sctp_output.c revision 294216 
1/*-
2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * a) Redistributions of source code must retain the above copyright notice,
10 *    this list of conditions and the following disclaimer.
11 *
12 * b) Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in
14 *    the documentation and/or other materials provided with the distribution.
15 *
16 * c) Neither the name of Cisco Systems, Inc. nor the names of its
17 *    contributors may be used to endorse or promote products derived
18 *    from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30 * THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33#include <sys/cdefs.h>
34__FBSDID("$FreeBSD: stable/10/sys/netinet/sctp_output.c 294216 2016-01-17 12:18:01Z tuexen $");
35
36#include <netinet/sctp_os.h>
37#include <sys/proc.h>
38#include <netinet/sctp_var.h>
39#include <netinet/sctp_sysctl.h>
40#include <netinet/sctp_header.h>
41#include <netinet/sctp_pcb.h>
42#include <netinet/sctputil.h>
43#include <netinet/sctp_output.h>
44#include <netinet/sctp_uio.h>
45#include <netinet/sctputil.h>
46#include <netinet/sctp_auth.h>
47#include <netinet/sctp_timer.h>
48#include <netinet/sctp_asconf.h>
49#include <netinet/sctp_indata.h>
50#include <netinet/sctp_bsd_addr.h>
51#include <netinet/sctp_input.h>
52#include <netinet/sctp_crc32.h>
53#if defined(INET) || defined(INET6)
54#include <netinet/udp.h>
55#endif
56#include <netinet/udp_var.h>
57#include <machine/in_cksum.h>
58
59
60
61#define SCTP_MAX_GAPS_INARRAY 4
62struct sack_track {
63	uint8_t right_edge;	/* mergable on the right edge */
64	uint8_t left_edge;	/* mergable on the left edge */
65	uint8_t num_entries;
66	uint8_t spare;
67	struct sctp_gap_ack_block gaps[SCTP_MAX_GAPS_INARRAY];
68};
69
70struct sack_track sack_array[256] = {
71	{0, 0, 0, 0,		/* 0x00 */
72		{{0, 0},
73		{0, 0},
74		{0, 0},
75		{0, 0}
76		}
77	},
78	{1, 0, 1, 0,		/* 0x01 */
79		{{0, 0},
80		{0, 0},
81		{0, 0},
82		{0, 0}
83		}
84	},
85	{0, 0, 1, 0,		/* 0x02 */
86		{{1, 1},
87		{0, 0},
88		{0, 0},
89		{0, 0}
90		}
91	},
92	{1, 0, 1, 0,		/* 0x03 */
93		{{0, 1},
94		{0, 0},
95		{0, 0},
96		{0, 0}
97		}
98	},
99	{0, 0, 1, 0,		/* 0x04 */
100		{{2, 2},
101		{0, 0},
102		{0, 0},
103		{0, 0}
104		}
105	},
106	{1, 0, 2, 0,		/* 0x05 */
107		{{0, 0},
108		{2, 2},
109		{0, 0},
110		{0, 0}
111		}
112	},
113	{0, 0, 1, 0,		/* 0x06 */
114		{{1, 2},
115		{0, 0},
116		{0, 0},
117		{0, 0}
118		}
119	},
120	{1, 0, 1, 0,		/* 0x07 */
121		{{0, 2},
122		{0, 0},
123		{0, 0},
124		{0, 0}
125		}
126	},
127	{0, 0, 1, 0,		/* 0x08 */
128		{{3, 3},
129		{0, 0},
130		{0, 0},
131		{0, 0}
132		}
133	},
134	{1, 0, 2, 0,		/* 0x09 */
135		{{0, 0},
136		{3, 3},
137		{0, 0},
138		{0, 0}
139		}
140	},
141	{0, 0, 2, 0,		/* 0x0a */
142		{{1, 1},
143		{3, 3},
144		{0, 0},
145		{0, 0}
146		}
147	},
148	{1, 0, 2, 0,		/* 0x0b */
149		{{0, 1},
150		{3, 3},
151		{0, 0},
152		{0, 0}
153		}
154	},
155	{0, 0, 1, 0,		/* 0x0c */
156		{{2, 3},
157		{0, 0},
158		{0, 0},
159		{0, 0}
160		}
161	},
162	{1, 0, 2, 0,		/* 0x0d */
163		{{0, 0},
164		{2, 3},
165		{0, 0},
166		{0, 0}
167		}
168	},
169	{0, 0, 1, 0,		/* 0x0e */
170		{{1, 3},
171		{0, 0},
172		{0, 0},
173		{0, 0}
174		}
175	},
176	{1, 0, 1, 0,		/* 0x0f */
177		{{0, 3},
178		{0, 0},
179		{0, 0},
180		{0, 0}
181		}
182	},
183	{0, 0, 1, 0,		/* 0x10 */
184		{{4, 4},
185		{0, 0},
186		{0, 0},
187		{0, 0}
188		}
189	},
190	{1, 0, 2, 0,		/* 0x11 */
191		{{0, 0},
192		{4, 4},
193		{0, 0},
194		{0, 0}
195		}
196	},
197	{0, 0, 2, 0,		/* 0x12 */
198		{{1, 1},
199		{4, 4},
200		{0, 0},
201		{0, 0}
202		}
203	},
204	{1, 0, 2, 0,		/* 0x13 */
205		{{0, 1},
206		{4, 4},
207		{0, 0},
208		{0, 0}
209		}
210	},
211	{0, 0, 2, 0,		/* 0x14 */
212		{{2, 2},
213		{4, 4},
214		{0, 0},
215		{0, 0}
216		}
217	},
218	{1, 0, 3, 0,		/* 0x15 */
219		{{0, 0},
220		{2, 2},
221		{4, 4},
222		{0, 0}
223		}
224	},
225	{0, 0, 2, 0,		/* 0x16 */
226		{{1, 2},
227		{4, 4},
228		{0, 0},
229		{0, 0}
230		}
231	},
232	{1, 0, 2, 0,		/* 0x17 */
233		{{0, 2},
234		{4, 4},
235		{0, 0},
236		{0, 0}
237		}
238	},
239	{0, 0, 1, 0,		/* 0x18 */
240		{{3, 4},
241		{0, 0},
242		{0, 0},
243		{0, 0}
244		}
245	},
246	{1, 0, 2, 0,		/* 0x19 */
247		{{0, 0},
248		{3, 4},
249		{0, 0},
250		{0, 0}
251		}
252	},
253	{0, 0, 2, 0,		/* 0x1a */
254		{{1, 1},
255		{3, 4},
256		{0, 0},
257		{0, 0}
258		}
259	},
260	{1, 0, 2, 0,		/* 0x1b */
261		{{0, 1},
262		{3, 4},
263		{0, 0},
264		{0, 0}
265		}
266	},
267	{0, 0, 1, 0,		/* 0x1c */
268		{{2, 4},
269		{0, 0},
270		{0, 0},
271		{0, 0}
272		}
273	},
274	{1, 0, 2, 0,		/* 0x1d */
275		{{0, 0},
276		{2, 4},
277		{0, 0},
278		{0, 0}
279		}
280	},
281	{0, 0, 1, 0,		/* 0x1e */
282		{{1, 4},
283		{0, 0},
284		{0, 0},
285		{0, 0}
286		}
287	},
288	{1, 0, 1, 0,		/* 0x1f */
289		{{0, 4},
290		{0, 0},
291		{0, 0},
292		{0, 0}
293		}
294	},
295	{0, 0, 1, 0,		/* 0x20 */
296		{{5, 5},
297		{0, 0},
298		{0, 0},
299		{0, 0}
300		}
301	},
302	{1, 0, 2, 0,		/* 0x21 */
303		{{0, 0},
304		{5, 5},
305		{0, 0},
306		{0, 0}
307		}
308	},
309	{0, 0, 2, 0,		/* 0x22 */
310		{{1, 1},
311		{5, 5},
312		{0, 0},
313		{0, 0}
314		}
315	},
316	{1, 0, 2, 0,		/* 0x23 */
317		{{0, 1},
318		{5, 5},
319		{0, 0},
320		{0, 0}
321		}
322	},
323	{0, 0, 2, 0,		/* 0x24 */
324		{{2, 2},
325		{5, 5},
326		{0, 0},
327		{0, 0}
328		}
329	},
330	{1, 0, 3, 0,		/* 0x25 */
331		{{0, 0},
332		{2, 2},
333		{5, 5},
334		{0, 0}
335		}
336	},
337	{0, 0, 2, 0,		/* 0x26 */
338		{{1, 2},
339		{5, 5},
340		{0, 0},
341		{0, 0}
342		}
343	},
344	{1, 0, 2, 0,		/* 0x27 */
345		{{0, 2},
346		{5, 5},
347		{0, 0},
348		{0, 0}
349		}
350	},
351	{0, 0, 2, 0,		/* 0x28 */
352		{{3, 3},
353		{5, 5},
354		{0, 0},
355		{0, 0}
356		}
357	},
358	{1, 0, 3, 0,		/* 0x29 */
359		{{0, 0},
360		{3, 3},
361		{5, 5},
362		{0, 0}
363		}
364	},
365	{0, 0, 3, 0,		/* 0x2a */
366		{{1, 1},
367		{3, 3},
368		{5, 5},
369		{0, 0}
370		}
371	},
372	{1, 0, 3, 0,		/* 0x2b */
373		{{0, 1},
374		{3, 3},
375		{5, 5},
376		{0, 0}
377		}
378	},
379	{0, 0, 2, 0,		/* 0x2c */
380		{{2, 3},
381		{5, 5},
382		{0, 0},
383		{0, 0}
384		}
385	},
386	{1, 0, 3, 0,		/* 0x2d */
387		{{0, 0},
388		{2, 3},
389		{5, 5},
390		{0, 0}
391		}
392	},
393	{0, 0, 2, 0,		/* 0x2e */
394		{{1, 3},
395		{5, 5},
396		{0, 0},
397		{0, 0}
398		}
399	},
400	{1, 0, 2, 0,		/* 0x2f */
401		{{0, 3},
402		{5, 5},
403		{0, 0},
404		{0, 0}
405		}
406	},
407	{0, 0, 1, 0,		/* 0x30 */
408		{{4, 5},
409		{0, 0},
410		{0, 0},
411		{0, 0}
412		}
413	},
414	{1, 0, 2, 0,		/* 0x31 */
415		{{0, 0},
416		{4, 5},
417		{0, 0},
418		{0, 0}
419		}
420	},
421	{0, 0, 2, 0,		/* 0x32 */
422		{{1, 1},
423		{4, 5},
424		{0, 0},
425		{0, 0}
426		}
427	},
428	{1, 0, 2, 0,		/* 0x33 */
429		{{0, 1},
430		{4, 5},
431		{0, 0},
432		{0, 0}
433		}
434	},
435	{0, 0, 2, 0,		/* 0x34 */
436		{{2, 2},
437		{4, 5},
438		{0, 0},
439		{0, 0}
440		}
441	},
442	{1, 0, 3, 0,		/* 0x35 */
443		{{0, 0},
444		{2, 2},
445		{4, 5},
446		{0, 0}
447		}
448	},
449	{0, 0, 2, 0,		/* 0x36 */
450		{{1, 2},
451		{4, 5},
452		{0, 0},
453		{0, 0}
454		}
455	},
456	{1, 0, 2, 0,		/* 0x37 */
457		{{0, 2},
458		{4, 5},
459		{0, 0},
460		{0, 0}
461		}
462	},
463	{0, 0, 1, 0,		/* 0x38 */
464		{{3, 5},
465		{0, 0},
466		{0, 0},
467		{0, 0}
468		}
469	},
470	{1, 0, 2, 0,		/* 0x39 */
471		{{0, 0},
472		{3, 5},
473		{0, 0},
474		{0, 0}
475		}
476	},
477	{0, 0, 2, 0,		/* 0x3a */
478		{{1, 1},
479		{3, 5},
480		{0, 0},
481		{0, 0}
482		}
483	},
484	{1, 0, 2, 0,		/* 0x3b */
485		{{0, 1},
486		{3, 5},
487		{0, 0},
488		{0, 0}
489		}
490	},
491	{0, 0, 1, 0,		/* 0x3c */
492		{{2, 5},
493		{0, 0},
494		{0, 0},
495		{0, 0}
496		}
497	},
498	{1, 0, 2, 0,		/* 0x3d */
499		{{0, 0},
500		{2, 5},
501		{0, 0},
502		{0, 0}
503		}
504	},
505	{0, 0, 1, 0,		/* 0x3e */
506		{{1, 5},
507		{0, 0},
508		{0, 0},
509		{0, 0}
510		}
511	},
512	{1, 0, 1, 0,		/* 0x3f */
513		{{0, 5},
514		{0, 0},
515		{0, 0},
516		{0, 0}
517		}
518	},
519	{0, 0, 1, 0,		/* 0x40 */
520		{{6, 6},
521		{0, 0},
522		{0, 0},
523		{0, 0}
524		}
525	},
526	{1, 0, 2, 0,		/* 0x41 */
527		{{0, 0},
528		{6, 6},
529		{0, 0},
530		{0, 0}
531		}
532	},
533	{0, 0, 2, 0,		/* 0x42 */
534		{{1, 1},
535		{6, 6},
536		{0, 0},
537		{0, 0}
538		}
539	},
540	{1, 0, 2, 0,		/* 0x43 */
541		{{0, 1},
542		{6, 6},
543		{0, 0},
544		{0, 0}
545		}
546	},
547	{0, 0, 2, 0,		/* 0x44 */
548		{{2, 2},
549		{6, 6},
550		{0, 0},
551		{0, 0}
552		}
553	},
554	{1, 0, 3, 0,		/* 0x45 */
555		{{0, 0},
556		{2, 2},
557		{6, 6},
558		{0, 0}
559		}
560	},
561	{0, 0, 2, 0,		/* 0x46 */
562		{{1, 2},
563		{6, 6},
564		{0, 0},
565		{0, 0}
566		}
567	},
568	{1, 0, 2, 0,		/* 0x47 */
569		{{0, 2},
570		{6, 6},
571		{0, 0},
572		{0, 0}
573		}
574	},
575	{0, 0, 2, 0,		/* 0x48 */
576		{{3, 3},
577		{6, 6},
578		{0, 0},
579		{0, 0}
580		}
581	},
582	{1, 0, 3, 0,		/* 0x49 */
583		{{0, 0},
584		{3, 3},
585		{6, 6},
586		{0, 0}
587		}
588	},
589	{0, 0, 3, 0,		/* 0x4a */
590		{{1, 1},
591		{3, 3},
592		{6, 6},
593		{0, 0}
594		}
595	},
596	{1, 0, 3, 0,		/* 0x4b */
597		{{0, 1},
598		{3, 3},
599		{6, 6},
600		{0, 0}
601		}
602	},
603	{0, 0, 2, 0,		/* 0x4c */
604		{{2, 3},
605		{6, 6},
606		{0, 0},
607		{0, 0}
608		}
609	},
610	{1, 0, 3, 0,		/* 0x4d */
611		{{0, 0},
612		{2, 3},
613		{6, 6},
614		{0, 0}
615		}
616	},
617	{0, 0, 2, 0,		/* 0x4e */
618		{{1, 3},
619		{6, 6},
620		{0, 0},
621		{0, 0}
622		}
623	},
624	{1, 0, 2, 0,		/* 0x4f */
625		{{0, 3},
626		{6, 6},
627		{0, 0},
628		{0, 0}
629		}
630	},
631	{0, 0, 2, 0,		/* 0x50 */
632		{{4, 4},
633		{6, 6},
634		{0, 0},
635		{0, 0}
636		}
637	},
638	{1, 0, 3, 0,		/* 0x51 */
639		{{0, 0},
640		{4, 4},
641		{6, 6},
642		{0, 0}
643		}
644	},
645	{0, 0, 3, 0,		/* 0x52 */
646		{{1, 1},
647		{4, 4},
648		{6, 6},
649		{0, 0}
650		}
651	},
652	{1, 0, 3, 0,		/* 0x53 */
653		{{0, 1},
654		{4, 4},
655		{6, 6},
656		{0, 0}
657		}
658	},
659	{0, 0, 3, 0,		/* 0x54 */
660		{{2, 2},
661		{4, 4},
662		{6, 6},
663		{0, 0}
664		}
665	},
666	{1, 0, 4, 0,		/* 0x55 */
667		{{0, 0},
668		{2, 2},
669		{4, 4},
670		{6, 6}
671		}
672	},
673	{0, 0, 3, 0,		/* 0x56 */
674		{{1, 2},
675		{4, 4},
676		{6, 6},
677		{0, 0}
678		}
679	},
680	{1, 0, 3, 0,		/* 0x57 */
681		{{0, 2},
682		{4, 4},
683		{6, 6},
684		{0, 0}
685		}
686	},
687	{0, 0, 2, 0,		/* 0x58 */
688		{{3, 4},
689		{6, 6},
690		{0, 0},
691		{0, 0}
692		}
693	},
694	{1, 0, 3, 0,		/* 0x59 */
695		{{0, 0},
696		{3, 4},
697		{6, 6},
698		{0, 0}
699		}
700	},
701	{0, 0, 3, 0,		/* 0x5a */
702		{{1, 1},
703		{3, 4},
704		{6, 6},
705		{0, 0}
706		}
707	},
708	{1, 0, 3, 0,		/* 0x5b */
709		{{0, 1},
710		{3, 4},
711		{6, 6},
712		{0, 0}
713		}
714	},
715	{0, 0, 2, 0,		/* 0x5c */
716		{{2, 4},
717		{6, 6},
718		{0, 0},
719		{0, 0}
720		}
721	},
722	{1, 0, 3, 0,		/* 0x5d */
723		{{0, 0},
724		{2, 4},
725		{6, 6},
726		{0, 0}
727		}
728	},
729	{0, 0, 2, 0,		/* 0x5e */
730		{{1, 4},
731		{6, 6},
732		{0, 0},
733		{0, 0}
734		}
735	},
736	{1, 0, 2, 0,		/* 0x5f */
737		{{0, 4},
738		{6, 6},
739		{0, 0},
740		{0, 0}
741		}
742	},
743	{0, 0, 1, 0,		/* 0x60 */
744		{{5, 6},
745		{0, 0},
746		{0, 0},
747		{0, 0}
748		}
749	},
750	{1, 0, 2, 0,		/* 0x61 */
751		{{0, 0},
752		{5, 6},
753		{0, 0},
754		{0, 0}
755		}
756	},
757	{0, 0, 2, 0,		/* 0x62 */
758		{{1, 1},
759		{5, 6},
760		{0, 0},
761		{0, 0}
762		}
763	},
764	{1, 0, 2, 0,		/* 0x63 */
765		{{0, 1},
766		{5, 6},
767		{0, 0},
768		{0, 0}
769		}
770	},
771	{0, 0, 2, 0,		/* 0x64 */
772		{{2, 2},
773		{5, 6},
774		{0, 0},
775		{0, 0}
776		}
777	},
778	{1, 0, 3, 0,		/* 0x65 */
779		{{0, 0},
780		{2, 2},
781		{5, 6},
782		{0, 0}
783		}
784	},
785	{0, 0, 2, 0,		/* 0x66 */
786		{{1, 2},
787		{5, 6},
788		{0, 0},
789		{0, 0}
790		}
791	},
792	{1, 0, 2, 0,		/* 0x67 */
793		{{0, 2},
794		{5, 6},
795		{0, 0},
796		{0, 0}
797		}
798	},
799	{0, 0, 2, 0,		/* 0x68 */
800		{{3, 3},
801		{5, 6},
802		{0, 0},
803		{0, 0}
804		}
805	},
806	{1, 0, 3, 0,		/* 0x69 */
807		{{0, 0},
808		{3, 3},
809		{5, 6},
810		{0, 0}
811		}
812	},
813	{0, 0, 3, 0,		/* 0x6a */
814		{{1, 1},
815		{3, 3},
816		{5, 6},
817		{0, 0}
818		}
819	},
820	{1, 0, 3, 0,		/* 0x6b */
821		{{0, 1},
822		{3, 3},
823		{5, 6},
824		{0, 0}
825		}
826	},
827	{0, 0, 2, 0,		/* 0x6c */
828		{{2, 3},
829		{5, 6},
830		{0, 0},
831		{0, 0}
832		}
833	},
834	{1, 0, 3, 0,		/* 0x6d */
835		{{0, 0},
836		{2, 3},
837		{5, 6},
838		{0, 0}
839		}
840	},
841	{0, 0, 2, 0,		/* 0x6e */
842		{{1, 3},
843		{5, 6},
844		{0, 0},
845		{0, 0}
846		}
847	},
848	{1, 0, 2, 0,		/* 0x6f */
849		{{0, 3},
850		{5, 6},
851		{0, 0},
852		{0, 0}
853		}
854	},
855	{0, 0, 1, 0,		/* 0x70 */
856		{{4, 6},
857		{0, 0},
858		{0, 0},
859		{0, 0}
860		}
861	},
862	{1, 0, 2, 0,		/* 0x71 */
863		{{0, 0},
864		{4, 6},
865		{0, 0},
866		{0, 0}
867		}
868	},
869	{0, 0, 2, 0,		/* 0x72 */
870		{{1, 1},
871		{4, 6},
872		{0, 0},
873		{0, 0}
874		}
875	},
876	{1, 0, 2, 0,		/* 0x73 */
877		{{0, 1},
878		{4, 6},
879		{0, 0},
880		{0, 0}
881		}
882	},
883	{0, 0, 2, 0,		/* 0x74 */
884		{{2, 2},
885		{4, 6},
886		{0, 0},
887		{0, 0}
888		}
889	},
890	{1, 0, 3, 0,		/* 0x75 */
891		{{0, 0},
892		{2, 2},
893		{4, 6},
894		{0, 0}
895		}
896	},
897	{0, 0, 2, 0,		/* 0x76 */
898		{{1, 2},
899		{4, 6},
900		{0, 0},
901		{0, 0}
902		}
903	},
904	{1, 0, 2, 0,		/* 0x77 */
905		{{0, 2},
906		{4, 6},
907		{0, 0},
908		{0, 0}
909		}
910	},
911	{0, 0, 1, 0,		/* 0x78 */
912		{{3, 6},
913		{0, 0},
914		{0, 0},
915		{0, 0}
916		}
917	},
918	{1, 0, 2, 0,		/* 0x79 */
919		{{0, 0},
920		{3, 6},
921		{0, 0},
922		{0, 0}
923		}
924	},
925	{0, 0, 2, 0,		/* 0x7a */
926		{{1, 1},
927		{3, 6},
928		{0, 0},
929		{0, 0}
930		}
931	},
932	{1, 0, 2, 0,		/* 0x7b */
933		{{0, 1},
934		{3, 6},
935		{0, 0},
936		{0, 0}
937		}
938	},
939	{0, 0, 1, 0,		/* 0x7c */
940		{{2, 6},
941		{0, 0},
942		{0, 0},
943		{0, 0}
944		}
945	},
946	{1, 0, 2, 0,		/* 0x7d */
947		{{0, 0},
948		{2, 6},
949		{0, 0},
950		{0, 0}
951		}
952	},
953	{0, 0, 1, 0,		/* 0x7e */
954		{{1, 6},
955		{0, 0},
956		{0, 0},
957		{0, 0}
958		}
959	},
960	{1, 0, 1, 0,		/* 0x7f */
961		{{0, 6},
962		{0, 0},
963		{0, 0},
964		{0, 0}
965		}
966	},
967	{0, 1, 1, 0,		/* 0x80 */
968		{{7, 7},
969		{0, 0},
970		{0, 0},
971		{0, 0}
972		}
973	},
974	{1, 1, 2, 0,		/* 0x81 */
975		{{0, 0},
976		{7, 7},
977		{0, 0},
978		{0, 0}
979		}
980	},
981	{0, 1, 2, 0,		/* 0x82 */
982		{{1, 1},
983		{7, 7},
984		{0, 0},
985		{0, 0}
986		}
987	},
988	{1, 1, 2, 0,		/* 0x83 */
989		{{0, 1},
990		{7, 7},
991		{0, 0},
992		{0, 0}
993		}
994	},
995	{0, 1, 2, 0,		/* 0x84 */
996		{{2, 2},
997		{7, 7},
998		{0, 0},
999		{0, 0}
1000		}
1001	},
1002	{1, 1, 3, 0,		/* 0x85 */
1003		{{0, 0},
1004		{2, 2},
1005		{7, 7},
1006		{0, 0}
1007		}
1008	},
1009	{0, 1, 2, 0,		/* 0x86 */
1010		{{1, 2},
1011		{7, 7},
1012		{0, 0},
1013		{0, 0}
1014		}
1015	},
1016	{1, 1, 2, 0,		/* 0x87 */
1017		{{0, 2},
1018		{7, 7},
1019		{0, 0},
1020		{0, 0}
1021		}
1022	},
1023	{0, 1, 2, 0,		/* 0x88 */
1024		{{3, 3},
1025		{7, 7},
1026		{0, 0},
1027		{0, 0}
1028		}
1029	},
1030	{1, 1, 3, 0,		/* 0x89 */
1031		{{0, 0},
1032		{3, 3},
1033		{7, 7},
1034		{0, 0}
1035		}
1036	},
1037	{0, 1, 3, 0,		/* 0x8a */
1038		{{1, 1},
1039		{3, 3},
1040		{7, 7},
1041		{0, 0}
1042		}
1043	},
1044	{1, 1, 3, 0,		/* 0x8b */
1045		{{0, 1},
1046		{3, 3},
1047		{7, 7},
1048		{0, 0}
1049		}
1050	},
1051	{0, 1, 2, 0,		/* 0x8c */
1052		{{2, 3},
1053		{7, 7},
1054		{0, 0},
1055		{0, 0}
1056		}
1057	},
1058	{1, 1, 3, 0,		/* 0x8d */
1059		{{0, 0},
1060		{2, 3},
1061		{7, 7},
1062		{0, 0}
1063		}
1064	},
1065	{0, 1, 2, 0,		/* 0x8e */
1066		{{1, 3},
1067		{7, 7},
1068		{0, 0},
1069		{0, 0}
1070		}
1071	},
1072	{1, 1, 2, 0,		/* 0x8f */
1073		{{0, 3},
1074		{7, 7},
1075		{0, 0},
1076		{0, 0}
1077		}
1078	},
1079	{0, 1, 2, 0,		/* 0x90 */
1080		{{4, 4},
1081		{7, 7},
1082		{0, 0},
1083		{0, 0}
1084		}
1085	},
1086	{1, 1, 3, 0,		/* 0x91 */
1087		{{0, 0},
1088		{4, 4},
1089		{7, 7},
1090		{0, 0}
1091		}
1092	},
1093	{0, 1, 3, 0,		/* 0x92 */
1094		{{1, 1},
1095		{4, 4},
1096		{7, 7},
1097		{0, 0}
1098		}
1099	},
1100	{1, 1, 3, 0,		/* 0x93 */
1101		{{0, 1},
1102		{4, 4},
1103		{7, 7},
1104		{0, 0}
1105		}
1106	},
1107	{0, 1, 3, 0,		/* 0x94 */
1108		{{2, 2},
1109		{4, 4},
1110		{7, 7},
1111		{0, 0}
1112		}
1113	},
1114	{1, 1, 4, 0,		/* 0x95 */
1115		{{0, 0},
1116		{2, 2},
1117		{4, 4},
1118		{7, 7}
1119		}
1120	},
1121	{0, 1, 3, 0,		/* 0x96 */
1122		{{1, 2},
1123		{4, 4},
1124		{7, 7},
1125		{0, 0}
1126		}
1127	},
1128	{1, 1, 3, 0,		/* 0x97 */
1129		{{0, 2},
1130		{4, 4},
1131		{7, 7},
1132		{0, 0}
1133		}
1134	},
1135	{0, 1, 2, 0,		/* 0x98 */
1136		{{3, 4},
1137		{7, 7},
1138		{0, 0},
1139		{0, 0}
1140		}
1141	},
1142	{1, 1, 3, 0,		/* 0x99 */
1143		{{0, 0},
1144		{3, 4},
1145		{7, 7},
1146		{0, 0}
1147		}
1148	},
1149	{0, 1, 3, 0,		/* 0x9a */
1150		{{1, 1},
1151		{3, 4},
1152		{7, 7},
1153		{0, 0}
1154		}
1155	},
1156	{1, 1, 3, 0,		/* 0x9b */
1157		{{0, 1},
1158		{3, 4},
1159		{7, 7},
1160		{0, 0}
1161		}
1162	},
1163	{0, 1, 2, 0,		/* 0x9c */
1164		{{2, 4},
1165		{7, 7},
1166		{0, 0},
1167		{0, 0}
1168		}
1169	},
1170	{1, 1, 3, 0,		/* 0x9d */
1171		{{0, 0},
1172		{2, 4},
1173		{7, 7},
1174		{0, 0}
1175		}
1176	},
1177	{0, 1, 2, 0,		/* 0x9e */
1178		{{1, 4},
1179		{7, 7},
1180		{0, 0},
1181		{0, 0}
1182		}
1183	},
1184	{1, 1, 2, 0,		/* 0x9f */
1185		{{0, 4},
1186		{7, 7},
1187		{0, 0},
1188		{0, 0}
1189		}
1190	},
1191	{0, 1, 2, 0,		/* 0xa0 */
1192		{{5, 5},
1193		{7, 7},
1194		{0, 0},
1195		{0, 0}
1196		}
1197	},
1198	{1, 1, 3, 0,		/* 0xa1 */
1199		{{0, 0},
1200		{5, 5},
1201		{7, 7},
1202		{0, 0}
1203		}
1204	},
1205	{0, 1, 3, 0,		/* 0xa2 */
1206		{{1, 1},
1207		{5, 5},
1208		{7, 7},
1209		{0, 0}
1210		}
1211	},
1212	{1, 1, 3, 0,		/* 0xa3 */
1213		{{0, 1},
1214		{5, 5},
1215		{7, 7},
1216		{0, 0}
1217		}
1218	},
1219	{0, 1, 3, 0,		/* 0xa4 */
1220		{{2, 2},
1221		{5, 5},
1222		{7, 7},
1223		{0, 0}
1224		}
1225	},
1226	{1, 1, 4, 0,		/* 0xa5 */
1227		{{0, 0},
1228		{2, 2},
1229		{5, 5},
1230		{7, 7}
1231		}
1232	},
1233	{0, 1, 3, 0,		/* 0xa6 */
1234		{{1, 2},
1235		{5, 5},
1236		{7, 7},
1237		{0, 0}
1238		}
1239	},
1240	{1, 1, 3, 0,		/* 0xa7 */
1241		{{0, 2},
1242		{5, 5},
1243		{7, 7},
1244		{0, 0}
1245		}
1246	},
1247	{0, 1, 3, 0,		/* 0xa8 */
1248		{{3, 3},
1249		{5, 5},
1250		{7, 7},
1251		{0, 0}
1252		}
1253	},
1254	{1, 1, 4, 0,		/* 0xa9 */
1255		{{0, 0},
1256		{3, 3},
1257		{5, 5},
1258		{7, 7}
1259		}
1260	},
1261	{0, 1, 4, 0,		/* 0xaa */
1262		{{1, 1},
1263		{3, 3},
1264		{5, 5},
1265		{7, 7}
1266		}
1267	},
1268	{1, 1, 4, 0,		/* 0xab */
1269		{{0, 1},
1270		{3, 3},
1271		{5, 5},
1272		{7, 7}
1273		}
1274	},
1275	{0, 1, 3, 0,		/* 0xac */
1276		{{2, 3},
1277		{5, 5},
1278		{7, 7},
1279		{0, 0}
1280		}
1281	},
1282	{1, 1, 4, 0,		/* 0xad */
1283		{{0, 0},
1284		{2, 3},
1285		{5, 5},
1286		{7, 7}
1287		}
1288	},
1289	{0, 1, 3, 0,		/* 0xae */
1290		{{1, 3},
1291		{5, 5},
1292		{7, 7},
1293		{0, 0}
1294		}
1295	},
1296	{1, 1, 3, 0,		/* 0xaf */
1297		{{0, 3},
1298		{5, 5},
1299		{7, 7},
1300		{0, 0}
1301		}
1302	},
1303	{0, 1, 2, 0,		/* 0xb0 */
1304		{{4, 5},
1305		{7, 7},
1306		{0, 0},
1307		{0, 0}
1308		}
1309	},
1310	{1, 1, 3, 0,		/* 0xb1 */
1311		{{0, 0},
1312		{4, 5},
1313		{7, 7},
1314		{0, 0}
1315		}
1316	},
1317	{0, 1, 3, 0,		/* 0xb2 */
1318		{{1, 1},
1319		{4, 5},
1320		{7, 7},
1321		{0, 0}
1322		}
1323	},
1324	{1, 1, 3, 0,		/* 0xb3 */
1325		{{0, 1},
1326		{4, 5},
1327		{7, 7},
1328		{0, 0}
1329		}
1330	},
1331	{0, 1, 3, 0,		/* 0xb4 */
1332		{{2, 2},
1333		{4, 5},
1334		{7, 7},
1335		{0, 0}
1336		}
1337	},
1338	{1, 1, 4, 0,		/* 0xb5 */
1339		{{0, 0},
1340		{2, 2},
1341		{4, 5},
1342		{7, 7}
1343		}
1344	},
1345	{0, 1, 3, 0,		/* 0xb6 */
1346		{{1, 2},
1347		{4, 5},
1348		{7, 7},
1349		{0, 0}
1350		}
1351	},
1352	{1, 1, 3, 0,		/* 0xb7 */
1353		{{0, 2},
1354		{4, 5},
1355		{7, 7},
1356		{0, 0}
1357		}
1358	},
1359	{0, 1, 2, 0,		/* 0xb8 */
1360		{{3, 5},
1361		{7, 7},
1362		{0, 0},
1363		{0, 0}
1364		}
1365	},
1366	{1, 1, 3, 0,		/* 0xb9 */
1367		{{0, 0},
1368		{3, 5},
1369		{7, 7},
1370		{0, 0}
1371		}
1372	},
1373	{0, 1, 3, 0,		/* 0xba */
1374		{{1, 1},
1375		{3, 5},
1376		{7, 7},
1377		{0, 0}
1378		}
1379	},
1380	{1, 1, 3, 0,		/* 0xbb */
1381		{{0, 1},
1382		{3, 5},
1383		{7, 7},
1384		{0, 0}
1385		}
1386	},
1387	{0, 1, 2, 0,		/* 0xbc */
1388		{{2, 5},
1389		{7, 7},
1390		{0, 0},
1391		{0, 0}
1392		}
1393	},
1394	{1, 1, 3, 0,		/* 0xbd */
1395		{{0, 0},
1396		{2, 5},
1397		{7, 7},
1398		{0, 0}
1399		}
1400	},
1401	{0, 1, 2, 0,		/* 0xbe */
1402		{{1, 5},
1403		{7, 7},
1404		{0, 0},
1405		{0, 0}
1406		}
1407	},
1408	{1, 1, 2, 0,		/* 0xbf */
1409		{{0, 5},
1410		{7, 7},
1411		{0, 0},
1412		{0, 0}
1413		}
1414	},
1415	{0, 1, 1, 0,		/* 0xc0 */
1416		{{6, 7},
1417		{0, 0},
1418		{0, 0},
1419		{0, 0}
1420		}
1421	},
1422	{1, 1, 2, 0,		/* 0xc1 */
1423		{{0, 0},
1424		{6, 7},
1425		{0, 0},
1426		{0, 0}
1427		}
1428	},
1429	{0, 1, 2, 0,		/* 0xc2 */
1430		{{1, 1},
1431		{6, 7},
1432		{0, 0},
1433		{0, 0}
1434		}
1435	},
1436	{1, 1, 2, 0,		/* 0xc3 */
1437		{{0, 1},
1438		{6, 7},
1439		{0, 0},
1440		{0, 0}
1441		}
1442	},
1443	{0, 1, 2, 0,		/* 0xc4 */
1444		{{2, 2},
1445		{6, 7},
1446		{0, 0},
1447		{0, 0}
1448		}
1449	},
1450	{1, 1, 3, 0,		/* 0xc5 */
1451		{{0, 0},
1452		{2, 2},
1453		{6, 7},
1454		{0, 0}
1455		}
1456	},
1457	{0, 1, 2, 0,		/* 0xc6 */
1458		{{1, 2},
1459		{6, 7},
1460		{0, 0},
1461		{0, 0}
1462		}
1463	},
1464	{1, 1, 2, 0,		/* 0xc7 */
1465		{{0, 2},
1466		{6, 7},
1467		{0, 0},
1468		{0, 0}
1469		}
1470	},
1471	{0, 1, 2, 0,		/* 0xc8 */
1472		{{3, 3},
1473		{6, 7},
1474		{0, 0},
1475		{0, 0}
1476		}
1477	},
1478	{1, 1, 3, 0,		/* 0xc9 */
1479		{{0, 0},
1480		{3, 3},
1481		{6, 7},
1482		{0, 0}
1483		}
1484	},
1485	{0, 1, 3, 0,		/* 0xca */
1486		{{1, 1},
1487		{3, 3},
1488		{6, 7},
1489		{0, 0}
1490		}
1491	},
1492	{1, 1, 3, 0,		/* 0xcb */
1493		{{0, 1},
1494		{3, 3},
1495		{6, 7},
1496		{0, 0}
1497		}
1498	},
1499	{0, 1, 2, 0,		/* 0xcc */
1500		{{2, 3},
1501		{6, 7},
1502		{0, 0},
1503		{0, 0}
1504		}
1505	},
1506	{1, 1, 3, 0,		/* 0xcd */
1507		{{0, 0},
1508		{2, 3},
1509		{6, 7},
1510		{0, 0}
1511		}
1512	},
1513	{0, 1, 2, 0,		/* 0xce */
1514		{{1, 3},
1515		{6, 7},
1516		{0, 0},
1517		{0, 0}
1518		}
1519	},
1520	{1, 1, 2, 0,		/* 0xcf */
1521		{{0, 3},
1522		{6, 7},
1523		{0, 0},
1524		{0, 0}
1525		}
1526	},
1527	{0, 1, 2, 0,		/* 0xd0 */
1528		{{4, 4},
1529		{6, 7},
1530		{0, 0},
1531		{0, 0}
1532		}
1533	},
1534	{1, 1, 3, 0,		/* 0xd1 */
1535		{{0, 0},
1536		{4, 4},
1537		{6, 7},
1538		{0, 0}
1539		}
1540	},
1541	{0, 1, 3, 0,		/* 0xd2 */
1542		{{1, 1},
1543		{4, 4},
1544		{6, 7},
1545		{0, 0}
1546		}
1547	},
1548	{1, 1, 3, 0,		/* 0xd3 */
1549		{{0, 1},
1550		{4, 4},
1551		{6, 7},
1552		{0, 0}
1553		}
1554	},
1555	{0, 1, 3, 0,		/* 0xd4 */
1556		{{2, 2},
1557		{4, 4},
1558		{6, 7},
1559		{0, 0}
1560		}
1561	},
1562	{1, 1, 4, 0,		/* 0xd5 */
1563		{{0, 0},
1564		{2, 2},
1565		{4, 4},
1566		{6, 7}
1567		}
1568	},
1569	{0, 1, 3, 0,		/* 0xd6 */
1570		{{1, 2},
1571		{4, 4},
1572		{6, 7},
1573		{0, 0}
1574		}
1575	},
1576	{1, 1, 3, 0,		/* 0xd7 */
1577		{{0, 2},
1578		{4, 4},
1579		{6, 7},
1580		{0, 0}
1581		}
1582	},
1583	{0, 1, 2, 0,		/* 0xd8 */
1584		{{3, 4},
1585		{6, 7},
1586		{0, 0},
1587		{0, 0}
1588		}
1589	},
1590	{1, 1, 3, 0,		/* 0xd9 */
1591		{{0, 0},
1592		{3, 4},
1593		{6, 7},
1594		{0, 0}
1595		}
1596	},
1597	{0, 1, 3, 0,		/* 0xda */
1598		{{1, 1},
1599		{3, 4},
1600		{6, 7},
1601		{0, 0}
1602		}
1603	},
1604	{1, 1, 3, 0,		/* 0xdb */
1605		{{0, 1},
1606		{3, 4},
1607		{6, 7},
1608		{0, 0}
1609		}
1610	},
1611	{0, 1, 2, 0,		/* 0xdc */
1612		{{2, 4},
1613		{6, 7},
1614		{0, 0},
1615		{0, 0}
1616		}
1617	},
1618	{1, 1, 3, 0,		/* 0xdd */
1619		{{0, 0},
1620		{2, 4},
1621		{6, 7},
1622		{0, 0}
1623		}
1624	},
1625	{0, 1, 2, 0,		/* 0xde */
1626		{{1, 4},
1627		{6, 7},
1628		{0, 0},
1629		{0, 0}
1630		}
1631	},
1632	{1, 1, 2, 0,		/* 0xdf */
1633		{{0, 4},
1634		{6, 7},
1635		{0, 0},
1636		{0, 0}
1637		}
1638	},
1639	{0, 1, 1, 0,		/* 0xe0 */
1640		{{5, 7},
1641		{0, 0},
1642		{0, 0},
1643		{0, 0}
1644		}
1645	},
1646	{1, 1, 2, 0,		/* 0xe1 */
1647		{{0, 0},
1648		{5, 7},
1649		{0, 0},
1650		{0, 0}
1651		}
1652	},
1653	{0, 1, 2, 0,		/* 0xe2 */
1654		{{1, 1},
1655		{5, 7},
1656		{0, 0},
1657		{0, 0}
1658		}
1659	},
1660	{1, 1, 2, 0,		/* 0xe3 */
1661		{{0, 1},
1662		{5, 7},
1663		{0, 0},
1664		{0, 0}
1665		}
1666	},
1667	{0, 1, 2, 0,		/* 0xe4 */
1668		{{2, 2},
1669		{5, 7},
1670		{0, 0},
1671		{0, 0}
1672		}
1673	},
1674	{1, 1, 3, 0,		/* 0xe5 */
1675		{{0, 0},
1676		{2, 2},
1677		{5, 7},
1678		{0, 0}
1679		}
1680	},
1681	{0, 1, 2, 0,		/* 0xe6 */
1682		{{1, 2},
1683		{5, 7},
1684		{0, 0},
1685		{0, 0}
1686		}
1687	},
1688	{1, 1, 2, 0,		/* 0xe7 */
1689		{{0, 2},
1690		{5, 7},
1691		{0, 0},
1692		{0, 0}
1693		}
1694	},
1695	{0, 1, 2, 0,		/* 0xe8 */
1696		{{3, 3},
1697		{5, 7},
1698		{0, 0},
1699		{0, 0}
1700		}
1701	},
1702	{1, 1, 3, 0,		/* 0xe9 */
1703		{{0, 0},
1704		{3, 3},
1705		{5, 7},
1706		{0, 0}
1707		}
1708	},
1709	{0, 1, 3, 0,		/* 0xea */
1710		{{1, 1},
1711		{3, 3},
1712		{5, 7},
1713		{0, 0}
1714		}
1715	},
1716	{1, 1, 3, 0,		/* 0xeb */
1717		{{0, 1},
1718		{3, 3},
1719		{5, 7},
1720		{0, 0}
1721		}
1722	},
1723	{0, 1, 2, 0,		/* 0xec */
1724		{{2, 3},
1725		{5, 7},
1726		{0, 0},
1727		{0, 0}
1728		}
1729	},
1730	{1, 1, 3, 0,		/* 0xed */
1731		{{0, 0},
1732		{2, 3},
1733		{5, 7},
1734		{0, 0}
1735		}
1736	},
1737	{0, 1, 2, 0,		/* 0xee */
1738		{{1, 3},
1739		{5, 7},
1740		{0, 0},
1741		{0, 0}
1742		}
1743	},
1744	{1, 1, 2, 0,		/* 0xef */
1745		{{0, 3},
1746		{5, 7},
1747		{0, 0},
1748		{0, 0}
1749		}
1750	},
1751	{0, 1, 1, 0,		/* 0xf0 */
1752		{{4, 7},
1753		{0, 0},
1754		{0, 0},
1755		{0, 0}
1756		}
1757	},
1758	{1, 1, 2, 0,		/* 0xf1 */
1759		{{0, 0},
1760		{4, 7},
1761		{0, 0},
1762		{0, 0}
1763		}
1764	},
1765	{0, 1, 2, 0,		/* 0xf2 */
1766		{{1, 1},
1767		{4, 7},
1768		{0, 0},
1769		{0, 0}
1770		}
1771	},
1772	{1, 1, 2, 0,		/* 0xf3 */
1773		{{0, 1},
1774		{4, 7},
1775		{0, 0},
1776		{0, 0}
1777		}
1778	},
1779	{0, 1, 2, 0,		/* 0xf4 */
1780		{{2, 2},
1781		{4, 7},
1782		{0, 0},
1783		{0, 0}
1784		}
1785	},
1786	{1, 1, 3, 0,		/* 0xf5 */
1787		{{0, 0},
1788		{2, 2},
1789		{4, 7},
1790		{0, 0}
1791		}
1792	},
1793	{0, 1, 2, 0,		/* 0xf6 */
1794		{{1, 2},
1795		{4, 7},
1796		{0, 0},
1797		{0, 0}
1798		}
1799	},
1800	{1, 1, 2, 0,		/* 0xf7 */
1801		{{0, 2},
1802		{4, 7},
1803		{0, 0},
1804		{0, 0}
1805		}
1806	},
1807	{0, 1, 1, 0,		/* 0xf8 */
1808		{{3, 7},
1809		{0, 0},
1810		{0, 0},
1811		{0, 0}
1812		}
1813	},
1814	{1, 1, 2, 0,		/* 0xf9 */
1815		{{0, 0},
1816		{3, 7},
1817		{0, 0},
1818		{0, 0}
1819		}
1820	},
1821	{0, 1, 2, 0,		/* 0xfa */
1822		{{1, 1},
1823		{3, 7},
1824		{0, 0},
1825		{0, 0}
1826		}
1827	},
1828	{1, 1, 2, 0,		/* 0xfb */
1829		{{0, 1},
1830		{3, 7},
1831		{0, 0},
1832		{0, 0}
1833		}
1834	},
1835	{0, 1, 1, 0,		/* 0xfc */
1836		{{2, 7},
1837		{0, 0},
1838		{0, 0},
1839		{0, 0}
1840		}
1841	},
1842	{1, 1, 2, 0,		/* 0xfd */
1843		{{0, 0},
1844		{2, 7},
1845		{0, 0},
1846		{0, 0}
1847		}
1848	},
1849	{0, 1, 1, 0,		/* 0xfe */
1850		{{1, 7},
1851		{0, 0},
1852		{0, 0},
1853		{0, 0}
1854		}
1855	},
1856	{1, 1, 1, 0,		/* 0xff */
1857		{{0, 7},
1858		{0, 0},
1859		{0, 0},
1860		{0, 0}
1861		}
1862	}
1863};
1864
1865
1866int
1867sctp_is_address_in_scope(struct sctp_ifa *ifa,
1868    struct sctp_scoping *scope,
1869    int do_update)
1870{
1871	if ((scope->loopback_scope == 0) &&
1872	    (ifa->ifn_p) && SCTP_IFN_IS_IFT_LOOP(ifa->ifn_p)) {
1873		/*
1874		 * skip loopback if not in scope *
1875		 */
1876		return (0);
1877	}
1878	switch (ifa->address.sa.sa_family) {
1879#ifdef INET
1880	case AF_INET:
1881		if (scope->ipv4_addr_legal) {
1882			struct sockaddr_in *sin;
1883
1884			sin = &ifa->address.sin;
1885			if (sin->sin_addr.s_addr == 0) {
1886				/* not in scope , unspecified */
1887				return (0);
1888			}
1889			if ((scope->ipv4_local_scope == 0) &&
1890			    (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr))) {
1891				/* private address not in scope */
1892				return (0);
1893			}
1894		} else {
1895			return (0);
1896		}
1897		break;
1898#endif
1899#ifdef INET6
1900	case AF_INET6:
1901		if (scope->ipv6_addr_legal) {
1902			struct sockaddr_in6 *sin6;
1903
1904			/*
1905			 * Must update the flags,  bummer, which means any
1906			 * IFA locks must now be applied HERE <->
1907			 */
1908			if (do_update) {
1909				sctp_gather_internal_ifa_flags(ifa);
1910			}
1911			if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
1912				return (0);
1913			}
1914			/* ok to use deprecated addresses? */
1915			sin6 = &ifa->address.sin6;
1916			if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
1917				/* skip unspecifed addresses */
1918				return (0);
1919			}
1920			if (	/* (local_scope == 0) && */
1921			    (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))) {
1922				return (0);
1923			}
1924			if ((scope->site_scope == 0) &&
1925			    (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr))) {
1926				return (0);
1927			}
1928		} else {
1929			return (0);
1930		}
1931		break;
1932#endif
1933	default:
1934		return (0);
1935	}
1936	return (1);
1937}
1938
1939static struct mbuf *
1940sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t * len)
1941{
1942#if defined(INET) || defined(INET6)
1943	struct sctp_paramhdr *parmh;
1944	struct mbuf *mret;
1945	uint16_t plen;
1946
1947#endif
1948
1949	switch (ifa->address.sa.sa_family) {
1950#ifdef INET
1951	case AF_INET:
1952		plen = (uint16_t) sizeof(struct sctp_ipv4addr_param);
1953		break;
1954#endif
1955#ifdef INET6
1956	case AF_INET6:
1957		plen = (uint16_t) sizeof(struct sctp_ipv6addr_param);
1958		break;
1959#endif
1960	default:
1961		return (m);
1962	}
1963#if defined(INET) || defined(INET6)
1964	if (M_TRAILINGSPACE(m) >= plen) {
1965		/* easy side we just drop it on the end */
1966		parmh = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m)));
1967		mret = m;
1968	} else {
1969		/* Need more space */
1970		mret = m;
1971		while (SCTP_BUF_NEXT(mret) != NULL) {
1972			mret = SCTP_BUF_NEXT(mret);
1973		}
1974		SCTP_BUF_NEXT(mret) = sctp_get_mbuf_for_msg(plen, 0, M_NOWAIT, 1, MT_DATA);
1975		if (SCTP_BUF_NEXT(mret) == NULL) {
1976			/* We are hosed, can't add more addresses */
1977			return (m);
1978		}
1979		mret = SCTP_BUF_NEXT(mret);
1980		parmh = mtod(mret, struct sctp_paramhdr *);
1981	}
1982	/* now add the parameter */
1983	switch (ifa->address.sa.sa_family) {
1984#ifdef INET
1985	case AF_INET:
1986		{
1987			struct sctp_ipv4addr_param *ipv4p;
1988			struct sockaddr_in *sin;
1989
1990			sin = &ifa->address.sin;
1991			ipv4p = (struct sctp_ipv4addr_param *)parmh;
1992			parmh->param_type = htons(SCTP_IPV4_ADDRESS);
1993			parmh->param_length = htons(plen);
1994			ipv4p->addr = sin->sin_addr.s_addr;
1995			SCTP_BUF_LEN(mret) += plen;
1996			break;
1997		}
1998#endif
1999#ifdef INET6
2000	case AF_INET6:
2001		{
2002			struct sctp_ipv6addr_param *ipv6p;
2003			struct sockaddr_in6 *sin6;
2004
2005			sin6 = &ifa->address.sin6;
2006			ipv6p = (struct sctp_ipv6addr_param *)parmh;
2007			parmh->param_type = htons(SCTP_IPV6_ADDRESS);
2008			parmh->param_length = htons(plen);
2009			memcpy(ipv6p->addr, &sin6->sin6_addr,
2010			    sizeof(ipv6p->addr));
2011			/* clear embedded scope in the address */
2012			in6_clearscope((struct in6_addr *)ipv6p->addr);
2013			SCTP_BUF_LEN(mret) += plen;
2014			break;
2015		}
2016#endif
2017	default:
2018		return (m);
2019	}
2020	if (len != NULL) {
2021		*len += plen;
2022	}
2023	return (mret);
2024#endif
2025}
2026
2027
2028struct mbuf *
2029sctp_add_addresses_to_i_ia(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
2030    struct sctp_scoping *scope,
2031    struct mbuf *m_at, int cnt_inits_to,
2032    uint16_t * padding_len, uint16_t * chunk_len)
2033{
2034	struct sctp_vrf *vrf = NULL;
2035	int cnt, limit_out = 0, total_count;
2036	uint32_t vrf_id;
2037
2038	vrf_id = inp->def_vrf_id;
2039	SCTP_IPI_ADDR_RLOCK();
2040	vrf = sctp_find_vrf(vrf_id);
2041	if (vrf == NULL) {
2042		SCTP_IPI_ADDR_RUNLOCK();
2043		return (m_at);
2044	}
2045	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
2046		struct sctp_ifa *sctp_ifap;
2047		struct sctp_ifn *sctp_ifnp;
2048
2049		cnt = cnt_inits_to;
2050		if (vrf->total_ifa_count > SCTP_COUNT_LIMIT) {
2051			limit_out = 1;
2052			cnt = SCTP_ADDRESS_LIMIT;
2053			goto skip_count;
2054		}
2055		LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2056			if ((scope->loopback_scope == 0) &&
2057			    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2058				/*
2059				 * Skip loopback devices if loopback_scope
2060				 * not set
2061				 */
2062				continue;
2063			}
2064			LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2065#ifdef INET
2066				if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2067				    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2068				    &sctp_ifap->address.sin.sin_addr) != 0)) {
2069					continue;
2070				}
2071#endif
2072#ifdef INET6
2073				if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2074				    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2075				    &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2076					continue;
2077				}
2078#endif
2079				if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2080					continue;
2081				}
2082				if (sctp_is_address_in_scope(sctp_ifap, scope, 1) == 0) {
2083					continue;
2084				}
2085				cnt++;
2086				if (cnt > SCTP_ADDRESS_LIMIT) {
2087					break;
2088				}
2089			}
2090			if (cnt > SCTP_ADDRESS_LIMIT) {
2091				break;
2092			}
2093		}
2094skip_count:
2095		if (cnt > 1) {
2096			total_count = 0;
2097			LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2098				cnt = 0;
2099				if ((scope->loopback_scope == 0) &&
2100				    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2101					/*
2102					 * Skip loopback devices if
2103					 * loopback_scope not set
2104					 */
2105					continue;
2106				}
2107				LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2108#ifdef INET
2109					if ((sctp_ifap->address.sa.sa_family == AF_INET) &&
2110					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2111					    &sctp_ifap->address.sin.sin_addr) != 0)) {
2112						continue;
2113					}
2114#endif
2115#ifdef INET6
2116					if ((sctp_ifap->address.sa.sa_family == AF_INET6) &&
2117					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2118					    &sctp_ifap->address.sin6.sin6_addr) != 0)) {
2119						continue;
2120					}
2121#endif
2122					if (sctp_is_addr_restricted(stcb, sctp_ifap)) {
2123						continue;
2124					}
2125					if (sctp_is_address_in_scope(sctp_ifap,
2126					    scope, 0) == 0) {
2127						continue;
2128					}
2129					if ((chunk_len != NULL) &&
2130					    (padding_len != NULL) &&
2131					    (*padding_len > 0)) {
2132						memset(mtod(m_at, caddr_t)+*chunk_len, 0, *padding_len);
2133						SCTP_BUF_LEN(m_at) += *padding_len;
2134						*chunk_len += *padding_len;
2135						*padding_len = 0;
2136					}
2137					m_at = sctp_add_addr_to_mbuf(m_at, sctp_ifap, chunk_len);
2138					if (limit_out) {
2139						cnt++;
2140						total_count++;
2141						if (cnt >= 2) {
2142							/*
2143							 * two from each
2144							 * address
2145							 */
2146							break;
2147						}
2148						if (total_count > SCTP_ADDRESS_LIMIT) {
2149							/* No more addresses */
2150							break;
2151						}
2152					}
2153				}
2154			}
2155		}
2156	} else {
2157		struct sctp_laddr *laddr;
2158
2159		cnt = cnt_inits_to;
2160		/* First, how many ? */
2161		LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2162			if (laddr->ifa == NULL) {
2163				continue;
2164			}
2165			if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED)
2166				/*
2167				 * Address being deleted by the system, dont
2168				 * list.
2169				 */
2170				continue;
2171			if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2172				/*
2173				 * Address being deleted on this ep don't
2174				 * list.
2175				 */
2176				continue;
2177			}
2178			if (sctp_is_address_in_scope(laddr->ifa,
2179			    scope, 1) == 0) {
2180				continue;
2181			}
2182			cnt++;
2183		}
2184		/*
2185		 * To get through a NAT we only list addresses if we have
2186		 * more than one. That way if you just bind a single address
2187		 * we let the source of the init dictate our address.
2188		 */
2189		if (cnt > 1) {
2190			cnt = cnt_inits_to;
2191			LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2192				if (laddr->ifa == NULL) {
2193					continue;
2194				}
2195				if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED) {
2196					continue;
2197				}
2198				if (sctp_is_address_in_scope(laddr->ifa,
2199				    scope, 0) == 0) {
2200					continue;
2201				}
2202				if ((chunk_len != NULL) &&
2203				    (padding_len != NULL) &&
2204				    (*padding_len > 0)) {
2205					memset(mtod(m_at, caddr_t)+*chunk_len, 0, *padding_len);
2206					SCTP_BUF_LEN(m_at) += *padding_len;
2207					*chunk_len += *padding_len;
2208					*padding_len = 0;
2209				}
2210				m_at = sctp_add_addr_to_mbuf(m_at, laddr->ifa, chunk_len);
2211				cnt++;
2212				if (cnt >= SCTP_ADDRESS_LIMIT) {
2213					break;
2214				}
2215			}
2216		}
2217	}
2218	SCTP_IPI_ADDR_RUNLOCK();
2219	return (m_at);
2220}
2221
2222static struct sctp_ifa *
2223sctp_is_ifa_addr_preferred(struct sctp_ifa *ifa,
2224    uint8_t dest_is_loop,
2225    uint8_t dest_is_priv,
2226    sa_family_t fam)
2227{
2228	uint8_t dest_is_global = 0;
2229
2230	/* dest_is_priv is true if destination is a private address */
2231	/* dest_is_loop is true if destination is a loopback addresses */
2232
2233	/**
2234	 * Here we determine if its a preferred address. A preferred address
2235	 * means it is the same scope or higher scope then the destination.
2236	 * L = loopback, P = private, G = global
2237	 * -----------------------------------------
2238	 *    src    |  dest | result
2239	 *  ----------------------------------------
2240	 *     L     |    L  |    yes
2241	 *  -----------------------------------------
2242	 *     P     |    L  |    yes-v4 no-v6
2243	 *  -----------------------------------------
2244	 *     G     |    L  |    yes-v4 no-v6
2245	 *  -----------------------------------------
2246	 *     L     |    P  |    no
2247	 *  -----------------------------------------
2248	 *     P     |    P  |    yes
2249	 *  -----------------------------------------
2250	 *     G     |    P  |    no
2251	 *   -----------------------------------------
2252	 *     L     |    G  |    no
2253	 *   -----------------------------------------
2254	 *     P     |    G  |    no
2255	 *    -----------------------------------------
2256	 *     G     |    G  |    yes
2257	 *    -----------------------------------------
2258	 */
2259
2260	if (ifa->address.sa.sa_family != fam) {
2261		/* forget mis-matched family */
2262		return (NULL);
2263	}
2264	if ((dest_is_priv == 0) && (dest_is_loop == 0)) {
2265		dest_is_global = 1;
2266	}
2267	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Is destination preferred:");
2268	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ifa->address.sa);
2269	/* Ok the address may be ok */
2270#ifdef INET6
2271	if (fam == AF_INET6) {
2272		/* ok to use deprecated addresses? no lets not! */
2273		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2274			SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:1\n");
2275			return (NULL);
2276		}
2277		if (ifa->src_is_priv && !ifa->src_is_loop) {
2278			if (dest_is_loop) {
2279				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:2\n");
2280				return (NULL);
2281			}
2282		}
2283		if (ifa->src_is_glob) {
2284			if (dest_is_loop) {
2285				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:3\n");
2286				return (NULL);
2287			}
2288		}
2289	}
2290#endif
2291	/*
2292	 * Now that we know what is what, implement or table this could in
2293	 * theory be done slicker (it used to be), but this is
2294	 * straightforward and easier to validate :-)
2295	 */
2296	SCTPDBG(SCTP_DEBUG_OUTPUT3, "src_loop:%d src_priv:%d src_glob:%d\n",
2297	    ifa->src_is_loop, ifa->src_is_priv, ifa->src_is_glob);
2298	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dest_loop:%d dest_priv:%d dest_glob:%d\n",
2299	    dest_is_loop, dest_is_priv, dest_is_global);
2300
2301	if ((ifa->src_is_loop) && (dest_is_priv)) {
2302		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:4\n");
2303		return (NULL);
2304	}
2305	if ((ifa->src_is_glob) && (dest_is_priv)) {
2306		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:5\n");
2307		return (NULL);
2308	}
2309	if ((ifa->src_is_loop) && (dest_is_global)) {
2310		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:6\n");
2311		return (NULL);
2312	}
2313	if ((ifa->src_is_priv) && (dest_is_global)) {
2314		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:7\n");
2315		return (NULL);
2316	}
2317	SCTPDBG(SCTP_DEBUG_OUTPUT3, "YES\n");
2318	/* its a preferred address */
2319	return (ifa);
2320}
2321
2322static struct sctp_ifa *
2323sctp_is_ifa_addr_acceptable(struct sctp_ifa *ifa,
2324    uint8_t dest_is_loop,
2325    uint8_t dest_is_priv,
2326    sa_family_t fam)
2327{
2328	uint8_t dest_is_global = 0;
2329
2330	/**
2331	 * Here we determine if its a acceptable address. A acceptable
2332	 * address means it is the same scope or higher scope but we can
2333	 * allow for NAT which means its ok to have a global dest and a
2334	 * private src.
2335	 *
2336	 * L = loopback, P = private, G = global
2337	 * -----------------------------------------
2338	 *  src    |  dest | result
2339	 * -----------------------------------------
2340	 *   L     |   L   |    yes
2341	 *  -----------------------------------------
2342	 *   P     |   L   |    yes-v4 no-v6
2343	 *  -----------------------------------------
2344	 *   G     |   L   |    yes
2345	 * -----------------------------------------
2346	 *   L     |   P   |    no
2347	 * -----------------------------------------
2348	 *   P     |   P   |    yes
2349	 * -----------------------------------------
2350	 *   G     |   P   |    yes - May not work
2351	 * -----------------------------------------
2352	 *   L     |   G   |    no
2353	 * -----------------------------------------
2354	 *   P     |   G   |    yes - May not work
2355	 * -----------------------------------------
2356	 *   G     |   G   |    yes
2357	 * -----------------------------------------
2358	 */
2359
2360	if (ifa->address.sa.sa_family != fam) {
2361		/* forget non matching family */
2362		SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa_fam:%d fam:%d\n",
2363		    ifa->address.sa.sa_family, fam);
2364		return (NULL);
2365	}
2366	/* Ok the address may be ok */
2367	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, &ifa->address.sa);
2368	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst_is_loop:%d dest_is_priv:%d\n",
2369	    dest_is_loop, dest_is_priv);
2370	if ((dest_is_loop == 0) && (dest_is_priv == 0)) {
2371		dest_is_global = 1;
2372	}
2373#ifdef INET6
2374	if (fam == AF_INET6) {
2375		/* ok to use deprecated addresses? */
2376		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2377			return (NULL);
2378		}
2379		if (ifa->src_is_priv) {
2380			/* Special case, linklocal to loop */
2381			if (dest_is_loop)
2382				return (NULL);
2383		}
2384	}
2385#endif
2386	/*
2387	 * Now that we know what is what, implement our table. This could in
2388	 * theory be done slicker (it used to be), but this is
2389	 * straightforward and easier to validate :-)
2390	 */
2391	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_priv:%d\n",
2392	    ifa->src_is_loop,
2393	    dest_is_priv);
2394	if ((ifa->src_is_loop == 1) && (dest_is_priv)) {
2395		return (NULL);
2396	}
2397	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_glob:%d\n",
2398	    ifa->src_is_loop,
2399	    dest_is_global);
2400	if ((ifa->src_is_loop == 1) && (dest_is_global)) {
2401		return (NULL);
2402	}
2403	SCTPDBG(SCTP_DEBUG_OUTPUT3, "address is acceptable\n");
2404	/* its an acceptable address */
2405	return (ifa);
2406}
2407
2408int
2409sctp_is_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
2410{
2411	struct sctp_laddr *laddr;
2412
2413	if (stcb == NULL) {
2414		/* There are no restrictions, no TCB :-) */
2415		return (0);
2416	}
2417	LIST_FOREACH(laddr, &stcb->asoc.sctp_restricted_addrs, sctp_nxt_addr) {
2418		if (laddr->ifa == NULL) {
2419			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2420			    __func__);
2421			continue;
2422		}
2423		if (laddr->ifa == ifa) {
2424			/* Yes it is on the list */
2425			return (1);
2426		}
2427	}
2428	return (0);
2429}
2430
2431
2432int
2433sctp_is_addr_in_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa)
2434{
2435	struct sctp_laddr *laddr;
2436
2437	if (ifa == NULL)
2438		return (0);
2439	LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2440		if (laddr->ifa == NULL) {
2441			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2442			    __func__);
2443			continue;
2444		}
2445		if ((laddr->ifa == ifa) && laddr->action == 0)
2446			/* same pointer */
2447			return (1);
2448	}
2449	return (0);
2450}
2451
2452
2453
2454static struct sctp_ifa *
2455sctp_choose_boundspecific_inp(struct sctp_inpcb *inp,
2456    sctp_route_t * ro,
2457    uint32_t vrf_id,
2458    int non_asoc_addr_ok,
2459    uint8_t dest_is_priv,
2460    uint8_t dest_is_loop,
2461    sa_family_t fam)
2462{
2463	struct sctp_laddr *laddr, *starting_point;
2464	void *ifn;
2465	int resettotop = 0;
2466	struct sctp_ifn *sctp_ifn;
2467	struct sctp_ifa *sctp_ifa, *sifa;
2468	struct sctp_vrf *vrf;
2469	uint32_t ifn_index;
2470
2471	vrf = sctp_find_vrf(vrf_id);
2472	if (vrf == NULL)
2473		return (NULL);
2474
2475	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2476	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2477	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2478	/*
2479	 * first question, is the ifn we will emit on in our list, if so, we
2480	 * want such an address. Note that we first looked for a preferred
2481	 * address.
2482	 */
2483	if (sctp_ifn) {
2484		/* is a preferred one on the interface we route out? */
2485		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2486#ifdef INET
2487			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2488			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2489			    &sctp_ifa->address.sin.sin_addr) != 0)) {
2490				continue;
2491			}
2492#endif
2493#ifdef INET6
2494			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2495			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2496			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2497				continue;
2498			}
2499#endif
2500			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2501			    (non_asoc_addr_ok == 0))
2502				continue;
2503			sifa = sctp_is_ifa_addr_preferred(sctp_ifa,
2504			    dest_is_loop,
2505			    dest_is_priv, fam);
2506			if (sifa == NULL)
2507				continue;
2508			if (sctp_is_addr_in_ep(inp, sifa)) {
2509				atomic_add_int(&sifa->refcount, 1);
2510				return (sifa);
2511			}
2512		}
2513	}
2514	/*
2515	 * ok, now we now need to find one on the list of the addresses. We
2516	 * can't get one on the emitting interface so let's find first a
2517	 * preferred one. If not that an acceptable one otherwise... we
2518	 * return NULL.
2519	 */
2520	starting_point = inp->next_addr_touse;
2521once_again:
2522	if (inp->next_addr_touse == NULL) {
2523		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2524		resettotop = 1;
2525	}
2526	for (laddr = inp->next_addr_touse; laddr;
2527	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2528		if (laddr->ifa == NULL) {
2529			/* address has been removed */
2530			continue;
2531		}
2532		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2533			/* address is being deleted */
2534			continue;
2535		}
2536		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop,
2537		    dest_is_priv, fam);
2538		if (sifa == NULL)
2539			continue;
2540		atomic_add_int(&sifa->refcount, 1);
2541		return (sifa);
2542	}
2543	if (resettotop == 0) {
2544		inp->next_addr_touse = NULL;
2545		goto once_again;
2546	}
2547	inp->next_addr_touse = starting_point;
2548	resettotop = 0;
2549once_again_too:
2550	if (inp->next_addr_touse == NULL) {
2551		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2552		resettotop = 1;
2553	}
2554	/* ok, what about an acceptable address in the inp */
2555	for (laddr = inp->next_addr_touse; laddr;
2556	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2557		if (laddr->ifa == NULL) {
2558			/* address has been removed */
2559			continue;
2560		}
2561		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2562			/* address is being deleted */
2563			continue;
2564		}
2565		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2566		    dest_is_priv, fam);
2567		if (sifa == NULL)
2568			continue;
2569		atomic_add_int(&sifa->refcount, 1);
2570		return (sifa);
2571	}
2572	if (resettotop == 0) {
2573		inp->next_addr_touse = NULL;
2574		goto once_again_too;
2575	}
2576	/*
2577	 * no address bound can be a source for the destination we are in
2578	 * trouble
2579	 */
2580	return (NULL);
2581}
2582
2583
2584
2585static struct sctp_ifa *
2586sctp_choose_boundspecific_stcb(struct sctp_inpcb *inp,
2587    struct sctp_tcb *stcb,
2588    sctp_route_t * ro,
2589    uint32_t vrf_id,
2590    uint8_t dest_is_priv,
2591    uint8_t dest_is_loop,
2592    int non_asoc_addr_ok,
2593    sa_family_t fam)
2594{
2595	struct sctp_laddr *laddr, *starting_point;
2596	void *ifn;
2597	struct sctp_ifn *sctp_ifn;
2598	struct sctp_ifa *sctp_ifa, *sifa;
2599	uint8_t start_at_beginning = 0;
2600	struct sctp_vrf *vrf;
2601	uint32_t ifn_index;
2602
2603	/*
2604	 * first question, is the ifn we will emit on in our list, if so, we
2605	 * want that one.
2606	 */
2607	vrf = sctp_find_vrf(vrf_id);
2608	if (vrf == NULL)
2609		return (NULL);
2610
2611	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2612	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2613	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2614
2615	/*
2616	 * first question, is the ifn we will emit on in our list?  If so,
2617	 * we want that one. First we look for a preferred. Second, we go
2618	 * for an acceptable.
2619	 */
2620	if (sctp_ifn) {
2621		/* first try for a preferred address on the ep */
2622		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2623#ifdef INET
2624			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2625			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2626			    &sctp_ifa->address.sin.sin_addr) != 0)) {
2627				continue;
2628			}
2629#endif
2630#ifdef INET6
2631			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2632			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2633			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2634				continue;
2635			}
2636#endif
2637			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2638				continue;
2639			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2640				sifa = sctp_is_ifa_addr_preferred(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2641				if (sifa == NULL)
2642					continue;
2643				if (((non_asoc_addr_ok == 0) &&
2644				    (sctp_is_addr_restricted(stcb, sifa))) ||
2645				    (non_asoc_addr_ok &&
2646				    (sctp_is_addr_restricted(stcb, sifa)) &&
2647				    (!sctp_is_addr_pending(stcb, sifa)))) {
2648					/* on the no-no list */
2649					continue;
2650				}
2651				atomic_add_int(&sifa->refcount, 1);
2652				return (sifa);
2653			}
2654		}
2655		/* next try for an acceptable address on the ep */
2656		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2657#ifdef INET
2658			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
2659			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2660			    &sctp_ifa->address.sin.sin_addr) != 0)) {
2661				continue;
2662			}
2663#endif
2664#ifdef INET6
2665			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
2666			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2667			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
2668				continue;
2669			}
2670#endif
2671			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2672				continue;
2673			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2674				sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2675				if (sifa == NULL)
2676					continue;
2677				if (((non_asoc_addr_ok == 0) &&
2678				    (sctp_is_addr_restricted(stcb, sifa))) ||
2679				    (non_asoc_addr_ok &&
2680				    (sctp_is_addr_restricted(stcb, sifa)) &&
2681				    (!sctp_is_addr_pending(stcb, sifa)))) {
2682					/* on the no-no list */
2683					continue;
2684				}
2685				atomic_add_int(&sifa->refcount, 1);
2686				return (sifa);
2687			}
2688		}
2689
2690	}
2691	/*
2692	 * if we can't find one like that then we must look at all addresses
2693	 * bound to pick one at first preferable then secondly acceptable.
2694	 */
2695	starting_point = stcb->asoc.last_used_address;
2696sctp_from_the_top:
2697	if (stcb->asoc.last_used_address == NULL) {
2698		start_at_beginning = 1;
2699		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2700	}
2701	/* search beginning with the last used address */
2702	for (laddr = stcb->asoc.last_used_address; laddr;
2703	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2704		if (laddr->ifa == NULL) {
2705			/* address has been removed */
2706			continue;
2707		}
2708		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2709			/* address is being deleted */
2710			continue;
2711		}
2712		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop, dest_is_priv, fam);
2713		if (sifa == NULL)
2714			continue;
2715		if (((non_asoc_addr_ok == 0) &&
2716		    (sctp_is_addr_restricted(stcb, sifa))) ||
2717		    (non_asoc_addr_ok &&
2718		    (sctp_is_addr_restricted(stcb, sifa)) &&
2719		    (!sctp_is_addr_pending(stcb, sifa)))) {
2720			/* on the no-no list */
2721			continue;
2722		}
2723		stcb->asoc.last_used_address = laddr;
2724		atomic_add_int(&sifa->refcount, 1);
2725		return (sifa);
2726	}
2727	if (start_at_beginning == 0) {
2728		stcb->asoc.last_used_address = NULL;
2729		goto sctp_from_the_top;
2730	}
2731	/* now try for any higher scope than the destination */
2732	stcb->asoc.last_used_address = starting_point;
2733	start_at_beginning = 0;
2734sctp_from_the_top2:
2735	if (stcb->asoc.last_used_address == NULL) {
2736		start_at_beginning = 1;
2737		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2738	}
2739	/* search beginning with the last used address */
2740	for (laddr = stcb->asoc.last_used_address; laddr;
2741	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2742		if (laddr->ifa == NULL) {
2743			/* address has been removed */
2744			continue;
2745		}
2746		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2747			/* address is being deleted */
2748			continue;
2749		}
2750		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2751		    dest_is_priv, fam);
2752		if (sifa == NULL)
2753			continue;
2754		if (((non_asoc_addr_ok == 0) &&
2755		    (sctp_is_addr_restricted(stcb, sifa))) ||
2756		    (non_asoc_addr_ok &&
2757		    (sctp_is_addr_restricted(stcb, sifa)) &&
2758		    (!sctp_is_addr_pending(stcb, sifa)))) {
2759			/* on the no-no list */
2760			continue;
2761		}
2762		stcb->asoc.last_used_address = laddr;
2763		atomic_add_int(&sifa->refcount, 1);
2764		return (sifa);
2765	}
2766	if (start_at_beginning == 0) {
2767		stcb->asoc.last_used_address = NULL;
2768		goto sctp_from_the_top2;
2769	}
2770	return (NULL);
2771}
2772
2773static struct sctp_ifa *
2774sctp_select_nth_preferred_addr_from_ifn_boundall(struct sctp_ifn *ifn,
2775    struct sctp_inpcb *inp,
2776    struct sctp_tcb *stcb,
2777    int non_asoc_addr_ok,
2778    uint8_t dest_is_loop,
2779    uint8_t dest_is_priv,
2780    int addr_wanted,
2781    sa_family_t fam,
2782    sctp_route_t * ro
2783)
2784{
2785	struct sctp_ifa *ifa, *sifa;
2786	int num_eligible_addr = 0;
2787
2788#ifdef INET6
2789	struct sockaddr_in6 sin6, lsa6;
2790
2791	if (fam == AF_INET6) {
2792		memcpy(&sin6, &ro->ro_dst, sizeof(struct sockaddr_in6));
2793		(void)sa6_recoverscope(&sin6);
2794	}
2795#endif				/* INET6 */
2796	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2797#ifdef INET
2798		if ((ifa->address.sa.sa_family == AF_INET) &&
2799		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2800		    &ifa->address.sin.sin_addr) != 0)) {
2801			continue;
2802		}
2803#endif
2804#ifdef INET6
2805		if ((ifa->address.sa.sa_family == AF_INET6) &&
2806		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2807		    &ifa->address.sin6.sin6_addr) != 0)) {
2808			continue;
2809		}
2810#endif
2811		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2812		    (non_asoc_addr_ok == 0))
2813			continue;
2814		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2815		    dest_is_priv, fam);
2816		if (sifa == NULL)
2817			continue;
2818#ifdef INET6
2819		if (fam == AF_INET6 &&
2820		    dest_is_loop &&
2821		    sifa->src_is_loop && sifa->src_is_priv) {
2822			/*
2823			 * don't allow fe80::1 to be a src on loop ::1, we
2824			 * don't list it to the peer so we will get an
2825			 * abort.
2826			 */
2827			continue;
2828		}
2829		if (fam == AF_INET6 &&
2830		    IN6_IS_ADDR_LINKLOCAL(&sifa->address.sin6.sin6_addr) &&
2831		    IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr)) {
2832			/*
2833			 * link-local <-> link-local must belong to the same
2834			 * scope.
2835			 */
2836			memcpy(&lsa6, &sifa->address.sin6, sizeof(struct sockaddr_in6));
2837			(void)sa6_recoverscope(&lsa6);
2838			if (sin6.sin6_scope_id != lsa6.sin6_scope_id) {
2839				continue;
2840			}
2841		}
2842#endif				/* INET6 */
2843
2844		/*
2845		 * Check if the IPv6 address matches to next-hop. In the
2846		 * mobile case, old IPv6 address may be not deleted from the
2847		 * interface. Then, the interface has previous and new
2848		 * addresses.  We should use one corresponding to the
2849		 * next-hop.  (by micchie)
2850		 */
2851#ifdef INET6
2852		if (stcb && fam == AF_INET6 &&
2853		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2854			if (sctp_v6src_match_nexthop(&sifa->address.sin6, ro)
2855			    == 0) {
2856				continue;
2857			}
2858		}
2859#endif
2860#ifdef INET
2861		/* Avoid topologically incorrect IPv4 address */
2862		if (stcb && fam == AF_INET &&
2863		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2864			if (sctp_v4src_match_nexthop(sifa, ro) == 0) {
2865				continue;
2866			}
2867		}
2868#endif
2869		if (stcb) {
2870			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
2871				continue;
2872			}
2873			if (((non_asoc_addr_ok == 0) &&
2874			    (sctp_is_addr_restricted(stcb, sifa))) ||
2875			    (non_asoc_addr_ok &&
2876			    (sctp_is_addr_restricted(stcb, sifa)) &&
2877			    (!sctp_is_addr_pending(stcb, sifa)))) {
2878				/*
2879				 * It is restricted for some reason..
2880				 * probably not yet added.
2881				 */
2882				continue;
2883			}
2884		}
2885		if (num_eligible_addr >= addr_wanted) {
2886			return (sifa);
2887		}
2888		num_eligible_addr++;
2889	}
2890	return (NULL);
2891}
2892
2893
2894static int
2895sctp_count_num_preferred_boundall(struct sctp_ifn *ifn,
2896    struct sctp_inpcb *inp,
2897    struct sctp_tcb *stcb,
2898    int non_asoc_addr_ok,
2899    uint8_t dest_is_loop,
2900    uint8_t dest_is_priv,
2901    sa_family_t fam)
2902{
2903	struct sctp_ifa *ifa, *sifa;
2904	int num_eligible_addr = 0;
2905
2906	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2907#ifdef INET
2908		if ((ifa->address.sa.sa_family == AF_INET) &&
2909		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
2910		    &ifa->address.sin.sin_addr) != 0)) {
2911			continue;
2912		}
2913#endif
2914#ifdef INET6
2915		if ((ifa->address.sa.sa_family == AF_INET6) &&
2916		    (stcb != NULL) &&
2917		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
2918		    &ifa->address.sin6.sin6_addr) != 0)) {
2919			continue;
2920		}
2921#endif
2922		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2923		    (non_asoc_addr_ok == 0)) {
2924			continue;
2925		}
2926		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2927		    dest_is_priv, fam);
2928		if (sifa == NULL) {
2929			continue;
2930		}
2931		if (stcb) {
2932			if (sctp_is_address_in_scope(ifa, &stcb->asoc.scope, 0) == 0) {
2933				continue;
2934			}
2935			if (((non_asoc_addr_ok == 0) &&
2936			    (sctp_is_addr_restricted(stcb, sifa))) ||
2937			    (non_asoc_addr_ok &&
2938			    (sctp_is_addr_restricted(stcb, sifa)) &&
2939			    (!sctp_is_addr_pending(stcb, sifa)))) {
2940				/*
2941				 * It is restricted for some reason..
2942				 * probably not yet added.
2943				 */
2944				continue;
2945			}
2946		}
2947		num_eligible_addr++;
2948	}
2949	return (num_eligible_addr);
2950}
2951
2952static struct sctp_ifa *
2953sctp_choose_boundall(struct sctp_inpcb *inp,
2954    struct sctp_tcb *stcb,
2955    struct sctp_nets *net,
2956    sctp_route_t * ro,
2957    uint32_t vrf_id,
2958    uint8_t dest_is_priv,
2959    uint8_t dest_is_loop,
2960    int non_asoc_addr_ok,
2961    sa_family_t fam)
2962{
2963	int cur_addr_num = 0, num_preferred = 0;
2964	void *ifn;
2965	struct sctp_ifn *sctp_ifn, *looked_at = NULL, *emit_ifn;
2966	struct sctp_ifa *sctp_ifa, *sifa;
2967	uint32_t ifn_index;
2968	struct sctp_vrf *vrf;
2969
2970#ifdef INET
2971	int retried = 0;
2972
2973#endif
2974
2975	/*-
2976	 * For boundall we can use any address in the association.
2977	 * If non_asoc_addr_ok is set we can use any address (at least in
2978	 * theory). So we look for preferred addresses first. If we find one,
2979	 * we use it. Otherwise we next try to get an address on the
2980	 * interface, which we should be able to do (unless non_asoc_addr_ok
2981	 * is false and we are routed out that way). In these cases where we
2982	 * can't use the address of the interface we go through all the
2983	 * ifn's looking for an address we can use and fill that in. Punting
2984	 * means we send back address 0, which will probably cause problems
2985	 * actually since then IP will fill in the address of the route ifn,
2986	 * which means we probably already rejected it.. i.e. here comes an
2987	 * abort :-<.
2988	 */
2989	vrf = sctp_find_vrf(vrf_id);
2990	if (vrf == NULL)
2991		return (NULL);
2992
2993	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2994	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2995	SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifn from route:%p ifn_index:%d\n", ifn, ifn_index);
2996	emit_ifn = looked_at = sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2997	if (sctp_ifn == NULL) {
2998		/* ?? We don't have this guy ?? */
2999		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No ifn emit interface?\n");
3000		goto bound_all_plan_b;
3001	}
3002	SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifn_index:%d name:%s is emit interface\n",
3003	    ifn_index, sctp_ifn->ifn_name);
3004
3005	if (net) {
3006		cur_addr_num = net->indx_of_eligible_next_to_use;
3007	}
3008	num_preferred = sctp_count_num_preferred_boundall(sctp_ifn,
3009	    inp, stcb,
3010	    non_asoc_addr_ok,
3011	    dest_is_loop,
3012	    dest_is_priv, fam);
3013	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Found %d preferred source addresses for intf:%s\n",
3014	    num_preferred, sctp_ifn->ifn_name);
3015	if (num_preferred == 0) {
3016		/*
3017		 * no eligible addresses, we must use some other interface
3018		 * address if we can find one.
3019		 */
3020		goto bound_all_plan_b;
3021	}
3022	/*
3023	 * Ok we have num_eligible_addr set with how many we can use, this
3024	 * may vary from call to call due to addresses being deprecated
3025	 * etc..
3026	 */
3027	if (cur_addr_num >= num_preferred) {
3028		cur_addr_num = 0;
3029	}
3030	/*
3031	 * select the nth address from the list (where cur_addr_num is the
3032	 * nth) and 0 is the first one, 1 is the second one etc...
3033	 */
3034	SCTPDBG(SCTP_DEBUG_OUTPUT2, "cur_addr_num:%d\n", cur_addr_num);
3035
3036	sctp_ifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3037	    dest_is_priv, cur_addr_num, fam, ro);
3038
3039	/* if sctp_ifa is NULL something changed??, fall to plan b. */
3040	if (sctp_ifa) {
3041		atomic_add_int(&sctp_ifa->refcount, 1);
3042		if (net) {
3043			/* save off where the next one we will want */
3044			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3045		}
3046		return (sctp_ifa);
3047	}
3048	/*
3049	 * plan_b: Look at all interfaces and find a preferred address. If
3050	 * no preferred fall through to plan_c.
3051	 */
3052bound_all_plan_b:
3053	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan B\n");
3054	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3055		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Examine interface %s\n",
3056		    sctp_ifn->ifn_name);
3057		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3058			/* wrong base scope */
3059			SCTPDBG(SCTP_DEBUG_OUTPUT2, "skip\n");
3060			continue;
3061		}
3062		if ((sctp_ifn == looked_at) && looked_at) {
3063			/* already looked at this guy */
3064			SCTPDBG(SCTP_DEBUG_OUTPUT2, "already seen\n");
3065			continue;
3066		}
3067		num_preferred = sctp_count_num_preferred_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok,
3068		    dest_is_loop, dest_is_priv, fam);
3069		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3070		    "Found ifn:%p %d preferred source addresses\n",
3071		    ifn, num_preferred);
3072		if (num_preferred == 0) {
3073			/* None on this interface. */
3074			SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefered -- skipping to next\n");
3075			continue;
3076		}
3077		SCTPDBG(SCTP_DEBUG_OUTPUT2,
3078		    "num preferred:%d on interface:%p cur_addr_num:%d\n",
3079		    num_preferred, (void *)sctp_ifn, cur_addr_num);
3080
3081		/*
3082		 * Ok we have num_eligible_addr set with how many we can
3083		 * use, this may vary from call to call due to addresses
3084		 * being deprecated etc..
3085		 */
3086		if (cur_addr_num >= num_preferred) {
3087			cur_addr_num = 0;
3088		}
3089		sifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, inp, stcb, non_asoc_addr_ok, dest_is_loop,
3090		    dest_is_priv, cur_addr_num, fam, ro);
3091		if (sifa == NULL)
3092			continue;
3093		if (net) {
3094			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
3095			SCTPDBG(SCTP_DEBUG_OUTPUT2, "we selected %d\n",
3096			    cur_addr_num);
3097			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Source:");
3098			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
3099			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Dest:");
3100			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &net->ro._l_addr.sa);
3101		}
3102		atomic_add_int(&sifa->refcount, 1);
3103		return (sifa);
3104	}
3105#ifdef INET
3106again_with_private_addresses_allowed:
3107#endif
3108	/* plan_c: do we have an acceptable address on the emit interface */
3109	sifa = NULL;
3110	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan C: find acceptable on interface\n");
3111	if (emit_ifn == NULL) {
3112		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Jump to Plan D - no emit_ifn\n");
3113		goto plan_d;
3114	}
3115	LIST_FOREACH(sctp_ifa, &emit_ifn->ifalist, next_ifa) {
3116		SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifa:%p\n", (void *)sctp_ifa);
3117#ifdef INET
3118		if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3119		    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3120		    &sctp_ifa->address.sin.sin_addr) != 0)) {
3121			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Jailed\n");
3122			continue;
3123		}
3124#endif
3125#ifdef INET6
3126		if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3127		    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3128		    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3129			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Jailed\n");
3130			continue;
3131		}
3132#endif
3133		if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3134		    (non_asoc_addr_ok == 0)) {
3135			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Defer\n");
3136			continue;
3137		}
3138		sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop,
3139		    dest_is_priv, fam);
3140		if (sifa == NULL) {
3141			SCTPDBG(SCTP_DEBUG_OUTPUT2, "IFA not acceptable\n");
3142			continue;
3143		}
3144		if (stcb) {
3145			if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3146				SCTPDBG(SCTP_DEBUG_OUTPUT2, "NOT in scope\n");
3147				sifa = NULL;
3148				continue;
3149			}
3150			if (((non_asoc_addr_ok == 0) &&
3151			    (sctp_is_addr_restricted(stcb, sifa))) ||
3152			    (non_asoc_addr_ok &&
3153			    (sctp_is_addr_restricted(stcb, sifa)) &&
3154			    (!sctp_is_addr_pending(stcb, sifa)))) {
3155				/*
3156				 * It is restricted for some reason..
3157				 * probably not yet added.
3158				 */
3159				SCTPDBG(SCTP_DEBUG_OUTPUT2, "Its resticted\n");
3160				sifa = NULL;
3161				continue;
3162			}
3163		}
3164		atomic_add_int(&sifa->refcount, 1);
3165		goto out;
3166	}
3167plan_d:
3168	/*
3169	 * plan_d: We are in trouble. No preferred address on the emit
3170	 * interface. And not even a preferred address on all interfaces. Go
3171	 * out and see if we can find an acceptable address somewhere
3172	 * amongst all interfaces.
3173	 */
3174	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan D looked_at is %p\n", (void *)looked_at);
3175	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3176		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3177			/* wrong base scope */
3178			continue;
3179		}
3180		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3181#ifdef INET
3182			if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3183			    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3184			    &sctp_ifa->address.sin.sin_addr) != 0)) {
3185				continue;
3186			}
3187#endif
3188#ifdef INET6
3189			if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3190			    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3191			    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3192				continue;
3193			}
3194#endif
3195			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3196			    (non_asoc_addr_ok == 0))
3197				continue;
3198			sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3199			    dest_is_loop,
3200			    dest_is_priv, fam);
3201			if (sifa == NULL)
3202				continue;
3203			if (stcb) {
3204				if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
3205					sifa = NULL;
3206					continue;
3207				}
3208				if (((non_asoc_addr_ok == 0) &&
3209				    (sctp_is_addr_restricted(stcb, sifa))) ||
3210				    (non_asoc_addr_ok &&
3211				    (sctp_is_addr_restricted(stcb, sifa)) &&
3212				    (!sctp_is_addr_pending(stcb, sifa)))) {
3213					/*
3214					 * It is restricted for some
3215					 * reason.. probably not yet added.
3216					 */
3217					sifa = NULL;
3218					continue;
3219				}
3220			}
3221			goto out;
3222		}
3223	}
3224#ifdef INET
3225	if ((retried == 0) && (stcb->asoc.scope.ipv4_local_scope == 0)) {
3226		stcb->asoc.scope.ipv4_local_scope = 1;
3227		retried = 1;
3228		goto again_with_private_addresses_allowed;
3229	} else if (retried == 1) {
3230		stcb->asoc.scope.ipv4_local_scope = 0;
3231	}
3232#endif
3233out:
3234#ifdef INET
3235	if (sifa) {
3236		if (retried == 1) {
3237			LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3238				if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3239					/* wrong base scope */
3240					continue;
3241				}
3242				LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3243					struct sctp_ifa *tmp_sifa;
3244
3245#ifdef INET
3246					if ((sctp_ifa->address.sa.sa_family == AF_INET) &&
3247					    (prison_check_ip4(inp->ip_inp.inp.inp_cred,
3248					    &sctp_ifa->address.sin.sin_addr) != 0)) {
3249						continue;
3250					}
3251#endif
3252#ifdef INET6
3253					if ((sctp_ifa->address.sa.sa_family == AF_INET6) &&
3254					    (prison_check_ip6(inp->ip_inp.inp.inp_cred,
3255					    &sctp_ifa->address.sin6.sin6_addr) != 0)) {
3256						continue;
3257					}
3258#endif
3259					if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3260					    (non_asoc_addr_ok == 0))
3261						continue;
3262					tmp_sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3263					    dest_is_loop,
3264					    dest_is_priv, fam);
3265					if (tmp_sifa == NULL) {
3266						continue;
3267					}
3268					if (tmp_sifa == sifa) {
3269						continue;
3270					}
3271					if (stcb) {
3272						if (sctp_is_address_in_scope(tmp_sifa,
3273						    &stcb->asoc.scope, 0) == 0) {
3274							continue;
3275						}
3276						if (((non_asoc_addr_ok == 0) &&
3277						    (sctp_is_addr_restricted(stcb, tmp_sifa))) ||
3278						    (non_asoc_addr_ok &&
3279						    (sctp_is_addr_restricted(stcb, tmp_sifa)) &&
3280						    (!sctp_is_addr_pending(stcb, tmp_sifa)))) {
3281							/*
3282							 * It is restricted
3283							 * for some reason..
3284							 * probably not yet
3285							 * added.
3286							 */
3287							continue;
3288						}
3289					}
3290					if ((tmp_sifa->address.sin.sin_family == AF_INET) &&
3291					    (IN4_ISPRIVATE_ADDRESS(&(tmp_sifa->address.sin.sin_addr)))) {
3292						sctp_add_local_addr_restricted(stcb, tmp_sifa);
3293					}
3294				}
3295			}
3296		}
3297		atomic_add_int(&sifa->refcount, 1);
3298	}
3299#endif
3300	return (sifa);
3301}
3302
3303
3304
3305/* tcb may be NULL */
3306struct sctp_ifa *
3307sctp_source_address_selection(struct sctp_inpcb *inp,
3308    struct sctp_tcb *stcb,
3309    sctp_route_t * ro,
3310    struct sctp_nets *net,
3311    int non_asoc_addr_ok, uint32_t vrf_id)
3312{
3313	struct sctp_ifa *answer;
3314	uint8_t dest_is_priv, dest_is_loop;
3315	sa_family_t fam;
3316
3317#ifdef INET
3318	struct sockaddr_in *to = (struct sockaddr_in *)&ro->ro_dst;
3319
3320#endif
3321#ifdef INET6
3322	struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&ro->ro_dst;
3323
3324#endif
3325
3326	/**
3327	 * Rules: - Find the route if needed, cache if I can. - Look at
3328	 * interface address in route, Is it in the bound list. If so we
3329	 * have the best source. - If not we must rotate amongst the
3330	 * addresses.
3331	 *
3332	 * Cavets and issues
3333	 *
3334	 * Do we need to pay attention to scope. We can have a private address
3335	 * or a global address we are sourcing or sending to. So if we draw
3336	 * it out
3337	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3338	 * For V4
3339	 * ------------------------------------------
3340	 *      source     *      dest  *  result
3341	 * -----------------------------------------
3342	 * <a>  Private    *    Global  *  NAT
3343	 * -----------------------------------------
3344	 * <b>  Private    *    Private *  No problem
3345	 * -----------------------------------------
3346	 * <c>  Global     *    Private *  Huh, How will this work?
3347	 * -----------------------------------------
3348	 * <d>  Global     *    Global  *  No Problem
3349	 *------------------------------------------
3350	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3351	 * For V6
3352	 *------------------------------------------
3353	 *      source     *      dest  *  result
3354	 * -----------------------------------------
3355	 * <a>  Linklocal  *    Global  *
3356	 * -----------------------------------------
3357	 * <b>  Linklocal  * Linklocal  *  No problem
3358	 * -----------------------------------------
3359	 * <c>  Global     * Linklocal  *  Huh, How will this work?
3360	 * -----------------------------------------
3361	 * <d>  Global     *    Global  *  No Problem
3362	 *------------------------------------------
3363	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3364	 *
3365	 * And then we add to that what happens if there are multiple addresses
3366	 * assigned to an interface. Remember the ifa on a ifn is a linked
3367	 * list of addresses. So one interface can have more than one IP
3368	 * address. What happens if we have both a private and a global
3369	 * address? Do we then use context of destination to sort out which
3370	 * one is best? And what about NAT's sending P->G may get you a NAT
3371	 * translation, or should you select the G thats on the interface in
3372	 * preference.
3373	 *
3374	 * Decisions:
3375	 *
3376	 * - count the number of addresses on the interface.
3377	 * - if it is one, no problem except case <c>.
3378	 *   For <a> we will assume a NAT out there.
3379	 * - if there are more than one, then we need to worry about scope P
3380	 *   or G. We should prefer G -> G and P -> P if possible.
3381	 *   Then as a secondary fall back to mixed types G->P being a last
3382	 *   ditch one.
3383	 * - The above all works for bound all, but bound specific we need to
3384	 *   use the same concept but instead only consider the bound
3385	 *   addresses. If the bound set is NOT assigned to the interface then
3386	 *   we must use rotation amongst the bound addresses..
3387	 */
3388	if (ro->ro_rt == NULL) {
3389		/*
3390		 * Need a route to cache.
3391		 */
3392		SCTP_RTALLOC(ro, vrf_id, inp->fibnum);
3393	}
3394	if (ro->ro_rt == NULL) {
3395		return (NULL);
3396	}
3397	fam = ro->ro_dst.sa_family;
3398	dest_is_priv = dest_is_loop = 0;
3399	/* Setup our scopes for the destination */
3400	switch (fam) {
3401#ifdef INET
3402	case AF_INET:
3403		/* Scope based on outbound address */
3404		if (IN4_ISLOOPBACK_ADDRESS(&to->sin_addr)) {
3405			dest_is_loop = 1;
3406			if (net != NULL) {
3407				/* mark it as local */
3408				net->addr_is_local = 1;
3409			}
3410		} else if ((IN4_ISPRIVATE_ADDRESS(&to->sin_addr))) {
3411			dest_is_priv = 1;
3412		}
3413		break;
3414#endif
3415#ifdef INET6
3416	case AF_INET6:
3417		/* Scope based on outbound address */
3418		if (IN6_IS_ADDR_LOOPBACK(&to6->sin6_addr) ||
3419		    SCTP_ROUTE_IS_REAL_LOOP(ro)) {
3420			/*
3421			 * If the address is a loopback address, which
3422			 * consists of "::1" OR "fe80::1%lo0", we are
3423			 * loopback scope. But we don't use dest_is_priv
3424			 * (link local addresses).
3425			 */
3426			dest_is_loop = 1;
3427			if (net != NULL) {
3428				/* mark it as local */
3429				net->addr_is_local = 1;
3430			}
3431		} else if (IN6_IS_ADDR_LINKLOCAL(&to6->sin6_addr)) {
3432			dest_is_priv = 1;
3433		}
3434		break;
3435#endif
3436	}
3437	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Select source addr for:");
3438	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&ro->ro_dst);
3439	SCTP_IPI_ADDR_RLOCK();
3440	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
3441		/*
3442		 * Bound all case
3443		 */
3444		answer = sctp_choose_boundall(inp, stcb, net, ro, vrf_id,
3445		    dest_is_priv, dest_is_loop,
3446		    non_asoc_addr_ok, fam);
3447		SCTP_IPI_ADDR_RUNLOCK();
3448		return (answer);
3449	}
3450	/*
3451	 * Subset bound case
3452	 */
3453	if (stcb) {
3454		answer = sctp_choose_boundspecific_stcb(inp, stcb, ro,
3455		    vrf_id, dest_is_priv,
3456		    dest_is_loop,
3457		    non_asoc_addr_ok, fam);
3458	} else {
3459		answer = sctp_choose_boundspecific_inp(inp, ro, vrf_id,
3460		    non_asoc_addr_ok,
3461		    dest_is_priv,
3462		    dest_is_loop, fam);
3463	}
3464	SCTP_IPI_ADDR_RUNLOCK();
3465	return (answer);
3466}
3467
3468static int
3469sctp_find_cmsg(int c_type, void *data, struct mbuf *control, size_t cpsize)
3470{
3471	struct cmsghdr cmh;
3472	int tlen, at, found;
3473	struct sctp_sndinfo sndinfo;
3474	struct sctp_prinfo prinfo;
3475	struct sctp_authinfo authinfo;
3476
3477	tlen = SCTP_BUF_LEN(control);
3478	at = 0;
3479	found = 0;
3480	/*
3481	 * Independent of how many mbufs, find the c_type inside the control
3482	 * structure and copy out the data.
3483	 */
3484	while (at < tlen) {
3485		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3486			/* There is not enough room for one more. */
3487			return (found);
3488		}
3489		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3490		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3491			/* We dont't have a complete CMSG header. */
3492			return (found);
3493		}
3494		if (((int)cmh.cmsg_len + at) > tlen) {
3495			/* We don't have the complete CMSG. */
3496			return (found);
3497		}
3498		if ((cmh.cmsg_level == IPPROTO_SCTP) &&
3499		    ((c_type == cmh.cmsg_type) ||
3500		    ((c_type == SCTP_SNDRCV) &&
3501		    ((cmh.cmsg_type == SCTP_SNDINFO) ||
3502		    (cmh.cmsg_type == SCTP_PRINFO) ||
3503		    (cmh.cmsg_type == SCTP_AUTHINFO))))) {
3504			if (c_type == cmh.cmsg_type) {
3505				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < cpsize) {
3506					return (found);
3507				}
3508				/* It is exactly what we want. Copy it out. */
3509				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), cpsize, (caddr_t)data);
3510				return (1);
3511			} else {
3512				struct sctp_sndrcvinfo *sndrcvinfo;
3513
3514				sndrcvinfo = (struct sctp_sndrcvinfo *)data;
3515				if (found == 0) {
3516					if (cpsize < sizeof(struct sctp_sndrcvinfo)) {
3517						return (found);
3518					}
3519					memset(sndrcvinfo, 0, sizeof(struct sctp_sndrcvinfo));
3520				}
3521				switch (cmh.cmsg_type) {
3522				case SCTP_SNDINFO:
3523					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_sndinfo)) {
3524						return (found);
3525					}
3526					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_sndinfo), (caddr_t)&sndinfo);
3527					sndrcvinfo->sinfo_stream = sndinfo.snd_sid;
3528					sndrcvinfo->sinfo_flags = sndinfo.snd_flags;
3529					sndrcvinfo->sinfo_ppid = sndinfo.snd_ppid;
3530					sndrcvinfo->sinfo_context = sndinfo.snd_context;
3531					sndrcvinfo->sinfo_assoc_id = sndinfo.snd_assoc_id;
3532					break;
3533				case SCTP_PRINFO:
3534					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_prinfo)) {
3535						return (found);
3536					}
3537					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_prinfo), (caddr_t)&prinfo);
3538					if (prinfo.pr_policy != SCTP_PR_SCTP_NONE) {
3539						sndrcvinfo->sinfo_timetolive = prinfo.pr_value;
3540					} else {
3541						sndrcvinfo->sinfo_timetolive = 0;
3542					}
3543					sndrcvinfo->sinfo_flags |= prinfo.pr_policy;
3544					break;
3545				case SCTP_AUTHINFO:
3546					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_authinfo)) {
3547						return (found);
3548					}
3549					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_authinfo), (caddr_t)&authinfo);
3550					sndrcvinfo->sinfo_keynumber_valid = 1;
3551					sndrcvinfo->sinfo_keynumber = authinfo.auth_keynumber;
3552					break;
3553				default:
3554					return (found);
3555				}
3556				found = 1;
3557			}
3558		}
3559		at += CMSG_ALIGN(cmh.cmsg_len);
3560	}
3561	return (found);
3562}
3563
3564static int
3565sctp_process_cmsgs_for_init(struct sctp_tcb *stcb, struct mbuf *control, int *error)
3566{
3567	struct cmsghdr cmh;
3568	int tlen, at;
3569	struct sctp_initmsg initmsg;
3570
3571#ifdef INET
3572	struct sockaddr_in sin;
3573
3574#endif
3575#ifdef INET6
3576	struct sockaddr_in6 sin6;
3577
3578#endif
3579
3580	tlen = SCTP_BUF_LEN(control);
3581	at = 0;
3582	while (at < tlen) {
3583		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3584			/* There is not enough room for one more. */
3585			*error = EINVAL;
3586			return (1);
3587		}
3588		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3589		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3590			/* We dont't have a complete CMSG header. */
3591			*error = EINVAL;
3592			return (1);
3593		}
3594		if (((int)cmh.cmsg_len + at) > tlen) {
3595			/* We don't have the complete CMSG. */
3596			*error = EINVAL;
3597			return (1);
3598		}
3599		if (cmh.cmsg_level == IPPROTO_SCTP) {
3600			switch (cmh.cmsg_type) {
3601			case SCTP_INIT:
3602				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_initmsg)) {
3603					*error = EINVAL;
3604					return (1);
3605				}
3606				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_initmsg), (caddr_t)&initmsg);
3607				if (initmsg.sinit_max_attempts)
3608					stcb->asoc.max_init_times = initmsg.sinit_max_attempts;
3609				if (initmsg.sinit_num_ostreams)
3610					stcb->asoc.pre_open_streams = initmsg.sinit_num_ostreams;
3611				if (initmsg.sinit_max_instreams)
3612					stcb->asoc.max_inbound_streams = initmsg.sinit_max_instreams;
3613				if (initmsg.sinit_max_init_timeo)
3614					stcb->asoc.initial_init_rto_max = initmsg.sinit_max_init_timeo;
3615				if (stcb->asoc.streamoutcnt < stcb->asoc.pre_open_streams) {
3616					struct sctp_stream_out *tmp_str;
3617					unsigned int i;
3618
3619#if defined(SCTP_DETAILED_STR_STATS)
3620					int j;
3621
3622#endif
3623
3624					/* Default is NOT correct */
3625					SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, default:%d pre_open:%d\n",
3626					    stcb->asoc.streamoutcnt, stcb->asoc.pre_open_streams);
3627					SCTP_TCB_UNLOCK(stcb);
3628					SCTP_MALLOC(tmp_str,
3629					    struct sctp_stream_out *,
3630					    (stcb->asoc.pre_open_streams * sizeof(struct sctp_stream_out)),
3631					    SCTP_M_STRMO);
3632					SCTP_TCB_LOCK(stcb);
3633					if (tmp_str != NULL) {
3634						SCTP_FREE(stcb->asoc.strmout, SCTP_M_STRMO);
3635						stcb->asoc.strmout = tmp_str;
3636						stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt = stcb->asoc.pre_open_streams;
3637					} else {
3638						stcb->asoc.pre_open_streams = stcb->asoc.streamoutcnt;
3639					}
3640					for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3641						TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
3642						stcb->asoc.strmout[i].chunks_on_queues = 0;
3643						stcb->asoc.strmout[i].next_sequence_send = 0;
3644#if defined(SCTP_DETAILED_STR_STATS)
3645						for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
3646							stcb->asoc.strmout[i].abandoned_sent[j] = 0;
3647							stcb->asoc.strmout[i].abandoned_unsent[j] = 0;
3648						}
3649#else
3650						stcb->asoc.strmout[i].abandoned_sent[0] = 0;
3651						stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
3652#endif
3653						stcb->asoc.strmout[i].stream_no = i;
3654						stcb->asoc.strmout[i].last_msg_incomplete = 0;
3655						stcb->asoc.strmout[i].state = SCTP_STREAM_OPENING;
3656						stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], NULL);
3657					}
3658				}
3659				break;
3660#ifdef INET
3661			case SCTP_DSTADDRV4:
3662				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in_addr)) {
3663					*error = EINVAL;
3664					return (1);
3665				}
3666				memset(&sin, 0, sizeof(struct sockaddr_in));
3667				sin.sin_family = AF_INET;
3668				sin.sin_len = sizeof(struct sockaddr_in);
3669				sin.sin_port = stcb->rport;
3670				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3671				if ((sin.sin_addr.s_addr == INADDR_ANY) ||
3672				    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
3673				    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3674					*error = EINVAL;
3675					return (1);
3676				}
3677				if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL,
3678				    SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3679					*error = ENOBUFS;
3680					return (1);
3681				}
3682				break;
3683#endif
3684#ifdef INET6
3685			case SCTP_DSTADDRV6:
3686				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in6_addr)) {
3687					*error = EINVAL;
3688					return (1);
3689				}
3690				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3691				sin6.sin6_family = AF_INET6;
3692				sin6.sin6_len = sizeof(struct sockaddr_in6);
3693				sin6.sin6_port = stcb->rport;
3694				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3695				if (IN6_IS_ADDR_UNSPECIFIED(&sin6.sin6_addr) ||
3696				    IN6_IS_ADDR_MULTICAST(&sin6.sin6_addr)) {
3697					*error = EINVAL;
3698					return (1);
3699				}
3700#ifdef INET
3701				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3702					in6_sin6_2_sin(&sin, &sin6);
3703					if ((sin.sin_addr.s_addr == INADDR_ANY) ||
3704					    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
3705					    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
3706						*error = EINVAL;
3707						return (1);
3708					}
3709					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL,
3710					    SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3711						*error = ENOBUFS;
3712						return (1);
3713					}
3714				} else
3715#endif
3716					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin6, NULL,
3717				    SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
3718					*error = ENOBUFS;
3719					return (1);
3720				}
3721				break;
3722#endif
3723			default:
3724				break;
3725			}
3726		}
3727		at += CMSG_ALIGN(cmh.cmsg_len);
3728	}
3729	return (0);
3730}
3731
3732static struct sctp_tcb *
3733sctp_findassociation_cmsgs(struct sctp_inpcb **inp_p,
3734    uint16_t port,
3735    struct mbuf *control,
3736    struct sctp_nets **net_p,
3737    int *error)
3738{
3739	struct cmsghdr cmh;
3740	int tlen, at;
3741	struct sctp_tcb *stcb;
3742	struct sockaddr *addr;
3743
3744#ifdef INET
3745	struct sockaddr_in sin;
3746
3747#endif
3748#ifdef INET6
3749	struct sockaddr_in6 sin6;
3750
3751#endif
3752
3753	tlen = SCTP_BUF_LEN(control);
3754	at = 0;
3755	while (at < tlen) {
3756		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3757			/* There is not enough room for one more. */
3758			*error = EINVAL;
3759			return (NULL);
3760		}
3761		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3762		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
3763			/* We dont't have a complete CMSG header. */
3764			*error = EINVAL;
3765			return (NULL);
3766		}
3767		if (((int)cmh.cmsg_len + at) > tlen) {
3768			/* We don't have the complete CMSG. */
3769			*error = EINVAL;
3770			return (NULL);
3771		}
3772		if (cmh.cmsg_level == IPPROTO_SCTP) {
3773			switch (cmh.cmsg_type) {
3774#ifdef INET
3775			case SCTP_DSTADDRV4:
3776				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in_addr)) {
3777					*error = EINVAL;
3778					return (NULL);
3779				}
3780				memset(&sin, 0, sizeof(struct sockaddr_in));
3781				sin.sin_family = AF_INET;
3782				sin.sin_len = sizeof(struct sockaddr_in);
3783				sin.sin_port = port;
3784				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
3785				addr = (struct sockaddr *)&sin;
3786				break;
3787#endif
3788#ifdef INET6
3789			case SCTP_DSTADDRV6:
3790				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in6_addr)) {
3791					*error = EINVAL;
3792					return (NULL);
3793				}
3794				memset(&sin6, 0, sizeof(struct sockaddr_in6));
3795				sin6.sin6_family = AF_INET6;
3796				sin6.sin6_len = sizeof(struct sockaddr_in6);
3797				sin6.sin6_port = port;
3798				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
3799#ifdef INET
3800				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
3801					in6_sin6_2_sin(&sin, &sin6);
3802					addr = (struct sockaddr *)&sin;
3803				} else
3804#endif
3805					addr = (struct sockaddr *)&sin6;
3806				break;
3807#endif
3808			default:
3809				addr = NULL;
3810				break;
3811			}
3812			if (addr) {
3813				stcb = sctp_findassociation_ep_addr(inp_p, addr, net_p, NULL, NULL);
3814				if (stcb != NULL) {
3815					return (stcb);
3816				}
3817			}
3818		}
3819		at += CMSG_ALIGN(cmh.cmsg_len);
3820	}
3821	return (NULL);
3822}
3823
3824static struct mbuf *
3825sctp_add_cookie(struct mbuf *init, int init_offset,
3826    struct mbuf *initack, int initack_offset, struct sctp_state_cookie *stc_in, uint8_t ** signature)
3827{
3828	struct mbuf *copy_init, *copy_initack, *m_at, *sig, *mret;
3829	struct sctp_state_cookie *stc;
3830	struct sctp_paramhdr *ph;
3831	uint8_t *foo;
3832	int sig_offset;
3833	uint16_t cookie_sz;
3834
3835	mret = sctp_get_mbuf_for_msg((sizeof(struct sctp_state_cookie) +
3836	    sizeof(struct sctp_paramhdr)), 0,
3837	    M_NOWAIT, 1, MT_DATA);
3838	if (mret == NULL) {
3839		return (NULL);
3840	}
3841	copy_init = SCTP_M_COPYM(init, init_offset, M_COPYALL, M_NOWAIT);
3842	if (copy_init == NULL) {
3843		sctp_m_freem(mret);
3844		return (NULL);
3845	}
3846#ifdef SCTP_MBUF_LOGGING
3847	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3848		sctp_log_mbc(copy_init, SCTP_MBUF_ICOPY);
3849	}
3850#endif
3851	copy_initack = SCTP_M_COPYM(initack, initack_offset, M_COPYALL,
3852	    M_NOWAIT);
3853	if (copy_initack == NULL) {
3854		sctp_m_freem(mret);
3855		sctp_m_freem(copy_init);
3856		return (NULL);
3857	}
3858#ifdef SCTP_MBUF_LOGGING
3859	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3860		sctp_log_mbc(copy_initack, SCTP_MBUF_ICOPY);
3861	}
3862#endif
3863	/* easy side we just drop it on the end */
3864	ph = mtod(mret, struct sctp_paramhdr *);
3865	SCTP_BUF_LEN(mret) = sizeof(struct sctp_state_cookie) +
3866	    sizeof(struct sctp_paramhdr);
3867	stc = (struct sctp_state_cookie *)((caddr_t)ph +
3868	    sizeof(struct sctp_paramhdr));
3869	ph->param_type = htons(SCTP_STATE_COOKIE);
3870	ph->param_length = 0;	/* fill in at the end */
3871	/* Fill in the stc cookie data */
3872	memcpy(stc, stc_in, sizeof(struct sctp_state_cookie));
3873
3874	/* tack the INIT and then the INIT-ACK onto the chain */
3875	cookie_sz = 0;
3876	for (m_at = mret; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3877		cookie_sz += SCTP_BUF_LEN(m_at);
3878		if (SCTP_BUF_NEXT(m_at) == NULL) {
3879			SCTP_BUF_NEXT(m_at) = copy_init;
3880			break;
3881		}
3882	}
3883	for (m_at = copy_init; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3884		cookie_sz += SCTP_BUF_LEN(m_at);
3885		if (SCTP_BUF_NEXT(m_at) == NULL) {
3886			SCTP_BUF_NEXT(m_at) = copy_initack;
3887			break;
3888		}
3889	}
3890	for (m_at = copy_initack; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3891		cookie_sz += SCTP_BUF_LEN(m_at);
3892		if (SCTP_BUF_NEXT(m_at) == NULL) {
3893			break;
3894		}
3895	}
3896	sig = sctp_get_mbuf_for_msg(SCTP_SECRET_SIZE, 0, M_NOWAIT, 1, MT_DATA);
3897	if (sig == NULL) {
3898		/* no space, so free the entire chain */
3899		sctp_m_freem(mret);
3900		return (NULL);
3901	}
3902	SCTP_BUF_LEN(sig) = 0;
3903	SCTP_BUF_NEXT(m_at) = sig;
3904	sig_offset = 0;
3905	foo = (uint8_t *) (mtod(sig, caddr_t)+sig_offset);
3906	memset(foo, 0, SCTP_SIGNATURE_SIZE);
3907	*signature = foo;
3908	SCTP_BUF_LEN(sig) += SCTP_SIGNATURE_SIZE;
3909	cookie_sz += SCTP_SIGNATURE_SIZE;
3910	ph->param_length = htons(cookie_sz);
3911	return (mret);
3912}
3913
3914
3915static uint8_t
3916sctp_get_ect(struct sctp_tcb *stcb)
3917{
3918	if ((stcb != NULL) && (stcb->asoc.ecn_supported == 1)) {
3919		return (SCTP_ECT0_BIT);
3920	} else {
3921		return (0);
3922	}
3923}
3924
3925#if defined(INET) || defined(INET6)
3926static void
3927sctp_handle_no_route(struct sctp_tcb *stcb,
3928    struct sctp_nets *net,
3929    int so_locked)
3930{
3931	SCTPDBG(SCTP_DEBUG_OUTPUT1, "dropped packet - no valid source addr\n");
3932
3933	if (net) {
3934		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Destination was ");
3935		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT1, &net->ro._l_addr.sa);
3936		if (net->dest_state & SCTP_ADDR_CONFIRMED) {
3937			if ((net->dest_state & SCTP_ADDR_REACHABLE) && stcb) {
3938				SCTPDBG(SCTP_DEBUG_OUTPUT1, "no route takes interface %p down\n", (void *)net);
3939				sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_DOWN,
3940				    stcb, 0,
3941				    (void *)net,
3942				    so_locked);
3943				net->dest_state &= ~SCTP_ADDR_REACHABLE;
3944				net->dest_state &= ~SCTP_ADDR_PF;
3945			}
3946		}
3947		if (stcb) {
3948			if (net == stcb->asoc.primary_destination) {
3949				/* need a new primary */
3950				struct sctp_nets *alt;
3951
3952				alt = sctp_find_alternate_net(stcb, net, 0);
3953				if (alt != net) {
3954					if (stcb->asoc.alternate) {
3955						sctp_free_remote_addr(stcb->asoc.alternate);
3956					}
3957					stcb->asoc.alternate = alt;
3958					atomic_add_int(&stcb->asoc.alternate->ref_count, 1);
3959					if (net->ro._s_addr) {
3960						sctp_free_ifa(net->ro._s_addr);
3961						net->ro._s_addr = NULL;
3962					}
3963					net->src_addr_selected = 0;
3964				}
3965			}
3966		}
3967	}
3968}
3969
3970#endif
3971
3972static int
3973sctp_lowlevel_chunk_output(struct sctp_inpcb *inp,
3974    struct sctp_tcb *stcb,	/* may be NULL */
3975    struct sctp_nets *net,
3976    struct sockaddr *to,
3977    struct mbuf *m,
3978    uint32_t auth_offset,
3979    struct sctp_auth_chunk *auth,
3980    uint16_t auth_keyid,
3981    int nofragment_flag,
3982    int ecn_ok,
3983    int out_of_asoc_ok,
3984    uint16_t src_port,
3985    uint16_t dest_port,
3986    uint32_t v_tag,
3987    uint16_t port,
3988    union sctp_sockstore *over_addr,
3989    uint8_t mflowtype, uint32_t mflowid,
3990#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3991    int so_locked SCTP_UNUSED
3992#else
3993    int so_locked
3994#endif
3995)
3996/* nofragment_flag to tell if IP_DF should be set (IPv4 only) */
3997{
3998	/**
3999	 * Given a mbuf chain (via SCTP_BUF_NEXT()) that holds a packet header
4000	 * WITH an SCTPHDR but no IP header, endpoint inp and sa structure:
4001	 * - fill in the HMAC digest of any AUTH chunk in the packet.
4002	 * - calculate and fill in the SCTP checksum.
4003	 * - prepend an IP address header.
4004	 * - if boundall use INADDR_ANY.
4005	 * - if boundspecific do source address selection.
4006	 * - set fragmentation option for ipV4.
4007	 * - On return from IP output, check/adjust mtu size of output
4008	 *   interface and smallest_mtu size as well.
4009	 */
4010	/* Will need ifdefs around this */
4011	struct mbuf *newm;
4012	struct sctphdr *sctphdr;
4013	int packet_length;
4014	int ret;
4015
4016#if defined(INET) || defined(INET6)
4017	uint32_t vrf_id;
4018
4019#endif
4020#if defined(INET) || defined(INET6)
4021	struct mbuf *o_pak;
4022	sctp_route_t *ro = NULL;
4023	struct udphdr *udp = NULL;
4024
4025#endif
4026	uint8_t tos_value;
4027
4028#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4029	struct socket *so = NULL;
4030
4031#endif
4032
4033	if ((net) && (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)) {
4034		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4035		sctp_m_freem(m);
4036		return (EFAULT);
4037	}
4038#if defined(INET) || defined(INET6)
4039	if (stcb) {
4040		vrf_id = stcb->asoc.vrf_id;
4041	} else {
4042		vrf_id = inp->def_vrf_id;
4043	}
4044#endif
4045	/* fill in the HMAC digest for any AUTH chunk in the packet */
4046	if ((auth != NULL) && (stcb != NULL)) {
4047		sctp_fill_hmac_digest_m(m, auth_offset, auth, stcb, auth_keyid);
4048	}
4049	if (net) {
4050		tos_value = net->dscp;
4051	} else if (stcb) {
4052		tos_value = stcb->asoc.default_dscp;
4053	} else {
4054		tos_value = inp->sctp_ep.default_dscp;
4055	}
4056
4057	switch (to->sa_family) {
4058#ifdef INET
4059	case AF_INET:
4060		{
4061			struct ip *ip = NULL;
4062			sctp_route_t iproute;
4063			int len;
4064
4065			len = SCTP_MIN_V4_OVERHEAD;
4066			if (port) {
4067				len += sizeof(struct udphdr);
4068			}
4069			newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4070			if (newm == NULL) {
4071				sctp_m_freem(m);
4072				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4073				return (ENOMEM);
4074			}
4075			SCTP_ALIGN_TO_END(newm, len);
4076			SCTP_BUF_LEN(newm) = len;
4077			SCTP_BUF_NEXT(newm) = m;
4078			m = newm;
4079			if (net != NULL) {
4080				m->m_pkthdr.flowid = net->flowid;
4081				M_HASHTYPE_SET(m, net->flowtype);
4082			} else {
4083				m->m_pkthdr.flowid = mflowid;
4084				M_HASHTYPE_SET(m, mflowtype);
4085			}
4086			packet_length = sctp_calculate_len(m);
4087			ip = mtod(m, struct ip *);
4088			ip->ip_v = IPVERSION;
4089			ip->ip_hl = (sizeof(struct ip) >> 2);
4090			if (tos_value == 0) {
4091				/*
4092				 * This means especially, that it is not set
4093				 * at the SCTP layer. So use the value from
4094				 * the IP layer.
4095				 */
4096				tos_value = inp->ip_inp.inp.inp_ip_tos;
4097			}
4098			tos_value &= 0xfc;
4099			if (ecn_ok) {
4100				tos_value |= sctp_get_ect(stcb);
4101			}
4102			if ((nofragment_flag) && (port == 0)) {
4103				ip->ip_off = htons(IP_DF);
4104			} else {
4105				ip->ip_off = htons(0);
4106			}
4107			/* FreeBSD has a function for ip_id's */
4108			ip->ip_id = ip_newid();
4109
4110			ip->ip_ttl = inp->ip_inp.inp.inp_ip_ttl;
4111			ip->ip_len = htons(packet_length);
4112			ip->ip_tos = tos_value;
4113			if (port) {
4114				ip->ip_p = IPPROTO_UDP;
4115			} else {
4116				ip->ip_p = IPPROTO_SCTP;
4117			}
4118			ip->ip_sum = 0;
4119			if (net == NULL) {
4120				ro = &iproute;
4121				memset(&iproute, 0, sizeof(iproute));
4122				memcpy(&ro->ro_dst, to, to->sa_len);
4123			} else {
4124				ro = (sctp_route_t *) & net->ro;
4125			}
4126			/* Now the address selection part */
4127			ip->ip_dst.s_addr = ((struct sockaddr_in *)to)->sin_addr.s_addr;
4128
4129			/* call the routine to select the src address */
4130			if (net && out_of_asoc_ok == 0) {
4131				if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
4132					sctp_free_ifa(net->ro._s_addr);
4133					net->ro._s_addr = NULL;
4134					net->src_addr_selected = 0;
4135					if (ro->ro_rt) {
4136						RTFREE(ro->ro_rt);
4137						ro->ro_rt = NULL;
4138					}
4139				}
4140				if (net->src_addr_selected == 0) {
4141					/* Cache the source address */
4142					net->ro._s_addr = sctp_source_address_selection(inp, stcb,
4143					    ro, net, 0,
4144					    vrf_id);
4145					net->src_addr_selected = 1;
4146				}
4147				if (net->ro._s_addr == NULL) {
4148					/* No route to host */
4149					net->src_addr_selected = 0;
4150					sctp_handle_no_route(stcb, net, so_locked);
4151					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4152					sctp_m_freem(m);
4153					return (EHOSTUNREACH);
4154				}
4155				ip->ip_src = net->ro._s_addr->address.sin.sin_addr;
4156			} else {
4157				if (over_addr == NULL) {
4158					struct sctp_ifa *_lsrc;
4159
4160					_lsrc = sctp_source_address_selection(inp, stcb, ro,
4161					    net,
4162					    out_of_asoc_ok,
4163					    vrf_id);
4164					if (_lsrc == NULL) {
4165						sctp_handle_no_route(stcb, net, so_locked);
4166						SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4167						sctp_m_freem(m);
4168						return (EHOSTUNREACH);
4169					}
4170					ip->ip_src = _lsrc->address.sin.sin_addr;
4171					sctp_free_ifa(_lsrc);
4172				} else {
4173					ip->ip_src = over_addr->sin.sin_addr;
4174					SCTP_RTALLOC(ro, vrf_id, inp->fibnum);
4175				}
4176			}
4177			if (port) {
4178				if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4179					sctp_handle_no_route(stcb, net, so_locked);
4180					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4181					sctp_m_freem(m);
4182					return (EHOSTUNREACH);
4183				}
4184				udp = (struct udphdr *)((caddr_t)ip + sizeof(struct ip));
4185				udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4186				udp->uh_dport = port;
4187				udp->uh_ulen = htons(packet_length - sizeof(struct ip));
4188				if (V_udp_cksum) {
4189					udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
4190				} else {
4191					udp->uh_sum = 0;
4192				}
4193				sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4194			} else {
4195				sctphdr = (struct sctphdr *)((caddr_t)ip + sizeof(struct ip));
4196			}
4197
4198			sctphdr->src_port = src_port;
4199			sctphdr->dest_port = dest_port;
4200			sctphdr->v_tag = v_tag;
4201			sctphdr->checksum = 0;
4202
4203			/*
4204			 * If source address selection fails and we find no
4205			 * route then the ip_output should fail as well with
4206			 * a NO_ROUTE_TO_HOST type error. We probably should
4207			 * catch that somewhere and abort the association
4208			 * right away (assuming this is an INIT being sent).
4209			 */
4210			if (ro->ro_rt == NULL) {
4211				/*
4212				 * src addr selection failed to find a route
4213				 * (or valid source addr), so we can't get
4214				 * there from here (yet)!
4215				 */
4216				sctp_handle_no_route(stcb, net, so_locked);
4217				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4218				sctp_m_freem(m);
4219				return (EHOSTUNREACH);
4220			}
4221			if (ro != &iproute) {
4222				memcpy(&iproute, ro, sizeof(*ro));
4223			}
4224			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv4 output routine from low level src addr:%x\n",
4225			    (uint32_t) (ntohl(ip->ip_src.s_addr)));
4226			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Destination is %x\n",
4227			    (uint32_t) (ntohl(ip->ip_dst.s_addr)));
4228			SCTPDBG(SCTP_DEBUG_OUTPUT3, "RTP route is %p through\n",
4229			    (void *)ro->ro_rt);
4230
4231			if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4232				/* failed to prepend data, give up */
4233				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4234				sctp_m_freem(m);
4235				return (ENOMEM);
4236			}
4237			SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4238			if (port) {
4239#if defined(SCTP_WITH_NO_CSUM)
4240				SCTP_STAT_INCR(sctps_sendnocrc);
4241#else
4242				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip) + sizeof(struct udphdr));
4243				SCTP_STAT_INCR(sctps_sendswcrc);
4244#endif
4245				if (V_udp_cksum) {
4246					SCTP_ENABLE_UDP_CSUM(o_pak);
4247				}
4248			} else {
4249#if defined(SCTP_WITH_NO_CSUM)
4250				SCTP_STAT_INCR(sctps_sendnocrc);
4251#else
4252				m->m_pkthdr.csum_flags = CSUM_SCTP;
4253				m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4254				SCTP_STAT_INCR(sctps_sendhwcrc);
4255#endif
4256			}
4257#ifdef SCTP_PACKET_LOGGING
4258			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4259				sctp_packet_log(o_pak);
4260#endif
4261			/* send it out.  table id is taken from stcb */
4262#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4263			if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4264				so = SCTP_INP_SO(inp);
4265				SCTP_SOCKET_UNLOCK(so, 0);
4266			}
4267#endif
4268			SCTP_IP_OUTPUT(ret, o_pak, ro, stcb, vrf_id);
4269#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4270			if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4271				atomic_add_int(&stcb->asoc.refcnt, 1);
4272				SCTP_TCB_UNLOCK(stcb);
4273				SCTP_SOCKET_LOCK(so, 0);
4274				SCTP_TCB_LOCK(stcb);
4275				atomic_subtract_int(&stcb->asoc.refcnt, 1);
4276			}
4277#endif
4278			SCTP_STAT_INCR(sctps_sendpackets);
4279			SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4280			if (ret)
4281				SCTP_STAT_INCR(sctps_senderrors);
4282
4283			SCTPDBG(SCTP_DEBUG_OUTPUT3, "IP output returns %d\n", ret);
4284			if (net == NULL) {
4285				/* free tempy routes */
4286				RO_RTFREE(ro);
4287			} else {
4288				/*
4289				 * PMTU check versus smallest asoc MTU goes
4290				 * here
4291				 */
4292				if ((ro->ro_rt != NULL) &&
4293				    (net->ro._s_addr)) {
4294					uint32_t mtu;
4295
4296					mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4297					if (net->port) {
4298						mtu -= sizeof(struct udphdr);
4299					}
4300					if (mtu && (stcb->asoc.smallest_mtu > mtu)) {
4301						sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4302						net->mtu = mtu;
4303					}
4304				} else if (ro->ro_rt == NULL) {
4305					/* route was freed */
4306					if (net->ro._s_addr &&
4307					    net->src_addr_selected) {
4308						sctp_free_ifa(net->ro._s_addr);
4309						net->ro._s_addr = NULL;
4310					}
4311					net->src_addr_selected = 0;
4312				}
4313			}
4314			return (ret);
4315		}
4316#endif
4317#ifdef INET6
4318	case AF_INET6:
4319		{
4320			uint32_t flowlabel, flowinfo;
4321			struct ip6_hdr *ip6h;
4322			struct route_in6 ip6route;
4323			struct ifnet *ifp;
4324			struct sockaddr_in6 *sin6, tmp, *lsa6, lsa6_tmp;
4325			int prev_scope = 0;
4326			struct sockaddr_in6 lsa6_storage;
4327			int error;
4328			u_short prev_port = 0;
4329			int len;
4330
4331			if (net) {
4332				flowlabel = net->flowlabel;
4333			} else if (stcb) {
4334				flowlabel = stcb->asoc.default_flowlabel;
4335			} else {
4336				flowlabel = inp->sctp_ep.default_flowlabel;
4337			}
4338			if (flowlabel == 0) {
4339				/*
4340				 * This means especially, that it is not set
4341				 * at the SCTP layer. So use the value from
4342				 * the IP layer.
4343				 */
4344				flowlabel = ntohl(((struct in6pcb *)inp)->in6p_flowinfo);
4345			}
4346			flowlabel &= 0x000fffff;
4347			len = SCTP_MIN_OVERHEAD;
4348			if (port) {
4349				len += sizeof(struct udphdr);
4350			}
4351			newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4352			if (newm == NULL) {
4353				sctp_m_freem(m);
4354				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4355				return (ENOMEM);
4356			}
4357			SCTP_ALIGN_TO_END(newm, len);
4358			SCTP_BUF_LEN(newm) = len;
4359			SCTP_BUF_NEXT(newm) = m;
4360			m = newm;
4361			if (net != NULL) {
4362				m->m_pkthdr.flowid = net->flowid;
4363				M_HASHTYPE_SET(m, net->flowtype);
4364			} else {
4365				m->m_pkthdr.flowid = mflowid;
4366				M_HASHTYPE_SET(m, mflowtype);
4367			}
4368			packet_length = sctp_calculate_len(m);
4369
4370			ip6h = mtod(m, struct ip6_hdr *);
4371			/* protect *sin6 from overwrite */
4372			sin6 = (struct sockaddr_in6 *)to;
4373			tmp = *sin6;
4374			sin6 = &tmp;
4375
4376			/* KAME hack: embed scopeid */
4377			if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
4378				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4379				return (EINVAL);
4380			}
4381			if (net == NULL) {
4382				memset(&ip6route, 0, sizeof(ip6route));
4383				ro = (sctp_route_t *) & ip6route;
4384				memcpy(&ro->ro_dst, sin6, sin6->sin6_len);
4385			} else {
4386				ro = (sctp_route_t *) & net->ro;
4387			}
4388			/*
4389			 * We assume here that inp_flow is in host byte
4390			 * order within the TCB!
4391			 */
4392			if (tos_value == 0) {
4393				/*
4394				 * This means especially, that it is not set
4395				 * at the SCTP layer. So use the value from
4396				 * the IP layer.
4397				 */
4398				tos_value = (ntohl(((struct in6pcb *)inp)->in6p_flowinfo) >> 20) & 0xff;
4399			}
4400			tos_value &= 0xfc;
4401			if (ecn_ok) {
4402				tos_value |= sctp_get_ect(stcb);
4403			}
4404			flowinfo = 0x06;
4405			flowinfo <<= 8;
4406			flowinfo |= tos_value;
4407			flowinfo <<= 20;
4408			flowinfo |= flowlabel;
4409			ip6h->ip6_flow = htonl(flowinfo);
4410			if (port) {
4411				ip6h->ip6_nxt = IPPROTO_UDP;
4412			} else {
4413				ip6h->ip6_nxt = IPPROTO_SCTP;
4414			}
4415			ip6h->ip6_plen = (packet_length - sizeof(struct ip6_hdr));
4416			ip6h->ip6_dst = sin6->sin6_addr;
4417
4418			/*
4419			 * Add SRC address selection here: we can only reuse
4420			 * to a limited degree the kame src-addr-sel, since
4421			 * we can try their selection but it may not be
4422			 * bound.
4423			 */
4424			bzero(&lsa6_tmp, sizeof(lsa6_tmp));
4425			lsa6_tmp.sin6_family = AF_INET6;
4426			lsa6_tmp.sin6_len = sizeof(lsa6_tmp);
4427			lsa6 = &lsa6_tmp;
4428			if (net && out_of_asoc_ok == 0) {
4429				if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
4430					sctp_free_ifa(net->ro._s_addr);
4431					net->ro._s_addr = NULL;
4432					net->src_addr_selected = 0;
4433					if (ro->ro_rt) {
4434						RTFREE(ro->ro_rt);
4435						ro->ro_rt = NULL;
4436					}
4437				}
4438				if (net->src_addr_selected == 0) {
4439					sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4440					/* KAME hack: embed scopeid */
4441					if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
4442						SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4443						return (EINVAL);
4444					}
4445					/* Cache the source address */
4446					net->ro._s_addr = sctp_source_address_selection(inp,
4447					    stcb,
4448					    ro,
4449					    net,
4450					    0,
4451					    vrf_id);
4452					(void)sa6_recoverscope(sin6);
4453					net->src_addr_selected = 1;
4454				}
4455				if (net->ro._s_addr == NULL) {
4456					SCTPDBG(SCTP_DEBUG_OUTPUT3, "V6:No route to host\n");
4457					net->src_addr_selected = 0;
4458					sctp_handle_no_route(stcb, net, so_locked);
4459					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4460					sctp_m_freem(m);
4461					return (EHOSTUNREACH);
4462				}
4463				lsa6->sin6_addr = net->ro._s_addr->address.sin6.sin6_addr;
4464			} else {
4465				sin6 = (struct sockaddr_in6 *)&ro->ro_dst;
4466				/* KAME hack: embed scopeid */
4467				if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
4468					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4469					return (EINVAL);
4470				}
4471				if (over_addr == NULL) {
4472					struct sctp_ifa *_lsrc;
4473
4474					_lsrc = sctp_source_address_selection(inp, stcb, ro,
4475					    net,
4476					    out_of_asoc_ok,
4477					    vrf_id);
4478					if (_lsrc == NULL) {
4479						sctp_handle_no_route(stcb, net, so_locked);
4480						SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4481						sctp_m_freem(m);
4482						return (EHOSTUNREACH);
4483					}
4484					lsa6->sin6_addr = _lsrc->address.sin6.sin6_addr;
4485					sctp_free_ifa(_lsrc);
4486				} else {
4487					lsa6->sin6_addr = over_addr->sin6.sin6_addr;
4488					SCTP_RTALLOC(ro, vrf_id, inp->fibnum);
4489				}
4490				(void)sa6_recoverscope(sin6);
4491			}
4492			lsa6->sin6_port = inp->sctp_lport;
4493
4494			if (ro->ro_rt == NULL) {
4495				/*
4496				 * src addr selection failed to find a route
4497				 * (or valid source addr), so we can't get
4498				 * there from here!
4499				 */
4500				sctp_handle_no_route(stcb, net, so_locked);
4501				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4502				sctp_m_freem(m);
4503				return (EHOSTUNREACH);
4504			}
4505			/*
4506			 * XXX: sa6 may not have a valid sin6_scope_id in
4507			 * the non-SCOPEDROUTING case.
4508			 */
4509			bzero(&lsa6_storage, sizeof(lsa6_storage));
4510			lsa6_storage.sin6_family = AF_INET6;
4511			lsa6_storage.sin6_len = sizeof(lsa6_storage);
4512			lsa6_storage.sin6_addr = lsa6->sin6_addr;
4513			if ((error = sa6_recoverscope(&lsa6_storage)) != 0) {
4514				SCTPDBG(SCTP_DEBUG_OUTPUT3, "recover scope fails error %d\n", error);
4515				sctp_m_freem(m);
4516				return (error);
4517			}
4518			/* XXX */
4519			lsa6_storage.sin6_addr = lsa6->sin6_addr;
4520			lsa6_storage.sin6_port = inp->sctp_lport;
4521			lsa6 = &lsa6_storage;
4522			ip6h->ip6_src = lsa6->sin6_addr;
4523
4524			if (port) {
4525				if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4526					sctp_handle_no_route(stcb, net, so_locked);
4527					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4528					sctp_m_freem(m);
4529					return (EHOSTUNREACH);
4530				}
4531				udp = (struct udphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4532				udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4533				udp->uh_dport = port;
4534				udp->uh_ulen = htons(packet_length - sizeof(struct ip6_hdr));
4535				udp->uh_sum = 0;
4536				sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4537			} else {
4538				sctphdr = (struct sctphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4539			}
4540
4541			sctphdr->src_port = src_port;
4542			sctphdr->dest_port = dest_port;
4543			sctphdr->v_tag = v_tag;
4544			sctphdr->checksum = 0;
4545
4546			/*
4547			 * We set the hop limit now since there is a good
4548			 * chance that our ro pointer is now filled
4549			 */
4550			ip6h->ip6_hlim = SCTP_GET_HLIM(inp, ro);
4551			ifp = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
4552
4553#ifdef SCTP_DEBUG
4554			/* Copy to be sure something bad is not happening */
4555			sin6->sin6_addr = ip6h->ip6_dst;
4556			lsa6->sin6_addr = ip6h->ip6_src;
4557#endif
4558
4559			SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv6 output routine from low level\n");
4560			SCTPDBG(SCTP_DEBUG_OUTPUT3, "src: ");
4561			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)lsa6);
4562			SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst: ");
4563			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)sin6);
4564			if (net) {
4565				sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4566				/*
4567				 * preserve the port and scope for link
4568				 * local send
4569				 */
4570				prev_scope = sin6->sin6_scope_id;
4571				prev_port = sin6->sin6_port;
4572			}
4573			if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4574				/* failed to prepend data, give up */
4575				sctp_m_freem(m);
4576				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4577				return (ENOMEM);
4578			}
4579			SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4580			if (port) {
4581#if defined(SCTP_WITH_NO_CSUM)
4582				SCTP_STAT_INCR(sctps_sendnocrc);
4583#else
4584				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
4585				SCTP_STAT_INCR(sctps_sendswcrc);
4586#endif
4587				if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), packet_length - sizeof(struct ip6_hdr))) == 0) {
4588					udp->uh_sum = 0xffff;
4589				}
4590			} else {
4591#if defined(SCTP_WITH_NO_CSUM)
4592				SCTP_STAT_INCR(sctps_sendnocrc);
4593#else
4594				m->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
4595				m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4596				SCTP_STAT_INCR(sctps_sendhwcrc);
4597#endif
4598			}
4599			/* send it out. table id is taken from stcb */
4600#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4601			if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4602				so = SCTP_INP_SO(inp);
4603				SCTP_SOCKET_UNLOCK(so, 0);
4604			}
4605#endif
4606#ifdef SCTP_PACKET_LOGGING
4607			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4608				sctp_packet_log(o_pak);
4609#endif
4610			SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, &ifp, stcb, vrf_id);
4611#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4612			if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4613				atomic_add_int(&stcb->asoc.refcnt, 1);
4614				SCTP_TCB_UNLOCK(stcb);
4615				SCTP_SOCKET_LOCK(so, 0);
4616				SCTP_TCB_LOCK(stcb);
4617				atomic_subtract_int(&stcb->asoc.refcnt, 1);
4618			}
4619#endif
4620			if (net) {
4621				/* for link local this must be done */
4622				sin6->sin6_scope_id = prev_scope;
4623				sin6->sin6_port = prev_port;
4624			}
4625			SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
4626			SCTP_STAT_INCR(sctps_sendpackets);
4627			SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4628			if (ret) {
4629				SCTP_STAT_INCR(sctps_senderrors);
4630			}
4631			if (net == NULL) {
4632				/* Now if we had a temp route free it */
4633				RO_RTFREE(ro);
4634			} else {
4635				/*
4636				 * PMTU check versus smallest asoc MTU goes
4637				 * here
4638				 */
4639				if (ro->ro_rt == NULL) {
4640					/* Route was freed */
4641					if (net->ro._s_addr &&
4642					    net->src_addr_selected) {
4643						sctp_free_ifa(net->ro._s_addr);
4644						net->ro._s_addr = NULL;
4645					}
4646					net->src_addr_selected = 0;
4647				}
4648				if ((ro->ro_rt != NULL) &&
4649				    (net->ro._s_addr)) {
4650					uint32_t mtu;
4651
4652					mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4653					if (mtu &&
4654					    (stcb->asoc.smallest_mtu > mtu)) {
4655						sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4656						net->mtu = mtu;
4657						if (net->port) {
4658							net->mtu -= sizeof(struct udphdr);
4659						}
4660					}
4661				} else if (ifp) {
4662					if (ND_IFINFO(ifp)->linkmtu &&
4663					    (stcb->asoc.smallest_mtu > ND_IFINFO(ifp)->linkmtu)) {
4664						sctp_mtu_size_reset(inp,
4665						    &stcb->asoc,
4666						    ND_IFINFO(ifp)->linkmtu);
4667					}
4668				}
4669			}
4670			return (ret);
4671		}
4672#endif
4673	default:
4674		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
4675		    ((struct sockaddr *)to)->sa_family);
4676		sctp_m_freem(m);
4677		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4678		return (EFAULT);
4679	}
4680}
4681
4682
4683void
4684sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked
4685#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
4686    SCTP_UNUSED
4687#endif
4688)
4689{
4690	struct mbuf *m, *m_last;
4691	struct sctp_nets *net;
4692	struct sctp_init_chunk *init;
4693	struct sctp_supported_addr_param *sup_addr;
4694	struct sctp_adaptation_layer_indication *ali;
4695	struct sctp_supported_chunk_types_param *pr_supported;
4696	struct sctp_paramhdr *ph;
4697	int cnt_inits_to = 0;
4698	int ret;
4699	uint16_t num_ext, chunk_len, padding_len, parameter_len;
4700
4701	/* INIT's always go to the primary (and usually ONLY address) */
4702	net = stcb->asoc.primary_destination;
4703	if (net == NULL) {
4704		net = TAILQ_FIRST(&stcb->asoc.nets);
4705		if (net == NULL) {
4706			/* TSNH */
4707			return;
4708		}
4709		/* we confirm any address we send an INIT to */
4710		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4711		(void)sctp_set_primary_addr(stcb, NULL, net);
4712	} else {
4713		/* we confirm any address we send an INIT to */
4714		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4715	}
4716	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT\n");
4717#ifdef INET6
4718	if (net->ro._l_addr.sa.sa_family == AF_INET6) {
4719		/*
4720		 * special hook, if we are sending to link local it will not
4721		 * show up in our private address count.
4722		 */
4723		if (IN6_IS_ADDR_LINKLOCAL(&net->ro._l_addr.sin6.sin6_addr))
4724			cnt_inits_to = 1;
4725	}
4726#endif
4727	if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4728		/* This case should not happen */
4729		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - failed timer?\n");
4730		return;
4731	}
4732	/* start the INIT timer */
4733	sctp_timer_start(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
4734
4735	m = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_NOWAIT, 1, MT_DATA);
4736	if (m == NULL) {
4737		/* No memory, INIT timer will re-attempt. */
4738		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - mbuf?\n");
4739		return;
4740	}
4741	chunk_len = (uint16_t) sizeof(struct sctp_init_chunk);
4742	padding_len = 0;
4743	/* Now lets put the chunk header in place */
4744	init = mtod(m, struct sctp_init_chunk *);
4745	/* now the chunk header */
4746	init->ch.chunk_type = SCTP_INITIATION;
4747	init->ch.chunk_flags = 0;
4748	/* fill in later from mbuf we build */
4749	init->ch.chunk_length = 0;
4750	/* place in my tag */
4751	init->init.initiate_tag = htonl(stcb->asoc.my_vtag);
4752	/* set up some of the credits. */
4753	init->init.a_rwnd = htonl(max(inp->sctp_socket ? SCTP_SB_LIMIT_RCV(inp->sctp_socket) : 0,
4754	    SCTP_MINIMAL_RWND));
4755	init->init.num_outbound_streams = htons(stcb->asoc.pre_open_streams);
4756	init->init.num_inbound_streams = htons(stcb->asoc.max_inbound_streams);
4757	init->init.initial_tsn = htonl(stcb->asoc.init_seq_number);
4758
4759	/* Adaptation layer indication parameter */
4760	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
4761		parameter_len = (uint16_t) sizeof(struct sctp_adaptation_layer_indication);
4762		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t)+chunk_len);
4763		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
4764		ali->ph.param_length = htons(parameter_len);
4765		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
4766		chunk_len += parameter_len;
4767	}
4768	/* ECN parameter */
4769	if (stcb->asoc.ecn_supported == 1) {
4770		parameter_len = (uint16_t) sizeof(struct sctp_paramhdr);
4771		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
4772		ph->param_type = htons(SCTP_ECN_CAPABLE);
4773		ph->param_length = htons(parameter_len);
4774		chunk_len += parameter_len;
4775	}
4776	/* PR-SCTP supported parameter */
4777	if (stcb->asoc.prsctp_supported == 1) {
4778		parameter_len = (uint16_t) sizeof(struct sctp_paramhdr);
4779		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
4780		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
4781		ph->param_length = htons(parameter_len);
4782		chunk_len += parameter_len;
4783	}
4784	/* Add NAT friendly parameter. */
4785	if (SCTP_BASE_SYSCTL(sctp_inits_include_nat_friendly)) {
4786		parameter_len = (uint16_t) sizeof(struct sctp_paramhdr);
4787		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
4788		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
4789		ph->param_length = htons(parameter_len);
4790		chunk_len += parameter_len;
4791	}
4792	/* And now tell the peer which extensions we support */
4793	num_ext = 0;
4794	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t)+chunk_len);
4795	if (stcb->asoc.prsctp_supported == 1) {
4796		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
4797	}
4798	if (stcb->asoc.auth_supported == 1) {
4799		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
4800	}
4801	if (stcb->asoc.asconf_supported == 1) {
4802		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
4803		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
4804	}
4805	if (stcb->asoc.reconfig_supported == 1) {
4806		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
4807	}
4808	if (stcb->asoc.nrsack_supported == 1) {
4809		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
4810	}
4811	if (stcb->asoc.pktdrop_supported == 1) {
4812		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
4813	}
4814	if (num_ext > 0) {
4815		parameter_len = (uint16_t) sizeof(struct sctp_supported_chunk_types_param) + num_ext;
4816		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
4817		pr_supported->ph.param_length = htons(parameter_len);
4818		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4819		chunk_len += parameter_len;
4820	}
4821	/* add authentication parameters */
4822	if (stcb->asoc.auth_supported) {
4823		/* attach RANDOM parameter, if available */
4824		if (stcb->asoc.authinfo.random != NULL) {
4825			struct sctp_auth_random *randp;
4826
4827			if (padding_len > 0) {
4828				memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4829				chunk_len += padding_len;
4830				padding_len = 0;
4831			}
4832			randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+chunk_len);
4833			parameter_len = (uint16_t) sizeof(struct sctp_auth_random) + stcb->asoc.authinfo.random_len;
4834			/* random key already contains the header */
4835			memcpy(randp, stcb->asoc.authinfo.random->key, parameter_len);
4836			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4837			chunk_len += parameter_len;
4838		}
4839		/* add HMAC_ALGO parameter */
4840		if (stcb->asoc.local_hmacs != NULL) {
4841			struct sctp_auth_hmac_algo *hmacs;
4842
4843			if (padding_len > 0) {
4844				memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4845				chunk_len += padding_len;
4846				padding_len = 0;
4847			}
4848			hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+chunk_len);
4849			parameter_len = (uint16_t) (sizeof(struct sctp_auth_hmac_algo) +
4850			    stcb->asoc.local_hmacs->num_algo * sizeof(uint16_t));
4851			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
4852			hmacs->ph.param_length = htons(parameter_len);
4853			sctp_serialize_hmaclist(stcb->asoc.local_hmacs, (uint8_t *) hmacs->hmac_ids);
4854			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4855			chunk_len += parameter_len;
4856		}
4857		/* add CHUNKS parameter */
4858		if (stcb->asoc.local_auth_chunks != NULL) {
4859			struct sctp_auth_chunk_list *chunks;
4860
4861			if (padding_len > 0) {
4862				memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4863				chunk_len += padding_len;
4864				padding_len = 0;
4865			}
4866			chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+chunk_len);
4867			parameter_len = (uint16_t) (sizeof(struct sctp_auth_chunk_list) +
4868			    sctp_auth_get_chklist_size(stcb->asoc.local_auth_chunks));
4869			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
4870			chunks->ph.param_length = htons(parameter_len);
4871			sctp_serialize_auth_chunks(stcb->asoc.local_auth_chunks, chunks->chunk_types);
4872			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
4873			chunk_len += parameter_len;
4874		}
4875	}
4876	/* now any cookie time extensions */
4877	if (stcb->asoc.cookie_preserve_req) {
4878		struct sctp_cookie_perserve_param *cookie_preserve;
4879
4880		if (padding_len > 0) {
4881			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4882			chunk_len += padding_len;
4883			padding_len = 0;
4884		}
4885		parameter_len = (uint16_t) sizeof(struct sctp_cookie_perserve_param);
4886		cookie_preserve = (struct sctp_cookie_perserve_param *)(mtod(m, caddr_t)+chunk_len);
4887		cookie_preserve->ph.param_type = htons(SCTP_COOKIE_PRESERVE);
4888		cookie_preserve->ph.param_length = htons(parameter_len);
4889		cookie_preserve->time = htonl(stcb->asoc.cookie_preserve_req);
4890		stcb->asoc.cookie_preserve_req = 0;
4891		chunk_len += parameter_len;
4892	}
4893	if (stcb->asoc.scope.ipv4_addr_legal || stcb->asoc.scope.ipv6_addr_legal) {
4894		uint8_t i;
4895
4896		if (padding_len > 0) {
4897			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
4898			chunk_len += padding_len;
4899			padding_len = 0;
4900		}
4901		parameter_len = (uint16_t) sizeof(struct sctp_paramhdr);
4902		if (stcb->asoc.scope.ipv4_addr_legal) {
4903			parameter_len += (uint16_t) sizeof(uint16_t);
4904		}
4905		if (stcb->asoc.scope.ipv6_addr_legal) {
4906			parameter_len += (uint16_t) sizeof(uint16_t);
4907		}
4908		sup_addr = (struct sctp_supported_addr_param *)(mtod(m, caddr_t)+chunk_len);
4909		sup_addr->ph.param_type = htons(SCTP_SUPPORTED_ADDRTYPE);
4910		sup_addr->ph.param_length = htons(parameter_len);
4911		i = 0;
4912		if (stcb->asoc.scope.ipv4_addr_legal) {
4913			sup_addr->addr_type[i++] = htons(SCTP_IPV4_ADDRESS);
4914		}
4915		if (stcb->asoc.scope.ipv6_addr_legal) {
4916			sup_addr->addr_type[i++] = htons(SCTP_IPV6_ADDRESS);
4917		}
4918		padding_len = 4 - 2 * i;
4919		chunk_len += parameter_len;
4920	}
4921	SCTP_BUF_LEN(m) = chunk_len;
4922	/* now the addresses */
4923	/*
4924	 * To optimize this we could put the scoping stuff into a structure
4925	 * and remove the individual uint8's from the assoc structure. Then
4926	 * we could just sifa in the address within the stcb. But for now
4927	 * this is a quick hack to get the address stuff teased apart.
4928	 */
4929	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &stcb->asoc.scope,
4930	    m, cnt_inits_to,
4931	    &padding_len, &chunk_len);
4932
4933	init->ch.chunk_length = htons(chunk_len);
4934	if (padding_len > 0) {
4935		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
4936			sctp_m_freem(m);
4937			return;
4938		}
4939	}
4940	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - calls lowlevel_output\n");
4941	ret = sctp_lowlevel_chunk_output(inp, stcb, net,
4942	    (struct sockaddr *)&net->ro._l_addr,
4943	    m, 0, NULL, 0, 0, 0, 0,
4944	    inp->sctp_lport, stcb->rport, htonl(0),
4945	    net->port, NULL,
4946	    0, 0,
4947	    so_locked);
4948	SCTPDBG(SCTP_DEBUG_OUTPUT4, "lowlevel_output - %d\n", ret);
4949	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
4950	(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
4951}
4952
4953struct mbuf *
4954sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
4955    int param_offset, int *abort_processing, struct sctp_chunkhdr *cp, int *nat_friendly)
4956{
4957	/*
4958	 * Given a mbuf containing an INIT or INIT-ACK with the param_offset
4959	 * being equal to the beginning of the params i.e. (iphlen +
4960	 * sizeof(struct sctp_init_msg) parse through the parameters to the
4961	 * end of the mbuf verifying that all parameters are known.
4962	 *
4963	 * For unknown parameters build and return a mbuf with
4964	 * UNRECOGNIZED_PARAMETER errors. If the flags indicate to stop
4965	 * processing this chunk stop, and set *abort_processing to 1.
4966	 *
4967	 * By having param_offset be pre-set to where parameters begin it is
4968	 * hoped that this routine may be reused in the future by new
4969	 * features.
4970	 */
4971	struct sctp_paramhdr *phdr, params;
4972
4973	struct mbuf *mat, *op_err;
4974	char tempbuf[SCTP_PARAM_BUFFER_SIZE];
4975	int at, limit, pad_needed;
4976	uint16_t ptype, plen, padded_size;
4977	int err_at;
4978
4979	*abort_processing = 0;
4980	mat = in_initpkt;
4981	err_at = 0;
4982	limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
4983	at = param_offset;
4984	op_err = NULL;
4985	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
4986	phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
4987	while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
4988		ptype = ntohs(phdr->param_type);
4989		plen = ntohs(phdr->param_length);
4990		if ((plen > limit) || (plen < sizeof(struct sctp_paramhdr))) {
4991			/* wacked parameter */
4992			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error %d\n", plen);
4993			goto invalid_size;
4994		}
4995		limit -= SCTP_SIZE32(plen);
4996		/*-
4997		 * All parameters for all chunks that we know/understand are
4998		 * listed here. We process them other places and make
4999		 * appropriate stop actions per the upper bits. However this
5000		 * is the generic routine processor's can call to get back
5001		 * an operr.. to either incorporate (init-ack) or send.
5002		 */
5003		padded_size = SCTP_SIZE32(plen);
5004		switch (ptype) {
5005			/* Param's with variable size */
5006		case SCTP_HEARTBEAT_INFO:
5007		case SCTP_STATE_COOKIE:
5008		case SCTP_UNRECOG_PARAM:
5009		case SCTP_ERROR_CAUSE_IND:
5010			/* ok skip fwd */
5011			at += padded_size;
5012			break;
5013			/* Param's with variable size within a range */
5014		case SCTP_CHUNK_LIST:
5015		case SCTP_SUPPORTED_CHUNK_EXT:
5016			if (padded_size > (sizeof(struct sctp_supported_chunk_types_param) + (sizeof(uint8_t) * SCTP_MAX_SUPPORTED_EXT))) {
5017				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error chklist %d\n", plen);
5018				goto invalid_size;
5019			}
5020			at += padded_size;
5021			break;
5022		case SCTP_SUPPORTED_ADDRTYPE:
5023			if (padded_size > SCTP_MAX_ADDR_PARAMS_SIZE) {
5024				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error supaddrtype %d\n", plen);
5025				goto invalid_size;
5026			}
5027			at += padded_size;
5028			break;
5029		case SCTP_RANDOM:
5030			if (padded_size > (sizeof(struct sctp_auth_random) + SCTP_RANDOM_MAX_SIZE)) {
5031				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error random %d\n", plen);
5032				goto invalid_size;
5033			}
5034			at += padded_size;
5035			break;
5036		case SCTP_SET_PRIM_ADDR:
5037		case SCTP_DEL_IP_ADDRESS:
5038		case SCTP_ADD_IP_ADDRESS:
5039			if ((padded_size != sizeof(struct sctp_asconf_addrv4_param)) &&
5040			    (padded_size != sizeof(struct sctp_asconf_addr_param))) {
5041				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error setprim %d\n", plen);
5042				goto invalid_size;
5043			}
5044			at += padded_size;
5045			break;
5046			/* Param's with a fixed size */
5047		case SCTP_IPV4_ADDRESS:
5048			if (padded_size != sizeof(struct sctp_ipv4addr_param)) {
5049				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv4 addr %d\n", plen);
5050				goto invalid_size;
5051			}
5052			at += padded_size;
5053			break;
5054		case SCTP_IPV6_ADDRESS:
5055			if (padded_size != sizeof(struct sctp_ipv6addr_param)) {
5056				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv6 addr %d\n", plen);
5057				goto invalid_size;
5058			}
5059			at += padded_size;
5060			break;
5061		case SCTP_COOKIE_PRESERVE:
5062			if (padded_size != sizeof(struct sctp_cookie_perserve_param)) {
5063				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error cookie-preserve %d\n", plen);
5064				goto invalid_size;
5065			}
5066			at += padded_size;
5067			break;
5068		case SCTP_HAS_NAT_SUPPORT:
5069			*nat_friendly = 1;
5070			/* fall through */
5071		case SCTP_PRSCTP_SUPPORTED:
5072			if (padded_size != sizeof(struct sctp_paramhdr)) {
5073				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error prsctp/nat support %d\n", plen);
5074				goto invalid_size;
5075			}
5076			at += padded_size;
5077			break;
5078		case SCTP_ECN_CAPABLE:
5079			if (padded_size != sizeof(struct sctp_paramhdr)) {
5080				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ecn %d\n", plen);
5081				goto invalid_size;
5082			}
5083			at += padded_size;
5084			break;
5085		case SCTP_ULP_ADAPTATION:
5086			if (padded_size != sizeof(struct sctp_adaptation_layer_indication)) {
5087				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error adapatation %d\n", plen);
5088				goto invalid_size;
5089			}
5090			at += padded_size;
5091			break;
5092		case SCTP_SUCCESS_REPORT:
5093			if (padded_size != sizeof(struct sctp_asconf_paramhdr)) {
5094				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error success %d\n", plen);
5095				goto invalid_size;
5096			}
5097			at += padded_size;
5098			break;
5099		case SCTP_HOSTNAME_ADDRESS:
5100			{
5101				/* We can NOT handle HOST NAME addresses!! */
5102				int l_len;
5103
5104				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
5105				*abort_processing = 1;
5106				if (op_err == NULL) {
5107					/* Ok need to try to get a mbuf */
5108#ifdef INET6
5109					l_len = SCTP_MIN_OVERHEAD;
5110#else
5111					l_len = SCTP_MIN_V4_OVERHEAD;
5112#endif
5113					l_len += sizeof(struct sctp_chunkhdr);
5114					l_len += plen;
5115					l_len += sizeof(struct sctp_paramhdr);
5116					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5117					if (op_err) {
5118						SCTP_BUF_LEN(op_err) = 0;
5119						/*
5120						 * pre-reserve space for ip
5121						 * and sctp header  and
5122						 * chunk hdr
5123						 */
5124#ifdef INET6
5125						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5126#else
5127						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5128#endif
5129						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5130						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5131					}
5132				}
5133				if (op_err) {
5134					/* If we have space */
5135					struct sctp_paramhdr s;
5136
5137					if (err_at % 4) {
5138						uint32_t cpthis = 0;
5139
5140						pad_needed = 4 - (err_at % 4);
5141						m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
5142						err_at += pad_needed;
5143					}
5144					s.param_type = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
5145					s.param_length = htons(sizeof(s) + plen);
5146					m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
5147					err_at += sizeof(s);
5148					phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf), plen));
5149					if (phdr == NULL) {
5150						sctp_m_freem(op_err);
5151						/*
5152						 * we are out of memory but
5153						 * we still need to have a
5154						 * look at what to do (the
5155						 * system is in trouble
5156						 * though).
5157						 */
5158						return (NULL);
5159					}
5160					m_copyback(op_err, err_at, plen, (caddr_t)phdr);
5161				}
5162				return (op_err);
5163				break;
5164			}
5165		default:
5166			/*
5167			 * we do not recognize the parameter figure out what
5168			 * we do.
5169			 */
5170			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Hit default param %x\n", ptype);
5171			if ((ptype & 0x4000) == 0x4000) {
5172				/* Report bit is set?? */
5173				SCTPDBG(SCTP_DEBUG_OUTPUT1, "report op err\n");
5174				if (op_err == NULL) {
5175					int l_len;
5176
5177					/* Ok need to try to get an mbuf */
5178#ifdef INET6
5179					l_len = SCTP_MIN_OVERHEAD;
5180#else
5181					l_len = SCTP_MIN_V4_OVERHEAD;
5182#endif
5183					l_len += sizeof(struct sctp_chunkhdr);
5184					l_len += plen;
5185					l_len += sizeof(struct sctp_paramhdr);
5186					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5187					if (op_err) {
5188						SCTP_BUF_LEN(op_err) = 0;
5189#ifdef INET6
5190						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5191#else
5192						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5193#endif
5194						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5195						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5196					}
5197				}
5198				if (op_err) {
5199					/* If we have space */
5200					struct sctp_paramhdr s;
5201
5202					if (err_at % 4) {
5203						uint32_t cpthis = 0;
5204
5205						pad_needed = 4 - (err_at % 4);
5206						m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
5207						err_at += pad_needed;
5208					}
5209					s.param_type = htons(SCTP_UNRECOG_PARAM);
5210					s.param_length = htons(sizeof(s) + plen);
5211					m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
5212					err_at += sizeof(s);
5213					if (plen > sizeof(tempbuf)) {
5214						plen = sizeof(tempbuf);
5215					}
5216					phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf), plen));
5217					if (phdr == NULL) {
5218						sctp_m_freem(op_err);
5219						/*
5220						 * we are out of memory but
5221						 * we still need to have a
5222						 * look at what to do (the
5223						 * system is in trouble
5224						 * though).
5225						 */
5226						op_err = NULL;
5227						goto more_processing;
5228					}
5229					m_copyback(op_err, err_at, plen, (caddr_t)phdr);
5230					err_at += plen;
5231				}
5232			}
5233	more_processing:
5234			if ((ptype & 0x8000) == 0x0000) {
5235				SCTPDBG(SCTP_DEBUG_OUTPUT1, "stop proc\n");
5236				return (op_err);
5237			} else {
5238				/* skip this chunk and continue processing */
5239				SCTPDBG(SCTP_DEBUG_OUTPUT1, "move on\n");
5240				at += SCTP_SIZE32(plen);
5241			}
5242			break;
5243
5244		}
5245		phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
5246	}
5247	return (op_err);
5248invalid_size:
5249	SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
5250	*abort_processing = 1;
5251	if ((op_err == NULL) && phdr) {
5252		int l_len;
5253
5254#ifdef INET6
5255		l_len = SCTP_MIN_OVERHEAD;
5256#else
5257		l_len = SCTP_MIN_V4_OVERHEAD;
5258#endif
5259		l_len += sizeof(struct sctp_chunkhdr);
5260		l_len += (2 * sizeof(struct sctp_paramhdr));
5261		op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
5262		if (op_err) {
5263			SCTP_BUF_LEN(op_err) = 0;
5264#ifdef INET6
5265			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
5266#else
5267			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
5268#endif
5269			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
5270			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
5271		}
5272	}
5273	if ((op_err) && phdr) {
5274		struct sctp_paramhdr s;
5275
5276		if (err_at % 4) {
5277			uint32_t cpthis = 0;
5278
5279			pad_needed = 4 - (err_at % 4);
5280			m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
5281			err_at += pad_needed;
5282		}
5283		s.param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
5284		s.param_length = htons(sizeof(s) + sizeof(struct sctp_paramhdr));
5285		m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
5286		err_at += sizeof(s);
5287		/* Only copy back the p-hdr that caused the issue */
5288		m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)phdr);
5289	}
5290	return (op_err);
5291}
5292
5293static int
5294sctp_are_there_new_addresses(struct sctp_association *asoc,
5295    struct mbuf *in_initpkt, int offset, struct sockaddr *src)
5296{
5297	/*
5298	 * Given a INIT packet, look through the packet to verify that there
5299	 * are NO new addresses. As we go through the parameters add reports
5300	 * of any un-understood parameters that require an error.  Also we
5301	 * must return (1) to drop the packet if we see a un-understood
5302	 * parameter that tells us to drop the chunk.
5303	 */
5304	struct sockaddr *sa_touse;
5305	struct sockaddr *sa;
5306	struct sctp_paramhdr *phdr, params;
5307	uint16_t ptype, plen;
5308	uint8_t fnd;
5309	struct sctp_nets *net;
5310
5311#ifdef INET
5312	struct sockaddr_in sin4, *sa4;
5313
5314#endif
5315#ifdef INET6
5316	struct sockaddr_in6 sin6, *sa6;
5317
5318#endif
5319
5320#ifdef INET
5321	memset(&sin4, 0, sizeof(sin4));
5322	sin4.sin_family = AF_INET;
5323	sin4.sin_len = sizeof(sin4);
5324#endif
5325#ifdef INET6
5326	memset(&sin6, 0, sizeof(sin6));
5327	sin6.sin6_family = AF_INET6;
5328	sin6.sin6_len = sizeof(sin6);
5329#endif
5330	/* First what about the src address of the pkt ? */
5331	fnd = 0;
5332	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5333		sa = (struct sockaddr *)&net->ro._l_addr;
5334		if (sa->sa_family == src->sa_family) {
5335#ifdef INET
5336			if (sa->sa_family == AF_INET) {
5337				struct sockaddr_in *src4;
5338
5339				sa4 = (struct sockaddr_in *)sa;
5340				src4 = (struct sockaddr_in *)src;
5341				if (sa4->sin_addr.s_addr == src4->sin_addr.s_addr) {
5342					fnd = 1;
5343					break;
5344				}
5345			}
5346#endif
5347#ifdef INET6
5348			if (sa->sa_family == AF_INET6) {
5349				struct sockaddr_in6 *src6;
5350
5351				sa6 = (struct sockaddr_in6 *)sa;
5352				src6 = (struct sockaddr_in6 *)src;
5353				if (SCTP6_ARE_ADDR_EQUAL(sa6, src6)) {
5354					fnd = 1;
5355					break;
5356				}
5357			}
5358#endif
5359		}
5360	}
5361	if (fnd == 0) {
5362		/* New address added! no need to look futher. */
5363		return (1);
5364	}
5365	/* Ok so far lets munge through the rest of the packet */
5366	offset += sizeof(struct sctp_init_chunk);
5367	phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5368	while (phdr) {
5369		sa_touse = NULL;
5370		ptype = ntohs(phdr->param_type);
5371		plen = ntohs(phdr->param_length);
5372		switch (ptype) {
5373#ifdef INET
5374		case SCTP_IPV4_ADDRESS:
5375			{
5376				struct sctp_ipv4addr_param *p4, p4_buf;
5377
5378				phdr = sctp_get_next_param(in_initpkt, offset,
5379				    (struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf));
5380				if (plen != sizeof(struct sctp_ipv4addr_param) ||
5381				    phdr == NULL) {
5382					return (1);
5383				}
5384				p4 = (struct sctp_ipv4addr_param *)phdr;
5385				sin4.sin_addr.s_addr = p4->addr;
5386				sa_touse = (struct sockaddr *)&sin4;
5387				break;
5388			}
5389#endif
5390#ifdef INET6
5391		case SCTP_IPV6_ADDRESS:
5392			{
5393				struct sctp_ipv6addr_param *p6, p6_buf;
5394
5395				phdr = sctp_get_next_param(in_initpkt, offset,
5396				    (struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf));
5397				if (plen != sizeof(struct sctp_ipv6addr_param) ||
5398				    phdr == NULL) {
5399					return (1);
5400				}
5401				p6 = (struct sctp_ipv6addr_param *)phdr;
5402				memcpy((caddr_t)&sin6.sin6_addr, p6->addr,
5403				    sizeof(p6->addr));
5404				sa_touse = (struct sockaddr *)&sin6;
5405				break;
5406			}
5407#endif
5408		default:
5409			sa_touse = NULL;
5410			break;
5411		}
5412		if (sa_touse) {
5413			/* ok, sa_touse points to one to check */
5414			fnd = 0;
5415			TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5416				sa = (struct sockaddr *)&net->ro._l_addr;
5417				if (sa->sa_family != sa_touse->sa_family) {
5418					continue;
5419				}
5420#ifdef INET
5421				if (sa->sa_family == AF_INET) {
5422					sa4 = (struct sockaddr_in *)sa;
5423					if (sa4->sin_addr.s_addr ==
5424					    sin4.sin_addr.s_addr) {
5425						fnd = 1;
5426						break;
5427					}
5428				}
5429#endif
5430#ifdef INET6
5431				if (sa->sa_family == AF_INET6) {
5432					sa6 = (struct sockaddr_in6 *)sa;
5433					if (SCTP6_ARE_ADDR_EQUAL(
5434					    sa6, &sin6)) {
5435						fnd = 1;
5436						break;
5437					}
5438				}
5439#endif
5440			}
5441			if (!fnd) {
5442				/* New addr added! no need to look further */
5443				return (1);
5444			}
5445		}
5446		offset += SCTP_SIZE32(plen);
5447		phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5448	}
5449	return (0);
5450}
5451
5452/*
5453 * Given a MBUF chain that was sent into us containing an INIT. Build a
5454 * INIT-ACK with COOKIE and send back. We assume that the in_initpkt has done
5455 * a pullup to include IPv6/4header, SCTP header and initial part of INIT
5456 * message (i.e. the struct sctp_init_msg).
5457 */
5458void
5459sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
5460    struct mbuf *init_pkt, int iphlen, int offset,
5461    struct sockaddr *src, struct sockaddr *dst,
5462    struct sctphdr *sh, struct sctp_init_chunk *init_chk,
5463    uint8_t mflowtype, uint32_t mflowid,
5464    uint32_t vrf_id, uint16_t port, int hold_inp_lock)
5465{
5466	struct sctp_association *asoc;
5467	struct mbuf *m, *m_tmp, *m_last, *m_cookie, *op_err;
5468	struct sctp_init_ack_chunk *initack;
5469	struct sctp_adaptation_layer_indication *ali;
5470	struct sctp_supported_chunk_types_param *pr_supported;
5471	struct sctp_paramhdr *ph;
5472	union sctp_sockstore *over_addr;
5473	struct sctp_scoping scp;
5474
5475#ifdef INET
5476	struct sockaddr_in *dst4 = (struct sockaddr_in *)dst;
5477	struct sockaddr_in *src4 = (struct sockaddr_in *)src;
5478	struct sockaddr_in *sin;
5479
5480#endif
5481#ifdef INET6
5482	struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)dst;
5483	struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)src;
5484	struct sockaddr_in6 *sin6;
5485
5486#endif
5487	struct sockaddr *to;
5488	struct sctp_state_cookie stc;
5489	struct sctp_nets *net = NULL;
5490	uint8_t *signature = NULL;
5491	int cnt_inits_to = 0;
5492	uint16_t his_limit, i_want;
5493	int abort_flag;
5494	int nat_friendly = 0;
5495	struct socket *so;
5496	uint16_t num_ext, chunk_len, padding_len, parameter_len;
5497
5498	if (stcb) {
5499		asoc = &stcb->asoc;
5500	} else {
5501		asoc = NULL;
5502	}
5503	if ((asoc != NULL) &&
5504	    (SCTP_GET_STATE(asoc) != SCTP_STATE_COOKIE_WAIT) &&
5505	    (sctp_are_there_new_addresses(asoc, init_pkt, offset, src))) {
5506		/* new addresses, out of here in non-cookie-wait states */
5507		/*
5508		 * Send a ABORT, we don't add the new address error clause
5509		 * though we even set the T bit and copy in the 0 tag.. this
5510		 * looks no different than if no listener was present.
5511		 */
5512		op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5513		    "Address added");
5514		sctp_send_abort(init_pkt, iphlen, src, dst, sh, 0, op_err,
5515		    mflowtype, mflowid, inp->fibnum,
5516		    vrf_id, port);
5517		return;
5518	}
5519	abort_flag = 0;
5520	op_err = sctp_arethere_unrecognized_parameters(init_pkt,
5521	    (offset + sizeof(struct sctp_init_chunk)),
5522	    &abort_flag, (struct sctp_chunkhdr *)init_chk, &nat_friendly);
5523	if (abort_flag) {
5524do_a_abort:
5525		if (op_err == NULL) {
5526			char msg[SCTP_DIAG_INFO_LEN];
5527
5528			snprintf(msg, sizeof(msg), "%s:%d at %s", __FILE__, __LINE__, __func__);
5529			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5530			    msg);
5531		}
5532		sctp_send_abort(init_pkt, iphlen, src, dst, sh,
5533		    init_chk->init.initiate_tag, op_err,
5534		    mflowtype, mflowid, inp->fibnum,
5535		    vrf_id, port);
5536		return;
5537	}
5538	m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
5539	if (m == NULL) {
5540		/* No memory, INIT timer will re-attempt. */
5541		if (op_err)
5542			sctp_m_freem(op_err);
5543		return;
5544	}
5545	chunk_len = (uint16_t) sizeof(struct sctp_init_ack_chunk);
5546	padding_len = 0;
5547
5548	/*
5549	 * We might not overwrite the identification[] completely and on
5550	 * some platforms time_entered will contain some padding. Therefore
5551	 * zero out the cookie to avoid putting uninitialized memory on the
5552	 * wire.
5553	 */
5554	memset(&stc, 0, sizeof(struct sctp_state_cookie));
5555
5556	/* the time I built cookie */
5557	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
5558
5559	/* populate any tie tags */
5560	if (asoc != NULL) {
5561		/* unlock before tag selections */
5562		stc.tie_tag_my_vtag = asoc->my_vtag_nonce;
5563		stc.tie_tag_peer_vtag = asoc->peer_vtag_nonce;
5564		stc.cookie_life = asoc->cookie_life;
5565		net = asoc->primary_destination;
5566	} else {
5567		stc.tie_tag_my_vtag = 0;
5568		stc.tie_tag_peer_vtag = 0;
5569		/* life I will award this cookie */
5570		stc.cookie_life = inp->sctp_ep.def_cookie_life;
5571	}
5572
5573	/* copy in the ports for later check */
5574	stc.myport = sh->dest_port;
5575	stc.peerport = sh->src_port;
5576
5577	/*
5578	 * If we wanted to honor cookie life extentions, we would add to
5579	 * stc.cookie_life. For now we should NOT honor any extension
5580	 */
5581	stc.site_scope = stc.local_scope = stc.loopback_scope = 0;
5582	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
5583		stc.ipv6_addr_legal = 1;
5584		if (SCTP_IPV6_V6ONLY(inp)) {
5585			stc.ipv4_addr_legal = 0;
5586		} else {
5587			stc.ipv4_addr_legal = 1;
5588		}
5589	} else {
5590		stc.ipv6_addr_legal = 0;
5591		stc.ipv4_addr_legal = 1;
5592	}
5593	stc.ipv4_scope = 0;
5594	if (net == NULL) {
5595		to = src;
5596		switch (dst->sa_family) {
5597#ifdef INET
5598		case AF_INET:
5599			{
5600				/* lookup address */
5601				stc.address[0] = src4->sin_addr.s_addr;
5602				stc.address[1] = 0;
5603				stc.address[2] = 0;
5604				stc.address[3] = 0;
5605				stc.addr_type = SCTP_IPV4_ADDRESS;
5606				/* local from address */
5607				stc.laddress[0] = dst4->sin_addr.s_addr;
5608				stc.laddress[1] = 0;
5609				stc.laddress[2] = 0;
5610				stc.laddress[3] = 0;
5611				stc.laddr_type = SCTP_IPV4_ADDRESS;
5612				/* scope_id is only for v6 */
5613				stc.scope_id = 0;
5614				if ((IN4_ISPRIVATE_ADDRESS(&src4->sin_addr)) ||
5615				    (IN4_ISPRIVATE_ADDRESS(&dst4->sin_addr))) {
5616					stc.ipv4_scope = 1;
5617				}
5618				/* Must use the address in this case */
5619				if (sctp_is_address_on_local_host(src, vrf_id)) {
5620					stc.loopback_scope = 1;
5621					stc.ipv4_scope = 1;
5622					stc.site_scope = 1;
5623					stc.local_scope = 0;
5624				}
5625				break;
5626			}
5627#endif
5628#ifdef INET6
5629		case AF_INET6:
5630			{
5631				stc.addr_type = SCTP_IPV6_ADDRESS;
5632				memcpy(&stc.address, &src6->sin6_addr, sizeof(struct in6_addr));
5633				stc.scope_id = in6_getscope(&src6->sin6_addr);
5634				if (sctp_is_address_on_local_host(src, vrf_id)) {
5635					stc.loopback_scope = 1;
5636					stc.local_scope = 0;
5637					stc.site_scope = 1;
5638					stc.ipv4_scope = 1;
5639				} else if (IN6_IS_ADDR_LINKLOCAL(&src6->sin6_addr) ||
5640				    IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr)) {
5641					/*
5642					 * If the new destination or source
5643					 * is a LINK_LOCAL we must have
5644					 * common both site and local scope.
5645					 * Don't set local scope though
5646					 * since we must depend on the
5647					 * source to be added implicitly. We
5648					 * cannot assure just because we
5649					 * share one link that all links are
5650					 * common.
5651					 */
5652					stc.local_scope = 0;
5653					stc.site_scope = 1;
5654					stc.ipv4_scope = 1;
5655					/*
5656					 * we start counting for the private
5657					 * address stuff at 1. since the
5658					 * link local we source from won't
5659					 * show up in our scoped count.
5660					 */
5661					cnt_inits_to = 1;
5662					/*
5663					 * pull out the scope_id from
5664					 * incoming pkt
5665					 */
5666				} else if (IN6_IS_ADDR_SITELOCAL(&src6->sin6_addr) ||
5667				    IN6_IS_ADDR_SITELOCAL(&dst6->sin6_addr)) {
5668					/*
5669					 * If the new destination or source
5670					 * is SITE_LOCAL then we must have
5671					 * site scope in common.
5672					 */
5673					stc.site_scope = 1;
5674				}
5675				memcpy(&stc.laddress, &dst6->sin6_addr, sizeof(struct in6_addr));
5676				stc.laddr_type = SCTP_IPV6_ADDRESS;
5677				break;
5678			}
5679#endif
5680		default:
5681			/* TSNH */
5682			goto do_a_abort;
5683			break;
5684		}
5685	} else {
5686		/* set the scope per the existing tcb */
5687
5688#ifdef INET6
5689		struct sctp_nets *lnet;
5690
5691#endif
5692
5693		stc.loopback_scope = asoc->scope.loopback_scope;
5694		stc.ipv4_scope = asoc->scope.ipv4_local_scope;
5695		stc.site_scope = asoc->scope.site_scope;
5696		stc.local_scope = asoc->scope.local_scope;
5697#ifdef INET6
5698		/* Why do we not consider IPv4 LL addresses? */
5699		TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
5700			if (lnet->ro._l_addr.sin6.sin6_family == AF_INET6) {
5701				if (IN6_IS_ADDR_LINKLOCAL(&lnet->ro._l_addr.sin6.sin6_addr)) {
5702					/*
5703					 * if we have a LL address, start
5704					 * counting at 1.
5705					 */
5706					cnt_inits_to = 1;
5707				}
5708			}
5709		}
5710#endif
5711		/* use the net pointer */
5712		to = (struct sockaddr *)&net->ro._l_addr;
5713		switch (to->sa_family) {
5714#ifdef INET
5715		case AF_INET:
5716			sin = (struct sockaddr_in *)to;
5717			stc.address[0] = sin->sin_addr.s_addr;
5718			stc.address[1] = 0;
5719			stc.address[2] = 0;
5720			stc.address[3] = 0;
5721			stc.addr_type = SCTP_IPV4_ADDRESS;
5722			if (net->src_addr_selected == 0) {
5723				/*
5724				 * strange case here, the INIT should have
5725				 * did the selection.
5726				 */
5727				net->ro._s_addr = sctp_source_address_selection(inp,
5728				    stcb, (sctp_route_t *) & net->ro,
5729				    net, 0, vrf_id);
5730				if (net->ro._s_addr == NULL)
5731					return;
5732
5733				net->src_addr_selected = 1;
5734
5735			}
5736			stc.laddress[0] = net->ro._s_addr->address.sin.sin_addr.s_addr;
5737			stc.laddress[1] = 0;
5738			stc.laddress[2] = 0;
5739			stc.laddress[3] = 0;
5740			stc.laddr_type = SCTP_IPV4_ADDRESS;
5741			/* scope_id is only for v6 */
5742			stc.scope_id = 0;
5743			break;
5744#endif
5745#ifdef INET6
5746		case AF_INET6:
5747			sin6 = (struct sockaddr_in6 *)to;
5748			memcpy(&stc.address, &sin6->sin6_addr,
5749			    sizeof(struct in6_addr));
5750			stc.addr_type = SCTP_IPV6_ADDRESS;
5751			stc.scope_id = sin6->sin6_scope_id;
5752			if (net->src_addr_selected == 0) {
5753				/*
5754				 * strange case here, the INIT should have
5755				 * done the selection.
5756				 */
5757				net->ro._s_addr = sctp_source_address_selection(inp,
5758				    stcb, (sctp_route_t *) & net->ro,
5759				    net, 0, vrf_id);
5760				if (net->ro._s_addr == NULL)
5761					return;
5762
5763				net->src_addr_selected = 1;
5764			}
5765			memcpy(&stc.laddress, &net->ro._s_addr->address.sin6.sin6_addr,
5766			    sizeof(struct in6_addr));
5767			stc.laddr_type = SCTP_IPV6_ADDRESS;
5768			break;
5769#endif
5770		}
5771	}
5772	/* Now lets put the SCTP header in place */
5773	initack = mtod(m, struct sctp_init_ack_chunk *);
5774	/* Save it off for quick ref */
5775	stc.peers_vtag = init_chk->init.initiate_tag;
5776	/* who are we */
5777	memcpy(stc.identification, SCTP_VERSION_STRING,
5778	    min(strlen(SCTP_VERSION_STRING), sizeof(stc.identification)));
5779	memset(stc.reserved, 0, SCTP_RESERVE_SPACE);
5780	/* now the chunk header */
5781	initack->ch.chunk_type = SCTP_INITIATION_ACK;
5782	initack->ch.chunk_flags = 0;
5783	/* fill in later from mbuf we build */
5784	initack->ch.chunk_length = 0;
5785	/* place in my tag */
5786	if ((asoc != NULL) &&
5787	    ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
5788	    (SCTP_GET_STATE(asoc) == SCTP_STATE_INUSE) ||
5789	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED))) {
5790		/* re-use the v-tags and init-seq here */
5791		initack->init.initiate_tag = htonl(asoc->my_vtag);
5792		initack->init.initial_tsn = htonl(asoc->init_seq_number);
5793	} else {
5794		uint32_t vtag, itsn;
5795
5796		if (hold_inp_lock) {
5797			SCTP_INP_INCR_REF(inp);
5798			SCTP_INP_RUNLOCK(inp);
5799		}
5800		if (asoc) {
5801			atomic_add_int(&asoc->refcnt, 1);
5802			SCTP_TCB_UNLOCK(stcb);
5803	new_tag:
5804			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5805			if ((asoc->peer_supports_nat) && (vtag == asoc->my_vtag)) {
5806				/*
5807				 * Got a duplicate vtag on some guy behind a
5808				 * nat make sure we don't use it.
5809				 */
5810				goto new_tag;
5811			}
5812			initack->init.initiate_tag = htonl(vtag);
5813			/* get a TSN to use too */
5814			itsn = sctp_select_initial_TSN(&inp->sctp_ep);
5815			initack->init.initial_tsn = htonl(itsn);
5816			SCTP_TCB_LOCK(stcb);
5817			atomic_add_int(&asoc->refcnt, -1);
5818		} else {
5819			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5820			initack->init.initiate_tag = htonl(vtag);
5821			/* get a TSN to use too */
5822			initack->init.initial_tsn = htonl(sctp_select_initial_TSN(&inp->sctp_ep));
5823		}
5824		if (hold_inp_lock) {
5825			SCTP_INP_RLOCK(inp);
5826			SCTP_INP_DECR_REF(inp);
5827		}
5828	}
5829	/* save away my tag to */
5830	stc.my_vtag = initack->init.initiate_tag;
5831
5832	/* set up some of the credits. */
5833	so = inp->sctp_socket;
5834	if (so == NULL) {
5835		/* memory problem */
5836		sctp_m_freem(m);
5837		return;
5838	} else {
5839		initack->init.a_rwnd = htonl(max(SCTP_SB_LIMIT_RCV(so), SCTP_MINIMAL_RWND));
5840	}
5841	/* set what I want */
5842	his_limit = ntohs(init_chk->init.num_inbound_streams);
5843	/* choose what I want */
5844	if (asoc != NULL) {
5845		if (asoc->streamoutcnt > asoc->pre_open_streams) {
5846			i_want = asoc->streamoutcnt;
5847		} else {
5848			i_want = asoc->pre_open_streams;
5849		}
5850	} else {
5851		i_want = inp->sctp_ep.pre_open_stream_count;
5852	}
5853	if (his_limit < i_want) {
5854		/* I Want more :< */
5855		initack->init.num_outbound_streams = init_chk->init.num_inbound_streams;
5856	} else {
5857		/* I can have what I want :> */
5858		initack->init.num_outbound_streams = htons(i_want);
5859	}
5860	/* tell him his limit. */
5861	initack->init.num_inbound_streams =
5862	    htons(inp->sctp_ep.max_open_streams_intome);
5863
5864	/* adaptation layer indication parameter */
5865	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
5866		parameter_len = (uint16_t) sizeof(struct sctp_adaptation_layer_indication);
5867		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t)+chunk_len);
5868		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
5869		ali->ph.param_length = htons(parameter_len);
5870		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
5871		chunk_len += parameter_len;
5872	}
5873	/* ECN parameter */
5874	if (((asoc != NULL) && (asoc->ecn_supported == 1)) ||
5875	    ((asoc == NULL) && (inp->ecn_supported == 1))) {
5876		parameter_len = (uint16_t) sizeof(struct sctp_paramhdr);
5877		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
5878		ph->param_type = htons(SCTP_ECN_CAPABLE);
5879		ph->param_length = htons(parameter_len);
5880		chunk_len += parameter_len;
5881	}
5882	/* PR-SCTP supported parameter */
5883	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
5884	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
5885		parameter_len = (uint16_t) sizeof(struct sctp_paramhdr);
5886		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
5887		ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
5888		ph->param_length = htons(parameter_len);
5889		chunk_len += parameter_len;
5890	}
5891	/* Add NAT friendly parameter */
5892	if (nat_friendly) {
5893		parameter_len = (uint16_t) sizeof(struct sctp_paramhdr);
5894		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+chunk_len);
5895		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
5896		ph->param_length = htons(parameter_len);
5897		chunk_len += parameter_len;
5898	}
5899	/* And now tell the peer which extensions we support */
5900	num_ext = 0;
5901	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t)+chunk_len);
5902	if (((asoc != NULL) && (asoc->prsctp_supported == 1)) ||
5903	    ((asoc == NULL) && (inp->prsctp_supported == 1))) {
5904		pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
5905	}
5906	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
5907	    ((asoc == NULL) && (inp->auth_supported == 1))) {
5908		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
5909	}
5910	if (((asoc != NULL) && (asoc->asconf_supported == 1)) ||
5911	    ((asoc == NULL) && (inp->asconf_supported == 1))) {
5912		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
5913		pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
5914	}
5915	if (((asoc != NULL) && (asoc->reconfig_supported == 1)) ||
5916	    ((asoc == NULL) && (inp->reconfig_supported == 1))) {
5917		pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
5918	}
5919	if (((asoc != NULL) && (asoc->nrsack_supported == 1)) ||
5920	    ((asoc == NULL) && (inp->nrsack_supported == 1))) {
5921		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
5922	}
5923	if (((asoc != NULL) && (asoc->pktdrop_supported == 1)) ||
5924	    ((asoc == NULL) && (inp->pktdrop_supported == 1))) {
5925		pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
5926	}
5927	if (num_ext > 0) {
5928		parameter_len = (uint16_t) sizeof(struct sctp_supported_chunk_types_param) + num_ext;
5929		pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
5930		pr_supported->ph.param_length = htons(parameter_len);
5931		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5932		chunk_len += parameter_len;
5933	}
5934	/* add authentication parameters */
5935	if (((asoc != NULL) && (asoc->auth_supported == 1)) ||
5936	    ((asoc == NULL) && (inp->auth_supported == 1))) {
5937		struct sctp_auth_random *randp;
5938		struct sctp_auth_hmac_algo *hmacs;
5939		struct sctp_auth_chunk_list *chunks;
5940
5941		if (padding_len > 0) {
5942			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
5943			chunk_len += padding_len;
5944			padding_len = 0;
5945		}
5946		/* generate and add RANDOM parameter */
5947		randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+chunk_len);
5948		parameter_len = (uint16_t) sizeof(struct sctp_auth_random) +
5949		    SCTP_AUTH_RANDOM_SIZE_DEFAULT;
5950		randp->ph.param_type = htons(SCTP_RANDOM);
5951		randp->ph.param_length = htons(parameter_len);
5952		SCTP_READ_RANDOM(randp->random_data, SCTP_AUTH_RANDOM_SIZE_DEFAULT);
5953		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5954		chunk_len += parameter_len;
5955
5956		if (padding_len > 0) {
5957			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
5958			chunk_len += padding_len;
5959			padding_len = 0;
5960		}
5961		/* add HMAC_ALGO parameter */
5962		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+chunk_len);
5963		parameter_len = (uint16_t) sizeof(struct sctp_auth_hmac_algo) +
5964		    sctp_serialize_hmaclist(inp->sctp_ep.local_hmacs,
5965		    (uint8_t *) hmacs->hmac_ids);
5966		hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
5967		hmacs->ph.param_length = htons(parameter_len);
5968		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5969		chunk_len += parameter_len;
5970
5971		if (padding_len > 0) {
5972			memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
5973			chunk_len += padding_len;
5974			padding_len = 0;
5975		}
5976		/* add CHUNKS parameter */
5977		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+chunk_len);
5978		parameter_len = (uint16_t) sizeof(struct sctp_auth_chunk_list) +
5979		    sctp_serialize_auth_chunks(inp->sctp_ep.local_auth_chunks,
5980		    chunks->chunk_types);
5981		chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
5982		chunks->ph.param_length = htons(parameter_len);
5983		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
5984		chunk_len += parameter_len;
5985	}
5986	SCTP_BUF_LEN(m) = chunk_len;
5987	m_last = m;
5988	/* now the addresses */
5989	/*
5990	 * To optimize this we could put the scoping stuff into a structure
5991	 * and remove the individual uint8's from the stc structure. Then we
5992	 * could just sifa in the address within the stc.. but for now this
5993	 * is a quick hack to get the address stuff teased apart.
5994	 */
5995	scp.ipv4_addr_legal = stc.ipv4_addr_legal;
5996	scp.ipv6_addr_legal = stc.ipv6_addr_legal;
5997	scp.loopback_scope = stc.loopback_scope;
5998	scp.ipv4_local_scope = stc.ipv4_scope;
5999	scp.local_scope = stc.local_scope;
6000	scp.site_scope = stc.site_scope;
6001	m_last = sctp_add_addresses_to_i_ia(inp, stcb, &scp, m_last,
6002	    cnt_inits_to,
6003	    &padding_len, &chunk_len);
6004	/* padding_len can only be positive, if no addresses have been added */
6005	if (padding_len > 0) {
6006		memset(mtod(m, caddr_t)+chunk_len, 0, padding_len);
6007		chunk_len += padding_len;
6008		SCTP_BUF_LEN(m) += padding_len;
6009		padding_len = 0;
6010	}
6011	/* tack on the operational error if present */
6012	if (op_err) {
6013		parameter_len = 0;
6014		for (m_tmp = op_err; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6015			parameter_len += SCTP_BUF_LEN(m_tmp);
6016		}
6017		padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6018		SCTP_BUF_NEXT(m_last) = op_err;
6019		while (SCTP_BUF_NEXT(m_last) != NULL) {
6020			m_last = SCTP_BUF_NEXT(m_last);
6021		}
6022		chunk_len += parameter_len;
6023	}
6024	if (padding_len > 0) {
6025		m_last = sctp_add_pad_tombuf(m_last, padding_len);
6026		if (m_last == NULL) {
6027			/* Houston we have a problem, no space */
6028			sctp_m_freem(m);
6029			return;
6030		}
6031		chunk_len += padding_len;
6032		padding_len = 0;
6033	}
6034	/* Now we must build a cookie */
6035	m_cookie = sctp_add_cookie(init_pkt, offset, m, 0, &stc, &signature);
6036	if (m_cookie == NULL) {
6037		/* memory problem */
6038		sctp_m_freem(m);
6039		return;
6040	}
6041	/* Now append the cookie to the end and update the space/size */
6042	SCTP_BUF_NEXT(m_last) = m_cookie;
6043	parameter_len = 0;
6044	for (m_tmp = m_cookie; m_tmp != NULL; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
6045		parameter_len += SCTP_BUF_LEN(m_tmp);
6046		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
6047			m_last = m_tmp;
6048		}
6049	}
6050	padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
6051	chunk_len += parameter_len;
6052
6053	/*
6054	 * Place in the size, but we don't include the last pad (if any) in
6055	 * the INIT-ACK.
6056	 */
6057	initack->ch.chunk_length = htons(chunk_len);
6058
6059	/*
6060	 * Time to sign the cookie, we don't sign over the cookie signature
6061	 * though thus we set trailer.
6062	 */
6063	(void)sctp_hmac_m(SCTP_HMAC,
6064	    (uint8_t *) inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
6065	    SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
6066	    (uint8_t *) signature, SCTP_SIGNATURE_SIZE);
6067	/*
6068	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
6069	 * here since the timer will drive a retranmission.
6070	 */
6071	if (padding_len > 0) {
6072		if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
6073			sctp_m_freem(m);
6074			return;
6075		}
6076	}
6077	if (stc.loopback_scope) {
6078		over_addr = (union sctp_sockstore *)dst;
6079	} else {
6080		over_addr = NULL;
6081	}
6082
6083	(void)sctp_lowlevel_chunk_output(inp, NULL, NULL, to, m, 0, NULL, 0, 0,
6084	    0, 0,
6085	    inp->sctp_lport, sh->src_port, init_chk->init.initiate_tag,
6086	    port, over_addr,
6087	    mflowtype, mflowid,
6088	    SCTP_SO_NOT_LOCKED);
6089	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
6090}
6091
6092
6093static void
6094sctp_prune_prsctp(struct sctp_tcb *stcb,
6095    struct sctp_association *asoc,
6096    struct sctp_sndrcvinfo *srcv,
6097    int dataout)
6098{
6099	int freed_spc = 0;
6100	struct sctp_tmit_chunk *chk, *nchk;
6101
6102	SCTP_TCB_LOCK_ASSERT(stcb);
6103	if ((asoc->prsctp_supported) &&
6104	    (asoc->sent_queue_cnt_removeable > 0)) {
6105		TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
6106			/*
6107			 * Look for chunks marked with the PR_SCTP flag AND
6108			 * the buffer space flag. If the one being sent is
6109			 * equal or greater priority then purge the old one
6110			 * and free some space.
6111			 */
6112			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6113				/*
6114				 * This one is PR-SCTP AND buffer space
6115				 * limited type
6116				 */
6117				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
6118					/*
6119					 * Lower numbers equates to higher
6120					 * priority so if the one we are
6121					 * looking at has a larger or equal
6122					 * priority we want to drop the data
6123					 * and NOT retransmit it.
6124					 */
6125					if (chk->data) {
6126						/*
6127						 * We release the book_size
6128						 * if the mbuf is here
6129						 */
6130						int ret_spc;
6131						uint8_t sent;
6132
6133						if (chk->sent > SCTP_DATAGRAM_UNSENT)
6134							sent = 1;
6135						else
6136							sent = 0;
6137						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6138						    sent,
6139						    SCTP_SO_LOCKED);
6140						freed_spc += ret_spc;
6141						if (freed_spc >= dataout) {
6142							return;
6143						}
6144					}	/* if chunk was present */
6145				}	/* if of sufficent priority */
6146			}	/* if chunk has enabled */
6147		}		/* tailqforeach */
6148
6149		TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
6150			/* Here we must move to the sent queue and mark */
6151			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
6152				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
6153					if (chk->data) {
6154						/*
6155						 * We release the book_size
6156						 * if the mbuf is here
6157						 */
6158						int ret_spc;
6159
6160						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
6161						    0, SCTP_SO_LOCKED);
6162
6163						freed_spc += ret_spc;
6164						if (freed_spc >= dataout) {
6165							return;
6166						}
6167					}	/* end if chk->data */
6168				}	/* end if right class */
6169			}	/* end if chk pr-sctp */
6170		}		/* tailqforeachsafe (chk) */
6171	}			/* if enabled in asoc */
6172}
6173
6174int
6175sctp_get_frag_point(struct sctp_tcb *stcb,
6176    struct sctp_association *asoc)
6177{
6178	int siz, ovh;
6179
6180	/*
6181	 * For endpoints that have both v6 and v4 addresses we must reserve
6182	 * room for the ipv6 header, for those that are only dealing with V4
6183	 * we use a larger frag point.
6184	 */
6185	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
6186		ovh = SCTP_MED_OVERHEAD;
6187	} else {
6188		ovh = SCTP_MED_V4_OVERHEAD;
6189	}
6190
6191	if (stcb->asoc.sctp_frag_point > asoc->smallest_mtu)
6192		siz = asoc->smallest_mtu - ovh;
6193	else
6194		siz = (stcb->asoc.sctp_frag_point - ovh);
6195	/*
6196	 * if (siz > (MCLBYTES-sizeof(struct sctp_data_chunk))) {
6197	 */
6198	/* A data chunk MUST fit in a cluster */
6199	/* siz = (MCLBYTES - sizeof(struct sctp_data_chunk)); */
6200	/* } */
6201
6202	/* adjust for an AUTH chunk if DATA requires auth */
6203	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks))
6204		siz -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
6205
6206	if (siz % 4) {
6207		/* make it an even word boundary please */
6208		siz -= (siz % 4);
6209	}
6210	return (siz);
6211}
6212
6213static void
6214sctp_set_prsctp_policy(struct sctp_stream_queue_pending *sp)
6215{
6216	/*
6217	 * We assume that the user wants PR_SCTP_TTL if the user provides a
6218	 * positive lifetime but does not specify any PR_SCTP policy.
6219	 */
6220	if (PR_SCTP_ENABLED(sp->sinfo_flags)) {
6221		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6222	} else if (sp->timetolive > 0) {
6223		sp->sinfo_flags |= SCTP_PR_SCTP_TTL;
6224		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
6225	} else {
6226		return;
6227	}
6228	switch (PR_SCTP_POLICY(sp->sinfo_flags)) {
6229	case CHUNK_FLAGS_PR_SCTP_BUF:
6230		/*
6231		 * Time to live is a priority stored in tv_sec when doing
6232		 * the buffer drop thing.
6233		 */
6234		sp->ts.tv_sec = sp->timetolive;
6235		sp->ts.tv_usec = 0;
6236		break;
6237	case CHUNK_FLAGS_PR_SCTP_TTL:
6238		{
6239			struct timeval tv;
6240
6241			(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6242			tv.tv_sec = sp->timetolive / 1000;
6243			tv.tv_usec = (sp->timetolive * 1000) % 1000000;
6244			/*
6245			 * TODO sctp_constants.h needs alternative time
6246			 * macros when _KERNEL is undefined.
6247			 */
6248			timevaladd(&sp->ts, &tv);
6249		}
6250		break;
6251	case CHUNK_FLAGS_PR_SCTP_RTX:
6252		/*
6253		 * Time to live is a the number or retransmissions stored in
6254		 * tv_sec.
6255		 */
6256		sp->ts.tv_sec = sp->timetolive;
6257		sp->ts.tv_usec = 0;
6258		break;
6259	default:
6260		SCTPDBG(SCTP_DEBUG_USRREQ1,
6261		    "Unknown PR_SCTP policy %u.\n",
6262		    PR_SCTP_POLICY(sp->sinfo_flags));
6263		break;
6264	}
6265}
6266
6267static int
6268sctp_msg_append(struct sctp_tcb *stcb,
6269    struct sctp_nets *net,
6270    struct mbuf *m,
6271    struct sctp_sndrcvinfo *srcv, int hold_stcb_lock)
6272{
6273	int error = 0;
6274	struct mbuf *at;
6275	struct sctp_stream_queue_pending *sp = NULL;
6276	struct sctp_stream_out *strm;
6277
6278	/*
6279	 * Given an mbuf chain, put it into the association send queue and
6280	 * place it on the wheel
6281	 */
6282	if (srcv->sinfo_stream >= stcb->asoc.streamoutcnt) {
6283		/* Invalid stream number */
6284		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6285		error = EINVAL;
6286		goto out_now;
6287	}
6288	if ((stcb->asoc.stream_locked) &&
6289	    (stcb->asoc.stream_locked_on != srcv->sinfo_stream)) {
6290		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
6291		error = EINVAL;
6292		goto out_now;
6293	}
6294	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
6295	/* Now can we send this? */
6296	if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
6297	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
6298	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
6299	    (stcb->asoc.state & SCTP_STATE_SHUTDOWN_PENDING)) {
6300		/* got data while shutting down */
6301		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
6302		error = ECONNRESET;
6303		goto out_now;
6304	}
6305	sctp_alloc_a_strmoq(stcb, sp);
6306	if (sp == NULL) {
6307		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6308		error = ENOMEM;
6309		goto out_now;
6310	}
6311	sp->sinfo_flags = srcv->sinfo_flags;
6312	sp->timetolive = srcv->sinfo_timetolive;
6313	sp->ppid = srcv->sinfo_ppid;
6314	sp->context = srcv->sinfo_context;
6315	if (sp->sinfo_flags & SCTP_ADDR_OVER) {
6316		sp->net = net;
6317		atomic_add_int(&sp->net->ref_count, 1);
6318	} else {
6319		sp->net = NULL;
6320	}
6321	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
6322	sp->stream = srcv->sinfo_stream;
6323	sp->msg_is_complete = 1;
6324	sp->sender_all_done = 1;
6325	sp->some_taken = 0;
6326	sp->data = m;
6327	sp->tail_mbuf = NULL;
6328	sctp_set_prsctp_policy(sp);
6329	/*
6330	 * We could in theory (for sendall) sifa the length in, but we would
6331	 * still have to hunt through the chain since we need to setup the
6332	 * tail_mbuf
6333	 */
6334	sp->length = 0;
6335	for (at = m; at; at = SCTP_BUF_NEXT(at)) {
6336		if (SCTP_BUF_NEXT(at) == NULL)
6337			sp->tail_mbuf = at;
6338		sp->length += SCTP_BUF_LEN(at);
6339	}
6340	if (srcv->sinfo_keynumber_valid) {
6341		sp->auth_keyid = srcv->sinfo_keynumber;
6342	} else {
6343		sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
6344	}
6345	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
6346		sctp_auth_key_acquire(stcb, sp->auth_keyid);
6347		sp->holds_key_ref = 1;
6348	}
6349	if (hold_stcb_lock == 0) {
6350		SCTP_TCB_SEND_LOCK(stcb);
6351	}
6352	sctp_snd_sb_alloc(stcb, sp->length);
6353	atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
6354	TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
6355	stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, &stcb->asoc, strm, sp, 1);
6356	m = NULL;
6357	if (hold_stcb_lock == 0) {
6358		SCTP_TCB_SEND_UNLOCK(stcb);
6359	}
6360out_now:
6361	if (m) {
6362		sctp_m_freem(m);
6363	}
6364	return (error);
6365}
6366
6367
6368static struct mbuf *
6369sctp_copy_mbufchain(struct mbuf *clonechain,
6370    struct mbuf *outchain,
6371    struct mbuf **endofchain,
6372    int can_take_mbuf,
6373    int sizeofcpy,
6374    uint8_t copy_by_ref)
6375{
6376	struct mbuf *m;
6377	struct mbuf *appendchain;
6378	caddr_t cp;
6379	int len;
6380
6381	if (endofchain == NULL) {
6382		/* error */
6383error_out:
6384		if (outchain)
6385			sctp_m_freem(outchain);
6386		return (NULL);
6387	}
6388	if (can_take_mbuf) {
6389		appendchain = clonechain;
6390	} else {
6391		if (!copy_by_ref &&
6392		    (sizeofcpy <= (int)((((SCTP_BASE_SYSCTL(sctp_mbuf_threshold_count) - 1) * MLEN) + MHLEN)))
6393		    ) {
6394			/* Its not in a cluster */
6395			if (*endofchain == NULL) {
6396				/* lets get a mbuf cluster */
6397				if (outchain == NULL) {
6398					/* This is the general case */
6399			new_mbuf:
6400					outchain = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
6401					if (outchain == NULL) {
6402						goto error_out;
6403					}
6404					SCTP_BUF_LEN(outchain) = 0;
6405					*endofchain = outchain;
6406					/* get the prepend space */
6407					SCTP_BUF_RESV_UF(outchain, (SCTP_FIRST_MBUF_RESV + 4));
6408				} else {
6409					/*
6410					 * We really should not get a NULL
6411					 * in endofchain
6412					 */
6413					/* find end */
6414					m = outchain;
6415					while (m) {
6416						if (SCTP_BUF_NEXT(m) == NULL) {
6417							*endofchain = m;
6418							break;
6419						}
6420						m = SCTP_BUF_NEXT(m);
6421					}
6422					/* sanity */
6423					if (*endofchain == NULL) {
6424						/*
6425						 * huh, TSNH XXX maybe we
6426						 * should panic
6427						 */
6428						sctp_m_freem(outchain);
6429						goto new_mbuf;
6430					}
6431				}
6432				/* get the new end of length */
6433				len = M_TRAILINGSPACE(*endofchain);
6434			} else {
6435				/* how much is left at the end? */
6436				len = M_TRAILINGSPACE(*endofchain);
6437			}
6438			/* Find the end of the data, for appending */
6439			cp = (mtod((*endofchain), caddr_t)+SCTP_BUF_LEN((*endofchain)));
6440
6441			/* Now lets copy it out */
6442			if (len >= sizeofcpy) {
6443				/* It all fits, copy it in */
6444				m_copydata(clonechain, 0, sizeofcpy, cp);
6445				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6446			} else {
6447				/* fill up the end of the chain */
6448				if (len > 0) {
6449					m_copydata(clonechain, 0, len, cp);
6450					SCTP_BUF_LEN((*endofchain)) += len;
6451					/* now we need another one */
6452					sizeofcpy -= len;
6453				}
6454				m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
6455				if (m == NULL) {
6456					/* We failed */
6457					goto error_out;
6458				}
6459				SCTP_BUF_NEXT((*endofchain)) = m;
6460				*endofchain = m;
6461				cp = mtod((*endofchain), caddr_t);
6462				m_copydata(clonechain, len, sizeofcpy, cp);
6463				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6464			}
6465			return (outchain);
6466		} else {
6467			/* copy the old fashion way */
6468			appendchain = SCTP_M_COPYM(clonechain, 0, M_COPYALL, M_NOWAIT);
6469#ifdef SCTP_MBUF_LOGGING
6470			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6471				sctp_log_mbc(appendchain, SCTP_MBUF_ICOPY);
6472			}
6473#endif
6474		}
6475	}
6476	if (appendchain == NULL) {
6477		/* error */
6478		if (outchain)
6479			sctp_m_freem(outchain);
6480		return (NULL);
6481	}
6482	if (outchain) {
6483		/* tack on to the end */
6484		if (*endofchain != NULL) {
6485			SCTP_BUF_NEXT(((*endofchain))) = appendchain;
6486		} else {
6487			m = outchain;
6488			while (m) {
6489				if (SCTP_BUF_NEXT(m) == NULL) {
6490					SCTP_BUF_NEXT(m) = appendchain;
6491					break;
6492				}
6493				m = SCTP_BUF_NEXT(m);
6494			}
6495		}
6496		/*
6497		 * save off the end and update the end-chain postion
6498		 */
6499		m = appendchain;
6500		while (m) {
6501			if (SCTP_BUF_NEXT(m) == NULL) {
6502				*endofchain = m;
6503				break;
6504			}
6505			m = SCTP_BUF_NEXT(m);
6506		}
6507		return (outchain);
6508	} else {
6509		/* save off the end and update the end-chain postion */
6510		m = appendchain;
6511		while (m) {
6512			if (SCTP_BUF_NEXT(m) == NULL) {
6513				*endofchain = m;
6514				break;
6515			}
6516			m = SCTP_BUF_NEXT(m);
6517		}
6518		return (appendchain);
6519	}
6520}
6521
6522static int
6523sctp_med_chunk_output(struct sctp_inpcb *inp,
6524    struct sctp_tcb *stcb,
6525    struct sctp_association *asoc,
6526    int *num_out,
6527    int *reason_code,
6528    int control_only, int from_where,
6529    struct timeval *now, int *now_filled, int frag_point, int so_locked
6530#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
6531    SCTP_UNUSED
6532#endif
6533);
6534
6535static void
6536sctp_sendall_iterator(struct sctp_inpcb *inp, struct sctp_tcb *stcb, void *ptr,
6537    uint32_t val SCTP_UNUSED)
6538{
6539	struct sctp_copy_all *ca;
6540	struct mbuf *m;
6541	int ret = 0;
6542	int added_control = 0;
6543	int un_sent, do_chunk_output = 1;
6544	struct sctp_association *asoc;
6545	struct sctp_nets *net;
6546
6547	ca = (struct sctp_copy_all *)ptr;
6548	if (ca->m == NULL) {
6549		return;
6550	}
6551	if (ca->inp != inp) {
6552		/* TSNH */
6553		return;
6554	}
6555	if (ca->sndlen > 0) {
6556		m = SCTP_M_COPYM(ca->m, 0, M_COPYALL, M_NOWAIT);
6557		if (m == NULL) {
6558			/* can't copy so we are done */
6559			ca->cnt_failed++;
6560			return;
6561		}
6562#ifdef SCTP_MBUF_LOGGING
6563		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6564			sctp_log_mbc(m, SCTP_MBUF_ICOPY);
6565		}
6566#endif
6567	} else {
6568		m = NULL;
6569	}
6570	SCTP_TCB_LOCK_ASSERT(stcb);
6571	if (stcb->asoc.alternate) {
6572		net = stcb->asoc.alternate;
6573	} else {
6574		net = stcb->asoc.primary_destination;
6575	}
6576	if (ca->sndrcv.sinfo_flags & SCTP_ABORT) {
6577		/* Abort this assoc with m as the user defined reason */
6578		if (m != NULL) {
6579			SCTP_BUF_PREPEND(m, sizeof(struct sctp_paramhdr), M_NOWAIT);
6580		} else {
6581			m = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
6582			    0, M_NOWAIT, 1, MT_DATA);
6583			SCTP_BUF_LEN(m) = sizeof(struct sctp_paramhdr);
6584		}
6585		if (m != NULL) {
6586			struct sctp_paramhdr *ph;
6587
6588			ph = mtod(m, struct sctp_paramhdr *);
6589			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
6590			ph->param_length = htons(sizeof(struct sctp_paramhdr) + ca->sndlen);
6591		}
6592		/*
6593		 * We add one here to keep the assoc from dis-appearing on
6594		 * us.
6595		 */
6596		atomic_add_int(&stcb->asoc.refcnt, 1);
6597		sctp_abort_an_association(inp, stcb, m, SCTP_SO_NOT_LOCKED);
6598		/*
6599		 * sctp_abort_an_association calls sctp_free_asoc() free
6600		 * association will NOT free it since we incremented the
6601		 * refcnt .. we do this to prevent it being freed and things
6602		 * getting tricky since we could end up (from free_asoc)
6603		 * calling inpcb_free which would get a recursive lock call
6604		 * to the iterator lock.. But as a consequence of that the
6605		 * stcb will return to us un-locked.. since free_asoc
6606		 * returns with either no TCB or the TCB unlocked, we must
6607		 * relock.. to unlock in the iterator timer :-0
6608		 */
6609		SCTP_TCB_LOCK(stcb);
6610		atomic_add_int(&stcb->asoc.refcnt, -1);
6611		goto no_chunk_output;
6612	} else {
6613		if (m) {
6614			ret = sctp_msg_append(stcb, net, m,
6615			    &ca->sndrcv, 1);
6616		}
6617		asoc = &stcb->asoc;
6618		if (ca->sndrcv.sinfo_flags & SCTP_EOF) {
6619			/* shutdown this assoc */
6620			int cnt;
6621
6622			cnt = sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED);
6623
6624			if (TAILQ_EMPTY(&asoc->send_queue) &&
6625			    TAILQ_EMPTY(&asoc->sent_queue) &&
6626			    (cnt == 0)) {
6627				if (asoc->locked_on_sending) {
6628					goto abort_anyway;
6629				}
6630				/*
6631				 * there is nothing queued to send, so I'm
6632				 * done...
6633				 */
6634				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
6635				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6636				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6637					/*
6638					 * only send SHUTDOWN the first time
6639					 * through
6640					 */
6641					if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
6642						SCTP_STAT_DECR_GAUGE32(sctps_currestab);
6643					}
6644					SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
6645					SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
6646					sctp_stop_timers_for_shutdown(stcb);
6647					sctp_send_shutdown(stcb, net);
6648					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
6649					    net);
6650					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
6651					    asoc->primary_destination);
6652					added_control = 1;
6653					do_chunk_output = 0;
6654				}
6655			} else {
6656				/*
6657				 * we still got (or just got) data to send,
6658				 * so set SHUTDOWN_PENDING
6659				 */
6660				/*
6661				 * XXX sockets draft says that SCTP_EOF
6662				 * should be sent with no data.  currently,
6663				 * we will allow user data to be sent first
6664				 * and move to SHUTDOWN-PENDING
6665				 */
6666				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
6667				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6668				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6669					if (asoc->locked_on_sending) {
6670						/*
6671						 * Locked to send out the
6672						 * data
6673						 */
6674						struct sctp_stream_queue_pending *sp;
6675
6676						sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
6677						if (sp) {
6678							if ((sp->length == 0) && (sp->msg_is_complete == 0))
6679								asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
6680						}
6681					}
6682					asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
6683					if (TAILQ_EMPTY(&asoc->send_queue) &&
6684					    TAILQ_EMPTY(&asoc->sent_queue) &&
6685					    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
6686						struct mbuf *op_err;
6687						char msg[SCTP_DIAG_INFO_LEN];
6688
6689				abort_anyway:
6690						snprintf(msg, sizeof(msg),
6691						    "%s:%d at %s", __FILE__, __LINE__, __func__);
6692						op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
6693						    msg);
6694						atomic_add_int(&stcb->asoc.refcnt, 1);
6695						sctp_abort_an_association(stcb->sctp_ep, stcb,
6696						    op_err, SCTP_SO_NOT_LOCKED);
6697						atomic_add_int(&stcb->asoc.refcnt, -1);
6698						goto no_chunk_output;
6699					}
6700					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
6701					    asoc->primary_destination);
6702				}
6703			}
6704
6705		}
6706	}
6707	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
6708	    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
6709
6710	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
6711	    (stcb->asoc.total_flight > 0) &&
6712	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
6713		do_chunk_output = 0;
6714	}
6715	if (do_chunk_output)
6716		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_NOT_LOCKED);
6717	else if (added_control) {
6718		int num_out, reason, now_filled = 0;
6719		struct timeval now;
6720		int frag_point;
6721
6722		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
6723		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
6724		    &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_NOT_LOCKED);
6725	}
6726no_chunk_output:
6727	if (ret) {
6728		ca->cnt_failed++;
6729	} else {
6730		ca->cnt_sent++;
6731	}
6732}
6733
6734static void
6735sctp_sendall_completes(void *ptr, uint32_t val SCTP_UNUSED)
6736{
6737	struct sctp_copy_all *ca;
6738
6739	ca = (struct sctp_copy_all *)ptr;
6740	/*
6741	 * Do a notify here? Kacheong suggests that the notify be done at
6742	 * the send time.. so you would push up a notification if any send
6743	 * failed. Don't know if this is feasable since the only failures we
6744	 * have is "memory" related and if you cannot get an mbuf to send
6745	 * the data you surely can't get an mbuf to send up to notify the
6746	 * user you can't send the data :->
6747	 */
6748
6749	/* now free everything */
6750	sctp_m_freem(ca->m);
6751	SCTP_FREE(ca, SCTP_M_COPYAL);
6752}
6753
6754static struct mbuf *
6755sctp_copy_out_all(struct uio *uio, int len)
6756{
6757	struct mbuf *ret, *at;
6758	int left, willcpy, cancpy, error;
6759
6760	ret = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_WAITOK, 1, MT_DATA);
6761	if (ret == NULL) {
6762		/* TSNH */
6763		return (NULL);
6764	}
6765	left = len;
6766	SCTP_BUF_LEN(ret) = 0;
6767	/* save space for the data chunk header */
6768	cancpy = M_TRAILINGSPACE(ret);
6769	willcpy = min(cancpy, left);
6770	at = ret;
6771	while (left > 0) {
6772		/* Align data to the end */
6773		error = uiomove(mtod(at, caddr_t), willcpy, uio);
6774		if (error) {
6775	err_out_now:
6776			sctp_m_freem(at);
6777			return (NULL);
6778		}
6779		SCTP_BUF_LEN(at) = willcpy;
6780		SCTP_BUF_NEXT_PKT(at) = SCTP_BUF_NEXT(at) = 0;
6781		left -= willcpy;
6782		if (left > 0) {
6783			SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg(left, 0, M_WAITOK, 1, MT_DATA);
6784			if (SCTP_BUF_NEXT(at) == NULL) {
6785				goto err_out_now;
6786			}
6787			at = SCTP_BUF_NEXT(at);
6788			SCTP_BUF_LEN(at) = 0;
6789			cancpy = M_TRAILINGSPACE(at);
6790			willcpy = min(cancpy, left);
6791		}
6792	}
6793	return (ret);
6794}
6795
6796static int
6797sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, struct mbuf *m,
6798    struct sctp_sndrcvinfo *srcv)
6799{
6800	int ret;
6801	struct sctp_copy_all *ca;
6802
6803	SCTP_MALLOC(ca, struct sctp_copy_all *, sizeof(struct sctp_copy_all),
6804	    SCTP_M_COPYAL);
6805	if (ca == NULL) {
6806		sctp_m_freem(m);
6807		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6808		return (ENOMEM);
6809	}
6810	memset(ca, 0, sizeof(struct sctp_copy_all));
6811
6812	ca->inp = inp;
6813	if (srcv) {
6814		memcpy(&ca->sndrcv, srcv, sizeof(struct sctp_nonpad_sndrcvinfo));
6815	}
6816	/*
6817	 * take off the sendall flag, it would be bad if we failed to do
6818	 * this :-0
6819	 */
6820	ca->sndrcv.sinfo_flags &= ~SCTP_SENDALL;
6821	/* get length and mbuf chain */
6822	if (uio) {
6823		ca->sndlen = uio->uio_resid;
6824		ca->m = sctp_copy_out_all(uio, ca->sndlen);
6825		if (ca->m == NULL) {
6826			SCTP_FREE(ca, SCTP_M_COPYAL);
6827			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6828			return (ENOMEM);
6829		}
6830	} else {
6831		/* Gather the length of the send */
6832		struct mbuf *mat;
6833
6834		ca->sndlen = 0;
6835		for (mat = m; mat; mat = SCTP_BUF_NEXT(mat)) {
6836			ca->sndlen += SCTP_BUF_LEN(mat);
6837		}
6838	}
6839	ret = sctp_initiate_iterator(NULL, sctp_sendall_iterator, NULL,
6840	    SCTP_PCB_ANY_FLAGS, SCTP_PCB_ANY_FEATURES,
6841	    SCTP_ASOC_ANY_STATE,
6842	    (void *)ca, 0,
6843	    sctp_sendall_completes, inp, 1);
6844	if (ret) {
6845		SCTP_PRINTF("Failed to initiate iterator for sendall\n");
6846		SCTP_FREE(ca, SCTP_M_COPYAL);
6847		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
6848		return (EFAULT);
6849	}
6850	return (0);
6851}
6852
6853
6854void
6855sctp_toss_old_cookies(struct sctp_tcb *stcb, struct sctp_association *asoc)
6856{
6857	struct sctp_tmit_chunk *chk, *nchk;
6858
6859	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
6860		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
6861			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
6862			if (chk->data) {
6863				sctp_m_freem(chk->data);
6864				chk->data = NULL;
6865			}
6866			asoc->ctrl_queue_cnt--;
6867			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
6868		}
6869	}
6870}
6871
6872void
6873sctp_toss_old_asconf(struct sctp_tcb *stcb)
6874{
6875	struct sctp_association *asoc;
6876	struct sctp_tmit_chunk *chk, *nchk;
6877	struct sctp_asconf_chunk *acp;
6878
6879	asoc = &stcb->asoc;
6880	TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
6881		/* find SCTP_ASCONF chunk in queue */
6882		if (chk->rec.chunk_id.id == SCTP_ASCONF) {
6883			if (chk->data) {
6884				acp = mtod(chk->data, struct sctp_asconf_chunk *);
6885				if (SCTP_TSN_GT(ntohl(acp->serial_number), asoc->asconf_seq_out_acked)) {
6886					/* Not Acked yet */
6887					break;
6888				}
6889			}
6890			TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
6891			if (chk->data) {
6892				sctp_m_freem(chk->data);
6893				chk->data = NULL;
6894			}
6895			asoc->ctrl_queue_cnt--;
6896			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
6897		}
6898	}
6899}
6900
6901
6902static void
6903sctp_clean_up_datalist(struct sctp_tcb *stcb,
6904    struct sctp_association *asoc,
6905    struct sctp_tmit_chunk **data_list,
6906    int bundle_at,
6907    struct sctp_nets *net)
6908{
6909	int i;
6910	struct sctp_tmit_chunk *tp1;
6911
6912	for (i = 0; i < bundle_at; i++) {
6913		/* off of the send queue */
6914		TAILQ_REMOVE(&asoc->send_queue, data_list[i], sctp_next);
6915		asoc->send_queue_cnt--;
6916		if (i > 0) {
6917			/*
6918			 * Any chunk NOT 0 you zap the time chunk 0 gets
6919			 * zapped or set based on if a RTO measurment is
6920			 * needed.
6921			 */
6922			data_list[i]->do_rtt = 0;
6923		}
6924		/* record time */
6925		data_list[i]->sent_rcv_time = net->last_sent_time;
6926		data_list[i]->rec.data.cwnd_at_send = net->cwnd;
6927		data_list[i]->rec.data.fast_retran_tsn = data_list[i]->rec.data.TSN_seq;
6928		if (data_list[i]->whoTo == NULL) {
6929			data_list[i]->whoTo = net;
6930			atomic_add_int(&net->ref_count, 1);
6931		}
6932		/* on to the sent queue */
6933		tp1 = TAILQ_LAST(&asoc->sent_queue, sctpchunk_listhead);
6934		if ((tp1) && SCTP_TSN_GT(tp1->rec.data.TSN_seq, data_list[i]->rec.data.TSN_seq)) {
6935			struct sctp_tmit_chunk *tpp;
6936
6937			/* need to move back */
6938	back_up_more:
6939			tpp = TAILQ_PREV(tp1, sctpchunk_listhead, sctp_next);
6940			if (tpp == NULL) {
6941				TAILQ_INSERT_BEFORE(tp1, data_list[i], sctp_next);
6942				goto all_done;
6943			}
6944			tp1 = tpp;
6945			if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, data_list[i]->rec.data.TSN_seq)) {
6946				goto back_up_more;
6947			}
6948			TAILQ_INSERT_AFTER(&asoc->sent_queue, tp1, data_list[i], sctp_next);
6949		} else {
6950			TAILQ_INSERT_TAIL(&asoc->sent_queue,
6951			    data_list[i],
6952			    sctp_next);
6953		}
6954all_done:
6955		/* This does not lower until the cum-ack passes it */
6956		asoc->sent_queue_cnt++;
6957		if ((asoc->peers_rwnd <= 0) &&
6958		    (asoc->total_flight == 0) &&
6959		    (bundle_at == 1)) {
6960			/* Mark the chunk as being a window probe */
6961			SCTP_STAT_INCR(sctps_windowprobed);
6962		}
6963#ifdef SCTP_AUDITING_ENABLED
6964		sctp_audit_log(0xC2, 3);
6965#endif
6966		data_list[i]->sent = SCTP_DATAGRAM_SENT;
6967		data_list[i]->snd_count = 1;
6968		data_list[i]->rec.data.chunk_was_revoked = 0;
6969		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
6970			sctp_misc_ints(SCTP_FLIGHT_LOG_UP,
6971			    data_list[i]->whoTo->flight_size,
6972			    data_list[i]->book_size,
6973			    (uintptr_t) data_list[i]->whoTo,
6974			    data_list[i]->rec.data.TSN_seq);
6975		}
6976		sctp_flight_size_increase(data_list[i]);
6977		sctp_total_flight_increase(stcb, data_list[i]);
6978		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
6979			sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
6980			    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
6981		}
6982		asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
6983		    (uint32_t) (data_list[i]->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
6984		if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
6985			/* SWS sender side engages */
6986			asoc->peers_rwnd = 0;
6987		}
6988	}
6989	if (asoc->cc_functions.sctp_cwnd_update_packet_transmitted) {
6990		(*asoc->cc_functions.sctp_cwnd_update_packet_transmitted) (stcb, net);
6991	}
6992}
6993
6994static void
6995sctp_clean_up_ctl(struct sctp_tcb *stcb, struct sctp_association *asoc, int so_locked
6996#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
6997    SCTP_UNUSED
6998#endif
6999)
7000{
7001	struct sctp_tmit_chunk *chk, *nchk;
7002
7003	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
7004		if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7005		    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
7006		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
7007		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
7008		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) ||
7009		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
7010		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
7011		    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
7012		    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
7013		    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
7014		    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
7015		    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
7016			/* Stray chunks must be cleaned up */
7017	clean_up_anyway:
7018			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
7019			if (chk->data) {
7020				sctp_m_freem(chk->data);
7021				chk->data = NULL;
7022			}
7023			asoc->ctrl_queue_cnt--;
7024			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)
7025				asoc->fwd_tsn_cnt--;
7026			sctp_free_a_chunk(stcb, chk, so_locked);
7027		} else if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
7028			/* special handling, we must look into the param */
7029			if (chk != asoc->str_reset) {
7030				goto clean_up_anyway;
7031			}
7032		}
7033	}
7034}
7035
7036
7037static int
7038sctp_can_we_split_this(struct sctp_tcb *stcb,
7039    uint32_t length,
7040    uint32_t goal_mtu, uint32_t frag_point, int eeor_on)
7041{
7042	/*
7043	 * Make a decision on if I should split a msg into multiple parts.
7044	 * This is only asked of incomplete messages.
7045	 */
7046	if (eeor_on) {
7047		/*
7048		 * If we are doing EEOR we need to always send it if its the
7049		 * entire thing, since it might be all the guy is putting in
7050		 * the hopper.
7051		 */
7052		if (goal_mtu >= length) {
7053			/*-
7054			 * If we have data outstanding,
7055			 * we get another chance when the sack
7056			 * arrives to transmit - wait for more data
7057			 */
7058			if (stcb->asoc.total_flight == 0) {
7059				/*
7060				 * If nothing is in flight, we zero the
7061				 * packet counter.
7062				 */
7063				return (length);
7064			}
7065			return (0);
7066
7067		} else {
7068			/* You can fill the rest */
7069			return (goal_mtu);
7070		}
7071	}
7072	/*-
7073	 * For those strange folk that make the send buffer
7074	 * smaller than our fragmentation point, we can't
7075	 * get a full msg in so we have to allow splitting.
7076	 */
7077	if (SCTP_SB_LIMIT_SND(stcb->sctp_socket) < frag_point) {
7078		return (length);
7079	}
7080	if ((length <= goal_mtu) ||
7081	    ((length - goal_mtu) < SCTP_BASE_SYSCTL(sctp_min_residual))) {
7082		/* Sub-optimial residual don't split in non-eeor mode. */
7083		return (0);
7084	}
7085	/*
7086	 * If we reach here length is larger than the goal_mtu. Do we wish
7087	 * to split it for the sake of packet putting together?
7088	 */
7089	if (goal_mtu >= min(SCTP_BASE_SYSCTL(sctp_min_split_point), frag_point)) {
7090		/* Its ok to split it */
7091		return (min(goal_mtu, frag_point));
7092	}
7093	/* Nope, can't split */
7094	return (0);
7095
7096}
7097
7098static uint32_t
7099sctp_move_to_outqueue(struct sctp_tcb *stcb,
7100    struct sctp_stream_out *strq,
7101    uint32_t goal_mtu,
7102    uint32_t frag_point,
7103    int *locked,
7104    int *giveup,
7105    int eeor_mode,
7106    int *bail,
7107    int so_locked
7108#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
7109    SCTP_UNUSED
7110#endif
7111)
7112{
7113	/* Move from the stream to the send_queue keeping track of the total */
7114	struct sctp_association *asoc;
7115	struct sctp_stream_queue_pending *sp;
7116	struct sctp_tmit_chunk *chk;
7117	struct sctp_data_chunk *dchkh;
7118	uint32_t to_move, length;
7119	uint8_t rcv_flags = 0;
7120	uint8_t some_taken;
7121	uint8_t send_lock_up = 0;
7122
7123	SCTP_TCB_LOCK_ASSERT(stcb);
7124	asoc = &stcb->asoc;
7125one_more_time:
7126	/* sa_ignore FREED_MEMORY */
7127	sp = TAILQ_FIRST(&strq->outqueue);
7128	if (sp == NULL) {
7129		*locked = 0;
7130		if (send_lock_up == 0) {
7131			SCTP_TCB_SEND_LOCK(stcb);
7132			send_lock_up = 1;
7133		}
7134		sp = TAILQ_FIRST(&strq->outqueue);
7135		if (sp) {
7136			goto one_more_time;
7137		}
7138		if (strq->last_msg_incomplete) {
7139			SCTP_PRINTF("Huh? Stream:%d lm_in_c=%d but queue is NULL\n",
7140			    strq->stream_no,
7141			    strq->last_msg_incomplete);
7142			strq->last_msg_incomplete = 0;
7143		}
7144		to_move = 0;
7145		if (send_lock_up) {
7146			SCTP_TCB_SEND_UNLOCK(stcb);
7147			send_lock_up = 0;
7148		}
7149		goto out_of;
7150	}
7151	if ((sp->msg_is_complete) && (sp->length == 0)) {
7152		if (sp->sender_all_done) {
7153			/*
7154			 * We are doing differed cleanup. Last time through
7155			 * when we took all the data the sender_all_done was
7156			 * not set.
7157			 */
7158			if ((sp->put_last_out == 0) && (sp->discard_rest == 0)) {
7159				SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
7160				SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
7161				    sp->sender_all_done,
7162				    sp->length,
7163				    sp->msg_is_complete,
7164				    sp->put_last_out,
7165				    send_lock_up);
7166			}
7167			if ((TAILQ_NEXT(sp, next) == NULL) && (send_lock_up == 0)) {
7168				SCTP_TCB_SEND_LOCK(stcb);
7169				send_lock_up = 1;
7170			}
7171			atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7172			TAILQ_REMOVE(&strq->outqueue, sp, next);
7173			if ((strq->state == SCTP_STREAM_RESET_PENDING) &&
7174			    (strq->chunks_on_queues == 0) &&
7175			    TAILQ_EMPTY(&strq->outqueue)) {
7176				stcb->asoc.trigger_reset = 1;
7177			}
7178			stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp, send_lock_up);
7179			if (sp->net) {
7180				sctp_free_remote_addr(sp->net);
7181				sp->net = NULL;
7182			}
7183			if (sp->data) {
7184				sctp_m_freem(sp->data);
7185				sp->data = NULL;
7186			}
7187			sctp_free_a_strmoq(stcb, sp, so_locked);
7188			/* we can't be locked to it */
7189			*locked = 0;
7190			stcb->asoc.locked_on_sending = NULL;
7191			if (send_lock_up) {
7192				SCTP_TCB_SEND_UNLOCK(stcb);
7193				send_lock_up = 0;
7194			}
7195			/* back to get the next msg */
7196			goto one_more_time;
7197		} else {
7198			/*
7199			 * sender just finished this but still holds a
7200			 * reference
7201			 */
7202			*locked = 1;
7203			*giveup = 1;
7204			to_move = 0;
7205			goto out_of;
7206		}
7207	} else {
7208		/* is there some to get */
7209		if (sp->length == 0) {
7210			/* no */
7211			*locked = 1;
7212			*giveup = 1;
7213			to_move = 0;
7214			goto out_of;
7215		} else if (sp->discard_rest) {
7216			if (send_lock_up == 0) {
7217				SCTP_TCB_SEND_LOCK(stcb);
7218				send_lock_up = 1;
7219			}
7220			/* Whack down the size */
7221			atomic_subtract_int(&stcb->asoc.total_output_queue_size, sp->length);
7222			if ((stcb->sctp_socket != NULL) && \
7223			    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
7224			    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL))) {
7225				atomic_subtract_int(&stcb->sctp_socket->so_snd.sb_cc, sp->length);
7226			}
7227			if (sp->data) {
7228				sctp_m_freem(sp->data);
7229				sp->data = NULL;
7230				sp->tail_mbuf = NULL;
7231			}
7232			sp->length = 0;
7233			sp->some_taken = 1;
7234			*locked = 1;
7235			*giveup = 1;
7236			to_move = 0;
7237			goto out_of;
7238		}
7239	}
7240	some_taken = sp->some_taken;
7241	if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
7242		sp->msg_is_complete = 1;
7243	}
7244re_look:
7245	length = sp->length;
7246	if (sp->msg_is_complete) {
7247		/* The message is complete */
7248		to_move = min(length, frag_point);
7249		if (to_move == length) {
7250			/* All of it fits in the MTU */
7251			if (sp->some_taken) {
7252				rcv_flags |= SCTP_DATA_LAST_FRAG;
7253				sp->put_last_out = 1;
7254			} else {
7255				rcv_flags |= SCTP_DATA_NOT_FRAG;
7256				sp->put_last_out = 1;
7257			}
7258		} else {
7259			/* Not all of it fits, we fragment */
7260			if (sp->some_taken == 0) {
7261				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7262			}
7263			sp->some_taken = 1;
7264		}
7265	} else {
7266		to_move = sctp_can_we_split_this(stcb, length, goal_mtu, frag_point, eeor_mode);
7267		if (to_move) {
7268			/*-
7269			 * We use a snapshot of length in case it
7270			 * is expanding during the compare.
7271			 */
7272			uint32_t llen;
7273
7274			llen = length;
7275			if (to_move >= llen) {
7276				to_move = llen;
7277				if (send_lock_up == 0) {
7278					/*-
7279					 * We are taking all of an incomplete msg
7280					 * thus we need a send lock.
7281					 */
7282					SCTP_TCB_SEND_LOCK(stcb);
7283					send_lock_up = 1;
7284					if (sp->msg_is_complete) {
7285						/*
7286						 * the sender finished the
7287						 * msg
7288						 */
7289						goto re_look;
7290					}
7291				}
7292			}
7293			if (sp->some_taken == 0) {
7294				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7295				sp->some_taken = 1;
7296			}
7297		} else {
7298			/* Nothing to take. */
7299			if (sp->some_taken) {
7300				*locked = 1;
7301			}
7302			*giveup = 1;
7303			to_move = 0;
7304			goto out_of;
7305		}
7306	}
7307
7308	/* If we reach here, we can copy out a chunk */
7309	sctp_alloc_a_chunk(stcb, chk);
7310	if (chk == NULL) {
7311		/* No chunk memory */
7312		*giveup = 1;
7313		to_move = 0;
7314		goto out_of;
7315	}
7316	/*
7317	 * Setup for unordered if needed by looking at the user sent info
7318	 * flags.
7319	 */
7320	if (sp->sinfo_flags & SCTP_UNORDERED) {
7321		rcv_flags |= SCTP_DATA_UNORDERED;
7322	}
7323	if ((SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) && ((sp->sinfo_flags & SCTP_EOF) == SCTP_EOF)) ||
7324	    ((sp->sinfo_flags & SCTP_SACK_IMMEDIATELY) == SCTP_SACK_IMMEDIATELY)) {
7325		rcv_flags |= SCTP_DATA_SACK_IMMEDIATELY;
7326	}
7327	/* clear out the chunk before setting up */
7328	memset(chk, 0, sizeof(*chk));
7329	chk->rec.data.rcv_flags = rcv_flags;
7330
7331	if (to_move >= length) {
7332		/* we think we can steal the whole thing */
7333		if ((sp->sender_all_done == 0) && (send_lock_up == 0)) {
7334			SCTP_TCB_SEND_LOCK(stcb);
7335			send_lock_up = 1;
7336		}
7337		if (to_move < sp->length) {
7338			/* bail, it changed */
7339			goto dont_do_it;
7340		}
7341		chk->data = sp->data;
7342		chk->last_mbuf = sp->tail_mbuf;
7343		/* register the stealing */
7344		sp->data = sp->tail_mbuf = NULL;
7345	} else {
7346		struct mbuf *m;
7347
7348dont_do_it:
7349		chk->data = SCTP_M_COPYM(sp->data, 0, to_move, M_NOWAIT);
7350		chk->last_mbuf = NULL;
7351		if (chk->data == NULL) {
7352			sp->some_taken = some_taken;
7353			sctp_free_a_chunk(stcb, chk, so_locked);
7354			*bail = 1;
7355			to_move = 0;
7356			goto out_of;
7357		}
7358#ifdef SCTP_MBUF_LOGGING
7359		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
7360			sctp_log_mbc(chk->data, SCTP_MBUF_ICOPY);
7361		}
7362#endif
7363		/* Pull off the data */
7364		m_adj(sp->data, to_move);
7365		/* Now lets work our way down and compact it */
7366		m = sp->data;
7367		while (m && (SCTP_BUF_LEN(m) == 0)) {
7368			sp->data = SCTP_BUF_NEXT(m);
7369			SCTP_BUF_NEXT(m) = NULL;
7370			if (sp->tail_mbuf == m) {
7371				/*-
7372				 * Freeing tail? TSNH since
7373				 * we supposedly were taking less
7374				 * than the sp->length.
7375				 */
7376#ifdef INVARIANTS
7377				panic("Huh, freing tail? - TSNH");
7378#else
7379				SCTP_PRINTF("Huh, freeing tail? - TSNH\n");
7380				sp->tail_mbuf = sp->data = NULL;
7381				sp->length = 0;
7382#endif
7383
7384			}
7385			sctp_m_free(m);
7386			m = sp->data;
7387		}
7388	}
7389	if (SCTP_BUF_IS_EXTENDED(chk->data)) {
7390		chk->copy_by_ref = 1;
7391	} else {
7392		chk->copy_by_ref = 0;
7393	}
7394	/*
7395	 * get last_mbuf and counts of mb useage This is ugly but hopefully
7396	 * its only one mbuf.
7397	 */
7398	if (chk->last_mbuf == NULL) {
7399		chk->last_mbuf = chk->data;
7400		while (SCTP_BUF_NEXT(chk->last_mbuf) != NULL) {
7401			chk->last_mbuf = SCTP_BUF_NEXT(chk->last_mbuf);
7402		}
7403	}
7404	if (to_move > length) {
7405		/*- This should not happen either
7406		 * since we always lower to_move to the size
7407		 * of sp->length if its larger.
7408		 */
7409#ifdef INVARIANTS
7410		panic("Huh, how can to_move be larger?");
7411#else
7412		SCTP_PRINTF("Huh, how can to_move be larger?\n");
7413		sp->length = 0;
7414#endif
7415	} else {
7416		atomic_subtract_int(&sp->length, to_move);
7417	}
7418	if (M_LEADINGSPACE(chk->data) < (int)sizeof(struct sctp_data_chunk)) {
7419		/* Not enough room for a chunk header, get some */
7420		struct mbuf *m;
7421
7422		m = sctp_get_mbuf_for_msg(1, 0, M_NOWAIT, 0, MT_DATA);
7423		if (m == NULL) {
7424			/*
7425			 * we're in trouble here. _PREPEND below will free
7426			 * all the data if there is no leading space, so we
7427			 * must put the data back and restore.
7428			 */
7429			if (send_lock_up == 0) {
7430				SCTP_TCB_SEND_LOCK(stcb);
7431				send_lock_up = 1;
7432			}
7433			if (sp->data == NULL) {
7434				/* unsteal the data */
7435				sp->data = chk->data;
7436				sp->tail_mbuf = chk->last_mbuf;
7437			} else {
7438				struct mbuf *m_tmp;
7439
7440				/* reassemble the data */
7441				m_tmp = sp->data;
7442				sp->data = chk->data;
7443				SCTP_BUF_NEXT(chk->last_mbuf) = m_tmp;
7444			}
7445			sp->some_taken = some_taken;
7446			atomic_add_int(&sp->length, to_move);
7447			chk->data = NULL;
7448			*bail = 1;
7449			sctp_free_a_chunk(stcb, chk, so_locked);
7450			to_move = 0;
7451			goto out_of;
7452		} else {
7453			SCTP_BUF_LEN(m) = 0;
7454			SCTP_BUF_NEXT(m) = chk->data;
7455			chk->data = m;
7456			M_ALIGN(chk->data, 4);
7457		}
7458	}
7459	SCTP_BUF_PREPEND(chk->data, sizeof(struct sctp_data_chunk), M_NOWAIT);
7460	if (chk->data == NULL) {
7461		/* HELP, TSNH since we assured it would not above? */
7462#ifdef INVARIANTS
7463		panic("prepend failes HELP?");
7464#else
7465		SCTP_PRINTF("prepend fails HELP?\n");
7466		sctp_free_a_chunk(stcb, chk, so_locked);
7467#endif
7468		*bail = 1;
7469		to_move = 0;
7470		goto out_of;
7471	}
7472	sctp_snd_sb_alloc(stcb, sizeof(struct sctp_data_chunk));
7473	chk->book_size = chk->send_size = (to_move + sizeof(struct sctp_data_chunk));
7474	chk->book_size_scale = 0;
7475	chk->sent = SCTP_DATAGRAM_UNSENT;
7476
7477	chk->flags = 0;
7478	chk->asoc = &stcb->asoc;
7479	chk->pad_inplace = 0;
7480	chk->no_fr_allowed = 0;
7481	chk->rec.data.stream_seq = strq->next_sequence_send;
7482	if ((rcv_flags & SCTP_DATA_LAST_FRAG) &&
7483	    !(rcv_flags & SCTP_DATA_UNORDERED)) {
7484		strq->next_sequence_send++;
7485	}
7486	chk->rec.data.stream_number = sp->stream;
7487	chk->rec.data.payloadtype = sp->ppid;
7488	chk->rec.data.context = sp->context;
7489	chk->rec.data.doing_fast_retransmit = 0;
7490
7491	chk->rec.data.timetodrop = sp->ts;
7492	chk->flags = sp->act_flags;
7493
7494	if (sp->net) {
7495		chk->whoTo = sp->net;
7496		atomic_add_int(&chk->whoTo->ref_count, 1);
7497	} else
7498		chk->whoTo = NULL;
7499
7500	if (sp->holds_key_ref) {
7501		chk->auth_keyid = sp->auth_keyid;
7502		sctp_auth_key_acquire(stcb, chk->auth_keyid);
7503		chk->holds_key_ref = 1;
7504	}
7505	chk->rec.data.TSN_seq = atomic_fetchadd_int(&asoc->sending_seq, 1);
7506	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_AT_SEND_2_OUTQ) {
7507		sctp_misc_ints(SCTP_STRMOUT_LOG_SEND,
7508		    (uintptr_t) stcb, sp->length,
7509		    (uint32_t) ((chk->rec.data.stream_number << 16) | chk->rec.data.stream_seq),
7510		    chk->rec.data.TSN_seq);
7511	}
7512	dchkh = mtod(chk->data, struct sctp_data_chunk *);
7513	/*
7514	 * Put the rest of the things in place now. Size was done earlier in
7515	 * previous loop prior to padding.
7516	 */
7517
7518#ifdef SCTP_ASOCLOG_OF_TSNS
7519	SCTP_TCB_LOCK_ASSERT(stcb);
7520	if (asoc->tsn_out_at >= SCTP_TSN_LOG_SIZE) {
7521		asoc->tsn_out_at = 0;
7522		asoc->tsn_out_wrapped = 1;
7523	}
7524	asoc->out_tsnlog[asoc->tsn_out_at].tsn = chk->rec.data.TSN_seq;
7525	asoc->out_tsnlog[asoc->tsn_out_at].strm = chk->rec.data.stream_number;
7526	asoc->out_tsnlog[asoc->tsn_out_at].seq = chk->rec.data.stream_seq;
7527	asoc->out_tsnlog[asoc->tsn_out_at].sz = chk->send_size;
7528	asoc->out_tsnlog[asoc->tsn_out_at].flgs = chk->rec.data.rcv_flags;
7529	asoc->out_tsnlog[asoc->tsn_out_at].stcb = (void *)stcb;
7530	asoc->out_tsnlog[asoc->tsn_out_at].in_pos = asoc->tsn_out_at;
7531	asoc->out_tsnlog[asoc->tsn_out_at].in_out = 2;
7532	asoc->tsn_out_at++;
7533#endif
7534
7535	dchkh->ch.chunk_type = SCTP_DATA;
7536	dchkh->ch.chunk_flags = chk->rec.data.rcv_flags;
7537	dchkh->dp.tsn = htonl(chk->rec.data.TSN_seq);
7538	dchkh->dp.stream_id = htons(strq->stream_no);
7539	dchkh->dp.stream_sequence = htons(chk->rec.data.stream_seq);
7540	dchkh->dp.protocol_id = chk->rec.data.payloadtype;
7541	dchkh->ch.chunk_length = htons(chk->send_size);
7542	/* Now advance the chk->send_size by the actual pad needed. */
7543	if (chk->send_size < SCTP_SIZE32(chk->book_size)) {
7544		/* need a pad */
7545		struct mbuf *lm;
7546		int pads;
7547
7548		pads = SCTP_SIZE32(chk->book_size) - chk->send_size;
7549		lm = sctp_pad_lastmbuf(chk->data, pads, chk->last_mbuf);
7550		if (lm != NULL) {
7551			chk->last_mbuf = lm;
7552			chk->pad_inplace = 1;
7553		}
7554		chk->send_size += pads;
7555	}
7556	if (PR_SCTP_ENABLED(chk->flags)) {
7557		asoc->pr_sctp_cnt++;
7558	}
7559	if (sp->msg_is_complete && (sp->length == 0) && (sp->sender_all_done)) {
7560		/* All done pull and kill the message */
7561		atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7562		if (sp->put_last_out == 0) {
7563			SCTP_PRINTF("Gak, put out entire msg with NO end!-2\n");
7564			SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
7565			    sp->sender_all_done,
7566			    sp->length,
7567			    sp->msg_is_complete,
7568			    sp->put_last_out,
7569			    send_lock_up);
7570		}
7571		if ((send_lock_up == 0) && (TAILQ_NEXT(sp, next) == NULL)) {
7572			SCTP_TCB_SEND_LOCK(stcb);
7573			send_lock_up = 1;
7574		}
7575		TAILQ_REMOVE(&strq->outqueue, sp, next);
7576		if ((strq->state == SCTP_STREAM_RESET_PENDING) &&
7577		    (strq->chunks_on_queues == 0) &&
7578		    TAILQ_EMPTY(&strq->outqueue)) {
7579			stcb->asoc.trigger_reset = 1;
7580		}
7581		stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp, send_lock_up);
7582		if (sp->net) {
7583			sctp_free_remote_addr(sp->net);
7584			sp->net = NULL;
7585		}
7586		if (sp->data) {
7587			sctp_m_freem(sp->data);
7588			sp->data = NULL;
7589		}
7590		sctp_free_a_strmoq(stcb, sp, so_locked);
7591
7592		/* we can't be locked to it */
7593		*locked = 0;
7594		stcb->asoc.locked_on_sending = NULL;
7595	} else {
7596		/* more to go, we are locked */
7597		*locked = 1;
7598	}
7599	asoc->chunks_on_out_queue++;
7600	strq->chunks_on_queues++;
7601	TAILQ_INSERT_TAIL(&asoc->send_queue, chk, sctp_next);
7602	asoc->send_queue_cnt++;
7603out_of:
7604	if (send_lock_up) {
7605		SCTP_TCB_SEND_UNLOCK(stcb);
7606	}
7607	return (to_move);
7608}
7609
7610
7611static void
7612sctp_fill_outqueue(struct sctp_tcb *stcb,
7613    struct sctp_nets *net, int frag_point, int eeor_mode, int *quit_now, int so_locked
7614#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
7615    SCTP_UNUSED
7616#endif
7617)
7618{
7619	struct sctp_association *asoc;
7620	struct sctp_stream_out *strq;
7621	int goal_mtu, moved_how_much, total_moved = 0, bail = 0;
7622	int locked, giveup;
7623
7624	SCTP_TCB_LOCK_ASSERT(stcb);
7625	asoc = &stcb->asoc;
7626	switch (net->ro._l_addr.sa.sa_family) {
7627#ifdef INET
7628	case AF_INET:
7629		goal_mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
7630		break;
7631#endif
7632#ifdef INET6
7633	case AF_INET6:
7634		goal_mtu = net->mtu - SCTP_MIN_OVERHEAD;
7635		break;
7636#endif
7637	default:
7638		/* TSNH */
7639		goal_mtu = net->mtu;
7640		break;
7641	}
7642	/* Need an allowance for the data chunk header too */
7643	goal_mtu -= sizeof(struct sctp_data_chunk);
7644
7645	/* must make even word boundary */
7646	goal_mtu &= 0xfffffffc;
7647	if (asoc->locked_on_sending) {
7648		/* We are stuck on one stream until the message completes. */
7649		strq = asoc->locked_on_sending;
7650		locked = 1;
7651	} else {
7652		strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
7653		locked = 0;
7654	}
7655	while ((goal_mtu > 0) && strq) {
7656		giveup = 0;
7657		bail = 0;
7658		moved_how_much = sctp_move_to_outqueue(stcb, strq, goal_mtu, frag_point, &locked,
7659		    &giveup, eeor_mode, &bail, so_locked);
7660		if (moved_how_much)
7661			stcb->asoc.ss_functions.sctp_ss_scheduled(stcb, net, asoc, strq, moved_how_much);
7662
7663		if (locked) {
7664			asoc->locked_on_sending = strq;
7665			if ((moved_how_much == 0) || (giveup) || bail)
7666				/* no more to move for now */
7667				break;
7668		} else {
7669			asoc->locked_on_sending = NULL;
7670			if ((giveup) || bail) {
7671				break;
7672			}
7673			strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
7674			if (strq == NULL) {
7675				break;
7676			}
7677		}
7678		total_moved += moved_how_much;
7679		goal_mtu -= (moved_how_much + sizeof(struct sctp_data_chunk));
7680		goal_mtu &= 0xfffffffc;
7681	}
7682	if (bail)
7683		*quit_now = 1;
7684
7685	stcb->asoc.ss_functions.sctp_ss_packet_done(stcb, net, asoc);
7686
7687	if (total_moved == 0) {
7688		if ((stcb->asoc.sctp_cmt_on_off == 0) &&
7689		    (net == stcb->asoc.primary_destination)) {
7690			/* ran dry for primary network net */
7691			SCTP_STAT_INCR(sctps_primary_randry);
7692		} else if (stcb->asoc.sctp_cmt_on_off > 0) {
7693			/* ran dry with CMT on */
7694			SCTP_STAT_INCR(sctps_cmt_randry);
7695		}
7696	}
7697}
7698
7699void
7700sctp_fix_ecn_echo(struct sctp_association *asoc)
7701{
7702	struct sctp_tmit_chunk *chk;
7703
7704	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7705		if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
7706			chk->sent = SCTP_DATAGRAM_UNSENT;
7707		}
7708	}
7709}
7710
7711void
7712sctp_move_chunks_from_net(struct sctp_tcb *stcb, struct sctp_nets *net)
7713{
7714	struct sctp_association *asoc;
7715	struct sctp_tmit_chunk *chk;
7716	struct sctp_stream_queue_pending *sp;
7717	unsigned int i;
7718
7719	if (net == NULL) {
7720		return;
7721	}
7722	asoc = &stcb->asoc;
7723	for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
7724		TAILQ_FOREACH(sp, &stcb->asoc.strmout[i].outqueue, next) {
7725			if (sp->net == net) {
7726				sctp_free_remote_addr(sp->net);
7727				sp->net = NULL;
7728			}
7729		}
7730	}
7731	TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
7732		if (chk->whoTo == net) {
7733			sctp_free_remote_addr(chk->whoTo);
7734			chk->whoTo = NULL;
7735		}
7736	}
7737}
7738
7739int
7740sctp_med_chunk_output(struct sctp_inpcb *inp,
7741    struct sctp_tcb *stcb,
7742    struct sctp_association *asoc,
7743    int *num_out,
7744    int *reason_code,
7745    int control_only, int from_where,
7746    struct timeval *now, int *now_filled, int frag_point, int so_locked
7747#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
7748    SCTP_UNUSED
7749#endif
7750)
7751{
7752	/**
7753	 * Ok this is the generic chunk service queue. we must do the
7754	 * following: - Service the stream queue that is next, moving any
7755	 * message (note I must get a complete message i.e. FIRST/MIDDLE and
7756	 * LAST to the out queue in one pass) and assigning TSN's - Check to
7757	 * see if the cwnd/rwnd allows any output, if so we go ahead and
7758	 * fomulate and send the low level chunks. Making sure to combine
7759	 * any control in the control chunk queue also.
7760	 */
7761	struct sctp_nets *net, *start_at, *sack_goes_to = NULL, *old_start_at = NULL;
7762	struct mbuf *outchain, *endoutchain;
7763	struct sctp_tmit_chunk *chk, *nchk;
7764
7765	/* temp arrays for unlinking */
7766	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
7767	int no_fragmentflg, error;
7768	unsigned int max_rwnd_per_dest, max_send_per_dest;
7769	int one_chunk, hbflag, skip_data_for_this_net;
7770	int asconf, cookie, no_out_cnt;
7771	int bundle_at, ctl_cnt, no_data_chunks, eeor_mode;
7772	unsigned int mtu, r_mtu, omtu, mx_mtu, to_out;
7773	int tsns_sent = 0;
7774	uint32_t auth_offset = 0;
7775	struct sctp_auth_chunk *auth = NULL;
7776	uint16_t auth_keyid;
7777	int override_ok = 1;
7778	int skip_fill_up = 0;
7779	int data_auth_reqd = 0;
7780
7781	/*
7782	 * JRS 5/14/07 - Add flag for whether a heartbeat is sent to the
7783	 * destination.
7784	 */
7785	int quit_now = 0;
7786
7787	*num_out = 0;
7788	*reason_code = 0;
7789	auth_keyid = stcb->asoc.authinfo.active_keyid;
7790	if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
7791	    (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED) ||
7792	    (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
7793		eeor_mode = 1;
7794	} else {
7795		eeor_mode = 0;
7796	}
7797	ctl_cnt = no_out_cnt = asconf = cookie = 0;
7798	/*
7799	 * First lets prime the pump. For each destination, if there is room
7800	 * in the flight size, attempt to pull an MTU's worth out of the
7801	 * stream queues into the general send_queue
7802	 */
7803#ifdef SCTP_AUDITING_ENABLED
7804	sctp_audit_log(0xC2, 2);
7805#endif
7806	SCTP_TCB_LOCK_ASSERT(stcb);
7807	hbflag = 0;
7808	if (control_only)
7809		no_data_chunks = 1;
7810	else
7811		no_data_chunks = 0;
7812
7813	/* Nothing to possible to send? */
7814	if ((TAILQ_EMPTY(&asoc->control_send_queue) ||
7815	    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) &&
7816	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7817	    TAILQ_EMPTY(&asoc->send_queue) &&
7818	    stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
7819nothing_to_send:
7820		*reason_code = 9;
7821		return (0);
7822	}
7823	if (asoc->peers_rwnd == 0) {
7824		/* No room in peers rwnd */
7825		*reason_code = 1;
7826		if (asoc->total_flight > 0) {
7827			/* we are allowed one chunk in flight */
7828			no_data_chunks = 1;
7829		}
7830	}
7831	if (stcb->asoc.ecn_echo_cnt_onq) {
7832		/* Record where a sack goes, if any */
7833		if (no_data_chunks &&
7834		    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) {
7835			/* Nothing but ECNe to send - we don't do that */
7836			goto nothing_to_send;
7837		}
7838		TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7839			if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7840			    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
7841				sack_goes_to = chk->whoTo;
7842				break;
7843			}
7844		}
7845	}
7846	max_rwnd_per_dest = ((asoc->peers_rwnd + asoc->total_flight) / asoc->numnets);
7847	if (stcb->sctp_socket)
7848		max_send_per_dest = SCTP_SB_LIMIT_SND(stcb->sctp_socket) / asoc->numnets;
7849	else
7850		max_send_per_dest = 0;
7851	if (no_data_chunks == 0) {
7852		/* How many non-directed chunks are there? */
7853		TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
7854			if (chk->whoTo == NULL) {
7855				/*
7856				 * We already have non-directed chunks on
7857				 * the queue, no need to do a fill-up.
7858				 */
7859				skip_fill_up = 1;
7860				break;
7861			}
7862		}
7863
7864	}
7865	if ((no_data_chunks == 0) &&
7866	    (skip_fill_up == 0) &&
7867	    (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc))) {
7868		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
7869			/*
7870			 * This for loop we are in takes in each net, if
7871			 * its's got space in cwnd and has data sent to it
7872			 * (when CMT is off) then it calls
7873			 * sctp_fill_outqueue for the net. This gets data on
7874			 * the send queue for that network.
7875			 *
7876			 * In sctp_fill_outqueue TSN's are assigned and data is
7877			 * copied out of the stream buffers. Note mostly
7878			 * copy by reference (we hope).
7879			 */
7880			net->window_probe = 0;
7881			if ((net != stcb->asoc.alternate) &&
7882			    ((net->dest_state & SCTP_ADDR_PF) ||
7883			    (!(net->dest_state & SCTP_ADDR_REACHABLE)) ||
7884			    (net->dest_state & SCTP_ADDR_UNCONFIRMED))) {
7885				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7886					sctp_log_cwnd(stcb, net, 1,
7887					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7888				}
7889				continue;
7890			}
7891			if ((stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) &&
7892			    (net->flight_size == 0)) {
7893				(*stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) (stcb, net);
7894			}
7895			if (net->flight_size >= net->cwnd) {
7896				/* skip this network, no room - can't fill */
7897				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7898					sctp_log_cwnd(stcb, net, 3,
7899					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7900				}
7901				continue;
7902			}
7903			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7904				sctp_log_cwnd(stcb, net, 4, SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7905			}
7906			sctp_fill_outqueue(stcb, net, frag_point, eeor_mode, &quit_now, so_locked);
7907			if (quit_now) {
7908				/* memory alloc failure */
7909				no_data_chunks = 1;
7910				break;
7911			}
7912		}
7913	}
7914	/* now service each destination and send out what we can for it */
7915	/* Nothing to send? */
7916	if (TAILQ_EMPTY(&asoc->control_send_queue) &&
7917	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7918	    TAILQ_EMPTY(&asoc->send_queue)) {
7919		*reason_code = 8;
7920		return (0);
7921	}
7922	if (asoc->sctp_cmt_on_off > 0) {
7923		/* get the last start point */
7924		start_at = asoc->last_net_cmt_send_started;
7925		if (start_at == NULL) {
7926			/* null so to beginning */
7927			start_at = TAILQ_FIRST(&asoc->nets);
7928		} else {
7929			start_at = TAILQ_NEXT(asoc->last_net_cmt_send_started, sctp_next);
7930			if (start_at == NULL) {
7931				start_at = TAILQ_FIRST(&asoc->nets);
7932			}
7933		}
7934		asoc->last_net_cmt_send_started = start_at;
7935	} else {
7936		start_at = TAILQ_FIRST(&asoc->nets);
7937	}
7938	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7939		if (chk->whoTo == NULL) {
7940			if (asoc->alternate) {
7941				chk->whoTo = asoc->alternate;
7942			} else {
7943				chk->whoTo = asoc->primary_destination;
7944			}
7945			atomic_add_int(&chk->whoTo->ref_count, 1);
7946		}
7947	}
7948	old_start_at = NULL;
7949again_one_more_time:
7950	for (net = start_at; net != NULL; net = TAILQ_NEXT(net, sctp_next)) {
7951		/* how much can we send? */
7952		/* SCTPDBG("Examine for sending net:%x\n", (uint32_t)net); */
7953		if (old_start_at && (old_start_at == net)) {
7954			/* through list ocmpletely. */
7955			break;
7956		}
7957		tsns_sent = 0xa;
7958		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
7959		    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7960		    (net->flight_size >= net->cwnd)) {
7961			/*
7962			 * Nothing on control or asconf and flight is full,
7963			 * we can skip even in the CMT case.
7964			 */
7965			continue;
7966		}
7967		bundle_at = 0;
7968		endoutchain = outchain = NULL;
7969		no_fragmentflg = 1;
7970		one_chunk = 0;
7971		if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
7972			skip_data_for_this_net = 1;
7973		} else {
7974			skip_data_for_this_net = 0;
7975		}
7976		if ((net->ro.ro_rt) && (net->ro.ro_rt->rt_ifp)) {
7977			/*
7978			 * if we have a route and an ifp check to see if we
7979			 * have room to send to this guy
7980			 */
7981			struct ifnet *ifp;
7982
7983			ifp = net->ro.ro_rt->rt_ifp;
7984			if ((ifp->if_snd.ifq_len + 2) >= ifp->if_snd.ifq_maxlen) {
7985				SCTP_STAT_INCR(sctps_ifnomemqueued);
7986				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
7987					sctp_log_maxburst(stcb, net, ifp->if_snd.ifq_len, ifp->if_snd.ifq_maxlen, SCTP_MAX_IFP_APPLIED);
7988				}
7989				continue;
7990			}
7991		}
7992		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
7993#ifdef INET
7994		case AF_INET:
7995			mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
7996			break;
7997#endif
7998#ifdef INET6
7999		case AF_INET6:
8000			mtu = net->mtu - SCTP_MIN_OVERHEAD;
8001			break;
8002#endif
8003		default:
8004			/* TSNH */
8005			mtu = net->mtu;
8006			break;
8007		}
8008		mx_mtu = mtu;
8009		to_out = 0;
8010		if (mtu > asoc->peers_rwnd) {
8011			if (asoc->total_flight > 0) {
8012				/* We have a packet in flight somewhere */
8013				r_mtu = asoc->peers_rwnd;
8014			} else {
8015				/* We are always allowed to send one MTU out */
8016				one_chunk = 1;
8017				r_mtu = mtu;
8018			}
8019		} else {
8020			r_mtu = mtu;
8021		}
8022		error = 0;
8023		/************************/
8024		/* ASCONF transmission */
8025		/************************/
8026		/* Now first lets go through the asconf queue */
8027		TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
8028			if (chk->rec.chunk_id.id != SCTP_ASCONF) {
8029				continue;
8030			}
8031			if (chk->whoTo == NULL) {
8032				if (asoc->alternate == NULL) {
8033					if (asoc->primary_destination != net) {
8034						break;
8035					}
8036				} else {
8037					if (asoc->alternate != net) {
8038						break;
8039					}
8040				}
8041			} else {
8042				if (chk->whoTo != net) {
8043					break;
8044				}
8045			}
8046			if (chk->data == NULL) {
8047				break;
8048			}
8049			if (chk->sent != SCTP_DATAGRAM_UNSENT &&
8050			    chk->sent != SCTP_DATAGRAM_RESEND) {
8051				break;
8052			}
8053			/*
8054			 * if no AUTH is yet included and this chunk
8055			 * requires it, make sure to account for it.  We
8056			 * don't apply the size until the AUTH chunk is
8057			 * actually added below in case there is no room for
8058			 * this chunk. NOTE: we overload the use of "omtu"
8059			 * here
8060			 */
8061			if ((auth == NULL) &&
8062			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8063			    stcb->asoc.peer_auth_chunks)) {
8064				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8065			} else
8066				omtu = 0;
8067			/* Here we do NOT factor the r_mtu */
8068			if ((chk->send_size < (int)(mtu - omtu)) ||
8069			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8070				/*
8071				 * We probably should glom the mbuf chain
8072				 * from the chk->data for control but the
8073				 * problem is it becomes yet one more level
8074				 * of tracking to do if for some reason
8075				 * output fails. Then I have got to
8076				 * reconstruct the merged control chain.. el
8077				 * yucko.. for now we take the easy way and
8078				 * do the copy
8079				 */
8080				/*
8081				 * Add an AUTH chunk, if chunk requires it
8082				 * save the offset into the chain for AUTH
8083				 */
8084				if ((auth == NULL) &&
8085				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8086				    stcb->asoc.peer_auth_chunks))) {
8087					outchain = sctp_add_auth_chunk(outchain,
8088					    &endoutchain,
8089					    &auth,
8090					    &auth_offset,
8091					    stcb,
8092					    chk->rec.chunk_id.id);
8093					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8094				}
8095				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8096				    (int)chk->rec.chunk_id.can_take_data,
8097				    chk->send_size, chk->copy_by_ref);
8098				if (outchain == NULL) {
8099					*reason_code = 8;
8100					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8101					return (ENOMEM);
8102				}
8103				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8104				/* update our MTU size */
8105				if (mtu > (chk->send_size + omtu))
8106					mtu -= (chk->send_size + omtu);
8107				else
8108					mtu = 0;
8109				to_out += (chk->send_size + omtu);
8110				/* Do clear IP_DF ? */
8111				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8112					no_fragmentflg = 0;
8113				}
8114				if (chk->rec.chunk_id.can_take_data)
8115					chk->data = NULL;
8116				/*
8117				 * set hb flag since we can use these for
8118				 * RTO
8119				 */
8120				hbflag = 1;
8121				asconf = 1;
8122				/*
8123				 * should sysctl this: don't bundle data
8124				 * with ASCONF since it requires AUTH
8125				 */
8126				no_data_chunks = 1;
8127				chk->sent = SCTP_DATAGRAM_SENT;
8128				if (chk->whoTo == NULL) {
8129					chk->whoTo = net;
8130					atomic_add_int(&net->ref_count, 1);
8131				}
8132				chk->snd_count++;
8133				if (mtu == 0) {
8134					/*
8135					 * Ok we are out of room but we can
8136					 * output without effecting the
8137					 * flight size since this little guy
8138					 * is a control only packet.
8139					 */
8140					sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8141					/*
8142					 * do NOT clear the asconf flag as
8143					 * it is used to do appropriate
8144					 * source address selection.
8145					 */
8146					if (*now_filled == 0) {
8147						(void)SCTP_GETTIME_TIMEVAL(now);
8148						*now_filled = 1;
8149					}
8150					net->last_sent_time = *now;
8151					hbflag = 0;
8152					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8153					    (struct sockaddr *)&net->ro._l_addr,
8154					    outchain, auth_offset, auth,
8155					    stcb->asoc.authinfo.active_keyid,
8156					    no_fragmentflg, 0, asconf,
8157					    inp->sctp_lport, stcb->rport,
8158					    htonl(stcb->asoc.peer_vtag),
8159					    net->port, NULL,
8160					    0, 0,
8161					    so_locked))) {
8162						/*
8163						 * error, we could not
8164						 * output
8165						 */
8166						SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8167						if (from_where == 0) {
8168							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8169						}
8170						if (error == ENOBUFS) {
8171							asoc->ifp_had_enobuf = 1;
8172							SCTP_STAT_INCR(sctps_lowlevelerr);
8173						}
8174						/* error, could not output */
8175						if (error == EHOSTUNREACH) {
8176							/*
8177							 * Destination went
8178							 * unreachable
8179							 * during this send
8180							 */
8181							sctp_move_chunks_from_net(stcb, net);
8182						}
8183						*reason_code = 7;
8184						break;
8185					} else {
8186						asoc->ifp_had_enobuf = 0;
8187					}
8188					/*
8189					 * increase the number we sent, if a
8190					 * cookie is sent we don't tell them
8191					 * any was sent out.
8192					 */
8193					outchain = endoutchain = NULL;
8194					auth = NULL;
8195					auth_offset = 0;
8196					if (!no_out_cnt)
8197						*num_out += ctl_cnt;
8198					/* recalc a clean slate and setup */
8199					switch (net->ro._l_addr.sa.sa_family) {
8200#ifdef INET
8201					case AF_INET:
8202						mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8203						break;
8204#endif
8205#ifdef INET6
8206					case AF_INET6:
8207						mtu = net->mtu - SCTP_MIN_OVERHEAD;
8208						break;
8209#endif
8210					default:
8211						/* TSNH */
8212						mtu = net->mtu;
8213						break;
8214					}
8215					to_out = 0;
8216					no_fragmentflg = 1;
8217				}
8218			}
8219		}
8220		if (error != 0) {
8221			/* try next net */
8222			continue;
8223		}
8224		/************************/
8225		/* Control transmission */
8226		/************************/
8227		/* Now first lets go through the control queue */
8228		TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
8229			if ((sack_goes_to) &&
8230			    (chk->rec.chunk_id.id == SCTP_ECN_ECHO) &&
8231			    (chk->whoTo != sack_goes_to)) {
8232				/*
8233				 * if we have a sack in queue, and we are
8234				 * looking at an ecn echo that is NOT queued
8235				 * to where the sack is going..
8236				 */
8237				if (chk->whoTo == net) {
8238					/*
8239					 * Don't transmit it to where its
8240					 * going (current net)
8241					 */
8242					continue;
8243				} else if (sack_goes_to == net) {
8244					/*
8245					 * But do transmit it to this
8246					 * address
8247					 */
8248					goto skip_net_check;
8249				}
8250			}
8251			if (chk->whoTo == NULL) {
8252				if (asoc->alternate == NULL) {
8253					if (asoc->primary_destination != net) {
8254						continue;
8255					}
8256				} else {
8257					if (asoc->alternate != net) {
8258						continue;
8259					}
8260				}
8261			} else {
8262				if (chk->whoTo != net) {
8263					continue;
8264				}
8265			}
8266	skip_net_check:
8267			if (chk->data == NULL) {
8268				continue;
8269			}
8270			if (chk->sent != SCTP_DATAGRAM_UNSENT) {
8271				/*
8272				 * It must be unsent. Cookies and ASCONF's
8273				 * hang around but there timers will force
8274				 * when marked for resend.
8275				 */
8276				continue;
8277			}
8278			/*
8279			 * if no AUTH is yet included and this chunk
8280			 * requires it, make sure to account for it.  We
8281			 * don't apply the size until the AUTH chunk is
8282			 * actually added below in case there is no room for
8283			 * this chunk. NOTE: we overload the use of "omtu"
8284			 * here
8285			 */
8286			if ((auth == NULL) &&
8287			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8288			    stcb->asoc.peer_auth_chunks)) {
8289				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8290			} else
8291				omtu = 0;
8292			/* Here we do NOT factor the r_mtu */
8293			if ((chk->send_size <= (int)(mtu - omtu)) ||
8294			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8295				/*
8296				 * We probably should glom the mbuf chain
8297				 * from the chk->data for control but the
8298				 * problem is it becomes yet one more level
8299				 * of tracking to do if for some reason
8300				 * output fails. Then I have got to
8301				 * reconstruct the merged control chain.. el
8302				 * yucko.. for now we take the easy way and
8303				 * do the copy
8304				 */
8305				/*
8306				 * Add an AUTH chunk, if chunk requires it
8307				 * save the offset into the chain for AUTH
8308				 */
8309				if ((auth == NULL) &&
8310				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8311				    stcb->asoc.peer_auth_chunks))) {
8312					outchain = sctp_add_auth_chunk(outchain,
8313					    &endoutchain,
8314					    &auth,
8315					    &auth_offset,
8316					    stcb,
8317					    chk->rec.chunk_id.id);
8318					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8319				}
8320				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8321				    (int)chk->rec.chunk_id.can_take_data,
8322				    chk->send_size, chk->copy_by_ref);
8323				if (outchain == NULL) {
8324					*reason_code = 8;
8325					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8326					return (ENOMEM);
8327				}
8328				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8329				/* update our MTU size */
8330				if (mtu > (chk->send_size + omtu))
8331					mtu -= (chk->send_size + omtu);
8332				else
8333					mtu = 0;
8334				to_out += (chk->send_size + omtu);
8335				/* Do clear IP_DF ? */
8336				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8337					no_fragmentflg = 0;
8338				}
8339				if (chk->rec.chunk_id.can_take_data)
8340					chk->data = NULL;
8341				/* Mark things to be removed, if needed */
8342				if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8343				    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
8344				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
8345				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
8346				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
8347				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
8348				    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
8349				    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
8350				    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
8351				    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
8352				    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
8353					if (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) {
8354						hbflag = 1;
8355					}
8356					/* remove these chunks at the end */
8357					if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8358					    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
8359						/* turn off the timer */
8360						if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
8361							sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
8362							    inp, stcb, net,
8363							    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_1);
8364						}
8365					}
8366					ctl_cnt++;
8367				} else {
8368					/*
8369					 * Other chunks, since they have
8370					 * timers running (i.e. COOKIE) we
8371					 * just "trust" that it gets sent or
8372					 * retransmitted.
8373					 */
8374					ctl_cnt++;
8375					if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
8376						cookie = 1;
8377						no_out_cnt = 1;
8378					} else if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
8379						/*
8380						 * Increment ecne send count
8381						 * here this means we may be
8382						 * over-zealous in our
8383						 * counting if the send
8384						 * fails, but its the best
8385						 * place to do it (we used
8386						 * to do it in the queue of
8387						 * the chunk, but that did
8388						 * not tell how many times
8389						 * it was sent.
8390						 */
8391						SCTP_STAT_INCR(sctps_sendecne);
8392					}
8393					chk->sent = SCTP_DATAGRAM_SENT;
8394					if (chk->whoTo == NULL) {
8395						chk->whoTo = net;
8396						atomic_add_int(&net->ref_count, 1);
8397					}
8398					chk->snd_count++;
8399				}
8400				if (mtu == 0) {
8401					/*
8402					 * Ok we are out of room but we can
8403					 * output without effecting the
8404					 * flight size since this little guy
8405					 * is a control only packet.
8406					 */
8407					if (asconf) {
8408						sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8409						/*
8410						 * do NOT clear the asconf
8411						 * flag as it is used to do
8412						 * appropriate source
8413						 * address selection.
8414						 */
8415					}
8416					if (cookie) {
8417						sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8418						cookie = 0;
8419					}
8420					/* Only HB or ASCONF advances time */
8421					if (hbflag) {
8422						if (*now_filled == 0) {
8423							(void)SCTP_GETTIME_TIMEVAL(now);
8424							*now_filled = 1;
8425						}
8426						net->last_sent_time = *now;
8427						hbflag = 0;
8428					}
8429					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8430					    (struct sockaddr *)&net->ro._l_addr,
8431					    outchain,
8432					    auth_offset, auth,
8433					    stcb->asoc.authinfo.active_keyid,
8434					    no_fragmentflg, 0, asconf,
8435					    inp->sctp_lport, stcb->rport,
8436					    htonl(stcb->asoc.peer_vtag),
8437					    net->port, NULL,
8438					    0, 0,
8439					    so_locked))) {
8440						/*
8441						 * error, we could not
8442						 * output
8443						 */
8444						SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8445						if (from_where == 0) {
8446							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8447						}
8448						if (error == ENOBUFS) {
8449							asoc->ifp_had_enobuf = 1;
8450							SCTP_STAT_INCR(sctps_lowlevelerr);
8451						}
8452						if (error == EHOSTUNREACH) {
8453							/*
8454							 * Destination went
8455							 * unreachable
8456							 * during this send
8457							 */
8458							sctp_move_chunks_from_net(stcb, net);
8459						}
8460						*reason_code = 7;
8461						break;
8462					} else {
8463						asoc->ifp_had_enobuf = 0;
8464					}
8465					/*
8466					 * increase the number we sent, if a
8467					 * cookie is sent we don't tell them
8468					 * any was sent out.
8469					 */
8470					outchain = endoutchain = NULL;
8471					auth = NULL;
8472					auth_offset = 0;
8473					if (!no_out_cnt)
8474						*num_out += ctl_cnt;
8475					/* recalc a clean slate and setup */
8476					switch (net->ro._l_addr.sa.sa_family) {
8477#ifdef INET
8478					case AF_INET:
8479						mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8480						break;
8481#endif
8482#ifdef INET6
8483					case AF_INET6:
8484						mtu = net->mtu - SCTP_MIN_OVERHEAD;
8485						break;
8486#endif
8487					default:
8488						/* TSNH */
8489						mtu = net->mtu;
8490						break;
8491					}
8492					to_out = 0;
8493					no_fragmentflg = 1;
8494				}
8495			}
8496		}
8497		if (error != 0) {
8498			/* try next net */
8499			continue;
8500		}
8501		/* JRI: if dest is in PF state, do not send data to it */
8502		if ((asoc->sctp_cmt_on_off > 0) &&
8503		    (net != stcb->asoc.alternate) &&
8504		    (net->dest_state & SCTP_ADDR_PF)) {
8505			goto no_data_fill;
8506		}
8507		if (net->flight_size >= net->cwnd) {
8508			goto no_data_fill;
8509		}
8510		if ((asoc->sctp_cmt_on_off > 0) &&
8511		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_RECV_BUFFER_SPLITTING) &&
8512		    (net->flight_size > max_rwnd_per_dest)) {
8513			goto no_data_fill;
8514		}
8515		/*
8516		 * We need a specific accounting for the usage of the send
8517		 * buffer. We also need to check the number of messages per
8518		 * net. For now, this is better than nothing and it disabled
8519		 * by default...
8520		 */
8521		if ((asoc->sctp_cmt_on_off > 0) &&
8522		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_SEND_BUFFER_SPLITTING) &&
8523		    (max_send_per_dest > 0) &&
8524		    (net->flight_size > max_send_per_dest)) {
8525			goto no_data_fill;
8526		}
8527		/*********************/
8528		/* Data transmission */
8529		/*********************/
8530		/*
8531		 * if AUTH for DATA is required and no AUTH has been added
8532		 * yet, account for this in the mtu now... if no data can be
8533		 * bundled, this adjustment won't matter anyways since the
8534		 * packet will be going out...
8535		 */
8536		data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA,
8537		    stcb->asoc.peer_auth_chunks);
8538		if (data_auth_reqd && (auth == NULL)) {
8539			mtu -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8540		}
8541		/* now lets add any data within the MTU constraints */
8542		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
8543#ifdef INET
8544		case AF_INET:
8545			if (net->mtu > SCTP_MIN_V4_OVERHEAD)
8546				omtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8547			else
8548				omtu = 0;
8549			break;
8550#endif
8551#ifdef INET6
8552		case AF_INET6:
8553			if (net->mtu > SCTP_MIN_OVERHEAD)
8554				omtu = net->mtu - SCTP_MIN_OVERHEAD;
8555			else
8556				omtu = 0;
8557			break;
8558#endif
8559		default:
8560			/* TSNH */
8561			omtu = 0;
8562			break;
8563		}
8564		if ((((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
8565		    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) &&
8566		    (skip_data_for_this_net == 0)) ||
8567		    (cookie)) {
8568			TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
8569				if (no_data_chunks) {
8570					/* let only control go out */
8571					*reason_code = 1;
8572					break;
8573				}
8574				if (net->flight_size >= net->cwnd) {
8575					/* skip this net, no room for data */
8576					*reason_code = 2;
8577					break;
8578				}
8579				if ((chk->whoTo != NULL) &&
8580				    (chk->whoTo != net)) {
8581					/* Don't send the chunk on this net */
8582					continue;
8583				}
8584				if (asoc->sctp_cmt_on_off == 0) {
8585					if ((asoc->alternate) &&
8586					    (asoc->alternate != net) &&
8587					    (chk->whoTo == NULL)) {
8588						continue;
8589					} else if ((net != asoc->primary_destination) &&
8590						    (asoc->alternate == NULL) &&
8591					    (chk->whoTo == NULL)) {
8592						continue;
8593					}
8594				}
8595				if ((chk->send_size > omtu) && ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) == 0)) {
8596					/*-
8597					 * strange, we have a chunk that is
8598					 * to big for its destination and
8599					 * yet no fragment ok flag.
8600					 * Something went wrong when the
8601					 * PMTU changed...we did not mark
8602					 * this chunk for some reason?? I
8603					 * will fix it here by letting IP
8604					 * fragment it for now and printing
8605					 * a warning. This really should not
8606					 * happen ...
8607					 */
8608					SCTP_PRINTF("Warning chunk of %d bytes > mtu:%d and yet PMTU disc missed\n",
8609					    chk->send_size, mtu);
8610					chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;
8611				}
8612				if (SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) &&
8613				    ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) == SCTP_STATE_SHUTDOWN_PENDING)) {
8614					struct sctp_data_chunk *dchkh;
8615
8616					dchkh = mtod(chk->data, struct sctp_data_chunk *);
8617					dchkh->ch.chunk_flags |= SCTP_DATA_SACK_IMMEDIATELY;
8618				}
8619				if (((chk->send_size <= mtu) && (chk->send_size <= r_mtu)) ||
8620				    ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) && (chk->send_size <= asoc->peers_rwnd))) {
8621					/* ok we will add this one */
8622
8623					/*
8624					 * Add an AUTH chunk, if chunk
8625					 * requires it, save the offset into
8626					 * the chain for AUTH
8627					 */
8628					if (data_auth_reqd) {
8629						if (auth == NULL) {
8630							outchain = sctp_add_auth_chunk(outchain,
8631							    &endoutchain,
8632							    &auth,
8633							    &auth_offset,
8634							    stcb,
8635							    SCTP_DATA);
8636							auth_keyid = chk->auth_keyid;
8637							override_ok = 0;
8638							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8639						} else if (override_ok) {
8640							/*
8641							 * use this data's
8642							 * keyid
8643							 */
8644							auth_keyid = chk->auth_keyid;
8645							override_ok = 0;
8646						} else if (auth_keyid != chk->auth_keyid) {
8647							/*
8648							 * different keyid,
8649							 * so done bundling
8650							 */
8651							break;
8652						}
8653					}
8654					outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain, 0,
8655					    chk->send_size, chk->copy_by_ref);
8656					if (outchain == NULL) {
8657						SCTPDBG(SCTP_DEBUG_OUTPUT3, "No memory?\n");
8658						if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
8659							sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8660						}
8661						*reason_code = 3;
8662						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8663						return (ENOMEM);
8664					}
8665					/* upate our MTU size */
8666					/* Do clear IP_DF ? */
8667					if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8668						no_fragmentflg = 0;
8669					}
8670					/* unsigned subtraction of mtu */
8671					if (mtu > chk->send_size)
8672						mtu -= chk->send_size;
8673					else
8674						mtu = 0;
8675					/* unsigned subtraction of r_mtu */
8676					if (r_mtu > chk->send_size)
8677						r_mtu -= chk->send_size;
8678					else
8679						r_mtu = 0;
8680
8681					to_out += chk->send_size;
8682					if ((to_out > mx_mtu) && no_fragmentflg) {
8683#ifdef INVARIANTS
8684						panic("Exceeding mtu of %d out size is %d", mx_mtu, to_out);
8685#else
8686						SCTP_PRINTF("Exceeding mtu of %d out size is %d\n",
8687						    mx_mtu, to_out);
8688#endif
8689					}
8690					chk->window_probe = 0;
8691					data_list[bundle_at++] = chk;
8692					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
8693						break;
8694					}
8695					if (chk->sent == SCTP_DATAGRAM_UNSENT) {
8696						if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0) {
8697							SCTP_STAT_INCR_COUNTER64(sctps_outorderchunks);
8698						} else {
8699							SCTP_STAT_INCR_COUNTER64(sctps_outunorderchunks);
8700						}
8701						if (((chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) == SCTP_DATA_LAST_FRAG) &&
8702						    ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0))
8703							/*
8704							 * Count number of
8705							 * user msg's that
8706							 * were fragmented
8707							 * we do this by
8708							 * counting when we
8709							 * see a LAST
8710							 * fragment only.
8711							 */
8712							SCTP_STAT_INCR_COUNTER64(sctps_fragusrmsgs);
8713					}
8714					if ((mtu == 0) || (r_mtu == 0) || (one_chunk)) {
8715						if ((one_chunk) && (stcb->asoc.total_flight == 0)) {
8716							data_list[0]->window_probe = 1;
8717							net->window_probe = 1;
8718						}
8719						break;
8720					}
8721				} else {
8722					/*
8723					 * Must be sent in order of the
8724					 * TSN's (on a network)
8725					 */
8726					break;
8727				}
8728			}	/* for (chunk gather loop for this net) */
8729		}		/* if asoc.state OPEN */
8730no_data_fill:
8731		/* Is there something to send for this destination? */
8732		if (outchain) {
8733			/* We may need to start a control timer or two */
8734			if (asconf) {
8735				sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp,
8736				    stcb, net);
8737				/*
8738				 * do NOT clear the asconf flag as it is
8739				 * used to do appropriate source address
8740				 * selection.
8741				 */
8742			}
8743			if (cookie) {
8744				sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8745				cookie = 0;
8746			}
8747			/* must start a send timer if data is being sent */
8748			if (bundle_at && (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer))) {
8749				/*
8750				 * no timer running on this destination
8751				 * restart it.
8752				 */
8753				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8754			}
8755			if (bundle_at || hbflag) {
8756				/* For data/asconf and hb set time */
8757				if (*now_filled == 0) {
8758					(void)SCTP_GETTIME_TIMEVAL(now);
8759					*now_filled = 1;
8760				}
8761				net->last_sent_time = *now;
8762			}
8763			/* Now send it, if there is anything to send :> */
8764			if ((error = sctp_lowlevel_chunk_output(inp,
8765			    stcb,
8766			    net,
8767			    (struct sockaddr *)&net->ro._l_addr,
8768			    outchain,
8769			    auth_offset,
8770			    auth,
8771			    auth_keyid,
8772			    no_fragmentflg,
8773			    bundle_at,
8774			    asconf,
8775			    inp->sctp_lport, stcb->rport,
8776			    htonl(stcb->asoc.peer_vtag),
8777			    net->port, NULL,
8778			    0, 0,
8779			    so_locked))) {
8780				/* error, we could not output */
8781				SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8782				if (from_where == 0) {
8783					SCTP_STAT_INCR(sctps_lowlevelerrusr);
8784				}
8785				if (error == ENOBUFS) {
8786					SCTP_STAT_INCR(sctps_lowlevelerr);
8787					asoc->ifp_had_enobuf = 1;
8788				}
8789				if (error == EHOSTUNREACH) {
8790					/*
8791					 * Destination went unreachable
8792					 * during this send
8793					 */
8794					sctp_move_chunks_from_net(stcb, net);
8795				}
8796				*reason_code = 6;
8797				/*-
8798				 * I add this line to be paranoid. As far as
8799				 * I can tell the continue, takes us back to
8800				 * the top of the for, but just to make sure
8801				 * I will reset these again here.
8802				 */
8803				ctl_cnt = bundle_at = 0;
8804				continue;	/* This takes us back to the
8805						 * for() for the nets. */
8806			} else {
8807				asoc->ifp_had_enobuf = 0;
8808			}
8809			endoutchain = NULL;
8810			auth = NULL;
8811			auth_offset = 0;
8812			if (!no_out_cnt) {
8813				*num_out += (ctl_cnt + bundle_at);
8814			}
8815			if (bundle_at) {
8816				/* setup for a RTO measurement */
8817				tsns_sent = data_list[0]->rec.data.TSN_seq;
8818				/* fill time if not already filled */
8819				if (*now_filled == 0) {
8820					(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
8821					*now_filled = 1;
8822					*now = asoc->time_last_sent;
8823				} else {
8824					asoc->time_last_sent = *now;
8825				}
8826				if (net->rto_needed) {
8827					data_list[0]->do_rtt = 1;
8828					net->rto_needed = 0;
8829				}
8830				SCTP_STAT_INCR_BY(sctps_senddata, bundle_at);
8831				sctp_clean_up_datalist(stcb, asoc, data_list, bundle_at, net);
8832			}
8833			if (one_chunk) {
8834				break;
8835			}
8836		}
8837		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8838			sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_SEND);
8839		}
8840	}
8841	if (old_start_at == NULL) {
8842		old_start_at = start_at;
8843		start_at = TAILQ_FIRST(&asoc->nets);
8844		if (old_start_at)
8845			goto again_one_more_time;
8846	}
8847	/*
8848	 * At the end there should be no NON timed chunks hanging on this
8849	 * queue.
8850	 */
8851	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8852		sctp_log_cwnd(stcb, net, *num_out, SCTP_CWND_LOG_FROM_SEND);
8853	}
8854	if ((*num_out == 0) && (*reason_code == 0)) {
8855		*reason_code = 4;
8856	} else {
8857		*reason_code = 5;
8858	}
8859	sctp_clean_up_ctl(stcb, asoc, so_locked);
8860	return (0);
8861}
8862
8863void
8864sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *op_err)
8865{
8866	/*-
8867	 * Prepend a OPERATIONAL_ERROR chunk header and put on the end of
8868	 * the control chunk queue.
8869	 */
8870	struct sctp_chunkhdr *hdr;
8871	struct sctp_tmit_chunk *chk;
8872	struct mbuf *mat, *last_mbuf;
8873	uint32_t chunk_length;
8874	uint16_t padding_length;
8875
8876	SCTP_TCB_LOCK_ASSERT(stcb);
8877	SCTP_BUF_PREPEND(op_err, sizeof(struct sctp_chunkhdr), M_NOWAIT);
8878	if (op_err == NULL) {
8879		return;
8880	}
8881	last_mbuf = NULL;
8882	chunk_length = 0;
8883	for (mat = op_err; mat != NULL; mat = SCTP_BUF_NEXT(mat)) {
8884		chunk_length += SCTP_BUF_LEN(mat);
8885		if (SCTP_BUF_NEXT(mat) == NULL) {
8886			last_mbuf = mat;
8887		}
8888	}
8889	if (chunk_length > SCTP_MAX_CHUNK_LENGTH) {
8890		sctp_m_freem(op_err);
8891		return;
8892	}
8893	padding_length = chunk_length % 4;
8894	if (padding_length != 0) {
8895		padding_length = 4 - padding_length;
8896	}
8897	if (padding_length != 0) {
8898		if (sctp_add_pad_tombuf(last_mbuf, padding_length) == NULL) {
8899			sctp_m_freem(op_err);
8900			return;
8901		}
8902	}
8903	sctp_alloc_a_chunk(stcb, chk);
8904	if (chk == NULL) {
8905		/* no memory */
8906		sctp_m_freem(op_err);
8907		return;
8908	}
8909	chk->copy_by_ref = 0;
8910	chk->send_size = (uint16_t) chunk_length;
8911	chk->sent = SCTP_DATAGRAM_UNSENT;
8912	chk->snd_count = 0;
8913	chk->asoc = &stcb->asoc;
8914	chk->data = op_err;
8915	chk->whoTo = NULL;
8916	hdr = mtod(op_err, struct sctp_chunkhdr *);
8917	hdr->chunk_type = SCTP_OPERATION_ERROR;
8918	hdr->chunk_flags = 0;
8919	hdr->chunk_length = htons(chk->send_size);
8920	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8921	chk->asoc->ctrl_queue_cnt++;
8922}
8923
8924int
8925sctp_send_cookie_echo(struct mbuf *m,
8926    int offset,
8927    struct sctp_tcb *stcb,
8928    struct sctp_nets *net)
8929{
8930	/*-
8931	 * pull out the cookie and put it at the front of the control chunk
8932	 * queue.
8933	 */
8934	int at;
8935	struct mbuf *cookie;
8936	struct sctp_paramhdr parm, *phdr;
8937	struct sctp_chunkhdr *hdr;
8938	struct sctp_tmit_chunk *chk;
8939	uint16_t ptype, plen;
8940
8941	SCTP_TCB_LOCK_ASSERT(stcb);
8942	/* First find the cookie in the param area */
8943	cookie = NULL;
8944	at = offset + sizeof(struct sctp_init_chunk);
8945	for (;;) {
8946		phdr = sctp_get_next_param(m, at, &parm, sizeof(parm));
8947		if (phdr == NULL) {
8948			return (-3);
8949		}
8950		ptype = ntohs(phdr->param_type);
8951		plen = ntohs(phdr->param_length);
8952		if (ptype == SCTP_STATE_COOKIE) {
8953			int pad;
8954
8955			/* found the cookie */
8956			if ((pad = (plen % 4))) {
8957				plen += 4 - pad;
8958			}
8959			cookie = SCTP_M_COPYM(m, at, plen, M_NOWAIT);
8960			if (cookie == NULL) {
8961				/* No memory */
8962				return (-2);
8963			}
8964#ifdef SCTP_MBUF_LOGGING
8965			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
8966				sctp_log_mbc(cookie, SCTP_MBUF_ICOPY);
8967			}
8968#endif
8969			break;
8970		}
8971		at += SCTP_SIZE32(plen);
8972	}
8973	/* ok, we got the cookie lets change it into a cookie echo chunk */
8974	/* first the change from param to cookie */
8975	hdr = mtod(cookie, struct sctp_chunkhdr *);
8976	hdr->chunk_type = SCTP_COOKIE_ECHO;
8977	hdr->chunk_flags = 0;
8978	/* get the chunk stuff now and place it in the FRONT of the queue */
8979	sctp_alloc_a_chunk(stcb, chk);
8980	if (chk == NULL) {
8981		/* no memory */
8982		sctp_m_freem(cookie);
8983		return (-5);
8984	}
8985	chk->copy_by_ref = 0;
8986	chk->rec.chunk_id.id = SCTP_COOKIE_ECHO;
8987	chk->rec.chunk_id.can_take_data = 0;
8988	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
8989	chk->send_size = plen;
8990	chk->sent = SCTP_DATAGRAM_UNSENT;
8991	chk->snd_count = 0;
8992	chk->asoc = &stcb->asoc;
8993	chk->data = cookie;
8994	chk->whoTo = net;
8995	atomic_add_int(&chk->whoTo->ref_count, 1);
8996	TAILQ_INSERT_HEAD(&chk->asoc->control_send_queue, chk, sctp_next);
8997	chk->asoc->ctrl_queue_cnt++;
8998	return (0);
8999}
9000
9001void
9002sctp_send_heartbeat_ack(struct sctp_tcb *stcb,
9003    struct mbuf *m,
9004    int offset,
9005    int chk_length,
9006    struct sctp_nets *net)
9007{
9008	/*
9009	 * take a HB request and make it into a HB ack and send it.
9010	 */
9011	struct mbuf *outchain;
9012	struct sctp_chunkhdr *chdr;
9013	struct sctp_tmit_chunk *chk;
9014
9015
9016	if (net == NULL)
9017		/* must have a net pointer */
9018		return;
9019
9020	outchain = SCTP_M_COPYM(m, offset, chk_length, M_NOWAIT);
9021	if (outchain == NULL) {
9022		/* gak out of memory */
9023		return;
9024	}
9025#ifdef SCTP_MBUF_LOGGING
9026	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9027		sctp_log_mbc(outchain, SCTP_MBUF_ICOPY);
9028	}
9029#endif
9030	chdr = mtod(outchain, struct sctp_chunkhdr *);
9031	chdr->chunk_type = SCTP_HEARTBEAT_ACK;
9032	chdr->chunk_flags = 0;
9033	if (chk_length % 4) {
9034		/* need pad */
9035		uint32_t cpthis = 0;
9036		int padlen;
9037
9038		padlen = 4 - (chk_length % 4);
9039		m_copyback(outchain, chk_length, padlen, (caddr_t)&cpthis);
9040	}
9041	sctp_alloc_a_chunk(stcb, chk);
9042	if (chk == NULL) {
9043		/* no memory */
9044		sctp_m_freem(outchain);
9045		return;
9046	}
9047	chk->copy_by_ref = 0;
9048	chk->rec.chunk_id.id = SCTP_HEARTBEAT_ACK;
9049	chk->rec.chunk_id.can_take_data = 1;
9050	chk->flags = 0;
9051	chk->send_size = chk_length;
9052	chk->sent = SCTP_DATAGRAM_UNSENT;
9053	chk->snd_count = 0;
9054	chk->asoc = &stcb->asoc;
9055	chk->data = outchain;
9056	chk->whoTo = net;
9057	atomic_add_int(&chk->whoTo->ref_count, 1);
9058	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9059	chk->asoc->ctrl_queue_cnt++;
9060}
9061
9062void
9063sctp_send_cookie_ack(struct sctp_tcb *stcb)
9064{
9065	/* formulate and queue a cookie-ack back to sender */
9066	struct mbuf *cookie_ack;
9067	struct sctp_chunkhdr *hdr;
9068	struct sctp_tmit_chunk *chk;
9069
9070	SCTP_TCB_LOCK_ASSERT(stcb);
9071
9072	cookie_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
9073	if (cookie_ack == NULL) {
9074		/* no mbuf's */
9075		return;
9076	}
9077	SCTP_BUF_RESV_UF(cookie_ack, SCTP_MIN_OVERHEAD);
9078	sctp_alloc_a_chunk(stcb, chk);
9079	if (chk == NULL) {
9080		/* no memory */
9081		sctp_m_freem(cookie_ack);
9082		return;
9083	}
9084	chk->copy_by_ref = 0;
9085	chk->rec.chunk_id.id = SCTP_COOKIE_ACK;
9086	chk->rec.chunk_id.can_take_data = 1;
9087	chk->flags = 0;
9088	chk->send_size = sizeof(struct sctp_chunkhdr);
9089	chk->sent = SCTP_DATAGRAM_UNSENT;
9090	chk->snd_count = 0;
9091	chk->asoc = &stcb->asoc;
9092	chk->data = cookie_ack;
9093	if (chk->asoc->last_control_chunk_from != NULL) {
9094		chk->whoTo = chk->asoc->last_control_chunk_from;
9095		atomic_add_int(&chk->whoTo->ref_count, 1);
9096	} else {
9097		chk->whoTo = NULL;
9098	}
9099	hdr = mtod(cookie_ack, struct sctp_chunkhdr *);
9100	hdr->chunk_type = SCTP_COOKIE_ACK;
9101	hdr->chunk_flags = 0;
9102	hdr->chunk_length = htons(chk->send_size);
9103	SCTP_BUF_LEN(cookie_ack) = chk->send_size;
9104	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9105	chk->asoc->ctrl_queue_cnt++;
9106	return;
9107}
9108
9109
9110void
9111sctp_send_shutdown_ack(struct sctp_tcb *stcb, struct sctp_nets *net)
9112{
9113	/* formulate and queue a SHUTDOWN-ACK back to the sender */
9114	struct mbuf *m_shutdown_ack;
9115	struct sctp_shutdown_ack_chunk *ack_cp;
9116	struct sctp_tmit_chunk *chk;
9117
9118	m_shutdown_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_ack_chunk), 0, M_NOWAIT, 1, MT_HEADER);
9119	if (m_shutdown_ack == NULL) {
9120		/* no mbuf's */
9121		return;
9122	}
9123	SCTP_BUF_RESV_UF(m_shutdown_ack, SCTP_MIN_OVERHEAD);
9124	sctp_alloc_a_chunk(stcb, chk);
9125	if (chk == NULL) {
9126		/* no memory */
9127		sctp_m_freem(m_shutdown_ack);
9128		return;
9129	}
9130	chk->copy_by_ref = 0;
9131	chk->rec.chunk_id.id = SCTP_SHUTDOWN_ACK;
9132	chk->rec.chunk_id.can_take_data = 1;
9133	chk->flags = 0;
9134	chk->send_size = sizeof(struct sctp_chunkhdr);
9135	chk->sent = SCTP_DATAGRAM_UNSENT;
9136	chk->snd_count = 0;
9137	chk->flags = 0;
9138	chk->asoc = &stcb->asoc;
9139	chk->data = m_shutdown_ack;
9140	chk->whoTo = net;
9141	if (chk->whoTo) {
9142		atomic_add_int(&chk->whoTo->ref_count, 1);
9143	}
9144	ack_cp = mtod(m_shutdown_ack, struct sctp_shutdown_ack_chunk *);
9145	ack_cp->ch.chunk_type = SCTP_SHUTDOWN_ACK;
9146	ack_cp->ch.chunk_flags = 0;
9147	ack_cp->ch.chunk_length = htons(chk->send_size);
9148	SCTP_BUF_LEN(m_shutdown_ack) = chk->send_size;
9149	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9150	chk->asoc->ctrl_queue_cnt++;
9151	return;
9152}
9153
9154void
9155sctp_send_shutdown(struct sctp_tcb *stcb, struct sctp_nets *net)
9156{
9157	/* formulate and queue a SHUTDOWN to the sender */
9158	struct mbuf *m_shutdown;
9159	struct sctp_shutdown_chunk *shutdown_cp;
9160	struct sctp_tmit_chunk *chk;
9161
9162	m_shutdown = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_chunk), 0, M_NOWAIT, 1, MT_HEADER);
9163	if (m_shutdown == NULL) {
9164		/* no mbuf's */
9165		return;
9166	}
9167	SCTP_BUF_RESV_UF(m_shutdown, SCTP_MIN_OVERHEAD);
9168	sctp_alloc_a_chunk(stcb, chk);
9169	if (chk == NULL) {
9170		/* no memory */
9171		sctp_m_freem(m_shutdown);
9172		return;
9173	}
9174	chk->copy_by_ref = 0;
9175	chk->rec.chunk_id.id = SCTP_SHUTDOWN;
9176	chk->rec.chunk_id.can_take_data = 1;
9177	chk->flags = 0;
9178	chk->send_size = sizeof(struct sctp_shutdown_chunk);
9179	chk->sent = SCTP_DATAGRAM_UNSENT;
9180	chk->snd_count = 0;
9181	chk->flags = 0;
9182	chk->asoc = &stcb->asoc;
9183	chk->data = m_shutdown;
9184	chk->whoTo = net;
9185	if (chk->whoTo) {
9186		atomic_add_int(&chk->whoTo->ref_count, 1);
9187	}
9188	shutdown_cp = mtod(m_shutdown, struct sctp_shutdown_chunk *);
9189	shutdown_cp->ch.chunk_type = SCTP_SHUTDOWN;
9190	shutdown_cp->ch.chunk_flags = 0;
9191	shutdown_cp->ch.chunk_length = htons(chk->send_size);
9192	shutdown_cp->cumulative_tsn_ack = htonl(stcb->asoc.cumulative_tsn);
9193	SCTP_BUF_LEN(m_shutdown) = chk->send_size;
9194	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9195	chk->asoc->ctrl_queue_cnt++;
9196	return;
9197}
9198
9199void
9200sctp_send_asconf(struct sctp_tcb *stcb, struct sctp_nets *net, int addr_locked)
9201{
9202	/*
9203	 * formulate and queue an ASCONF to the peer. ASCONF parameters
9204	 * should be queued on the assoc queue.
9205	 */
9206	struct sctp_tmit_chunk *chk;
9207	struct mbuf *m_asconf;
9208	int len;
9209
9210	SCTP_TCB_LOCK_ASSERT(stcb);
9211
9212	if ((!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue)) &&
9213	    (!sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_MULTIPLE_ASCONFS))) {
9214		/* can't send a new one if there is one in flight already */
9215		return;
9216	}
9217	/* compose an ASCONF chunk, maximum length is PMTU */
9218	m_asconf = sctp_compose_asconf(stcb, &len, addr_locked);
9219	if (m_asconf == NULL) {
9220		return;
9221	}
9222	sctp_alloc_a_chunk(stcb, chk);
9223	if (chk == NULL) {
9224		/* no memory */
9225		sctp_m_freem(m_asconf);
9226		return;
9227	}
9228	chk->copy_by_ref = 0;
9229	chk->rec.chunk_id.id = SCTP_ASCONF;
9230	chk->rec.chunk_id.can_take_data = 0;
9231	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9232	chk->data = m_asconf;
9233	chk->send_size = len;
9234	chk->sent = SCTP_DATAGRAM_UNSENT;
9235	chk->snd_count = 0;
9236	chk->asoc = &stcb->asoc;
9237	chk->whoTo = net;
9238	if (chk->whoTo) {
9239		atomic_add_int(&chk->whoTo->ref_count, 1);
9240	}
9241	TAILQ_INSERT_TAIL(&chk->asoc->asconf_send_queue, chk, sctp_next);
9242	chk->asoc->ctrl_queue_cnt++;
9243	return;
9244}
9245
9246void
9247sctp_send_asconf_ack(struct sctp_tcb *stcb)
9248{
9249	/*
9250	 * formulate and queue a asconf-ack back to sender. the asconf-ack
9251	 * must be stored in the tcb.
9252	 */
9253	struct sctp_tmit_chunk *chk;
9254	struct sctp_asconf_ack *ack, *latest_ack;
9255	struct mbuf *m_ack;
9256	struct sctp_nets *net = NULL;
9257
9258	SCTP_TCB_LOCK_ASSERT(stcb);
9259	/* Get the latest ASCONF-ACK */
9260	latest_ack = TAILQ_LAST(&stcb->asoc.asconf_ack_sent, sctp_asconf_ackhead);
9261	if (latest_ack == NULL) {
9262		return;
9263	}
9264	if (latest_ack->last_sent_to != NULL &&
9265	    latest_ack->last_sent_to == stcb->asoc.last_control_chunk_from) {
9266		/* we're doing a retransmission */
9267		net = sctp_find_alternate_net(stcb, stcb->asoc.last_control_chunk_from, 0);
9268		if (net == NULL) {
9269			/* no alternate */
9270			if (stcb->asoc.last_control_chunk_from == NULL) {
9271				if (stcb->asoc.alternate) {
9272					net = stcb->asoc.alternate;
9273				} else {
9274					net = stcb->asoc.primary_destination;
9275				}
9276			} else {
9277				net = stcb->asoc.last_control_chunk_from;
9278			}
9279		}
9280	} else {
9281		/* normal case */
9282		if (stcb->asoc.last_control_chunk_from == NULL) {
9283			if (stcb->asoc.alternate) {
9284				net = stcb->asoc.alternate;
9285			} else {
9286				net = stcb->asoc.primary_destination;
9287			}
9288		} else {
9289			net = stcb->asoc.last_control_chunk_from;
9290		}
9291	}
9292	latest_ack->last_sent_to = net;
9293
9294	TAILQ_FOREACH(ack, &stcb->asoc.asconf_ack_sent, next) {
9295		if (ack->data == NULL) {
9296			continue;
9297		}
9298		/* copy the asconf_ack */
9299		m_ack = SCTP_M_COPYM(ack->data, 0, M_COPYALL, M_NOWAIT);
9300		if (m_ack == NULL) {
9301			/* couldn't copy it */
9302			return;
9303		}
9304#ifdef SCTP_MBUF_LOGGING
9305		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
9306			sctp_log_mbc(m_ack, SCTP_MBUF_ICOPY);
9307		}
9308#endif
9309
9310		sctp_alloc_a_chunk(stcb, chk);
9311		if (chk == NULL) {
9312			/* no memory */
9313			if (m_ack)
9314				sctp_m_freem(m_ack);
9315			return;
9316		}
9317		chk->copy_by_ref = 0;
9318		chk->rec.chunk_id.id = SCTP_ASCONF_ACK;
9319		chk->rec.chunk_id.can_take_data = 1;
9320		chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
9321		chk->whoTo = net;
9322		if (chk->whoTo) {
9323			atomic_add_int(&chk->whoTo->ref_count, 1);
9324		}
9325		chk->data = m_ack;
9326		chk->send_size = ack->len;
9327		chk->sent = SCTP_DATAGRAM_UNSENT;
9328		chk->snd_count = 0;
9329		chk->asoc = &stcb->asoc;
9330
9331		TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
9332		chk->asoc->ctrl_queue_cnt++;
9333	}
9334	return;
9335}
9336
9337
9338static int
9339sctp_chunk_retransmission(struct sctp_inpcb *inp,
9340    struct sctp_tcb *stcb,
9341    struct sctp_association *asoc,
9342    int *cnt_out, struct timeval *now, int *now_filled, int *fr_done, int so_locked
9343#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
9344    SCTP_UNUSED
9345#endif
9346)
9347{
9348	/*-
9349	 * send out one MTU of retransmission. If fast_retransmit is
9350	 * happening we ignore the cwnd. Otherwise we obey the cwnd and
9351	 * rwnd. For a Cookie or Asconf in the control chunk queue we
9352	 * retransmit them by themselves.
9353	 *
9354	 * For data chunks we will pick out the lowest TSN's in the sent_queue
9355	 * marked for resend and bundle them all together (up to a MTU of
9356	 * destination). The address to send to should have been
9357	 * selected/changed where the retransmission was marked (i.e. in FR
9358	 * or t3-timeout routines).
9359	 */
9360	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
9361	struct sctp_tmit_chunk *chk, *fwd;
9362	struct mbuf *m, *endofchain;
9363	struct sctp_nets *net = NULL;
9364	uint32_t tsns_sent = 0;
9365	int no_fragmentflg, bundle_at, cnt_thru;
9366	unsigned int mtu;
9367	int error, i, one_chunk, fwd_tsn, ctl_cnt, tmr_started;
9368	struct sctp_auth_chunk *auth = NULL;
9369	uint32_t auth_offset = 0;
9370	uint16_t auth_keyid;
9371	int override_ok = 1;
9372	int data_auth_reqd = 0;
9373	uint32_t dmtu = 0;
9374
9375	SCTP_TCB_LOCK_ASSERT(stcb);
9376	tmr_started = ctl_cnt = bundle_at = error = 0;
9377	no_fragmentflg = 1;
9378	fwd_tsn = 0;
9379	*cnt_out = 0;
9380	fwd = NULL;
9381	endofchain = m = NULL;
9382	auth_keyid = stcb->asoc.authinfo.active_keyid;
9383#ifdef SCTP_AUDITING_ENABLED
9384	sctp_audit_log(0xC3, 1);
9385#endif
9386	if ((TAILQ_EMPTY(&asoc->sent_queue)) &&
9387	    (TAILQ_EMPTY(&asoc->control_send_queue))) {
9388		SCTPDBG(SCTP_DEBUG_OUTPUT1, "SCTP hits empty queue with cnt set to %d?\n",
9389		    asoc->sent_queue_retran_cnt);
9390		asoc->sent_queue_cnt = 0;
9391		asoc->sent_queue_cnt_removeable = 0;
9392		/* send back 0/0 so we enter normal transmission */
9393		*cnt_out = 0;
9394		return (0);
9395	}
9396	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
9397		if ((chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) ||
9398		    (chk->rec.chunk_id.id == SCTP_STREAM_RESET) ||
9399		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)) {
9400			if (chk->sent != SCTP_DATAGRAM_RESEND) {
9401				continue;
9402			}
9403			if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
9404				if (chk != asoc->str_reset) {
9405					/*
9406					 * not eligible for retran if its
9407					 * not ours
9408					 */
9409					continue;
9410				}
9411			}
9412			ctl_cnt++;
9413			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
9414				fwd_tsn = 1;
9415			}
9416			/*
9417			 * Add an AUTH chunk, if chunk requires it save the
9418			 * offset into the chain for AUTH
9419			 */
9420			if ((auth == NULL) &&
9421			    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
9422			    stcb->asoc.peer_auth_chunks))) {
9423				m = sctp_add_auth_chunk(m, &endofchain,
9424				    &auth, &auth_offset,
9425				    stcb,
9426				    chk->rec.chunk_id.id);
9427				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9428			}
9429			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
9430			break;
9431		}
9432	}
9433	one_chunk = 0;
9434	cnt_thru = 0;
9435	/* do we have control chunks to retransmit? */
9436	if (m != NULL) {
9437		/* Start a timer no matter if we suceed or fail */
9438		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
9439			sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, chk->whoTo);
9440		} else if (chk->rec.chunk_id.id == SCTP_ASCONF)
9441			sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, chk->whoTo);
9442		chk->snd_count++;	/* update our count */
9443		if ((error = sctp_lowlevel_chunk_output(inp, stcb, chk->whoTo,
9444		    (struct sockaddr *)&chk->whoTo->ro._l_addr, m,
9445		    auth_offset, auth, stcb->asoc.authinfo.active_keyid,
9446		    no_fragmentflg, 0, 0,
9447		    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
9448		    chk->whoTo->port, NULL,
9449		    0, 0,
9450		    so_locked))) {
9451			SCTP_STAT_INCR(sctps_lowlevelerr);
9452			return (error);
9453		}
9454		endofchain = NULL;
9455		auth = NULL;
9456		auth_offset = 0;
9457		/*
9458		 * We don't want to mark the net->sent time here since this
9459		 * we use this for HB and retrans cannot measure RTT
9460		 */
9461		/* (void)SCTP_GETTIME_TIMEVAL(&chk->whoTo->last_sent_time); */
9462		*cnt_out += 1;
9463		chk->sent = SCTP_DATAGRAM_SENT;
9464		sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
9465		if (fwd_tsn == 0) {
9466			return (0);
9467		} else {
9468			/* Clean up the fwd-tsn list */
9469			sctp_clean_up_ctl(stcb, asoc, so_locked);
9470			return (0);
9471		}
9472	}
9473	/*
9474	 * Ok, it is just data retransmission we need to do or that and a
9475	 * fwd-tsn with it all.
9476	 */
9477	if (TAILQ_EMPTY(&asoc->sent_queue)) {
9478		return (SCTP_RETRAN_DONE);
9479	}
9480	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) ||
9481	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT)) {
9482		/* not yet open, resend the cookie and that is it */
9483		return (1);
9484	}
9485#ifdef SCTP_AUDITING_ENABLED
9486	sctp_auditing(20, inp, stcb, NULL);
9487#endif
9488	data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks);
9489	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
9490		if (chk->sent != SCTP_DATAGRAM_RESEND) {
9491			/* No, not sent to this net or not ready for rtx */
9492			continue;
9493		}
9494		if (chk->data == NULL) {
9495			SCTP_PRINTF("TSN:%x chk->snd_count:%d chk->sent:%d can't retran - no data\n",
9496			    chk->rec.data.TSN_seq, chk->snd_count, chk->sent);
9497			continue;
9498		}
9499		if ((SCTP_BASE_SYSCTL(sctp_max_retran_chunk)) &&
9500		    (chk->snd_count >= SCTP_BASE_SYSCTL(sctp_max_retran_chunk))) {
9501			struct mbuf *op_err;
9502			char msg[SCTP_DIAG_INFO_LEN];
9503
9504			snprintf(msg, sizeof(msg), "TSN %8.8x retransmitted %d times, giving up",
9505			    chk->rec.data.TSN_seq, chk->snd_count);
9506			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
9507			    msg);
9508			atomic_add_int(&stcb->asoc.refcnt, 1);
9509			sctp_abort_an_association(stcb->sctp_ep, stcb, op_err,
9510			    so_locked);
9511			SCTP_TCB_LOCK(stcb);
9512			atomic_subtract_int(&stcb->asoc.refcnt, 1);
9513			return (SCTP_RETRAN_EXIT);
9514		}
9515		/* pick up the net */
9516		net = chk->whoTo;
9517		switch (net->ro._l_addr.sa.sa_family) {
9518#ifdef INET
9519		case AF_INET:
9520			mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
9521			break;
9522#endif
9523#ifdef INET6
9524		case AF_INET6:
9525			mtu = net->mtu - SCTP_MIN_OVERHEAD;
9526			break;
9527#endif
9528		default:
9529			/* TSNH */
9530			mtu = net->mtu;
9531			break;
9532		}
9533
9534		if ((asoc->peers_rwnd < mtu) && (asoc->total_flight > 0)) {
9535			/* No room in peers rwnd */
9536			uint32_t tsn;
9537
9538			tsn = asoc->last_acked_seq + 1;
9539			if (tsn == chk->rec.data.TSN_seq) {
9540				/*
9541				 * we make a special exception for this
9542				 * case. The peer has no rwnd but is missing
9543				 * the lowest chunk.. which is probably what
9544				 * is holding up the rwnd.
9545				 */
9546				goto one_chunk_around;
9547			}
9548			return (1);
9549		}
9550one_chunk_around:
9551		if (asoc->peers_rwnd < mtu) {
9552			one_chunk = 1;
9553			if ((asoc->peers_rwnd == 0) &&
9554			    (asoc->total_flight == 0)) {
9555				chk->window_probe = 1;
9556				chk->whoTo->window_probe = 1;
9557			}
9558		}
9559#ifdef SCTP_AUDITING_ENABLED
9560		sctp_audit_log(0xC3, 2);
9561#endif
9562		bundle_at = 0;
9563		m = NULL;
9564		net->fast_retran_ip = 0;
9565		if (chk->rec.data.doing_fast_retransmit == 0) {
9566			/*
9567			 * if no FR in progress skip destination that have
9568			 * flight_size > cwnd.
9569			 */
9570			if (net->flight_size >= net->cwnd) {
9571				continue;
9572			}
9573		} else {
9574			/*
9575			 * Mark the destination net to have FR recovery
9576			 * limits put on it.
9577			 */
9578			*fr_done = 1;
9579			net->fast_retran_ip = 1;
9580		}
9581
9582		/*
9583		 * if no AUTH is yet included and this chunk requires it,
9584		 * make sure to account for it.  We don't apply the size
9585		 * until the AUTH chunk is actually added below in case
9586		 * there is no room for this chunk.
9587		 */
9588		if (data_auth_reqd && (auth == NULL)) {
9589			dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9590		} else
9591			dmtu = 0;
9592
9593		if ((chk->send_size <= (mtu - dmtu)) ||
9594		    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
9595			/* ok we will add this one */
9596			if (data_auth_reqd) {
9597				if (auth == NULL) {
9598					m = sctp_add_auth_chunk(m,
9599					    &endofchain,
9600					    &auth,
9601					    &auth_offset,
9602					    stcb,
9603					    SCTP_DATA);
9604					auth_keyid = chk->auth_keyid;
9605					override_ok = 0;
9606					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9607				} else if (override_ok) {
9608					auth_keyid = chk->auth_keyid;
9609					override_ok = 0;
9610				} else if (chk->auth_keyid != auth_keyid) {
9611					/* different keyid, so done bundling */
9612					break;
9613				}
9614			}
9615			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
9616			if (m == NULL) {
9617				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9618				return (ENOMEM);
9619			}
9620			/* Do clear IP_DF ? */
9621			if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9622				no_fragmentflg = 0;
9623			}
9624			/* upate our MTU size */
9625			if (mtu > (chk->send_size + dmtu))
9626				mtu -= (chk->send_size + dmtu);
9627			else
9628				mtu = 0;
9629			data_list[bundle_at++] = chk;
9630			if (one_chunk && (asoc->total_flight <= 0)) {
9631				SCTP_STAT_INCR(sctps_windowprobed);
9632			}
9633		}
9634		if (one_chunk == 0) {
9635			/*
9636			 * now are there anymore forward from chk to pick
9637			 * up?
9638			 */
9639			for (fwd = TAILQ_NEXT(chk, sctp_next); fwd != NULL; fwd = TAILQ_NEXT(fwd, sctp_next)) {
9640				if (fwd->sent != SCTP_DATAGRAM_RESEND) {
9641					/* Nope, not for retran */
9642					continue;
9643				}
9644				if (fwd->whoTo != net) {
9645					/* Nope, not the net in question */
9646					continue;
9647				}
9648				if (data_auth_reqd && (auth == NULL)) {
9649					dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9650				} else
9651					dmtu = 0;
9652				if (fwd->send_size <= (mtu - dmtu)) {
9653					if (data_auth_reqd) {
9654						if (auth == NULL) {
9655							m = sctp_add_auth_chunk(m,
9656							    &endofchain,
9657							    &auth,
9658							    &auth_offset,
9659							    stcb,
9660							    SCTP_DATA);
9661							auth_keyid = fwd->auth_keyid;
9662							override_ok = 0;
9663							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9664						} else if (override_ok) {
9665							auth_keyid = fwd->auth_keyid;
9666							override_ok = 0;
9667						} else if (fwd->auth_keyid != auth_keyid) {
9668							/*
9669							 * different keyid,
9670							 * so done bundling
9671							 */
9672							break;
9673						}
9674					}
9675					m = sctp_copy_mbufchain(fwd->data, m, &endofchain, 0, fwd->send_size, fwd->copy_by_ref);
9676					if (m == NULL) {
9677						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9678						return (ENOMEM);
9679					}
9680					/* Do clear IP_DF ? */
9681					if (fwd->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9682						no_fragmentflg = 0;
9683					}
9684					/* upate our MTU size */
9685					if (mtu > (fwd->send_size + dmtu))
9686						mtu -= (fwd->send_size + dmtu);
9687					else
9688						mtu = 0;
9689					data_list[bundle_at++] = fwd;
9690					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
9691						break;
9692					}
9693				} else {
9694					/* can't fit so we are done */
9695					break;
9696				}
9697			}
9698		}
9699		/* Is there something to send for this destination? */
9700		if (m) {
9701			/*
9702			 * No matter if we fail/or suceed we should start a
9703			 * timer. A failure is like a lost IP packet :-)
9704			 */
9705			if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
9706				/*
9707				 * no timer running on this destination
9708				 * restart it.
9709				 */
9710				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9711				tmr_started = 1;
9712			}
9713			/* Now lets send it, if there is anything to send :> */
9714			if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
9715			    (struct sockaddr *)&net->ro._l_addr, m,
9716			    auth_offset, auth, auth_keyid,
9717			    no_fragmentflg, 0, 0,
9718			    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
9719			    net->port, NULL,
9720			    0, 0,
9721			    so_locked))) {
9722				/* error, we could not output */
9723				SCTP_STAT_INCR(sctps_lowlevelerr);
9724				return (error);
9725			}
9726			endofchain = NULL;
9727			auth = NULL;
9728			auth_offset = 0;
9729			/* For HB's */
9730			/*
9731			 * We don't want to mark the net->sent time here
9732			 * since this we use this for HB and retrans cannot
9733			 * measure RTT
9734			 */
9735			/* (void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time); */
9736
9737			/* For auto-close */
9738			cnt_thru++;
9739			if (*now_filled == 0) {
9740				(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
9741				*now = asoc->time_last_sent;
9742				*now_filled = 1;
9743			} else {
9744				asoc->time_last_sent = *now;
9745			}
9746			*cnt_out += bundle_at;
9747#ifdef SCTP_AUDITING_ENABLED
9748			sctp_audit_log(0xC4, bundle_at);
9749#endif
9750			if (bundle_at) {
9751				tsns_sent = data_list[0]->rec.data.TSN_seq;
9752			}
9753			for (i = 0; i < bundle_at; i++) {
9754				SCTP_STAT_INCR(sctps_sendretransdata);
9755				data_list[i]->sent = SCTP_DATAGRAM_SENT;
9756				/*
9757				 * When we have a revoked data, and we
9758				 * retransmit it, then we clear the revoked
9759				 * flag since this flag dictates if we
9760				 * subtracted from the fs
9761				 */
9762				if (data_list[i]->rec.data.chunk_was_revoked) {
9763					/* Deflate the cwnd */
9764					data_list[i]->whoTo->cwnd -= data_list[i]->book_size;
9765					data_list[i]->rec.data.chunk_was_revoked = 0;
9766				}
9767				data_list[i]->snd_count++;
9768				sctp_ucount_decr(asoc->sent_queue_retran_cnt);
9769				/* record the time */
9770				data_list[i]->sent_rcv_time = asoc->time_last_sent;
9771				if (data_list[i]->book_size_scale) {
9772					/*
9773					 * need to double the book size on
9774					 * this one
9775					 */
9776					data_list[i]->book_size_scale = 0;
9777					/*
9778					 * Since we double the booksize, we
9779					 * must also double the output queue
9780					 * size, since this get shrunk when
9781					 * we free by this amount.
9782					 */
9783					atomic_add_int(&((asoc)->total_output_queue_size), data_list[i]->book_size);
9784					data_list[i]->book_size *= 2;
9785
9786
9787				} else {
9788					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
9789						sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
9790						    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
9791					}
9792					asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
9793					    (uint32_t) (data_list[i]->send_size +
9794					    SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
9795				}
9796				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
9797					sctp_misc_ints(SCTP_FLIGHT_LOG_UP_RSND,
9798					    data_list[i]->whoTo->flight_size,
9799					    data_list[i]->book_size,
9800					    (uintptr_t) data_list[i]->whoTo,
9801					    data_list[i]->rec.data.TSN_seq);
9802				}
9803				sctp_flight_size_increase(data_list[i]);
9804				sctp_total_flight_increase(stcb, data_list[i]);
9805				if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
9806					/* SWS sender side engages */
9807					asoc->peers_rwnd = 0;
9808				}
9809				if ((i == 0) &&
9810				    (data_list[i]->rec.data.doing_fast_retransmit)) {
9811					SCTP_STAT_INCR(sctps_sendfastretrans);
9812					if ((data_list[i] == TAILQ_FIRST(&asoc->sent_queue)) &&
9813					    (tmr_started == 0)) {
9814						/*-
9815						 * ok we just fast-retrans'd
9816						 * the lowest TSN, i.e the
9817						 * first on the list. In
9818						 * this case we want to give
9819						 * some more time to get a
9820						 * SACK back without a
9821						 * t3-expiring.
9822						 */
9823						sctp_timer_stop(SCTP_TIMER_TYPE_SEND, inp, stcb, net,
9824						    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_2);
9825						sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9826					}
9827				}
9828			}
9829			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9830				sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_RESEND);
9831			}
9832#ifdef SCTP_AUDITING_ENABLED
9833			sctp_auditing(21, inp, stcb, NULL);
9834#endif
9835		} else {
9836			/* None will fit */
9837			return (1);
9838		}
9839		if (asoc->sent_queue_retran_cnt <= 0) {
9840			/* all done we have no more to retran */
9841			asoc->sent_queue_retran_cnt = 0;
9842			break;
9843		}
9844		if (one_chunk) {
9845			/* No more room in rwnd */
9846			return (1);
9847		}
9848		/* stop the for loop here. we sent out a packet */
9849		break;
9850	}
9851	return (0);
9852}
9853
9854static void
9855sctp_timer_validation(struct sctp_inpcb *inp,
9856    struct sctp_tcb *stcb,
9857    struct sctp_association *asoc)
9858{
9859	struct sctp_nets *net;
9860
9861	/* Validate that a timer is running somewhere */
9862	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
9863		if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
9864			/* Here is a timer */
9865			return;
9866		}
9867	}
9868	SCTP_TCB_LOCK_ASSERT(stcb);
9869	/* Gak, we did not have a timer somewhere */
9870	SCTPDBG(SCTP_DEBUG_OUTPUT3, "Deadlock avoided starting timer on a dest at retran\n");
9871	if (asoc->alternate) {
9872		sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->alternate);
9873	} else {
9874		sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->primary_destination);
9875	}
9876	return;
9877}
9878
9879void
9880sctp_chunk_output(struct sctp_inpcb *inp,
9881    struct sctp_tcb *stcb,
9882    int from_where,
9883    int so_locked
9884#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
9885    SCTP_UNUSED
9886#endif
9887)
9888{
9889	/*-
9890	 * Ok this is the generic chunk service queue. we must do the
9891	 * following:
9892	 * - See if there are retransmits pending, if so we must
9893	 *   do these first.
9894	 * - Service the stream queue that is next, moving any
9895	 *   message (note I must get a complete message i.e.
9896	 *   FIRST/MIDDLE and LAST to the out queue in one pass) and assigning
9897	 *   TSN's
9898	 * - Check to see if the cwnd/rwnd allows any output, if so we
9899	 *   go ahead and fomulate and send the low level chunks. Making sure
9900	 *   to combine any control in the control chunk queue also.
9901	 */
9902	struct sctp_association *asoc;
9903	struct sctp_nets *net;
9904	int error = 0, num_out, tot_out = 0, ret = 0, reason_code;
9905	unsigned int burst_cnt = 0;
9906	struct timeval now;
9907	int now_filled = 0;
9908	int nagle_on;
9909	int frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
9910	int un_sent = 0;
9911	int fr_done;
9912	unsigned int tot_frs = 0;
9913
9914	asoc = &stcb->asoc;
9915do_it_again:
9916	/* The Nagle algorithm is only applied when handling a send call. */
9917	if (from_where == SCTP_OUTPUT_FROM_USR_SEND) {
9918		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NODELAY)) {
9919			nagle_on = 0;
9920		} else {
9921			nagle_on = 1;
9922		}
9923	} else {
9924		nagle_on = 0;
9925	}
9926	SCTP_TCB_LOCK_ASSERT(stcb);
9927
9928	un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
9929
9930	if ((un_sent <= 0) &&
9931	    (TAILQ_EMPTY(&asoc->control_send_queue)) &&
9932	    (TAILQ_EMPTY(&asoc->asconf_send_queue)) &&
9933	    (asoc->sent_queue_retran_cnt == 0) &&
9934	    (asoc->trigger_reset == 0)) {
9935		/* Nothing to do unless there is something to be sent left */
9936		return;
9937	}
9938	/*
9939	 * Do we have something to send, data or control AND a sack timer
9940	 * running, if so piggy-back the sack.
9941	 */
9942	if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
9943		sctp_send_sack(stcb, so_locked);
9944		(void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer);
9945	}
9946	while (asoc->sent_queue_retran_cnt) {
9947		/*-
9948		 * Ok, it is retransmission time only, we send out only ONE
9949		 * packet with a single call off to the retran code.
9950		 */
9951		if (from_where == SCTP_OUTPUT_FROM_COOKIE_ACK) {
9952			/*-
9953			 * Special hook for handling cookiess discarded
9954			 * by peer that carried data. Send cookie-ack only
9955			 * and then the next call with get the retran's.
9956			 */
9957			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
9958			    from_where,
9959			    &now, &now_filled, frag_point, so_locked);
9960			return;
9961		} else if (from_where != SCTP_OUTPUT_FROM_HB_TMR) {
9962			/* if its not from a HB then do it */
9963			fr_done = 0;
9964			ret = sctp_chunk_retransmission(inp, stcb, asoc, &num_out, &now, &now_filled, &fr_done, so_locked);
9965			if (fr_done) {
9966				tot_frs++;
9967			}
9968		} else {
9969			/*
9970			 * its from any other place, we don't allow retran
9971			 * output (only control)
9972			 */
9973			ret = 1;
9974		}
9975		if (ret > 0) {
9976			/* Can't send anymore */
9977			/*-
9978			 * now lets push out control by calling med-level
9979			 * output once. this assures that we WILL send HB's
9980			 * if queued too.
9981			 */
9982			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
9983			    from_where,
9984			    &now, &now_filled, frag_point, so_locked);
9985#ifdef SCTP_AUDITING_ENABLED
9986			sctp_auditing(8, inp, stcb, NULL);
9987#endif
9988			sctp_timer_validation(inp, stcb, asoc);
9989			return;
9990		}
9991		if (ret < 0) {
9992			/*-
9993			 * The count was off.. retran is not happening so do
9994			 * the normal retransmission.
9995			 */
9996#ifdef SCTP_AUDITING_ENABLED
9997			sctp_auditing(9, inp, stcb, NULL);
9998#endif
9999			if (ret == SCTP_RETRAN_EXIT) {
10000				return;
10001			}
10002			break;
10003		}
10004		if (from_where == SCTP_OUTPUT_FROM_T3) {
10005			/* Only one transmission allowed out of a timeout */
10006#ifdef SCTP_AUDITING_ENABLED
10007			sctp_auditing(10, inp, stcb, NULL);
10008#endif
10009			/* Push out any control */
10010			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1, from_where,
10011			    &now, &now_filled, frag_point, so_locked);
10012			return;
10013		}
10014		if ((asoc->fr_max_burst > 0) && (tot_frs >= asoc->fr_max_burst)) {
10015			/* Hit FR burst limit */
10016			return;
10017		}
10018		if ((num_out == 0) && (ret == 0)) {
10019			/* No more retrans to send */
10020			break;
10021		}
10022	}
10023#ifdef SCTP_AUDITING_ENABLED
10024	sctp_auditing(12, inp, stcb, NULL);
10025#endif
10026	/* Check for bad destinations, if they exist move chunks around. */
10027	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
10028		if (!(net->dest_state & SCTP_ADDR_REACHABLE)) {
10029			/*-
10030			 * if possible move things off of this address we
10031			 * still may send below due to the dormant state but
10032			 * we try to find an alternate address to send to
10033			 * and if we have one we move all queued data on the
10034			 * out wheel to this alternate address.
10035			 */
10036			if (net->ref_count > 1)
10037				sctp_move_chunks_from_net(stcb, net);
10038		} else {
10039			/*-
10040			 * if ((asoc->sat_network) || (net->addr_is_local))
10041			 * { burst_limit = asoc->max_burst *
10042			 * SCTP_SAT_NETWORK_BURST_INCR; }
10043			 */
10044			if (asoc->max_burst > 0) {
10045				if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst)) {
10046					if ((net->flight_size + (asoc->max_burst * net->mtu)) < net->cwnd) {
10047						/*
10048						 * JRS - Use the congestion
10049						 * control given in the
10050						 * congestion control module
10051						 */
10052						asoc->cc_functions.sctp_cwnd_update_after_output(stcb, net, asoc->max_burst);
10053						if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10054							sctp_log_maxburst(stcb, net, 0, asoc->max_burst, SCTP_MAX_BURST_APPLIED);
10055						}
10056						SCTP_STAT_INCR(sctps_maxburstqueued);
10057					}
10058					net->fast_retran_ip = 0;
10059				} else {
10060					if (net->flight_size == 0) {
10061						/*
10062						 * Should be decaying the
10063						 * cwnd here
10064						 */
10065						;
10066					}
10067				}
10068			}
10069		}
10070
10071	}
10072	burst_cnt = 0;
10073	do {
10074		error = sctp_med_chunk_output(inp, stcb, asoc, &num_out,
10075		    &reason_code, 0, from_where,
10076		    &now, &now_filled, frag_point, so_locked);
10077		if (error) {
10078			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Error %d was returned from med-c-op\n", error);
10079			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10080				sctp_log_maxburst(stcb, asoc->primary_destination, error, burst_cnt, SCTP_MAX_BURST_ERROR_STOP);
10081			}
10082			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10083				sctp_log_cwnd(stcb, NULL, error, SCTP_SEND_NOW_COMPLETES);
10084				sctp_log_cwnd(stcb, NULL, 0xdeadbeef, SCTP_SEND_NOW_COMPLETES);
10085			}
10086			break;
10087		}
10088		SCTPDBG(SCTP_DEBUG_OUTPUT3, "m-c-o put out %d\n", num_out);
10089
10090		tot_out += num_out;
10091		burst_cnt++;
10092		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10093			sctp_log_cwnd(stcb, NULL, num_out, SCTP_SEND_NOW_COMPLETES);
10094			if (num_out == 0) {
10095				sctp_log_cwnd(stcb, NULL, reason_code, SCTP_SEND_NOW_COMPLETES);
10096			}
10097		}
10098		if (nagle_on) {
10099			/*
10100			 * When the Nagle algorithm is used, look at how
10101			 * much is unsent, then if its smaller than an MTU
10102			 * and we have data in flight we stop, except if we
10103			 * are handling a fragmented user message.
10104			 */
10105			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
10106			    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
10107			if ((un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD)) &&
10108			    (stcb->asoc.total_flight > 0) &&
10109			    ((stcb->asoc.locked_on_sending == NULL) ||
10110			    sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
10111				break;
10112			}
10113		}
10114		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
10115		    TAILQ_EMPTY(&asoc->send_queue) &&
10116		    stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
10117			/* Nothing left to send */
10118			break;
10119		}
10120		if ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) <= 0) {
10121			/* Nothing left to send */
10122			break;
10123		}
10124	} while (num_out &&
10125	    ((asoc->max_burst == 0) ||
10126	    SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) ||
10127	    (burst_cnt < asoc->max_burst)));
10128
10129	if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) == 0) {
10130		if ((asoc->max_burst > 0) && (burst_cnt >= asoc->max_burst)) {
10131			SCTP_STAT_INCR(sctps_maxburstqueued);
10132			asoc->burst_limit_applied = 1;
10133			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10134				sctp_log_maxburst(stcb, asoc->primary_destination, 0, burst_cnt, SCTP_MAX_BURST_APPLIED);
10135			}
10136		} else {
10137			asoc->burst_limit_applied = 0;
10138		}
10139	}
10140	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10141		sctp_log_cwnd(stcb, NULL, tot_out, SCTP_SEND_NOW_COMPLETES);
10142	}
10143	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, we have put out %d chunks\n",
10144	    tot_out);
10145
10146	/*-
10147	 * Now we need to clean up the control chunk chain if a ECNE is on
10148	 * it. It must be marked as UNSENT again so next call will continue
10149	 * to send it until such time that we get a CWR, to remove it.
10150	 */
10151	if (stcb->asoc.ecn_echo_cnt_onq)
10152		sctp_fix_ecn_echo(asoc);
10153
10154	if (stcb->asoc.trigger_reset) {
10155		if (sctp_send_stream_reset_out_if_possible(stcb, so_locked) == 0) {
10156			goto do_it_again;
10157		}
10158	}
10159	return;
10160}
10161
10162
10163int
10164sctp_output(
10165    struct sctp_inpcb *inp,
10166    struct mbuf *m,
10167    struct sockaddr *addr,
10168    struct mbuf *control,
10169    struct thread *p,
10170    int flags)
10171{
10172	if (inp == NULL) {
10173		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
10174		return (EINVAL);
10175	}
10176	if (inp->sctp_socket == NULL) {
10177		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
10178		return (EINVAL);
10179	}
10180	return (sctp_sosend(inp->sctp_socket,
10181	    addr,
10182	    (struct uio *)NULL,
10183	    m,
10184	    control,
10185	    flags, p
10186	    ));
10187}
10188
10189void
10190send_forward_tsn(struct sctp_tcb *stcb,
10191    struct sctp_association *asoc)
10192{
10193	struct sctp_tmit_chunk *chk;
10194	struct sctp_forward_tsn_chunk *fwdtsn;
10195	uint32_t advance_peer_ack_point;
10196
10197	SCTP_TCB_LOCK_ASSERT(stcb);
10198	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10199		if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
10200			/* mark it to unsent */
10201			chk->sent = SCTP_DATAGRAM_UNSENT;
10202			chk->snd_count = 0;
10203			/* Do we correct its output location? */
10204			if (chk->whoTo) {
10205				sctp_free_remote_addr(chk->whoTo);
10206				chk->whoTo = NULL;
10207			}
10208			goto sctp_fill_in_rest;
10209		}
10210	}
10211	/* Ok if we reach here we must build one */
10212	sctp_alloc_a_chunk(stcb, chk);
10213	if (chk == NULL) {
10214		return;
10215	}
10216	asoc->fwd_tsn_cnt++;
10217	chk->copy_by_ref = 0;
10218	chk->rec.chunk_id.id = SCTP_FORWARD_CUM_TSN;
10219	chk->rec.chunk_id.can_take_data = 0;
10220	chk->flags = 0;
10221	chk->asoc = asoc;
10222	chk->whoTo = NULL;
10223	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
10224	if (chk->data == NULL) {
10225		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
10226		return;
10227	}
10228	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10229	chk->sent = SCTP_DATAGRAM_UNSENT;
10230	chk->snd_count = 0;
10231	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
10232	asoc->ctrl_queue_cnt++;
10233sctp_fill_in_rest:
10234	/*-
10235	 * Here we go through and fill out the part that deals with
10236	 * stream/seq of the ones we skip.
10237	 */
10238	SCTP_BUF_LEN(chk->data) = 0;
10239	{
10240		struct sctp_tmit_chunk *at, *tp1, *last;
10241		struct sctp_strseq *strseq;
10242		unsigned int cnt_of_space, i, ovh;
10243		unsigned int space_needed;
10244		unsigned int cnt_of_skipped = 0;
10245
10246		TAILQ_FOREACH(at, &asoc->sent_queue, sctp_next) {
10247			if ((at->sent != SCTP_FORWARD_TSN_SKIP) &&
10248			    (at->sent != SCTP_DATAGRAM_NR_ACKED)) {
10249				/* no more to look at */
10250				break;
10251			}
10252			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
10253				/* We don't report these */
10254				continue;
10255			}
10256			cnt_of_skipped++;
10257		}
10258		space_needed = (sizeof(struct sctp_forward_tsn_chunk) +
10259		    (cnt_of_skipped * sizeof(struct sctp_strseq)));
10260
10261		cnt_of_space = M_TRAILINGSPACE(chk->data);
10262
10263		if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
10264			ovh = SCTP_MIN_OVERHEAD;
10265		} else {
10266			ovh = SCTP_MIN_V4_OVERHEAD;
10267		}
10268		if (cnt_of_space > (asoc->smallest_mtu - ovh)) {
10269			/* trim to a mtu size */
10270			cnt_of_space = asoc->smallest_mtu - ovh;
10271		}
10272		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10273			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10274			    0xff, 0, cnt_of_skipped,
10275			    asoc->advanced_peer_ack_point);
10276
10277		}
10278		advance_peer_ack_point = asoc->advanced_peer_ack_point;
10279		if (cnt_of_space < space_needed) {
10280			/*-
10281			 * ok we must trim down the chunk by lowering the
10282			 * advance peer ack point.
10283			 */
10284			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10285				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10286				    0xff, 0xff, cnt_of_space,
10287				    space_needed);
10288			}
10289			cnt_of_skipped = cnt_of_space - sizeof(struct sctp_forward_tsn_chunk);
10290			cnt_of_skipped /= sizeof(struct sctp_strseq);
10291			/*-
10292			 * Go through and find the TSN that will be the one
10293			 * we report.
10294			 */
10295			at = TAILQ_FIRST(&asoc->sent_queue);
10296			if (at != NULL) {
10297				for (i = 0; i < cnt_of_skipped; i++) {
10298					tp1 = TAILQ_NEXT(at, sctp_next);
10299					if (tp1 == NULL) {
10300						break;
10301					}
10302					at = tp1;
10303				}
10304			}
10305			if (at && SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
10306				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
10307				    0xff, cnt_of_skipped, at->rec.data.TSN_seq,
10308				    asoc->advanced_peer_ack_point);
10309			}
10310			last = at;
10311			/*-
10312			 * last now points to last one I can report, update
10313			 * peer ack point
10314			 */
10315			if (last)
10316				advance_peer_ack_point = last->rec.data.TSN_seq;
10317			space_needed = sizeof(struct sctp_forward_tsn_chunk) +
10318			    cnt_of_skipped * sizeof(struct sctp_strseq);
10319		}
10320		chk->send_size = space_needed;
10321		/* Setup the chunk */
10322		fwdtsn = mtod(chk->data, struct sctp_forward_tsn_chunk *);
10323		fwdtsn->ch.chunk_length = htons(chk->send_size);
10324		fwdtsn->ch.chunk_flags = 0;
10325		fwdtsn->ch.chunk_type = SCTP_FORWARD_CUM_TSN;
10326		fwdtsn->new_cumulative_tsn = htonl(advance_peer_ack_point);
10327		SCTP_BUF_LEN(chk->data) = chk->send_size;
10328		fwdtsn++;
10329		/*-
10330		 * Move pointer to after the fwdtsn and transfer to the
10331		 * strseq pointer.
10332		 */
10333		strseq = (struct sctp_strseq *)fwdtsn;
10334		/*-
10335		 * Now populate the strseq list. This is done blindly
10336		 * without pulling out duplicate stream info. This is
10337		 * inefficent but won't harm the process since the peer will
10338		 * look at these in sequence and will thus release anything.
10339		 * It could mean we exceed the PMTU and chop off some that
10340		 * we could have included.. but this is unlikely (aka 1432/4
10341		 * would mean 300+ stream seq's would have to be reported in
10342		 * one FWD-TSN. With a bit of work we can later FIX this to
10343		 * optimize and pull out duplcates.. but it does add more
10344		 * overhead. So for now... not!
10345		 */
10346		at = TAILQ_FIRST(&asoc->sent_queue);
10347		for (i = 0; i < cnt_of_skipped; i++) {
10348			tp1 = TAILQ_NEXT(at, sctp_next);
10349			if (tp1 == NULL)
10350				break;
10351			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
10352				/* We don't report these */
10353				i--;
10354				at = tp1;
10355				continue;
10356			}
10357			if (at->rec.data.TSN_seq == advance_peer_ack_point) {
10358				at->rec.data.fwd_tsn_cnt = 0;
10359			}
10360			strseq->stream = ntohs(at->rec.data.stream_number);
10361			strseq->sequence = ntohs(at->rec.data.stream_seq);
10362			strseq++;
10363			at = tp1;
10364		}
10365	}
10366	return;
10367}
10368
10369void
10370sctp_send_sack(struct sctp_tcb *stcb, int so_locked
10371#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
10372    SCTP_UNUSED
10373#endif
10374)
10375{
10376	/*-
10377	 * Queue up a SACK or NR-SACK in the control queue.
10378	 * We must first check to see if a SACK or NR-SACK is
10379	 * somehow on the control queue.
10380	 * If so, we will take and and remove the old one.
10381	 */
10382	struct sctp_association *asoc;
10383	struct sctp_tmit_chunk *chk, *a_chk;
10384	struct sctp_sack_chunk *sack;
10385	struct sctp_nr_sack_chunk *nr_sack;
10386	struct sctp_gap_ack_block *gap_descriptor;
10387	struct sack_track *selector;
10388	int mergeable = 0;
10389	int offset;
10390	caddr_t limit;
10391	uint32_t *dup;
10392	int limit_reached = 0;
10393	unsigned int i, siz, j;
10394	unsigned int num_gap_blocks = 0, num_nr_gap_blocks = 0, space;
10395	int num_dups = 0;
10396	int space_req;
10397	uint32_t highest_tsn;
10398	uint8_t flags;
10399	uint8_t type;
10400	uint8_t tsn_map;
10401
10402	if (stcb->asoc.nrsack_supported == 1) {
10403		type = SCTP_NR_SELECTIVE_ACK;
10404	} else {
10405		type = SCTP_SELECTIVE_ACK;
10406	}
10407	a_chk = NULL;
10408	asoc = &stcb->asoc;
10409	SCTP_TCB_LOCK_ASSERT(stcb);
10410	if (asoc->last_data_chunk_from == NULL) {
10411		/* Hmm we never received anything */
10412		return;
10413	}
10414	sctp_slide_mapping_arrays(stcb);
10415	sctp_set_rwnd(stcb, asoc);
10416	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10417		if (chk->rec.chunk_id.id == type) {
10418			/* Hmm, found a sack already on queue, remove it */
10419			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
10420			asoc->ctrl_queue_cnt--;
10421			a_chk = chk;
10422			if (a_chk->data) {
10423				sctp_m_freem(a_chk->data);
10424				a_chk->data = NULL;
10425			}
10426			if (a_chk->whoTo) {
10427				sctp_free_remote_addr(a_chk->whoTo);
10428				a_chk->whoTo = NULL;
10429			}
10430			break;
10431		}
10432	}
10433	if (a_chk == NULL) {
10434		sctp_alloc_a_chunk(stcb, a_chk);
10435		if (a_chk == NULL) {
10436			/* No memory so we drop the idea, and set a timer */
10437			if (stcb->asoc.delayed_ack) {
10438				sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
10439				    stcb->sctp_ep, stcb, NULL,
10440				    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_3);
10441				sctp_timer_start(SCTP_TIMER_TYPE_RECV,
10442				    stcb->sctp_ep, stcb, NULL);
10443			} else {
10444				stcb->asoc.send_sack = 1;
10445			}
10446			return;
10447		}
10448		a_chk->copy_by_ref = 0;
10449		a_chk->rec.chunk_id.id = type;
10450		a_chk->rec.chunk_id.can_take_data = 1;
10451	}
10452	/* Clear our pkt counts */
10453	asoc->data_pkts_seen = 0;
10454
10455	a_chk->flags = 0;
10456	a_chk->asoc = asoc;
10457	a_chk->snd_count = 0;
10458	a_chk->send_size = 0;	/* fill in later */
10459	a_chk->sent = SCTP_DATAGRAM_UNSENT;
10460	a_chk->whoTo = NULL;
10461
10462	if (!(asoc->last_data_chunk_from->dest_state & SCTP_ADDR_REACHABLE)) {
10463		/*-
10464		 * Ok, the destination for the SACK is unreachable, lets see if
10465		 * we can select an alternate to asoc->last_data_chunk_from
10466		 */
10467		a_chk->whoTo = sctp_find_alternate_net(stcb, asoc->last_data_chunk_from, 0);
10468		if (a_chk->whoTo == NULL) {
10469			/* Nope, no alternate */
10470			a_chk->whoTo = asoc->last_data_chunk_from;
10471		}
10472	} else {
10473		a_chk->whoTo = asoc->last_data_chunk_from;
10474	}
10475	if (a_chk->whoTo) {
10476		atomic_add_int(&a_chk->whoTo->ref_count, 1);
10477	}
10478	if (SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->highest_tsn_inside_nr_map)) {
10479		highest_tsn = asoc->highest_tsn_inside_map;
10480	} else {
10481		highest_tsn = asoc->highest_tsn_inside_nr_map;
10482	}
10483	if (highest_tsn == asoc->cumulative_tsn) {
10484		/* no gaps */
10485		if (type == SCTP_SELECTIVE_ACK) {
10486			space_req = sizeof(struct sctp_sack_chunk);
10487		} else {
10488			space_req = sizeof(struct sctp_nr_sack_chunk);
10489		}
10490	} else {
10491		/* gaps get a cluster */
10492		space_req = MCLBYTES;
10493	}
10494	/* Ok now lets formulate a MBUF with our sack */
10495	a_chk->data = sctp_get_mbuf_for_msg(space_req, 0, M_NOWAIT, 1, MT_DATA);
10496	if ((a_chk->data == NULL) ||
10497	    (a_chk->whoTo == NULL)) {
10498		/* rats, no mbuf memory */
10499		if (a_chk->data) {
10500			/* was a problem with the destination */
10501			sctp_m_freem(a_chk->data);
10502			a_chk->data = NULL;
10503		}
10504		sctp_free_a_chunk(stcb, a_chk, so_locked);
10505		/* sa_ignore NO_NULL_CHK */
10506		if (stcb->asoc.delayed_ack) {
10507			sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
10508			    stcb->sctp_ep, stcb, NULL,
10509			    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_4);
10510			sctp_timer_start(SCTP_TIMER_TYPE_RECV,
10511			    stcb->sctp_ep, stcb, NULL);
10512		} else {
10513			stcb->asoc.send_sack = 1;
10514		}
10515		return;
10516	}
10517	/* ok, lets go through and fill it in */
10518	SCTP_BUF_RESV_UF(a_chk->data, SCTP_MIN_OVERHEAD);
10519	space = M_TRAILINGSPACE(a_chk->data);
10520	if (space > (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD)) {
10521		space = (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD);
10522	}
10523	limit = mtod(a_chk->data, caddr_t);
10524	limit += space;
10525
10526	flags = 0;
10527
10528	if ((asoc->sctp_cmt_on_off > 0) &&
10529	    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
10530		/*-
10531		 * CMT DAC algorithm: If 2 (i.e., 0x10) packets have been
10532		 * received, then set high bit to 1, else 0. Reset
10533		 * pkts_rcvd.
10534		 */
10535		flags |= (asoc->cmt_dac_pkts_rcvd << 6);
10536		asoc->cmt_dac_pkts_rcvd = 0;
10537	}
10538#ifdef SCTP_ASOCLOG_OF_TSNS
10539	stcb->asoc.cumack_logsnt[stcb->asoc.cumack_log_atsnt] = asoc->cumulative_tsn;
10540	stcb->asoc.cumack_log_atsnt++;
10541	if (stcb->asoc.cumack_log_atsnt >= SCTP_TSN_LOG_SIZE) {
10542		stcb->asoc.cumack_log_atsnt = 0;
10543	}
10544#endif
10545	/* reset the readers interpretation */
10546	stcb->freed_by_sorcv_sincelast = 0;
10547
10548	if (type == SCTP_SELECTIVE_ACK) {
10549		sack = mtod(a_chk->data, struct sctp_sack_chunk *);
10550		nr_sack = NULL;
10551		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)sack + sizeof(struct sctp_sack_chunk));
10552		if (highest_tsn > asoc->mapping_array_base_tsn) {
10553			siz = (((highest_tsn - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10554		} else {
10555			siz = (((MAX_TSN - highest_tsn) + 1) + highest_tsn + 7) / 8;
10556		}
10557	} else {
10558		sack = NULL;
10559		nr_sack = mtod(a_chk->data, struct sctp_nr_sack_chunk *);
10560		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)nr_sack + sizeof(struct sctp_nr_sack_chunk));
10561		if (asoc->highest_tsn_inside_map > asoc->mapping_array_base_tsn) {
10562			siz = (((asoc->highest_tsn_inside_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10563		} else {
10564			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_map + 7) / 8;
10565		}
10566	}
10567
10568	if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10569		offset = 1;
10570	} else {
10571		offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10572	}
10573	if (((type == SCTP_SELECTIVE_ACK) &&
10574	    SCTP_TSN_GT(highest_tsn, asoc->cumulative_tsn)) ||
10575	    ((type == SCTP_NR_SELECTIVE_ACK) &&
10576	    SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->cumulative_tsn))) {
10577		/* we have a gap .. maybe */
10578		for (i = 0; i < siz; i++) {
10579			tsn_map = asoc->mapping_array[i];
10580			if (type == SCTP_SELECTIVE_ACK) {
10581				tsn_map |= asoc->nr_mapping_array[i];
10582			}
10583			if (i == 0) {
10584				/*
10585				 * Clear all bits corresponding to TSNs
10586				 * smaller or equal to the cumulative TSN.
10587				 */
10588				tsn_map &= (~0 << (1 - offset));
10589			}
10590			selector = &sack_array[tsn_map];
10591			if (mergeable && selector->right_edge) {
10592				/*
10593				 * Backup, left and right edges were ok to
10594				 * merge.
10595				 */
10596				num_gap_blocks--;
10597				gap_descriptor--;
10598			}
10599			if (selector->num_entries == 0)
10600				mergeable = 0;
10601			else {
10602				for (j = 0; j < selector->num_entries; j++) {
10603					if (mergeable && selector->right_edge) {
10604						/*
10605						 * do a merge by NOT setting
10606						 * the left side
10607						 */
10608						mergeable = 0;
10609					} else {
10610						/*
10611						 * no merge, set the left
10612						 * side
10613						 */
10614						mergeable = 0;
10615						gap_descriptor->start = htons((selector->gaps[j].start + offset));
10616					}
10617					gap_descriptor->end = htons((selector->gaps[j].end + offset));
10618					num_gap_blocks++;
10619					gap_descriptor++;
10620					if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10621						/* no more room */
10622						limit_reached = 1;
10623						break;
10624					}
10625				}
10626				if (selector->left_edge) {
10627					mergeable = 1;
10628				}
10629			}
10630			if (limit_reached) {
10631				/* Reached the limit stop */
10632				break;
10633			}
10634			offset += 8;
10635		}
10636	}
10637	if ((type == SCTP_NR_SELECTIVE_ACK) &&
10638	    (limit_reached == 0)) {
10639
10640		mergeable = 0;
10641
10642		if (asoc->highest_tsn_inside_nr_map > asoc->mapping_array_base_tsn) {
10643			siz = (((asoc->highest_tsn_inside_nr_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10644		} else {
10645			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_nr_map + 7) / 8;
10646		}
10647
10648		if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10649			offset = 1;
10650		} else {
10651			offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10652		}
10653		if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->cumulative_tsn)) {
10654			/* we have a gap .. maybe */
10655			for (i = 0; i < siz; i++) {
10656				tsn_map = asoc->nr_mapping_array[i];
10657				if (i == 0) {
10658					/*
10659					 * Clear all bits corresponding to
10660					 * TSNs smaller or equal to the
10661					 * cumulative TSN.
10662					 */
10663					tsn_map &= (~0 << (1 - offset));
10664				}
10665				selector = &sack_array[tsn_map];
10666				if (mergeable && selector->right_edge) {
10667					/*
10668					 * Backup, left and right edges were
10669					 * ok to merge.
10670					 */
10671					num_nr_gap_blocks--;
10672					gap_descriptor--;
10673				}
10674				if (selector->num_entries == 0)
10675					mergeable = 0;
10676				else {
10677					for (j = 0; j < selector->num_entries; j++) {
10678						if (mergeable && selector->right_edge) {
10679							/*
10680							 * do a merge by NOT
10681							 * setting the left
10682							 * side
10683							 */
10684							mergeable = 0;
10685						} else {
10686							/*
10687							 * no merge, set the
10688							 * left side
10689							 */
10690							mergeable = 0;
10691							gap_descriptor->start = htons((selector->gaps[j].start + offset));
10692						}
10693						gap_descriptor->end = htons((selector->gaps[j].end + offset));
10694						num_nr_gap_blocks++;
10695						gap_descriptor++;
10696						if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10697							/* no more room */
10698							limit_reached = 1;
10699							break;
10700						}
10701					}
10702					if (selector->left_edge) {
10703						mergeable = 1;
10704					}
10705				}
10706				if (limit_reached) {
10707					/* Reached the limit stop */
10708					break;
10709				}
10710				offset += 8;
10711			}
10712		}
10713	}
10714	/* now we must add any dups we are going to report. */
10715	if ((limit_reached == 0) && (asoc->numduptsns)) {
10716		dup = (uint32_t *) gap_descriptor;
10717		for (i = 0; i < asoc->numduptsns; i++) {
10718			*dup = htonl(asoc->dup_tsns[i]);
10719			dup++;
10720			num_dups++;
10721			if (((caddr_t)dup + sizeof(uint32_t)) > limit) {
10722				/* no more room */
10723				break;
10724			}
10725		}
10726		asoc->numduptsns = 0;
10727	}
10728	/*
10729	 * now that the chunk is prepared queue it to the control chunk
10730	 * queue.
10731	 */
10732	if (type == SCTP_SELECTIVE_ACK) {
10733		a_chk->send_size = sizeof(struct sctp_sack_chunk) +
10734		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10735		    num_dups * sizeof(int32_t);
10736		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10737		sack->sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10738		sack->sack.a_rwnd = htonl(asoc->my_rwnd);
10739		sack->sack.num_gap_ack_blks = htons(num_gap_blocks);
10740		sack->sack.num_dup_tsns = htons(num_dups);
10741		sack->ch.chunk_type = type;
10742		sack->ch.chunk_flags = flags;
10743		sack->ch.chunk_length = htons(a_chk->send_size);
10744	} else {
10745		a_chk->send_size = sizeof(struct sctp_nr_sack_chunk) +
10746		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10747		    num_dups * sizeof(int32_t);
10748		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10749		nr_sack->nr_sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10750		nr_sack->nr_sack.a_rwnd = htonl(asoc->my_rwnd);
10751		nr_sack->nr_sack.num_gap_ack_blks = htons(num_gap_blocks);
10752		nr_sack->nr_sack.num_nr_gap_ack_blks = htons(num_nr_gap_blocks);
10753		nr_sack->nr_sack.num_dup_tsns = htons(num_dups);
10754		nr_sack->nr_sack.reserved = 0;
10755		nr_sack->ch.chunk_type = type;
10756		nr_sack->ch.chunk_flags = flags;
10757		nr_sack->ch.chunk_length = htons(a_chk->send_size);
10758	}
10759	TAILQ_INSERT_TAIL(&asoc->control_send_queue, a_chk, sctp_next);
10760	asoc->my_last_reported_rwnd = asoc->my_rwnd;
10761	asoc->ctrl_queue_cnt++;
10762	asoc->send_sack = 0;
10763	SCTP_STAT_INCR(sctps_sendsacks);
10764	return;
10765}
10766
10767void
10768sctp_send_abort_tcb(struct sctp_tcb *stcb, struct mbuf *operr, int so_locked
10769#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
10770    SCTP_UNUSED
10771#endif
10772)
10773{
10774	struct mbuf *m_abort, *m, *m_last;
10775	struct mbuf *m_out, *m_end = NULL;
10776	struct sctp_abort_chunk *abort;
10777	struct sctp_auth_chunk *auth = NULL;
10778	struct sctp_nets *net;
10779	uint32_t vtag;
10780	uint32_t auth_offset = 0;
10781	uint16_t cause_len, chunk_len, padding_len;
10782
10783	SCTP_TCB_LOCK_ASSERT(stcb);
10784	/*-
10785	 * Add an AUTH chunk, if chunk requires it and save the offset into
10786	 * the chain for AUTH
10787	 */
10788	if (sctp_auth_is_required_chunk(SCTP_ABORT_ASSOCIATION,
10789	    stcb->asoc.peer_auth_chunks)) {
10790		m_out = sctp_add_auth_chunk(NULL, &m_end, &auth, &auth_offset,
10791		    stcb, SCTP_ABORT_ASSOCIATION);
10792		SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10793	} else {
10794		m_out = NULL;
10795	}
10796	m_abort = sctp_get_mbuf_for_msg(sizeof(struct sctp_abort_chunk), 0, M_NOWAIT, 1, MT_HEADER);
10797	if (m_abort == NULL) {
10798		if (m_out) {
10799			sctp_m_freem(m_out);
10800		}
10801		if (operr) {
10802			sctp_m_freem(operr);
10803		}
10804		return;
10805	}
10806	/* link in any error */
10807	SCTP_BUF_NEXT(m_abort) = operr;
10808	cause_len = 0;
10809	m_last = NULL;
10810	for (m = operr; m; m = SCTP_BUF_NEXT(m)) {
10811		cause_len += (uint16_t) SCTP_BUF_LEN(m);
10812		if (SCTP_BUF_NEXT(m) == NULL) {
10813			m_last = m;
10814		}
10815	}
10816	SCTP_BUF_LEN(m_abort) = sizeof(struct sctp_abort_chunk);
10817	chunk_len = (uint16_t) sizeof(struct sctp_abort_chunk) + cause_len;
10818	padding_len = SCTP_SIZE32(chunk_len) - chunk_len;
10819	if (m_out == NULL) {
10820		/* NO Auth chunk prepended, so reserve space in front */
10821		SCTP_BUF_RESV_UF(m_abort, SCTP_MIN_OVERHEAD);
10822		m_out = m_abort;
10823	} else {
10824		/* Put AUTH chunk at the front of the chain */
10825		SCTP_BUF_NEXT(m_end) = m_abort;
10826	}
10827	if (stcb->asoc.alternate) {
10828		net = stcb->asoc.alternate;
10829	} else {
10830		net = stcb->asoc.primary_destination;
10831	}
10832	/* Fill in the ABORT chunk header. */
10833	abort = mtod(m_abort, struct sctp_abort_chunk *);
10834	abort->ch.chunk_type = SCTP_ABORT_ASSOCIATION;
10835	if (stcb->asoc.peer_vtag == 0) {
10836		/* This happens iff the assoc is in COOKIE-WAIT state. */
10837		vtag = stcb->asoc.my_vtag;
10838		abort->ch.chunk_flags = SCTP_HAD_NO_TCB;
10839	} else {
10840		vtag = stcb->asoc.peer_vtag;
10841		abort->ch.chunk_flags = 0;
10842	}
10843	abort->ch.chunk_length = htons(chunk_len);
10844	/* Add padding, if necessary. */
10845	if (padding_len > 0) {
10846		if ((m_last == NULL) ||
10847		    (sctp_add_pad_tombuf(m_last, padding_len) == NULL)) {
10848			sctp_m_freem(m_out);
10849			return;
10850		}
10851	}
10852	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
10853	    (struct sockaddr *)&net->ro._l_addr,
10854	    m_out, auth_offset, auth, stcb->asoc.authinfo.active_keyid, 1, 0, 0,
10855	    stcb->sctp_ep->sctp_lport, stcb->rport, htonl(vtag),
10856	    stcb->asoc.primary_destination->port, NULL,
10857	    0, 0,
10858	    so_locked);
10859	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10860}
10861
10862void
10863sctp_send_shutdown_complete(struct sctp_tcb *stcb,
10864    struct sctp_nets *net,
10865    int reflect_vtag)
10866{
10867	/* formulate and SEND a SHUTDOWN-COMPLETE */
10868	struct mbuf *m_shutdown_comp;
10869	struct sctp_shutdown_complete_chunk *shutdown_complete;
10870	uint32_t vtag;
10871	uint8_t flags;
10872
10873	m_shutdown_comp = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
10874	if (m_shutdown_comp == NULL) {
10875		/* no mbuf's */
10876		return;
10877	}
10878	if (reflect_vtag) {
10879		flags = SCTP_HAD_NO_TCB;
10880		vtag = stcb->asoc.my_vtag;
10881	} else {
10882		flags = 0;
10883		vtag = stcb->asoc.peer_vtag;
10884	}
10885	shutdown_complete = mtod(m_shutdown_comp, struct sctp_shutdown_complete_chunk *);
10886	shutdown_complete->ch.chunk_type = SCTP_SHUTDOWN_COMPLETE;
10887	shutdown_complete->ch.chunk_flags = flags;
10888	shutdown_complete->ch.chunk_length = htons(sizeof(struct sctp_shutdown_complete_chunk));
10889	SCTP_BUF_LEN(m_shutdown_comp) = sizeof(struct sctp_shutdown_complete_chunk);
10890	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
10891	    (struct sockaddr *)&net->ro._l_addr,
10892	    m_shutdown_comp, 0, NULL, 0, 1, 0, 0,
10893	    stcb->sctp_ep->sctp_lport, stcb->rport,
10894	    htonl(vtag),
10895	    net->port, NULL,
10896	    0, 0,
10897	    SCTP_SO_NOT_LOCKED);
10898	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10899	return;
10900}
10901
10902static void
10903sctp_send_resp_msg(struct sockaddr *src, struct sockaddr *dst,
10904    struct sctphdr *sh, uint32_t vtag,
10905    uint8_t type, struct mbuf *cause,
10906    uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
10907    uint32_t vrf_id, uint16_t port)
10908{
10909	struct mbuf *o_pak;
10910	struct mbuf *mout;
10911	struct sctphdr *shout;
10912	struct sctp_chunkhdr *ch;
10913
10914#if defined(INET) || defined(INET6)
10915	struct udphdr *udp;
10916	int ret;
10917
10918#endif
10919	int len, cause_len, padding_len;
10920
10921#ifdef INET
10922	struct sockaddr_in *src_sin, *dst_sin;
10923	struct ip *ip;
10924
10925#endif
10926#ifdef INET6
10927	struct sockaddr_in6 *src_sin6, *dst_sin6;
10928	struct ip6_hdr *ip6;
10929
10930#endif
10931
10932	/* Compute the length of the cause and add final padding. */
10933	cause_len = 0;
10934	if (cause != NULL) {
10935		struct mbuf *m_at, *m_last = NULL;
10936
10937		for (m_at = cause; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
10938			if (SCTP_BUF_NEXT(m_at) == NULL)
10939				m_last = m_at;
10940			cause_len += SCTP_BUF_LEN(m_at);
10941		}
10942		padding_len = cause_len % 4;
10943		if (padding_len != 0) {
10944			padding_len = 4 - padding_len;
10945		}
10946		if (padding_len != 0) {
10947			if (sctp_add_pad_tombuf(m_last, padding_len) == NULL) {
10948				sctp_m_freem(cause);
10949				return;
10950			}
10951		}
10952	} else {
10953		padding_len = 0;
10954	}
10955	/* Get an mbuf for the header. */
10956	len = sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
10957	switch (dst->sa_family) {
10958#ifdef INET
10959	case AF_INET:
10960		len += sizeof(struct ip);
10961		break;
10962#endif
10963#ifdef INET6
10964	case AF_INET6:
10965		len += sizeof(struct ip6_hdr);
10966		break;
10967#endif
10968	default:
10969		break;
10970	}
10971#if defined(INET) || defined(INET6)
10972	if (port) {
10973		len += sizeof(struct udphdr);
10974	}
10975#endif
10976	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_NOWAIT, 1, MT_DATA);
10977	if (mout == NULL) {
10978		if (cause) {
10979			sctp_m_freem(cause);
10980		}
10981		return;
10982	}
10983	SCTP_BUF_RESV_UF(mout, max_linkhdr);
10984	SCTP_BUF_LEN(mout) = len;
10985	SCTP_BUF_NEXT(mout) = cause;
10986	M_SETFIB(mout, fibnum);
10987	mout->m_pkthdr.flowid = mflowid;
10988	M_HASHTYPE_SET(mout, mflowtype);
10989#ifdef INET
10990	ip = NULL;
10991#endif
10992#ifdef INET6
10993	ip6 = NULL;
10994#endif
10995	switch (dst->sa_family) {
10996#ifdef INET
10997	case AF_INET:
10998		src_sin = (struct sockaddr_in *)src;
10999		dst_sin = (struct sockaddr_in *)dst;
11000		ip = mtod(mout, struct ip *);
11001		ip->ip_v = IPVERSION;
11002		ip->ip_hl = (sizeof(struct ip) >> 2);
11003		ip->ip_tos = 0;
11004		ip->ip_id = ip_newid();
11005		ip->ip_off = 0;
11006		ip->ip_ttl = MODULE_GLOBAL(ip_defttl);
11007		if (port) {
11008			ip->ip_p = IPPROTO_UDP;
11009		} else {
11010			ip->ip_p = IPPROTO_SCTP;
11011		}
11012		ip->ip_src.s_addr = dst_sin->sin_addr.s_addr;
11013		ip->ip_dst.s_addr = src_sin->sin_addr.s_addr;
11014		ip->ip_sum = 0;
11015		len = sizeof(struct ip);
11016		shout = (struct sctphdr *)((caddr_t)ip + len);
11017		break;
11018#endif
11019#ifdef INET6
11020	case AF_INET6:
11021		src_sin6 = (struct sockaddr_in6 *)src;
11022		dst_sin6 = (struct sockaddr_in6 *)dst;
11023		ip6 = mtod(mout, struct ip6_hdr *);
11024		ip6->ip6_flow = htonl(0x60000000);
11025		if (V_ip6_auto_flowlabel) {
11026			ip6->ip6_flow |= (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
11027		}
11028		ip6->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
11029		if (port) {
11030			ip6->ip6_nxt = IPPROTO_UDP;
11031		} else {
11032			ip6->ip6_nxt = IPPROTO_SCTP;
11033		}
11034		ip6->ip6_src = dst_sin6->sin6_addr;
11035		ip6->ip6_dst = src_sin6->sin6_addr;
11036		len = sizeof(struct ip6_hdr);
11037		shout = (struct sctphdr *)((caddr_t)ip6 + len);
11038		break;
11039#endif
11040	default:
11041		len = 0;
11042		shout = mtod(mout, struct sctphdr *);
11043		break;
11044	}
11045#if defined(INET) || defined(INET6)
11046	if (port) {
11047		if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
11048			sctp_m_freem(mout);
11049			return;
11050		}
11051		udp = (struct udphdr *)shout;
11052		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
11053		udp->uh_dport = port;
11054		udp->uh_sum = 0;
11055		udp->uh_ulen = htons(sizeof(struct udphdr) +
11056		    sizeof(struct sctphdr) +
11057		    sizeof(struct sctp_chunkhdr) +
11058		    cause_len + padding_len);
11059		len += sizeof(struct udphdr);
11060		shout = (struct sctphdr *)((caddr_t)shout + sizeof(struct udphdr));
11061	} else {
11062		udp = NULL;
11063	}
11064#endif
11065	shout->src_port = sh->dest_port;
11066	shout->dest_port = sh->src_port;
11067	shout->checksum = 0;
11068	if (vtag) {
11069		shout->v_tag = htonl(vtag);
11070	} else {
11071		shout->v_tag = sh->v_tag;
11072	}
11073	len += sizeof(struct sctphdr);
11074	ch = (struct sctp_chunkhdr *)((caddr_t)shout + sizeof(struct sctphdr));
11075	ch->chunk_type = type;
11076	if (vtag) {
11077		ch->chunk_flags = 0;
11078	} else {
11079		ch->chunk_flags = SCTP_HAD_NO_TCB;
11080	}
11081	ch->chunk_length = htons(sizeof(struct sctp_chunkhdr) + cause_len);
11082	len += sizeof(struct sctp_chunkhdr);
11083	len += cause_len + padding_len;
11084
11085	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
11086		sctp_m_freem(mout);
11087		return;
11088	}
11089	SCTP_ATTACH_CHAIN(o_pak, mout, len);
11090	switch (dst->sa_family) {
11091#ifdef INET
11092	case AF_INET:
11093		if (port) {
11094			if (V_udp_cksum) {
11095				udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11096			} else {
11097				udp->uh_sum = 0;
11098			}
11099		}
11100		ip->ip_len = htons(len);
11101		if (port) {
11102#if defined(SCTP_WITH_NO_CSUM)
11103			SCTP_STAT_INCR(sctps_sendnocrc);
11104#else
11105			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip) + sizeof(struct udphdr));
11106			SCTP_STAT_INCR(sctps_sendswcrc);
11107#endif
11108			if (V_udp_cksum) {
11109				SCTP_ENABLE_UDP_CSUM(o_pak);
11110			}
11111		} else {
11112#if defined(SCTP_WITH_NO_CSUM)
11113			SCTP_STAT_INCR(sctps_sendnocrc);
11114#else
11115			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11116			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11117			SCTP_STAT_INCR(sctps_sendhwcrc);
11118#endif
11119		}
11120#ifdef SCTP_PACKET_LOGGING
11121		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11122			sctp_packet_log(o_pak);
11123		}
11124#endif
11125		SCTP_IP_OUTPUT(ret, o_pak, NULL, NULL, vrf_id);
11126		break;
11127#endif
11128#ifdef INET6
11129	case AF_INET6:
11130		ip6->ip6_plen = len - sizeof(struct ip6_hdr);
11131		if (port) {
11132#if defined(SCTP_WITH_NO_CSUM)
11133			SCTP_STAT_INCR(sctps_sendnocrc);
11134#else
11135			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
11136			SCTP_STAT_INCR(sctps_sendswcrc);
11137#endif
11138			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), len - sizeof(struct ip6_hdr))) == 0) {
11139				udp->uh_sum = 0xffff;
11140			}
11141		} else {
11142#if defined(SCTP_WITH_NO_CSUM)
11143			SCTP_STAT_INCR(sctps_sendnocrc);
11144#else
11145			mout->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
11146			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11147			SCTP_STAT_INCR(sctps_sendhwcrc);
11148#endif
11149		}
11150#ifdef SCTP_PACKET_LOGGING
11151		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11152			sctp_packet_log(o_pak);
11153		}
11154#endif
11155		SCTP_IP6_OUTPUT(ret, o_pak, NULL, NULL, NULL, vrf_id);
11156		break;
11157#endif
11158	default:
11159		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
11160		    dst->sa_family);
11161		sctp_m_freem(mout);
11162		SCTP_LTRACE_ERR_RET_PKT(mout, NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
11163		return;
11164	}
11165	SCTP_STAT_INCR(sctps_sendpackets);
11166	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
11167	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11168	return;
11169}
11170
11171void
11172sctp_send_shutdown_complete2(struct sockaddr *src, struct sockaddr *dst,
11173    struct sctphdr *sh,
11174    uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
11175    uint32_t vrf_id, uint16_t port)
11176{
11177	sctp_send_resp_msg(src, dst, sh, 0, SCTP_SHUTDOWN_COMPLETE, NULL,
11178	    mflowtype, mflowid, fibnum,
11179	    vrf_id, port);
11180}
11181
11182void
11183sctp_send_hb(struct sctp_tcb *stcb, struct sctp_nets *net, int so_locked
11184#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
11185    SCTP_UNUSED
11186#endif
11187)
11188{
11189	struct sctp_tmit_chunk *chk;
11190	struct sctp_heartbeat_chunk *hb;
11191	struct timeval now;
11192
11193	SCTP_TCB_LOCK_ASSERT(stcb);
11194	if (net == NULL) {
11195		return;
11196	}
11197	(void)SCTP_GETTIME_TIMEVAL(&now);
11198	switch (net->ro._l_addr.sa.sa_family) {
11199#ifdef INET
11200	case AF_INET:
11201		break;
11202#endif
11203#ifdef INET6
11204	case AF_INET6:
11205		break;
11206#endif
11207	default:
11208		return;
11209	}
11210	sctp_alloc_a_chunk(stcb, chk);
11211	if (chk == NULL) {
11212		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak, can't get a chunk for hb\n");
11213		return;
11214	}
11215	chk->copy_by_ref = 0;
11216	chk->rec.chunk_id.id = SCTP_HEARTBEAT_REQUEST;
11217	chk->rec.chunk_id.can_take_data = 1;
11218	chk->flags = 0;
11219	chk->asoc = &stcb->asoc;
11220	chk->send_size = sizeof(struct sctp_heartbeat_chunk);
11221
11222	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11223	if (chk->data == NULL) {
11224		sctp_free_a_chunk(stcb, chk, so_locked);
11225		return;
11226	}
11227	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11228	SCTP_BUF_LEN(chk->data) = chk->send_size;
11229	chk->sent = SCTP_DATAGRAM_UNSENT;
11230	chk->snd_count = 0;
11231	chk->whoTo = net;
11232	atomic_add_int(&chk->whoTo->ref_count, 1);
11233	/* Now we have a mbuf that we can fill in with the details */
11234	hb = mtod(chk->data, struct sctp_heartbeat_chunk *);
11235	memset(hb, 0, sizeof(struct sctp_heartbeat_chunk));
11236	/* fill out chunk header */
11237	hb->ch.chunk_type = SCTP_HEARTBEAT_REQUEST;
11238	hb->ch.chunk_flags = 0;
11239	hb->ch.chunk_length = htons(chk->send_size);
11240	/* Fill out hb parameter */
11241	hb->heartbeat.hb_info.ph.param_type = htons(SCTP_HEARTBEAT_INFO);
11242	hb->heartbeat.hb_info.ph.param_length = htons(sizeof(struct sctp_heartbeat_info_param));
11243	hb->heartbeat.hb_info.time_value_1 = now.tv_sec;
11244	hb->heartbeat.hb_info.time_value_2 = now.tv_usec;
11245	/* Did our user request this one, put it in */
11246	hb->heartbeat.hb_info.addr_family = (uint8_t) net->ro._l_addr.sa.sa_family;
11247	hb->heartbeat.hb_info.addr_len = net->ro._l_addr.sa.sa_len;
11248	if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
11249		/*
11250		 * we only take from the entropy pool if the address is not
11251		 * confirmed.
11252		 */
11253		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
11254		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
11255	} else {
11256		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = 0;
11257		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = 0;
11258	}
11259	switch (net->ro._l_addr.sa.sa_family) {
11260#ifdef INET
11261	case AF_INET:
11262		memcpy(hb->heartbeat.hb_info.address,
11263		    &net->ro._l_addr.sin.sin_addr,
11264		    sizeof(net->ro._l_addr.sin.sin_addr));
11265		break;
11266#endif
11267#ifdef INET6
11268	case AF_INET6:
11269		memcpy(hb->heartbeat.hb_info.address,
11270		    &net->ro._l_addr.sin6.sin6_addr,
11271		    sizeof(net->ro._l_addr.sin6.sin6_addr));
11272		break;
11273#endif
11274	default:
11275		if (chk->data) {
11276			sctp_m_freem(chk->data);
11277			chk->data = NULL;
11278		}
11279		sctp_free_a_chunk(stcb, chk, so_locked);
11280		return;
11281		break;
11282	}
11283	net->hb_responded = 0;
11284	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11285	stcb->asoc.ctrl_queue_cnt++;
11286	SCTP_STAT_INCR(sctps_sendheartbeat);
11287	return;
11288}
11289
11290void
11291sctp_send_ecn_echo(struct sctp_tcb *stcb, struct sctp_nets *net,
11292    uint32_t high_tsn)
11293{
11294	struct sctp_association *asoc;
11295	struct sctp_ecne_chunk *ecne;
11296	struct sctp_tmit_chunk *chk;
11297
11298	if (net == NULL) {
11299		return;
11300	}
11301	asoc = &stcb->asoc;
11302	SCTP_TCB_LOCK_ASSERT(stcb);
11303	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
11304		if ((chk->rec.chunk_id.id == SCTP_ECN_ECHO) && (net == chk->whoTo)) {
11305			/* found a previous ECN_ECHO update it if needed */
11306			uint32_t cnt, ctsn;
11307
11308			ecne = mtod(chk->data, struct sctp_ecne_chunk *);
11309			ctsn = ntohl(ecne->tsn);
11310			if (SCTP_TSN_GT(high_tsn, ctsn)) {
11311				ecne->tsn = htonl(high_tsn);
11312				SCTP_STAT_INCR(sctps_queue_upd_ecne);
11313			}
11314			cnt = ntohl(ecne->num_pkts_since_cwr);
11315			cnt++;
11316			ecne->num_pkts_since_cwr = htonl(cnt);
11317			return;
11318		}
11319	}
11320	/* nope could not find one to update so we must build one */
11321	sctp_alloc_a_chunk(stcb, chk);
11322	if (chk == NULL) {
11323		return;
11324	}
11325	SCTP_STAT_INCR(sctps_queue_upd_ecne);
11326	chk->copy_by_ref = 0;
11327	chk->rec.chunk_id.id = SCTP_ECN_ECHO;
11328	chk->rec.chunk_id.can_take_data = 0;
11329	chk->flags = 0;
11330	chk->asoc = &stcb->asoc;
11331	chk->send_size = sizeof(struct sctp_ecne_chunk);
11332	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11333	if (chk->data == NULL) {
11334		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11335		return;
11336	}
11337	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11338	SCTP_BUF_LEN(chk->data) = chk->send_size;
11339	chk->sent = SCTP_DATAGRAM_UNSENT;
11340	chk->snd_count = 0;
11341	chk->whoTo = net;
11342	atomic_add_int(&chk->whoTo->ref_count, 1);
11343
11344	stcb->asoc.ecn_echo_cnt_onq++;
11345	ecne = mtod(chk->data, struct sctp_ecne_chunk *);
11346	ecne->ch.chunk_type = SCTP_ECN_ECHO;
11347	ecne->ch.chunk_flags = 0;
11348	ecne->ch.chunk_length = htons(sizeof(struct sctp_ecne_chunk));
11349	ecne->tsn = htonl(high_tsn);
11350	ecne->num_pkts_since_cwr = htonl(1);
11351	TAILQ_INSERT_HEAD(&stcb->asoc.control_send_queue, chk, sctp_next);
11352	asoc->ctrl_queue_cnt++;
11353}
11354
11355void
11356sctp_send_packet_dropped(struct sctp_tcb *stcb, struct sctp_nets *net,
11357    struct mbuf *m, int len, int iphlen, int bad_crc)
11358{
11359	struct sctp_association *asoc;
11360	struct sctp_pktdrop_chunk *drp;
11361	struct sctp_tmit_chunk *chk;
11362	uint8_t *datap;
11363	int was_trunc = 0;
11364	int fullsz = 0;
11365	long spc;
11366	int offset;
11367	struct sctp_chunkhdr *ch, chunk_buf;
11368	unsigned int chk_length;
11369
11370	if (!stcb) {
11371		return;
11372	}
11373	asoc = &stcb->asoc;
11374	SCTP_TCB_LOCK_ASSERT(stcb);
11375	if (asoc->pktdrop_supported == 0) {
11376		/*-
11377		 * peer must declare support before I send one.
11378		 */
11379		return;
11380	}
11381	if (stcb->sctp_socket == NULL) {
11382		return;
11383	}
11384	sctp_alloc_a_chunk(stcb, chk);
11385	if (chk == NULL) {
11386		return;
11387	}
11388	chk->copy_by_ref = 0;
11389	chk->rec.chunk_id.id = SCTP_PACKET_DROPPED;
11390	chk->rec.chunk_id.can_take_data = 1;
11391	chk->flags = 0;
11392	len -= iphlen;
11393	chk->send_size = len;
11394	/* Validate that we do not have an ABORT in here. */
11395	offset = iphlen + sizeof(struct sctphdr);
11396	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
11397	    sizeof(*ch), (uint8_t *) & chunk_buf);
11398	while (ch != NULL) {
11399		chk_length = ntohs(ch->chunk_length);
11400		if (chk_length < sizeof(*ch)) {
11401			/* break to abort land */
11402			break;
11403		}
11404		switch (ch->chunk_type) {
11405		case SCTP_PACKET_DROPPED:
11406		case SCTP_ABORT_ASSOCIATION:
11407		case SCTP_INITIATION_ACK:
11408			/**
11409			 * We don't respond with an PKT-DROP to an ABORT
11410			 * or PKT-DROP. We also do not respond to an
11411			 * INIT-ACK, because we can't know if the initiation
11412			 * tag is correct or not.
11413			 */
11414			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11415			return;
11416		default:
11417			break;
11418		}
11419		offset += SCTP_SIZE32(chk_length);
11420		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
11421		    sizeof(*ch), (uint8_t *) & chunk_buf);
11422	}
11423
11424	if ((len + SCTP_MAX_OVERHEAD + sizeof(struct sctp_pktdrop_chunk)) >
11425	    min(stcb->asoc.smallest_mtu, MCLBYTES)) {
11426		/*
11427		 * only send 1 mtu worth, trim off the excess on the end.
11428		 */
11429		fullsz = len;
11430		len = min(stcb->asoc.smallest_mtu, MCLBYTES) - SCTP_MAX_OVERHEAD;
11431		was_trunc = 1;
11432	}
11433	chk->asoc = &stcb->asoc;
11434	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
11435	if (chk->data == NULL) {
11436jump_out:
11437		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11438		return;
11439	}
11440	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11441	drp = mtod(chk->data, struct sctp_pktdrop_chunk *);
11442	if (drp == NULL) {
11443		sctp_m_freem(chk->data);
11444		chk->data = NULL;
11445		goto jump_out;
11446	}
11447	chk->book_size = SCTP_SIZE32((chk->send_size + sizeof(struct sctp_pktdrop_chunk) +
11448	    sizeof(struct sctphdr) + SCTP_MED_OVERHEAD));
11449	chk->book_size_scale = 0;
11450	if (was_trunc) {
11451		drp->ch.chunk_flags = SCTP_PACKET_TRUNCATED;
11452		drp->trunc_len = htons(fullsz);
11453		/*
11454		 * Len is already adjusted to size minus overhead above take
11455		 * out the pkt_drop chunk itself from it.
11456		 */
11457		chk->send_size = len - sizeof(struct sctp_pktdrop_chunk);
11458		len = chk->send_size;
11459	} else {
11460		/* no truncation needed */
11461		drp->ch.chunk_flags = 0;
11462		drp->trunc_len = htons(0);
11463	}
11464	if (bad_crc) {
11465		drp->ch.chunk_flags |= SCTP_BADCRC;
11466	}
11467	chk->send_size += sizeof(struct sctp_pktdrop_chunk);
11468	SCTP_BUF_LEN(chk->data) = chk->send_size;
11469	chk->sent = SCTP_DATAGRAM_UNSENT;
11470	chk->snd_count = 0;
11471	if (net) {
11472		/* we should hit here */
11473		chk->whoTo = net;
11474		atomic_add_int(&chk->whoTo->ref_count, 1);
11475	} else {
11476		chk->whoTo = NULL;
11477	}
11478	drp->ch.chunk_type = SCTP_PACKET_DROPPED;
11479	drp->ch.chunk_length = htons(chk->send_size);
11480	spc = SCTP_SB_LIMIT_RCV(stcb->sctp_socket);
11481	if (spc < 0) {
11482		spc = 0;
11483	}
11484	drp->bottle_bw = htonl(spc);
11485	if (asoc->my_rwnd) {
11486		drp->current_onq = htonl(asoc->size_on_reasm_queue +
11487		    asoc->size_on_all_streams +
11488		    asoc->my_rwnd_control_len +
11489		    stcb->sctp_socket->so_rcv.sb_cc);
11490	} else {
11491		/*-
11492		 * If my rwnd is 0, possibly from mbuf depletion as well as
11493		 * space used, tell the peer there is NO space aka onq == bw
11494		 */
11495		drp->current_onq = htonl(spc);
11496	}
11497	drp->reserved = 0;
11498	datap = drp->data;
11499	m_copydata(m, iphlen, len, (caddr_t)datap);
11500	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11501	asoc->ctrl_queue_cnt++;
11502}
11503
11504void
11505sctp_send_cwr(struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t high_tsn, uint8_t override)
11506{
11507	struct sctp_association *asoc;
11508	struct sctp_cwr_chunk *cwr;
11509	struct sctp_tmit_chunk *chk;
11510
11511	SCTP_TCB_LOCK_ASSERT(stcb);
11512	if (net == NULL) {
11513		return;
11514	}
11515	asoc = &stcb->asoc;
11516	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
11517		if ((chk->rec.chunk_id.id == SCTP_ECN_CWR) && (net == chk->whoTo)) {
11518			/*
11519			 * found a previous CWR queued to same destination
11520			 * update it if needed
11521			 */
11522			uint32_t ctsn;
11523
11524			cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11525			ctsn = ntohl(cwr->tsn);
11526			if (SCTP_TSN_GT(high_tsn, ctsn)) {
11527				cwr->tsn = htonl(high_tsn);
11528			}
11529			if (override & SCTP_CWR_REDUCE_OVERRIDE) {
11530				/* Make sure override is carried */
11531				cwr->ch.chunk_flags |= SCTP_CWR_REDUCE_OVERRIDE;
11532			}
11533			return;
11534		}
11535	}
11536	sctp_alloc_a_chunk(stcb, chk);
11537	if (chk == NULL) {
11538		return;
11539	}
11540	chk->copy_by_ref = 0;
11541	chk->rec.chunk_id.id = SCTP_ECN_CWR;
11542	chk->rec.chunk_id.can_take_data = 1;
11543	chk->flags = 0;
11544	chk->asoc = &stcb->asoc;
11545	chk->send_size = sizeof(struct sctp_cwr_chunk);
11546	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
11547	if (chk->data == NULL) {
11548		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
11549		return;
11550	}
11551	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11552	SCTP_BUF_LEN(chk->data) = chk->send_size;
11553	chk->sent = SCTP_DATAGRAM_UNSENT;
11554	chk->snd_count = 0;
11555	chk->whoTo = net;
11556	atomic_add_int(&chk->whoTo->ref_count, 1);
11557	cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11558	cwr->ch.chunk_type = SCTP_ECN_CWR;
11559	cwr->ch.chunk_flags = override;
11560	cwr->ch.chunk_length = htons(sizeof(struct sctp_cwr_chunk));
11561	cwr->tsn = htonl(high_tsn);
11562	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11563	asoc->ctrl_queue_cnt++;
11564}
11565
11566static int
11567sctp_add_stream_reset_out(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
11568    uint32_t seq, uint32_t resp_seq, uint32_t last_sent)
11569{
11570	uint16_t len, old_len, i;
11571	struct sctp_stream_reset_out_request *req_out;
11572	struct sctp_chunkhdr *ch;
11573	int at;
11574	int number_entries = 0;
11575
11576	ch = mtod(chk->data, struct sctp_chunkhdr *);
11577	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11578	/* get to new offset for the param. */
11579	req_out = (struct sctp_stream_reset_out_request *)((caddr_t)ch + len);
11580	/* now how long will this param be? */
11581	for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
11582		if ((stcb->asoc.strmout[i].state == SCTP_STREAM_RESET_PENDING) &&
11583		    (stcb->asoc.strmout[i].chunks_on_queues == 0) &&
11584		    TAILQ_EMPTY(&stcb->asoc.strmout[i].outqueue)) {
11585			number_entries++;
11586		}
11587	}
11588	if (number_entries == 0) {
11589		return (0);
11590	}
11591	if (number_entries == stcb->asoc.streamoutcnt) {
11592		number_entries = 0;
11593	}
11594	if (number_entries > SCTP_MAX_STREAMS_AT_ONCE_RESET) {
11595		number_entries = SCTP_MAX_STREAMS_AT_ONCE_RESET;
11596	}
11597	len = (sizeof(struct sctp_stream_reset_out_request) + (sizeof(uint16_t) * number_entries));
11598	req_out->ph.param_type = htons(SCTP_STR_RESET_OUT_REQUEST);
11599	req_out->ph.param_length = htons(len);
11600	req_out->request_seq = htonl(seq);
11601	req_out->response_seq = htonl(resp_seq);
11602	req_out->send_reset_at_tsn = htonl(last_sent);
11603	at = 0;
11604	if (number_entries) {
11605		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
11606			if ((stcb->asoc.strmout[i].state == SCTP_STREAM_RESET_PENDING) &&
11607			    (stcb->asoc.strmout[i].chunks_on_queues == 0) &&
11608			    TAILQ_EMPTY(&stcb->asoc.strmout[i].outqueue)) {
11609				req_out->list_of_streams[at] = htons(i);
11610				at++;
11611				stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_IN_FLIGHT;
11612				if (at >= number_entries) {
11613					break;
11614				}
11615			}
11616		}
11617	} else {
11618		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
11619			stcb->asoc.strmout[i].state = SCTP_STREAM_RESET_IN_FLIGHT;
11620		}
11621	}
11622	if (SCTP_SIZE32(len) > len) {
11623		/*-
11624		 * Need to worry about the pad we may end up adding to the
11625		 * end. This is easy since the struct is either aligned to 4
11626		 * bytes or 2 bytes off.
11627		 */
11628		req_out->list_of_streams[number_entries] = 0;
11629	}
11630	/* now fix the chunk length */
11631	ch->chunk_length = htons(len + old_len);
11632	chk->book_size = len + old_len;
11633	chk->book_size_scale = 0;
11634	chk->send_size = SCTP_SIZE32(chk->book_size);
11635	SCTP_BUF_LEN(chk->data) = chk->send_size;
11636	return (1);
11637}
11638
11639static void
11640sctp_add_stream_reset_in(struct sctp_tmit_chunk *chk,
11641    int number_entries, uint16_t * list,
11642    uint32_t seq)
11643{
11644	uint16_t len, old_len, i;
11645	struct sctp_stream_reset_in_request *req_in;
11646	struct sctp_chunkhdr *ch;
11647
11648	ch = mtod(chk->data, struct sctp_chunkhdr *);
11649	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11650
11651	/* get to new offset for the param. */
11652	req_in = (struct sctp_stream_reset_in_request *)((caddr_t)ch + len);
11653	/* now how long will this param be? */
11654	len = (sizeof(struct sctp_stream_reset_in_request) + (sizeof(uint16_t) * number_entries));
11655	req_in->ph.param_type = htons(SCTP_STR_RESET_IN_REQUEST);
11656	req_in->ph.param_length = htons(len);
11657	req_in->request_seq = htonl(seq);
11658	if (number_entries) {
11659		for (i = 0; i < number_entries; i++) {
11660			req_in->list_of_streams[i] = htons(list[i]);
11661		}
11662	}
11663	if (SCTP_SIZE32(len) > len) {
11664		/*-
11665		 * Need to worry about the pad we may end up adding to the
11666		 * end. This is easy since the struct is either aligned to 4
11667		 * bytes or 2 bytes off.
11668		 */
11669		req_in->list_of_streams[number_entries] = 0;
11670	}
11671	/* now fix the chunk length */
11672	ch->chunk_length = htons(len + old_len);
11673	chk->book_size = len + old_len;
11674	chk->book_size_scale = 0;
11675	chk->send_size = SCTP_SIZE32(chk->book_size);
11676	SCTP_BUF_LEN(chk->data) = chk->send_size;
11677	return;
11678}
11679
11680static void
11681sctp_add_stream_reset_tsn(struct sctp_tmit_chunk *chk,
11682    uint32_t seq)
11683{
11684	uint16_t len, old_len;
11685	struct sctp_stream_reset_tsn_request *req_tsn;
11686	struct sctp_chunkhdr *ch;
11687
11688	ch = mtod(chk->data, struct sctp_chunkhdr *);
11689	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11690
11691	/* get to new offset for the param. */
11692	req_tsn = (struct sctp_stream_reset_tsn_request *)((caddr_t)ch + len);
11693	/* now how long will this param be? */
11694	len = sizeof(struct sctp_stream_reset_tsn_request);
11695	req_tsn->ph.param_type = htons(SCTP_STR_RESET_TSN_REQUEST);
11696	req_tsn->ph.param_length = htons(len);
11697	req_tsn->request_seq = htonl(seq);
11698
11699	/* now fix the chunk length */
11700	ch->chunk_length = htons(len + old_len);
11701	chk->send_size = len + old_len;
11702	chk->book_size = SCTP_SIZE32(chk->send_size);
11703	chk->book_size_scale = 0;
11704	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
11705	return;
11706}
11707
11708void
11709sctp_add_stream_reset_result(struct sctp_tmit_chunk *chk,
11710    uint32_t resp_seq, uint32_t result)
11711{
11712	uint16_t len, old_len;
11713	struct sctp_stream_reset_response *resp;
11714	struct sctp_chunkhdr *ch;
11715
11716	ch = mtod(chk->data, struct sctp_chunkhdr *);
11717	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11718
11719	/* get to new offset for the param. */
11720	resp = (struct sctp_stream_reset_response *)((caddr_t)ch + len);
11721	/* now how long will this param be? */
11722	len = sizeof(struct sctp_stream_reset_response);
11723	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
11724	resp->ph.param_length = htons(len);
11725	resp->response_seq = htonl(resp_seq);
11726	resp->result = ntohl(result);
11727
11728	/* now fix the chunk length */
11729	ch->chunk_length = htons(len + old_len);
11730	chk->book_size = len + old_len;
11731	chk->book_size_scale = 0;
11732	chk->send_size = SCTP_SIZE32(chk->book_size);
11733	SCTP_BUF_LEN(chk->data) = chk->send_size;
11734	return;
11735}
11736
11737void
11738sctp_send_deferred_reset_response(struct sctp_tcb *stcb,
11739    struct sctp_stream_reset_list *ent,
11740    int response)
11741{
11742	struct sctp_association *asoc;
11743	struct sctp_tmit_chunk *chk;
11744	struct sctp_chunkhdr *ch;
11745
11746	asoc = &stcb->asoc;
11747
11748	/*
11749	 * Reset our last reset action to the new one IP -> response
11750	 * (PERFORMED probably). This assures that if we fail to send, a
11751	 * retran from the peer will get the new response.
11752	 */
11753	asoc->last_reset_action[0] = response;
11754	if (asoc->stream_reset_outstanding) {
11755		return;
11756	}
11757	sctp_alloc_a_chunk(stcb, chk);
11758	if (chk == NULL) {
11759		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11760		return;
11761	}
11762	chk->copy_by_ref = 0;
11763	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
11764	chk->rec.chunk_id.can_take_data = 0;
11765	chk->flags = 0;
11766	chk->asoc = &stcb->asoc;
11767	chk->book_size = sizeof(struct sctp_chunkhdr);
11768	chk->send_size = SCTP_SIZE32(chk->book_size);
11769	chk->book_size_scale = 0;
11770	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
11771	if (chk->data == NULL) {
11772		sctp_free_a_chunk(stcb, chk, SCTP_SO_LOCKED);
11773		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11774		return;
11775	}
11776	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11777	sctp_add_stream_reset_result(chk, ent->seq, response);
11778	/* setup chunk parameters */
11779	chk->sent = SCTP_DATAGRAM_UNSENT;
11780	chk->snd_count = 0;
11781	if (stcb->asoc.alternate) {
11782		chk->whoTo = stcb->asoc.alternate;
11783	} else {
11784		chk->whoTo = stcb->asoc.primary_destination;
11785	}
11786	ch = mtod(chk->data, struct sctp_chunkhdr *);
11787	ch->chunk_type = SCTP_STREAM_RESET;
11788	ch->chunk_flags = 0;
11789	ch->chunk_length = htons(chk->book_size);
11790	atomic_add_int(&chk->whoTo->ref_count, 1);
11791	SCTP_BUF_LEN(chk->data) = chk->send_size;
11792	/* insert the chunk for sending */
11793	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
11794	    chk,
11795	    sctp_next);
11796	asoc->ctrl_queue_cnt++;
11797}
11798
11799void
11800sctp_add_stream_reset_result_tsn(struct sctp_tmit_chunk *chk,
11801    uint32_t resp_seq, uint32_t result,
11802    uint32_t send_una, uint32_t recv_next)
11803{
11804	uint16_t len, old_len;
11805	struct sctp_stream_reset_response_tsn *resp;
11806	struct sctp_chunkhdr *ch;
11807
11808	ch = mtod(chk->data, struct sctp_chunkhdr *);
11809	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11810
11811	/* get to new offset for the param. */
11812	resp = (struct sctp_stream_reset_response_tsn *)((caddr_t)ch + len);
11813	/* now how long will this param be? */
11814	len = sizeof(struct sctp_stream_reset_response_tsn);
11815	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
11816	resp->ph.param_length = htons(len);
11817	resp->response_seq = htonl(resp_seq);
11818	resp->result = htonl(result);
11819	resp->senders_next_tsn = htonl(send_una);
11820	resp->receivers_next_tsn = htonl(recv_next);
11821
11822	/* now fix the chunk length */
11823	ch->chunk_length = htons(len + old_len);
11824	chk->book_size = len + old_len;
11825	chk->send_size = SCTP_SIZE32(chk->book_size);
11826	chk->book_size_scale = 0;
11827	SCTP_BUF_LEN(chk->data) = chk->send_size;
11828	return;
11829}
11830
11831static void
11832sctp_add_an_out_stream(struct sctp_tmit_chunk *chk,
11833    uint32_t seq,
11834    uint16_t adding)
11835{
11836	uint16_t len, old_len;
11837	struct sctp_chunkhdr *ch;
11838	struct sctp_stream_reset_add_strm *addstr;
11839
11840	ch = mtod(chk->data, struct sctp_chunkhdr *);
11841	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11842
11843	/* get to new offset for the param. */
11844	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
11845	/* now how long will this param be? */
11846	len = sizeof(struct sctp_stream_reset_add_strm);
11847
11848	/* Fill it out. */
11849	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_OUT_STREAMS);
11850	addstr->ph.param_length = htons(len);
11851	addstr->request_seq = htonl(seq);
11852	addstr->number_of_streams = htons(adding);
11853	addstr->reserved = 0;
11854
11855	/* now fix the chunk length */
11856	ch->chunk_length = htons(len + old_len);
11857	chk->send_size = len + old_len;
11858	chk->book_size = SCTP_SIZE32(chk->send_size);
11859	chk->book_size_scale = 0;
11860	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
11861	return;
11862}
11863
11864static void
11865sctp_add_an_in_stream(struct sctp_tmit_chunk *chk,
11866    uint32_t seq,
11867    uint16_t adding)
11868{
11869	uint16_t len, old_len;
11870	struct sctp_chunkhdr *ch;
11871	struct sctp_stream_reset_add_strm *addstr;
11872
11873	ch = mtod(chk->data, struct sctp_chunkhdr *);
11874	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11875
11876	/* get to new offset for the param. */
11877	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
11878	/* now how long will this param be? */
11879	len = sizeof(struct sctp_stream_reset_add_strm);
11880	/* Fill it out. */
11881	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_IN_STREAMS);
11882	addstr->ph.param_length = htons(len);
11883	addstr->request_seq = htonl(seq);
11884	addstr->number_of_streams = htons(adding);
11885	addstr->reserved = 0;
11886
11887	/* now fix the chunk length */
11888	ch->chunk_length = htons(len + old_len);
11889	chk->send_size = len + old_len;
11890	chk->book_size = SCTP_SIZE32(chk->send_size);
11891	chk->book_size_scale = 0;
11892	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
11893	return;
11894}
11895
11896int
11897sctp_send_stream_reset_out_if_possible(struct sctp_tcb *stcb, int so_locked)
11898{
11899	struct sctp_association *asoc;
11900	struct sctp_tmit_chunk *chk;
11901	struct sctp_chunkhdr *ch;
11902	uint32_t seq;
11903
11904	asoc = &stcb->asoc;
11905	asoc->trigger_reset = 0;
11906	if (asoc->stream_reset_outstanding) {
11907		return (EALREADY);
11908	}
11909	sctp_alloc_a_chunk(stcb, chk);
11910	if (chk == NULL) {
11911		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11912		return (ENOMEM);
11913	}
11914	chk->copy_by_ref = 0;
11915	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
11916	chk->rec.chunk_id.can_take_data = 0;
11917	chk->flags = 0;
11918	chk->asoc = &stcb->asoc;
11919	chk->book_size = sizeof(struct sctp_chunkhdr);
11920	chk->send_size = SCTP_SIZE32(chk->book_size);
11921	chk->book_size_scale = 0;
11922	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
11923	if (chk->data == NULL) {
11924		sctp_free_a_chunk(stcb, chk, so_locked);
11925		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11926		return (ENOMEM);
11927	}
11928	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11929
11930	/* setup chunk parameters */
11931	chk->sent = SCTP_DATAGRAM_UNSENT;
11932	chk->snd_count = 0;
11933	if (stcb->asoc.alternate) {
11934		chk->whoTo = stcb->asoc.alternate;
11935	} else {
11936		chk->whoTo = stcb->asoc.primary_destination;
11937	}
11938	ch = mtod(chk->data, struct sctp_chunkhdr *);
11939	ch->chunk_type = SCTP_STREAM_RESET;
11940	ch->chunk_flags = 0;
11941	ch->chunk_length = htons(chk->book_size);
11942	atomic_add_int(&chk->whoTo->ref_count, 1);
11943	SCTP_BUF_LEN(chk->data) = chk->send_size;
11944	seq = stcb->asoc.str_reset_seq_out;
11945	if (sctp_add_stream_reset_out(stcb, chk, seq, (stcb->asoc.str_reset_seq_in - 1), (stcb->asoc.sending_seq - 1))) {
11946		seq++;
11947		asoc->stream_reset_outstanding++;
11948	} else {
11949		m_freem(chk->data);
11950		chk->data = NULL;
11951		sctp_free_a_chunk(stcb, chk, so_locked);
11952		return (ENOENT);
11953	}
11954	asoc->str_reset = chk;
11955	/* insert the chunk for sending */
11956	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
11957	    chk,
11958	    sctp_next);
11959	asoc->ctrl_queue_cnt++;
11960
11961	if (stcb->asoc.send_sack) {
11962		sctp_send_sack(stcb, so_locked);
11963	}
11964	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
11965	return (0);
11966}
11967
11968int
11969sctp_send_str_reset_req(struct sctp_tcb *stcb,
11970    uint16_t number_entries, uint16_t * list,
11971    uint8_t send_in_req,
11972    uint8_t send_tsn_req,
11973    uint8_t add_stream,
11974    uint16_t adding_o,
11975    uint16_t adding_i, uint8_t peer_asked)
11976{
11977	struct sctp_association *asoc;
11978	struct sctp_tmit_chunk *chk;
11979	struct sctp_chunkhdr *ch;
11980	int can_send_out_req = 0;
11981	uint32_t seq;
11982
11983	asoc = &stcb->asoc;
11984	if (asoc->stream_reset_outstanding) {
11985		/*-
11986		 * Already one pending, must get ACK back to clear the flag.
11987		 */
11988		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EBUSY);
11989		return (EBUSY);
11990	}
11991	if ((send_in_req == 0) && (send_tsn_req == 0) &&
11992	    (add_stream == 0)) {
11993		/* nothing to do */
11994		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
11995		return (EINVAL);
11996	}
11997	if (send_tsn_req && send_in_req) {
11998		/* error, can't do that */
11999		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12000		return (EINVAL);
12001	} else if (send_in_req) {
12002		can_send_out_req = 1;
12003	}
12004	if (number_entries > (MCLBYTES -
12005	    SCTP_MIN_OVERHEAD -
12006	    sizeof(struct sctp_chunkhdr) -
12007	    sizeof(struct sctp_stream_reset_out_request)) /
12008	    sizeof(uint16_t)) {
12009		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12010		return (ENOMEM);
12011	}
12012	sctp_alloc_a_chunk(stcb, chk);
12013	if (chk == NULL) {
12014		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12015		return (ENOMEM);
12016	}
12017	chk->copy_by_ref = 0;
12018	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
12019	chk->rec.chunk_id.can_take_data = 0;
12020	chk->flags = 0;
12021	chk->asoc = &stcb->asoc;
12022	chk->book_size = sizeof(struct sctp_chunkhdr);
12023	chk->send_size = SCTP_SIZE32(chk->book_size);
12024	chk->book_size_scale = 0;
12025
12026	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
12027	if (chk->data == NULL) {
12028		sctp_free_a_chunk(stcb, chk, SCTP_SO_LOCKED);
12029		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12030		return (ENOMEM);
12031	}
12032	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
12033
12034	/* setup chunk parameters */
12035	chk->sent = SCTP_DATAGRAM_UNSENT;
12036	chk->snd_count = 0;
12037	if (stcb->asoc.alternate) {
12038		chk->whoTo = stcb->asoc.alternate;
12039	} else {
12040		chk->whoTo = stcb->asoc.primary_destination;
12041	}
12042	atomic_add_int(&chk->whoTo->ref_count, 1);
12043	ch = mtod(chk->data, struct sctp_chunkhdr *);
12044	ch->chunk_type = SCTP_STREAM_RESET;
12045	ch->chunk_flags = 0;
12046	ch->chunk_length = htons(chk->book_size);
12047	SCTP_BUF_LEN(chk->data) = chk->send_size;
12048
12049	seq = stcb->asoc.str_reset_seq_out;
12050	if (can_send_out_req) {
12051		int ret;
12052
12053		ret = sctp_add_stream_reset_out(stcb, chk, seq, (stcb->asoc.str_reset_seq_in - 1), (stcb->asoc.sending_seq - 1));
12054		if (ret) {
12055			seq++;
12056			asoc->stream_reset_outstanding++;
12057		}
12058	}
12059	if ((add_stream & 1) &&
12060	    ((stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt) < adding_o)) {
12061		/* Need to allocate more */
12062		struct sctp_stream_out *oldstream;
12063		struct sctp_stream_queue_pending *sp, *nsp;
12064		int i;
12065
12066#if defined(SCTP_DETAILED_STR_STATS)
12067		int j;
12068
12069#endif
12070
12071		oldstream = stcb->asoc.strmout;
12072		/* get some more */
12073		SCTP_MALLOC(stcb->asoc.strmout, struct sctp_stream_out *,
12074		    (stcb->asoc.streamoutcnt + adding_o) * sizeof(struct sctp_stream_out),
12075		    SCTP_M_STRMO);
12076		if (stcb->asoc.strmout == NULL) {
12077			uint8_t x;
12078
12079			stcb->asoc.strmout = oldstream;
12080			/* Turn off the bit */
12081			x = add_stream & 0xfe;
12082			add_stream = x;
12083			goto skip_stuff;
12084		}
12085		/*
12086		 * Ok now we proceed with copying the old out stuff and
12087		 * initializing the new stuff.
12088		 */
12089		SCTP_TCB_SEND_LOCK(stcb);
12090		stcb->asoc.ss_functions.sctp_ss_clear(stcb, &stcb->asoc, 0, 1);
12091		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
12092			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
12093			stcb->asoc.strmout[i].chunks_on_queues = oldstream[i].chunks_on_queues;
12094			stcb->asoc.strmout[i].next_sequence_send = oldstream[i].next_sequence_send;
12095			stcb->asoc.strmout[i].last_msg_incomplete = oldstream[i].last_msg_incomplete;
12096			stcb->asoc.strmout[i].stream_no = i;
12097			stcb->asoc.strmout[i].state = oldstream[i].state;
12098			stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], &oldstream[i]);
12099			/* now anything on those queues? */
12100			TAILQ_FOREACH_SAFE(sp, &oldstream[i].outqueue, next, nsp) {
12101				TAILQ_REMOVE(&oldstream[i].outqueue, sp, next);
12102				TAILQ_INSERT_TAIL(&stcb->asoc.strmout[i].outqueue, sp, next);
12103			}
12104			/* Now move assoc pointers too */
12105			if (stcb->asoc.last_out_stream == &oldstream[i]) {
12106				stcb->asoc.last_out_stream = &stcb->asoc.strmout[i];
12107			}
12108			if (stcb->asoc.locked_on_sending == &oldstream[i]) {
12109				stcb->asoc.locked_on_sending = &stcb->asoc.strmout[i];
12110			}
12111		}
12112		/* now the new streams */
12113		stcb->asoc.ss_functions.sctp_ss_init(stcb, &stcb->asoc, 1);
12114		for (i = stcb->asoc.streamoutcnt; i < (stcb->asoc.streamoutcnt + adding_o); i++) {
12115			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
12116			stcb->asoc.strmout[i].chunks_on_queues = 0;
12117#if defined(SCTP_DETAILED_STR_STATS)
12118			for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
12119				stcb->asoc.strmout[i].abandoned_sent[j] = 0;
12120				stcb->asoc.strmout[i].abandoned_unsent[j] = 0;
12121			}
12122#else
12123			stcb->asoc.strmout[i].abandoned_sent[0] = 0;
12124			stcb->asoc.strmout[i].abandoned_unsent[0] = 0;
12125#endif
12126			stcb->asoc.strmout[i].next_sequence_send = 0x0;
12127			stcb->asoc.strmout[i].stream_no = i;
12128			stcb->asoc.strmout[i].last_msg_incomplete = 0;
12129			stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], NULL);
12130			stcb->asoc.strmout[i].state = SCTP_STREAM_CLOSED;
12131		}
12132		stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt + adding_o;
12133		SCTP_FREE(oldstream, SCTP_M_STRMO);
12134		SCTP_TCB_SEND_UNLOCK(stcb);
12135	}
12136skip_stuff:
12137	if ((add_stream & 1) && (adding_o > 0)) {
12138		asoc->strm_pending_add_size = adding_o;
12139		asoc->peer_req_out = peer_asked;
12140		sctp_add_an_out_stream(chk, seq, adding_o);
12141		seq++;
12142		asoc->stream_reset_outstanding++;
12143	}
12144	if ((add_stream & 2) && (adding_i > 0)) {
12145		sctp_add_an_in_stream(chk, seq, adding_i);
12146		seq++;
12147		asoc->stream_reset_outstanding++;
12148	}
12149	if (send_in_req) {
12150		sctp_add_stream_reset_in(chk, number_entries, list, seq);
12151		seq++;
12152		asoc->stream_reset_outstanding++;
12153	}
12154	if (send_tsn_req) {
12155		sctp_add_stream_reset_tsn(chk, seq);
12156		asoc->stream_reset_outstanding++;
12157	}
12158	asoc->str_reset = chk;
12159	/* insert the chunk for sending */
12160	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
12161	    chk,
12162	    sctp_next);
12163	asoc->ctrl_queue_cnt++;
12164	if (stcb->asoc.send_sack) {
12165		sctp_send_sack(stcb, SCTP_SO_LOCKED);
12166	}
12167	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
12168	return (0);
12169}
12170
12171void
12172sctp_send_abort(struct mbuf *m, int iphlen, struct sockaddr *src, struct sockaddr *dst,
12173    struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
12174    uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
12175    uint32_t vrf_id, uint16_t port)
12176{
12177	/* Don't respond to an ABORT with an ABORT. */
12178	if (sctp_is_there_an_abort_here(m, iphlen, &vtag)) {
12179		if (cause)
12180			sctp_m_freem(cause);
12181		return;
12182	}
12183	sctp_send_resp_msg(src, dst, sh, vtag, SCTP_ABORT_ASSOCIATION, cause,
12184	    mflowtype, mflowid, fibnum,
12185	    vrf_id, port);
12186	return;
12187}
12188
12189void
12190sctp_send_operr_to(struct sockaddr *src, struct sockaddr *dst,
12191    struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
12192    uint8_t mflowtype, uint32_t mflowid, uint16_t fibnum,
12193    uint32_t vrf_id, uint16_t port)
12194{
12195	sctp_send_resp_msg(src, dst, sh, vtag, SCTP_OPERATION_ERROR, cause,
12196	    mflowtype, mflowid, fibnum,
12197	    vrf_id, port);
12198	return;
12199}
12200
12201static struct mbuf *
12202sctp_copy_resume(struct uio *uio,
12203    int max_send_len,
12204    int user_marks_eor,
12205    int *error,
12206    uint32_t * sndout,
12207    struct mbuf **new_tail)
12208{
12209	struct mbuf *m;
12210
12211	m = m_uiotombuf(uio, M_WAITOK, max_send_len, 0,
12212	    (M_PKTHDR | (user_marks_eor ? M_EOR : 0)));
12213	if (m == NULL) {
12214		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12215		*error = ENOBUFS;
12216	} else {
12217		*sndout = m_length(m, NULL);
12218		*new_tail = m_last(m);
12219	}
12220	return (m);
12221}
12222
12223static int
12224sctp_copy_one(struct sctp_stream_queue_pending *sp,
12225    struct uio *uio,
12226    int resv_upfront)
12227{
12228	sp->data = m_uiotombuf(uio, M_WAITOK, sp->length,
12229	    resv_upfront, 0);
12230	if (sp->data == NULL) {
12231		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOBUFS);
12232		return (ENOBUFS);
12233	}
12234	sp->tail_mbuf = m_last(sp->data);
12235	return (0);
12236}
12237
12238
12239
12240static struct sctp_stream_queue_pending *
12241sctp_copy_it_in(struct sctp_tcb *stcb,
12242    struct sctp_association *asoc,
12243    struct sctp_sndrcvinfo *srcv,
12244    struct uio *uio,
12245    struct sctp_nets *net,
12246    int max_send_len,
12247    int user_marks_eor,
12248    int *error)
12249{
12250	/*-
12251	 * This routine must be very careful in its work. Protocol
12252	 * processing is up and running so care must be taken to spl...()
12253	 * when you need to do something that may effect the stcb/asoc. The
12254	 * sb is locked however. When data is copied the protocol processing
12255	 * should be enabled since this is a slower operation...
12256	 */
12257	struct sctp_stream_queue_pending *sp = NULL;
12258	int resv_in_first;
12259
12260	*error = 0;
12261	/* Now can we send this? */
12262	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
12263	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
12264	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
12265	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
12266		/* got data while shutting down */
12267		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12268		*error = ECONNRESET;
12269		goto out_now;
12270	}
12271	sctp_alloc_a_strmoq(stcb, sp);
12272	if (sp == NULL) {
12273		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12274		*error = ENOMEM;
12275		goto out_now;
12276	}
12277	sp->act_flags = 0;
12278	sp->sender_all_done = 0;
12279	sp->sinfo_flags = srcv->sinfo_flags;
12280	sp->timetolive = srcv->sinfo_timetolive;
12281	sp->ppid = srcv->sinfo_ppid;
12282	sp->context = srcv->sinfo_context;
12283	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
12284
12285	sp->stream = srcv->sinfo_stream;
12286	sp->length = min(uio->uio_resid, max_send_len);
12287	if ((sp->length == (uint32_t) uio->uio_resid) &&
12288	    ((user_marks_eor == 0) ||
12289	    (srcv->sinfo_flags & SCTP_EOF) ||
12290	    (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
12291		sp->msg_is_complete = 1;
12292	} else {
12293		sp->msg_is_complete = 0;
12294	}
12295	sp->sender_all_done = 0;
12296	sp->some_taken = 0;
12297	sp->put_last_out = 0;
12298	resv_in_first = sizeof(struct sctp_data_chunk);
12299	sp->data = sp->tail_mbuf = NULL;
12300	if (sp->length == 0) {
12301		*error = 0;
12302		goto skip_copy;
12303	}
12304	if (srcv->sinfo_keynumber_valid) {
12305		sp->auth_keyid = srcv->sinfo_keynumber;
12306	} else {
12307		sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
12308	}
12309	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
12310		sctp_auth_key_acquire(stcb, sp->auth_keyid);
12311		sp->holds_key_ref = 1;
12312	}
12313	*error = sctp_copy_one(sp, uio, resv_in_first);
12314skip_copy:
12315	if (*error) {
12316		sctp_free_a_strmoq(stcb, sp, SCTP_SO_LOCKED);
12317		sp = NULL;
12318	} else {
12319		if (sp->sinfo_flags & SCTP_ADDR_OVER) {
12320			sp->net = net;
12321			atomic_add_int(&sp->net->ref_count, 1);
12322		} else {
12323			sp->net = NULL;
12324		}
12325		sctp_set_prsctp_policy(sp);
12326	}
12327out_now:
12328	return (sp);
12329}
12330
12331
12332int
12333sctp_sosend(struct socket *so,
12334    struct sockaddr *addr,
12335    struct uio *uio,
12336    struct mbuf *top,
12337    struct mbuf *control,
12338    int flags,
12339    struct thread *p
12340)
12341{
12342	int error, use_sndinfo = 0;
12343	struct sctp_sndrcvinfo sndrcvninfo;
12344	struct sockaddr *addr_to_use;
12345
12346#if defined(INET) && defined(INET6)
12347	struct sockaddr_in sin;
12348
12349#endif
12350
12351	if (control) {
12352		/* process cmsg snd/rcv info (maybe a assoc-id) */
12353		if (sctp_find_cmsg(SCTP_SNDRCV, (void *)&sndrcvninfo, control,
12354		    sizeof(sndrcvninfo))) {
12355			/* got one */
12356			use_sndinfo = 1;
12357		}
12358	}
12359	addr_to_use = addr;
12360#if defined(INET) && defined(INET6)
12361	if ((addr) && (addr->sa_family == AF_INET6)) {
12362		struct sockaddr_in6 *sin6;
12363
12364		sin6 = (struct sockaddr_in6 *)addr;
12365		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
12366			in6_sin6_2_sin(&sin, sin6);
12367			addr_to_use = (struct sockaddr *)&sin;
12368		}
12369	}
12370#endif
12371	error = sctp_lower_sosend(so, addr_to_use, uio, top,
12372	    control,
12373	    flags,
12374	    use_sndinfo ? &sndrcvninfo : NULL
12375	    ,p
12376	    );
12377	return (error);
12378}
12379
12380
12381int
12382sctp_lower_sosend(struct socket *so,
12383    struct sockaddr *addr,
12384    struct uio *uio,
12385    struct mbuf *i_pak,
12386    struct mbuf *control,
12387    int flags,
12388    struct sctp_sndrcvinfo *srcv
12389    ,
12390    struct thread *p
12391)
12392{
12393	unsigned int sndlen = 0, max_len;
12394	int error, len;
12395	struct mbuf *top = NULL;
12396	int queue_only = 0, queue_only_for_init = 0;
12397	int free_cnt_applied = 0;
12398	int un_sent;
12399	int now_filled = 0;
12400	unsigned int inqueue_bytes = 0;
12401	struct sctp_block_entry be;
12402	struct sctp_inpcb *inp;
12403	struct sctp_tcb *stcb = NULL;
12404	struct timeval now;
12405	struct sctp_nets *net;
12406	struct sctp_association *asoc;
12407	struct sctp_inpcb *t_inp;
12408	int user_marks_eor;
12409	int create_lock_applied = 0;
12410	int nagle_applies = 0;
12411	int some_on_control = 0;
12412	int got_all_of_the_send = 0;
12413	int hold_tcblock = 0;
12414	int non_blocking = 0;
12415	uint32_t local_add_more, local_soresv = 0;
12416	uint16_t port;
12417	uint16_t sinfo_flags;
12418	sctp_assoc_t sinfo_assoc_id;
12419
12420	error = 0;
12421	net = NULL;
12422	stcb = NULL;
12423	asoc = NULL;
12424
12425	t_inp = inp = (struct sctp_inpcb *)so->so_pcb;
12426	if (inp == NULL) {
12427		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12428		error = EINVAL;
12429		if (i_pak) {
12430			SCTP_RELEASE_PKT(i_pak);
12431		}
12432		return (error);
12433	}
12434	if ((uio == NULL) && (i_pak == NULL)) {
12435		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12436		return (EINVAL);
12437	}
12438	user_marks_eor = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
12439	atomic_add_int(&inp->total_sends, 1);
12440	if (uio) {
12441		if (uio->uio_resid < 0) {
12442			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12443			return (EINVAL);
12444		}
12445		sndlen = uio->uio_resid;
12446	} else {
12447		top = SCTP_HEADER_TO_CHAIN(i_pak);
12448		sndlen = SCTP_HEADER_LEN(i_pak);
12449	}
12450	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %d\n",
12451	    (void *)addr,
12452	    sndlen);
12453	if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
12454	    (inp->sctp_socket->so_qlimit)) {
12455		/* The listener can NOT send */
12456		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12457		error = ENOTCONN;
12458		goto out_unlocked;
12459	}
12460	/**
12461	 * Pre-screen address, if one is given the sin-len
12462	 * must be set correctly!
12463	 */
12464	if (addr) {
12465		union sctp_sockstore *raddr = (union sctp_sockstore *)addr;
12466
12467		switch (raddr->sa.sa_family) {
12468#ifdef INET
12469		case AF_INET:
12470			if (raddr->sin.sin_len != sizeof(struct sockaddr_in)) {
12471				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12472				error = EINVAL;
12473				goto out_unlocked;
12474			}
12475			port = raddr->sin.sin_port;
12476			break;
12477#endif
12478#ifdef INET6
12479		case AF_INET6:
12480			if (raddr->sin6.sin6_len != sizeof(struct sockaddr_in6)) {
12481				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12482				error = EINVAL;
12483				goto out_unlocked;
12484			}
12485			port = raddr->sin6.sin6_port;
12486			break;
12487#endif
12488		default:
12489			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAFNOSUPPORT);
12490			error = EAFNOSUPPORT;
12491			goto out_unlocked;
12492		}
12493	} else
12494		port = 0;
12495
12496	if (srcv) {
12497		sinfo_flags = srcv->sinfo_flags;
12498		sinfo_assoc_id = srcv->sinfo_assoc_id;
12499		if (INVALID_SINFO_FLAG(sinfo_flags) ||
12500		    PR_SCTP_INVALID_POLICY(sinfo_flags)) {
12501			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12502			error = EINVAL;
12503			goto out_unlocked;
12504		}
12505		if (srcv->sinfo_flags)
12506			SCTP_STAT_INCR(sctps_sends_with_flags);
12507	} else {
12508		sinfo_flags = inp->def_send.sinfo_flags;
12509		sinfo_assoc_id = inp->def_send.sinfo_assoc_id;
12510	}
12511	if (sinfo_flags & SCTP_SENDALL) {
12512		/* its a sendall */
12513		error = sctp_sendall(inp, uio, top, srcv);
12514		top = NULL;
12515		goto out_unlocked;
12516	}
12517	if ((sinfo_flags & SCTP_ADDR_OVER) && (addr == NULL)) {
12518		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12519		error = EINVAL;
12520		goto out_unlocked;
12521	}
12522	/* now we must find the assoc */
12523	if ((inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) ||
12524	    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
12525		SCTP_INP_RLOCK(inp);
12526		stcb = LIST_FIRST(&inp->sctp_asoc_list);
12527		if (stcb) {
12528			SCTP_TCB_LOCK(stcb);
12529			hold_tcblock = 1;
12530		}
12531		SCTP_INP_RUNLOCK(inp);
12532	} else if (sinfo_assoc_id) {
12533		stcb = sctp_findassociation_ep_asocid(inp, sinfo_assoc_id, 0);
12534	} else if (addr) {
12535		/*-
12536		 * Since we did not use findep we must
12537		 * increment it, and if we don't find a tcb
12538		 * decrement it.
12539		 */
12540		SCTP_INP_WLOCK(inp);
12541		SCTP_INP_INCR_REF(inp);
12542		SCTP_INP_WUNLOCK(inp);
12543		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12544		if (stcb == NULL) {
12545			SCTP_INP_WLOCK(inp);
12546			SCTP_INP_DECR_REF(inp);
12547			SCTP_INP_WUNLOCK(inp);
12548		} else {
12549			hold_tcblock = 1;
12550		}
12551	}
12552	if ((stcb == NULL) && (addr)) {
12553		/* Possible implicit send? */
12554		SCTP_ASOC_CREATE_LOCK(inp);
12555		create_lock_applied = 1;
12556		if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
12557		    (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
12558			/* Should I really unlock ? */
12559			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12560			error = EINVAL;
12561			goto out_unlocked;
12562
12563		}
12564		if (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0) &&
12565		    (addr->sa_family == AF_INET6)) {
12566			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12567			error = EINVAL;
12568			goto out_unlocked;
12569		}
12570		SCTP_INP_WLOCK(inp);
12571		SCTP_INP_INCR_REF(inp);
12572		SCTP_INP_WUNLOCK(inp);
12573		/* With the lock applied look again */
12574		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12575		if ((stcb == NULL) && (control != NULL) && (port > 0)) {
12576			stcb = sctp_findassociation_cmsgs(&t_inp, port, control, &net, &error);
12577		}
12578		if (stcb == NULL) {
12579			SCTP_INP_WLOCK(inp);
12580			SCTP_INP_DECR_REF(inp);
12581			SCTP_INP_WUNLOCK(inp);
12582		} else {
12583			hold_tcblock = 1;
12584		}
12585		if (error) {
12586			goto out_unlocked;
12587		}
12588		if (t_inp != inp) {
12589			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12590			error = ENOTCONN;
12591			goto out_unlocked;
12592		}
12593	}
12594	if (stcb == NULL) {
12595		if (addr == NULL) {
12596			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
12597			error = ENOENT;
12598			goto out_unlocked;
12599		} else {
12600			/* We must go ahead and start the INIT process */
12601			uint32_t vrf_id;
12602
12603			if ((sinfo_flags & SCTP_ABORT) ||
12604			    ((sinfo_flags & SCTP_EOF) && (sndlen == 0))) {
12605				/*-
12606				 * User asks to abort a non-existant assoc,
12607				 * or EOF a non-existant assoc with no data
12608				 */
12609				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
12610				error = ENOENT;
12611				goto out_unlocked;
12612			}
12613			/* get an asoc/stcb struct */
12614			vrf_id = inp->def_vrf_id;
12615#ifdef INVARIANTS
12616			if (create_lock_applied == 0) {
12617				panic("Error, should hold create lock and I don't?");
12618			}
12619#endif
12620			stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id,
12621			    inp->sctp_ep.pre_open_stream_count,
12622			    p
12623			    );
12624			if (stcb == NULL) {
12625				/* Error is setup for us in the call */
12626				goto out_unlocked;
12627			}
12628			if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
12629				stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
12630				/*
12631				 * Set the connected flag so we can queue
12632				 * data
12633				 */
12634				soisconnecting(so);
12635			}
12636			hold_tcblock = 1;
12637			if (create_lock_applied) {
12638				SCTP_ASOC_CREATE_UNLOCK(inp);
12639				create_lock_applied = 0;
12640			} else {
12641				SCTP_PRINTF("Huh-3? create lock should have been on??\n");
12642			}
12643			/*
12644			 * Turn on queue only flag to prevent data from
12645			 * being sent
12646			 */
12647			queue_only = 1;
12648			asoc = &stcb->asoc;
12649			SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
12650			(void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
12651
12652			/* initialize authentication params for the assoc */
12653			sctp_initialize_auth_params(inp, stcb);
12654
12655			if (control) {
12656				if (sctp_process_cmsgs_for_init(stcb, control, &error)) {
12657					sctp_free_assoc(inp, stcb, SCTP_PCBFREE_FORCE,
12658					    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_5);
12659					hold_tcblock = 0;
12660					stcb = NULL;
12661					goto out_unlocked;
12662				}
12663			}
12664			/* out with the INIT */
12665			queue_only_for_init = 1;
12666			/*-
12667			 * we may want to dig in after this call and adjust the MTU
12668			 * value. It defaulted to 1500 (constant) but the ro
12669			 * structure may now have an update and thus we may need to
12670			 * change it BEFORE we append the message.
12671			 */
12672		}
12673	} else
12674		asoc = &stcb->asoc;
12675	if (srcv == NULL)
12676		srcv = (struct sctp_sndrcvinfo *)&asoc->def_send;
12677	if (srcv->sinfo_flags & SCTP_ADDR_OVER) {
12678		if (addr)
12679			net = sctp_findnet(stcb, addr);
12680		else
12681			net = NULL;
12682		if ((net == NULL) ||
12683		    ((port != 0) && (port != stcb->rport))) {
12684			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12685			error = EINVAL;
12686			goto out_unlocked;
12687		}
12688	} else {
12689		if (stcb->asoc.alternate) {
12690			net = stcb->asoc.alternate;
12691		} else {
12692			net = stcb->asoc.primary_destination;
12693		}
12694	}
12695	atomic_add_int(&stcb->total_sends, 1);
12696	/* Keep the stcb from being freed under our feet */
12697	atomic_add_int(&asoc->refcnt, 1);
12698	free_cnt_applied = 1;
12699
12700	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NO_FRAGMENT)) {
12701		if (sndlen > asoc->smallest_mtu) {
12702			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
12703			error = EMSGSIZE;
12704			goto out_unlocked;
12705		}
12706	}
12707	if (SCTP_SO_IS_NBIO(so)
12708	    || (flags & MSG_NBIO)
12709	    ) {
12710		non_blocking = 1;
12711	}
12712	/* would we block? */
12713	if (non_blocking) {
12714		if (hold_tcblock == 0) {
12715			SCTP_TCB_LOCK(stcb);
12716			hold_tcblock = 1;
12717		}
12718		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12719		if ((SCTP_SB_LIMIT_SND(so) < (sndlen + inqueue_bytes + stcb->asoc.sb_send_resv)) ||
12720		    (stcb->asoc.chunks_on_out_queue >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
12721			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EWOULDBLOCK);
12722			if (sndlen > SCTP_SB_LIMIT_SND(so))
12723				error = EMSGSIZE;
12724			else
12725				error = EWOULDBLOCK;
12726			goto out_unlocked;
12727		}
12728		stcb->asoc.sb_send_resv += sndlen;
12729		SCTP_TCB_UNLOCK(stcb);
12730		hold_tcblock = 0;
12731	} else {
12732		atomic_add_int(&stcb->asoc.sb_send_resv, sndlen);
12733	}
12734	local_soresv = sndlen;
12735	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12736		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12737		error = ECONNRESET;
12738		goto out_unlocked;
12739	}
12740	if (create_lock_applied) {
12741		SCTP_ASOC_CREATE_UNLOCK(inp);
12742		create_lock_applied = 0;
12743	}
12744	/* Is the stream no. valid? */
12745	if (srcv->sinfo_stream >= asoc->streamoutcnt) {
12746		/* Invalid stream number */
12747		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12748		error = EINVAL;
12749		goto out_unlocked;
12750	}
12751	if ((asoc->strmout[srcv->sinfo_stream].state != SCTP_STREAM_OPEN) &&
12752	    (asoc->strmout[srcv->sinfo_stream].state != SCTP_STREAM_OPENING)) {
12753		/*
12754		 * Can't queue any data while stream reset is underway.
12755		 */
12756		if (asoc->strmout[srcv->sinfo_stream].state > SCTP_STREAM_OPEN) {
12757			error = EAGAIN;
12758		} else {
12759			error = EINVAL;
12760		}
12761		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, error);
12762		goto out_unlocked;
12763	}
12764	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
12765	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
12766		queue_only = 1;
12767	}
12768	/* we are now done with all control */
12769	if (control) {
12770		sctp_m_freem(control);
12771		control = NULL;
12772	}
12773	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
12774	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
12775	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
12776	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
12777		if (srcv->sinfo_flags & SCTP_ABORT) {
12778			;
12779		} else {
12780			SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12781			error = ECONNRESET;
12782			goto out_unlocked;
12783		}
12784	}
12785	/* Ok, we will attempt a msgsnd :> */
12786	if (p) {
12787		p->td_ru.ru_msgsnd++;
12788	}
12789	/* Are we aborting? */
12790	if (srcv->sinfo_flags & SCTP_ABORT) {
12791		struct mbuf *mm;
12792		int tot_demand, tot_out = 0, max_out;
12793
12794		SCTP_STAT_INCR(sctps_sends_with_abort);
12795		if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
12796		    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
12797			/* It has to be up before we abort */
12798			/* how big is the user initiated abort? */
12799			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12800			error = EINVAL;
12801			goto out;
12802		}
12803		if (hold_tcblock) {
12804			SCTP_TCB_UNLOCK(stcb);
12805			hold_tcblock = 0;
12806		}
12807		if (top) {
12808			struct mbuf *cntm = NULL;
12809
12810			mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_WAITOK, 1, MT_DATA);
12811			if (sndlen != 0) {
12812				for (cntm = top; cntm; cntm = SCTP_BUF_NEXT(cntm)) {
12813					tot_out += SCTP_BUF_LEN(cntm);
12814				}
12815			}
12816		} else {
12817			/* Must fit in a MTU */
12818			tot_out = sndlen;
12819			tot_demand = (tot_out + sizeof(struct sctp_paramhdr));
12820			if (tot_demand > SCTP_DEFAULT_ADD_MORE) {
12821				/* To big */
12822				SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
12823				error = EMSGSIZE;
12824				goto out;
12825			}
12826			mm = sctp_get_mbuf_for_msg(tot_demand, 0, M_WAITOK, 1, MT_DATA);
12827		}
12828		if (mm == NULL) {
12829			SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12830			error = ENOMEM;
12831			goto out;
12832		}
12833		max_out = asoc->smallest_mtu - sizeof(struct sctp_paramhdr);
12834		max_out -= sizeof(struct sctp_abort_msg);
12835		if (tot_out > max_out) {
12836			tot_out = max_out;
12837		}
12838		if (mm) {
12839			struct sctp_paramhdr *ph;
12840
12841			/* now move forward the data pointer */
12842			ph = mtod(mm, struct sctp_paramhdr *);
12843			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
12844			ph->param_length = htons(sizeof(struct sctp_paramhdr) + tot_out);
12845			ph++;
12846			SCTP_BUF_LEN(mm) = tot_out + sizeof(struct sctp_paramhdr);
12847			if (top == NULL) {
12848				error = uiomove((caddr_t)ph, (int)tot_out, uio);
12849				if (error) {
12850					/*-
12851					 * Here if we can't get his data we
12852					 * still abort we just don't get to
12853					 * send the users note :-0
12854					 */
12855					sctp_m_freem(mm);
12856					mm = NULL;
12857				}
12858			} else {
12859				if (sndlen != 0) {
12860					SCTP_BUF_NEXT(mm) = top;
12861				}
12862			}
12863		}
12864		if (hold_tcblock == 0) {
12865			SCTP_TCB_LOCK(stcb);
12866		}
12867		atomic_add_int(&stcb->asoc.refcnt, -1);
12868		free_cnt_applied = 0;
12869		/* release this lock, otherwise we hang on ourselves */
12870		sctp_abort_an_association(stcb->sctp_ep, stcb, mm, SCTP_SO_LOCKED);
12871		/* now relock the stcb so everything is sane */
12872		hold_tcblock = 0;
12873		stcb = NULL;
12874		/*
12875		 * In this case top is already chained to mm avoid double
12876		 * free, since we free it below if top != NULL and driver
12877		 * would free it after sending the packet out
12878		 */
12879		if (sndlen != 0) {
12880			top = NULL;
12881		}
12882		goto out_unlocked;
12883	}
12884	/* Calculate the maximum we can send */
12885	inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12886	if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
12887		if (non_blocking) {
12888			/* we already checked for non-blocking above. */
12889			max_len = sndlen;
12890		} else {
12891			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
12892		}
12893	} else {
12894		max_len = 0;
12895	}
12896	if (hold_tcblock) {
12897		SCTP_TCB_UNLOCK(stcb);
12898		hold_tcblock = 0;
12899	}
12900	if (asoc->strmout == NULL) {
12901		/* huh? software error */
12902		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
12903		error = EFAULT;
12904		goto out_unlocked;
12905	}
12906	/* Unless E_EOR mode is on, we must make a send FIT in one call. */
12907	if ((user_marks_eor == 0) &&
12908	    (sndlen > SCTP_SB_LIMIT_SND(stcb->sctp_socket))) {
12909		/* It will NEVER fit */
12910		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
12911		error = EMSGSIZE;
12912		goto out_unlocked;
12913	}
12914	if ((uio == NULL) && user_marks_eor) {
12915		/*-
12916		 * We do not support eeor mode for
12917		 * sending with mbuf chains (like sendfile).
12918		 */
12919		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12920		error = EINVAL;
12921		goto out_unlocked;
12922	}
12923	if (user_marks_eor) {
12924		local_add_more = min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold));
12925	} else {
12926		/*-
12927		 * For non-eeor the whole message must fit in
12928		 * the socket send buffer.
12929		 */
12930		local_add_more = sndlen;
12931	}
12932	len = 0;
12933	if (non_blocking) {
12934		goto skip_preblock;
12935	}
12936	if (((max_len <= local_add_more) &&
12937	    (SCTP_SB_LIMIT_SND(so) >= local_add_more)) ||
12938	    (max_len == 0) ||
12939	    ((stcb->asoc.chunks_on_out_queue + stcb->asoc.stream_queue_cnt) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
12940		/* No room right now ! */
12941		SOCKBUF_LOCK(&so->so_snd);
12942		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12943		while ((SCTP_SB_LIMIT_SND(so) < (inqueue_bytes + local_add_more)) ||
12944		    ((stcb->asoc.stream_queue_cnt + stcb->asoc.chunks_on_out_queue) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
12945			SCTPDBG(SCTP_DEBUG_OUTPUT1, "pre_block limit:%u <(inq:%d + %d) || (%d+%d > %d)\n",
12946			    (unsigned int)SCTP_SB_LIMIT_SND(so),
12947			    inqueue_bytes,
12948			    local_add_more,
12949			    stcb->asoc.stream_queue_cnt,
12950			    stcb->asoc.chunks_on_out_queue,
12951			    SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue));
12952			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
12953				sctp_log_block(SCTP_BLOCK_LOG_INTO_BLKA, asoc, sndlen);
12954			}
12955			be.error = 0;
12956			stcb->block_entry = &be;
12957			error = sbwait(&so->so_snd);
12958			stcb->block_entry = NULL;
12959			if (error || so->so_error || be.error) {
12960				if (error == 0) {
12961					if (so->so_error)
12962						error = so->so_error;
12963					if (be.error) {
12964						error = be.error;
12965					}
12966				}
12967				SOCKBUF_UNLOCK(&so->so_snd);
12968				goto out_unlocked;
12969			}
12970			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
12971				sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
12972				    asoc, stcb->asoc.total_output_queue_size);
12973			}
12974			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12975				goto out_unlocked;
12976			}
12977			inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12978		}
12979		if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
12980			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
12981		} else {
12982			max_len = 0;
12983		}
12984		SOCKBUF_UNLOCK(&so->so_snd);
12985	}
12986skip_preblock:
12987	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12988		goto out_unlocked;
12989	}
12990	/*
12991	 * sndlen covers for mbuf case uio_resid covers for the non-mbuf
12992	 * case NOTE: uio will be null when top/mbuf is passed
12993	 */
12994	if (sndlen == 0) {
12995		if (srcv->sinfo_flags & SCTP_EOF) {
12996			got_all_of_the_send = 1;
12997			goto dataless_eof;
12998		} else {
12999			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13000			error = EINVAL;
13001			goto out;
13002		}
13003	}
13004	if (top == NULL) {
13005		struct sctp_stream_queue_pending *sp;
13006		struct sctp_stream_out *strm;
13007		uint32_t sndout;
13008
13009		SCTP_TCB_SEND_LOCK(stcb);
13010		if ((asoc->stream_locked) &&
13011		    (asoc->stream_locked_on != srcv->sinfo_stream)) {
13012			SCTP_TCB_SEND_UNLOCK(stcb);
13013			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13014			error = EINVAL;
13015			goto out;
13016		}
13017		SCTP_TCB_SEND_UNLOCK(stcb);
13018
13019		strm = &stcb->asoc.strmout[srcv->sinfo_stream];
13020		if (strm->last_msg_incomplete == 0) {
13021	do_a_copy_in:
13022			sp = sctp_copy_it_in(stcb, asoc, srcv, uio, net, max_len, user_marks_eor, &error);
13023			if ((sp == NULL) || (error)) {
13024				goto out;
13025			}
13026			SCTP_TCB_SEND_LOCK(stcb);
13027			if (sp->msg_is_complete) {
13028				strm->last_msg_incomplete = 0;
13029				asoc->stream_locked = 0;
13030			} else {
13031				/*
13032				 * Just got locked to this guy in case of an
13033				 * interrupt.
13034				 */
13035				strm->last_msg_incomplete = 1;
13036				asoc->stream_locked = 1;
13037				asoc->stream_locked_on = srcv->sinfo_stream;
13038				sp->sender_all_done = 0;
13039			}
13040			sctp_snd_sb_alloc(stcb, sp->length);
13041			atomic_add_int(&asoc->stream_queue_cnt, 1);
13042			if (srcv->sinfo_flags & SCTP_UNORDERED) {
13043				SCTP_STAT_INCR(sctps_sends_with_unord);
13044			}
13045			TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
13046			stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, asoc, strm, sp, 1);
13047			SCTP_TCB_SEND_UNLOCK(stcb);
13048		} else {
13049			SCTP_TCB_SEND_LOCK(stcb);
13050			sp = TAILQ_LAST(&strm->outqueue, sctp_streamhead);
13051			SCTP_TCB_SEND_UNLOCK(stcb);
13052			if (sp == NULL) {
13053				/* ???? Huh ??? last msg is gone */
13054#ifdef INVARIANTS
13055				panic("Warning: Last msg marked incomplete, yet nothing left?");
13056#else
13057				SCTP_PRINTF("Warning: Last msg marked incomplete, yet nothing left?\n");
13058				strm->last_msg_incomplete = 0;
13059#endif
13060				goto do_a_copy_in;
13061
13062			}
13063		}
13064		while (uio->uio_resid > 0) {
13065			/* How much room do we have? */
13066			struct mbuf *new_tail, *mm;
13067
13068			if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
13069				max_len = SCTP_SB_LIMIT_SND(so) - stcb->asoc.total_output_queue_size;
13070			else
13071				max_len = 0;
13072
13073			if ((max_len > SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
13074			    (max_len && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) ||
13075			    (uio->uio_resid && (uio->uio_resid <= (int)max_len))) {
13076				sndout = 0;
13077				new_tail = NULL;
13078				if (hold_tcblock) {
13079					SCTP_TCB_UNLOCK(stcb);
13080					hold_tcblock = 0;
13081				}
13082				mm = sctp_copy_resume(uio, max_len, user_marks_eor, &error, &sndout, &new_tail);
13083				if ((mm == NULL) || error) {
13084					if (mm) {
13085						sctp_m_freem(mm);
13086					}
13087					goto out;
13088				}
13089				/* Update the mbuf and count */
13090				SCTP_TCB_SEND_LOCK(stcb);
13091				if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13092					/*
13093					 * we need to get out. Peer probably
13094					 * aborted.
13095					 */
13096					sctp_m_freem(mm);
13097					if (stcb->asoc.state & SCTP_PCB_FLAGS_WAS_ABORTED) {
13098						SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
13099						error = ECONNRESET;
13100					}
13101					SCTP_TCB_SEND_UNLOCK(stcb);
13102					goto out;
13103				}
13104				if (sp->tail_mbuf) {
13105					/* tack it to the end */
13106					SCTP_BUF_NEXT(sp->tail_mbuf) = mm;
13107					sp->tail_mbuf = new_tail;
13108				} else {
13109					/* A stolen mbuf */
13110					sp->data = mm;
13111					sp->tail_mbuf = new_tail;
13112				}
13113				sctp_snd_sb_alloc(stcb, sndout);
13114				atomic_add_int(&sp->length, sndout);
13115				len += sndout;
13116
13117				/* Did we reach EOR? */
13118				if ((uio->uio_resid == 0) &&
13119				    ((user_marks_eor == 0) ||
13120				    (srcv->sinfo_flags & SCTP_EOF) ||
13121				    (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
13122					sp->msg_is_complete = 1;
13123				} else {
13124					sp->msg_is_complete = 0;
13125				}
13126				SCTP_TCB_SEND_UNLOCK(stcb);
13127			}
13128			if (uio->uio_resid == 0) {
13129				/* got it all? */
13130				continue;
13131			}
13132			/* PR-SCTP? */
13133			if ((asoc->prsctp_supported) && (asoc->sent_queue_cnt_removeable > 0)) {
13134				/*
13135				 * This is ugly but we must assure locking
13136				 * order
13137				 */
13138				if (hold_tcblock == 0) {
13139					SCTP_TCB_LOCK(stcb);
13140					hold_tcblock = 1;
13141				}
13142				sctp_prune_prsctp(stcb, asoc, srcv, sndlen);
13143				inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13144				if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
13145					max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13146				else
13147					max_len = 0;
13148				if (max_len > 0) {
13149					continue;
13150				}
13151				SCTP_TCB_UNLOCK(stcb);
13152				hold_tcblock = 0;
13153			}
13154			/* wait for space now */
13155			if (non_blocking) {
13156				/* Non-blocking io in place out */
13157				goto skip_out_eof;
13158			}
13159			/* What about the INIT, send it maybe */
13160			if (queue_only_for_init) {
13161				if (hold_tcblock == 0) {
13162					SCTP_TCB_LOCK(stcb);
13163					hold_tcblock = 1;
13164				}
13165				if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
13166					/* a collision took us forward? */
13167					queue_only = 0;
13168				} else {
13169					sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
13170					SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
13171					queue_only = 1;
13172				}
13173			}
13174			if ((net->flight_size > net->cwnd) &&
13175			    (asoc->sctp_cmt_on_off == 0)) {
13176				SCTP_STAT_INCR(sctps_send_cwnd_avoid);
13177				queue_only = 1;
13178			} else if (asoc->ifp_had_enobuf) {
13179				SCTP_STAT_INCR(sctps_ifnomemqueued);
13180				if (net->flight_size > (2 * net->mtu)) {
13181					queue_only = 1;
13182				}
13183				asoc->ifp_had_enobuf = 0;
13184			}
13185			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
13186			    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
13187			if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
13188			    (stcb->asoc.total_flight > 0) &&
13189			    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
13190			    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
13191
13192				/*-
13193				 * Ok, Nagle is set on and we have data outstanding.
13194				 * Don't send anything and let SACKs drive out the
13195				 * data unless we have a "full" segment to send.
13196				 */
13197				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13198					sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13199				}
13200				SCTP_STAT_INCR(sctps_naglequeued);
13201				nagle_applies = 1;
13202			} else {
13203				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13204					if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13205						sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13206				}
13207				SCTP_STAT_INCR(sctps_naglesent);
13208				nagle_applies = 0;
13209			}
13210			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13211
13212				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13213				    nagle_applies, un_sent);
13214				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
13215				    stcb->asoc.total_flight,
13216				    stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
13217			}
13218			if (queue_only_for_init)
13219				queue_only_for_init = 0;
13220			if ((queue_only == 0) && (nagle_applies == 0)) {
13221				/*-
13222				 * need to start chunk output
13223				 * before blocking.. note that if
13224				 * a lock is already applied, then
13225				 * the input via the net is happening
13226				 * and I don't need to start output :-D
13227				 */
13228				if (hold_tcblock == 0) {
13229					if (SCTP_TCB_TRYLOCK(stcb)) {
13230						hold_tcblock = 1;
13231						sctp_chunk_output(inp,
13232						    stcb,
13233						    SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13234					}
13235				} else {
13236					sctp_chunk_output(inp,
13237					    stcb,
13238					    SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13239				}
13240				if (hold_tcblock == 1) {
13241					SCTP_TCB_UNLOCK(stcb);
13242					hold_tcblock = 0;
13243				}
13244			}
13245			SOCKBUF_LOCK(&so->so_snd);
13246			/*-
13247			 * This is a bit strange, but I think it will
13248			 * work. The total_output_queue_size is locked and
13249			 * protected by the TCB_LOCK, which we just released.
13250			 * There is a race that can occur between releasing it
13251			 * above, and me getting the socket lock, where sacks
13252			 * come in but we have not put the SB_WAIT on the
13253			 * so_snd buffer to get the wakeup. After the LOCK
13254			 * is applied the sack_processing will also need to
13255			 * LOCK the so->so_snd to do the actual sowwakeup(). So
13256			 * once we have the socket buffer lock if we recheck the
13257			 * size we KNOW we will get to sleep safely with the
13258			 * wakeup flag in place.
13259			 */
13260			if (SCTP_SB_LIMIT_SND(so) <= (stcb->asoc.total_output_queue_size +
13261			    min(SCTP_BASE_SYSCTL(sctp_add_more_threshold), SCTP_SB_LIMIT_SND(so)))) {
13262				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13263					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
13264					    asoc, uio->uio_resid);
13265				}
13266				be.error = 0;
13267				stcb->block_entry = &be;
13268				error = sbwait(&so->so_snd);
13269				stcb->block_entry = NULL;
13270
13271				if (error || so->so_error || be.error) {
13272					if (error == 0) {
13273						if (so->so_error)
13274							error = so->so_error;
13275						if (be.error) {
13276							error = be.error;
13277						}
13278					}
13279					SOCKBUF_UNLOCK(&so->so_snd);
13280					goto out_unlocked;
13281				}
13282				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13283					sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13284					    asoc, stcb->asoc.total_output_queue_size);
13285				}
13286			}
13287			SOCKBUF_UNLOCK(&so->so_snd);
13288			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13289				goto out_unlocked;
13290			}
13291		}
13292		SCTP_TCB_SEND_LOCK(stcb);
13293		if (sp) {
13294			if (sp->msg_is_complete == 0) {
13295				strm->last_msg_incomplete = 1;
13296				asoc->stream_locked = 1;
13297				asoc->stream_locked_on = srcv->sinfo_stream;
13298			} else {
13299				sp->sender_all_done = 1;
13300				strm->last_msg_incomplete = 0;
13301				asoc->stream_locked = 0;
13302			}
13303		} else {
13304			SCTP_PRINTF("Huh no sp TSNH?\n");
13305			strm->last_msg_incomplete = 0;
13306			asoc->stream_locked = 0;
13307		}
13308		SCTP_TCB_SEND_UNLOCK(stcb);
13309		if (uio->uio_resid == 0) {
13310			got_all_of_the_send = 1;
13311		}
13312	} else {
13313		/* We send in a 0, since we do NOT have any locks */
13314		error = sctp_msg_append(stcb, net, top, srcv, 0);
13315		top = NULL;
13316		if (srcv->sinfo_flags & SCTP_EOF) {
13317			/*
13318			 * This should only happen for Panda for the mbuf
13319			 * send case, which does NOT yet support EEOR mode.
13320			 * Thus, we can just set this flag to do the proper
13321			 * EOF handling.
13322			 */
13323			got_all_of_the_send = 1;
13324		}
13325	}
13326	if (error) {
13327		goto out;
13328	}
13329dataless_eof:
13330	/* EOF thing ? */
13331	if ((srcv->sinfo_flags & SCTP_EOF) &&
13332	    (got_all_of_the_send == 1)) {
13333		int cnt;
13334
13335		SCTP_STAT_INCR(sctps_sends_with_eof);
13336		error = 0;
13337		if (hold_tcblock == 0) {
13338			SCTP_TCB_LOCK(stcb);
13339			hold_tcblock = 1;
13340		}
13341		cnt = sctp_is_there_unsent_data(stcb, SCTP_SO_LOCKED);
13342		if (TAILQ_EMPTY(&asoc->send_queue) &&
13343		    TAILQ_EMPTY(&asoc->sent_queue) &&
13344		    (cnt == 0)) {
13345			if (asoc->locked_on_sending) {
13346				goto abort_anyway;
13347			}
13348			/* there is nothing queued to send, so I'm done... */
13349			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
13350			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13351			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13352				struct sctp_nets *netp;
13353
13354				/* only send SHUTDOWN the first time through */
13355				if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
13356					SCTP_STAT_DECR_GAUGE32(sctps_currestab);
13357				}
13358				SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
13359				SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
13360				sctp_stop_timers_for_shutdown(stcb);
13361				if (stcb->asoc.alternate) {
13362					netp = stcb->asoc.alternate;
13363				} else {
13364					netp = stcb->asoc.primary_destination;
13365				}
13366				sctp_send_shutdown(stcb, netp);
13367				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
13368				    netp);
13369				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
13370				    asoc->primary_destination);
13371			}
13372		} else {
13373			/*-
13374			 * we still got (or just got) data to send, so set
13375			 * SHUTDOWN_PENDING
13376			 */
13377			/*-
13378			 * XXX sockets draft says that SCTP_EOF should be
13379			 * sent with no data.  currently, we will allow user
13380			 * data to be sent first and move to
13381			 * SHUTDOWN-PENDING
13382			 */
13383			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
13384			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13385			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13386				if (hold_tcblock == 0) {
13387					SCTP_TCB_LOCK(stcb);
13388					hold_tcblock = 1;
13389				}
13390				if (asoc->locked_on_sending) {
13391					/* Locked to send out the data */
13392					struct sctp_stream_queue_pending *sp;
13393
13394					sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
13395					if (sp) {
13396						if ((sp->length == 0) && (sp->msg_is_complete == 0))
13397							asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
13398					}
13399				}
13400				asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
13401				if (TAILQ_EMPTY(&asoc->send_queue) &&
13402				    TAILQ_EMPTY(&asoc->sent_queue) &&
13403				    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
13404					struct mbuf *op_err;
13405					char msg[SCTP_DIAG_INFO_LEN];
13406
13407			abort_anyway:
13408					if (free_cnt_applied) {
13409						atomic_add_int(&stcb->asoc.refcnt, -1);
13410						free_cnt_applied = 0;
13411					}
13412					snprintf(msg, sizeof(msg),
13413					    "%s:%d at %s", __FILE__, __LINE__, __func__);
13414					op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
13415					    msg);
13416					sctp_abort_an_association(stcb->sctp_ep, stcb,
13417					    op_err, SCTP_SO_LOCKED);
13418					/*
13419					 * now relock the stcb so everything
13420					 * is sane
13421					 */
13422					hold_tcblock = 0;
13423					stcb = NULL;
13424					goto out;
13425				}
13426				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
13427				    asoc->primary_destination);
13428				sctp_feature_off(inp, SCTP_PCB_FLAGS_NODELAY);
13429			}
13430		}
13431	}
13432skip_out_eof:
13433	if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
13434		some_on_control = 1;
13435	}
13436	if (queue_only_for_init) {
13437		if (hold_tcblock == 0) {
13438			SCTP_TCB_LOCK(stcb);
13439			hold_tcblock = 1;
13440		}
13441		if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
13442			/* a collision took us forward? */
13443			queue_only = 0;
13444		} else {
13445			sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
13446			SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_WAIT);
13447			queue_only = 1;
13448		}
13449	}
13450	if ((net->flight_size > net->cwnd) &&
13451	    (stcb->asoc.sctp_cmt_on_off == 0)) {
13452		SCTP_STAT_INCR(sctps_send_cwnd_avoid);
13453		queue_only = 1;
13454	} else if (asoc->ifp_had_enobuf) {
13455		SCTP_STAT_INCR(sctps_ifnomemqueued);
13456		if (net->flight_size > (2 * net->mtu)) {
13457			queue_only = 1;
13458		}
13459		asoc->ifp_had_enobuf = 0;
13460	}
13461	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
13462	    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
13463	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
13464	    (stcb->asoc.total_flight > 0) &&
13465	    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
13466	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
13467		/*-
13468		 * Ok, Nagle is set on and we have data outstanding.
13469		 * Don't send anything and let SACKs drive out the
13470		 * data unless wen have a "full" segment to send.
13471		 */
13472		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13473			sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13474		}
13475		SCTP_STAT_INCR(sctps_naglequeued);
13476		nagle_applies = 1;
13477	} else {
13478		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13479			if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13480				sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13481		}
13482		SCTP_STAT_INCR(sctps_naglesent);
13483		nagle_applies = 0;
13484	}
13485	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13486		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13487		    nagle_applies, un_sent);
13488		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
13489		    stcb->asoc.total_flight,
13490		    stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
13491	}
13492	if ((queue_only == 0) && (nagle_applies == 0) && (stcb->asoc.peers_rwnd && un_sent)) {
13493		/* we can attempt to send too. */
13494		if (hold_tcblock == 0) {
13495			/*
13496			 * If there is activity recv'ing sacks no need to
13497			 * send
13498			 */
13499			if (SCTP_TCB_TRYLOCK(stcb)) {
13500				sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13501				hold_tcblock = 1;
13502			}
13503		} else {
13504			sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13505		}
13506	} else if ((queue_only == 0) &&
13507		    (stcb->asoc.peers_rwnd == 0) &&
13508	    (stcb->asoc.total_flight == 0)) {
13509		/* We get to have a probe outstanding */
13510		if (hold_tcblock == 0) {
13511			hold_tcblock = 1;
13512			SCTP_TCB_LOCK(stcb);
13513		}
13514		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13515	} else if (some_on_control) {
13516		int num_out, reason, frag_point;
13517
13518		/* Here we do control only */
13519		if (hold_tcblock == 0) {
13520			hold_tcblock = 1;
13521			SCTP_TCB_LOCK(stcb);
13522		}
13523		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
13524		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
13525		    &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_LOCKED);
13526	}
13527	SCTPDBG(SCTP_DEBUG_OUTPUT1, "USR Send complete qo:%d prw:%d unsent:%d tf:%d cooq:%d toqs:%d err:%d\n",
13528	    queue_only, stcb->asoc.peers_rwnd, un_sent,
13529	    stcb->asoc.total_flight, stcb->asoc.chunks_on_out_queue,
13530	    stcb->asoc.total_output_queue_size, error);
13531
13532out:
13533out_unlocked:
13534
13535	if (local_soresv && stcb) {
13536		atomic_subtract_int(&stcb->asoc.sb_send_resv, sndlen);
13537	}
13538	if (create_lock_applied) {
13539		SCTP_ASOC_CREATE_UNLOCK(inp);
13540	}
13541	if ((stcb) && hold_tcblock) {
13542		SCTP_TCB_UNLOCK(stcb);
13543	}
13544	if (stcb && free_cnt_applied) {
13545		atomic_add_int(&stcb->asoc.refcnt, -1);
13546	}
13547#ifdef INVARIANTS
13548	if (stcb) {
13549		if (mtx_owned(&stcb->tcb_mtx)) {
13550			panic("Leaving with tcb mtx owned?");
13551		}
13552		if (mtx_owned(&stcb->tcb_send_mtx)) {
13553			panic("Leaving with tcb send mtx owned?");
13554		}
13555	}
13556#endif
13557	if (top) {
13558		sctp_m_freem(top);
13559	}
13560	if (control) {
13561		sctp_m_freem(control);
13562	}
13563	return (error);
13564}
13565
13566
13567/*
13568 * generate an AUTHentication chunk, if required
13569 */
13570struct mbuf *
13571sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
13572    struct sctp_auth_chunk **auth_ret, uint32_t * offset,
13573    struct sctp_tcb *stcb, uint8_t chunk)
13574{
13575	struct mbuf *m_auth;
13576	struct sctp_auth_chunk *auth;
13577	int chunk_len;
13578	struct mbuf *cn;
13579
13580	if ((m_end == NULL) || (auth_ret == NULL) || (offset == NULL) ||
13581	    (stcb == NULL))
13582		return (m);
13583
13584	if (stcb->asoc.auth_supported == 0) {
13585		return (m);
13586	}
13587	/* does the requested chunk require auth? */
13588	if (!sctp_auth_is_required_chunk(chunk, stcb->asoc.peer_auth_chunks)) {
13589		return (m);
13590	}
13591	m_auth = sctp_get_mbuf_for_msg(sizeof(*auth), 0, M_NOWAIT, 1, MT_HEADER);
13592	if (m_auth == NULL) {
13593		/* no mbuf's */
13594		return (m);
13595	}
13596	/* reserve some space if this will be the first mbuf */
13597	if (m == NULL)
13598		SCTP_BUF_RESV_UF(m_auth, SCTP_MIN_OVERHEAD);
13599	/* fill in the AUTH chunk details */
13600	auth = mtod(m_auth, struct sctp_auth_chunk *);
13601	bzero(auth, sizeof(*auth));
13602	auth->ch.chunk_type = SCTP_AUTHENTICATION;
13603	auth->ch.chunk_flags = 0;
13604	chunk_len = sizeof(*auth) +
13605	    sctp_get_hmac_digest_len(stcb->asoc.peer_hmac_id);
13606	auth->ch.chunk_length = htons(chunk_len);
13607	auth->hmac_id = htons(stcb->asoc.peer_hmac_id);
13608	/* key id and hmac digest will be computed and filled in upon send */
13609
13610	/* save the offset where the auth was inserted into the chain */
13611	*offset = 0;
13612	for (cn = m; cn; cn = SCTP_BUF_NEXT(cn)) {
13613		*offset += SCTP_BUF_LEN(cn);
13614	}
13615
13616	/* update length and return pointer to the auth chunk */
13617	SCTP_BUF_LEN(m_auth) = chunk_len;
13618	m = sctp_copy_mbufchain(m_auth, m, m_end, 1, chunk_len, 0);
13619	if (auth_ret != NULL)
13620		*auth_ret = auth;
13621
13622	return (m);
13623}
13624
13625#ifdef INET6
13626int
13627sctp_v6src_match_nexthop(struct sockaddr_in6 *src6, sctp_route_t * ro)
13628{
13629	struct nd_prefix *pfx = NULL;
13630	struct nd_pfxrouter *pfxrtr = NULL;
13631	struct sockaddr_in6 gw6;
13632
13633	if (ro == NULL || ro->ro_rt == NULL || src6->sin6_family != AF_INET6)
13634		return (0);
13635
13636	/* get prefix entry of address */
13637	LIST_FOREACH(pfx, &MODULE_GLOBAL(nd_prefix), ndpr_entry) {
13638		if (pfx->ndpr_stateflags & NDPRF_DETACHED)
13639			continue;
13640		if (IN6_ARE_MASKED_ADDR_EQUAL(&pfx->ndpr_prefix.sin6_addr,
13641		    &src6->sin6_addr, &pfx->ndpr_mask))
13642			break;
13643	}
13644	/* no prefix entry in the prefix list */
13645	if (pfx == NULL) {
13646		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefix entry for ");
13647		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13648		return (0);
13649	}
13650	SCTPDBG(SCTP_DEBUG_OUTPUT2, "v6src_match_nexthop(), Prefix entry is ");
13651	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13652
13653	/* search installed gateway from prefix entry */
13654	LIST_FOREACH(pfxrtr, &pfx->ndpr_advrtrs, pfr_entry) {
13655		memset(&gw6, 0, sizeof(struct sockaddr_in6));
13656		gw6.sin6_family = AF_INET6;
13657		gw6.sin6_len = sizeof(struct sockaddr_in6);
13658		memcpy(&gw6.sin6_addr, &pfxrtr->router->rtaddr,
13659		    sizeof(struct in6_addr));
13660		SCTPDBG(SCTP_DEBUG_OUTPUT2, "prefix router is ");
13661		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&gw6);
13662		SCTPDBG(SCTP_DEBUG_OUTPUT2, "installed router is ");
13663		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
13664		if (sctp_cmpaddr((struct sockaddr *)&gw6,
13665		    ro->ro_rt->rt_gateway)) {
13666			SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is installed\n");
13667			return (1);
13668		}
13669	}
13670	SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is not installed\n");
13671	return (0);
13672}
13673
13674#endif
13675
13676int
13677sctp_v4src_match_nexthop(struct sctp_ifa *sifa, sctp_route_t * ro)
13678{
13679#ifdef INET
13680	struct sockaddr_in *sin, *mask;
13681	struct ifaddr *ifa;
13682	struct in_addr srcnetaddr, gwnetaddr;
13683
13684	if (ro == NULL || ro->ro_rt == NULL ||
13685	    sifa->address.sa.sa_family != AF_INET) {
13686		return (0);
13687	}
13688	ifa = (struct ifaddr *)sifa->ifa;
13689	mask = (struct sockaddr_in *)(ifa->ifa_netmask);
13690	sin = &sifa->address.sin;
13691	srcnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13692	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: src address is ");
13693	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
13694	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", srcnetaddr.s_addr);
13695
13696	sin = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
13697	gwnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13698	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: nexthop is ");
13699	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
13700	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", gwnetaddr.s_addr);
13701	if (srcnetaddr.s_addr == gwnetaddr.s_addr) {
13702		return (1);
13703	}
13704#endif
13705	return (0);
13706}
13707