sctp_input.c revision 169208
1843SN/A/*- 2843SN/A * Copyright (c) 2001-2007, Cisco Systems, Inc. All rights reserved. 3843SN/A * 4843SN/A * Redistribution and use in source and binary forms, with or without 5843SN/A * modification, are permitted provided that the following conditions are met: 6843SN/A * 7843SN/A * a) Redistributions of source code must retain the above copyright notice, 8843SN/A * this list of conditions and the following disclaimer. 9843SN/A * 10843SN/A * b) Redistributions in binary form must reproduce the above copyright 11843SN/A * notice, this list of conditions and the following disclaimer in 12843SN/A * the documentation and/or other materials provided with the distribution. 13843SN/A * 14843SN/A * c) Neither the name of Cisco Systems, Inc. nor the names of its 15843SN/A * contributors may be used to endorse or promote products derived 16843SN/A * from this software without specific prior written permission. 17843SN/A * 18843SN/A * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19843SN/A * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20843SN/A * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21843SN/A * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22843SN/A * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23843SN/A * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24843SN/A * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25843SN/A * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26843SN/A * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27843SN/A * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28843SN/A * THE POSSIBILITY OF SUCH DAMAGE. 29843SN/A */ 30843SN/A 31843SN/A/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32843SN/A 33843SN/A#include <sys/cdefs.h> 34843SN/A__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 169208 2007-05-02 12:50:13Z rrs $"); 35843SN/A 36843SN/A#include <netinet/sctp_os.h> 37843SN/A#include <netinet/sctp_var.h> 38843SN/A#include <netinet/sctp_sysctl.h> 39843SN/A#include <netinet/sctp_pcb.h> 40843SN/A#include <netinet/sctp_header.h> 41843SN/A#include <netinet/sctputil.h> 42843SN/A#include <netinet/sctp_output.h> 43843SN/A#include <netinet/sctp_input.h> 44843SN/A#include <netinet/sctp_auth.h> 45843SN/A#include <netinet/sctp_indata.h> 46843SN/A#include <netinet/sctp_asconf.h> 47843SN/A 48843SN/A 49 50 51static void 52sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 53{ 54 struct sctp_nets *net; 55 56 /* 57 * This now not only stops all cookie timers it also stops any INIT 58 * timers as well. This will make sure that the timers are stopped 59 * in all collision cases. 60 */ 61 SCTP_TCB_LOCK_ASSERT(stcb); 62 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 63 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 64 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 65 stcb->sctp_ep, 66 stcb, 67 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 68 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 69 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 70 stcb->sctp_ep, 71 stcb, 72 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 73 } 74 } 75} 76 77/* INIT handler */ 78static void 79sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 80 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 81 struct sctp_nets *net, int *abort_no_unlock) 82{ 83 struct sctp_init *init; 84 struct mbuf *op_err; 85 uint32_t init_limit; 86 87#ifdef SCTP_DEBUG 88 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 89 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 90 } 91#endif 92 op_err = NULL; 93 init = &cp->init; 94 /* First are we accepting? */ 95 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 96#ifdef SCTP_DEBUG 97 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 98 printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit); 99 } 100#endif 101 /* 102 * FIX ME ?? What about TCP model and we have a 103 * match/restart case? 104 */ 105 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 106 if (stcb) 107 *abort_no_unlock = 1; 108 return; 109 } 110 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 111 /* Invalid length */ 112 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 113 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 114 if (stcb) 115 *abort_no_unlock = 1; 116 return; 117 } 118 /* validate parameters */ 119 if (init->initiate_tag == 0) { 120 /* protocol error... send abort */ 121 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 122 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 123 if (stcb) 124 *abort_no_unlock = 1; 125 return; 126 } 127 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 128 /* invalid parameter... send abort */ 129 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 130 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 131 return; 132 } 133 if (init->num_inbound_streams == 0) { 134 /* protocol error... send abort */ 135 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 136 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 137 if (stcb) 138 *abort_no_unlock = 1; 139 return; 140 } 141 if (init->num_outbound_streams == 0) { 142 /* protocol error... send abort */ 143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 145 if (stcb) 146 *abort_no_unlock = 1; 147 return; 148 } 149 init_limit = offset + ntohs(cp->ch.chunk_length); 150 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 151 init_limit)) { 152 /* auth parameter(s) error... send abort */ 153 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL); 154 if (stcb) 155 *abort_no_unlock = 1; 156 return; 157 } 158 /* send an INIT-ACK w/cookie */ 159#ifdef SCTP_DEBUG 160 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 161 printf("sctp_handle_init: sending INIT-ACK\n"); 162 } 163#endif 164 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 165} 166 167/* 168 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 169 */ 170static int 171sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 172 struct sctp_nets *net) 173{ 174 struct sctp_init *init; 175 struct sctp_association *asoc; 176 struct sctp_nets *lnet; 177 unsigned int i; 178 179 init = &cp->init; 180 asoc = &stcb->asoc; 181 /* save off parameters */ 182 asoc->peer_vtag = ntohl(init->initiate_tag); 183 asoc->peers_rwnd = ntohl(init->a_rwnd); 184 if (TAILQ_FIRST(&asoc->nets)) { 185 /* update any ssthresh's that may have a default */ 186 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 187 lnet->ssthresh = asoc->peers_rwnd; 188 189#if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 190 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 191#endif 192 193 } 194 } 195 SCTP_TCB_SEND_LOCK(stcb); 196 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 197 unsigned int newcnt; 198 struct sctp_stream_out *outs; 199 struct sctp_stream_queue_pending *sp; 200 201 /* cut back on number of streams */ 202 newcnt = ntohs(init->num_inbound_streams); 203 /* This if is probably not needed but I am cautious */ 204 if (asoc->strmout) { 205 /* First make sure no data chunks are trapped */ 206 for (i = newcnt; i < asoc->pre_open_streams; i++) { 207 outs = &asoc->strmout[i]; 208 sp = TAILQ_FIRST(&outs->outqueue); 209 while (sp) { 210 TAILQ_REMOVE(&outs->outqueue, sp, 211 next); 212 asoc->stream_queue_cnt--; 213 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 214 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 215 sp); 216 if (sp->data) { 217 sctp_m_freem(sp->data); 218 sp->data = NULL; 219 } 220 sctp_free_remote_addr(sp->net); 221 sp->net = NULL; 222 /* Free the chunk */ 223 printf("sp:%p tcb:%p weird free case\n", 224 sp, stcb); 225 226 sctp_free_a_strmoq(stcb, sp); 227 sp = TAILQ_FIRST(&outs->outqueue); 228 } 229 } 230 } 231 /* cut back the count and abandon the upper streams */ 232 asoc->pre_open_streams = newcnt; 233 } 234 SCTP_TCB_SEND_UNLOCK(stcb); 235 asoc->streamoutcnt = asoc->pre_open_streams; 236 /* init tsn's */ 237 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 238#ifdef SCTP_MAP_LOGGING 239 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 240#endif 241 /* This is the next one we expect */ 242 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 243 244 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 245 asoc->cumulative_tsn = asoc->asconf_seq_in; 246 asoc->last_echo_tsn = asoc->asconf_seq_in; 247 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 248 /* open the requested streams */ 249 if (asoc->strmin != NULL) { 250 /* Free the old ones */ 251 struct sctp_queued_to_read *ctl; 252 253 for (i = 0; i < asoc->streamincnt; i++) { 254 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 255 while (ctl) { 256 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 257 sctp_free_remote_addr(ctl->whoFrom); 258 sctp_m_freem(ctl->data); 259 ctl->data = NULL; 260 sctp_free_a_readq(stcb, ctl); 261 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 262 } 263 } 264 SCTP_FREE(asoc->strmin); 265 } 266 asoc->streamincnt = ntohs(init->num_outbound_streams); 267 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 268 asoc->streamincnt = MAX_SCTP_STREAMS; 269 } 270 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 271 sizeof(struct sctp_stream_in), "StreamsIn"); 272 if (asoc->strmin == NULL) { 273 /* we didn't get memory for the streams! */ 274#ifdef SCTP_DEBUG 275 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 276 printf("process_init: couldn't get memory for the streams!\n"); 277 } 278#endif 279 return (-1); 280 } 281 for (i = 0; i < asoc->streamincnt; i++) { 282 asoc->strmin[i].stream_no = i; 283 asoc->strmin[i].last_sequence_delivered = 0xffff; 284 /* 285 * U-stream ranges will be set when the cookie is unpacked. 286 * Or for the INIT sender they are un set (if pr-sctp not 287 * supported) when the INIT-ACK arrives. 288 */ 289 TAILQ_INIT(&asoc->strmin[i].inqueue); 290 asoc->strmin[i].delivery_started = 0; 291 } 292 /* 293 * load_address_from_init will put the addresses into the 294 * association when the COOKIE is processed or the INIT-ACK is 295 * processed. Both types of COOKIE's existing and new call this 296 * routine. It will remove addresses that are no longer in the 297 * association (for the restarting case where addresses are 298 * removed). Up front when the INIT arrives we will discard it if it 299 * is a restart and new addresses have been added. 300 */ 301 return (0); 302} 303 304/* 305 * INIT-ACK message processing/consumption returns value < 0 on error 306 */ 307static int 308sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 309 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 310 struct sctp_nets *net, int *abort_no_unlock) 311{ 312 struct sctp_association *asoc; 313 struct mbuf *op_err; 314 int retval, abort_flag; 315 uint32_t initack_limit; 316 317 /* First verify that we have no illegal param's */ 318 abort_flag = 0; 319 op_err = NULL; 320 321 op_err = sctp_arethere_unrecognized_parameters(m, 322 (offset + sizeof(struct sctp_init_chunk)), 323 &abort_flag, (struct sctp_chunkhdr *)cp); 324 if (abort_flag) { 325 /* Send an abort and notify peer */ 326 if (op_err != NULL) { 327 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 328 } else { 329 /* 330 * Just notify (abort_assoc does this if we send an 331 * abort). 332 */ 333 sctp_abort_notification(stcb, 0); 334 /* 335 * No sense in further INIT's since we will get the 336 * same param back 337 */ 338 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3); 339 *abort_no_unlock = 1; 340 } 341 return (-1); 342 } 343 asoc = &stcb->asoc; 344 /* process the peer's parameters in the INIT-ACK */ 345 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 346 if (retval < 0) { 347 return (retval); 348 } 349 initack_limit = offset + ntohs(cp->ch.chunk_length); 350 /* load all addresses */ 351 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 352 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 353 NULL))) { 354 /* Huh, we should abort */ 355#ifdef SCTP_DEBUG 356 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 357 printf("Load addresses from INIT causes an abort %d\n", retval); 358 } 359#endif 360 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 361 NULL); 362 *abort_no_unlock = 1; 363 return (-1); 364 } 365 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 366 stcb->asoc.local_hmacs); 367 if (op_err) { 368 sctp_queue_op_err(stcb, op_err); 369 /* queuing will steal away the mbuf chain to the out queue */ 370 op_err = NULL; 371 } 372 /* extract the cookie and queue it to "echo" it back... */ 373 stcb->asoc.overall_error_count = 0; 374 net->error_count = 0; 375 376 /* 377 * Cancel the INIT timer, We do this first before queueing the 378 * cookie. We always cancel at the primary to assue that we are 379 * canceling the timer started by the INIT which always goes to the 380 * primary. 381 */ 382 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 383 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 384 385 /* calculate the RTO */ 386 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 387 388 retval = sctp_send_cookie_echo(m, offset, stcb, net); 389 if (retval < 0) { 390 /* 391 * No cookie, we probably should send a op error. But in any 392 * case if there is no cookie in the INIT-ACK, we can 393 * abandon the peer, its broke. 394 */ 395 if (retval == -3) { 396 /* We abort with an error of missing mandatory param */ 397 struct mbuf *op_err; 398 399 op_err = 400 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 401 if (op_err) { 402 /* 403 * Expand beyond to include the mandatory 404 * param cookie 405 */ 406 struct sctp_inv_mandatory_param *mp; 407 408 SCTP_BUF_LEN(op_err) = 409 sizeof(struct sctp_inv_mandatory_param); 410 mp = mtod(op_err, 411 struct sctp_inv_mandatory_param *); 412 /* Subtract the reserved param */ 413 mp->length = 414 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 415 mp->num_param = htonl(1); 416 mp->param = htons(SCTP_STATE_COOKIE); 417 mp->resv = 0; 418 } 419 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 420 sh, op_err); 421 *abort_no_unlock = 1; 422 } 423 return (retval); 424 } 425 return (0); 426} 427 428static void 429sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 430 struct sctp_tcb *stcb, struct sctp_nets *net) 431{ 432 struct sockaddr_storage store; 433 struct sockaddr_in *sin; 434 struct sockaddr_in6 *sin6; 435 struct sctp_nets *r_net; 436 struct timeval tv; 437 438 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 439 /* Invalid length */ 440 return; 441 } 442 sin = (struct sockaddr_in *)&store; 443 sin6 = (struct sockaddr_in6 *)&store; 444 445 memset(&store, 0, sizeof(store)); 446 if (cp->heartbeat.hb_info.addr_family == AF_INET && 447 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 448 sin->sin_family = cp->heartbeat.hb_info.addr_family; 449 sin->sin_len = cp->heartbeat.hb_info.addr_len; 450 sin->sin_port = stcb->rport; 451 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 452 sizeof(sin->sin_addr)); 453 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 454 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 455 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 456 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 457 sin6->sin6_port = stcb->rport; 458 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 459 sizeof(sin6->sin6_addr)); 460 } else { 461 return; 462 } 463 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 464 if (r_net == NULL) { 465#ifdef SCTP_DEBUG 466 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 467 printf("Huh? I can't find the address I sent it to, discard\n"); 468 } 469#endif 470 return; 471 } 472 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 473 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 474 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 475 /* 476 * If the its a HB and it's random value is correct when can 477 * confirm the destination. 478 */ 479 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 480 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 481 stcb->asoc.primary_destination = r_net; 482 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY; 483 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 484 r_net = TAILQ_FIRST(&stcb->asoc.nets); 485 if (r_net != stcb->asoc.primary_destination) { 486 /* 487 * first one on the list is NOT the primary 488 * sctp_cmpaddr() is much more efficent if 489 * the primary is the first on the list, 490 * make it so. 491 */ 492 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 493 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 494 } 495 } 496 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 497 stcb, 0, (void *)r_net); 498 } 499 r_net->error_count = 0; 500 r_net->hb_responded = 1; 501 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 502 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 503 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 504 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 505 r_net->dest_state |= SCTP_ADDR_REACHABLE; 506 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 507 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 508 /* now was it the primary? if so restore */ 509 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 510 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 511 } 512 } 513 /* Now lets do a RTO with this */ 514 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 515} 516 517static void 518sctp_handle_abort(struct sctp_abort_chunk *cp, 519 struct sctp_tcb *stcb, struct sctp_nets *net) 520{ 521 522#ifdef SCTP_DEBUG 523 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 524 printf("sctp_handle_abort: handling ABORT\n"); 525 } 526#endif 527 if (stcb == NULL) 528 return; 529 /* verify that the destination addr is in the association */ 530 /* ignore abort for addresses being deleted */ 531 532 /* stop any receive timers */ 533 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 534 /* notify user of the abort and clean up... */ 535 sctp_abort_notification(stcb, 0); 536 /* free the tcb */ 537 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 538 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 539 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 540 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 541 } 542#ifdef SCTP_ASOCLOG_OF_TSNS 543 sctp_print_out_track_log(stcb); 544#endif 545 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 546#ifdef SCTP_DEBUG 547 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 548 printf("sctp_handle_abort: finished\n"); 549 } 550#endif 551} 552 553static void 554sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 555 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 556{ 557 struct sctp_association *asoc; 558 int some_on_streamwheel; 559 560#ifdef SCTP_DEBUG 561 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 562 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 563 } 564#endif 565 if (stcb == NULL) 566 return; 567 asoc = &stcb->asoc; 568 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 569 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 570 return; 571 } 572 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 573 /* Shutdown NOT the expected size */ 574 return; 575 } else { 576 sctp_update_acked(stcb, cp, net, abort_flag); 577 } 578 if (asoc->control_pdapi) { 579 /* 580 * With a normal shutdown we assume the end of last record. 581 */ 582 SCTP_INP_READ_LOCK(stcb->sctp_ep); 583 asoc->control_pdapi->end_added = 1; 584 asoc->control_pdapi->pdapi_aborted = 1; 585 asoc->control_pdapi = NULL; 586 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 587 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 588 } 589 /* goto SHUTDOWN_RECEIVED state to block new requests */ 590 if (stcb->sctp_socket) { 591 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 592 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 593 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 594 /* 595 * notify upper layer that peer has initiated a 596 * shutdown 597 */ 598 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 599 600 /* reset time */ 601 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 602 } 603 } 604 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 605 /* 606 * stop the shutdown timer, since we WILL move to 607 * SHUTDOWN-ACK-SENT. 608 */ 609 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 610 } 611 /* Now are we there yet? */ 612 some_on_streamwheel = 0; 613 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 614 /* Check to see if some data queued */ 615 struct sctp_stream_out *outs; 616 617 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 618 if (!TAILQ_EMPTY(&outs->outqueue)) { 619 some_on_streamwheel = 1; 620 break; 621 } 622 } 623 } 624 if (!TAILQ_EMPTY(&asoc->send_queue) || 625 !TAILQ_EMPTY(&asoc->sent_queue) || 626 some_on_streamwheel) { 627 /* By returning we will push more data out */ 628 return; 629 } else { 630 /* no outstanding data to send, so move on... */ 631 /* send SHUTDOWN-ACK */ 632 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 633 /* move to SHUTDOWN-ACK-SENT state */ 634 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 635 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 636 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 637 } 638 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 639 640 /* start SHUTDOWN timer */ 641 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 642 stcb, net); 643 } 644} 645 646static void 647sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 648 struct sctp_tcb *stcb, struct sctp_nets *net) 649{ 650 struct sctp_association *asoc; 651 652#ifdef SCTP_DEBUG 653 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 654 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 655 } 656#endif 657 if (stcb == NULL) 658 return; 659 660 asoc = &stcb->asoc; 661 /* process according to association state */ 662 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 663 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 664 /* unexpected SHUTDOWN-ACK... so ignore... */ 665 SCTP_TCB_UNLOCK(stcb); 666 return; 667 } 668 if (asoc->control_pdapi) { 669 /* 670 * With a normal shutdown we assume the end of last record. 671 */ 672 SCTP_INP_READ_LOCK(stcb->sctp_ep); 673 asoc->control_pdapi->end_added = 1; 674 asoc->control_pdapi->pdapi_aborted = 1; 675 asoc->control_pdapi = NULL; 676 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 677 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 678 } 679 /* are the queues empty? */ 680 if (!TAILQ_EMPTY(&asoc->send_queue) || 681 !TAILQ_EMPTY(&asoc->sent_queue) || 682 !TAILQ_EMPTY(&asoc->out_wheel)) { 683 sctp_report_all_outbound(stcb, 0); 684 } 685 /* stop the timer */ 686 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 687 /* send SHUTDOWN-COMPLETE */ 688 sctp_send_shutdown_complete(stcb, net); 689 /* notify upper layer protocol */ 690 if (stcb->sctp_socket) { 691 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 692 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 693 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 694 /* Set the connected flag to disconnected */ 695 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 696 } 697 } 698 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 699 /* free the TCB but first save off the ep */ 700 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 701 SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 702} 703 704/* 705 * Skip past the param header and then we will find the chunk that caused the 706 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 707 * our peer must be broken. 708 */ 709static void 710sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 711 struct sctp_nets *net) 712{ 713 struct sctp_chunkhdr *chk; 714 715 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 716 switch (chk->chunk_type) { 717 case SCTP_ASCONF_ACK: 718 case SCTP_ASCONF: 719 sctp_asconf_cleanup(stcb, net); 720 break; 721 case SCTP_FORWARD_CUM_TSN: 722 stcb->asoc.peer_supports_prsctp = 0; 723 break; 724 default: 725#ifdef SCTP_DEBUG 726 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 727 printf("Peer does not support chunk type %d(%x)??\n", 728 chk->chunk_type, (uint32_t) chk->chunk_type); 729 } 730#endif 731 break; 732 } 733} 734 735/* 736 * Skip past the param header and then we will find the param that caused the 737 * problem. There are a number of param's in a ASCONF OR the prsctp param 738 * these will turn of specific features. 739 */ 740static void 741sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 742{ 743 struct sctp_paramhdr *pbad; 744 745 pbad = phdr + 1; 746 switch (ntohs(pbad->param_type)) { 747 /* pr-sctp draft */ 748 case SCTP_PRSCTP_SUPPORTED: 749 stcb->asoc.peer_supports_prsctp = 0; 750 break; 751 case SCTP_SUPPORTED_CHUNK_EXT: 752 break; 753 /* draft-ietf-tsvwg-addip-sctp */ 754 case SCTP_ECN_NONCE_SUPPORTED: 755 stcb->asoc.peer_supports_ecn_nonce = 0; 756 stcb->asoc.ecn_nonce_allowed = 0; 757 stcb->asoc.ecn_allowed = 0; 758 break; 759 case SCTP_ADD_IP_ADDRESS: 760 case SCTP_DEL_IP_ADDRESS: 761 case SCTP_SET_PRIM_ADDR: 762 stcb->asoc.peer_supports_asconf = 0; 763 break; 764 case SCTP_SUCCESS_REPORT: 765 case SCTP_ERROR_CAUSE_IND: 766#ifdef SCTP_DEBUG 767 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 768 printf("Huh, the peer does not support success? or error cause?\n"); 769 printf("Turning off ASCONF to this strange peer\n"); 770 } 771#endif 772 stcb->asoc.peer_supports_asconf = 0; 773 break; 774 default: 775#ifdef SCTP_DEBUG 776 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 777 printf("Peer does not support param type %d(%x)??\n", 778 pbad->param_type, (uint32_t) pbad->param_type); 779 } 780#endif 781 break; 782 } 783} 784 785static int 786sctp_handle_error(struct sctp_chunkhdr *ch, 787 struct sctp_tcb *stcb, struct sctp_nets *net) 788{ 789 int chklen; 790 struct sctp_paramhdr *phdr; 791 uint16_t error_type; 792 uint16_t error_len; 793 struct sctp_association *asoc; 794 795 int adjust; 796 797 /* parse through all of the errors and process */ 798 asoc = &stcb->asoc; 799 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 800 sizeof(struct sctp_chunkhdr)); 801 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 802 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 803 /* Process an Error Cause */ 804 error_type = ntohs(phdr->param_type); 805 error_len = ntohs(phdr->param_length); 806 if ((error_len > chklen) || (error_len == 0)) { 807 /* invalid param length for this param */ 808#ifdef SCTP_DEBUG 809 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 810 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 811 chklen, error_len); 812 } 813#endif /* SCTP_DEBUG */ 814 return (0); 815 } 816 switch (error_type) { 817 case SCTP_CAUSE_INVALID_STREAM: 818 case SCTP_CAUSE_MISSING_PARAM: 819 case SCTP_CAUSE_INVALID_PARAM: 820 case SCTP_CAUSE_NO_USER_DATA: 821#ifdef SCTP_DEBUG 822 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 823 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 824 error_type); 825 } 826#endif 827 break; 828 case SCTP_CAUSE_STALE_COOKIE: 829 /* 830 * We only act if we have echoed a cookie and are 831 * waiting. 832 */ 833 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 834 int *p; 835 836 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 837 /* Save the time doubled */ 838 asoc->cookie_preserve_req = ntohl(*p) << 1; 839 asoc->stale_cookie_count++; 840 if (asoc->stale_cookie_count > 841 asoc->max_init_times) { 842 sctp_abort_notification(stcb, 0); 843 /* now free the asoc */ 844 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 845 return (-1); 846 } 847 /* blast back to INIT state */ 848 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 849 asoc->state |= SCTP_STATE_COOKIE_WAIT; 850 851 sctp_stop_all_cookie_timers(stcb); 852 sctp_send_initiate(stcb->sctp_ep, stcb); 853 } 854 break; 855 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 856 /* 857 * Nothing we can do here, we don't do hostname 858 * addresses so if the peer does not like my IPv6 859 * (or IPv4 for that matter) it does not matter. If 860 * they don't support that type of address, they can 861 * NOT possibly get that packet type... i.e. with no 862 * IPv6 you can't recieve a IPv6 packet. so we can 863 * safely ignore this one. If we ever added support 864 * for HOSTNAME Addresses, then we would need to do 865 * something here. 866 */ 867 break; 868 case SCTP_CAUSE_UNRECOG_CHUNK: 869 sctp_process_unrecog_chunk(stcb, phdr, net); 870 break; 871 case SCTP_CAUSE_UNRECOG_PARAM: 872 sctp_process_unrecog_param(stcb, phdr); 873 break; 874 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 875 /* 876 * We ignore this since the timer will drive out a 877 * new cookie anyway and there timer will drive us 878 * to send a SHUTDOWN_COMPLETE. We can't send one 879 * here since we don't have their tag. 880 */ 881 break; 882 case SCTP_CAUSE_DELETING_LAST_ADDR: 883 case SCTP_CAUSE_RESOURCE_SHORTAGE: 884 case SCTP_CAUSE_DELETING_SRC_ADDR: 885 /* 886 * We should NOT get these here, but in a 887 * ASCONF-ACK. 888 */ 889#ifdef SCTP_DEBUG 890 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 891 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 892 error_type); 893 } 894#endif 895 break; 896 case SCTP_CAUSE_OUT_OF_RESC: 897 /* 898 * And what, pray tell do we do with the fact that 899 * the peer is out of resources? Not really sure we 900 * could do anything but abort. I suspect this 901 * should have came WITH an abort instead of in a 902 * OP-ERROR. 903 */ 904 break; 905 default: 906#ifdef SCTP_DEBUG 907 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 908 /* don't know what this error cause is... */ 909 printf("sctp_handle_error: unknown error type = 0x%xh\n", 910 error_type); 911 } 912#endif /* SCTP_DEBUG */ 913 break; 914 } 915 adjust = SCTP_SIZE32(error_len); 916 chklen -= adjust; 917 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 918 } 919 return (0); 920} 921 922static int 923sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 924 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 925 struct sctp_nets *net, int *abort_no_unlock) 926{ 927 struct sctp_init_ack *init_ack; 928 int *state; 929 struct mbuf *op_err; 930 931#ifdef SCTP_DEBUG 932 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 933 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 934 } 935#endif 936 if (stcb == NULL) { 937#ifdef SCTP_DEBUG 938 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 939 printf("sctp_handle_init_ack: TCB is null\n"); 940 } 941#endif 942 return (-1); 943 } 944 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 945 /* Invalid length */ 946 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 947 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 948 op_err); 949 *abort_no_unlock = 1; 950 return (-1); 951 } 952 init_ack = &cp->init; 953 /* validate parameters */ 954 if (init_ack->initiate_tag == 0) { 955 /* protocol error... send an abort */ 956 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 957 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 958 op_err); 959 *abort_no_unlock = 1; 960 return (-1); 961 } 962 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 963 /* protocol error... send an abort */ 964 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 965 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 966 op_err); 967 *abort_no_unlock = 1; 968 return (-1); 969 } 970 if (init_ack->num_inbound_streams == 0) { 971 /* protocol error... send an abort */ 972 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 973 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 974 op_err); 975 *abort_no_unlock = 1; 976 return (-1); 977 } 978 if (init_ack->num_outbound_streams == 0) { 979 /* protocol error... send an abort */ 980 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 981 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 982 op_err); 983 *abort_no_unlock = 1; 984 return (-1); 985 } 986 /* process according to association state... */ 987 state = &stcb->asoc.state; 988 switch (*state & SCTP_STATE_MASK) { 989 case SCTP_STATE_COOKIE_WAIT: 990 /* this is the expected state for this chunk */ 991 /* process the INIT-ACK parameters */ 992 if (stcb->asoc.primary_destination->dest_state & 993 SCTP_ADDR_UNCONFIRMED) { 994 /* 995 * The primary is where we sent the INIT, we can 996 * always consider it confirmed when the INIT-ACK is 997 * returned. Do this before we load addresses 998 * though. 999 */ 1000 stcb->asoc.primary_destination->dest_state &= 1001 ~SCTP_ADDR_UNCONFIRMED; 1002 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1003 stcb, 0, (void *)stcb->asoc.primary_destination); 1004 } 1005 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net, 1006 abort_no_unlock) < 0) { 1007 /* error in parsing parameters */ 1008 return (-1); 1009 } 1010 /* update our state */ 1011#ifdef SCTP_DEBUG 1012 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1013 printf("moving to COOKIE-ECHOED state\n"); 1014 } 1015#endif 1016 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 1017 *state = SCTP_STATE_COOKIE_ECHOED | 1018 SCTP_STATE_SHUTDOWN_PENDING; 1019 } else { 1020 *state = SCTP_STATE_COOKIE_ECHOED; 1021 } 1022 1023 /* reset the RTO calc */ 1024 stcb->asoc.overall_error_count = 0; 1025 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1026 /* 1027 * collapse the init timer back in case of a exponential 1028 * backoff 1029 */ 1030 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1031 stcb, net); 1032 /* 1033 * the send at the end of the inbound data processing will 1034 * cause the cookie to be sent 1035 */ 1036 break; 1037 case SCTP_STATE_SHUTDOWN_SENT: 1038 /* incorrect state... discard */ 1039 break; 1040 case SCTP_STATE_COOKIE_ECHOED: 1041 /* incorrect state... discard */ 1042 break; 1043 case SCTP_STATE_OPEN: 1044 /* incorrect state... discard */ 1045 break; 1046 case SCTP_STATE_EMPTY: 1047 case SCTP_STATE_INUSE: 1048 default: 1049 /* incorrect state... discard */ 1050 return (-1); 1051 break; 1052 } /* end switch asoc state */ 1053#ifdef SCTP_DEBUG 1054 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1055 printf("Leaving handle-init-ack end\n"); 1056 } 1057#endif 1058 return (0); 1059} 1060 1061 1062/* 1063 * handle a state cookie for an existing association m: input packet mbuf 1064 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1065 * "split" mbuf and the cookie signature does not exist offset: offset into 1066 * mbuf to the cookie-echo chunk 1067 */ 1068static struct sctp_tcb * 1069sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1070 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1071 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1072 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id) 1073{ 1074 struct sctp_association *asoc; 1075 struct sctp_init_chunk *init_cp, init_buf; 1076 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1077 int chk_length; 1078 int init_offset, initack_offset, i; 1079 int retval; 1080 int spec_flag = 0; 1081 int how_indx; 1082 1083 /* I know that the TCB is non-NULL from the caller */ 1084 asoc = &stcb->asoc; 1085 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1086 if (asoc->cookie_how[how_indx] == 0) 1087 break; 1088 } 1089 if (how_indx < sizeof(asoc->cookie_how)) { 1090 asoc->cookie_how[how_indx] = 1; 1091 } 1092 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1093 /* SHUTDOWN came in after sending INIT-ACK */ 1094 struct mbuf *op_err; 1095 struct sctp_paramhdr *ph; 1096 1097 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1098 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1099 0, M_DONTWAIT, 1, MT_DATA); 1100 if (op_err == NULL) { 1101 /* FOOBAR */ 1102 return (NULL); 1103 } 1104 /* pre-reserve some space */ 1105 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1106 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1107 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1108 /* Set the len */ 1109 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1110 ph = mtod(op_err, struct sctp_paramhdr *); 1111 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1112 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1113 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1114 if (how_indx < sizeof(asoc->cookie_how)) 1115 asoc->cookie_how[how_indx] = 2; 1116 return (NULL); 1117 } 1118 /* 1119 * find and validate the INIT chunk in the cookie (peer's info) the 1120 * INIT should start after the cookie-echo header struct (chunk 1121 * header, state cookie header struct) 1122 */ 1123 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1124 1125 init_cp = (struct sctp_init_chunk *) 1126 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1127 (uint8_t *) & init_buf); 1128 if (init_cp == NULL) { 1129 /* could not pull a INIT chunk in cookie */ 1130 return (NULL); 1131 } 1132 chk_length = ntohs(init_cp->ch.chunk_length); 1133 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1134 return (NULL); 1135 } 1136 /* 1137 * find and validate the INIT-ACK chunk in the cookie (my info) the 1138 * INIT-ACK follows the INIT chunk 1139 */ 1140 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1141 initack_cp = (struct sctp_init_ack_chunk *) 1142 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1143 (uint8_t *) & initack_buf); 1144 if (initack_cp == NULL) { 1145 /* could not pull INIT-ACK chunk in cookie */ 1146 return (NULL); 1147 } 1148 chk_length = ntohs(initack_cp->ch.chunk_length); 1149 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1150 return (NULL); 1151 } 1152 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1153 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1154 /* 1155 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1156 * to get into the OPEN state 1157 */ 1158 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1159#ifdef INVARIANTS 1160 panic("Case D and non-match seq?"); 1161#else 1162 printf("Case D, seq non-match %x vs %x?\n", 1163 ntohl(initack_cp->init.initial_tsn), asoc->init_seq_number); 1164#endif 1165 } 1166 switch SCTP_GET_STATE 1167 (asoc) { 1168 case SCTP_STATE_COOKIE_WAIT: 1169 case SCTP_STATE_COOKIE_ECHOED: 1170 /* 1171 * INIT was sent, but got got a COOKIE_ECHO with the 1172 * correct tags... just accept it...but we must 1173 * process the init so that we can make sure we have 1174 * the right seq no's. 1175 */ 1176 /* First we must process the INIT !! */ 1177 retval = sctp_process_init(init_cp, stcb, net); 1178 if (retval < 0) { 1179 if (how_indx < sizeof(asoc->cookie_how)) 1180 asoc->cookie_how[how_indx] = 3; 1181 return (NULL); 1182 } 1183 /* we have already processed the INIT so no problem */ 1184 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1185 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1186 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1187 /* update current state */ 1188 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1189 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1190 else 1191 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1192 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1193 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1194 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1195 stcb->sctp_ep, stcb, asoc->primary_destination); 1196 1197 } else { 1198 /* if ok, move to OPEN state */ 1199 asoc->state = SCTP_STATE_OPEN; 1200 } 1201 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1202 sctp_stop_all_cookie_timers(stcb); 1203 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1204 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1205 (inp->sctp_socket->so_qlimit == 0) 1206 ) { 1207 /* 1208 * Here is where collision would go if we 1209 * did a connect() and instead got a 1210 * init/init-ack/cookie done before the 1211 * init-ack came back.. 1212 */ 1213 stcb->sctp_ep->sctp_flags |= 1214 SCTP_PCB_FLAGS_CONNECTED; 1215 soisconnected(stcb->sctp_ep->sctp_socket); 1216 } 1217 /* notify upper layer */ 1218 *notification = SCTP_NOTIFY_ASSOC_UP; 1219 /* 1220 * since we did not send a HB make sure we don't 1221 * double things 1222 */ 1223 net->hb_responded = 1; 1224 1225 if (stcb->asoc.sctp_autoclose_ticks && 1226 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1227 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1228 inp, stcb, NULL); 1229 } 1230 break; 1231 default: 1232 /* 1233 * we're in the OPEN state (or beyond), so peer must 1234 * have simply lost the COOKIE-ACK 1235 */ 1236 1237 break; 1238 } /* end switch */ 1239 sctp_stop_all_cookie_timers(stcb); 1240 /* 1241 * We ignore the return code here.. not sure if we should 1242 * somehow abort.. but we do have an existing asoc. This 1243 * really should not fail. 1244 */ 1245 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1246 init_offset + sizeof(struct sctp_init_chunk), 1247 initack_offset, sh, init_src)) { 1248 if (how_indx < sizeof(asoc->cookie_how)) 1249 asoc->cookie_how[how_indx] = 4; 1250 return (NULL); 1251 } 1252 /* respond with a COOKIE-ACK */ 1253 sctp_toss_old_cookies(stcb, asoc); 1254 sctp_send_cookie_ack(stcb); 1255 if (how_indx < sizeof(asoc->cookie_how)) 1256 asoc->cookie_how[how_indx] = 5; 1257 return (stcb); 1258 } /* end if */ 1259 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1260 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1261 cookie->tie_tag_my_vtag == 0 && 1262 cookie->tie_tag_peer_vtag == 0) { 1263 /* 1264 * case C in Section 5.2.4 Table 2: XMOO silently discard 1265 */ 1266 if (how_indx < sizeof(asoc->cookie_how)) 1267 asoc->cookie_how[how_indx] = 6; 1268 return (NULL); 1269 } 1270 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1271 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1272 init_cp->init.initiate_tag == 0)) { 1273 /* 1274 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1275 * should be ok, re-accept peer info 1276 */ 1277 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1278 /* 1279 * Extension of case C. If we hit this, then the 1280 * random number generator returned the same vtag 1281 * when we first sent our INIT-ACK and when we later 1282 * sent our INIT. The side with the seq numbers that 1283 * are different will be the one that normnally 1284 * would have hit case C. This in effect "extends" 1285 * our vtags in this collision case to be 64 bits. 1286 * The same collision could occur aka you get both 1287 * vtag and seq number the same twice in a row.. but 1288 * is much less likely. If it did happen then we 1289 * would proceed through and bring up the assoc.. we 1290 * may end up with the wrong stream setup however.. 1291 * which would be bad.. but there is no way to 1292 * tell.. until we send on a stream that does not 1293 * exist :-) 1294 */ 1295 if (how_indx < sizeof(asoc->cookie_how)) 1296 asoc->cookie_how[how_indx] = 7; 1297 1298 return (NULL); 1299 } 1300 if (how_indx < sizeof(asoc->cookie_how)) 1301 asoc->cookie_how[how_indx] = 8; 1302 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1303 sctp_stop_all_cookie_timers(stcb); 1304 /* 1305 * since we did not send a HB make sure we don't double 1306 * things 1307 */ 1308 net->hb_responded = 1; 1309 if (stcb->asoc.sctp_autoclose_ticks && 1310 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1311 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1312 NULL); 1313 } 1314 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1315 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1316 1317 /* Note last_cwr_tsn? where is this used? */ 1318 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1319 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1320 /* 1321 * Ok the peer probably discarded our data (if we 1322 * echoed a cookie+data). So anything on the 1323 * sent_queue should be marked for retransmit, we 1324 * may not get something to kick us so it COULD 1325 * still take a timeout to move these.. but it can't 1326 * hurt to mark them. 1327 */ 1328 struct sctp_tmit_chunk *chk; 1329 1330 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1331 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1332 chk->sent = SCTP_DATAGRAM_RESEND; 1333 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1334 spec_flag++; 1335 } 1336 } 1337 1338 } 1339 /* process the INIT info (peer's info) */ 1340 retval = sctp_process_init(init_cp, stcb, net); 1341 if (retval < 0) { 1342 if (how_indx < sizeof(asoc->cookie_how)) 1343 asoc->cookie_how[how_indx] = 9; 1344 return (NULL); 1345 } 1346 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1347 init_offset + sizeof(struct sctp_init_chunk), 1348 initack_offset, sh, init_src)) { 1349 if (how_indx < sizeof(asoc->cookie_how)) 1350 asoc->cookie_how[how_indx] = 10; 1351 return (NULL); 1352 } 1353 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1354 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1355 *notification = SCTP_NOTIFY_ASSOC_UP; 1356 1357 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1358 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1359 (inp->sctp_socket->so_qlimit == 0)) { 1360 stcb->sctp_ep->sctp_flags |= 1361 SCTP_PCB_FLAGS_CONNECTED; 1362 soisconnected(stcb->sctp_ep->sctp_socket); 1363 } 1364 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1365 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1366 else 1367 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1368 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1369 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1370 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1371 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1372 } else { 1373 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1374 } 1375 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1376 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1377 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1378 stcb->sctp_ep, stcb, asoc->primary_destination); 1379 1380 } else { 1381 asoc->state = SCTP_STATE_OPEN; 1382 } 1383 sctp_stop_all_cookie_timers(stcb); 1384 sctp_toss_old_cookies(stcb, asoc); 1385 sctp_send_cookie_ack(stcb); 1386 if (spec_flag) { 1387 /* 1388 * only if we have retrans set do we do this. What 1389 * this call does is get only the COOKIE-ACK out and 1390 * then when we return the normal call to 1391 * sctp_chunk_output will get the retrans out behind 1392 * this. 1393 */ 1394 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK); 1395 } 1396 if (how_indx < sizeof(asoc->cookie_how)) 1397 asoc->cookie_how[how_indx] = 11; 1398 1399 return (stcb); 1400 } 1401 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1402 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1403 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1404 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1405 cookie->tie_tag_peer_vtag != 0) { 1406 struct sctpasochead *head; 1407 1408 /* 1409 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1410 */ 1411 /* temp code */ 1412 if (how_indx < sizeof(asoc->cookie_how)) 1413 asoc->cookie_how[how_indx] = 12; 1414 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1415 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1416 1417 *sac_assoc_id = sctp_get_associd(stcb); 1418 /* notify upper layer */ 1419 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1420 atomic_add_int(&stcb->asoc.refcnt, 1); 1421 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1422 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1423 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1424 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1425 } 1426 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1427 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1428 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1429 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1430 } 1431 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1432 asoc->state = SCTP_STATE_OPEN | 1433 SCTP_STATE_SHUTDOWN_PENDING; 1434 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1435 stcb->sctp_ep, stcb, asoc->primary_destination); 1436 1437 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1438 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1439 asoc->state = SCTP_STATE_OPEN; 1440 } 1441 asoc->pre_open_streams = 1442 ntohs(initack_cp->init.num_outbound_streams); 1443 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1444 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1445 1446 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1447 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1448 1449 asoc->str_reset_seq_in = asoc->init_seq_number; 1450 1451 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1452 if (asoc->mapping_array) 1453 memset(asoc->mapping_array, 0, 1454 asoc->mapping_array_size); 1455 SCTP_TCB_UNLOCK(stcb); 1456 SCTP_INP_INFO_WLOCK(); 1457 SCTP_INP_WLOCK(stcb->sctp_ep); 1458 SCTP_TCB_LOCK(stcb); 1459 atomic_add_int(&stcb->asoc.refcnt, -1); 1460 /* send up all the data */ 1461 SCTP_TCB_SEND_LOCK(stcb); 1462 1463 sctp_report_all_outbound(stcb, 1); 1464 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1465 stcb->asoc.strmout[i].stream_no = i; 1466 stcb->asoc.strmout[i].next_sequence_sent = 0; 1467 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1468 } 1469 /* process the INIT-ACK info (my info) */ 1470 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1471 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1472 1473 /* pull from vtag hash */ 1474 LIST_REMOVE(stcb, sctp_asocs); 1475 /* re-insert to new vtag position */ 1476 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1477 sctppcbinfo.hashasocmark)]; 1478 /* 1479 * put it in the bucket in the vtag hash of assoc's for the 1480 * system 1481 */ 1482 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1483 1484 /* Is this the first restart? */ 1485 if (stcb->asoc.in_restart_hash == 0) { 1486 /* Ok add it to assoc_id vtag hash */ 1487 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1488 sctppcbinfo.hashrestartmark)]; 1489 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1490 stcb->asoc.in_restart_hash = 1; 1491 } 1492 /* process the INIT info (peer's info) */ 1493 SCTP_TCB_SEND_UNLOCK(stcb); 1494 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1495 SCTP_INP_INFO_WUNLOCK(); 1496 1497 retval = sctp_process_init(init_cp, stcb, net); 1498 if (retval < 0) { 1499 if (how_indx < sizeof(asoc->cookie_how)) 1500 asoc->cookie_how[how_indx] = 13; 1501 1502 return (NULL); 1503 } 1504 /* 1505 * since we did not send a HB make sure we don't double 1506 * things 1507 */ 1508 net->hb_responded = 1; 1509 1510 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1511 init_offset + sizeof(struct sctp_init_chunk), 1512 initack_offset, sh, init_src)) { 1513 if (how_indx < sizeof(asoc->cookie_how)) 1514 asoc->cookie_how[how_indx] = 14; 1515 1516 return (NULL); 1517 } 1518 /* respond with a COOKIE-ACK */ 1519 sctp_stop_all_cookie_timers(stcb); 1520 sctp_toss_old_cookies(stcb, asoc); 1521 sctp_send_cookie_ack(stcb); 1522 if (how_indx < sizeof(asoc->cookie_how)) 1523 asoc->cookie_how[how_indx] = 15; 1524 1525 return (stcb); 1526 } 1527 if (how_indx < sizeof(asoc->cookie_how)) 1528 asoc->cookie_how[how_indx] = 16; 1529 /* all other cases... */ 1530 return (NULL); 1531} 1532 1533 1534/* 1535 * handle a state cookie for a new association m: input packet mbuf chain-- 1536 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1537 * and the cookie signature does not exist offset: offset into mbuf to the 1538 * cookie-echo chunk length: length of the cookie chunk to: where the init 1539 * was from returns a new TCB 1540 */ 1541static struct sctp_tcb * 1542sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1543 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1544 struct sctp_inpcb *inp, struct sctp_nets **netp, 1545 struct sockaddr *init_src, int *notification, 1546 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1547{ 1548 struct sctp_tcb *stcb; 1549 struct sctp_init_chunk *init_cp, init_buf; 1550 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1551 struct sockaddr_storage sa_store; 1552 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1553 struct sockaddr_in *sin; 1554 struct sockaddr_in6 *sin6; 1555 struct sctp_association *asoc; 1556 uint32_t vrf_id; 1557 int chk_length; 1558 int init_offset, initack_offset, initack_limit; 1559 int retval; 1560 int error = 0; 1561 uint32_t old_tag; 1562 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1563 1564 vrf_id = inp->def_vrf_id; 1565 1566 /* 1567 * find and validate the INIT chunk in the cookie (peer's info) the 1568 * INIT should start after the cookie-echo header struct (chunk 1569 * header, state cookie header struct) 1570 */ 1571 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1572 init_cp = (struct sctp_init_chunk *) 1573 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1574 (uint8_t *) & init_buf); 1575 if (init_cp == NULL) { 1576 /* could not pull a INIT chunk in cookie */ 1577#ifdef SCTP_DEBUG 1578 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1579 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1580 } 1581#endif /* SCTP_DEBUG */ 1582 return (NULL); 1583 } 1584 chk_length = ntohs(init_cp->ch.chunk_length); 1585 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1586#ifdef SCTP_DEBUG 1587 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1588 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1589 } 1590#endif /* SCTP_DEBUG */ 1591 return (NULL); 1592 } 1593 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1594 /* 1595 * find and validate the INIT-ACK chunk in the cookie (my info) the 1596 * INIT-ACK follows the INIT chunk 1597 */ 1598 initack_cp = (struct sctp_init_ack_chunk *) 1599 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1600 (uint8_t *) & initack_buf); 1601 if (initack_cp == NULL) { 1602 /* could not pull INIT-ACK chunk in cookie */ 1603#ifdef SCTP_DEBUG 1604 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1605 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1606 } 1607#endif /* SCTP_DEBUG */ 1608 return (NULL); 1609 } 1610 chk_length = ntohs(initack_cp->ch.chunk_length); 1611 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1612 return (NULL); 1613 } 1614 /* 1615 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1616 * "initack_limit" value. This is because the chk_length field 1617 * includes the length of the cookie, but the cookie is omitted when 1618 * the INIT and INIT_ACK are tacked onto the cookie... 1619 */ 1620 initack_limit = offset + cookie_len; 1621 1622 /* 1623 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1624 * and popluate 1625 */ 1626 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1627 ntohl(initack_cp->init.initiate_tag), vrf_id); 1628 if (stcb == NULL) { 1629 struct mbuf *op_err; 1630 1631 /* memory problem? */ 1632#ifdef SCTP_DEBUG 1633 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1634 printf("process_cookie_new: no room for another TCB!\n"); 1635 } 1636#endif /* SCTP_DEBUG */ 1637 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1638 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1639 sh, op_err); 1640 return (NULL); 1641 } 1642 /* get the correct sctp_nets */ 1643 *netp = sctp_findnet(stcb, init_src); 1644 asoc = &stcb->asoc; 1645 /* get scope variables out of cookie */ 1646 asoc->ipv4_local_scope = cookie->ipv4_scope; 1647 asoc->site_scope = cookie->site_scope; 1648 asoc->local_scope = cookie->local_scope; 1649 asoc->loopback_scope = cookie->loopback_scope; 1650 1651 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1652 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1653 struct mbuf *op_err; 1654 1655 /* 1656 * Houston we have a problem. The EP changed while the 1657 * cookie was in flight. Only recourse is to abort the 1658 * association. 1659 */ 1660 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1661 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1662 sh, op_err); 1663 return (NULL); 1664 } 1665 /* process the INIT-ACK info (my info) */ 1666 old_tag = asoc->my_vtag; 1667 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1668 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1669 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1670 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1671 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1672 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1673 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1674 asoc->str_reset_seq_in = asoc->init_seq_number; 1675 1676 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1677 1678 /* process the INIT info (peer's info) */ 1679 retval = sctp_process_init(init_cp, stcb, *netp); 1680 if (retval < 0) { 1681 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1682 return (NULL); 1683 } 1684 /* load all addresses */ 1685 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1686 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1687 init_src)) { 1688 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 1689 return (NULL); 1690 } 1691 /* 1692 * verify any preceding AUTH chunk that was skipped 1693 */ 1694 /* pull the local authentication parameters from the cookie/init-ack */ 1695 sctp_auth_get_cookie_params(stcb, m, 1696 initack_offset + sizeof(struct sctp_init_ack_chunk), 1697 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1698 if (auth_skipped) { 1699 struct sctp_auth_chunk *auth; 1700 1701 auth = (struct sctp_auth_chunk *) 1702 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 1703 if (sctp_handle_auth(stcb, auth, m, auth_offset)) { 1704 /* auth HMAC failed, dump the assoc and packet */ 1705#ifdef SCTP_DEBUG 1706 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 1707 printf("COOKIE-ECHO: AUTH failed\n"); 1708#endif /* SCTP_DEBUG */ 1709 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 1710 return (NULL); 1711 } else { 1712 /* remaining chunks checked... good to go */ 1713 stcb->asoc.authenticated = 1; 1714 } 1715 } 1716 /* update current state */ 1717#ifdef SCTP_DEBUG 1718 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1719 printf("moving to OPEN state\n"); 1720 } 1721#endif 1722 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1723 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1724 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1725 stcb->sctp_ep, stcb, asoc->primary_destination); 1726 } else { 1727 asoc->state = SCTP_STATE_OPEN; 1728 } 1729 sctp_stop_all_cookie_timers(stcb); 1730 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1731 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1732 1733 /* 1734 * if we're doing ASCONFs, check to see if we have any new local 1735 * addresses that need to get added to the peer (eg. addresses 1736 * changed while cookie echo in flight). This needs to be done 1737 * after we go to the OPEN state to do the correct asconf 1738 * processing. else, make sure we have the correct addresses in our 1739 * lists 1740 */ 1741 1742 /* warning, we re-use sin, sin6, sa_store here! */ 1743 /* pull in local_address (our "from" address) */ 1744 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1745 /* source addr is IPv4 */ 1746 sin = (struct sockaddr_in *)initack_src; 1747 memset(sin, 0, sizeof(*sin)); 1748 sin->sin_family = AF_INET; 1749 sin->sin_len = sizeof(struct sockaddr_in); 1750 sin->sin_addr.s_addr = cookie->laddress[0]; 1751 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1752 /* source addr is IPv6 */ 1753 sin6 = (struct sockaddr_in6 *)initack_src; 1754 memset(sin6, 0, sizeof(*sin6)); 1755 sin6->sin6_family = AF_INET6; 1756 sin6->sin6_len = sizeof(struct sockaddr_in6); 1757 sin6->sin6_scope_id = cookie->scope_id; 1758 memcpy(&sin6->sin6_addr, cookie->laddress, 1759 sizeof(sin6->sin6_addr)); 1760 } else { 1761 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 1762 return (NULL); 1763 } 1764 1765 sctp_check_address_list(stcb, m, 1766 initack_offset + sizeof(struct sctp_init_ack_chunk), 1767 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1768 initack_src, cookie->local_scope, cookie->site_scope, 1769 cookie->ipv4_scope, cookie->loopback_scope); 1770 1771 1772 /* set up to notify upper layer */ 1773 *notification = SCTP_NOTIFY_ASSOC_UP; 1774 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1775 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1776 (inp->sctp_socket->so_qlimit == 0)) { 1777 /* 1778 * This is an endpoint that called connect() how it got a 1779 * cookie that is NEW is a bit of a mystery. It must be that 1780 * the INIT was sent, but before it got there.. a complete 1781 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1782 * should have went to the other code.. not here.. oh well.. 1783 * a bit of protection is worth having.. 1784 */ 1785 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1786 soisconnected(stcb->sctp_ep->sctp_socket); 1787 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1788 (inp->sctp_socket->so_qlimit)) { 1789 /* 1790 * We don't want to do anything with this one. Since it is 1791 * the listening guy. The timer will get started for 1792 * accepted connections in the caller. 1793 */ 1794 ; 1795 } 1796 /* since we did not send a HB make sure we don't double things */ 1797 (*netp)->hb_responded = 1; 1798 1799 if (stcb->asoc.sctp_autoclose_ticks && 1800 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1801 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1802 } 1803 /* respond with a COOKIE-ACK */ 1804 /* calculate the RTT */ 1805 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1806 &cookie->time_entered); 1807 sctp_send_cookie_ack(stcb); 1808 return (stcb); 1809} 1810 1811 1812/* 1813 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1814 * existing (non-NULL) TCB 1815 */ 1816static struct mbuf * 1817sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1818 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1819 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1820 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, struct sctp_tcb **locked_tcb) 1821{ 1822 struct sctp_state_cookie *cookie; 1823 struct sockaddr_in6 sin6; 1824 struct sockaddr_in sin; 1825 struct sctp_tcb *l_stcb = *stcb; 1826 struct sctp_inpcb *l_inp; 1827 struct sockaddr *to; 1828 sctp_assoc_t sac_restart_id; 1829 struct sctp_pcb *ep; 1830 struct mbuf *m_sig; 1831 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1832 uint8_t *sig; 1833 uint8_t cookie_ok = 0; 1834 unsigned int size_of_pkt, sig_offset, cookie_offset; 1835 unsigned int cookie_len; 1836 struct timeval now; 1837 struct timeval time_expires; 1838 struct sockaddr_storage dest_store; 1839 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1840 struct ip *iph; 1841 int notification = 0; 1842 struct sctp_nets *netl; 1843 int had_a_existing_tcb = 0; 1844 1845#ifdef SCTP_DEBUG 1846 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1847 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1848 } 1849#endif 1850 1851 if (inp_p == NULL) { 1852 return (NULL); 1853 } 1854 /* First get the destination address setup too. */ 1855 iph = mtod(m, struct ip *); 1856 if (iph->ip_v == IPVERSION) { 1857 /* its IPv4 */ 1858 struct sockaddr_in *sin; 1859 1860 sin = (struct sockaddr_in *)(localep_sa); 1861 memset(sin, 0, sizeof(*sin)); 1862 sin->sin_family = AF_INET; 1863 sin->sin_len = sizeof(*sin); 1864 sin->sin_port = sh->dest_port; 1865 sin->sin_addr.s_addr = iph->ip_dst.s_addr; 1866 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 1867 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1868 /* its IPv6 */ 1869 struct ip6_hdr *ip6; 1870 struct sockaddr_in6 *sin6; 1871 1872 sin6 = (struct sockaddr_in6 *)(localep_sa); 1873 memset(sin6, 0, sizeof(*sin6)); 1874 sin6->sin6_family = AF_INET6; 1875 sin6->sin6_len = sizeof(struct sockaddr_in6); 1876 ip6 = mtod(m, struct ip6_hdr *); 1877 sin6->sin6_port = sh->dest_port; 1878 sin6->sin6_addr = ip6->ip6_dst; 1879 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 1880 } else { 1881 return (NULL); 1882 } 1883 1884 cookie = &cp->cookie; 1885 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1886 cookie_len = ntohs(cp->ch.chunk_length); 1887 1888 if ((cookie->peerport != sh->src_port) && 1889 (cookie->myport != sh->dest_port) && 1890 (cookie->my_vtag != sh->v_tag)) { 1891 /* 1892 * invalid ports or bad tag. Note that we always leave the 1893 * v_tag in the header in network order and when we stored 1894 * it in the my_vtag slot we also left it in network order. 1895 * This maintians the match even though it may be in the 1896 * opposite byte order of the machine :-> 1897 */ 1898 return (NULL); 1899 } 1900 if (cookie_len > size_of_pkt || 1901 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1902 sizeof(struct sctp_init_chunk) + 1903 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1904 /* cookie too long! or too small */ 1905 return (NULL); 1906 } 1907 /* 1908 * split off the signature into its own mbuf (since it should not be 1909 * calculated in the sctp_hmac_m() call). 1910 */ 1911 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1912 if (sig_offset > size_of_pkt) { 1913 /* packet not correct size! */ 1914 /* XXX this may already be accounted for earlier... */ 1915 return (NULL); 1916 } 1917 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1918 if (m_sig == NULL) { 1919 /* out of memory or ?? */ 1920 return (NULL); 1921 } 1922 /* 1923 * compute the signature/digest for the cookie 1924 */ 1925 ep = &(*inp_p)->sctp_ep; 1926 l_inp = *inp_p; 1927 if (l_stcb) { 1928 SCTP_TCB_UNLOCK(l_stcb); 1929 } 1930 SCTP_INP_RLOCK(l_inp); 1931 if (l_stcb) { 1932 SCTP_TCB_LOCK(l_stcb); 1933 } 1934 /* which cookie is it? */ 1935 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1936 (ep->current_secret_number != ep->last_secret_number)) { 1937 /* it's the old cookie */ 1938 sctp_hmac_m(SCTP_HMAC, 1939 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1940 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1941 } else { 1942 /* it's the current cookie */ 1943 sctp_hmac_m(SCTP_HMAC, 1944 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1945 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1946 } 1947 /* get the signature */ 1948 SCTP_INP_RUNLOCK(l_inp); 1949 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1950 if (sig == NULL) { 1951 /* couldn't find signature */ 1952 sctp_m_freem(m_sig); 1953 return (NULL); 1954 } 1955 /* compare the received digest with the computed digest */ 1956 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1957 /* try the old cookie? */ 1958 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1959 (ep->current_secret_number != ep->last_secret_number)) { 1960 /* compute digest with old */ 1961 sctp_hmac_m(SCTP_HMAC, 1962 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1963 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1964 /* compare */ 1965 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1966 cookie_ok = 1; 1967 } 1968 } else { 1969 cookie_ok = 1; 1970 } 1971 1972 /* 1973 * Now before we continue we must reconstruct our mbuf so that 1974 * normal processing of any other chunks will work. 1975 */ 1976 { 1977 struct mbuf *m_at; 1978 1979 m_at = m; 1980 while (SCTP_BUF_NEXT(m_at) != NULL) { 1981 m_at = SCTP_BUF_NEXT(m_at); 1982 } 1983 SCTP_BUF_NEXT(m_at) = m_sig; 1984 } 1985 1986 if (cookie_ok == 0) { 1987#ifdef SCTP_DEBUG 1988 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1989 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1990 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1991 (uint32_t) offset, cookie_offset, sig_offset); 1992 } 1993#endif 1994 return (NULL); 1995 } 1996 /* 1997 * check the cookie timestamps to be sure it's not stale 1998 */ 1999 SCTP_GETTIME_TIMEVAL(&now); 2000 /* Expire time is in Ticks, so we convert to seconds */ 2001 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 2002 time_expires.tv_usec = cookie->time_entered.tv_usec; 2003 if (timevalcmp(&now, &time_expires, >)) { 2004 /* cookie is stale! */ 2005 struct mbuf *op_err; 2006 struct sctp_stale_cookie_msg *scm; 2007 uint32_t tim; 2008 2009 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 2010 0, M_DONTWAIT, 1, MT_DATA); 2011 if (op_err == NULL) { 2012 /* FOOBAR */ 2013 return (NULL); 2014 } 2015 /* pre-reserve some space */ 2016 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 2017 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 2018 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 2019 2020 /* Set the len */ 2021 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 2022 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 2023 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 2024 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 2025 (sizeof(uint32_t)))); 2026 /* seconds to usec */ 2027 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2028 /* add in usec */ 2029 if (tim == 0) 2030 tim = now.tv_usec - cookie->time_entered.tv_usec; 2031 scm->time_usec = htonl(tim); 2032 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 2033 return (NULL); 2034 } 2035 /* 2036 * Now we must see with the lookup address if we have an existing 2037 * asoc. This will only happen if we were in the COOKIE-WAIT state 2038 * and a INIT collided with us and somewhere the peer sent the 2039 * cookie on another address besides the single address our assoc 2040 * had for him. In this case we will have one of the tie-tags set at 2041 * least AND the address field in the cookie can be used to look it 2042 * up. 2043 */ 2044 to = NULL; 2045 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 2046 memset(&sin6, 0, sizeof(sin6)); 2047 sin6.sin6_family = AF_INET6; 2048 sin6.sin6_len = sizeof(sin6); 2049 sin6.sin6_port = sh->src_port; 2050 sin6.sin6_scope_id = cookie->scope_id; 2051 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2052 sizeof(sin6.sin6_addr.s6_addr)); 2053 to = (struct sockaddr *)&sin6; 2054 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2055 memset(&sin, 0, sizeof(sin)); 2056 sin.sin_family = AF_INET; 2057 sin.sin_len = sizeof(sin); 2058 sin.sin_port = sh->src_port; 2059 sin.sin_addr.s_addr = cookie->address[0]; 2060 to = (struct sockaddr *)&sin; 2061 } 2062 if ((*stcb == NULL) && to) { 2063 /* Yep, lets check */ 2064 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2065 if (*stcb == NULL) { 2066 /* 2067 * We should have only got back the same inp. If we 2068 * got back a different ep we have a problem. The 2069 * original findep got back l_inp and now 2070 */ 2071 if (l_inp != *inp_p) { 2072 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 2073 } 2074 } else { 2075 if (*locked_tcb == NULL) { 2076 /* 2077 * In this case we found the assoc only 2078 * after we locked the create lock. This 2079 * means we are in a colliding case and we 2080 * must make sure that we unlock the tcb if 2081 * its one of the cases where we throw away 2082 * the incoming packets. 2083 */ 2084 *locked_tcb = *stcb; 2085 2086 /* 2087 * We must also increment the inp ref count 2088 * since the ref_count flags was set when we 2089 * did not find the TCB, now we found it 2090 * which reduces the refcount.. we must 2091 * raise it back out to balance it all :-) 2092 */ 2093 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2094 if ((*stcb)->sctp_ep != l_inp) { 2095 printf("Huh? ep:%p diff then l_inp:%p?\n", 2096 (*stcb)->sctp_ep, l_inp); 2097 } 2098 } 2099 } 2100 } 2101 cookie_len -= SCTP_SIGNATURE_SIZE; 2102 if (*stcb == NULL) { 2103 /* this is the "normal" case... get a new TCB */ 2104 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2105 cookie_len, *inp_p, netp, to, ¬ification, 2106 auth_skipped, auth_offset, auth_len); 2107 } else { 2108 /* this is abnormal... cookie-echo on existing TCB */ 2109 had_a_existing_tcb = 1; 2110 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2111 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, 2112 &sac_restart_id); 2113 } 2114 2115 if (*stcb == NULL) { 2116 /* still no TCB... must be bad cookie-echo */ 2117 return (NULL); 2118 } 2119 /* 2120 * Ok, we built an association so confirm the address we sent the 2121 * INIT-ACK to. 2122 */ 2123 netl = sctp_findnet(*stcb, to); 2124 /* 2125 * This code should in theory NOT run but 2126 */ 2127 if (netl == NULL) { 2128 /* TSNH! Huh, why do I need to add this address here? */ 2129 int ret; 2130 2131 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2132 SCTP_IN_COOKIE_PROC); 2133 netl = sctp_findnet(*stcb, to); 2134 } 2135 if (netl) { 2136 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2137 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2138 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2139 netl); 2140 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2141 (*stcb), 0, (void *)netl); 2142 } 2143 } 2144 if (*stcb) { 2145 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2146 *stcb, NULL); 2147 } 2148 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2149 if (!had_a_existing_tcb || 2150 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2151 /* 2152 * If we have a NEW cookie or the connect never 2153 * reached the connected state during collision we 2154 * must do the TCP accept thing. 2155 */ 2156 struct socket *so, *oso; 2157 struct sctp_inpcb *inp; 2158 2159 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2160 /* 2161 * For a restart we will keep the same 2162 * socket, no need to do anything. I THINK!! 2163 */ 2164 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2165 return (m); 2166 } 2167 oso = (*inp_p)->sctp_socket; 2168 /* 2169 * We do this to keep the sockets side happy durin 2170 * the sonewcon ONLY. 2171 */ 2172 NET_LOCK_GIANT(); 2173 SCTP_TCB_UNLOCK((*stcb)); 2174 so = sonewconn(oso, 0 2175 ); 2176 NET_UNLOCK_GIANT(); 2177 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2178 SCTP_TCB_LOCK((*stcb)); 2179 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2180 if (so == NULL) { 2181 struct mbuf *op_err; 2182 2183 /* Too many sockets */ 2184#ifdef SCTP_DEBUG 2185 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2186 printf("process_cookie_new: no room for another socket!\n"); 2187 } 2188#endif /* SCTP_DEBUG */ 2189 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2190 sctp_abort_association(*inp_p, NULL, m, iphlen, 2191 sh, op_err); 2192 sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2193 return (NULL); 2194 } 2195 inp = (struct sctp_inpcb *)so->so_pcb; 2196 SCTP_INP_INCR_REF(inp); 2197 /* 2198 * We add the unbound flag here so that if we get an 2199 * soabort() before we get the move_pcb done, we 2200 * will properly cleanup. 2201 */ 2202 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2203 SCTP_PCB_FLAGS_CONNECTED | 2204 SCTP_PCB_FLAGS_IN_TCPPOOL | 2205 SCTP_PCB_FLAGS_UNBOUND | 2206 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2207 SCTP_PCB_FLAGS_DONT_WAKE); 2208 inp->sctp_features = (*inp_p)->sctp_features; 2209 inp->sctp_socket = so; 2210 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2211 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2212 inp->sctp_context = (*inp_p)->sctp_context; 2213 inp->inp_starting_point_for_iterator = NULL; 2214 /* 2215 * copy in the authentication parameters from the 2216 * original endpoint 2217 */ 2218 if (inp->sctp_ep.local_hmacs) 2219 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2220 inp->sctp_ep.local_hmacs = 2221 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2222 if (inp->sctp_ep.local_auth_chunks) 2223 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2224 inp->sctp_ep.local_auth_chunks = 2225 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2226 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2227 &inp->sctp_ep.shared_keys); 2228 2229 /* 2230 * Now we must move it from one hash table to 2231 * another and get the tcb in the right place. 2232 */ 2233 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2234 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, M_NOWAIT); 2235 2236 /* 2237 * now we must check to see if we were aborted while 2238 * the move was going on and the lock/unlock 2239 * happened. 2240 */ 2241 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2242 /* 2243 * yep it was, we leave the assoc attached 2244 * to the socket since the sctp_inpcb_free() 2245 * call will send an abort for us. 2246 */ 2247 SCTP_INP_DECR_REF(inp); 2248 return (NULL); 2249 } 2250 SCTP_INP_DECR_REF(inp); 2251 /* Switch over to the new guy */ 2252 *inp_p = inp; 2253 sctp_ulp_notify(notification, *stcb, 0, NULL); 2254 2255 /* 2256 * Pull it from the incomplete queue and wake the 2257 * guy 2258 */ 2259 soisconnected(so); 2260 return (m); 2261 } 2262 } 2263 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2264 sctp_ulp_notify(notification, *stcb, 0, NULL); 2265 } 2266 return (m); 2267} 2268 2269static void 2270sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2271 struct sctp_tcb *stcb, struct sctp_nets *net) 2272{ 2273 /* cp must not be used, others call this without a c-ack :-) */ 2274 struct sctp_association *asoc; 2275 2276#ifdef SCTP_DEBUG 2277 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2278 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2279 } 2280#endif 2281 if (stcb == NULL) 2282 return; 2283 2284 asoc = &stcb->asoc; 2285 2286 sctp_stop_all_cookie_timers(stcb); 2287 /* process according to association state */ 2288 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2289 /* state change only needed when I am in right state */ 2290#ifdef SCTP_DEBUG 2291 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2292 printf("moving to OPEN state\n"); 2293 } 2294#endif 2295 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2296 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2297 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2298 stcb->sctp_ep, stcb, asoc->primary_destination); 2299 2300 } else { 2301 asoc->state = SCTP_STATE_OPEN; 2302 } 2303 /* update RTO */ 2304 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2305 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2306 if (asoc->overall_error_count == 0) { 2307 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2308 &asoc->time_entered); 2309 } 2310 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2311 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2312 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2313 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2314 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2315 soisconnected(stcb->sctp_ep->sctp_socket); 2316 } 2317 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2318 stcb, net); 2319 /* 2320 * since we did not send a HB make sure we don't double 2321 * things 2322 */ 2323 net->hb_responded = 1; 2324 2325 if (stcb->asoc.sctp_autoclose_ticks && 2326 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2327 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2328 stcb->sctp_ep, stcb, NULL); 2329 } 2330 /* 2331 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2332 * addresses changed when init/cookie echo in flight) 2333 */ 2334 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2335 (stcb->asoc.peer_supports_asconf) && 2336 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2337 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2338 stcb->sctp_ep, stcb, 2339 stcb->asoc.primary_destination); 2340 } 2341 } 2342 /* Toss the cookie if I can */ 2343 sctp_toss_old_cookies(stcb, asoc); 2344 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2345 /* Restart the timer if we have pending data */ 2346 struct sctp_tmit_chunk *chk; 2347 2348 chk = TAILQ_FIRST(&asoc->sent_queue); 2349 if (chk) { 2350 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2351 stcb, chk->whoTo); 2352 } 2353 } 2354} 2355 2356static void 2357sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2358 struct sctp_tcb *stcb) 2359{ 2360 struct sctp_nets *net; 2361 struct sctp_tmit_chunk *lchk; 2362 uint32_t tsn; 2363 2364 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2365 return; 2366 } 2367 SCTP_STAT_INCR(sctps_recvecne); 2368 tsn = ntohl(cp->tsn); 2369 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2370 /* Also we make sure we disable the nonce_wait */ 2371 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2372 if (lchk == NULL) { 2373 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2374 } else { 2375 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2376 } 2377 stcb->asoc.nonce_wait_for_ecne = 0; 2378 stcb->asoc.nonce_sum_check = 0; 2379 2380 /* Find where it was sent, if possible */ 2381 net = NULL; 2382 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2383 while (lchk) { 2384 if (lchk->rec.data.TSN_seq == tsn) { 2385 net = lchk->whoTo; 2386 break; 2387 } 2388 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2389 break; 2390 lchk = TAILQ_NEXT(lchk, sctp_next); 2391 } 2392 if (net == NULL) 2393 /* default is we use the primary */ 2394 net = stcb->asoc.primary_destination; 2395 2396 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2397#ifdef SCTP_CWND_MONITOR 2398 int old_cwnd; 2399 2400 old_cwnd = net->cwnd; 2401#endif 2402 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2403 net->ssthresh = net->cwnd / 2; 2404 if (net->ssthresh < net->mtu) { 2405 net->ssthresh = net->mtu; 2406 /* here back off the timer as well, to slow us down */ 2407 net->RTO <<= 2; 2408 } 2409 net->cwnd = net->ssthresh; 2410#ifdef SCTP_CWND_MONITOR 2411 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2412#endif 2413 /* 2414 * we reduce once every RTT. So we will only lower cwnd at 2415 * the next sending seq i.e. the resync_tsn. 2416 */ 2417 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2418 } 2419 /* 2420 * We always send a CWR this way if our previous one was lost our 2421 * peer will get an update, or if it is not time again to reduce we 2422 * still get the cwr to the peer. 2423 */ 2424 sctp_send_cwr(stcb, net, tsn); 2425} 2426 2427static void 2428sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2429{ 2430 /* 2431 * Here we get a CWR from the peer. We must look in the outqueue and 2432 * make sure that we have a covered ECNE in teh control chunk part. 2433 * If so remove it. 2434 */ 2435 struct sctp_tmit_chunk *chk; 2436 struct sctp_ecne_chunk *ecne; 2437 2438 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2439 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2440 continue; 2441 } 2442 /* 2443 * Look for and remove if it is the right TSN. Since there 2444 * is only ONE ECNE on the control queue at any one time we 2445 * don't need to worry about more than one! 2446 */ 2447 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2448 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2449 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2450 /* this covers this ECNE, we can remove it */ 2451 stcb->asoc.ecn_echo_cnt_onq--; 2452 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2453 sctp_next); 2454 if (chk->data) { 2455 sctp_m_freem(chk->data); 2456 chk->data = NULL; 2457 } 2458 stcb->asoc.ctrl_queue_cnt--; 2459 sctp_free_remote_addr(chk->whoTo); 2460 sctp_free_a_chunk(stcb, chk); 2461 break; 2462 } 2463 } 2464} 2465 2466static void 2467sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2468 struct sctp_tcb *stcb, struct sctp_nets *net) 2469{ 2470 struct sctp_association *asoc; 2471 2472#ifdef SCTP_DEBUG 2473 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2474 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2475 } 2476#endif 2477 if (stcb == NULL) 2478 return; 2479 2480 asoc = &stcb->asoc; 2481 /* process according to association state */ 2482 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2483 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2484 SCTP_TCB_UNLOCK(stcb); 2485 return; 2486 } 2487 /* notify upper layer protocol */ 2488 if (stcb->sctp_socket) { 2489 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2490 /* are the queues empty? they should be */ 2491 if (!TAILQ_EMPTY(&asoc->send_queue) || 2492 !TAILQ_EMPTY(&asoc->sent_queue) || 2493 !TAILQ_EMPTY(&asoc->out_wheel)) { 2494 sctp_report_all_outbound(stcb, 0); 2495 } 2496 } 2497 /* stop the timer */ 2498 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_21); 2499 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2500 /* free the TCB */ 2501 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2502 return; 2503} 2504 2505static int 2506process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2507 struct sctp_nets *net, uint8_t flg) 2508{ 2509 switch (desc->chunk_type) { 2510 case SCTP_DATA: 2511 /* find the tsn to resend (possibly */ 2512 { 2513 uint32_t tsn; 2514 struct sctp_tmit_chunk *tp1; 2515 2516 tsn = ntohl(desc->tsn_ifany); 2517 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2518 while (tp1) { 2519 if (tp1->rec.data.TSN_seq == tsn) { 2520 /* found it */ 2521 break; 2522 } 2523 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2524 MAX_TSN)) { 2525 /* not found */ 2526 tp1 = NULL; 2527 break; 2528 } 2529 tp1 = TAILQ_NEXT(tp1, sctp_next); 2530 } 2531 if (tp1 == NULL) { 2532 /* 2533 * Do it the other way , aka without paying 2534 * attention to queue seq order. 2535 */ 2536 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2537 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2538 while (tp1) { 2539 if (tp1->rec.data.TSN_seq == tsn) { 2540 /* found it */ 2541 break; 2542 } 2543 tp1 = TAILQ_NEXT(tp1, sctp_next); 2544 } 2545 } 2546 if (tp1 == NULL) { 2547 SCTP_STAT_INCR(sctps_pdrptsnnf); 2548 } 2549 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2550 uint8_t *ddp; 2551 2552 if ((stcb->asoc.peers_rwnd == 0) && 2553 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2554 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2555 return (0); 2556 } 2557 if (stcb->asoc.peers_rwnd == 0 && 2558 (flg & SCTP_FROM_MIDDLE_BOX)) { 2559 SCTP_STAT_INCR(sctps_pdrpdizrw); 2560 return (0); 2561 } 2562 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2563 sizeof(struct sctp_data_chunk)); 2564 { 2565 unsigned int iii; 2566 2567 for (iii = 0; iii < sizeof(desc->data_bytes); 2568 iii++) { 2569 if (ddp[iii] != desc->data_bytes[iii]) { 2570 SCTP_STAT_INCR(sctps_pdrpbadd); 2571 return (-1); 2572 } 2573 } 2574 } 2575 /* 2576 * We zero out the nonce so resync not 2577 * needed 2578 */ 2579 tp1->rec.data.ect_nonce = 0; 2580 2581 if (tp1->do_rtt) { 2582 /* 2583 * this guy had a RTO calculation 2584 * pending on it, cancel it 2585 */ 2586 tp1->do_rtt = 0; 2587 } 2588 SCTP_STAT_INCR(sctps_pdrpmark); 2589 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2590 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2591 tp1->sent = SCTP_DATAGRAM_RESEND; 2592 /* 2593 * mark it as if we were doing a FR, since 2594 * we will be getting gap ack reports behind 2595 * the info from the router. 2596 */ 2597 tp1->rec.data.doing_fast_retransmit = 1; 2598 /* 2599 * mark the tsn with what sequences can 2600 * cause a new FR. 2601 */ 2602 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2603 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2604 } else { 2605 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2606 } 2607 2608 /* restart the timer */ 2609 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2610 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2611 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2612 stcb, tp1->whoTo); 2613 2614 /* fix counts and things */ 2615#ifdef SCTP_FLIGHT_LOGGING 2616 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 2617 tp1->whoTo->flight_size, 2618 tp1->book_size, 2619 (uintptr_t) stcb, 2620 tp1->rec.data.TSN_seq); 2621#endif 2622 sctp_flight_size_decrease(tp1); 2623 sctp_total_flight_decrease(stcb, tp1); 2624 } { 2625 /* audit code */ 2626 unsigned int audit; 2627 2628 audit = 0; 2629 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2630 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2631 audit++; 2632 } 2633 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2634 sctp_next) { 2635 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2636 audit++; 2637 } 2638 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2639 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2640 audit, stcb->asoc.sent_queue_retran_cnt); 2641#ifndef SCTP_AUDITING_ENABLED 2642 stcb->asoc.sent_queue_retran_cnt = audit; 2643#endif 2644 } 2645 } 2646 } 2647 break; 2648 case SCTP_ASCONF: 2649 { 2650 struct sctp_tmit_chunk *asconf; 2651 2652 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2653 sctp_next) { 2654 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2655 break; 2656 } 2657 } 2658 if (asconf) { 2659 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2660 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2661 asconf->sent = SCTP_DATAGRAM_RESEND; 2662 asconf->snd_count--; 2663 } 2664 } 2665 break; 2666 case SCTP_INITIATION: 2667 /* resend the INIT */ 2668 stcb->asoc.dropped_special_cnt++; 2669 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2670 /* 2671 * If we can get it in, in a few attempts we do 2672 * this, otherwise we let the timer fire. 2673 */ 2674 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2675 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 2676 sctp_send_initiate(stcb->sctp_ep, stcb); 2677 } 2678 break; 2679 case SCTP_SELECTIVE_ACK: 2680 /* resend the sack */ 2681 sctp_send_sack(stcb); 2682 break; 2683 case SCTP_HEARTBEAT_REQUEST: 2684 /* resend a demand HB */ 2685 sctp_send_hb(stcb, 1, net); 2686 break; 2687 case SCTP_SHUTDOWN: 2688 sctp_send_shutdown(stcb, net); 2689 break; 2690 case SCTP_SHUTDOWN_ACK: 2691 sctp_send_shutdown_ack(stcb, net); 2692 break; 2693 case SCTP_COOKIE_ECHO: 2694 { 2695 struct sctp_tmit_chunk *cookie; 2696 2697 cookie = NULL; 2698 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2699 sctp_next) { 2700 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2701 break; 2702 } 2703 } 2704 if (cookie) { 2705 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2706 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2707 cookie->sent = SCTP_DATAGRAM_RESEND; 2708 sctp_stop_all_cookie_timers(stcb); 2709 } 2710 } 2711 break; 2712 case SCTP_COOKIE_ACK: 2713 sctp_send_cookie_ack(stcb); 2714 break; 2715 case SCTP_ASCONF_ACK: 2716 /* resend last asconf ack */ 2717 sctp_send_asconf_ack(stcb, 1); 2718 break; 2719 case SCTP_FORWARD_CUM_TSN: 2720 send_forward_tsn(stcb, &stcb->asoc); 2721 break; 2722 /* can't do anything with these */ 2723 case SCTP_PACKET_DROPPED: 2724 case SCTP_INITIATION_ACK: /* this should not happen */ 2725 case SCTP_HEARTBEAT_ACK: 2726 case SCTP_ABORT_ASSOCIATION: 2727 case SCTP_OPERATION_ERROR: 2728 case SCTP_SHUTDOWN_COMPLETE: 2729 case SCTP_ECN_ECHO: 2730 case SCTP_ECN_CWR: 2731 default: 2732 break; 2733 } 2734 return (0); 2735} 2736 2737void 2738sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2739{ 2740 int i; 2741 uint16_t temp; 2742 2743 /* 2744 * We set things to 0xffff since this is the last delivered sequence 2745 * and we will be sending in 0 after the reset. 2746 */ 2747 2748 if (number_entries) { 2749 for (i = 0; i < number_entries; i++) { 2750 temp = ntohs(list[i]); 2751 if (temp >= stcb->asoc.streamincnt) { 2752 continue; 2753 } 2754 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2755 } 2756 } else { 2757 list = NULL; 2758 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2759 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2760 } 2761 } 2762 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2763} 2764 2765static void 2766sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2767{ 2768 int i; 2769 2770 if (number_entries == 0) { 2771 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2772 stcb->asoc.strmout[i].next_sequence_sent = 0; 2773 } 2774 } else if (number_entries) { 2775 for (i = 0; i < number_entries; i++) { 2776 uint16_t temp; 2777 2778 temp = ntohs(list[i]); 2779 if (temp >= stcb->asoc.streamoutcnt) { 2780 /* no such stream */ 2781 continue; 2782 } 2783 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2784 } 2785 } 2786 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2787} 2788 2789 2790struct sctp_stream_reset_out_request * 2791sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2792{ 2793 struct sctp_association *asoc; 2794 struct sctp_stream_reset_out_req *req; 2795 struct sctp_stream_reset_out_request *r; 2796 struct sctp_tmit_chunk *chk; 2797 int len, clen; 2798 2799 asoc = &stcb->asoc; 2800 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2801 asoc->stream_reset_outstanding = 0; 2802 return (NULL); 2803 } 2804 if (stcb->asoc.str_reset == NULL) { 2805 asoc->stream_reset_outstanding = 0; 2806 return (NULL); 2807 } 2808 chk = stcb->asoc.str_reset; 2809 if (chk->data == NULL) { 2810 return (NULL); 2811 } 2812 if (bchk) { 2813 /* he wants a copy of the chk pointer */ 2814 *bchk = chk; 2815 } 2816 clen = chk->send_size; 2817 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2818 r = &req->sr_req; 2819 if (ntohl(r->request_seq) == seq) { 2820 /* found it */ 2821 return (r); 2822 } 2823 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2824 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2825 /* move to the next one, there can only be a max of two */ 2826 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2827 if (ntohl(r->request_seq) == seq) { 2828 return (r); 2829 } 2830 } 2831 /* that seq is not here */ 2832 return (NULL); 2833} 2834 2835static void 2836sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2837{ 2838 struct sctp_association *asoc; 2839 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2840 2841 if (stcb->asoc.str_reset == NULL) { 2842 return; 2843 } 2844 asoc = &stcb->asoc; 2845 2846 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 2847 TAILQ_REMOVE(&asoc->control_send_queue, 2848 chk, 2849 sctp_next); 2850 if (chk->data) { 2851 sctp_m_freem(chk->data); 2852 chk->data = NULL; 2853 } 2854 asoc->ctrl_queue_cnt--; 2855 sctp_free_remote_addr(chk->whoTo); 2856 2857 sctp_free_a_chunk(stcb, chk); 2858 stcb->asoc.str_reset = NULL; 2859} 2860 2861 2862static int 2863sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2864 uint32_t seq, uint32_t action, 2865 struct sctp_stream_reset_response *respin) 2866{ 2867 uint16_t type; 2868 int lparm_len; 2869 struct sctp_association *asoc = &stcb->asoc; 2870 struct sctp_tmit_chunk *chk; 2871 struct sctp_stream_reset_out_request *srparam; 2872 int number_entries; 2873 2874 if (asoc->stream_reset_outstanding == 0) { 2875 /* duplicate */ 2876 return (0); 2877 } 2878 if (seq == stcb->asoc.str_reset_seq_out) { 2879 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2880 if (srparam) { 2881 stcb->asoc.str_reset_seq_out++; 2882 type = ntohs(srparam->ph.param_type); 2883 lparm_len = ntohs(srparam->ph.param_length); 2884 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2885 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2886 asoc->stream_reset_out_is_outstanding = 0; 2887 if (asoc->stream_reset_outstanding) 2888 asoc->stream_reset_outstanding--; 2889 if (action == SCTP_STREAM_RESET_PERFORMED) { 2890 /* do it */ 2891 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2892 } else { 2893 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2894 } 2895 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2896 /* Answered my request */ 2897 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 2898 if (asoc->stream_reset_outstanding) 2899 asoc->stream_reset_outstanding--; 2900 if (action != SCTP_STREAM_RESET_PERFORMED) { 2901 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2902 } 2903 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2904 /** 2905 * a) Adopt the new in tsn. 2906 * b) reset the map 2907 * c) Adopt the new out-tsn 2908 */ 2909 struct sctp_stream_reset_response_tsn *resp; 2910 struct sctp_forward_tsn_chunk fwdtsn; 2911 int abort_flag = 0; 2912 2913 if (respin == NULL) { 2914 /* huh ? */ 2915 return (0); 2916 } 2917 if (action == SCTP_STREAM_RESET_PERFORMED) { 2918 resp = (struct sctp_stream_reset_response_tsn *)respin; 2919 asoc->stream_reset_outstanding--; 2920 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2921 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2922 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2923 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2924 if (abort_flag) { 2925 return (1); 2926 } 2927 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2928 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2929 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2930 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2931 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2932 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2933 2934 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2935 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2936 2937 } 2938 } 2939 /* get rid of the request and get the request flags */ 2940 if (asoc->stream_reset_outstanding == 0) { 2941 sctp_clean_up_stream_reset(stcb); 2942 } 2943 } 2944 } 2945 return (0); 2946} 2947 2948static void 2949sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2950 struct sctp_tmit_chunk *chk, 2951 struct sctp_stream_reset_in_request *req) 2952{ 2953 uint32_t seq; 2954 int len, i; 2955 int number_entries; 2956 uint16_t temp; 2957 2958 /* 2959 * peer wants me to send a str-reset to him for my outgoing seq's if 2960 * seq_in is right. 2961 */ 2962 struct sctp_association *asoc = &stcb->asoc; 2963 2964 seq = ntohl(req->request_seq); 2965 if (asoc->str_reset_seq_in == seq) { 2966 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2967 len = ntohs(req->ph.param_length); 2968 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2969 for (i = 0; i < number_entries; i++) { 2970 temp = ntohs(req->list_of_streams[i]); 2971 req->list_of_streams[i] = temp; 2972 } 2973 /* move the reset action back one */ 2974 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2975 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2976 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2977 asoc->str_reset_seq_out, 2978 seq, (asoc->sending_seq - 1)); 2979 asoc->stream_reset_out_is_outstanding = 1; 2980 asoc->str_reset = chk; 2981 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2982 stcb->asoc.stream_reset_outstanding++; 2983 } else { 2984 /* Can't do it, since we have sent one out */ 2985 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2986 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 2987 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2988 } 2989 asoc->str_reset_seq_in++; 2990 } else if (asoc->str_reset_seq_in - 1 == seq) { 2991 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2992 } else if (asoc->str_reset_seq_in - 2 == seq) { 2993 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2994 } else { 2995 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2996 } 2997} 2998 2999static int 3000sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 3001 struct sctp_tmit_chunk *chk, 3002 struct sctp_stream_reset_tsn_request *req) 3003{ 3004 /* reset all in and out and update the tsn */ 3005 /* 3006 * A) reset my str-seq's on in and out. B) Select a receive next, 3007 * and set cum-ack to it. Also process this selected number as a 3008 * fwd-tsn as well. C) set in the response my next sending seq. 3009 */ 3010 struct sctp_forward_tsn_chunk fwdtsn; 3011 struct sctp_association *asoc = &stcb->asoc; 3012 int abort_flag = 0; 3013 uint32_t seq; 3014 3015 seq = ntohl(req->request_seq); 3016 if (asoc->str_reset_seq_in == seq) { 3017 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3018 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3019 fwdtsn.ch.chunk_flags = 0; 3020 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3021 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 3022 if (abort_flag) { 3023 return (1); 3024 } 3025 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3026 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3027 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 3028 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3029 atomic_add_int(&stcb->asoc.sending_seq, 1); 3030 /* save off historical data for retrans */ 3031 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 3032 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 3033 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 3034 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 3035 3036 sctp_add_stream_reset_result_tsn(chk, 3037 ntohl(req->request_seq), 3038 SCTP_STREAM_RESET_PERFORMED, 3039 stcb->asoc.sending_seq, 3040 stcb->asoc.mapping_array_base_tsn); 3041 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3042 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3043 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3044 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3045 3046 asoc->str_reset_seq_in++; 3047 } else if (asoc->str_reset_seq_in - 1 == seq) { 3048 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3049 stcb->asoc.last_sending_seq[0], 3050 stcb->asoc.last_base_tsnsent[0] 3051 ); 3052 } else if (asoc->str_reset_seq_in - 2 == seq) { 3053 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3054 stcb->asoc.last_sending_seq[1], 3055 stcb->asoc.last_base_tsnsent[1] 3056 ); 3057 } else { 3058 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3059 } 3060 return (0); 3061} 3062 3063static void 3064sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3065 struct sctp_tmit_chunk *chk, 3066 struct sctp_stream_reset_out_request *req) 3067{ 3068 uint32_t seq, tsn; 3069 int number_entries, len; 3070 struct sctp_association *asoc = &stcb->asoc; 3071 3072 seq = ntohl(req->request_seq); 3073 3074 /* now if its not a duplicate we process it */ 3075 if (asoc->str_reset_seq_in == seq) { 3076 len = ntohs(req->ph.param_length); 3077 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3078 /* 3079 * the sender is resetting, handle the list issue.. we must 3080 * a) verify if we can do the reset, if so no problem b) If 3081 * we can't do the reset we must copy the request. c) queue 3082 * it, and setup the data in processor to trigger it off 3083 * when needed and dequeue all the queued data. 3084 */ 3085 tsn = ntohl(req->send_reset_at_tsn); 3086 3087 /* move the reset action back one */ 3088 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3089 if ((tsn == asoc->cumulative_tsn) || 3090 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3091 /* we can do it now */ 3092 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3093 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3094 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3095 } else { 3096 /* 3097 * we must queue it up and thus wait for the TSN's 3098 * to arrive that are at or before tsn 3099 */ 3100 struct sctp_stream_reset_list *liste; 3101 int siz; 3102 3103 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3104 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3105 siz, "StrRstList"); 3106 if (liste == NULL) { 3107 /* gak out of memory */ 3108 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3109 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3110 return; 3111 } 3112 liste->tsn = tsn; 3113 liste->number_entries = number_entries; 3114 memcpy(&liste->req, req, 3115 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3116 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3117 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3118 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3119 } 3120 asoc->str_reset_seq_in++; 3121 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3122 /* 3123 * one seq back, just echo back last action since my 3124 * response was lost. 3125 */ 3126 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3127 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3128 /* 3129 * two seq back, just echo back last action since my 3130 * response was lost. 3131 */ 3132 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3133 } else { 3134 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3135 } 3136} 3137 3138static int 3139sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 3140{ 3141 int chk_length, param_len, ptype; 3142 uint32_t seq; 3143 int num_req = 0; 3144 struct sctp_tmit_chunk *chk; 3145 struct sctp_chunkhdr *ch; 3146 struct sctp_paramhdr *ph; 3147 int ret_code = 0; 3148 int num_param = 0; 3149 3150 /* now it may be a reset or a reset-response */ 3151 chk_length = ntohs(sr_req->ch.chunk_length); 3152 3153 /* setup for adding the response */ 3154 sctp_alloc_a_chunk(stcb, chk); 3155 if (chk == NULL) { 3156 return (ret_code); 3157 } 3158 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3159 chk->rec.chunk_id.can_take_data = 0; 3160 chk->asoc = &stcb->asoc; 3161 chk->no_fr_allowed = 0; 3162 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3163 chk->book_size_scale = 0; 3164 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3165 if (chk->data == NULL) { 3166strres_nochunk: 3167 if (chk->data) { 3168 sctp_m_freem(chk->data); 3169 chk->data = NULL; 3170 } 3171 sctp_free_a_chunk(stcb, chk); 3172 return (ret_code); 3173 } 3174 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3175 3176 /* setup chunk parameters */ 3177 chk->sent = SCTP_DATAGRAM_UNSENT; 3178 chk->snd_count = 0; 3179 chk->whoTo = stcb->asoc.primary_destination; 3180 atomic_add_int(&chk->whoTo->ref_count, 1); 3181 3182 ch = mtod(chk->data, struct sctp_chunkhdr *); 3183 ch->chunk_type = SCTP_STREAM_RESET; 3184 ch->chunk_flags = 0; 3185 ch->chunk_length = htons(chk->send_size); 3186 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3187 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3188 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3189 param_len = ntohs(ph->param_length); 3190 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3191 /* bad param */ 3192 break; 3193 } 3194 ptype = ntohs(ph->param_type); 3195 num_param++; 3196 if (num_param > SCTP_MAX_RESET_PARAMS) { 3197 /* hit the max of parameters already sorry.. */ 3198 break; 3199 } 3200 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3201 struct sctp_stream_reset_out_request *req_out; 3202 3203 req_out = (struct sctp_stream_reset_out_request *)ph; 3204 num_req++; 3205 if (stcb->asoc.stream_reset_outstanding) { 3206 seq = ntohl(req_out->response_seq); 3207 if (seq == stcb->asoc.str_reset_seq_out) { 3208 /* implicit ack */ 3209 sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3210 } 3211 } 3212 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3213 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3214 struct sctp_stream_reset_in_request *req_in; 3215 3216 num_req++; 3217 req_in = (struct sctp_stream_reset_in_request *)ph; 3218 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3219 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3220 struct sctp_stream_reset_tsn_request *req_tsn; 3221 3222 num_req++; 3223 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3224 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3225 ret_code = 1; 3226 goto strres_nochunk; 3227 } 3228 /* no more */ 3229 break; 3230 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3231 struct sctp_stream_reset_response *resp; 3232 uint32_t result; 3233 3234 resp = (struct sctp_stream_reset_response *)ph; 3235 seq = ntohl(resp->response_seq); 3236 result = ntohl(resp->result); 3237 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3238 ret_code = 1; 3239 goto strres_nochunk; 3240 } 3241 } else { 3242 break; 3243 } 3244 3245 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3246 chk_length -= SCTP_SIZE32(param_len); 3247 } 3248 if (num_req == 0) { 3249 /* we have no response free the stuff */ 3250 goto strres_nochunk; 3251 } 3252 /* ok we have a chunk to link in */ 3253 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3254 chk, 3255 sctp_next); 3256 stcb->asoc.ctrl_queue_cnt++; 3257 return (ret_code); 3258} 3259 3260/* 3261 * Handle a router or endpoints report of a packet loss, there are two ways 3262 * to handle this, either we get the whole packet and must disect it 3263 * ourselves (possibly with truncation and or corruption) or it is a summary 3264 * from a middle box that did the disectting for us. 3265 */ 3266static void 3267sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3268 struct sctp_tcb *stcb, struct sctp_nets *net) 3269{ 3270 uint32_t bottle_bw, on_queue; 3271 uint16_t trunc_len; 3272 unsigned int chlen; 3273 unsigned int at; 3274 struct sctp_chunk_desc desc; 3275 struct sctp_chunkhdr *ch; 3276 3277 chlen = ntohs(cp->ch.chunk_length); 3278 chlen -= sizeof(struct sctp_pktdrop_chunk); 3279 /* XXX possible chlen underflow */ 3280 if (chlen == 0) { 3281 ch = NULL; 3282 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3283 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3284 } else { 3285 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3286 chlen -= sizeof(struct sctphdr); 3287 /* XXX possible chlen underflow */ 3288 memset(&desc, 0, sizeof(desc)); 3289 } 3290 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3291 /* now the chunks themselves */ 3292 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3293 desc.chunk_type = ch->chunk_type; 3294 /* get amount we need to move */ 3295 at = ntohs(ch->chunk_length); 3296 if (at < sizeof(struct sctp_chunkhdr)) { 3297 /* corrupt chunk, maybe at the end? */ 3298 SCTP_STAT_INCR(sctps_pdrpcrupt); 3299 break; 3300 } 3301 if (trunc_len == 0) { 3302 /* we are supposed to have all of it */ 3303 if (at > chlen) { 3304 /* corrupt skip it */ 3305 SCTP_STAT_INCR(sctps_pdrpcrupt); 3306 break; 3307 } 3308 } else { 3309 /* is there enough of it left ? */ 3310 if (desc.chunk_type == SCTP_DATA) { 3311 if (chlen < (sizeof(struct sctp_data_chunk) + 3312 sizeof(desc.data_bytes))) { 3313 break; 3314 } 3315 } else { 3316 if (chlen < sizeof(struct sctp_chunkhdr)) { 3317 break; 3318 } 3319 } 3320 } 3321 if (desc.chunk_type == SCTP_DATA) { 3322 /* can we get out the tsn? */ 3323 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3324 SCTP_STAT_INCR(sctps_pdrpmbda); 3325 3326 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3327 /* yep */ 3328 struct sctp_data_chunk *dcp; 3329 uint8_t *ddp; 3330 unsigned int iii; 3331 3332 dcp = (struct sctp_data_chunk *)ch; 3333 ddp = (uint8_t *) (dcp + 1); 3334 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3335 desc.data_bytes[iii] = ddp[iii]; 3336 } 3337 desc.tsn_ifany = dcp->dp.tsn; 3338 } else { 3339 /* nope we are done. */ 3340 SCTP_STAT_INCR(sctps_pdrpnedat); 3341 break; 3342 } 3343 } else { 3344 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3345 SCTP_STAT_INCR(sctps_pdrpmbct); 3346 } 3347 3348 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3349 SCTP_STAT_INCR(sctps_pdrppdbrk); 3350 break; 3351 } 3352 if (SCTP_SIZE32(at) > chlen) { 3353 break; 3354 } 3355 chlen -= SCTP_SIZE32(at); 3356 if (chlen < sizeof(struct sctp_chunkhdr)) { 3357 /* done, none left */ 3358 break; 3359 } 3360 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3361 } 3362 /* Now update any rwnd --- possibly */ 3363 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3364 /* From a peer, we get a rwnd report */ 3365 uint32_t a_rwnd; 3366 3367 SCTP_STAT_INCR(sctps_pdrpfehos); 3368 3369 bottle_bw = ntohl(cp->bottle_bw); 3370 on_queue = ntohl(cp->current_onq); 3371 if (bottle_bw && on_queue) { 3372 /* a rwnd report is in here */ 3373 if (bottle_bw > on_queue) 3374 a_rwnd = bottle_bw - on_queue; 3375 else 3376 a_rwnd = 0; 3377 3378 if (a_rwnd == 0) 3379 stcb->asoc.peers_rwnd = 0; 3380 else { 3381 if (a_rwnd > stcb->asoc.total_flight) { 3382 stcb->asoc.peers_rwnd = 3383 a_rwnd - stcb->asoc.total_flight; 3384 } else { 3385 stcb->asoc.peers_rwnd = 0; 3386 } 3387 if (stcb->asoc.peers_rwnd < 3388 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3389 /* SWS sender side engages */ 3390 stcb->asoc.peers_rwnd = 0; 3391 } 3392 } 3393 } 3394 } else { 3395 SCTP_STAT_INCR(sctps_pdrpfmbox); 3396 } 3397 3398 /* now middle boxes in sat networks get a cwnd bump */ 3399 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3400 (stcb->asoc.sat_t3_loss_recovery == 0) && 3401 (stcb->asoc.sat_network)) { 3402 /* 3403 * This is debateable but for sat networks it makes sense 3404 * Note if a T3 timer has went off, we will prohibit any 3405 * changes to cwnd until we exit the t3 loss recovery. 3406 */ 3407 uint32_t bw_avail; 3408 int rtt, incr; 3409 3410#ifdef SCTP_CWND_MONITOR 3411 int old_cwnd = net->cwnd; 3412 3413#endif 3414 /* need real RTT for this calc */ 3415 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3416 /* get bottle neck bw */ 3417 bottle_bw = ntohl(cp->bottle_bw); 3418 /* and whats on queue */ 3419 on_queue = ntohl(cp->current_onq); 3420 /* 3421 * adjust the on-queue if our flight is more it could be 3422 * that the router has not yet gotten data "in-flight" to it 3423 */ 3424 if (on_queue < net->flight_size) 3425 on_queue = net->flight_size; 3426 3427 /* calculate the available space */ 3428 bw_avail = (bottle_bw * rtt) / 1000; 3429 if (bw_avail > bottle_bw) { 3430 /* 3431 * Cap the growth to no more than the bottle neck. 3432 * This can happen as RTT slides up due to queues. 3433 * It also means if you have more than a 1 second 3434 * RTT with a empty queue you will be limited to the 3435 * bottle_bw per second no matter if other points 3436 * have 1/2 the RTT and you could get more out... 3437 */ 3438 bw_avail = bottle_bw; 3439 } 3440 if (on_queue > bw_avail) { 3441 /* 3442 * No room for anything else don't allow anything 3443 * else to be "added to the fire". 3444 */ 3445 int seg_inflight, seg_onqueue, my_portion; 3446 3447 net->partial_bytes_acked = 0; 3448 3449 /* how much are we over queue size? */ 3450 incr = on_queue - bw_avail; 3451 if (stcb->asoc.seen_a_sack_this_pkt) { 3452 /* 3453 * undo any cwnd adjustment that the sack 3454 * might have made 3455 */ 3456 net->cwnd = net->prev_cwnd; 3457 } 3458 /* Now how much of that is mine? */ 3459 seg_inflight = net->flight_size / net->mtu; 3460 seg_onqueue = on_queue / net->mtu; 3461 my_portion = (incr * seg_inflight) / seg_onqueue; 3462 3463 /* Have I made an adjustment already */ 3464 if (net->cwnd > net->flight_size) { 3465 /* 3466 * for this flight I made an adjustment we 3467 * need to decrease the portion by a share 3468 * our previous adjustment. 3469 */ 3470 int diff_adj; 3471 3472 diff_adj = net->cwnd - net->flight_size; 3473 if (diff_adj > my_portion) 3474 my_portion = 0; 3475 else 3476 my_portion -= diff_adj; 3477 } 3478 /* 3479 * back down to the previous cwnd (assume we have 3480 * had a sack before this packet). minus what ever 3481 * portion of the overage is my fault. 3482 */ 3483 net->cwnd -= my_portion; 3484 3485 /* we will NOT back down more than 1 MTU */ 3486 if (net->cwnd <= net->mtu) { 3487 net->cwnd = net->mtu; 3488 } 3489 /* force into CA */ 3490 net->ssthresh = net->cwnd - 1; 3491 } else { 3492 /* 3493 * Take 1/4 of the space left or max burst up .. 3494 * whichever is less. 3495 */ 3496 incr = min((bw_avail - on_queue) >> 2, 3497 (int)stcb->asoc.max_burst * (int)net->mtu); 3498 net->cwnd += incr; 3499 } 3500 if (net->cwnd > bw_avail) { 3501 /* We can't exceed the pipe size */ 3502 net->cwnd = bw_avail; 3503 } 3504 if (net->cwnd < net->mtu) { 3505 /* We always have 1 MTU */ 3506 net->cwnd = net->mtu; 3507 } 3508#ifdef SCTP_CWND_MONITOR 3509 if (net->cwnd - old_cwnd != 0) { 3510 /* log only changes */ 3511 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3512 SCTP_CWND_LOG_FROM_SAT); 3513 } 3514#endif 3515 } 3516} 3517 3518/* 3519 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3520 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3521 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3522 * length of the complete packet outputs: - length: modified to remaining 3523 * length after control processing - netp: modified to new sctp_nets after 3524 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3525 * bad packet,...) otherwise return the tcb for this packet 3526 */ 3527static struct sctp_tcb * 3528sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3529 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3530 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3531{ 3532 struct sctp_association *asoc; 3533 uint32_t vtag_in; 3534 int num_chunks = 0; /* number of control chunks processed */ 3535 int chk_length; 3536 int ret; 3537 int abort_no_unlock = 0; 3538 3539 /* 3540 * How big should this be, and should it be alloc'd? Lets try the 3541 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3542 * until we get into jumbo grams and such.. 3543 */ 3544 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 3545 struct sctp_tcb *locked_tcb = stcb; 3546 int got_auth = 0; 3547 uint32_t auth_offset = 0, auth_len = 0; 3548 int auth_skipped = 0; 3549 3550#ifdef SCTP_DEBUG 3551 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3552 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3553 iphlen, *offset, length, stcb); 3554 } 3555#endif /* SCTP_DEBUG */ 3556 3557 /* validate chunk header length... */ 3558 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3559 return (NULL); 3560 } 3561 /* 3562 * validate the verification tag 3563 */ 3564 vtag_in = ntohl(sh->v_tag); 3565 3566 if (locked_tcb) { 3567 SCTP_TCB_LOCK_ASSERT(locked_tcb); 3568 } 3569 if (ch->chunk_type == SCTP_INITIATION) { 3570 if (vtag_in != 0) { 3571 /* protocol error- silently discard... */ 3572 SCTP_STAT_INCR(sctps_badvtag); 3573 if (locked_tcb) 3574 SCTP_TCB_UNLOCK(locked_tcb); 3575 return (NULL); 3576 } 3577 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3578 /* 3579 * If there is no stcb, skip the AUTH chunk and process 3580 * later after a stcb is found (to validate the lookup was 3581 * valid. 3582 */ 3583 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3584 (stcb == NULL) && !sctp_auth_disable) { 3585 /* save this chunk for later processing */ 3586 auth_skipped = 1; 3587 auth_offset = *offset; 3588 auth_len = ntohs(ch->chunk_length); 3589 3590 /* (temporarily) move past this chunk */ 3591 *offset += SCTP_SIZE32(auth_len); 3592 if (*offset >= length) { 3593 /* no more data left in the mbuf chain */ 3594 *offset = length; 3595 return (NULL); 3596 } 3597 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3598 sizeof(struct sctp_chunkhdr), chunk_buf); 3599 } 3600 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3601 goto process_control_chunks; 3602 } 3603 /* 3604 * first check if it's an ASCONF with an unknown src addr we 3605 * need to look inside to find the association 3606 */ 3607 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3608 /* inp's refcount may be reduced */ 3609 SCTP_INP_INCR_REF(inp); 3610 3611 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3612 *offset, sh, &inp, netp); 3613 if (stcb == NULL) { 3614 /* 3615 * reduce inp's refcount if not reduced in 3616 * sctp_findassociation_ep_asconf(). 3617 */ 3618 SCTP_INP_DECR_REF(inp); 3619 } 3620 /* now go back and verify any auth chunk to be sure */ 3621 if (auth_skipped && (stcb != NULL)) { 3622 struct sctp_auth_chunk *auth; 3623 3624 auth = (struct sctp_auth_chunk *) 3625 sctp_m_getptr(m, auth_offset, 3626 auth_len, chunk_buf); 3627 got_auth = 1; 3628 auth_skipped = 0; 3629 if (sctp_handle_auth(stcb, auth, m, 3630 auth_offset)) { 3631 /* auth HMAC failed so dump it */ 3632 *offset = length; 3633 return (NULL); 3634 } else { 3635 /* remaining chunks are HMAC checked */ 3636 stcb->asoc.authenticated = 1; 3637 } 3638 } 3639 } 3640 if (stcb == NULL) { 3641 /* no association, so it's out of the blue... */ 3642 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3643 *offset = length; 3644 if (locked_tcb) 3645 SCTP_TCB_UNLOCK(locked_tcb); 3646 return (NULL); 3647 } 3648 asoc = &stcb->asoc; 3649 /* ABORT and SHUTDOWN can use either v_tag... */ 3650 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3651 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3652 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3653 if ((vtag_in == asoc->my_vtag) || 3654 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3655 (vtag_in == asoc->peer_vtag))) { 3656 /* this is valid */ 3657 } else { 3658 /* drop this packet... */ 3659 SCTP_STAT_INCR(sctps_badvtag); 3660 if (locked_tcb) 3661 SCTP_TCB_UNLOCK(locked_tcb); 3662 return (NULL); 3663 } 3664 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3665 if (vtag_in != asoc->my_vtag) { 3666 /* 3667 * this could be a stale SHUTDOWN-ACK or the 3668 * peer never got the SHUTDOWN-COMPLETE and 3669 * is still hung; we have started a new asoc 3670 * but it won't complete until the shutdown 3671 * is completed 3672 */ 3673 if (locked_tcb) 3674 SCTP_TCB_UNLOCK(locked_tcb); 3675 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3676 NULL); 3677 return (NULL); 3678 } 3679 } else { 3680 /* for all other chunks, vtag must match */ 3681 if (vtag_in != asoc->my_vtag) { 3682 /* invalid vtag... */ 3683#ifdef SCTP_DEBUG 3684 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3685 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3686 } 3687#endif /* SCTP_DEBUG */ 3688 SCTP_STAT_INCR(sctps_badvtag); 3689 if (locked_tcb) 3690 SCTP_TCB_UNLOCK(locked_tcb); 3691 *offset = length; 3692 return (NULL); 3693 } 3694 } 3695 } /* end if !SCTP_COOKIE_ECHO */ 3696 /* 3697 * process all control chunks... 3698 */ 3699 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3700 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3701 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3702 /* implied cookie-ack.. we must have lost the ack */ 3703 stcb->asoc.overall_error_count = 0; 3704 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3705 *netp); 3706 } 3707process_control_chunks: 3708 3709 while (IS_SCTP_CONTROL(ch)) { 3710 /* validate chunk length */ 3711 chk_length = ntohs(ch->chunk_length); 3712#ifdef SCTP_DEBUG 3713 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3714 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", 3715 ch->chunk_type, chk_length); 3716 } 3717#endif /* SCTP_DEBUG */ 3718 if ((size_t)chk_length < sizeof(*ch) || 3719 (*offset + chk_length) > length) { 3720 *offset = length; 3721 if (locked_tcb) 3722 SCTP_TCB_UNLOCK(locked_tcb); 3723 return (NULL); 3724 } 3725 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3726 /* 3727 * INIT-ACK only gets the init ack "header" portion only 3728 * because we don't have to process the peer's COOKIE. All 3729 * others get a complete chunk. 3730 */ 3731 if ((ch->chunk_type == SCTP_INITIATION_ACK) || 3732 (ch->chunk_type == SCTP_INITIATION)) { 3733 /* get an init-ack chunk */ 3734 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3735 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3736 if (ch == NULL) { 3737 *offset = length; 3738 if (locked_tcb) 3739 SCTP_TCB_UNLOCK(locked_tcb); 3740 return (NULL); 3741 } 3742 } else if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3743 if (chk_length > sizeof(chunk_buf)) { 3744 /* 3745 * use just the size of the chunk buffer so 3746 * the front part of our cookie is intact. 3747 * The rest of cookie processing should use 3748 * the sctp_m_getptr() function to access 3749 * the other parts. 3750 */ 3751 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3752 (sizeof(chunk_buf) - 4), 3753 chunk_buf); 3754 if (ch == NULL) { 3755 *offset = length; 3756 if (locked_tcb) 3757 SCTP_TCB_UNLOCK(locked_tcb); 3758 return (NULL); 3759 } 3760 } else { 3761 /* We can fit it all */ 3762 goto all_fits; 3763 } 3764 3765 } else { 3766 /* get a complete chunk... */ 3767 if ((size_t)chk_length > sizeof(chunk_buf)) { 3768 struct mbuf *oper; 3769 struct sctp_paramhdr *phdr; 3770 3771 oper = NULL; 3772 if (stcb) { 3773 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3774 0, M_DONTWAIT, 1, MT_DATA); 3775 3776 if (oper) { 3777 /* pre-reserve some space */ 3778 SCTP_BUF_RESV_UF(oper, sizeof(struct sctp_chunkhdr)); 3779 SCTP_BUF_LEN(oper) = sizeof(struct sctp_paramhdr); 3780 phdr = mtod(oper, struct sctp_paramhdr *); 3781 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); 3782 phdr->param_length = htons(sizeof(struct sctp_paramhdr)); 3783 sctp_queue_op_err(stcb, oper); 3784 } 3785 } 3786 if (locked_tcb) 3787 SCTP_TCB_UNLOCK(locked_tcb); 3788 return (NULL); 3789 } 3790 all_fits: 3791 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3792 chk_length, chunk_buf); 3793 if (ch == NULL) { 3794 printf("sctp_process_control: Can't get the all data....\n"); 3795 *offset = length; 3796 if (locked_tcb) 3797 SCTP_TCB_UNLOCK(locked_tcb); 3798 return (NULL); 3799 } 3800 } 3801 num_chunks++; 3802 /* Save off the last place we got a control from */ 3803 if (stcb != NULL) { 3804 if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) { 3805 /* 3806 * allow last_control to be NULL if 3807 * ASCONF... ASCONF processing will find the 3808 * right net later 3809 */ 3810 stcb->asoc.last_control_chunk_from = *netp; 3811 } 3812 } 3813#ifdef SCTP_AUDITING_ENABLED 3814 sctp_audit_log(0xB0, ch->chunk_type); 3815#endif 3816 3817 /* check to see if this chunk required auth, but isn't */ 3818 if ((stcb != NULL) && !sctp_auth_disable && 3819 sctp_auth_is_required_chunk(ch->chunk_type, 3820 stcb->asoc.local_auth_chunks) && 3821 !stcb->asoc.authenticated) { 3822 /* "silently" ignore */ 3823 SCTP_STAT_INCR(sctps_recvauthmissing); 3824 goto next_chunk; 3825 } 3826 switch (ch->chunk_type) { 3827 case SCTP_INITIATION: 3828 /* must be first and only chunk */ 3829#ifdef SCTP_DEBUG 3830 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3831 printf("SCTP_INIT\n"); 3832 } 3833#endif /* SCTP_DEBUG */ 3834 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3835 /* We are not interested anymore? */ 3836 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3837 /* 3838 * collision case where we are 3839 * sending to them too 3840 */ 3841 ; 3842 } else { 3843 if (locked_tcb) 3844 SCTP_TCB_UNLOCK(locked_tcb); 3845 *offset = length; 3846 return (NULL); 3847 } 3848 } 3849 if ((num_chunks > 1) || 3850 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3851 *offset = length; 3852 if (locked_tcb) 3853 SCTP_TCB_UNLOCK(locked_tcb); 3854 return (NULL); 3855 } 3856 if ((stcb != NULL) && 3857 (SCTP_GET_STATE(&stcb->asoc) == 3858 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3859 sctp_send_shutdown_ack(stcb, 3860 stcb->asoc.primary_destination); 3861 *offset = length; 3862 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3863 if (locked_tcb) 3864 SCTP_TCB_UNLOCK(locked_tcb); 3865 return (NULL); 3866 } 3867 sctp_handle_init(m, iphlen, *offset, sh, 3868 (struct sctp_init_chunk *)ch, inp, stcb, *netp, &abort_no_unlock); 3869 if (abort_no_unlock) 3870 return (NULL); 3871 3872 *offset = length; 3873 if (locked_tcb) 3874 SCTP_TCB_UNLOCK(locked_tcb); 3875 return (NULL); 3876 break; 3877 case SCTP_INITIATION_ACK: 3878 /* must be first and only chunk */ 3879#ifdef SCTP_DEBUG 3880 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3881 printf("SCTP_INIT-ACK\n"); 3882 } 3883#endif /* SCTP_DEBUG */ 3884 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3885 /* We are not interested anymore */ 3886 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3887 ; 3888 } else { 3889 if (locked_tcb) 3890 SCTP_TCB_UNLOCK(locked_tcb); 3891 *offset = length; 3892 if (stcb) { 3893 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3894 } 3895 return (NULL); 3896 } 3897 } 3898 if ((num_chunks > 1) || 3899 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3900 *offset = length; 3901 if (locked_tcb) 3902 SCTP_TCB_UNLOCK(locked_tcb); 3903 return (NULL); 3904 } 3905 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3906 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock); 3907 /* 3908 * Special case, I must call the output routine to 3909 * get the cookie echoed 3910 */ 3911 if (abort_no_unlock) 3912 return (NULL); 3913 3914 if ((stcb) && ret == 0) 3915 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3916 *offset = length; 3917 if (locked_tcb) 3918 SCTP_TCB_UNLOCK(locked_tcb); 3919 return (NULL); 3920 break; 3921 case SCTP_SELECTIVE_ACK: 3922#ifdef SCTP_DEBUG 3923 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3924 printf("SCTP_SACK\n"); 3925 } 3926#endif /* SCTP_DEBUG */ 3927 SCTP_STAT_INCR(sctps_recvsacks); 3928 { 3929 struct sctp_sack_chunk *sack; 3930 int abort_now = 0; 3931 uint32_t a_rwnd, cum_ack; 3932 uint16_t num_seg; 3933 int nonce_sum_flag; 3934 3935 if (chk_length < sizeof(struct sctp_sack_chunk)) { 3936#ifdef SCTP_DEBUG 3937 if (sctp_debug_on & SCTP_DEBUG_INDATA1) { 3938 printf("Bad size on sack chunk .. to small\n"); 3939 } 3940#endif 3941 *offset = length; 3942 return (NULL); 3943 } 3944 sack = (struct sctp_sack_chunk *)ch; 3945 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3946 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3947 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3948 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3949 stcb->asoc.seen_a_sack_this_pkt = 1; 3950 if ((stcb->asoc.pr_sctp_cnt == 0) && 3951 (num_seg == 0) && 3952 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3953 (cum_ack == stcb->asoc.last_acked_seq)) && 3954 (stcb->asoc.saw_sack_with_frags == 0) && 3955 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3956 ) { 3957 /* 3958 * We have a SIMPLE sack having no 3959 * prior segments and data on sent 3960 * queue to be acked.. Use the 3961 * faster path sack processing. We 3962 * also allow window update sacks 3963 * with no missing segments to go 3964 * this way too. 3965 */ 3966 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, 3967 &abort_now); 3968 } else { 3969 sctp_handle_sack(sack, stcb, *netp, &abort_now, chk_length, a_rwnd); 3970 } 3971 if (abort_now) { 3972 /* ABORT signal from sack processing */ 3973 *offset = length; 3974 return (NULL); 3975 } 3976 } 3977 break; 3978 case SCTP_HEARTBEAT_REQUEST: 3979#ifdef SCTP_DEBUG 3980 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3981 printf("SCTP_HEARTBEAT\n"); 3982 } 3983#endif /* SCTP_DEBUG */ 3984 SCTP_STAT_INCR(sctps_recvheartbeat); 3985 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3986 *netp); 3987 3988 /* He's alive so give him credit */ 3989 stcb->asoc.overall_error_count = 0; 3990 break; 3991 case SCTP_HEARTBEAT_ACK: 3992#ifdef SCTP_DEBUG 3993 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3994 printf("SCTP_HEARTBEAT-ACK\n"); 3995 } 3996#endif /* SCTP_DEBUG */ 3997 if (chk_length != sizeof(struct sctp_heartbeat_chunk)) { 3998 /* Its not ours */ 3999 *offset = length; 4000 return (NULL); 4001 } 4002 /* He's alive so give him credit */ 4003 stcb->asoc.overall_error_count = 0; 4004 SCTP_STAT_INCR(sctps_recvheartbeatack); 4005 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 4006 stcb, *netp); 4007 break; 4008 case SCTP_ABORT_ASSOCIATION: 4009#ifdef SCTP_DEBUG 4010 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4011 printf("SCTP_ABORT\n"); 4012 } 4013#endif /* SCTP_DEBUG */ 4014 sctp_handle_abort((struct sctp_abort_chunk *)ch, 4015 stcb, *netp); 4016 *offset = length; 4017 return (NULL); 4018 break; 4019 case SCTP_SHUTDOWN: 4020#ifdef SCTP_DEBUG 4021 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4022 printf("SCTP_SHUTDOWN\n"); 4023 } 4024#endif /* SCTP_DEBUG */ 4025 if (chk_length != sizeof(struct sctp_shutdown_chunk)) { 4026 *offset = length; 4027 return (NULL); 4028 4029 } { 4030 int abort_flag = 0; 4031 4032 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 4033 stcb, *netp, &abort_flag); 4034 if (abort_flag) { 4035 *offset = length; 4036 return (NULL); 4037 } 4038 } 4039 break; 4040 case SCTP_SHUTDOWN_ACK: 4041#ifdef SCTP_DEBUG 4042 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4043 printf("SCTP_SHUTDOWN-ACK\n"); 4044 } 4045#endif /* SCTP_DEBUG */ 4046 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 4047 *offset = length; 4048 return (NULL); 4049 break; 4050 case SCTP_OPERATION_ERROR: 4051#ifdef SCTP_DEBUG 4052 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4053 printf("SCTP_OP-ERR\n"); 4054 } 4055#endif /* SCTP_DEBUG */ 4056 if (sctp_handle_error(ch, stcb, *netp) < 0) { 4057 *offset = length; 4058 return (NULL); 4059 } 4060 break; 4061 case SCTP_COOKIE_ECHO: 4062#ifdef SCTP_DEBUG 4063 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4064 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 4065 } 4066#endif /* SCTP_DEBUG */ 4067 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4068 ; 4069 } else { 4070 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) && 4071 (stcb == NULL)) { 4072 /* We are not interested anymore */ 4073 *offset = length; 4074 return (NULL); 4075 } 4076 } 4077 /* 4078 * First are we accepting? We do this again here 4079 * since it is possible that a previous endpoint WAS 4080 * listening responded to a INIT-ACK and then 4081 * closed. We opened and bound.. and are now no 4082 * longer listening. 4083 */ 4084 if (inp->sctp_socket->so_qlimit == 0) { 4085 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 4086 /* 4087 * special case, is this a retran'd 4088 * COOKIE-ECHO or a restarting assoc 4089 * that is a peeled off or 4090 * one-to-one style socket. 4091 */ 4092 goto process_cookie_anyway; 4093 } 4094 sctp_abort_association(inp, stcb, m, iphlen, sh, 4095 NULL); 4096 *offset = length; 4097 return (NULL); 4098 } else if (inp->sctp_socket->so_qlimit) { 4099 /* we are accepting so check limits like TCP */ 4100 if (inp->sctp_socket->so_qlen > 4101 inp->sctp_socket->so_qlimit) { 4102 /* no space */ 4103 struct mbuf *oper; 4104 struct sctp_paramhdr *phdr; 4105 4106 if (sctp_abort_if_one_2_one_hits_limit) { 4107 oper = NULL; 4108 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4109 0, M_DONTWAIT, 1, MT_DATA); 4110 if (oper) { 4111 SCTP_BUF_LEN(oper) = 4112 sizeof(struct sctp_paramhdr); 4113 phdr = mtod(oper, 4114 struct sctp_paramhdr *); 4115 phdr->param_type = 4116 htons(SCTP_CAUSE_OUT_OF_RESC); 4117 phdr->param_length = 4118 htons(sizeof(struct sctp_paramhdr)); 4119 } 4120 sctp_abort_association(inp, stcb, m, 4121 iphlen, sh, oper); 4122 } 4123 *offset = length; 4124 return (NULL); 4125 } 4126 } 4127 process_cookie_anyway: 4128 { 4129 struct mbuf *ret_buf; 4130 struct sctp_inpcb *linp; 4131 4132 if (stcb) 4133 linp = NULL; 4134 else 4135 linp = inp; 4136 4137 if (linp) 4138 SCTP_ASOC_CREATE_LOCK(linp); 4139 ret_buf = 4140 sctp_handle_cookie_echo(m, iphlen, 4141 *offset, sh, 4142 (struct sctp_cookie_echo_chunk *)ch, 4143 &inp, &stcb, netp, 4144 auth_skipped, 4145 auth_offset, 4146 auth_len, 4147 &locked_tcb); 4148 if (linp) 4149 SCTP_ASOC_CREATE_UNLOCK(linp); 4150 if (ret_buf == NULL) { 4151 if (locked_tcb) { 4152 SCTP_TCB_UNLOCK(locked_tcb); 4153 } 4154#ifdef SCTP_DEBUG 4155 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4156 printf("GAK, null buffer\n"); 4157 } 4158#endif /* SCTP_DEBUG */ 4159 auth_skipped = 0; 4160 *offset = length; 4161 return (NULL); 4162 } 4163 /* if AUTH skipped, see if it verified... */ 4164 if (auth_skipped) { 4165 got_auth = 1; 4166 auth_skipped = 0; 4167 } 4168 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4169 /* 4170 * Restart the timer if we have 4171 * pending data 4172 */ 4173 struct sctp_tmit_chunk *chk; 4174 4175 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4176 if (chk) { 4177 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4178 stcb->sctp_ep, stcb, 4179 chk->whoTo); 4180 } 4181 } 4182 } 4183 break; 4184 case SCTP_COOKIE_ACK: 4185#ifdef SCTP_DEBUG 4186 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4187 printf("SCTP_COOKIE-ACK\n"); 4188 } 4189#endif /* SCTP_DEBUG */ 4190 4191 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4192 /* We are not interested anymore */ 4193 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4194 ; 4195 } else { 4196 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4197 *offset = length; 4198 return (NULL); 4199 } 4200 } 4201 /* He's alive so give him credit */ 4202 stcb->asoc.overall_error_count = 0; 4203 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4204 break; 4205 case SCTP_ECN_ECHO: 4206#ifdef SCTP_DEBUG 4207 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4208 printf("SCTP_ECN-ECHO\n"); 4209 } 4210#endif /* SCTP_DEBUG */ 4211 /* He's alive so give him credit */ 4212 if (chk_length != sizeof(struct sctp_ecne_chunk)) { 4213 /* Its not ours */ 4214 *offset = length; 4215 return (NULL); 4216 } 4217 stcb->asoc.overall_error_count = 0; 4218 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4219 stcb); 4220 break; 4221 case SCTP_ECN_CWR: 4222#ifdef SCTP_DEBUG 4223 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4224 printf("SCTP_ECN-CWR\n"); 4225 } 4226#endif /* SCTP_DEBUG */ 4227 /* He's alive so give him credit */ 4228 if (chk_length != sizeof(struct sctp_cwr_chunk)) { 4229 /* Its not ours */ 4230 *offset = length; 4231 return (NULL); 4232 } 4233 stcb->asoc.overall_error_count = 0; 4234 4235 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4236 break; 4237 case SCTP_SHUTDOWN_COMPLETE: 4238#ifdef SCTP_DEBUG 4239 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4240 printf("SCTP_SHUTDOWN-COMPLETE\n"); 4241 } 4242#endif /* SCTP_DEBUG */ 4243 /* must be first and only chunk */ 4244 if ((num_chunks > 1) || 4245 (length - *offset > SCTP_SIZE32(chk_length))) { 4246 *offset = length; 4247 if (locked_tcb) 4248 SCTP_TCB_UNLOCK(locked_tcb); 4249 4250 return (NULL); 4251 } 4252 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4253 stcb, *netp); 4254 *offset = length; 4255 return (NULL); 4256 break; 4257 case SCTP_ASCONF: 4258#ifdef SCTP_DEBUG 4259 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4260 printf("SCTP_ASCONF\n"); 4261 } 4262#endif /* SCTP_DEBUG */ 4263 /* He's alive so give him credit */ 4264 stcb->asoc.overall_error_count = 0; 4265 4266 sctp_handle_asconf(m, *offset, 4267 (struct sctp_asconf_chunk *)ch, stcb); 4268 break; 4269 case SCTP_ASCONF_ACK: 4270#ifdef SCTP_DEBUG 4271 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4272 printf("SCTP_ASCONF-ACK\n"); 4273 } 4274#endif /* SCTP_DEBUG */ 4275 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) { 4276 /* Its not ours */ 4277 *offset = length; 4278 return (NULL); 4279 } 4280 /* He's alive so give him credit */ 4281 stcb->asoc.overall_error_count = 0; 4282 4283 sctp_handle_asconf_ack(m, *offset, 4284 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4285 break; 4286 case SCTP_FORWARD_CUM_TSN: 4287#ifdef SCTP_DEBUG 4288 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4289 printf("SCTP_FWD-TSN\n"); 4290 } 4291#endif /* SCTP_DEBUG */ 4292 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) { 4293 /* Its not ours */ 4294 *offset = length; 4295 return (NULL); 4296 } 4297 /* He's alive so give him credit */ 4298 { 4299 int abort_flag = 0; 4300 4301 stcb->asoc.overall_error_count = 0; 4302 *fwd_tsn_seen = 1; 4303 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4304 /* We are not interested anymore */ 4305 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28); 4306 *offset = length; 4307 return (NULL); 4308 } 4309 sctp_handle_forward_tsn(stcb, 4310 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4311 if (abort_flag) { 4312 *offset = length; 4313 return (NULL); 4314 } else { 4315 stcb->asoc.overall_error_count = 0; 4316 } 4317 4318 } 4319 break; 4320 case SCTP_STREAM_RESET: 4321#ifdef SCTP_DEBUG 4322 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4323 printf("SCTP_STREAM_RESET\n"); 4324 } 4325#endif /* SCTP_DEBUG */ 4326 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4327 chk_length, chunk_buf); 4328 if (chk_length < sizeof(struct sctp_stream_reset_tsn_req)) { 4329 /* Its not ours */ 4330 *offset = length; 4331 return (NULL); 4332 } 4333 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4334 /* We are not interested anymore */ 4335 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4336 *offset = length; 4337 return (NULL); 4338 } 4339 if (stcb->asoc.peer_supports_strreset == 0) { 4340 /* 4341 * hmm, peer should have announced this, but 4342 * we will turn it on since he is sending us 4343 * a stream reset. 4344 */ 4345 stcb->asoc.peer_supports_strreset = 1; 4346 } 4347 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4348 /* stop processing */ 4349 *offset = length; 4350 return (NULL); 4351 } 4352 break; 4353 case SCTP_PACKET_DROPPED: 4354#ifdef SCTP_DEBUG 4355 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4356 printf("SCTP_PACKET_DROPPED\n"); 4357 } 4358#endif /* SCTP_DEBUG */ 4359 /* re-get it all please */ 4360 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) { 4361 /* Its not ours */ 4362 *offset = length; 4363 return (NULL); 4364 } 4365 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4366 chk_length, chunk_buf); 4367 4368 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4369 stcb, *netp); 4370 4371 break; 4372 4373 case SCTP_AUTHENTICATION: 4374#ifdef SCTP_DEBUG 4375 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4376 printf("SCTP_AUTHENTICATION\n"); 4377 } 4378#endif /* SCTP_DEBUG */ 4379 if (sctp_auth_disable) 4380 goto unknown_chunk; 4381 4382 if (stcb == NULL) { 4383 /* save the first AUTH for later processing */ 4384 if (auth_skipped == 0) { 4385 auth_offset = *offset; 4386 auth_len = chk_length; 4387 auth_skipped = 1; 4388 } 4389 /* skip this chunk (temporarily) */ 4390 goto next_chunk; 4391 } 4392 if ((chk_length < (sizeof(struct sctp_auth_chunk))) || 4393 (chk_length > (sizeof(struct sctp_auth_chunk) + SCTP_AUTH_DIGEST_LEN_MAX))) { 4394 /* Its not ours */ 4395 *offset = length; 4396 return (NULL); 4397 } 4398 if (got_auth == 1) { 4399 /* skip this chunk... it's already auth'd */ 4400 goto next_chunk; 4401 } 4402 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4403 chk_length, chunk_buf); 4404 got_auth = 1; 4405 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4406 m, *offset)) { 4407 /* auth HMAC failed so dump the packet */ 4408 *offset = length; 4409 return (stcb); 4410 } else { 4411 /* remaining chunks are HMAC checked */ 4412 stcb->asoc.authenticated = 1; 4413 } 4414 break; 4415 4416 default: 4417 unknown_chunk: 4418 /* it's an unknown chunk! */ 4419 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4420 struct mbuf *mm; 4421 struct sctp_paramhdr *phd; 4422 4423 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4424 0, M_DONTWAIT, 1, MT_DATA); 4425 if (mm) { 4426 phd = mtod(mm, struct sctp_paramhdr *); 4427 /* 4428 * We cheat and use param type since 4429 * we did not bother to define a 4430 * error cause struct. They are the 4431 * same basic format with different 4432 * names. 4433 */ 4434 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4435 phd->param_length = htons(chk_length + sizeof(*phd)); 4436 SCTP_BUF_LEN(mm) = sizeof(*phd); 4437 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 4438 M_DONTWAIT); 4439 if (SCTP_BUF_NEXT(mm)) { 4440 sctp_queue_op_err(stcb, mm); 4441 } else { 4442 sctp_m_freem(mm); 4443 } 4444 } 4445 } 4446 if ((ch->chunk_type & 0x80) == 0) { 4447 /* discard this packet */ 4448 *offset = length; 4449 return (stcb); 4450 } /* else skip this bad chunk and continue... */ 4451 break; 4452 } /* switch (ch->chunk_type) */ 4453 4454 4455next_chunk: 4456 /* get the next chunk */ 4457 *offset += SCTP_SIZE32(chk_length); 4458 if (*offset >= length) { 4459 /* no more data left in the mbuf chain */ 4460 break; 4461 } 4462 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4463 sizeof(struct sctp_chunkhdr), chunk_buf); 4464 if (ch == NULL) { 4465 if (locked_tcb) 4466 SCTP_TCB_UNLOCK(locked_tcb); 4467 *offset = length; 4468 return (NULL); 4469 } 4470 } /* while */ 4471 return (stcb); 4472} 4473 4474 4475/* 4476 * Process the ECN bits we have something set so we must look to see if it is 4477 * ECN(0) or ECN(1) or CE 4478 */ 4479static __inline void 4480sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4481 uint8_t ecn_bits) 4482{ 4483 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4484 ; 4485 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4486 /* 4487 * we only add to the nonce sum for ECT1, ECT0 does not 4488 * change the NS bit (that we have yet to find a way to send 4489 * it yet). 4490 */ 4491 4492 /* ECN Nonce stuff */ 4493 stcb->asoc.receiver_nonce_sum++; 4494 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4495 4496 /* 4497 * Drag up the last_echo point if cumack is larger since we 4498 * don't want the point falling way behind by more than 4499 * 2^^31 and then having it be incorrect. 4500 */ 4501 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4502 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4503 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4504 } 4505 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4506 /* 4507 * Drag up the last_echo point if cumack is larger since we 4508 * don't want the point falling way behind by more than 4509 * 2^^31 and then having it be incorrect. 4510 */ 4511 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4512 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4513 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4514 } 4515 } 4516} 4517 4518static __inline void 4519sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4520 uint32_t high_tsn, uint8_t ecn_bits) 4521{ 4522 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4523 /* 4524 * we possibly must notify the sender that a congestion 4525 * window reduction is in order. We do this by adding a ECNE 4526 * chunk to the output chunk queue. The incoming CWR will 4527 * remove this chunk. 4528 */ 4529 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4530 MAX_TSN)) { 4531 /* Yep, we need to add a ECNE */ 4532 sctp_send_ecn_echo(stcb, net, high_tsn); 4533 stcb->asoc.last_echo_tsn = high_tsn; 4534 } 4535 } 4536} 4537 4538/* 4539 * common input chunk processing (v4 and v6) 4540 */ 4541int 4542sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4543 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4544 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4545 uint8_t ecn_bits) 4546{ 4547 /* 4548 * Control chunk processing 4549 */ 4550 uint32_t high_tsn; 4551 int fwd_tsn_seen = 0, data_processed = 0; 4552 struct mbuf *m = *mm; 4553 int abort_flag = 0; 4554 int un_sent; 4555 4556 SCTP_STAT_INCR(sctps_recvdatagrams); 4557#ifdef SCTP_AUDITING_ENABLED 4558 sctp_audit_log(0xE0, 1); 4559 sctp_auditing(0, inp, stcb, net); 4560#endif 4561 4562#ifdef SCTP_DEBUG 4563 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4564 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 4565 m, iphlen, offset); 4566 } 4567#endif /* SCTP_DEBUG */ 4568 4569 if (stcb) { 4570 /* always clear this before beginning a packet */ 4571 stcb->asoc.authenticated = 0; 4572 stcb->asoc.seen_a_sack_this_pkt = 0; 4573 } 4574 if (IS_SCTP_CONTROL(ch)) { 4575 /* process the control portion of the SCTP packet */ 4576 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4577 inp, stcb, &net, &fwd_tsn_seen); 4578 if (stcb) { 4579 /* 4580 * This covers us if the cookie-echo was there and 4581 * it changes our INP. 4582 */ 4583 inp = stcb->sctp_ep; 4584 } 4585 } else { 4586 /* 4587 * no control chunks, so pre-process DATA chunks (these 4588 * checks are taken care of by control processing) 4589 */ 4590 4591 /* 4592 * if DATA only packet, and auth is required, then punt... 4593 * can't have authenticated without any AUTH (control) 4594 * chunks 4595 */ 4596 if ((stcb != NULL) && !sctp_auth_disable && 4597 sctp_auth_is_required_chunk(SCTP_DATA, 4598 stcb->asoc.local_auth_chunks)) { 4599 /* "silently" ignore */ 4600 SCTP_STAT_INCR(sctps_recvauthmissing); 4601 SCTP_TCB_UNLOCK(stcb); 4602 return (1); 4603 } 4604 if (stcb == NULL) { 4605 /* out of the blue DATA chunk */ 4606 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4607 return (1); 4608 } 4609 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4610 /* v_tag mismatch! */ 4611 SCTP_STAT_INCR(sctps_badvtag); 4612 SCTP_TCB_UNLOCK(stcb); 4613 return (1); 4614 } 4615 } 4616 4617 if (stcb == NULL) { 4618 /* 4619 * no valid TCB for this packet, or we found it's a bad 4620 * packet while processing control, or we're done with this 4621 * packet (done or skip rest of data), so we drop it... 4622 */ 4623 return (1); 4624 } 4625 /* 4626 * DATA chunk processing 4627 */ 4628 /* plow through the data chunks while length > offset */ 4629 4630 /* 4631 * Rest should be DATA only. Check authentication state if AUTH for 4632 * DATA is required. 4633 */ 4634 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable && 4635 sctp_auth_is_required_chunk(SCTP_DATA, 4636 stcb->asoc.local_auth_chunks) && 4637 !stcb->asoc.authenticated) { 4638 /* "silently" ignore */ 4639 SCTP_STAT_INCR(sctps_recvauthmissing); 4640#ifdef SCTP_DEBUG 4641 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 4642 printf("Data chunk requires AUTH, skipped\n"); 4643#endif 4644 goto trigger_send; 4645 } 4646 if (length > offset) { 4647 int retval; 4648 4649 /* 4650 * First check to make sure our state is correct. We would 4651 * not get here unless we really did have a tag, so we don't 4652 * abort if this happens, just dump the chunk silently. 4653 */ 4654 switch (SCTP_GET_STATE(&stcb->asoc)) { 4655 case SCTP_STATE_COOKIE_ECHOED: 4656 /* 4657 * we consider data with valid tags in this state 4658 * shows us the cookie-ack was lost. Imply it was 4659 * there. 4660 */ 4661 stcb->asoc.overall_error_count = 0; 4662 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4663 break; 4664 case SCTP_STATE_COOKIE_WAIT: 4665 /* 4666 * We consider OOTB any data sent during asoc setup. 4667 */ 4668 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4669 SCTP_TCB_UNLOCK(stcb); 4670 return (1); 4671 break; 4672 case SCTP_STATE_EMPTY: /* should not happen */ 4673 case SCTP_STATE_INUSE: /* should not happen */ 4674 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4675 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4676 default: 4677 SCTP_TCB_UNLOCK(stcb); 4678 return (1); 4679 break; 4680 case SCTP_STATE_OPEN: 4681 case SCTP_STATE_SHUTDOWN_SENT: 4682 break; 4683 } 4684 /* take care of ECN, part 1. */ 4685 if (stcb->asoc.ecn_allowed && 4686 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4687 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4688 } 4689 /* plow through the data chunks while length > offset */ 4690 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4691 inp, stcb, net, &high_tsn); 4692 if (retval == 2) { 4693 /* 4694 * The association aborted, NO UNLOCK needed since 4695 * the association is destroyed. 4696 */ 4697 return (0); 4698 } 4699 data_processed = 1; 4700 if (retval == 0) { 4701 /* take care of ecn part 2. */ 4702 if (stcb->asoc.ecn_allowed && 4703 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4704 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4705 ecn_bits); 4706 } 4707 } 4708 /* 4709 * Anything important needs to have been m_copy'ed in 4710 * process_data 4711 */ 4712 } 4713 if ((data_processed == 0) && (fwd_tsn_seen)) { 4714 int was_a_gap = 0; 4715 4716 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4717 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4718 /* there was a gap before this data was processed */ 4719 was_a_gap = 1; 4720 } 4721 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4722 if (abort_flag) { 4723 /* Again, we aborted so NO UNLOCK needed */ 4724 return (0); 4725 } 4726 } 4727 /* trigger send of any chunks in queue... */ 4728trigger_send: 4729#ifdef SCTP_AUDITING_ENABLED 4730 sctp_audit_log(0xE0, 2); 4731 sctp_auditing(1, inp, stcb, net); 4732#endif 4733#ifdef SCTP_DEBUG 4734 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4735 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4736 stcb->asoc.peers_rwnd, 4737 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4738 stcb->asoc.total_flight); 4739 } 4740#endif 4741 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4742 4743 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4744 ((un_sent) && 4745 (stcb->asoc.peers_rwnd > 0 || 4746 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4747#ifdef SCTP_DEBUG 4748 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4749 printf("Calling chunk OUTPUT\n"); 4750 } 4751#endif 4752 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4753#ifdef SCTP_DEBUG 4754 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4755 printf("chunk OUTPUT returns\n"); 4756 } 4757#endif 4758 } 4759#ifdef SCTP_AUDITING_ENABLED 4760 sctp_audit_log(0xE0, 3); 4761 sctp_auditing(2, inp, stcb, net); 4762#endif 4763 SCTP_TCB_UNLOCK(stcb); 4764 return (0); 4765} 4766 4767 4768 4769void 4770sctp_input(i_pak, off) 4771 struct mbuf *i_pak; 4772 int off; 4773 4774{ 4775#ifdef SCTP_MBUF_LOGGING 4776 struct mbuf *mat; 4777 4778#endif 4779 struct mbuf *m; 4780 int iphlen; 4781 uint32_t vrf_id; 4782 uint8_t ecn_bits; 4783 struct ip *ip; 4784 struct sctphdr *sh; 4785 struct sctp_inpcb *inp = NULL; 4786 4787 uint32_t check, calc_check; 4788 struct sctp_nets *net; 4789 struct sctp_tcb *stcb = NULL; 4790 struct sctp_chunkhdr *ch; 4791 int refcount_up = 0; 4792 int length, mlen, offset; 4793 4794 vrf_id = SCTP_DEFAULT_VRFID; 4795 mlen = SCTP_HEADER_LEN(i_pak); 4796 iphlen = off; 4797 m = SCTP_HEADER_TO_CHAIN(i_pak); 4798 net = NULL; 4799 SCTP_STAT_INCR(sctps_recvpackets); 4800 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4801 4802#ifdef SCTP_MBUF_LOGGING 4803 /* Log in any input mbufs */ 4804 mat = m; 4805 while (mat) { 4806 if (SCTP_BUF_IS_EXTENDED(mat)) { 4807 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4808 } 4809 mat = SCTP_BUF_NEXT(mat); 4810 } 4811#endif 4812 4813 /* 4814 * Get IP, SCTP, and first chunk header together in first mbuf. 4815 */ 4816 ip = mtod(m, struct ip *); 4817 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4818 if (SCTP_BUF_LEN(m) < offset) { 4819 if ((m = m_pullup(m, offset)) == 0) { 4820 SCTP_STAT_INCR(sctps_hdrops); 4821 return; 4822 } 4823 ip = mtod(m, struct ip *); 4824 } 4825 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4826 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4827 4828 /* SCTP does not allow broadcasts or multicasts */ 4829 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4830 goto bad; 4831 } 4832 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 4833 /* 4834 * We only look at broadcast if its a front state, All 4835 * others we will not have a tcb for anyway. 4836 */ 4837 goto bad; 4838 } 4839 /* validate SCTP checksum */ 4840 if ((sctp_no_csum_on_loopback == 0) || !SCTP_IS_IT_LOOPBACK(m)) { 4841 /* 4842 * we do NOT validate things from the loopback if the sysctl 4843 * is set to 1. 4844 */ 4845 check = sh->checksum; /* save incoming checksum */ 4846 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4847 /* 4848 * special hook for where we got a local address 4849 * somehow routed across a non IFT_LOOP type 4850 * interface 4851 */ 4852 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4853 goto sctp_skip_csum_4; 4854 } 4855 sh->checksum = 0; /* prepare for calc */ 4856 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4857 if (calc_check != check) { 4858#ifdef SCTP_DEBUG 4859 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4860 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4861 calc_check, check, m, mlen, iphlen); 4862 } 4863#endif 4864 4865 stcb = sctp_findassociation_addr(m, iphlen, 4866 offset - sizeof(*ch), 4867 sh, ch, &inp, &net, vrf_id); 4868 if ((inp) && (stcb)) { 4869 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4870 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4871 } else if ((inp != NULL) && (stcb == NULL)) { 4872 refcount_up = 1; 4873 } 4874 SCTP_STAT_INCR(sctps_badsum); 4875 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4876 goto bad; 4877 } 4878 sh->checksum = calc_check; 4879 } 4880sctp_skip_csum_4: 4881 /* destination port of 0 is illegal, based on RFC2960. */ 4882 if (sh->dest_port == 0) { 4883 SCTP_STAT_INCR(sctps_hdrops); 4884 goto bad; 4885 } 4886 /* validate mbuf chain length with IP payload length */ 4887 if (mlen < (ip->ip_len - iphlen)) { 4888 SCTP_STAT_INCR(sctps_hdrops); 4889 goto bad; 4890 } 4891 /* 4892 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4893 * IP/SCTP/first chunk header... 4894 */ 4895 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4896 sh, ch, &inp, &net, vrf_id); 4897 /* inp's ref-count increased && stcb locked */ 4898 if (inp == NULL) { 4899 struct sctp_init_chunk *init_chk, chunk_buf; 4900 4901 SCTP_STAT_INCR(sctps_noport); 4902#ifdef ICMP_BANDLIM 4903 /* 4904 * we use the bandwidth limiting to protect against sending 4905 * too many ABORTS all at once. In this case these count the 4906 * same as an ICMP message. 4907 */ 4908 if (badport_bandlim(0) < 0) 4909 goto bad; 4910#endif /* ICMP_BANDLIM */ 4911#ifdef SCTP_DEBUG 4912 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4913 printf("Sending a ABORT from packet entry!\n"); 4914 } 4915#endif 4916 if (ch->chunk_type == SCTP_INITIATION) { 4917 /* 4918 * we do a trick here to get the INIT tag, dig in 4919 * and get the tag from the INIT and put it in the 4920 * common header. 4921 */ 4922 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4923 iphlen + sizeof(*sh), sizeof(*init_chk), 4924 (uint8_t *) & chunk_buf); 4925 if (init_chk != NULL) 4926 sh->v_tag = init_chk->init.initiate_tag; 4927 } 4928 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4929 sctp_send_shutdown_complete2(m, iphlen, sh); 4930 goto bad; 4931 } 4932 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 4933 goto bad; 4934 } 4935 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 4936 sctp_send_abort(m, iphlen, sh, 0, NULL); 4937 goto bad; 4938 } else if (stcb == NULL) { 4939 refcount_up = 1; 4940 } 4941#ifdef IPSEC 4942 /* 4943 * I very much doubt any of the IPSEC stuff will work but I have no 4944 * idea, so I will leave it in place. 4945 */ 4946 4947 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 4948 ipsecstat.in_polvio++; 4949 SCTP_STAT_INCR(sctps_hdrops); 4950 goto bad; 4951 } 4952#endif /* IPSEC */ 4953 4954 /* 4955 * common chunk processing 4956 */ 4957 length = ip->ip_len + iphlen; 4958 offset -= sizeof(struct sctp_chunkhdr); 4959 4960 ecn_bits = ip->ip_tos; 4961 4962 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4963 inp, stcb, net, ecn_bits); 4964 /* inp's ref-count reduced && stcb unlocked */ 4965 if (m) { 4966 sctp_m_freem(m); 4967 } 4968 if ((inp) && (refcount_up)) { 4969 /* reduce ref-count */ 4970 SCTP_INP_WLOCK(inp); 4971 SCTP_INP_DECR_REF(inp); 4972 SCTP_INP_WUNLOCK(inp); 4973 } 4974 return; 4975bad: 4976 if (stcb) 4977 SCTP_TCB_UNLOCK(stcb); 4978 4979 if ((inp) && (refcount_up)) { 4980 /* reduce ref-count */ 4981 SCTP_INP_WLOCK(inp); 4982 SCTP_INP_DECR_REF(inp); 4983 SCTP_INP_WUNLOCK(inp); 4984 } 4985 if (m) { 4986 sctp_m_freem(m); 4987 } 4988 /* For BSD/MAC this does nothing */ 4989 SCTP_RELEASE_PAK(i_pak); 4990 return; 4991} 4992