctp_stream_out *outs;
584 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) {
585 if (!TAILQ_EMPTY(&outs->outqueue)) {
586 some_on_streamwheel = 1;
587 break;
588 }
589 }
590 }
591 #ifdef SCTP_DEBUG
592 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
593 printf("some_on_streamwheel:%d send_q_empty:%d sent_q_empty:%d\n",
594 some_on_streamwheel,
595 !TAILQ_EMPTY(&asoc->send_queue),
596 !TAILQ_EMPTY(&asoc->sent_queue));
597 }
598 #endif
599 if (!TAILQ_EMPTY(&asoc->send_queue) ||
600 !TAILQ_EMPTY(&asoc->sent_queue) ||
601 some_on_streamwheel) {
602 /* By returning we will push more data out */
603 return;
604 } else {
605 /* no outstanding data to send, so move on... */
606 /* send SHUTDOWN-ACK */
607 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
608 /* move to SHUTDOWN-ACK-SENT state */
609 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT;
610 #ifdef SCTP_DEBUG
611 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
612 printf("moving to SHUTDOWN_ACK state\n");
613 }
614 #endif
615 /* start SHUTDOWN timer */
616 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep,
617 stcb, net);
618 }
619 }
620
621 static void
622 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp,
623 struct sctp_tcb *stcb, struct sctp_nets *net)
624 {
625 struct sctp_association *asoc;
626
627 #ifdef SCTP_DEBUG
628 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
629 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
630 }
631 #endif
632 if (stcb == NULL)
633 return;
634
635 asoc = &stcb->asoc;
636 /* process according to association state */
637 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
638 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
639 /* unexpected SHUTDOWN-ACK... so ignore... */
640 return;
641 }
642 /* are the queues empty? */
643 if (!TAILQ_EMPTY(&asoc->send_queue) ||
644 !TAILQ_EMPTY(&asoc->sent_queue) ||
645 !TAILQ_EMPTY(&asoc->out_wheel)) {
646 sctp_report_all_outbound(stcb);
647 }
648 /* stop the timer */
649 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net);
650 /* send SHUTDOWN-COMPLETE */
651 sctp_send_shutdown_complete(stcb, net);
652 /* notify upper layer protocol */
653 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL);
654 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
655 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
656 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED;
657 /* Set the connected flag to disconnected */
658 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0;
659 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0;
660 soisdisconnected(stcb->sctp_ep->sctp_socket);
661 }
662 /* free the TCB but first save off the ep */
663 sctp_free_assoc(stcb->sctp_ep, stcb);
664 }
665
666 /*
667 * Skip past the param header and then we will find the chunk that
668 * caused the problem. There are two possiblities ASCONF or FWD-TSN
669 * other than that and our peer must be broken.
670 */
671 static void
672 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
673 struct sctp_nets *net)
674 {
675 struct sctp_chunkhdr *chk;
676
677 chk = (struct sctp_chunkhdr *)((vaddr_t)phdr + sizeof(*phdr));
678 switch (chk->chunk_type) {
679 case SCTP_ASCONF_ACK:
680 #ifdef SCTP_DEBUG
681 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
682 printf("Strange peer, snds ASCONF but does not recongnize asconf-ack?\n");
683 }
684 #endif
685 /* FALLTHROUGH */
686 case SCTP_ASCONF:
687 #ifdef SCTP_DEBUG
688 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
689 printf("Peer does not support ASCONF/ASCONF-ACK chunks\n");
690 }
691 #endif /* SCTP_DEBUG */
692 sctp_asconf_cleanup(stcb, net);
693 break;
694 case SCTP_FORWARD_CUM_TSN:
695 stcb->asoc.peer_supports_prsctp = 0;
696 break;
697 default:
698 #ifdef SCTP_DEBUG
699 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
700 printf("Peer does not support chunk type %d(%x)??\n",
701 chk->chunk_type, (u_int)chk->chunk_type);
702 }
703 #endif
704 break;
705 }
706 }
707
708 /*
709 * Skip past the param header and then we will find the param that
710 * caused the problem. There are a number of param's in a ASCONF
711 * OR the prsctp param these will turn of specific features.
712 */
713 static void
714 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
715 {
716 struct sctp_paramhdr *pbad;
717
718 pbad = phdr + 1;
719 switch (ntohs(pbad->param_type)) {
720 /* pr-sctp draft */
721 case SCTP_PRSCTP_SUPPORTED:
722 stcb->asoc.peer_supports_prsctp = 0;
723 break;
724 case SCTP_SUPPORTED_CHUNK_EXT:
725 break;
726 /* draft-ietf-tsvwg-addip-sctp */
727 case SCTP_ECN_NONCE_SUPPORTED:
728 stcb->asoc.peer_supports_ecn_nonce = 0;
729 stcb->asoc.ecn_nonce_allowed = 0;
730 stcb->asoc.ecn_allowed = 0;
731 break;
732 case SCTP_ADD_IP_ADDRESS:
733 case SCTP_DEL_IP_ADDRESS:
734 stcb->asoc.peer_supports_asconf = 0;
735 break;
736 case SCTP_SET_PRIM_ADDR:
737 stcb->asoc.peer_supports_asconf_setprim = 0;
738 break;
739 case SCTP_SUCCESS_REPORT:
740 case SCTP_ERROR_CAUSE_IND:
741 #ifdef SCTP_DEBUG
742 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
743 printf("Huh, the peer does not support success? or error cause?\n");
744 printf("Turning off ASCONF to this strange peer\n");
745 }
746 #endif
747 stcb->asoc.peer_supports_asconf = 0;
748 stcb->asoc.peer_supports_asconf_setprim = 0;
749 break;
750 default:
751 #ifdef SCTP_DEBUG
752 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
753 printf("Peer does not support base param type %d(%x)??\n",
754 pbad->param_type, (u_int)pbad->param_type);
755 }
756 #endif
757 break;
758 }
759 }
760
761 static int
762 sctp_handle_error(struct sctp_chunkhdr *ch,
763 struct sctp_tcb *stcb, struct sctp_nets *net)
764 {
765 int chklen;
766 struct sctp_paramhdr *phdr;
767 uint16_t error_type;
768 uint16_t error_len;
769 struct sctp_association *asoc;
770
771 int adjust;
772 /* parse through all of the errors and process */
773 asoc = &stcb->asoc;
774 phdr = (struct sctp_paramhdr *)((vaddr_t)ch +
775 sizeof(struct sctp_chunkhdr));
776 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr);
777 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) {
778 /* Process an Error Cause */
779 error_type = ntohs(phdr->param_type);
780 error_len = ntohs(phdr->param_length);
781 if ((error_len > chklen) || (error_len == 0)) {
782 /* invalid param length for this param */
783 #ifdef SCTP_DEBUG
784 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
785 printf("Bogus length in error param- chunk left:%d errorlen:%d\n",
786 chklen, error_len);
787 }
788 #endif /* SCTP_DEBUG */
789 return (0);
790 }
791 switch (error_type) {
792 case SCTP_CAUSE_INV_STRM:
793 case SCTP_CAUSE_MISS_PARAM:
794 case SCTP_CAUSE_INVALID_PARAM:
795 case SCTP_CAUSE_NOUSER_DATA:
796 #ifdef SCTP_DEBUG
797 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
798 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n",
799 error_type);
800 }
801 #endif
802 break;
803 case SCTP_CAUSE_STALE_COOKIE:
804 /* We only act if we have echoed a cookie and are waiting. */
805 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
806 int *p;
807 p = (int *)((vaddr_t)phdr + sizeof(*phdr));
808 /* Save the time doubled */
809 asoc->cookie_preserve_req = ntohl(*p) << 1;
810 asoc->stale_cookie_count++;
811 if (asoc->stale_cookie_count >
812 asoc->max_init_times) {
813 sctp_abort_notification(stcb, 0);
814 /* now free the asoc */
815 sctp_free_assoc(stcb->sctp_ep, stcb);
816 return (-1);
817 }
818 /* blast back to INIT state */
819 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
820 asoc->state |= SCTP_STATE_COOKIE_WAIT;
821 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
822 stcb->sctp_ep, stcb, net);
823 sctp_send_initiate(stcb->sctp_ep, stcb);
824 }
825 break;
826 case SCTP_CAUSE_UNRESOLV_ADDR:
827 /*
828 * Nothing we can do here, we don't do hostname
829 * addresses so if the peer does not like my IPv6 (or
830 * IPv4 for that matter) it does not matter. If they
831 * don't support that type of address, they can NOT
832 * possibly get that packet type... i.e. with no IPv6
833 * you can't receive a IPv6 packet. so we can safely
834 * ignore this one. If we ever added support for
835 * HOSTNAME Addresses, then we would need to do
836 * something here.
837 */
838 break;
839 case SCTP_CAUSE_UNRECOG_CHUNK:
840 sctp_process_unrecog_chunk(stcb, phdr, net);
841 break;
842 case SCTP_CAUSE_UNRECOG_PARAM:
843 sctp_process_unrecog_param(stcb, phdr);
844 break;
845 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
846 /*
847 * We ignore this since the timer will drive out a new
848 * cookie anyway and there timer will drive us to send
849 * a SHUTDOWN_COMPLETE. We can't send one here since
850 * we don't have their tag.
851 */
852 break;
853 case SCTP_CAUSE_DELETEING_LAST_ADDR:
854 case SCTP_CAUSE_OPERATION_REFUSED:
855 case SCTP_CAUSE_DELETING_SRC_ADDR:
856 /* We should NOT get these here, but in a ASCONF-ACK. */
857 #ifdef SCTP_DEBUG
858 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
859 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n",
860 error_type);
861 }
862 #endif
863 break;
864 case SCTP_CAUSE_OUT_OF_RESC:
865 /*
866 * And what, pray tell do we do with the fact
867 * that the peer is out of resources? Not
868 * really sure we could do anything but abort.
869 * I suspect this should have came WITH an
870 * abort instead of in a OP-ERROR.
871 */
872 break;
873 default:
874 #ifdef SCTP_DEBUG
875 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
876 /* don't know what this error cause is... */
877 printf("sctp_handle_error: unknown error type = 0x%xh\n",
878 error_type);
879 }
880 #endif /* SCTP_DEBUG */
881 break;
882 }
883 adjust = SCTP_SIZE32(error_len);
884 chklen -= adjust;
885 phdr = (struct sctp_paramhdr *)((vaddr_t)phdr + adjust);
886 }
887 return (0);
888 }
889
890 static int
891 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh,
892 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
893 struct sctp_nets *net)
894 {
895 struct sctp_init_ack *init_ack;
896 int *state;
897 struct mbuf *op_err;
898
899 #ifdef SCTP_DEBUG
900 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
901 printf("sctp_handle_init_ack: handling INIT-ACK\n");
902 }
903 #endif
904 if (stcb == NULL) {
905 #ifdef SCTP_DEBUG
906 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
907 printf("sctp_handle_init_ack: TCB is null\n");
908 }
909 #endif
910 return (-1);
911 }
912 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
913 /* Invalid length */
914 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
915 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
916 op_err);
917 return (-1);
918 }
919 init_ack = &cp->init;
920 /* validate parameters */
921 if (init_ack->initiate_tag == 0) {
922 /* protocol error... send an abort */
923 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
924 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
925 op_err);
926 return (-1);
927 }
928 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) {
929 /* protocol error... send an abort */
930 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
931 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
932 op_err);
933 return (-1);
934 }
935 if (init_ack->num_inbound_streams == 0) {
936 /* protocol error... send an abort */
937 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
938 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
939 op_err);
940 return (-1);
941 }
942 if (init_ack->num_outbound_streams == 0) {
943 /* protocol error... send an abort */
944 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM);
945 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh,
946 op_err);
947 return (-1);
948 }
949
950 /* process according to association state... */
951 state = &stcb->asoc.state;
952 switch (*state & SCTP_STATE_MASK) {
953 case SCTP_STATE_COOKIE_WAIT:
954 /* this is the expected state for this chunk */
955 /* process the INIT-ACK parameters */
956 if (stcb->asoc.primary_destination->dest_state &
957 SCTP_ADDR_UNCONFIRMED) {
958 /*
959 * The primary is where we sent the INIT, we can
960 * always consider it confirmed when the INIT-ACK
961 * is returned. Do this before we load addresses
962 * though.
963 */
964 stcb->asoc.primary_destination->dest_state &=
965 ~SCTP_ADDR_UNCONFIRMED;
966 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
967 stcb, 0, (void *)stcb->asoc.primary_destination);
968 }
969 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net
970 ) < 0) {
971 /* error in parsing parameters */
972 #ifdef SCTP_DEBUG
973 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
974 printf("sctp_process_init_ack: error in msg, discarding\n");
975 }
976 #endif
977 return (-1);
978 }
979 /* update our state */
980 #ifdef SCTP_DEBUG
981 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
982 printf("moving to COOKIE-ECHOED state\n");
983 }
984 #endif
985 if (*state & SCTP_STATE_SHUTDOWN_PENDING) {
986 *state = SCTP_STATE_COOKIE_ECHOED |
987 SCTP_STATE_SHUTDOWN_PENDING;
988 } else {
989 *state = SCTP_STATE_COOKIE_ECHOED;
990 }
991
992 /* reset the RTO calc */
993 stcb->asoc.overall_error_count = 0;
994 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
995 /*
996 * collapse the init timer back in case of a exponential backoff
997 */
998 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
999 stcb, net);
1000 /*
1001 * the send at the end of the inbound data processing will
1002 * cause the cookie to be sent
1003 */
1004 break;
1005 case SCTP_STATE_SHUTDOWN_SENT:
1006 /* incorrect state... discard */
1007 break;
1008 case SCTP_STATE_COOKIE_ECHOED:
1009 /* incorrect state... discard */
1010 break;
1011 case SCTP_STATE_OPEN:
1012 /* incorrect state... discard */
1013 break;
1014 case SCTP_STATE_EMPTY:
1015 case SCTP_STATE_INUSE:
1016 default:
1017 /* incorrect state... discard */
1018 #ifdef SCTP_DEBUG
1019 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1020 printf("Leaving handle-init-ack default\n");
1021 }
1022 #endif
1023 return (-1);
1024 break;
1025 } /* end switch asoc state */
1026 #ifdef SCTP_DEBUG
1027 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1028 printf("Leaving handle-init-ack end\n");
1029 }
1030 #endif
1031 return (0);
1032 }
1033
1034
1035 /*
1036 * handle a state cookie for an existing association
1037 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk
1038 * note: this is a "split" mbuf and the cookie signature does not exist
1039 * offset: offset into mbuf to the cookie-echo chunk
1040 */
1041 static struct sctp_tcb *
1042 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
1043 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1044 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
1045 struct sockaddr *init_src, int *notification)
1046 {
1047 struct sctp_association *asoc;
1048 struct sctp_init_chunk *init_cp, init_buf;
1049 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1050 int chk_length;
1051 int init_offset, initack_offset;
1052 int retval;
1053
1054 /* I know that the TCB is non-NULL from the caller */
1055 asoc = &stcb->asoc;
1056
1057 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
1058 /* SHUTDOWN came in after sending INIT-ACK */
1059 struct mbuf *op_err;
1060 struct sctp_paramhdr *ph;
1061
1062 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
1063 #ifdef SCTP_DEBUG
1064 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1065 printf("sctp_handle_cookie: got a cookie, while shutting down!\n");
1066 }
1067 #endif
1068 MGETHDR(op_err, M_DONTWAIT, MT_HEADER);
1069 if (op_err == NULL) {
1070 /* FOOBAR */
1071 return (NULL);
1072 }
1073 /* pre-reserve some space */
1074 op_err->m_data += sizeof(struct ip6_hdr);
1075 op_err->m_data += sizeof(struct sctphdr);
1076 op_err->m_data += sizeof(struct sctp_chunkhdr);
1077 /* Set the len */
1078 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr);
1079 ph = mtod(op_err, struct sctp_paramhdr *);
1080 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN);
1081 ph->param_length = htons(sizeof(struct sctp_paramhdr));
1082 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag);
1083 return (NULL);
1084 }
1085 /*
1086 * find and validate the INIT chunk in the cookie (peer's info)
1087 * the INIT should start after the cookie-echo header struct
1088 * (chunk header, state cookie header struct)
1089 */
1090 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
1091
1092 init_cp = (struct sctp_init_chunk *)
1093 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1094 (u_int8_t *)&init_buf);
1095 if (init_cp == NULL) {
1096 /* could not pull a INIT chunk in cookie */
1097 #ifdef SCTP_DEBUG
1098 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1099 printf("process_cookie_existing: could not pull INIT chunk hdr\n");
1100 }
1101 #endif /* SCTP_DEBUG */
1102 return (NULL);
1103 }
1104 chk_length = ntohs(init_cp->ch.chunk_length);
1105 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1106 #ifdef SCTP_DEBUG
1107 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1108 printf("process_cookie_existing: could not find INIT chunk!\n");
1109 }
1110 #endif /* SCTP_DEBUG */
1111 return (NULL);
1112 }
1113
1114 /*
1115 * find and validate the INIT-ACK chunk in the cookie (my info)
1116 * the INIT-ACK follows the INIT chunk
1117 */
1118 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1119 initack_cp = (struct sctp_init_ack_chunk *)
1120 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1121 (u_int8_t *)&initack_buf);
1122 if (initack_cp == NULL) {
1123 /* could not pull INIT-ACK chunk in cookie */
1124 #ifdef SCTP_DEBUG
1125 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1126 printf("process_cookie_existing: could not pull INIT-ACK chunk hdr\n");
1127 }
1128 #endif /* SCTP_DEBUG */
1129 return (NULL);
1130 }
1131 chk_length = ntohs(initack_cp->ch.chunk_length);
1132 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1133 #ifdef SCTP_DEBUG
1134 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1135 printf("process_cookie_existing: could not find INIT-ACK chunk!\n");
1136 }
1137 #endif /* SCTP_DEBUG */
1138 return (NULL);
1139 }
1140 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1141 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
1142 /*
1143 * case D in Section 5.2.4 Table 2: MMAA
1144 * process accordingly to get into the OPEN state
1145 */
1146 switch SCTP_GET_STATE(asoc) {
1147 case SCTP_STATE_COOKIE_WAIT:
1148 /*
1149 * INIT was sent, but got got a COOKIE_ECHO with
1150 * the correct tags... just accept it...
1151 */
1152 /* First we must process the INIT !! */
1153 retval = sctp_process_init(init_cp, stcb, net);
1154 if (retval < 0) {
1155 #ifdef SCTP_DEBUG
1156 printf("process_cookie_existing: INIT processing failed\n");
1157 #endif
1158 return (NULL);
1159 }
1160 /* FALLTHROUGH */
1161 /* intentional fall through to below... */
1162
1163 case SCTP_STATE_COOKIE_ECHOED:
1164 /* Duplicate INIT case */
1165 /* we have already processed the INIT so no problem */
1166 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1167 net);
1168 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
1169 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb,
1170 net);
1171 /* update current state */
1172 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1173 asoc->state = SCTP_STATE_OPEN |
1174 SCTP_STATE_SHUTDOWN_PENDING;
1175 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) {
1176 /* if ok, move to OPEN state */
1177 asoc->state = SCTP_STATE_OPEN;
1178 }
1179 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1180 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1181 (!(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING))) {
1182 /*
1183 * Here is where collision would go if we did a
1184 * connect() and instead got a
1185 * init/init-ack/cookie done before the
1186 * init-ack came back..
1187 */
1188 stcb->sctp_ep->sctp_flags |=
1189 SCTP_PCB_FLAGS_CONNECTED;
1190 soisconnected(stcb->sctp_ep->sctp_socket);
1191 }
1192 /* notify upper layer */
1193 *notification = SCTP_NOTIFY_ASSOC_UP;
1194 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1195 net);
1196 /*
1197 * since we did not send a HB make sure we don't double
1198 * things
1199 */
1200 net->hb_responded = 1;
1201
1202 if (stcb->asoc.sctp_autoclose_ticks &&
1203 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
1204 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
1205 inp, stcb, NULL);
1206 }
1207 break;
1208 default:
1209 /*
1210 * we're in the OPEN state (or beyond), so peer
1211 * must have simply lost the COOKIE-ACK
1212 */
1213 break;
1214 } /* end switch */
1215
1216 /*
1217 * We ignore the return code here.. not sure if we should
1218 * somehow abort.. but we do have an existing asoc. This
1219 * really should not fail.
1220 */
1221 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1222 init_offset + sizeof(struct sctp_init_chunk),
1223 initack_offset, sh, init_src)) {
1224 #ifdef SCTP_DEBUG
1225 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1226 printf("Weird cookie load_address failure on cookie existing - 1\n");
1227 }
1228 #endif
1229 return (NULL);
1230 }
1231
1232 /* respond with a COOKIE-ACK */
1233 sctp_send_cookie_ack(stcb);
1234 return (stcb);
1235 } /* end if */
1236 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1237 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
1238 cookie->tie_tag_my_vtag == 0 &&
1239 cookie->tie_tag_peer_vtag == 0) {
1240 /*
1241 * case C in Section 5.2.4 Table 2: XMOO
1242 * silently discard
1243 */
1244 return (NULL);
1245 }
1246 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag &&
1247 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag ||
1248 init_cp->init.initiate_tag == 0)) {
1249 /*
1250 * case B in Section 5.2.4 Table 2: MXAA or MOAA
1251 * my info should be ok, re-accept peer info
1252 */
1253 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1254 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
1255 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
1256 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1257 /*
1258 * since we did not send a HB make sure we don't double things
1259 */
1260 net->hb_responded = 1;
1261 if (stcb->asoc.sctp_autoclose_ticks &&
1262 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
1263 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
1264 NULL);
1265 }
1266 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1267 asoc->pre_open_streams =
1268 ntohs(initack_cp->init.num_outbound_streams);
1269 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1270 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out =
1271 asoc->init_seq_number;
1272 asoc->t3timeout_highest_marked = asoc->asconf_seq_out;
1273 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1274 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1275 asoc->str_reset_seq_in = asoc->init_seq_number;
1276 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1277
1278 /* process the INIT info (peer's info) */
1279 retval = sctp_process_init(init_cp, stcb, net);
1280 if (retval < 0) {
1281 #ifdef SCTP_DEBUG
1282 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1283 printf("process_cookie_existing: INIT processing failed\n");
1284 }
1285 #endif
1286 return (NULL);
1287 }
1288 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1289 init_offset + sizeof(struct sctp_init_chunk),
1290 initack_offset, sh, init_src)) {
1291 #ifdef SCTP_DEBUG
1292 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1293 printf("Weird cookie load_address failure on cookie existing - 2\n");
1294 }
1295 #endif
1296 return (NULL);
1297 }
1298
1299 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
1300 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
1301 *notification = SCTP_NOTIFY_ASSOC_UP;
1302
1303 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1304 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1305 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) {
1306 stcb->sctp_ep->sctp_flags |=
1307 SCTP_PCB_FLAGS_CONNECTED;
1308 soisconnected(stcb->sctp_ep->sctp_socket);
1309 }
1310 }
1311 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1312 asoc->state = SCTP_STATE_OPEN |
1313 SCTP_STATE_SHUTDOWN_PENDING;
1314 } else {
1315 asoc->state = SCTP_STATE_OPEN;
1316 }
1317 sctp_send_cookie_ack(stcb);
1318 return (stcb);
1319 }
1320
1321 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1322 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
1323 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
1324 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
1325 cookie->tie_tag_peer_vtag != 0) {
1326 /*
1327 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
1328 */
1329 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
1330 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
1331 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1332
1333 /* notify upper layer */
1334 *notification = SCTP_NOTIFY_ASSOC_RESTART;
1335
1336 /* send up all the data */
1337 sctp_report_all_outbound(stcb);
1338
1339 /* process the INIT-ACK info (my info) */
1340 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1341 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1342 asoc->pre_open_streams =
1343 ntohs(initack_cp->init.num_outbound_streams);
1344 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1345 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out =
1346 asoc->init_seq_number;
1347 asoc->t3timeout_highest_marked = asoc->asconf_seq_out;
1348 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1349 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1350 asoc->str_reset_seq_in = asoc->init_seq_number;
1351
1352 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1353 if (asoc->mapping_array)
1354 memset(asoc->mapping_array, 0,
1355 asoc->mapping_array_size);
1356 /* process the INIT info (peer's info) */
1357 retval = sctp_process_init(init_cp, stcb, net);
1358 if (retval < 0) {
1359 #ifdef SCTP_DEBUG
1360 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1361 printf("process_cookie_existing: INIT processing failed\n");
1362 }
1363 #endif
1364 return (NULL);
1365 }
1366
1367 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
1368 /*
1369 * since we did not send a HB make sure we don't double things
1370 */
1371 net->hb_responded = 1;
1372
1373 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1374 init_offset + sizeof(struct sctp_init_chunk),
1375 initack_offset, sh, init_src)) {
1376 #ifdef SCTP_DEBUG
1377 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1378 printf("Weird cookie load_address failure on cookie existing - 3\n");
1379 }
1380 #endif
1381 return (NULL);
1382 }
1383
1384 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1385 asoc->state = SCTP_STATE_OPEN |
1386 SCTP_STATE_SHUTDOWN_PENDING;
1387 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
1388 /* move to OPEN state, if not in SHUTDOWN_SENT */
1389 asoc->state = SCTP_STATE_OPEN;
1390 }
1391 /* respond with a COOKIE-ACK */
1392 sctp_send_cookie_ack(stcb);
1393
1394 return (stcb);
1395 }
1396 /* all other cases... */
1397 return (NULL);
1398 }
1399
1400 /*
1401 * handle a state cookie for a new association
1402 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk
1403 * note: this is a "split" mbuf and the cookie signature does not exist
1404 * offset: offset into mbuf to the cookie-echo chunk
1405 * length: length of the cookie chunk
1406 * to: where the init was from
1407 * returns a new TCB
1408 */
1409 static struct sctp_tcb *
1410 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1411 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1412 struct sctp_inpcb *inp, struct sctp_nets **netp,
1413 struct sockaddr *init_src, int *notification)
1414 {
1415 struct sctp_tcb *stcb;
1416 struct sctp_init_chunk *init_cp, init_buf;
1417 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1418 struct sockaddr_storage sa_store;
1419 struct sockaddr *initack_src = (struct sockaddr *)&sa_store;
1420 struct sockaddr_in *sin;
1421 struct sockaddr_in6 *sin6;
1422 struct sctp_association *asoc;
1423 int chk_length;
1424 int init_offset, initack_offset, initack_limit;
1425 int retval;
1426 int error = 0;
1427 /*
1428 * find and validate the INIT chunk in the cookie (peer's info)
1429 * the INIT should start after the cookie-echo header struct
1430 * (chunk header, state cookie header struct)
1431 */
1432 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
1433 init_cp = (struct sctp_init_chunk *)
1434 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1435 (u_int8_t *)&init_buf);
1436 if (init_cp == NULL) {
1437 /* could not pull a INIT chunk in cookie */
1438 #ifdef SCTP_DEBUG
1439 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1440 printf("process_cookie_new: could not pull INIT chunk hdr\n");
1441 }
1442 #endif /* SCTP_DEBUG */
1443 return (NULL);
1444 }
1445 chk_length = ntohs(init_cp->ch.chunk_length);
1446 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1447 #ifdef SCTP_DEBUG
1448 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1449 printf("HUH? process_cookie_new: could not find INIT chunk!\n");
1450 }
1451 #endif /* SCTP_DEBUG */
1452 return (NULL);
1453 }
1454
1455 initack_offset = init_offset + SCTP_SIZE32(chk_length);
1456 /*
1457 * find and validate the INIT-ACK chunk in the cookie (my info)
1458 * the INIT-ACK follows the INIT chunk
1459 */
1460 initack_cp = (struct sctp_init_ack_chunk *)
1461 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1462 (u_int8_t *)&initack_buf);
1463 if (initack_cp == NULL) {
1464 /* could not pull INIT-ACK chunk in cookie */
1465 #ifdef SCTP_DEBUG
1466 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1467 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n");
1468 }
1469 #endif /* SCTP_DEBUG */
1470 return (NULL);
1471 }
1472 chk_length = ntohs(initack_cp->ch.chunk_length);
1473 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1474 #ifdef SCTP_DEBUG
1475 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1476 u_int8_t *pp;
1477 pp = (u_int8_t *)initack_cp;
1478 printf("process_cookie_new: could not find INIT-ACK chunk!\n");
1479 printf("Found bytes %x %x %x %x at position %d\n",
1480 (u_int)pp[0], (u_int)pp[1], (u_int)pp[2],
1481 (u_int)pp[3], initack_offset);
1482 }
1483 #endif /* SCTP_DEBUG */
1484 return (NULL);
1485 }
1486 initack_limit = initack_offset + SCTP_SIZE32(chk_length);
1487
1488 /*
1489 * now that we know the INIT/INIT-ACK are in place,
1490 * create a new TCB and popluate
1491 */
1492 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, ntohl(initack_cp->init.initiate_tag));
1493 if (stcb == NULL) {
1494 struct mbuf *op_err;
1495 /* memory problem? */
1496 #ifdef SCTP_DEBUG
1497 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1498 printf("process_cookie_new: no room for another TCB!\n");
1499 }
1500 #endif /* SCTP_DEBUG */
1501 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
1502 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
1503 sh, op_err);
1504 return (NULL);
1505 }
1506
1507 /* get the correct sctp_nets */
1508 *netp = sctp_findnet(stcb, init_src);
1509 asoc = &stcb->asoc;
1510 /* get scope variables out of cookie */
1511 asoc->ipv4_local_scope = cookie->ipv4_scope;
1512 asoc->site_scope = cookie->site_scope;
1513 asoc->local_scope = cookie->local_scope;
1514 asoc->loopback_scope = cookie->loopback_scope;
1515
1516 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) ||
1517 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) {
1518 struct mbuf *op_err;
1519 /*
1520 * Houston we have a problem. The EP changed while the cookie
1521 * was in flight. Only recourse is to abort the association.
1522 */
1523 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
1524 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
1525 sh, op_err);
1526 return (NULL);
1527 }
1528
1529 /* process the INIT-ACK info (my info) */
1530 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1531 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1532 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
1533 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1534 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1535 asoc->t3timeout_highest_marked = asoc->asconf_seq_out;
1536 asoc->last_cwr_tsn = asoc->init_seq_number - 1;
1537 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1538 asoc->str_reset_seq_in = asoc->init_seq_number;
1539
1540 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1541
1542 /* process the INIT info (peer's info) */
1543 retval = sctp_process_init(init_cp, stcb, *netp);
1544 if (retval < 0) {
1545 #ifdef SCTP_DEBUG
1546 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1547 printf("process_cookie_new: INIT processing failed\n");
1548 }
1549 #endif
1550 sctp_free_assoc(inp, stcb);
1551 return (NULL);
1552 }
1553 /* load all addresses */
1554 if (sctp_load_addresses_from_init(stcb, m, iphlen,
1555 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh,
1556 init_src)) {
1557 sctp_free_assoc(inp, stcb);
1558 return (NULL);
1559 }
1560
1561 /* update current state */
1562 #ifdef SCTP_DEBUG
1563 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1564 printf("moving to OPEN state\n");
1565 }
1566 #endif
1567 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1568 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING;
1569 } else {
1570 asoc->state = SCTP_STATE_OPEN;
1571 }
1572 /* calculate the RTT */
1573 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
1574 &cookie->time_entered);
1575
1576 /*
1577 * if we're doing ASCONFs, check to see if we have any new
1578 * local addresses that need to get added to the peer (eg.
1579 * addresses changed while cookie echo in flight). This needs
1580 * to be done after we go to the OPEN state to do the correct
1581 * asconf processing.
1582 * else, make sure we have the correct addresses in our lists
1583 */
1584
1585 /* warning, we re-use sin, sin6, sa_store here! */
1586 /* pull in local_address (our "from" address) */
1587 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) {
1588 /* source addr is IPv4 */
1589 sin = (struct sockaddr_in *)initack_src;
1590 memset(sin, 0, sizeof(*sin));
1591 sin->sin_family = AF_INET;
1592 sin->sin_len = sizeof(struct sockaddr_in);
1593 sin->sin_addr.s_addr = cookie->laddress[0];
1594 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) {
1595 /* source addr is IPv6 */
1596 sin6 = (struct sockaddr_in6 *)initack_src;
1597 memset(sin6, 0, sizeof(*sin6));
1598 sin6->sin6_family = AF_INET6;
1599 sin6->sin6_len = sizeof(struct sockaddr_in6);
1600 sin6->sin6_scope_id = cookie->scope_id;
1601 memcpy(&sin6->sin6_addr, cookie->laddress,
1602 sizeof(sin6->sin6_addr));
1603 } else {
1604 sctp_free_assoc(inp, stcb);
1605 return (NULL);
1606 }
1607
1608 sctp_check_address_list(stcb, m, initack_offset +
1609 sizeof(struct sctp_init_ack_chunk), initack_limit,
1610 initack_src, cookie->local_scope, cookie->site_scope,
1611 cookie->ipv4_scope, cookie->loopback_scope);
1612
1613
1614 /* set up to notify upper layer */
1615 *notification = SCTP_NOTIFY_ASSOC_UP;
1616 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1617 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1618 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) {
1619 /*
1620 * This is an endpoint that called connect()
1621 * how it got a cookie that is NEW is a bit of
1622 * a mystery. It must be that the INIT was sent, but
1623 * before it got there.. a complete INIT/INIT-ACK/COOKIE
1624 * arrived. But of course then it should have went to
1625 * the other code.. not here.. oh well.. a bit of protection
1626 * is worth having..
1627 */
1628 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
1629 soisconnected(stcb->sctp_ep->sctp_socket);
1630 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp);
1631 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
1632 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) {
1633 /*
1634 * We don't want to do anything with this
1635 * one. Since it is the listening guy. The timer will
1636 * get started for accepted connections in the caller.
1637 */
1638 ;
1639 } else {
1640 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp);
1641 }
1642 /* since we did not send a HB make sure we don't double things */
1643 (*netp)->hb_responded = 1;
1644
1645 if (stcb->asoc.sctp_autoclose_ticks &&
1646 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
1647 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
1648 }
1649
1650 /* respond with a COOKIE-ACK */
1651 sctp_send_cookie_ack(stcb);
1652
1653 return (stcb);
1654 }
1655
1656
1657 /*
1658 * handles a COOKIE-ECHO message
1659 * stcb: modified to either a new or left as existing (non-NULL) TCB
1660 */
1661 static struct mbuf *
1662 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
1663 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
1664 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp)
1665 {
1666 struct sctp_state_cookie *cookie;
1667 struct sockaddr_in6 sin6;
1668 struct sockaddr_in sin;
1669 struct sctp_tcb *l_stcb=*stcb;
1670 struct sctp_inpcb *l_inp;
1671 struct sockaddr *to;
1672 struct sctp_pcb *ep;
1673 struct mbuf *m_sig;
1674 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
1675 uint8_t *sig;
1676 uint8_t cookie_ok = 0;
1677 unsigned int size_of_pkt, sig_offset, cookie_offset;
1678 unsigned int cookie_len;
1679 struct timeval now;
1680 struct timeval time_expires;
1681 struct sockaddr_storage dest_store;
1682 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store;
1683 struct ip *iph;
1684 int notification = 0;
1685 struct sctp_nets *netl;
1686 int had_a_existing_tcb = 0;
1687
1688 #ifdef SCTP_DEBUG
1689 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1690 printf("sctp_handle_cookie: handling COOKIE-ECHO\n");
1691 }
1692 #endif
1693
1694 if (inp_p == NULL) {
1695 #ifdef SCTP_DEBUG
1696 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1697 printf("sctp_handle_cookie: null inp_p!\n");
1698 }
1699 #endif
1700 return (NULL);
1701 }
1702 /* First get the destination address setup too. */
1703 iph = mtod(m, struct ip *);
1704 if (iph->ip_v == IPVERSION) {
1705 /* its IPv4 */
1706 struct sockaddr_in *sin_d;
1707 sin_d = (struct sockaddr_in *)(localep_sa);
1708 memset(sin_d, 0, sizeof(*sin_d));
1709 sin_d->sin_family = AF_INET;
1710 sin_d->sin_len = sizeof(*sin_d);
1711 sin_d->sin_port = sh->dest_port;
1712 sin_d->sin_addr.s_addr = iph->ip_dst.s_addr ;
1713 } else if (iph->ip_v == (IPV6_VERSION >> 4)) {
1714 /* its IPv6 */
1715 struct ip6_hdr *ip6;
1716 struct sockaddr_in6 *sin6_d;
1717 sin6_d = (struct sockaddr_in6 *)(localep_sa);
1718 memset(sin6_d, 0, sizeof(*sin6_d));
1719 sin6_d->sin6_family = AF_INET6;
1720 sin6_d->sin6_len = sizeof(struct sockaddr_in6);
1721 ip6 = mtod(m, struct ip6_hdr *);
1722 sin6_d->sin6_port = sh->dest_port;
1723 sin6_d->sin6_addr = ip6->ip6_dst;
1724 } else {
1725 return (NULL);
1726 }
1727
1728 cookie = &cp->cookie;
1729 cookie_offset = offset + sizeof(struct sctp_chunkhdr);
1730 cookie_len = ntohs(cp->ch.chunk_length);
1731
1732 /* compute size of packet */
1733 if (m->m_flags & M_PKTHDR) {
1734 size_of_pkt = m->m_pkthdr.len;
1735 } else {
1736 /* Should have a pkt hdr really */
1737 struct mbuf *mat;
1738 mat = m;
1739 size_of_pkt = 0;
1740 while (mat != NULL) {
1741 size_of_pkt += mat->m_len;
1742 mat = mat->m_next;
1743 }
1744 }
1745 if (cookie_len > size_of_pkt ||
1746 cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
1747 sizeof(struct sctp_init_chunk) +
1748 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
1749 /* cookie too long! or too small */
1750 #ifdef SCTP_DEBUG
1751 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1752 printf("sctp_handle_cookie: cookie_len=%u, pkt size=%u\n", cookie_len, size_of_pkt);
1753 }
1754 #endif /* SCTP_DEBUG */
1755 return (NULL);
1756 }
1757
1758 if ((cookie->peerport != sh->src_port) &&
1759 (cookie->myport != sh->dest_port) &&
1760 (cookie->my_vtag != sh->v_tag)) {
1761 /*
1762 * invalid ports or bad tag. Note that we always leave
1763 * the v_tag in the header in network order and when we
1764 * stored it in the my_vtag slot we also left it in network
1765 * order. This maintians the match even though it may be in
1766 * the opposite byte order of the machine :->
1767 */
1768 return (NULL);
1769 }
1770
1771 /*
1772 * split off the signature into its own mbuf (since it
1773 * should not be calculated in the sctp_hash_digest_m() call).
1774 */
1775 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
1776 if (sig_offset > size_of_pkt) {
1777 /* packet not correct size! */
1778 /* XXX this may already be accounted for earlier... */
1779 #ifdef SCTP_DEBUG
1780 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1781 printf("sctp_handle_cookie: sig offset=%u, pkt size=%u\n", sig_offset, size_of_pkt);
1782 }
1783 #endif
1784 return (NULL);
1785 }
1786
1787 m_sig = m_split(m, sig_offset, M_DONTWAIT);
1788 if (m_sig == NULL) {
1789 /* out of memory or ?? */
1790 #ifdef SCTP_DEBUG
1791 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1792 printf("sctp_handle_cookie: couldn't m_split the signature\n");
1793 }
1794 #endif
1795 return (NULL);
1796 }
1797 /*
1798 * compute the signature/digest for the cookie
1799 */
1800 ep = &(*inp_p)->sctp_ep;
1801 l_inp = *inp_p;
1802 if (l_stcb) {
1803 SCTP_TCB_UNLOCK(l_stcb);
1804 }
1805 SCTP_INP_RLOCK(l_inp);
1806 if (l_stcb) {
1807 SCTP_TCB_LOCK(l_stcb);
1808 }
1809 /* which cookie is it? */
1810 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
1811 (ep->current_secret_number != ep->last_secret_number)) {
1812 /* it's the old cookie */
1813 #ifdef SCTP_DEBUG
1814 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1815 printf("sctp_handle_cookie: old cookie sig\n");
1816 }
1817 #endif
1818 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number],
1819 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1820 } else {
1821 /* it's the current cookie */
1822 #ifdef SCTP_DEBUG
1823 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1824 printf("sctp_handle_cookie: current cookie sig\n");
1825 }
1826 #endif
1827 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->current_secret_number],
1828 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1829 }
1830 /* get the signature */
1831 SCTP_INP_RUNLOCK(l_inp);
1832 sig = (u_int8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (u_int8_t *)&tmp_sig);
1833 if (sig == NULL) {
1834 /* couldn't find signature */
1835 #ifdef SCTP_DEBUG
1836 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
1837 printf("sctp_handle_cookie: couldn't pull the signature\n");
1838 }
1839 #endif
1840 return (NULL);
1841 }
1842 /* compare the received digest with the computed digest */
1843 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
1844 /* try the old cookie? */
1845 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
1846 (ep->current_secret_number != ep->last_secret_number)) {
1847 /* compute digest with old */
1848 #ifdef SCTP_DEBUG
1849 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1850 printf("sctp_handle_cookie: old cookie sig\n");
1851 }
1852 #endif
1853 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number],
1854 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig);
1855 /* compare */
1856 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
1857 cookie_ok = 1;
1858 }
1859 } else {
1860 cookie_ok = 1;
1861 }
1862
1863 /*
1864 * Now before we continue we must reconstruct our mbuf so
1865 * that normal processing of any other chunks will work.
1866 */
1867 {
1868 struct mbuf *m_at;
1869 m_at = m;
1870 while (m_at->m_next != NULL) {
1871 m_at = m_at->m_next;
1872 }
1873 m_at->m_next = m_sig;
1874 if (m->m_flags & M_PKTHDR) {
1875 /*
1876 * We should only do this if and only if the front
1877 * mbuf has a m_pkthdr... it should in theory.
1878 */
1879 if (m_sig->m_flags & M_PKTHDR) {
1880 /* Add back to the pkt hdr of main m chain */
1881 m->m_pkthdr.len += m_sig->m_len;
1882 } else {
1883 /*
1884 * Got a problem, no pkthdr in split chain.
1885 * TSNH but we will handle it just in case
1886 */
1887 int mmlen = 0;
1888 struct mbuf *lat;
1889 printf("Warning: Hitting m_split join TSNH code - fixed\n");
1890 lat = m_sig;
1891 while (lat) {
1892 mmlen += lat->m_len;
1893 lat = lat->m_next;
1894 }
1895 m->m_pkthdr.len += mmlen;
1896 }
1897 }
1898 }
1899
1900 if (cookie_ok == 0) {
1901 #ifdef SCTP_DEBUG
1902 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1903 printf("handle_cookie_echo: cookie signature validation failed!\n");
1904 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n",
1905 (u_int32_t)offset, cookie_offset, sig_offset);
1906 }
1907 #endif
1908 return (NULL);
1909 }
1910 #ifdef SCTP_DEBUG
1911 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
1912 printf("handle_cookie_echo: cookie signature validation passed\n");
1913 }
1914 #endif
1915
1916 /*
1917 * check the cookie timestamps to be sure it's not stale
1918 */
1919 SCTP_GETTIME_TIMEVAL(&now);
1920 /* Expire time is in Ticks, so we convert to seconds */
1921 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life;
1922 time_expires.tv_usec = cookie->time_entered.tv_usec;
1923 #ifndef __FreeBSD__
1924 if (timercmp(&now, &time_expires, >))
1925 #else
1926 if (timevalcmp(&now, &time_expires, >))
1927 #endif
1928 {
1929 /* cookie is stale! */
1930 struct mbuf *op_err;
1931 struct sctp_stale_cookie_msg *scm;
1932 u_int32_t tim;
1933 #ifdef SCTP_DEBUG
1934 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
1935 printf("sctp_handle_cookie: got a STALE cookie!\n");
1936 }
1937 #endif
1938 MGETHDR(op_err, M_DONTWAIT, MT_HEADER);
1939 if (op_err == NULL) {
1940 /* FOOBAR */
1941 return (NULL);
1942 }
1943 /* pre-reserve some space */
1944 op_err->m_data += sizeof(struct ip6_hdr);
1945 op_err->m_data += sizeof(struct sctphdr);
1946 op_err->m_data += sizeof(struct sctp_chunkhdr);
1947
1948 /* Set the len */
1949 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg);
1950 scm = mtod(op_err, struct sctp_stale_cookie_msg *);
1951 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE);
1952 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) +
1953 (sizeof(u_int32_t))));
1954 /* seconds to usec */
1955 tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
1956 /* add in usec */
1957 if (tim == 0)
1958 tim = now.tv_usec - cookie->time_entered.tv_usec;
1959 scm->time_usec = htonl(tim);
1960 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag);
1961 return (NULL);
1962 }
1963 /*
1964 * Now we must see with the lookup address if we have an existing
1965 * asoc. This will only happen if we were in the COOKIE-WAIT state
1966 * and a INIT collided with us and somewhere the peer sent the
1967 * cookie on another address besides the single address our assoc
1968 * had for him. In this case we will have one of the tie-tags set
1969 * at least AND the address field in the cookie can be used to
1970 * look it up.
1971 */
1972 to = NULL;
1973 if (cookie->addr_type == SCTP_IPV6_ADDRESS) {
1974 memset(&sin6, 0, sizeof(sin6));
1975 sin6.sin6_family = AF_INET6;
1976 sin6.sin6_len = sizeof(sin6);
1977 sin6.sin6_port = sh->src_port;
1978 sin6.sin6_scope_id = cookie->scope_id;
1979 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
1980 sizeof(sin6.sin6_addr.s6_addr));
1981 to = (struct sockaddr *)&sin6;
1982 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) {
1983 memset(&sin, 0, sizeof(sin));
1984 sin.sin_family = AF_INET;
1985 sin.sin_len = sizeof(sin);
1986 sin.sin_port = sh->src_port;
1987 sin.sin_addr.s_addr = cookie->address[0];
1988 to = (struct sockaddr *)&sin;
1989 }
1990
1991 if ((*stcb == NULL) && to) {
1992 /* Yep, lets check */
1993 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL);
1994 if (*stcb == NULL) {
1995 /* We should have only got back the same inp. If we
1996 * got back a different ep we have a problem. The original
1997 * findep got back l_inp and now
1998 */
1999 if (l_inp != *inp_p) {
2000 printf("Bad problem find_ep got a diff inp then special_locate?\n");
2001 }
2002 }
2003 }
2004
2005 cookie_len -= SCTP_SIGNATURE_SIZE;
2006 if (*stcb == NULL) {
2007 /* this is the "normal" case... get a new TCB */
2008 #ifdef SCTP_DEBUG
2009 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2010 printf("sctp_handle_cookie: processing NEW cookie\n");
2011 }
2012 #endif
2013 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie,
2014 cookie_len, *inp_p, netp, to, ¬ification);
2015 /* now always decrement, since this is the normal
2016 * case.. we had no tcb when we entered.
2017 */
2018 } else {
2019 /* this is abnormal... cookie-echo on existing TCB */
2020 #ifdef SCTP_DEBUG
2021 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2022 printf("sctp_handle_cookie: processing EXISTING cookie\n");
2023 }
2024 #endif
2025 had_a_existing_tcb = 1;
2026 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh,
2027 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification);
2028 }
2029
2030 if (*stcb == NULL) {
2031 /* still no TCB... must be bad cookie-echo */
2032 #ifdef SCTP_DEBUG
2033 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2034 printf("handle_cookie_echo: ACK! don't have a TCB!\n");
2035 }
2036 #endif /* SCTP_DEBUG */
2037 return (NULL);
2038 }
2039
2040 /*
2041 * Ok, we built an association so confirm the address
2042 * we sent the INIT-ACK to.
2043 */
2044 netl = sctp_findnet(*stcb, to);
2045 /* This code should in theory NOT run but
2046 */
2047 if (netl == NULL) {
2048 #ifdef SCTP_DEBUG
2049 printf("TSNH! Huh, why do I need to add this address here?\n");
2050 #endif
2051 sctp_add_remote_addr(*stcb, to, 0, 100);
2052 netl = sctp_findnet(*stcb, to);
2053 }
2054 if (netl) {
2055 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
2056 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
2057 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
2058 netl);
2059 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2060 (*stcb), 0, (void *)netl);
2061 }
2062 }
2063 #ifdef SCTP_DEBUG
2064 else {
2065 printf("Could not add source address for some reason\n");
2066 }
2067 #endif
2068
2069 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
2070 if (!had_a_existing_tcb ||
2071 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
2072 /*
2073 * If we have a NEW cookie or the connect never reached
2074 * the connected state during collision we must do the
2075 * TCP accept thing.
2076 */
2077 struct socket *so, *oso;
2078 struct sctp_inpcb *inp;
2079 if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
2080 /*
2081 * For a restart we will keep the same socket,
2082 * no need to do anything. I THINK!!
2083 */
2084 sctp_ulp_notify(notification, *stcb, 0, NULL);
2085 return (m);
2086 }
2087 oso = (*inp_p)->sctp_socket;
2088 SCTP_TCB_UNLOCK((*stcb));
2089 so = sonewconn(oso, SS_ISCONNECTED);
2090 SCTP_INP_WLOCK((*stcb)->sctp_ep);
2091 SCTP_TCB_LOCK((*stcb));
2092 SCTP_INP_WUNLOCK((*stcb)->sctp_ep);
2093 if (so == NULL) {
2094 struct mbuf *op_err;
2095 /* Too many sockets */
2096 #ifdef SCTP_DEBUG
2097 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
2098 printf("process_cookie_new: no room for another socket!\n");
2099 }
2100 #endif /* SCTP_DEBUG */
2101 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC);
2102 sctp_abort_association(*inp_p, NULL, m, iphlen,
2103 sh, op_err);
2104 sctp_free_assoc(*inp_p, *stcb);
2105 return (NULL);
2106 }
2107 inp = (struct sctp_inpcb *)so->so_pcb;
2108 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2109 SCTP_PCB_FLAGS_CONNECTED |
2110 SCTP_PCB_FLAGS_IN_TCPPOOL |
2111 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
2112 SCTP_PCB_FLAGS_DONT_WAKE);
2113 inp->sctp_socket = so;
2114
2115 /*
2116 * Now we must move it from one hash table to another
2117 * and get the tcb in the right place.
2118 */
2119 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
2120
2121 /* Switch over to the new guy */
2122 *inp_p = inp;
2123
2124 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp,
2125 *stcb, *netp);
2126
2127 sctp_ulp_notify(notification, *stcb, 0, NULL);
2128 return (m);
2129 }
2130 }
2131 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
2132 sctp_ulp_notify(notification, *stcb, 0, NULL);
2133 }
2134 return (m);
2135 }
2136
2137 static void
2138 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp,
2139 struct sctp_tcb *stcb, struct sctp_nets *net)
2140 {
2141 /* cp must not be used, others call this without a c-ack :-) */
2142 struct sctp_association *asoc;
2143
2144 #ifdef SCTP_DEBUG
2145 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2146 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n");
2147 }
2148 #endif
2149 if (stcb == NULL)
2150 return;
2151
2152 asoc = &stcb->asoc;
2153
2154 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net);
2155
2156 /* process according to association state */
2157 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
2158 /* state change only needed when I am in right state */
2159 #ifdef SCTP_DEBUG
2160 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2161 printf("moving to OPEN state\n");
2162 }
2163 #endif
2164 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2165 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING;
2166 } else {
2167 asoc->state = SCTP_STATE_OPEN;
2168 }
2169
2170 /* update RTO */
2171 if (asoc->overall_error_count == 0) {
2172 net->RTO = sctp_calculate_rto(stcb, asoc, net,
2173 &asoc->time_entered);
2174 }
2175 SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
2176 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL);
2177 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2178 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
2179 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2180 soisconnected(stcb->sctp_ep->sctp_socket);
2181 }
2182 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
2183 stcb, net);
2184 /* since we did not send a HB make sure we don't double things */
2185 net->hb_responded = 1;
2186
2187 if (stcb->asoc.sctp_autoclose_ticks &&
2188 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) {
2189 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
2190 stcb->sctp_ep, stcb, NULL);
2191 }
2192
2193 /*
2194 * set ASCONF timer if ASCONFs are pending and allowed
2195 * (eg. addresses changed when init/cookie echo in flight)
2196 */
2197 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_DO_ASCONF) &&
2198 (stcb->asoc.peer_supports_asconf) &&
2199 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
2200 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
2201 stcb->sctp_ep, stcb,
2202 stcb->asoc.primary_destination);
2203 }
2204
2205 }
2206 /* Toss the cookie if I can */
2207 sctp_toss_old_cookies(asoc);
2208 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
2209 /* Restart the timer if we have pending data */
2210 struct sctp_tmit_chunk *chk;
2211 chk = TAILQ_FIRST(&asoc->sent_queue);
2212 if (chk) {
2213 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2214 stcb, chk->whoTo);
2215 }
2216 }
2217
2218 }
2219
2220 static void
2221 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
2222 struct sctp_tcb *stcb)
2223 {
2224 struct sctp_nets *net;
2225 struct sctp_tmit_chunk *lchk;
2226 u_int32_t tsn;
2227 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) {
2228 return;
2229 }
2230 sctp_pegs[SCTP_ECNE_RCVD]++;
2231 tsn = ntohl(cp->tsn);
2232 /* ECN Nonce stuff: need a resync and disable the nonce sum check */
2233 /* Also we make sure we disable the nonce_wait */
2234 lchk = TAILQ_FIRST(&stcb->asoc.send_queue);
2235 if (lchk == NULL) {
2236 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq;
2237 } else {
2238 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq;
2239 }
2240 stcb->asoc.nonce_wait_for_ecne = 0;
2241 stcb->asoc.nonce_sum_check = 0;
2242
2243 /* Find where it was sent, if possible */
2244 net = NULL;
2245 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue);
2246 while (lchk) {
2247 if (lchk->rec.data.TSN_seq == tsn) {
2248 net = lchk->whoTo;
2249 break;
2250 }
2251 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ))
2252 break;
2253 lchk = TAILQ_NEXT(lchk, sctp_next);
2254 }
2255 if (net == NULL)
2256 /* default is we use the primary */
2257 net = stcb->asoc.primary_destination;
2258
2259 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) {
2260 #ifdef SCTP_CWND_LOGGING
2261 int old_cwnd;
2262 #endif
2263 #ifdef SCTP_CWND_LOGGING
2264 old_cwnd = net->cwnd;
2265 #endif
2266 sctp_pegs[SCTP_CWR_PERFO]++;
2267 net->ssthresh = net->cwnd / 2;
2268 if (net->ssthresh < net->mtu) {
2269 net->ssthresh = net->mtu;
2270 /* here back off the timer as well, to slow us down */
2271 net->RTO <<= 2;
2272 }
2273 net->cwnd = net->ssthresh;
2274 #ifdef SCTP_CWND_LOGGING
2275 sctp_log_cwnd(net, (net->cwnd-old_cwnd), SCTP_CWND_LOG_FROM_SAT);
2276 #endif
2277 /* we reduce once every RTT. So we will only lower
2278 * cwnd at the next sending seq i.e. the resync_tsn.
2279 */
2280 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn;
2281 }
2282 /*
2283 * We always send a CWR this way if our previous one was lost
2284 * our peer will get an update, or if it is not time again
2285 * to reduce we still get the cwr to the peer.
2286 */
2287 sctp_send_cwr(stcb, net, tsn);
2288 }
2289
2290 static void
2291 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb)
2292 {
2293 /* Here we get a CWR from the peer. We must look in
2294 * the outqueue and make sure that we have a covered
2295 * ECNE in teh control chunk part. If so remove it.
2296 */
2297 struct sctp_tmit_chunk *chk;
2298 struct sctp_ecne_chunk *ecne;
2299
2300 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
2301 if (chk->rec.chunk_id != SCTP_ECN_ECHO) {
2302 continue;
2303 }
2304 /* Look for and remove if it is the right TSN. Since
2305 * there is only ONE ECNE on the control queue at
2306 * any one time we don't need to worry about more than
2307 * one!
2308 */
2309 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
2310 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn),
2311 MAX_TSN) || (cp->tsn == ecne->tsn)) {
2312 /* this covers this ECNE, we can remove it */
2313 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
2314 sctp_next);
2315 if (chk->data) {
2316 sctp_m_freem(chk->data);
2317 chk->data = NULL;
2318 }
2319 stcb->asoc.ctrl_queue_cnt--;
2320 sctp_free_remote_addr(chk->whoTo);
2321 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk);
2322 sctppcbinfo.ipi_count_chunk--;
2323 if ((int)sctppcbinfo.ipi_count_chunk < 0) {
2324 panic("Chunk count is negative");
2325 }
2326 sctppcbinfo.ipi_gencnt_chunk++;
2327 break;
2328 }
2329 }
2330 }
2331
2332 static void
2333 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp,
2334 struct sctp_tcb *stcb, struct sctp_nets *net)
2335 {
2336 struct sctp_association *asoc;
2337
2338 #ifdef SCTP_DEBUG
2339 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
2340 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
2341 }
2342 #endif
2343 if (stcb == NULL)
2344 return;
2345
2346 asoc = &stcb->asoc;
2347 /* process according to association state */
2348 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
2349 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
2350 return;
2351 }
2352 /* notify upper layer protocol */
2353 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL);
2354 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2355 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
2356 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED;
2357 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0;
2358 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0;
2359 soisdisconnected(stcb->sctp_ep->sctp_socket);
2360 }
2361 /* are the queues empty? they should be */
2362 if (!TAILQ_EMPTY(&asoc->send_queue) ||
2363 !TAILQ_EMPTY(&asoc->sent_queue) ||
2364 !TAILQ_EMPTY(&asoc->out_wheel)) {
2365 sctp_report_all_outbound(stcb);
2366 }
2367 /* stop the timer */
2368 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net);
2369 /* free the TCB */
2370 sctp_free_assoc(stcb->sctp_ep, stcb);
2371 return;
2372 }
2373
2374 static int
2375 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
2376 struct sctp_nets *net, u_int8_t flg)
2377 {
2378 switch (desc->chunk_type) {
2379 case SCTP_DATA:
2380 /* find the tsn to resend (possibly */
2381 {
2382 u_int32_t tsn;
2383 struct sctp_tmit_chunk *tp1;
2384 tsn = ntohl(desc->tsn_ifany);
2385 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2386 while (tp1) {
2387 if (tp1->rec.data.TSN_seq == tsn) {
2388 /* found it */
2389 break;
2390 }
2391 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn,
2392 MAX_TSN)) {
2393 /* not found */
2394 tp1 = NULL;
2395 break;
2396 }
2397 tp1 = TAILQ_NEXT(tp1, sctp_next);
2398 }
2399 if (tp1 == NULL) {
2400 /* Do it the other way */
2401 sctp_pegs[SCTP_PDRP_DNFND]++;
2402 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2403 while (tp1) {
2404 if (tp1->rec.data.TSN_seq == tsn) {
2405 /* found it */
2406 break;
2407 }
2408 tp1 = TAILQ_NEXT(tp1, sctp_next);
2409 }
2410 }
2411 if (tp1 == NULL) {
2412 sctp_pegs[SCTP_PDRP_TSNNF]++;
2413 }
2414 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
2415 u_int8_t *ddp;
2416 if (((tp1->rec.data.state_flags & SCTP_WINDOW_PROBE) == SCTP_WINDOW_PROBE) &&
2417 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
2418 sctp_pegs[SCTP_PDRP_DIWNP]++;
2419 return (0);
2420 }
2421 if (stcb->asoc.peers_rwnd == 0 &&
2422 (flg & SCTP_FROM_MIDDLE_BOX)) {
2423 sctp_pegs[SCTP_PDRP_DIZRW]++;
2424 return (0);
2425 }
2426 ddp = (u_int8_t *)(mtod(tp1->data, vaddr_t) +
2427 sizeof(struct sctp_data_chunk));
2428 {
2429 unsigned int iii;
2430 for (iii = 0; iii < sizeof(desc->data_bytes);
2431 iii++) {
2432 if (ddp[iii] != desc->data_bytes[iii]) {
2433 sctp_pegs[SCTP_PDRP_BADD]++;
2434 return (-1);
2435 }
2436 }
2437 }
2438 if (tp1->sent != SCTP_DATAGRAM_RESEND) {
2439 stcb->asoc.sent_queue_retran_cnt++;
2440 }
2441 /* We zero out the nonce so resync not needed */
2442 tp1->rec.data.ect_nonce = 0;
2443
2444 if (tp1->do_rtt) {
2445 /*
2446 * this guy had a RTO calculation pending on it,
2447 * cancel it
2448 */
2449 tp1->whoTo->rto_pending = 0;
2450 tp1->do_rtt = 0;
2451 }
2452 sctp_pegs[SCTP_PDRP_MARK]++;
2453 tp1->sent = SCTP_DATAGRAM_RESEND;
2454 /*
2455 * mark it as if we were doing a FR, since we
2456 * will be getting gap ack reports behind the
2457 * info from the router.
2458 */
2459 tp1->rec.data.doing_fast_retransmit = 1;
2460 /*
2461 * mark the tsn with what sequences can cause a new FR.
2462 */
2463 if (TAILQ_EMPTY(&stcb->asoc.send_queue) ) {
2464 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
2465 } else {
2466 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
2467 }
2468
2469 /* restart the timer */
2470 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2471 stcb, tp1->whoTo);
2472 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
2473 stcb, tp1->whoTo);
2474
2475 /* fix counts and things */
2476 sctp_flight_size_decrease(tp1);
2477 sctp_total_flight_decrease(stcb, tp1);
2478 tp1->snd_count--;
2479 }
2480 {
2481 /* audit code */
2482 unsigned int audit;
2483 audit = 0;
2484 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
2485 if (tp1->sent == SCTP_DATAGRAM_RESEND)
2486 audit++;
2487 }
2488 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
2489 sctp_next) {
2490 if (tp1->sent == SCTP_DATAGRAM_RESEND)
2491 audit++;
2492 }
2493 if (audit != stcb->asoc.sent_queue_retran_cnt) {
2494 printf("**Local Audit finds cnt:%d asoc cnt:%d\n",
2495 audit, stcb->asoc.sent_queue_retran_cnt);
2496 #ifndef SCTP_AUDITING_ENABLED
2497 stcb->asoc.sent_queue_retran_cnt = audit;
2498 #endif
2499 }
2500 }
2501 }
2502 break;
2503 case SCTP_ASCONF:
2504 {
2505 struct sctp_tmit_chunk *asconf;
2506 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
2507 sctp_next) {
2508 if (asconf->rec.chunk_id == SCTP_ASCONF) {
2509 break;
2510 }
2511 }
2512 if (asconf) {
2513 if (asconf->sent != SCTP_DATAGRAM_RESEND)
2514 stcb->asoc.sent_queue_retran_cnt++;
2515 asconf->sent = SCTP_DATAGRAM_RESEND;
2516 asconf->snd_count--;
2517 }
2518 }
2519 break;
2520 case SCTP_INITIATION:
2521 /* resend the INIT */
2522 stcb->asoc.dropped_special_cnt++;
2523 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
2524 /*
2525 * If we can get it in, in a few attempts we do this,
2526 * otherwise we let the timer fire.
2527 */
2528 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
2529 stcb, net);
2530 sctp_send_initiate(stcb->sctp_ep, stcb);
2531 }
2532 break;
2533 case SCTP_SELECTIVE_ACK:
2534 /* resend the sack */
2535 sctp_send_sack(stcb);
2536 break;
2537 case SCTP_HEARTBEAT_REQUEST:
2538 /* resend a demand HB */
2539 sctp_send_hb(stcb, 1, net);
2540 break;
2541 case SCTP_SHUTDOWN:
2542 #ifdef SCTP_DEBUG
2543 if (sctp_debug_on & SCTP_DEBUG_OUTPUT4) {
2544 printf("%s:%d sends a shutdown\n",
2545 __FILE__,
2546 __LINE__
2547 );
2548 }
2549 #endif
2550 sctp_send_shutdown(stcb, net);
2551 break;
2552 case SCTP_SHUTDOWN_ACK:
2553 sctp_send_shutdown_ack(stcb, net);
2554 break;
2555 case SCTP_COOKIE_ECHO:
2556 {
2557 struct sctp_tmit_chunk *cookie;
2558 cookie = NULL;
2559 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
2560 sctp_next) {
2561 if (cookie->rec.chunk_id == SCTP_COOKIE_ECHO) {
2562 break;
2563 }
2564 }
2565 if (cookie) {
2566 if (cookie->sent != SCTP_DATAGRAM_RESEND)
2567 stcb->asoc.sent_queue_retran_cnt++;
2568 cookie->sent = SCTP_DATAGRAM_RESEND;
2569 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net);
2570 }
2571 }
2572 break;
2573 case SCTP_COOKIE_ACK:
2574 sctp_send_cookie_ack(stcb);
2575 break;
2576 case SCTP_ASCONF_ACK:
2577 /* resend last asconf ack */
2578 sctp_send_asconf_ack(stcb, 1);
2579 break;
2580 case SCTP_FORWARD_CUM_TSN:
2581 send_forward_tsn(stcb, &stcb->asoc);
2582 break;
2583 /* can't do anything with these */
2584 case SCTP_PACKET_DROPPED:
2585 case SCTP_INITIATION_ACK: /* this should not happen */
2586 case SCTP_HEARTBEAT_ACK:
2587 case SCTP_ABORT_ASSOCIATION:
2588 case SCTP_OPERATION_ERROR:
2589 case SCTP_SHUTDOWN_COMPLETE:
2590 case SCTP_ECN_ECHO:
2591 case SCTP_ECN_CWR:
2592 default:
2593 break;
2594 }
2595 return (0);
2596 }
2597
2598 static void
2599 sctp_reset_in_stream(struct sctp_tcb *stcb,
2600 struct sctp_stream_reset_response *resp, int number_entries)
2601 {
2602 int i;
2603 uint16_t *list, temp;
2604
2605 /* We set things to 0xffff since this is the last delivered
2606 * sequence and we will be sending in 0 after the reset.
2607 */
2608
2609 if (resp->reset_flags & SCTP_RESET_PERFORMED) {
2610 if (number_entries) {
2611 list = resp->list_of_streams;
2612 for (i = 0; i < number_entries; i++) {
2613 temp = ntohs(list[i]);
2614 list[i] = temp;
2615 if (list[i] >= stcb->asoc.streamincnt) {
2616 printf("Invalid stream in-stream reset %d\n", list[i]);
2617 continue;
2618 }
2619 stcb->asoc.strmin[(list[i])].last_sequence_delivered = 0xffff;
2620 }
2621 } else {
2622 list = NULL;
2623 for (i = 0; i < stcb->asoc.streamincnt; i++) {
2624 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff;
2625 }
2626 }
2627 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list);
2628 }
2629 }
2630
2631 static void
2632 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
2633 {
2634 struct sctp_tmit_chunk *chk, *nchk;
2635 struct sctp_association *asoc;
2636
2637 asoc = &stcb->asoc;
2638
2639 for (chk = TAILQ_FIRST(&asoc->control_send_queue);
2640 chk; chk = nchk) {
2641 nchk = TAILQ_NEXT(chk, sctp_next);
2642 if (chk->rec.chunk_id == SCTP_STREAM_RESET) {
2643 struct sctp_stream_reset_req *strreq;
2644 strreq = mtod(chk->data, struct sctp_stream_reset_req *);
2645 if (strreq->sr_req.ph.param_type == ntohs(SCTP_STR_RESET_RESPONSE)) {
2646 /* we only clean up the request */
2647 continue;
2648 } else if (strreq->sr_req.ph.param_type != ntohs(SCTP_STR_RESET_REQUEST)) {
2649 printf("TSNH, an unknown stream reset request is in queue %x\n",
2650 (u_int)ntohs(strreq->sr_req.ph.param_type));
2651 continue;
2652 }
2653 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
2654 TAILQ_REMOVE(&asoc->control_send_queue,
2655 chk,
2656 sctp_next);
2657 if (chk->data) {
2658 sctp_m_freem(chk->data);
2659 chk->data = NULL;
2660 }
2661 asoc->ctrl_queue_cnt--;
2662 sctp_free_remote_addr(chk->whoTo);
2663 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk);
2664 sctppcbinfo.ipi_count_chunk--;
2665 if ((int)sctppcbinfo.ipi_count_chunk < 0) {
2666 panic("Chunk count is negative");
2667 }
2668 sctppcbinfo.ipi_gencnt_chunk++;
2669 /* we can only have one of these so we break */
2670 break;
2671 }
2672 }
2673 }
2674
2675
2676 void
2677 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
2678 struct sctp_stream_reset_response *resp)
2679 {
2680 uint32_t seq, tsn;
2681 int number_entries, param_length;
2682
2683 param_length = ntohs(resp->ph.param_length);
2684 seq = ntohl(resp->reset_req_seq_resp);
2685 if (seq == stcb->asoc.str_reset_seq_out) {
2686 sctp_clean_up_stream_reset(stcb);
2687 stcb->asoc.str_reset_seq_out++;
2688 stcb->asoc.stream_reset_outstanding = 0;
2689 tsn = ntohl(resp->reset_at_tsn);
2690 number_entries = (param_length - sizeof(struct sctp_stream_reset_response))/sizeof(uint16_t);
2691 tsn--;
2692 if ((tsn == stcb->asoc.cumulative_tsn) ||
2693 (compare_with_wrap(stcb->asoc.cumulative_tsn, tsn, MAX_TSN))) {
2694 /* no problem we are good to go */
2695 sctp_reset_in_stream(stcb, resp, number_entries);
2696 } else {
2697 /* So, we have a stream reset but there
2698 * is pending data. We need to copy
2699 * out the stream_reset and then queue
2700 * any data = or > resp->reset_at_tsn
2701 */
2702 if (stcb->asoc.pending_reply != NULL) {
2703 /* FIX ME FIX ME
2704 * This IS WRONG. We need
2705 * to queue each of these up
2706 * and only release the chunks
2707 * for each reset that the cum-ack
2708 * goes by. This is a short cut.
2709 */
2710 free(stcb->asoc.pending_reply, M_PCB);
2711 }
2712 stcb->asoc.pending_reply = malloc(param_length,
2713 M_PCB, M_NOWAIT);
2714 memcpy(stcb->asoc.pending_reply, resp, param_length);
2715 }
2716
2717 } else {
2718 /* duplicate */
2719 #ifdef SCTP_DEBUG
2720 printf("Duplicate old stream reset resp next:%x this one:%x\n",
2721 stcb->asoc.str_reset_seq_out, seq);
2722 #endif
2723 }
2724 }
2725
2726
2727 static void
2728 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_req *sr_req)
2729 {
2730 int chk_length, param_len;
2731 struct sctp_paramhdr *ph;
2732 /* now it may be a reset or a reset-response */
2733 struct sctp_stream_reset_request *req;
2734 struct sctp_stream_reset_response *resp;
2735 chk_length = ntohs(sr_req->ch.chunk_length);
2736
2737 ph = (struct sctp_paramhdr *)&sr_req->sr_req;
2738 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_request)) {
2739 param_len = ntohs(ph->param_length);
2740 if (ntohs(ph->param_type) == SCTP_STR_RESET_REQUEST) {
2741 /* this will send the ACK and do the reset if needed */
2742 req = (struct sctp_stream_reset_request *)ph;
2743 sctp_send_str_reset_ack(stcb, req);
2744 } else if (ntohs(ph->param_type) == SCTP_STR_RESET_RESPONSE) {
2745 /* Now here is a tricky one. We reset our receive side
2746 * of the streams. But what happens if the peers
2747 * next sending TSN is NOT equal to 1 minus our cumack?
2748 * And if his cumack is not equal to our next one out - 1
2749 * we have another problem if this is receprical.
2750 */
2751 resp = (struct sctp_stream_reset_response *)ph;
2752 sctp_handle_stream_reset_response(stcb, resp);
2753 }
2754 ph = (struct sctp_paramhdr *)((vaddr_t)ph + SCTP_SIZE32(param_len));
2755 chk_length -= SCTP_SIZE32(param_len);
2756 }
2757 }
2758
2759 /*
2760 * Handle a router or endpoints report of a packet loss, there
2761 * are two ways to handle this, either we get the whole packet
2762 * and must disect it ourselves (possibly with truncation and
2763 * or corruption) or it is a summary from a middle box that did
2764 * the disectting for us.
2765 */
2766 static void
2767 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
2768 struct sctp_tcb *stcb, struct sctp_nets *net)
2769 {
2770 u_int32_t bottle_bw, on_queue;
2771 u_int16_t trunc_len;
2772 unsigned int chlen;
2773 unsigned int at;
2774 struct sctp_chunk_desc desc;
2775 struct sctp_chunkhdr *ch;
2776
2777 chlen = ntohs(cp->ch.chunk_length);
2778 chlen -= sizeof(struct sctp_pktdrop_chunk);
2779 /* XXX possible chlen underflow */
2780 if (chlen == 0) {
2781 ch = NULL;
2782 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
2783 sctp_pegs[SCTP_PDRP_BWRPT]++;
2784 } else {
2785 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
2786 chlen -= sizeof(struct sctphdr);
2787 /* XXX possible chlen underflow */
2788 memset(&desc, 0, sizeof(desc));
2789 }
2790
2791 /* first update a rwnd possibly */
2792 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
2793 /* From a peer, we get a rwnd report */
2794 u_int32_t a_rwnd;
2795
2796 sctp_pegs[SCTP_PDRP_FEHOS]++;
2797
2798 bottle_bw = ntohl(cp->bottle_bw);
2799 on_queue = ntohl(cp->current_onq);
2800 if (bottle_bw && on_queue) {
2801 /* a rwnd report is in here */
2802 if (bottle_bw > on_queue)
2803 a_rwnd = bottle_bw - on_queue;
2804 else
2805 a_rwnd = 0;
2806
2807 if (a_rwnd <= 0)
2808 stcb->asoc.peers_rwnd = 0;
2809 else {
2810 if (a_rwnd > stcb->asoc.total_flight) {
2811 stcb->asoc.peers_rwnd =
2812 a_rwnd - stcb->asoc.total_flight;
2813 } else {
2814 stcb->asoc.peers_rwnd = 0;
2815 }
2816 if (stcb->asoc.peers_rwnd <
2817 stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
2818 /* SWS sender side engages */
2819 stcb->asoc.peers_rwnd = 0;
2820 }
2821 }
2822 }
2823 } else {
2824 sctp_pegs[SCTP_PDRP_FMBOX]++;
2825 }
2826 trunc_len = (u_int16_t)ntohs(cp->trunc_len);
2827 /* now the chunks themselves */
2828 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
2829 desc.chunk_type = ch->chunk_type;
2830 /* get amount we need to move */
2831 at = ntohs(ch->chunk_length);
2832 if (at < sizeof(struct sctp_chunkhdr)) {
2833 /* corrupt chunk, maybe at the end? */
2834 sctp_pegs[SCTP_PDRP_CRUPT]++;
2835 break;
2836 }
2837 if (trunc_len == 0) {
2838 /* we are supposed to have all of it */
2839 if (at > chlen) {
2840 /* corrupt skip it */
2841 sctp_pegs[SCTP_PDRP_CRUPT]++;
2842 break;
2843 }
2844 } else {
2845 /* is there enough of it left ? */
2846 if (desc.chunk_type == SCTP_DATA) {
2847 if (chlen < (sizeof(struct sctp_data_chunk) +
2848 sizeof(desc.data_bytes))) {
2849 break;
2850 }
2851 } else {
2852 if (chlen < sizeof(struct sctp_chunkhdr)) {
2853 break;
2854 }
2855 }
2856 }
2857 if (desc.chunk_type == SCTP_DATA) {
2858 /* can we get out the tsn? */
2859 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
2860 sctp_pegs[SCTP_PDRP_MB_DA]++;
2861
2862 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(u_int32_t)) ) {
2863 /* yep */
2864 struct sctp_data_chunk *dcp;
2865 u_int8_t *ddp;
2866 unsigned int iii;
2867 dcp = (struct sctp_data_chunk *)ch;
2868 ddp = (u_int8_t *)(dcp + 1);
2869 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) {
2870 desc.data_bytes[iii] = ddp[iii];
2871 }
2872 desc.tsn_ifany = dcp->dp.tsn;
2873 } else {
2874 /* nope we are done. */
2875 sctp_pegs[SCTP_PDRP_NEDAT]++;
2876 break;
2877 }
2878 } else {
2879 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
2880 sctp_pegs[SCTP_PDRP_MB_CT]++;
2881 }
2882
2883 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
2884 sctp_pegs[SCTP_PDRP_PDBRK]++;
2885 break;
2886 }
2887 if (SCTP_SIZE32(at) > chlen) {
2888 break;
2889 }
2890 chlen -= SCTP_SIZE32(at);
2891 if (chlen < sizeof(struct sctp_chunkhdr)) {
2892 /* done, none left */
2893 break;
2894 }
2895 ch = (struct sctp_chunkhdr *)((vaddr_t)ch + SCTP_SIZE32(at));
2896 }
2897
2898 /* now middle boxes in sat networks get a cwnd bump */
2899 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
2900 (stcb->asoc.sat_t3_loss_recovery == 0) &&
2901 (stcb->asoc.sat_network)) {
2902 /*
2903 * This is debateable but for sat networks it makes sense
2904 * Note if a T3 timer has went off, we will prohibit any
2905 * changes to cwnd until we exit the t3 loss recovery.
2906 */
2907 u_int32_t bw_avail;
2908 int rtt, incr;
2909 #ifdef SCTP_CWND_LOGGING
2910 int old_cwnd=net->cwnd;
2911 #endif
2912 /* need real RTT for this calc */
2913 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1;
2914 /* get bottle neck bw */
2915 bottle_bw = ntohl(cp->bottle_bw);
2916 /* and whats on queue */
2917 on_queue = ntohl(cp->current_onq);
2918 /*
2919 * adjust the on-queue if our flight is more it could be
2920 * that the router has not yet gotten data "in-flight" to it
2921 */
2922 if (on_queue < net->flight_size)
2923 on_queue = net->flight_size;
2924
2925 /* calculate the available space */
2926 bw_avail = (bottle_bw*rtt)/1000;
2927 if (bw_avail > bottle_bw) {
2928 /*
2929 * Cap the growth to no more than the bottle neck.
2930 * This can happen as RTT slides up due to queues.
2931 * It also means if you have more than a 1 second
2932 * RTT with a empty queue you will be limited to
2933 * the bottle_bw per second no matter if
2934 * other points have 1/2 the RTT and you could
2935 * get more out...
2936 */
2937 bw_avail = bottle_bw;
2938 }
2939
2940 if (on_queue > bw_avail) {
2941 /*
2942 * No room for anything else don't allow anything
2943 * else to be "added to the fire".
2944 */
2945 int seg_inflight, seg_onqueue, my_portion;
2946 net->partial_bytes_acked = 0;
2947
2948 /* how much are we over queue size? */
2949 incr = on_queue - bw_avail;
2950 if (stcb->asoc.seen_a_sack_this_pkt) {
2951 /* undo any cwnd adjustment that
2952 * the sack might have made
2953 */
2954 net->cwnd = net->prev_cwnd;
2955 }
2956
2957 /* Now how much of that is mine? */
2958 seg_inflight = net->flight_size / net->mtu;
2959 seg_onqueue = on_queue / net->mtu;
2960 my_portion = (incr * seg_inflight)/seg_onqueue;
2961
2962 /* Have I made an adjustment already */
2963 if (net->cwnd > net->flight_size) {
2964 /* for this flight I made an adjustment
2965 * we need to decrease the portion by a share
2966 * our previous adjustment.
2967 */
2968 int diff_adj;
2969 diff_adj = net->cwnd - net->flight_size;
2970 if (diff_adj > my_portion)
2971 my_portion = 0;
2972 else
2973 my_portion -= diff_adj;
2974 }
2975
2976 /* back down to the previous cwnd (assume
2977 * we have had a sack before this packet). minus
2978 * what ever portion of the overage is my fault.
2979 */
2980 net->cwnd -= my_portion;
2981
2982 /* we will NOT back down more than 1 MTU */
2983 if (net->cwnd <= net->mtu) {
2984 net->cwnd = net->mtu;
2985 }
2986 /* force into CA */
2987 net->ssthresh = net->cwnd - 1;
2988 } else {
2989 /*
2990 * Take 1/4 of the space left or
2991 * max burst up .. whichever is less.
2992 */
2993 incr = uimin((bw_avail - on_queue) >> 2,
2994 (int)stcb->asoc.max_burst * (int)net->mtu);
2995 net->cwnd += incr;
2996 }
2997 if (net->cwnd > bw_avail) {
2998 /* We can't exceed the pipe size */
2999 net->cwnd = bw_avail;
3000 }
3001 if (net->cwnd < net->mtu) {
3002 /* We always have 1 MTU */
3003 net->cwnd = net->mtu;
3004 }
3005 #ifdef SCTP_CWND_LOGGING
3006 if (net->cwnd - old_cwnd != 0) {
3007 /* log only changes */
3008 sctp_log_cwnd(net, (net->cwnd - old_cwnd),
3009 SCTP_CWND_LOG_FROM_SAT);
3010 }
3011 #endif
3012 }
3013 }
3014
3015 extern int sctp_strict_init;
3016
3017 /*
3018 * handles all control chunks in a packet
3019 * inputs:
3020 * - m: mbuf chain, assumed to still contain IP/SCTP header
3021 * - stcb: is the tcb found for this packet
3022 * - offset: offset into the mbuf chain to first chunkhdr
3023 * - length: is the length of the complete packet
3024 * outputs:
3025 * - length: modified to remaining length after control processing
3026 * - netp: modified to new sctp_nets after cookie-echo processing
3027 * - return NULL to discard the packet (ie. no asoc, bad packet,...)
3028 * otherwise return the tcb for this packet
3029 */
3030 static struct sctp_tcb *
3031 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
3032 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
3033 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen)
3034 {
3035 struct sctp_association *asoc;
3036 u_int32_t vtag_in;
3037 int num_chunks = 0; /* number of control chunks processed */
3038 int chk_length;
3039 int ret;
3040
3041 /*
3042 * How big should this be, and should it be alloc'd?
3043 * Lets try the d-mtu-ceiling for now (2k) and that should
3044 * hopefully work ... until we get into jumbo grams and such..
3045 */
3046 u_int8_t chunk_buf[DEFAULT_CHUNK_BUFFER];
3047 struct sctp_tcb *locked_tcb = stcb;
3048
3049 #ifdef SCTP_DEBUG
3050 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3051 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
3052 iphlen, *offset, length, stcb);
3053 }
3054 #endif /* SCTP_DEBUG */
3055
3056 /* validate chunk header length... */
3057 if (ntohs(ch->chunk_length) < sizeof(*ch)) {
3058 return (NULL);
3059 }
3060
3061 /*
3062 * validate the verification tag
3063 */
3064 #ifdef SCTP_DEBUG
3065 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3066 printf("sctp_process_control: validating vtags\n");
3067 }
3068 #endif /* SCTP_DEBUG */
3069 vtag_in = ntohl(sh->v_tag);
3070 if (ch->chunk_type == SCTP_INITIATION) {
3071 if (vtag_in != 0) {
3072 /* protocol error- silently discard... */
3073 #ifdef SCTP_DEBUG
3074 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3075 printf("sctp_process_control: INIT with vtag != 0\n");
3076 }
3077 #endif /* SCTP_DEBUG */
3078 sctp_pegs[SCTP_BAD_VTAGS]++;
3079 if (locked_tcb) {
3080 SCTP_TCB_UNLOCK(locked_tcb);
3081 }
3082 return (NULL);
3083 }
3084 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
3085 /*
3086 * first check if it's an ASCONF with an unknown src addr
3087 * we need to look inside to find the association
3088 */
3089 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
3090 stcb = sctp_findassociation_ep_asconf(m, iphlen,
3091 *offset, sh, &inp, netp);
3092 }
3093 if (stcb == NULL) {
3094 /* no association, so it's out of the blue... */
3095 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL);
3096 #ifdef SCTP_DEBUG
3097 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3098 printf("sctp_process_control: handling OOTB packet, chunk type=%xh\n",
3099 ch->chunk_type);
3100 }
3101 #endif /* SCTP_DEBUG */
3102 *offset = length;
3103 if (locked_tcb) {
3104 SCTP_TCB_UNLOCK(locked_tcb);
3105 }
3106 return (NULL);
3107 }
3108 asoc = &stcb->asoc;
3109 /* ABORT and SHUTDOWN can use either v_tag... */
3110 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
3111 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
3112 (ch->chunk_type == SCTP_PACKET_DROPPED)) {
3113 if ((vtag_in == asoc->my_vtag) ||
3114 ((ch->chunk_flags & SCTP_HAD_NO_TCB) &&
3115 (vtag_in == asoc->peer_vtag))) {
3116 /* this is valid */
3117 } else {
3118 /* drop this packet... */
3119 sctp_pegs[SCTP_BAD_VTAGS]++;
3120 if (locked_tcb) {
3121 SCTP_TCB_UNLOCK(locked_tcb);
3122 }
3123 return (NULL);
3124 }
3125 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
3126 if (vtag_in != asoc->my_vtag) {
3127 /*
3128 * this could be a stale SHUTDOWN-ACK or the
3129 * peer never got the SHUTDOWN-COMPLETE and
3130 * is still hung; we have started a new asoc
3131 * but it won't complete until the shutdown is
3132 * completed
3133 */
3134 if (locked_tcb) {
3135 SCTP_TCB_UNLOCK(locked_tcb);
3136 }
3137 sctp_handle_ootb(m, iphlen, *offset, sh, inp,
3138 NULL);
3139 return (NULL);
3140 }
3141 } else {
3142 /* for all other chunks, vtag must match */
3143
3144 if (vtag_in != asoc->my_vtag) {
3145 /* invalid vtag... */
3146 #ifdef SCTP_DEBUG
3147 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3148 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag);
3149 }
3150 #endif /* SCTP_DEBUG */
3151 sctp_pegs[SCTP_BAD_VTAGS]++;
3152 if (locked_tcb) {
3153 SCTP_TCB_UNLOCK(locked_tcb);
3154 }
3155 *offset = length;
3156 return (NULL);
3157 }
3158 }
3159 } /* end if !SCTP_COOKIE_ECHO */
3160
3161 #ifdef SCTP_DEBUG
3162 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3163 printf("sctp_process_control: vtags ok, processing ctrl chunks\n");
3164 }
3165 #endif /* SCTP_DEBUG */
3166
3167 /*
3168 * process all control chunks...
3169 */
3170 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
3171 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
3172 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
3173 /* implied cookie-ack.. we must have lost the ack */
3174 stcb->asoc.overall_error_count = 0;
3175 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp);
3176 }
3177
3178 while (IS_SCTP_CONTROL(ch)) {
3179 /* validate chunk length */
3180 chk_length = ntohs(ch->chunk_length);
3181 #ifdef SCTP_DEBUG
3182 if (sctp_debug_on & SCTP_DEBUG_INPUT2) {
3183 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", ch->chunk_type, chk_length);
3184 }
3185 #endif /* SCTP_DEBUG */
3186 if ((size_t)chk_length < sizeof(*ch) ||
3187 (*offset + chk_length) > length) {
3188 #ifdef SCTP_DEBUG
3189 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3190 printf("sctp_process_control: chunk length invalid! *offset:%u, chk_length:%u > length:%u\n",
3191 *offset, chk_length, length);
3192 }
3193 #endif /* SCTP_DEBUG */
3194 *offset = length;
3195 if (locked_tcb) {
3196 SCTP_TCB_UNLOCK(locked_tcb);
3197 }
3198 return (NULL);
3199 }
3200
3201 /*
3202 * INIT-ACK only gets the init ack "header" portion only
3203 * because we don't have to process the peer's COOKIE.
3204 * All others get a complete chunk.
3205 */
3206 if (ch->chunk_type == SCTP_INITIATION_ACK) {
3207 /* get an init-ack chunk */
3208 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3209 sizeof(struct sctp_init_ack), chunk_buf);
3210 if (ch == NULL) {
3211 *offset = length;
3212 if (locked_tcb) {
3213 SCTP_TCB_UNLOCK(locked_tcb);
3214 }
3215 return (NULL);
3216 }
3217 } else {
3218 /* get a complete chunk... */
3219 if ((size_t)chk_length > sizeof(chunk_buf)) {
3220 struct mbuf *oper;
3221 struct sctp_paramhdr *phdr;
3222 oper = NULL;
3223 MGETHDR(oper, M_DONTWAIT, MT_HEADER);
3224 if (oper) {
3225 /* pre-reserve some space */
3226 oper->m_data +=
3227 sizeof(struct sctp_chunkhdr);
3228 phdr =
3229 mtod(oper, struct sctp_paramhdr *);
3230 phdr->param_type =
3231 htons(SCTP_CAUSE_OUT_OF_RESC);
3232 phdr->param_length =
3233 htons(sizeof(struct sctp_paramhdr));
3234 sctp_queue_op_err(stcb, oper);
3235 }
3236 if (locked_tcb) {
3237 SCTP_TCB_UNLOCK(locked_tcb);
3238 }
3239 return (NULL);
3240 }
3241 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3242 chk_length, chunk_buf);
3243 if (ch == NULL) {
3244 printf("sctp_process_control: Can't get the all data....\n");
3245 *offset = length;
3246 if (locked_tcb) {
3247 SCTP_TCB_UNLOCK(locked_tcb);
3248 }
3249 return (NULL);
3250 }
3251
3252 }
3253 num_chunks++;
3254 /* Save off the last place we got a control from */
3255 if ((*netp) && stcb) {
3256 stcb->asoc.last_control_chunk_from = *netp;
3257 }
3258 #ifdef SCTP_AUDITING_ENABLED
3259 sctp_audit_log(0xB0, ch->chunk_type);
3260 #endif
3261 switch (ch->chunk_type) {
3262 case SCTP_INITIATION:
3263 /* must be first and only chunk */
3264 #ifdef SCTP_DEBUG
3265 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3266 printf("SCTP_INIT\n");
3267 }
3268 #endif /* SCTP_DEBUG */
3269 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3270 /* We are not interested anymore */
3271 if (locked_tcb) {
3272 SCTP_TCB_UNLOCK(locked_tcb);
3273 }
3274 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) {
3275 /* finish the job now */
3276 sctp_inpcb_free(inp, 1);
3277 }
3278 *offset = length;
3279 return (NULL);
3280 }
3281 if ((num_chunks > 1) ||
3282 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) {
3283 *offset = length;
3284 if (locked_tcb) {
3285 SCTP_TCB_UNLOCK(locked_tcb);
3286 }
3287 return (NULL);
3288 }
3289 if ((stcb != NULL) &&
3290 (SCTP_GET_STATE(&stcb->asoc) ==
3291 SCTP_STATE_SHUTDOWN_ACK_SENT)) {
3292 sctp_send_shutdown_ack(stcb,
3293 stcb->asoc.primary_destination);
3294 *offset = length;
3295 if (locked_tcb) {
3296 SCTP_TCB_UNLOCK(locked_tcb);
3297 }
3298 return (NULL);
3299 }
3300 sctp_handle_init(m, iphlen, *offset, sh,
3301 (struct sctp_init_chunk *)ch, inp, stcb, *netp);
3302 *offset = length;
3303 if (locked_tcb) {
3304 SCTP_TCB_UNLOCK(locked_tcb);
3305 }
3306 return (NULL);
3307 break;
3308 case SCTP_INITIATION_ACK:
3309 /* must be first and only chunk */
3310 #ifdef SCTP_DEBUG
3311 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3312 printf("SCTP_INIT-ACK\n");
3313 }
3314 #endif /* SCTP_DEBUG */
3315 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3316 /* We are not interested anymore */
3317 if (locked_tcb) {
3318 SCTP_TCB_UNLOCK(locked_tcb);
3319 }
3320 *offset = length;
3321 if (stcb) {
3322 sctp_free_assoc(inp, stcb);
3323 } else {
3324 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) {
3325 /* finish the job now */
3326 sctp_inpcb_free(inp, 1);
3327 }
3328 }
3329 return (NULL);
3330 }
3331 if ((num_chunks > 1) ||
3332 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) {
3333 #ifdef SCTP_DEBUG
3334 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3335 printf("Length is %d rounded chk_length:%d .. dropping\n",
3336 length - *offset,
3337 SCTP_SIZE32(chk_length));
3338 }
3339 #endif
3340 *offset = length;
3341 if (locked_tcb) {
3342 SCTP_TCB_UNLOCK(locked_tcb);
3343 }
3344 return (NULL);
3345 }
3346 ret = sctp_handle_init_ack(m, iphlen, *offset, sh,
3347 (struct sctp_init_ack_chunk *)ch, stcb, *netp);
3348 /*
3349 * Special case, I must call the output routine
3350 * to get the cookie echoed
3351 */
3352 if ((stcb) && ret == 0)
3353 sctp_chunk_output(stcb->sctp_ep, stcb, 2);
3354 *offset = length;
3355 #ifdef SCTP_DEBUG
3356 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3357 printf("All done INIT-ACK processing\n");
3358 }
3359 #endif
3360 if (locked_tcb) {
3361 SCTP_TCB_UNLOCK(locked_tcb);
3362 }
3363 return (NULL);
3364 break;
3365 case SCTP_SELECTIVE_ACK:
3366 #ifdef SCTP_DEBUG
3367 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3368 printf("SCTP_SACK\n");
3369 }
3370 #endif /* SCTP_DEBUG */
3371 sctp_pegs[SCTP_PEG_SACKS_SEEN]++;
3372 {
3373 int abort_now = 0;
3374 stcb->asoc.seen_a_sack_this_pkt = 1;
3375 sctp_handle_sack((struct sctp_sack_chunk *)ch,
3376 stcb, *netp, &abort_now);
3377 if (abort_now) {
3378 /* ABORT signal from sack processing */
3379 *offset = length;
3380 return (NULL);
3381 }
3382 }
3383 break;
3384 case SCTP_HEARTBEAT_REQUEST:
3385 #ifdef SCTP_DEBUG
3386 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3387 printf("SCTP_HEARTBEAT\n");
3388 }
3389 #endif /* SCTP_DEBUG */
3390 sctp_pegs[SCTP_HB_RECV]++;
3391 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length,
3392 *netp);
3393
3394 /* He's alive so give him credit */
3395 stcb->asoc.overall_error_count = 0;
3396 break;
3397 case SCTP_HEARTBEAT_ACK:
3398 #ifdef SCTP_DEBUG
3399 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3400 printf("SCTP_HEARTBEAT-ACK\n");
3401 }
3402 #endif /* SCTP_DEBUG */
3403
3404 /* He's alive so give him credit */
3405 stcb->asoc.overall_error_count = 0;
3406
3407 sctp_pegs[SCTP_HB_ACK_RECV]++;
3408 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
3409 stcb, *netp);
3410 break;
3411 case SCTP_ABORT_ASSOCIATION:
3412 #ifdef SCTP_DEBUG
3413 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3414 printf("SCTP_ABORT\n");
3415 }
3416 #endif /* SCTP_DEBUG */
3417 sctp_handle_abort((struct sctp_abort_chunk *)ch,
3418 stcb, *netp);
3419 *offset = length;
3420 return (NULL);
3421 break;
3422 case SCTP_SHUTDOWN:
3423 #ifdef SCTP_DEBUG
3424 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3425 printf("SCTP_SHUTDOWN\n");
3426 }
3427 #endif /* SCTP_DEBUG */
3428 {
3429 int abort_flag = 0;
3430 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
3431 stcb, *netp, &abort_flag);
3432 if (abort_flag) {
3433 *offset = length;
3434 return (NULL);
3435 }
3436 }
3437 break;
3438 case SCTP_SHUTDOWN_ACK:
3439 #ifdef SCTP_DEBUG
3440 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3441 printf("SCTP_SHUTDOWN-ACK\n");
3442 }
3443 #endif /* SCTP_DEBUG */
3444 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
3445 *offset = length;
3446 return (NULL);
3447 break;
3448 case SCTP_OPERATION_ERROR:
3449 #ifdef SCTP_DEBUG
3450 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3451 printf("SCTP_OP-ERR\n");
3452 }
3453 #endif /* SCTP_DEBUG */
3454 if (sctp_handle_error(ch, stcb, *netp) < 0) {
3455 *offset = length;
3456 return (NULL);
3457 }
3458 break;
3459 case SCTP_COOKIE_ECHO:
3460 #ifdef SCTP_DEBUG
3461 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3462 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb);
3463 }
3464 #endif /* SCTP_DEBUG */
3465 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3466 /* We are not interested anymore */
3467 *offset = length;
3468 if (stcb) {
3469 sctp_free_assoc(inp, stcb);
3470 } else {
3471 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) {
3472 /* finish the job now */
3473 sctp_inpcb_free(inp, 1);
3474 }
3475 }
3476 return (NULL);
3477 }
3478 /*
3479 * First are we accepting?
3480 * We do this again here since it is possible
3481 * that a previous endpoint WAS listening responded to
3482 * a INIT-ACK and then closed. We opened and bound..
3483 * and are now no longer listening.
3484 */
3485 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) ||
3486 (inp->sctp_socket->so_qlimit == 0)) {
3487 sctp_abort_association(inp, stcb, m, iphlen, sh,
3488 NULL);
3489 *offset = length;
3490 return (NULL);
3491 } else if (inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) {
3492 /* we are accepting so check limits like TCP */
3493 if (inp->sctp_socket->so_qlen >
3494 inp->sctp_socket->so_qlimit) {
3495 /* no space */
3496 struct mbuf *oper;
3497 struct sctp_paramhdr *phdr;
3498 oper = NULL;
3499 MGETHDR(oper, M_DONTWAIT, MT_HEADER);
3500 if (oper) {
3501 oper->m_len =
3502 oper->m_pkthdr.len =
3503 sizeof(struct sctp_paramhdr);
3504 phdr = mtod(oper,
3505 struct sctp_paramhdr *);
3506 phdr->param_type =
3507 htons(SCTP_CAUSE_OUT_OF_RESC);
3508 phdr->param_length =
3509 htons(sizeof(struct sctp_paramhdr));
3510 }
3511 sctp_abort_association(inp, stcb, m,
3512 iphlen, sh, oper);
3513 *offset = length;
3514 return (NULL);
3515 }
3516 }
3517 {
3518 struct mbuf *ret_buf;
3519 ret_buf = sctp_handle_cookie_echo(m, iphlen,
3520 *offset, sh,
3521 (struct sctp_cookie_echo_chunk *)ch, &inp,
3522 &stcb, netp);
3523 #ifdef SCTP_DEBUG
3524 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3525 printf("ret_buf:%p length:%d off:%d\n",
3526 ret_buf, length, *offset);
3527 }
3528 #endif /* SCTP_DEBUG */
3529
3530 if (ret_buf == NULL) {
3531 if (locked_tcb) {
3532 SCTP_TCB_UNLOCK(locked_tcb);
3533 }
3534 #ifdef SCTP_DEBUG
3535 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3536 printf("GAK, null buffer\n");
3537 }
3538 #endif /* SCTP_DEBUG */
3539 *offset = length;
3540 return (NULL);
3541 }
3542 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
3543 /*
3544 * Restart the timer if we have pending
3545 * data
3546 */
3547 struct sctp_tmit_chunk *chk;
3548 chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
3549 if (chk) {
3550 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
3551 stcb->sctp_ep, stcb,
3552 chk->whoTo);
3553 }
3554 }
3555 }
3556 break;
3557 case SCTP_COOKIE_ACK:
3558 #ifdef SCTP_DEBUG
3559 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3560 printf("SCTP_COOKIE-ACK\n");
3561 }
3562 #endif /* SCTP_DEBUG */
3563
3564 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
3565 /* We are not interested anymore */
3566 sctp_free_assoc(inp, stcb);
3567 *offset = length;
3568 return (NULL);
3569 }
3570 /* He's alive so give him credit */
3571 stcb->asoc.overall_error_count = 0;
3572 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch,
3573 stcb, *netp);
3574 break;
3575 case SCTP_ECN_ECHO:
3576 #ifdef SCTP_DEBUG
3577 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3578 printf("SCTP_ECN-ECHO\n");
3579 }
3580 #endif /* SCTP_DEBUG */
3581 /* He's alive so give him credit */
3582 stcb->asoc.overall_error_count = 0;
3583 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
3584 stcb);
3585 break;
3586 case SCTP_ECN_CWR:
3587 #ifdef SCTP_DEBUG
3588 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3589 printf("SCTP_ECN-CWR\n");
3590 }
3591 #endif /* SCTP_DEBUG */
3592 /* He's alive so give him credit */
3593 stcb->asoc.overall_error_count = 0;
3594
3595 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb);
3596 break;
3597 case SCTP_SHUTDOWN_COMPLETE:
3598 #ifdef SCTP_DEBUG
3599 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3600 printf("SCTP_SHUTDOWN-COMPLETE\n");
3601 }
3602 #endif /* SCTP_DEBUG */
3603 /* must be first and only chunk */
3604 if ((num_chunks > 1) ||
3605 (length - *offset > SCTP_SIZE32(chk_length))) {
3606 *offset = length;
3607 if (locked_tcb) {
3608 SCTP_TCB_UNLOCK(locked_tcb);
3609 }
3610 return (NULL);
3611 }
3612 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
3613 stcb, *netp);
3614 *offset = length;
3615 return (NULL);
3616 break;
3617 case SCTP_ASCONF:
3618 #ifdef SCTP_DEBUG
3619 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3620 printf("SCTP_ASCONF\n");
3621 }
3622 #endif /* SCTP_DEBUG */
3623 /* He's alive so give him credit */
3624 stcb->asoc.overall_error_count = 0;
3625
3626 sctp_handle_asconf(m, *offset,
3627 (struct sctp_asconf_chunk *)ch, stcb, *netp);
3628 break;
3629 case SCTP_ASCONF_ACK:
3630 #ifdef SCTP_DEBUG
3631 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3632 printf("SCTP_ASCONF-ACK\n");
3633 }
3634 #endif /* SCTP_DEBUG */
3635 /* He's alive so give him credit */
3636 stcb->asoc.overall_error_count = 0;
3637
3638 sctp_handle_asconf_ack(m, *offset,
3639 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp);
3640 break;
3641 case SCTP_FORWARD_CUM_TSN:
3642 #ifdef SCTP_DEBUG
3643 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3644 printf("SCTP_FWD-TSN\n");
3645 }
3646 #endif /* SCTP_DEBUG */
3647 /* He's alive so give him credit */
3648 {
3649 int abort_flag = 0;
3650 stcb->asoc.overall_error_count = 0;
3651 *fwd_tsn_seen = 1;
3652 sctp_handle_forward_tsn(stcb,
3653 (struct sctp_forward_tsn_chunk *)ch, &abort_flag);
3654 if (abort_flag) {
3655 *offset = length;
3656 return (NULL);
3657 } else {
3658 stcb->asoc.overall_error_count = 0;
3659 }
3660
3661 }
3662 break;
3663 case SCTP_STREAM_RESET:
3664 #ifdef SCTP_DEBUG
3665 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3666 printf("SCTP_STREAM_RESET\n");
3667 }
3668 #endif /* SCTP_DEBUG */
3669 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3670 chk_length, chunk_buf);
3671 if (stcb->asoc.peer_supports_strreset == 0) {
3672 /* hmm, peer should have annonced this, but
3673 * we will turn it on since he is sending us
3674 * a stream reset.
3675 */
3676 stcb->asoc.peer_supports_strreset = 1;
3677 }
3678 sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_req *)ch);
3679 break;
3680 case SCTP_PACKET_DROPPED:
3681 #ifdef SCTP_DEBUG
3682 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3683 printf("SCTP_PACKET_DROPPED\n");
3684 }
3685 #endif /* SCTP_DEBUG */
3686 /* re-get it all please */
3687 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3688 chk_length, chunk_buf);
3689
3690 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
3691 stcb, *netp);
3692
3693
3694 break;
3695 default:
3696 /* it's an unknown chunk! */
3697 if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
3698 struct mbuf *mm;
3699 struct sctp_paramhdr *phd;
3700 MGETHDR(mm, M_DONTWAIT, MT_HEADER);
3701 if (mm) {
3702 phd = mtod(mm, struct sctp_paramhdr *);
3703 /* We cheat and use param type since we
3704 * did not bother to define a error
3705 * cause struct.
3706 * They are the same basic format with
3707 * different names.
3708 */
3709 phd->param_type =
3710 htons(SCTP_CAUSE_UNRECOG_CHUNK);
3711 phd->param_length =
3712 htons(chk_length + sizeof(*phd));
3713 mm->m_len = sizeof(*phd);
3714 mm->m_next = sctp_m_copym(m, *offset,
3715 SCTP_SIZE32(chk_length),
3716 M_DONTWAIT);
3717 if (mm->m_next) {
3718 mm->m_pkthdr.len =
3719 SCTP_SIZE32(chk_length) +
3720 sizeof(*phd);
3721 sctp_queue_op_err(stcb, mm);
3722 } else {
3723 sctp_m_freem(mm);
3724 #ifdef SCTP_DEBUG
3725 if (sctp_debug_on &
3726 SCTP_DEBUG_INPUT1) {
3727 printf("Gak can't copy the chunk into operr %d bytes\n",
3728 chk_length);
3729 }
3730 #endif
3731 }
3732 }
3733 #ifdef SCTP_DEBUG
3734 else {
3735 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
3736 printf("Gak can't mgethdr for op-err of unrec chunk\n");
3737 }
3738 }
3739 #endif
3740 }
3741 if ((ch->chunk_type & 0x80) == 0) {
3742 /* discard this packet */
3743 *offset = length;
3744 return (stcb);
3745 } /* else skip this bad chunk and continue... */
3746 break;
3747 } /* switch (ch->chunk_type) */
3748 /* get the next chunk */
3749 *offset += SCTP_SIZE32(chk_length);
3750 if (*offset >= length) {
3751 /* no more data left in the mbuf chain */
3752 break;
3753 }
3754 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
3755 sizeof(struct sctp_chunkhdr), chunk_buf);
3756 if (ch == NULL) {
3757 if (locked_tcb) {
3758 SCTP_TCB_UNLOCK(locked_tcb);
3759 }
3760 *offset = length;
3761 return (NULL);
3762 }
3763 } /* while */
3764 return (stcb);
3765 }
3766
3767
3768 /*
3769 * Process the ECN bits we have something set so
3770 * we must look to see if it is ECN(0) or ECN(1) or CE
3771 */
3772 static void
3773 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net,
3774 u_int8_t ecn_bits)
3775 {
3776 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
3777 ;
3778 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) {
3779 /*
3780 * we only add to the nonce sum for ECT1, ECT0
3781 * does not change the NS bit (that we have
3782 * yet to find a way to send it yet).
3783 */
3784
3785 /* ECN Nonce stuff */
3786 stcb->asoc.receiver_nonce_sum++;
3787 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM;
3788
3789 /*
3790 * Drag up the last_echo point if cumack is larger since we
3791 * don't want the point falling way behind by more than 2^^31
3792 * and then having it be incorrect.
3793 */
3794 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
3795 stcb->asoc.last_echo_tsn, MAX_TSN)) {
3796 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
3797 }
3798 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) {
3799 /*
3800 * Drag up the last_echo point if cumack is larger since we
3801 * don't want the point falling way behind by more than 2^^31
3802 * and then having it be incorrect.
3803 */
3804 if (compare_with_wrap(stcb->asoc.cumulative_tsn,
3805 stcb->asoc.last_echo_tsn, MAX_TSN)) {
3806 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn;
3807 }
3808 }
3809 }
3810
3811 static void
3812 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net,
3813 u_int32_t high_tsn, u_int8_t ecn_bits)
3814 {
3815 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) {
3816 /*
3817 * we possibly must notify the sender that a congestion
3818 * window reduction is in order. We do this
3819 * by adding a ECNE chunk to the output chunk
3820 * queue. The incoming CWR will remove this chunk.
3821 */
3822 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn,
3823 MAX_TSN)) {
3824 /* Yep, we need to add a ECNE */
3825 sctp_send_ecn_echo(stcb, net, high_tsn);
3826 stcb->asoc.last_echo_tsn = high_tsn;
3827 }
3828 }
3829 }
3830
3831 /*
3832 * common input chunk processing (v4 and v6)
3833 */
3834 int
3835 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset,
3836 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch,
3837 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net,
3838 u_int8_t ecn_bits)
3839 {
3840 /*
3841 * Control chunk processing
3842 */
3843 u_int32_t high_tsn;
3844 int fwd_tsn_seen = 0, data_processed = 0;
3845 struct mbuf *m = *mm;
3846 int abort_flag = 0;
3847
3848 sctp_pegs[SCTP_DATAGRAMS_RCVD]++;
3849 #ifdef SCTP_AUDITING_ENABLED
3850 sctp_audit_log(0xE0, 1);
3851 sctp_auditing(0, inp, stcb, net);
3852 #endif
3853
3854 #ifdef SCTP_DEBUG
3855 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3856 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d\n",
3857 m, iphlen, offset, length);
3858 }
3859 #endif /* SCTP_DEBUG */
3860 if (IS_SCTP_CONTROL(ch)) {
3861 /* process the control portion of the SCTP packet */
3862 #ifdef SCTP_DEBUG
3863 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3864 printf("Processing control\n");
3865 }
3866 #endif /* SCTP_DEBUG */
3867
3868 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch,
3869 inp, stcb, &net, &fwd_tsn_seen);
3870 } else {
3871 /*
3872 * no control chunks, so pre-process DATA chunks
3873 * (these checks are taken care of by control processing)
3874 */
3875 #ifdef SCTP_DEBUG
3876 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3877 printf("No control present\n");
3878 }
3879 #endif /* SCTP_DEBUG */
3880
3881 if (stcb == NULL) {
3882 /* out of the blue DATA chunk */
3883 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL);
3884 return (1);
3885 }
3886 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
3887 /* v_tag mismatch! */
3888 sctp_pegs[SCTP_BAD_VTAGS]++;
3889 SCTP_TCB_UNLOCK(stcb);
3890 return (1);
3891 }
3892 }
3893 if (stcb == NULL) {
3894 /*
3895 * no valid TCB for this packet,
3896 * or we found it's a bad packet while processing control,
3897 * or we're done with this packet (done or skip rest of data),
3898 * so we drop it...
3899 */
3900 return (1);
3901 }
3902 #ifdef SCTP_DEBUG
3903 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3904 printf("Ok, control finished time to look for data (%d) offset:%d\n",
3905 length, offset);
3906 }
3907 #endif /* SCTP_DEBUG */
3908 /*
3909 * DATA chunk processing
3910 */
3911 /* plow through the data chunks while length > offset */
3912 stcb->asoc.seen_a_sack_this_pkt = 0;
3913
3914 if (length > offset) {
3915 int retval;
3916 /*
3917 * First check to make sure our state is correct.
3918 * We would not get here unless we really did have a
3919 * tag, so we don't abort if this happens, just
3920 * dump the chunk silently.
3921 */
3922 switch (SCTP_GET_STATE(&stcb->asoc)) {
3923 case SCTP_STATE_COOKIE_ECHOED:
3924 /*
3925 * we consider data with valid tags in
3926 * this state shows us the cookie-ack was lost.
3927 * Imply it was there.
3928 */
3929 stcb->asoc.overall_error_count = 0;
3930 sctp_handle_cookie_ack(
3931 (struct sctp_cookie_ack_chunk *)ch, stcb, net);
3932 break;
3933 case SCTP_STATE_COOKIE_WAIT:
3934 /*
3935 * We consider OOTB any data sent during asoc setup.
3936 */
3937 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL);
3938 SCTP_TCB_UNLOCK(stcb);
3939 return (1);
3940 break;
3941 case SCTP_STATE_EMPTY: /* should not happen */
3942 case SCTP_STATE_INUSE: /* should not happen */
3943 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */
3944 case SCTP_STATE_SHUTDOWN_ACK_SENT:
3945 default:
3946 #ifdef SCTP_DEBUG
3947 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
3948 printf("Got data in invalid state %d.. dropping\n", stcb->asoc.state);
3949 }
3950 #endif
3951 SCTP_TCB_UNLOCK(stcb);
3952 return (1);
3953 break;
3954 case SCTP_STATE_OPEN:
3955 case SCTP_STATE_SHUTDOWN_SENT:
3956 break;
3957 }
3958 /* take care of ECN, part 1. */
3959 if (stcb->asoc.ecn_allowed &&
3960 (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) {
3961 sctp_process_ecn_marked_a(stcb, net, ecn_bits);
3962 }
3963 /* plow through the data chunks while length > offset */
3964 retval = sctp_process_data(mm, iphlen, &offset, length, sh,
3965 inp, stcb, net, &high_tsn);
3966 if (retval == 2) {
3967 /* The association aborted, NO UNLOCK needed
3968 * since the association is destroyed.
3969 */
3970 return (0);
3971 }
3972
3973 data_processed = 1;
3974 if (retval == 0) {
3975 /* take care of ecn part 2. */
3976 if (stcb->asoc.ecn_allowed && (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) {
3977 sctp_process_ecn_marked_b(stcb, net, high_tsn, ecn_bits);
3978
3979 }
3980 }
3981
3982 /*
3983 * Anything important needs to have been m_copy'ed in
3984 * process_data
3985 */
3986 }
3987 if ((data_processed == 0) && (fwd_tsn_seen)) {
3988 int was_a_gap = 0;
3989 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map,
3990 stcb->asoc.cumulative_tsn, MAX_TSN)) {
3991 /* there was a gap before this data was processed */
3992 was_a_gap = 1;
3993 }
3994 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag);
3995 if (abort_flag) {
3996 /* Again, we aborted so NO UNLOCK needed */
3997 return (0);
3998 }
3999 }
4000 /* trigger send of any chunks in queue... */
4001 #ifdef SCTP_AUDITING_ENABLED
4002 sctp_audit_log(0xE0, 2);
4003 sctp_auditing(1, inp, stcb, net);
4004 #endif
4005 #ifdef SCTP_DEBUG
4006 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4007 printf("Check for chunk output prw:%d tqe:%d tf=%d\n",
4008 stcb->asoc.peers_rwnd,
4009 TAILQ_EMPTY(&stcb->asoc.control_send_queue),
4010 stcb->asoc.total_flight);
4011 }
4012 #endif
4013 if (stcb->asoc.peers_rwnd > 0 ||
4014 !TAILQ_EMPTY(&stcb->asoc.control_send_queue) ||
4015 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)) {
4016 #ifdef SCTP_DEBUG
4017 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4018 printf("Calling chunk OUTPUT\n");
4019 }
4020 #endif
4021 sctp_chunk_output(inp, stcb, 3);
4022 #ifdef SCTP_DEBUG
4023 if (sctp_debug_on & SCTP_DEBUG_INPUT3) {
4024 printf("chunk OUTPUT returns\n");
4025 }
4026 #endif
4027 }
4028
4029 #ifdef SCTP_AUDITING_ENABLED
4030 sctp_audit_log(0xE0, 3);
4031 sctp_auditing(2, inp, stcb, net);
4032 #endif
4033 SCTP_TCB_UNLOCK(stcb);
4034 return (0);
4035 }
4036
4037 #if defined(__OpenBSD__)
4038 static void
4039 sctp_saveopt(struct sctp_inpcb *inp, struct mbuf **mp, struct ip *ip,
4040 struct mbuf *m)
4041 {
4042 if (inp->ip_inp.inp.inp_flags & INP_RECVDSTADDR) {
4043 *mp = sbcreatecontrol((vaddr_t) &ip->ip_dst,
4044 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP);
4045 if (*mp)
4046 mp = &(*mp)->m_next;
4047 }
4048 }
4049 #endif
4050
4051 extern int sctp_no_csum_on_loopback;
4052
4053 void
4054 sctp_input(struct mbuf *m, int off, int proto)
4055 {
4056 int iphlen;
4057 u_int8_t ecn_bits;
4058 struct ip *ip;
4059 struct sctphdr *sh;
4060 struct sctp_inpcb *inp = NULL;
4061 struct mbuf *opts = 0;
4062 /*#ifdef INET6*/
4063 /* Don't think this is needed */
4064 /* struct ip6_recvpktopts opts6;*/
4065 /*#endif INET6 */
4066
4067 u_int32_t check, calc_check;
4068 struct sctp_nets *net;
4069 struct sctp_tcb *stcb = NULL;
4070 struct sctp_chunkhdr *ch;
4071 int refcount_up = 0;
4072 int length, mlen, offset;
4073
4074 iphlen = off;
4075
4076 net = NULL;
4077 sctp_pegs[SCTP_INPKTS]++;
4078 #ifdef SCTP_DEBUG
4079 /*if (sctp_debug_on & SCTP_DEBUG_INPUT1) {*/
4080 printf("V4 input gets a packet iphlen:%d pktlen:%d\n", iphlen, m->m_pkthdr.len);
4081 /*}*/
4082 #endif
4083 /*#ifdef INET6*/
4084 /* Don't think this is needed */
4085 /* bzero(&opts6, sizeof(opts6));*/
4086 /*#endif INET6 */
4087
4088 /*
4089 * Strip IP options, we don't allow any in or out.
4090 */
4091 if ((size_t)iphlen > sizeof(struct ip)) {
4092 printf("sctp_input: got options\n");
4093 #if 0 /* XXX */
4094 ip_stripoptions(m, (struct mbuf *)0);
4095 #endif
4096 iphlen = sizeof(struct ip);
4097 }
4098
4099 /*
4100 * Get IP, SCTP, and first chunk header together in first mbuf.
4101 */
4102 ip = mtod(m, struct ip *);
4103 offset = iphlen + sizeof(*sh) + sizeof(*ch);
4104 if (m->m_len < offset) {
4105 if ((m = m_pullup(m, offset)) == 0) {
4106 sctp_pegs[SCTP_HDR_DROPS]++;
4107 return;
4108 }
4109 ip = mtod(m, struct ip *);
4110 }
4111 sh = (struct sctphdr *)((vaddr_t)ip + iphlen);
4112 ch = (struct sctp_chunkhdr *)((vaddr_t)sh + sizeof(*sh));
4113
4114 /* SCTP does not allow broadcasts or multicasts */
4115 if (IN_MULTICAST(ip->ip_dst.s_addr))
4116 {
4117 sctp_pegs[SCTP_IN_MCAST]++;
4118 goto bad;
4119 }
4120 if (in_broadcast(ip->ip_dst, m_get_rcvif_NOMPSAFE(m))) {
4121 sctp_pegs[SCTP_IN_MCAST]++;
4122 goto bad;
4123 }
4124
4125 /* destination port of 0 is illegal, based on RFC2960. */
4126 if (sh->dest_port == 0) {
4127 sctp_pegs[SCTP_HDR_DROPS]++;
4128 goto bad;
4129 }
4130
4131 /* validate SCTP checksum */
4132 if ((sctp_no_csum_on_loopback == 0) ||
4133 (m_get_rcvif_NOMPSAFE(m) == NULL) ||
4134 (m_get_rcvif_NOMPSAFE(m)->if_type != IFT_LOOP)) {
4135 /* we do NOT validate things from the loopback if the
4136 * sysctl is set to 1.
4137 */
4138 check = sh->checksum; /* save incoming checksum */
4139 if ((check == 0) && (sctp_no_csum_on_loopback)) {
4140 /* special hook for where we got a local address
4141 * somehow routed across a non IFT_LOOP type interface
4142 */
4143 if (ip->ip_src.s_addr == ip->ip_dst.s_addr)
4144 goto sctp_skip_csum_4;
4145 }
4146 sh->checksum = 0; /* prepare for calc */
4147 calc_check = sctp_calculate_sum(m, &mlen, iphlen);
4148 if (calc_check != check) {
4149 #ifdef SCTP_DEBUG
4150 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4151 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n",
4152 calc_check, check, m, mlen, iphlen);
4153 }
4154 #endif
4155
4156 stcb = sctp_findassociation_addr(m, iphlen,
4157 offset - sizeof(*ch),
4158 sh, ch, &inp, &net);
4159 if ((inp) && (stcb)) {
4160 sctp_send_packet_dropped(stcb, net, m, iphlen,
4161 1);
4162 sctp_chunk_output(inp, stcb, 2);
4163 } else if ((inp != NULL) && (stcb == NULL)) {
4164 refcount_up = 1;
4165 }
4166 sctp_pegs[SCTP_BAD_CSUM]++;
4167 goto bad;
4168 }
4169 sh->checksum = calc_check;
4170 } else {
4171 sctp_skip_csum_4:
4172 mlen = m->m_pkthdr.len;
4173 }
4174 /* validate mbuf chain length with IP payload length */
4175 #if defined(__NetBSD__) || defined(__OpenBSD__)
4176 /* Open BSD gives us the len in network order, fix it */
4177 NTOHS(ip->ip_len);
4178 #endif
4179 if (mlen < (ip->ip_len - iphlen)) {
4180 sctp_pegs[SCTP_HDR_DROPS]++;
4181 goto bad;
4182 }
4183
4184 /*
4185 * Locate pcb and tcb for datagram
4186 * sctp_findassociation_addr() wants IP/SCTP/first chunk header...
4187 */
4188 #ifdef SCTP_DEBUG
4189 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4190 printf("V4 find association\n");
4191 }
4192 #endif
4193
4194 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch),
4195 sh, ch, &inp, &net);
4196 /* inp's ref-count increased && stcb locked */
4197 if (inp == NULL) {
4198 struct sctp_init_chunk *init_chk, chunk_buf;
4199
4200 sctp_pegs[SCTP_NOPORTS]++;
4201 #ifdef ICMP_BANDLIM
4202 /*
4203 * we use the bandwidth limiting to protect against
4204 * sending too many ABORTS all at once. In this case
4205 * these count the same as an ICMP message.
4206 */
4207 if (badport_bandlim(0) < 0)
4208 goto bad;
4209 #endif /* ICMP_BANDLIM */
4210 #ifdef SCTP_DEBUG
4211 if (sctp_debug_on & SCTP_DEBUG_INPUT1) {
4212 printf("Sending a ABORT from packet entry!\n");
4213 }
4214 #endif
4215 if (ch->chunk_type == SCTP_INITIATION) {
4216 /* we do a trick here to get the INIT tag,
4217 * dig in and get the tag from the INIT and
4218 * put it in the common header.
4219 */
4220 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m,
4221 iphlen + sizeof(*sh), sizeof(*init_chk),
4222 (u_int8_t *)&chunk_buf);
4223 if (init_chk != NULL)
4224 sh->v_tag = init_chk->init.initiate_tag;
4225 }
4226 sctp_send_abort(m, iphlen, sh, 0, NULL);
4227 goto bad;
4228 } else if (stcb == NULL) {
4229 refcount_up = 1;
4230 }
4231 #ifdef IPSEC
4232 /*
4233 * I very much doubt any of the IPSEC stuff will work but I have
4234 * no idea, so I will leave it in place.
4235 */
4236 if (ipsec_used && ipsec_in_reject(m, (struct inpcb *)inp)) {
4237 #if 0
4238 ipsecstat.in_polvio++;
4239 #endif
4240 sctp_pegs[SCTP_HDR_DROPS]++;
4241 goto bad;
4242 }
4243 #endif /* IPSEC */
4244
4245 /*
4246 * Construct sockaddr format source address.
4247 * Stuff source address and datagram in user buffer.
4248 */
4249 if ((inp->ip_inp.inp.inp_flags & INP_CONTROLOPTS)
4250 || (inp->sctp_socket->so_options & SO_TIMESTAMP)
4251 ) {
4252 ip_savecontrol((struct inpcb *)inp, &opts, ip, m);
4253 }
4254
4255 /*
4256 * common chunk processing
4257 */
4258 length = ip->ip_len - (ip->ip_hl << 2) + iphlen;
4259 offset -= sizeof(struct sctp_chunkhdr);
4260
4261 ecn_bits = ip->ip_tos;
4262 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch,
4263 inp, stcb, net, ecn_bits);
4264 /* inp's ref-count reduced && stcb unlocked */
4265 if (m) {
4266 sctp_m_freem(m);
4267 }
4268 if (opts)
4269 sctp_m_freem(opts);
4270
4271 if ((inp) && (refcount_up)) {
4272 /* reduce ref-count */
4273 SCTP_INP_WLOCK(inp);
4274 SCTP_INP_DECR_REF(inp);
4275 SCTP_INP_WUNLOCK(inp);
4276 }
4277
4278 return;
4279 bad:
4280 if (stcb) {
4281 SCTP_TCB_UNLOCK(stcb);
4282 }
4283
4284 if ((inp) && (refcount_up)) {
4285 /* reduce ref-count */
4286 SCTP_INP_WLOCK(inp);
4287 SCTP_INP_DECR_REF(inp);
4288 SCTP_INP_WUNLOCK(inp);
4289 }
4290
4291 if (m) {
4292 sctp_m_freem(m);
4293 }
4294 if (opts)
4295 sctp_m_freem(opts);
4296 return;
4297 }
Cache object: 2de476e40dedf8aa428b7979c87bac6e
|