sctp_input.c revision 166023
1/*- 2 * Copyright (c) 2001-2006, Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 166023 2007-01-15 15:12:10Z rrs $"); 35 36#include "opt_ipsec.h" 37#include "opt_compat.h" 38#include "opt_inet6.h" 39#include "opt_inet.h" 40#include "opt_sctp.h" 41 42#include <sys/param.h> 43#include <sys/systm.h> 44#include <sys/malloc.h> 45#include <sys/mbuf.h> 46#include <sys/socket.h> 47#include <sys/socketvar.h> 48#include <sys/sysctl.h> 49#include <sys/domain.h> 50#include <sys/protosw.h> 51#include <sys/kernel.h> 52#include <sys/errno.h> 53#include <sys/syslog.h> 54 55#include <sys/limits.h> 56#include <machine/cpu.h> 57 58#include <net/if.h> 59#include <net/route.h> 60#include <net/if_types.h> 61 62#include <netinet/in.h> 63#include <netinet/in_systm.h> 64#include <netinet/ip.h> 65#include <netinet/in_pcb.h> 66#include <netinet/in_var.h> 67#include <netinet/ip_var.h> 68 69#ifdef INET6 70#include <netinet/ip6.h> 71#include <netinet6/ip6_var.h> 72#endif /* INET6 */ 73 74#include <netinet/ip_icmp.h> 75#include <netinet/icmp_var.h> 76 77#include <netinet/sctp_os.h> 78#include <netinet/sctp_var.h> 79#include <netinet/sctp_pcb.h> 80#include <netinet/sctp_header.h> 81#include <netinet/sctputil.h> 82#include <netinet/sctp_output.h> 83#include <netinet/sctp_input.h> 84#include <netinet/sctp_auth.h> 85#include <netinet/sctp_indata.h> 86#include <netinet/sctp_asconf.h> 87 88#include <netinet/ip_options.h> 89 90 91#ifdef IPSEC 92#include <netinet6/ipsec.h> 93#include <netkey/key.h> 94#endif /* IPSEC */ 95 96 97#ifdef SCTP_DEBUG 98extern uint32_t sctp_debug_on; 99 100#endif 101 102 103 104 105struct sctp_foo_stuff sctp_logoff[30000]; 106int sctp_logoff_stuff = 0; 107 108 109static void 110sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 111{ 112 struct sctp_nets *net; 113 114 /* 115 * This now not only stops all cookie timers it also stops any INIT 116 * timers as well. This will make sure that the timers are stopped 117 * in all collision cases. 118 */ 119 SCTP_TCB_LOCK_ASSERT(stcb); 120 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 121 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 122 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 123 stcb->sctp_ep, 124 stcb, 125 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 126 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 127 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 128 stcb->sctp_ep, 129 stcb, 130 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 131 } 132 } 133} 134 135/* INIT handler */ 136static void 137sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 138 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 139 struct sctp_nets *net) 140{ 141 struct sctp_init *init; 142 struct mbuf *op_err; 143 uint32_t init_limit; 144 145#ifdef SCTP_DEBUG 146 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 147 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 148 } 149#endif 150 op_err = NULL; 151 init = &cp->init; 152 /* First are we accepting? */ 153 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 154#ifdef SCTP_DEBUG 155 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 156 printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit); 157 } 158#endif 159 /* 160 * FIX ME ?? What about TCP model and we have a 161 * match/restart case? 162 */ 163 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 164 return; 165 } 166 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 167 /* Invalid length */ 168 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 169 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 170 return; 171 } 172 /* validate parameters */ 173 if (init->initiate_tag == 0) { 174 /* protocol error... send abort */ 175 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 176 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 177 return; 178 } 179 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 180 /* invalid parameter... send abort */ 181 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 182 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 183 return; 184 } 185 if (init->num_inbound_streams == 0) { 186 /* protocol error... send abort */ 187 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 188 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 189 return; 190 } 191 if (init->num_outbound_streams == 0) { 192 /* protocol error... send abort */ 193 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 194 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 195 return; 196 } 197 init_limit = offset + ntohs(cp->ch.chunk_length); 198 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 199 init_limit)) { 200 /* auth parameter(s) error... send abort */ 201 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL); 202 return; 203 } 204 /* send an INIT-ACK w/cookie */ 205#ifdef SCTP_DEBUG 206 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 207 printf("sctp_handle_init: sending INIT-ACK\n"); 208 } 209#endif 210 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 211} 212 213/* 214 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 215 */ 216static int 217sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 218 struct sctp_nets *net) 219{ 220 struct sctp_init *init; 221 struct sctp_association *asoc; 222 struct sctp_nets *lnet; 223 unsigned int i; 224 225 init = &cp->init; 226 asoc = &stcb->asoc; 227 /* save off parameters */ 228 asoc->peer_vtag = ntohl(init->initiate_tag); 229 asoc->peers_rwnd = ntohl(init->a_rwnd); 230 if (TAILQ_FIRST(&asoc->nets)) { 231 /* update any ssthresh's that may have a default */ 232 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 233 lnet->ssthresh = asoc->peers_rwnd; 234 235#if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 236 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 237#endif 238 239 } 240 } 241 SCTP_TCB_SEND_LOCK(stcb); 242 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 243 unsigned int newcnt; 244 struct sctp_stream_out *outs; 245 struct sctp_stream_queue_pending *sp; 246 247 /* cut back on number of streams */ 248 newcnt = ntohs(init->num_inbound_streams); 249 /* This if is probably not needed but I am cautious */ 250 if (asoc->strmout) { 251 /* First make sure no data chunks are trapped */ 252 for (i = newcnt; i < asoc->pre_open_streams; i++) { 253 outs = &asoc->strmout[i]; 254 sp = TAILQ_FIRST(&outs->outqueue); 255 while (sp) { 256 TAILQ_REMOVE(&outs->outqueue, sp, 257 next); 258 asoc->stream_queue_cnt--; 259 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 260 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 261 sp); 262 if (sp->data) { 263 sctp_m_freem(sp->data); 264 sp->data = NULL; 265 } 266 sctp_free_remote_addr(sp->net); 267 sp->net = NULL; 268 /* Free the chunk */ 269 printf("sp:%p tcb:%p weird free case\n", 270 sp, stcb); 271 272 sctp_free_a_strmoq(stcb, sp); 273 sp = TAILQ_FIRST(&outs->outqueue); 274 } 275 } 276 } 277 /* cut back the count and abandon the upper streams */ 278 asoc->pre_open_streams = newcnt; 279 } 280 SCTP_TCB_SEND_UNLOCK(stcb); 281 asoc->streamoutcnt = asoc->pre_open_streams; 282 /* init tsn's */ 283 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 284#ifdef SCTP_MAP_LOGGING 285 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 286#endif 287 /* This is the next one we expect */ 288 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 289 290 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 291 asoc->cumulative_tsn = asoc->asconf_seq_in; 292 asoc->last_echo_tsn = asoc->asconf_seq_in; 293 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 294 /* open the requested streams */ 295 if (asoc->strmin != NULL) { 296 /* Free the old ones */ 297 struct sctp_queued_to_read *ctl; 298 299 for (i = 0; i < asoc->streamincnt; i++) { 300 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 301 while (ctl) { 302 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 303 sctp_free_remote_addr(ctl->whoFrom); 304 sctp_m_freem(ctl->data); 305 ctl->data = NULL; 306 sctp_free_a_readq(stcb, ctl); 307 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 308 } 309 } 310 SCTP_FREE(asoc->strmin); 311 } 312 asoc->streamincnt = ntohs(init->num_outbound_streams); 313 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 314 asoc->streamincnt = MAX_SCTP_STREAMS; 315 } 316 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 317 sizeof(struct sctp_stream_in), "StreamsIn"); 318 if (asoc->strmin == NULL) { 319 /* we didn't get memory for the streams! */ 320#ifdef SCTP_DEBUG 321 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 322 printf("process_init: couldn't get memory for the streams!\n"); 323 } 324#endif 325 return (-1); 326 } 327 for (i = 0; i < asoc->streamincnt; i++) { 328 asoc->strmin[i].stream_no = i; 329 asoc->strmin[i].last_sequence_delivered = 0xffff; 330 /* 331 * U-stream ranges will be set when the cookie is unpacked. 332 * Or for the INIT sender they are un set (if pr-sctp not 333 * supported) when the INIT-ACK arrives. 334 */ 335 TAILQ_INIT(&asoc->strmin[i].inqueue); 336 /* 337 * we are not on any wheel, pr-sctp streams will go on the 338 * wheel when they have data waiting for reorder. 339 */ 340 asoc->strmin[i].next_spoke.tqe_next = 0; 341 asoc->strmin[i].next_spoke.tqe_prev = 0; 342 } 343 344 /* 345 * load_address_from_init will put the addresses into the 346 * association when the COOKIE is processed or the INIT-ACK is 347 * processed. Both types of COOKIE's existing and new call this 348 * routine. It will remove addresses that are no longer in the 349 * association (for the restarting case where addresses are 350 * removed). Up front when the INIT arrives we will discard it if it 351 * is a restart and new addresses have been added. 352 */ 353 return (0); 354} 355 356/* 357 * INIT-ACK message processing/consumption returns value < 0 on error 358 */ 359static int 360sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 361 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 362 struct sctp_nets *net) 363{ 364 struct sctp_association *asoc; 365 struct mbuf *op_err; 366 int retval, abort_flag; 367 uint32_t initack_limit; 368 369 /* First verify that we have no illegal param's */ 370 abort_flag = 0; 371 op_err = NULL; 372 373 op_err = sctp_arethere_unrecognized_parameters(m, 374 (offset + sizeof(struct sctp_init_chunk)), 375 &abort_flag, (struct sctp_chunkhdr *)cp); 376 if (abort_flag) { 377 /* Send an abort and notify peer */ 378 if (op_err != NULL) { 379 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 380 } else { 381 /* 382 * Just notify (abort_assoc does this if we send an 383 * abort). 384 */ 385 sctp_abort_notification(stcb, 0); 386 /* 387 * No sense in further INIT's since we will get the 388 * same param back 389 */ 390 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3); 391 } 392 return (-1); 393 } 394 asoc = &stcb->asoc; 395 /* process the peer's parameters in the INIT-ACK */ 396 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 397 if (retval < 0) { 398 return (retval); 399 } 400 initack_limit = offset + ntohs(cp->ch.chunk_length); 401 /* load all addresses */ 402 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 403 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 404 NULL))) { 405 /* Huh, we should abort */ 406#ifdef SCTP_DEBUG 407 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 408 printf("Load addresses from INIT causes an abort %d\n", retval); 409 } 410#endif 411 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 412 NULL); 413 return (-1); 414 } 415 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 416 stcb->asoc.local_hmacs); 417 if (op_err) { 418 sctp_queue_op_err(stcb, op_err); 419 /* queuing will steal away the mbuf chain to the out queue */ 420 op_err = NULL; 421 } 422 /* extract the cookie and queue it to "echo" it back... */ 423 stcb->asoc.overall_error_count = 0; 424 net->error_count = 0; 425 426 /* 427 * Cancel the INIT timer, We do this first before queueing the 428 * cookie. We always cancel at the primary to assue that we are 429 * canceling the timer started by the INIT which always goes to the 430 * primary. 431 */ 432 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 433 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 434 435 /* calculate the RTO */ 436 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 437 438 retval = sctp_send_cookie_echo(m, offset, stcb, net); 439 if (retval < 0) { 440 /* 441 * No cookie, we probably should send a op error. But in any 442 * case if there is no cookie in the INIT-ACK, we can 443 * abandon the peer, its broke. 444 */ 445 if (retval == -3) { 446 /* We abort with an error of missing mandatory param */ 447 struct mbuf *op_err; 448 449 op_err = 450 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 451 if (op_err) { 452 /* 453 * Expand beyond to include the mandatory 454 * param cookie 455 */ 456 struct sctp_inv_mandatory_param *mp; 457 458 SCTP_BUF_LEN(op_err) = 459 sizeof(struct sctp_inv_mandatory_param); 460 mp = mtod(op_err, 461 struct sctp_inv_mandatory_param *); 462 /* Subtract the reserved param */ 463 mp->length = 464 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 465 mp->num_param = htonl(1); 466 mp->param = htons(SCTP_STATE_COOKIE); 467 mp->resv = 0; 468 } 469 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 470 sh, op_err); 471 } 472 return (retval); 473 } 474 return (0); 475} 476 477static void 478sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 479 struct sctp_tcb *stcb, struct sctp_nets *net) 480{ 481 struct sockaddr_storage store; 482 struct sockaddr_in *sin; 483 struct sockaddr_in6 *sin6; 484 struct sctp_nets *r_net; 485 struct timeval tv; 486 487 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 488 /* Invalid length */ 489 return; 490 } 491 sin = (struct sockaddr_in *)&store; 492 sin6 = (struct sockaddr_in6 *)&store; 493 494 memset(&store, 0, sizeof(store)); 495 if (cp->heartbeat.hb_info.addr_family == AF_INET && 496 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 497 sin->sin_family = cp->heartbeat.hb_info.addr_family; 498 sin->sin_len = cp->heartbeat.hb_info.addr_len; 499 sin->sin_port = stcb->rport; 500 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 501 sizeof(sin->sin_addr)); 502 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 503 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 504 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 505 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 506 sin6->sin6_port = stcb->rport; 507 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 508 sizeof(sin6->sin6_addr)); 509 } else { 510 return; 511 } 512 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 513 if (r_net == NULL) { 514#ifdef SCTP_DEBUG 515 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 516 printf("Huh? I can't find the address I sent it to, discard\n"); 517 } 518#endif 519 return; 520 } 521 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 522 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 523 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 524 /* 525 * If the its a HB and it's random value is correct when can 526 * confirm the destination. 527 */ 528 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 529 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 530 stcb, 0, (void *)r_net); 531 } 532 r_net->error_count = 0; 533 r_net->hb_responded = 1; 534 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 535 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 536 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 537 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 538 r_net->dest_state |= SCTP_ADDR_REACHABLE; 539 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 540 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 541 /* now was it the primary? if so restore */ 542 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 543 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 544 } 545 } 546 /* Now lets do a RTO with this */ 547 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 548} 549 550static void 551sctp_handle_abort(struct sctp_abort_chunk *cp, 552 struct sctp_tcb *stcb, struct sctp_nets *net) 553{ 554 555#ifdef SCTP_DEBUG 556 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 557 printf("sctp_handle_abort: handling ABORT\n"); 558 } 559#endif 560 if (stcb == NULL) 561 return; 562 /* verify that the destination addr is in the association */ 563 /* ignore abort for addresses being deleted */ 564 565 /* stop any receive timers */ 566 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 567 /* notify user of the abort and clean up... */ 568 sctp_abort_notification(stcb, 0); 569 /* free the tcb */ 570 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 571 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 572 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 573 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 574 } 575 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 576#ifdef SCTP_DEBUG 577 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 578 printf("sctp_handle_abort: finished\n"); 579 } 580#endif 581} 582 583static void 584sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 585 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 586{ 587 struct sctp_association *asoc; 588 int some_on_streamwheel; 589 590#ifdef SCTP_DEBUG 591 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 592 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 593 } 594#endif 595 if (stcb == NULL) 596 return; 597 asoc = &stcb->asoc; 598 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 599 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 600 return; 601 } 602 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 603 /* Shutdown NOT the expected size */ 604 return; 605 } else { 606 sctp_update_acked(stcb, cp, net, abort_flag); 607 } 608 if (asoc->control_pdapi) { 609 /* 610 * With a normal shutdown we assume the end of last record. 611 */ 612 SCTP_INP_READ_LOCK(stcb->sctp_ep); 613 asoc->control_pdapi->end_added = 1; 614 asoc->control_pdapi->pdapi_aborted = 1; 615 asoc->control_pdapi = NULL; 616 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 617 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 618 } 619 /* goto SHUTDOWN_RECEIVED state to block new requests */ 620 if (stcb->sctp_socket) { 621 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 622 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 623 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 624 /* 625 * notify upper layer that peer has initiated a 626 * shutdown 627 */ 628 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 629 630 /* reset time */ 631 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 632 } 633 } 634 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 635 /* 636 * stop the shutdown timer, since we WILL move to 637 * SHUTDOWN-ACK-SENT. 638 */ 639 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 640 } 641 /* Now are we there yet? */ 642 some_on_streamwheel = 0; 643 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 644 /* Check to see if some data queued */ 645 struct sctp_stream_out *outs; 646 647 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 648 if (!TAILQ_EMPTY(&outs->outqueue)) { 649 some_on_streamwheel = 1; 650 break; 651 } 652 } 653 } 654 if (!TAILQ_EMPTY(&asoc->send_queue) || 655 !TAILQ_EMPTY(&asoc->sent_queue) || 656 some_on_streamwheel) { 657 /* By returning we will push more data out */ 658 return; 659 } else { 660 /* no outstanding data to send, so move on... */ 661 /* send SHUTDOWN-ACK */ 662 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 663 /* move to SHUTDOWN-ACK-SENT state */ 664 if (asoc->state == SCTP_STATE_SHUTDOWN_RECEIVED) { 665 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 666 } 667 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 668 669 /* start SHUTDOWN timer */ 670 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 671 stcb, net); 672 } 673} 674 675static void 676sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 677 struct sctp_tcb *stcb, struct sctp_nets *net) 678{ 679 struct sctp_association *asoc; 680 681#ifdef SCTP_DEBUG 682 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 683 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 684 } 685#endif 686 if (stcb == NULL) 687 return; 688 689 asoc = &stcb->asoc; 690 /* process according to association state */ 691 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 692 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 693 /* unexpected SHUTDOWN-ACK... so ignore... */ 694 SCTP_TCB_UNLOCK(stcb); 695 return; 696 } 697 if (asoc->control_pdapi) { 698 /* 699 * With a normal shutdown we assume the end of last record. 700 */ 701 SCTP_INP_READ_LOCK(stcb->sctp_ep); 702 asoc->control_pdapi->end_added = 1; 703 asoc->control_pdapi->pdapi_aborted = 1; 704 asoc->control_pdapi = NULL; 705 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 706 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 707 } 708 /* are the queues empty? */ 709 if (!TAILQ_EMPTY(&asoc->send_queue) || 710 !TAILQ_EMPTY(&asoc->sent_queue) || 711 !TAILQ_EMPTY(&asoc->out_wheel)) { 712 sctp_report_all_outbound(stcb, 0); 713 } 714 /* stop the timer */ 715 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 716 /* send SHUTDOWN-COMPLETE */ 717 sctp_send_shutdown_complete(stcb, net); 718 /* notify upper layer protocol */ 719 if (stcb->sctp_socket) { 720 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 721 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 722 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 723 /* Set the connected flag to disconnected */ 724 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 725 } 726 } 727 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 728 /* free the TCB but first save off the ep */ 729 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 730 SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 731} 732 733/* 734 * Skip past the param header and then we will find the chunk that caused the 735 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 736 * our peer must be broken. 737 */ 738static void 739sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 740 struct sctp_nets *net) 741{ 742 struct sctp_chunkhdr *chk; 743 744 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 745 switch (chk->chunk_type) { 746 case SCTP_ASCONF_ACK: 747 case SCTP_ASCONF: 748 sctp_asconf_cleanup(stcb, net); 749 break; 750 case SCTP_FORWARD_CUM_TSN: 751 stcb->asoc.peer_supports_prsctp = 0; 752 break; 753 default: 754#ifdef SCTP_DEBUG 755 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 756 printf("Peer does not support chunk type %d(%x)??\n", 757 chk->chunk_type, (uint32_t) chk->chunk_type); 758 } 759#endif 760 break; 761 } 762} 763 764/* 765 * Skip past the param header and then we will find the param that caused the 766 * problem. There are a number of param's in a ASCONF OR the prsctp param 767 * these will turn of specific features. 768 */ 769static void 770sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 771{ 772 struct sctp_paramhdr *pbad; 773 774 pbad = phdr + 1; 775 switch (ntohs(pbad->param_type)) { 776 /* pr-sctp draft */ 777 case SCTP_PRSCTP_SUPPORTED: 778 stcb->asoc.peer_supports_prsctp = 0; 779 break; 780 case SCTP_SUPPORTED_CHUNK_EXT: 781 break; 782 /* draft-ietf-tsvwg-addip-sctp */ 783 case SCTP_ECN_NONCE_SUPPORTED: 784 stcb->asoc.peer_supports_ecn_nonce = 0; 785 stcb->asoc.ecn_nonce_allowed = 0; 786 stcb->asoc.ecn_allowed = 0; 787 break; 788 case SCTP_ADD_IP_ADDRESS: 789 case SCTP_DEL_IP_ADDRESS: 790 case SCTP_SET_PRIM_ADDR: 791 stcb->asoc.peer_supports_asconf = 0; 792 break; 793 case SCTP_SUCCESS_REPORT: 794 case SCTP_ERROR_CAUSE_IND: 795#ifdef SCTP_DEBUG 796 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 797 printf("Huh, the peer does not support success? or error cause?\n"); 798 printf("Turning off ASCONF to this strange peer\n"); 799 } 800#endif 801 stcb->asoc.peer_supports_asconf = 0; 802 break; 803 default: 804#ifdef SCTP_DEBUG 805 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 806 printf("Peer does not support param type %d(%x)??\n", 807 pbad->param_type, (uint32_t) pbad->param_type); 808 } 809#endif 810 break; 811 } 812} 813 814static int 815sctp_handle_error(struct sctp_chunkhdr *ch, 816 struct sctp_tcb *stcb, struct sctp_nets *net) 817{ 818 int chklen; 819 struct sctp_paramhdr *phdr; 820 uint16_t error_type; 821 uint16_t error_len; 822 struct sctp_association *asoc; 823 824 int adjust; 825 826 /* parse through all of the errors and process */ 827 asoc = &stcb->asoc; 828 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 829 sizeof(struct sctp_chunkhdr)); 830 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 831 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 832 /* Process an Error Cause */ 833 error_type = ntohs(phdr->param_type); 834 error_len = ntohs(phdr->param_length); 835 if ((error_len > chklen) || (error_len == 0)) { 836 /* invalid param length for this param */ 837#ifdef SCTP_DEBUG 838 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 839 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 840 chklen, error_len); 841 } 842#endif /* SCTP_DEBUG */ 843 return (0); 844 } 845 switch (error_type) { 846 case SCTP_CAUSE_INVALID_STREAM: 847 case SCTP_CAUSE_MISSING_PARAM: 848 case SCTP_CAUSE_INVALID_PARAM: 849 case SCTP_CAUSE_NO_USER_DATA: 850#ifdef SCTP_DEBUG 851 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 852 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 853 error_type); 854 } 855#endif 856 break; 857 case SCTP_CAUSE_STALE_COOKIE: 858 /* 859 * We only act if we have echoed a cookie and are 860 * waiting. 861 */ 862 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 863 int *p; 864 865 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 866 /* Save the time doubled */ 867 asoc->cookie_preserve_req = ntohl(*p) << 1; 868 asoc->stale_cookie_count++; 869 if (asoc->stale_cookie_count > 870 asoc->max_init_times) { 871 sctp_abort_notification(stcb, 0); 872 /* now free the asoc */ 873 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 874 return (-1); 875 } 876 /* blast back to INIT state */ 877 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 878 asoc->state |= SCTP_STATE_COOKIE_WAIT; 879 880 sctp_stop_all_cookie_timers(stcb); 881 sctp_send_initiate(stcb->sctp_ep, stcb); 882 } 883 break; 884 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 885 /* 886 * Nothing we can do here, we don't do hostname 887 * addresses so if the peer does not like my IPv6 888 * (or IPv4 for that matter) it does not matter. If 889 * they don't support that type of address, they can 890 * NOT possibly get that packet type... i.e. with no 891 * IPv6 you can't recieve a IPv6 packet. so we can 892 * safely ignore this one. If we ever added support 893 * for HOSTNAME Addresses, then we would need to do 894 * something here. 895 */ 896 break; 897 case SCTP_CAUSE_UNRECOG_CHUNK: 898 sctp_process_unrecog_chunk(stcb, phdr, net); 899 break; 900 case SCTP_CAUSE_UNRECOG_PARAM: 901 sctp_process_unrecog_param(stcb, phdr); 902 break; 903 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 904 /* 905 * We ignore this since the timer will drive out a 906 * new cookie anyway and there timer will drive us 907 * to send a SHUTDOWN_COMPLETE. We can't send one 908 * here since we don't have their tag. 909 */ 910 break; 911 case SCTP_CAUSE_DELETING_LAST_ADDR: 912 case SCTP_CAUSE_RESOURCE_SHORTAGE: 913 case SCTP_CAUSE_DELETING_SRC_ADDR: 914 /* 915 * We should NOT get these here, but in a 916 * ASCONF-ACK. n 917 */ 918#ifdef SCTP_DEBUG 919 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 920 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 921 error_type); 922 } 923#endif 924 break; 925 case SCTP_CAUSE_OUT_OF_RESC: 926 /* 927 * And what, pray tell do we do with the fact that 928 * the peer is out of resources? Not really sure we 929 * could do anything but abort. I suspect this n * 930 * should have came WITH an abort instead of in a 931 * OP-ERROR. 932 */ 933 break; 934 default: 935#ifdef SCTP_DEBUG 936 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 937 /* don't know what this error cause is... */ 938 printf("sctp_handle_error: unknown error type = 0x%xh\n", 939 error_type); 940 } 941#endif /* SCTP_DEBUG */ 942 break; 943 } 944 adjust = SCTP_SIZE32(error_len); 945 chklen -= adjust; 946 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 947 } 948 return (0); 949} 950 951static int 952sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 953 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 954 struct sctp_nets *net) 955{ 956 struct sctp_init_ack *init_ack; 957 int *state; 958 struct mbuf *op_err; 959 960#ifdef SCTP_DEBUG 961 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 962 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 963 } 964#endif 965 if (stcb == NULL) { 966#ifdef SCTP_DEBUG 967 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 968 printf("sctp_handle_init_ack: TCB is null\n"); 969 } 970#endif 971 return (-1); 972 } 973 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 974 /* Invalid length */ 975 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 976 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 977 op_err); 978 return (-1); 979 } 980 init_ack = &cp->init; 981 /* validate parameters */ 982 if (init_ack->initiate_tag == 0) { 983 /* protocol error... send an abort */ 984 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 985 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 986 op_err); 987 return (-1); 988 } 989 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 990 /* protocol error... send an abort */ 991 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 992 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 993 op_err); 994 return (-1); 995 } 996 if (init_ack->num_inbound_streams == 0) { 997 /* protocol error... send an abort */ 998 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 999 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1000 op_err); 1001 return (-1); 1002 } 1003 if (init_ack->num_outbound_streams == 0) { 1004 /* protocol error... send an abort */ 1005 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1006 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1007 op_err); 1008 return (-1); 1009 } 1010 /* process according to association state... */ 1011 state = &stcb->asoc.state; 1012 switch (*state & SCTP_STATE_MASK) { 1013 case SCTP_STATE_COOKIE_WAIT: 1014 /* this is the expected state for this chunk */ 1015 /* process the INIT-ACK parameters */ 1016 if (stcb->asoc.primary_destination->dest_state & 1017 SCTP_ADDR_UNCONFIRMED) { 1018 /* 1019 * The primary is where we sent the INIT, we can 1020 * always consider it confirmed when the INIT-ACK is 1021 * returned. Do this before we load addresses 1022 * though. 1023 */ 1024 stcb->asoc.primary_destination->dest_state &= 1025 ~SCTP_ADDR_UNCONFIRMED; 1026 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1027 stcb, 0, (void *)stcb->asoc.primary_destination); 1028 } 1029 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net 1030 ) < 0) { 1031 /* error in parsing parameters */ 1032 return (-1); 1033 } 1034 /* update our state */ 1035#ifdef SCTP_DEBUG 1036 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1037 printf("moving to COOKIE-ECHOED state\n"); 1038 } 1039#endif 1040 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 1041 *state = SCTP_STATE_COOKIE_ECHOED | 1042 SCTP_STATE_SHUTDOWN_PENDING; 1043 } else { 1044 *state = SCTP_STATE_COOKIE_ECHOED; 1045 } 1046 1047 /* reset the RTO calc */ 1048 stcb->asoc.overall_error_count = 0; 1049 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1050 /* 1051 * collapse the init timer back in case of a exponential 1052 * backoff 1053 */ 1054 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1055 stcb, net); 1056 /* 1057 * the send at the end of the inbound data processing will 1058 * cause the cookie to be sent 1059 */ 1060 break; 1061 case SCTP_STATE_SHUTDOWN_SENT: 1062 /* incorrect state... discard */ 1063 break; 1064 case SCTP_STATE_COOKIE_ECHOED: 1065 /* incorrect state... discard */ 1066 break; 1067 case SCTP_STATE_OPEN: 1068 /* incorrect state... discard */ 1069 break; 1070 case SCTP_STATE_EMPTY: 1071 case SCTP_STATE_INUSE: 1072 default: 1073 /* incorrect state... discard */ 1074 return (-1); 1075 break; 1076 } /* end switch asoc state */ 1077#ifdef SCTP_DEBUG 1078 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1079 printf("Leaving handle-init-ack end\n"); 1080 } 1081#endif 1082 return (0); 1083} 1084 1085 1086/* 1087 * handle a state cookie for an existing association m: input packet mbuf 1088 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1089 * "split" mbuf and the cookie signature does not exist offset: offset into 1090 * mbuf to the cookie-echo chunk 1091 */ 1092static struct sctp_tcb * 1093sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1094 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1095 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1096 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id) 1097{ 1098 struct sctp_association *asoc; 1099 struct sctp_init_chunk *init_cp, init_buf; 1100 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1101 int chk_length; 1102 int init_offset, initack_offset, i; 1103 int retval; 1104 int spec_flag = 0; 1105 int how_indx; 1106 1107 /* I know that the TCB is non-NULL from the caller */ 1108 asoc = &stcb->asoc; 1109 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); i++) { 1110 if (asoc->cookie_how[how_indx] == 0) 1111 break; 1112 } 1113 if (how_indx < sizeof(asoc->cookie_how)) { 1114 asoc->cookie_how[how_indx] = 1; 1115 } 1116 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1117 /* SHUTDOWN came in after sending INIT-ACK */ 1118 struct mbuf *op_err; 1119 struct sctp_paramhdr *ph; 1120 1121 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1122 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1123 0, M_DONTWAIT, 1, MT_DATA); 1124 if (op_err == NULL) { 1125 /* FOOBAR */ 1126 return (NULL); 1127 } 1128 /* pre-reserve some space */ 1129 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1130 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1131 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1132 /* Set the len */ 1133 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1134 ph = mtod(op_err, struct sctp_paramhdr *); 1135 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1136 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1137 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1138 if (how_indx < sizeof(asoc->cookie_how)) 1139 asoc->cookie_how[how_indx] = 2; 1140 return (NULL); 1141 } 1142 /* 1143 * find and validate the INIT chunk in the cookie (peer's info) the 1144 * INIT should start after the cookie-echo header struct (chunk 1145 * header, state cookie header struct) 1146 */ 1147 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1148 1149 init_cp = (struct sctp_init_chunk *) 1150 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1151 (uint8_t *) & init_buf); 1152 if (init_cp == NULL) { 1153 /* could not pull a INIT chunk in cookie */ 1154 return (NULL); 1155 } 1156 chk_length = ntohs(init_cp->ch.chunk_length); 1157 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1158 return (NULL); 1159 } 1160 /* 1161 * find and validate the INIT-ACK chunk in the cookie (my info) the 1162 * INIT-ACK follows the INIT chunk 1163 */ 1164 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1165 initack_cp = (struct sctp_init_ack_chunk *) 1166 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1167 (uint8_t *) & initack_buf); 1168 if (initack_cp == NULL) { 1169 /* could not pull INIT-ACK chunk in cookie */ 1170 return (NULL); 1171 } 1172 chk_length = ntohs(initack_cp->ch.chunk_length); 1173 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1174 return (NULL); 1175 } 1176 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1177 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1178 /* 1179 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1180 * to get into the OPEN state 1181 */ 1182 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1183 panic("Case D and non-match seq?"); 1184 } 1185 switch SCTP_GET_STATE 1186 (asoc) { 1187 case SCTP_STATE_COOKIE_WAIT: 1188 case SCTP_STATE_COOKIE_ECHOED: 1189 /* 1190 * INIT was sent, but got got a COOKIE_ECHO with the 1191 * correct tags... just accept it...but we must 1192 * process the init so that we can make sure we have 1193 * the right seq no's. 1194 */ 1195 /* First we must process the INIT !! */ 1196 retval = sctp_process_init(init_cp, stcb, net); 1197 if (retval < 0) { 1198 if (how_indx < sizeof(asoc->cookie_how)) 1199 asoc->cookie_how[how_indx] = 3; 1200 return (NULL); 1201 } 1202 /* we have already processed the INIT so no problem */ 1203 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1204 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1205 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1206 /* update current state */ 1207 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1208 asoc->state = SCTP_STATE_OPEN | 1209 SCTP_STATE_SHUTDOWN_PENDING; 1210 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1211 stcb->sctp_ep, stcb, asoc->primary_destination); 1212 1213 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { 1214 /* if ok, move to OPEN state */ 1215 asoc->state = SCTP_STATE_OPEN; 1216 } 1217 sctp_stop_all_cookie_timers(stcb); 1218 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1219 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1220 (inp->sctp_socket->so_qlimit == 0) 1221 ) { 1222 /* 1223 * Here is where collision would go if we 1224 * did a connect() and instead got a 1225 * init/init-ack/cookie done before the 1226 * init-ack came back.. 1227 */ 1228 stcb->sctp_ep->sctp_flags |= 1229 SCTP_PCB_FLAGS_CONNECTED; 1230 soisconnected(stcb->sctp_ep->sctp_socket); 1231 } 1232 /* notify upper layer */ 1233 *notification = SCTP_NOTIFY_ASSOC_UP; 1234 /* 1235 * since we did not send a HB make sure we don't 1236 * double things 1237 */ 1238 net->hb_responded = 1; 1239 1240 if (stcb->asoc.sctp_autoclose_ticks && 1241 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1242 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1243 inp, stcb, NULL); 1244 } 1245 break; 1246 default: 1247 /* 1248 * we're in the OPEN state (or beyond), so peer must 1249 * have simply lost the COOKIE-ACK 1250 */ 1251 break; 1252 } /* end switch */ 1253 sctp_stop_all_cookie_timers(stcb); 1254 /* 1255 * We ignore the return code here.. not sure if we should 1256 * somehow abort.. but we do have an existing asoc. This 1257 * really should not fail. 1258 */ 1259 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1260 init_offset + sizeof(struct sctp_init_chunk), 1261 initack_offset, sh, init_src)) { 1262 if (how_indx < sizeof(asoc->cookie_how)) 1263 asoc->cookie_how[how_indx] = 4; 1264 return (NULL); 1265 } 1266 /* respond with a COOKIE-ACK */ 1267 sctp_toss_old_cookies(stcb, asoc); 1268 sctp_send_cookie_ack(stcb); 1269 if (how_indx < sizeof(asoc->cookie_how)) 1270 asoc->cookie_how[how_indx] = 5; 1271 return (stcb); 1272 } /* end if */ 1273 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1274 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1275 cookie->tie_tag_my_vtag == 0 && 1276 cookie->tie_tag_peer_vtag == 0) { 1277 /* 1278 * case C in Section 5.2.4 Table 2: XMOO silently discard 1279 */ 1280 if (how_indx < sizeof(asoc->cookie_how)) 1281 asoc->cookie_how[how_indx] = 6; 1282 return (NULL); 1283 } 1284 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1285 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1286 init_cp->init.initiate_tag == 0)) { 1287 /* 1288 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1289 * should be ok, re-accept peer info 1290 */ 1291 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1292 /* 1293 * Extension of case C. If we hit this, then the 1294 * random number generator returned the same vtag 1295 * when we first sent our INIT-ACK and when we later 1296 * sent our INIT. The side with the seq numbers that 1297 * are different will be the one that normnally 1298 * would have hit case C. This in effect "extends" 1299 * our vtags in this collision case to be 64 bits. 1300 * The same collision could occur aka you get both 1301 * vtag and seq number the same twice in a row.. but 1302 * is much less likely. If it did happen then we 1303 * would proceed through and bring up the assoc.. we 1304 * may end up with the wrong stream setup however.. 1305 * which would be bad.. but there is no way to 1306 * tell.. until we send on a stream that does not 1307 * exist :-) 1308 */ 1309 if (how_indx < sizeof(asoc->cookie_how)) 1310 asoc->cookie_how[how_indx] = 7; 1311 1312 return (NULL); 1313 } 1314 if (how_indx < sizeof(asoc->cookie_how)) 1315 asoc->cookie_how[how_indx] = 8; 1316 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1317 sctp_stop_all_cookie_timers(stcb); 1318 /* 1319 * since we did not send a HB make sure we don't double 1320 * things 1321 */ 1322 net->hb_responded = 1; 1323 if (stcb->asoc.sctp_autoclose_ticks && 1324 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1325 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1326 NULL); 1327 } 1328 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1329 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1330 1331 /* Note last_cwr_tsn? where is this used? */ 1332 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1333 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1334 /* 1335 * Ok the peer probably discarded our data (if we 1336 * echoed a cookie+data). So anything on the 1337 * sent_queue should be marked for retransmit, we 1338 * may not get something to kick us so it COULD 1339 * still take a timeout to move these.. but it can't 1340 * hurt to mark them. 1341 */ 1342 struct sctp_tmit_chunk *chk; 1343 1344 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1345 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1346 chk->sent = SCTP_DATAGRAM_RESEND; 1347 stcb->asoc.sent_queue_retran_cnt++; 1348 spec_flag++; 1349 } 1350 } 1351 1352 } 1353 /* process the INIT info (peer's info) */ 1354 retval = sctp_process_init(init_cp, stcb, net); 1355 if (retval < 0) { 1356 if (how_indx < sizeof(asoc->cookie_how)) 1357 asoc->cookie_how[how_indx] = 9; 1358 return (NULL); 1359 } 1360 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1361 init_offset + sizeof(struct sctp_init_chunk), 1362 initack_offset, sh, init_src)) { 1363 if (how_indx < sizeof(asoc->cookie_how)) 1364 asoc->cookie_how[how_indx] = 10; 1365 return (NULL); 1366 } 1367 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1368 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1369 *notification = SCTP_NOTIFY_ASSOC_UP; 1370 1371 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1372 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1373 (inp->sctp_socket->so_qlimit == 0)) { 1374 stcb->sctp_ep->sctp_flags |= 1375 SCTP_PCB_FLAGS_CONNECTED; 1376 soisconnected(stcb->sctp_ep->sctp_socket); 1377 } 1378 } 1379 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1380 asoc->state = SCTP_STATE_OPEN | 1381 SCTP_STATE_SHUTDOWN_PENDING; 1382 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1383 stcb->sctp_ep, stcb, asoc->primary_destination); 1384 1385 } else { 1386 asoc->state = SCTP_STATE_OPEN; 1387 } 1388 sctp_stop_all_cookie_timers(stcb); 1389 sctp_toss_old_cookies(stcb, asoc); 1390 sctp_send_cookie_ack(stcb); 1391 if (spec_flag) { 1392 /* 1393 * only if we have retrans set do we do this. What 1394 * this call does is get only the COOKIE-ACK out and 1395 * then when we return the normal call to 1396 * sctp_chunk_output will get the retrans out behind 1397 * this. 1398 */ 1399 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK); 1400 } 1401 if (how_indx < sizeof(asoc->cookie_how)) 1402 asoc->cookie_how[how_indx] = 11; 1403 1404 return (stcb); 1405 } 1406 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1407 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1408 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1409 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1410 cookie->tie_tag_peer_vtag != 0) { 1411 struct sctpasochead *head; 1412 1413 /* 1414 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1415 */ 1416 /* temp code */ 1417 if (how_indx < sizeof(asoc->cookie_how)) 1418 asoc->cookie_how[how_indx] = 12; 1419 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1420 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1421 1422 *sac_assoc_id = sctp_get_associd(stcb); 1423 /* notify upper layer */ 1424 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1425 atomic_add_int(&stcb->asoc.refcnt, 1); 1426 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1427 asoc->state = SCTP_STATE_OPEN | 1428 SCTP_STATE_SHUTDOWN_PENDING; 1429 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1430 stcb->sctp_ep, stcb, asoc->primary_destination); 1431 1432 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1433 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1434 asoc->state = SCTP_STATE_OPEN; 1435 } 1436 asoc->pre_open_streams = 1437 ntohs(initack_cp->init.num_outbound_streams); 1438 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1439 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1440 1441 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1442 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1443 1444 asoc->str_reset_seq_in = asoc->init_seq_number; 1445 1446 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1447 if (asoc->mapping_array) 1448 memset(asoc->mapping_array, 0, 1449 asoc->mapping_array_size); 1450 SCTP_TCB_UNLOCK(stcb); 1451 SCTP_INP_INFO_WLOCK(); 1452 SCTP_INP_WLOCK(stcb->sctp_ep); 1453 SCTP_TCB_LOCK(stcb); 1454 atomic_add_int(&stcb->asoc.refcnt, -1); 1455 /* send up all the data */ 1456 SCTP_TCB_SEND_LOCK(stcb); 1457 1458 sctp_report_all_outbound(stcb, 1); 1459 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1460 stcb->asoc.strmout[i].stream_no = i; 1461 stcb->asoc.strmout[i].next_sequence_sent = 0; 1462 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1463 } 1464 /* process the INIT-ACK info (my info) */ 1465 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1466 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1467 1468 /* pull from vtag hash */ 1469 LIST_REMOVE(stcb, sctp_asocs); 1470 /* re-insert to new vtag position */ 1471 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1472 sctppcbinfo.hashasocmark)]; 1473 /* 1474 * put it in the bucket in the vtag hash of assoc's for the 1475 * system 1476 */ 1477 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1478 1479 /* Is this the first restart? */ 1480 if (stcb->asoc.in_restart_hash == 0) { 1481 /* Ok add it to assoc_id vtag hash */ 1482 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1483 sctppcbinfo.hashrestartmark)]; 1484 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1485 stcb->asoc.in_restart_hash = 1; 1486 } 1487 /* process the INIT info (peer's info) */ 1488 SCTP_TCB_SEND_UNLOCK(stcb); 1489 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1490 SCTP_INP_INFO_WUNLOCK(); 1491 1492 retval = sctp_process_init(init_cp, stcb, net); 1493 if (retval < 0) { 1494 if (how_indx < sizeof(asoc->cookie_how)) 1495 asoc->cookie_how[how_indx] = 13; 1496 1497 return (NULL); 1498 } 1499 /* 1500 * since we did not send a HB make sure we don't double 1501 * things 1502 */ 1503 net->hb_responded = 1; 1504 1505 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1506 init_offset + sizeof(struct sctp_init_chunk), 1507 initack_offset, sh, init_src)) { 1508 if (how_indx < sizeof(asoc->cookie_how)) 1509 asoc->cookie_how[how_indx] = 14; 1510 1511 return (NULL); 1512 } 1513 /* respond with a COOKIE-ACK */ 1514 sctp_stop_all_cookie_timers(stcb); 1515 sctp_toss_old_cookies(stcb, asoc); 1516 sctp_send_cookie_ack(stcb); 1517 if (how_indx < sizeof(asoc->cookie_how)) 1518 asoc->cookie_how[how_indx] = 15; 1519 1520 return (stcb); 1521 } 1522 /* if we are not a restart we need the assoc_id field pop'd */ 1523 asoc->assoc_id = ntohl(initack_cp->init.initiate_tag); 1524 if (how_indx < sizeof(asoc->cookie_how)) 1525 asoc->cookie_how[how_indx] = 16; 1526 /* all other cases... */ 1527 return (NULL); 1528} 1529 1530/* 1531 * handle a state cookie for a new association m: input packet mbuf chain-- 1532 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1533 * and the cookie signature does not exist offset: offset into mbuf to the 1534 * cookie-echo chunk length: length of the cookie chunk to: where the init 1535 * was from returns a new TCB 1536 */ 1537static struct sctp_tcb * 1538sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1539 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1540 struct sctp_inpcb *inp, struct sctp_nets **netp, 1541 struct sockaddr *init_src, int *notification, 1542 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1543{ 1544 struct sctp_tcb *stcb; 1545 struct sctp_init_chunk *init_cp, init_buf; 1546 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1547 struct sockaddr_storage sa_store; 1548 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1549 struct sockaddr_in *sin; 1550 struct sockaddr_in6 *sin6; 1551 struct sctp_association *asoc; 1552 int chk_length; 1553 int init_offset, initack_offset, initack_limit; 1554 int retval; 1555 int error = 0; 1556 uint32_t old_tag; 1557 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 1558 1559 /* 1560 * find and validate the INIT chunk in the cookie (peer's info) the 1561 * INIT should start after the cookie-echo header struct (chunk 1562 * header, state cookie header struct) 1563 */ 1564 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1565 init_cp = (struct sctp_init_chunk *) 1566 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1567 (uint8_t *) & init_buf); 1568 if (init_cp == NULL) { 1569 /* could not pull a INIT chunk in cookie */ 1570#ifdef SCTP_DEBUG 1571 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1572 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1573 } 1574#endif /* SCTP_DEBUG */ 1575 return (NULL); 1576 } 1577 chk_length = ntohs(init_cp->ch.chunk_length); 1578 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1579#ifdef SCTP_DEBUG 1580 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1581 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1582 } 1583#endif /* SCTP_DEBUG */ 1584 return (NULL); 1585 } 1586 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1587 /* 1588 * find and validate the INIT-ACK chunk in the cookie (my info) the 1589 * INIT-ACK follows the INIT chunk 1590 */ 1591 initack_cp = (struct sctp_init_ack_chunk *) 1592 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1593 (uint8_t *) & initack_buf); 1594 if (initack_cp == NULL) { 1595 /* could not pull INIT-ACK chunk in cookie */ 1596#ifdef SCTP_DEBUG 1597 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1598 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1599 } 1600#endif /* SCTP_DEBUG */ 1601 return (NULL); 1602 } 1603 chk_length = ntohs(initack_cp->ch.chunk_length); 1604 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1605 return (NULL); 1606 } 1607 /* 1608 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1609 * "initack_limit" value. This is because the chk_length field 1610 * includes the length of the cookie, but the cookie is omitted when 1611 * the INIT and INIT_ACK are tacked onto the cookie... 1612 */ 1613 initack_limit = offset + cookie_len; 1614 1615 /* 1616 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1617 * and popluate 1618 */ 1619 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1620 ntohl(initack_cp->init.initiate_tag)); 1621 if (stcb == NULL) { 1622 struct mbuf *op_err; 1623 1624 /* memory problem? */ 1625#ifdef SCTP_DEBUG 1626 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1627 printf("process_cookie_new: no room for another TCB!\n"); 1628 } 1629#endif /* SCTP_DEBUG */ 1630 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1631 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1632 sh, op_err); 1633 return (NULL); 1634 } 1635 /* get the correct sctp_nets */ 1636 *netp = sctp_findnet(stcb, init_src); 1637 asoc = &stcb->asoc; 1638 /* get scope variables out of cookie */ 1639 asoc->ipv4_local_scope = cookie->ipv4_scope; 1640 asoc->site_scope = cookie->site_scope; 1641 asoc->local_scope = cookie->local_scope; 1642 asoc->loopback_scope = cookie->loopback_scope; 1643 1644 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1645 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1646 struct mbuf *op_err; 1647 1648 /* 1649 * Houston we have a problem. The EP changed while the 1650 * cookie was in flight. Only recourse is to abort the 1651 * association. 1652 */ 1653 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1654 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1655 sh, op_err); 1656 return (NULL); 1657 } 1658 /* process the INIT-ACK info (my info) */ 1659 old_tag = asoc->my_vtag; 1660 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1661 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1662 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1663 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1664 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1665 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1666 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1667 asoc->str_reset_seq_in = asoc->init_seq_number; 1668 1669 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1670 1671 /* process the INIT info (peer's info) */ 1672 retval = sctp_process_init(init_cp, stcb, *netp); 1673 if (retval < 0) { 1674 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1675 return (NULL); 1676 } 1677 /* load all addresses */ 1678 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1679 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1680 init_src)) { 1681 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 1682 return (NULL); 1683 } 1684 /* 1685 * verify any preceding AUTH chunk that was skipped 1686 */ 1687 /* pull the local authentication parameters from the cookie/init-ack */ 1688 sctp_auth_get_cookie_params(stcb, m, 1689 initack_offset + sizeof(struct sctp_init_ack_chunk), 1690 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1691 if (auth_skipped) { 1692 struct sctp_auth_chunk *auth; 1693 1694 auth = (struct sctp_auth_chunk *) 1695 sctp_m_getptr(m, auth_offset, auth_len, chunk_buf); 1696 if (sctp_handle_auth(stcb, auth, m, auth_offset)) { 1697 /* auth HMAC failed, dump the assoc and packet */ 1698#ifdef SCTP_DEBUG 1699 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 1700 printf("COOKIE-ECHO: AUTH failed\n"); 1701#endif /* SCTP_DEBUG */ 1702 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 1703 return (NULL); 1704 } else { 1705 /* remaining chunks checked... good to go */ 1706 stcb->asoc.authenticated = 1; 1707 } 1708 } 1709 /* update current state */ 1710#ifdef SCTP_DEBUG 1711 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1712 printf("moving to OPEN state\n"); 1713 } 1714#endif 1715 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1716 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1717 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1718 stcb->sctp_ep, stcb, asoc->primary_destination); 1719 } else { 1720 asoc->state = SCTP_STATE_OPEN; 1721 } 1722 sctp_stop_all_cookie_timers(stcb); 1723 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1724 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1725 1726 /* 1727 * if we're doing ASCONFs, check to see if we have any new local 1728 * addresses that need to get added to the peer (eg. addresses 1729 * changed while cookie echo in flight). This needs to be done 1730 * after we go to the OPEN state to do the correct asconf 1731 * processing. else, make sure we have the correct addresses in our 1732 * lists 1733 */ 1734 1735 /* warning, we re-use sin, sin6, sa_store here! */ 1736 /* pull in local_address (our "from" address) */ 1737 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1738 /* source addr is IPv4 */ 1739 sin = (struct sockaddr_in *)initack_src; 1740 memset(sin, 0, sizeof(*sin)); 1741 sin->sin_family = AF_INET; 1742 sin->sin_len = sizeof(struct sockaddr_in); 1743 sin->sin_addr.s_addr = cookie->laddress[0]; 1744 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1745 /* source addr is IPv6 */ 1746 sin6 = (struct sockaddr_in6 *)initack_src; 1747 memset(sin6, 0, sizeof(*sin6)); 1748 sin6->sin6_family = AF_INET6; 1749 sin6->sin6_len = sizeof(struct sockaddr_in6); 1750 sin6->sin6_scope_id = cookie->scope_id; 1751 memcpy(&sin6->sin6_addr, cookie->laddress, 1752 sizeof(sin6->sin6_addr)); 1753 } else { 1754 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 1755 return (NULL); 1756 } 1757 1758 sctp_check_address_list(stcb, m, 1759 initack_offset + sizeof(struct sctp_init_ack_chunk), 1760 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1761 initack_src, cookie->local_scope, cookie->site_scope, 1762 cookie->ipv4_scope, cookie->loopback_scope); 1763 1764 1765 /* set up to notify upper layer */ 1766 *notification = SCTP_NOTIFY_ASSOC_UP; 1767 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1768 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1769 (inp->sctp_socket->so_qlimit == 0)) { 1770 /* 1771 * This is an endpoint that called connect() how it got a 1772 * cookie that is NEW is a bit of a mystery. It must be that 1773 * the INIT was sent, but before it got there.. a complete 1774 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1775 * should have went to the other code.. not here.. oh well.. 1776 * a bit of protection is worth having.. 1777 */ 1778 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1779 soisconnected(stcb->sctp_ep->sctp_socket); 1780 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1781 (inp->sctp_socket->so_qlimit)) { 1782 /* 1783 * We don't want to do anything with this one. Since it is 1784 * the listening guy. The timer will get started for 1785 * accepted connections in the caller. 1786 */ 1787 ; 1788 } 1789 /* since we did not send a HB make sure we don't double things */ 1790 (*netp)->hb_responded = 1; 1791 1792 if (stcb->asoc.sctp_autoclose_ticks && 1793 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1794 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1795 } 1796 /* respond with a COOKIE-ACK */ 1797 /* calculate the RTT */ 1798 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1799 &cookie->time_entered); 1800 sctp_send_cookie_ack(stcb); 1801 return (stcb); 1802} 1803 1804 1805/* 1806 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1807 * existing (non-NULL) TCB 1808 */ 1809static struct mbuf * 1810sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1811 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1812 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1813 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, struct sctp_tcb **locked_tcb) 1814{ 1815 struct sctp_state_cookie *cookie; 1816 struct sockaddr_in6 sin6; 1817 struct sockaddr_in sin; 1818 struct sctp_tcb *l_stcb = *stcb; 1819 struct sctp_inpcb *l_inp; 1820 struct sockaddr *to; 1821 sctp_assoc_t sac_restart_id; 1822 struct sctp_pcb *ep; 1823 struct mbuf *m_sig; 1824 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1825 uint8_t *sig; 1826 uint8_t cookie_ok = 0; 1827 unsigned int size_of_pkt, sig_offset, cookie_offset; 1828 unsigned int cookie_len; 1829 struct timeval now; 1830 struct timeval time_expires; 1831 struct sockaddr_storage dest_store; 1832 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1833 struct ip *iph; 1834 int notification = 0; 1835 struct sctp_nets *netl; 1836 int had_a_existing_tcb = 0; 1837 1838#ifdef SCTP_DEBUG 1839 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1840 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1841 } 1842#endif 1843 1844 if (inp_p == NULL) { 1845 return (NULL); 1846 } 1847 /* First get the destination address setup too. */ 1848 iph = mtod(m, struct ip *); 1849 if (iph->ip_v == IPVERSION) { 1850 /* its IPv4 */ 1851 struct sockaddr_in *sin; 1852 1853 sin = (struct sockaddr_in *)(localep_sa); 1854 memset(sin, 0, sizeof(*sin)); 1855 sin->sin_family = AF_INET; 1856 sin->sin_len = sizeof(*sin); 1857 sin->sin_port = sh->dest_port; 1858 sin->sin_addr.s_addr = iph->ip_dst.s_addr; 1859 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 1860 1861 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1862 /* its IPv6 */ 1863 struct ip6_hdr *ip6; 1864 struct sockaddr_in6 *sin6; 1865 1866 sin6 = (struct sockaddr_in6 *)(localep_sa); 1867 memset(sin6, 0, sizeof(*sin6)); 1868 sin6->sin6_family = AF_INET6; 1869 sin6->sin6_len = sizeof(struct sockaddr_in6); 1870 ip6 = mtod(m, struct ip6_hdr *); 1871 sin6->sin6_port = sh->dest_port; 1872 sin6->sin6_addr = ip6->ip6_dst; 1873 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6); 1874 } else { 1875 return (NULL); 1876 } 1877 1878 cookie = &cp->cookie; 1879 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1880 cookie_len = ntohs(cp->ch.chunk_length); 1881 1882 if ((cookie->peerport != sh->src_port) && 1883 (cookie->myport != sh->dest_port) && 1884 (cookie->my_vtag != sh->v_tag)) { 1885 /* 1886 * invalid ports or bad tag. Note that we always leave the 1887 * v_tag in the header in network order and when we stored 1888 * it in the my_vtag slot we also left it in network order. 1889 * This maintians the match even though it may be in the 1890 * opposite byte order of the machine :-> 1891 */ 1892 return (NULL); 1893 } 1894 if (cookie_len > size_of_pkt || 1895 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1896 sizeof(struct sctp_init_chunk) + 1897 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1898 /* cookie too long! or too small */ 1899 return (NULL); 1900 } 1901 /* 1902 * split off the signature into its own mbuf (since it should not be 1903 * calculated in the sctp_hmac_m() call). 1904 */ 1905 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1906 if (sig_offset > size_of_pkt) { 1907 /* packet not correct size! */ 1908 /* XXX this may already be accounted for earlier... */ 1909 return (NULL); 1910 } 1911 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1912 if (m_sig == NULL) { 1913 /* out of memory or ?? */ 1914 return (NULL); 1915 } 1916 /* 1917 * compute the signature/digest for the cookie 1918 */ 1919 ep = &(*inp_p)->sctp_ep; 1920 l_inp = *inp_p; 1921 if (l_stcb) { 1922 SCTP_TCB_UNLOCK(l_stcb); 1923 } 1924 SCTP_INP_RLOCK(l_inp); 1925 if (l_stcb) { 1926 SCTP_TCB_LOCK(l_stcb); 1927 } 1928 /* which cookie is it? */ 1929 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1930 (ep->current_secret_number != ep->last_secret_number)) { 1931 /* it's the old cookie */ 1932 sctp_hmac_m(SCTP_HMAC, 1933 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1934 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1935 } else { 1936 /* it's the current cookie */ 1937 sctp_hmac_m(SCTP_HMAC, 1938 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1939 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1940 } 1941 /* get the signature */ 1942 SCTP_INP_RUNLOCK(l_inp); 1943 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1944 if (sig == NULL) { 1945 /* couldn't find signature */ 1946 sctp_m_freem(m_sig); 1947 return (NULL); 1948 } 1949 /* compare the received digest with the computed digest */ 1950 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1951 /* try the old cookie? */ 1952 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1953 (ep->current_secret_number != ep->last_secret_number)) { 1954 /* compute digest with old */ 1955 sctp_hmac_m(SCTP_HMAC, 1956 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1957 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1958 /* compare */ 1959 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1960 cookie_ok = 1; 1961 } 1962 } else { 1963 cookie_ok = 1; 1964 } 1965 1966 /* 1967 * Now before we continue we must reconstruct our mbuf so that 1968 * normal processing of any other chunks will work. 1969 */ 1970 { 1971 struct mbuf *m_at; 1972 1973 m_at = m; 1974 while (SCTP_BUF_NEXT(m_at) != NULL) { 1975 m_at = SCTP_BUF_NEXT(m_at); 1976 } 1977 SCTP_BUF_NEXT(m_at) = m_sig; 1978 } 1979 1980 if (cookie_ok == 0) { 1981#ifdef SCTP_DEBUG 1982 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1983 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1984 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1985 (uint32_t) offset, cookie_offset, sig_offset); 1986 } 1987#endif 1988 return (NULL); 1989 } 1990 /* 1991 * check the cookie timestamps to be sure it's not stale 1992 */ 1993 SCTP_GETTIME_TIMEVAL(&now); 1994 /* Expire time is in Ticks, so we convert to seconds */ 1995 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 1996 time_expires.tv_usec = cookie->time_entered.tv_usec; 1997 if (timevalcmp(&now, &time_expires, >)) { 1998 /* cookie is stale! */ 1999 struct mbuf *op_err; 2000 struct sctp_stale_cookie_msg *scm; 2001 uint32_t tim; 2002 2003 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 2004 0, M_DONTWAIT, 1, MT_DATA); 2005 if (op_err == NULL) { 2006 /* FOOBAR */ 2007 return (NULL); 2008 } 2009 /* pre-reserve some space */ 2010 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 2011 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 2012 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 2013 2014 /* Set the len */ 2015 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 2016 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 2017 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 2018 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 2019 (sizeof(uint32_t)))); 2020 /* seconds to usec */ 2021 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2022 /* add in usec */ 2023 if (tim == 0) 2024 tim = now.tv_usec - cookie->time_entered.tv_usec; 2025 scm->time_usec = htonl(tim); 2026 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 2027 return (NULL); 2028 } 2029 /* 2030 * Now we must see with the lookup address if we have an existing 2031 * asoc. This will only happen if we were in the COOKIE-WAIT state 2032 * and a INIT collided with us and somewhere the peer sent the 2033 * cookie on another address besides the single address our assoc 2034 * had for him. In this case we will have one of the tie-tags set at 2035 * least AND the address field in the cookie can be used to look it 2036 * up. 2037 */ 2038 to = NULL; 2039 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 2040 memset(&sin6, 0, sizeof(sin6)); 2041 sin6.sin6_family = AF_INET6; 2042 sin6.sin6_len = sizeof(sin6); 2043 sin6.sin6_port = sh->src_port; 2044 sin6.sin6_scope_id = cookie->scope_id; 2045 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2046 sizeof(sin6.sin6_addr.s6_addr)); 2047 to = (struct sockaddr *)&sin6; 2048 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2049 memset(&sin, 0, sizeof(sin)); 2050 sin.sin_family = AF_INET; 2051 sin.sin_len = sizeof(sin); 2052 sin.sin_port = sh->src_port; 2053 sin.sin_addr.s_addr = cookie->address[0]; 2054 to = (struct sockaddr *)&sin; 2055 } 2056 if ((*stcb == NULL) && to) { 2057 /* Yep, lets check */ 2058 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2059 if (*stcb == NULL) { 2060 /* 2061 * We should have only got back the same inp. If we 2062 * got back a different ep we have a problem. The 2063 * original findep got back l_inp and now 2064 */ 2065 if (l_inp != *inp_p) { 2066 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 2067 } 2068 } else { 2069 if (*locked_tcb == NULL) { 2070 /* 2071 * In this case we found the assoc only 2072 * after we locked the create lock. This 2073 * means we are in a colliding case and we 2074 * must make sure that we unlock the tcb if 2075 * its one of the cases where we throw away 2076 * the incoming packets. 2077 */ 2078 *locked_tcb = *stcb; 2079 2080 /* 2081 * We must also increment the inp ref count 2082 * since the ref_count flags was set when we 2083 * did not find the TCB, now we found it 2084 * which reduces the refcount.. we must 2085 * raise it back out to balance it all :-) 2086 */ 2087 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2088 if ((*stcb)->sctp_ep != l_inp) { 2089 printf("Huh? ep:%p diff then l_inp:%p?\n", 2090 (*stcb)->sctp_ep, l_inp); 2091 } 2092 } 2093 } 2094 } 2095 cookie_len -= SCTP_SIGNATURE_SIZE; 2096 if (*stcb == NULL) { 2097 /* this is the "normal" case... get a new TCB */ 2098 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2099 cookie_len, *inp_p, netp, to, ¬ification, 2100 auth_skipped, auth_offset, auth_len); 2101 } else { 2102 /* this is abnormal... cookie-echo on existing TCB */ 2103 had_a_existing_tcb = 1; 2104 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2105 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, 2106 &sac_restart_id); 2107 } 2108 2109 if (*stcb == NULL) { 2110 /* still no TCB... must be bad cookie-echo */ 2111 return (NULL); 2112 } 2113 /* 2114 * Ok, we built an association so confirm the address we sent the 2115 * INIT-ACK to. 2116 */ 2117 netl = sctp_findnet(*stcb, to); 2118 /* 2119 * This code should in theory NOT run but 2120 */ 2121 if (netl == NULL) { 2122 /* TSNH! Huh, why do I need to add this address here? */ 2123 int ret; 2124 2125 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2126 SCTP_IN_COOKIE_PROC); 2127 netl = sctp_findnet(*stcb, to); 2128 } 2129 if (netl) { 2130 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2131 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2132 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2133 netl); 2134 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2135 (*stcb), 0, (void *)netl); 2136 } 2137 } 2138 if (*stcb) { 2139 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2140 *stcb, NULL); 2141 } 2142 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2143 if (!had_a_existing_tcb || 2144 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2145 /* 2146 * If we have a NEW cookie or the connect never 2147 * reached the connected state during collision we 2148 * must do the TCP accept thing. 2149 */ 2150 struct socket *so, *oso; 2151 struct sctp_inpcb *inp; 2152 2153 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2154 /* 2155 * For a restart we will keep the same 2156 * socket, no need to do anything. I THINK!! 2157 */ 2158 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2159 return (m); 2160 } 2161 oso = (*inp_p)->sctp_socket; 2162 /* 2163 * We do this to keep the sockets side happy durin 2164 * the sonewcon ONLY. 2165 */ 2166 NET_LOCK_GIANT(); 2167 SCTP_TCB_UNLOCK((*stcb)); 2168 so = sonewconn(oso, SS_ISCONNECTED 2169 ); 2170 NET_UNLOCK_GIANT(); 2171 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2172 SCTP_TCB_LOCK((*stcb)); 2173 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2174 if (so == NULL) { 2175 struct mbuf *op_err; 2176 2177 /* Too many sockets */ 2178#ifdef SCTP_DEBUG 2179 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2180 printf("process_cookie_new: no room for another socket!\n"); 2181 } 2182#endif /* SCTP_DEBUG */ 2183 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2184 sctp_abort_association(*inp_p, NULL, m, iphlen, 2185 sh, op_err); 2186 sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2187 return (NULL); 2188 } 2189 inp = (struct sctp_inpcb *)so->so_pcb; 2190 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2191 SCTP_PCB_FLAGS_CONNECTED | 2192 SCTP_PCB_FLAGS_IN_TCPPOOL | 2193 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2194 SCTP_PCB_FLAGS_DONT_WAKE); 2195 inp->sctp_features = (*inp_p)->sctp_features; 2196 inp->sctp_socket = so; 2197 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2198 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2199 inp->sctp_context = (*inp_p)->sctp_context; 2200 inp->inp_starting_point_for_iterator = NULL; 2201 /* 2202 * copy in the authentication parameters from the 2203 * original endpoint 2204 */ 2205 if (inp->sctp_ep.local_hmacs) 2206 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2207 inp->sctp_ep.local_hmacs = 2208 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2209 if (inp->sctp_ep.local_auth_chunks) 2210 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2211 inp->sctp_ep.local_auth_chunks = 2212 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2213 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2214 &inp->sctp_ep.shared_keys); 2215 2216 /* 2217 * Now we must move it from one hash table to 2218 * another and get the tcb in the right place. 2219 */ 2220 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2221 2222 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb); 2223 2224 /* Switch over to the new guy */ 2225 *inp_p = inp; 2226 2227 sctp_ulp_notify(notification, *stcb, 0, NULL); 2228 return (m); 2229 } 2230 } 2231 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2232 sctp_ulp_notify(notification, *stcb, 0, NULL); 2233 } 2234 return (m); 2235} 2236 2237static void 2238sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2239 struct sctp_tcb *stcb, struct sctp_nets *net) 2240{ 2241 /* cp must not be used, others call this without a c-ack :-) */ 2242 struct sctp_association *asoc; 2243 2244#ifdef SCTP_DEBUG 2245 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2246 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2247 } 2248#endif 2249 if (stcb == NULL) 2250 return; 2251 2252 asoc = &stcb->asoc; 2253 2254 sctp_stop_all_cookie_timers(stcb); 2255 /* process according to association state */ 2256 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2257 /* state change only needed when I am in right state */ 2258#ifdef SCTP_DEBUG 2259 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2260 printf("moving to OPEN state\n"); 2261 } 2262#endif 2263 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2264 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2265 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2266 stcb->sctp_ep, stcb, asoc->primary_destination); 2267 2268 } else { 2269 asoc->state = SCTP_STATE_OPEN; 2270 } 2271 /* update RTO */ 2272 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2273 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2274 if (asoc->overall_error_count == 0) { 2275 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2276 &asoc->time_entered); 2277 } 2278 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2279 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2280 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2281 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2282 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2283 soisconnected(stcb->sctp_ep->sctp_socket); 2284 } 2285 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2286 stcb, net); 2287 /* 2288 * since we did not send a HB make sure we don't double 2289 * things 2290 */ 2291 net->hb_responded = 1; 2292 2293 if (stcb->asoc.sctp_autoclose_ticks && 2294 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2295 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2296 stcb->sctp_ep, stcb, NULL); 2297 } 2298 /* 2299 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2300 * addresses changed when init/cookie echo in flight) 2301 */ 2302 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2303 (stcb->asoc.peer_supports_asconf) && 2304 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2305 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2306 stcb->sctp_ep, stcb, 2307 stcb->asoc.primary_destination); 2308 } 2309 } 2310 /* Toss the cookie if I can */ 2311 sctp_toss_old_cookies(stcb, asoc); 2312 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2313 /* Restart the timer if we have pending data */ 2314 struct sctp_tmit_chunk *chk; 2315 2316 chk = TAILQ_FIRST(&asoc->sent_queue); 2317 if (chk) { 2318 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2319 stcb, chk->whoTo); 2320 } 2321 } 2322} 2323 2324static void 2325sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2326 struct sctp_tcb *stcb) 2327{ 2328 struct sctp_nets *net; 2329 struct sctp_tmit_chunk *lchk; 2330 uint32_t tsn; 2331 2332 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2333 return; 2334 } 2335 SCTP_STAT_INCR(sctps_recvecne); 2336 tsn = ntohl(cp->tsn); 2337 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2338 /* Also we make sure we disable the nonce_wait */ 2339 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2340 if (lchk == NULL) { 2341 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2342 } else { 2343 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2344 } 2345 stcb->asoc.nonce_wait_for_ecne = 0; 2346 stcb->asoc.nonce_sum_check = 0; 2347 2348 /* Find where it was sent, if possible */ 2349 net = NULL; 2350 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2351 while (lchk) { 2352 if (lchk->rec.data.TSN_seq == tsn) { 2353 net = lchk->whoTo; 2354 break; 2355 } 2356 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2357 break; 2358 lchk = TAILQ_NEXT(lchk, sctp_next); 2359 } 2360 if (net == NULL) 2361 /* default is we use the primary */ 2362 net = stcb->asoc.primary_destination; 2363 2364 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2365#ifdef SCTP_CWND_MONITOR 2366 int old_cwnd; 2367 2368 old_cwnd = net->cwnd; 2369#endif 2370 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2371 net->ssthresh = net->cwnd / 2; 2372 if (net->ssthresh < net->mtu) { 2373 net->ssthresh = net->mtu; 2374 /* here back off the timer as well, to slow us down */ 2375 net->RTO <<= 2; 2376 } 2377 net->cwnd = net->ssthresh; 2378#ifdef SCTP_CWND_MONITOR 2379 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2380#endif 2381 /* 2382 * we reduce once every RTT. So we will only lower cwnd at 2383 * the next sending seq i.e. the resync_tsn. 2384 */ 2385 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2386 } 2387 /* 2388 * We always send a CWR this way if our previous one was lost our 2389 * peer will get an update, or if it is not time again to reduce we 2390 * still get the cwr to the peer. 2391 */ 2392 sctp_send_cwr(stcb, net, tsn); 2393} 2394 2395static void 2396sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2397{ 2398 /* 2399 * Here we get a CWR from the peer. We must look in the outqueue and 2400 * make sure that we have a covered ECNE in teh control chunk part. 2401 * If so remove it. 2402 */ 2403 struct sctp_tmit_chunk *chk; 2404 struct sctp_ecne_chunk *ecne; 2405 2406 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2407 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2408 continue; 2409 } 2410 /* 2411 * Look for and remove if it is the right TSN. Since there 2412 * is only ONE ECNE on the control queue at any one time we 2413 * don't need to worry about more than one! 2414 */ 2415 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2416 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2417 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2418 /* this covers this ECNE, we can remove it */ 2419 stcb->asoc.ecn_echo_cnt_onq--; 2420 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2421 sctp_next); 2422 if (chk->data) { 2423 sctp_m_freem(chk->data); 2424 chk->data = NULL; 2425 } 2426 stcb->asoc.ctrl_queue_cnt--; 2427 sctp_free_remote_addr(chk->whoTo); 2428 sctp_free_a_chunk(stcb, chk); 2429 break; 2430 } 2431 } 2432} 2433 2434static void 2435sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2436 struct sctp_tcb *stcb, struct sctp_nets *net) 2437{ 2438 struct sctp_association *asoc; 2439 2440#ifdef SCTP_DEBUG 2441 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2442 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2443 } 2444#endif 2445 if (stcb == NULL) 2446 return; 2447 2448 asoc = &stcb->asoc; 2449 /* process according to association state */ 2450 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2451 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2452 SCTP_TCB_UNLOCK(stcb); 2453 return; 2454 } 2455 /* notify upper layer protocol */ 2456 if (stcb->sctp_socket) { 2457 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2458 /* are the queues empty? they should be */ 2459 if (!TAILQ_EMPTY(&asoc->send_queue) || 2460 !TAILQ_EMPTY(&asoc->sent_queue) || 2461 !TAILQ_EMPTY(&asoc->out_wheel)) { 2462 sctp_report_all_outbound(stcb, 0); 2463 } 2464 } 2465 /* stop the timer */ 2466 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_21); 2467 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2468 /* free the TCB */ 2469 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2470 return; 2471} 2472 2473static int 2474process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2475 struct sctp_nets *net, uint8_t flg) 2476{ 2477 switch (desc->chunk_type) { 2478 case SCTP_DATA: 2479 /* find the tsn to resend (possibly */ 2480 { 2481 uint32_t tsn; 2482 struct sctp_tmit_chunk *tp1; 2483 2484 tsn = ntohl(desc->tsn_ifany); 2485 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2486 while (tp1) { 2487 if (tp1->rec.data.TSN_seq == tsn) { 2488 /* found it */ 2489 break; 2490 } 2491 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2492 MAX_TSN)) { 2493 /* not found */ 2494 tp1 = NULL; 2495 break; 2496 } 2497 tp1 = TAILQ_NEXT(tp1, sctp_next); 2498 } 2499 if (tp1 == NULL) { 2500 /* 2501 * Do it the other way , aka without paying 2502 * attention to queue seq order. 2503 */ 2504 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2505 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2506 while (tp1) { 2507 if (tp1->rec.data.TSN_seq == tsn) { 2508 /* found it */ 2509 break; 2510 } 2511 tp1 = TAILQ_NEXT(tp1, sctp_next); 2512 } 2513 } 2514 if (tp1 == NULL) { 2515 SCTP_STAT_INCR(sctps_pdrptsnnf); 2516 } 2517 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2518 uint8_t *ddp; 2519 2520 if ((stcb->asoc.peers_rwnd == 0) && 2521 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2522 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2523 return (0); 2524 } 2525 if (stcb->asoc.peers_rwnd == 0 && 2526 (flg & SCTP_FROM_MIDDLE_BOX)) { 2527 SCTP_STAT_INCR(sctps_pdrpdizrw); 2528 return (0); 2529 } 2530 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2531 sizeof(struct sctp_data_chunk)); 2532 { 2533 unsigned int iii; 2534 2535 for (iii = 0; iii < sizeof(desc->data_bytes); 2536 iii++) { 2537 if (ddp[iii] != desc->data_bytes[iii]) { 2538 SCTP_STAT_INCR(sctps_pdrpbadd); 2539 return (-1); 2540 } 2541 } 2542 } 2543 /* 2544 * We zero out the nonce so resync not 2545 * needed 2546 */ 2547 tp1->rec.data.ect_nonce = 0; 2548 2549 if (tp1->do_rtt) { 2550 /* 2551 * this guy had a RTO calculation 2552 * pending on it, cancel it 2553 */ 2554 tp1->whoTo->rto_pending = 0; 2555 tp1->do_rtt = 0; 2556 } 2557 SCTP_STAT_INCR(sctps_pdrpmark); 2558 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2559 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2560 tp1->sent = SCTP_DATAGRAM_RESEND; 2561 /* 2562 * mark it as if we were doing a FR, since 2563 * we will be getting gap ack reports behind 2564 * the info from the router. 2565 */ 2566 tp1->rec.data.doing_fast_retransmit = 1; 2567 /* 2568 * mark the tsn with what sequences can 2569 * cause a new FR. 2570 */ 2571 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2572 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2573 } else { 2574 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2575 } 2576 2577 /* restart the timer */ 2578 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2579 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2580 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2581 stcb, tp1->whoTo); 2582 2583 /* fix counts and things */ 2584#ifdef SCTP_FLIGHT_LOGGING 2585 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN, 2586 tp1->whoTo->flight_size, 2587 tp1->book_size, 2588 (uintptr_t) stcb, 2589 tp1->rec.data.TSN_seq); 2590#endif 2591 if (tp1->whoTo->flight_size >= tp1->book_size) 2592 tp1->whoTo->flight_size -= tp1->book_size; 2593 else 2594 tp1->whoTo->flight_size = 0; 2595 2596 if (stcb->asoc.total_flight >= tp1->book_size) { 2597 stcb->asoc.total_flight -= tp1->book_size; 2598 if (stcb->asoc.total_flight_count > 0) 2599 stcb->asoc.total_flight_count--; 2600 } else { 2601 stcb->asoc.total_flight = 0; 2602 stcb->asoc.total_flight_count = 0; 2603 } 2604 tp1->snd_count--; 2605 } { 2606 /* audit code */ 2607 unsigned int audit; 2608 2609 audit = 0; 2610 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2611 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2612 audit++; 2613 } 2614 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2615 sctp_next) { 2616 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2617 audit++; 2618 } 2619 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2620 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2621 audit, stcb->asoc.sent_queue_retran_cnt); 2622#ifndef SCTP_AUDITING_ENABLED 2623 stcb->asoc.sent_queue_retran_cnt = audit; 2624#endif 2625 } 2626 } 2627 } 2628 break; 2629 case SCTP_ASCONF: 2630 { 2631 struct sctp_tmit_chunk *asconf; 2632 2633 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2634 sctp_next) { 2635 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2636 break; 2637 } 2638 } 2639 if (asconf) { 2640 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2641 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2642 asconf->sent = SCTP_DATAGRAM_RESEND; 2643 asconf->snd_count--; 2644 } 2645 } 2646 break; 2647 case SCTP_INITIATION: 2648 /* resend the INIT */ 2649 stcb->asoc.dropped_special_cnt++; 2650 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2651 /* 2652 * If we can get it in, in a few attempts we do 2653 * this, otherwise we let the timer fire. 2654 */ 2655 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2656 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 2657 sctp_send_initiate(stcb->sctp_ep, stcb); 2658 } 2659 break; 2660 case SCTP_SELECTIVE_ACK: 2661 /* resend the sack */ 2662 sctp_send_sack(stcb); 2663 break; 2664 case SCTP_HEARTBEAT_REQUEST: 2665 /* resend a demand HB */ 2666 sctp_send_hb(stcb, 1, net); 2667 break; 2668 case SCTP_SHUTDOWN: 2669 sctp_send_shutdown(stcb, net); 2670 break; 2671 case SCTP_SHUTDOWN_ACK: 2672 sctp_send_shutdown_ack(stcb, net); 2673 break; 2674 case SCTP_COOKIE_ECHO: 2675 { 2676 struct sctp_tmit_chunk *cookie; 2677 2678 cookie = NULL; 2679 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2680 sctp_next) { 2681 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2682 break; 2683 } 2684 } 2685 if (cookie) { 2686 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2687 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2688 cookie->sent = SCTP_DATAGRAM_RESEND; 2689 sctp_stop_all_cookie_timers(stcb); 2690 } 2691 } 2692 break; 2693 case SCTP_COOKIE_ACK: 2694 sctp_send_cookie_ack(stcb); 2695 break; 2696 case SCTP_ASCONF_ACK: 2697 /* resend last asconf ack */ 2698 sctp_send_asconf_ack(stcb, 1); 2699 break; 2700 case SCTP_FORWARD_CUM_TSN: 2701 send_forward_tsn(stcb, &stcb->asoc); 2702 break; 2703 /* can't do anything with these */ 2704 case SCTP_PACKET_DROPPED: 2705 case SCTP_INITIATION_ACK: /* this should not happen */ 2706 case SCTP_HEARTBEAT_ACK: 2707 case SCTP_ABORT_ASSOCIATION: 2708 case SCTP_OPERATION_ERROR: 2709 case SCTP_SHUTDOWN_COMPLETE: 2710 case SCTP_ECN_ECHO: 2711 case SCTP_ECN_CWR: 2712 default: 2713 break; 2714 } 2715 return (0); 2716} 2717 2718void 2719sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2720{ 2721 int i; 2722 uint16_t temp; 2723 2724 /* 2725 * We set things to 0xffff since this is the last delivered sequence 2726 * and we will be sending in 0 after the reset. 2727 */ 2728 2729 if (number_entries) { 2730 for (i = 0; i < number_entries; i++) { 2731 temp = ntohs(list[i]); 2732 if (temp >= stcb->asoc.streamincnt) { 2733 continue; 2734 } 2735 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2736 } 2737 } else { 2738 list = NULL; 2739 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2740 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2741 } 2742 } 2743 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2744} 2745 2746static void 2747sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2748{ 2749 int i; 2750 2751 if (number_entries == 0) { 2752 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2753 stcb->asoc.strmout[i].next_sequence_sent = 0; 2754 } 2755 } else if (number_entries) { 2756 for (i = 0; i < number_entries; i++) { 2757 uint16_t temp; 2758 2759 temp = ntohs(list[i]); 2760 if (temp >= stcb->asoc.streamoutcnt) { 2761 /* no such stream */ 2762 continue; 2763 } 2764 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2765 } 2766 } 2767 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2768} 2769 2770 2771struct sctp_stream_reset_out_request * 2772sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2773{ 2774 struct sctp_association *asoc; 2775 struct sctp_stream_reset_out_req *req; 2776 struct sctp_stream_reset_out_request *r; 2777 struct sctp_tmit_chunk *chk; 2778 int len, clen; 2779 2780 asoc = &stcb->asoc; 2781 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2782 return (NULL); 2783 } 2784 if (stcb->asoc.str_reset == NULL) { 2785 return (NULL); 2786 } 2787 chk = stcb->asoc.str_reset; 2788 if (chk->data == NULL) { 2789 return (NULL); 2790 } 2791 if (bchk) { 2792 /* he wants a copy of the chk pointer */ 2793 *bchk = chk; 2794 } 2795 clen = chk->send_size; 2796 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2797 r = &req->sr_req; 2798 if (ntohl(r->request_seq) == seq) { 2799 /* found it */ 2800 return (r); 2801 } 2802 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2803 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2804 /* move to the next one, there can only be a max of two */ 2805 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2806 if (ntohl(r->request_seq) == seq) { 2807 return (r); 2808 } 2809 } 2810 /* that seq is not here */ 2811 return (NULL); 2812} 2813 2814static void 2815sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2816{ 2817 struct sctp_association *asoc; 2818 2819 asoc = &stcb->asoc; 2820 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2821 2822 if (stcb->asoc.str_reset == NULL) { 2823 return; 2824 } 2825 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 2826 TAILQ_REMOVE(&asoc->control_send_queue, 2827 chk, 2828 sctp_next); 2829 if (chk->data) { 2830 sctp_m_freem(chk->data); 2831 chk->data = NULL; 2832 } 2833 asoc->ctrl_queue_cnt--; 2834 sctp_free_remote_addr(chk->whoTo); 2835 2836 sctp_free_a_chunk(stcb, chk); 2837 stcb->asoc.str_reset = NULL; 2838} 2839 2840 2841static int 2842sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2843 uint32_t seq, uint32_t action, 2844 struct sctp_stream_reset_response *respin) 2845{ 2846 uint16_t type; 2847 int lparm_len; 2848 struct sctp_association *asoc = &stcb->asoc; 2849 struct sctp_tmit_chunk *chk; 2850 struct sctp_stream_reset_out_request *srparam; 2851 int number_entries; 2852 2853 if (asoc->stream_reset_outstanding == 0) { 2854 /* duplicate */ 2855 return (0); 2856 } 2857 if (seq == stcb->asoc.str_reset_seq_out) { 2858 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2859 if (srparam) { 2860 stcb->asoc.str_reset_seq_out++; 2861 type = ntohs(srparam->ph.param_type); 2862 lparm_len = ntohs(srparam->ph.param_length); 2863 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2864 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2865 asoc->stream_reset_out_is_outstanding = 0; 2866 if (asoc->stream_reset_outstanding) 2867 asoc->stream_reset_outstanding--; 2868 if (action == SCTP_STREAM_RESET_PERFORMED) { 2869 /* do it */ 2870 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2871 } else { 2872 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2873 } 2874 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2875 /* Answered my request */ 2876 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 2877 if (asoc->stream_reset_outstanding) 2878 asoc->stream_reset_outstanding--; 2879 if (action != SCTP_STREAM_RESET_PERFORMED) { 2880 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2881 } 2882 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2883 /** 2884 * a) Adopt the new in tsn. 2885 * b) reset the map 2886 * c) Adopt the new out-tsn 2887 */ 2888 struct sctp_stream_reset_response_tsn *resp; 2889 struct sctp_forward_tsn_chunk fwdtsn; 2890 int abort_flag = 0; 2891 2892 if (respin == NULL) { 2893 /* huh ? */ 2894 return (0); 2895 } 2896 if (action == SCTP_STREAM_RESET_PERFORMED) { 2897 resp = (struct sctp_stream_reset_response_tsn *)respin; 2898 asoc->stream_reset_outstanding--; 2899 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2900 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2901 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2902 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2903 if (abort_flag) { 2904 return (1); 2905 } 2906 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2907 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2908 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2909 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2910 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2911 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2912 2913 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2914 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2915 2916 } 2917 } 2918 /* get rid of the request and get the request flags */ 2919 if (asoc->stream_reset_outstanding == 0) { 2920 sctp_clean_up_stream_reset(stcb); 2921 } 2922 } 2923 } 2924 return (0); 2925} 2926 2927static void 2928sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2929 struct sctp_tmit_chunk *chk, 2930 struct sctp_stream_reset_in_request *req) 2931{ 2932 uint32_t seq; 2933 int len, i; 2934 int number_entries; 2935 uint16_t temp; 2936 2937 /* 2938 * peer wants me to send a str-reset to him for my outgoing seq's if 2939 * seq_in is right. 2940 */ 2941 struct sctp_association *asoc = &stcb->asoc; 2942 2943 seq = ntohl(req->request_seq); 2944 if (asoc->str_reset_seq_in == seq) { 2945 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2946 len = ntohs(req->ph.param_length); 2947 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2948 for (i = 0; i < number_entries; i++) { 2949 temp = ntohs(req->list_of_streams[i]); 2950 req->list_of_streams[i] = temp; 2951 } 2952 /* move the reset action back one */ 2953 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2954 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2955 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2956 asoc->str_reset_seq_out, 2957 seq, (asoc->sending_seq - 1)); 2958 asoc->stream_reset_out_is_outstanding = 1; 2959 asoc->str_reset = chk; 2960 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2961 stcb->asoc.stream_reset_outstanding++; 2962 } else { 2963 /* Can't do it, since we have sent one out */ 2964 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2965 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 2966 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2967 } 2968 asoc->str_reset_seq_in++; 2969 } else if (asoc->str_reset_seq_in - 1 == seq) { 2970 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2971 } else if (asoc->str_reset_seq_in - 2 == seq) { 2972 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2973 } else { 2974 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2975 } 2976} 2977 2978static int 2979sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 2980 struct sctp_tmit_chunk *chk, 2981 struct sctp_stream_reset_tsn_request *req) 2982{ 2983 /* reset all in and out and update the tsn */ 2984 /* 2985 * A) reset my str-seq's on in and out. B) Select a receive next, 2986 * and set cum-ack to it. Also process this selected number as a 2987 * fwd-tsn as well. C) set in the response my next sending seq. 2988 */ 2989 struct sctp_forward_tsn_chunk fwdtsn; 2990 struct sctp_association *asoc = &stcb->asoc; 2991 int abort_flag = 0; 2992 uint32_t seq; 2993 2994 seq = ntohl(req->request_seq); 2995 if (asoc->str_reset_seq_in == seq) { 2996 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2997 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2998 fwdtsn.ch.chunk_flags = 0; 2999 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3000 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 3001 if (abort_flag) { 3002 return (1); 3003 } 3004 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3005 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3006 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 3007 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3008 atomic_add_int(&stcb->asoc.sending_seq, 1); 3009 /* save off historical data for retrans */ 3010 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 3011 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 3012 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 3013 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 3014 3015 sctp_add_stream_reset_result_tsn(chk, 3016 ntohl(req->request_seq), 3017 SCTP_STREAM_RESET_PERFORMED, 3018 stcb->asoc.sending_seq, 3019 stcb->asoc.mapping_array_base_tsn); 3020 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3021 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3022 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3023 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3024 3025 asoc->str_reset_seq_in++; 3026 } else if (asoc->str_reset_seq_in - 1 == seq) { 3027 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3028 stcb->asoc.last_sending_seq[0], 3029 stcb->asoc.last_base_tsnsent[0] 3030 ); 3031 } else if (asoc->str_reset_seq_in - 2 == seq) { 3032 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3033 stcb->asoc.last_sending_seq[1], 3034 stcb->asoc.last_base_tsnsent[1] 3035 ); 3036 } else { 3037 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3038 } 3039 return (0); 3040} 3041 3042static void 3043sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3044 struct sctp_tmit_chunk *chk, 3045 struct sctp_stream_reset_out_request *req) 3046{ 3047 uint32_t seq, tsn; 3048 int number_entries, len; 3049 struct sctp_association *asoc = &stcb->asoc; 3050 3051 seq = ntohl(req->request_seq); 3052 3053 /* now if its not a duplicate we process it */ 3054 if (asoc->str_reset_seq_in == seq) { 3055 len = ntohs(req->ph.param_length); 3056 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3057 /* 3058 * the sender is resetting, handle the list issue.. we must 3059 * a) verify if we can do the reset, if so no problem b) If 3060 * we can't do the reset we must copy the request. c) queue 3061 * it, and setup the data in processor to trigger it off 3062 * when needed and dequeue all the queued data. 3063 */ 3064 tsn = ntohl(req->send_reset_at_tsn); 3065 3066 /* move the reset action back one */ 3067 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3068 if ((tsn == asoc->cumulative_tsn) || 3069 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3070 /* we can do it now */ 3071 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3072 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3073 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3074 } else { 3075 /* 3076 * we must queue it up and thus wait for the TSN's 3077 * to arrive that are at or before tsn 3078 */ 3079 struct sctp_stream_reset_list *liste; 3080 int siz; 3081 3082 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3083 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3084 siz, "StrRstList"); 3085 if (liste == NULL) { 3086 /* gak out of memory */ 3087 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3088 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3089 return; 3090 } 3091 liste->tsn = tsn; 3092 liste->number_entries = number_entries; 3093 memcpy(&liste->req, req, 3094 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3095 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3096 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3097 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3098 } 3099 asoc->str_reset_seq_in++; 3100 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3101 /* 3102 * one seq back, just echo back last action since my 3103 * response was lost. 3104 */ 3105 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3106 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3107 /* 3108 * two seq back, just echo back last action since my 3109 * response was lost. 3110 */ 3111 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3112 } else { 3113 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3114 } 3115} 3116 3117static int 3118sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 3119{ 3120 int chk_length, param_len, ptype; 3121 uint32_t seq; 3122 int num_req = 0; 3123 struct sctp_tmit_chunk *chk; 3124 struct sctp_chunkhdr *ch; 3125 struct sctp_paramhdr *ph; 3126 3127 /* now it may be a reset or a reset-response */ 3128 chk_length = ntohs(sr_req->ch.chunk_length); 3129 int ret_code = 0; 3130 int num_param = 0; 3131 3132 /* setup for adding the response */ 3133 sctp_alloc_a_chunk(stcb, chk); 3134 if (chk == NULL) { 3135 return (ret_code); 3136 } 3137 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3138 chk->asoc = &stcb->asoc; 3139 chk->no_fr_allowed = 0; 3140 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3141 chk->book_size_scale = 0; 3142 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3143 if (chk->data == NULL) { 3144strres_nochunk: 3145 if (chk->data) { 3146 sctp_m_freem(chk->data); 3147 chk->data = NULL; 3148 } 3149 sctp_free_a_chunk(stcb, chk); 3150 return (ret_code); 3151 } 3152 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3153 3154 /* setup chunk parameters */ 3155 chk->sent = SCTP_DATAGRAM_UNSENT; 3156 chk->snd_count = 0; 3157 chk->whoTo = stcb->asoc.primary_destination; 3158 atomic_add_int(&chk->whoTo->ref_count, 1); 3159 3160 ch = mtod(chk->data, struct sctp_chunkhdr *); 3161 ch->chunk_type = SCTP_STREAM_RESET; 3162 ch->chunk_flags = 0; 3163 ch->chunk_length = htons(chk->send_size); 3164 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3165 3166 3167 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3168 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3169 param_len = ntohs(ph->param_length); 3170 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3171 /* bad param */ 3172 break; 3173 } 3174 ptype = ntohs(ph->param_type); 3175 num_param++; 3176 if (num_param > SCTP_MAX_RESET_PARAMS) { 3177 /* hit the max of parameters already sorry.. */ 3178 break; 3179 } 3180 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3181 struct sctp_stream_reset_out_request *req_out; 3182 3183 req_out = (struct sctp_stream_reset_out_request *)ph; 3184 num_req++; 3185 if (stcb->asoc.stream_reset_outstanding) { 3186 seq = ntohl(req_out->response_seq); 3187 if (seq == stcb->asoc.str_reset_seq_out) { 3188 /* implicit ack */ 3189 sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3190 } 3191 } 3192 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3193 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3194 struct sctp_stream_reset_in_request *req_in; 3195 3196 num_req++; 3197 req_in = (struct sctp_stream_reset_in_request *)ph; 3198 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3199 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3200 struct sctp_stream_reset_tsn_request *req_tsn; 3201 3202 num_req++; 3203 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3204 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3205 ret_code = 1; 3206 goto strres_nochunk; 3207 } 3208 /* no more */ 3209 break; 3210 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3211 struct sctp_stream_reset_response *resp; 3212 uint32_t result; 3213 3214 resp = (struct sctp_stream_reset_response *)ph; 3215 seq = ntohl(resp->response_seq); 3216 result = ntohl(resp->result); 3217 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3218 ret_code = 1; 3219 goto strres_nochunk; 3220 } 3221 } else { 3222 break; 3223 } 3224 3225 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3226 chk_length -= SCTP_SIZE32(param_len); 3227 } 3228 if (num_req == 0) { 3229 /* we have no response free the stuff */ 3230 goto strres_nochunk; 3231 } 3232 /* ok we have a chunk to link in */ 3233 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3234 chk, 3235 sctp_next); 3236 stcb->asoc.ctrl_queue_cnt++; 3237 return (ret_code); 3238} 3239 3240/* 3241 * Handle a router or endpoints report of a packet loss, there are two ways 3242 * to handle this, either we get the whole packet and must disect it 3243 * ourselves (possibly with truncation and or corruption) or it is a summary 3244 * from a middle box that did the disectting for us. 3245 */ 3246static void 3247sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3248 struct sctp_tcb *stcb, struct sctp_nets *net) 3249{ 3250 uint32_t bottle_bw, on_queue; 3251 uint16_t trunc_len; 3252 unsigned int chlen; 3253 unsigned int at; 3254 struct sctp_chunk_desc desc; 3255 struct sctp_chunkhdr *ch; 3256 3257 chlen = ntohs(cp->ch.chunk_length); 3258 chlen -= sizeof(struct sctp_pktdrop_chunk); 3259 /* XXX possible chlen underflow */ 3260 if (chlen == 0) { 3261 ch = NULL; 3262 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3263 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3264 } else { 3265 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3266 chlen -= sizeof(struct sctphdr); 3267 /* XXX possible chlen underflow */ 3268 memset(&desc, 0, sizeof(desc)); 3269 } 3270 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3271 /* now the chunks themselves */ 3272 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3273 desc.chunk_type = ch->chunk_type; 3274 /* get amount we need to move */ 3275 at = ntohs(ch->chunk_length); 3276 if (at < sizeof(struct sctp_chunkhdr)) { 3277 /* corrupt chunk, maybe at the end? */ 3278 SCTP_STAT_INCR(sctps_pdrpcrupt); 3279 break; 3280 } 3281 if (trunc_len == 0) { 3282 /* we are supposed to have all of it */ 3283 if (at > chlen) { 3284 /* corrupt skip it */ 3285 SCTP_STAT_INCR(sctps_pdrpcrupt); 3286 break; 3287 } 3288 } else { 3289 /* is there enough of it left ? */ 3290 if (desc.chunk_type == SCTP_DATA) { 3291 if (chlen < (sizeof(struct sctp_data_chunk) + 3292 sizeof(desc.data_bytes))) { 3293 break; 3294 } 3295 } else { 3296 if (chlen < sizeof(struct sctp_chunkhdr)) { 3297 break; 3298 } 3299 } 3300 } 3301 if (desc.chunk_type == SCTP_DATA) { 3302 /* can we get out the tsn? */ 3303 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3304 SCTP_STAT_INCR(sctps_pdrpmbda); 3305 3306 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3307 /* yep */ 3308 struct sctp_data_chunk *dcp; 3309 uint8_t *ddp; 3310 unsigned int iii; 3311 3312 dcp = (struct sctp_data_chunk *)ch; 3313 ddp = (uint8_t *) (dcp + 1); 3314 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3315 desc.data_bytes[iii] = ddp[iii]; 3316 } 3317 desc.tsn_ifany = dcp->dp.tsn; 3318 } else { 3319 /* nope we are done. */ 3320 SCTP_STAT_INCR(sctps_pdrpnedat); 3321 break; 3322 } 3323 } else { 3324 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3325 SCTP_STAT_INCR(sctps_pdrpmbct); 3326 } 3327 3328 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3329 SCTP_STAT_INCR(sctps_pdrppdbrk); 3330 break; 3331 } 3332 if (SCTP_SIZE32(at) > chlen) { 3333 break; 3334 } 3335 chlen -= SCTP_SIZE32(at); 3336 if (chlen < sizeof(struct sctp_chunkhdr)) { 3337 /* done, none left */ 3338 break; 3339 } 3340 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3341 } 3342 /* Now update any rwnd --- possibly */ 3343 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3344 /* From a peer, we get a rwnd report */ 3345 uint32_t a_rwnd; 3346 3347 SCTP_STAT_INCR(sctps_pdrpfehos); 3348 3349 bottle_bw = ntohl(cp->bottle_bw); 3350 on_queue = ntohl(cp->current_onq); 3351 if (bottle_bw && on_queue) { 3352 /* a rwnd report is in here */ 3353 if (bottle_bw > on_queue) 3354 a_rwnd = bottle_bw - on_queue; 3355 else 3356 a_rwnd = 0; 3357 3358 if (a_rwnd == 0) 3359 stcb->asoc.peers_rwnd = 0; 3360 else { 3361 if (a_rwnd > stcb->asoc.total_flight) { 3362 stcb->asoc.peers_rwnd = 3363 a_rwnd - stcb->asoc.total_flight; 3364 } else { 3365 stcb->asoc.peers_rwnd = 0; 3366 } 3367 if (stcb->asoc.peers_rwnd < 3368 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3369 /* SWS sender side engages */ 3370 stcb->asoc.peers_rwnd = 0; 3371 } 3372 } 3373 } 3374 } else { 3375 SCTP_STAT_INCR(sctps_pdrpfmbox); 3376 } 3377 3378 /* now middle boxes in sat networks get a cwnd bump */ 3379 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3380 (stcb->asoc.sat_t3_loss_recovery == 0) && 3381 (stcb->asoc.sat_network)) { 3382 /* 3383 * This is debateable but for sat networks it makes sense 3384 * Note if a T3 timer has went off, we will prohibit any 3385 * changes to cwnd until we exit the t3 loss recovery. 3386 */ 3387 uint32_t bw_avail; 3388 int rtt, incr; 3389 3390#ifdef SCTP_CWND_MONITOR 3391 int old_cwnd = net->cwnd; 3392 3393#endif 3394 /* need real RTT for this calc */ 3395 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3396 /* get bottle neck bw */ 3397 bottle_bw = ntohl(cp->bottle_bw); 3398 /* and whats on queue */ 3399 on_queue = ntohl(cp->current_onq); 3400 /* 3401 * adjust the on-queue if our flight is more it could be 3402 * that the router has not yet gotten data "in-flight" to it 3403 */ 3404 if (on_queue < net->flight_size) 3405 on_queue = net->flight_size; 3406 3407 /* calculate the available space */ 3408 bw_avail = (bottle_bw * rtt) / 1000; 3409 if (bw_avail > bottle_bw) { 3410 /* 3411 * Cap the growth to no more than the bottle neck. 3412 * This can happen as RTT slides up due to queues. 3413 * It also means if you have more than a 1 second 3414 * RTT with a empty queue you will be limited to the 3415 * bottle_bw per second no matter if other points 3416 * have 1/2 the RTT and you could get more out... 3417 */ 3418 bw_avail = bottle_bw; 3419 } 3420 if (on_queue > bw_avail) { 3421 /* 3422 * No room for anything else don't allow anything 3423 * else to be "added to the fire". 3424 */ 3425 int seg_inflight, seg_onqueue, my_portion; 3426 3427 net->partial_bytes_acked = 0; 3428 3429 /* how much are we over queue size? */ 3430 incr = on_queue - bw_avail; 3431 if (stcb->asoc.seen_a_sack_this_pkt) { 3432 /* 3433 * undo any cwnd adjustment that the sack 3434 * might have made 3435 */ 3436 net->cwnd = net->prev_cwnd; 3437 } 3438 /* Now how much of that is mine? */ 3439 seg_inflight = net->flight_size / net->mtu; 3440 seg_onqueue = on_queue / net->mtu; 3441 my_portion = (incr * seg_inflight) / seg_onqueue; 3442 3443 /* Have I made an adjustment already */ 3444 if (net->cwnd > net->flight_size) { 3445 /* 3446 * for this flight I made an adjustment we 3447 * need to decrease the portion by a share 3448 * our previous adjustment. 3449 */ 3450 int diff_adj; 3451 3452 diff_adj = net->cwnd - net->flight_size; 3453 if (diff_adj > my_portion) 3454 my_portion = 0; 3455 else 3456 my_portion -= diff_adj; 3457 } 3458 /* 3459 * back down to the previous cwnd (assume we have 3460 * had a sack before this packet). minus what ever 3461 * portion of the overage is my fault. 3462 */ 3463 net->cwnd -= my_portion; 3464 3465 /* we will NOT back down more than 1 MTU */ 3466 if (net->cwnd <= net->mtu) { 3467 net->cwnd = net->mtu; 3468 } 3469 /* force into CA */ 3470 net->ssthresh = net->cwnd - 1; 3471 } else { 3472 /* 3473 * Take 1/4 of the space left or max burst up .. 3474 * whichever is less. 3475 */ 3476 incr = min((bw_avail - on_queue) >> 2, 3477 (int)stcb->asoc.max_burst * (int)net->mtu); 3478 net->cwnd += incr; 3479 } 3480 if (net->cwnd > bw_avail) { 3481 /* We can't exceed the pipe size */ 3482 net->cwnd = bw_avail; 3483 } 3484 if (net->cwnd < net->mtu) { 3485 /* We always have 1 MTU */ 3486 net->cwnd = net->mtu; 3487 } 3488#ifdef SCTP_CWND_MONITOR 3489 if (net->cwnd - old_cwnd != 0) { 3490 /* log only changes */ 3491 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3492 SCTP_CWND_LOG_FROM_SAT); 3493 } 3494#endif 3495 } 3496} 3497 3498extern int sctp_strict_init; 3499extern int sctp_abort_if_one_2_one_hits_limit; 3500 3501/* 3502 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3503 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3504 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3505 * length of the complete packet outputs: - length: modified to remaining 3506 * length after control processing - netp: modified to new sctp_nets after 3507 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3508 * bad packet,...) otherwise return the tcb for this packet 3509 */ 3510static struct sctp_tcb * 3511sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3512 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3513 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3514{ 3515 struct sctp_association *asoc; 3516 uint32_t vtag_in; 3517 int num_chunks = 0; /* number of control chunks processed */ 3518 int chk_length; 3519 int ret; 3520 3521 /* 3522 * How big should this be, and should it be alloc'd? Lets try the 3523 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3524 * until we get into jumbo grams and such.. 3525 */ 3526 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 3527 struct sctp_tcb *locked_tcb = stcb; 3528 int got_auth = 0; 3529 uint32_t auth_offset = 0, auth_len = 0; 3530 int auth_skipped = 0; 3531 3532#ifdef SCTP_DEBUG 3533 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3534 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3535 iphlen, *offset, length, stcb); 3536 } 3537#endif /* SCTP_DEBUG */ 3538 3539 /* validate chunk header length... */ 3540 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3541 return (NULL); 3542 } 3543 /* 3544 * validate the verification tag 3545 */ 3546 vtag_in = ntohl(sh->v_tag); 3547 3548 if (locked_tcb) { 3549 SCTP_TCB_LOCK_ASSERT(locked_tcb); 3550 } 3551 if (ch->chunk_type == SCTP_INITIATION) { 3552 if (vtag_in != 0) { 3553 /* protocol error- silently discard... */ 3554 SCTP_STAT_INCR(sctps_badvtag); 3555 if (locked_tcb) 3556 SCTP_TCB_UNLOCK(locked_tcb); 3557 return (NULL); 3558 } 3559 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3560 /* 3561 * If there is no stcb, skip the AUTH chunk and process 3562 * later after a stcb is found (to validate the lookup was 3563 * valid. 3564 */ 3565 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3566 (stcb == NULL) && !sctp_auth_disable) { 3567 /* save this chunk for later processing */ 3568 auth_skipped = 1; 3569 auth_offset = *offset; 3570 auth_len = ntohs(ch->chunk_length); 3571 3572 /* (temporarily) move past this chunk */ 3573 *offset += SCTP_SIZE32(auth_len); 3574 if (*offset >= length) { 3575 /* no more data left in the mbuf chain */ 3576 *offset = length; 3577 return (NULL); 3578 } 3579 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3580 sizeof(struct sctp_chunkhdr), chunk_buf); 3581 } 3582 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3583 goto process_control_chunks; 3584 } 3585 /* 3586 * first check if it's an ASCONF with an unknown src addr we 3587 * need to look inside to find the association 3588 */ 3589 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3590 /* inp's refcount may be reduced */ 3591 SCTP_INP_INCR_REF(inp); 3592 3593 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3594 *offset, sh, &inp, netp); 3595 if (stcb == NULL) { 3596 /* 3597 * reduce inp's refcount if not reduced in 3598 * sctp_findassociation_ep_asconf(). 3599 */ 3600 SCTP_INP_DECR_REF(inp); 3601 } 3602 /* now go back and verify any auth chunk to be sure */ 3603 if (auth_skipped && (stcb != NULL)) { 3604 struct sctp_auth_chunk *auth; 3605 3606 auth = (struct sctp_auth_chunk *) 3607 sctp_m_getptr(m, auth_offset, 3608 auth_len, chunk_buf); 3609 got_auth = 1; 3610 auth_skipped = 0; 3611 if (sctp_handle_auth(stcb, auth, m, 3612 auth_offset)) { 3613 /* auth HMAC failed so dump it */ 3614 *offset = length; 3615 return (NULL); 3616 } else { 3617 /* remaining chunks are HMAC checked */ 3618 stcb->asoc.authenticated = 1; 3619 } 3620 } 3621 } 3622 if (stcb == NULL) { 3623 /* no association, so it's out of the blue... */ 3624 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3625 *offset = length; 3626 if (locked_tcb) 3627 SCTP_TCB_UNLOCK(locked_tcb); 3628 return (NULL); 3629 } 3630 asoc = &stcb->asoc; 3631 /* ABORT and SHUTDOWN can use either v_tag... */ 3632 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3633 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3634 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3635 if ((vtag_in == asoc->my_vtag) || 3636 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3637 (vtag_in == asoc->peer_vtag))) { 3638 /* this is valid */ 3639 } else { 3640 /* drop this packet... */ 3641 SCTP_STAT_INCR(sctps_badvtag); 3642 if (locked_tcb) 3643 SCTP_TCB_UNLOCK(locked_tcb); 3644 return (NULL); 3645 } 3646 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3647 if (vtag_in != asoc->my_vtag) { 3648 /* 3649 * this could be a stale SHUTDOWN-ACK or the 3650 * peer never got the SHUTDOWN-COMPLETE and 3651 * is still hung; we have started a new asoc 3652 * but it won't complete until the shutdown 3653 * is completed 3654 */ 3655 if (locked_tcb) 3656 SCTP_TCB_UNLOCK(locked_tcb); 3657 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3658 NULL); 3659 return (NULL); 3660 } 3661 } else { 3662 /* for all other chunks, vtag must match */ 3663 if (vtag_in != asoc->my_vtag) { 3664 /* invalid vtag... */ 3665#ifdef SCTP_DEBUG 3666 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3667 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3668 } 3669#endif /* SCTP_DEBUG */ 3670 SCTP_STAT_INCR(sctps_badvtag); 3671 if (locked_tcb) 3672 SCTP_TCB_UNLOCK(locked_tcb); 3673 *offset = length; 3674 return (NULL); 3675 } 3676 } 3677 } /* end if !SCTP_COOKIE_ECHO */ 3678 /* 3679 * process all control chunks... 3680 */ 3681 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3682 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3683 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3684 /* implied cookie-ack.. we must have lost the ack */ 3685 stcb->asoc.overall_error_count = 0; 3686 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3687 *netp); 3688 } 3689process_control_chunks: 3690 3691 while (IS_SCTP_CONTROL(ch)) { 3692 /* validate chunk length */ 3693 chk_length = ntohs(ch->chunk_length); 3694#ifdef SCTP_DEBUG 3695 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3696 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", 3697 ch->chunk_type, chk_length); 3698 } 3699#endif /* SCTP_DEBUG */ 3700 if ((size_t)chk_length < sizeof(*ch) || 3701 (*offset + chk_length) > length) { 3702 *offset = length; 3703 if (locked_tcb) 3704 SCTP_TCB_UNLOCK(locked_tcb); 3705 return (NULL); 3706 } 3707 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3708 /* 3709 * INIT-ACK only gets the init ack "header" portion only 3710 * because we don't have to process the peer's COOKIE. All 3711 * others get a complete chunk. 3712 */ 3713 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3714 /* get an init-ack chunk */ 3715 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3716 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3717 if (ch == NULL) { 3718 *offset = length; 3719 if (locked_tcb) 3720 SCTP_TCB_UNLOCK(locked_tcb); 3721 return (NULL); 3722 } 3723 } else { 3724 /* get a complete chunk... */ 3725 if ((size_t)chk_length > sizeof(chunk_buf)) { 3726 struct mbuf *oper; 3727 struct sctp_paramhdr *phdr; 3728 3729 oper = NULL; 3730 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3731 0, M_DONTWAIT, 1, MT_DATA); 3732 if (oper) { 3733 /* pre-reserve some space */ 3734 SCTP_BUF_RESV_UF(oper, sizeof(struct sctp_chunkhdr)); 3735 SCTP_BUF_LEN(oper) = sizeof(struct sctp_paramhdr); 3736 phdr = mtod(oper, struct sctp_paramhdr *); 3737 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); 3738 phdr->param_length = htons(sizeof(struct sctp_paramhdr)); 3739 sctp_queue_op_err(stcb, oper); 3740 } 3741 if (locked_tcb) 3742 SCTP_TCB_UNLOCK(locked_tcb); 3743 return (NULL); 3744 } 3745 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3746 chk_length, chunk_buf); 3747 if (ch == NULL) { 3748 printf("sctp_process_control: Can't get the all data....\n"); 3749 *offset = length; 3750 if (locked_tcb) 3751 SCTP_TCB_UNLOCK(locked_tcb); 3752 return (NULL); 3753 } 3754 } 3755 num_chunks++; 3756 /* Save off the last place we got a control from */ 3757 if (stcb != NULL) { 3758 if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) { 3759 /* 3760 * allow last_control to be NULL if 3761 * ASCONF... ASCONF processing will find the 3762 * right net later 3763 */ 3764 stcb->asoc.last_control_chunk_from = *netp; 3765 } 3766 } 3767#ifdef SCTP_AUDITING_ENABLED 3768 sctp_audit_log(0xB0, ch->chunk_type); 3769#endif 3770 3771 /* check to see if this chunk required auth, but isn't */ 3772 if ((stcb != NULL) && !sctp_auth_disable && 3773 sctp_auth_is_required_chunk(ch->chunk_type, 3774 stcb->asoc.local_auth_chunks) && 3775 !stcb->asoc.authenticated) { 3776 /* "silently" ignore */ 3777 SCTP_STAT_INCR(sctps_recvauthmissing); 3778 goto next_chunk; 3779 } 3780 switch (ch->chunk_type) { 3781 case SCTP_INITIATION: 3782 /* must be first and only chunk */ 3783#ifdef SCTP_DEBUG 3784 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3785 printf("SCTP_INIT\n"); 3786 } 3787#endif /* SCTP_DEBUG */ 3788 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3789 /* We are not interested anymore? */ 3790 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3791 /* 3792 * collision case where we are 3793 * sending to them too 3794 */ 3795 ; 3796 } else { 3797 if (locked_tcb) 3798 SCTP_TCB_UNLOCK(locked_tcb); 3799 *offset = length; 3800 return (NULL); 3801 } 3802 } 3803 if ((num_chunks > 1) || 3804 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3805 *offset = length; 3806 if (locked_tcb) 3807 SCTP_TCB_UNLOCK(locked_tcb); 3808 return (NULL); 3809 } 3810 if ((stcb != NULL) && 3811 (SCTP_GET_STATE(&stcb->asoc) == 3812 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3813 sctp_send_shutdown_ack(stcb, 3814 stcb->asoc.primary_destination); 3815 *offset = length; 3816 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3817 if (locked_tcb) 3818 SCTP_TCB_UNLOCK(locked_tcb); 3819 return (NULL); 3820 } 3821 sctp_handle_init(m, iphlen, *offset, sh, 3822 (struct sctp_init_chunk *)ch, inp, stcb, *netp); 3823 *offset = length; 3824 if (locked_tcb) 3825 SCTP_TCB_UNLOCK(locked_tcb); 3826 return (NULL); 3827 break; 3828 case SCTP_INITIATION_ACK: 3829 /* must be first and only chunk */ 3830#ifdef SCTP_DEBUG 3831 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3832 printf("SCTP_INIT-ACK\n"); 3833 } 3834#endif /* SCTP_DEBUG */ 3835 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3836 /* We are not interested anymore */ 3837 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3838 ; 3839 } else { 3840 if (locked_tcb) 3841 SCTP_TCB_UNLOCK(locked_tcb); 3842 *offset = length; 3843 if (stcb) { 3844 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3845 } 3846 return (NULL); 3847 } 3848 } 3849 if ((num_chunks > 1) || 3850 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3851 *offset = length; 3852 if (locked_tcb) 3853 SCTP_TCB_UNLOCK(locked_tcb); 3854 return (NULL); 3855 } 3856 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3857 (struct sctp_init_ack_chunk *)ch, stcb, *netp); 3858 /* 3859 * Special case, I must call the output routine to 3860 * get the cookie echoed 3861 */ 3862 if ((stcb) && ret == 0) 3863 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3864 *offset = length; 3865 if (locked_tcb) 3866 SCTP_TCB_UNLOCK(locked_tcb); 3867 return (NULL); 3868 break; 3869 case SCTP_SELECTIVE_ACK: 3870#ifdef SCTP_DEBUG 3871 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3872 printf("SCTP_SACK\n"); 3873 } 3874#endif /* SCTP_DEBUG */ 3875 SCTP_STAT_INCR(sctps_recvsacks); 3876 { 3877 struct sctp_sack_chunk *sack; 3878 int abort_now = 0; 3879 uint32_t a_rwnd, cum_ack; 3880 uint16_t num_seg; 3881 int nonce_sum_flag; 3882 3883 sack = (struct sctp_sack_chunk *)ch; 3884 3885 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3886 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3887 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3888 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3889 stcb->asoc.seen_a_sack_this_pkt = 1; 3890 if ((stcb->asoc.pr_sctp_cnt == 0) && 3891 (num_seg == 0) && 3892 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3893 (cum_ack == stcb->asoc.last_acked_seq)) && 3894 (stcb->asoc.saw_sack_with_frags == 0) && 3895 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3896 ) { 3897 /* 3898 * We have a SIMPLE sack having no 3899 * prior segments and data on sent 3900 * queue to be acked.. Use the 3901 * faster path sack processing. We 3902 * also allow window update sacks 3903 * with no missing segments to go 3904 * this way too. 3905 */ 3906 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, &abort_now); 3907 } else { 3908 sctp_handle_sack(sack, stcb, *netp, &abort_now); 3909 } 3910 if (abort_now) { 3911 /* ABORT signal from sack processing */ 3912 *offset = length; 3913 return (NULL); 3914 } 3915 } 3916 break; 3917 case SCTP_HEARTBEAT_REQUEST: 3918#ifdef SCTP_DEBUG 3919 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3920 printf("SCTP_HEARTBEAT\n"); 3921 } 3922#endif /* SCTP_DEBUG */ 3923 SCTP_STAT_INCR(sctps_recvheartbeat); 3924 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3925 *netp); 3926 3927 /* He's alive so give him credit */ 3928 stcb->asoc.overall_error_count = 0; 3929 break; 3930 case SCTP_HEARTBEAT_ACK: 3931#ifdef SCTP_DEBUG 3932 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3933 printf("SCTP_HEARTBEAT-ACK\n"); 3934 } 3935#endif /* SCTP_DEBUG */ 3936 3937 /* He's alive so give him credit */ 3938 stcb->asoc.overall_error_count = 0; 3939 SCTP_STAT_INCR(sctps_recvheartbeatack); 3940 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3941 stcb, *netp); 3942 break; 3943 case SCTP_ABORT_ASSOCIATION: 3944#ifdef SCTP_DEBUG 3945 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3946 printf("SCTP_ABORT\n"); 3947 } 3948#endif /* SCTP_DEBUG */ 3949 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3950 stcb, *netp); 3951 *offset = length; 3952 return (NULL); 3953 break; 3954 case SCTP_SHUTDOWN: 3955#ifdef SCTP_DEBUG 3956 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3957 printf("SCTP_SHUTDOWN\n"); 3958 } 3959#endif /* SCTP_DEBUG */ 3960 { 3961 int abort_flag = 0; 3962 3963 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3964 stcb, *netp, &abort_flag); 3965 if (abort_flag) { 3966 *offset = length; 3967 return (NULL); 3968 } 3969 } 3970 break; 3971 case SCTP_SHUTDOWN_ACK: 3972#ifdef SCTP_DEBUG 3973 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3974 printf("SCTP_SHUTDOWN-ACK\n"); 3975 } 3976#endif /* SCTP_DEBUG */ 3977 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3978 *offset = length; 3979 return (NULL); 3980 break; 3981 case SCTP_OPERATION_ERROR: 3982#ifdef SCTP_DEBUG 3983 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3984 printf("SCTP_OP-ERR\n"); 3985 } 3986#endif /* SCTP_DEBUG */ 3987 if (sctp_handle_error(ch, stcb, *netp) < 0) { 3988 *offset = length; 3989 return (NULL); 3990 } 3991 break; 3992 case SCTP_COOKIE_ECHO: 3993#ifdef SCTP_DEBUG 3994 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3995 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3996 } 3997#endif /* SCTP_DEBUG */ 3998 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3999 ; 4000 } else { 4001 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) && 4002 (stcb == NULL)) { 4003 /* We are not interested anymore */ 4004 *offset = length; 4005 return (NULL); 4006 } 4007 } 4008 /* 4009 * First are we accepting? We do this again here 4010 * since it is possible that a previous endpoint WAS 4011 * listening responded to a INIT-ACK and then 4012 * closed. We opened and bound.. and are now no 4013 * longer listening. 4014 */ 4015 if (inp->sctp_socket->so_qlimit == 0) { 4016 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 4017 /* 4018 * special case, is this a retran'd 4019 * COOKIE-ECHO or a restarting assoc 4020 * that is a peeled off or 4021 * one-to-one style socket. 4022 */ 4023 goto process_cookie_anyway; 4024 } 4025 sctp_abort_association(inp, stcb, m, iphlen, sh, 4026 NULL); 4027 *offset = length; 4028 return (NULL); 4029 } else if (inp->sctp_socket->so_qlimit) { 4030 /* we are accepting so check limits like TCP */ 4031 if (inp->sctp_socket->so_qlen > 4032 inp->sctp_socket->so_qlimit) { 4033 /* no space */ 4034 struct mbuf *oper; 4035 struct sctp_paramhdr *phdr; 4036 4037 if (sctp_abort_if_one_2_one_hits_limit) { 4038 oper = NULL; 4039 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4040 0, M_DONTWAIT, 1, MT_DATA); 4041 if (oper) { 4042 SCTP_BUF_LEN(oper) = 4043 sizeof(struct sctp_paramhdr); 4044 phdr = mtod(oper, 4045 struct sctp_paramhdr *); 4046 phdr->param_type = 4047 htons(SCTP_CAUSE_OUT_OF_RESC); 4048 phdr->param_length = 4049 htons(sizeof(struct sctp_paramhdr)); 4050 } 4051 sctp_abort_association(inp, stcb, m, 4052 iphlen, sh, oper); 4053 } 4054 *offset = length; 4055 return (NULL); 4056 } 4057 } 4058 process_cookie_anyway: 4059 { 4060 struct mbuf *ret_buf; 4061 struct sctp_inpcb *linp; 4062 4063 if (stcb) 4064 linp = NULL; 4065 else 4066 linp = inp; 4067 4068 if (linp) 4069 SCTP_ASOC_CREATE_LOCK(linp); 4070 ret_buf = 4071 sctp_handle_cookie_echo(m, iphlen, 4072 *offset, sh, 4073 (struct sctp_cookie_echo_chunk *)ch, 4074 &inp, &stcb, netp, 4075 auth_skipped, 4076 auth_offset, 4077 auth_len, 4078 &locked_tcb); 4079 if (linp) 4080 SCTP_ASOC_CREATE_UNLOCK(linp); 4081 if (ret_buf == NULL) { 4082 if (locked_tcb) { 4083 SCTP_TCB_UNLOCK(locked_tcb); 4084 } 4085#ifdef SCTP_DEBUG 4086 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4087 printf("GAK, null buffer\n"); 4088 } 4089#endif /* SCTP_DEBUG */ 4090 auth_skipped = 0; 4091 *offset = length; 4092 return (NULL); 4093 } 4094 /* if AUTH skipped, see if it verified... */ 4095 if (auth_skipped) { 4096 got_auth = 1; 4097 auth_skipped = 0; 4098 } 4099 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4100 /* 4101 * Restart the timer if we have 4102 * pending data 4103 */ 4104 struct sctp_tmit_chunk *chk; 4105 4106 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4107 if (chk) { 4108 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4109 stcb->sctp_ep, stcb, 4110 chk->whoTo); 4111 } 4112 } 4113 } 4114 break; 4115 case SCTP_COOKIE_ACK: 4116#ifdef SCTP_DEBUG 4117 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4118 printf("SCTP_COOKIE-ACK\n"); 4119 } 4120#endif /* SCTP_DEBUG */ 4121 4122 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4123 /* We are not interested anymore */ 4124 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4125 ; 4126 } else { 4127 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4128 *offset = length; 4129 return (NULL); 4130 } 4131 } 4132 /* He's alive so give him credit */ 4133 stcb->asoc.overall_error_count = 0; 4134 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4135 break; 4136 case SCTP_ECN_ECHO: 4137#ifdef SCTP_DEBUG 4138 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4139 printf("SCTP_ECN-ECHO\n"); 4140 } 4141#endif /* SCTP_DEBUG */ 4142 /* He's alive so give him credit */ 4143 stcb->asoc.overall_error_count = 0; 4144 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4145 stcb); 4146 break; 4147 case SCTP_ECN_CWR: 4148#ifdef SCTP_DEBUG 4149 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4150 printf("SCTP_ECN-CWR\n"); 4151 } 4152#endif /* SCTP_DEBUG */ 4153 /* He's alive so give him credit */ 4154 stcb->asoc.overall_error_count = 0; 4155 4156 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4157 break; 4158 case SCTP_SHUTDOWN_COMPLETE: 4159#ifdef SCTP_DEBUG 4160 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4161 printf("SCTP_SHUTDOWN-COMPLETE\n"); 4162 } 4163#endif /* SCTP_DEBUG */ 4164 /* must be first and only chunk */ 4165 if ((num_chunks > 1) || 4166 (length - *offset > SCTP_SIZE32(chk_length))) { 4167 *offset = length; 4168 if (locked_tcb) 4169 SCTP_TCB_UNLOCK(locked_tcb); 4170 4171 return (NULL); 4172 } 4173 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4174 stcb, *netp); 4175 *offset = length; 4176 return (NULL); 4177 break; 4178 case SCTP_ASCONF: 4179#ifdef SCTP_DEBUG 4180 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4181 printf("SCTP_ASCONF\n"); 4182 } 4183#endif /* SCTP_DEBUG */ 4184 /* He's alive so give him credit */ 4185 stcb->asoc.overall_error_count = 0; 4186 4187 sctp_handle_asconf(m, *offset, 4188 (struct sctp_asconf_chunk *)ch, stcb); 4189 break; 4190 case SCTP_ASCONF_ACK: 4191#ifdef SCTP_DEBUG 4192 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4193 printf("SCTP_ASCONF-ACK\n"); 4194 } 4195#endif /* SCTP_DEBUG */ 4196 /* He's alive so give him credit */ 4197 stcb->asoc.overall_error_count = 0; 4198 4199 sctp_handle_asconf_ack(m, *offset, 4200 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4201 break; 4202 case SCTP_FORWARD_CUM_TSN: 4203#ifdef SCTP_DEBUG 4204 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4205 printf("SCTP_FWD-TSN\n"); 4206 } 4207#endif /* SCTP_DEBUG */ 4208 /* He's alive so give him credit */ 4209 { 4210 int abort_flag = 0; 4211 4212 stcb->asoc.overall_error_count = 0; 4213 *fwd_tsn_seen = 1; 4214 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4215 /* We are not interested anymore */ 4216 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28); 4217 *offset = length; 4218 return (NULL); 4219 } 4220 sctp_handle_forward_tsn(stcb, 4221 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4222 if (abort_flag) { 4223 *offset = length; 4224 return (NULL); 4225 } else { 4226 stcb->asoc.overall_error_count = 0; 4227 } 4228 4229 } 4230 break; 4231 case SCTP_STREAM_RESET: 4232#ifdef SCTP_DEBUG 4233 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4234 printf("SCTP_STREAM_RESET\n"); 4235 } 4236#endif /* SCTP_DEBUG */ 4237 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4238 chk_length, chunk_buf); 4239 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4240 /* We are not interested anymore */ 4241 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4242 *offset = length; 4243 return (NULL); 4244 } 4245 if (stcb->asoc.peer_supports_strreset == 0) { 4246 /* 4247 * hmm, peer should have announced this, but 4248 * we will turn it on since he is sending us 4249 * a stream reset. 4250 */ 4251 stcb->asoc.peer_supports_strreset = 1; 4252 } 4253 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4254 /* stop processing */ 4255 *offset = length; 4256 return (NULL); 4257 } 4258 break; 4259 case SCTP_PACKET_DROPPED: 4260#ifdef SCTP_DEBUG 4261 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4262 printf("SCTP_PACKET_DROPPED\n"); 4263 } 4264#endif /* SCTP_DEBUG */ 4265 /* re-get it all please */ 4266 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4267 chk_length, chunk_buf); 4268 4269 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4270 stcb, *netp); 4271 4272 break; 4273 4274 case SCTP_AUTHENTICATION: 4275#ifdef SCTP_DEBUG 4276 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4277 printf("SCTP_AUTHENTICATION\n"); 4278 } 4279#endif /* SCTP_DEBUG */ 4280 if (sctp_auth_disable) 4281 goto unknown_chunk; 4282 4283 if (stcb == NULL) { 4284 /* save the first AUTH for later processing */ 4285 if (auth_skipped == 0) { 4286 auth_offset = *offset; 4287 auth_len = chk_length; 4288 auth_skipped = 1; 4289 } 4290 /* skip this chunk (temporarily) */ 4291 goto next_chunk; 4292 } 4293 if (got_auth == 1) { 4294 /* skip this chunk... it's already auth'd */ 4295 goto next_chunk; 4296 } 4297 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4298 chk_length, chunk_buf); 4299 got_auth = 1; 4300 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4301 m, *offset)) { 4302 /* auth HMAC failed so dump the packet */ 4303 *offset = length; 4304 return (stcb); 4305 } else { 4306 /* remaining chunks are HMAC checked */ 4307 stcb->asoc.authenticated = 1; 4308 } 4309 break; 4310 4311 default: 4312 unknown_chunk: 4313 /* it's an unknown chunk! */ 4314 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4315 struct mbuf *mm; 4316 struct sctp_paramhdr *phd; 4317 4318 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4319 0, M_DONTWAIT, 1, MT_DATA); 4320 if (mm) { 4321 phd = mtod(mm, struct sctp_paramhdr *); 4322 /* 4323 * We cheat and use param type since 4324 * we did not bother to define a 4325 * error cause struct. They are the 4326 * same basic format with different 4327 * names. 4328 */ 4329 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4330 phd->param_length = htons(chk_length + sizeof(*phd)); 4331 SCTP_BUF_LEN(mm) = sizeof(*phd); 4332 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 4333 M_DONTWAIT); 4334 if (SCTP_BUF_NEXT(mm)) { 4335 sctp_queue_op_err(stcb, mm); 4336 } else { 4337 sctp_m_freem(mm); 4338 } 4339 } 4340 } 4341 if ((ch->chunk_type & 0x80) == 0) { 4342 /* discard this packet */ 4343 *offset = length; 4344 return (stcb); 4345 } /* else skip this bad chunk and continue... */ 4346 break; 4347 } /* switch (ch->chunk_type) */ 4348 4349 4350next_chunk: 4351 /* get the next chunk */ 4352 *offset += SCTP_SIZE32(chk_length); 4353 if (*offset >= length) { 4354 /* no more data left in the mbuf chain */ 4355 break; 4356 } 4357 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4358 sizeof(struct sctp_chunkhdr), chunk_buf); 4359 if (ch == NULL) { 4360 if (locked_tcb) 4361 SCTP_TCB_UNLOCK(locked_tcb); 4362 *offset = length; 4363 return (NULL); 4364 } 4365 } /* while */ 4366 return (stcb); 4367} 4368 4369 4370/* 4371 * Process the ECN bits we have something set so we must look to see if it is 4372 * ECN(0) or ECN(1) or CE 4373 */ 4374static __inline void 4375sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4376 uint8_t ecn_bits) 4377{ 4378 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4379 ; 4380 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4381 /* 4382 * we only add to the nonce sum for ECT1, ECT0 does not 4383 * change the NS bit (that we have yet to find a way to send 4384 * it yet). 4385 */ 4386 4387 /* ECN Nonce stuff */ 4388 stcb->asoc.receiver_nonce_sum++; 4389 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4390 4391 /* 4392 * Drag up the last_echo point if cumack is larger since we 4393 * don't want the point falling way behind by more than 4394 * 2^^31 and then having it be incorrect. 4395 */ 4396 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4397 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4398 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4399 } 4400 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4401 /* 4402 * Drag up the last_echo point if cumack is larger since we 4403 * don't want the point falling way behind by more than 4404 * 2^^31 and then having it be incorrect. 4405 */ 4406 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4407 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4408 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4409 } 4410 } 4411} 4412 4413static __inline void 4414sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4415 uint32_t high_tsn, uint8_t ecn_bits) 4416{ 4417 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4418 /* 4419 * we possibly must notify the sender that a congestion 4420 * window reduction is in order. We do this by adding a ECNE 4421 * chunk to the output chunk queue. The incoming CWR will 4422 * remove this chunk. 4423 */ 4424 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4425 MAX_TSN)) { 4426 /* Yep, we need to add a ECNE */ 4427 sctp_send_ecn_echo(stcb, net, high_tsn); 4428 stcb->asoc.last_echo_tsn = high_tsn; 4429 } 4430 } 4431} 4432 4433/* 4434 * common input chunk processing (v4 and v6) 4435 */ 4436int 4437sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4438 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4439 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4440 uint8_t ecn_bits) 4441{ 4442 /* 4443 * Control chunk processing 4444 */ 4445 uint32_t high_tsn; 4446 int fwd_tsn_seen = 0, data_processed = 0; 4447 struct mbuf *m = *mm; 4448 int abort_flag = 0; 4449 int un_sent; 4450 4451 SCTP_STAT_INCR(sctps_recvdatagrams); 4452#ifdef SCTP_AUDITING_ENABLED 4453 sctp_audit_log(0xE0, 1); 4454 sctp_auditing(0, inp, stcb, net); 4455#endif 4456 4457#ifdef SCTP_DEBUG 4458 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4459 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 4460 m, iphlen, offset); 4461 } 4462#endif /* SCTP_DEBUG */ 4463 4464 if (stcb) { 4465 /* always clear this before beginning a packet */ 4466 stcb->asoc.authenticated = 0; 4467 stcb->asoc.seen_a_sack_this_pkt = 0; 4468 } 4469 if (IS_SCTP_CONTROL(ch)) { 4470 /* process the control portion of the SCTP packet */ 4471 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4472 inp, stcb, &net, &fwd_tsn_seen); 4473 if (stcb) { 4474 /* 4475 * This covers us if the cookie-echo was there and 4476 * it changes our INP. 4477 */ 4478 inp = stcb->sctp_ep; 4479 } 4480 } else { 4481 /* 4482 * no control chunks, so pre-process DATA chunks (these 4483 * checks are taken care of by control processing) 4484 */ 4485 4486 /* 4487 * if DATA only packet, and auth is required, then punt... 4488 * can't have authenticated without any AUTH (control) 4489 * chunks 4490 */ 4491 if ((stcb != NULL) && !sctp_auth_disable && 4492 sctp_auth_is_required_chunk(SCTP_DATA, 4493 stcb->asoc.local_auth_chunks)) { 4494 /* "silently" ignore */ 4495 SCTP_STAT_INCR(sctps_recvauthmissing); 4496 SCTP_TCB_UNLOCK(stcb); 4497 return (1); 4498 } 4499 if (stcb == NULL) { 4500 /* out of the blue DATA chunk */ 4501 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4502 return (1); 4503 } 4504 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4505 /* v_tag mismatch! */ 4506 SCTP_STAT_INCR(sctps_badvtag); 4507 SCTP_TCB_UNLOCK(stcb); 4508 return (1); 4509 } 4510 } 4511 4512 if (stcb == NULL) { 4513 /* 4514 * no valid TCB for this packet, or we found it's a bad 4515 * packet while processing control, or we're done with this 4516 * packet (done or skip rest of data), so we drop it... 4517 */ 4518 return (1); 4519 } 4520 /* 4521 * DATA chunk processing 4522 */ 4523 /* plow through the data chunks while length > offset */ 4524 4525 /* 4526 * Rest should be DATA only. Check authentication state if AUTH for 4527 * DATA is required. 4528 */ 4529 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable && 4530 sctp_auth_is_required_chunk(SCTP_DATA, 4531 stcb->asoc.local_auth_chunks) && 4532 !stcb->asoc.authenticated) { 4533 /* "silently" ignore */ 4534 SCTP_STAT_INCR(sctps_recvauthmissing); 4535#ifdef SCTP_DEBUG 4536 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 4537 printf("Data chunk requires AUTH, skipped\n"); 4538#endif 4539 goto trigger_send; 4540 } 4541 if (length > offset) { 4542 int retval; 4543 4544 /* 4545 * First check to make sure our state is correct. We would 4546 * not get here unless we really did have a tag, so we don't 4547 * abort if this happens, just dump the chunk silently. 4548 */ 4549 switch (SCTP_GET_STATE(&stcb->asoc)) { 4550 case SCTP_STATE_COOKIE_ECHOED: 4551 /* 4552 * we consider data with valid tags in this state 4553 * shows us the cookie-ack was lost. Imply it was 4554 * there. 4555 */ 4556 stcb->asoc.overall_error_count = 0; 4557 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4558 break; 4559 case SCTP_STATE_COOKIE_WAIT: 4560 /* 4561 * We consider OOTB any data sent during asoc setup. 4562 */ 4563 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4564 SCTP_TCB_UNLOCK(stcb); 4565 return (1); 4566 break; 4567 case SCTP_STATE_EMPTY: /* should not happen */ 4568 case SCTP_STATE_INUSE: /* should not happen */ 4569 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4570 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4571 default: 4572 SCTP_TCB_UNLOCK(stcb); 4573 return (1); 4574 break; 4575 case SCTP_STATE_OPEN: 4576 case SCTP_STATE_SHUTDOWN_SENT: 4577 break; 4578 } 4579 /* take care of ECN, part 1. */ 4580 if (stcb->asoc.ecn_allowed && 4581 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4582 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4583 } 4584 /* plow through the data chunks while length > offset */ 4585 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4586 inp, stcb, net, &high_tsn); 4587 if (retval == 2) { 4588 /* 4589 * The association aborted, NO UNLOCK needed since 4590 * the association is destroyed. 4591 */ 4592 return (0); 4593 } 4594 data_processed = 1; 4595 if (retval == 0) { 4596 /* take care of ecn part 2. */ 4597 if (stcb->asoc.ecn_allowed && 4598 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4599 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4600 ecn_bits); 4601 } 4602 } 4603 /* 4604 * Anything important needs to have been m_copy'ed in 4605 * process_data 4606 */ 4607 } 4608 if ((data_processed == 0) && (fwd_tsn_seen)) { 4609 int was_a_gap = 0; 4610 4611 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4612 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4613 /* there was a gap before this data was processed */ 4614 was_a_gap = 1; 4615 } 4616 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4617 if (abort_flag) { 4618 /* Again, we aborted so NO UNLOCK needed */ 4619 return (0); 4620 } 4621 } 4622 /* trigger send of any chunks in queue... */ 4623trigger_send: 4624#ifdef SCTP_AUDITING_ENABLED 4625 sctp_audit_log(0xE0, 2); 4626 sctp_auditing(1, inp, stcb, net); 4627#endif 4628#ifdef SCTP_DEBUG 4629 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4630 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4631 stcb->asoc.peers_rwnd, 4632 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4633 stcb->asoc.total_flight); 4634 } 4635#endif 4636 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4637 4638 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4639 ((un_sent) && 4640 (stcb->asoc.peers_rwnd > 0 || 4641 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4642#ifdef SCTP_DEBUG 4643 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4644 printf("Calling chunk OUTPUT\n"); 4645 } 4646#endif 4647 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4648#ifdef SCTP_DEBUG 4649 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4650 printf("chunk OUTPUT returns\n"); 4651 } 4652#endif 4653 } 4654#ifdef SCTP_AUDITING_ENABLED 4655 sctp_audit_log(0xE0, 3); 4656 sctp_auditing(2, inp, stcb, net); 4657#endif 4658 SCTP_TCB_UNLOCK(stcb); 4659 return (0); 4660} 4661 4662extern int sctp_no_csum_on_loopback; 4663 4664 4665int sctp_buf_index = 0; 4666uint8_t sctp_list_of_chunks[30000]; 4667 4668 4669void 4670sctp_input(i_pak, off) 4671 struct mbuf *i_pak; 4672 int off; 4673 4674{ 4675#ifdef SCTP_MBUF_LOGGING 4676 struct mbuf *mat; 4677 4678#endif 4679 struct mbuf *m; 4680 int iphlen; 4681 int s; 4682 uint8_t ecn_bits; 4683 struct ip *ip; 4684 struct sctphdr *sh; 4685 struct sctp_inpcb *inp = NULL; 4686 4687 uint32_t check, calc_check; 4688 struct sctp_nets *net; 4689 struct sctp_tcb *stcb = NULL; 4690 struct sctp_chunkhdr *ch; 4691 int refcount_up = 0; 4692 int length, mlen, offset; 4693 4694 4695 iphlen = off; 4696 m = SCTP_HEADER_TO_CHAIN(i_pak); 4697 net = NULL; 4698 SCTP_STAT_INCR(sctps_recvpackets); 4699 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4700 4701 /* 4702 * Strip IP options, we don't allow any in or out. 4703 */ 4704#ifdef SCTP_MBUF_LOGGING 4705 /* Log in any input mbufs */ 4706 mat = m; 4707 while (mat) { 4708 if (SCTP_BUF_IS_EXTENDED(mat)) { 4709 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4710 } 4711 mat = SCTP_BUF_NEXT(mat); 4712 } 4713#endif 4714 if ((size_t)iphlen > sizeof(struct ip)) { 4715 ip_stripoptions(m, (struct mbuf *)0); 4716 iphlen = sizeof(struct ip); 4717 } 4718 /* 4719 * Get IP, SCTP, and first chunk header together in first mbuf. 4720 */ 4721 ip = mtod(m, struct ip *); 4722 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4723 if (SCTP_BUF_LEN(m) < offset) { 4724 if ((m = m_pullup(m, offset)) == 0) { 4725 SCTP_STAT_INCR(sctps_hdrops); 4726 return; 4727 } 4728 ip = mtod(m, struct ip *); 4729 } 4730 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4731 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4732 4733 /* SCTP does not allow broadcasts or multicasts */ 4734 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4735 goto bad; 4736 } 4737 if (((ch->chunk_type == SCTP_INITIATION) || 4738 (ch->chunk_type == SCTP_INITIATION_ACK) || 4739 (ch->chunk_type == SCTP_COOKIE_ECHO)) && 4740 (SCTP_IS_IT_BROADCAST(ip->ip_dst, i_pak))) { 4741 /* 4742 * We only look at broadcast if its a front state, All 4743 * others we will not have a tcb for anyway. 4744 */ 4745 goto bad; 4746 } 4747 /* destination port of 0 is illegal, based on RFC2960. */ 4748 if (sh->dest_port == 0) { 4749 SCTP_STAT_INCR(sctps_hdrops); 4750 goto bad; 4751 } 4752 /* validate SCTP checksum */ 4753 if ((sctp_no_csum_on_loopback == 0) || !SCTP_IS_IT_LOOPBACK(i_pak)) { 4754 /* 4755 * we do NOT validate things from the loopback if the sysctl 4756 * is set to 1. 4757 */ 4758 check = sh->checksum; /* save incoming checksum */ 4759 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4760 /* 4761 * special hook for where we got a local address 4762 * somehow routed across a non IFT_LOOP type 4763 * interface 4764 */ 4765 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4766 goto sctp_skip_csum_4; 4767 } 4768 sh->checksum = 0; /* prepare for calc */ 4769 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4770 if (calc_check != check) { 4771#ifdef SCTP_DEBUG 4772 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4773 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4774 calc_check, check, m, mlen, iphlen); 4775 } 4776#endif 4777 4778 stcb = sctp_findassociation_addr(m, iphlen, 4779 offset - sizeof(*ch), 4780 sh, ch, &inp, &net); 4781 if ((inp) && (stcb)) { 4782 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4783 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4784 } else if ((inp != NULL) && (stcb == NULL)) { 4785 refcount_up = 1; 4786 } 4787 SCTP_STAT_INCR(sctps_badsum); 4788 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4789 goto bad; 4790 } 4791 sh->checksum = calc_check; 4792 } else { 4793sctp_skip_csum_4: 4794 mlen = SCTP_HEADER_LEN(i_pak); 4795 } 4796 /* validate mbuf chain length with IP payload length */ 4797 if (mlen < (ip->ip_len - iphlen)) { 4798 SCTP_STAT_INCR(sctps_hdrops); 4799 goto bad; 4800 } { 4801 /* TEMP log the first chunk */ 4802 int x; 4803 4804 x = atomic_fetchadd_int(&sctp_buf_index, 1); 4805 if (x >= 30000) { 4806 sctp_buf_index = 1; 4807 x = 0;; 4808 } 4809 sctp_list_of_chunks[x] = ch->chunk_type; 4810 } 4811 /* 4812 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4813 * IP/SCTP/first chunk header... 4814 */ 4815 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4816 sh, ch, &inp, &net); 4817 /* inp's ref-count increased && stcb locked */ 4818 if (inp == NULL) { 4819 struct sctp_init_chunk *init_chk, chunk_buf; 4820 4821 SCTP_STAT_INCR(sctps_noport); 4822#ifdef ICMP_BANDLIM 4823 /* 4824 * we use the bandwidth limiting to protect against sending 4825 * too many ABORTS all at once. In this case these count the 4826 * same as an ICMP message. 4827 */ 4828 if (badport_bandlim(0) < 0) 4829 goto bad; 4830#endif /* ICMP_BANDLIM */ 4831#ifdef SCTP_DEBUG 4832 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4833 printf("Sending a ABORT from packet entry!\n"); 4834 } 4835#endif 4836 if (ch->chunk_type == SCTP_INITIATION) { 4837 /* 4838 * we do a trick here to get the INIT tag, dig in 4839 * and get the tag from the INIT and put it in the 4840 * common header. 4841 */ 4842 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4843 iphlen + sizeof(*sh), sizeof(*init_chk), 4844 (uint8_t *) & chunk_buf); 4845 if (init_chk != NULL) 4846 sh->v_tag = init_chk->init.initiate_tag; 4847 } 4848 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4849 sctp_send_shutdown_complete2(m, iphlen, sh); 4850 goto bad; 4851 } 4852 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 4853 goto bad; 4854 } 4855 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 4856 sctp_send_abort(m, iphlen, sh, 0, NULL); 4857 goto bad; 4858 } else if (stcb == NULL) { 4859 refcount_up = 1; 4860 } 4861#ifdef IPSEC 4862 /* 4863 * I very much doubt any of the IPSEC stuff will work but I have no 4864 * idea, so I will leave it in place. 4865 */ 4866 4867 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 4868 ipsecstat.in_polvio++; 4869 SCTP_STAT_INCR(sctps_hdrops); 4870 goto bad; 4871 } 4872#endif /* IPSEC */ 4873 4874 4875 4876 /* 4877 * common chunk processing 4878 */ 4879 length = ip->ip_len + iphlen; 4880 offset -= sizeof(struct sctp_chunkhdr); 4881 4882 ecn_bits = ip->ip_tos; 4883 s = splnet(); 4884 4885 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4886 inp, stcb, net, ecn_bits); 4887 /* inp's ref-count reduced && stcb unlocked */ 4888 splx(s); 4889 if (m) { 4890 sctp_m_freem(m); 4891 } 4892 if ((inp) && (refcount_up)) { 4893 /* reduce ref-count */ 4894 SCTP_INP_WLOCK(inp); 4895 SCTP_INP_DECR_REF(inp); 4896 SCTP_INP_WUNLOCK(inp); 4897 } 4898 return; 4899bad: 4900 if (stcb) 4901 SCTP_TCB_UNLOCK(stcb); 4902 4903 if ((inp) && (refcount_up)) { 4904 /* reduce ref-count */ 4905 SCTP_INP_WLOCK(inp); 4906 SCTP_INP_DECR_REF(inp); 4907 SCTP_INP_WUNLOCK(inp); 4908 } 4909 if (m) { 4910 sctp_m_freem(m); 4911 } 4912 return; 4913} 4914