sctp_input.c revision 170642
134192Sjdp/*- 234192Sjdp * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved. 334192Sjdp * 434192Sjdp * Redistribution and use in source and binary forms, with or without 534192Sjdp * modification, are permitted provided that the following conditions are met: 634192Sjdp * 734192Sjdp * a) Redistributions of source code must retain the above copyright notice, 834192Sjdp * this list of conditions and the following disclaimer. 934192Sjdp * 1034192Sjdp * b) Redistributions in binary form must reproduce the above copyright 1134192Sjdp * notice, this list of conditions and the following disclaimer in 1234192Sjdp * the documentation and/or other materials provided with the distribution. 1334192Sjdp * 1434192Sjdp * c) Neither the name of Cisco Systems, Inc. nor the names of its 1534192Sjdp * contributors may be used to endorse or promote products derived 1634192Sjdp * from this software without specific prior written permission. 1734192Sjdp * 1834192Sjdp * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 1934192Sjdp * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 2034192Sjdp * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2134192Sjdp * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 2234192Sjdp * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 2334192Sjdp * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 2434192Sjdp * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 2538816Sdfr * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 2634192Sjdp * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 2734192Sjdp * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 2834192Sjdp * THE POSSIBILITY OF SUCH DAMAGE. 2934192Sjdp */ 3034192Sjdp 3134192Sjdp/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 3234192Sjdp 3335529Sdfr#include <sys/cdefs.h> 3434192Sjdp__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 170642 2007-06-13 01:31:53Z rrs $"); 3534192Sjdp 3634192Sjdp#include <netinet/sctp_os.h> 3734192Sjdp#include <netinet/sctp_var.h> 3834192Sjdp#include <netinet/sctp_sysctl.h> 3934192Sjdp#include <netinet/sctp_pcb.h> 4034192Sjdp#include <netinet/sctp_header.h> 4134192Sjdp#include <netinet/sctputil.h> 4234192Sjdp#include <netinet/sctp_output.h> 4334192Sjdp#include <netinet/sctp_input.h> 4434192Sjdp#include <netinet/sctp_auth.h> 4534192Sjdp#include <netinet/sctp_indata.h> 4634192Sjdp#include <netinet/sctp_asconf.h> 4734192Sjdp#include <netinet/sctp_bsd_addr.h> 4834192Sjdp 4934192Sjdp 5034192Sjdp 5134192Sjdpstatic void 5234192Sjdpsctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 5334192Sjdp{ 5434192Sjdp struct sctp_nets *net; 5534192Sjdp 5634192Sjdp /* 5734192Sjdp * This now not only stops all cookie timers it also stops any INIT 5834192Sjdp * timers as well. This will make sure that the timers are stopped 5934192Sjdp * in all collision cases. 6034192Sjdp */ 6134192Sjdp SCTP_TCB_LOCK_ASSERT(stcb); 6234192Sjdp TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 6334192Sjdp if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 6434192Sjdp sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 6534192Sjdp stcb->sctp_ep, 6634192Sjdp stcb, 6734192Sjdp net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 6838467Sjb } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 6938467Sjb sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 7034192Sjdp stcb->sctp_ep, 7134192Sjdp stcb, 7234192Sjdp net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 7334192Sjdp } 7434192Sjdp } 7534192Sjdp} 7634192Sjdp 7734192Sjdp/* INIT handler */ 7834192Sjdpstatic void 7934192Sjdpsctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 8038467Sjb struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 8134192Sjdp struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 8238467Sjb{ 8334192Sjdp struct sctp_init *init; 8438467Sjb struct mbuf *op_err; 8534192Sjdp uint32_t init_limit; 8634192Sjdp 8734192Sjdp SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n", 8838467Sjb stcb); 8938467Sjb op_err = NULL; 9034192Sjdp init = &cp->init; 9138816Sdfr /* First are we accepting? */ 9238816Sdfr if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 9338467Sjb SCTPDBG(SCTP_DEBUG_INPUT2, 9434192Sjdp "sctp_handle_init: Abort, so_qlimit:%d\n", 9538816Sdfr inp->sctp_socket->so_qlimit); 9638816Sdfr /* 9738467Sjb * FIX ME ?? What about TCP model and we have a 9834192Sjdp * match/restart case? 9934192Sjdp */ 10034192Sjdp sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 10138816Sdfr vrf_id); 10234192Sjdp if (stcb) 10338816Sdfr *abort_no_unlock = 1; 10434192Sjdp return; 10534192Sjdp } 10634192Sjdp if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 10734192Sjdp /* Invalid length */ 10834192Sjdp op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 10934192Sjdp sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 11034192Sjdp vrf_id); 11134192Sjdp if (stcb) 11234192Sjdp *abort_no_unlock = 1; 11334192Sjdp return; 11434192Sjdp } 11534192Sjdp /* validate parameters */ 11638740Sjdp if (init->initiate_tag == 0) { 11735529Sdfr /* protocol error... send abort */ 11835529Sdfr op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 11934192Sjdp sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 12034192Sjdp vrf_id); 12134192Sjdp if (stcb) 12234192Sjdp *abort_no_unlock = 1; 12334192Sjdp return; 12434192Sjdp } 12534192Sjdp if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 12634192Sjdp /* invalid parameter... send abort */ 12734192Sjdp op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 12834192Sjdp sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 12938816Sdfr vrf_id); 13034192Sjdp return; 13138816Sdfr } 13238816Sdfr if (init->num_inbound_streams == 0) { 13338816Sdfr /* protocol error... send abort */ 13438816Sdfr op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 13538816Sdfr sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 13638816Sdfr vrf_id); 13738816Sdfr if (stcb) 13838816Sdfr *abort_no_unlock = 1; 13938816Sdfr return; 14038816Sdfr } 14138816Sdfr if (init->num_outbound_streams == 0) { 14238816Sdfr /* protocol error... send abort */ 14334192Sjdp op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 145 vrf_id); 146 if (stcb) 147 *abort_no_unlock = 1; 148 return; 149 } 150 init_limit = offset + ntohs(cp->ch.chunk_length); 151 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 152 init_limit)) { 153 /* auth parameter(s) error... send abort */ 154 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id); 155 if (stcb) 156 *abort_no_unlock = 1; 157 return; 158 } 159 /* send an INIT-ACK w/cookie */ 160 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n"); 161 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id); 162} 163 164/* 165 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 166 */ 167static int 168sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 169 struct sctp_nets *net) 170{ 171 struct sctp_init *init; 172 struct sctp_association *asoc; 173 struct sctp_nets *lnet; 174 unsigned int i; 175 176 init = &cp->init; 177 asoc = &stcb->asoc; 178 /* save off parameters */ 179 asoc->peer_vtag = ntohl(init->initiate_tag); 180 asoc->peers_rwnd = ntohl(init->a_rwnd); 181 if (TAILQ_FIRST(&asoc->nets)) { 182 /* update any ssthresh's that may have a default */ 183 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 184 lnet->ssthresh = asoc->peers_rwnd; 185 186#if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 187 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 188#endif 189 190 } 191 } 192 SCTP_TCB_SEND_LOCK(stcb); 193 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 194 unsigned int newcnt; 195 struct sctp_stream_out *outs; 196 struct sctp_stream_queue_pending *sp; 197 198 /* cut back on number of streams */ 199 newcnt = ntohs(init->num_inbound_streams); 200 /* This if is probably not needed but I am cautious */ 201 if (asoc->strmout) { 202 /* First make sure no data chunks are trapped */ 203 for (i = newcnt; i < asoc->pre_open_streams; i++) { 204 outs = &asoc->strmout[i]; 205 sp = TAILQ_FIRST(&outs->outqueue); 206 while (sp) { 207 TAILQ_REMOVE(&outs->outqueue, sp, 208 next); 209 asoc->stream_queue_cnt--; 210 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 211 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 212 sp); 213 if (sp->data) { 214 sctp_m_freem(sp->data); 215 sp->data = NULL; 216 } 217 sctp_free_remote_addr(sp->net); 218 sp->net = NULL; 219 /* Free the chunk */ 220 SCTP_PRINTF("sp:%p tcb:%p weird free case\n", 221 sp, stcb); 222 223 sctp_free_a_strmoq(stcb, sp); 224 /* sa_ignore FREED_MEMORY */ 225 sp = TAILQ_FIRST(&outs->outqueue); 226 } 227 } 228 } 229 /* cut back the count and abandon the upper streams */ 230 asoc->pre_open_streams = newcnt; 231 } 232 SCTP_TCB_SEND_UNLOCK(stcb); 233 asoc->streamoutcnt = asoc->pre_open_streams; 234 /* init tsn's */ 235 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 236#ifdef SCTP_MAP_LOGGING 237 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 238#endif 239 /* This is the next one we expect */ 240 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 241 242 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 243 asoc->cumulative_tsn = asoc->asconf_seq_in; 244 asoc->last_echo_tsn = asoc->asconf_seq_in; 245 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 246 /* open the requested streams */ 247 248 if (asoc->strmin != NULL) { 249 /* Free the old ones */ 250 struct sctp_queued_to_read *ctl; 251 252 for (i = 0; i < asoc->streamincnt; i++) { 253 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 254 while (ctl) { 255 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 256 sctp_free_remote_addr(ctl->whoFrom); 257 sctp_m_freem(ctl->data); 258 ctl->data = NULL; 259 sctp_free_a_readq(stcb, ctl); 260 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 261 } 262 } 263 SCTP_FREE(asoc->strmin, SCTP_M_STRMI); 264 } 265 asoc->streamincnt = ntohs(init->num_outbound_streams); 266 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 267 asoc->streamincnt = MAX_SCTP_STREAMS; 268 } 269 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 270 sizeof(struct sctp_stream_in), SCTP_M_STRMI); 271 if (asoc->strmin == NULL) { 272 /* we didn't get memory for the streams! */ 273 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n"); 274 return (-1); 275 } 276 for (i = 0; i < asoc->streamincnt; i++) { 277 asoc->strmin[i].stream_no = i; 278 asoc->strmin[i].last_sequence_delivered = 0xffff; 279 /* 280 * U-stream ranges will be set when the cookie is unpacked. 281 * Or for the INIT sender they are un set (if pr-sctp not 282 * supported) when the INIT-ACK arrives. 283 */ 284 TAILQ_INIT(&asoc->strmin[i].inqueue); 285 asoc->strmin[i].delivery_started = 0; 286 } 287 /* 288 * load_address_from_init will put the addresses into the 289 * association when the COOKIE is processed or the INIT-ACK is 290 * processed. Both types of COOKIE's existing and new call this 291 * routine. It will remove addresses that are no longer in the 292 * association (for the restarting case where addresses are 293 * removed). Up front when the INIT arrives we will discard it if it 294 * is a restart and new addresses have been added. 295 */ 296 /* sa_ignore MEMLEAK */ 297 return (0); 298} 299 300/* 301 * INIT-ACK message processing/consumption returns value < 0 on error 302 */ 303static int 304sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 305 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 306 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 307{ 308 struct sctp_association *asoc; 309 struct mbuf *op_err; 310 int retval, abort_flag; 311 uint32_t initack_limit; 312 313 /* First verify that we have no illegal param's */ 314 abort_flag = 0; 315 op_err = NULL; 316 317 op_err = sctp_arethere_unrecognized_parameters(m, 318 (offset + sizeof(struct sctp_init_chunk)), 319 &abort_flag, (struct sctp_chunkhdr *)cp); 320 if (abort_flag) { 321 /* Send an abort and notify peer */ 322 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err); 323 *abort_no_unlock = 1; 324 return (-1); 325 } 326 asoc = &stcb->asoc; 327 /* process the peer's parameters in the INIT-ACK */ 328 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 329 if (retval < 0) { 330 return (retval); 331 } 332 initack_limit = offset + ntohs(cp->ch.chunk_length); 333 /* load all addresses */ 334 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 335 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 336 NULL))) { 337 /* Huh, we should abort */ 338 SCTPDBG(SCTP_DEBUG_INPUT1, 339 "Load addresses from INIT causes an abort %d\n", 340 retval); 341 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 342 NULL, 0); 343 *abort_no_unlock = 1; 344 return (-1); 345 } 346 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 347 stcb->asoc.local_hmacs); 348 if (op_err) { 349 sctp_queue_op_err(stcb, op_err); 350 /* queuing will steal away the mbuf chain to the out queue */ 351 op_err = NULL; 352 } 353 /* extract the cookie and queue it to "echo" it back... */ 354 stcb->asoc.overall_error_count = 0; 355 net->error_count = 0; 356 357 /* 358 * Cancel the INIT timer, We do this first before queueing the 359 * cookie. We always cancel at the primary to assue that we are 360 * canceling the timer started by the INIT which always goes to the 361 * primary. 362 */ 363 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 364 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 365 366 /* calculate the RTO */ 367 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 368 369 retval = sctp_send_cookie_echo(m, offset, stcb, net); 370 if (retval < 0) { 371 /* 372 * No cookie, we probably should send a op error. But in any 373 * case if there is no cookie in the INIT-ACK, we can 374 * abandon the peer, its broke. 375 */ 376 if (retval == -3) { 377 /* We abort with an error of missing mandatory param */ 378 op_err = 379 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 380 if (op_err) { 381 /* 382 * Expand beyond to include the mandatory 383 * param cookie 384 */ 385 struct sctp_inv_mandatory_param *mp; 386 387 SCTP_BUF_LEN(op_err) = 388 sizeof(struct sctp_inv_mandatory_param); 389 mp = mtod(op_err, 390 struct sctp_inv_mandatory_param *); 391 /* Subtract the reserved param */ 392 mp->length = 393 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 394 mp->num_param = htonl(1); 395 mp->param = htons(SCTP_STATE_COOKIE); 396 mp->resv = 0; 397 } 398 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 399 sh, op_err, 0); 400 *abort_no_unlock = 1; 401 } 402 return (retval); 403 } 404 return (0); 405} 406 407static void 408sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 409 struct sctp_tcb *stcb, struct sctp_nets *net) 410{ 411 struct sockaddr_storage store; 412 struct sockaddr_in *sin; 413 struct sockaddr_in6 *sin6; 414 struct sctp_nets *r_net; 415 struct timeval tv; 416 417 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 418 /* Invalid length */ 419 return; 420 } 421 sin = (struct sockaddr_in *)&store; 422 sin6 = (struct sockaddr_in6 *)&store; 423 424 memset(&store, 0, sizeof(store)); 425 if (cp->heartbeat.hb_info.addr_family == AF_INET && 426 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 427 sin->sin_family = cp->heartbeat.hb_info.addr_family; 428 sin->sin_len = cp->heartbeat.hb_info.addr_len; 429 sin->sin_port = stcb->rport; 430 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 431 sizeof(sin->sin_addr)); 432 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 433 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 434 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 435 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 436 sin6->sin6_port = stcb->rport; 437 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 438 sizeof(sin6->sin6_addr)); 439 } else { 440 return; 441 } 442 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 443 if (r_net == NULL) { 444 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n"); 445 return; 446 } 447 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 448 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 449 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 450 /* 451 * If the its a HB and it's random value is correct when can 452 * confirm the destination. 453 */ 454 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 455 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 456 stcb->asoc.primary_destination = r_net; 457 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY; 458 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 459 r_net = TAILQ_FIRST(&stcb->asoc.nets); 460 if (r_net != stcb->asoc.primary_destination) { 461 /* 462 * first one on the list is NOT the primary 463 * sctp_cmpaddr() is much more efficent if 464 * the primary is the first on the list, 465 * make it so. 466 */ 467 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 468 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 469 } 470 } 471 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 472 stcb, 0, (void *)r_net); 473 } 474 r_net->error_count = 0; 475 r_net->hb_responded = 1; 476 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 477 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 478 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 479 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 480 r_net->dest_state |= SCTP_ADDR_REACHABLE; 481 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 482 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 483 /* now was it the primary? if so restore */ 484 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 485 (void)sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 486 } 487 } 488 /* Now lets do a RTO with this */ 489 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 490} 491 492static void 493sctp_handle_abort(struct sctp_abort_chunk *cp, 494 struct sctp_tcb *stcb, struct sctp_nets *net) 495{ 496 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n"); 497 if (stcb == NULL) 498 return; 499 500 /* stop any receive timers */ 501 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 502 /* notify user of the abort and clean up... */ 503 sctp_abort_notification(stcb, 0); 504 /* free the tcb */ 505 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 506 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 507 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 508 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 509 } 510#ifdef SCTP_ASOCLOG_OF_TSNS 511 sctp_print_out_track_log(stcb); 512#endif 513 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 514 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n"); 515} 516 517static void 518sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 519 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 520{ 521 struct sctp_association *asoc; 522 int some_on_streamwheel; 523 524 SCTPDBG(SCTP_DEBUG_INPUT2, 525 "sctp_handle_shutdown: handling SHUTDOWN\n"); 526 if (stcb == NULL) 527 return; 528 asoc = &stcb->asoc; 529 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 530 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 531 return; 532 } 533 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 534 /* Shutdown NOT the expected size */ 535 return; 536 } else { 537 sctp_update_acked(stcb, cp, net, abort_flag); 538 } 539 if (asoc->control_pdapi) { 540 /* 541 * With a normal shutdown we assume the end of last record. 542 */ 543 SCTP_INP_READ_LOCK(stcb->sctp_ep); 544 asoc->control_pdapi->end_added = 1; 545 asoc->control_pdapi->pdapi_aborted = 1; 546 asoc->control_pdapi = NULL; 547 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 548 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 549 } 550 /* goto SHUTDOWN_RECEIVED state to block new requests */ 551 if (stcb->sctp_socket) { 552 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 553 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) && 554 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 555 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 556 /* 557 * notify upper layer that peer has initiated a 558 * shutdown 559 */ 560 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 561 562 /* reset time */ 563 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 564 } 565 } 566 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 567 /* 568 * stop the shutdown timer, since we WILL move to 569 * SHUTDOWN-ACK-SENT. 570 */ 571 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 572 } 573 /* Now are we there yet? */ 574 some_on_streamwheel = 0; 575 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 576 /* Check to see if some data queued */ 577 struct sctp_stream_out *outs; 578 579 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 580 if (!TAILQ_EMPTY(&outs->outqueue)) { 581 some_on_streamwheel = 1; 582 break; 583 } 584 } 585 } 586 if (!TAILQ_EMPTY(&asoc->send_queue) || 587 !TAILQ_EMPTY(&asoc->sent_queue) || 588 some_on_streamwheel) { 589 /* By returning we will push more data out */ 590 return; 591 } else { 592 /* no outstanding data to send, so move on... */ 593 /* send SHUTDOWN-ACK */ 594 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 595 /* move to SHUTDOWN-ACK-SENT state */ 596 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 597 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 598 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 599 } 600 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 601 602 /* start SHUTDOWN timer */ 603 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 604 stcb, net); 605 } 606} 607 608static void 609sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 610 struct sctp_tcb *stcb, struct sctp_nets *net) 611{ 612 struct sctp_association *asoc; 613 614 SCTPDBG(SCTP_DEBUG_INPUT2, 615 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 616 if (stcb == NULL) 617 return; 618 619 asoc = &stcb->asoc; 620 /* process according to association state */ 621 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 622 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 623 /* unexpected SHUTDOWN-ACK... so ignore... */ 624 SCTP_TCB_UNLOCK(stcb); 625 return; 626 } 627 if (asoc->control_pdapi) { 628 /* 629 * With a normal shutdown we assume the end of last record. 630 */ 631 SCTP_INP_READ_LOCK(stcb->sctp_ep); 632 asoc->control_pdapi->end_added = 1; 633 asoc->control_pdapi->pdapi_aborted = 1; 634 asoc->control_pdapi = NULL; 635 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 636 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 637 } 638 /* are the queues empty? */ 639 if (!TAILQ_EMPTY(&asoc->send_queue) || 640 !TAILQ_EMPTY(&asoc->sent_queue) || 641 !TAILQ_EMPTY(&asoc->out_wheel)) { 642 sctp_report_all_outbound(stcb, 0); 643 } 644 /* stop the timer */ 645 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 646 /* send SHUTDOWN-COMPLETE */ 647 sctp_send_shutdown_complete(stcb, net); 648 /* notify upper layer protocol */ 649 if (stcb->sctp_socket) { 650 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 651 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 652 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 653 /* Set the connected flag to disconnected */ 654 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 655 } 656 } 657 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 658 /* free the TCB but first save off the ep */ 659 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 660 SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 661} 662 663/* 664 * Skip past the param header and then we will find the chunk that caused the 665 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 666 * our peer must be broken. 667 */ 668static void 669sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 670 struct sctp_nets *net) 671{ 672 struct sctp_chunkhdr *chk; 673 674 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 675 switch (chk->chunk_type) { 676 case SCTP_ASCONF_ACK: 677 case SCTP_ASCONF: 678 sctp_asconf_cleanup(stcb, net); 679 break; 680 case SCTP_FORWARD_CUM_TSN: 681 stcb->asoc.peer_supports_prsctp = 0; 682 break; 683 default: 684 SCTPDBG(SCTP_DEBUG_INPUT2, 685 "Peer does not support chunk type %d(%x)??\n", 686 chk->chunk_type, (uint32_t) chk->chunk_type); 687 break; 688 } 689} 690 691/* 692 * Skip past the param header and then we will find the param that caused the 693 * problem. There are a number of param's in a ASCONF OR the prsctp param 694 * these will turn of specific features. 695 */ 696static void 697sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 698{ 699 struct sctp_paramhdr *pbad; 700 701 pbad = phdr + 1; 702 switch (ntohs(pbad->param_type)) { 703 /* pr-sctp draft */ 704 case SCTP_PRSCTP_SUPPORTED: 705 stcb->asoc.peer_supports_prsctp = 0; 706 break; 707 case SCTP_SUPPORTED_CHUNK_EXT: 708 break; 709 /* draft-ietf-tsvwg-addip-sctp */ 710 case SCTP_ECN_NONCE_SUPPORTED: 711 stcb->asoc.peer_supports_ecn_nonce = 0; 712 stcb->asoc.ecn_nonce_allowed = 0; 713 stcb->asoc.ecn_allowed = 0; 714 break; 715 case SCTP_ADD_IP_ADDRESS: 716 case SCTP_DEL_IP_ADDRESS: 717 case SCTP_SET_PRIM_ADDR: 718 stcb->asoc.peer_supports_asconf = 0; 719 break; 720 case SCTP_SUCCESS_REPORT: 721 case SCTP_ERROR_CAUSE_IND: 722 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n"); 723 SCTPDBG(SCTP_DEBUG_INPUT2, 724 "Turning off ASCONF to this strange peer\n"); 725 stcb->asoc.peer_supports_asconf = 0; 726 break; 727 default: 728 SCTPDBG(SCTP_DEBUG_INPUT2, 729 "Peer does not support param type %d(%x)??\n", 730 pbad->param_type, (uint32_t) pbad->param_type); 731 break; 732 } 733} 734 735static int 736sctp_handle_error(struct sctp_chunkhdr *ch, 737 struct sctp_tcb *stcb, struct sctp_nets *net) 738{ 739 int chklen; 740 struct sctp_paramhdr *phdr; 741 uint16_t error_type; 742 uint16_t error_len; 743 struct sctp_association *asoc; 744 745 int adjust; 746 747 /* parse through all of the errors and process */ 748 asoc = &stcb->asoc; 749 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 750 sizeof(struct sctp_chunkhdr)); 751 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 752 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 753 /* Process an Error Cause */ 754 error_type = ntohs(phdr->param_type); 755 error_len = ntohs(phdr->param_length); 756 if ((error_len > chklen) || (error_len == 0)) { 757 /* invalid param length for this param */ 758 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n", 759 chklen, error_len); 760 return (0); 761 } 762 switch (error_type) { 763 case SCTP_CAUSE_INVALID_STREAM: 764 case SCTP_CAUSE_MISSING_PARAM: 765 case SCTP_CAUSE_INVALID_PARAM: 766 case SCTP_CAUSE_NO_USER_DATA: 767 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n", 768 error_type); 769 break; 770 case SCTP_CAUSE_STALE_COOKIE: 771 /* 772 * We only act if we have echoed a cookie and are 773 * waiting. 774 */ 775 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 776 int *p; 777 778 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 779 /* Save the time doubled */ 780 asoc->cookie_preserve_req = ntohl(*p) << 1; 781 asoc->stale_cookie_count++; 782 if (asoc->stale_cookie_count > 783 asoc->max_init_times) { 784 sctp_abort_notification(stcb, 0); 785 /* now free the asoc */ 786 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 787 return (-1); 788 } 789 /* blast back to INIT state */ 790 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 791 asoc->state |= SCTP_STATE_COOKIE_WAIT; 792 793 sctp_stop_all_cookie_timers(stcb); 794 sctp_send_initiate(stcb->sctp_ep, stcb); 795 } 796 break; 797 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 798 /* 799 * Nothing we can do here, we don't do hostname 800 * addresses so if the peer does not like my IPv6 801 * (or IPv4 for that matter) it does not matter. If 802 * they don't support that type of address, they can 803 * NOT possibly get that packet type... i.e. with no 804 * IPv6 you can't recieve a IPv6 packet. so we can 805 * safely ignore this one. If we ever added support 806 * for HOSTNAME Addresses, then we would need to do 807 * something here. 808 */ 809 break; 810 case SCTP_CAUSE_UNRECOG_CHUNK: 811 sctp_process_unrecog_chunk(stcb, phdr, net); 812 break; 813 case SCTP_CAUSE_UNRECOG_PARAM: 814 sctp_process_unrecog_param(stcb, phdr); 815 break; 816 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 817 /* 818 * We ignore this since the timer will drive out a 819 * new cookie anyway and there timer will drive us 820 * to send a SHUTDOWN_COMPLETE. We can't send one 821 * here since we don't have their tag. 822 */ 823 break; 824 case SCTP_CAUSE_DELETING_LAST_ADDR: 825 case SCTP_CAUSE_RESOURCE_SHORTAGE: 826 case SCTP_CAUSE_DELETING_SRC_ADDR: 827 /* 828 * We should NOT get these here, but in a 829 * ASCONF-ACK. 830 */ 831 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n", 832 error_type); 833 break; 834 case SCTP_CAUSE_OUT_OF_RESC: 835 /* 836 * And what, pray tell do we do with the fact that 837 * the peer is out of resources? Not really sure we 838 * could do anything but abort. I suspect this 839 * should have came WITH an abort instead of in a 840 * OP-ERROR. 841 */ 842 break; 843 default: 844 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n", 845 error_type); 846 break; 847 } 848 adjust = SCTP_SIZE32(error_len); 849 chklen -= adjust; 850 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 851 } 852 return (0); 853} 854 855static int 856sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, 857 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 858 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 859{ 860 struct sctp_init_ack *init_ack; 861 int *state; 862 struct mbuf *op_err; 863 864 SCTPDBG(SCTP_DEBUG_INPUT2, 865 "sctp_handle_init_ack: handling INIT-ACK\n"); 866 867 if (stcb == NULL) { 868 SCTPDBG(SCTP_DEBUG_INPUT2, 869 "sctp_handle_init_ack: TCB is null\n"); 870 return (-1); 871 } 872 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 873 /* Invalid length */ 874 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 875 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 876 op_err, 0); 877 *abort_no_unlock = 1; 878 return (-1); 879 } 880 init_ack = &cp->init; 881 /* validate parameters */ 882 if (init_ack->initiate_tag == 0) { 883 /* protocol error... send an abort */ 884 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 885 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 886 op_err, 0); 887 *abort_no_unlock = 1; 888 return (-1); 889 } 890 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 891 /* protocol error... send an abort */ 892 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 893 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 894 op_err, 0); 895 *abort_no_unlock = 1; 896 return (-1); 897 } 898 if (init_ack->num_inbound_streams == 0) { 899 /* protocol error... send an abort */ 900 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 901 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 902 op_err, 0); 903 *abort_no_unlock = 1; 904 return (-1); 905 } 906 if (init_ack->num_outbound_streams == 0) { 907 /* protocol error... send an abort */ 908 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 909 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 910 op_err, 0); 911 *abort_no_unlock = 1; 912 return (-1); 913 } 914 /* process according to association state... */ 915 state = &stcb->asoc.state; 916 switch (*state & SCTP_STATE_MASK) { 917 case SCTP_STATE_COOKIE_WAIT: 918 /* this is the expected state for this chunk */ 919 /* process the INIT-ACK parameters */ 920 if (stcb->asoc.primary_destination->dest_state & 921 SCTP_ADDR_UNCONFIRMED) { 922 /* 923 * The primary is where we sent the INIT, we can 924 * always consider it confirmed when the INIT-ACK is 925 * returned. Do this before we load addresses 926 * though. 927 */ 928 stcb->asoc.primary_destination->dest_state &= 929 ~SCTP_ADDR_UNCONFIRMED; 930 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 931 stcb, 0, (void *)stcb->asoc.primary_destination); 932 } 933 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, 934 net, abort_no_unlock, vrf_id) < 0) { 935 /* error in parsing parameters */ 936 return (-1); 937 } 938 /* update our state */ 939 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n"); 940 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 941 *state = SCTP_STATE_COOKIE_ECHOED | 942 SCTP_STATE_SHUTDOWN_PENDING; 943 } else { 944 *state = SCTP_STATE_COOKIE_ECHOED; 945 } 946 947 /* reset the RTO calc */ 948 stcb->asoc.overall_error_count = 0; 949 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 950 /* 951 * collapse the init timer back in case of a exponential 952 * backoff 953 */ 954 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 955 stcb, net); 956 /* 957 * the send at the end of the inbound data processing will 958 * cause the cookie to be sent 959 */ 960 break; 961 case SCTP_STATE_SHUTDOWN_SENT: 962 /* incorrect state... discard */ 963 break; 964 case SCTP_STATE_COOKIE_ECHOED: 965 /* incorrect state... discard */ 966 break; 967 case SCTP_STATE_OPEN: 968 /* incorrect state... discard */ 969 break; 970 case SCTP_STATE_EMPTY: 971 case SCTP_STATE_INUSE: 972 default: 973 /* incorrect state... discard */ 974 return (-1); 975 break; 976 } 977 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n"); 978 return (0); 979} 980 981 982/* 983 * handle a state cookie for an existing association m: input packet mbuf 984 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 985 * "split" mbuf and the cookie signature does not exist offset: offset into 986 * mbuf to the cookie-echo chunk 987 */ 988static struct sctp_tcb * 989sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 990 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 991 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 992 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id, 993 uint32_t vrf_id) 994{ 995 struct sctp_association *asoc; 996 struct sctp_init_chunk *init_cp, init_buf; 997 struct sctp_init_ack_chunk *initack_cp, initack_buf; 998 int chk_length; 999 int init_offset, initack_offset, i; 1000 int retval; 1001 int spec_flag = 0; 1002 uint32_t how_indx; 1003 1004 /* I know that the TCB is non-NULL from the caller */ 1005 asoc = &stcb->asoc; 1006 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1007 if (asoc->cookie_how[how_indx] == 0) 1008 break; 1009 } 1010 if (how_indx < sizeof(asoc->cookie_how)) { 1011 asoc->cookie_how[how_indx] = 1; 1012 } 1013 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1014 /* SHUTDOWN came in after sending INIT-ACK */ 1015 struct mbuf *op_err; 1016 struct sctp_paramhdr *ph; 1017 1018 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1019 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1020 0, M_DONTWAIT, 1, MT_DATA); 1021 if (op_err == NULL) { 1022 /* FOOBAR */ 1023 return (NULL); 1024 } 1025 /* pre-reserve some space */ 1026 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1027 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1028 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1029 /* Set the len */ 1030 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1031 ph = mtod(op_err, struct sctp_paramhdr *); 1032 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1033 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1034 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 1035 vrf_id); 1036 if (how_indx < sizeof(asoc->cookie_how)) 1037 asoc->cookie_how[how_indx] = 2; 1038 return (NULL); 1039 } 1040 /* 1041 * find and validate the INIT chunk in the cookie (peer's info) the 1042 * INIT should start after the cookie-echo header struct (chunk 1043 * header, state cookie header struct) 1044 */ 1045 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1046 1047 init_cp = (struct sctp_init_chunk *) 1048 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1049 (uint8_t *) & init_buf); 1050 if (init_cp == NULL) { 1051 /* could not pull a INIT chunk in cookie */ 1052 return (NULL); 1053 } 1054 chk_length = ntohs(init_cp->ch.chunk_length); 1055 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1056 return (NULL); 1057 } 1058 /* 1059 * find and validate the INIT-ACK chunk in the cookie (my info) the 1060 * INIT-ACK follows the INIT chunk 1061 */ 1062 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1063 initack_cp = (struct sctp_init_ack_chunk *) 1064 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1065 (uint8_t *) & initack_buf); 1066 if (initack_cp == NULL) { 1067 /* could not pull INIT-ACK chunk in cookie */ 1068 return (NULL); 1069 } 1070 chk_length = ntohs(initack_cp->ch.chunk_length); 1071 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1072 return (NULL); 1073 } 1074 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1075 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1076 /* 1077 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1078 * to get into the OPEN state 1079 */ 1080 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1081#ifdef INVARIANTS 1082 panic("Case D and non-match seq?"); 1083#else 1084 SCTP_PRINTF("Case D, seq non-match %x vs %x?\n", 1085 ntohl(initack_cp->init.initial_tsn), 1086 asoc->init_seq_number); 1087#endif 1088 } 1089 switch SCTP_GET_STATE 1090 (asoc) { 1091 case SCTP_STATE_COOKIE_WAIT: 1092 case SCTP_STATE_COOKIE_ECHOED: 1093 /* 1094 * INIT was sent but got a COOKIE_ECHO with the 1095 * correct tags... just accept it...but we must 1096 * process the init so that we can make sure we have 1097 * the right seq no's. 1098 */ 1099 /* First we must process the INIT !! */ 1100 retval = sctp_process_init(init_cp, stcb, net); 1101 if (retval < 0) { 1102 if (how_indx < sizeof(asoc->cookie_how)) 1103 asoc->cookie_how[how_indx] = 3; 1104 return (NULL); 1105 } 1106 /* we have already processed the INIT so no problem */ 1107 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1108 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1109 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1110 /* update current state */ 1111 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1112 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1113 else 1114 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1115 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1116 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1117 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1118 stcb->sctp_ep, stcb, asoc->primary_destination); 1119 1120 } else { 1121 /* if ok, move to OPEN state */ 1122 asoc->state = SCTP_STATE_OPEN; 1123 } 1124 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1125 sctp_stop_all_cookie_timers(stcb); 1126 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1127 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1128 (inp->sctp_socket->so_qlimit == 0) 1129 ) { 1130 /* 1131 * Here is where collision would go if we 1132 * did a connect() and instead got a 1133 * init/init-ack/cookie done before the 1134 * init-ack came back.. 1135 */ 1136 stcb->sctp_ep->sctp_flags |= 1137 SCTP_PCB_FLAGS_CONNECTED; 1138 soisconnected(stcb->sctp_ep->sctp_socket); 1139 } 1140 /* notify upper layer */ 1141 *notification = SCTP_NOTIFY_ASSOC_UP; 1142 /* 1143 * since we did not send a HB make sure we don't 1144 * double things 1145 */ 1146 net->hb_responded = 1; 1147 net->RTO = sctp_calculate_rto(stcb, asoc, net, 1148 &cookie->time_entered); 1149 1150 if (stcb->asoc.sctp_autoclose_ticks && 1151 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1152 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1153 inp, stcb, NULL); 1154 } 1155 break; 1156 default: 1157 /* 1158 * we're in the OPEN state (or beyond), so peer must 1159 * have simply lost the COOKIE-ACK 1160 */ 1161 break; 1162 } /* end switch */ 1163 sctp_stop_all_cookie_timers(stcb); 1164 /* 1165 * We ignore the return code here.. not sure if we should 1166 * somehow abort.. but we do have an existing asoc. This 1167 * really should not fail. 1168 */ 1169 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1170 init_offset + sizeof(struct sctp_init_chunk), 1171 initack_offset, sh, init_src)) { 1172 if (how_indx < sizeof(asoc->cookie_how)) 1173 asoc->cookie_how[how_indx] = 4; 1174 return (NULL); 1175 } 1176 /* respond with a COOKIE-ACK */ 1177 sctp_toss_old_cookies(stcb, asoc); 1178 sctp_send_cookie_ack(stcb); 1179 if (how_indx < sizeof(asoc->cookie_how)) 1180 asoc->cookie_how[how_indx] = 5; 1181 return (stcb); 1182 } 1183 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1184 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1185 cookie->tie_tag_my_vtag == 0 && 1186 cookie->tie_tag_peer_vtag == 0) { 1187 /* 1188 * case C in Section 5.2.4 Table 2: XMOO silently discard 1189 */ 1190 if (how_indx < sizeof(asoc->cookie_how)) 1191 asoc->cookie_how[how_indx] = 6; 1192 return (NULL); 1193 } 1194 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1195 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1196 init_cp->init.initiate_tag == 0)) { 1197 /* 1198 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1199 * should be ok, re-accept peer info 1200 */ 1201 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1202 /* 1203 * Extension of case C. If we hit this, then the 1204 * random number generator returned the same vtag 1205 * when we first sent our INIT-ACK and when we later 1206 * sent our INIT. The side with the seq numbers that 1207 * are different will be the one that normnally 1208 * would have hit case C. This in effect "extends" 1209 * our vtags in this collision case to be 64 bits. 1210 * The same collision could occur aka you get both 1211 * vtag and seq number the same twice in a row.. but 1212 * is much less likely. If it did happen then we 1213 * would proceed through and bring up the assoc.. we 1214 * may end up with the wrong stream setup however.. 1215 * which would be bad.. but there is no way to 1216 * tell.. until we send on a stream that does not 1217 * exist :-) 1218 */ 1219 if (how_indx < sizeof(asoc->cookie_how)) 1220 asoc->cookie_how[how_indx] = 7; 1221 1222 return (NULL); 1223 } 1224 if (how_indx < sizeof(asoc->cookie_how)) 1225 asoc->cookie_how[how_indx] = 8; 1226 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1227 sctp_stop_all_cookie_timers(stcb); 1228 /* 1229 * since we did not send a HB make sure we don't double 1230 * things 1231 */ 1232 net->hb_responded = 1; 1233 if (stcb->asoc.sctp_autoclose_ticks && 1234 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1235 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1236 NULL); 1237 } 1238 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1239 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1240 1241 /* Note last_cwr_tsn? where is this used? */ 1242 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1243 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1244 /* 1245 * Ok the peer probably discarded our data (if we 1246 * echoed a cookie+data). So anything on the 1247 * sent_queue should be marked for retransmit, we 1248 * may not get something to kick us so it COULD 1249 * still take a timeout to move these.. but it can't 1250 * hurt to mark them. 1251 */ 1252 struct sctp_tmit_chunk *chk; 1253 1254 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1255 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1256 chk->sent = SCTP_DATAGRAM_RESEND; 1257 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1258 spec_flag++; 1259 } 1260 } 1261 1262 } 1263 /* process the INIT info (peer's info) */ 1264 retval = sctp_process_init(init_cp, stcb, net); 1265 if (retval < 0) { 1266 if (how_indx < sizeof(asoc->cookie_how)) 1267 asoc->cookie_how[how_indx] = 9; 1268 return (NULL); 1269 } 1270 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1271 init_offset + sizeof(struct sctp_init_chunk), 1272 initack_offset, sh, init_src)) { 1273 if (how_indx < sizeof(asoc->cookie_how)) 1274 asoc->cookie_how[how_indx] = 10; 1275 return (NULL); 1276 } 1277 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1278 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1279 *notification = SCTP_NOTIFY_ASSOC_UP; 1280 1281 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1282 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1283 (inp->sctp_socket->so_qlimit == 0)) { 1284 stcb->sctp_ep->sctp_flags |= 1285 SCTP_PCB_FLAGS_CONNECTED; 1286 soisconnected(stcb->sctp_ep->sctp_socket); 1287 } 1288 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1289 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1290 else 1291 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1292 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1293 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1294 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1295 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1296 } else { 1297 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1298 } 1299 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1300 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1301 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1302 stcb->sctp_ep, stcb, asoc->primary_destination); 1303 1304 } else { 1305 asoc->state = SCTP_STATE_OPEN; 1306 } 1307 sctp_stop_all_cookie_timers(stcb); 1308 sctp_toss_old_cookies(stcb, asoc); 1309 sctp_send_cookie_ack(stcb); 1310 if (spec_flag) { 1311 /* 1312 * only if we have retrans set do we do this. What 1313 * this call does is get only the COOKIE-ACK out and 1314 * then when we return the normal call to 1315 * sctp_chunk_output will get the retrans out behind 1316 * this. 1317 */ 1318 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK); 1319 } 1320 if (how_indx < sizeof(asoc->cookie_how)) 1321 asoc->cookie_how[how_indx] = 11; 1322 1323 return (stcb); 1324 } 1325 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1326 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1327 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1328 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1329 cookie->tie_tag_peer_vtag != 0) { 1330 struct sctpasochead *head; 1331 1332 /* 1333 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1334 */ 1335 /* temp code */ 1336 if (how_indx < sizeof(asoc->cookie_how)) 1337 asoc->cookie_how[how_indx] = 12; 1338 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1339 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1340 1341 *sac_assoc_id = sctp_get_associd(stcb); 1342 /* notify upper layer */ 1343 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1344 atomic_add_int(&stcb->asoc.refcnt, 1); 1345 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1346 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1347 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1348 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1349 } 1350 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1351 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1352 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1353 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1354 } 1355 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1356 asoc->state = SCTP_STATE_OPEN | 1357 SCTP_STATE_SHUTDOWN_PENDING; 1358 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1359 stcb->sctp_ep, stcb, asoc->primary_destination); 1360 1361 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1362 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1363 asoc->state = SCTP_STATE_OPEN; 1364 } 1365 asoc->pre_open_streams = 1366 ntohs(initack_cp->init.num_outbound_streams); 1367 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1368 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1369 1370 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1371 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1372 1373 asoc->str_reset_seq_in = asoc->init_seq_number; 1374 1375 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1376 if (asoc->mapping_array) { 1377 memset(asoc->mapping_array, 0, 1378 asoc->mapping_array_size); 1379 } 1380 SCTP_TCB_UNLOCK(stcb); 1381 SCTP_INP_INFO_WLOCK(); 1382 SCTP_INP_WLOCK(stcb->sctp_ep); 1383 SCTP_TCB_LOCK(stcb); 1384 atomic_add_int(&stcb->asoc.refcnt, -1); 1385 /* send up all the data */ 1386 SCTP_TCB_SEND_LOCK(stcb); 1387 1388 sctp_report_all_outbound(stcb, 1); 1389 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1390 stcb->asoc.strmout[i].stream_no = i; 1391 stcb->asoc.strmout[i].next_sequence_sent = 0; 1392 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1393 } 1394 /* process the INIT-ACK info (my info) */ 1395 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1396 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1397 1398 /* pull from vtag hash */ 1399 LIST_REMOVE(stcb, sctp_asocs); 1400 /* re-insert to new vtag position */ 1401 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1402 sctppcbinfo.hashasocmark)]; 1403 /* 1404 * put it in the bucket in the vtag hash of assoc's for the 1405 * system 1406 */ 1407 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1408 1409 /* Is this the first restart? */ 1410 if (stcb->asoc.in_restart_hash == 0) { 1411 /* Ok add it to assoc_id vtag hash */ 1412 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1413 sctppcbinfo.hashrestartmark)]; 1414 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1415 stcb->asoc.in_restart_hash = 1; 1416 } 1417 /* process the INIT info (peer's info) */ 1418 SCTP_TCB_SEND_UNLOCK(stcb); 1419 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1420 SCTP_INP_INFO_WUNLOCK(); 1421 1422 retval = sctp_process_init(init_cp, stcb, net); 1423 if (retval < 0) { 1424 if (how_indx < sizeof(asoc->cookie_how)) 1425 asoc->cookie_how[how_indx] = 13; 1426 1427 return (NULL); 1428 } 1429 /* 1430 * since we did not send a HB make sure we don't double 1431 * things 1432 */ 1433 net->hb_responded = 1; 1434 1435 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1436 init_offset + sizeof(struct sctp_init_chunk), 1437 initack_offset, sh, init_src)) { 1438 if (how_indx < sizeof(asoc->cookie_how)) 1439 asoc->cookie_how[how_indx] = 14; 1440 1441 return (NULL); 1442 } 1443 /* respond with a COOKIE-ACK */ 1444 sctp_stop_all_cookie_timers(stcb); 1445 sctp_toss_old_cookies(stcb, asoc); 1446 sctp_send_cookie_ack(stcb); 1447 if (how_indx < sizeof(asoc->cookie_how)) 1448 asoc->cookie_how[how_indx] = 15; 1449 1450 return (stcb); 1451 } 1452 if (how_indx < sizeof(asoc->cookie_how)) 1453 asoc->cookie_how[how_indx] = 16; 1454 /* all other cases... */ 1455 return (NULL); 1456} 1457 1458 1459/* 1460 * handle a state cookie for a new association m: input packet mbuf chain-- 1461 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1462 * and the cookie signature does not exist offset: offset into mbuf to the 1463 * cookie-echo chunk length: length of the cookie chunk to: where the init 1464 * was from returns a new TCB 1465 */ 1466static struct sctp_tcb * 1467sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1468 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1469 struct sctp_inpcb *inp, struct sctp_nets **netp, 1470 struct sockaddr *init_src, int *notification, 1471 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1472 uint32_t vrf_id) 1473{ 1474 struct sctp_tcb *stcb; 1475 struct sctp_init_chunk *init_cp, init_buf; 1476 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1477 struct sockaddr_storage sa_store; 1478 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1479 struct sockaddr_in *sin; 1480 struct sockaddr_in6 *sin6; 1481 struct sctp_association *asoc; 1482 int chk_length; 1483 int init_offset, initack_offset, initack_limit; 1484 int retval; 1485 int error = 0; 1486 uint32_t old_tag; 1487 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1488 1489 /* 1490 * find and validate the INIT chunk in the cookie (peer's info) the 1491 * INIT should start after the cookie-echo header struct (chunk 1492 * header, state cookie header struct) 1493 */ 1494 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1495 init_cp = (struct sctp_init_chunk *) 1496 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1497 (uint8_t *) & init_buf); 1498 if (init_cp == NULL) { 1499 /* could not pull a INIT chunk in cookie */ 1500 SCTPDBG(SCTP_DEBUG_INPUT1, 1501 "process_cookie_new: could not pull INIT chunk hdr\n"); 1502 return (NULL); 1503 } 1504 chk_length = ntohs(init_cp->ch.chunk_length); 1505 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1506 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n"); 1507 return (NULL); 1508 } 1509 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1510 /* 1511 * find and validate the INIT-ACK chunk in the cookie (my info) the 1512 * INIT-ACK follows the INIT chunk 1513 */ 1514 initack_cp = (struct sctp_init_ack_chunk *) 1515 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1516 (uint8_t *) & initack_buf); 1517 if (initack_cp == NULL) { 1518 /* could not pull INIT-ACK chunk in cookie */ 1519 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1520 return (NULL); 1521 } 1522 chk_length = ntohs(initack_cp->ch.chunk_length); 1523 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1524 return (NULL); 1525 } 1526 /* 1527 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1528 * "initack_limit" value. This is because the chk_length field 1529 * includes the length of the cookie, but the cookie is omitted when 1530 * the INIT and INIT_ACK are tacked onto the cookie... 1531 */ 1532 initack_limit = offset + cookie_len; 1533 1534 /* 1535 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1536 * and popluate 1537 */ 1538 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1539 ntohl(initack_cp->init.initiate_tag), vrf_id); 1540 if (stcb == NULL) { 1541 struct mbuf *op_err; 1542 1543 /* memory problem? */ 1544 SCTPDBG(SCTP_DEBUG_INPUT1, 1545 "process_cookie_new: no room for another TCB!\n"); 1546 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1547 1548 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1549 sh, op_err, vrf_id); 1550 return (NULL); 1551 } 1552 /* get the correct sctp_nets */ 1553 if (netp) 1554 *netp = sctp_findnet(stcb, init_src); 1555 1556 asoc = &stcb->asoc; 1557 /* get scope variables out of cookie */ 1558 asoc->ipv4_local_scope = cookie->ipv4_scope; 1559 asoc->site_scope = cookie->site_scope; 1560 asoc->local_scope = cookie->local_scope; 1561 asoc->loopback_scope = cookie->loopback_scope; 1562 1563 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1564 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1565 struct mbuf *op_err; 1566 1567 /* 1568 * Houston we have a problem. The EP changed while the 1569 * cookie was in flight. Only recourse is to abort the 1570 * association. 1571 */ 1572 atomic_add_int(&stcb->asoc.refcnt, 1); 1573 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1574 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1575 sh, op_err, vrf_id); 1576 atomic_add_int(&stcb->asoc.refcnt, -1); 1577 return (NULL); 1578 } 1579 /* process the INIT-ACK info (my info) */ 1580 old_tag = asoc->my_vtag; 1581 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1582 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1583 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1584 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1585 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1586 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1587 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1588 asoc->str_reset_seq_in = asoc->init_seq_number; 1589 1590 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1591 1592 /* process the INIT info (peer's info) */ 1593 if (netp) 1594 retval = sctp_process_init(init_cp, stcb, *netp); 1595 else 1596 retval = 0; 1597 if (retval < 0) { 1598 atomic_add_int(&stcb->asoc.refcnt, 1); 1599 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1600 atomic_add_int(&stcb->asoc.refcnt, -1); 1601 return (NULL); 1602 } 1603 /* load all addresses */ 1604 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1605 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1606 init_src)) { 1607 atomic_add_int(&stcb->asoc.refcnt, 1); 1608 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 1609 atomic_add_int(&stcb->asoc.refcnt, -1); 1610 return (NULL); 1611 } 1612 /* 1613 * verify any preceding AUTH chunk that was skipped 1614 */ 1615 /* pull the local authentication parameters from the cookie/init-ack */ 1616 sctp_auth_get_cookie_params(stcb, m, 1617 initack_offset + sizeof(struct sctp_init_ack_chunk), 1618 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1619 if (auth_skipped) { 1620 struct sctp_auth_chunk *auth; 1621 1622 auth = (struct sctp_auth_chunk *) 1623 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 1624 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { 1625 /* auth HMAC failed, dump the assoc and packet */ 1626 SCTPDBG(SCTP_DEBUG_AUTH1, 1627 "COOKIE-ECHO: AUTH failed\n"); 1628 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 1629 return (NULL); 1630 } else { 1631 /* remaining chunks checked... good to go */ 1632 stcb->asoc.authenticated = 1; 1633 } 1634 } 1635 /* update current state */ 1636 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 1637 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1638 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1639 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1640 stcb->sctp_ep, stcb, asoc->primary_destination); 1641 } else { 1642 asoc->state = SCTP_STATE_OPEN; 1643 } 1644 sctp_stop_all_cookie_timers(stcb); 1645 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1646 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1647 1648 /* 1649 * if we're doing ASCONFs, check to see if we have any new local 1650 * addresses that need to get added to the peer (eg. addresses 1651 * changed while cookie echo in flight). This needs to be done 1652 * after we go to the OPEN state to do the correct asconf 1653 * processing. else, make sure we have the correct addresses in our 1654 * lists 1655 */ 1656 1657 /* warning, we re-use sin, sin6, sa_store here! */ 1658 /* pull in local_address (our "from" address) */ 1659 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1660 /* source addr is IPv4 */ 1661 sin = (struct sockaddr_in *)initack_src; 1662 memset(sin, 0, sizeof(*sin)); 1663 sin->sin_family = AF_INET; 1664 sin->sin_len = sizeof(struct sockaddr_in); 1665 sin->sin_addr.s_addr = cookie->laddress[0]; 1666 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1667 /* source addr is IPv6 */ 1668 sin6 = (struct sockaddr_in6 *)initack_src; 1669 memset(sin6, 0, sizeof(*sin6)); 1670 sin6->sin6_family = AF_INET6; 1671 sin6->sin6_len = sizeof(struct sockaddr_in6); 1672 sin6->sin6_scope_id = cookie->scope_id; 1673 memcpy(&sin6->sin6_addr, cookie->laddress, 1674 sizeof(sin6->sin6_addr)); 1675 } else { 1676 atomic_add_int(&stcb->asoc.refcnt, 1); 1677 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 1678 atomic_add_int(&stcb->asoc.refcnt, -1); 1679 return (NULL); 1680 } 1681 1682 sctp_check_address_list(stcb, m, 1683 initack_offset + sizeof(struct sctp_init_ack_chunk), 1684 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1685 initack_src, cookie->local_scope, cookie->site_scope, 1686 cookie->ipv4_scope, cookie->loopback_scope); 1687 1688 1689 /* set up to notify upper layer */ 1690 *notification = SCTP_NOTIFY_ASSOC_UP; 1691 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1692 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1693 (inp->sctp_socket->so_qlimit == 0)) { 1694 /* 1695 * This is an endpoint that called connect() how it got a 1696 * cookie that is NEW is a bit of a mystery. It must be that 1697 * the INIT was sent, but before it got there.. a complete 1698 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1699 * should have went to the other code.. not here.. oh well.. 1700 * a bit of protection is worth having.. 1701 */ 1702 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1703 soisconnected(stcb->sctp_ep->sctp_socket); 1704 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1705 (inp->sctp_socket->so_qlimit)) { 1706 /* 1707 * We don't want to do anything with this one. Since it is 1708 * the listening guy. The timer will get started for 1709 * accepted connections in the caller. 1710 */ 1711 ; 1712 } 1713 /* since we did not send a HB make sure we don't double things */ 1714 if ((netp) && (*netp)) 1715 (*netp)->hb_responded = 1; 1716 1717 if (stcb->asoc.sctp_autoclose_ticks && 1718 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1719 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1720 } 1721 /* respond with a COOKIE-ACK */ 1722 /* calculate the RTT */ 1723 if ((netp) && (*netp)) { 1724 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1725 &cookie->time_entered); 1726 } 1727 sctp_send_cookie_ack(stcb); 1728 return (stcb); 1729} 1730 1731 1732/* 1733 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1734 * existing (non-NULL) TCB 1735 */ 1736static struct mbuf * 1737sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1738 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1739 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1740 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1741 struct sctp_tcb **locked_tcb, uint32_t vrf_id) 1742{ 1743 struct sctp_state_cookie *cookie; 1744 struct sockaddr_in6 sin6; 1745 struct sockaddr_in sin; 1746 struct sctp_tcb *l_stcb = *stcb; 1747 struct sctp_inpcb *l_inp; 1748 struct sockaddr *to; 1749 sctp_assoc_t sac_restart_id; 1750 struct sctp_pcb *ep; 1751 struct mbuf *m_sig; 1752 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1753 uint8_t *sig; 1754 uint8_t cookie_ok = 0; 1755 unsigned int size_of_pkt, sig_offset, cookie_offset; 1756 unsigned int cookie_len; 1757 struct timeval now; 1758 struct timeval time_expires; 1759 struct sockaddr_storage dest_store; 1760 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1761 struct ip *iph; 1762 int notification = 0; 1763 struct sctp_nets *netl; 1764 int had_a_existing_tcb = 0; 1765 1766 SCTPDBG(SCTP_DEBUG_INPUT2, 1767 "sctp_handle_cookie: handling COOKIE-ECHO\n"); 1768 1769 if (inp_p == NULL) { 1770 return (NULL); 1771 } 1772 /* First get the destination address setup too. */ 1773 iph = mtod(m, struct ip *); 1774 if (iph->ip_v == IPVERSION) { 1775 /* its IPv4 */ 1776 struct sockaddr_in *lsin; 1777 1778 lsin = (struct sockaddr_in *)(localep_sa); 1779 memset(lsin, 0, sizeof(*lsin)); 1780 lsin->sin_family = AF_INET; 1781 lsin->sin_len = sizeof(*lsin); 1782 lsin->sin_port = sh->dest_port; 1783 lsin->sin_addr.s_addr = iph->ip_dst.s_addr; 1784 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 1785 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1786 /* its IPv6 */ 1787 struct ip6_hdr *ip6; 1788 struct sockaddr_in6 *lsin6; 1789 1790 lsin6 = (struct sockaddr_in6 *)(localep_sa); 1791 memset(lsin6, 0, sizeof(*lsin6)); 1792 lsin6->sin6_family = AF_INET6; 1793 lsin6->sin6_len = sizeof(struct sockaddr_in6); 1794 ip6 = mtod(m, struct ip6_hdr *); 1795 lsin6->sin6_port = sh->dest_port; 1796 lsin6->sin6_addr = ip6->ip6_dst; 1797 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 1798 } else { 1799 return (NULL); 1800 } 1801 1802 cookie = &cp->cookie; 1803 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1804 cookie_len = ntohs(cp->ch.chunk_length); 1805 1806 if ((cookie->peerport != sh->src_port) && 1807 (cookie->myport != sh->dest_port) && 1808 (cookie->my_vtag != sh->v_tag)) { 1809 /* 1810 * invalid ports or bad tag. Note that we always leave the 1811 * v_tag in the header in network order and when we stored 1812 * it in the my_vtag slot we also left it in network order. 1813 * This maintains the match even though it may be in the 1814 * opposite byte order of the machine :-> 1815 */ 1816 return (NULL); 1817 } 1818 if (cookie_len > size_of_pkt || 1819 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1820 sizeof(struct sctp_init_chunk) + 1821 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1822 /* cookie too long! or too small */ 1823 return (NULL); 1824 } 1825 /* 1826 * split off the signature into its own mbuf (since it should not be 1827 * calculated in the sctp_hmac_m() call). 1828 */ 1829 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1830 if (sig_offset > size_of_pkt) { 1831 /* packet not correct size! */ 1832 /* XXX this may already be accounted for earlier... */ 1833 return (NULL); 1834 } 1835 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1836 if (m_sig == NULL) { 1837 /* out of memory or ?? */ 1838 return (NULL); 1839 } 1840 /* 1841 * compute the signature/digest for the cookie 1842 */ 1843 ep = &(*inp_p)->sctp_ep; 1844 l_inp = *inp_p; 1845 if (l_stcb) { 1846 SCTP_TCB_UNLOCK(l_stcb); 1847 } 1848 SCTP_INP_RLOCK(l_inp); 1849 if (l_stcb) { 1850 SCTP_TCB_LOCK(l_stcb); 1851 } 1852 /* which cookie is it? */ 1853 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1854 (ep->current_secret_number != ep->last_secret_number)) { 1855 /* it's the old cookie */ 1856 (void)sctp_hmac_m(SCTP_HMAC, 1857 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1858 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 1859 } else { 1860 /* it's the current cookie */ 1861 (void)sctp_hmac_m(SCTP_HMAC, 1862 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1863 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 1864 } 1865 /* get the signature */ 1866 SCTP_INP_RUNLOCK(l_inp); 1867 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1868 if (sig == NULL) { 1869 /* couldn't find signature */ 1870 sctp_m_freem(m_sig); 1871 return (NULL); 1872 } 1873 /* compare the received digest with the computed digest */ 1874 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1875 /* try the old cookie? */ 1876 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1877 (ep->current_secret_number != ep->last_secret_number)) { 1878 /* compute digest with old */ 1879 (void)sctp_hmac_m(SCTP_HMAC, 1880 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1881 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 1882 /* compare */ 1883 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1884 cookie_ok = 1; 1885 } 1886 } else { 1887 cookie_ok = 1; 1888 } 1889 1890 /* 1891 * Now before we continue we must reconstruct our mbuf so that 1892 * normal processing of any other chunks will work. 1893 */ 1894 { 1895 struct mbuf *m_at; 1896 1897 m_at = m; 1898 while (SCTP_BUF_NEXT(m_at) != NULL) { 1899 m_at = SCTP_BUF_NEXT(m_at); 1900 } 1901 SCTP_BUF_NEXT(m_at) = m_sig; 1902 } 1903 1904 if (cookie_ok == 0) { 1905 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n"); 1906 SCTPDBG(SCTP_DEBUG_INPUT2, 1907 "offset = %u, cookie_offset = %u, sig_offset = %u\n", 1908 (uint32_t) offset, cookie_offset, sig_offset); 1909 return (NULL); 1910 } 1911 /* 1912 * check the cookie timestamps to be sure it's not stale 1913 */ 1914 (void)SCTP_GETTIME_TIMEVAL(&now); 1915 /* Expire time is in Ticks, so we convert to seconds */ 1916 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life); 1917 time_expires.tv_usec = cookie->time_entered.tv_usec; 1918 if (timevalcmp(&now, &time_expires, >)) { 1919 /* cookie is stale! */ 1920 struct mbuf *op_err; 1921 struct sctp_stale_cookie_msg *scm; 1922 uint32_t tim; 1923 1924 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 1925 0, M_DONTWAIT, 1, MT_DATA); 1926 if (op_err == NULL) { 1927 /* FOOBAR */ 1928 return (NULL); 1929 } 1930 /* pre-reserve some space */ 1931 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1932 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1933 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1934 1935 /* Set the len */ 1936 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 1937 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1938 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1939 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1940 (sizeof(uint32_t)))); 1941 /* seconds to usec */ 1942 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 1943 /* add in usec */ 1944 if (tim == 0) 1945 tim = now.tv_usec - cookie->time_entered.tv_usec; 1946 scm->time_usec = htonl(tim); 1947 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 1948 vrf_id); 1949 return (NULL); 1950 } 1951 /* 1952 * Now we must see with the lookup address if we have an existing 1953 * asoc. This will only happen if we were in the COOKIE-WAIT state 1954 * and a INIT collided with us and somewhere the peer sent the 1955 * cookie on another address besides the single address our assoc 1956 * had for him. In this case we will have one of the tie-tags set at 1957 * least AND the address field in the cookie can be used to look it 1958 * up. 1959 */ 1960 to = NULL; 1961 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 1962 memset(&sin6, 0, sizeof(sin6)); 1963 sin6.sin6_family = AF_INET6; 1964 sin6.sin6_len = sizeof(sin6); 1965 sin6.sin6_port = sh->src_port; 1966 sin6.sin6_scope_id = cookie->scope_id; 1967 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 1968 sizeof(sin6.sin6_addr.s6_addr)); 1969 to = (struct sockaddr *)&sin6; 1970 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 1971 memset(&sin, 0, sizeof(sin)); 1972 sin.sin_family = AF_INET; 1973 sin.sin_len = sizeof(sin); 1974 sin.sin_port = sh->src_port; 1975 sin.sin_addr.s_addr = cookie->address[0]; 1976 to = (struct sockaddr *)&sin; 1977 } else { 1978 /* This should not happen */ 1979 return (NULL); 1980 } 1981 if ((*stcb == NULL) && to) { 1982 /* Yep, lets check */ 1983 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 1984 if (*stcb == NULL) { 1985 /* 1986 * We should have only got back the same inp. If we 1987 * got back a different ep we have a problem. The 1988 * original findep got back l_inp and now 1989 */ 1990 if (l_inp != *inp_p) { 1991 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n"); 1992 } 1993 } else { 1994 if (*locked_tcb == NULL) { 1995 /* 1996 * In this case we found the assoc only 1997 * after we locked the create lock. This 1998 * means we are in a colliding case and we 1999 * must make sure that we unlock the tcb if 2000 * its one of the cases where we throw away 2001 * the incoming packets. 2002 */ 2003 *locked_tcb = *stcb; 2004 2005 /* 2006 * We must also increment the inp ref count 2007 * since the ref_count flags was set when we 2008 * did not find the TCB, now we found it 2009 * which reduces the refcount.. we must 2010 * raise it back out to balance it all :-) 2011 */ 2012 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2013 if ((*stcb)->sctp_ep != l_inp) { 2014 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n", 2015 (*stcb)->sctp_ep, l_inp); 2016 } 2017 } 2018 } 2019 } 2020 if (to == NULL) 2021 return (NULL); 2022 2023 cookie_len -= SCTP_SIGNATURE_SIZE; 2024 if (*stcb == NULL) { 2025 /* this is the "normal" case... get a new TCB */ 2026 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2027 cookie_len, *inp_p, netp, to, ¬ification, 2028 auth_skipped, auth_offset, auth_len, vrf_id); 2029 } else { 2030 /* this is abnormal... cookie-echo on existing TCB */ 2031 had_a_existing_tcb = 1; 2032 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2033 cookie, cookie_len, *inp_p, *stcb, *netp, to, 2034 ¬ification, &sac_restart_id, vrf_id); 2035 } 2036 2037 if (*stcb == NULL) { 2038 /* still no TCB... must be bad cookie-echo */ 2039 return (NULL); 2040 } 2041 /* 2042 * Ok, we built an association so confirm the address we sent the 2043 * INIT-ACK to. 2044 */ 2045 netl = sctp_findnet(*stcb, to); 2046 /* 2047 * This code should in theory NOT run but 2048 */ 2049 if (netl == NULL) { 2050 /* TSNH! Huh, why do I need to add this address here? */ 2051 int ret; 2052 2053 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2054 SCTP_IN_COOKIE_PROC); 2055 netl = sctp_findnet(*stcb, to); 2056 } 2057 if (netl) { 2058 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2059 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2060 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2061 netl); 2062 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2063 (*stcb), 0, (void *)netl); 2064 } 2065 } 2066 if (*stcb) { 2067 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2068 *stcb, NULL); 2069 } 2070 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2071 if (!had_a_existing_tcb || 2072 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2073 /* 2074 * If we have a NEW cookie or the connect never 2075 * reached the connected state during collision we 2076 * must do the TCP accept thing. 2077 */ 2078 struct socket *so, *oso; 2079 struct sctp_inpcb *inp; 2080 2081 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2082 /* 2083 * For a restart we will keep the same 2084 * socket, no need to do anything. I THINK!! 2085 */ 2086 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2087 return (m); 2088 } 2089 oso = (*inp_p)->sctp_socket; 2090 /* 2091 * We do this to keep the sockets side happy durin 2092 * the sonewcon ONLY. 2093 */ 2094 NET_LOCK_GIANT(); 2095 SCTP_TCB_UNLOCK((*stcb)); 2096 so = sonewconn(oso, 0 2097 ); 2098 NET_UNLOCK_GIANT(); 2099 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2100 SCTP_TCB_LOCK((*stcb)); 2101 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2102 if (so == NULL) { 2103 struct mbuf *op_err; 2104 2105 /* Too many sockets */ 2106 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n"); 2107 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2108 sctp_abort_association(*inp_p, NULL, m, iphlen, 2109 sh, op_err, vrf_id); 2110 sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2111 return (NULL); 2112 } 2113 inp = (struct sctp_inpcb *)so->so_pcb; 2114 SCTP_INP_INCR_REF(inp); 2115 /* 2116 * We add the unbound flag here so that if we get an 2117 * soabort() before we get the move_pcb done, we 2118 * will properly cleanup. 2119 */ 2120 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2121 SCTP_PCB_FLAGS_CONNECTED | 2122 SCTP_PCB_FLAGS_IN_TCPPOOL | 2123 SCTP_PCB_FLAGS_UNBOUND | 2124 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2125 SCTP_PCB_FLAGS_DONT_WAKE); 2126 inp->sctp_features = (*inp_p)->sctp_features; 2127 inp->sctp_socket = so; 2128 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2129 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2130 inp->sctp_context = (*inp_p)->sctp_context; 2131 inp->inp_starting_point_for_iterator = NULL; 2132 /* 2133 * copy in the authentication parameters from the 2134 * original endpoint 2135 */ 2136 if (inp->sctp_ep.local_hmacs) 2137 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2138 inp->sctp_ep.local_hmacs = 2139 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2140 if (inp->sctp_ep.local_auth_chunks) 2141 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2142 inp->sctp_ep.local_auth_chunks = 2143 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2144 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2145 &inp->sctp_ep.shared_keys); 2146 2147 /* 2148 * Now we must move it from one hash table to 2149 * another and get the tcb in the right place. 2150 */ 2151 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2152 2153 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2154 SCTP_TCB_UNLOCK((*stcb)); 2155 2156 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, M_NOWAIT); 2157 SCTP_TCB_LOCK((*stcb)); 2158 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2159 2160 2161 /* 2162 * now we must check to see if we were aborted while 2163 * the move was going on and the lock/unlock 2164 * happened. 2165 */ 2166 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2167 /* 2168 * yep it was, we leave the assoc attached 2169 * to the socket since the sctp_inpcb_free() 2170 * call will send an abort for us. 2171 */ 2172 SCTP_INP_DECR_REF(inp); 2173 return (NULL); 2174 } 2175 SCTP_INP_DECR_REF(inp); 2176 /* Switch over to the new guy */ 2177 *inp_p = inp; 2178 sctp_ulp_notify(notification, *stcb, 0, NULL); 2179 2180 /* 2181 * Pull it from the incomplete queue and wake the 2182 * guy 2183 */ 2184 soisconnected(so); 2185 return (m); 2186 } 2187 } 2188 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2189 sctp_ulp_notify(notification, *stcb, 0, NULL); 2190 } 2191 return (m); 2192} 2193 2194static void 2195sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2196 struct sctp_tcb *stcb, struct sctp_nets *net) 2197{ 2198 /* cp must not be used, others call this without a c-ack :-) */ 2199 struct sctp_association *asoc; 2200 2201 SCTPDBG(SCTP_DEBUG_INPUT2, 2202 "sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2203 if (stcb == NULL) 2204 return; 2205 2206 asoc = &stcb->asoc; 2207 2208 sctp_stop_all_cookie_timers(stcb); 2209 /* process according to association state */ 2210 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2211 /* state change only needed when I am in right state */ 2212 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2213 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2214 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2215 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2216 stcb->sctp_ep, stcb, asoc->primary_destination); 2217 2218 } else { 2219 asoc->state = SCTP_STATE_OPEN; 2220 } 2221 /* update RTO */ 2222 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2223 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2224 if (asoc->overall_error_count == 0) { 2225 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2226 &asoc->time_entered); 2227 } 2228 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2229 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2230 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2231 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2232 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2233 soisconnected(stcb->sctp_ep->sctp_socket); 2234 } 2235 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2236 stcb, net); 2237 /* 2238 * since we did not send a HB make sure we don't double 2239 * things 2240 */ 2241 net->hb_responded = 1; 2242 2243 if (stcb->asoc.sctp_autoclose_ticks && 2244 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2245 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2246 stcb->sctp_ep, stcb, NULL); 2247 } 2248 /* 2249 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2250 * addresses changed when init/cookie echo in flight) 2251 */ 2252 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2253 (stcb->asoc.peer_supports_asconf) && 2254 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2255 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2256 stcb->sctp_ep, stcb, 2257 stcb->asoc.primary_destination); 2258 } 2259 } 2260 /* Toss the cookie if I can */ 2261 sctp_toss_old_cookies(stcb, asoc); 2262 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2263 /* Restart the timer if we have pending data */ 2264 struct sctp_tmit_chunk *chk; 2265 2266 chk = TAILQ_FIRST(&asoc->sent_queue); 2267 if (chk) { 2268 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2269 stcb, chk->whoTo); 2270 } 2271 } 2272} 2273 2274static void 2275sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2276 struct sctp_tcb *stcb) 2277{ 2278 struct sctp_nets *net; 2279 struct sctp_tmit_chunk *lchk; 2280 uint32_t tsn; 2281 2282 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2283 return; 2284 } 2285 SCTP_STAT_INCR(sctps_recvecne); 2286 tsn = ntohl(cp->tsn); 2287 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2288 /* Also we make sure we disable the nonce_wait */ 2289 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2290 if (lchk == NULL) { 2291 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2292 } else { 2293 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2294 } 2295 stcb->asoc.nonce_wait_for_ecne = 0; 2296 stcb->asoc.nonce_sum_check = 0; 2297 2298 /* Find where it was sent, if possible */ 2299 net = NULL; 2300 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2301 while (lchk) { 2302 if (lchk->rec.data.TSN_seq == tsn) { 2303 net = lchk->whoTo; 2304 break; 2305 } 2306 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2307 break; 2308 lchk = TAILQ_NEXT(lchk, sctp_next); 2309 } 2310 if (net == NULL) 2311 /* default is we use the primary */ 2312 net = stcb->asoc.primary_destination; 2313 2314 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2315#ifdef SCTP_CWND_MONITOR 2316 int old_cwnd; 2317 2318 old_cwnd = net->cwnd; 2319#endif 2320 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2321 net->ssthresh = net->cwnd / 2; 2322 if (net->ssthresh < net->mtu) { 2323 net->ssthresh = net->mtu; 2324 /* here back off the timer as well, to slow us down */ 2325 net->RTO <<= 1; 2326 } 2327 net->cwnd = net->ssthresh; 2328#ifdef SCTP_CWND_MONITOR 2329 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2330#endif 2331 /* 2332 * we reduce once every RTT. So we will only lower cwnd at 2333 * the next sending seq i.e. the resync_tsn. 2334 */ 2335 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2336 } 2337 /* 2338 * We always send a CWR this way if our previous one was lost our 2339 * peer will get an update, or if it is not time again to reduce we 2340 * still get the cwr to the peer. 2341 */ 2342 sctp_send_cwr(stcb, net, tsn); 2343} 2344 2345static void 2346sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2347{ 2348 /* 2349 * Here we get a CWR from the peer. We must look in the outqueue and 2350 * make sure that we have a covered ECNE in teh control chunk part. 2351 * If so remove it. 2352 */ 2353 struct sctp_tmit_chunk *chk; 2354 struct sctp_ecne_chunk *ecne; 2355 2356 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2357 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2358 continue; 2359 } 2360 /* 2361 * Look for and remove if it is the right TSN. Since there 2362 * is only ONE ECNE on the control queue at any one time we 2363 * don't need to worry about more than one! 2364 */ 2365 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2366 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2367 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2368 /* this covers this ECNE, we can remove it */ 2369 stcb->asoc.ecn_echo_cnt_onq--; 2370 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2371 sctp_next); 2372 if (chk->data) { 2373 sctp_m_freem(chk->data); 2374 chk->data = NULL; 2375 } 2376 stcb->asoc.ctrl_queue_cnt--; 2377 sctp_free_remote_addr(chk->whoTo); 2378 sctp_free_a_chunk(stcb, chk); 2379 break; 2380 } 2381 } 2382} 2383 2384static void 2385sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2386 struct sctp_tcb *stcb, struct sctp_nets *net) 2387{ 2388 struct sctp_association *asoc; 2389 2390 SCTPDBG(SCTP_DEBUG_INPUT2, 2391 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2392 if (stcb == NULL) 2393 return; 2394 2395 asoc = &stcb->asoc; 2396 /* process according to association state */ 2397 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2398 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2399 SCTP_TCB_UNLOCK(stcb); 2400 return; 2401 } 2402 /* notify upper layer protocol */ 2403 if (stcb->sctp_socket) { 2404 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2405 /* are the queues empty? they should be */ 2406 if (!TAILQ_EMPTY(&asoc->send_queue) || 2407 !TAILQ_EMPTY(&asoc->sent_queue) || 2408 !TAILQ_EMPTY(&asoc->out_wheel)) { 2409 sctp_report_all_outbound(stcb, 0); 2410 } 2411 } 2412 /* stop the timer */ 2413 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_21); 2414 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2415 /* free the TCB */ 2416 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2417 return; 2418} 2419 2420static int 2421process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2422 struct sctp_nets *net, uint8_t flg) 2423{ 2424 switch (desc->chunk_type) { 2425 case SCTP_DATA: 2426 /* find the tsn to resend (possibly */ 2427 { 2428 uint32_t tsn; 2429 struct sctp_tmit_chunk *tp1; 2430 2431 tsn = ntohl(desc->tsn_ifany); 2432 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2433 while (tp1) { 2434 if (tp1->rec.data.TSN_seq == tsn) { 2435 /* found it */ 2436 break; 2437 } 2438 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2439 MAX_TSN)) { 2440 /* not found */ 2441 tp1 = NULL; 2442 break; 2443 } 2444 tp1 = TAILQ_NEXT(tp1, sctp_next); 2445 } 2446 if (tp1 == NULL) { 2447 /* 2448 * Do it the other way , aka without paying 2449 * attention to queue seq order. 2450 */ 2451 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2452 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2453 while (tp1) { 2454 if (tp1->rec.data.TSN_seq == tsn) { 2455 /* found it */ 2456 break; 2457 } 2458 tp1 = TAILQ_NEXT(tp1, sctp_next); 2459 } 2460 } 2461 if (tp1 == NULL) { 2462 SCTP_STAT_INCR(sctps_pdrptsnnf); 2463 } 2464 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2465 uint8_t *ddp; 2466 2467 if ((stcb->asoc.peers_rwnd == 0) && 2468 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2469 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2470 return (0); 2471 } 2472 if (stcb->asoc.peers_rwnd == 0 && 2473 (flg & SCTP_FROM_MIDDLE_BOX)) { 2474 SCTP_STAT_INCR(sctps_pdrpdizrw); 2475 return (0); 2476 } 2477 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2478 sizeof(struct sctp_data_chunk)); 2479 { 2480 unsigned int iii; 2481 2482 for (iii = 0; iii < sizeof(desc->data_bytes); 2483 iii++) { 2484 if (ddp[iii] != desc->data_bytes[iii]) { 2485 SCTP_STAT_INCR(sctps_pdrpbadd); 2486 return (-1); 2487 } 2488 } 2489 } 2490 /* 2491 * We zero out the nonce so resync not 2492 * needed 2493 */ 2494 tp1->rec.data.ect_nonce = 0; 2495 2496 if (tp1->do_rtt) { 2497 /* 2498 * this guy had a RTO calculation 2499 * pending on it, cancel it 2500 */ 2501 tp1->do_rtt = 0; 2502 } 2503 SCTP_STAT_INCR(sctps_pdrpmark); 2504 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2505 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2506 tp1->sent = SCTP_DATAGRAM_RESEND; 2507 /* 2508 * mark it as if we were doing a FR, since 2509 * we will be getting gap ack reports behind 2510 * the info from the router. 2511 */ 2512 tp1->rec.data.doing_fast_retransmit = 1; 2513 /* 2514 * mark the tsn with what sequences can 2515 * cause a new FR. 2516 */ 2517 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2518 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2519 } else { 2520 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2521 } 2522 2523 /* restart the timer */ 2524 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2525 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2526 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2527 stcb, tp1->whoTo); 2528 2529 /* fix counts and things */ 2530#ifdef SCTP_FLIGHT_LOGGING 2531 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 2532 tp1->whoTo->flight_size, 2533 tp1->book_size, 2534 (uintptr_t) stcb, 2535 tp1->rec.data.TSN_seq); 2536#endif 2537 sctp_flight_size_decrease(tp1); 2538 sctp_total_flight_decrease(stcb, tp1); 2539 } { 2540 /* audit code */ 2541 unsigned int audit; 2542 2543 audit = 0; 2544 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2545 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2546 audit++; 2547 } 2548 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2549 sctp_next) { 2550 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2551 audit++; 2552 } 2553 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2554 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n", 2555 audit, stcb->asoc.sent_queue_retran_cnt); 2556#ifndef SCTP_AUDITING_ENABLED 2557 stcb->asoc.sent_queue_retran_cnt = audit; 2558#endif 2559 } 2560 } 2561 } 2562 break; 2563 case SCTP_ASCONF: 2564 { 2565 struct sctp_tmit_chunk *asconf; 2566 2567 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2568 sctp_next) { 2569 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2570 break; 2571 } 2572 } 2573 if (asconf) { 2574 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2575 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2576 asconf->sent = SCTP_DATAGRAM_RESEND; 2577 asconf->snd_count--; 2578 } 2579 } 2580 break; 2581 case SCTP_INITIATION: 2582 /* resend the INIT */ 2583 stcb->asoc.dropped_special_cnt++; 2584 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2585 /* 2586 * If we can get it in, in a few attempts we do 2587 * this, otherwise we let the timer fire. 2588 */ 2589 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2590 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 2591 sctp_send_initiate(stcb->sctp_ep, stcb); 2592 } 2593 break; 2594 case SCTP_SELECTIVE_ACK: 2595 /* resend the sack */ 2596 sctp_send_sack(stcb); 2597 break; 2598 case SCTP_HEARTBEAT_REQUEST: 2599 /* resend a demand HB */ 2600 (void)sctp_send_hb(stcb, 1, net); 2601 break; 2602 case SCTP_SHUTDOWN: 2603 sctp_send_shutdown(stcb, net); 2604 break; 2605 case SCTP_SHUTDOWN_ACK: 2606 sctp_send_shutdown_ack(stcb, net); 2607 break; 2608 case SCTP_COOKIE_ECHO: 2609 { 2610 struct sctp_tmit_chunk *cookie; 2611 2612 cookie = NULL; 2613 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2614 sctp_next) { 2615 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2616 break; 2617 } 2618 } 2619 if (cookie) { 2620 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2621 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2622 cookie->sent = SCTP_DATAGRAM_RESEND; 2623 sctp_stop_all_cookie_timers(stcb); 2624 } 2625 } 2626 break; 2627 case SCTP_COOKIE_ACK: 2628 sctp_send_cookie_ack(stcb); 2629 break; 2630 case SCTP_ASCONF_ACK: 2631 /* resend last asconf ack */ 2632 sctp_send_asconf_ack(stcb, 1); 2633 break; 2634 case SCTP_FORWARD_CUM_TSN: 2635 send_forward_tsn(stcb, &stcb->asoc); 2636 break; 2637 /* can't do anything with these */ 2638 case SCTP_PACKET_DROPPED: 2639 case SCTP_INITIATION_ACK: /* this should not happen */ 2640 case SCTP_HEARTBEAT_ACK: 2641 case SCTP_ABORT_ASSOCIATION: 2642 case SCTP_OPERATION_ERROR: 2643 case SCTP_SHUTDOWN_COMPLETE: 2644 case SCTP_ECN_ECHO: 2645 case SCTP_ECN_CWR: 2646 default: 2647 break; 2648 } 2649 return (0); 2650} 2651 2652void 2653sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2654{ 2655 int i; 2656 uint16_t temp; 2657 2658 /* 2659 * We set things to 0xffff since this is the last delivered sequence 2660 * and we will be sending in 0 after the reset. 2661 */ 2662 2663 if (number_entries) { 2664 for (i = 0; i < number_entries; i++) { 2665 temp = ntohs(list[i]); 2666 if (temp >= stcb->asoc.streamincnt) { 2667 continue; 2668 } 2669 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2670 } 2671 } else { 2672 list = NULL; 2673 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2674 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2675 } 2676 } 2677 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2678} 2679 2680static void 2681sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2682{ 2683 int i; 2684 2685 if (number_entries == 0) { 2686 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2687 stcb->asoc.strmout[i].next_sequence_sent = 0; 2688 } 2689 } else if (number_entries) { 2690 for (i = 0; i < number_entries; i++) { 2691 uint16_t temp; 2692 2693 temp = ntohs(list[i]); 2694 if (temp >= stcb->asoc.streamoutcnt) { 2695 /* no such stream */ 2696 continue; 2697 } 2698 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2699 } 2700 } 2701 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2702} 2703 2704 2705struct sctp_stream_reset_out_request * 2706sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2707{ 2708 struct sctp_association *asoc; 2709 struct sctp_stream_reset_out_req *req; 2710 struct sctp_stream_reset_out_request *r; 2711 struct sctp_tmit_chunk *chk; 2712 int len, clen; 2713 2714 asoc = &stcb->asoc; 2715 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2716 asoc->stream_reset_outstanding = 0; 2717 return (NULL); 2718 } 2719 if (stcb->asoc.str_reset == NULL) { 2720 asoc->stream_reset_outstanding = 0; 2721 return (NULL); 2722 } 2723 chk = stcb->asoc.str_reset; 2724 if (chk->data == NULL) { 2725 return (NULL); 2726 } 2727 if (bchk) { 2728 /* he wants a copy of the chk pointer */ 2729 *bchk = chk; 2730 } 2731 clen = chk->send_size; 2732 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2733 r = &req->sr_req; 2734 if (ntohl(r->request_seq) == seq) { 2735 /* found it */ 2736 return (r); 2737 } 2738 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2739 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2740 /* move to the next one, there can only be a max of two */ 2741 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2742 if (ntohl(r->request_seq) == seq) { 2743 return (r); 2744 } 2745 } 2746 /* that seq is not here */ 2747 return (NULL); 2748} 2749 2750static void 2751sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2752{ 2753 struct sctp_association *asoc; 2754 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2755 2756 if (stcb->asoc.str_reset == NULL) { 2757 return; 2758 } 2759 asoc = &stcb->asoc; 2760 2761 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 2762 TAILQ_REMOVE(&asoc->control_send_queue, 2763 chk, 2764 sctp_next); 2765 if (chk->data) { 2766 sctp_m_freem(chk->data); 2767 chk->data = NULL; 2768 } 2769 asoc->ctrl_queue_cnt--; 2770 sctp_free_remote_addr(chk->whoTo); 2771 2772 sctp_free_a_chunk(stcb, chk); 2773 stcb->asoc.str_reset = NULL; 2774} 2775 2776 2777static int 2778sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2779 uint32_t seq, uint32_t action, 2780 struct sctp_stream_reset_response *respin) 2781{ 2782 uint16_t type; 2783 int lparm_len; 2784 struct sctp_association *asoc = &stcb->asoc; 2785 struct sctp_tmit_chunk *chk; 2786 struct sctp_stream_reset_out_request *srparam; 2787 int number_entries; 2788 2789 if (asoc->stream_reset_outstanding == 0) { 2790 /* duplicate */ 2791 return (0); 2792 } 2793 if (seq == stcb->asoc.str_reset_seq_out) { 2794 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2795 if (srparam) { 2796 stcb->asoc.str_reset_seq_out++; 2797 type = ntohs(srparam->ph.param_type); 2798 lparm_len = ntohs(srparam->ph.param_length); 2799 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2800 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2801 asoc->stream_reset_out_is_outstanding = 0; 2802 if (asoc->stream_reset_outstanding) 2803 asoc->stream_reset_outstanding--; 2804 if (action == SCTP_STREAM_RESET_PERFORMED) { 2805 /* do it */ 2806 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2807 } else { 2808 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2809 } 2810 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2811 /* Answered my request */ 2812 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 2813 if (asoc->stream_reset_outstanding) 2814 asoc->stream_reset_outstanding--; 2815 if (action != SCTP_STREAM_RESET_PERFORMED) { 2816 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2817 } 2818 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2819 /** 2820 * a) Adopt the new in tsn. 2821 * b) reset the map 2822 * c) Adopt the new out-tsn 2823 */ 2824 struct sctp_stream_reset_response_tsn *resp; 2825 struct sctp_forward_tsn_chunk fwdtsn; 2826 int abort_flag = 0; 2827 2828 if (respin == NULL) { 2829 /* huh ? */ 2830 return (0); 2831 } 2832 if (action == SCTP_STREAM_RESET_PERFORMED) { 2833 resp = (struct sctp_stream_reset_response_tsn *)respin; 2834 asoc->stream_reset_outstanding--; 2835 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2836 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2837 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2838 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2839 if (abort_flag) { 2840 return (1); 2841 } 2842 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2843 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2844 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2845 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2846 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2847 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2848 2849 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2850 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2851 2852 } 2853 } 2854 /* get rid of the request and get the request flags */ 2855 if (asoc->stream_reset_outstanding == 0) { 2856 sctp_clean_up_stream_reset(stcb); 2857 } 2858 } 2859 } 2860 return (0); 2861} 2862 2863static void 2864sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2865 struct sctp_tmit_chunk *chk, 2866 struct sctp_stream_reset_in_request *req) 2867{ 2868 uint32_t seq; 2869 int len, i; 2870 int number_entries; 2871 uint16_t temp; 2872 2873 /* 2874 * peer wants me to send a str-reset to him for my outgoing seq's if 2875 * seq_in is right. 2876 */ 2877 struct sctp_association *asoc = &stcb->asoc; 2878 2879 seq = ntohl(req->request_seq); 2880 if (asoc->str_reset_seq_in == seq) { 2881 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2882 len = ntohs(req->ph.param_length); 2883 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2884 for (i = 0; i < number_entries; i++) { 2885 temp = ntohs(req->list_of_streams[i]); 2886 req->list_of_streams[i] = temp; 2887 } 2888 /* move the reset action back one */ 2889 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2890 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2891 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2892 asoc->str_reset_seq_out, 2893 seq, (asoc->sending_seq - 1)); 2894 asoc->stream_reset_out_is_outstanding = 1; 2895 asoc->str_reset = chk; 2896 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2897 stcb->asoc.stream_reset_outstanding++; 2898 } else { 2899 /* Can't do it, since we have sent one out */ 2900 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2901 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 2902 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2903 } 2904 asoc->str_reset_seq_in++; 2905 } else if (asoc->str_reset_seq_in - 1 == seq) { 2906 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2907 } else if (asoc->str_reset_seq_in - 2 == seq) { 2908 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2909 } else { 2910 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2911 } 2912} 2913 2914static int 2915sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 2916 struct sctp_tmit_chunk *chk, 2917 struct sctp_stream_reset_tsn_request *req) 2918{ 2919 /* reset all in and out and update the tsn */ 2920 /* 2921 * A) reset my str-seq's on in and out. B) Select a receive next, 2922 * and set cum-ack to it. Also process this selected number as a 2923 * fwd-tsn as well. C) set in the response my next sending seq. 2924 */ 2925 struct sctp_forward_tsn_chunk fwdtsn; 2926 struct sctp_association *asoc = &stcb->asoc; 2927 int abort_flag = 0; 2928 uint32_t seq; 2929 2930 seq = ntohl(req->request_seq); 2931 if (asoc->str_reset_seq_in == seq) { 2932 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2933 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2934 fwdtsn.ch.chunk_flags = 0; 2935 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 2936 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2937 if (abort_flag) { 2938 return (1); 2939 } 2940 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 2941 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2942 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 2943 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2944 atomic_add_int(&stcb->asoc.sending_seq, 1); 2945 /* save off historical data for retrans */ 2946 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 2947 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 2948 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 2949 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 2950 2951 sctp_add_stream_reset_result_tsn(chk, 2952 ntohl(req->request_seq), 2953 SCTP_STREAM_RESET_PERFORMED, 2954 stcb->asoc.sending_seq, 2955 stcb->asoc.mapping_array_base_tsn); 2956 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2957 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2958 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 2959 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2960 2961 asoc->str_reset_seq_in++; 2962 } else if (asoc->str_reset_seq_in - 1 == seq) { 2963 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 2964 stcb->asoc.last_sending_seq[0], 2965 stcb->asoc.last_base_tsnsent[0] 2966 ); 2967 } else if (asoc->str_reset_seq_in - 2 == seq) { 2968 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 2969 stcb->asoc.last_sending_seq[1], 2970 stcb->asoc.last_base_tsnsent[1] 2971 ); 2972 } else { 2973 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2974 } 2975 return (0); 2976} 2977 2978static void 2979sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 2980 struct sctp_tmit_chunk *chk, 2981 struct sctp_stream_reset_out_request *req) 2982{ 2983 uint32_t seq, tsn; 2984 int number_entries, len; 2985 struct sctp_association *asoc = &stcb->asoc; 2986 2987 seq = ntohl(req->request_seq); 2988 2989 /* now if its not a duplicate we process it */ 2990 if (asoc->str_reset_seq_in == seq) { 2991 len = ntohs(req->ph.param_length); 2992 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 2993 /* 2994 * the sender is resetting, handle the list issue.. we must 2995 * a) verify if we can do the reset, if so no problem b) If 2996 * we can't do the reset we must copy the request. c) queue 2997 * it, and setup the data in processor to trigger it off 2998 * when needed and dequeue all the queued data. 2999 */ 3000 tsn = ntohl(req->send_reset_at_tsn); 3001 3002 /* move the reset action back one */ 3003 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3004 if ((tsn == asoc->cumulative_tsn) || 3005 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3006 /* we can do it now */ 3007 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3008 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3009 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3010 } else { 3011 /* 3012 * we must queue it up and thus wait for the TSN's 3013 * to arrive that are at or before tsn 3014 */ 3015 struct sctp_stream_reset_list *liste; 3016 int siz; 3017 3018 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3019 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3020 siz, SCTP_M_STRESET); 3021 if (liste == NULL) { 3022 /* gak out of memory */ 3023 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3024 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3025 return; 3026 } 3027 liste->tsn = tsn; 3028 liste->number_entries = number_entries; 3029 memcpy(&liste->req, req, 3030 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3031 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3032 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3033 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3034 } 3035 asoc->str_reset_seq_in++; 3036 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3037 /* 3038 * one seq back, just echo back last action since my 3039 * response was lost. 3040 */ 3041 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3042 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3043 /* 3044 * two seq back, just echo back last action since my 3045 * response was lost. 3046 */ 3047 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3048 } else { 3049 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3050 } 3051} 3052 3053static int 3054sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 3055{ 3056 int chk_length, param_len, ptype; 3057 uint32_t seq; 3058 int num_req = 0; 3059 struct sctp_tmit_chunk *chk; 3060 struct sctp_chunkhdr *ch; 3061 struct sctp_paramhdr *ph; 3062 int ret_code = 0; 3063 int num_param = 0; 3064 3065 /* now it may be a reset or a reset-response */ 3066 chk_length = ntohs(sr_req->ch.chunk_length); 3067 3068 /* setup for adding the response */ 3069 sctp_alloc_a_chunk(stcb, chk); 3070 if (chk == NULL) { 3071 return (ret_code); 3072 } 3073 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3074 chk->rec.chunk_id.can_take_data = 0; 3075 chk->asoc = &stcb->asoc; 3076 chk->no_fr_allowed = 0; 3077 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3078 chk->book_size_scale = 0; 3079 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3080 if (chk->data == NULL) { 3081strres_nochunk: 3082 if (chk->data) { 3083 sctp_m_freem(chk->data); 3084 chk->data = NULL; 3085 } 3086 sctp_free_a_chunk(stcb, chk); 3087 return (ret_code); 3088 } 3089 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3090 3091 /* setup chunk parameters */ 3092 chk->sent = SCTP_DATAGRAM_UNSENT; 3093 chk->snd_count = 0; 3094 chk->whoTo = stcb->asoc.primary_destination; 3095 atomic_add_int(&chk->whoTo->ref_count, 1); 3096 3097 ch = mtod(chk->data, struct sctp_chunkhdr *); 3098 ch->chunk_type = SCTP_STREAM_RESET; 3099 ch->chunk_flags = 0; 3100 ch->chunk_length = htons(chk->send_size); 3101 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3102 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3103 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3104 param_len = ntohs(ph->param_length); 3105 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3106 /* bad param */ 3107 break; 3108 } 3109 ptype = ntohs(ph->param_type); 3110 num_param++; 3111 if (num_param > SCTP_MAX_RESET_PARAMS) { 3112 /* hit the max of parameters already sorry.. */ 3113 break; 3114 } 3115 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3116 struct sctp_stream_reset_out_request *req_out; 3117 3118 req_out = (struct sctp_stream_reset_out_request *)ph; 3119 num_req++; 3120 if (stcb->asoc.stream_reset_outstanding) { 3121 seq = ntohl(req_out->response_seq); 3122 if (seq == stcb->asoc.str_reset_seq_out) { 3123 /* implicit ack */ 3124 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3125 } 3126 } 3127 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3128 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3129 struct sctp_stream_reset_in_request *req_in; 3130 3131 num_req++; 3132 req_in = (struct sctp_stream_reset_in_request *)ph; 3133 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3134 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3135 struct sctp_stream_reset_tsn_request *req_tsn; 3136 3137 num_req++; 3138 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3139 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3140 ret_code = 1; 3141 goto strres_nochunk; 3142 } 3143 /* no more */ 3144 break; 3145 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3146 struct sctp_stream_reset_response *resp; 3147 uint32_t result; 3148 3149 resp = (struct sctp_stream_reset_response *)ph; 3150 seq = ntohl(resp->response_seq); 3151 result = ntohl(resp->result); 3152 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3153 ret_code = 1; 3154 goto strres_nochunk; 3155 } 3156 } else { 3157 break; 3158 } 3159 3160 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3161 chk_length -= SCTP_SIZE32(param_len); 3162 } 3163 if (num_req == 0) { 3164 /* we have no response free the stuff */ 3165 goto strres_nochunk; 3166 } 3167 /* ok we have a chunk to link in */ 3168 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3169 chk, 3170 sctp_next); 3171 stcb->asoc.ctrl_queue_cnt++; 3172 return (ret_code); 3173} 3174 3175/* 3176 * Handle a router or endpoints report of a packet loss, there are two ways 3177 * to handle this, either we get the whole packet and must disect it 3178 * ourselves (possibly with truncation and or corruption) or it is a summary 3179 * from a middle box that did the disectting for us. 3180 */ 3181static void 3182sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3183 struct sctp_tcb *stcb, struct sctp_nets *net) 3184{ 3185 uint32_t bottle_bw, on_queue; 3186 uint16_t trunc_len; 3187 unsigned int chlen; 3188 unsigned int at; 3189 struct sctp_chunk_desc desc; 3190 struct sctp_chunkhdr *ch; 3191 3192 chlen = ntohs(cp->ch.chunk_length); 3193 chlen -= sizeof(struct sctp_pktdrop_chunk); 3194 /* XXX possible chlen underflow */ 3195 if (chlen == 0) { 3196 ch = NULL; 3197 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3198 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3199 } else { 3200 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3201 chlen -= sizeof(struct sctphdr); 3202 /* XXX possible chlen underflow */ 3203 memset(&desc, 0, sizeof(desc)); 3204 } 3205 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3206 /* now the chunks themselves */ 3207 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3208 desc.chunk_type = ch->chunk_type; 3209 /* get amount we need to move */ 3210 at = ntohs(ch->chunk_length); 3211 if (at < sizeof(struct sctp_chunkhdr)) { 3212 /* corrupt chunk, maybe at the end? */ 3213 SCTP_STAT_INCR(sctps_pdrpcrupt); 3214 break; 3215 } 3216 if (trunc_len == 0) { 3217 /* we are supposed to have all of it */ 3218 if (at > chlen) { 3219 /* corrupt skip it */ 3220 SCTP_STAT_INCR(sctps_pdrpcrupt); 3221 break; 3222 } 3223 } else { 3224 /* is there enough of it left ? */ 3225 if (desc.chunk_type == SCTP_DATA) { 3226 if (chlen < (sizeof(struct sctp_data_chunk) + 3227 sizeof(desc.data_bytes))) { 3228 break; 3229 } 3230 } else { 3231 if (chlen < sizeof(struct sctp_chunkhdr)) { 3232 break; 3233 } 3234 } 3235 } 3236 if (desc.chunk_type == SCTP_DATA) { 3237 /* can we get out the tsn? */ 3238 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3239 SCTP_STAT_INCR(sctps_pdrpmbda); 3240 3241 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3242 /* yep */ 3243 struct sctp_data_chunk *dcp; 3244 uint8_t *ddp; 3245 unsigned int iii; 3246 3247 dcp = (struct sctp_data_chunk *)ch; 3248 ddp = (uint8_t *) (dcp + 1); 3249 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3250 desc.data_bytes[iii] = ddp[iii]; 3251 } 3252 desc.tsn_ifany = dcp->dp.tsn; 3253 } else { 3254 /* nope we are done. */ 3255 SCTP_STAT_INCR(sctps_pdrpnedat); 3256 break; 3257 } 3258 } else { 3259 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3260 SCTP_STAT_INCR(sctps_pdrpmbct); 3261 } 3262 3263 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3264 SCTP_STAT_INCR(sctps_pdrppdbrk); 3265 break; 3266 } 3267 if (SCTP_SIZE32(at) > chlen) { 3268 break; 3269 } 3270 chlen -= SCTP_SIZE32(at); 3271 if (chlen < sizeof(struct sctp_chunkhdr)) { 3272 /* done, none left */ 3273 break; 3274 } 3275 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3276 } 3277 /* Now update any rwnd --- possibly */ 3278 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3279 /* From a peer, we get a rwnd report */ 3280 uint32_t a_rwnd; 3281 3282 SCTP_STAT_INCR(sctps_pdrpfehos); 3283 3284 bottle_bw = ntohl(cp->bottle_bw); 3285 on_queue = ntohl(cp->current_onq); 3286 if (bottle_bw && on_queue) { 3287 /* a rwnd report is in here */ 3288 if (bottle_bw > on_queue) 3289 a_rwnd = bottle_bw - on_queue; 3290 else 3291 a_rwnd = 0; 3292 3293 if (a_rwnd == 0) 3294 stcb->asoc.peers_rwnd = 0; 3295 else { 3296 if (a_rwnd > stcb->asoc.total_flight) { 3297 stcb->asoc.peers_rwnd = 3298 a_rwnd - stcb->asoc.total_flight; 3299 } else { 3300 stcb->asoc.peers_rwnd = 0; 3301 } 3302 if (stcb->asoc.peers_rwnd < 3303 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3304 /* SWS sender side engages */ 3305 stcb->asoc.peers_rwnd = 0; 3306 } 3307 } 3308 } 3309 } else { 3310 SCTP_STAT_INCR(sctps_pdrpfmbox); 3311 } 3312 3313 /* now middle boxes in sat networks get a cwnd bump */ 3314 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3315 (stcb->asoc.sat_t3_loss_recovery == 0) && 3316 (stcb->asoc.sat_network)) { 3317 /* 3318 * This is debateable but for sat networks it makes sense 3319 * Note if a T3 timer has went off, we will prohibit any 3320 * changes to cwnd until we exit the t3 loss recovery. 3321 */ 3322 uint32_t bw_avail; 3323 int rtt, incr; 3324 3325#ifdef SCTP_CWND_MONITOR 3326 int old_cwnd = net->cwnd; 3327 3328#endif 3329 /* need real RTT for this calc */ 3330 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3331 /* get bottle neck bw */ 3332 bottle_bw = ntohl(cp->bottle_bw); 3333 /* and whats on queue */ 3334 on_queue = ntohl(cp->current_onq); 3335 /* 3336 * adjust the on-queue if our flight is more it could be 3337 * that the router has not yet gotten data "in-flight" to it 3338 */ 3339 if (on_queue < net->flight_size) 3340 on_queue = net->flight_size; 3341 3342 /* calculate the available space */ 3343 bw_avail = (bottle_bw * rtt) / 1000; 3344 if (bw_avail > bottle_bw) { 3345 /* 3346 * Cap the growth to no more than the bottle neck. 3347 * This can happen as RTT slides up due to queues. 3348 * It also means if you have more than a 1 second 3349 * RTT with a empty queue you will be limited to the 3350 * bottle_bw per second no matter if other points 3351 * have 1/2 the RTT and you could get more out... 3352 */ 3353 bw_avail = bottle_bw; 3354 } 3355 if (on_queue > bw_avail) { 3356 /* 3357 * No room for anything else don't allow anything 3358 * else to be "added to the fire". 3359 */ 3360 int seg_inflight, seg_onqueue, my_portion; 3361 3362 net->partial_bytes_acked = 0; 3363 3364 /* how much are we over queue size? */ 3365 incr = on_queue - bw_avail; 3366 if (stcb->asoc.seen_a_sack_this_pkt) { 3367 /* 3368 * undo any cwnd adjustment that the sack 3369 * might have made 3370 */ 3371 net->cwnd = net->prev_cwnd; 3372 } 3373 /* Now how much of that is mine? */ 3374 seg_inflight = net->flight_size / net->mtu; 3375 seg_onqueue = on_queue / net->mtu; 3376 my_portion = (incr * seg_inflight) / seg_onqueue; 3377 3378 /* Have I made an adjustment already */ 3379 if (net->cwnd > net->flight_size) { 3380 /* 3381 * for this flight I made an adjustment we 3382 * need to decrease the portion by a share 3383 * our previous adjustment. 3384 */ 3385 int diff_adj; 3386 3387 diff_adj = net->cwnd - net->flight_size; 3388 if (diff_adj > my_portion) 3389 my_portion = 0; 3390 else 3391 my_portion -= diff_adj; 3392 } 3393 /* 3394 * back down to the previous cwnd (assume we have 3395 * had a sack before this packet). minus what ever 3396 * portion of the overage is my fault. 3397 */ 3398 net->cwnd -= my_portion; 3399 3400 /* we will NOT back down more than 1 MTU */ 3401 if (net->cwnd <= net->mtu) { 3402 net->cwnd = net->mtu; 3403 } 3404 /* force into CA */ 3405 net->ssthresh = net->cwnd - 1; 3406 } else { 3407 /* 3408 * Take 1/4 of the space left or max burst up .. 3409 * whichever is less. 3410 */ 3411 incr = min((bw_avail - on_queue) >> 2, 3412 stcb->asoc.max_burst * net->mtu); 3413 net->cwnd += incr; 3414 } 3415 if (net->cwnd > bw_avail) { 3416 /* We can't exceed the pipe size */ 3417 net->cwnd = bw_avail; 3418 } 3419 if (net->cwnd < net->mtu) { 3420 /* We always have 1 MTU */ 3421 net->cwnd = net->mtu; 3422 } 3423#ifdef SCTP_CWND_MONITOR 3424 if (net->cwnd - old_cwnd != 0) { 3425 /* log only changes */ 3426 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3427 SCTP_CWND_LOG_FROM_SAT); 3428 } 3429#endif 3430 } 3431} 3432 3433/* 3434 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3435 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3436 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3437 * length of the complete packet outputs: - length: modified to remaining 3438 * length after control processing - netp: modified to new sctp_nets after 3439 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3440 * bad packet,...) otherwise return the tcb for this packet 3441 */ 3442#ifdef __GNUC__ 3443__attribute__((noinline)) 3444#endif 3445 static struct sctp_tcb * 3446 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3447 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3448 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen, 3449 uint32_t vrf_id) 3450{ 3451 struct sctp_association *asoc; 3452 uint32_t vtag_in; 3453 int num_chunks = 0; /* number of control chunks processed */ 3454 uint32_t chk_length; 3455 int ret; 3456 int abort_no_unlock = 0; 3457 3458 /* 3459 * How big should this be, and should it be alloc'd? Lets try the 3460 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3461 * until we get into jumbo grams and such.. 3462 */ 3463 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 3464 struct sctp_tcb *locked_tcb = stcb; 3465 int got_auth = 0; 3466 uint32_t auth_offset = 0, auth_len = 0; 3467 int auth_skipped = 0; 3468 3469 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3470 iphlen, *offset, length, stcb); 3471 3472 /* validate chunk header length... */ 3473 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3474 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n", 3475 ntohs(ch->chunk_length)); 3476 if (locked_tcb) { 3477 SCTP_TCB_UNLOCK(locked_tcb); 3478 } 3479 return (NULL); 3480 } 3481 /* 3482 * validate the verification tag 3483 */ 3484 vtag_in = ntohl(sh->v_tag); 3485 3486 if (locked_tcb) { 3487 SCTP_TCB_LOCK_ASSERT(locked_tcb); 3488 } 3489 if (ch->chunk_type == SCTP_INITIATION) { 3490 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n", 3491 ntohs(ch->chunk_length), vtag_in); 3492 if (vtag_in != 0) { 3493 /* protocol error- silently discard... */ 3494 SCTP_STAT_INCR(sctps_badvtag); 3495 if (locked_tcb) { 3496 SCTP_TCB_UNLOCK(locked_tcb); 3497 } 3498 return (NULL); 3499 } 3500 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3501 /* 3502 * If there is no stcb, skip the AUTH chunk and process 3503 * later after a stcb is found (to validate the lookup was 3504 * valid. 3505 */ 3506 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3507 (stcb == NULL) && !sctp_auth_disable) { 3508 /* save this chunk for later processing */ 3509 auth_skipped = 1; 3510 auth_offset = *offset; 3511 auth_len = ntohs(ch->chunk_length); 3512 3513 /* (temporarily) move past this chunk */ 3514 *offset += SCTP_SIZE32(auth_len); 3515 if (*offset >= length) { 3516 /* no more data left in the mbuf chain */ 3517 *offset = length; 3518 if (locked_tcb) { 3519 SCTP_TCB_UNLOCK(locked_tcb); 3520 } 3521 return (NULL); 3522 } 3523 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3524 sizeof(struct sctp_chunkhdr), chunk_buf); 3525 } 3526 if (ch == NULL) { 3527 /* Help */ 3528 *offset = length; 3529 if (locked_tcb) { 3530 SCTP_TCB_UNLOCK(locked_tcb); 3531 } 3532 return (NULL); 3533 } 3534 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3535 goto process_control_chunks; 3536 } 3537 /* 3538 * first check if it's an ASCONF with an unknown src addr we 3539 * need to look inside to find the association 3540 */ 3541 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3542 /* inp's refcount may be reduced */ 3543 SCTP_INP_INCR_REF(inp); 3544 3545 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3546 *offset, sh, &inp, netp); 3547 if (stcb == NULL) { 3548 /* 3549 * reduce inp's refcount if not reduced in 3550 * sctp_findassociation_ep_asconf(). 3551 */ 3552 SCTP_INP_DECR_REF(inp); 3553 } 3554 /* now go back and verify any auth chunk to be sure */ 3555 if (auth_skipped && (stcb != NULL)) { 3556 struct sctp_auth_chunk *auth; 3557 3558 auth = (struct sctp_auth_chunk *) 3559 sctp_m_getptr(m, auth_offset, 3560 auth_len, chunk_buf); 3561 got_auth = 1; 3562 auth_skipped = 0; 3563 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, 3564 auth_offset)) { 3565 /* auth HMAC failed so dump it */ 3566 *offset = length; 3567 if (locked_tcb) { 3568 SCTP_TCB_UNLOCK(locked_tcb); 3569 } 3570 return (NULL); 3571 } else { 3572 /* remaining chunks are HMAC checked */ 3573 stcb->asoc.authenticated = 1; 3574 } 3575 } 3576 } 3577 if (stcb == NULL) { 3578 /* no association, so it's out of the blue... */ 3579 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL, 3580 vrf_id); 3581 *offset = length; 3582 if (locked_tcb) { 3583 SCTP_TCB_UNLOCK(locked_tcb); 3584 } 3585 return (NULL); 3586 } 3587 asoc = &stcb->asoc; 3588 /* ABORT and SHUTDOWN can use either v_tag... */ 3589 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3590 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3591 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3592 if ((vtag_in == asoc->my_vtag) || 3593 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3594 (vtag_in == asoc->peer_vtag))) { 3595 /* this is valid */ 3596 } else { 3597 /* drop this packet... */ 3598 SCTP_STAT_INCR(sctps_badvtag); 3599 if (locked_tcb) { 3600 SCTP_TCB_UNLOCK(locked_tcb); 3601 } 3602 return (NULL); 3603 } 3604 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3605 if (vtag_in != asoc->my_vtag) { 3606 /* 3607 * this could be a stale SHUTDOWN-ACK or the 3608 * peer never got the SHUTDOWN-COMPLETE and 3609 * is still hung; we have started a new asoc 3610 * but it won't complete until the shutdown 3611 * is completed 3612 */ 3613 if (locked_tcb) { 3614 SCTP_TCB_UNLOCK(locked_tcb); 3615 } 3616 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3617 NULL, vrf_id); 3618 return (NULL); 3619 } 3620 } else { 3621 /* for all other chunks, vtag must match */ 3622 if (vtag_in != asoc->my_vtag) { 3623 /* invalid vtag... */ 3624 SCTPDBG(SCTP_DEBUG_INPUT3, 3625 "invalid vtag: %xh, expect %xh\n", 3626 vtag_in, asoc->my_vtag); 3627 SCTP_STAT_INCR(sctps_badvtag); 3628 if (locked_tcb) { 3629 SCTP_TCB_UNLOCK(locked_tcb); 3630 } 3631 *offset = length; 3632 return (NULL); 3633 } 3634 } 3635 } /* end if !SCTP_COOKIE_ECHO */ 3636 /* 3637 * process all control chunks... 3638 */ 3639 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3640 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3641 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3642 /* implied cookie-ack.. we must have lost the ack */ 3643 stcb->asoc.overall_error_count = 0; 3644 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3645 *netp); 3646 } 3647process_control_chunks: 3648 while (IS_SCTP_CONTROL(ch)) { 3649 /* validate chunk length */ 3650 chk_length = ntohs(ch->chunk_length); 3651 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n", 3652 ch->chunk_type, chk_length); 3653 if (chk_length < sizeof(*ch) || 3654 (*offset + (int)chk_length) > length) { 3655 *offset = length; 3656 if (locked_tcb) { 3657 SCTP_TCB_UNLOCK(locked_tcb); 3658 } 3659 return (NULL); 3660 } 3661 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3662 /* 3663 * INIT-ACK only gets the init ack "header" portion only 3664 * because we don't have to process the peer's COOKIE. All 3665 * others get a complete chunk. 3666 */ 3667 if ((ch->chunk_type == SCTP_INITIATION_ACK) || 3668 (ch->chunk_type == SCTP_INITIATION)) { 3669 /* get an init-ack chunk */ 3670 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3671 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3672 if (ch == NULL) { 3673 *offset = length; 3674 if (locked_tcb) { 3675 SCTP_TCB_UNLOCK(locked_tcb); 3676 } 3677 return (NULL); 3678 } 3679 } else { 3680 /* 3681 * For cookies and all other chunks. if the 3682 */ 3683 if (chk_length > sizeof(chunk_buf)) { 3684 /* 3685 * use just the size of the chunk buffer so 3686 * the front part of our chunks fit in 3687 * contiguous space up to the chunk buffer 3688 * size (508 bytes). For chunks that need to 3689 * get more than that they mus use the 3690 * sctp_m_getptr() function or other means 3691 * (know how to parse mbuf chains). Cookies 3692 * do this already. 3693 */ 3694 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3695 (sizeof(chunk_buf) - 4), 3696 chunk_buf); 3697 if (ch == NULL) { 3698 *offset = length; 3699 if (locked_tcb) { 3700 SCTP_TCB_UNLOCK(locked_tcb); 3701 } 3702 return (NULL); 3703 } 3704 } else { 3705 /* We can fit it all */ 3706 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3707 chk_length, chunk_buf); 3708 if (ch == NULL) { 3709 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n"); 3710 *offset = length; 3711 if (locked_tcb) { 3712 SCTP_TCB_UNLOCK(locked_tcb); 3713 } 3714 return (NULL); 3715 } 3716 } 3717 } 3718 num_chunks++; 3719 /* Save off the last place we got a control from */ 3720 if (stcb != NULL) { 3721 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) { 3722 /* 3723 * allow last_control to be NULL if 3724 * ASCONF... ASCONF processing will find the 3725 * right net later 3726 */ 3727 if ((netp != NULL) && (*netp != NULL)) 3728 stcb->asoc.last_control_chunk_from = *netp; 3729 } 3730 } 3731#ifdef SCTP_AUDITING_ENABLED 3732 sctp_audit_log(0xB0, ch->chunk_type); 3733#endif 3734 3735 /* check to see if this chunk required auth, but isn't */ 3736 if ((stcb != NULL) && !sctp_auth_disable && 3737 sctp_auth_is_required_chunk(ch->chunk_type, 3738 stcb->asoc.local_auth_chunks) && 3739 !stcb->asoc.authenticated) { 3740 /* "silently" ignore */ 3741 SCTP_STAT_INCR(sctps_recvauthmissing); 3742 goto next_chunk; 3743 } 3744 switch (ch->chunk_type) { 3745 case SCTP_INITIATION: 3746 /* must be first and only chunk */ 3747 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n"); 3748 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3749 /* We are not interested anymore? */ 3750 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3751 /* 3752 * collision case where we are 3753 * sending to them too 3754 */ 3755 ; 3756 } else { 3757 if (locked_tcb) { 3758 SCTP_TCB_UNLOCK(locked_tcb); 3759 } 3760 *offset = length; 3761 return (NULL); 3762 } 3763 } 3764 if ((num_chunks > 1) || 3765 (sctp_strict_init && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 3766 *offset = length; 3767 if (locked_tcb) { 3768 SCTP_TCB_UNLOCK(locked_tcb); 3769 } 3770 return (NULL); 3771 } 3772 if ((stcb != NULL) && 3773 (SCTP_GET_STATE(&stcb->asoc) == 3774 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3775 sctp_send_shutdown_ack(stcb, 3776 stcb->asoc.primary_destination); 3777 *offset = length; 3778 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3779 if (locked_tcb) { 3780 SCTP_TCB_UNLOCK(locked_tcb); 3781 } 3782 return (NULL); 3783 } 3784 if (netp) { 3785 sctp_handle_init(m, iphlen, *offset, sh, 3786 (struct sctp_init_chunk *)ch, inp, 3787 stcb, *netp, &abort_no_unlock, vrf_id); 3788 } 3789 if (abort_no_unlock) 3790 return (NULL); 3791 3792 *offset = length; 3793 if (locked_tcb) { 3794 SCTP_TCB_UNLOCK(locked_tcb); 3795 } 3796 return (NULL); 3797 break; 3798 case SCTP_PAD_CHUNK: 3799 break; 3800 case SCTP_INITIATION_ACK: 3801 /* must be first and only chunk */ 3802 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n"); 3803 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3804 /* We are not interested anymore */ 3805 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3806 ; 3807 } else { 3808 if (locked_tcb) { 3809 SCTP_TCB_UNLOCK(locked_tcb); 3810 } 3811 *offset = length; 3812 if (stcb) { 3813 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3814 } 3815 return (NULL); 3816 } 3817 } 3818 if ((num_chunks > 1) || 3819 (sctp_strict_init && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 3820 *offset = length; 3821 if (locked_tcb) { 3822 SCTP_TCB_UNLOCK(locked_tcb); 3823 } 3824 return (NULL); 3825 } 3826 if ((netp) && (*netp)) { 3827 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3828 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id); 3829 } else { 3830 ret = -1; 3831 } 3832 /* 3833 * Special case, I must call the output routine to 3834 * get the cookie echoed 3835 */ 3836 if (abort_no_unlock) 3837 return (NULL); 3838 3839 if ((stcb) && ret == 0) 3840 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3841 *offset = length; 3842 if (locked_tcb) { 3843 SCTP_TCB_UNLOCK(locked_tcb); 3844 } 3845 return (NULL); 3846 break; 3847 case SCTP_SELECTIVE_ACK: 3848 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n"); 3849 SCTP_STAT_INCR(sctps_recvsacks); 3850 { 3851 struct sctp_sack_chunk *sack; 3852 int abort_now = 0; 3853 uint32_t a_rwnd, cum_ack; 3854 uint16_t num_seg; 3855 int nonce_sum_flag; 3856 3857 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_sack_chunk))) { 3858 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on sack chunk, too small\n"); 3859 *offset = length; 3860 if (locked_tcb) { 3861 SCTP_TCB_UNLOCK(locked_tcb); 3862 } 3863 return (NULL); 3864 } 3865 sack = (struct sctp_sack_chunk *)ch; 3866 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3867 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3868 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3869 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3870 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n", 3871 cum_ack, 3872 num_seg, 3873 a_rwnd 3874 ); 3875 stcb->asoc.seen_a_sack_this_pkt = 1; 3876 if ((stcb->asoc.pr_sctp_cnt == 0) && 3877 (num_seg == 0) && 3878 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3879 (cum_ack == stcb->asoc.last_acked_seq)) && 3880 (stcb->asoc.saw_sack_with_frags == 0) && 3881 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3882 ) { 3883 /* 3884 * We have a SIMPLE sack having no 3885 * prior segments and data on sent 3886 * queue to be acked.. Use the 3887 * faster path sack processing. We 3888 * also allow window update sacks 3889 * with no missing segments to go 3890 * this way too. 3891 */ 3892 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, 3893 &abort_now); 3894 } else { 3895 if (netp && *netp) 3896 sctp_handle_sack(sack, stcb, *netp, &abort_now, chk_length, a_rwnd); 3897 } 3898 if (abort_now) { 3899 /* ABORT signal from sack processing */ 3900 *offset = length; 3901 return (NULL); 3902 } 3903 } 3904 break; 3905 case SCTP_HEARTBEAT_REQUEST: 3906 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n"); 3907 if ((stcb) && netp && *netp) { 3908 SCTP_STAT_INCR(sctps_recvheartbeat); 3909 sctp_send_heartbeat_ack(stcb, m, *offset, 3910 chk_length, *netp); 3911 3912 /* He's alive so give him credit */ 3913 stcb->asoc.overall_error_count = 0; 3914 } 3915 break; 3916 case SCTP_HEARTBEAT_ACK: 3917 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n"); 3918 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) { 3919 /* Its not ours */ 3920 *offset = length; 3921 if (locked_tcb) { 3922 SCTP_TCB_UNLOCK(locked_tcb); 3923 } 3924 return (NULL); 3925 } 3926 /* He's alive so give him credit */ 3927 stcb->asoc.overall_error_count = 0; 3928 SCTP_STAT_INCR(sctps_recvheartbeatack); 3929 if (netp && *netp) 3930 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3931 stcb, *netp); 3932 break; 3933 case SCTP_ABORT_ASSOCIATION: 3934 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n", 3935 stcb); 3936 if ((stcb) && netp && *netp) 3937 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3938 stcb, *netp); 3939 *offset = length; 3940 return (NULL); 3941 break; 3942 case SCTP_SHUTDOWN: 3943 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n", 3944 stcb); 3945 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) { 3946 *offset = length; 3947 if (locked_tcb) { 3948 SCTP_TCB_UNLOCK(locked_tcb); 3949 } 3950 return (NULL); 3951 3952 } 3953 if (netp && *netp) { 3954 int abort_flag = 0; 3955 3956 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3957 stcb, *netp, &abort_flag); 3958 if (abort_flag) { 3959 *offset = length; 3960 return (NULL); 3961 } 3962 } 3963 break; 3964 case SCTP_SHUTDOWN_ACK: 3965 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", stcb); 3966 if ((stcb) && (netp) && (*netp)) 3967 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3968 *offset = length; 3969 return (NULL); 3970 break; 3971 3972 case SCTP_OPERATION_ERROR: 3973 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n"); 3974 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) { 3975 3976 *offset = length; 3977 return (NULL); 3978 } 3979 break; 3980 case SCTP_COOKIE_ECHO: 3981 SCTPDBG(SCTP_DEBUG_INPUT3, 3982 "SCTP_COOKIE-ECHO, stcb %p\n", stcb); 3983 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3984 ; 3985 } else { 3986 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3987 /* We are not interested anymore */ 3988 *offset = length; 3989 return (NULL); 3990 } 3991 } 3992 /* 3993 * First are we accepting? We do this again here 3994 * sincen it is possible that a previous endpoint 3995 * WAS listening responded to a INIT-ACK and then 3996 * closed. We opened and bound.. and are now no 3997 * longer listening. 3998 */ 3999 if (inp->sctp_socket->so_qlimit == 0) { 4000 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 4001 /* 4002 * special case, is this a retran'd 4003 * COOKIE-ECHO or a restarting assoc 4004 * that is a peeled off or 4005 * one-to-one style socket. 4006 */ 4007 goto process_cookie_anyway; 4008 } 4009 sctp_abort_association(inp, stcb, m, iphlen, 4010 sh, NULL, vrf_id); 4011 *offset = length; 4012 return (NULL); 4013 } else if (inp->sctp_socket->so_qlimit) { 4014 /* we are accepting so check limits like TCP */ 4015 if (inp->sctp_socket->so_qlen > 4016 inp->sctp_socket->so_qlimit) { 4017 /* no space */ 4018 struct mbuf *oper; 4019 struct sctp_paramhdr *phdr; 4020 4021 if (sctp_abort_if_one_2_one_hits_limit) { 4022 oper = NULL; 4023 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4024 0, M_DONTWAIT, 1, MT_DATA); 4025 if (oper) { 4026 SCTP_BUF_LEN(oper) = 4027 sizeof(struct sctp_paramhdr); 4028 phdr = mtod(oper, 4029 struct sctp_paramhdr *); 4030 phdr->param_type = 4031 htons(SCTP_CAUSE_OUT_OF_RESC); 4032 phdr->param_length = 4033 htons(sizeof(struct sctp_paramhdr)); 4034 } 4035 sctp_abort_association(inp, stcb, m, 4036 iphlen, sh, oper, vrf_id); 4037 } 4038 *offset = length; 4039 return (NULL); 4040 } 4041 } 4042 process_cookie_anyway: 4043 { 4044 struct mbuf *ret_buf; 4045 struct sctp_inpcb *linp; 4046 4047 if (stcb) { 4048 linp = NULL; 4049 } else { 4050 linp = inp; 4051 } 4052 4053 if (linp) { 4054 SCTP_ASOC_CREATE_LOCK(linp); 4055 } 4056 if (netp) { 4057 ret_buf = 4058 sctp_handle_cookie_echo(m, iphlen, 4059 *offset, sh, 4060 (struct sctp_cookie_echo_chunk *)ch, 4061 &inp, &stcb, netp, 4062 auth_skipped, 4063 auth_offset, 4064 auth_len, 4065 &locked_tcb, 4066 vrf_id); 4067 } else { 4068 ret_buf = NULL; 4069 } 4070 if (linp) { 4071 SCTP_ASOC_CREATE_UNLOCK(linp); 4072 } 4073 if (ret_buf == NULL) { 4074 if (locked_tcb) { 4075 SCTP_TCB_UNLOCK(locked_tcb); 4076 } 4077 SCTPDBG(SCTP_DEBUG_INPUT3, 4078 "GAK, null buffer\n"); 4079 auth_skipped = 0; 4080 *offset = length; 4081 return (NULL); 4082 } 4083 /* if AUTH skipped, see if it verified... */ 4084 if (auth_skipped) { 4085 got_auth = 1; 4086 auth_skipped = 0; 4087 } 4088 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4089 /* 4090 * Restart the timer if we have 4091 * pending data 4092 */ 4093 struct sctp_tmit_chunk *chk; 4094 4095 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4096 if (chk) { 4097 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4098 stcb->sctp_ep, stcb, 4099 chk->whoTo); 4100 } 4101 } 4102 } 4103 break; 4104 case SCTP_COOKIE_ACK: 4105 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", stcb); 4106 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) { 4107 if (locked_tcb) { 4108 SCTP_TCB_UNLOCK(locked_tcb); 4109 } 4110 return (NULL); 4111 } 4112 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4113 /* We are not interested anymore */ 4114 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4115 ; 4116 } else if (stcb) { 4117 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4118 *offset = length; 4119 return (NULL); 4120 } 4121 } 4122 /* He's alive so give him credit */ 4123 if ((stcb) && netp && *netp) { 4124 stcb->asoc.overall_error_count = 0; 4125 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4126 } 4127 break; 4128 case SCTP_ECN_ECHO: 4129 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n"); 4130 /* He's alive so give him credit */ 4131 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) { 4132 /* Its not ours */ 4133 if (locked_tcb) { 4134 SCTP_TCB_UNLOCK(locked_tcb); 4135 } 4136 *offset = length; 4137 return (NULL); 4138 } 4139 if (stcb) { 4140 stcb->asoc.overall_error_count = 0; 4141 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4142 stcb); 4143 } 4144 break; 4145 case SCTP_ECN_CWR: 4146 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n"); 4147 /* He's alive so give him credit */ 4148 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) { 4149 /* Its not ours */ 4150 if (locked_tcb) { 4151 SCTP_TCB_UNLOCK(locked_tcb); 4152 } 4153 *offset = length; 4154 return (NULL); 4155 } 4156 if (stcb) { 4157 stcb->asoc.overall_error_count = 0; 4158 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4159 } 4160 break; 4161 case SCTP_SHUTDOWN_COMPLETE: 4162 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", stcb); 4163 /* must be first and only chunk */ 4164 if ((num_chunks > 1) || 4165 (length - *offset > (int)SCTP_SIZE32(chk_length))) { 4166 *offset = length; 4167 if (locked_tcb) { 4168 SCTP_TCB_UNLOCK(locked_tcb); 4169 } 4170 return (NULL); 4171 } 4172 if ((stcb) && netp && *netp) { 4173 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4174 stcb, *netp); 4175 } 4176 *offset = length; 4177 return (NULL); 4178 break; 4179 case SCTP_ASCONF: 4180 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n"); 4181 /* He's alive so give him credit */ 4182 if (stcb) { 4183 stcb->asoc.overall_error_count = 0; 4184 sctp_handle_asconf(m, *offset, 4185 (struct sctp_asconf_chunk *)ch, stcb); 4186 } 4187 break; 4188 case SCTP_ASCONF_ACK: 4189 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n"); 4190 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) { 4191 /* Its not ours */ 4192 if (locked_tcb) { 4193 SCTP_TCB_UNLOCK(locked_tcb); 4194 } 4195 *offset = length; 4196 return (NULL); 4197 } 4198 if ((stcb) && netp && *netp) { 4199 /* He's alive so give him credit */ 4200 stcb->asoc.overall_error_count = 0; 4201 sctp_handle_asconf_ack(m, *offset, 4202 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4203 } 4204 break; 4205 case SCTP_FORWARD_CUM_TSN: 4206 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n"); 4207 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) { 4208 /* Its not ours */ 4209 if (locked_tcb) { 4210 SCTP_TCB_UNLOCK(locked_tcb); 4211 } 4212 *offset = length; 4213 return (NULL); 4214 } 4215 /* He's alive so give him credit */ 4216 if (stcb) { 4217 int abort_flag = 0; 4218 4219 stcb->asoc.overall_error_count = 0; 4220 *fwd_tsn_seen = 1; 4221 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4222 /* We are not interested anymore */ 4223 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28); 4224 *offset = length; 4225 return (NULL); 4226 } 4227 sctp_handle_forward_tsn(stcb, 4228 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4229 if (abort_flag) { 4230 *offset = length; 4231 return (NULL); 4232 } else { 4233 stcb->asoc.overall_error_count = 0; 4234 } 4235 4236 } 4237 break; 4238 case SCTP_STREAM_RESET: 4239 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n"); 4240 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4241 chk_length, chunk_buf); 4242 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) { 4243 /* Its not ours */ 4244 if (locked_tcb) { 4245 SCTP_TCB_UNLOCK(locked_tcb); 4246 } 4247 *offset = length; 4248 return (NULL); 4249 } 4250 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4251 /* We are not interested anymore */ 4252 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4253 *offset = length; 4254 return (NULL); 4255 } 4256 if (stcb->asoc.peer_supports_strreset == 0) { 4257 /* 4258 * hmm, peer should have announced this, but 4259 * we will turn it on since he is sending us 4260 * a stream reset. 4261 */ 4262 stcb->asoc.peer_supports_strreset = 1; 4263 } 4264 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4265 /* stop processing */ 4266 *offset = length; 4267 return (NULL); 4268 } 4269 break; 4270 case SCTP_PACKET_DROPPED: 4271 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n"); 4272 /* re-get it all please */ 4273 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) { 4274 /* Its not ours */ 4275 if (locked_tcb) { 4276 SCTP_TCB_UNLOCK(locked_tcb); 4277 } 4278 *offset = length; 4279 return (NULL); 4280 } 4281 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4282 chk_length, chunk_buf); 4283 4284 if (ch && (stcb) && netp && (*netp)) { 4285 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4286 stcb, *netp); 4287 } 4288 break; 4289 4290 case SCTP_AUTHENTICATION: 4291 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n"); 4292 if (sctp_auth_disable) 4293 goto unknown_chunk; 4294 4295 if (stcb == NULL) { 4296 /* save the first AUTH for later processing */ 4297 if (auth_skipped == 0) { 4298 auth_offset = *offset; 4299 auth_len = chk_length; 4300 auth_skipped = 1; 4301 } 4302 /* skip this chunk (temporarily) */ 4303 goto next_chunk; 4304 } 4305 if ((chk_length < (sizeof(struct sctp_auth_chunk))) || 4306 (chk_length > (sizeof(struct sctp_auth_chunk) + 4307 SCTP_AUTH_DIGEST_LEN_MAX))) { 4308 /* Its not ours */ 4309 if (locked_tcb) { 4310 SCTP_TCB_UNLOCK(locked_tcb); 4311 } 4312 *offset = length; 4313 return (NULL); 4314 } 4315 if (got_auth == 1) { 4316 /* skip this chunk... it's already auth'd */ 4317 goto next_chunk; 4318 } 4319 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4320 chk_length, chunk_buf); 4321 got_auth = 1; 4322 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4323 m, *offset)) { 4324 /* auth HMAC failed so dump the packet */ 4325 *offset = length; 4326 return (stcb); 4327 } else { 4328 /* remaining chunks are HMAC checked */ 4329 stcb->asoc.authenticated = 1; 4330 } 4331 break; 4332 4333 default: 4334 unknown_chunk: 4335 /* it's an unknown chunk! */ 4336 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4337 struct mbuf *mm; 4338 struct sctp_paramhdr *phd; 4339 4340 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4341 0, M_DONTWAIT, 1, MT_DATA); 4342 if (mm) { 4343 phd = mtod(mm, struct sctp_paramhdr *); 4344 /* 4345 * We cheat and use param type since 4346 * we did not bother to define a 4347 * error cause struct. They are the 4348 * same basic format with different 4349 * names. 4350 */ 4351 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4352 phd->param_length = htons(chk_length + sizeof(*phd)); 4353 SCTP_BUF_LEN(mm) = sizeof(*phd); 4354 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 4355 M_DONTWAIT); 4356 if (SCTP_BUF_NEXT(mm)) { 4357 sctp_queue_op_err(stcb, mm); 4358 } else { 4359 sctp_m_freem(mm); 4360 } 4361 } 4362 } 4363 if ((ch->chunk_type & 0x80) == 0) { 4364 /* discard this packet */ 4365 *offset = length; 4366 return (stcb); 4367 } /* else skip this bad chunk and continue... */ 4368 break; 4369 } /* switch (ch->chunk_type) */ 4370 4371 4372next_chunk: 4373 /* get the next chunk */ 4374 *offset += SCTP_SIZE32(chk_length); 4375 if (*offset >= length) { 4376 /* no more data left in the mbuf chain */ 4377 break; 4378 } 4379 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4380 sizeof(struct sctp_chunkhdr), chunk_buf); 4381 if (ch == NULL) { 4382 if (locked_tcb) { 4383 SCTP_TCB_UNLOCK(locked_tcb); 4384 } 4385 *offset = length; 4386 return (NULL); 4387 } 4388 } /* while */ 4389 return (stcb); 4390} 4391 4392 4393/* 4394 * Process the ECN bits we have something set so we must look to see if it is 4395 * ECN(0) or ECN(1) or CE 4396 */ 4397static __inline void 4398sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4399 uint8_t ecn_bits) 4400{ 4401 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4402 ; 4403 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4404 /* 4405 * we only add to the nonce sum for ECT1, ECT0 does not 4406 * change the NS bit (that we have yet to find a way to send 4407 * it yet). 4408 */ 4409 4410 /* ECN Nonce stuff */ 4411 stcb->asoc.receiver_nonce_sum++; 4412 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4413 4414 /* 4415 * Drag up the last_echo point if cumack is larger since we 4416 * don't want the point falling way behind by more than 4417 * 2^^31 and then having it be incorrect. 4418 */ 4419 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4420 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4421 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4422 } 4423 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4424 /* 4425 * Drag up the last_echo point if cumack is larger since we 4426 * don't want the point falling way behind by more than 4427 * 2^^31 and then having it be incorrect. 4428 */ 4429 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4430 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4431 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4432 } 4433 } 4434} 4435 4436static __inline void 4437sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4438 uint32_t high_tsn, uint8_t ecn_bits) 4439{ 4440 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4441 /* 4442 * we possibly must notify the sender that a congestion 4443 * window reduction is in order. We do this by adding a ECNE 4444 * chunk to the output chunk queue. The incoming CWR will 4445 * remove this chunk. 4446 */ 4447 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4448 MAX_TSN)) { 4449 /* Yep, we need to add a ECNE */ 4450 sctp_send_ecn_echo(stcb, net, high_tsn); 4451 stcb->asoc.last_echo_tsn = high_tsn; 4452 } 4453 } 4454} 4455 4456/* 4457 * common input chunk processing (v4 and v6) 4458 */ 4459void 4460sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4461 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4462 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4463 uint8_t ecn_bits, uint32_t vrf_id) 4464{ 4465 /* 4466 * Control chunk processing 4467 */ 4468 uint32_t high_tsn; 4469 int fwd_tsn_seen = 0, data_processed = 0; 4470 struct mbuf *m = *mm; 4471 int abort_flag = 0; 4472 int un_sent; 4473 4474 SCTP_STAT_INCR(sctps_recvdatagrams); 4475#ifdef SCTP_AUDITING_ENABLED 4476 sctp_audit_log(0xE0, 1); 4477 sctp_auditing(0, inp, stcb, net); 4478#endif 4479 4480 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 4481 m, iphlen, offset); 4482 4483 if (stcb) { 4484 /* always clear this before beginning a packet */ 4485 stcb->asoc.authenticated = 0; 4486 stcb->asoc.seen_a_sack_this_pkt = 0; 4487 } 4488 if (IS_SCTP_CONTROL(ch)) { 4489 /* process the control portion of the SCTP packet */ 4490 /* sa_ignore NO_NULL_CHK */ 4491 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4492 inp, stcb, &net, &fwd_tsn_seen, vrf_id); 4493 if (stcb) { 4494 /* 4495 * This covers us if the cookie-echo was there and 4496 * it changes our INP. 4497 */ 4498 inp = stcb->sctp_ep; 4499 } 4500 } else { 4501 /* 4502 * no control chunks, so pre-process DATA chunks (these 4503 * checks are taken care of by control processing) 4504 */ 4505 4506 /* 4507 * if DATA only packet, and auth is required, then punt... 4508 * can't have authenticated without any AUTH (control) 4509 * chunks 4510 */ 4511 if ((stcb != NULL) && !sctp_auth_disable && 4512 sctp_auth_is_required_chunk(SCTP_DATA, 4513 stcb->asoc.local_auth_chunks)) { 4514 /* "silently" ignore */ 4515 SCTP_STAT_INCR(sctps_recvauthmissing); 4516 SCTP_TCB_UNLOCK(stcb); 4517 return; 4518 } 4519 if (stcb == NULL) { 4520 /* out of the blue DATA chunk */ 4521 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 4522 vrf_id); 4523 return; 4524 } 4525 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4526 /* v_tag mismatch! */ 4527 SCTP_STAT_INCR(sctps_badvtag); 4528 SCTP_TCB_UNLOCK(stcb); 4529 return; 4530 } 4531 } 4532 4533 if (stcb == NULL) { 4534 /* 4535 * no valid TCB for this packet, or we found it's a bad 4536 * packet while processing control, or we're done with this 4537 * packet (done or skip rest of data), so we drop it... 4538 */ 4539 return; 4540 } 4541 /* 4542 * DATA chunk processing 4543 */ 4544 /* plow through the data chunks while length > offset */ 4545 4546 /* 4547 * Rest should be DATA only. Check authentication state if AUTH for 4548 * DATA is required. 4549 */ 4550 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable && 4551 sctp_auth_is_required_chunk(SCTP_DATA, 4552 stcb->asoc.local_auth_chunks) && 4553 !stcb->asoc.authenticated) { 4554 /* "silently" ignore */ 4555 SCTP_STAT_INCR(sctps_recvauthmissing); 4556 SCTPDBG(SCTP_DEBUG_AUTH1, 4557 "Data chunk requires AUTH, skipped\n"); 4558 goto trigger_send; 4559 } 4560 if (length > offset) { 4561 int retval; 4562 4563 /* 4564 * First check to make sure our state is correct. We would 4565 * not get here unless we really did have a tag, so we don't 4566 * abort if this happens, just dump the chunk silently. 4567 */ 4568 switch (SCTP_GET_STATE(&stcb->asoc)) { 4569 case SCTP_STATE_COOKIE_ECHOED: 4570 /* 4571 * we consider data with valid tags in this state 4572 * shows us the cookie-ack was lost. Imply it was 4573 * there. 4574 */ 4575 stcb->asoc.overall_error_count = 0; 4576 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4577 break; 4578 case SCTP_STATE_COOKIE_WAIT: 4579 /* 4580 * We consider OOTB any data sent during asoc setup. 4581 */ 4582 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 4583 vrf_id); 4584 SCTP_TCB_UNLOCK(stcb); 4585 return; 4586 break; 4587 case SCTP_STATE_EMPTY: /* should not happen */ 4588 case SCTP_STATE_INUSE: /* should not happen */ 4589 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4590 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4591 default: 4592 SCTP_TCB_UNLOCK(stcb); 4593 return; 4594 break; 4595 case SCTP_STATE_OPEN: 4596 case SCTP_STATE_SHUTDOWN_SENT: 4597 break; 4598 } 4599 /* take care of ECN, part 1. */ 4600 if (stcb->asoc.ecn_allowed && 4601 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4602 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4603 } 4604 /* plow through the data chunks while length > offset */ 4605 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4606 inp, stcb, net, &high_tsn); 4607 if (retval == 2) { 4608 /* 4609 * The association aborted, NO UNLOCK needed since 4610 * the association is destroyed. 4611 */ 4612 return; 4613 } 4614 data_processed = 1; 4615 if (retval == 0) { 4616 /* take care of ecn part 2. */ 4617 if (stcb->asoc.ecn_allowed && 4618 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4619 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4620 ecn_bits); 4621 } 4622 } 4623 /* 4624 * Anything important needs to have been m_copy'ed in 4625 * process_data 4626 */ 4627 } 4628 if ((data_processed == 0) && (fwd_tsn_seen)) { 4629 int was_a_gap = 0; 4630 4631 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4632 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4633 /* there was a gap before this data was processed */ 4634 was_a_gap = 1; 4635 } 4636 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4637 if (abort_flag) { 4638 /* Again, we aborted so NO UNLOCK needed */ 4639 return; 4640 } 4641 } 4642 /* trigger send of any chunks in queue... */ 4643trigger_send: 4644#ifdef SCTP_AUDITING_ENABLED 4645 sctp_audit_log(0xE0, 2); 4646 sctp_auditing(1, inp, stcb, net); 4647#endif 4648 SCTPDBG(SCTP_DEBUG_INPUT1, 4649 "Check for chunk output prw:%d tqe:%d tf=%d\n", 4650 stcb->asoc.peers_rwnd, 4651 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4652 stcb->asoc.total_flight); 4653 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4654 4655 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4656 ((un_sent) && 4657 (stcb->asoc.peers_rwnd > 0 || 4658 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4659 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n"); 4660 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4661 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n"); 4662 } 4663#ifdef SCTP_AUDITING_ENABLED 4664 sctp_audit_log(0xE0, 3); 4665 sctp_auditing(2, inp, stcb, net); 4666#endif 4667 SCTP_TCB_UNLOCK(stcb); 4668 return; 4669} 4670 4671 4672 4673void 4674sctp_input(i_pak, off) 4675 struct mbuf *i_pak; 4676 int off; 4677 4678{ 4679#ifdef SCTP_MBUF_LOGGING 4680 struct mbuf *mat; 4681 4682#endif 4683 struct mbuf *m; 4684 int iphlen; 4685 uint32_t vrf_id = 0; 4686 uint8_t ecn_bits; 4687 struct ip *ip; 4688 struct sctphdr *sh; 4689 struct sctp_inpcb *inp = NULL; 4690 4691 uint32_t check, calc_check; 4692 struct sctp_nets *net; 4693 struct sctp_tcb *stcb = NULL; 4694 struct sctp_chunkhdr *ch; 4695 int refcount_up = 0; 4696 int length, mlen, offset; 4697 4698 4699 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) { 4700 SCTP_RELEASE_PKT(i_pak); 4701 return; 4702 } 4703 mlen = SCTP_HEADER_LEN(i_pak); 4704 iphlen = off; 4705 m = SCTP_HEADER_TO_CHAIN(i_pak); 4706 4707 net = NULL; 4708 SCTP_STAT_INCR(sctps_recvpackets); 4709 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4710 4711 4712#ifdef SCTP_MBUF_LOGGING 4713 /* Log in any input mbufs */ 4714 mat = m; 4715 while (mat) { 4716 if (SCTP_BUF_IS_EXTENDED(mat)) { 4717 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4718 } 4719 mat = SCTP_BUF_NEXT(mat); 4720 } 4721#endif 4722#ifdef SCTP_PACKET_LOGGING 4723 sctp_packet_log(m, mlen); 4724#endif 4725 /* 4726 * Must take out the iphlen, since mlen expects this (only effect lb 4727 * case) 4728 */ 4729 mlen -= iphlen; 4730 4731 /* 4732 * Get IP, SCTP, and first chunk header together in first mbuf. 4733 */ 4734 ip = mtod(m, struct ip *); 4735 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4736 if (SCTP_BUF_LEN(m) < offset) { 4737 if ((m = m_pullup(m, offset)) == 0) { 4738 SCTP_STAT_INCR(sctps_hdrops); 4739 return; 4740 } 4741 ip = mtod(m, struct ip *); 4742 } 4743 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4744 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4745 4746 /* SCTP does not allow broadcasts or multicasts */ 4747 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4748 goto bad; 4749 } 4750 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 4751 /* 4752 * We only look at broadcast if its a front state, All 4753 * others we will not have a tcb for anyway. 4754 */ 4755 goto bad; 4756 } 4757 /* validate SCTP checksum */ 4758 if ((sctp_no_csum_on_loopback == 0) || !SCTP_IS_IT_LOOPBACK(m)) { 4759 /* 4760 * we do NOT validate things from the loopback if the sysctl 4761 * is set to 1. 4762 */ 4763 check = sh->checksum; /* save incoming checksum */ 4764 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4765 /* 4766 * special hook for where we got a local address 4767 * somehow routed across a non IFT_LOOP type 4768 * interface 4769 */ 4770 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4771 goto sctp_skip_csum_4; 4772 } 4773 sh->checksum = 0; /* prepare for calc */ 4774 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4775 if (calc_check != check) { 4776 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4777 calc_check, check, m, mlen, iphlen); 4778 4779 stcb = sctp_findassociation_addr(m, iphlen, 4780 offset - sizeof(*ch), 4781 sh, ch, &inp, &net, 4782 vrf_id); 4783 if ((inp) && (stcb)) { 4784 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4785 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4786 } else if ((inp != NULL) && (stcb == NULL)) { 4787 refcount_up = 1; 4788 } 4789 SCTP_STAT_INCR(sctps_badsum); 4790 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4791 goto bad; 4792 } 4793 sh->checksum = calc_check; 4794 } 4795sctp_skip_csum_4: 4796 /* destination port of 0 is illegal, based on RFC2960. */ 4797 if (sh->dest_port == 0) { 4798 SCTP_STAT_INCR(sctps_hdrops); 4799 goto bad; 4800 } 4801 /* validate mbuf chain length with IP payload length */ 4802 if (mlen < (ip->ip_len - iphlen)) { 4803 SCTP_STAT_INCR(sctps_hdrops); 4804 goto bad; 4805 } 4806 /* 4807 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4808 * IP/SCTP/first chunk header... 4809 */ 4810 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4811 sh, ch, &inp, &net, vrf_id); 4812 /* inp's ref-count increased && stcb locked */ 4813 if (inp == NULL) { 4814 struct sctp_init_chunk *init_chk, chunk_buf; 4815 4816 SCTP_STAT_INCR(sctps_noport); 4817#ifdef ICMP_BANDLIM 4818 /* 4819 * we use the bandwidth limiting to protect against sending 4820 * too many ABORTS all at once. In this case these count the 4821 * same as an ICMP message. 4822 */ 4823 if (badport_bandlim(0) < 0) 4824 goto bad; 4825#endif /* ICMP_BANDLIM */ 4826 SCTPDBG(SCTP_DEBUG_INPUT1, 4827 "Sending a ABORT from packet entry!\n"); 4828 if (ch->chunk_type == SCTP_INITIATION) { 4829 /* 4830 * we do a trick here to get the INIT tag, dig in 4831 * and get the tag from the INIT and put it in the 4832 * common header. 4833 */ 4834 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4835 iphlen + sizeof(*sh), sizeof(*init_chk), 4836 (uint8_t *) & chunk_buf); 4837 if (init_chk != NULL) 4838 sh->v_tag = init_chk->init.initiate_tag; 4839 } 4840 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4841 sctp_send_shutdown_complete2(m, iphlen, sh, vrf_id); 4842 goto bad; 4843 } 4844 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 4845 goto bad; 4846 } 4847 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 4848 sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id); 4849 goto bad; 4850 } else if (stcb == NULL) { 4851 refcount_up = 1; 4852 } 4853#ifdef IPSEC 4854 /* 4855 * I very much doubt any of the IPSEC stuff will work but I have no 4856 * idea, so I will leave it in place. 4857 */ 4858 4859 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 4860 ipsecstat.in_polvio++; 4861 SCTP_STAT_INCR(sctps_hdrops); 4862 goto bad; 4863 } 4864#endif /* IPSEC */ 4865 4866 /* 4867 * common chunk processing 4868 */ 4869 length = ip->ip_len + iphlen; 4870 offset -= sizeof(struct sctp_chunkhdr); 4871 4872 ecn_bits = ip->ip_tos; 4873 4874 /* sa_ignore NO_NULL_CHK */ 4875 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4876 inp, stcb, net, ecn_bits, vrf_id); 4877 /* inp's ref-count reduced && stcb unlocked */ 4878 if (m) { 4879 sctp_m_freem(m); 4880 } 4881 if ((inp) && (refcount_up)) { 4882 /* reduce ref-count */ 4883 SCTP_INP_WLOCK(inp); 4884 SCTP_INP_DECR_REF(inp); 4885 SCTP_INP_WUNLOCK(inp); 4886 } 4887 return; 4888bad: 4889 if (stcb) { 4890 SCTP_TCB_UNLOCK(stcb); 4891 } 4892 if ((inp) && (refcount_up)) { 4893 /* reduce ref-count */ 4894 SCTP_INP_WLOCK(inp); 4895 SCTP_INP_DECR_REF(inp); 4896 SCTP_INP_WUNLOCK(inp); 4897 } 4898 if (m) { 4899 sctp_m_freem(m); 4900 } 4901 return; 4902} 4903