sctp_input.c revision 163953
1779SN/A/*- 21635Shannesw * Copyright (c) 2001-2006, Cisco Systems, Inc. All rights reserved. 3779SN/A * 4779SN/A * Redistribution and use in source and binary forms, with or without 5779SN/A * modification, are permitted provided that the following conditions are met: 6779SN/A * 7779SN/A * a) Redistributions of source code must retain the above copyright notice, 8779SN/A * this list of conditions and the following disclaimer. 9779SN/A * 10779SN/A * b) Redistributions in binary form must reproduce the above copyright 11779SN/A * notice, this list of conditions and the following disclaimer in 12779SN/A * the documentation and/or other materials provided with the distribution. 13779SN/A * 14779SN/A * c) Neither the name of Cisco Systems, Inc. nor the names of its 15779SN/A * contributors may be used to endorse or promote products derived 16779SN/A * from this software without specific prior written permission. 17779SN/A * 18779SN/A * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19779SN/A * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20779SN/A * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21779SN/A * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22779SN/A * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23779SN/A * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24779SN/A * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25779SN/A * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26779SN/A * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27779SN/A * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28779SN/A * THE POSSIBILITY OF SUCH DAMAGE. 29779SN/A */ 30779SN/A 31779SN/A/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32779SN/A 33779SN/A#include <sys/cdefs.h> 34779SN/A__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 163953 2006-11-03 15:23:16Z rrs $"); 35779SN/A 36779SN/A#include "opt_ipsec.h" 37779SN/A#include "opt_compat.h" 38779SN/A#include "opt_inet6.h" 39779SN/A#include "opt_inet.h" 40779SN/A#include "opt_sctp.h" 411093Shannesw 42970SN/A#include <sys/param.h> 43970SN/A#include <sys/systm.h> 44970SN/A#include <sys/malloc.h> 45970SN/A#include <sys/mbuf.h> 461032Shannesw#include <sys/socket.h> 47779SN/A#include <sys/socketvar.h> 48779SN/A#include <sys/sysctl.h> 49779SN/A#include <sys/domain.h> 50779SN/A#include <sys/protosw.h> 51958SN/A#include <sys/kernel.h> 521032Shannesw#include <sys/errno.h> 53779SN/A#include <sys/syslog.h> 541032Shannesw 55779SN/A#include <sys/limits.h> 56779SN/A#include <machine/cpu.h> 57779SN/A 58779SN/A#include <net/if.h> 591032Shannesw#include <net/route.h> 60958SN/A#include <net/if_types.h> 61958SN/A 62958SN/A#include <netinet/in.h> 63970SN/A#include <netinet/in_systm.h> 641032Shannesw#include <netinet/ip.h> 651032Shannesw#include <netinet/in_pcb.h> 66958SN/A#include <netinet/in_var.h> 67958SN/A#include <netinet/ip_var.h> 68958SN/A 69958SN/A#ifdef INET6 70958SN/A#include <netinet/ip6.h> 71779SN/A#include <netinet6/ip6_var.h> 72779SN/A#endif /* INET6 */ 731032Shannesw 741032Shannesw#include <netinet/ip_icmp.h> 751032Shannesw#include <netinet/icmp_var.h> 761032Shannesw 771106Shannesw#include <netinet/sctp_os.h> 781032Shannesw#include <netinet/sctp_var.h> 791106Shannesw#include <netinet/sctp_pcb.h> 801106Shannesw#include <netinet/sctp_header.h> 811106Shannesw#include <netinet/sctputil.h> 821106Shannesw#include <netinet/sctp_output.h> 831106Shannesw#include <netinet/sctp_input.h> 841106Shannesw#include <netinet/sctp_auth.h> 851106Shannesw#include <netinet/sctp_indata.h> 861106Shannesw#include <netinet/sctp_asconf.h> 871106Shannesw 88779SN/A#include <netinet/ip_options.h> 89779SN/A 901032Shannesw 911032Shannesw#ifdef IPSEC 921032Shannesw#include <netinet6/ipsec.h> 931032Shannesw#include <netkey/key.h> 941032Shannesw#endif /* IPSEC */ 951032Shannesw 961032Shannesw 971032Shannesw#ifdef SCTP_DEBUG 981032Shanneswextern uint32_t sctp_debug_on; 991032Shannesw 1001032Shannesw#endif 1011036Slagergren 1021036Slagergren 1031032Shanneswstatic void 1041032Shanneswsctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 1051032Shannesw{ 1061032Shannesw struct sctp_nets *net; 1071032Shannesw 1081032Shannesw SCTP_TCB_LOCK_ASSERT(stcb); 1091032Shannesw TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 1101032Shannesw if ((callout_pending(&net->rxt_timer.timer)) && 1111032Shannesw (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE)) { 1121032Shannesw sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 1131032Shannesw stcb->sctp_ep, 1141032Shannesw stcb, 1151032Shannesw net); 1161032Shannesw } 1171032Shannesw } 1181032Shannesw} 1191032Shannesw 1201032Shannesw/* INIT handler */ 1211032Shanneswstatic void 1221032Shanneswsctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 1231032Shannesw struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 1241032Shannesw struct sctp_nets *net) 1251032Shannesw{ 1261032Shannesw struct sctp_init *init; 1271032Shannesw struct mbuf *op_err; 1281032Shannesw uint32_t init_limit; 1291032Shannesw 1301032Shannesw#ifdef SCTP_DEBUG 1311032Shannesw if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1321032Shannesw printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 1331032Shannesw } 1341032Shannesw#endif 1351032Shannesw op_err = NULL; 1361032Shannesw init = &cp->init; 1371032Shannesw /* First are we accepting? */ 1381036Slagergren if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 1391032Shannesw#ifdef SCTP_DEBUG 1401032Shannesw if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1411032Shannesw printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit); 1421032Shannesw } 1431032Shannesw#endif 1441036Slagergren /* 1451032Shannesw * FIX ME ?? What about TCP model and we have a 1461032Shannesw * match/restart case? 1471032Shannesw */ 1481032Shannesw sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 1491032Shannesw return; 1501032Shannesw } 1511032Shannesw if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 1521032Shannesw /* Invalid length */ 1531032Shannesw op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1541032Shannesw sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 1551032Shannesw return; 1561032Shannesw } 1571032Shannesw /* validate parameters */ 1581032Shannesw if (init->initiate_tag == 0) { 159958SN/A /* protocol error... send abort */ 160958SN/A op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 161958SN/A sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 162958SN/A return; 163958SN/A } 164958SN/A if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 165958SN/A /* invalid parameter... send abort */ 166958SN/A op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1671260Shannesw sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 168958SN/A return; 169958SN/A } 170958SN/A if (init->num_inbound_streams == 0) { 171958SN/A /* protocol error... send abort */ 172958SN/A op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 173958SN/A sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 174958SN/A return; 175958SN/A } 176958SN/A if (init->num_outbound_streams == 0) { 177958SN/A /* protocol error... send abort */ 178779SN/A op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1791032Shannesw sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 180779SN/A return; 1811032Shannesw } 1821032Shannesw init_limit = offset + ntohs(cp->ch.chunk_length); 1831032Shannesw if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 1841032Shannesw init_limit)) { 1851032Shannesw /* auth parameter(s) error... send abort */ 1861032Shannesw sctp_abort_association(inp, stcb, m, iphlen, sh, NULL); 1871032Shannesw return; 1881032Shannesw } 1891032Shannesw /* send an INIT-ACK w/cookie */ 1901032Shannesw#ifdef SCTP_DEBUG 1911032Shannesw if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 1921032Shannesw printf("sctp_handle_init: sending INIT-ACK\n"); 1931093Shannesw } 1941040Slagergren#endif 1951032Shannesw sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 1961093Shannesw} 1971093Shannesw 198779SN/A/* 199779SN/A * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 2001032Shannesw */ 2011032Shanneswstatic int 2021032Shanneswsctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 2031093Shannesw struct sctp_nets *net) 2041032Shannesw{ 2051036Slagergren struct sctp_init *init; 2061032Shannesw struct sctp_association *asoc; 2071040Slagergren struct sctp_nets *lnet; 2081032Shannesw unsigned int i; 2091093Shannesw 2101093Shannesw init = &cp->init; 2111032Shannesw asoc = &stcb->asoc; 2121032Shannesw /* save off parameters */ 213779SN/A asoc->peer_vtag = ntohl(init->initiate_tag); 214779SN/A asoc->peers_rwnd = ntohl(init->a_rwnd); 2151093Shannesw if (TAILQ_FIRST(&asoc->nets)) { 2161032Shannesw /* update any ssthresh's that may have a default */ 2171032Shannesw TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 2181032Shannesw lnet->ssthresh = asoc->peers_rwnd; 2191032Shannesw 2201093Shannesw#if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 2211032Shannesw sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 2221032Shannesw#endif 2231032Shannesw 2241032Shannesw } 2251032Shannesw } 2261032Shannesw if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 2271032Shannesw unsigned int newcnt; 2281032Shannesw struct sctp_stream_out *outs; 2291032Shannesw struct sctp_stream_queue_pending *sp; 2301032Shannesw 2311032Shannesw /* cut back on number of streams */ 2321032Shannesw newcnt = ntohs(init->num_inbound_streams); 2331032Shannesw /* This if is probably not needed but I am cautious */ 2341032Shannesw if (asoc->strmout) { 2351032Shannesw /* First make sure no data chunks are trapped */ 2361032Shannesw for (i = newcnt; i < asoc->pre_open_streams; i++) { 2371032Shannesw outs = &asoc->strmout[i]; 2381032Shannesw sp = TAILQ_FIRST(&outs->outqueue); 239779SN/A while (sp) { 240779SN/A TAILQ_REMOVE(&outs->outqueue, sp, 241779SN/A next); 2421093Shannesw asoc->stream_queue_cnt--; 2431093Shannesw sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 2441093Shannesw stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 2451093Shannesw sp); 2461093Shannesw if (sp->data) { 2471093Shannesw sctp_m_freem(sp->data); 2481093Shannesw sp->data = NULL; 2491093Shannesw } 2501093Shannesw sctp_free_remote_addr(sp->net); 2511032Shannesw sp->net = NULL; 2521032Shannesw /* Free the chunk */ 2531260Shannesw printf("sp:%x tcb:%x weird free case\n", 2541032Shannesw (u_int)sp, (u_int)stcb); 2551032Shannesw 2561032Shannesw sctp_free_a_strmoq(stcb, sp); 2571032Shannesw sp = TAILQ_FIRST(&outs->outqueue); 2581032Shannesw } 2591032Shannesw } 2601032Shannesw } 2611032Shannesw /* cut back the count and abandon the upper streams */ 2621032Shannesw asoc->pre_open_streams = newcnt; 2631032Shannesw } 2641032Shannesw asoc->streamincnt = ntohs(init->num_outbound_streams); 2651032Shannesw if (asoc->streamincnt > MAX_SCTP_STREAMS) { 2661032Shannesw asoc->streamincnt = MAX_SCTP_STREAMS; 2671032Shannesw } 2681032Shannesw asoc->streamoutcnt = asoc->pre_open_streams; 2691032Shannesw /* init tsn's */ 2701032Shannesw asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 2711032Shannesw#ifdef SCTP_MAP_LOGGING 2721032Shannesw sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 2731032Shannesw#endif 2741032Shannesw /* This is the next one we expect */ 2751032Shannesw asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 2761032Shannesw 2771032Shannesw asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 278779SN/A asoc->cumulative_tsn = asoc->asconf_seq_in; 2791032Shannesw asoc->last_echo_tsn = asoc->asconf_seq_in; 2801032Shannesw asoc->advanced_peer_ack_point = asoc->last_acked_seq; 2811032Shannesw /* open the requested streams */ 2821032Shannesw if (asoc->strmin != NULL) { 2831032Shannesw /* Free the old ones */ 2841032Shannesw SCTP_FREE(asoc->strmin); 2851032Shannesw } 2861032Shannesw SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 2871032Shannesw sizeof(struct sctp_stream_in), "StreamsIn"); 2881032Shannesw if (asoc->strmin == NULL) { 2891032Shannesw /* we didn't get memory for the streams! */ 2901032Shannesw#ifdef SCTP_DEBUG 2911032Shannesw if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2921032Shannesw printf("process_init: couldn't get memory for the streams!\n"); 2931032Shannesw } 2941032Shannesw#endif 2951032Shannesw return (-1); 296779SN/A } 2971032Shannesw for (i = 0; i < asoc->streamincnt; i++) { 2981032Shannesw asoc->strmin[i].stream_no = i; 2991032Shannesw asoc->strmin[i].last_sequence_delivered = 0xffff; 3001032Shannesw /* 3011032Shannesw * U-stream ranges will be set when the cookie is unpacked. 3021032Shannesw * Or for the INIT sender they are un set (if pr-sctp not 3031032Shannesw * supported) when the INIT-ACK arrives. 3041032Shannesw */ 3051032Shannesw TAILQ_INIT(&asoc->strmin[i].inqueue); 3061032Shannesw /* 3071032Shannesw * we are not on any wheel, pr-sctp streams will go on the 3081032Shannesw * wheel when they have data waiting for reorder. 3091032Shannesw */ 3101032Shannesw asoc->strmin[i].next_spoke.tqe_next = 0; 3111032Shannesw asoc->strmin[i].next_spoke.tqe_prev = 0; 3121032Shannesw } 3131032Shannesw 3141032Shannesw /* 315779SN/A * load_address_from_init will put the addresses into the 316779SN/A * association when the COOKIE is processed or the INIT-ACK is 317779SN/A * processed. Both types of COOKIE's existing and new call this 318779SN/A * routine. It will remove addresses that are no longer in the 319 * association (for the restarting case where addresses are 320 * removed). Up front when the INIT arrives we will discard it if it 321 * is a restart and new addresses have been added. 322 */ 323 return (0); 324} 325 326/* 327 * INIT-ACK message processing/consumption returns value < 0 on error 328 */ 329static int 330sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 331 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 332 struct sctp_nets *net) 333{ 334 struct sctp_association *asoc; 335 struct mbuf *op_err; 336 int retval, abort_flag; 337 uint32_t initack_limit; 338 339 /* First verify that we have no illegal param's */ 340 abort_flag = 0; 341 op_err = NULL; 342 343 op_err = sctp_arethere_unrecognized_parameters(m, 344 (offset + sizeof(struct sctp_init_chunk)), 345 &abort_flag, (struct sctp_chunkhdr *)cp); 346 if (abort_flag) { 347 /* Send an abort and notify peer */ 348 if (op_err != NULL) { 349 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 350 } else { 351 /* 352 * Just notify (abort_assoc does this if we send an 353 * abort). 354 */ 355 sctp_abort_notification(stcb, 0); 356 /* 357 * No sense in further INIT's since we will get the 358 * same param back 359 */ 360 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 361 } 362 return (-1); 363 } 364 asoc = &stcb->asoc; 365 /* process the peer's parameters in the INIT-ACK */ 366 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 367 if (retval < 0) { 368 return (retval); 369 } 370 initack_limit = offset + ntohs(cp->ch.chunk_length); 371 /* load all addresses */ 372 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 373 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 374 NULL))) { 375 /* Huh, we should abort */ 376#ifdef SCTP_DEBUG 377 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 378 printf("Load addresses from INIT causes an abort %d\n", retval); 379 } 380#endif 381 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 382 NULL); 383 return (-1); 384 } 385 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 386 stcb->asoc.local_hmacs); 387 if (op_err) { 388 sctp_queue_op_err(stcb, op_err); 389 /* queuing will steal away the mbuf chain to the out queue */ 390 op_err = NULL; 391 } 392 /* extract the cookie and queue it to "echo" it back... */ 393 stcb->asoc.overall_error_count = 0; 394 net->error_count = 0; 395 396 /* 397 * Cancel the INIT timer, We do this first before queueing the 398 * cookie. We always cancel at the primary to assue that we are 399 * canceling the timer started by the INIT which always goes to the 400 * primary. 401 */ 402 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 403 asoc->primary_destination); 404 405 retval = sctp_send_cookie_echo(m, offset, stcb, net); 406 if (retval < 0) { 407 /* 408 * No cookie, we probably should send a op error. But in any 409 * case if there is no cookie in the INIT-ACK, we can 410 * abandon the peer, its broke. 411 */ 412 if (retval == -3) { 413 /* We abort with an error of missing mandatory param */ 414 struct mbuf *op_err; 415 416 op_err = 417 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 418 if (op_err) { 419 /* 420 * Expand beyond to include the mandatory 421 * param cookie 422 */ 423 struct sctp_inv_mandatory_param *mp; 424 425 op_err->m_len = 426 sizeof(struct sctp_inv_mandatory_param); 427 mp = mtod(op_err, 428 struct sctp_inv_mandatory_param *); 429 /* Subtract the reserved param */ 430 mp->length = 431 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 432 mp->num_param = htonl(1); 433 mp->param = htons(SCTP_STATE_COOKIE); 434 mp->resv = 0; 435 } 436 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 437 sh, op_err); 438 } 439 return (retval); 440 } 441 /* calculate the RTO */ 442 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 443 444 return (0); 445} 446 447static void 448sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 449 struct sctp_tcb *stcb, struct sctp_nets *net) 450{ 451 struct sockaddr_storage store; 452 struct sockaddr_in *sin; 453 struct sockaddr_in6 *sin6; 454 struct sctp_nets *r_net; 455 struct timeval tv; 456 457 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 458 /* Invalid length */ 459 return; 460 } 461 sin = (struct sockaddr_in *)&store; 462 sin6 = (struct sockaddr_in6 *)&store; 463 464 memset(&store, 0, sizeof(store)); 465 if (cp->heartbeat.hb_info.addr_family == AF_INET && 466 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 467 sin->sin_family = cp->heartbeat.hb_info.addr_family; 468 sin->sin_len = cp->heartbeat.hb_info.addr_len; 469 sin->sin_port = stcb->rport; 470 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 471 sizeof(sin->sin_addr)); 472 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 473 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 474 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 475 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 476 sin6->sin6_port = stcb->rport; 477 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 478 sizeof(sin6->sin6_addr)); 479 } else { 480 return; 481 } 482 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 483 if (r_net == NULL) { 484#ifdef SCTP_DEBUG 485 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 486 printf("Huh? I can't find the address I sent it to, discard\n"); 487 } 488#endif 489 return; 490 } 491 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 492 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 493 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 494 /* 495 * If the its a HB and it's random value is correct when can 496 * confirm the destination. 497 */ 498 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 499 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 500 stcb, 0, (void *)r_net); 501 } 502 r_net->error_count = 0; 503 r_net->hb_responded = 1; 504 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 505 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 506 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 507 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 508 r_net->dest_state |= SCTP_ADDR_REACHABLE; 509 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 510 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 511 /* now was it the primary? if so restore */ 512 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 513 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 514 } 515 } 516 /* Now lets do a RTO with this */ 517 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 518} 519 520static void 521sctp_handle_abort(struct sctp_abort_chunk *cp, 522 struct sctp_tcb *stcb, struct sctp_nets *net) 523{ 524 525#ifdef SCTP_DEBUG 526 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 527 printf("sctp_handle_abort: handling ABORT\n"); 528 } 529#endif 530 if (stcb == NULL) 531 return; 532 /* verify that the destination addr is in the association */ 533 /* ignore abort for addresses being deleted */ 534 535 /* stop any receive timers */ 536 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net); 537 /* notify user of the abort and clean up... */ 538 sctp_abort_notification(stcb, 0); 539 /* free the tcb */ 540 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 541 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 542 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 543 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 544 } 545 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 546#ifdef SCTP_DEBUG 547 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 548 printf("sctp_handle_abort: finished\n"); 549 } 550#endif 551} 552 553static void 554sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 555 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 556{ 557 struct sctp_association *asoc; 558 int some_on_streamwheel; 559 560#ifdef SCTP_DEBUG 561 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 562 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 563 } 564#endif 565 if (stcb == NULL) 566 return; 567 568 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) || 569 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 570 return; 571 } 572 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 573 /* Shutdown NOT the expected size */ 574 return; 575 } else { 576 sctp_update_acked(stcb, cp, net, abort_flag); 577 } 578 asoc = &stcb->asoc; 579 if (stcb->asoc.control_pdapi) { 580 /* 581 * With a normal shutdown we assume the end of last record. 582 */ 583 SCTP_INP_READ_LOCK(stcb->sctp_ep); 584 stcb->asoc.control_pdapi->end_added = 1; 585 if (stcb->asoc.control_pdapi->tail_mbuf) { 586 stcb->asoc.control_pdapi->tail_mbuf->m_flags |= M_EOR; 587 } 588 stcb->asoc.control_pdapi = NULL; 589 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 590 } 591 /* goto SHUTDOWN_RECEIVED state to block new requests */ 592 if (stcb->sctp_socket) { 593 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 594 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 595 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 596 /* 597 * notify upper layer that peer has initiated a 598 * shutdown 599 */ 600 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 601 602 /* reset time */ 603 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 604 } 605 } 606 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 607 /* 608 * stop the shutdown timer, since we WILL move to 609 * SHUTDOWN-ACK-SENT. 610 */ 611 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 612 } 613 /* Now are we there yet? */ 614 some_on_streamwheel = 0; 615 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 616 /* Check to see if some data queued */ 617 struct sctp_stream_out *outs; 618 619 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 620 if (!TAILQ_EMPTY(&outs->outqueue)) { 621 some_on_streamwheel = 1; 622 break; 623 } 624 } 625 } 626 if (!TAILQ_EMPTY(&asoc->send_queue) || 627 !TAILQ_EMPTY(&asoc->sent_queue) || 628 some_on_streamwheel) { 629 /* By returning we will push more data out */ 630 return; 631 } else { 632 /* no outstanding data to send, so move on... */ 633 /* send SHUTDOWN-ACK */ 634 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 635 /* move to SHUTDOWN-ACK-SENT state */ 636 if (asoc->state == SCTP_STATE_SHUTDOWN_RECEIVED) { 637 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 638 } 639 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 640 641 /* start SHUTDOWN timer */ 642 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 643 stcb, net); 644 } 645} 646 647static void 648sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 649 struct sctp_tcb *stcb, struct sctp_nets *net) 650{ 651 struct sctp_association *asoc; 652 653#ifdef SCTP_DEBUG 654 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 655 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 656 } 657#endif 658 if (stcb == NULL) 659 return; 660 661 asoc = &stcb->asoc; 662 /* process according to association state */ 663 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 664 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 665 /* unexpected SHUTDOWN-ACK... so ignore... */ 666 SCTP_TCB_UNLOCK(stcb); 667 return; 668 } 669 if (stcb->asoc.control_pdapi) { 670 /* 671 * With a normal shutdown we assume the end of last record. 672 */ 673 SCTP_INP_READ_LOCK(stcb->sctp_ep); 674 stcb->asoc.control_pdapi->end_added = 1; 675 if (stcb->asoc.control_pdapi->tail_mbuf) { 676 stcb->asoc.control_pdapi->tail_mbuf->m_flags |= M_EOR; 677 } 678 stcb->asoc.control_pdapi = NULL; 679 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 680 } 681 /* are the queues empty? */ 682 if (!TAILQ_EMPTY(&asoc->send_queue) || 683 !TAILQ_EMPTY(&asoc->sent_queue) || 684 !TAILQ_EMPTY(&asoc->out_wheel)) { 685 sctp_report_all_outbound(stcb); 686 } 687 /* stop the timer */ 688 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 689 /* send SHUTDOWN-COMPLETE */ 690 sctp_send_shutdown_complete(stcb, net); 691 /* notify upper layer protocol */ 692 if (stcb->sctp_socket) { 693 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 694 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 695 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 696 /* Set the connected flag to disconnected */ 697 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 698 } 699 } 700 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 701 /* free the TCB but first save off the ep */ 702 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 703} 704 705/* 706 * Skip past the param header and then we will find the chunk that caused the 707 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 708 * our peer must be broken. 709 */ 710static void 711sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 712 struct sctp_nets *net) 713{ 714 struct sctp_chunkhdr *chk; 715 716 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 717 switch (chk->chunk_type) { 718 case SCTP_ASCONF_ACK: 719 case SCTP_ASCONF: 720 sctp_asconf_cleanup(stcb, net); 721 break; 722 case SCTP_FORWARD_CUM_TSN: 723 stcb->asoc.peer_supports_prsctp = 0; 724 break; 725 default: 726#ifdef SCTP_DEBUG 727 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 728 printf("Peer does not support chunk type %d(%x)??\n", 729 chk->chunk_type, (uint32_t) chk->chunk_type); 730 } 731#endif 732 break; 733 } 734} 735 736/* 737 * Skip past the param header and then we will find the param that caused the 738 * problem. There are a number of param's in a ASCONF OR the prsctp param 739 * these will turn of specific features. 740 */ 741static void 742sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 743{ 744 struct sctp_paramhdr *pbad; 745 746 pbad = phdr + 1; 747 switch (ntohs(pbad->param_type)) { 748 /* pr-sctp draft */ 749 case SCTP_PRSCTP_SUPPORTED: 750 stcb->asoc.peer_supports_prsctp = 0; 751 break; 752 case SCTP_SUPPORTED_CHUNK_EXT: 753 break; 754 /* draft-ietf-tsvwg-addip-sctp */ 755 case SCTP_ECN_NONCE_SUPPORTED: 756 stcb->asoc.peer_supports_ecn_nonce = 0; 757 stcb->asoc.ecn_nonce_allowed = 0; 758 stcb->asoc.ecn_allowed = 0; 759 break; 760 case SCTP_ADD_IP_ADDRESS: 761 case SCTP_DEL_IP_ADDRESS: 762 case SCTP_SET_PRIM_ADDR: 763 stcb->asoc.peer_supports_asconf = 0; 764 break; 765 case SCTP_SUCCESS_REPORT: 766 case SCTP_ERROR_CAUSE_IND: 767#ifdef SCTP_DEBUG 768 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 769 printf("Huh, the peer does not support success? or error cause?\n"); 770 printf("Turning off ASCONF to this strange peer\n"); 771 } 772#endif 773 stcb->asoc.peer_supports_asconf = 0; 774 break; 775 default: 776#ifdef SCTP_DEBUG 777 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 778 printf("Peer does not support param type %d(%x)??\n", 779 pbad->param_type, (uint32_t) pbad->param_type); 780 } 781#endif 782 break; 783 } 784} 785 786static int 787sctp_handle_error(struct sctp_chunkhdr *ch, 788 struct sctp_tcb *stcb, struct sctp_nets *net) 789{ 790 int chklen; 791 struct sctp_paramhdr *phdr; 792 uint16_t error_type; 793 uint16_t error_len; 794 struct sctp_association *asoc; 795 796 int adjust; 797 798 /* parse through all of the errors and process */ 799 asoc = &stcb->asoc; 800 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 801 sizeof(struct sctp_chunkhdr)); 802 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 803 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 804 /* Process an Error Cause */ 805 error_type = ntohs(phdr->param_type); 806 error_len = ntohs(phdr->param_length); 807 if ((error_len > chklen) || (error_len == 0)) { 808 /* invalid param length for this param */ 809#ifdef SCTP_DEBUG 810 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 811 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 812 chklen, error_len); 813 } 814#endif /* SCTP_DEBUG */ 815 return (0); 816 } 817 switch (error_type) { 818 case SCTP_CAUSE_INVALID_STREAM: 819 case SCTP_CAUSE_MISSING_PARAM: 820 case SCTP_CAUSE_INVALID_PARAM: 821 case SCTP_CAUSE_NO_USER_DATA: 822#ifdef SCTP_DEBUG 823 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 824 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 825 error_type); 826 } 827#endif 828 break; 829 case SCTP_CAUSE_STALE_COOKIE: 830 /* 831 * We only act if we have echoed a cookie and are 832 * waiting. 833 */ 834 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 835 int *p; 836 837 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 838 /* Save the time doubled */ 839 asoc->cookie_preserve_req = ntohl(*p) << 1; 840 asoc->stale_cookie_count++; 841 if (asoc->stale_cookie_count > 842 asoc->max_init_times) { 843 sctp_abort_notification(stcb, 0); 844 /* now free the asoc */ 845 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 846 return (-1); 847 } 848 /* blast back to INIT state */ 849 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 850 asoc->state |= SCTP_STATE_COOKIE_WAIT; 851 852 sctp_stop_all_cookie_timers(stcb); 853 sctp_send_initiate(stcb->sctp_ep, stcb); 854 } 855 break; 856 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 857 /* 858 * Nothing we can do here, we don't do hostname 859 * addresses so if the peer does not like my IPv6 860 * (or IPv4 for that matter) it does not matter. If 861 * they don't support that type of address, they can 862 * NOT possibly get that packet type... i.e. with no 863 * IPv6 you can't recieve a IPv6 packet. so we can 864 * safely ignore this one. If we ever added support 865 * for HOSTNAME Addresses, then we would need to do 866 * something here. 867 */ 868 break; 869 case SCTP_CAUSE_UNRECOG_CHUNK: 870 sctp_process_unrecog_chunk(stcb, phdr, net); 871 break; 872 case SCTP_CAUSE_UNRECOG_PARAM: 873 sctp_process_unrecog_param(stcb, phdr); 874 break; 875 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 876 /* 877 * We ignore this since the timer will drive out a 878 * new cookie anyway and there timer will drive us 879 * to send a SHUTDOWN_COMPLETE. We can't send one 880 * here since we don't have their tag. 881 */ 882 break; 883 case SCTP_CAUSE_DELETING_LAST_ADDR: 884 case SCTP_CAUSE_RESOURCE_SHORTAGE: 885 case SCTP_CAUSE_DELETING_SRC_ADDR: 886 /* 887 * We should NOT get these here, but in a 888 * ASCONF-ACK. n 889 */ 890#ifdef SCTP_DEBUG 891 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 892 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 893 error_type); 894 } 895#endif 896 break; 897 case SCTP_CAUSE_OUT_OF_RESC: 898 /* 899 * And what, pray tell do we do with the fact that 900 * the peer is out of resources? Not really sure we 901 * could do anything but abort. I suspect this n * 902 * should have came WITH an abort instead of in a 903 * OP-ERROR. 904 */ 905 break; 906 default: 907#ifdef SCTP_DEBUG 908 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 909 /* don't know what this error cause is... */ 910 printf("sctp_handle_error: unknown error type = 0x%xh\n", 911 error_type); 912 } 913#endif /* SCTP_DEBUG */ 914 break; 915 } 916 adjust = SCTP_SIZE32(error_len); 917 chklen -= adjust; 918 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 919 } 920 return (0); 921} 922 923static int 924sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 925 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 926 struct sctp_nets *net) 927{ 928 struct sctp_init_ack *init_ack; 929 int *state; 930 struct mbuf *op_err; 931 932#ifdef SCTP_DEBUG 933 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 934 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 935 } 936#endif 937 if (stcb == NULL) { 938#ifdef SCTP_DEBUG 939 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 940 printf("sctp_handle_init_ack: TCB is null\n"); 941 } 942#endif 943 return (-1); 944 } 945 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 946 /* Invalid length */ 947 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 948 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 949 op_err); 950 return (-1); 951 } 952 init_ack = &cp->init; 953 /* validate parameters */ 954 if (init_ack->initiate_tag == 0) { 955 /* protocol error... send an abort */ 956 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 957 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 958 op_err); 959 return (-1); 960 } 961 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 962 /* protocol error... send an abort */ 963 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 964 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 965 op_err); 966 return (-1); 967 } 968 if (init_ack->num_inbound_streams == 0) { 969 /* protocol error... send an abort */ 970 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 971 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 972 op_err); 973 return (-1); 974 } 975 if (init_ack->num_outbound_streams == 0) { 976 /* protocol error... send an abort */ 977 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 978 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 979 op_err); 980 return (-1); 981 } 982 /* process according to association state... */ 983 state = &stcb->asoc.state; 984 switch (*state & SCTP_STATE_MASK) { 985 case SCTP_STATE_COOKIE_WAIT: 986 /* this is the expected state for this chunk */ 987 /* process the INIT-ACK parameters */ 988 if (stcb->asoc.primary_destination->dest_state & 989 SCTP_ADDR_UNCONFIRMED) { 990 /* 991 * The primary is where we sent the INIT, we can 992 * always consider it confirmed when the INIT-ACK is 993 * returned. Do this before we load addresses 994 * though. 995 */ 996 stcb->asoc.primary_destination->dest_state &= 997 ~SCTP_ADDR_UNCONFIRMED; 998 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 999 stcb, 0, (void *)stcb->asoc.primary_destination); 1000 } 1001 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net 1002 ) < 0) { 1003 /* error in parsing parameters */ 1004 return (-1); 1005 } 1006 /* update our state */ 1007#ifdef SCTP_DEBUG 1008 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1009 printf("moving to COOKIE-ECHOED state\n"); 1010 } 1011#endif 1012 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 1013 *state = SCTP_STATE_COOKIE_ECHOED | 1014 SCTP_STATE_SHUTDOWN_PENDING; 1015 } else { 1016 *state = SCTP_STATE_COOKIE_ECHOED; 1017 } 1018 1019 /* reset the RTO calc */ 1020 stcb->asoc.overall_error_count = 0; 1021 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1022 /* 1023 * collapse the init timer back in case of a exponential 1024 * backoff n 1025 */ 1026 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1027 stcb, net); 1028 /* 1029 * the send at the end of the inbound data processing will 1030 * cause the cookie to be sent 1031 */ 1032 break; 1033 case SCTP_STATE_SHUTDOWN_SENT: 1034 /* incorrect state... discard */ 1035 break; 1036 case SCTP_STATE_COOKIE_ECHOED: 1037 /* incorrect state... discard */ 1038 break; 1039 case SCTP_STATE_OPEN: 1040 /* incorrect state... discard */ 1041 break; 1042 case SCTP_STATE_EMPTY: 1043 case SCTP_STATE_INUSE: 1044 default: 1045 /* incorrect state... discard */ 1046 return (-1); 1047 break; 1048 } /* end switch asoc state */ 1049#ifdef SCTP_DEBUG 1050 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1051 printf("Leaving handle-init-ack end\n"); 1052 } 1053#endif 1054 return (0); 1055} 1056 1057 1058/* 1059 * handle a state cookie for an existing association m: input packet mbuf 1060 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1061 * "split" mbuf and the cookie signature does not exist offset: offset into 1062 * mbuf to the cookie-echo chunk 1063 */ 1064static struct sctp_tcb * 1065sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1066 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1067 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1068 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id) 1069{ 1070 struct sctp_association *asoc; 1071 struct sctp_init_chunk *init_cp, init_buf; 1072 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1073 int chk_length; 1074 int init_offset, initack_offset; 1075 int retval; 1076 1077 /* I know that the TCB is non-NULL from the caller */ 1078 asoc = &stcb->asoc; 1079 1080 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1081 /* SHUTDOWN came in after sending INIT-ACK */ 1082 struct mbuf *op_err; 1083 struct sctp_paramhdr *ph; 1084 1085 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1086 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1087 1, M_DONTWAIT, 1, MT_DATA); 1088 if (op_err == NULL) { 1089 /* FOOBAR */ 1090 return (NULL); 1091 } 1092 /* pre-reserve some space */ 1093 op_err->m_data += sizeof(struct ip6_hdr); 1094 op_err->m_data += sizeof(struct sctphdr); 1095 op_err->m_data += sizeof(struct sctp_chunkhdr); 1096 /* Set the len */ 1097 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr); 1098 ph = mtod(op_err, struct sctp_paramhdr *); 1099 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1100 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1101 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1102 return (NULL); 1103 } 1104 /* 1105 * find and validate the INIT chunk in the cookie (peer's info) the 1106 * INIT should start after the cookie-echo header struct (chunk 1107 * header, state cookie header struct) 1108 */ 1109 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1110 1111 init_cp = (struct sctp_init_chunk *) 1112 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1113 (uint8_t *) & init_buf); 1114 if (init_cp == NULL) { 1115 /* could not pull a INIT chunk in cookie */ 1116 return (NULL); 1117 } 1118 chk_length = ntohs(init_cp->ch.chunk_length); 1119 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1120 return (NULL); 1121 } 1122 /* 1123 * find and validate the INIT-ACK chunk in the cookie (my info) the 1124 * INIT-ACK follows the INIT chunk 1125 */ 1126 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1127 initack_cp = (struct sctp_init_ack_chunk *) 1128 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1129 (uint8_t *) & initack_buf); 1130 if (initack_cp == NULL) { 1131 /* could not pull INIT-ACK chunk in cookie */ 1132 return (NULL); 1133 } 1134 chk_length = ntohs(initack_cp->ch.chunk_length); 1135 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1136 return (NULL); 1137 } 1138 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1139 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1140 /* 1141 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1142 * to get into the OPEN state 1143 */ 1144 switch SCTP_GET_STATE 1145 (asoc) { 1146 case SCTP_STATE_COOKIE_WAIT: 1147 /* 1148 * INIT was sent, but got got a COOKIE_ECHO with the 1149 * correct tags... just accept it... 1150 */ 1151 /* First we must process the INIT !! */ 1152 retval = sctp_process_init(init_cp, stcb, net); 1153 if (retval < 0) { 1154 return (NULL); 1155 } 1156 /* intentional fall through to below... */ 1157 1158 case SCTP_STATE_COOKIE_ECHOED: 1159 /* Duplicate INIT case */ 1160 /* we have already processed the INIT so no problem */ 1161 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1162 net); 1163 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1164 sctp_stop_all_cookie_timers(stcb); 1165 /* update current state */ 1166 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1167 asoc->state = SCTP_STATE_OPEN | 1168 SCTP_STATE_SHUTDOWN_PENDING; 1169 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1170 stcb->sctp_ep, stcb, asoc->primary_destination); 1171 1172 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { 1173 /* if ok, move to OPEN state */ 1174 asoc->state = SCTP_STATE_OPEN; 1175 } 1176 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1177 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1178 (inp->sctp_socket->so_qlimit == 0) 1179 ) { 1180 /* 1181 * Here is where collision would go if we 1182 * did a connect() and instead got a 1183 * init/init-ack/cookie done before the 1184 * init-ack came back.. 1185 */ 1186 stcb->sctp_ep->sctp_flags |= 1187 SCTP_PCB_FLAGS_CONNECTED; 1188 soisconnected(stcb->sctp_ep->sctp_socket); 1189 } 1190 /* notify upper layer */ 1191 *notification = SCTP_NOTIFY_ASSOC_UP; 1192 /* 1193 * since we did not send a HB make sure we don't 1194 * double things 1195 */ 1196 net->hb_responded = 1; 1197 1198 if (stcb->asoc.sctp_autoclose_ticks && 1199 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1200 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1201 inp, stcb, NULL); 1202 } 1203 break; 1204 default: 1205 /* 1206 * we're in the OPEN state (or beyond), so peer must 1207 * have simply lost the COOKIE-ACK 1208 */ 1209 break; 1210 } /* end switch */ 1211 1212 /* 1213 * We ignore the return code here.. not sure if we should 1214 * somehow abort.. but we do have an existing asoc. This 1215 * really should not fail. 1216 */ 1217 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1218 init_offset + sizeof(struct sctp_init_chunk), 1219 initack_offset, sh, init_src)) { 1220 return (NULL); 1221 } 1222 /* respond with a COOKIE-ACK */ 1223 sctp_send_cookie_ack(stcb); 1224 return (stcb); 1225 } /* end if */ 1226 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1227 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1228 cookie->tie_tag_my_vtag == 0 && 1229 cookie->tie_tag_peer_vtag == 0) { 1230 /* 1231 * case C in Section 5.2.4 Table 2: XMOO silently discard 1232 */ 1233 return (NULL); 1234 } 1235 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1236 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1237 init_cp->init.initiate_tag == 0)) { 1238 /* 1239 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1240 * should be ok, re-accept peer info 1241 */ 1242 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1243 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1244 sctp_stop_all_cookie_timers(stcb); 1245 /* 1246 * since we did not send a HB make sure we don't double 1247 * things 1248 */ 1249 net->hb_responded = 1; 1250 if (stcb->asoc.sctp_autoclose_ticks && 1251 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1252 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1253 NULL); 1254 } 1255 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1256 asoc->pre_open_streams = 1257 ntohs(initack_cp->init.num_outbound_streams); 1258 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1259 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1260 asoc->init_seq_number; 1261 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1262 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1263 asoc->str_reset_seq_in = asoc->init_seq_number; 1264 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1265 1266 /* process the INIT info (peer's info) */ 1267 retval = sctp_process_init(init_cp, stcb, net); 1268 if (retval < 0) { 1269 return (NULL); 1270 } 1271 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1272 init_offset + sizeof(struct sctp_init_chunk), 1273 initack_offset, sh, init_src)) { 1274 return (NULL); 1275 } 1276 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1277 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1278 *notification = SCTP_NOTIFY_ASSOC_UP; 1279 1280 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1281 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1282 (inp->sctp_socket->so_qlimit == 0)) { 1283 stcb->sctp_ep->sctp_flags |= 1284 SCTP_PCB_FLAGS_CONNECTED; 1285 soisconnected(stcb->sctp_ep->sctp_socket); 1286 } 1287 } 1288 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1289 asoc->state = SCTP_STATE_OPEN | 1290 SCTP_STATE_SHUTDOWN_PENDING; 1291 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1292 stcb->sctp_ep, stcb, asoc->primary_destination); 1293 1294 } else { 1295 asoc->state = SCTP_STATE_OPEN; 1296 } 1297 sctp_stop_all_cookie_timers(stcb); 1298 sctp_send_cookie_ack(stcb); 1299 return (stcb); 1300 } 1301 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1302 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1303 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1304 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1305 cookie->tie_tag_peer_vtag != 0) { 1306 struct sctpasochead *head; 1307 1308 /* 1309 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1310 */ 1311 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1312 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1313 *sac_assoc_id = sctp_get_associd(stcb); 1314 /* notify upper layer */ 1315 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1316 1317 1318 /* send up all the data */ 1319 sctp_report_all_outbound(stcb); 1320 1321 /* process the INIT-ACK info (my info) */ 1322 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1323 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1324 1325 /* pull from vtag hash */ 1326 LIST_REMOVE(stcb, sctp_asocs); 1327 /* re-insert to new vtag position */ 1328 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1329 sctppcbinfo.hashasocmark)]; 1330 /* 1331 * put it in the bucket in the vtag hash of assoc's for the 1332 * system 1333 */ 1334 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1335 1336 /* Is this the first restart? */ 1337 if (stcb->asoc.in_restart_hash == 0) { 1338 /* Ok add it to assoc_id vtag hash */ 1339 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1340 sctppcbinfo.hashrestartmark)]; 1341 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1342 stcb->asoc.in_restart_hash = 1; 1343 } 1344 asoc->pre_open_streams = 1345 ntohs(initack_cp->init.num_outbound_streams); 1346 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1347 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1348 1349 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1350 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1351 1352 asoc->str_reset_seq_in = asoc->init_seq_number; 1353 1354 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1355 if (asoc->mapping_array) 1356 memset(asoc->mapping_array, 0, 1357 asoc->mapping_array_size); 1358 /* process the INIT info (peer's info) */ 1359 retval = sctp_process_init(init_cp, stcb, net); 1360 if (retval < 0) { 1361 return (NULL); 1362 } 1363 /* 1364 * since we did not send a HB make sure we don't double 1365 * things 1366 */ 1367 net->hb_responded = 1; 1368 1369 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1370 init_offset + sizeof(struct sctp_init_chunk), 1371 initack_offset, sh, init_src)) { 1372 return (NULL); 1373 } 1374 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1375 asoc->state = SCTP_STATE_OPEN | 1376 SCTP_STATE_SHUTDOWN_PENDING; 1377 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1378 stcb->sctp_ep, stcb, asoc->primary_destination); 1379 1380 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1381 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1382 asoc->state = SCTP_STATE_OPEN; 1383 } 1384 /* respond with a COOKIE-ACK */ 1385 sctp_stop_all_cookie_timers(stcb); 1386 sctp_send_cookie_ack(stcb); 1387 1388 return (stcb); 1389 } 1390 /* if we are not a restart we need the assoc_id field pop'd */ 1391 asoc->assoc_id = ntohl(initack_cp->init.initiate_tag); 1392 1393 /* all other cases... */ 1394 return (NULL); 1395} 1396 1397/* 1398 * handle a state cookie for a new association m: input packet mbuf chain-- 1399 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1400 * and the cookie signature does not exist offset: offset into mbuf to the 1401 * cookie-echo chunk length: length of the cookie chunk to: where the init 1402 * was from returns a new TCB 1403 */ 1404static struct sctp_tcb * 1405sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1406 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1407 struct sctp_inpcb *inp, struct sctp_nets **netp, 1408 struct sockaddr *init_src, int *notification, 1409 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1410{ 1411 struct sctp_tcb *stcb; 1412 struct sctp_init_chunk *init_cp, init_buf; 1413 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1414 struct sockaddr_storage sa_store; 1415 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1416 struct sockaddr_in *sin; 1417 struct sockaddr_in6 *sin6; 1418 struct sctp_association *asoc; 1419 int chk_length; 1420 int init_offset, initack_offset, initack_limit; 1421 int retval; 1422 int error = 0; 1423 uint32_t old_tag; 1424 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 1425 1426 /* 1427 * find and validate the INIT chunk in the cookie (peer's info) the 1428 * INIT should start after the cookie-echo header struct (chunk 1429 * header, state cookie header struct) 1430 */ 1431 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1432 init_cp = (struct sctp_init_chunk *) 1433 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1434 (uint8_t *) & init_buf); 1435 if (init_cp == NULL) { 1436 /* could not pull a INIT chunk in cookie */ 1437#ifdef SCTP_DEBUG 1438 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1439 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1440 } 1441#endif /* SCTP_DEBUG */ 1442 return (NULL); 1443 } 1444 chk_length = ntohs(init_cp->ch.chunk_length); 1445 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1446#ifdef SCTP_DEBUG 1447 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1448 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1449 } 1450#endif /* SCTP_DEBUG */ 1451 return (NULL); 1452 } 1453 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1454 /* 1455 * find and validate the INIT-ACK chunk in the cookie (my info) the 1456 * INIT-ACK follows the INIT chunk 1457 */ 1458 initack_cp = (struct sctp_init_ack_chunk *) 1459 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1460 (uint8_t *) & initack_buf); 1461 if (initack_cp == NULL) { 1462 /* could not pull INIT-ACK chunk in cookie */ 1463#ifdef SCTP_DEBUG 1464 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1465 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1466 } 1467#endif /* SCTP_DEBUG */ 1468 return (NULL); 1469 } 1470 chk_length = ntohs(initack_cp->ch.chunk_length); 1471 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1472 return (NULL); 1473 } 1474 /* 1475 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1476 * "initack_limit" value. This is because the chk_length field 1477 * includes the length of the cookie, but the cookie is omitted when 1478 * the INIT and INIT_ACK are tacked onto the cookie... 1479 */ 1480 initack_limit = offset + cookie_len; 1481 1482 /* 1483 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1484 * and popluate 1485 */ 1486 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1487 ntohl(initack_cp->init.initiate_tag)); 1488 if (stcb == NULL) { 1489 struct mbuf *op_err; 1490 1491 /* memory problem? */ 1492#ifdef SCTP_DEBUG 1493 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1494 printf("process_cookie_new: no room for another TCB!\n"); 1495 } 1496#endif /* SCTP_DEBUG */ 1497 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1498 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1499 sh, op_err); 1500 return (NULL); 1501 } 1502 /* get the correct sctp_nets */ 1503 *netp = sctp_findnet(stcb, init_src); 1504 asoc = &stcb->asoc; 1505 /* get scope variables out of cookie */ 1506 asoc->ipv4_local_scope = cookie->ipv4_scope; 1507 asoc->site_scope = cookie->site_scope; 1508 asoc->local_scope = cookie->local_scope; 1509 asoc->loopback_scope = cookie->loopback_scope; 1510 1511 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1512 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1513 struct mbuf *op_err; 1514 1515 /* 1516 * Houston we have a problem. The EP changed while the 1517 * cookie was in flight. Only recourse is to abort the 1518 * association. 1519 */ 1520 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1521 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1522 sh, op_err); 1523 return (NULL); 1524 } 1525 /* process the INIT-ACK info (my info) */ 1526 old_tag = asoc->my_vtag; 1527 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1528 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1529 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1530 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1531 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1532 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1533 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1534 asoc->str_reset_seq_in = asoc->init_seq_number; 1535 1536 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1537 1538 /* process the INIT info (peer's info) */ 1539 retval = sctp_process_init(init_cp, stcb, *netp); 1540 if (retval < 0) { 1541 sctp_free_assoc(inp, stcb, 0); 1542 return (NULL); 1543 } 1544 /* load all addresses */ 1545 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1546 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1547 init_src)) { 1548 sctp_free_assoc(inp, stcb, 0); 1549 return (NULL); 1550 } 1551 /* 1552 * verify any preceding AUTH chunk that was skipped 1553 */ 1554 /* pull the local authentication parameters from the cookie/init-ack */ 1555 sctp_auth_get_cookie_params(stcb, m, 1556 initack_offset + sizeof(struct sctp_init_ack_chunk), 1557 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1558 if (auth_skipped) { 1559 struct sctp_auth_chunk *auth; 1560 1561 auth = (struct sctp_auth_chunk *) 1562 sctp_m_getptr(m, auth_offset, auth_len, chunk_buf); 1563 if (sctp_handle_auth(stcb, auth, m, auth_offset)) { 1564 /* auth HMAC failed, dump the assoc and packet */ 1565#ifdef SCTP_DEBUG 1566 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 1567 printf("COOKIE-ECHO: AUTH failed\n"); 1568#endif /* SCTP_DEBUG */ 1569 sctp_free_assoc(inp, stcb, 0); 1570 return (NULL); 1571 } else { 1572 /* remaining chunks checked... good to go */ 1573 stcb->asoc.authenticated = 1; 1574 } 1575 } 1576 /* update current state */ 1577#ifdef SCTP_DEBUG 1578 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1579 printf("moving to OPEN state\n"); 1580 } 1581#endif 1582 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1583 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1584 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1585 stcb->sctp_ep, stcb, asoc->primary_destination); 1586 } else { 1587 asoc->state = SCTP_STATE_OPEN; 1588 } 1589 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1590 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1591 sctp_stop_all_cookie_timers(stcb); 1592 /* calculate the RTT */ 1593 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1594 &cookie->time_entered); 1595 1596 /* 1597 * if we're doing ASCONFs, check to see if we have any new local 1598 * addresses that need to get added to the peer (eg. addresses 1599 * changed while cookie echo in flight). This needs to be done 1600 * after we go to the OPEN state to do the correct asconf 1601 * processing. else, make sure we have the correct addresses in our 1602 * lists 1603 */ 1604 1605 /* warning, we re-use sin, sin6, sa_store here! */ 1606 /* pull in local_address (our "from" address) */ 1607 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1608 /* source addr is IPv4 */ 1609 sin = (struct sockaddr_in *)initack_src; 1610 memset(sin, 0, sizeof(*sin)); 1611 sin->sin_family = AF_INET; 1612 sin->sin_len = sizeof(struct sockaddr_in); 1613 sin->sin_addr.s_addr = cookie->laddress[0]; 1614 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1615 /* source addr is IPv6 */ 1616 sin6 = (struct sockaddr_in6 *)initack_src; 1617 memset(sin6, 0, sizeof(*sin6)); 1618 sin6->sin6_family = AF_INET6; 1619 sin6->sin6_len = sizeof(struct sockaddr_in6); 1620 sin6->sin6_scope_id = cookie->scope_id; 1621 memcpy(&sin6->sin6_addr, cookie->laddress, 1622 sizeof(sin6->sin6_addr)); 1623 } else { 1624 sctp_free_assoc(inp, stcb, 0); 1625 return (NULL); 1626 } 1627 1628 sctp_check_address_list(stcb, m, 1629 initack_offset + sizeof(struct sctp_init_ack_chunk), 1630 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1631 initack_src, cookie->local_scope, cookie->site_scope, 1632 cookie->ipv4_scope, cookie->loopback_scope); 1633 1634 1635 /* set up to notify upper layer */ 1636 *notification = SCTP_NOTIFY_ASSOC_UP; 1637 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1638 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1639 (inp->sctp_socket->so_qlimit == 0)) { 1640 /* 1641 * This is an endpoint that called connect() how it got a 1642 * cookie that is NEW is a bit of a mystery. It must be that 1643 * the INIT was sent, but before it got there.. a complete 1644 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1645 * should have went to the other code.. not here.. oh well.. 1646 * a bit of protection is worth having.. 1647 */ 1648 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1649 soisconnected(stcb->sctp_ep->sctp_socket); 1650 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1651 (inp->sctp_socket->so_qlimit)) { 1652 /* 1653 * We don't want to do anything with this one. Since it is 1654 * the listening guy. The timer will get started for 1655 * accepted connections in the caller. 1656 */ 1657 ; 1658 } 1659 /* since we did not send a HB make sure we don't double things */ 1660 (*netp)->hb_responded = 1; 1661 1662 if (stcb->asoc.sctp_autoclose_ticks && 1663 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1664 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1665 } 1666 /* respond with a COOKIE-ACK */ 1667 sctp_send_cookie_ack(stcb); 1668 return (stcb); 1669} 1670 1671 1672/* 1673 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1674 * existing (non-NULL) TCB 1675 */ 1676static struct mbuf * 1677sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1678 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1679 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1680 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1681{ 1682 struct sctp_state_cookie *cookie; 1683 struct sockaddr_in6 sin6; 1684 struct sockaddr_in sin; 1685 struct sctp_tcb *l_stcb = *stcb; 1686 struct sctp_inpcb *l_inp; 1687 struct sockaddr *to; 1688 sctp_assoc_t sac_restart_id; 1689 struct sctp_pcb *ep; 1690 struct mbuf *m_sig; 1691 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1692 uint8_t *sig; 1693 uint8_t cookie_ok = 0; 1694 unsigned int size_of_pkt, sig_offset, cookie_offset; 1695 unsigned int cookie_len; 1696 struct timeval now; 1697 struct timeval time_expires; 1698 struct sockaddr_storage dest_store; 1699 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1700 struct ip *iph; 1701 int notification = 0; 1702 struct sctp_nets *netl; 1703 int had_a_existing_tcb = 0; 1704 1705#ifdef SCTP_DEBUG 1706 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1707 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1708 } 1709#endif 1710 1711 if (inp_p == NULL) { 1712 return (NULL); 1713 } 1714 /* First get the destination address setup too. */ 1715 iph = mtod(m, struct ip *); 1716 if (iph->ip_v == IPVERSION) { 1717 /* its IPv4 */ 1718 struct sockaddr_in *sin; 1719 1720 sin = (struct sockaddr_in *)(localep_sa); 1721 memset(sin, 0, sizeof(*sin)); 1722 sin->sin_family = AF_INET; 1723 sin->sin_len = sizeof(*sin); 1724 sin->sin_port = sh->dest_port; 1725 sin->sin_addr.s_addr = iph->ip_dst.s_addr; 1726 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1727 /* its IPv6 */ 1728 struct ip6_hdr *ip6; 1729 struct sockaddr_in6 *sin6; 1730 1731 sin6 = (struct sockaddr_in6 *)(localep_sa); 1732 memset(sin6, 0, sizeof(*sin6)); 1733 sin6->sin6_family = AF_INET6; 1734 sin6->sin6_len = sizeof(struct sockaddr_in6); 1735 ip6 = mtod(m, struct ip6_hdr *); 1736 sin6->sin6_port = sh->dest_port; 1737 sin6->sin6_addr = ip6->ip6_dst; 1738 } else { 1739 return (NULL); 1740 } 1741 1742 cookie = &cp->cookie; 1743 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1744 cookie_len = ntohs(cp->ch.chunk_length); 1745 1746 if ((cookie->peerport != sh->src_port) && 1747 (cookie->myport != sh->dest_port) && 1748 (cookie->my_vtag != sh->v_tag)) { 1749 /* 1750 * invalid ports or bad tag. Note that we always leave the 1751 * v_tag in the header in network order and when we stored 1752 * it in the my_vtag slot we also left it in network order. 1753 * This maintians the match even though it may be in the 1754 * opposite byte order of the machine :-> 1755 */ 1756 return (NULL); 1757 } 1758 /* compute size of packet */ 1759 if (m->m_flags & M_PKTHDR) { 1760 size_of_pkt = m->m_pkthdr.len; 1761 } else { 1762 /* Should have a pkt hdr really */ 1763 struct mbuf *mat; 1764 1765 mat = m; 1766 size_of_pkt = 0; 1767 while (mat != NULL) { 1768 size_of_pkt += mat->m_len; 1769 mat = mat->m_next; 1770 } 1771 } 1772 if (cookie_len > size_of_pkt || 1773 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1774 sizeof(struct sctp_init_chunk) + 1775 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1776 /* cookie too long! or too small */ 1777 return (NULL); 1778 } 1779 /* 1780 * split off the signature into its own mbuf (since it should not be 1781 * calculated in the sctp_hmac_m() call). 1782 */ 1783 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1784 if (sig_offset > size_of_pkt) { 1785 /* packet not correct size! */ 1786 /* XXX this may already be accounted for earlier... */ 1787 return (NULL); 1788 } 1789 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1790 if (m_sig == NULL) { 1791 /* out of memory or ?? */ 1792 return (NULL); 1793 } 1794 /* 1795 * compute the signature/digest for the cookie 1796 */ 1797 ep = &(*inp_p)->sctp_ep; 1798 l_inp = *inp_p; 1799 if (l_stcb) { 1800 SCTP_TCB_UNLOCK(l_stcb); 1801 } 1802 SCTP_INP_RLOCK(l_inp); 1803 if (l_stcb) { 1804 SCTP_TCB_LOCK(l_stcb); 1805 } 1806 /* which cookie is it? */ 1807 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1808 (ep->current_secret_number != ep->last_secret_number)) { 1809 /* it's the old cookie */ 1810 sctp_hmac_m(SCTP_HMAC, 1811 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1812 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1813 } else { 1814 /* it's the current cookie */ 1815 sctp_hmac_m(SCTP_HMAC, 1816 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1817 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1818 } 1819 /* get the signature */ 1820 SCTP_INP_RUNLOCK(l_inp); 1821 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1822 if (sig == NULL) { 1823 /* couldn't find signature */ 1824 return (NULL); 1825 } 1826 /* compare the received digest with the computed digest */ 1827 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1828 /* try the old cookie? */ 1829 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1830 (ep->current_secret_number != ep->last_secret_number)) { 1831 /* compute digest with old */ 1832 sctp_hmac_m(SCTP_HMAC, 1833 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1834 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1835 /* compare */ 1836 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1837 cookie_ok = 1; 1838 } 1839 } else { 1840 cookie_ok = 1; 1841 } 1842 1843 /* 1844 * Now before we continue we must reconstruct our mbuf so that 1845 * normal processing of any other chunks will work. 1846 */ 1847 { 1848 struct mbuf *m_at; 1849 1850 m_at = m; 1851 while (m_at->m_next != NULL) { 1852 m_at = m_at->m_next; 1853 } 1854 m_at->m_next = m_sig; 1855 if (m->m_flags & M_PKTHDR) { 1856 /* 1857 * We should only do this if and only if the front 1858 * mbuf has a m_pkthdr... it should in theory. 1859 */ 1860 if (m_sig->m_flags & M_PKTHDR) { 1861 /* Add back to the pkt hdr of main m chain */ 1862 m->m_pkthdr.len += m_sig->m_pkthdr.len; 1863 } else { 1864 /* 1865 * Got a problem, no pkthdr in split chain. 1866 * TSNH but we will handle it just in case 1867 */ 1868 int mmlen = 0; 1869 struct mbuf *lat; 1870 1871 printf("Warning: Hitting m_split join TSNH code - fixed\n"); 1872 lat = m_sig; 1873 while (lat) { 1874 mmlen += lat->m_len; 1875 lat = lat->m_next; 1876 } 1877 m->m_pkthdr.len += mmlen; 1878 } 1879 } 1880 } 1881 1882 if (cookie_ok == 0) { 1883#ifdef SCTP_DEBUG 1884 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1885 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1886 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1887 (uint32_t) offset, cookie_offset, sig_offset); 1888 } 1889#endif 1890 return (NULL); 1891 } 1892 /* 1893 * check the cookie timestamps to be sure it's not stale 1894 */ 1895 SCTP_GETTIME_TIMEVAL(&now); 1896 /* Expire time is in Ticks, so we convert to seconds */ 1897 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 1898 time_expires.tv_usec = cookie->time_entered.tv_usec; 1899 if (timevalcmp(&now, &time_expires, >)) { 1900 /* cookie is stale! */ 1901 struct mbuf *op_err; 1902 struct sctp_stale_cookie_msg *scm; 1903 uint32_t tim; 1904 1905 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 1906 1, M_DONTWAIT, 1, MT_DATA); 1907 if (op_err == NULL) { 1908 /* FOOBAR */ 1909 return (NULL); 1910 } 1911 /* pre-reserve some space */ 1912 op_err->m_data += sizeof(struct ip6_hdr); 1913 op_err->m_data += sizeof(struct sctphdr); 1914 op_err->m_data += sizeof(struct sctp_chunkhdr); 1915 1916 /* Set the len */ 1917 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg); 1918 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1919 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1920 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1921 (sizeof(uint32_t)))); 1922 /* seconds to usec */ 1923 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 1924 /* add in usec */ 1925 if (tim == 0) 1926 tim = now.tv_usec - cookie->time_entered.tv_usec; 1927 scm->time_usec = htonl(tim); 1928 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1929 return (NULL); 1930 } 1931 /* 1932 * Now we must see with the lookup address if we have an existing 1933 * asoc. This will only happen if we were in the COOKIE-WAIT state 1934 * and a INIT collided with us and somewhere the peer sent the 1935 * cookie on another address besides the single address our assoc 1936 * had for him. In this case we will have one of the tie-tags set at 1937 * least AND the address field in the cookie can be used to look it 1938 * up. 1939 */ 1940 to = NULL; 1941 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 1942 memset(&sin6, 0, sizeof(sin6)); 1943 sin6.sin6_family = AF_INET6; 1944 sin6.sin6_len = sizeof(sin6); 1945 sin6.sin6_port = sh->src_port; 1946 sin6.sin6_scope_id = cookie->scope_id; 1947 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 1948 sizeof(sin6.sin6_addr.s6_addr)); 1949 to = (struct sockaddr *)&sin6; 1950 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 1951 memset(&sin, 0, sizeof(sin)); 1952 sin.sin_family = AF_INET; 1953 sin.sin_len = sizeof(sin); 1954 sin.sin_port = sh->src_port; 1955 sin.sin_addr.s_addr = cookie->address[0]; 1956 to = (struct sockaddr *)&sin; 1957 } 1958 if ((*stcb == NULL) && to) { 1959 /* Yep, lets check */ 1960 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 1961 if (*stcb == NULL) { 1962 /* 1963 * We should have only got back the same inp. If we 1964 * got back a different ep we have a problem. The 1965 * original findep got back l_inp and now 1966 */ 1967 if (l_inp != *inp_p) { 1968 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 1969 } 1970 } 1971 } 1972 cookie_len -= SCTP_SIGNATURE_SIZE; 1973 if (*stcb == NULL) { 1974 /* this is the "normal" case... get a new TCB */ 1975 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 1976 cookie_len, *inp_p, netp, to, ¬ification, 1977 auth_skipped, auth_offset, auth_len); 1978 } else { 1979 /* this is abnormal... cookie-echo on existing TCB */ 1980 had_a_existing_tcb = 1; 1981 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 1982 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, 1983 &sac_restart_id); 1984 } 1985 1986 if (*stcb == NULL) { 1987 /* still no TCB... must be bad cookie-echo */ 1988 return (NULL); 1989 } 1990 /* 1991 * Ok, we built an association so confirm the address we sent the 1992 * INIT-ACK to. 1993 */ 1994 netl = sctp_findnet(*stcb, to); 1995 /* 1996 * This code should in theory NOT run but 1997 */ 1998 if (netl == NULL) { 1999 /* TSNH! Huh, why do I need to add this address here? */ 2000 int ret; 2001 2002 ret = sctp_add_remote_addr(*stcb, to, 0, 100); 2003 netl = sctp_findnet(*stcb, to); 2004 } 2005 if (netl) { 2006 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2007 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2008 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2009 netl); 2010 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2011 (*stcb), 0, (void *)netl); 2012 } 2013 } 2014 if (*stcb) { 2015 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2016 *stcb, NULL); 2017 } 2018 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2019 if (!had_a_existing_tcb || 2020 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2021 /* 2022 * If we have a NEW cookie or the connect never 2023 * reached the connected state during collision we 2024 * must do the TCP accept thing. 2025 */ 2026 struct socket *so, *oso; 2027 struct sctp_inpcb *inp; 2028 2029 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2030 /* 2031 * For a restart we will keep the same 2032 * socket, no need to do anything. I THINK!! 2033 */ 2034 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2035 return (m); 2036 } 2037 oso = (*inp_p)->sctp_socket; 2038 /* 2039 * We do this to keep the sockets side happy durin 2040 * the sonewcon ONLY. 2041 */ 2042 NET_LOCK_GIANT(); 2043 SCTP_TCB_UNLOCK((*stcb)); 2044 so = sonewconn(oso, SS_ISCONNECTED 2045 ); 2046 NET_UNLOCK_GIANT(); 2047 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2048 SCTP_TCB_LOCK((*stcb)); 2049 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2050 if (so == NULL) { 2051 struct mbuf *op_err; 2052 2053 /* Too many sockets */ 2054#ifdef SCTP_DEBUG 2055 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2056 printf("process_cookie_new: no room for another socket!\n"); 2057 } 2058#endif /* SCTP_DEBUG */ 2059 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2060 sctp_abort_association(*inp_p, NULL, m, iphlen, 2061 sh, op_err); 2062 sctp_free_assoc(*inp_p, *stcb, 0); 2063 return (NULL); 2064 } 2065 inp = (struct sctp_inpcb *)so->so_pcb; 2066 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2067 SCTP_PCB_FLAGS_CONNECTED | 2068 SCTP_PCB_FLAGS_IN_TCPPOOL | 2069 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2070 SCTP_PCB_FLAGS_DONT_WAKE); 2071 inp->sctp_features = (*inp_p)->sctp_features; 2072 inp->sctp_socket = so; 2073 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2074 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2075 inp->sctp_context = (*inp_p)->sctp_context; 2076 inp->inp_starting_point_for_iterator = NULL; 2077 /* 2078 * copy in the authentication parameters from the 2079 * original endpoint 2080 */ 2081 if (inp->sctp_ep.local_hmacs) 2082 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2083 inp->sctp_ep.local_hmacs = 2084 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2085 if (inp->sctp_ep.local_auth_chunks) 2086 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2087 inp->sctp_ep.local_auth_chunks = 2088 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2089 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2090 &inp->sctp_ep.shared_keys); 2091 2092 /* 2093 * Now we must move it from one hash table to 2094 * another and get the tcb in the right place. 2095 */ 2096 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2097 2098 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb); 2099 2100 /* Switch over to the new guy */ 2101 *inp_p = inp; 2102 2103 sctp_ulp_notify(notification, *stcb, 0, NULL); 2104 return (m); 2105 } 2106 } 2107 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2108 sctp_ulp_notify(notification, *stcb, 0, NULL); 2109 } 2110 return (m); 2111} 2112 2113static void 2114sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2115 struct sctp_tcb *stcb, struct sctp_nets *net) 2116{ 2117 /* cp must not be used, others call this without a c-ack :-) */ 2118 struct sctp_association *asoc; 2119 2120#ifdef SCTP_DEBUG 2121 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2122 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2123 } 2124#endif 2125 if (stcb == NULL) 2126 return; 2127 2128 asoc = &stcb->asoc; 2129 2130 sctp_stop_all_cookie_timers(stcb); 2131 /* process according to association state */ 2132 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2133 /* state change only needed when I am in right state */ 2134#ifdef SCTP_DEBUG 2135 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2136 printf("moving to OPEN state\n"); 2137 } 2138#endif 2139 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2140 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2141 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2142 stcb->sctp_ep, stcb, asoc->primary_destination); 2143 2144 } else { 2145 asoc->state = SCTP_STATE_OPEN; 2146 } 2147 /* update RTO */ 2148 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2149 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2150 if (asoc->overall_error_count == 0) { 2151 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2152 &asoc->time_entered); 2153 } 2154 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2155 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2156 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2157 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2158 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2159 soisconnected(stcb->sctp_ep->sctp_socket); 2160 } 2161 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2162 stcb, net); 2163 /* 2164 * since we did not send a HB make sure we don't double 2165 * things 2166 */ 2167 net->hb_responded = 1; 2168 2169 if (stcb->asoc.sctp_autoclose_ticks && 2170 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2171 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2172 stcb->sctp_ep, stcb, NULL); 2173 } 2174 /* 2175 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2176 * addresses changed when init/cookie echo in flight) 2177 */ 2178 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2179 (stcb->asoc.peer_supports_asconf) && 2180 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2181 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2182 stcb->sctp_ep, stcb, 2183 stcb->asoc.primary_destination); 2184 } 2185 } 2186 /* Toss the cookie if I can */ 2187 sctp_toss_old_cookies(stcb, asoc); 2188 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2189 /* Restart the timer if we have pending data */ 2190 struct sctp_tmit_chunk *chk; 2191 2192 chk = TAILQ_FIRST(&asoc->sent_queue); 2193 if (chk) { 2194 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2195 stcb, chk->whoTo); 2196 } 2197 } 2198} 2199 2200static void 2201sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2202 struct sctp_tcb *stcb) 2203{ 2204 struct sctp_nets *net; 2205 struct sctp_tmit_chunk *lchk; 2206 uint32_t tsn; 2207 2208 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2209 return; 2210 } 2211 SCTP_STAT_INCR(sctps_recvecne); 2212 tsn = ntohl(cp->tsn); 2213 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2214 /* Also we make sure we disable the nonce_wait */ 2215 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2216 if (lchk == NULL) { 2217 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2218 } else { 2219 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2220 } 2221 stcb->asoc.nonce_wait_for_ecne = 0; 2222 stcb->asoc.nonce_sum_check = 0; 2223 2224 /* Find where it was sent, if possible */ 2225 net = NULL; 2226 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2227 while (lchk) { 2228 if (lchk->rec.data.TSN_seq == tsn) { 2229 net = lchk->whoTo; 2230 break; 2231 } 2232 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2233 break; 2234 lchk = TAILQ_NEXT(lchk, sctp_next); 2235 } 2236 if (net == NULL) 2237 /* default is we use the primary */ 2238 net = stcb->asoc.primary_destination; 2239 2240 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2241#ifdef SCTP_CWND_MONITOR 2242 int old_cwnd; 2243 2244 old_cwnd = net->cwnd; 2245#endif 2246 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2247 net->ssthresh = net->cwnd / 2; 2248 if (net->ssthresh < net->mtu) { 2249 net->ssthresh = net->mtu; 2250 /* here back off the timer as well, to slow us down */ 2251 net->RTO <<= 2; 2252 } 2253 net->cwnd = net->ssthresh; 2254#ifdef SCTP_CWND_MONITOR 2255 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2256#endif 2257 /* 2258 * we reduce once every RTT. So we will only lower cwnd at 2259 * the next sending seq i.e. the resync_tsn. 2260 */ 2261 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2262 } 2263 /* 2264 * We always send a CWR this way if our previous one was lost our 2265 * peer will get an update, or if it is not time again to reduce we 2266 * still get the cwr to the peer. 2267 */ 2268 sctp_send_cwr(stcb, net, tsn); 2269} 2270 2271static void 2272sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2273{ 2274 /* 2275 * Here we get a CWR from the peer. We must look in the outqueue and 2276 * make sure that we have a covered ECNE in teh control chunk part. 2277 * If so remove it. 2278 */ 2279 struct sctp_tmit_chunk *chk; 2280 struct sctp_ecne_chunk *ecne; 2281 2282 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2283 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2284 continue; 2285 } 2286 /* 2287 * Look for and remove if it is the right TSN. Since there 2288 * is only ONE ECNE on the control queue at any one time we 2289 * don't need to worry about more than one! 2290 */ 2291 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2292 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2293 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2294 /* this covers this ECNE, we can remove it */ 2295 stcb->asoc.ecn_echo_cnt_onq--; 2296 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2297 sctp_next); 2298 if (chk->data) { 2299 sctp_m_freem(chk->data); 2300 chk->data = NULL; 2301 } 2302 stcb->asoc.ctrl_queue_cnt--; 2303 sctp_free_remote_addr(chk->whoTo); 2304 sctp_free_a_chunk(stcb, chk); 2305 break; 2306 } 2307 } 2308} 2309 2310static void 2311sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2312 struct sctp_tcb *stcb, struct sctp_nets *net) 2313{ 2314 struct sctp_association *asoc; 2315 2316#ifdef SCTP_DEBUG 2317 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2318 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2319 } 2320#endif 2321 if (stcb == NULL) 2322 return; 2323 2324 asoc = &stcb->asoc; 2325 /* process according to association state */ 2326 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2327 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2328 SCTP_TCB_UNLOCK(stcb); 2329 return; 2330 } 2331 /* notify upper layer protocol */ 2332 if (stcb->sctp_socket) { 2333 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2334 /* are the queues empty? they should be */ 2335 if (!TAILQ_EMPTY(&asoc->send_queue) || 2336 !TAILQ_EMPTY(&asoc->sent_queue) || 2337 !TAILQ_EMPTY(&asoc->out_wheel)) { 2338 sctp_report_all_outbound(stcb); 2339 } 2340 } 2341 /* stop the timer */ 2342 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 2343 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2344 /* free the TCB */ 2345 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 2346 return; 2347} 2348 2349static int 2350process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2351 struct sctp_nets *net, uint8_t flg) 2352{ 2353 switch (desc->chunk_type) { 2354 case SCTP_DATA: 2355 /* find the tsn to resend (possibly */ 2356 { 2357 uint32_t tsn; 2358 struct sctp_tmit_chunk *tp1; 2359 2360 tsn = ntohl(desc->tsn_ifany); 2361 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2362 while (tp1) { 2363 if (tp1->rec.data.TSN_seq == tsn) { 2364 /* found it */ 2365 break; 2366 } 2367 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2368 MAX_TSN)) { 2369 /* not found */ 2370 tp1 = NULL; 2371 break; 2372 } 2373 tp1 = TAILQ_NEXT(tp1, sctp_next); 2374 } 2375 if (tp1 == NULL) { 2376 /* 2377 * Do it the other way , aka without paying 2378 * attention to queue seq order. 2379 */ 2380 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2381 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2382 while (tp1) { 2383 if (tp1->rec.data.TSN_seq == tsn) { 2384 /* found it */ 2385 break; 2386 } 2387 tp1 = TAILQ_NEXT(tp1, sctp_next); 2388 } 2389 } 2390 if (tp1 == NULL) { 2391 SCTP_STAT_INCR(sctps_pdrptsnnf); 2392 } 2393 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2394 uint8_t *ddp; 2395 2396 if ((stcb->asoc.peers_rwnd == 0) && 2397 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2398 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2399 return (0); 2400 } 2401 if (stcb->asoc.peers_rwnd == 0 && 2402 (flg & SCTP_FROM_MIDDLE_BOX)) { 2403 SCTP_STAT_INCR(sctps_pdrpdizrw); 2404 return (0); 2405 } 2406 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2407 sizeof(struct sctp_data_chunk)); 2408 { 2409 unsigned int iii; 2410 2411 for (iii = 0; iii < sizeof(desc->data_bytes); 2412 iii++) { 2413 if (ddp[iii] != desc->data_bytes[iii]) { 2414 SCTP_STAT_INCR(sctps_pdrpbadd); 2415 return (-1); 2416 } 2417 } 2418 } 2419 /* 2420 * We zero out the nonce so resync not 2421 * needed 2422 */ 2423 tp1->rec.data.ect_nonce = 0; 2424 2425 if (tp1->do_rtt) { 2426 /* 2427 * this guy had a RTO calculation 2428 * pending on it, cancel it 2429 */ 2430 tp1->whoTo->rto_pending = 0; 2431 tp1->do_rtt = 0; 2432 } 2433 SCTP_STAT_INCR(sctps_pdrpmark); 2434 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2435 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2436 tp1->sent = SCTP_DATAGRAM_RESEND; 2437 /* 2438 * mark it as if we were doing a FR, since 2439 * we will be getting gap ack reports behind 2440 * the info from the router. 2441 */ 2442 tp1->rec.data.doing_fast_retransmit = 1; 2443 /* 2444 * mark the tsn with what sequences can 2445 * cause a new FR. 2446 */ 2447 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2448 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2449 } else { 2450 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2451 } 2452 2453 /* restart the timer */ 2454 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2455 stcb, tp1->whoTo); 2456 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2457 stcb, tp1->whoTo); 2458 2459 /* fix counts and things */ 2460 if (tp1->whoTo->flight_size >= tp1->book_size) 2461 tp1->whoTo->flight_size -= tp1->book_size; 2462 else 2463 tp1->whoTo->flight_size = 0; 2464 2465 if (stcb->asoc.total_flight >= tp1->book_size) { 2466 stcb->asoc.total_flight -= tp1->book_size; 2467 if (stcb->asoc.total_flight_count > 0) 2468 stcb->asoc.total_flight_count--; 2469 } else { 2470 stcb->asoc.total_flight = 0; 2471 stcb->asoc.total_flight_count = 0; 2472 } 2473 tp1->snd_count--; 2474 } { 2475 /* audit code */ 2476 unsigned int audit; 2477 2478 audit = 0; 2479 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2480 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2481 audit++; 2482 } 2483 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2484 sctp_next) { 2485 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2486 audit++; 2487 } 2488 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2489 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2490 audit, stcb->asoc.sent_queue_retran_cnt); 2491#ifndef SCTP_AUDITING_ENABLED 2492 stcb->asoc.sent_queue_retran_cnt = audit; 2493#endif 2494 } 2495 } 2496 } 2497 break; 2498 case SCTP_ASCONF: 2499 { 2500 struct sctp_tmit_chunk *asconf; 2501 2502 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2503 sctp_next) { 2504 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2505 break; 2506 } 2507 } 2508 if (asconf) { 2509 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2510 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2511 asconf->sent = SCTP_DATAGRAM_RESEND; 2512 asconf->snd_count--; 2513 } 2514 } 2515 break; 2516 case SCTP_INITIATION: 2517 /* resend the INIT */ 2518 stcb->asoc.dropped_special_cnt++; 2519 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2520 /* 2521 * If we can get it in, in a few attempts we do 2522 * this, otherwise we let the timer fire. 2523 */ 2524 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2525 stcb, net); 2526 sctp_send_initiate(stcb->sctp_ep, stcb); 2527 } 2528 break; 2529 case SCTP_SELECTIVE_ACK: 2530 /* resend the sack */ 2531 sctp_send_sack(stcb); 2532 break; 2533 case SCTP_HEARTBEAT_REQUEST: 2534 /* resend a demand HB */ 2535 sctp_send_hb(stcb, 1, net); 2536 break; 2537 case SCTP_SHUTDOWN: 2538 sctp_send_shutdown(stcb, net); 2539 break; 2540 case SCTP_SHUTDOWN_ACK: 2541 sctp_send_shutdown_ack(stcb, net); 2542 break; 2543 case SCTP_COOKIE_ECHO: 2544 { 2545 struct sctp_tmit_chunk *cookie; 2546 2547 cookie = NULL; 2548 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2549 sctp_next) { 2550 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2551 break; 2552 } 2553 } 2554 if (cookie) { 2555 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2556 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2557 cookie->sent = SCTP_DATAGRAM_RESEND; 2558 sctp_stop_all_cookie_timers(stcb); 2559 } 2560 } 2561 break; 2562 case SCTP_COOKIE_ACK: 2563 sctp_send_cookie_ack(stcb); 2564 break; 2565 case SCTP_ASCONF_ACK: 2566 /* resend last asconf ack */ 2567 sctp_send_asconf_ack(stcb, 1); 2568 break; 2569 case SCTP_FORWARD_CUM_TSN: 2570 send_forward_tsn(stcb, &stcb->asoc); 2571 break; 2572 /* can't do anything with these */ 2573 case SCTP_PACKET_DROPPED: 2574 case SCTP_INITIATION_ACK: /* this should not happen */ 2575 case SCTP_HEARTBEAT_ACK: 2576 case SCTP_ABORT_ASSOCIATION: 2577 case SCTP_OPERATION_ERROR: 2578 case SCTP_SHUTDOWN_COMPLETE: 2579 case SCTP_ECN_ECHO: 2580 case SCTP_ECN_CWR: 2581 default: 2582 break; 2583 } 2584 return (0); 2585} 2586 2587void 2588sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2589{ 2590 int i; 2591 uint16_t temp; 2592 2593 /* 2594 * We set things to 0xffff since this is the last delivered sequence 2595 * and we will be sending in 0 after the reset. 2596 */ 2597 2598 if (number_entries) { 2599 for (i = 0; i < number_entries; i++) { 2600 temp = ntohs(list[i]); 2601 if (temp >= stcb->asoc.streamincnt) { 2602 continue; 2603 } 2604 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2605 } 2606 } else { 2607 list = NULL; 2608 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2609 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2610 } 2611 } 2612 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2613} 2614 2615static void 2616sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2617{ 2618 int i; 2619 2620 if (number_entries == 0) { 2621 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2622 stcb->asoc.strmout[i].next_sequence_sent = 0; 2623 } 2624 } else if (number_entries) { 2625 for (i = 0; i < number_entries; i++) { 2626 uint16_t temp; 2627 2628 temp = ntohs(list[i]); 2629 if (temp >= stcb->asoc.streamoutcnt) { 2630 /* no such stream */ 2631 continue; 2632 } 2633 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2634 } 2635 } 2636 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2637} 2638 2639 2640struct sctp_stream_reset_out_request * 2641sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2642{ 2643 struct sctp_association *asoc; 2644 struct sctp_stream_reset_out_req *req; 2645 struct sctp_stream_reset_out_request *r; 2646 struct sctp_tmit_chunk *chk; 2647 int len, clen; 2648 2649 asoc = &stcb->asoc; 2650 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2651 return (NULL); 2652 } 2653 if (stcb->asoc.str_reset == NULL) { 2654 return (NULL); 2655 } 2656 chk = stcb->asoc.str_reset; 2657 if (chk->data == NULL) { 2658 return (NULL); 2659 } 2660 if (bchk) { 2661 /* he wants a copy of the chk pointer */ 2662 *bchk = chk; 2663 } 2664 clen = chk->send_size; 2665 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2666 r = &req->sr_req; 2667 if (ntohl(r->request_seq) == seq) { 2668 /* found it */ 2669 return (r); 2670 } 2671 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2672 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2673 /* move to the next one, there can only be a max of two */ 2674 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2675 if (ntohl(r->request_seq) == seq) { 2676 return (r); 2677 } 2678 } 2679 /* that seq is not here */ 2680 return (NULL); 2681} 2682 2683static void 2684sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2685{ 2686 struct sctp_association *asoc; 2687 2688 asoc = &stcb->asoc; 2689 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2690 2691 if (stcb->asoc.str_reset == NULL) { 2692 return; 2693 } 2694 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2695 TAILQ_REMOVE(&asoc->control_send_queue, 2696 chk, 2697 sctp_next); 2698 if (chk->data) { 2699 sctp_m_freem(chk->data); 2700 chk->data = NULL; 2701 } 2702 asoc->ctrl_queue_cnt--; 2703 sctp_free_remote_addr(chk->whoTo); 2704 2705 sctp_free_a_chunk(stcb, chk); 2706 stcb->asoc.str_reset = NULL; 2707} 2708 2709 2710static int 2711sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2712 uint32_t seq, uint32_t action, 2713 struct sctp_stream_reset_response *respin 2714) 2715{ 2716 uint16_t type; 2717 int lparm_len; 2718 struct sctp_association *asoc = &stcb->asoc; 2719 struct sctp_tmit_chunk *chk; 2720 struct sctp_stream_reset_out_request *srparam; 2721 int number_entries; 2722 2723 if (asoc->stream_reset_outstanding == 0) { 2724 /* duplicate */ 2725 return (0); 2726 } 2727 if (seq == stcb->asoc.str_reset_seq_out) { 2728 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2729 if (srparam) { 2730 stcb->asoc.str_reset_seq_out++; 2731 type = ntohs(srparam->ph.param_type); 2732 lparm_len = ntohs(srparam->ph.param_length); 2733 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2734 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2735 asoc->stream_reset_out_is_outstanding = 0; 2736 if (asoc->stream_reset_outstanding) 2737 asoc->stream_reset_outstanding--; 2738 if (action == SCTP_STREAM_RESET_PERFORMED) { 2739 /* do it */ 2740 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2741 } else { 2742 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2743 } 2744 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2745 /* Answered my request */ 2746 if (asoc->stream_reset_outstanding) 2747 asoc->stream_reset_outstanding--; 2748 if (action != SCTP_STREAM_RESET_PERFORMED) { 2749 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2750 } 2751 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2752 /** 2753 * a) Adopt the new in tsn. 2754 * b) reset the map 2755 * c) Adopt the new out-tsn 2756 */ 2757 struct sctp_stream_reset_response_tsn *resp; 2758 struct sctp_forward_tsn_chunk fwdtsn; 2759 int abort_flag = 0; 2760 2761 if (respin == NULL) { 2762 /* huh ? */ 2763 return (0); 2764 } 2765 if (action == SCTP_STREAM_RESET_PERFORMED) { 2766 resp = (struct sctp_stream_reset_response_tsn *)respin; 2767 asoc->stream_reset_outstanding--; 2768 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2769 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2770 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2771 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2772 if (abort_flag) { 2773 return (1); 2774 } 2775 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2776 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2777 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2778 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2779 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2780 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2781 2782 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2783 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2784 2785 } 2786 } 2787 /* get rid of the request and get the request flags */ 2788 if (asoc->stream_reset_outstanding == 0) { 2789 sctp_clean_up_stream_reset(stcb); 2790 } 2791 } 2792 } 2793 return (0); 2794} 2795 2796static void 2797sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2798 struct sctp_tmit_chunk *chk, 2799 struct sctp_stream_reset_in_request *req) 2800{ 2801 uint32_t seq; 2802 int len, i; 2803 int number_entries; 2804 uint16_t temp; 2805 2806 /* 2807 * peer wants me to send a str-reset to him for my outgoing seq's if 2808 * seq_in is right. 2809 */ 2810 struct sctp_association *asoc = &stcb->asoc; 2811 2812 seq = ntohl(req->request_seq); 2813 if (asoc->str_reset_seq_in == seq) { 2814 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2815 len = ntohs(req->ph.param_length); 2816 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2817 for (i = 0; i < number_entries; i++) { 2818 temp = ntohs(req->list_of_streams[i]); 2819 req->list_of_streams[i] = temp; 2820 } 2821 /* move the reset action back one */ 2822 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2823 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2824 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2825 asoc->str_reset_seq_out, 2826 seq, (asoc->sending_seq - 1)); 2827 asoc->stream_reset_out_is_outstanding = 1; 2828 asoc->str_reset = chk; 2829 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2830 stcb->asoc.stream_reset_outstanding++; 2831 } else { 2832 /* Can't do it, since we have sent one out */ 2833 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2834 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 2835 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2836 } 2837 asoc->str_reset_seq_in++; 2838 } else if (asoc->str_reset_seq_in - 1 == seq) { 2839 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2840 } else if (asoc->str_reset_seq_in - 2 == seq) { 2841 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2842 } else { 2843 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2844 } 2845} 2846 2847static int 2848sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 2849 struct sctp_tmit_chunk *chk, 2850 struct sctp_stream_reset_tsn_request *req) 2851{ 2852 /* reset all in and out and update the tsn */ 2853 /* 2854 * A) reset my str-seq's on in and out. B) Select a receive next, 2855 * and set cum-ack to it. Also process this selected number as a 2856 * fwd-tsn as well. C) set in the response my next sending seq. 2857 */ 2858 struct sctp_forward_tsn_chunk fwdtsn; 2859 struct sctp_association *asoc = &stcb->asoc; 2860 int abort_flag = 0; 2861 uint32_t seq; 2862 2863 seq = ntohl(req->request_seq); 2864 if (asoc->str_reset_seq_in == seq) { 2865 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2866 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2867 fwdtsn.ch.chunk_flags = 0; 2868 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 2869 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2870 if (abort_flag) { 2871 return (1); 2872 } 2873 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 2874 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2875 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 2876 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2877 atomic_add_int(&stcb->asoc.sending_seq, 1); 2878 /* save off historical data for retrans */ 2879 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 2880 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 2881 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 2882 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 2883 2884 sctp_add_stream_reset_result_tsn(chk, 2885 ntohl(req->request_seq), 2886 SCTP_STREAM_RESET_PERFORMED, 2887 stcb->asoc.sending_seq, 2888 stcb->asoc.mapping_array_base_tsn); 2889 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2890 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2891 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 2892 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2893 2894 asoc->str_reset_seq_in++; 2895 } else if (asoc->str_reset_seq_in - 1 == seq) { 2896 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 2897 stcb->asoc.last_sending_seq[0], 2898 stcb->asoc.last_base_tsnsent[0] 2899 ); 2900 } else if (asoc->str_reset_seq_in - 2 == seq) { 2901 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 2902 stcb->asoc.last_sending_seq[1], 2903 stcb->asoc.last_base_tsnsent[1] 2904 ); 2905 } else { 2906 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2907 } 2908 return (0); 2909} 2910 2911static void 2912sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 2913 struct sctp_tmit_chunk *chk, 2914 struct sctp_stream_reset_out_request *req) 2915{ 2916 uint32_t seq, tsn; 2917 int number_entries, len; 2918 struct sctp_association *asoc = &stcb->asoc; 2919 2920 seq = ntohl(req->request_seq); 2921 2922 /* now if its not a duplicate we process it */ 2923 if (asoc->str_reset_seq_in == seq) { 2924 len = ntohs(req->ph.param_length); 2925 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 2926 /* 2927 * the sender is resetting, handle the list issue.. we must 2928 * a) verify if we can do the reset, if so no problem b) If 2929 * we can't do the reset we must copy the request. c) queue 2930 * it, and setup the data in processor to trigger it off 2931 * when needed and dequeue all the queued data. 2932 */ 2933 tsn = ntohl(req->send_reset_at_tsn); 2934 2935 /* move the reset action back one */ 2936 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2937 if ((tsn == asoc->cumulative_tsn) || 2938 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 2939 /* we can do it now */ 2940 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 2941 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 2942 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2943 } else { 2944 /* 2945 * we must queue it up and thus wait for the TSN's 2946 * to arrive that are at or before tsn 2947 */ 2948 struct sctp_stream_reset_list *liste; 2949 int siz; 2950 2951 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 2952 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 2953 siz, "StrRstList"); 2954 if (liste == NULL) { 2955 /* gak out of memory */ 2956 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 2957 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 2958 return; 2959 } 2960 liste->tsn = tsn; 2961 liste->number_entries = number_entries; 2962 memcpy(&liste->req, req, 2963 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 2964 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 2965 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 2966 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2967 } 2968 asoc->str_reset_seq_in++; 2969 } else if ((asoc->str_reset_seq_in - 1) == seq) { 2970 /* 2971 * one seq back, just echo back last action since my 2972 * response was lost. 2973 */ 2974 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2975 } else if ((asoc->str_reset_seq_in - 2) == seq) { 2976 /* 2977 * two seq back, just echo back last action since my 2978 * response was lost. 2979 */ 2980 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2981 } else { 2982 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2983 } 2984} 2985 2986static int 2987sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 2988{ 2989 int chk_length, param_len, ptype; 2990 uint32_t seq; 2991 int num_req = 0; 2992 struct sctp_tmit_chunk *chk; 2993 struct sctp_chunkhdr *ch; 2994 struct sctp_paramhdr *ph; 2995 2996 /* now it may be a reset or a reset-response */ 2997 chk_length = ntohs(sr_req->ch.chunk_length); 2998 int ret_code = 0; 2999 int num_param = 0; 3000 3001 /* setup for adding the response */ 3002 sctp_alloc_a_chunk(stcb, chk); 3003 if (chk == NULL) { 3004 return (ret_code); 3005 } 3006 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3007 chk->asoc = &stcb->asoc; 3008 chk->no_fr_allowed = 0; 3009 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3010 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_DONTWAIT, 1, MT_DATA); 3011 if (chk->data == NULL) { 3012strres_nochunk: 3013 if (chk->data) { 3014 sctp_m_freem(chk->data); 3015 chk->data = NULL; 3016 } 3017 sctp_free_a_chunk(stcb, chk); 3018 return (ret_code); 3019 } 3020 chk->data->m_data += SCTP_MIN_OVERHEAD; 3021 3022 /* setup chunk parameters */ 3023 chk->sent = SCTP_DATAGRAM_UNSENT; 3024 chk->snd_count = 0; 3025 chk->whoTo = stcb->asoc.primary_destination; 3026 atomic_add_int(&chk->whoTo->ref_count, 1); 3027 3028 ch = mtod(chk->data, struct sctp_chunkhdr *); 3029 ch->chunk_type = SCTP_STREAM_RESET; 3030 ch->chunk_flags = 0; 3031 ch->chunk_length = htons(chk->send_size); 3032 chk->data->m_pkthdr.len = chk->data->m_len = SCTP_SIZE32(chk->send_size); 3033 3034 3035 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3036 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3037 param_len = ntohs(ph->param_length); 3038 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3039 /* bad param */ 3040 break; 3041 } 3042 ptype = ntohs(ph->param_type); 3043 num_param++; 3044 if (num_param > SCTP_MAX_RESET_PARAMS) { 3045 /* hit the max of parameters already sorry.. */ 3046 break; 3047 } 3048 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3049 struct sctp_stream_reset_out_request *req_out; 3050 3051 req_out = (struct sctp_stream_reset_out_request *)ph; 3052 num_req++; 3053 if (stcb->asoc.stream_reset_outstanding) { 3054 seq = ntohl(req_out->response_seq); 3055 if (seq == stcb->asoc.str_reset_seq_out) { 3056 /* implicit ack */ 3057 sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3058 } 3059 } 3060 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3061 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3062 struct sctp_stream_reset_in_request *req_in; 3063 3064 num_req++; 3065 req_in = (struct sctp_stream_reset_in_request *)ph; 3066 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3067 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3068 struct sctp_stream_reset_tsn_request *req_tsn; 3069 3070 num_req++; 3071 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3072 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3073 ret_code = 1; 3074 goto strres_nochunk; 3075 } 3076 /* no more */ 3077 break; 3078 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3079 struct sctp_stream_reset_response *resp; 3080 uint32_t result; 3081 3082 resp = (struct sctp_stream_reset_response *)ph; 3083 seq = ntohl(resp->response_seq); 3084 result = ntohl(resp->result); 3085 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3086 ret_code = 1; 3087 goto strres_nochunk; 3088 } 3089 } else { 3090 break; 3091 } 3092 3093 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3094 chk_length -= SCTP_SIZE32(param_len); 3095 } 3096 if (num_req == 0) { 3097 /* we have no response free the stuff */ 3098 goto strres_nochunk; 3099 } 3100 /* ok we have a chunk to link in */ 3101 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3102 chk, 3103 sctp_next); 3104 stcb->asoc.ctrl_queue_cnt++; 3105 return (ret_code); 3106} 3107 3108/* 3109 * Handle a router or endpoints report of a packet loss, there are two ways 3110 * to handle this, either we get the whole packet and must disect it 3111 * ourselves (possibly with truncation and or corruption) or it is a summary 3112 * from a middle box that did the disectting for us. 3113 */ 3114static void 3115sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3116 struct sctp_tcb *stcb, struct sctp_nets *net) 3117{ 3118 uint32_t bottle_bw, on_queue; 3119 uint16_t trunc_len; 3120 unsigned int chlen; 3121 unsigned int at; 3122 struct sctp_chunk_desc desc; 3123 struct sctp_chunkhdr *ch; 3124 3125 chlen = ntohs(cp->ch.chunk_length); 3126 chlen -= sizeof(struct sctp_pktdrop_chunk); 3127 /* XXX possible chlen underflow */ 3128 if (chlen == 0) { 3129 ch = NULL; 3130 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3131 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3132 } else { 3133 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3134 chlen -= sizeof(struct sctphdr); 3135 /* XXX possible chlen underflow */ 3136 memset(&desc, 0, sizeof(desc)); 3137 } 3138 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3139 /* now the chunks themselves */ 3140 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3141 desc.chunk_type = ch->chunk_type; 3142 /* get amount we need to move */ 3143 at = ntohs(ch->chunk_length); 3144 if (at < sizeof(struct sctp_chunkhdr)) { 3145 /* corrupt chunk, maybe at the end? */ 3146 SCTP_STAT_INCR(sctps_pdrpcrupt); 3147 break; 3148 } 3149 if (trunc_len == 0) { 3150 /* we are supposed to have all of it */ 3151 if (at > chlen) { 3152 /* corrupt skip it */ 3153 SCTP_STAT_INCR(sctps_pdrpcrupt); 3154 break; 3155 } 3156 } else { 3157 /* is there enough of it left ? */ 3158 if (desc.chunk_type == SCTP_DATA) { 3159 if (chlen < (sizeof(struct sctp_data_chunk) + 3160 sizeof(desc.data_bytes))) { 3161 break; 3162 } 3163 } else { 3164 if (chlen < sizeof(struct sctp_chunkhdr)) { 3165 break; 3166 } 3167 } 3168 } 3169 if (desc.chunk_type == SCTP_DATA) { 3170 /* can we get out the tsn? */ 3171 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3172 SCTP_STAT_INCR(sctps_pdrpmbda); 3173 3174 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3175 /* yep */ 3176 struct sctp_data_chunk *dcp; 3177 uint8_t *ddp; 3178 unsigned int iii; 3179 3180 dcp = (struct sctp_data_chunk *)ch; 3181 ddp = (uint8_t *) (dcp + 1); 3182 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3183 desc.data_bytes[iii] = ddp[iii]; 3184 } 3185 desc.tsn_ifany = dcp->dp.tsn; 3186 } else { 3187 /* nope we are done. */ 3188 SCTP_STAT_INCR(sctps_pdrpnedat); 3189 break; 3190 } 3191 } else { 3192 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3193 SCTP_STAT_INCR(sctps_pdrpmbct); 3194 } 3195 3196 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3197 SCTP_STAT_INCR(sctps_pdrppdbrk); 3198 break; 3199 } 3200 if (SCTP_SIZE32(at) > chlen) { 3201 break; 3202 } 3203 chlen -= SCTP_SIZE32(at); 3204 if (chlen < sizeof(struct sctp_chunkhdr)) { 3205 /* done, none left */ 3206 break; 3207 } 3208 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3209 } 3210 /* Now update any rwnd --- possibly */ 3211 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3212 /* From a peer, we get a rwnd report */ 3213 uint32_t a_rwnd; 3214 3215 SCTP_STAT_INCR(sctps_pdrpfehos); 3216 3217 bottle_bw = ntohl(cp->bottle_bw); 3218 on_queue = ntohl(cp->current_onq); 3219 if (bottle_bw && on_queue) { 3220 /* a rwnd report is in here */ 3221 if (bottle_bw > on_queue) 3222 a_rwnd = bottle_bw - on_queue; 3223 else 3224 a_rwnd = 0; 3225 3226 if (a_rwnd == 0) 3227 stcb->asoc.peers_rwnd = 0; 3228 else { 3229 if (a_rwnd > stcb->asoc.total_flight) { 3230 stcb->asoc.peers_rwnd = 3231 a_rwnd - stcb->asoc.total_flight; 3232 } else { 3233 stcb->asoc.peers_rwnd = 0; 3234 } 3235 if (stcb->asoc.peers_rwnd < 3236 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3237 /* SWS sender side engages */ 3238 stcb->asoc.peers_rwnd = 0; 3239 } 3240 } 3241 } 3242 } else { 3243 SCTP_STAT_INCR(sctps_pdrpfmbox); 3244 } 3245 3246 /* now middle boxes in sat networks get a cwnd bump */ 3247 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3248 (stcb->asoc.sat_t3_loss_recovery == 0) && 3249 (stcb->asoc.sat_network)) { 3250 /* 3251 * This is debateable but for sat networks it makes sense 3252 * Note if a T3 timer has went off, we will prohibit any 3253 * changes to cwnd until we exit the t3 loss recovery. 3254 */ 3255 uint32_t bw_avail; 3256 int rtt, incr; 3257 3258#ifdef SCTP_CWND_MONITOR 3259 int old_cwnd = net->cwnd; 3260 3261#endif 3262 /* need real RTT for this calc */ 3263 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3264 /* get bottle neck bw */ 3265 bottle_bw = ntohl(cp->bottle_bw); 3266 /* and whats on queue */ 3267 on_queue = ntohl(cp->current_onq); 3268 /* 3269 * adjust the on-queue if our flight is more it could be 3270 * that the router has not yet gotten data "in-flight" to it 3271 */ 3272 if (on_queue < net->flight_size) 3273 on_queue = net->flight_size; 3274 3275 /* calculate the available space */ 3276 bw_avail = (bottle_bw * rtt) / 1000; 3277 if (bw_avail > bottle_bw) { 3278 /* 3279 * Cap the growth to no more than the bottle neck. 3280 * This can happen as RTT slides up due to queues. 3281 * It also means if you have more than a 1 second 3282 * RTT with a empty queue you will be limited to the 3283 * bottle_bw per second no matter if other points 3284 * have 1/2 the RTT and you could get more out... 3285 */ 3286 bw_avail = bottle_bw; 3287 } 3288 if (on_queue > bw_avail) { 3289 /* 3290 * No room for anything else don't allow anything 3291 * else to be "added to the fire". 3292 */ 3293 int seg_inflight, seg_onqueue, my_portion; 3294 3295 net->partial_bytes_acked = 0; 3296 3297 /* how much are we over queue size? */ 3298 incr = on_queue - bw_avail; 3299 if (stcb->asoc.seen_a_sack_this_pkt) { 3300 /* 3301 * undo any cwnd adjustment that the sack 3302 * might have made 3303 */ 3304 net->cwnd = net->prev_cwnd; 3305 } 3306 /* Now how much of that is mine? */ 3307 seg_inflight = net->flight_size / net->mtu; 3308 seg_onqueue = on_queue / net->mtu; 3309 my_portion = (incr * seg_inflight) / seg_onqueue; 3310 3311 /* Have I made an adjustment already */ 3312 if (net->cwnd > net->flight_size) { 3313 /* 3314 * for this flight I made an adjustment we 3315 * need to decrease the portion by a share 3316 * our previous adjustment. 3317 */ 3318 int diff_adj; 3319 3320 diff_adj = net->cwnd - net->flight_size; 3321 if (diff_adj > my_portion) 3322 my_portion = 0; 3323 else 3324 my_portion -= diff_adj; 3325 } 3326 /* 3327 * back down to the previous cwnd (assume we have 3328 * had a sack before this packet). minus what ever 3329 * portion of the overage is my fault. 3330 */ 3331 net->cwnd -= my_portion; 3332 3333 /* we will NOT back down more than 1 MTU */ 3334 if (net->cwnd <= net->mtu) { 3335 net->cwnd = net->mtu; 3336 } 3337 /* force into CA */ 3338 net->ssthresh = net->cwnd - 1; 3339 } else { 3340 /* 3341 * Take 1/4 of the space left or max burst up .. 3342 * whichever is less. 3343 */ 3344 incr = min((bw_avail - on_queue) >> 2, 3345 (int)stcb->asoc.max_burst * (int)net->mtu); 3346 net->cwnd += incr; 3347 } 3348 if (net->cwnd > bw_avail) { 3349 /* We can't exceed the pipe size */ 3350 net->cwnd = bw_avail; 3351 } 3352 if (net->cwnd < net->mtu) { 3353 /* We always have 1 MTU */ 3354 net->cwnd = net->mtu; 3355 } 3356#ifdef SCTP_CWND_MONITOR 3357 if (net->cwnd - old_cwnd != 0) { 3358 /* log only changes */ 3359 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3360 SCTP_CWND_LOG_FROM_SAT); 3361 } 3362#endif 3363 } 3364} 3365 3366extern int sctp_strict_init; 3367extern int sctp_abort_if_one_2_one_hits_limit; 3368 3369/* 3370 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3371 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3372 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3373 * length of the complete packet outputs: - length: modified to remaining 3374 * length after control processing - netp: modified to new sctp_nets after 3375 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3376 * bad packet,...) otherwise return the tcb for this packet 3377 */ 3378static struct sctp_tcb * 3379sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3380 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3381 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3382{ 3383 struct sctp_association *asoc; 3384 uint32_t vtag_in; 3385 int num_chunks = 0; /* number of control chunks processed */ 3386 int chk_length; 3387 int ret; 3388 3389 /* 3390 * How big should this be, and should it be alloc'd? Lets try the 3391 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3392 * until we get into jumbo grams and such.. 3393 */ 3394 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 3395 struct sctp_tcb *locked_tcb = stcb; 3396 int got_auth = 0; 3397 uint32_t auth_offset = 0, auth_len = 0; 3398 int auth_skipped = 0; 3399 3400#ifdef SCTP_DEBUG 3401 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3402 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3403 iphlen, *offset, length, stcb); 3404 } 3405#endif /* SCTP_DEBUG */ 3406 3407 /* validate chunk header length... */ 3408 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3409 return (NULL); 3410 } 3411 /* 3412 * validate the verification tag 3413 */ 3414 vtag_in = ntohl(sh->v_tag); 3415 3416 if (ch->chunk_type == SCTP_INITIATION) { 3417 if (vtag_in != 0) { 3418 /* protocol error- silently discard... */ 3419 SCTP_STAT_INCR(sctps_badvtag); 3420 if (locked_tcb) 3421 SCTP_TCB_UNLOCK(locked_tcb); 3422 return (NULL); 3423 } 3424 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3425 /* 3426 * If there is no stcb, skip the AUTH chunk and process 3427 * later after a stcb is found (to validate the lookup was 3428 * valid. 3429 */ 3430 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3431 (stcb == NULL) && !sctp_auth_disable) { 3432 /* save this chunk for later processing */ 3433 auth_skipped = 1; 3434 auth_offset = *offset; 3435 auth_len = ntohs(ch->chunk_length); 3436 3437 /* (temporarily) move past this chunk */ 3438 *offset += SCTP_SIZE32(auth_len); 3439 if (*offset >= length) { 3440 /* no more data left in the mbuf chain */ 3441 *offset = length; 3442 return (NULL); 3443 } 3444 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3445 sizeof(struct sctp_chunkhdr), chunk_buf); 3446 } 3447 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3448 goto process_control_chunks; 3449 } 3450 /* 3451 * first check if it's an ASCONF with an unknown src addr we 3452 * need to look inside to find the association 3453 */ 3454 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3455 /* inp's refcount may be reduced */ 3456 SCTP_INP_INCR_REF(inp); 3457 3458 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3459 *offset, sh, &inp, netp); 3460 if (stcb == NULL) { 3461 /* 3462 * reduce inp's refcount if not reduced in 3463 * sctp_findassociation_ep_asconf(). 3464 */ 3465 SCTP_INP_DECR_REF(inp); 3466 } 3467 /* now go back and verify any auth chunk to be sure */ 3468 if (auth_skipped && (stcb != NULL)) { 3469 struct sctp_auth_chunk *auth; 3470 3471 auth = (struct sctp_auth_chunk *) 3472 sctp_m_getptr(m, auth_offset, 3473 auth_len, chunk_buf); 3474 got_auth = 1; 3475 auth_skipped = 0; 3476 if (sctp_handle_auth(stcb, auth, m, 3477 auth_offset)) { 3478 /* auth HMAC failed so dump it */ 3479 *offset = length; 3480 return (NULL); 3481 } else { 3482 /* remaining chunks are HMAC checked */ 3483 stcb->asoc.authenticated = 1; 3484 } 3485 } 3486 } 3487 if (stcb == NULL) { 3488 /* no association, so it's out of the blue... */ 3489 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3490 *offset = length; 3491 if (locked_tcb) 3492 SCTP_TCB_UNLOCK(locked_tcb); 3493 return (NULL); 3494 } 3495 asoc = &stcb->asoc; 3496 /* ABORT and SHUTDOWN can use either v_tag... */ 3497 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3498 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3499 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3500 if ((vtag_in == asoc->my_vtag) || 3501 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3502 (vtag_in == asoc->peer_vtag))) { 3503 /* this is valid */ 3504 } else { 3505 /* drop this packet... */ 3506 SCTP_STAT_INCR(sctps_badvtag); 3507 if (locked_tcb) 3508 SCTP_TCB_UNLOCK(locked_tcb); 3509 return (NULL); 3510 } 3511 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3512 if (vtag_in != asoc->my_vtag) { 3513 /* 3514 * this could be a stale SHUTDOWN-ACK or the 3515 * peer never got the SHUTDOWN-COMPLETE and 3516 * is still hung; we have started a new asoc 3517 * but it won't complete until the shutdown 3518 * is completed 3519 */ 3520 if (locked_tcb) 3521 SCTP_TCB_UNLOCK(locked_tcb); 3522 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3523 NULL); 3524 return (NULL); 3525 } 3526 } else { 3527 /* for all other chunks, vtag must match */ 3528 if (vtag_in != asoc->my_vtag) { 3529 /* invalid vtag... */ 3530#ifdef SCTP_DEBUG 3531 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3532 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3533 } 3534#endif /* SCTP_DEBUG */ 3535 SCTP_STAT_INCR(sctps_badvtag); 3536 if (locked_tcb) 3537 SCTP_TCB_UNLOCK(locked_tcb); 3538 *offset = length; 3539 return (NULL); 3540 } 3541 } 3542 } /* end if !SCTP_COOKIE_ECHO */ 3543 /* 3544 * process all control chunks... 3545 */ 3546 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3547 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3548 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3549 /* implied cookie-ack.. we must have lost the ack */ 3550 stcb->asoc.overall_error_count = 0; 3551 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3552 *netp); 3553 } 3554process_control_chunks: 3555 3556 while (IS_SCTP_CONTROL(ch)) { 3557 /* validate chunk length */ 3558 chk_length = ntohs(ch->chunk_length); 3559#ifdef SCTP_DEBUG 3560 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3561 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", 3562 ch->chunk_type, chk_length); 3563 } 3564#endif /* SCTP_DEBUG */ 3565 if ((size_t)chk_length < sizeof(*ch) || 3566 (*offset + chk_length) > length) { 3567 *offset = length; 3568 if (locked_tcb) 3569 SCTP_TCB_UNLOCK(locked_tcb); 3570 return (NULL); 3571 } 3572 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3573 /* 3574 * INIT-ACK only gets the init ack "header" portion only 3575 * because we don't have to process the peer's COOKIE. All 3576 * others get a complete chunk. 3577 */ 3578 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3579 /* get an init-ack chunk */ 3580 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3581 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3582 if (ch == NULL) { 3583 *offset = length; 3584 if (locked_tcb) 3585 SCTP_TCB_UNLOCK(locked_tcb); 3586 return (NULL); 3587 } 3588 } else { 3589 /* get a complete chunk... */ 3590 if ((size_t)chk_length > sizeof(chunk_buf)) { 3591 struct mbuf *oper; 3592 struct sctp_paramhdr *phdr; 3593 3594 oper = NULL; 3595 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3596 1, M_DONTWAIT, 1, MT_DATA); 3597 if (oper) { 3598 /* pre-reserve some space */ 3599 oper->m_data += sizeof(struct sctp_chunkhdr); 3600 oper->m_len = sizeof(struct sctp_paramhdr); 3601 oper->m_pkthdr.len = oper->m_len; 3602 phdr = mtod(oper, struct sctp_paramhdr *); 3603 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); 3604 phdr->param_length = htons(sizeof(struct sctp_paramhdr)); 3605 sctp_queue_op_err(stcb, oper); 3606 } 3607 if (locked_tcb) 3608 SCTP_TCB_UNLOCK(locked_tcb); 3609 return (NULL); 3610 } 3611 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3612 chk_length, chunk_buf); 3613 if (ch == NULL) { 3614 printf("sctp_process_control: Can't get the all data....\n"); 3615 *offset = length; 3616 if (locked_tcb) 3617 SCTP_TCB_UNLOCK(locked_tcb); 3618 return (NULL); 3619 } 3620 } 3621 num_chunks++; 3622 /* Save off the last place we got a control from */ 3623 if (stcb != NULL) { 3624 if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) { 3625 /* 3626 * allow last_control to be NULL if 3627 * ASCONF... ASCONF processing will find the 3628 * right net later 3629 */ 3630 stcb->asoc.last_control_chunk_from = *netp; 3631 } 3632 } 3633#ifdef SCTP_AUDITING_ENABLED 3634 sctp_audit_log(0xB0, ch->chunk_type); 3635#endif 3636 3637 /* check to see if this chunk required auth, but isn't */ 3638 if ((stcb != NULL) && !sctp_auth_disable && 3639 sctp_auth_is_required_chunk(ch->chunk_type, 3640 stcb->asoc.local_auth_chunks) && 3641 !stcb->asoc.authenticated) { 3642 /* "silently" ignore */ 3643 SCTP_STAT_INCR(sctps_recvauthmissing); 3644 goto next_chunk; 3645 } 3646 switch (ch->chunk_type) { 3647 case SCTP_INITIATION: 3648 /* must be first and only chunk */ 3649#ifdef SCTP_DEBUG 3650 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3651 printf("SCTP_INIT\n"); 3652 } 3653#endif /* SCTP_DEBUG */ 3654 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3655 /* We are not interested anymore? */ 3656 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3657 /* 3658 * collision case where we are 3659 * sending to them too 3660 */ 3661 ; 3662 } else { 3663 if (locked_tcb) 3664 SCTP_TCB_UNLOCK(locked_tcb); 3665 *offset = length; 3666 return (NULL); 3667 } 3668 } 3669 if ((num_chunks > 1) || 3670 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3671 *offset = length; 3672 if (locked_tcb) 3673 SCTP_TCB_UNLOCK(locked_tcb); 3674 return (NULL); 3675 } 3676 if ((stcb != NULL) && 3677 (SCTP_GET_STATE(&stcb->asoc) == 3678 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3679 sctp_send_shutdown_ack(stcb, 3680 stcb->asoc.primary_destination); 3681 *offset = length; 3682 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3683 if (locked_tcb) 3684 SCTP_TCB_UNLOCK(locked_tcb); 3685 return (NULL); 3686 } 3687 sctp_handle_init(m, iphlen, *offset, sh, 3688 (struct sctp_init_chunk *)ch, inp, stcb, *netp); 3689 *offset = length; 3690 if (locked_tcb) 3691 SCTP_TCB_UNLOCK(locked_tcb); 3692 return (NULL); 3693 break; 3694 case SCTP_INITIATION_ACK: 3695 /* must be first and only chunk */ 3696#ifdef SCTP_DEBUG 3697 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3698 printf("SCTP_INIT-ACK\n"); 3699 } 3700#endif /* SCTP_DEBUG */ 3701 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3702 /* We are not interested anymore */ 3703 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3704 ; 3705 } else { 3706 if (locked_tcb) 3707 SCTP_TCB_UNLOCK(locked_tcb); 3708 *offset = length; 3709 if (stcb) { 3710 sctp_free_assoc(inp, stcb, 0); 3711 } 3712 return (NULL); 3713 } 3714 } 3715 if ((num_chunks > 1) || 3716 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3717 *offset = length; 3718 if (locked_tcb) 3719 SCTP_TCB_UNLOCK(locked_tcb); 3720 return (NULL); 3721 } 3722 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3723 (struct sctp_init_ack_chunk *)ch, stcb, *netp); 3724 /* 3725 * Special case, I must call the output routine to 3726 * get the cookie echoed 3727 */ 3728 if ((stcb) && ret == 0) 3729 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3730 *offset = length; 3731 if (locked_tcb) 3732 SCTP_TCB_UNLOCK(locked_tcb); 3733 return (NULL); 3734 break; 3735 case SCTP_SELECTIVE_ACK: 3736#ifdef SCTP_DEBUG 3737 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3738 printf("SCTP_SACK\n"); 3739 } 3740#endif /* SCTP_DEBUG */ 3741 SCTP_STAT_INCR(sctps_recvsacks); 3742 { 3743 struct sctp_sack_chunk *sack; 3744 int abort_now = 0; 3745 uint32_t a_rwnd, cum_ack; 3746 uint16_t num_seg; 3747 int nonce_sum_flag; 3748 3749 sack = (struct sctp_sack_chunk *)ch; 3750 3751 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3752 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3753 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3754 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3755 stcb->asoc.seen_a_sack_this_pkt = 1; 3756 if ((stcb->asoc.pr_sctp_cnt == 0) && 3757 (num_seg == 0) && 3758 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3759 (cum_ack == stcb->asoc.last_acked_seq)) && 3760 (stcb->asoc.saw_sack_with_frags == 0) && 3761 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3762 ) { 3763 /* 3764 * We have a SIMPLE sack having no 3765 * prior segments and data on sent 3766 * queue to be acked.. Use the 3767 * faster path sack processing. We 3768 * also allow window update sacks 3769 * with no missing segments to go 3770 * this way too. 3771 */ 3772 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, &abort_now); 3773 } else { 3774 sctp_handle_sack(sack, stcb, *netp, &abort_now); 3775 } 3776 if (abort_now) { 3777 /* ABORT signal from sack processing */ 3778 *offset = length; 3779 return (NULL); 3780 } 3781 } 3782 break; 3783 case SCTP_HEARTBEAT_REQUEST: 3784#ifdef SCTP_DEBUG 3785 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3786 printf("SCTP_HEARTBEAT\n"); 3787 } 3788#endif /* SCTP_DEBUG */ 3789 SCTP_STAT_INCR(sctps_recvheartbeat); 3790 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3791 *netp); 3792 3793 /* He's alive so give him credit */ 3794 stcb->asoc.overall_error_count = 0; 3795 break; 3796 case SCTP_HEARTBEAT_ACK: 3797#ifdef SCTP_DEBUG 3798 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3799 printf("SCTP_HEARTBEAT-ACK\n"); 3800 } 3801#endif /* SCTP_DEBUG */ 3802 3803 /* He's alive so give him credit */ 3804 stcb->asoc.overall_error_count = 0; 3805 SCTP_STAT_INCR(sctps_recvheartbeatack); 3806 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3807 stcb, *netp); 3808 break; 3809 case SCTP_ABORT_ASSOCIATION: 3810#ifdef SCTP_DEBUG 3811 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3812 printf("SCTP_ABORT\n"); 3813 } 3814#endif /* SCTP_DEBUG */ 3815 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3816 stcb, *netp); 3817 *offset = length; 3818 return (NULL); 3819 break; 3820 case SCTP_SHUTDOWN: 3821#ifdef SCTP_DEBUG 3822 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3823 printf("SCTP_SHUTDOWN\n"); 3824 } 3825#endif /* SCTP_DEBUG */ 3826 { 3827 int abort_flag = 0; 3828 3829 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3830 stcb, *netp, &abort_flag); 3831 if (abort_flag) { 3832 *offset = length; 3833 return (NULL); 3834 } 3835 } 3836 break; 3837 case SCTP_SHUTDOWN_ACK: 3838#ifdef SCTP_DEBUG 3839 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3840 printf("SCTP_SHUTDOWN-ACK\n"); 3841 } 3842#endif /* SCTP_DEBUG */ 3843 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3844 *offset = length; 3845 return (NULL); 3846 break; 3847 case SCTP_OPERATION_ERROR: 3848#ifdef SCTP_DEBUG 3849 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3850 printf("SCTP_OP-ERR\n"); 3851 } 3852#endif /* SCTP_DEBUG */ 3853 if (sctp_handle_error(ch, stcb, *netp) < 0) { 3854 *offset = length; 3855 return (NULL); 3856 } 3857 break; 3858 case SCTP_COOKIE_ECHO: 3859#ifdef SCTP_DEBUG 3860 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3861 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3862 } 3863#endif /* SCTP_DEBUG */ 3864 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3865 ; 3866 } else { 3867 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) && 3868 (stcb == NULL)) { 3869 /* We are not interested anymore */ 3870 *offset = length; 3871 return (NULL); 3872 } 3873 } 3874 /* 3875 * First are we accepting? We do this again here 3876 * since it is possible that a previous endpoint WAS 3877 * listening responded to a INIT-ACK and then 3878 * closed. We opened and bound.. and are now no 3879 * longer listening. 3880 */ 3881 if (inp->sctp_socket->so_qlimit == 0) { 3882 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 3883 /* 3884 * special case, is this a retran'd 3885 * COOKIE-ECHO or a restarting assoc 3886 * that is a peeled off or 3887 * one-to-one style socket. 3888 */ 3889 goto process_cookie_anyway; 3890 } 3891 sctp_abort_association(inp, stcb, m, iphlen, sh, 3892 NULL); 3893 *offset = length; 3894 return (NULL); 3895 } else if (inp->sctp_socket->so_qlimit) { 3896 /* we are accepting so check limits like TCP */ 3897 if (inp->sctp_socket->so_qlen > 3898 inp->sctp_socket->so_qlimit) { 3899 /* no space */ 3900 struct mbuf *oper; 3901 struct sctp_paramhdr *phdr; 3902 3903 if (sctp_abort_if_one_2_one_hits_limit) { 3904 oper = NULL; 3905 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3906 1, M_DONTWAIT, 1, MT_DATA); 3907 if (oper) { 3908 oper->m_len = 3909 oper->m_pkthdr.len = 3910 sizeof(struct sctp_paramhdr); 3911 phdr = mtod(oper, 3912 struct sctp_paramhdr *); 3913 phdr->param_type = 3914 htons(SCTP_CAUSE_OUT_OF_RESC); 3915 phdr->param_length = 3916 htons(sizeof(struct sctp_paramhdr)); 3917 } 3918 sctp_abort_association(inp, stcb, m, 3919 iphlen, sh, oper); 3920 } 3921 *offset = length; 3922 return (NULL); 3923 } 3924 } 3925 process_cookie_anyway: 3926 { 3927 struct mbuf *ret_buf; 3928 3929 ret_buf = 3930 sctp_handle_cookie_echo(m, iphlen, 3931 *offset, sh, 3932 (struct sctp_cookie_echo_chunk *)ch, 3933 &inp, &stcb, netp, 3934 auth_skipped, 3935 auth_offset, 3936 auth_len); 3937 3938 if (ret_buf == NULL) { 3939 if (locked_tcb) { 3940 SCTP_TCB_UNLOCK(locked_tcb); 3941 } 3942#ifdef SCTP_DEBUG 3943 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3944 printf("GAK, null buffer\n"); 3945 } 3946#endif /* SCTP_DEBUG */ 3947 auth_skipped = 0; 3948 *offset = length; 3949 return (NULL); 3950 } 3951 /* if AUTH skipped, see if it verified... */ 3952 if (auth_skipped) { 3953 got_auth = 1; 3954 auth_skipped = 0; 3955 } 3956 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 3957 /* 3958 * Restart the timer if we have 3959 * pending data 3960 */ 3961 struct sctp_tmit_chunk *chk; 3962 3963 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 3964 if (chk) { 3965 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 3966 stcb->sctp_ep, stcb, 3967 chk->whoTo); 3968 } 3969 } 3970 } 3971 break; 3972 case SCTP_COOKIE_ACK: 3973#ifdef SCTP_DEBUG 3974 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3975 printf("SCTP_COOKIE-ACK\n"); 3976 } 3977#endif /* SCTP_DEBUG */ 3978 3979 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3980 /* We are not interested anymore */ 3981 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3982 ; 3983 } else { 3984 sctp_free_assoc(inp, stcb, 0); 3985 *offset = length; 3986 return (NULL); 3987 } 3988 } 3989 /* He's alive so give him credit */ 3990 stcb->asoc.overall_error_count = 0; 3991 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 3992 break; 3993 case SCTP_ECN_ECHO: 3994#ifdef SCTP_DEBUG 3995 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3996 printf("SCTP_ECN-ECHO\n"); 3997 } 3998#endif /* SCTP_DEBUG */ 3999 /* He's alive so give him credit */ 4000 stcb->asoc.overall_error_count = 0; 4001 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4002 stcb); 4003 break; 4004 case SCTP_ECN_CWR: 4005#ifdef SCTP_DEBUG 4006 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4007 printf("SCTP_ECN-CWR\n"); 4008 } 4009#endif /* SCTP_DEBUG */ 4010 /* He's alive so give him credit */ 4011 stcb->asoc.overall_error_count = 0; 4012 4013 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4014 break; 4015 case SCTP_SHUTDOWN_COMPLETE: 4016#ifdef SCTP_DEBUG 4017 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4018 printf("SCTP_SHUTDOWN-COMPLETE\n"); 4019 } 4020#endif /* SCTP_DEBUG */ 4021 /* must be first and only chunk */ 4022 if ((num_chunks > 1) || 4023 (length - *offset > SCTP_SIZE32(chk_length))) { 4024 *offset = length; 4025 if (locked_tcb) 4026 SCTP_TCB_UNLOCK(locked_tcb); 4027 4028 return (NULL); 4029 } 4030 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4031 stcb, *netp); 4032 *offset = length; 4033 return (NULL); 4034 break; 4035 case SCTP_ASCONF: 4036#ifdef SCTP_DEBUG 4037 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4038 printf("SCTP_ASCONF\n"); 4039 } 4040#endif /* SCTP_DEBUG */ 4041 /* He's alive so give him credit */ 4042 stcb->asoc.overall_error_count = 0; 4043 4044 sctp_handle_asconf(m, *offset, 4045 (struct sctp_asconf_chunk *)ch, stcb); 4046 break; 4047 case SCTP_ASCONF_ACK: 4048#ifdef SCTP_DEBUG 4049 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4050 printf("SCTP_ASCONF-ACK\n"); 4051 } 4052#endif /* SCTP_DEBUG */ 4053 /* He's alive so give him credit */ 4054 stcb->asoc.overall_error_count = 0; 4055 4056 sctp_handle_asconf_ack(m, *offset, 4057 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4058 break; 4059 case SCTP_FORWARD_CUM_TSN: 4060#ifdef SCTP_DEBUG 4061 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4062 printf("SCTP_FWD-TSN\n"); 4063 } 4064#endif /* SCTP_DEBUG */ 4065 /* He's alive so give him credit */ 4066 { 4067 int abort_flag = 0; 4068 4069 stcb->asoc.overall_error_count = 0; 4070 *fwd_tsn_seen = 1; 4071 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4072 /* We are not interested anymore */ 4073 sctp_free_assoc(inp, stcb, 0); 4074 *offset = length; 4075 return (NULL); 4076 } 4077 sctp_handle_forward_tsn(stcb, 4078 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4079 if (abort_flag) { 4080 *offset = length; 4081 return (NULL); 4082 } else { 4083 stcb->asoc.overall_error_count = 0; 4084 } 4085 4086 } 4087 break; 4088 case SCTP_STREAM_RESET: 4089#ifdef SCTP_DEBUG 4090 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4091 printf("SCTP_STREAM_RESET\n"); 4092 } 4093#endif /* SCTP_DEBUG */ 4094 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4095 chk_length, chunk_buf); 4096 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4097 /* We are not interested anymore */ 4098 sctp_free_assoc(inp, stcb, 0); 4099 *offset = length; 4100 return (NULL); 4101 } 4102 if (stcb->asoc.peer_supports_strreset == 0) { 4103 /* 4104 * hmm, peer should have announced this, but 4105 * we will turn it on since he is sending us 4106 * a stream reset. 4107 */ 4108 stcb->asoc.peer_supports_strreset = 1; 4109 } 4110 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4111 /* stop processing */ 4112 *offset = length; 4113 return (NULL); 4114 } 4115 break; 4116 case SCTP_PACKET_DROPPED: 4117#ifdef SCTP_DEBUG 4118 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4119 printf("SCTP_PACKET_DROPPED\n"); 4120 } 4121#endif /* SCTP_DEBUG */ 4122 /* re-get it all please */ 4123 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4124 chk_length, chunk_buf); 4125 4126 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4127 stcb, *netp); 4128 4129 break; 4130 4131 case SCTP_AUTHENTICATION: 4132#ifdef SCTP_DEBUG 4133 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4134 printf("SCTP_AUTHENTICATION\n"); 4135 } 4136#endif /* SCTP_DEBUG */ 4137 if (sctp_auth_disable) 4138 goto unknown_chunk; 4139 4140 if (stcb == NULL) { 4141 /* save the first AUTH for later processing */ 4142 if (auth_skipped == 0) { 4143 auth_offset = *offset; 4144 auth_len = chk_length; 4145 auth_skipped = 1; 4146 } 4147 /* skip this chunk (temporarily) */ 4148 goto next_chunk; 4149 } 4150 if (got_auth == 1) { 4151 /* skip this chunk... it's already auth'd */ 4152 goto next_chunk; 4153 } 4154 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4155 chk_length, chunk_buf); 4156 got_auth = 1; 4157 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4158 m, *offset)) { 4159 /* auth HMAC failed so dump the packet */ 4160 *offset = length; 4161 return (stcb); 4162 } else { 4163 /* remaining chunks are HMAC checked */ 4164 stcb->asoc.authenticated = 1; 4165 } 4166 break; 4167 4168 default: 4169 unknown_chunk: 4170 /* it's an unknown chunk! */ 4171 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4172 struct mbuf *mm; 4173 struct sctp_paramhdr *phd; 4174 4175 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4176 1, M_DONTWAIT, 1, MT_DATA); 4177 if (mm) { 4178 phd = mtod(mm, struct sctp_paramhdr *); 4179 /* 4180 * We cheat and use param type since 4181 * we did not bother to define a 4182 * error cause struct. They are the 4183 * same basic format with different 4184 * names. 4185 */ 4186 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4187 phd->param_length = htons(chk_length + sizeof(*phd)); 4188 mm->m_len = sizeof(*phd); 4189 mm->m_next = sctp_m_copym(m, *offset, SCTP_SIZE32(chk_length), 4190 M_DONTWAIT); 4191 if (mm->m_next) { 4192 mm->m_pkthdr.len = SCTP_SIZE32(chk_length) + sizeof(*phd); 4193 sctp_queue_op_err(stcb, mm); 4194 } else { 4195 sctp_m_freem(mm); 4196 } 4197 } 4198 } 4199 if ((ch->chunk_type & 0x80) == 0) { 4200 /* discard this packet */ 4201 *offset = length; 4202 return (stcb); 4203 } /* else skip this bad chunk and continue... */ 4204 break; 4205 } /* switch (ch->chunk_type) */ 4206 4207 4208next_chunk: 4209 /* get the next chunk */ 4210 *offset += SCTP_SIZE32(chk_length); 4211 if (*offset >= length) { 4212 /* no more data left in the mbuf chain */ 4213 break; 4214 } 4215 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4216 sizeof(struct sctp_chunkhdr), chunk_buf); 4217 if (ch == NULL) { 4218 if (locked_tcb) 4219 SCTP_TCB_UNLOCK(locked_tcb); 4220 *offset = length; 4221 return (NULL); 4222 } 4223 } /* while */ 4224 return (stcb); 4225} 4226 4227 4228/* 4229 * Process the ECN bits we have something set so we must look to see if it is 4230 * ECN(0) or ECN(1) or CE 4231 */ 4232static __inline void 4233sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4234 uint8_t ecn_bits) 4235{ 4236 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4237 ; 4238 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4239 /* 4240 * we only add to the nonce sum for ECT1, ECT0 does not 4241 * change the NS bit (that we have yet to find a way to send 4242 * it yet). 4243 */ 4244 4245 /* ECN Nonce stuff */ 4246 stcb->asoc.receiver_nonce_sum++; 4247 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4248 4249 /* 4250 * Drag up the last_echo point if cumack is larger since we 4251 * don't want the point falling way behind by more than 4252 * 2^^31 and then having it be incorrect. 4253 */ 4254 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4255 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4256 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4257 } 4258 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4259 /* 4260 * Drag up the last_echo point if cumack is larger since we 4261 * don't want the point falling way behind by more than 4262 * 2^^31 and then having it be incorrect. 4263 */ 4264 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4265 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4266 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4267 } 4268 } 4269} 4270 4271static __inline void 4272sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4273 uint32_t high_tsn, uint8_t ecn_bits) 4274{ 4275 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4276 /* 4277 * we possibly must notify the sender that a congestion 4278 * window reduction is in order. We do this by adding a ECNE 4279 * chunk to the output chunk queue. The incoming CWR will 4280 * remove this chunk. 4281 */ 4282 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4283 MAX_TSN)) { 4284 /* Yep, we need to add a ECNE */ 4285 sctp_send_ecn_echo(stcb, net, high_tsn); 4286 stcb->asoc.last_echo_tsn = high_tsn; 4287 } 4288 } 4289} 4290 4291/* 4292 * common input chunk processing (v4 and v6) 4293 */ 4294int 4295sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4296 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4297 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4298 uint8_t ecn_bits) 4299{ 4300 /* 4301 * Control chunk processing 4302 */ 4303 uint32_t high_tsn; 4304 int fwd_tsn_seen = 0, data_processed = 0; 4305 struct mbuf *m = *mm; 4306 int abort_flag = 0; 4307 int un_sent; 4308 4309 SCTP_STAT_INCR(sctps_recvdatagrams); 4310#ifdef SCTP_AUDITING_ENABLED 4311 sctp_audit_log(0xE0, 1); 4312 sctp_auditing(0, inp, stcb, net); 4313#endif 4314 4315#ifdef SCTP_DEBUG 4316 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4317 printf("Ok, Common input processing called, m:%x iphlen:%d offset:%d\n", 4318 (uint32_t) m, iphlen, offset); 4319 } 4320#endif /* SCTP_DEBUG */ 4321 4322 if (stcb) { 4323 /* always clear this before beginning a packet */ 4324 stcb->asoc.authenticated = 0; 4325 stcb->asoc.seen_a_sack_this_pkt = 0; 4326 } 4327 if (IS_SCTP_CONTROL(ch)) { 4328 /* process the control portion of the SCTP packet */ 4329 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4330 inp, stcb, &net, &fwd_tsn_seen); 4331 if (stcb) { 4332 /* 4333 * This covers us if the cookie-echo was there and 4334 * it changes our INP. 4335 */ 4336 inp = stcb->sctp_ep; 4337 } 4338 } else { 4339 /* 4340 * no control chunks, so pre-process DATA chunks (these 4341 * checks are taken care of by control processing) 4342 */ 4343 4344 /* 4345 * if DATA only packet, and auth is required, then punt... 4346 * can't have authenticated without any AUTH (control) 4347 * chunks 4348 */ 4349 if ((stcb != NULL) && !sctp_auth_disable && 4350 sctp_auth_is_required_chunk(SCTP_DATA, 4351 stcb->asoc.local_auth_chunks)) { 4352 /* "silently" ignore */ 4353 SCTP_STAT_INCR(sctps_recvauthmissing); 4354 SCTP_TCB_UNLOCK(stcb); 4355 return (1); 4356 } 4357 if (stcb == NULL) { 4358 /* out of the blue DATA chunk */ 4359 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4360 return (1); 4361 } 4362 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4363 /* v_tag mismatch! */ 4364 SCTP_STAT_INCR(sctps_badvtag); 4365 SCTP_TCB_UNLOCK(stcb); 4366 return (1); 4367 } 4368 } 4369 4370 if (stcb == NULL) { 4371 /* 4372 * no valid TCB for this packet, or we found it's a bad 4373 * packet while processing control, or we're done with this 4374 * packet (done or skip rest of data), so we drop it... 4375 */ 4376 return (1); 4377 } 4378 /* 4379 * DATA chunk processing 4380 */ 4381 /* plow through the data chunks while length > offset */ 4382 4383 /* 4384 * Rest should be DATA only. Check authentication state if AUTH for 4385 * DATA is required. 4386 */ 4387 if ((stcb != NULL) && !sctp_auth_disable && 4388 sctp_auth_is_required_chunk(SCTP_DATA, 4389 stcb->asoc.local_auth_chunks) && 4390 !stcb->asoc.authenticated) { 4391 /* "silently" ignore */ 4392 SCTP_STAT_INCR(sctps_recvauthmissing); 4393#ifdef SCTP_DEBUG 4394 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 4395 printf("Data chunk requires AUTH, skipped\n"); 4396#endif 4397 SCTP_TCB_UNLOCK(stcb); 4398 return (1); 4399 } 4400 if (length > offset) { 4401 int retval; 4402 4403 /* 4404 * First check to make sure our state is correct. We would 4405 * not get here unless we really did have a tag, so we don't 4406 * abort if this happens, just dump the chunk silently. 4407 */ 4408 switch (SCTP_GET_STATE(&stcb->asoc)) { 4409 case SCTP_STATE_COOKIE_ECHOED: 4410 /* 4411 * we consider data with valid tags in this state 4412 * shows us the cookie-ack was lost. Imply it was 4413 * there. 4414 */ 4415 stcb->asoc.overall_error_count = 0; 4416 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4417 break; 4418 case SCTP_STATE_COOKIE_WAIT: 4419 /* 4420 * We consider OOTB any data sent during asoc setup. 4421 */ 4422 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4423 SCTP_TCB_UNLOCK(stcb); 4424 return (1); 4425 break; 4426 case SCTP_STATE_EMPTY: /* should not happen */ 4427 case SCTP_STATE_INUSE: /* should not happen */ 4428 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4429 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4430 default: 4431 SCTP_TCB_UNLOCK(stcb); 4432 return (1); 4433 break; 4434 case SCTP_STATE_OPEN: 4435 case SCTP_STATE_SHUTDOWN_SENT: 4436 break; 4437 } 4438 /* take care of ECN, part 1. */ 4439 if (stcb->asoc.ecn_allowed && 4440 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4441 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4442 } 4443 /* plow through the data chunks while length > offset */ 4444 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4445 inp, stcb, net, &high_tsn); 4446 if (retval == 2) { 4447 /* 4448 * The association aborted, NO UNLOCK needed since 4449 * the association is destroyed. 4450 */ 4451 return (0); 4452 } 4453 data_processed = 1; 4454 if (retval == 0) { 4455 /* take care of ecn part 2. */ 4456 if (stcb->asoc.ecn_allowed && 4457 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4458 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4459 ecn_bits); 4460 } 4461 } 4462 /* 4463 * Anything important needs to have been m_copy'ed in 4464 * process_data 4465 */ 4466 } 4467 if ((data_processed == 0) && (fwd_tsn_seen)) { 4468 int was_a_gap = 0; 4469 4470 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4471 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4472 /* there was a gap before this data was processed */ 4473 was_a_gap = 1; 4474 } 4475 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4476 if (abort_flag) { 4477 /* Again, we aborted so NO UNLOCK needed */ 4478 return (0); 4479 } 4480 } 4481 /* trigger send of any chunks in queue... */ 4482#ifdef SCTP_AUDITING_ENABLED 4483 sctp_audit_log(0xE0, 2); 4484 sctp_auditing(1, inp, stcb, net); 4485#endif 4486#ifdef SCTP_DEBUG 4487 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4488 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4489 stcb->asoc.peers_rwnd, 4490 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4491 stcb->asoc.total_flight); 4492 } 4493#endif 4494 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4495 4496 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4497 ((un_sent) && 4498 (stcb->asoc.peers_rwnd > 0 || 4499 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4500#ifdef SCTP_DEBUG 4501 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4502 printf("Calling chunk OUTPUT\n"); 4503 } 4504#endif 4505 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4506#ifdef SCTP_DEBUG 4507 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4508 printf("chunk OUTPUT returns\n"); 4509 } 4510#endif 4511 } 4512#ifdef SCTP_AUDITING_ENABLED 4513 sctp_audit_log(0xE0, 3); 4514 sctp_auditing(2, inp, stcb, net); 4515#endif 4516 SCTP_TCB_UNLOCK(stcb); 4517 return (0); 4518} 4519 4520extern int sctp_no_csum_on_loopback; 4521 4522 4523void 4524sctp_input(m, off) 4525 struct mbuf *m; 4526 int off; 4527 4528{ 4529#ifdef SCTP_MBUF_LOGGING 4530 struct mbuf *mat; 4531 4532#endif 4533 int iphlen; 4534 int s; 4535 uint8_t ecn_bits; 4536 struct ip *ip; 4537 struct sctphdr *sh; 4538 struct sctp_inpcb *inp = NULL; 4539 4540 uint32_t check, calc_check; 4541 struct sctp_nets *net; 4542 struct sctp_tcb *stcb = NULL; 4543 struct sctp_chunkhdr *ch; 4544 int refcount_up = 0; 4545 int length, mlen, offset; 4546 4547 4548 iphlen = off; 4549 net = NULL; 4550 SCTP_STAT_INCR(sctps_recvpackets); 4551 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4552 4553 /* 4554 * Strip IP options, we don't allow any in or out. 4555 */ 4556#ifdef SCTP_MBUF_LOGGING 4557 /* Log in any input mbufs */ 4558 mat = m; 4559 while (mat) { 4560 if (mat->m_flags & M_EXT) { 4561 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4562 } 4563 mat = mat->m_next; 4564 } 4565#endif 4566 if ((size_t)iphlen > sizeof(struct ip)) { 4567 ip_stripoptions(m, (struct mbuf *)0); 4568 iphlen = sizeof(struct ip); 4569 } 4570 /* 4571 * Get IP, SCTP, and first chunk header together in first mbuf. 4572 */ 4573 ip = mtod(m, struct ip *); 4574 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4575 if (m->m_len < offset) { 4576 if ((m = m_pullup(m, offset)) == 0) { 4577 SCTP_STAT_INCR(sctps_hdrops); 4578 return; 4579 } 4580 ip = mtod(m, struct ip *); 4581 } 4582 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4583 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4584 4585 /* SCTP does not allow broadcasts or multicasts */ 4586 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4587 goto bad; 4588 } 4589 if (((ch->chunk_type == SCTP_INITIATION) || 4590 (ch->chunk_type == SCTP_INITIATION_ACK) || 4591 (ch->chunk_type == SCTP_COOKIE_ECHO)) && 4592 (in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))) { 4593 /* 4594 * We only look at broadcast if its a front state, All 4595 * others we will not have a tcb for anyway. 4596 */ 4597 goto bad; 4598 } 4599 /* destination port of 0 is illegal, based on RFC2960. */ 4600 if (sh->dest_port == 0) { 4601 SCTP_STAT_INCR(sctps_hdrops); 4602 goto bad; 4603 } 4604 /* validate SCTP checksum */ 4605 if ((sctp_no_csum_on_loopback == 0) || 4606 (m->m_pkthdr.rcvif == NULL) || 4607 (m->m_pkthdr.rcvif->if_type != IFT_LOOP)) { 4608 /* 4609 * we do NOT validate things from the loopback if the sysctl 4610 * is set to 1. 4611 */ 4612 check = sh->checksum; /* save incoming checksum */ 4613 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4614 /* 4615 * special hook for where we got a local address 4616 * somehow routed across a non IFT_LOOP type 4617 * interface 4618 */ 4619 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4620 goto sctp_skip_csum_4; 4621 } 4622 sh->checksum = 0; /* prepare for calc */ 4623 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4624 if (calc_check != check) { 4625#ifdef SCTP_DEBUG 4626 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4627 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%x mlen:%d iphlen:%d\n", 4628 calc_check, check, (uint32_t) m, mlen, iphlen); 4629 } 4630#endif 4631 4632 stcb = sctp_findassociation_addr(m, iphlen, 4633 offset - sizeof(*ch), 4634 sh, ch, &inp, &net); 4635 if ((inp) && (stcb)) { 4636 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4637 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4638 } else if ((inp != NULL) && (stcb == NULL)) { 4639 refcount_up = 1; 4640 } 4641 SCTP_STAT_INCR(sctps_badsum); 4642 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4643 goto bad; 4644 } 4645 sh->checksum = calc_check; 4646 } else { 4647sctp_skip_csum_4: 4648 mlen = m->m_pkthdr.len; 4649 } 4650 /* validate mbuf chain length with IP payload length */ 4651 if (mlen < (ip->ip_len - iphlen)) { 4652 SCTP_STAT_INCR(sctps_hdrops); 4653 goto bad; 4654 } 4655 /* 4656 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4657 * IP/SCTP/first chunk header... 4658 */ 4659 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4660 sh, ch, &inp, &net); 4661 /* inp's ref-count increased && stcb locked */ 4662 if (inp == NULL) { 4663 struct sctp_init_chunk *init_chk, chunk_buf; 4664 4665 SCTP_STAT_INCR(sctps_noport); 4666#ifdef ICMP_BANDLIM 4667 /* 4668 * we use the bandwidth limiting to protect against sending 4669 * too many ABORTS all at once. In this case these count the 4670 * same as an ICMP message. 4671 */ 4672 if (badport_bandlim(0) < 0) 4673 goto bad; 4674#endif /* ICMP_BANDLIM */ 4675#ifdef SCTP_DEBUG 4676 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4677 printf("Sending a ABORT from packet entry!\n"); 4678 } 4679#endif 4680 if (ch->chunk_type == SCTP_INITIATION) { 4681 /* 4682 * we do a trick here to get the INIT tag, dig in 4683 * and get the tag from the INIT and put it in the 4684 * common header. 4685 */ 4686 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4687 iphlen + sizeof(*sh), sizeof(*init_chk), 4688 (uint8_t *) & chunk_buf); 4689 if (init_chk != NULL) 4690 sh->v_tag = init_chk->init.initiate_tag; 4691 } 4692 sctp_send_abort(m, iphlen, sh, 0, NULL); 4693 goto bad; 4694 } else if (stcb == NULL) { 4695 refcount_up = 1; 4696 } 4697#ifdef IPSEC 4698 /* 4699 * I very much doubt any of the IPSEC stuff will work but I have no 4700 * idea, so I will leave it in place. 4701 */ 4702 4703 if (ipsec4_in_reject_so(m, inp->ip_inp.inp.inp_socket)) { 4704 ipsecstat.in_polvio++; 4705 SCTP_STAT_INCR(sctps_hdrops); 4706 goto bad; 4707 } 4708#endif /* IPSEC */ 4709 4710 4711 4712 /* 4713 * common chunk processing 4714 */ 4715 length = ip->ip_len + iphlen; 4716 offset -= sizeof(struct sctp_chunkhdr); 4717 4718 ecn_bits = ip->ip_tos; 4719 s = splnet(); 4720 4721 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4722 inp, stcb, net, ecn_bits); 4723 /* inp's ref-count reduced && stcb unlocked */ 4724 splx(s); 4725 if (m) { 4726 sctp_m_freem(m); 4727 } 4728 if ((inp) && (refcount_up)) { 4729 /* reduce ref-count */ 4730 SCTP_INP_WLOCK(inp); 4731 SCTP_INP_DECR_REF(inp); 4732 SCTP_INP_WUNLOCK(inp); 4733 } 4734 return; 4735bad: 4736 if (stcb) 4737 SCTP_TCB_UNLOCK(stcb); 4738 4739 if ((inp) && (refcount_up)) { 4740 /* reduce ref-count */ 4741 SCTP_INP_WLOCK(inp); 4742 SCTP_INP_DECR_REF(inp); 4743 SCTP_INP_WUNLOCK(inp); 4744 } 4745 if (m) { 4746 sctp_m_freem(m); 4747 } 4748 return; 4749} 4750