sctp_input.c revision 170056
1/*- 2 * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 170056 2007-05-28 11:17:24Z rrs $"); 35 36#include <netinet/sctp_os.h> 37#include <netinet/sctp_var.h> 38#include <netinet/sctp_sysctl.h> 39#include <netinet/sctp_pcb.h> 40#include <netinet/sctp_header.h> 41#include <netinet/sctputil.h> 42#include <netinet/sctp_output.h> 43#include <netinet/sctp_input.h> 44#include <netinet/sctp_auth.h> 45#include <netinet/sctp_indata.h> 46#include <netinet/sctp_asconf.h> 47 48 49 50 51static void 52sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 53{ 54 struct sctp_nets *net; 55 56 /* 57 * This now not only stops all cookie timers it also stops any INIT 58 * timers as well. This will make sure that the timers are stopped 59 * in all collision cases. 60 */ 61 SCTP_TCB_LOCK_ASSERT(stcb); 62 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 63 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 64 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 65 stcb->sctp_ep, 66 stcb, 67 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 68 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 69 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 70 stcb->sctp_ep, 71 stcb, 72 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 73 } 74 } 75} 76 77/* INIT handler */ 78static void 79sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 80 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 81 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, 82 uint32_t table_id) 83{ 84 struct sctp_init *init; 85 struct mbuf *op_err; 86 uint32_t init_limit; 87 88 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n", 89 stcb); 90 op_err = NULL; 91 init = &cp->init; 92 /* First are we accepting? */ 93 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 94 SCTPDBG(SCTP_DEBUG_INPUT2, 95 "sctp_handle_init: Abort, so_qlimit:%d\n", 96 inp->sctp_socket->so_qlimit); 97 /* 98 * FIX ME ?? What about TCP model and we have a 99 * match/restart case? 100 */ 101 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 102 vrf_id, table_id); 103 if (stcb) 104 *abort_no_unlock = 1; 105 return; 106 } 107 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 108 /* Invalid length */ 109 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 110 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 111 vrf_id, table_id); 112 if (stcb) 113 *abort_no_unlock = 1; 114 return; 115 } 116 /* validate parameters */ 117 if (init->initiate_tag == 0) { 118 /* protocol error... send abort */ 119 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 120 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 121 vrf_id, table_id); 122 if (stcb) 123 *abort_no_unlock = 1; 124 return; 125 } 126 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 127 /* invalid parameter... send abort */ 128 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 129 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 130 vrf_id, table_id); 131 return; 132 } 133 if (init->num_inbound_streams == 0) { 134 /* protocol error... send abort */ 135 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 136 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 137 vrf_id, table_id); 138 if (stcb) 139 *abort_no_unlock = 1; 140 return; 141 } 142 if (init->num_outbound_streams == 0) { 143 /* protocol error... send abort */ 144 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 145 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 146 vrf_id, table_id); 147 if (stcb) 148 *abort_no_unlock = 1; 149 return; 150 } 151 init_limit = offset + ntohs(cp->ch.chunk_length); 152 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 153 init_limit)) { 154 /* auth parameter(s) error... send abort */ 155 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id, 156 table_id); 157 if (stcb) 158 *abort_no_unlock = 1; 159 return; 160 } 161 /* send an INIT-ACK w/cookie */ 162 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n"); 163 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id, 164 table_id); 165} 166 167/* 168 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 169 */ 170static int 171sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 172 struct sctp_nets *net) 173{ 174 struct sctp_init *init; 175 struct sctp_association *asoc; 176 struct sctp_nets *lnet; 177 unsigned int i; 178 179 init = &cp->init; 180 asoc = &stcb->asoc; 181 /* save off parameters */ 182 asoc->peer_vtag = ntohl(init->initiate_tag); 183 asoc->peers_rwnd = ntohl(init->a_rwnd); 184 if (TAILQ_FIRST(&asoc->nets)) { 185 /* update any ssthresh's that may have a default */ 186 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 187 lnet->ssthresh = asoc->peers_rwnd; 188 189#if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 190 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 191#endif 192 193 } 194 } 195 SCTP_TCB_SEND_LOCK(stcb); 196 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 197 unsigned int newcnt; 198 struct sctp_stream_out *outs; 199 struct sctp_stream_queue_pending *sp; 200 201 /* cut back on number of streams */ 202 newcnt = ntohs(init->num_inbound_streams); 203 /* This if is probably not needed but I am cautious */ 204 if (asoc->strmout) { 205 /* First make sure no data chunks are trapped */ 206 for (i = newcnt; i < asoc->pre_open_streams; i++) { 207 outs = &asoc->strmout[i]; 208 sp = TAILQ_FIRST(&outs->outqueue); 209 while (sp) { 210 TAILQ_REMOVE(&outs->outqueue, sp, 211 next); 212 asoc->stream_queue_cnt--; 213 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 214 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 215 sp); 216 if (sp->data) { 217 sctp_m_freem(sp->data); 218 sp->data = NULL; 219 } 220 sctp_free_remote_addr(sp->net); 221 sp->net = NULL; 222 /* Free the chunk */ 223 SCTP_PRINTF("sp:%p tcb:%p weird free case\n", 224 sp, stcb); 225 226 sctp_free_a_strmoq(stcb, sp); 227 /* sa_ignore FREED_MEMORY */ 228 sp = TAILQ_FIRST(&outs->outqueue); 229 } 230 } 231 } 232 /* cut back the count and abandon the upper streams */ 233 asoc->pre_open_streams = newcnt; 234 } 235 SCTP_TCB_SEND_UNLOCK(stcb); 236 asoc->streamoutcnt = asoc->pre_open_streams; 237 /* init tsn's */ 238 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 239#ifdef SCTP_MAP_LOGGING 240 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 241#endif 242 /* This is the next one we expect */ 243 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 244 245 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 246 asoc->cumulative_tsn = asoc->asconf_seq_in; 247 asoc->last_echo_tsn = asoc->asconf_seq_in; 248 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 249 /* open the requested streams */ 250 if (asoc->strmin != NULL) { 251 /* Free the old ones */ 252 struct sctp_queued_to_read *ctl; 253 254 for (i = 0; i < asoc->streamincnt; i++) { 255 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 256 while (ctl) { 257 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 258 sctp_free_remote_addr(ctl->whoFrom); 259 sctp_m_freem(ctl->data); 260 ctl->data = NULL; 261 sctp_free_a_readq(stcb, ctl); 262 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 263 } 264 } 265 SCTP_FREE(asoc->strmin); 266 } 267 asoc->streamincnt = ntohs(init->num_outbound_streams); 268 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 269 asoc->streamincnt = MAX_SCTP_STREAMS; 270 } 271 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 272 sizeof(struct sctp_stream_in), "StreamsIn"); 273 if (asoc->strmin == NULL) { 274 /* we didn't get memory for the streams! */ 275 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n"); 276 return (-1); 277 } 278 for (i = 0; i < asoc->streamincnt; i++) { 279 asoc->strmin[i].stream_no = i; 280 asoc->strmin[i].last_sequence_delivered = 0xffff; 281 /* 282 * U-stream ranges will be set when the cookie is unpacked. 283 * Or for the INIT sender they are un set (if pr-sctp not 284 * supported) when the INIT-ACK arrives. 285 */ 286 TAILQ_INIT(&asoc->strmin[i].inqueue); 287 asoc->strmin[i].delivery_started = 0; 288 } 289 /* 290 * load_address_from_init will put the addresses into the 291 * association when the COOKIE is processed or the INIT-ACK is 292 * processed. Both types of COOKIE's existing and new call this 293 * routine. It will remove addresses that are no longer in the 294 * association (for the restarting case where addresses are 295 * removed). Up front when the INIT arrives we will discard it if it 296 * is a restart and new addresses have been added. 297 */ 298 /* sa_ignore MEMLEAK */ 299 return (0); 300} 301 302/* 303 * INIT-ACK message processing/consumption returns value < 0 on error 304 */ 305static int 306sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 307 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 308 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, 309 uint32_t table_id) 310{ 311 struct sctp_association *asoc; 312 struct mbuf *op_err; 313 int retval, abort_flag; 314 uint32_t initack_limit; 315 316 /* First verify that we have no illegal param's */ 317 abort_flag = 0; 318 op_err = NULL; 319 320 op_err = sctp_arethere_unrecognized_parameters(m, 321 (offset + sizeof(struct sctp_init_chunk)), 322 &abort_flag, (struct sctp_chunkhdr *)cp); 323 if (abort_flag) { 324 /* Send an abort and notify peer */ 325 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err); 326 *abort_no_unlock = 1; 327 return (-1); 328 } 329 asoc = &stcb->asoc; 330 /* process the peer's parameters in the INIT-ACK */ 331 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 332 if (retval < 0) { 333 return (retval); 334 } 335 initack_limit = offset + ntohs(cp->ch.chunk_length); 336 /* load all addresses */ 337 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 338 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 339 NULL))) { 340 /* Huh, we should abort */ 341 SCTPDBG(SCTP_DEBUG_INPUT1, 342 "Load addresses from INIT causes an abort %d\n", 343 retval); 344 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 345 NULL, 0, 0); 346 *abort_no_unlock = 1; 347 return (-1); 348 } 349 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 350 stcb->asoc.local_hmacs); 351 if (op_err) { 352 sctp_queue_op_err(stcb, op_err); 353 /* queuing will steal away the mbuf chain to the out queue */ 354 op_err = NULL; 355 } 356 /* extract the cookie and queue it to "echo" it back... */ 357 stcb->asoc.overall_error_count = 0; 358 net->error_count = 0; 359 360 /* 361 * Cancel the INIT timer, We do this first before queueing the 362 * cookie. We always cancel at the primary to assue that we are 363 * canceling the timer started by the INIT which always goes to the 364 * primary. 365 */ 366 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 367 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 368 369 /* calculate the RTO */ 370 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 371 372 retval = sctp_send_cookie_echo(m, offset, stcb, net); 373 if (retval < 0) { 374 /* 375 * No cookie, we probably should send a op error. But in any 376 * case if there is no cookie in the INIT-ACK, we can 377 * abandon the peer, its broke. 378 */ 379 if (retval == -3) { 380 /* We abort with an error of missing mandatory param */ 381 op_err = 382 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 383 if (op_err) { 384 /* 385 * Expand beyond to include the mandatory 386 * param cookie 387 */ 388 struct sctp_inv_mandatory_param *mp; 389 390 SCTP_BUF_LEN(op_err) = 391 sizeof(struct sctp_inv_mandatory_param); 392 mp = mtod(op_err, 393 struct sctp_inv_mandatory_param *); 394 /* Subtract the reserved param */ 395 mp->length = 396 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 397 mp->num_param = htonl(1); 398 mp->param = htons(SCTP_STATE_COOKIE); 399 mp->resv = 0; 400 } 401 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 402 sh, op_err, 0, 0); 403 *abort_no_unlock = 1; 404 } 405 return (retval); 406 } 407 return (0); 408} 409 410static void 411sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 412 struct sctp_tcb *stcb, struct sctp_nets *net) 413{ 414 struct sockaddr_storage store; 415 struct sockaddr_in *sin; 416 struct sockaddr_in6 *sin6; 417 struct sctp_nets *r_net; 418 struct timeval tv; 419 420 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 421 /* Invalid length */ 422 return; 423 } 424 sin = (struct sockaddr_in *)&store; 425 sin6 = (struct sockaddr_in6 *)&store; 426 427 memset(&store, 0, sizeof(store)); 428 if (cp->heartbeat.hb_info.addr_family == AF_INET && 429 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 430 sin->sin_family = cp->heartbeat.hb_info.addr_family; 431 sin->sin_len = cp->heartbeat.hb_info.addr_len; 432 sin->sin_port = stcb->rport; 433 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 434 sizeof(sin->sin_addr)); 435 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 436 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 437 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 438 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 439 sin6->sin6_port = stcb->rport; 440 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 441 sizeof(sin6->sin6_addr)); 442 } else { 443 return; 444 } 445 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 446 if (r_net == NULL) { 447 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n"); 448 return; 449 } 450 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 451 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 452 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 453 /* 454 * If the its a HB and it's random value is correct when can 455 * confirm the destination. 456 */ 457 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 458 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 459 stcb->asoc.primary_destination = r_net; 460 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY; 461 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 462 r_net = TAILQ_FIRST(&stcb->asoc.nets); 463 if (r_net != stcb->asoc.primary_destination) { 464 /* 465 * first one on the list is NOT the primary 466 * sctp_cmpaddr() is much more efficent if 467 * the primary is the first on the list, 468 * make it so. 469 */ 470 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 471 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 472 } 473 } 474 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 475 stcb, 0, (void *)r_net); 476 } 477 r_net->error_count = 0; 478 r_net->hb_responded = 1; 479 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 480 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 481 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 482 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 483 r_net->dest_state |= SCTP_ADDR_REACHABLE; 484 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 485 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 486 /* now was it the primary? if so restore */ 487 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 488 (void)sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 489 } 490 } 491 /* Now lets do a RTO with this */ 492 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 493} 494 495static void 496sctp_handle_abort(struct sctp_abort_chunk *cp, 497 struct sctp_tcb *stcb, struct sctp_nets *net) 498{ 499 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n"); 500 if (stcb == NULL) 501 return; 502 503 /* stop any receive timers */ 504 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 505 /* notify user of the abort and clean up... */ 506 sctp_abort_notification(stcb, 0); 507 /* free the tcb */ 508 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 509 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 510 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 511 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 512 } 513#ifdef SCTP_ASOCLOG_OF_TSNS 514 sctp_print_out_track_log(stcb); 515#endif 516 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 517 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n"); 518} 519 520static void 521sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 522 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 523{ 524 struct sctp_association *asoc; 525 int some_on_streamwheel; 526 527 SCTPDBG(SCTP_DEBUG_INPUT2, 528 "sctp_handle_shutdown: handling SHUTDOWN\n"); 529 if (stcb == NULL) 530 return; 531 asoc = &stcb->asoc; 532 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 533 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 534 return; 535 } 536 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 537 /* Shutdown NOT the expected size */ 538 return; 539 } else { 540 sctp_update_acked(stcb, cp, net, abort_flag); 541 } 542 if (asoc->control_pdapi) { 543 /* 544 * With a normal shutdown we assume the end of last record. 545 */ 546 SCTP_INP_READ_LOCK(stcb->sctp_ep); 547 asoc->control_pdapi->end_added = 1; 548 asoc->control_pdapi->pdapi_aborted = 1; 549 asoc->control_pdapi = NULL; 550 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 551 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 552 } 553 /* goto SHUTDOWN_RECEIVED state to block new requests */ 554 if (stcb->sctp_socket) { 555 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 556 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) && 557 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 558 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 559 /* 560 * notify upper layer that peer has initiated a 561 * shutdown 562 */ 563 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 564 565 /* reset time */ 566 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 567 } 568 } 569 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 570 /* 571 * stop the shutdown timer, since we WILL move to 572 * SHUTDOWN-ACK-SENT. 573 */ 574 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 575 } 576 /* Now are we there yet? */ 577 some_on_streamwheel = 0; 578 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 579 /* Check to see if some data queued */ 580 struct sctp_stream_out *outs; 581 582 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 583 if (!TAILQ_EMPTY(&outs->outqueue)) { 584 some_on_streamwheel = 1; 585 break; 586 } 587 } 588 } 589 if (!TAILQ_EMPTY(&asoc->send_queue) || 590 !TAILQ_EMPTY(&asoc->sent_queue) || 591 some_on_streamwheel) { 592 /* By returning we will push more data out */ 593 return; 594 } else { 595 /* no outstanding data to send, so move on... */ 596 /* send SHUTDOWN-ACK */ 597 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 598 /* move to SHUTDOWN-ACK-SENT state */ 599 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 600 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 601 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 602 } 603 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 604 605 /* start SHUTDOWN timer */ 606 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 607 stcb, net); 608 } 609} 610 611static void 612sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 613 struct sctp_tcb *stcb, struct sctp_nets *net) 614{ 615 struct sctp_association *asoc; 616 617 SCTPDBG(SCTP_DEBUG_INPUT2, 618 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 619 if (stcb == NULL) 620 return; 621 622 asoc = &stcb->asoc; 623 /* process according to association state */ 624 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 625 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 626 /* unexpected SHUTDOWN-ACK... so ignore... */ 627 SCTP_TCB_UNLOCK(stcb); 628 return; 629 } 630 if (asoc->control_pdapi) { 631 /* 632 * With a normal shutdown we assume the end of last record. 633 */ 634 SCTP_INP_READ_LOCK(stcb->sctp_ep); 635 asoc->control_pdapi->end_added = 1; 636 asoc->control_pdapi->pdapi_aborted = 1; 637 asoc->control_pdapi = NULL; 638 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 639 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 640 } 641 /* are the queues empty? */ 642 if (!TAILQ_EMPTY(&asoc->send_queue) || 643 !TAILQ_EMPTY(&asoc->sent_queue) || 644 !TAILQ_EMPTY(&asoc->out_wheel)) { 645 sctp_report_all_outbound(stcb, 0); 646 } 647 /* stop the timer */ 648 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 649 /* send SHUTDOWN-COMPLETE */ 650 sctp_send_shutdown_complete(stcb, net); 651 /* notify upper layer protocol */ 652 if (stcb->sctp_socket) { 653 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 654 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 655 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 656 /* Set the connected flag to disconnected */ 657 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 658 } 659 } 660 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 661 /* free the TCB but first save off the ep */ 662 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 663 SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 664} 665 666/* 667 * Skip past the param header and then we will find the chunk that caused the 668 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 669 * our peer must be broken. 670 */ 671static void 672sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 673 struct sctp_nets *net) 674{ 675 struct sctp_chunkhdr *chk; 676 677 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 678 switch (chk->chunk_type) { 679 case SCTP_ASCONF_ACK: 680 case SCTP_ASCONF: 681 sctp_asconf_cleanup(stcb, net); 682 break; 683 case SCTP_FORWARD_CUM_TSN: 684 stcb->asoc.peer_supports_prsctp = 0; 685 break; 686 default: 687 SCTPDBG(SCTP_DEBUG_INPUT2, 688 "Peer does not support chunk type %d(%x)??\n", 689 chk->chunk_type, (uint32_t) chk->chunk_type); 690 break; 691 } 692} 693 694/* 695 * Skip past the param header and then we will find the param that caused the 696 * problem. There are a number of param's in a ASCONF OR the prsctp param 697 * these will turn of specific features. 698 */ 699static void 700sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 701{ 702 struct sctp_paramhdr *pbad; 703 704 pbad = phdr + 1; 705 switch (ntohs(pbad->param_type)) { 706 /* pr-sctp draft */ 707 case SCTP_PRSCTP_SUPPORTED: 708 stcb->asoc.peer_supports_prsctp = 0; 709 break; 710 case SCTP_SUPPORTED_CHUNK_EXT: 711 break; 712 /* draft-ietf-tsvwg-addip-sctp */ 713 case SCTP_ECN_NONCE_SUPPORTED: 714 stcb->asoc.peer_supports_ecn_nonce = 0; 715 stcb->asoc.ecn_nonce_allowed = 0; 716 stcb->asoc.ecn_allowed = 0; 717 break; 718 case SCTP_ADD_IP_ADDRESS: 719 case SCTP_DEL_IP_ADDRESS: 720 case SCTP_SET_PRIM_ADDR: 721 stcb->asoc.peer_supports_asconf = 0; 722 break; 723 case SCTP_SUCCESS_REPORT: 724 case SCTP_ERROR_CAUSE_IND: 725 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n"); 726 SCTPDBG(SCTP_DEBUG_INPUT2, 727 "Turning off ASCONF to this strange peer\n"); 728 stcb->asoc.peer_supports_asconf = 0; 729 break; 730 default: 731 SCTPDBG(SCTP_DEBUG_INPUT2, 732 "Peer does not support param type %d(%x)??\n", 733 pbad->param_type, (uint32_t) pbad->param_type); 734 break; 735 } 736} 737 738static int 739sctp_handle_error(struct sctp_chunkhdr *ch, 740 struct sctp_tcb *stcb, struct sctp_nets *net) 741{ 742 int chklen; 743 struct sctp_paramhdr *phdr; 744 uint16_t error_type; 745 uint16_t error_len; 746 struct sctp_association *asoc; 747 748 int adjust; 749 750 /* parse through all of the errors and process */ 751 asoc = &stcb->asoc; 752 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 753 sizeof(struct sctp_chunkhdr)); 754 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 755 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 756 /* Process an Error Cause */ 757 error_type = ntohs(phdr->param_type); 758 error_len = ntohs(phdr->param_length); 759 if ((error_len > chklen) || (error_len == 0)) { 760 /* invalid param length for this param */ 761 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n", 762 chklen, error_len); 763 return (0); 764 } 765 switch (error_type) { 766 case SCTP_CAUSE_INVALID_STREAM: 767 case SCTP_CAUSE_MISSING_PARAM: 768 case SCTP_CAUSE_INVALID_PARAM: 769 case SCTP_CAUSE_NO_USER_DATA: 770 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n", 771 error_type); 772 break; 773 case SCTP_CAUSE_STALE_COOKIE: 774 /* 775 * We only act if we have echoed a cookie and are 776 * waiting. 777 */ 778 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 779 int *p; 780 781 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 782 /* Save the time doubled */ 783 asoc->cookie_preserve_req = ntohl(*p) << 1; 784 asoc->stale_cookie_count++; 785 if (asoc->stale_cookie_count > 786 asoc->max_init_times) { 787 sctp_abort_notification(stcb, 0); 788 /* now free the asoc */ 789 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 790 return (-1); 791 } 792 /* blast back to INIT state */ 793 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 794 asoc->state |= SCTP_STATE_COOKIE_WAIT; 795 796 sctp_stop_all_cookie_timers(stcb); 797 sctp_send_initiate(stcb->sctp_ep, stcb); 798 } 799 break; 800 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 801 /* 802 * Nothing we can do here, we don't do hostname 803 * addresses so if the peer does not like my IPv6 804 * (or IPv4 for that matter) it does not matter. If 805 * they don't support that type of address, they can 806 * NOT possibly get that packet type... i.e. with no 807 * IPv6 you can't recieve a IPv6 packet. so we can 808 * safely ignore this one. If we ever added support 809 * for HOSTNAME Addresses, then we would need to do 810 * something here. 811 */ 812 break; 813 case SCTP_CAUSE_UNRECOG_CHUNK: 814 sctp_process_unrecog_chunk(stcb, phdr, net); 815 break; 816 case SCTP_CAUSE_UNRECOG_PARAM: 817 sctp_process_unrecog_param(stcb, phdr); 818 break; 819 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 820 /* 821 * We ignore this since the timer will drive out a 822 * new cookie anyway and there timer will drive us 823 * to send a SHUTDOWN_COMPLETE. We can't send one 824 * here since we don't have their tag. 825 */ 826 break; 827 case SCTP_CAUSE_DELETING_LAST_ADDR: 828 case SCTP_CAUSE_RESOURCE_SHORTAGE: 829 case SCTP_CAUSE_DELETING_SRC_ADDR: 830 /* 831 * We should NOT get these here, but in a 832 * ASCONF-ACK. 833 */ 834 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n", 835 error_type); 836 break; 837 case SCTP_CAUSE_OUT_OF_RESC: 838 /* 839 * And what, pray tell do we do with the fact that 840 * the peer is out of resources? Not really sure we 841 * could do anything but abort. I suspect this 842 * should have came WITH an abort instead of in a 843 * OP-ERROR. 844 */ 845 break; 846 default: 847 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n", 848 error_type); 849 break; 850 } 851 adjust = SCTP_SIZE32(error_len); 852 chklen -= adjust; 853 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 854 } 855 return (0); 856} 857 858static int 859sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, 860 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 861 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, 862 uint32_t table_id) 863{ 864 struct sctp_init_ack *init_ack; 865 int *state; 866 struct mbuf *op_err; 867 868 SCTPDBG(SCTP_DEBUG_INPUT2, 869 "sctp_handle_init_ack: handling INIT-ACK\n"); 870 871 if (stcb == NULL) { 872 SCTPDBG(SCTP_DEBUG_INPUT2, 873 "sctp_handle_init_ack: TCB is null\n"); 874 return (-1); 875 } 876 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 877 /* Invalid length */ 878 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 879 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 880 op_err, 0, 0); 881 *abort_no_unlock = 1; 882 return (-1); 883 } 884 init_ack = &cp->init; 885 /* validate parameters */ 886 if (init_ack->initiate_tag == 0) { 887 /* protocol error... send an abort */ 888 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 889 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 890 op_err, 0, 0); 891 *abort_no_unlock = 1; 892 return (-1); 893 } 894 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 895 /* protocol error... send an abort */ 896 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 897 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 898 op_err, 0, 0); 899 *abort_no_unlock = 1; 900 return (-1); 901 } 902 if (init_ack->num_inbound_streams == 0) { 903 /* protocol error... send an abort */ 904 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 905 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 906 op_err, 0, 0); 907 *abort_no_unlock = 1; 908 return (-1); 909 } 910 if (init_ack->num_outbound_streams == 0) { 911 /* protocol error... send an abort */ 912 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 913 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 914 op_err, 0, 0); 915 *abort_no_unlock = 1; 916 return (-1); 917 } 918 /* process according to association state... */ 919 state = &stcb->asoc.state; 920 switch (*state & SCTP_STATE_MASK) { 921 case SCTP_STATE_COOKIE_WAIT: 922 /* this is the expected state for this chunk */ 923 /* process the INIT-ACK parameters */ 924 if (stcb->asoc.primary_destination->dest_state & 925 SCTP_ADDR_UNCONFIRMED) { 926 /* 927 * The primary is where we sent the INIT, we can 928 * always consider it confirmed when the INIT-ACK is 929 * returned. Do this before we load addresses 930 * though. 931 */ 932 stcb->asoc.primary_destination->dest_state &= 933 ~SCTP_ADDR_UNCONFIRMED; 934 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 935 stcb, 0, (void *)stcb->asoc.primary_destination); 936 } 937 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, 938 net, abort_no_unlock, vrf_id, 939 table_id) < 0) { 940 /* error in parsing parameters */ 941 return (-1); 942 } 943 /* update our state */ 944 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n"); 945 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 946 *state = SCTP_STATE_COOKIE_ECHOED | 947 SCTP_STATE_SHUTDOWN_PENDING; 948 } else { 949 *state = SCTP_STATE_COOKIE_ECHOED; 950 } 951 952 /* reset the RTO calc */ 953 stcb->asoc.overall_error_count = 0; 954 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 955 /* 956 * collapse the init timer back in case of a exponential 957 * backoff 958 */ 959 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 960 stcb, net); 961 /* 962 * the send at the end of the inbound data processing will 963 * cause the cookie to be sent 964 */ 965 break; 966 case SCTP_STATE_SHUTDOWN_SENT: 967 /* incorrect state... discard */ 968 break; 969 case SCTP_STATE_COOKIE_ECHOED: 970 /* incorrect state... discard */ 971 break; 972 case SCTP_STATE_OPEN: 973 /* incorrect state... discard */ 974 break; 975 case SCTP_STATE_EMPTY: 976 case SCTP_STATE_INUSE: 977 default: 978 /* incorrect state... discard */ 979 return (-1); 980 break; 981 } 982 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n"); 983 return (0); 984} 985 986 987/* 988 * handle a state cookie for an existing association m: input packet mbuf 989 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 990 * "split" mbuf and the cookie signature does not exist offset: offset into 991 * mbuf to the cookie-echo chunk 992 */ 993static struct sctp_tcb * 994sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 995 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 996 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 997 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id, 998 uint32_t vrf_id, uint32_t table_id) 999{ 1000 struct sctp_association *asoc; 1001 struct sctp_init_chunk *init_cp, init_buf; 1002 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1003 int chk_length; 1004 int init_offset, initack_offset, i; 1005 int retval; 1006 int spec_flag = 0; 1007 int how_indx; 1008 1009 /* I know that the TCB is non-NULL from the caller */ 1010 asoc = &stcb->asoc; 1011 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1012 if (asoc->cookie_how[how_indx] == 0) 1013 break; 1014 } 1015 if (how_indx < sizeof(asoc->cookie_how)) { 1016 asoc->cookie_how[how_indx] = 1; 1017 } 1018 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1019 /* SHUTDOWN came in after sending INIT-ACK */ 1020 struct mbuf *op_err; 1021 struct sctp_paramhdr *ph; 1022 1023 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1024 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1025 0, M_DONTWAIT, 1, MT_DATA); 1026 if (op_err == NULL) { 1027 /* FOOBAR */ 1028 return (NULL); 1029 } 1030 /* pre-reserve some space */ 1031 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1032 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1033 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1034 /* Set the len */ 1035 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1036 ph = mtod(op_err, struct sctp_paramhdr *); 1037 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1038 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1039 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 1040 vrf_id, table_id); 1041 if (how_indx < sizeof(asoc->cookie_how)) 1042 asoc->cookie_how[how_indx] = 2; 1043 return (NULL); 1044 } 1045 /* 1046 * find and validate the INIT chunk in the cookie (peer's info) the 1047 * INIT should start after the cookie-echo header struct (chunk 1048 * header, state cookie header struct) 1049 */ 1050 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1051 1052 init_cp = (struct sctp_init_chunk *) 1053 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1054 (uint8_t *) & init_buf); 1055 if (init_cp == NULL) { 1056 /* could not pull a INIT chunk in cookie */ 1057 return (NULL); 1058 } 1059 chk_length = ntohs(init_cp->ch.chunk_length); 1060 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1061 return (NULL); 1062 } 1063 /* 1064 * find and validate the INIT-ACK chunk in the cookie (my info) the 1065 * INIT-ACK follows the INIT chunk 1066 */ 1067 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1068 initack_cp = (struct sctp_init_ack_chunk *) 1069 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1070 (uint8_t *) & initack_buf); 1071 if (initack_cp == NULL) { 1072 /* could not pull INIT-ACK chunk in cookie */ 1073 return (NULL); 1074 } 1075 chk_length = ntohs(initack_cp->ch.chunk_length); 1076 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1077 return (NULL); 1078 } 1079 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1080 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1081 /* 1082 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1083 * to get into the OPEN state 1084 */ 1085 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1086#ifdef INVARIANTS 1087 panic("Case D and non-match seq?"); 1088#else 1089 SCTP_PRINTF("Case D, seq non-match %x vs %x?\n", 1090 ntohl(initack_cp->init.initial_tsn), 1091 asoc->init_seq_number); 1092#endif 1093 } 1094 switch SCTP_GET_STATE 1095 (asoc) { 1096 case SCTP_STATE_COOKIE_WAIT: 1097 case SCTP_STATE_COOKIE_ECHOED: 1098 /* 1099 * INIT was sent but got a COOKIE_ECHO with the 1100 * correct tags... just accept it...but we must 1101 * process the init so that we can make sure we have 1102 * the right seq no's. 1103 */ 1104 /* First we must process the INIT !! */ 1105 retval = sctp_process_init(init_cp, stcb, net); 1106 if (retval < 0) { 1107 if (how_indx < sizeof(asoc->cookie_how)) 1108 asoc->cookie_how[how_indx] = 3; 1109 return (NULL); 1110 } 1111 /* we have already processed the INIT so no problem */ 1112 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1113 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1114 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1115 /* update current state */ 1116 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1117 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1118 else 1119 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1120 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1121 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1122 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1123 stcb->sctp_ep, stcb, asoc->primary_destination); 1124 1125 } else { 1126 /* if ok, move to OPEN state */ 1127 asoc->state = SCTP_STATE_OPEN; 1128 } 1129 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1130 sctp_stop_all_cookie_timers(stcb); 1131 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1132 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1133 (inp->sctp_socket->so_qlimit == 0) 1134 ) { 1135 /* 1136 * Here is where collision would go if we 1137 * did a connect() and instead got a 1138 * init/init-ack/cookie done before the 1139 * init-ack came back.. 1140 */ 1141 stcb->sctp_ep->sctp_flags |= 1142 SCTP_PCB_FLAGS_CONNECTED; 1143 soisconnected(stcb->sctp_ep->sctp_socket); 1144 } 1145 /* notify upper layer */ 1146 *notification = SCTP_NOTIFY_ASSOC_UP; 1147 /* 1148 * since we did not send a HB make sure we don't 1149 * double things 1150 */ 1151 net->hb_responded = 1; 1152 1153 if (stcb->asoc.sctp_autoclose_ticks && 1154 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1155 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1156 inp, stcb, NULL); 1157 } 1158 break; 1159 default: 1160 /* 1161 * we're in the OPEN state (or beyond), so peer must 1162 * have simply lost the COOKIE-ACK 1163 */ 1164 break; 1165 } /* end switch */ 1166 sctp_stop_all_cookie_timers(stcb); 1167 /* 1168 * We ignore the return code here.. not sure if we should 1169 * somehow abort.. but we do have an existing asoc. This 1170 * really should not fail. 1171 */ 1172 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1173 init_offset + sizeof(struct sctp_init_chunk), 1174 initack_offset, sh, init_src)) { 1175 if (how_indx < sizeof(asoc->cookie_how)) 1176 asoc->cookie_how[how_indx] = 4; 1177 return (NULL); 1178 } 1179 /* respond with a COOKIE-ACK */ 1180 sctp_toss_old_cookies(stcb, asoc); 1181 sctp_send_cookie_ack(stcb); 1182 if (how_indx < sizeof(asoc->cookie_how)) 1183 asoc->cookie_how[how_indx] = 5; 1184 return (stcb); 1185 } 1186 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1187 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1188 cookie->tie_tag_my_vtag == 0 && 1189 cookie->tie_tag_peer_vtag == 0) { 1190 /* 1191 * case C in Section 5.2.4 Table 2: XMOO silently discard 1192 */ 1193 if (how_indx < sizeof(asoc->cookie_how)) 1194 asoc->cookie_how[how_indx] = 6; 1195 return (NULL); 1196 } 1197 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1198 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1199 init_cp->init.initiate_tag == 0)) { 1200 /* 1201 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1202 * should be ok, re-accept peer info 1203 */ 1204 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1205 /* 1206 * Extension of case C. If we hit this, then the 1207 * random number generator returned the same vtag 1208 * when we first sent our INIT-ACK and when we later 1209 * sent our INIT. The side with the seq numbers that 1210 * are different will be the one that normnally 1211 * would have hit case C. This in effect "extends" 1212 * our vtags in this collision case to be 64 bits. 1213 * The same collision could occur aka you get both 1214 * vtag and seq number the same twice in a row.. but 1215 * is much less likely. If it did happen then we 1216 * would proceed through and bring up the assoc.. we 1217 * may end up with the wrong stream setup however.. 1218 * which would be bad.. but there is no way to 1219 * tell.. until we send on a stream that does not 1220 * exist :-) 1221 */ 1222 if (how_indx < sizeof(asoc->cookie_how)) 1223 asoc->cookie_how[how_indx] = 7; 1224 1225 return (NULL); 1226 } 1227 if (how_indx < sizeof(asoc->cookie_how)) 1228 asoc->cookie_how[how_indx] = 8; 1229 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1230 sctp_stop_all_cookie_timers(stcb); 1231 /* 1232 * since we did not send a HB make sure we don't double 1233 * things 1234 */ 1235 net->hb_responded = 1; 1236 if (stcb->asoc.sctp_autoclose_ticks && 1237 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1238 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1239 NULL); 1240 } 1241 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1242 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1243 1244 /* Note last_cwr_tsn? where is this used? */ 1245 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1246 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1247 /* 1248 * Ok the peer probably discarded our data (if we 1249 * echoed a cookie+data). So anything on the 1250 * sent_queue should be marked for retransmit, we 1251 * may not get something to kick us so it COULD 1252 * still take a timeout to move these.. but it can't 1253 * hurt to mark them. 1254 */ 1255 struct sctp_tmit_chunk *chk; 1256 1257 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1258 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1259 chk->sent = SCTP_DATAGRAM_RESEND; 1260 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1261 spec_flag++; 1262 } 1263 } 1264 1265 } 1266 /* process the INIT info (peer's info) */ 1267 retval = sctp_process_init(init_cp, stcb, net); 1268 if (retval < 0) { 1269 if (how_indx < sizeof(asoc->cookie_how)) 1270 asoc->cookie_how[how_indx] = 9; 1271 return (NULL); 1272 } 1273 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1274 init_offset + sizeof(struct sctp_init_chunk), 1275 initack_offset, sh, init_src)) { 1276 if (how_indx < sizeof(asoc->cookie_how)) 1277 asoc->cookie_how[how_indx] = 10; 1278 return (NULL); 1279 } 1280 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1281 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1282 *notification = SCTP_NOTIFY_ASSOC_UP; 1283 1284 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1285 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1286 (inp->sctp_socket->so_qlimit == 0)) { 1287 stcb->sctp_ep->sctp_flags |= 1288 SCTP_PCB_FLAGS_CONNECTED; 1289 soisconnected(stcb->sctp_ep->sctp_socket); 1290 } 1291 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1292 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1293 else 1294 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1295 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1296 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1297 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1298 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1299 } else { 1300 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1301 } 1302 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1303 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1304 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1305 stcb->sctp_ep, stcb, asoc->primary_destination); 1306 1307 } else { 1308 asoc->state = SCTP_STATE_OPEN; 1309 } 1310 sctp_stop_all_cookie_timers(stcb); 1311 sctp_toss_old_cookies(stcb, asoc); 1312 sctp_send_cookie_ack(stcb); 1313 if (spec_flag) { 1314 /* 1315 * only if we have retrans set do we do this. What 1316 * this call does is get only the COOKIE-ACK out and 1317 * then when we return the normal call to 1318 * sctp_chunk_output will get the retrans out behind 1319 * this. 1320 */ 1321 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK); 1322 } 1323 if (how_indx < sizeof(asoc->cookie_how)) 1324 asoc->cookie_how[how_indx] = 11; 1325 1326 return (stcb); 1327 } 1328 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1329 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1330 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1331 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1332 cookie->tie_tag_peer_vtag != 0) { 1333 struct sctpasochead *head; 1334 1335 /* 1336 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1337 */ 1338 /* temp code */ 1339 if (how_indx < sizeof(asoc->cookie_how)) 1340 asoc->cookie_how[how_indx] = 12; 1341 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1342 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1343 1344 *sac_assoc_id = sctp_get_associd(stcb); 1345 /* notify upper layer */ 1346 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1347 atomic_add_int(&stcb->asoc.refcnt, 1); 1348 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1349 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1350 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1351 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1352 } 1353 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1354 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1355 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1356 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1357 } 1358 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1359 asoc->state = SCTP_STATE_OPEN | 1360 SCTP_STATE_SHUTDOWN_PENDING; 1361 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1362 stcb->sctp_ep, stcb, asoc->primary_destination); 1363 1364 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1365 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1366 asoc->state = SCTP_STATE_OPEN; 1367 } 1368 asoc->pre_open_streams = 1369 ntohs(initack_cp->init.num_outbound_streams); 1370 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1371 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1372 1373 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1374 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1375 1376 asoc->str_reset_seq_in = asoc->init_seq_number; 1377 1378 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1379 if (asoc->mapping_array) 1380 memset(asoc->mapping_array, 0, 1381 asoc->mapping_array_size); 1382 SCTP_TCB_UNLOCK(stcb); 1383 SCTP_INP_INFO_WLOCK(); 1384 SCTP_INP_WLOCK(stcb->sctp_ep); 1385 SCTP_TCB_LOCK(stcb); 1386 atomic_add_int(&stcb->asoc.refcnt, -1); 1387 /* send up all the data */ 1388 SCTP_TCB_SEND_LOCK(stcb); 1389 1390 sctp_report_all_outbound(stcb, 1); 1391 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1392 stcb->asoc.strmout[i].stream_no = i; 1393 stcb->asoc.strmout[i].next_sequence_sent = 0; 1394 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1395 } 1396 /* process the INIT-ACK info (my info) */ 1397 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1398 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1399 1400 /* pull from vtag hash */ 1401 LIST_REMOVE(stcb, sctp_asocs); 1402 /* re-insert to new vtag position */ 1403 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1404 sctppcbinfo.hashasocmark)]; 1405 /* 1406 * put it in the bucket in the vtag hash of assoc's for the 1407 * system 1408 */ 1409 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1410 1411 /* Is this the first restart? */ 1412 if (stcb->asoc.in_restart_hash == 0) { 1413 /* Ok add it to assoc_id vtag hash */ 1414 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1415 sctppcbinfo.hashrestartmark)]; 1416 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1417 stcb->asoc.in_restart_hash = 1; 1418 } 1419 /* process the INIT info (peer's info) */ 1420 SCTP_TCB_SEND_UNLOCK(stcb); 1421 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1422 SCTP_INP_INFO_WUNLOCK(); 1423 1424 retval = sctp_process_init(init_cp, stcb, net); 1425 if (retval < 0) { 1426 if (how_indx < sizeof(asoc->cookie_how)) 1427 asoc->cookie_how[how_indx] = 13; 1428 1429 return (NULL); 1430 } 1431 /* 1432 * since we did not send a HB make sure we don't double 1433 * things 1434 */ 1435 net->hb_responded = 1; 1436 1437 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1438 init_offset + sizeof(struct sctp_init_chunk), 1439 initack_offset, sh, init_src)) { 1440 if (how_indx < sizeof(asoc->cookie_how)) 1441 asoc->cookie_how[how_indx] = 14; 1442 1443 return (NULL); 1444 } 1445 /* respond with a COOKIE-ACK */ 1446 sctp_stop_all_cookie_timers(stcb); 1447 sctp_toss_old_cookies(stcb, asoc); 1448 sctp_send_cookie_ack(stcb); 1449 if (how_indx < sizeof(asoc->cookie_how)) 1450 asoc->cookie_how[how_indx] = 15; 1451 1452 return (stcb); 1453 } 1454 if (how_indx < sizeof(asoc->cookie_how)) 1455 asoc->cookie_how[how_indx] = 16; 1456 /* all other cases... */ 1457 return (NULL); 1458} 1459 1460 1461/* 1462 * handle a state cookie for a new association m: input packet mbuf chain-- 1463 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1464 * and the cookie signature does not exist offset: offset into mbuf to the 1465 * cookie-echo chunk length: length of the cookie chunk to: where the init 1466 * was from returns a new TCB 1467 */ 1468static struct sctp_tcb * 1469sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1470 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1471 struct sctp_inpcb *inp, struct sctp_nets **netp, 1472 struct sockaddr *init_src, int *notification, 1473 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1474 uint32_t vrf_id, uint32_t table_id) 1475{ 1476 struct sctp_tcb *stcb; 1477 struct sctp_init_chunk *init_cp, init_buf; 1478 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1479 struct sockaddr_storage sa_store; 1480 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1481 struct sockaddr_in *sin; 1482 struct sockaddr_in6 *sin6; 1483 struct sctp_association *asoc; 1484 int chk_length; 1485 int init_offset, initack_offset, initack_limit; 1486 int retval; 1487 int error = 0; 1488 uint32_t old_tag; 1489 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1490 1491 /* 1492 * find and validate the INIT chunk in the cookie (peer's info) the 1493 * INIT should start after the cookie-echo header struct (chunk 1494 * header, state cookie header struct) 1495 */ 1496 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1497 init_cp = (struct sctp_init_chunk *) 1498 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1499 (uint8_t *) & init_buf); 1500 if (init_cp == NULL) { 1501 /* could not pull a INIT chunk in cookie */ 1502 SCTPDBG(SCTP_DEBUG_INPUT1, 1503 "process_cookie_new: could not pull INIT chunk hdr\n"); 1504 return (NULL); 1505 } 1506 chk_length = ntohs(init_cp->ch.chunk_length); 1507 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1508 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n"); 1509 return (NULL); 1510 } 1511 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1512 /* 1513 * find and validate the INIT-ACK chunk in the cookie (my info) the 1514 * INIT-ACK follows the INIT chunk 1515 */ 1516 initack_cp = (struct sctp_init_ack_chunk *) 1517 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1518 (uint8_t *) & initack_buf); 1519 if (initack_cp == NULL) { 1520 /* could not pull INIT-ACK chunk in cookie */ 1521 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1522 return (NULL); 1523 } 1524 chk_length = ntohs(initack_cp->ch.chunk_length); 1525 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1526 return (NULL); 1527 } 1528 /* 1529 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1530 * "initack_limit" value. This is because the chk_length field 1531 * includes the length of the cookie, but the cookie is omitted when 1532 * the INIT and INIT_ACK are tacked onto the cookie... 1533 */ 1534 initack_limit = offset + cookie_len; 1535 1536 /* 1537 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1538 * and popluate 1539 */ 1540 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1541 ntohl(initack_cp->init.initiate_tag), vrf_id); 1542 if (stcb == NULL) { 1543 struct mbuf *op_err; 1544 1545 /* memory problem? */ 1546 SCTPDBG(SCTP_DEBUG_INPUT1, 1547 "process_cookie_new: no room for another TCB!\n"); 1548 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1549 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1550 sh, op_err, vrf_id, table_id); 1551 return (NULL); 1552 } 1553 /* get the correct sctp_nets */ 1554 if (netp) 1555 *netp = sctp_findnet(stcb, init_src); 1556 1557 asoc = &stcb->asoc; 1558 /* save the table id (vrf_id is done in aloc_assoc) */ 1559 asoc->table_id = table_id; 1560 /* get scope variables out of cookie */ 1561 asoc->ipv4_local_scope = cookie->ipv4_scope; 1562 asoc->site_scope = cookie->site_scope; 1563 asoc->local_scope = cookie->local_scope; 1564 asoc->loopback_scope = cookie->loopback_scope; 1565 1566 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1567 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1568 struct mbuf *op_err; 1569 1570 /* 1571 * Houston we have a problem. The EP changed while the 1572 * cookie was in flight. Only recourse is to abort the 1573 * association. 1574 */ 1575 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1576 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1577 sh, op_err, vrf_id, table_id); 1578 return (NULL); 1579 } 1580 /* process the INIT-ACK info (my info) */ 1581 old_tag = asoc->my_vtag; 1582 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1583 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1584 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1585 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1586 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1587 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1588 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1589 asoc->str_reset_seq_in = asoc->init_seq_number; 1590 1591 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1592 1593 /* process the INIT info (peer's info) */ 1594 if (netp) 1595 retval = sctp_process_init(init_cp, stcb, *netp); 1596 else 1597 retval = 0; 1598 if (retval < 0) { 1599 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1600 return (NULL); 1601 } 1602 /* load all addresses */ 1603 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1604 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1605 init_src)) { 1606 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 1607 return (NULL); 1608 } 1609 /* 1610 * verify any preceding AUTH chunk that was skipped 1611 */ 1612 /* pull the local authentication parameters from the cookie/init-ack */ 1613 sctp_auth_get_cookie_params(stcb, m, 1614 initack_offset + sizeof(struct sctp_init_ack_chunk), 1615 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1616 if (auth_skipped) { 1617 struct sctp_auth_chunk *auth; 1618 1619 auth = (struct sctp_auth_chunk *) 1620 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 1621 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { 1622 /* auth HMAC failed, dump the assoc and packet */ 1623 SCTPDBG(SCTP_DEBUG_AUTH1, 1624 "COOKIE-ECHO: AUTH failed\n"); 1625 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 1626 return (NULL); 1627 } else { 1628 /* remaining chunks checked... good to go */ 1629 stcb->asoc.authenticated = 1; 1630 } 1631 } 1632 /* update current state */ 1633 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 1634 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1635 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1636 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1637 stcb->sctp_ep, stcb, asoc->primary_destination); 1638 } else { 1639 asoc->state = SCTP_STATE_OPEN; 1640 } 1641 sctp_stop_all_cookie_timers(stcb); 1642 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1643 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1644 1645 /* 1646 * if we're doing ASCONFs, check to see if we have any new local 1647 * addresses that need to get added to the peer (eg. addresses 1648 * changed while cookie echo in flight). This needs to be done 1649 * after we go to the OPEN state to do the correct asconf 1650 * processing. else, make sure we have the correct addresses in our 1651 * lists 1652 */ 1653 1654 /* warning, we re-use sin, sin6, sa_store here! */ 1655 /* pull in local_address (our "from" address) */ 1656 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1657 /* source addr is IPv4 */ 1658 sin = (struct sockaddr_in *)initack_src; 1659 memset(sin, 0, sizeof(*sin)); 1660 sin->sin_family = AF_INET; 1661 sin->sin_len = sizeof(struct sockaddr_in); 1662 sin->sin_addr.s_addr = cookie->laddress[0]; 1663 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1664 /* source addr is IPv6 */ 1665 sin6 = (struct sockaddr_in6 *)initack_src; 1666 memset(sin6, 0, sizeof(*sin6)); 1667 sin6->sin6_family = AF_INET6; 1668 sin6->sin6_len = sizeof(struct sockaddr_in6); 1669 sin6->sin6_scope_id = cookie->scope_id; 1670 memcpy(&sin6->sin6_addr, cookie->laddress, 1671 sizeof(sin6->sin6_addr)); 1672 } else { 1673 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 1674 return (NULL); 1675 } 1676 1677 sctp_check_address_list(stcb, m, 1678 initack_offset + sizeof(struct sctp_init_ack_chunk), 1679 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1680 initack_src, cookie->local_scope, cookie->site_scope, 1681 cookie->ipv4_scope, cookie->loopback_scope); 1682 1683 1684 /* set up to notify upper layer */ 1685 *notification = SCTP_NOTIFY_ASSOC_UP; 1686 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1687 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1688 (inp->sctp_socket->so_qlimit == 0)) { 1689 /* 1690 * This is an endpoint that called connect() how it got a 1691 * cookie that is NEW is a bit of a mystery. It must be that 1692 * the INIT was sent, but before it got there.. a complete 1693 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1694 * should have went to the other code.. not here.. oh well.. 1695 * a bit of protection is worth having.. 1696 */ 1697 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1698 soisconnected(stcb->sctp_ep->sctp_socket); 1699 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1700 (inp->sctp_socket->so_qlimit)) { 1701 /* 1702 * We don't want to do anything with this one. Since it is 1703 * the listening guy. The timer will get started for 1704 * accepted connections in the caller. 1705 */ 1706 ; 1707 } 1708 /* since we did not send a HB make sure we don't double things */ 1709 if ((netp) && (*netp)) 1710 (*netp)->hb_responded = 1; 1711 1712 if (stcb->asoc.sctp_autoclose_ticks && 1713 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1714 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1715 } 1716 /* respond with a COOKIE-ACK */ 1717 /* calculate the RTT */ 1718 if ((netp) && (*netp)) 1719 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1720 &cookie->time_entered); 1721 sctp_send_cookie_ack(stcb); 1722 return (stcb); 1723} 1724 1725 1726/* 1727 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1728 * existing (non-NULL) TCB 1729 */ 1730static struct mbuf * 1731sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1732 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1733 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1734 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1735 struct sctp_tcb **locked_tcb, uint32_t vrf_id, uint32_t table_id) 1736{ 1737 struct sctp_state_cookie *cookie; 1738 struct sockaddr_in6 sin6; 1739 struct sockaddr_in sin; 1740 struct sctp_tcb *l_stcb = *stcb; 1741 struct sctp_inpcb *l_inp; 1742 struct sockaddr *to; 1743 sctp_assoc_t sac_restart_id; 1744 struct sctp_pcb *ep; 1745 struct mbuf *m_sig; 1746 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1747 uint8_t *sig; 1748 uint8_t cookie_ok = 0; 1749 unsigned int size_of_pkt, sig_offset, cookie_offset; 1750 unsigned int cookie_len; 1751 struct timeval now; 1752 struct timeval time_expires; 1753 struct sockaddr_storage dest_store; 1754 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1755 struct ip *iph; 1756 int notification = 0; 1757 struct sctp_nets *netl; 1758 int had_a_existing_tcb = 0; 1759 1760 SCTPDBG(SCTP_DEBUG_INPUT2, 1761 "sctp_handle_cookie: handling COOKIE-ECHO\n"); 1762 1763 if (inp_p == NULL) { 1764 return (NULL); 1765 } 1766 /* First get the destination address setup too. */ 1767 iph = mtod(m, struct ip *); 1768 if (iph->ip_v == IPVERSION) { 1769 /* its IPv4 */ 1770 struct sockaddr_in *sin; 1771 1772 sin = (struct sockaddr_in *)(localep_sa); 1773 memset(sin, 0, sizeof(*sin)); 1774 sin->sin_family = AF_INET; 1775 sin->sin_len = sizeof(*sin); 1776 sin->sin_port = sh->dest_port; 1777 sin->sin_addr.s_addr = iph->ip_dst.s_addr; 1778 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 1779 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1780 /* its IPv6 */ 1781 struct ip6_hdr *ip6; 1782 struct sockaddr_in6 *sin6; 1783 1784 sin6 = (struct sockaddr_in6 *)(localep_sa); 1785 memset(sin6, 0, sizeof(*sin6)); 1786 sin6->sin6_family = AF_INET6; 1787 sin6->sin6_len = sizeof(struct sockaddr_in6); 1788 ip6 = mtod(m, struct ip6_hdr *); 1789 sin6->sin6_port = sh->dest_port; 1790 sin6->sin6_addr = ip6->ip6_dst; 1791 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 1792 } else { 1793 return (NULL); 1794 } 1795 1796 cookie = &cp->cookie; 1797 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1798 cookie_len = ntohs(cp->ch.chunk_length); 1799 1800 if ((cookie->peerport != sh->src_port) && 1801 (cookie->myport != sh->dest_port) && 1802 (cookie->my_vtag != sh->v_tag)) { 1803 /* 1804 * invalid ports or bad tag. Note that we always leave the 1805 * v_tag in the header in network order and when we stored 1806 * it in the my_vtag slot we also left it in network order. 1807 * This maintains the match even though it may be in the 1808 * opposite byte order of the machine :-> 1809 */ 1810 return (NULL); 1811 } 1812 if (cookie_len > size_of_pkt || 1813 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1814 sizeof(struct sctp_init_chunk) + 1815 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1816 /* cookie too long! or too small */ 1817 return (NULL); 1818 } 1819 /* 1820 * split off the signature into its own mbuf (since it should not be 1821 * calculated in the sctp_hmac_m() call). 1822 */ 1823 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1824 if (sig_offset > size_of_pkt) { 1825 /* packet not correct size! */ 1826 /* XXX this may already be accounted for earlier... */ 1827 return (NULL); 1828 } 1829 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1830 if (m_sig == NULL) { 1831 /* out of memory or ?? */ 1832 return (NULL); 1833 } 1834 /* 1835 * compute the signature/digest for the cookie 1836 */ 1837 ep = &(*inp_p)->sctp_ep; 1838 l_inp = *inp_p; 1839 if (l_stcb) { 1840 SCTP_TCB_UNLOCK(l_stcb); 1841 } 1842 SCTP_INP_RLOCK(l_inp); 1843 if (l_stcb) { 1844 SCTP_TCB_LOCK(l_stcb); 1845 } 1846 /* which cookie is it? */ 1847 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1848 (ep->current_secret_number != ep->last_secret_number)) { 1849 /* it's the old cookie */ 1850 (void)sctp_hmac_m(SCTP_HMAC, 1851 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1852 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1853 } else { 1854 /* it's the current cookie */ 1855 (void)sctp_hmac_m(SCTP_HMAC, 1856 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1857 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1858 } 1859 /* get the signature */ 1860 SCTP_INP_RUNLOCK(l_inp); 1861 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1862 if (sig == NULL) { 1863 /* couldn't find signature */ 1864 sctp_m_freem(m_sig); 1865 return (NULL); 1866 } 1867 /* compare the received digest with the computed digest */ 1868 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1869 /* try the old cookie? */ 1870 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1871 (ep->current_secret_number != ep->last_secret_number)) { 1872 /* compute digest with old */ 1873 (void)sctp_hmac_m(SCTP_HMAC, 1874 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1875 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1876 /* compare */ 1877 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1878 cookie_ok = 1; 1879 } 1880 } else { 1881 cookie_ok = 1; 1882 } 1883 1884 /* 1885 * Now before we continue we must reconstruct our mbuf so that 1886 * normal processing of any other chunks will work. 1887 */ 1888 { 1889 struct mbuf *m_at; 1890 1891 m_at = m; 1892 while (SCTP_BUF_NEXT(m_at) != NULL) { 1893 m_at = SCTP_BUF_NEXT(m_at); 1894 } 1895 SCTP_BUF_NEXT(m_at) = m_sig; 1896 } 1897 1898 if (cookie_ok == 0) { 1899 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n"); 1900 SCTPDBG(SCTP_DEBUG_INPUT2, 1901 "offset = %u, cookie_offset = %u, sig_offset = %u\n", 1902 (uint32_t) offset, cookie_offset, sig_offset); 1903 return (NULL); 1904 } 1905 /* 1906 * check the cookie timestamps to be sure it's not stale 1907 */ 1908 (void)SCTP_GETTIME_TIMEVAL(&now); 1909 /* Expire time is in Ticks, so we convert to seconds */ 1910 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life); 1911 time_expires.tv_usec = cookie->time_entered.tv_usec; 1912 if (timevalcmp(&now, &time_expires, >)) { 1913 /* cookie is stale! */ 1914 struct mbuf *op_err; 1915 struct sctp_stale_cookie_msg *scm; 1916 uint32_t tim; 1917 1918 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 1919 0, M_DONTWAIT, 1, MT_DATA); 1920 if (op_err == NULL) { 1921 /* FOOBAR */ 1922 return (NULL); 1923 } 1924 /* pre-reserve some space */ 1925 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1926 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1927 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1928 1929 /* Set the len */ 1930 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 1931 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1932 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1933 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1934 (sizeof(uint32_t)))); 1935 /* seconds to usec */ 1936 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 1937 /* add in usec */ 1938 if (tim == 0) 1939 tim = now.tv_usec - cookie->time_entered.tv_usec; 1940 scm->time_usec = htonl(tim); 1941 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 1942 vrf_id, table_id); 1943 return (NULL); 1944 } 1945 /* 1946 * Now we must see with the lookup address if we have an existing 1947 * asoc. This will only happen if we were in the COOKIE-WAIT state 1948 * and a INIT collided with us and somewhere the peer sent the 1949 * cookie on another address besides the single address our assoc 1950 * had for him. In this case we will have one of the tie-tags set at 1951 * least AND the address field in the cookie can be used to look it 1952 * up. 1953 */ 1954 to = NULL; 1955 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 1956 memset(&sin6, 0, sizeof(sin6)); 1957 sin6.sin6_family = AF_INET6; 1958 sin6.sin6_len = sizeof(sin6); 1959 sin6.sin6_port = sh->src_port; 1960 sin6.sin6_scope_id = cookie->scope_id; 1961 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 1962 sizeof(sin6.sin6_addr.s6_addr)); 1963 to = (struct sockaddr *)&sin6; 1964 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 1965 memset(&sin, 0, sizeof(sin)); 1966 sin.sin_family = AF_INET; 1967 sin.sin_len = sizeof(sin); 1968 sin.sin_port = sh->src_port; 1969 sin.sin_addr.s_addr = cookie->address[0]; 1970 to = (struct sockaddr *)&sin; 1971 } else { 1972 /* This should not happen */ 1973 return (NULL); 1974 } 1975 if ((*stcb == NULL) && to) { 1976 /* Yep, lets check */ 1977 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 1978 if (*stcb == NULL) { 1979 /* 1980 * We should have only got back the same inp. If we 1981 * got back a different ep we have a problem. The 1982 * original findep got back l_inp and now 1983 */ 1984 if (l_inp != *inp_p) { 1985 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n"); 1986 } 1987 } else { 1988 if (*locked_tcb == NULL) { 1989 /* 1990 * In this case we found the assoc only 1991 * after we locked the create lock. This 1992 * means we are in a colliding case and we 1993 * must make sure that we unlock the tcb if 1994 * its one of the cases where we throw away 1995 * the incoming packets. 1996 */ 1997 *locked_tcb = *stcb; 1998 1999 /* 2000 * We must also increment the inp ref count 2001 * since the ref_count flags was set when we 2002 * did not find the TCB, now we found it 2003 * which reduces the refcount.. we must 2004 * raise it back out to balance it all :-) 2005 */ 2006 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2007 if ((*stcb)->sctp_ep != l_inp) { 2008 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n", 2009 (*stcb)->sctp_ep, l_inp); 2010 } 2011 } 2012 } 2013 } 2014 if (to == NULL) 2015 return (NULL); 2016 2017 cookie_len -= SCTP_SIGNATURE_SIZE; 2018 if (*stcb == NULL) { 2019 /* this is the "normal" case... get a new TCB */ 2020 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2021 cookie_len, *inp_p, netp, to, ¬ification, 2022 auth_skipped, auth_offset, auth_len, vrf_id, table_id); 2023 } else { 2024 /* this is abnormal... cookie-echo on existing TCB */ 2025 had_a_existing_tcb = 1; 2026 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2027 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, 2028 &sac_restart_id, vrf_id, table_id); 2029 } 2030 2031 if (*stcb == NULL) { 2032 /* still no TCB... must be bad cookie-echo */ 2033 return (NULL); 2034 } 2035 /* 2036 * Ok, we built an association so confirm the address we sent the 2037 * INIT-ACK to. 2038 */ 2039 netl = sctp_findnet(*stcb, to); 2040 /* 2041 * This code should in theory NOT run but 2042 */ 2043 if (netl == NULL) { 2044 /* TSNH! Huh, why do I need to add this address here? */ 2045 int ret; 2046 2047 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2048 SCTP_IN_COOKIE_PROC); 2049 netl = sctp_findnet(*stcb, to); 2050 } 2051 if (netl) { 2052 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2053 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2054 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2055 netl); 2056 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2057 (*stcb), 0, (void *)netl); 2058 } 2059 } 2060 if (*stcb) { 2061 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2062 *stcb, NULL); 2063 } 2064 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2065 if (!had_a_existing_tcb || 2066 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2067 /* 2068 * If we have a NEW cookie or the connect never 2069 * reached the connected state during collision we 2070 * must do the TCP accept thing. 2071 */ 2072 struct socket *so, *oso; 2073 struct sctp_inpcb *inp; 2074 2075 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2076 /* 2077 * For a restart we will keep the same 2078 * socket, no need to do anything. I THINK!! 2079 */ 2080 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2081 return (m); 2082 } 2083 oso = (*inp_p)->sctp_socket; 2084 /* 2085 * We do this to keep the sockets side happy durin 2086 * the sonewcon ONLY. 2087 */ 2088 NET_LOCK_GIANT(); 2089 SCTP_TCB_UNLOCK((*stcb)); 2090 so = sonewconn(oso, 0 2091 ); 2092 NET_UNLOCK_GIANT(); 2093 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2094 SCTP_TCB_LOCK((*stcb)); 2095 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2096 if (so == NULL) { 2097 struct mbuf *op_err; 2098 2099 /* Too many sockets */ 2100 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n"); 2101 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2102 sctp_abort_association(*inp_p, NULL, m, iphlen, 2103 sh, op_err, vrf_id, 2104 table_id); 2105 sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2106 return (NULL); 2107 } 2108 inp = (struct sctp_inpcb *)so->so_pcb; 2109 SCTP_INP_INCR_REF(inp); 2110 /* 2111 * We add the unbound flag here so that if we get an 2112 * soabort() before we get the move_pcb done, we 2113 * will properly cleanup. 2114 */ 2115 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2116 SCTP_PCB_FLAGS_CONNECTED | 2117 SCTP_PCB_FLAGS_IN_TCPPOOL | 2118 SCTP_PCB_FLAGS_UNBOUND | 2119 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2120 SCTP_PCB_FLAGS_DONT_WAKE); 2121 inp->sctp_features = (*inp_p)->sctp_features; 2122 inp->sctp_socket = so; 2123 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2124 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2125 inp->sctp_context = (*inp_p)->sctp_context; 2126 inp->inp_starting_point_for_iterator = NULL; 2127 /* 2128 * copy in the authentication parameters from the 2129 * original endpoint 2130 */ 2131 if (inp->sctp_ep.local_hmacs) 2132 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2133 inp->sctp_ep.local_hmacs = 2134 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2135 if (inp->sctp_ep.local_auth_chunks) 2136 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2137 inp->sctp_ep.local_auth_chunks = 2138 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2139 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2140 &inp->sctp_ep.shared_keys); 2141 2142 /* 2143 * Now we must move it from one hash table to 2144 * another and get the tcb in the right place. 2145 */ 2146 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2147 2148 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2149 SCTP_TCB_UNLOCK((*stcb)); 2150 2151 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, M_NOWAIT); 2152 SCTP_TCB_LOCK((*stcb)); 2153 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2154 2155 2156 /* 2157 * now we must check to see if we were aborted while 2158 * the move was going on and the lock/unlock 2159 * happened. 2160 */ 2161 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2162 /* 2163 * yep it was, we leave the assoc attached 2164 * to the socket since the sctp_inpcb_free() 2165 * call will send an abort for us. 2166 */ 2167 SCTP_INP_DECR_REF(inp); 2168 return (NULL); 2169 } 2170 SCTP_INP_DECR_REF(inp); 2171 /* Switch over to the new guy */ 2172 *inp_p = inp; 2173 sctp_ulp_notify(notification, *stcb, 0, NULL); 2174 2175 /* 2176 * Pull it from the incomplete queue and wake the 2177 * guy 2178 */ 2179 soisconnected(so); 2180 return (m); 2181 } 2182 } 2183 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2184 sctp_ulp_notify(notification, *stcb, 0, NULL); 2185 } 2186 return (m); 2187} 2188 2189static void 2190sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2191 struct sctp_tcb *stcb, struct sctp_nets *net) 2192{ 2193 /* cp must not be used, others call this without a c-ack :-) */ 2194 struct sctp_association *asoc; 2195 2196 SCTPDBG(SCTP_DEBUG_INPUT2, 2197 "sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2198 if (stcb == NULL) 2199 return; 2200 2201 asoc = &stcb->asoc; 2202 2203 sctp_stop_all_cookie_timers(stcb); 2204 /* process according to association state */ 2205 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2206 /* state change only needed when I am in right state */ 2207 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2208 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2209 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2210 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2211 stcb->sctp_ep, stcb, asoc->primary_destination); 2212 2213 } else { 2214 asoc->state = SCTP_STATE_OPEN; 2215 } 2216 /* update RTO */ 2217 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2218 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2219 if (asoc->overall_error_count == 0) { 2220 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2221 &asoc->time_entered); 2222 } 2223 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2224 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2225 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2226 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2227 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2228 soisconnected(stcb->sctp_ep->sctp_socket); 2229 } 2230 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2231 stcb, net); 2232 /* 2233 * since we did not send a HB make sure we don't double 2234 * things 2235 */ 2236 net->hb_responded = 1; 2237 2238 if (stcb->asoc.sctp_autoclose_ticks && 2239 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2240 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2241 stcb->sctp_ep, stcb, NULL); 2242 } 2243 /* 2244 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2245 * addresses changed when init/cookie echo in flight) 2246 */ 2247 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2248 (stcb->asoc.peer_supports_asconf) && 2249 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2250 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2251 stcb->sctp_ep, stcb, 2252 stcb->asoc.primary_destination); 2253 } 2254 } 2255 /* Toss the cookie if I can */ 2256 sctp_toss_old_cookies(stcb, asoc); 2257 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2258 /* Restart the timer if we have pending data */ 2259 struct sctp_tmit_chunk *chk; 2260 2261 chk = TAILQ_FIRST(&asoc->sent_queue); 2262 if (chk) { 2263 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2264 stcb, chk->whoTo); 2265 } 2266 } 2267} 2268 2269static void 2270sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2271 struct sctp_tcb *stcb) 2272{ 2273 struct sctp_nets *net; 2274 struct sctp_tmit_chunk *lchk; 2275 uint32_t tsn; 2276 2277 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2278 return; 2279 } 2280 SCTP_STAT_INCR(sctps_recvecne); 2281 tsn = ntohl(cp->tsn); 2282 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2283 /* Also we make sure we disable the nonce_wait */ 2284 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2285 if (lchk == NULL) { 2286 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2287 } else { 2288 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2289 } 2290 stcb->asoc.nonce_wait_for_ecne = 0; 2291 stcb->asoc.nonce_sum_check = 0; 2292 2293 /* Find where it was sent, if possible */ 2294 net = NULL; 2295 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2296 while (lchk) { 2297 if (lchk->rec.data.TSN_seq == tsn) { 2298 net = lchk->whoTo; 2299 break; 2300 } 2301 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2302 break; 2303 lchk = TAILQ_NEXT(lchk, sctp_next); 2304 } 2305 if (net == NULL) 2306 /* default is we use the primary */ 2307 net = stcb->asoc.primary_destination; 2308 2309 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2310#ifdef SCTP_CWND_MONITOR 2311 int old_cwnd; 2312 2313 old_cwnd = net->cwnd; 2314#endif 2315 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2316 net->ssthresh = net->cwnd / 2; 2317 if (net->ssthresh < net->mtu) { 2318 net->ssthresh = net->mtu; 2319 /* here back off the timer as well, to slow us down */ 2320 net->RTO <<= 2; 2321 } 2322 net->cwnd = net->ssthresh; 2323#ifdef SCTP_CWND_MONITOR 2324 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2325#endif 2326 /* 2327 * we reduce once every RTT. So we will only lower cwnd at 2328 * the next sending seq i.e. the resync_tsn. 2329 */ 2330 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2331 } 2332 /* 2333 * We always send a CWR this way if our previous one was lost our 2334 * peer will get an update, or if it is not time again to reduce we 2335 * still get the cwr to the peer. 2336 */ 2337 sctp_send_cwr(stcb, net, tsn); 2338} 2339 2340static void 2341sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2342{ 2343 /* 2344 * Here we get a CWR from the peer. We must look in the outqueue and 2345 * make sure that we have a covered ECNE in teh control chunk part. 2346 * If so remove it. 2347 */ 2348 struct sctp_tmit_chunk *chk; 2349 struct sctp_ecne_chunk *ecne; 2350 2351 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2352 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2353 continue; 2354 } 2355 /* 2356 * Look for and remove if it is the right TSN. Since there 2357 * is only ONE ECNE on the control queue at any one time we 2358 * don't need to worry about more than one! 2359 */ 2360 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2361 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2362 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2363 /* this covers this ECNE, we can remove it */ 2364 stcb->asoc.ecn_echo_cnt_onq--; 2365 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2366 sctp_next); 2367 if (chk->data) { 2368 sctp_m_freem(chk->data); 2369 chk->data = NULL; 2370 } 2371 stcb->asoc.ctrl_queue_cnt--; 2372 sctp_free_remote_addr(chk->whoTo); 2373 sctp_free_a_chunk(stcb, chk); 2374 break; 2375 } 2376 } 2377} 2378 2379static void 2380sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2381 struct sctp_tcb *stcb, struct sctp_nets *net) 2382{ 2383 struct sctp_association *asoc; 2384 2385 SCTPDBG(SCTP_DEBUG_INPUT2, 2386 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2387 if (stcb == NULL) 2388 return; 2389 2390 asoc = &stcb->asoc; 2391 /* process according to association state */ 2392 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2393 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2394 SCTP_TCB_UNLOCK(stcb); 2395 return; 2396 } 2397 /* notify upper layer protocol */ 2398 if (stcb->sctp_socket) { 2399 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2400 /* are the queues empty? they should be */ 2401 if (!TAILQ_EMPTY(&asoc->send_queue) || 2402 !TAILQ_EMPTY(&asoc->sent_queue) || 2403 !TAILQ_EMPTY(&asoc->out_wheel)) { 2404 sctp_report_all_outbound(stcb, 0); 2405 } 2406 } 2407 /* stop the timer */ 2408 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_21); 2409 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2410 /* free the TCB */ 2411 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2412 return; 2413} 2414 2415static int 2416process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2417 struct sctp_nets *net, uint8_t flg) 2418{ 2419 switch (desc->chunk_type) { 2420 case SCTP_DATA: 2421 /* find the tsn to resend (possibly */ 2422 { 2423 uint32_t tsn; 2424 struct sctp_tmit_chunk *tp1; 2425 2426 tsn = ntohl(desc->tsn_ifany); 2427 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2428 while (tp1) { 2429 if (tp1->rec.data.TSN_seq == tsn) { 2430 /* found it */ 2431 break; 2432 } 2433 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2434 MAX_TSN)) { 2435 /* not found */ 2436 tp1 = NULL; 2437 break; 2438 } 2439 tp1 = TAILQ_NEXT(tp1, sctp_next); 2440 } 2441 if (tp1 == NULL) { 2442 /* 2443 * Do it the other way , aka without paying 2444 * attention to queue seq order. 2445 */ 2446 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2447 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2448 while (tp1) { 2449 if (tp1->rec.data.TSN_seq == tsn) { 2450 /* found it */ 2451 break; 2452 } 2453 tp1 = TAILQ_NEXT(tp1, sctp_next); 2454 } 2455 } 2456 if (tp1 == NULL) { 2457 SCTP_STAT_INCR(sctps_pdrptsnnf); 2458 } 2459 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2460 uint8_t *ddp; 2461 2462 if ((stcb->asoc.peers_rwnd == 0) && 2463 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2464 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2465 return (0); 2466 } 2467 if (stcb->asoc.peers_rwnd == 0 && 2468 (flg & SCTP_FROM_MIDDLE_BOX)) { 2469 SCTP_STAT_INCR(sctps_pdrpdizrw); 2470 return (0); 2471 } 2472 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2473 sizeof(struct sctp_data_chunk)); 2474 { 2475 unsigned int iii; 2476 2477 for (iii = 0; iii < sizeof(desc->data_bytes); 2478 iii++) { 2479 if (ddp[iii] != desc->data_bytes[iii]) { 2480 SCTP_STAT_INCR(sctps_pdrpbadd); 2481 return (-1); 2482 } 2483 } 2484 } 2485 /* 2486 * We zero out the nonce so resync not 2487 * needed 2488 */ 2489 tp1->rec.data.ect_nonce = 0; 2490 2491 if (tp1->do_rtt) { 2492 /* 2493 * this guy had a RTO calculation 2494 * pending on it, cancel it 2495 */ 2496 tp1->do_rtt = 0; 2497 } 2498 SCTP_STAT_INCR(sctps_pdrpmark); 2499 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2500 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2501 tp1->sent = SCTP_DATAGRAM_RESEND; 2502 /* 2503 * mark it as if we were doing a FR, since 2504 * we will be getting gap ack reports behind 2505 * the info from the router. 2506 */ 2507 tp1->rec.data.doing_fast_retransmit = 1; 2508 /* 2509 * mark the tsn with what sequences can 2510 * cause a new FR. 2511 */ 2512 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2513 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2514 } else { 2515 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2516 } 2517 2518 /* restart the timer */ 2519 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2520 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2521 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2522 stcb, tp1->whoTo); 2523 2524 /* fix counts and things */ 2525#ifdef SCTP_FLIGHT_LOGGING 2526 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 2527 tp1->whoTo->flight_size, 2528 tp1->book_size, 2529 (uintptr_t) stcb, 2530 tp1->rec.data.TSN_seq); 2531#endif 2532 sctp_flight_size_decrease(tp1); 2533 sctp_total_flight_decrease(stcb, tp1); 2534 } { 2535 /* audit code */ 2536 unsigned int audit; 2537 2538 audit = 0; 2539 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2540 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2541 audit++; 2542 } 2543 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2544 sctp_next) { 2545 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2546 audit++; 2547 } 2548 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2549 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n", 2550 audit, stcb->asoc.sent_queue_retran_cnt); 2551#ifndef SCTP_AUDITING_ENABLED 2552 stcb->asoc.sent_queue_retran_cnt = audit; 2553#endif 2554 } 2555 } 2556 } 2557 break; 2558 case SCTP_ASCONF: 2559 { 2560 struct sctp_tmit_chunk *asconf; 2561 2562 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2563 sctp_next) { 2564 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2565 break; 2566 } 2567 } 2568 if (asconf) { 2569 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2570 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2571 asconf->sent = SCTP_DATAGRAM_RESEND; 2572 asconf->snd_count--; 2573 } 2574 } 2575 break; 2576 case SCTP_INITIATION: 2577 /* resend the INIT */ 2578 stcb->asoc.dropped_special_cnt++; 2579 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2580 /* 2581 * If we can get it in, in a few attempts we do 2582 * this, otherwise we let the timer fire. 2583 */ 2584 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2585 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 2586 sctp_send_initiate(stcb->sctp_ep, stcb); 2587 } 2588 break; 2589 case SCTP_SELECTIVE_ACK: 2590 /* resend the sack */ 2591 sctp_send_sack(stcb); 2592 break; 2593 case SCTP_HEARTBEAT_REQUEST: 2594 /* resend a demand HB */ 2595 (void)sctp_send_hb(stcb, 1, net); 2596 break; 2597 case SCTP_SHUTDOWN: 2598 sctp_send_shutdown(stcb, net); 2599 break; 2600 case SCTP_SHUTDOWN_ACK: 2601 sctp_send_shutdown_ack(stcb, net); 2602 break; 2603 case SCTP_COOKIE_ECHO: 2604 { 2605 struct sctp_tmit_chunk *cookie; 2606 2607 cookie = NULL; 2608 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2609 sctp_next) { 2610 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2611 break; 2612 } 2613 } 2614 if (cookie) { 2615 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2616 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2617 cookie->sent = SCTP_DATAGRAM_RESEND; 2618 sctp_stop_all_cookie_timers(stcb); 2619 } 2620 } 2621 break; 2622 case SCTP_COOKIE_ACK: 2623 sctp_send_cookie_ack(stcb); 2624 break; 2625 case SCTP_ASCONF_ACK: 2626 /* resend last asconf ack */ 2627 sctp_send_asconf_ack(stcb, 1); 2628 break; 2629 case SCTP_FORWARD_CUM_TSN: 2630 send_forward_tsn(stcb, &stcb->asoc); 2631 break; 2632 /* can't do anything with these */ 2633 case SCTP_PACKET_DROPPED: 2634 case SCTP_INITIATION_ACK: /* this should not happen */ 2635 case SCTP_HEARTBEAT_ACK: 2636 case SCTP_ABORT_ASSOCIATION: 2637 case SCTP_OPERATION_ERROR: 2638 case SCTP_SHUTDOWN_COMPLETE: 2639 case SCTP_ECN_ECHO: 2640 case SCTP_ECN_CWR: 2641 default: 2642 break; 2643 } 2644 return (0); 2645} 2646 2647void 2648sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2649{ 2650 int i; 2651 uint16_t temp; 2652 2653 /* 2654 * We set things to 0xffff since this is the last delivered sequence 2655 * and we will be sending in 0 after the reset. 2656 */ 2657 2658 if (number_entries) { 2659 for (i = 0; i < number_entries; i++) { 2660 temp = ntohs(list[i]); 2661 if (temp >= stcb->asoc.streamincnt) { 2662 continue; 2663 } 2664 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2665 } 2666 } else { 2667 list = NULL; 2668 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2669 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2670 } 2671 } 2672 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2673} 2674 2675static void 2676sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2677{ 2678 int i; 2679 2680 if (number_entries == 0) { 2681 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2682 stcb->asoc.strmout[i].next_sequence_sent = 0; 2683 } 2684 } else if (number_entries) { 2685 for (i = 0; i < number_entries; i++) { 2686 uint16_t temp; 2687 2688 temp = ntohs(list[i]); 2689 if (temp >= stcb->asoc.streamoutcnt) { 2690 /* no such stream */ 2691 continue; 2692 } 2693 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2694 } 2695 } 2696 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2697} 2698 2699 2700struct sctp_stream_reset_out_request * 2701sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2702{ 2703 struct sctp_association *asoc; 2704 struct sctp_stream_reset_out_req *req; 2705 struct sctp_stream_reset_out_request *r; 2706 struct sctp_tmit_chunk *chk; 2707 int len, clen; 2708 2709 asoc = &stcb->asoc; 2710 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2711 asoc->stream_reset_outstanding = 0; 2712 return (NULL); 2713 } 2714 if (stcb->asoc.str_reset == NULL) { 2715 asoc->stream_reset_outstanding = 0; 2716 return (NULL); 2717 } 2718 chk = stcb->asoc.str_reset; 2719 if (chk->data == NULL) { 2720 return (NULL); 2721 } 2722 if (bchk) { 2723 /* he wants a copy of the chk pointer */ 2724 *bchk = chk; 2725 } 2726 clen = chk->send_size; 2727 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2728 r = &req->sr_req; 2729 if (ntohl(r->request_seq) == seq) { 2730 /* found it */ 2731 return (r); 2732 } 2733 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2734 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2735 /* move to the next one, there can only be a max of two */ 2736 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2737 if (ntohl(r->request_seq) == seq) { 2738 return (r); 2739 } 2740 } 2741 /* that seq is not here */ 2742 return (NULL); 2743} 2744 2745static void 2746sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2747{ 2748 struct sctp_association *asoc; 2749 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2750 2751 if (stcb->asoc.str_reset == NULL) { 2752 return; 2753 } 2754 asoc = &stcb->asoc; 2755 2756 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 2757 TAILQ_REMOVE(&asoc->control_send_queue, 2758 chk, 2759 sctp_next); 2760 if (chk->data) { 2761 sctp_m_freem(chk->data); 2762 chk->data = NULL; 2763 } 2764 asoc->ctrl_queue_cnt--; 2765 sctp_free_remote_addr(chk->whoTo); 2766 2767 sctp_free_a_chunk(stcb, chk); 2768 stcb->asoc.str_reset = NULL; 2769} 2770 2771 2772static int 2773sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2774 uint32_t seq, uint32_t action, 2775 struct sctp_stream_reset_response *respin) 2776{ 2777 uint16_t type; 2778 int lparm_len; 2779 struct sctp_association *asoc = &stcb->asoc; 2780 struct sctp_tmit_chunk *chk; 2781 struct sctp_stream_reset_out_request *srparam; 2782 int number_entries; 2783 2784 if (asoc->stream_reset_outstanding == 0) { 2785 /* duplicate */ 2786 return (0); 2787 } 2788 if (seq == stcb->asoc.str_reset_seq_out) { 2789 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2790 if (srparam) { 2791 stcb->asoc.str_reset_seq_out++; 2792 type = ntohs(srparam->ph.param_type); 2793 lparm_len = ntohs(srparam->ph.param_length); 2794 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2795 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2796 asoc->stream_reset_out_is_outstanding = 0; 2797 if (asoc->stream_reset_outstanding) 2798 asoc->stream_reset_outstanding--; 2799 if (action == SCTP_STREAM_RESET_PERFORMED) { 2800 /* do it */ 2801 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2802 } else { 2803 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2804 } 2805 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2806 /* Answered my request */ 2807 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 2808 if (asoc->stream_reset_outstanding) 2809 asoc->stream_reset_outstanding--; 2810 if (action != SCTP_STREAM_RESET_PERFORMED) { 2811 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2812 } 2813 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2814 /** 2815 * a) Adopt the new in tsn. 2816 * b) reset the map 2817 * c) Adopt the new out-tsn 2818 */ 2819 struct sctp_stream_reset_response_tsn *resp; 2820 struct sctp_forward_tsn_chunk fwdtsn; 2821 int abort_flag = 0; 2822 2823 if (respin == NULL) { 2824 /* huh ? */ 2825 return (0); 2826 } 2827 if (action == SCTP_STREAM_RESET_PERFORMED) { 2828 resp = (struct sctp_stream_reset_response_tsn *)respin; 2829 asoc->stream_reset_outstanding--; 2830 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2831 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2832 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2833 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2834 if (abort_flag) { 2835 return (1); 2836 } 2837 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2838 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2839 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2840 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2841 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2842 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2843 2844 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2845 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2846 2847 } 2848 } 2849 /* get rid of the request and get the request flags */ 2850 if (asoc->stream_reset_outstanding == 0) { 2851 sctp_clean_up_stream_reset(stcb); 2852 } 2853 } 2854 } 2855 return (0); 2856} 2857 2858static void 2859sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2860 struct sctp_tmit_chunk *chk, 2861 struct sctp_stream_reset_in_request *req) 2862{ 2863 uint32_t seq; 2864 int len, i; 2865 int number_entries; 2866 uint16_t temp; 2867 2868 /* 2869 * peer wants me to send a str-reset to him for my outgoing seq's if 2870 * seq_in is right. 2871 */ 2872 struct sctp_association *asoc = &stcb->asoc; 2873 2874 seq = ntohl(req->request_seq); 2875 if (asoc->str_reset_seq_in == seq) { 2876 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2877 len = ntohs(req->ph.param_length); 2878 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2879 for (i = 0; i < number_entries; i++) { 2880 temp = ntohs(req->list_of_streams[i]); 2881 req->list_of_streams[i] = temp; 2882 } 2883 /* move the reset action back one */ 2884 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2885 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2886 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2887 asoc->str_reset_seq_out, 2888 seq, (asoc->sending_seq - 1)); 2889 asoc->stream_reset_out_is_outstanding = 1; 2890 asoc->str_reset = chk; 2891 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2892 stcb->asoc.stream_reset_outstanding++; 2893 } else { 2894 /* Can't do it, since we have sent one out */ 2895 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2896 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 2897 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2898 } 2899 asoc->str_reset_seq_in++; 2900 } else if (asoc->str_reset_seq_in - 1 == seq) { 2901 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2902 } else if (asoc->str_reset_seq_in - 2 == seq) { 2903 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2904 } else { 2905 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2906 } 2907} 2908 2909static int 2910sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 2911 struct sctp_tmit_chunk *chk, 2912 struct sctp_stream_reset_tsn_request *req) 2913{ 2914 /* reset all in and out and update the tsn */ 2915 /* 2916 * A) reset my str-seq's on in and out. B) Select a receive next, 2917 * and set cum-ack to it. Also process this selected number as a 2918 * fwd-tsn as well. C) set in the response my next sending seq. 2919 */ 2920 struct sctp_forward_tsn_chunk fwdtsn; 2921 struct sctp_association *asoc = &stcb->asoc; 2922 int abort_flag = 0; 2923 uint32_t seq; 2924 2925 seq = ntohl(req->request_seq); 2926 if (asoc->str_reset_seq_in == seq) { 2927 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2928 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2929 fwdtsn.ch.chunk_flags = 0; 2930 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 2931 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2932 if (abort_flag) { 2933 return (1); 2934 } 2935 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 2936 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2937 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 2938 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2939 atomic_add_int(&stcb->asoc.sending_seq, 1); 2940 /* save off historical data for retrans */ 2941 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 2942 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 2943 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 2944 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 2945 2946 sctp_add_stream_reset_result_tsn(chk, 2947 ntohl(req->request_seq), 2948 SCTP_STREAM_RESET_PERFORMED, 2949 stcb->asoc.sending_seq, 2950 stcb->asoc.mapping_array_base_tsn); 2951 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2952 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2953 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 2954 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2955 2956 asoc->str_reset_seq_in++; 2957 } else if (asoc->str_reset_seq_in - 1 == seq) { 2958 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 2959 stcb->asoc.last_sending_seq[0], 2960 stcb->asoc.last_base_tsnsent[0] 2961 ); 2962 } else if (asoc->str_reset_seq_in - 2 == seq) { 2963 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 2964 stcb->asoc.last_sending_seq[1], 2965 stcb->asoc.last_base_tsnsent[1] 2966 ); 2967 } else { 2968 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2969 } 2970 return (0); 2971} 2972 2973static void 2974sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 2975 struct sctp_tmit_chunk *chk, 2976 struct sctp_stream_reset_out_request *req) 2977{ 2978 uint32_t seq, tsn; 2979 int number_entries, len; 2980 struct sctp_association *asoc = &stcb->asoc; 2981 2982 seq = ntohl(req->request_seq); 2983 2984 /* now if its not a duplicate we process it */ 2985 if (asoc->str_reset_seq_in == seq) { 2986 len = ntohs(req->ph.param_length); 2987 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 2988 /* 2989 * the sender is resetting, handle the list issue.. we must 2990 * a) verify if we can do the reset, if so no problem b) If 2991 * we can't do the reset we must copy the request. c) queue 2992 * it, and setup the data in processor to trigger it off 2993 * when needed and dequeue all the queued data. 2994 */ 2995 tsn = ntohl(req->send_reset_at_tsn); 2996 2997 /* move the reset action back one */ 2998 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2999 if ((tsn == asoc->cumulative_tsn) || 3000 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3001 /* we can do it now */ 3002 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3003 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3004 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3005 } else { 3006 /* 3007 * we must queue it up and thus wait for the TSN's 3008 * to arrive that are at or before tsn 3009 */ 3010 struct sctp_stream_reset_list *liste; 3011 int siz; 3012 3013 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3014 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3015 siz, "StrRstList"); 3016 if (liste == NULL) { 3017 /* gak out of memory */ 3018 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3019 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3020 return; 3021 } 3022 liste->tsn = tsn; 3023 liste->number_entries = number_entries; 3024 memcpy(&liste->req, req, 3025 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3026 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3027 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3028 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3029 } 3030 asoc->str_reset_seq_in++; 3031 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3032 /* 3033 * one seq back, just echo back last action since my 3034 * response was lost. 3035 */ 3036 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3037 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3038 /* 3039 * two seq back, just echo back last action since my 3040 * response was lost. 3041 */ 3042 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3043 } else { 3044 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3045 } 3046} 3047 3048static int 3049sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 3050{ 3051 int chk_length, param_len, ptype; 3052 uint32_t seq; 3053 int num_req = 0; 3054 struct sctp_tmit_chunk *chk; 3055 struct sctp_chunkhdr *ch; 3056 struct sctp_paramhdr *ph; 3057 int ret_code = 0; 3058 int num_param = 0; 3059 3060 /* now it may be a reset or a reset-response */ 3061 chk_length = ntohs(sr_req->ch.chunk_length); 3062 3063 /* setup for adding the response */ 3064 sctp_alloc_a_chunk(stcb, chk); 3065 if (chk == NULL) { 3066 return (ret_code); 3067 } 3068 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3069 chk->rec.chunk_id.can_take_data = 0; 3070 chk->asoc = &stcb->asoc; 3071 chk->no_fr_allowed = 0; 3072 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3073 chk->book_size_scale = 0; 3074 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3075 if (chk->data == NULL) { 3076strres_nochunk: 3077 if (chk->data) { 3078 sctp_m_freem(chk->data); 3079 chk->data = NULL; 3080 } 3081 sctp_free_a_chunk(stcb, chk); 3082 return (ret_code); 3083 } 3084 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3085 3086 /* setup chunk parameters */ 3087 chk->sent = SCTP_DATAGRAM_UNSENT; 3088 chk->snd_count = 0; 3089 chk->whoTo = stcb->asoc.primary_destination; 3090 atomic_add_int(&chk->whoTo->ref_count, 1); 3091 3092 ch = mtod(chk->data, struct sctp_chunkhdr *); 3093 ch->chunk_type = SCTP_STREAM_RESET; 3094 ch->chunk_flags = 0; 3095 ch->chunk_length = htons(chk->send_size); 3096 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3097 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3098 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3099 param_len = ntohs(ph->param_length); 3100 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3101 /* bad param */ 3102 break; 3103 } 3104 ptype = ntohs(ph->param_type); 3105 num_param++; 3106 if (num_param > SCTP_MAX_RESET_PARAMS) { 3107 /* hit the max of parameters already sorry.. */ 3108 break; 3109 } 3110 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3111 struct sctp_stream_reset_out_request *req_out; 3112 3113 req_out = (struct sctp_stream_reset_out_request *)ph; 3114 num_req++; 3115 if (stcb->asoc.stream_reset_outstanding) { 3116 seq = ntohl(req_out->response_seq); 3117 if (seq == stcb->asoc.str_reset_seq_out) { 3118 /* implicit ack */ 3119 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3120 } 3121 } 3122 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3123 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3124 struct sctp_stream_reset_in_request *req_in; 3125 3126 num_req++; 3127 req_in = (struct sctp_stream_reset_in_request *)ph; 3128 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3129 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3130 struct sctp_stream_reset_tsn_request *req_tsn; 3131 3132 num_req++; 3133 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3134 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3135 ret_code = 1; 3136 goto strres_nochunk; 3137 } 3138 /* no more */ 3139 break; 3140 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3141 struct sctp_stream_reset_response *resp; 3142 uint32_t result; 3143 3144 resp = (struct sctp_stream_reset_response *)ph; 3145 seq = ntohl(resp->response_seq); 3146 result = ntohl(resp->result); 3147 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3148 ret_code = 1; 3149 goto strres_nochunk; 3150 } 3151 } else { 3152 break; 3153 } 3154 3155 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3156 chk_length -= SCTP_SIZE32(param_len); 3157 } 3158 if (num_req == 0) { 3159 /* we have no response free the stuff */ 3160 goto strres_nochunk; 3161 } 3162 /* ok we have a chunk to link in */ 3163 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3164 chk, 3165 sctp_next); 3166 stcb->asoc.ctrl_queue_cnt++; 3167 return (ret_code); 3168} 3169 3170/* 3171 * Handle a router or endpoints report of a packet loss, there are two ways 3172 * to handle this, either we get the whole packet and must disect it 3173 * ourselves (possibly with truncation and or corruption) or it is a summary 3174 * from a middle box that did the disectting for us. 3175 */ 3176static void 3177sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3178 struct sctp_tcb *stcb, struct sctp_nets *net) 3179{ 3180 uint32_t bottle_bw, on_queue; 3181 uint16_t trunc_len; 3182 unsigned int chlen; 3183 unsigned int at; 3184 struct sctp_chunk_desc desc; 3185 struct sctp_chunkhdr *ch; 3186 3187 chlen = ntohs(cp->ch.chunk_length); 3188 chlen -= sizeof(struct sctp_pktdrop_chunk); 3189 /* XXX possible chlen underflow */ 3190 if (chlen == 0) { 3191 ch = NULL; 3192 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3193 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3194 } else { 3195 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3196 chlen -= sizeof(struct sctphdr); 3197 /* XXX possible chlen underflow */ 3198 memset(&desc, 0, sizeof(desc)); 3199 } 3200 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3201 /* now the chunks themselves */ 3202 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3203 desc.chunk_type = ch->chunk_type; 3204 /* get amount we need to move */ 3205 at = ntohs(ch->chunk_length); 3206 if (at < sizeof(struct sctp_chunkhdr)) { 3207 /* corrupt chunk, maybe at the end? */ 3208 SCTP_STAT_INCR(sctps_pdrpcrupt); 3209 break; 3210 } 3211 if (trunc_len == 0) { 3212 /* we are supposed to have all of it */ 3213 if (at > chlen) { 3214 /* corrupt skip it */ 3215 SCTP_STAT_INCR(sctps_pdrpcrupt); 3216 break; 3217 } 3218 } else { 3219 /* is there enough of it left ? */ 3220 if (desc.chunk_type == SCTP_DATA) { 3221 if (chlen < (sizeof(struct sctp_data_chunk) + 3222 sizeof(desc.data_bytes))) { 3223 break; 3224 } 3225 } else { 3226 if (chlen < sizeof(struct sctp_chunkhdr)) { 3227 break; 3228 } 3229 } 3230 } 3231 if (desc.chunk_type == SCTP_DATA) { 3232 /* can we get out the tsn? */ 3233 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3234 SCTP_STAT_INCR(sctps_pdrpmbda); 3235 3236 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3237 /* yep */ 3238 struct sctp_data_chunk *dcp; 3239 uint8_t *ddp; 3240 unsigned int iii; 3241 3242 dcp = (struct sctp_data_chunk *)ch; 3243 ddp = (uint8_t *) (dcp + 1); 3244 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3245 desc.data_bytes[iii] = ddp[iii]; 3246 } 3247 desc.tsn_ifany = dcp->dp.tsn; 3248 } else { 3249 /* nope we are done. */ 3250 SCTP_STAT_INCR(sctps_pdrpnedat); 3251 break; 3252 } 3253 } else { 3254 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3255 SCTP_STAT_INCR(sctps_pdrpmbct); 3256 } 3257 3258 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3259 SCTP_STAT_INCR(sctps_pdrppdbrk); 3260 break; 3261 } 3262 if (SCTP_SIZE32(at) > chlen) { 3263 break; 3264 } 3265 chlen -= SCTP_SIZE32(at); 3266 if (chlen < sizeof(struct sctp_chunkhdr)) { 3267 /* done, none left */ 3268 break; 3269 } 3270 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3271 } 3272 /* Now update any rwnd --- possibly */ 3273 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3274 /* From a peer, we get a rwnd report */ 3275 uint32_t a_rwnd; 3276 3277 SCTP_STAT_INCR(sctps_pdrpfehos); 3278 3279 bottle_bw = ntohl(cp->bottle_bw); 3280 on_queue = ntohl(cp->current_onq); 3281 if (bottle_bw && on_queue) { 3282 /* a rwnd report is in here */ 3283 if (bottle_bw > on_queue) 3284 a_rwnd = bottle_bw - on_queue; 3285 else 3286 a_rwnd = 0; 3287 3288 if (a_rwnd == 0) 3289 stcb->asoc.peers_rwnd = 0; 3290 else { 3291 if (a_rwnd > stcb->asoc.total_flight) { 3292 stcb->asoc.peers_rwnd = 3293 a_rwnd - stcb->asoc.total_flight; 3294 } else { 3295 stcb->asoc.peers_rwnd = 0; 3296 } 3297 if (stcb->asoc.peers_rwnd < 3298 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3299 /* SWS sender side engages */ 3300 stcb->asoc.peers_rwnd = 0; 3301 } 3302 } 3303 } 3304 } else { 3305 SCTP_STAT_INCR(sctps_pdrpfmbox); 3306 } 3307 3308 /* now middle boxes in sat networks get a cwnd bump */ 3309 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3310 (stcb->asoc.sat_t3_loss_recovery == 0) && 3311 (stcb->asoc.sat_network)) { 3312 /* 3313 * This is debateable but for sat networks it makes sense 3314 * Note if a T3 timer has went off, we will prohibit any 3315 * changes to cwnd until we exit the t3 loss recovery. 3316 */ 3317 uint32_t bw_avail; 3318 int rtt, incr; 3319 3320#ifdef SCTP_CWND_MONITOR 3321 int old_cwnd = net->cwnd; 3322 3323#endif 3324 /* need real RTT for this calc */ 3325 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3326 /* get bottle neck bw */ 3327 bottle_bw = ntohl(cp->bottle_bw); 3328 /* and whats on queue */ 3329 on_queue = ntohl(cp->current_onq); 3330 /* 3331 * adjust the on-queue if our flight is more it could be 3332 * that the router has not yet gotten data "in-flight" to it 3333 */ 3334 if (on_queue < net->flight_size) 3335 on_queue = net->flight_size; 3336 3337 /* calculate the available space */ 3338 bw_avail = (bottle_bw * rtt) / 1000; 3339 if (bw_avail > bottle_bw) { 3340 /* 3341 * Cap the growth to no more than the bottle neck. 3342 * This can happen as RTT slides up due to queues. 3343 * It also means if you have more than a 1 second 3344 * RTT with a empty queue you will be limited to the 3345 * bottle_bw per second no matter if other points 3346 * have 1/2 the RTT and you could get more out... 3347 */ 3348 bw_avail = bottle_bw; 3349 } 3350 if (on_queue > bw_avail) { 3351 /* 3352 * No room for anything else don't allow anything 3353 * else to be "added to the fire". 3354 */ 3355 int seg_inflight, seg_onqueue, my_portion; 3356 3357 net->partial_bytes_acked = 0; 3358 3359 /* how much are we over queue size? */ 3360 incr = on_queue - bw_avail; 3361 if (stcb->asoc.seen_a_sack_this_pkt) { 3362 /* 3363 * undo any cwnd adjustment that the sack 3364 * might have made 3365 */ 3366 net->cwnd = net->prev_cwnd; 3367 } 3368 /* Now how much of that is mine? */ 3369 seg_inflight = net->flight_size / net->mtu; 3370 seg_onqueue = on_queue / net->mtu; 3371 my_portion = (incr * seg_inflight) / seg_onqueue; 3372 3373 /* Have I made an adjustment already */ 3374 if (net->cwnd > net->flight_size) { 3375 /* 3376 * for this flight I made an adjustment we 3377 * need to decrease the portion by a share 3378 * our previous adjustment. 3379 */ 3380 int diff_adj; 3381 3382 diff_adj = net->cwnd - net->flight_size; 3383 if (diff_adj > my_portion) 3384 my_portion = 0; 3385 else 3386 my_portion -= diff_adj; 3387 } 3388 /* 3389 * back down to the previous cwnd (assume we have 3390 * had a sack before this packet). minus what ever 3391 * portion of the overage is my fault. 3392 */ 3393 net->cwnd -= my_portion; 3394 3395 /* we will NOT back down more than 1 MTU */ 3396 if (net->cwnd <= net->mtu) { 3397 net->cwnd = net->mtu; 3398 } 3399 /* force into CA */ 3400 net->ssthresh = net->cwnd - 1; 3401 } else { 3402 /* 3403 * Take 1/4 of the space left or max burst up .. 3404 * whichever is less. 3405 */ 3406 incr = min((bw_avail - on_queue) >> 2, 3407 (int)stcb->asoc.max_burst * (int)net->mtu); 3408 net->cwnd += incr; 3409 } 3410 if (net->cwnd > bw_avail) { 3411 /* We can't exceed the pipe size */ 3412 net->cwnd = bw_avail; 3413 } 3414 if (net->cwnd < net->mtu) { 3415 /* We always have 1 MTU */ 3416 net->cwnd = net->mtu; 3417 } 3418#ifdef SCTP_CWND_MONITOR 3419 if (net->cwnd - old_cwnd != 0) { 3420 /* log only changes */ 3421 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3422 SCTP_CWND_LOG_FROM_SAT); 3423 } 3424#endif 3425 } 3426} 3427 3428/* 3429 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3430 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3431 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3432 * length of the complete packet outputs: - length: modified to remaining 3433 * length after control processing - netp: modified to new sctp_nets after 3434 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3435 * bad packet,...) otherwise return the tcb for this packet 3436 */ 3437static struct sctp_tcb * 3438sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3439 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3440 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen, 3441 uint32_t vrf_id, uint32_t table_id) 3442{ 3443 struct sctp_association *asoc; 3444 uint32_t vtag_in; 3445 int num_chunks = 0; /* number of control chunks processed */ 3446 int chk_length; 3447 int ret; 3448 int abort_no_unlock = 0; 3449 3450 /* 3451 * How big should this be, and should it be alloc'd? Lets try the 3452 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3453 * until we get into jumbo grams and such.. 3454 */ 3455 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 3456 struct sctp_tcb *locked_tcb = stcb; 3457 int got_auth = 0; 3458 uint32_t auth_offset = 0, auth_len = 0; 3459 int auth_skipped = 0; 3460 3461 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3462 iphlen, *offset, length, stcb); 3463 3464 /* validate chunk header length... */ 3465 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3466 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n", 3467 ntohs(ch->chunk_length)); 3468 return (NULL); 3469 } 3470 /* 3471 * validate the verification tag 3472 */ 3473 vtag_in = ntohl(sh->v_tag); 3474 3475 if (locked_tcb) { 3476 SCTP_TCB_LOCK_ASSERT(locked_tcb); 3477 } 3478 if (ch->chunk_type == SCTP_INITIATION) { 3479 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n", 3480 ntohs(ch->chunk_length), vtag_in); 3481 if (vtag_in != 0) { 3482 /* protocol error- silently discard... */ 3483 SCTP_STAT_INCR(sctps_badvtag); 3484 if (locked_tcb) { 3485 SCTP_TCB_UNLOCK(locked_tcb); 3486 } 3487 return (NULL); 3488 } 3489 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3490 /* 3491 * If there is no stcb, skip the AUTH chunk and process 3492 * later after a stcb is found (to validate the lookup was 3493 * valid. 3494 */ 3495 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3496 (stcb == NULL) && !sctp_auth_disable) { 3497 /* save this chunk for later processing */ 3498 auth_skipped = 1; 3499 auth_offset = *offset; 3500 auth_len = ntohs(ch->chunk_length); 3501 3502 /* (temporarily) move past this chunk */ 3503 *offset += SCTP_SIZE32(auth_len); 3504 if (*offset >= length) { 3505 /* no more data left in the mbuf chain */ 3506 *offset = length; 3507 return (NULL); 3508 } 3509 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3510 sizeof(struct sctp_chunkhdr), chunk_buf); 3511 } 3512 if (ch == NULL) { 3513 /* Help */ 3514 *offset = length; 3515 return (NULL); 3516 } 3517 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3518 goto process_control_chunks; 3519 } 3520 /* 3521 * first check if it's an ASCONF with an unknown src addr we 3522 * need to look inside to find the association 3523 */ 3524 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3525 /* inp's refcount may be reduced */ 3526 SCTP_INP_INCR_REF(inp); 3527 3528 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3529 *offset, sh, &inp, netp); 3530 if (stcb == NULL) { 3531 /* 3532 * reduce inp's refcount if not reduced in 3533 * sctp_findassociation_ep_asconf(). 3534 */ 3535 SCTP_INP_DECR_REF(inp); 3536 } 3537 /* now go back and verify any auth chunk to be sure */ 3538 if (auth_skipped && (stcb != NULL)) { 3539 struct sctp_auth_chunk *auth; 3540 3541 auth = (struct sctp_auth_chunk *) 3542 sctp_m_getptr(m, auth_offset, 3543 auth_len, chunk_buf); 3544 got_auth = 1; 3545 auth_skipped = 0; 3546 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, 3547 auth_offset)) { 3548 /* auth HMAC failed so dump it */ 3549 *offset = length; 3550 return (NULL); 3551 } else { 3552 /* remaining chunks are HMAC checked */ 3553 stcb->asoc.authenticated = 1; 3554 } 3555 } 3556 } 3557 if (stcb == NULL) { 3558 /* no association, so it's out of the blue... */ 3559 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL, 3560 vrf_id, table_id); 3561 *offset = length; 3562 if (locked_tcb) { 3563 SCTP_TCB_UNLOCK(locked_tcb); 3564 } 3565 return (NULL); 3566 } 3567 asoc = &stcb->asoc; 3568 /* ABORT and SHUTDOWN can use either v_tag... */ 3569 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3570 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3571 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3572 if ((vtag_in == asoc->my_vtag) || 3573 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3574 (vtag_in == asoc->peer_vtag))) { 3575 /* this is valid */ 3576 } else { 3577 /* drop this packet... */ 3578 SCTP_STAT_INCR(sctps_badvtag); 3579 if (locked_tcb) { 3580 SCTP_TCB_UNLOCK(locked_tcb); 3581 } 3582 return (NULL); 3583 } 3584 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3585 if (vtag_in != asoc->my_vtag) { 3586 /* 3587 * this could be a stale SHUTDOWN-ACK or the 3588 * peer never got the SHUTDOWN-COMPLETE and 3589 * is still hung; we have started a new asoc 3590 * but it won't complete until the shutdown 3591 * is completed 3592 */ 3593 if (locked_tcb) { 3594 SCTP_TCB_UNLOCK(locked_tcb); 3595 } 3596 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3597 NULL, vrf_id, table_id); 3598 return (NULL); 3599 } 3600 } else { 3601 /* for all other chunks, vtag must match */ 3602 if (vtag_in != asoc->my_vtag) { 3603 /* invalid vtag... */ 3604 SCTPDBG(SCTP_DEBUG_INPUT3, 3605 "invalid vtag: %xh, expect %xh\n", 3606 vtag_in, asoc->my_vtag); 3607 SCTP_STAT_INCR(sctps_badvtag); 3608 if (locked_tcb) { 3609 SCTP_TCB_UNLOCK(locked_tcb); 3610 } 3611 *offset = length; 3612 return (NULL); 3613 } 3614 } 3615 } /* end if !SCTP_COOKIE_ECHO */ 3616 /* 3617 * process all control chunks... 3618 */ 3619 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3620 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3621 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3622 /* implied cookie-ack.. we must have lost the ack */ 3623 stcb->asoc.overall_error_count = 0; 3624 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3625 *netp); 3626 } 3627process_control_chunks: 3628 while (IS_SCTP_CONTROL(ch)) { 3629 /* validate chunk length */ 3630 chk_length = ntohs(ch->chunk_length); 3631 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n", 3632 ch->chunk_type, chk_length); 3633 if ((size_t)chk_length < sizeof(*ch) || 3634 (*offset + chk_length) > length) { 3635 *offset = length; 3636 if (locked_tcb) { 3637 SCTP_TCB_UNLOCK(locked_tcb); 3638 } 3639 return (NULL); 3640 } 3641 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3642 /* 3643 * INIT-ACK only gets the init ack "header" portion only 3644 * because we don't have to process the peer's COOKIE. All 3645 * others get a complete chunk. 3646 */ 3647 if ((ch->chunk_type == SCTP_INITIATION_ACK) || 3648 (ch->chunk_type == SCTP_INITIATION)) { 3649 /* get an init-ack chunk */ 3650 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3651 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3652 if (ch == NULL) { 3653 *offset = length; 3654 if (locked_tcb) { 3655 SCTP_TCB_UNLOCK(locked_tcb); 3656 } 3657 return (NULL); 3658 } 3659 } else if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3660 if (chk_length > sizeof(chunk_buf)) { 3661 /* 3662 * use just the size of the chunk buffer so 3663 * the front part of our cookie is intact. 3664 * The rest of cookie processing should use 3665 * the sctp_m_getptr() function to access 3666 * the other parts. 3667 */ 3668 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3669 (sizeof(chunk_buf) - 4), 3670 chunk_buf); 3671 if (ch == NULL) { 3672 *offset = length; 3673 if (locked_tcb) { 3674 SCTP_TCB_UNLOCK(locked_tcb); 3675 } 3676 return (NULL); 3677 } 3678 } else { 3679 /* We can fit it all */ 3680 goto all_fits; 3681 } 3682 } else { 3683 /* get a complete chunk... */ 3684 if ((size_t)chk_length > sizeof(chunk_buf)) { 3685 struct mbuf *oper; 3686 struct sctp_paramhdr *phdr; 3687 3688 oper = NULL; 3689 if (stcb) { 3690 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3691 0, M_DONTWAIT, 1, MT_DATA); 3692 3693 if (oper) { 3694 /* pre-reserve some space */ 3695 SCTP_BUF_RESV_UF(oper, sizeof(struct sctp_chunkhdr)); 3696 SCTP_BUF_LEN(oper) = sizeof(struct sctp_paramhdr); 3697 phdr = mtod(oper, struct sctp_paramhdr *); 3698 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); 3699 phdr->param_length = htons(sizeof(struct sctp_paramhdr)); 3700 sctp_queue_op_err(stcb, oper); 3701 } 3702 } 3703 if (locked_tcb) { 3704 SCTP_TCB_UNLOCK(locked_tcb); 3705 } 3706 return (NULL); 3707 } 3708 all_fits: 3709 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3710 chk_length, chunk_buf); 3711 if (ch == NULL) { 3712 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n"); 3713 *offset = length; 3714 if (locked_tcb) { 3715 SCTP_TCB_UNLOCK(locked_tcb); 3716 } 3717 return (NULL); 3718 } 3719 } 3720 num_chunks++; 3721 /* Save off the last place we got a control from */ 3722 if (stcb != NULL) { 3723 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) { 3724 /* 3725 * allow last_control to be NULL if 3726 * ASCONF... ASCONF processing will find the 3727 * right net later 3728 */ 3729 if ((netp != NULL) && (*netp != NULL)) 3730 stcb->asoc.last_control_chunk_from = *netp; 3731 } 3732 } 3733#ifdef SCTP_AUDITING_ENABLED 3734 sctp_audit_log(0xB0, ch->chunk_type); 3735#endif 3736 3737 /* check to see if this chunk required auth, but isn't */ 3738 if ((stcb != NULL) && !sctp_auth_disable && 3739 sctp_auth_is_required_chunk(ch->chunk_type, 3740 stcb->asoc.local_auth_chunks) && 3741 !stcb->asoc.authenticated) { 3742 /* "silently" ignore */ 3743 SCTP_STAT_INCR(sctps_recvauthmissing); 3744 goto next_chunk; 3745 } 3746 switch (ch->chunk_type) { 3747 case SCTP_INITIATION: 3748 /* must be first and only chunk */ 3749 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n"); 3750 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3751 /* We are not interested anymore? */ 3752 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3753 /* 3754 * collision case where we are 3755 * sending to them too 3756 */ 3757 ; 3758 } else { 3759 if (locked_tcb) { 3760 SCTP_TCB_UNLOCK(locked_tcb); 3761 } 3762 *offset = length; 3763 return (NULL); 3764 } 3765 } 3766 if ((num_chunks > 1) || 3767 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3768 *offset = length; 3769 if (locked_tcb) { 3770 SCTP_TCB_UNLOCK(locked_tcb); 3771 } 3772 return (NULL); 3773 } 3774 if ((stcb != NULL) && 3775 (SCTP_GET_STATE(&stcb->asoc) == 3776 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3777 sctp_send_shutdown_ack(stcb, 3778 stcb->asoc.primary_destination); 3779 *offset = length; 3780 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3781 if (locked_tcb) { 3782 SCTP_TCB_UNLOCK(locked_tcb); 3783 } 3784 return (NULL); 3785 } 3786 if (netp) { 3787 sctp_handle_init(m, iphlen, *offset, sh, 3788 (struct sctp_init_chunk *)ch, inp, 3789 stcb, *netp, &abort_no_unlock, vrf_id, table_id); 3790 } 3791 if (abort_no_unlock) 3792 return (NULL); 3793 3794 *offset = length; 3795 if (locked_tcb) { 3796 SCTP_TCB_UNLOCK(locked_tcb); 3797 } 3798 return (NULL); 3799 break; 3800 case SCTP_INITIATION_ACK: 3801 /* must be first and only chunk */ 3802 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n"); 3803 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3804 /* We are not interested anymore */ 3805 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3806 ; 3807 } else { 3808 if (locked_tcb) { 3809 SCTP_TCB_UNLOCK(locked_tcb); 3810 } 3811 *offset = length; 3812 if (stcb) { 3813 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3814 } 3815 return (NULL); 3816 } 3817 } 3818 if ((num_chunks > 1) || 3819 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3820 *offset = length; 3821 if (locked_tcb) { 3822 SCTP_TCB_UNLOCK(locked_tcb); 3823 } 3824 return (NULL); 3825 } 3826 if ((netp) && (*netp)) { 3827 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3828 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id, table_id); 3829 } else { 3830 ret = -1; 3831 } 3832 /* 3833 * Special case, I must call the output routine to 3834 * get the cookie echoed 3835 */ 3836 if (abort_no_unlock) 3837 return (NULL); 3838 3839 if ((stcb) && ret == 0) 3840 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3841 *offset = length; 3842 if (locked_tcb) { 3843 SCTP_TCB_UNLOCK(locked_tcb); 3844 } 3845 return (NULL); 3846 break; 3847 case SCTP_SELECTIVE_ACK: 3848 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n"); 3849 SCTP_STAT_INCR(sctps_recvsacks); 3850 { 3851 struct sctp_sack_chunk *sack; 3852 int abort_now = 0; 3853 uint32_t a_rwnd, cum_ack; 3854 uint16_t num_seg; 3855 int nonce_sum_flag; 3856 3857 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_sack_chunk))) { 3858 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on sack chunk, too small\n"); 3859 *offset = length; 3860 if (locked_tcb) { 3861 SCTP_TCB_UNLOCK(locked_tcb); 3862 } 3863 return (NULL); 3864 } 3865 sack = (struct sctp_sack_chunk *)ch; 3866 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3867 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3868 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3869 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3870 stcb->asoc.seen_a_sack_this_pkt = 1; 3871 if ((stcb->asoc.pr_sctp_cnt == 0) && 3872 (num_seg == 0) && 3873 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3874 (cum_ack == stcb->asoc.last_acked_seq)) && 3875 (stcb->asoc.saw_sack_with_frags == 0) && 3876 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3877 ) { 3878 /* 3879 * We have a SIMPLE sack having no 3880 * prior segments and data on sent 3881 * queue to be acked.. Use the 3882 * faster path sack processing. We 3883 * also allow window update sacks 3884 * with no missing segments to go 3885 * this way too. 3886 */ 3887 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, 3888 &abort_now); 3889 } else { 3890 if (netp && *netp) 3891 sctp_handle_sack(sack, stcb, *netp, &abort_now, chk_length, a_rwnd); 3892 } 3893 if (abort_now) { 3894 /* ABORT signal from sack processing */ 3895 *offset = length; 3896 return (NULL); 3897 } 3898 } 3899 break; 3900 case SCTP_HEARTBEAT_REQUEST: 3901 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n"); 3902 if ((stcb) && netp && *netp) { 3903 SCTP_STAT_INCR(sctps_recvheartbeat); 3904 sctp_send_heartbeat_ack(stcb, m, *offset, 3905 chk_length, *netp); 3906 3907 /* He's alive so give him credit */ 3908 stcb->asoc.overall_error_count = 0; 3909 } 3910 break; 3911 case SCTP_HEARTBEAT_ACK: 3912 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n"); 3913 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) { 3914 /* Its not ours */ 3915 *offset = length; 3916 if (locked_tcb) { 3917 SCTP_TCB_UNLOCK(locked_tcb); 3918 } 3919 return (NULL); 3920 } 3921 /* He's alive so give him credit */ 3922 stcb->asoc.overall_error_count = 0; 3923 SCTP_STAT_INCR(sctps_recvheartbeatack); 3924 if (netp && *netp) 3925 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3926 stcb, *netp); 3927 break; 3928 case SCTP_ABORT_ASSOCIATION: 3929 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT\n"); 3930 if ((stcb) && netp && *netp) 3931 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3932 stcb, *netp); 3933 *offset = length; 3934 return (NULL); 3935 break; 3936 case SCTP_SHUTDOWN: 3937 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN\n"); 3938 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) { 3939 *offset = length; 3940 if (locked_tcb) { 3941 SCTP_TCB_UNLOCK(locked_tcb); 3942 } 3943 return (NULL); 3944 3945 } 3946 if (netp && *netp) { 3947 int abort_flag = 0; 3948 3949 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3950 stcb, *netp, &abort_flag); 3951 if (abort_flag) { 3952 *offset = length; 3953 return (NULL); 3954 } 3955 } 3956 break; 3957 case SCTP_SHUTDOWN_ACK: 3958 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK\n"); 3959 if ((stcb) && (netp) && (*netp)) 3960 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3961 *offset = length; 3962 return (NULL); 3963 break; 3964 3965 case SCTP_OPERATION_ERROR: 3966 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n"); 3967 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) { 3968 3969 *offset = length; 3970 return (NULL); 3971 } 3972 break; 3973 case SCTP_COOKIE_ECHO: 3974 SCTPDBG(SCTP_DEBUG_INPUT3, 3975 "SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3976 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3977 ; 3978 } else { 3979 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3980 /* We are not interested anymore */ 3981 *offset = length; 3982 return (NULL); 3983 } 3984 } 3985 /* 3986 * First are we accepting? We do this again here 3987 * sincen it is possible that a previous endpoint 3988 * WAS listening responded to a INIT-ACK and then 3989 * closed. We opened and bound.. and are now no 3990 * longer listening. 3991 */ 3992 if (inp->sctp_socket->so_qlimit == 0) { 3993 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 3994 /* 3995 * special case, is this a retran'd 3996 * COOKIE-ECHO or a restarting assoc 3997 * that is a peeled off or 3998 * one-to-one style socket. 3999 */ 4000 goto process_cookie_anyway; 4001 } 4002 sctp_abort_association(inp, stcb, m, iphlen, 4003 sh, NULL, vrf_id, 4004 table_id); 4005 *offset = length; 4006 return (NULL); 4007 } else if (inp->sctp_socket->so_qlimit) { 4008 /* we are accepting so check limits like TCP */ 4009 if (inp->sctp_socket->so_qlen > 4010 inp->sctp_socket->so_qlimit) { 4011 /* no space */ 4012 struct mbuf *oper; 4013 struct sctp_paramhdr *phdr; 4014 4015 if (sctp_abort_if_one_2_one_hits_limit) { 4016 oper = NULL; 4017 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4018 0, M_DONTWAIT, 1, MT_DATA); 4019 if (oper) { 4020 SCTP_BUF_LEN(oper) = 4021 sizeof(struct sctp_paramhdr); 4022 phdr = mtod(oper, 4023 struct sctp_paramhdr *); 4024 phdr->param_type = 4025 htons(SCTP_CAUSE_OUT_OF_RESC); 4026 phdr->param_length = 4027 htons(sizeof(struct sctp_paramhdr)); 4028 } 4029 sctp_abort_association(inp, stcb, m, 4030 iphlen, sh, oper, vrf_id, table_id); 4031 } 4032 *offset = length; 4033 return (NULL); 4034 } 4035 } 4036 process_cookie_anyway: 4037 { 4038 struct mbuf *ret_buf; 4039 struct sctp_inpcb *linp; 4040 4041 if (stcb) { 4042 linp = NULL; 4043 } else { 4044 linp = inp; 4045 } 4046 4047 if (linp) { 4048 SCTP_ASOC_CREATE_LOCK(linp); 4049 } 4050 if (netp) { 4051 ret_buf = 4052 sctp_handle_cookie_echo(m, iphlen, 4053 *offset, sh, 4054 (struct sctp_cookie_echo_chunk *)ch, 4055 &inp, &stcb, netp, 4056 auth_skipped, 4057 auth_offset, 4058 auth_len, 4059 &locked_tcb, 4060 vrf_id, 4061 table_id); 4062 } else { 4063 ret_buf = NULL; 4064 } 4065 if (linp) { 4066 SCTP_ASOC_CREATE_UNLOCK(linp); 4067 } 4068 if (ret_buf == NULL) { 4069 if (locked_tcb) { 4070 SCTP_TCB_UNLOCK(locked_tcb); 4071 } 4072 SCTPDBG(SCTP_DEBUG_INPUT3, 4073 "GAK, null buffer\n"); 4074 auth_skipped = 0; 4075 *offset = length; 4076 return (NULL); 4077 } 4078 /* if AUTH skipped, see if it verified... */ 4079 if (auth_skipped) { 4080 got_auth = 1; 4081 auth_skipped = 0; 4082 } 4083 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4084 /* 4085 * Restart the timer if we have 4086 * pending data 4087 */ 4088 struct sctp_tmit_chunk *chk; 4089 4090 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4091 if (chk) { 4092 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4093 stcb->sctp_ep, stcb, 4094 chk->whoTo); 4095 } 4096 } 4097 } 4098 break; 4099 case SCTP_COOKIE_ACK: 4100 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK\n"); 4101 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) { 4102 if (locked_tcb) { 4103 SCTP_TCB_UNLOCK(locked_tcb); 4104 } 4105 return (NULL); 4106 } 4107 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4108 /* We are not interested anymore */ 4109 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4110 ; 4111 } else if (stcb) { 4112 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4113 *offset = length; 4114 return (NULL); 4115 } 4116 } 4117 /* He's alive so give him credit */ 4118 if ((stcb) && netp && *netp) { 4119 stcb->asoc.overall_error_count = 0; 4120 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4121 } 4122 break; 4123 case SCTP_ECN_ECHO: 4124 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n"); 4125 /* He's alive so give him credit */ 4126 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) { 4127 /* Its not ours */ 4128 if (locked_tcb) { 4129 SCTP_TCB_UNLOCK(locked_tcb); 4130 } 4131 *offset = length; 4132 return (NULL); 4133 } 4134 if (stcb) { 4135 stcb->asoc.overall_error_count = 0; 4136 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4137 stcb); 4138 } 4139 break; 4140 case SCTP_ECN_CWR: 4141 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n"); 4142 /* He's alive so give him credit */ 4143 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) { 4144 /* Its not ours */ 4145 if (locked_tcb) { 4146 SCTP_TCB_UNLOCK(locked_tcb); 4147 } 4148 *offset = length; 4149 return (NULL); 4150 } 4151 if (stcb) { 4152 stcb->asoc.overall_error_count = 0; 4153 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4154 } 4155 break; 4156 case SCTP_SHUTDOWN_COMPLETE: 4157 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE\n"); 4158 /* must be first and only chunk */ 4159 if ((num_chunks > 1) || 4160 (length - *offset > SCTP_SIZE32(chk_length))) { 4161 *offset = length; 4162 if (locked_tcb) { 4163 SCTP_TCB_UNLOCK(locked_tcb); 4164 } 4165 return (NULL); 4166 } 4167 if ((stcb) && netp && *netp) { 4168 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4169 stcb, *netp); 4170 } 4171 *offset = length; 4172 return (NULL); 4173 break; 4174 case SCTP_ASCONF: 4175 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n"); 4176 /* He's alive so give him credit */ 4177 if (stcb) { 4178 stcb->asoc.overall_error_count = 0; 4179 sctp_handle_asconf(m, *offset, 4180 (struct sctp_asconf_chunk *)ch, stcb); 4181 } 4182 break; 4183 case SCTP_ASCONF_ACK: 4184 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n"); 4185 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) { 4186 /* Its not ours */ 4187 if (locked_tcb) { 4188 SCTP_TCB_UNLOCK(locked_tcb); 4189 } 4190 *offset = length; 4191 return (NULL); 4192 } 4193 if ((stcb) && netp && *netp) { 4194 /* He's alive so give him credit */ 4195 stcb->asoc.overall_error_count = 0; 4196 sctp_handle_asconf_ack(m, *offset, 4197 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4198 } 4199 break; 4200 case SCTP_FORWARD_CUM_TSN: 4201 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n"); 4202 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) { 4203 /* Its not ours */ 4204 if (locked_tcb) { 4205 SCTP_TCB_UNLOCK(locked_tcb); 4206 } 4207 *offset = length; 4208 return (NULL); 4209 } 4210 /* He's alive so give him credit */ 4211 if (stcb) { 4212 int abort_flag = 0; 4213 4214 stcb->asoc.overall_error_count = 0; 4215 *fwd_tsn_seen = 1; 4216 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4217 /* We are not interested anymore */ 4218 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28); 4219 *offset = length; 4220 return (NULL); 4221 } 4222 sctp_handle_forward_tsn(stcb, 4223 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4224 if (abort_flag) { 4225 *offset = length; 4226 return (NULL); 4227 } else { 4228 stcb->asoc.overall_error_count = 0; 4229 } 4230 4231 } 4232 break; 4233 case SCTP_STREAM_RESET: 4234 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n"); 4235 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4236 chk_length, chunk_buf); 4237 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) { 4238 /* Its not ours */ 4239 if (locked_tcb) { 4240 SCTP_TCB_UNLOCK(locked_tcb); 4241 } 4242 *offset = length; 4243 return (NULL); 4244 } 4245 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4246 /* We are not interested anymore */ 4247 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4248 *offset = length; 4249 return (NULL); 4250 } 4251 if (stcb->asoc.peer_supports_strreset == 0) { 4252 /* 4253 * hmm, peer should have announced this, but 4254 * we will turn it on since he is sending us 4255 * a stream reset. 4256 */ 4257 stcb->asoc.peer_supports_strreset = 1; 4258 } 4259 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4260 /* stop processing */ 4261 *offset = length; 4262 return (NULL); 4263 } 4264 break; 4265 case SCTP_PACKET_DROPPED: 4266 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n"); 4267 /* re-get it all please */ 4268 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) { 4269 /* Its not ours */ 4270 if (locked_tcb) { 4271 SCTP_TCB_UNLOCK(locked_tcb); 4272 } 4273 *offset = length; 4274 return (NULL); 4275 } 4276 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4277 chk_length, chunk_buf); 4278 4279 if (ch && (stcb) && netp && (*netp)) { 4280 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4281 stcb, *netp); 4282 } 4283 break; 4284 4285 case SCTP_AUTHENTICATION: 4286 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n"); 4287 if (sctp_auth_disable) 4288 goto unknown_chunk; 4289 4290 if (stcb == NULL) { 4291 /* save the first AUTH for later processing */ 4292 if (auth_skipped == 0) { 4293 auth_offset = *offset; 4294 auth_len = chk_length; 4295 auth_skipped = 1; 4296 } 4297 /* skip this chunk (temporarily) */ 4298 goto next_chunk; 4299 } 4300 if ((chk_length < (sizeof(struct sctp_auth_chunk))) || 4301 (chk_length > (sizeof(struct sctp_auth_chunk) + 4302 SCTP_AUTH_DIGEST_LEN_MAX))) { 4303 /* Its not ours */ 4304 if (locked_tcb) { 4305 SCTP_TCB_UNLOCK(locked_tcb); 4306 } 4307 *offset = length; 4308 return (NULL); 4309 } 4310 if (got_auth == 1) { 4311 /* skip this chunk... it's already auth'd */ 4312 goto next_chunk; 4313 } 4314 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4315 chk_length, chunk_buf); 4316 got_auth = 1; 4317 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4318 m, *offset)) { 4319 /* auth HMAC failed so dump the packet */ 4320 *offset = length; 4321 return (stcb); 4322 } else { 4323 /* remaining chunks are HMAC checked */ 4324 stcb->asoc.authenticated = 1; 4325 } 4326 break; 4327 4328 default: 4329 unknown_chunk: 4330 /* it's an unknown chunk! */ 4331 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4332 struct mbuf *mm; 4333 struct sctp_paramhdr *phd; 4334 4335 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4336 0, M_DONTWAIT, 1, MT_DATA); 4337 if (mm) { 4338 phd = mtod(mm, struct sctp_paramhdr *); 4339 /* 4340 * We cheat and use param type since 4341 * we did not bother to define a 4342 * error cause struct. They are the 4343 * same basic format with different 4344 * names. 4345 */ 4346 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4347 phd->param_length = htons(chk_length + sizeof(*phd)); 4348 SCTP_BUF_LEN(mm) = sizeof(*phd); 4349 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 4350 M_DONTWAIT); 4351 if (SCTP_BUF_NEXT(mm)) { 4352 sctp_queue_op_err(stcb, mm); 4353 } else { 4354 sctp_m_freem(mm); 4355 } 4356 } 4357 } 4358 if ((ch->chunk_type & 0x80) == 0) { 4359 /* discard this packet */ 4360 *offset = length; 4361 return (stcb); 4362 } /* else skip this bad chunk and continue... */ 4363 break; 4364 } /* switch (ch->chunk_type) */ 4365 4366 4367next_chunk: 4368 /* get the next chunk */ 4369 *offset += SCTP_SIZE32(chk_length); 4370 if (*offset >= length) { 4371 /* no more data left in the mbuf chain */ 4372 break; 4373 } 4374 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4375 sizeof(struct sctp_chunkhdr), chunk_buf); 4376 if (ch == NULL) { 4377 if (locked_tcb) { 4378 SCTP_TCB_UNLOCK(locked_tcb); 4379 } 4380 *offset = length; 4381 return (NULL); 4382 } 4383 } /* while */ 4384 return (stcb); 4385} 4386 4387 4388/* 4389 * Process the ECN bits we have something set so we must look to see if it is 4390 * ECN(0) or ECN(1) or CE 4391 */ 4392static __inline void 4393sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4394 uint8_t ecn_bits) 4395{ 4396 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4397 ; 4398 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4399 /* 4400 * we only add to the nonce sum for ECT1, ECT0 does not 4401 * change the NS bit (that we have yet to find a way to send 4402 * it yet). 4403 */ 4404 4405 /* ECN Nonce stuff */ 4406 stcb->asoc.receiver_nonce_sum++; 4407 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4408 4409 /* 4410 * Drag up the last_echo point if cumack is larger since we 4411 * don't want the point falling way behind by more than 4412 * 2^^31 and then having it be incorrect. 4413 */ 4414 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4415 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4416 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4417 } 4418 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4419 /* 4420 * Drag up the last_echo point if cumack is larger since we 4421 * don't want the point falling way behind by more than 4422 * 2^^31 and then having it be incorrect. 4423 */ 4424 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4425 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4426 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4427 } 4428 } 4429} 4430 4431static __inline void 4432sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4433 uint32_t high_tsn, uint8_t ecn_bits) 4434{ 4435 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4436 /* 4437 * we possibly must notify the sender that a congestion 4438 * window reduction is in order. We do this by adding a ECNE 4439 * chunk to the output chunk queue. The incoming CWR will 4440 * remove this chunk. 4441 */ 4442 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4443 MAX_TSN)) { 4444 /* Yep, we need to add a ECNE */ 4445 sctp_send_ecn_echo(stcb, net, high_tsn); 4446 stcb->asoc.last_echo_tsn = high_tsn; 4447 } 4448 } 4449} 4450 4451/* 4452 * common input chunk processing (v4 and v6) 4453 */ 4454void 4455sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4456 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4457 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4458 uint8_t ecn_bits, uint32_t vrf_id, uint32_t table_id) 4459{ 4460 /* 4461 * Control chunk processing 4462 */ 4463 uint32_t high_tsn; 4464 int fwd_tsn_seen = 0, data_processed = 0; 4465 struct mbuf *m = *mm; 4466 int abort_flag = 0; 4467 int un_sent; 4468 4469 SCTP_STAT_INCR(sctps_recvdatagrams); 4470#ifdef SCTP_AUDITING_ENABLED 4471 sctp_audit_log(0xE0, 1); 4472 sctp_auditing(0, inp, stcb, net); 4473#endif 4474 4475 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 4476 m, iphlen, offset); 4477 4478 if (stcb) { 4479 /* always clear this before beginning a packet */ 4480 stcb->asoc.authenticated = 0; 4481 stcb->asoc.seen_a_sack_this_pkt = 0; 4482 } 4483 if (IS_SCTP_CONTROL(ch)) { 4484 /* process the control portion of the SCTP packet */ 4485 /* sa_ignore NO_NULL_CHK */ 4486 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4487 inp, stcb, &net, &fwd_tsn_seen, vrf_id, table_id); 4488 if (stcb) { 4489 /* 4490 * This covers us if the cookie-echo was there and 4491 * it changes our INP. 4492 */ 4493 inp = stcb->sctp_ep; 4494 } 4495 } else { 4496 /* 4497 * no control chunks, so pre-process DATA chunks (these 4498 * checks are taken care of by control processing) 4499 */ 4500 4501 /* 4502 * if DATA only packet, and auth is required, then punt... 4503 * can't have authenticated without any AUTH (control) 4504 * chunks 4505 */ 4506 if ((stcb != NULL) && !sctp_auth_disable && 4507 sctp_auth_is_required_chunk(SCTP_DATA, 4508 stcb->asoc.local_auth_chunks)) { 4509 /* "silently" ignore */ 4510 SCTP_STAT_INCR(sctps_recvauthmissing); 4511 SCTP_TCB_UNLOCK(stcb); 4512 return; 4513 } 4514 if (stcb == NULL) { 4515 /* out of the blue DATA chunk */ 4516 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 4517 vrf_id, table_id); 4518 return; 4519 } 4520 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4521 /* v_tag mismatch! */ 4522 SCTP_STAT_INCR(sctps_badvtag); 4523 SCTP_TCB_UNLOCK(stcb); 4524 return; 4525 } 4526 } 4527 4528 if (stcb == NULL) { 4529 /* 4530 * no valid TCB for this packet, or we found it's a bad 4531 * packet while processing control, or we're done with this 4532 * packet (done or skip rest of data), so we drop it... 4533 */ 4534 return; 4535 } 4536 /* 4537 * DATA chunk processing 4538 */ 4539 /* plow through the data chunks while length > offset */ 4540 4541 /* 4542 * Rest should be DATA only. Check authentication state if AUTH for 4543 * DATA is required. 4544 */ 4545 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable && 4546 sctp_auth_is_required_chunk(SCTP_DATA, 4547 stcb->asoc.local_auth_chunks) && 4548 !stcb->asoc.authenticated) { 4549 /* "silently" ignore */ 4550 SCTP_STAT_INCR(sctps_recvauthmissing); 4551 SCTPDBG(SCTP_DEBUG_AUTH1, 4552 "Data chunk requires AUTH, skipped\n"); 4553 goto trigger_send; 4554 } 4555 if (length > offset) { 4556 int retval; 4557 4558 /* 4559 * First check to make sure our state is correct. We would 4560 * not get here unless we really did have a tag, so we don't 4561 * abort if this happens, just dump the chunk silently. 4562 */ 4563 switch (SCTP_GET_STATE(&stcb->asoc)) { 4564 case SCTP_STATE_COOKIE_ECHOED: 4565 /* 4566 * we consider data with valid tags in this state 4567 * shows us the cookie-ack was lost. Imply it was 4568 * there. 4569 */ 4570 stcb->asoc.overall_error_count = 0; 4571 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4572 break; 4573 case SCTP_STATE_COOKIE_WAIT: 4574 /* 4575 * We consider OOTB any data sent during asoc setup. 4576 */ 4577 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 4578 vrf_id, table_id); 4579 SCTP_TCB_UNLOCK(stcb); 4580 return; 4581 break; 4582 case SCTP_STATE_EMPTY: /* should not happen */ 4583 case SCTP_STATE_INUSE: /* should not happen */ 4584 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4585 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4586 default: 4587 SCTP_TCB_UNLOCK(stcb); 4588 return; 4589 break; 4590 case SCTP_STATE_OPEN: 4591 case SCTP_STATE_SHUTDOWN_SENT: 4592 break; 4593 } 4594 /* take care of ECN, part 1. */ 4595 if (stcb->asoc.ecn_allowed && 4596 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4597 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4598 } 4599 /* plow through the data chunks while length > offset */ 4600 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4601 inp, stcb, net, &high_tsn); 4602 if (retval == 2) { 4603 /* 4604 * The association aborted, NO UNLOCK needed since 4605 * the association is destroyed. 4606 */ 4607 return; 4608 } 4609 data_processed = 1; 4610 if (retval == 0) { 4611 /* take care of ecn part 2. */ 4612 if (stcb->asoc.ecn_allowed && 4613 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4614 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4615 ecn_bits); 4616 } 4617 } 4618 /* 4619 * Anything important needs to have been m_copy'ed in 4620 * process_data 4621 */ 4622 } 4623 if ((data_processed == 0) && (fwd_tsn_seen)) { 4624 int was_a_gap = 0; 4625 4626 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4627 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4628 /* there was a gap before this data was processed */ 4629 was_a_gap = 1; 4630 } 4631 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4632 if (abort_flag) { 4633 /* Again, we aborted so NO UNLOCK needed */ 4634 return; 4635 } 4636 } 4637 /* trigger send of any chunks in queue... */ 4638trigger_send: 4639#ifdef SCTP_AUDITING_ENABLED 4640 sctp_audit_log(0xE0, 2); 4641 sctp_auditing(1, inp, stcb, net); 4642#endif 4643 SCTPDBG(SCTP_DEBUG_INPUT1, 4644 "Check for chunk output prw:%d tqe:%d tf=%d\n", 4645 stcb->asoc.peers_rwnd, 4646 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4647 stcb->asoc.total_flight); 4648 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4649 4650 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4651 ((un_sent) && 4652 (stcb->asoc.peers_rwnd > 0 || 4653 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4654 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n"); 4655 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4656 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n"); 4657 } 4658#ifdef SCTP_AUDITING_ENABLED 4659 sctp_audit_log(0xE0, 3); 4660 sctp_auditing(2, inp, stcb, net); 4661#endif 4662 SCTP_TCB_UNLOCK(stcb); 4663 return; 4664} 4665 4666 4667 4668void 4669sctp_input(i_pak, off) 4670 struct mbuf *i_pak; 4671 int off; 4672 4673{ 4674#ifdef SCTP_MBUF_LOGGING 4675 struct mbuf *mat; 4676 4677#endif 4678 struct mbuf *m; 4679 int iphlen; 4680 uint32_t vrf_id = 0, table_id = 0; 4681 uint8_t ecn_bits; 4682 struct ip *ip; 4683 struct sctphdr *sh; 4684 struct sctp_inpcb *inp = NULL; 4685 4686 uint32_t check, calc_check; 4687 struct sctp_nets *net; 4688 struct sctp_tcb *stcb = NULL; 4689 struct sctp_chunkhdr *ch; 4690 int refcount_up = 0; 4691 int length, mlen, offset; 4692 4693 4694 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) { 4695 SCTP_RELEASE_PKT(i_pak); 4696 return; 4697 } 4698 if (SCTP_GET_PKT_TABLEID(i_pak, table_id)) { 4699 SCTP_RELEASE_PKT(i_pak); 4700 return; 4701 } 4702 mlen = SCTP_HEADER_LEN(i_pak); 4703 iphlen = off; 4704 m = SCTP_HEADER_TO_CHAIN(i_pak); 4705 4706 net = NULL; 4707 SCTP_STAT_INCR(sctps_recvpackets); 4708 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4709 4710#ifdef SCTP_MBUF_LOGGING 4711 /* Log in any input mbufs */ 4712 mat = m; 4713 while (mat) { 4714 if (SCTP_BUF_IS_EXTENDED(mat)) { 4715 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4716 } 4717 mat = SCTP_BUF_NEXT(mat); 4718 } 4719#endif 4720 4721 /* 4722 * Get IP, SCTP, and first chunk header together in first mbuf. 4723 */ 4724 ip = mtod(m, struct ip *); 4725 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4726 if (SCTP_BUF_LEN(m) < offset) { 4727 if ((m = m_pullup(m, offset)) == 0) { 4728 SCTP_STAT_INCR(sctps_hdrops); 4729 return; 4730 } 4731 ip = mtod(m, struct ip *); 4732 } 4733 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4734 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4735 4736 /* SCTP does not allow broadcasts or multicasts */ 4737 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4738 goto bad; 4739 } 4740 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 4741 /* 4742 * We only look at broadcast if its a front state, All 4743 * others we will not have a tcb for anyway. 4744 */ 4745 goto bad; 4746 } 4747 /* validate SCTP checksum */ 4748 if ((sctp_no_csum_on_loopback == 0) || !SCTP_IS_IT_LOOPBACK(m)) { 4749 /* 4750 * we do NOT validate things from the loopback if the sysctl 4751 * is set to 1. 4752 */ 4753 check = sh->checksum; /* save incoming checksum */ 4754 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4755 /* 4756 * special hook for where we got a local address 4757 * somehow routed across a non IFT_LOOP type 4758 * interface 4759 */ 4760 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4761 goto sctp_skip_csum_4; 4762 } 4763 sh->checksum = 0; /* prepare for calc */ 4764 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4765 if (calc_check != check) { 4766 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4767 calc_check, check, m, mlen, iphlen); 4768 4769 stcb = sctp_findassociation_addr(m, iphlen, 4770 offset - sizeof(*ch), 4771 sh, ch, &inp, &net, 4772 vrf_id); 4773 if ((inp) && (stcb)) { 4774 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4775 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4776 } else if ((inp != NULL) && (stcb == NULL)) { 4777 refcount_up = 1; 4778 } 4779 SCTP_STAT_INCR(sctps_badsum); 4780 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4781 goto bad; 4782 } 4783 sh->checksum = calc_check; 4784 } 4785sctp_skip_csum_4: 4786 /* destination port of 0 is illegal, based on RFC2960. */ 4787 if (sh->dest_port == 0) { 4788 SCTP_STAT_INCR(sctps_hdrops); 4789 goto bad; 4790 } 4791 /* validate mbuf chain length with IP payload length */ 4792 if (mlen < (ip->ip_len - iphlen)) { 4793 SCTP_STAT_INCR(sctps_hdrops); 4794 goto bad; 4795 } 4796 /* 4797 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4798 * IP/SCTP/first chunk header... 4799 */ 4800 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4801 sh, ch, &inp, &net, vrf_id); 4802 /* inp's ref-count increased && stcb locked */ 4803 if (inp == NULL) { 4804 struct sctp_init_chunk *init_chk, chunk_buf; 4805 4806 SCTP_STAT_INCR(sctps_noport); 4807#ifdef ICMP_BANDLIM 4808 /* 4809 * we use the bandwidth limiting to protect against sending 4810 * too many ABORTS all at once. In this case these count the 4811 * same as an ICMP message. 4812 */ 4813 if (badport_bandlim(0) < 0) 4814 goto bad; 4815#endif /* ICMP_BANDLIM */ 4816 SCTPDBG(SCTP_DEBUG_INPUT1, 4817 "Sending a ABORT from packet entry!\n"); 4818 if (ch->chunk_type == SCTP_INITIATION) { 4819 /* 4820 * we do a trick here to get the INIT tag, dig in 4821 * and get the tag from the INIT and put it in the 4822 * common header. 4823 */ 4824 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4825 iphlen + sizeof(*sh), sizeof(*init_chk), 4826 (uint8_t *) & chunk_buf); 4827 if (init_chk != NULL) 4828 sh->v_tag = init_chk->init.initiate_tag; 4829 } 4830 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4831 sctp_send_shutdown_complete2(m, iphlen, sh, vrf_id, 4832 table_id); 4833 goto bad; 4834 } 4835 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 4836 goto bad; 4837 } 4838 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 4839 sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id, 4840 table_id); 4841 goto bad; 4842 } else if (stcb == NULL) { 4843 refcount_up = 1; 4844 } 4845#ifdef IPSEC 4846 /* 4847 * I very much doubt any of the IPSEC stuff will work but I have no 4848 * idea, so I will leave it in place. 4849 */ 4850 4851 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 4852 ipsecstat.in_polvio++; 4853 SCTP_STAT_INCR(sctps_hdrops); 4854 goto bad; 4855 } 4856#endif /* IPSEC */ 4857 4858 /* 4859 * common chunk processing 4860 */ 4861 length = ip->ip_len + iphlen; 4862 offset -= sizeof(struct sctp_chunkhdr); 4863 4864 ecn_bits = ip->ip_tos; 4865 4866 /* sa_ignore NO_NULL_CHK */ 4867 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4868 inp, stcb, net, ecn_bits, vrf_id, 4869 table_id); 4870 /* inp's ref-count reduced && stcb unlocked */ 4871 if (m) { 4872 sctp_m_freem(m); 4873 } 4874 if ((inp) && (refcount_up)) { 4875 /* reduce ref-count */ 4876 SCTP_INP_WLOCK(inp); 4877 SCTP_INP_DECR_REF(inp); 4878 SCTP_INP_WUNLOCK(inp); 4879 } 4880 return; 4881bad: 4882 if (stcb) { 4883 SCTP_TCB_UNLOCK(stcb); 4884 } 4885 if ((inp) && (refcount_up)) { 4886 /* reduce ref-count */ 4887 SCTP_INP_WLOCK(inp); 4888 SCTP_INP_DECR_REF(inp); 4889 SCTP_INP_WUNLOCK(inp); 4890 } 4891 if (m) { 4892 sctp_m_freem(m); 4893 } 4894 return; 4895} 4896