sctp_input.c revision 163996
1/*- 2 * Copyright (c) 2001-2006, Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 163996 2006-11-05 13:25:18Z rrs $"); 35 36#include "opt_ipsec.h" 37#include "opt_compat.h" 38#include "opt_inet6.h" 39#include "opt_inet.h" 40#include "opt_sctp.h" 41 42#include <sys/param.h> 43#include <sys/systm.h> 44#include <sys/malloc.h> 45#include <sys/mbuf.h> 46#include <sys/socket.h> 47#include <sys/socketvar.h> 48#include <sys/sysctl.h> 49#include <sys/domain.h> 50#include <sys/protosw.h> 51#include <sys/kernel.h> 52#include <sys/errno.h> 53#include <sys/syslog.h> 54 55#include <sys/limits.h> 56#include <machine/cpu.h> 57 58#include <net/if.h> 59#include <net/route.h> 60#include <net/if_types.h> 61 62#include <netinet/in.h> 63#include <netinet/in_systm.h> 64#include <netinet/ip.h> 65#include <netinet/in_pcb.h> 66#include <netinet/in_var.h> 67#include <netinet/ip_var.h> 68 69#ifdef INET6 70#include <netinet/ip6.h> 71#include <netinet6/ip6_var.h> 72#endif /* INET6 */ 73 74#include <netinet/ip_icmp.h> 75#include <netinet/icmp_var.h> 76 77#include <netinet/sctp_os.h> 78#include <netinet/sctp_var.h> 79#include <netinet/sctp_pcb.h> 80#include <netinet/sctp_header.h> 81#include <netinet/sctputil.h> 82#include <netinet/sctp_output.h> 83#include <netinet/sctp_input.h> 84#include <netinet/sctp_auth.h> 85#include <netinet/sctp_indata.h> 86#include <netinet/sctp_asconf.h> 87 88#include <netinet/ip_options.h> 89 90 91#ifdef IPSEC 92#include <netinet6/ipsec.h> 93#include <netkey/key.h> 94#endif /* IPSEC */ 95 96 97#ifdef SCTP_DEBUG 98extern uint32_t sctp_debug_on; 99 100#endif 101 102 103static void 104sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 105{ 106 struct sctp_nets *net; 107 108 SCTP_TCB_LOCK_ASSERT(stcb); 109 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 110 if ((callout_pending(&net->rxt_timer.timer)) && 111 (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE)) { 112 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 113 stcb->sctp_ep, 114 stcb, 115 net); 116 } 117 } 118} 119 120/* INIT handler */ 121static void 122sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 123 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 124 struct sctp_nets *net) 125{ 126 struct sctp_init *init; 127 struct mbuf *op_err; 128 uint32_t init_limit; 129 130#ifdef SCTP_DEBUG 131 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 132 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 133 } 134#endif 135 op_err = NULL; 136 init = &cp->init; 137 /* First are we accepting? */ 138 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 139#ifdef SCTP_DEBUG 140 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 141 printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit); 142 } 143#endif 144 /* 145 * FIX ME ?? What about TCP model and we have a 146 * match/restart case? 147 */ 148 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 149 return; 150 } 151 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 152 /* Invalid length */ 153 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 154 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 155 return; 156 } 157 /* validate parameters */ 158 if (init->initiate_tag == 0) { 159 /* protocol error... send abort */ 160 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 161 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 162 return; 163 } 164 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 165 /* invalid parameter... send abort */ 166 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 167 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 168 return; 169 } 170 if (init->num_inbound_streams == 0) { 171 /* protocol error... send abort */ 172 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 173 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 174 return; 175 } 176 if (init->num_outbound_streams == 0) { 177 /* protocol error... send abort */ 178 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 179 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 180 return; 181 } 182 init_limit = offset + ntohs(cp->ch.chunk_length); 183 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 184 init_limit)) { 185 /* auth parameter(s) error... send abort */ 186 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL); 187 return; 188 } 189 /* send an INIT-ACK w/cookie */ 190#ifdef SCTP_DEBUG 191 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 192 printf("sctp_handle_init: sending INIT-ACK\n"); 193 } 194#endif 195 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 196} 197 198/* 199 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 200 */ 201static int 202sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 203 struct sctp_nets *net) 204{ 205 struct sctp_init *init; 206 struct sctp_association *asoc; 207 struct sctp_nets *lnet; 208 unsigned int i; 209 210 init = &cp->init; 211 asoc = &stcb->asoc; 212 /* save off parameters */ 213 asoc->peer_vtag = ntohl(init->initiate_tag); 214 asoc->peers_rwnd = ntohl(init->a_rwnd); 215 if (TAILQ_FIRST(&asoc->nets)) { 216 /* update any ssthresh's that may have a default */ 217 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 218 lnet->ssthresh = asoc->peers_rwnd; 219 220#if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 221 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 222#endif 223 224 } 225 } 226 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 227 unsigned int newcnt; 228 struct sctp_stream_out *outs; 229 struct sctp_stream_queue_pending *sp; 230 231 /* cut back on number of streams */ 232 newcnt = ntohs(init->num_inbound_streams); 233 /* This if is probably not needed but I am cautious */ 234 if (asoc->strmout) { 235 /* First make sure no data chunks are trapped */ 236 for (i = newcnt; i < asoc->pre_open_streams; i++) { 237 outs = &asoc->strmout[i]; 238 sp = TAILQ_FIRST(&outs->outqueue); 239 while (sp) { 240 TAILQ_REMOVE(&outs->outqueue, sp, 241 next); 242 asoc->stream_queue_cnt--; 243 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 244 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 245 sp); 246 if (sp->data) { 247 sctp_m_freem(sp->data); 248 sp->data = NULL; 249 } 250 sctp_free_remote_addr(sp->net); 251 sp->net = NULL; 252 /* Free the chunk */ 253 printf("sp:%p tcb:%p weird free case\n", 254 sp, stcb); 255 256 sctp_free_a_strmoq(stcb, sp); 257 sp = TAILQ_FIRST(&outs->outqueue); 258 } 259 } 260 } 261 /* cut back the count and abandon the upper streams */ 262 asoc->pre_open_streams = newcnt; 263 } 264 asoc->streamincnt = ntohs(init->num_outbound_streams); 265 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 266 asoc->streamincnt = MAX_SCTP_STREAMS; 267 } 268 asoc->streamoutcnt = asoc->pre_open_streams; 269 /* init tsn's */ 270 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 271#ifdef SCTP_MAP_LOGGING 272 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 273#endif 274 /* This is the next one we expect */ 275 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 276 277 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 278 asoc->cumulative_tsn = asoc->asconf_seq_in; 279 asoc->last_echo_tsn = asoc->asconf_seq_in; 280 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 281 /* open the requested streams */ 282 if (asoc->strmin != NULL) { 283 /* Free the old ones */ 284 SCTP_FREE(asoc->strmin); 285 } 286 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 287 sizeof(struct sctp_stream_in), "StreamsIn"); 288 if (asoc->strmin == NULL) { 289 /* we didn't get memory for the streams! */ 290#ifdef SCTP_DEBUG 291 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 292 printf("process_init: couldn't get memory for the streams!\n"); 293 } 294#endif 295 return (-1); 296 } 297 for (i = 0; i < asoc->streamincnt; i++) { 298 asoc->strmin[i].stream_no = i; 299 asoc->strmin[i].last_sequence_delivered = 0xffff; 300 /* 301 * U-stream ranges will be set when the cookie is unpacked. 302 * Or for the INIT sender they are un set (if pr-sctp not 303 * supported) when the INIT-ACK arrives. 304 */ 305 TAILQ_INIT(&asoc->strmin[i].inqueue); 306 /* 307 * we are not on any wheel, pr-sctp streams will go on the 308 * wheel when they have data waiting for reorder. 309 */ 310 asoc->strmin[i].next_spoke.tqe_next = 0; 311 asoc->strmin[i].next_spoke.tqe_prev = 0; 312 } 313 314 /* 315 * load_address_from_init will put the addresses into the 316 * association when the COOKIE is processed or the INIT-ACK is 317 * processed. Both types of COOKIE's existing and new call this 318 * routine. It will remove addresses that are no longer in the 319 * association (for the restarting case where addresses are 320 * removed). Up front when the INIT arrives we will discard it if it 321 * is a restart and new addresses have been added. 322 */ 323 return (0); 324} 325 326/* 327 * INIT-ACK message processing/consumption returns value < 0 on error 328 */ 329static int 330sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 331 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 332 struct sctp_nets *net) 333{ 334 struct sctp_association *asoc; 335 struct mbuf *op_err; 336 int retval, abort_flag; 337 uint32_t initack_limit; 338 339 /* First verify that we have no illegal param's */ 340 abort_flag = 0; 341 op_err = NULL; 342 343 op_err = sctp_arethere_unrecognized_parameters(m, 344 (offset + sizeof(struct sctp_init_chunk)), 345 &abort_flag, (struct sctp_chunkhdr *)cp); 346 if (abort_flag) { 347 /* Send an abort and notify peer */ 348 if (op_err != NULL) { 349 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 350 } else { 351 /* 352 * Just notify (abort_assoc does this if we send an 353 * abort). 354 */ 355 sctp_abort_notification(stcb, 0); 356 /* 357 * No sense in further INIT's since we will get the 358 * same param back 359 */ 360 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 361 } 362 return (-1); 363 } 364 asoc = &stcb->asoc; 365 /* process the peer's parameters in the INIT-ACK */ 366 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 367 if (retval < 0) { 368 return (retval); 369 } 370 initack_limit = offset + ntohs(cp->ch.chunk_length); 371 /* load all addresses */ 372 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 373 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 374 NULL))) { 375 /* Huh, we should abort */ 376#ifdef SCTP_DEBUG 377 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 378 printf("Load addresses from INIT causes an abort %d\n", retval); 379 } 380#endif 381 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 382 NULL); 383 return (-1); 384 } 385 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 386 stcb->asoc.local_hmacs); 387 if (op_err) { 388 sctp_queue_op_err(stcb, op_err); 389 /* queuing will steal away the mbuf chain to the out queue */ 390 op_err = NULL; 391 } 392 /* extract the cookie and queue it to "echo" it back... */ 393 stcb->asoc.overall_error_count = 0; 394 net->error_count = 0; 395 396 /* 397 * Cancel the INIT timer, We do this first before queueing the 398 * cookie. We always cancel at the primary to assue that we are 399 * canceling the timer started by the INIT which always goes to the 400 * primary. 401 */ 402 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 403 asoc->primary_destination); 404 405 retval = sctp_send_cookie_echo(m, offset, stcb, net); 406 if (retval < 0) { 407 /* 408 * No cookie, we probably should send a op error. But in any 409 * case if there is no cookie in the INIT-ACK, we can 410 * abandon the peer, its broke. 411 */ 412 if (retval == -3) { 413 /* We abort with an error of missing mandatory param */ 414 struct mbuf *op_err; 415 416 op_err = 417 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 418 if (op_err) { 419 /* 420 * Expand beyond to include the mandatory 421 * param cookie 422 */ 423 struct sctp_inv_mandatory_param *mp; 424 425 op_err->m_len = 426 sizeof(struct sctp_inv_mandatory_param); 427 mp = mtod(op_err, 428 struct sctp_inv_mandatory_param *); 429 /* Subtract the reserved param */ 430 mp->length = 431 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 432 mp->num_param = htonl(1); 433 mp->param = htons(SCTP_STATE_COOKIE); 434 mp->resv = 0; 435 } 436 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 437 sh, op_err); 438 } 439 return (retval); 440 } 441 /* calculate the RTO */ 442 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 443 444 return (0); 445} 446 447static void 448sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 449 struct sctp_tcb *stcb, struct sctp_nets *net) 450{ 451 struct sockaddr_storage store; 452 struct sockaddr_in *sin; 453 struct sockaddr_in6 *sin6; 454 struct sctp_nets *r_net; 455 struct timeval tv; 456 457 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 458 /* Invalid length */ 459 return; 460 } 461 sin = (struct sockaddr_in *)&store; 462 sin6 = (struct sockaddr_in6 *)&store; 463 464 memset(&store, 0, sizeof(store)); 465 if (cp->heartbeat.hb_info.addr_family == AF_INET && 466 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 467 sin->sin_family = cp->heartbeat.hb_info.addr_family; 468 sin->sin_len = cp->heartbeat.hb_info.addr_len; 469 sin->sin_port = stcb->rport; 470 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 471 sizeof(sin->sin_addr)); 472 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 473 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 474 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 475 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 476 sin6->sin6_port = stcb->rport; 477 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 478 sizeof(sin6->sin6_addr)); 479 } else { 480 return; 481 } 482 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 483 if (r_net == NULL) { 484#ifdef SCTP_DEBUG 485 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 486 printf("Huh? I can't find the address I sent it to, discard\n"); 487 } 488#endif 489 return; 490 } 491 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 492 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 493 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 494 /* 495 * If the its a HB and it's random value is correct when can 496 * confirm the destination. 497 */ 498 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 499 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 500 stcb, 0, (void *)r_net); 501 } 502 r_net->error_count = 0; 503 r_net->hb_responded = 1; 504 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 505 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 506 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 507 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 508 r_net->dest_state |= SCTP_ADDR_REACHABLE; 509 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 510 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 511 /* now was it the primary? if so restore */ 512 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 513 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 514 } 515 } 516 /* Now lets do a RTO with this */ 517 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 518} 519 520static void 521sctp_handle_abort(struct sctp_abort_chunk *cp, 522 struct sctp_tcb *stcb, struct sctp_nets *net) 523{ 524 525#ifdef SCTP_DEBUG 526 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 527 printf("sctp_handle_abort: handling ABORT\n"); 528 } 529#endif 530 if (stcb == NULL) 531 return; 532 /* verify that the destination addr is in the association */ 533 /* ignore abort for addresses being deleted */ 534 535 /* stop any receive timers */ 536 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net); 537 /* notify user of the abort and clean up... */ 538 sctp_abort_notification(stcb, 0); 539 /* free the tcb */ 540 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 541 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 542 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 543 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 544 } 545 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 546#ifdef SCTP_DEBUG 547 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 548 printf("sctp_handle_abort: finished\n"); 549 } 550#endif 551} 552 553static void 554sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 555 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 556{ 557 struct sctp_association *asoc; 558 int some_on_streamwheel; 559 560#ifdef SCTP_DEBUG 561 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 562 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 563 } 564#endif 565 if (stcb == NULL) 566 return; 567 568 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) || 569 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 570 return; 571 } 572 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 573 /* Shutdown NOT the expected size */ 574 return; 575 } else { 576 sctp_update_acked(stcb, cp, net, abort_flag); 577 } 578 asoc = &stcb->asoc; 579 if (stcb->asoc.control_pdapi) { 580 /* 581 * With a normal shutdown we assume the end of last record. 582 */ 583 SCTP_INP_READ_LOCK(stcb->sctp_ep); 584 stcb->asoc.control_pdapi->end_added = 1; 585 if (stcb->asoc.control_pdapi->tail_mbuf) { 586 stcb->asoc.control_pdapi->tail_mbuf->m_flags |= M_EOR; 587 } 588 stcb->asoc.control_pdapi = NULL; 589 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 590 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 591 } 592 /* goto SHUTDOWN_RECEIVED state to block new requests */ 593 if (stcb->sctp_socket) { 594 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 595 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 596 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 597 /* 598 * notify upper layer that peer has initiated a 599 * shutdown 600 */ 601 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 602 603 /* reset time */ 604 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 605 } 606 } 607 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 608 /* 609 * stop the shutdown timer, since we WILL move to 610 * SHUTDOWN-ACK-SENT. 611 */ 612 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 613 } 614 /* Now are we there yet? */ 615 some_on_streamwheel = 0; 616 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 617 /* Check to see if some data queued */ 618 struct sctp_stream_out *outs; 619 620 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 621 if (!TAILQ_EMPTY(&outs->outqueue)) { 622 some_on_streamwheel = 1; 623 break; 624 } 625 } 626 } 627 if (!TAILQ_EMPTY(&asoc->send_queue) || 628 !TAILQ_EMPTY(&asoc->sent_queue) || 629 some_on_streamwheel) { 630 /* By returning we will push more data out */ 631 return; 632 } else { 633 /* no outstanding data to send, so move on... */ 634 /* send SHUTDOWN-ACK */ 635 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 636 /* move to SHUTDOWN-ACK-SENT state */ 637 if (asoc->state == SCTP_STATE_SHUTDOWN_RECEIVED) { 638 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 639 } 640 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 641 642 /* start SHUTDOWN timer */ 643 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 644 stcb, net); 645 } 646} 647 648static void 649sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 650 struct sctp_tcb *stcb, struct sctp_nets *net) 651{ 652 struct sctp_association *asoc; 653 654#ifdef SCTP_DEBUG 655 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 656 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 657 } 658#endif 659 if (stcb == NULL) 660 return; 661 662 asoc = &stcb->asoc; 663 /* process according to association state */ 664 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 665 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 666 /* unexpected SHUTDOWN-ACK... so ignore... */ 667 SCTP_TCB_UNLOCK(stcb); 668 return; 669 } 670 if (stcb->asoc.control_pdapi) { 671 /* 672 * With a normal shutdown we assume the end of last record. 673 */ 674 SCTP_INP_READ_LOCK(stcb->sctp_ep); 675 stcb->asoc.control_pdapi->end_added = 1; 676 if (stcb->asoc.control_pdapi->tail_mbuf) { 677 stcb->asoc.control_pdapi->tail_mbuf->m_flags |= M_EOR; 678 } 679 stcb->asoc.control_pdapi = NULL; 680 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 681 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 682 } 683 /* are the queues empty? */ 684 if (!TAILQ_EMPTY(&asoc->send_queue) || 685 !TAILQ_EMPTY(&asoc->sent_queue) || 686 !TAILQ_EMPTY(&asoc->out_wheel)) { 687 sctp_report_all_outbound(stcb); 688 } 689 /* stop the timer */ 690 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 691 /* send SHUTDOWN-COMPLETE */ 692 sctp_send_shutdown_complete(stcb, net); 693 /* notify upper layer protocol */ 694 if (stcb->sctp_socket) { 695 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 696 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 697 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 698 /* Set the connected flag to disconnected */ 699 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 700 } 701 } 702 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 703 /* free the TCB but first save off the ep */ 704 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 705} 706 707/* 708 * Skip past the param header and then we will find the chunk that caused the 709 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 710 * our peer must be broken. 711 */ 712static void 713sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 714 struct sctp_nets *net) 715{ 716 struct sctp_chunkhdr *chk; 717 718 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 719 switch (chk->chunk_type) { 720 case SCTP_ASCONF_ACK: 721 case SCTP_ASCONF: 722 sctp_asconf_cleanup(stcb, net); 723 break; 724 case SCTP_FORWARD_CUM_TSN: 725 stcb->asoc.peer_supports_prsctp = 0; 726 break; 727 default: 728#ifdef SCTP_DEBUG 729 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 730 printf("Peer does not support chunk type %d(%x)??\n", 731 chk->chunk_type, (uint32_t) chk->chunk_type); 732 } 733#endif 734 break; 735 } 736} 737 738/* 739 * Skip past the param header and then we will find the param that caused the 740 * problem. There are a number of param's in a ASCONF OR the prsctp param 741 * these will turn of specific features. 742 */ 743static void 744sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 745{ 746 struct sctp_paramhdr *pbad; 747 748 pbad = phdr + 1; 749 switch (ntohs(pbad->param_type)) { 750 /* pr-sctp draft */ 751 case SCTP_PRSCTP_SUPPORTED: 752 stcb->asoc.peer_supports_prsctp = 0; 753 break; 754 case SCTP_SUPPORTED_CHUNK_EXT: 755 break; 756 /* draft-ietf-tsvwg-addip-sctp */ 757 case SCTP_ECN_NONCE_SUPPORTED: 758 stcb->asoc.peer_supports_ecn_nonce = 0; 759 stcb->asoc.ecn_nonce_allowed = 0; 760 stcb->asoc.ecn_allowed = 0; 761 break; 762 case SCTP_ADD_IP_ADDRESS: 763 case SCTP_DEL_IP_ADDRESS: 764 case SCTP_SET_PRIM_ADDR: 765 stcb->asoc.peer_supports_asconf = 0; 766 break; 767 case SCTP_SUCCESS_REPORT: 768 case SCTP_ERROR_CAUSE_IND: 769#ifdef SCTP_DEBUG 770 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 771 printf("Huh, the peer does not support success? or error cause?\n"); 772 printf("Turning off ASCONF to this strange peer\n"); 773 } 774#endif 775 stcb->asoc.peer_supports_asconf = 0; 776 break; 777 default: 778#ifdef SCTP_DEBUG 779 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 780 printf("Peer does not support param type %d(%x)??\n", 781 pbad->param_type, (uint32_t) pbad->param_type); 782 } 783#endif 784 break; 785 } 786} 787 788static int 789sctp_handle_error(struct sctp_chunkhdr *ch, 790 struct sctp_tcb *stcb, struct sctp_nets *net) 791{ 792 int chklen; 793 struct sctp_paramhdr *phdr; 794 uint16_t error_type; 795 uint16_t error_len; 796 struct sctp_association *asoc; 797 798 int adjust; 799 800 /* parse through all of the errors and process */ 801 asoc = &stcb->asoc; 802 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 803 sizeof(struct sctp_chunkhdr)); 804 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 805 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 806 /* Process an Error Cause */ 807 error_type = ntohs(phdr->param_type); 808 error_len = ntohs(phdr->param_length); 809 if ((error_len > chklen) || (error_len == 0)) { 810 /* invalid param length for this param */ 811#ifdef SCTP_DEBUG 812 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 813 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 814 chklen, error_len); 815 } 816#endif /* SCTP_DEBUG */ 817 return (0); 818 } 819 switch (error_type) { 820 case SCTP_CAUSE_INVALID_STREAM: 821 case SCTP_CAUSE_MISSING_PARAM: 822 case SCTP_CAUSE_INVALID_PARAM: 823 case SCTP_CAUSE_NO_USER_DATA: 824#ifdef SCTP_DEBUG 825 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 826 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 827 error_type); 828 } 829#endif 830 break; 831 case SCTP_CAUSE_STALE_COOKIE: 832 /* 833 * We only act if we have echoed a cookie and are 834 * waiting. 835 */ 836 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 837 int *p; 838 839 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 840 /* Save the time doubled */ 841 asoc->cookie_preserve_req = ntohl(*p) << 1; 842 asoc->stale_cookie_count++; 843 if (asoc->stale_cookie_count > 844 asoc->max_init_times) { 845 sctp_abort_notification(stcb, 0); 846 /* now free the asoc */ 847 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 848 return (-1); 849 } 850 /* blast back to INIT state */ 851 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 852 asoc->state |= SCTP_STATE_COOKIE_WAIT; 853 854 sctp_stop_all_cookie_timers(stcb); 855 sctp_send_initiate(stcb->sctp_ep, stcb); 856 } 857 break; 858 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 859 /* 860 * Nothing we can do here, we don't do hostname 861 * addresses so if the peer does not like my IPv6 862 * (or IPv4 for that matter) it does not matter. If 863 * they don't support that type of address, they can 864 * NOT possibly get that packet type... i.e. with no 865 * IPv6 you can't recieve a IPv6 packet. so we can 866 * safely ignore this one. If we ever added support 867 * for HOSTNAME Addresses, then we would need to do 868 * something here. 869 */ 870 break; 871 case SCTP_CAUSE_UNRECOG_CHUNK: 872 sctp_process_unrecog_chunk(stcb, phdr, net); 873 break; 874 case SCTP_CAUSE_UNRECOG_PARAM: 875 sctp_process_unrecog_param(stcb, phdr); 876 break; 877 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 878 /* 879 * We ignore this since the timer will drive out a 880 * new cookie anyway and there timer will drive us 881 * to send a SHUTDOWN_COMPLETE. We can't send one 882 * here since we don't have their tag. 883 */ 884 break; 885 case SCTP_CAUSE_DELETING_LAST_ADDR: 886 case SCTP_CAUSE_RESOURCE_SHORTAGE: 887 case SCTP_CAUSE_DELETING_SRC_ADDR: 888 /* 889 * We should NOT get these here, but in a 890 * ASCONF-ACK. n 891 */ 892#ifdef SCTP_DEBUG 893 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 894 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 895 error_type); 896 } 897#endif 898 break; 899 case SCTP_CAUSE_OUT_OF_RESC: 900 /* 901 * And what, pray tell do we do with the fact that 902 * the peer is out of resources? Not really sure we 903 * could do anything but abort. I suspect this n * 904 * should have came WITH an abort instead of in a 905 * OP-ERROR. 906 */ 907 break; 908 default: 909#ifdef SCTP_DEBUG 910 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 911 /* don't know what this error cause is... */ 912 printf("sctp_handle_error: unknown error type = 0x%xh\n", 913 error_type); 914 } 915#endif /* SCTP_DEBUG */ 916 break; 917 } 918 adjust = SCTP_SIZE32(error_len); 919 chklen -= adjust; 920 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 921 } 922 return (0); 923} 924 925static int 926sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 927 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 928 struct sctp_nets *net) 929{ 930 struct sctp_init_ack *init_ack; 931 int *state; 932 struct mbuf *op_err; 933 934#ifdef SCTP_DEBUG 935 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 936 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 937 } 938#endif 939 if (stcb == NULL) { 940#ifdef SCTP_DEBUG 941 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 942 printf("sctp_handle_init_ack: TCB is null\n"); 943 } 944#endif 945 return (-1); 946 } 947 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 948 /* Invalid length */ 949 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 950 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 951 op_err); 952 return (-1); 953 } 954 init_ack = &cp->init; 955 /* validate parameters */ 956 if (init_ack->initiate_tag == 0) { 957 /* protocol error... send an abort */ 958 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 959 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 960 op_err); 961 return (-1); 962 } 963 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 964 /* protocol error... send an abort */ 965 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 966 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 967 op_err); 968 return (-1); 969 } 970 if (init_ack->num_inbound_streams == 0) { 971 /* protocol error... send an abort */ 972 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 973 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 974 op_err); 975 return (-1); 976 } 977 if (init_ack->num_outbound_streams == 0) { 978 /* protocol error... send an abort */ 979 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 980 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 981 op_err); 982 return (-1); 983 } 984 /* process according to association state... */ 985 state = &stcb->asoc.state; 986 switch (*state & SCTP_STATE_MASK) { 987 case SCTP_STATE_COOKIE_WAIT: 988 /* this is the expected state for this chunk */ 989 /* process the INIT-ACK parameters */ 990 if (stcb->asoc.primary_destination->dest_state & 991 SCTP_ADDR_UNCONFIRMED) { 992 /* 993 * The primary is where we sent the INIT, we can 994 * always consider it confirmed when the INIT-ACK is 995 * returned. Do this before we load addresses 996 * though. 997 */ 998 stcb->asoc.primary_destination->dest_state &= 999 ~SCTP_ADDR_UNCONFIRMED; 1000 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1001 stcb, 0, (void *)stcb->asoc.primary_destination); 1002 } 1003 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net 1004 ) < 0) { 1005 /* error in parsing parameters */ 1006 return (-1); 1007 } 1008 /* update our state */ 1009#ifdef SCTP_DEBUG 1010 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1011 printf("moving to COOKIE-ECHOED state\n"); 1012 } 1013#endif 1014 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 1015 *state = SCTP_STATE_COOKIE_ECHOED | 1016 SCTP_STATE_SHUTDOWN_PENDING; 1017 } else { 1018 *state = SCTP_STATE_COOKIE_ECHOED; 1019 } 1020 1021 /* reset the RTO calc */ 1022 stcb->asoc.overall_error_count = 0; 1023 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1024 /* 1025 * collapse the init timer back in case of a exponential 1026 * backoff n 1027 */ 1028 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1029 stcb, net); 1030 /* 1031 * the send at the end of the inbound data processing will 1032 * cause the cookie to be sent 1033 */ 1034 break; 1035 case SCTP_STATE_SHUTDOWN_SENT: 1036 /* incorrect state... discard */ 1037 break; 1038 case SCTP_STATE_COOKIE_ECHOED: 1039 /* incorrect state... discard */ 1040 break; 1041 case SCTP_STATE_OPEN: 1042 /* incorrect state... discard */ 1043 break; 1044 case SCTP_STATE_EMPTY: 1045 case SCTP_STATE_INUSE: 1046 default: 1047 /* incorrect state... discard */ 1048 return (-1); 1049 break; 1050 } /* end switch asoc state */ 1051#ifdef SCTP_DEBUG 1052 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1053 printf("Leaving handle-init-ack end\n"); 1054 } 1055#endif 1056 return (0); 1057} 1058 1059 1060/* 1061 * handle a state cookie for an existing association m: input packet mbuf 1062 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1063 * "split" mbuf and the cookie signature does not exist offset: offset into 1064 * mbuf to the cookie-echo chunk 1065 */ 1066static struct sctp_tcb * 1067sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1068 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1069 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1070 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id) 1071{ 1072 struct sctp_association *asoc; 1073 struct sctp_init_chunk *init_cp, init_buf; 1074 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1075 int chk_length; 1076 int init_offset, initack_offset; 1077 int retval; 1078 1079 /* I know that the TCB is non-NULL from the caller */ 1080 asoc = &stcb->asoc; 1081 1082 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1083 /* SHUTDOWN came in after sending INIT-ACK */ 1084 struct mbuf *op_err; 1085 struct sctp_paramhdr *ph; 1086 1087 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1088 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1089 1, M_DONTWAIT, 1, MT_DATA); 1090 if (op_err == NULL) { 1091 /* FOOBAR */ 1092 return (NULL); 1093 } 1094 /* pre-reserve some space */ 1095 op_err->m_data += sizeof(struct ip6_hdr); 1096 op_err->m_data += sizeof(struct sctphdr); 1097 op_err->m_data += sizeof(struct sctp_chunkhdr); 1098 /* Set the len */ 1099 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr); 1100 ph = mtod(op_err, struct sctp_paramhdr *); 1101 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1102 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1103 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1104 return (NULL); 1105 } 1106 /* 1107 * find and validate the INIT chunk in the cookie (peer's info) the 1108 * INIT should start after the cookie-echo header struct (chunk 1109 * header, state cookie header struct) 1110 */ 1111 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1112 1113 init_cp = (struct sctp_init_chunk *) 1114 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1115 (uint8_t *) & init_buf); 1116 if (init_cp == NULL) { 1117 /* could not pull a INIT chunk in cookie */ 1118 return (NULL); 1119 } 1120 chk_length = ntohs(init_cp->ch.chunk_length); 1121 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1122 return (NULL); 1123 } 1124 /* 1125 * find and validate the INIT-ACK chunk in the cookie (my info) the 1126 * INIT-ACK follows the INIT chunk 1127 */ 1128 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1129 initack_cp = (struct sctp_init_ack_chunk *) 1130 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1131 (uint8_t *) & initack_buf); 1132 if (initack_cp == NULL) { 1133 /* could not pull INIT-ACK chunk in cookie */ 1134 return (NULL); 1135 } 1136 chk_length = ntohs(initack_cp->ch.chunk_length); 1137 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1138 return (NULL); 1139 } 1140 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1141 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1142 /* 1143 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1144 * to get into the OPEN state 1145 */ 1146 switch SCTP_GET_STATE 1147 (asoc) { 1148 case SCTP_STATE_COOKIE_WAIT: 1149 /* 1150 * INIT was sent, but got got a COOKIE_ECHO with the 1151 * correct tags... just accept it... 1152 */ 1153 /* First we must process the INIT !! */ 1154 retval = sctp_process_init(init_cp, stcb, net); 1155 if (retval < 0) { 1156 return (NULL); 1157 } 1158 /* intentional fall through to below... */ 1159 1160 case SCTP_STATE_COOKIE_ECHOED: 1161 /* Duplicate INIT case */ 1162 /* we have already processed the INIT so no problem */ 1163 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1164 net); 1165 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1166 sctp_stop_all_cookie_timers(stcb); 1167 /* update current state */ 1168 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1169 asoc->state = SCTP_STATE_OPEN | 1170 SCTP_STATE_SHUTDOWN_PENDING; 1171 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1172 stcb->sctp_ep, stcb, asoc->primary_destination); 1173 1174 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { 1175 /* if ok, move to OPEN state */ 1176 asoc->state = SCTP_STATE_OPEN; 1177 } 1178 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1179 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1180 (inp->sctp_socket->so_qlimit == 0) 1181 ) { 1182 /* 1183 * Here is where collision would go if we 1184 * did a connect() and instead got a 1185 * init/init-ack/cookie done before the 1186 * init-ack came back.. 1187 */ 1188 stcb->sctp_ep->sctp_flags |= 1189 SCTP_PCB_FLAGS_CONNECTED; 1190 soisconnected(stcb->sctp_ep->sctp_socket); 1191 } 1192 /* notify upper layer */ 1193 *notification = SCTP_NOTIFY_ASSOC_UP; 1194 /* 1195 * since we did not send a HB make sure we don't 1196 * double things 1197 */ 1198 net->hb_responded = 1; 1199 1200 if (stcb->asoc.sctp_autoclose_ticks && 1201 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1202 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1203 inp, stcb, NULL); 1204 } 1205 break; 1206 default: 1207 /* 1208 * we're in the OPEN state (or beyond), so peer must 1209 * have simply lost the COOKIE-ACK 1210 */ 1211 break; 1212 } /* end switch */ 1213 1214 /* 1215 * We ignore the return code here.. not sure if we should 1216 * somehow abort.. but we do have an existing asoc. This 1217 * really should not fail. 1218 */ 1219 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1220 init_offset + sizeof(struct sctp_init_chunk), 1221 initack_offset, sh, init_src)) { 1222 return (NULL); 1223 } 1224 /* respond with a COOKIE-ACK */ 1225 sctp_send_cookie_ack(stcb); 1226 return (stcb); 1227 } /* end if */ 1228 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1229 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1230 cookie->tie_tag_my_vtag == 0 && 1231 cookie->tie_tag_peer_vtag == 0) { 1232 /* 1233 * case C in Section 5.2.4 Table 2: XMOO silently discard 1234 */ 1235 return (NULL); 1236 } 1237 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1238 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1239 init_cp->init.initiate_tag == 0)) { 1240 /* 1241 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1242 * should be ok, re-accept peer info 1243 */ 1244 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1245 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1246 sctp_stop_all_cookie_timers(stcb); 1247 /* 1248 * since we did not send a HB make sure we don't double 1249 * things 1250 */ 1251 net->hb_responded = 1; 1252 if (stcb->asoc.sctp_autoclose_ticks && 1253 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1254 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1255 NULL); 1256 } 1257 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1258 asoc->pre_open_streams = 1259 ntohs(initack_cp->init.num_outbound_streams); 1260 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1261 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1262 asoc->init_seq_number; 1263 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1264 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1265 asoc->str_reset_seq_in = asoc->init_seq_number; 1266 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1267 1268 /* process the INIT info (peer's info) */ 1269 retval = sctp_process_init(init_cp, stcb, net); 1270 if (retval < 0) { 1271 return (NULL); 1272 } 1273 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1274 init_offset + sizeof(struct sctp_init_chunk), 1275 initack_offset, sh, init_src)) { 1276 return (NULL); 1277 } 1278 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1279 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1280 *notification = SCTP_NOTIFY_ASSOC_UP; 1281 1282 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1283 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1284 (inp->sctp_socket->so_qlimit == 0)) { 1285 stcb->sctp_ep->sctp_flags |= 1286 SCTP_PCB_FLAGS_CONNECTED; 1287 soisconnected(stcb->sctp_ep->sctp_socket); 1288 } 1289 } 1290 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1291 asoc->state = SCTP_STATE_OPEN | 1292 SCTP_STATE_SHUTDOWN_PENDING; 1293 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1294 stcb->sctp_ep, stcb, asoc->primary_destination); 1295 1296 } else { 1297 asoc->state = SCTP_STATE_OPEN; 1298 } 1299 sctp_stop_all_cookie_timers(stcb); 1300 sctp_send_cookie_ack(stcb); 1301 return (stcb); 1302 } 1303 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1304 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1305 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1306 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1307 cookie->tie_tag_peer_vtag != 0) { 1308 struct sctpasochead *head; 1309 1310 /* 1311 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1312 */ 1313 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1314 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1315 *sac_assoc_id = sctp_get_associd(stcb); 1316 /* notify upper layer */ 1317 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1318 1319 1320 /* send up all the data */ 1321 sctp_report_all_outbound(stcb); 1322 1323 /* process the INIT-ACK info (my info) */ 1324 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1325 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1326 1327 /* pull from vtag hash */ 1328 LIST_REMOVE(stcb, sctp_asocs); 1329 /* re-insert to new vtag position */ 1330 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1331 sctppcbinfo.hashasocmark)]; 1332 /* 1333 * put it in the bucket in the vtag hash of assoc's for the 1334 * system 1335 */ 1336 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1337 1338 /* Is this the first restart? */ 1339 if (stcb->asoc.in_restart_hash == 0) { 1340 /* Ok add it to assoc_id vtag hash */ 1341 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1342 sctppcbinfo.hashrestartmark)]; 1343 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1344 stcb->asoc.in_restart_hash = 1; 1345 } 1346 asoc->pre_open_streams = 1347 ntohs(initack_cp->init.num_outbound_streams); 1348 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1349 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1350 1351 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1352 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1353 1354 asoc->str_reset_seq_in = asoc->init_seq_number; 1355 1356 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1357 if (asoc->mapping_array) 1358 memset(asoc->mapping_array, 0, 1359 asoc->mapping_array_size); 1360 /* process the INIT info (peer's info) */ 1361 retval = sctp_process_init(init_cp, stcb, net); 1362 if (retval < 0) { 1363 return (NULL); 1364 } 1365 /* 1366 * since we did not send a HB make sure we don't double 1367 * things 1368 */ 1369 net->hb_responded = 1; 1370 1371 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1372 init_offset + sizeof(struct sctp_init_chunk), 1373 initack_offset, sh, init_src)) { 1374 return (NULL); 1375 } 1376 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1377 asoc->state = SCTP_STATE_OPEN | 1378 SCTP_STATE_SHUTDOWN_PENDING; 1379 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1380 stcb->sctp_ep, stcb, asoc->primary_destination); 1381 1382 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1383 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1384 asoc->state = SCTP_STATE_OPEN; 1385 } 1386 /* respond with a COOKIE-ACK */ 1387 sctp_stop_all_cookie_timers(stcb); 1388 sctp_send_cookie_ack(stcb); 1389 1390 return (stcb); 1391 } 1392 /* if we are not a restart we need the assoc_id field pop'd */ 1393 asoc->assoc_id = ntohl(initack_cp->init.initiate_tag); 1394 1395 /* all other cases... */ 1396 return (NULL); 1397} 1398 1399/* 1400 * handle a state cookie for a new association m: input packet mbuf chain-- 1401 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1402 * and the cookie signature does not exist offset: offset into mbuf to the 1403 * cookie-echo chunk length: length of the cookie chunk to: where the init 1404 * was from returns a new TCB 1405 */ 1406static struct sctp_tcb * 1407sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1408 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1409 struct sctp_inpcb *inp, struct sctp_nets **netp, 1410 struct sockaddr *init_src, int *notification, 1411 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1412{ 1413 struct sctp_tcb *stcb; 1414 struct sctp_init_chunk *init_cp, init_buf; 1415 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1416 struct sockaddr_storage sa_store; 1417 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1418 struct sockaddr_in *sin; 1419 struct sockaddr_in6 *sin6; 1420 struct sctp_association *asoc; 1421 int chk_length; 1422 int init_offset, initack_offset, initack_limit; 1423 int retval; 1424 int error = 0; 1425 uint32_t old_tag; 1426 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 1427 1428 /* 1429 * find and validate the INIT chunk in the cookie (peer's info) the 1430 * INIT should start after the cookie-echo header struct (chunk 1431 * header, state cookie header struct) 1432 */ 1433 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1434 init_cp = (struct sctp_init_chunk *) 1435 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1436 (uint8_t *) & init_buf); 1437 if (init_cp == NULL) { 1438 /* could not pull a INIT chunk in cookie */ 1439#ifdef SCTP_DEBUG 1440 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1441 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1442 } 1443#endif /* SCTP_DEBUG */ 1444 return (NULL); 1445 } 1446 chk_length = ntohs(init_cp->ch.chunk_length); 1447 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1448#ifdef SCTP_DEBUG 1449 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1450 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1451 } 1452#endif /* SCTP_DEBUG */ 1453 return (NULL); 1454 } 1455 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1456 /* 1457 * find and validate the INIT-ACK chunk in the cookie (my info) the 1458 * INIT-ACK follows the INIT chunk 1459 */ 1460 initack_cp = (struct sctp_init_ack_chunk *) 1461 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1462 (uint8_t *) & initack_buf); 1463 if (initack_cp == NULL) { 1464 /* could not pull INIT-ACK chunk in cookie */ 1465#ifdef SCTP_DEBUG 1466 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1467 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1468 } 1469#endif /* SCTP_DEBUG */ 1470 return (NULL); 1471 } 1472 chk_length = ntohs(initack_cp->ch.chunk_length); 1473 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1474 return (NULL); 1475 } 1476 /* 1477 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1478 * "initack_limit" value. This is because the chk_length field 1479 * includes the length of the cookie, but the cookie is omitted when 1480 * the INIT and INIT_ACK are tacked onto the cookie... 1481 */ 1482 initack_limit = offset + cookie_len; 1483 1484 /* 1485 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1486 * and popluate 1487 */ 1488 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1489 ntohl(initack_cp->init.initiate_tag)); 1490 if (stcb == NULL) { 1491 struct mbuf *op_err; 1492 1493 /* memory problem? */ 1494#ifdef SCTP_DEBUG 1495 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1496 printf("process_cookie_new: no room for another TCB!\n"); 1497 } 1498#endif /* SCTP_DEBUG */ 1499 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1500 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1501 sh, op_err); 1502 return (NULL); 1503 } 1504 /* get the correct sctp_nets */ 1505 *netp = sctp_findnet(stcb, init_src); 1506 asoc = &stcb->asoc; 1507 /* get scope variables out of cookie */ 1508 asoc->ipv4_local_scope = cookie->ipv4_scope; 1509 asoc->site_scope = cookie->site_scope; 1510 asoc->local_scope = cookie->local_scope; 1511 asoc->loopback_scope = cookie->loopback_scope; 1512 1513 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1514 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1515 struct mbuf *op_err; 1516 1517 /* 1518 * Houston we have a problem. The EP changed while the 1519 * cookie was in flight. Only recourse is to abort the 1520 * association. 1521 */ 1522 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1523 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1524 sh, op_err); 1525 return (NULL); 1526 } 1527 /* process the INIT-ACK info (my info) */ 1528 old_tag = asoc->my_vtag; 1529 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1530 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1531 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1532 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1533 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1534 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1535 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1536 asoc->str_reset_seq_in = asoc->init_seq_number; 1537 1538 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1539 1540 /* process the INIT info (peer's info) */ 1541 retval = sctp_process_init(init_cp, stcb, *netp); 1542 if (retval < 0) { 1543 sctp_free_assoc(inp, stcb, 0); 1544 return (NULL); 1545 } 1546 /* load all addresses */ 1547 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1548 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1549 init_src)) { 1550 sctp_free_assoc(inp, stcb, 0); 1551 return (NULL); 1552 } 1553 /* 1554 * verify any preceding AUTH chunk that was skipped 1555 */ 1556 /* pull the local authentication parameters from the cookie/init-ack */ 1557 sctp_auth_get_cookie_params(stcb, m, 1558 initack_offset + sizeof(struct sctp_init_ack_chunk), 1559 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1560 if (auth_skipped) { 1561 struct sctp_auth_chunk *auth; 1562 1563 auth = (struct sctp_auth_chunk *) 1564 sctp_m_getptr(m, auth_offset, auth_len, chunk_buf); 1565 if (sctp_handle_auth(stcb, auth, m, auth_offset)) { 1566 /* auth HMAC failed, dump the assoc and packet */ 1567#ifdef SCTP_DEBUG 1568 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 1569 printf("COOKIE-ECHO: AUTH failed\n"); 1570#endif /* SCTP_DEBUG */ 1571 sctp_free_assoc(inp, stcb, 0); 1572 return (NULL); 1573 } else { 1574 /* remaining chunks checked... good to go */ 1575 stcb->asoc.authenticated = 1; 1576 } 1577 } 1578 /* update current state */ 1579#ifdef SCTP_DEBUG 1580 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1581 printf("moving to OPEN state\n"); 1582 } 1583#endif 1584 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1585 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1586 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1587 stcb->sctp_ep, stcb, asoc->primary_destination); 1588 } else { 1589 asoc->state = SCTP_STATE_OPEN; 1590 } 1591 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1592 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1593 sctp_stop_all_cookie_timers(stcb); 1594 /* calculate the RTT */ 1595 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1596 &cookie->time_entered); 1597 1598 /* 1599 * if we're doing ASCONFs, check to see if we have any new local 1600 * addresses that need to get added to the peer (eg. addresses 1601 * changed while cookie echo in flight). This needs to be done 1602 * after we go to the OPEN state to do the correct asconf 1603 * processing. else, make sure we have the correct addresses in our 1604 * lists 1605 */ 1606 1607 /* warning, we re-use sin, sin6, sa_store here! */ 1608 /* pull in local_address (our "from" address) */ 1609 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1610 /* source addr is IPv4 */ 1611 sin = (struct sockaddr_in *)initack_src; 1612 memset(sin, 0, sizeof(*sin)); 1613 sin->sin_family = AF_INET; 1614 sin->sin_len = sizeof(struct sockaddr_in); 1615 sin->sin_addr.s_addr = cookie->laddress[0]; 1616 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1617 /* source addr is IPv6 */ 1618 sin6 = (struct sockaddr_in6 *)initack_src; 1619 memset(sin6, 0, sizeof(*sin6)); 1620 sin6->sin6_family = AF_INET6; 1621 sin6->sin6_len = sizeof(struct sockaddr_in6); 1622 sin6->sin6_scope_id = cookie->scope_id; 1623 memcpy(&sin6->sin6_addr, cookie->laddress, 1624 sizeof(sin6->sin6_addr)); 1625 } else { 1626 sctp_free_assoc(inp, stcb, 0); 1627 return (NULL); 1628 } 1629 1630 sctp_check_address_list(stcb, m, 1631 initack_offset + sizeof(struct sctp_init_ack_chunk), 1632 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1633 initack_src, cookie->local_scope, cookie->site_scope, 1634 cookie->ipv4_scope, cookie->loopback_scope); 1635 1636 1637 /* set up to notify upper layer */ 1638 *notification = SCTP_NOTIFY_ASSOC_UP; 1639 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1640 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1641 (inp->sctp_socket->so_qlimit == 0)) { 1642 /* 1643 * This is an endpoint that called connect() how it got a 1644 * cookie that is NEW is a bit of a mystery. It must be that 1645 * the INIT was sent, but before it got there.. a complete 1646 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1647 * should have went to the other code.. not here.. oh well.. 1648 * a bit of protection is worth having.. 1649 */ 1650 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1651 soisconnected(stcb->sctp_ep->sctp_socket); 1652 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1653 (inp->sctp_socket->so_qlimit)) { 1654 /* 1655 * We don't want to do anything with this one. Since it is 1656 * the listening guy. The timer will get started for 1657 * accepted connections in the caller. 1658 */ 1659 ; 1660 } 1661 /* since we did not send a HB make sure we don't double things */ 1662 (*netp)->hb_responded = 1; 1663 1664 if (stcb->asoc.sctp_autoclose_ticks && 1665 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1666 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1667 } 1668 /* respond with a COOKIE-ACK */ 1669 sctp_send_cookie_ack(stcb); 1670 return (stcb); 1671} 1672 1673 1674/* 1675 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1676 * existing (non-NULL) TCB 1677 */ 1678static struct mbuf * 1679sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1680 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1681 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1682 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1683{ 1684 struct sctp_state_cookie *cookie; 1685 struct sockaddr_in6 sin6; 1686 struct sockaddr_in sin; 1687 struct sctp_tcb *l_stcb = *stcb; 1688 struct sctp_inpcb *l_inp; 1689 struct sockaddr *to; 1690 sctp_assoc_t sac_restart_id; 1691 struct sctp_pcb *ep; 1692 struct mbuf *m_sig; 1693 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1694 uint8_t *sig; 1695 uint8_t cookie_ok = 0; 1696 unsigned int size_of_pkt, sig_offset, cookie_offset; 1697 unsigned int cookie_len; 1698 struct timeval now; 1699 struct timeval time_expires; 1700 struct sockaddr_storage dest_store; 1701 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1702 struct ip *iph; 1703 int notification = 0; 1704 struct sctp_nets *netl; 1705 int had_a_existing_tcb = 0; 1706 1707#ifdef SCTP_DEBUG 1708 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1709 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1710 } 1711#endif 1712 1713 if (inp_p == NULL) { 1714 return (NULL); 1715 } 1716 /* First get the destination address setup too. */ 1717 iph = mtod(m, struct ip *); 1718 if (iph->ip_v == IPVERSION) { 1719 /* its IPv4 */ 1720 struct sockaddr_in *sin; 1721 1722 sin = (struct sockaddr_in *)(localep_sa); 1723 memset(sin, 0, sizeof(*sin)); 1724 sin->sin_family = AF_INET; 1725 sin->sin_len = sizeof(*sin); 1726 sin->sin_port = sh->dest_port; 1727 sin->sin_addr.s_addr = iph->ip_dst.s_addr; 1728 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1729 /* its IPv6 */ 1730 struct ip6_hdr *ip6; 1731 struct sockaddr_in6 *sin6; 1732 1733 sin6 = (struct sockaddr_in6 *)(localep_sa); 1734 memset(sin6, 0, sizeof(*sin6)); 1735 sin6->sin6_family = AF_INET6; 1736 sin6->sin6_len = sizeof(struct sockaddr_in6); 1737 ip6 = mtod(m, struct ip6_hdr *); 1738 sin6->sin6_port = sh->dest_port; 1739 sin6->sin6_addr = ip6->ip6_dst; 1740 } else { 1741 return (NULL); 1742 } 1743 1744 cookie = &cp->cookie; 1745 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1746 cookie_len = ntohs(cp->ch.chunk_length); 1747 1748 if ((cookie->peerport != sh->src_port) && 1749 (cookie->myport != sh->dest_port) && 1750 (cookie->my_vtag != sh->v_tag)) { 1751 /* 1752 * invalid ports or bad tag. Note that we always leave the 1753 * v_tag in the header in network order and when we stored 1754 * it in the my_vtag slot we also left it in network order. 1755 * This maintians the match even though it may be in the 1756 * opposite byte order of the machine :-> 1757 */ 1758 return (NULL); 1759 } 1760 /* compute size of packet */ 1761 if (m->m_flags & M_PKTHDR) { 1762 size_of_pkt = m->m_pkthdr.len; 1763 } else { 1764 /* Should have a pkt hdr really */ 1765 struct mbuf *mat; 1766 1767 mat = m; 1768 size_of_pkt = 0; 1769 while (mat != NULL) { 1770 size_of_pkt += mat->m_len; 1771 mat = mat->m_next; 1772 } 1773 } 1774 if (cookie_len > size_of_pkt || 1775 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1776 sizeof(struct sctp_init_chunk) + 1777 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1778 /* cookie too long! or too small */ 1779 return (NULL); 1780 } 1781 /* 1782 * split off the signature into its own mbuf (since it should not be 1783 * calculated in the sctp_hmac_m() call). 1784 */ 1785 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1786 if (sig_offset > size_of_pkt) { 1787 /* packet not correct size! */ 1788 /* XXX this may already be accounted for earlier... */ 1789 return (NULL); 1790 } 1791 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1792 if (m_sig == NULL) { 1793 /* out of memory or ?? */ 1794 return (NULL); 1795 } 1796 /* 1797 * compute the signature/digest for the cookie 1798 */ 1799 ep = &(*inp_p)->sctp_ep; 1800 l_inp = *inp_p; 1801 if (l_stcb) { 1802 SCTP_TCB_UNLOCK(l_stcb); 1803 } 1804 SCTP_INP_RLOCK(l_inp); 1805 if (l_stcb) { 1806 SCTP_TCB_LOCK(l_stcb); 1807 } 1808 /* which cookie is it? */ 1809 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1810 (ep->current_secret_number != ep->last_secret_number)) { 1811 /* it's the old cookie */ 1812 sctp_hmac_m(SCTP_HMAC, 1813 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1814 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1815 } else { 1816 /* it's the current cookie */ 1817 sctp_hmac_m(SCTP_HMAC, 1818 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1819 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1820 } 1821 /* get the signature */ 1822 SCTP_INP_RUNLOCK(l_inp); 1823 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1824 if (sig == NULL) { 1825 /* couldn't find signature */ 1826 return (NULL); 1827 } 1828 /* compare the received digest with the computed digest */ 1829 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1830 /* try the old cookie? */ 1831 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1832 (ep->current_secret_number != ep->last_secret_number)) { 1833 /* compute digest with old */ 1834 sctp_hmac_m(SCTP_HMAC, 1835 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1836 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1837 /* compare */ 1838 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1839 cookie_ok = 1; 1840 } 1841 } else { 1842 cookie_ok = 1; 1843 } 1844 1845 /* 1846 * Now before we continue we must reconstruct our mbuf so that 1847 * normal processing of any other chunks will work. 1848 */ 1849 { 1850 struct mbuf *m_at; 1851 1852 m_at = m; 1853 while (m_at->m_next != NULL) { 1854 m_at = m_at->m_next; 1855 } 1856 m_at->m_next = m_sig; 1857 if (m->m_flags & M_PKTHDR) { 1858 /* 1859 * We should only do this if and only if the front 1860 * mbuf has a m_pkthdr... it should in theory. 1861 */ 1862 if (m_sig->m_flags & M_PKTHDR) { 1863 /* Add back to the pkt hdr of main m chain */ 1864 m->m_pkthdr.len += m_sig->m_pkthdr.len; 1865 } else { 1866 /* 1867 * Got a problem, no pkthdr in split chain. 1868 * TSNH but we will handle it just in case 1869 */ 1870 int mmlen = 0; 1871 struct mbuf *lat; 1872 1873 printf("Warning: Hitting m_split join TSNH code - fixed\n"); 1874 lat = m_sig; 1875 while (lat) { 1876 mmlen += lat->m_len; 1877 lat = lat->m_next; 1878 } 1879 m->m_pkthdr.len += mmlen; 1880 } 1881 } 1882 } 1883 1884 if (cookie_ok == 0) { 1885#ifdef SCTP_DEBUG 1886 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1887 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1888 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1889 (uint32_t) offset, cookie_offset, sig_offset); 1890 } 1891#endif 1892 return (NULL); 1893 } 1894 /* 1895 * check the cookie timestamps to be sure it's not stale 1896 */ 1897 SCTP_GETTIME_TIMEVAL(&now); 1898 /* Expire time is in Ticks, so we convert to seconds */ 1899 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 1900 time_expires.tv_usec = cookie->time_entered.tv_usec; 1901 if (timevalcmp(&now, &time_expires, >)) { 1902 /* cookie is stale! */ 1903 struct mbuf *op_err; 1904 struct sctp_stale_cookie_msg *scm; 1905 uint32_t tim; 1906 1907 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 1908 1, M_DONTWAIT, 1, MT_DATA); 1909 if (op_err == NULL) { 1910 /* FOOBAR */ 1911 return (NULL); 1912 } 1913 /* pre-reserve some space */ 1914 op_err->m_data += sizeof(struct ip6_hdr); 1915 op_err->m_data += sizeof(struct sctphdr); 1916 op_err->m_data += sizeof(struct sctp_chunkhdr); 1917 1918 /* Set the len */ 1919 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg); 1920 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1921 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1922 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1923 (sizeof(uint32_t)))); 1924 /* seconds to usec */ 1925 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 1926 /* add in usec */ 1927 if (tim == 0) 1928 tim = now.tv_usec - cookie->time_entered.tv_usec; 1929 scm->time_usec = htonl(tim); 1930 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1931 return (NULL); 1932 } 1933 /* 1934 * Now we must see with the lookup address if we have an existing 1935 * asoc. This will only happen if we were in the COOKIE-WAIT state 1936 * and a INIT collided with us and somewhere the peer sent the 1937 * cookie on another address besides the single address our assoc 1938 * had for him. In this case we will have one of the tie-tags set at 1939 * least AND the address field in the cookie can be used to look it 1940 * up. 1941 */ 1942 to = NULL; 1943 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 1944 memset(&sin6, 0, sizeof(sin6)); 1945 sin6.sin6_family = AF_INET6; 1946 sin6.sin6_len = sizeof(sin6); 1947 sin6.sin6_port = sh->src_port; 1948 sin6.sin6_scope_id = cookie->scope_id; 1949 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 1950 sizeof(sin6.sin6_addr.s6_addr)); 1951 to = (struct sockaddr *)&sin6; 1952 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 1953 memset(&sin, 0, sizeof(sin)); 1954 sin.sin_family = AF_INET; 1955 sin.sin_len = sizeof(sin); 1956 sin.sin_port = sh->src_port; 1957 sin.sin_addr.s_addr = cookie->address[0]; 1958 to = (struct sockaddr *)&sin; 1959 } 1960 if ((*stcb == NULL) && to) { 1961 /* Yep, lets check */ 1962 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 1963 if (*stcb == NULL) { 1964 /* 1965 * We should have only got back the same inp. If we 1966 * got back a different ep we have a problem. The 1967 * original findep got back l_inp and now 1968 */ 1969 if (l_inp != *inp_p) { 1970 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 1971 } 1972 } 1973 } 1974 cookie_len -= SCTP_SIGNATURE_SIZE; 1975 if (*stcb == NULL) { 1976 /* this is the "normal" case... get a new TCB */ 1977 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 1978 cookie_len, *inp_p, netp, to, ¬ification, 1979 auth_skipped, auth_offset, auth_len); 1980 } else { 1981 /* this is abnormal... cookie-echo on existing TCB */ 1982 had_a_existing_tcb = 1; 1983 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 1984 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, 1985 &sac_restart_id); 1986 } 1987 1988 if (*stcb == NULL) { 1989 /* still no TCB... must be bad cookie-echo */ 1990 return (NULL); 1991 } 1992 /* 1993 * Ok, we built an association so confirm the address we sent the 1994 * INIT-ACK to. 1995 */ 1996 netl = sctp_findnet(*stcb, to); 1997 /* 1998 * This code should in theory NOT run but 1999 */ 2000 if (netl == NULL) { 2001 /* TSNH! Huh, why do I need to add this address here? */ 2002 int ret; 2003 2004 ret = sctp_add_remote_addr(*stcb, to, 0, 100); 2005 netl = sctp_findnet(*stcb, to); 2006 } 2007 if (netl) { 2008 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2009 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2010 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2011 netl); 2012 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2013 (*stcb), 0, (void *)netl); 2014 } 2015 } 2016 if (*stcb) { 2017 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2018 *stcb, NULL); 2019 } 2020 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2021 if (!had_a_existing_tcb || 2022 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2023 /* 2024 * If we have a NEW cookie or the connect never 2025 * reached the connected state during collision we 2026 * must do the TCP accept thing. 2027 */ 2028 struct socket *so, *oso; 2029 struct sctp_inpcb *inp; 2030 2031 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2032 /* 2033 * For a restart we will keep the same 2034 * socket, no need to do anything. I THINK!! 2035 */ 2036 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2037 return (m); 2038 } 2039 oso = (*inp_p)->sctp_socket; 2040 /* 2041 * We do this to keep the sockets side happy durin 2042 * the sonewcon ONLY. 2043 */ 2044 NET_LOCK_GIANT(); 2045 SCTP_TCB_UNLOCK((*stcb)); 2046 so = sonewconn(oso, SS_ISCONNECTED 2047 ); 2048 NET_UNLOCK_GIANT(); 2049 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2050 SCTP_TCB_LOCK((*stcb)); 2051 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2052 if (so == NULL) { 2053 struct mbuf *op_err; 2054 2055 /* Too many sockets */ 2056#ifdef SCTP_DEBUG 2057 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2058 printf("process_cookie_new: no room for another socket!\n"); 2059 } 2060#endif /* SCTP_DEBUG */ 2061 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2062 sctp_abort_association(*inp_p, NULL, m, iphlen, 2063 sh, op_err); 2064 sctp_free_assoc(*inp_p, *stcb, 0); 2065 return (NULL); 2066 } 2067 inp = (struct sctp_inpcb *)so->so_pcb; 2068 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2069 SCTP_PCB_FLAGS_CONNECTED | 2070 SCTP_PCB_FLAGS_IN_TCPPOOL | 2071 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2072 SCTP_PCB_FLAGS_DONT_WAKE); 2073 inp->sctp_features = (*inp_p)->sctp_features; 2074 inp->sctp_socket = so; 2075 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2076 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2077 inp->sctp_context = (*inp_p)->sctp_context; 2078 inp->inp_starting_point_for_iterator = NULL; 2079 /* 2080 * copy in the authentication parameters from the 2081 * original endpoint 2082 */ 2083 if (inp->sctp_ep.local_hmacs) 2084 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2085 inp->sctp_ep.local_hmacs = 2086 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2087 if (inp->sctp_ep.local_auth_chunks) 2088 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2089 inp->sctp_ep.local_auth_chunks = 2090 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2091 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2092 &inp->sctp_ep.shared_keys); 2093 2094 /* 2095 * Now we must move it from one hash table to 2096 * another and get the tcb in the right place. 2097 */ 2098 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2099 2100 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb); 2101 2102 /* Switch over to the new guy */ 2103 *inp_p = inp; 2104 2105 sctp_ulp_notify(notification, *stcb, 0, NULL); 2106 return (m); 2107 } 2108 } 2109 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2110 sctp_ulp_notify(notification, *stcb, 0, NULL); 2111 } 2112 return (m); 2113} 2114 2115static void 2116sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2117 struct sctp_tcb *stcb, struct sctp_nets *net) 2118{ 2119 /* cp must not be used, others call this without a c-ack :-) */ 2120 struct sctp_association *asoc; 2121 2122#ifdef SCTP_DEBUG 2123 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2124 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2125 } 2126#endif 2127 if (stcb == NULL) 2128 return; 2129 2130 asoc = &stcb->asoc; 2131 2132 sctp_stop_all_cookie_timers(stcb); 2133 /* process according to association state */ 2134 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2135 /* state change only needed when I am in right state */ 2136#ifdef SCTP_DEBUG 2137 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2138 printf("moving to OPEN state\n"); 2139 } 2140#endif 2141 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2142 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2143 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2144 stcb->sctp_ep, stcb, asoc->primary_destination); 2145 2146 } else { 2147 asoc->state = SCTP_STATE_OPEN; 2148 } 2149 /* update RTO */ 2150 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2151 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2152 if (asoc->overall_error_count == 0) { 2153 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2154 &asoc->time_entered); 2155 } 2156 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2157 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2158 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2159 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2160 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2161 soisconnected(stcb->sctp_ep->sctp_socket); 2162 } 2163 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2164 stcb, net); 2165 /* 2166 * since we did not send a HB make sure we don't double 2167 * things 2168 */ 2169 net->hb_responded = 1; 2170 2171 if (stcb->asoc.sctp_autoclose_ticks && 2172 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2173 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2174 stcb->sctp_ep, stcb, NULL); 2175 } 2176 /* 2177 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2178 * addresses changed when init/cookie echo in flight) 2179 */ 2180 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2181 (stcb->asoc.peer_supports_asconf) && 2182 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2183 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2184 stcb->sctp_ep, stcb, 2185 stcb->asoc.primary_destination); 2186 } 2187 } 2188 /* Toss the cookie if I can */ 2189 sctp_toss_old_cookies(stcb, asoc); 2190 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2191 /* Restart the timer if we have pending data */ 2192 struct sctp_tmit_chunk *chk; 2193 2194 chk = TAILQ_FIRST(&asoc->sent_queue); 2195 if (chk) { 2196 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2197 stcb, chk->whoTo); 2198 } 2199 } 2200} 2201 2202static void 2203sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2204 struct sctp_tcb *stcb) 2205{ 2206 struct sctp_nets *net; 2207 struct sctp_tmit_chunk *lchk; 2208 uint32_t tsn; 2209 2210 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2211 return; 2212 } 2213 SCTP_STAT_INCR(sctps_recvecne); 2214 tsn = ntohl(cp->tsn); 2215 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2216 /* Also we make sure we disable the nonce_wait */ 2217 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2218 if (lchk == NULL) { 2219 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2220 } else { 2221 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2222 } 2223 stcb->asoc.nonce_wait_for_ecne = 0; 2224 stcb->asoc.nonce_sum_check = 0; 2225 2226 /* Find where it was sent, if possible */ 2227 net = NULL; 2228 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2229 while (lchk) { 2230 if (lchk->rec.data.TSN_seq == tsn) { 2231 net = lchk->whoTo; 2232 break; 2233 } 2234 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2235 break; 2236 lchk = TAILQ_NEXT(lchk, sctp_next); 2237 } 2238 if (net == NULL) 2239 /* default is we use the primary */ 2240 net = stcb->asoc.primary_destination; 2241 2242 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2243#ifdef SCTP_CWND_MONITOR 2244 int old_cwnd; 2245 2246 old_cwnd = net->cwnd; 2247#endif 2248 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2249 net->ssthresh = net->cwnd / 2; 2250 if (net->ssthresh < net->mtu) { 2251 net->ssthresh = net->mtu; 2252 /* here back off the timer as well, to slow us down */ 2253 net->RTO <<= 2; 2254 } 2255 net->cwnd = net->ssthresh; 2256#ifdef SCTP_CWND_MONITOR 2257 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2258#endif 2259 /* 2260 * we reduce once every RTT. So we will only lower cwnd at 2261 * the next sending seq i.e. the resync_tsn. 2262 */ 2263 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2264 } 2265 /* 2266 * We always send a CWR this way if our previous one was lost our 2267 * peer will get an update, or if it is not time again to reduce we 2268 * still get the cwr to the peer. 2269 */ 2270 sctp_send_cwr(stcb, net, tsn); 2271} 2272 2273static void 2274sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2275{ 2276 /* 2277 * Here we get a CWR from the peer. We must look in the outqueue and 2278 * make sure that we have a covered ECNE in teh control chunk part. 2279 * If so remove it. 2280 */ 2281 struct sctp_tmit_chunk *chk; 2282 struct sctp_ecne_chunk *ecne; 2283 2284 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2285 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2286 continue; 2287 } 2288 /* 2289 * Look for and remove if it is the right TSN. Since there 2290 * is only ONE ECNE on the control queue at any one time we 2291 * don't need to worry about more than one! 2292 */ 2293 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2294 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2295 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2296 /* this covers this ECNE, we can remove it */ 2297 stcb->asoc.ecn_echo_cnt_onq--; 2298 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2299 sctp_next); 2300 if (chk->data) { 2301 sctp_m_freem(chk->data); 2302 chk->data = NULL; 2303 } 2304 stcb->asoc.ctrl_queue_cnt--; 2305 sctp_free_remote_addr(chk->whoTo); 2306 sctp_free_a_chunk(stcb, chk); 2307 break; 2308 } 2309 } 2310} 2311 2312static void 2313sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2314 struct sctp_tcb *stcb, struct sctp_nets *net) 2315{ 2316 struct sctp_association *asoc; 2317 2318#ifdef SCTP_DEBUG 2319 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2320 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2321 } 2322#endif 2323 if (stcb == NULL) 2324 return; 2325 2326 asoc = &stcb->asoc; 2327 /* process according to association state */ 2328 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2329 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2330 SCTP_TCB_UNLOCK(stcb); 2331 return; 2332 } 2333 /* notify upper layer protocol */ 2334 if (stcb->sctp_socket) { 2335 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2336 /* are the queues empty? they should be */ 2337 if (!TAILQ_EMPTY(&asoc->send_queue) || 2338 !TAILQ_EMPTY(&asoc->sent_queue) || 2339 !TAILQ_EMPTY(&asoc->out_wheel)) { 2340 sctp_report_all_outbound(stcb); 2341 } 2342 } 2343 /* stop the timer */ 2344 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 2345 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2346 /* free the TCB */ 2347 sctp_free_assoc(stcb->sctp_ep, stcb, 0); 2348 return; 2349} 2350 2351static int 2352process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2353 struct sctp_nets *net, uint8_t flg) 2354{ 2355 switch (desc->chunk_type) { 2356 case SCTP_DATA: 2357 /* find the tsn to resend (possibly */ 2358 { 2359 uint32_t tsn; 2360 struct sctp_tmit_chunk *tp1; 2361 2362 tsn = ntohl(desc->tsn_ifany); 2363 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2364 while (tp1) { 2365 if (tp1->rec.data.TSN_seq == tsn) { 2366 /* found it */ 2367 break; 2368 } 2369 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2370 MAX_TSN)) { 2371 /* not found */ 2372 tp1 = NULL; 2373 break; 2374 } 2375 tp1 = TAILQ_NEXT(tp1, sctp_next); 2376 } 2377 if (tp1 == NULL) { 2378 /* 2379 * Do it the other way , aka without paying 2380 * attention to queue seq order. 2381 */ 2382 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2383 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2384 while (tp1) { 2385 if (tp1->rec.data.TSN_seq == tsn) { 2386 /* found it */ 2387 break; 2388 } 2389 tp1 = TAILQ_NEXT(tp1, sctp_next); 2390 } 2391 } 2392 if (tp1 == NULL) { 2393 SCTP_STAT_INCR(sctps_pdrptsnnf); 2394 } 2395 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2396 uint8_t *ddp; 2397 2398 if ((stcb->asoc.peers_rwnd == 0) && 2399 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2400 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2401 return (0); 2402 } 2403 if (stcb->asoc.peers_rwnd == 0 && 2404 (flg & SCTP_FROM_MIDDLE_BOX)) { 2405 SCTP_STAT_INCR(sctps_pdrpdizrw); 2406 return (0); 2407 } 2408 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2409 sizeof(struct sctp_data_chunk)); 2410 { 2411 unsigned int iii; 2412 2413 for (iii = 0; iii < sizeof(desc->data_bytes); 2414 iii++) { 2415 if (ddp[iii] != desc->data_bytes[iii]) { 2416 SCTP_STAT_INCR(sctps_pdrpbadd); 2417 return (-1); 2418 } 2419 } 2420 } 2421 /* 2422 * We zero out the nonce so resync not 2423 * needed 2424 */ 2425 tp1->rec.data.ect_nonce = 0; 2426 2427 if (tp1->do_rtt) { 2428 /* 2429 * this guy had a RTO calculation 2430 * pending on it, cancel it 2431 */ 2432 tp1->whoTo->rto_pending = 0; 2433 tp1->do_rtt = 0; 2434 } 2435 SCTP_STAT_INCR(sctps_pdrpmark); 2436 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2437 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2438 tp1->sent = SCTP_DATAGRAM_RESEND; 2439 /* 2440 * mark it as if we were doing a FR, since 2441 * we will be getting gap ack reports behind 2442 * the info from the router. 2443 */ 2444 tp1->rec.data.doing_fast_retransmit = 1; 2445 /* 2446 * mark the tsn with what sequences can 2447 * cause a new FR. 2448 */ 2449 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2450 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2451 } else { 2452 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2453 } 2454 2455 /* restart the timer */ 2456 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2457 stcb, tp1->whoTo); 2458 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2459 stcb, tp1->whoTo); 2460 2461 /* fix counts and things */ 2462 if (tp1->whoTo->flight_size >= tp1->book_size) 2463 tp1->whoTo->flight_size -= tp1->book_size; 2464 else 2465 tp1->whoTo->flight_size = 0; 2466 2467 if (stcb->asoc.total_flight >= tp1->book_size) { 2468 stcb->asoc.total_flight -= tp1->book_size; 2469 if (stcb->asoc.total_flight_count > 0) 2470 stcb->asoc.total_flight_count--; 2471 } else { 2472 stcb->asoc.total_flight = 0; 2473 stcb->asoc.total_flight_count = 0; 2474 } 2475 tp1->snd_count--; 2476 } { 2477 /* audit code */ 2478 unsigned int audit; 2479 2480 audit = 0; 2481 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2482 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2483 audit++; 2484 } 2485 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2486 sctp_next) { 2487 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2488 audit++; 2489 } 2490 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2491 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2492 audit, stcb->asoc.sent_queue_retran_cnt); 2493#ifndef SCTP_AUDITING_ENABLED 2494 stcb->asoc.sent_queue_retran_cnt = audit; 2495#endif 2496 } 2497 } 2498 } 2499 break; 2500 case SCTP_ASCONF: 2501 { 2502 struct sctp_tmit_chunk *asconf; 2503 2504 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2505 sctp_next) { 2506 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2507 break; 2508 } 2509 } 2510 if (asconf) { 2511 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2512 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2513 asconf->sent = SCTP_DATAGRAM_RESEND; 2514 asconf->snd_count--; 2515 } 2516 } 2517 break; 2518 case SCTP_INITIATION: 2519 /* resend the INIT */ 2520 stcb->asoc.dropped_special_cnt++; 2521 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2522 /* 2523 * If we can get it in, in a few attempts we do 2524 * this, otherwise we let the timer fire. 2525 */ 2526 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2527 stcb, net); 2528 sctp_send_initiate(stcb->sctp_ep, stcb); 2529 } 2530 break; 2531 case SCTP_SELECTIVE_ACK: 2532 /* resend the sack */ 2533 sctp_send_sack(stcb); 2534 break; 2535 case SCTP_HEARTBEAT_REQUEST: 2536 /* resend a demand HB */ 2537 sctp_send_hb(stcb, 1, net); 2538 break; 2539 case SCTP_SHUTDOWN: 2540 sctp_send_shutdown(stcb, net); 2541 break; 2542 case SCTP_SHUTDOWN_ACK: 2543 sctp_send_shutdown_ack(stcb, net); 2544 break; 2545 case SCTP_COOKIE_ECHO: 2546 { 2547 struct sctp_tmit_chunk *cookie; 2548 2549 cookie = NULL; 2550 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2551 sctp_next) { 2552 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2553 break; 2554 } 2555 } 2556 if (cookie) { 2557 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2558 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2559 cookie->sent = SCTP_DATAGRAM_RESEND; 2560 sctp_stop_all_cookie_timers(stcb); 2561 } 2562 } 2563 break; 2564 case SCTP_COOKIE_ACK: 2565 sctp_send_cookie_ack(stcb); 2566 break; 2567 case SCTP_ASCONF_ACK: 2568 /* resend last asconf ack */ 2569 sctp_send_asconf_ack(stcb, 1); 2570 break; 2571 case SCTP_FORWARD_CUM_TSN: 2572 send_forward_tsn(stcb, &stcb->asoc); 2573 break; 2574 /* can't do anything with these */ 2575 case SCTP_PACKET_DROPPED: 2576 case SCTP_INITIATION_ACK: /* this should not happen */ 2577 case SCTP_HEARTBEAT_ACK: 2578 case SCTP_ABORT_ASSOCIATION: 2579 case SCTP_OPERATION_ERROR: 2580 case SCTP_SHUTDOWN_COMPLETE: 2581 case SCTP_ECN_ECHO: 2582 case SCTP_ECN_CWR: 2583 default: 2584 break; 2585 } 2586 return (0); 2587} 2588 2589void 2590sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2591{ 2592 int i; 2593 uint16_t temp; 2594 2595 /* 2596 * We set things to 0xffff since this is the last delivered sequence 2597 * and we will be sending in 0 after the reset. 2598 */ 2599 2600 if (number_entries) { 2601 for (i = 0; i < number_entries; i++) { 2602 temp = ntohs(list[i]); 2603 if (temp >= stcb->asoc.streamincnt) { 2604 continue; 2605 } 2606 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2607 } 2608 } else { 2609 list = NULL; 2610 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2611 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2612 } 2613 } 2614 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2615} 2616 2617static void 2618sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2619{ 2620 int i; 2621 2622 if (number_entries == 0) { 2623 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2624 stcb->asoc.strmout[i].next_sequence_sent = 0; 2625 } 2626 } else if (number_entries) { 2627 for (i = 0; i < number_entries; i++) { 2628 uint16_t temp; 2629 2630 temp = ntohs(list[i]); 2631 if (temp >= stcb->asoc.streamoutcnt) { 2632 /* no such stream */ 2633 continue; 2634 } 2635 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2636 } 2637 } 2638 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2639} 2640 2641 2642struct sctp_stream_reset_out_request * 2643sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2644{ 2645 struct sctp_association *asoc; 2646 struct sctp_stream_reset_out_req *req; 2647 struct sctp_stream_reset_out_request *r; 2648 struct sctp_tmit_chunk *chk; 2649 int len, clen; 2650 2651 asoc = &stcb->asoc; 2652 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2653 return (NULL); 2654 } 2655 if (stcb->asoc.str_reset == NULL) { 2656 return (NULL); 2657 } 2658 chk = stcb->asoc.str_reset; 2659 if (chk->data == NULL) { 2660 return (NULL); 2661 } 2662 if (bchk) { 2663 /* he wants a copy of the chk pointer */ 2664 *bchk = chk; 2665 } 2666 clen = chk->send_size; 2667 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2668 r = &req->sr_req; 2669 if (ntohl(r->request_seq) == seq) { 2670 /* found it */ 2671 return (r); 2672 } 2673 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2674 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2675 /* move to the next one, there can only be a max of two */ 2676 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2677 if (ntohl(r->request_seq) == seq) { 2678 return (r); 2679 } 2680 } 2681 /* that seq is not here */ 2682 return (NULL); 2683} 2684 2685static void 2686sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2687{ 2688 struct sctp_association *asoc; 2689 2690 asoc = &stcb->asoc; 2691 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2692 2693 if (stcb->asoc.str_reset == NULL) { 2694 return; 2695 } 2696 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2697 TAILQ_REMOVE(&asoc->control_send_queue, 2698 chk, 2699 sctp_next); 2700 if (chk->data) { 2701 sctp_m_freem(chk->data); 2702 chk->data = NULL; 2703 } 2704 asoc->ctrl_queue_cnt--; 2705 sctp_free_remote_addr(chk->whoTo); 2706 2707 sctp_free_a_chunk(stcb, chk); 2708 stcb->asoc.str_reset = NULL; 2709} 2710 2711 2712static int 2713sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2714 uint32_t seq, uint32_t action, 2715 struct sctp_stream_reset_response *respin 2716) 2717{ 2718 uint16_t type; 2719 int lparm_len; 2720 struct sctp_association *asoc = &stcb->asoc; 2721 struct sctp_tmit_chunk *chk; 2722 struct sctp_stream_reset_out_request *srparam; 2723 int number_entries; 2724 2725 if (asoc->stream_reset_outstanding == 0) { 2726 /* duplicate */ 2727 return (0); 2728 } 2729 if (seq == stcb->asoc.str_reset_seq_out) { 2730 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2731 if (srparam) { 2732 stcb->asoc.str_reset_seq_out++; 2733 type = ntohs(srparam->ph.param_type); 2734 lparm_len = ntohs(srparam->ph.param_length); 2735 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2736 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2737 asoc->stream_reset_out_is_outstanding = 0; 2738 if (asoc->stream_reset_outstanding) 2739 asoc->stream_reset_outstanding--; 2740 if (action == SCTP_STREAM_RESET_PERFORMED) { 2741 /* do it */ 2742 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2743 } else { 2744 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2745 } 2746 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2747 /* Answered my request */ 2748 if (asoc->stream_reset_outstanding) 2749 asoc->stream_reset_outstanding--; 2750 if (action != SCTP_STREAM_RESET_PERFORMED) { 2751 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2752 } 2753 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2754 /** 2755 * a) Adopt the new in tsn. 2756 * b) reset the map 2757 * c) Adopt the new out-tsn 2758 */ 2759 struct sctp_stream_reset_response_tsn *resp; 2760 struct sctp_forward_tsn_chunk fwdtsn; 2761 int abort_flag = 0; 2762 2763 if (respin == NULL) { 2764 /* huh ? */ 2765 return (0); 2766 } 2767 if (action == SCTP_STREAM_RESET_PERFORMED) { 2768 resp = (struct sctp_stream_reset_response_tsn *)respin; 2769 asoc->stream_reset_outstanding--; 2770 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2771 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2772 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2773 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2774 if (abort_flag) { 2775 return (1); 2776 } 2777 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2778 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2779 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2780 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2781 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2782 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2783 2784 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2785 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2786 2787 } 2788 } 2789 /* get rid of the request and get the request flags */ 2790 if (asoc->stream_reset_outstanding == 0) { 2791 sctp_clean_up_stream_reset(stcb); 2792 } 2793 } 2794 } 2795 return (0); 2796} 2797 2798static void 2799sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2800 struct sctp_tmit_chunk *chk, 2801 struct sctp_stream_reset_in_request *req) 2802{ 2803 uint32_t seq; 2804 int len, i; 2805 int number_entries; 2806 uint16_t temp; 2807 2808 /* 2809 * peer wants me to send a str-reset to him for my outgoing seq's if 2810 * seq_in is right. 2811 */ 2812 struct sctp_association *asoc = &stcb->asoc; 2813 2814 seq = ntohl(req->request_seq); 2815 if (asoc->str_reset_seq_in == seq) { 2816 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2817 len = ntohs(req->ph.param_length); 2818 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2819 for (i = 0; i < number_entries; i++) { 2820 temp = ntohs(req->list_of_streams[i]); 2821 req->list_of_streams[i] = temp; 2822 } 2823 /* move the reset action back one */ 2824 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2825 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2826 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2827 asoc->str_reset_seq_out, 2828 seq, (asoc->sending_seq - 1)); 2829 asoc->stream_reset_out_is_outstanding = 1; 2830 asoc->str_reset = chk; 2831 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2832 stcb->asoc.stream_reset_outstanding++; 2833 } else { 2834 /* Can't do it, since we have sent one out */ 2835 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2836 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 2837 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2838 } 2839 asoc->str_reset_seq_in++; 2840 } else if (asoc->str_reset_seq_in - 1 == seq) { 2841 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2842 } else if (asoc->str_reset_seq_in - 2 == seq) { 2843 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2844 } else { 2845 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2846 } 2847} 2848 2849static int 2850sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 2851 struct sctp_tmit_chunk *chk, 2852 struct sctp_stream_reset_tsn_request *req) 2853{ 2854 /* reset all in and out and update the tsn */ 2855 /* 2856 * A) reset my str-seq's on in and out. B) Select a receive next, 2857 * and set cum-ack to it. Also process this selected number as a 2858 * fwd-tsn as well. C) set in the response my next sending seq. 2859 */ 2860 struct sctp_forward_tsn_chunk fwdtsn; 2861 struct sctp_association *asoc = &stcb->asoc; 2862 int abort_flag = 0; 2863 uint32_t seq; 2864 2865 seq = ntohl(req->request_seq); 2866 if (asoc->str_reset_seq_in == seq) { 2867 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2868 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2869 fwdtsn.ch.chunk_flags = 0; 2870 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 2871 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2872 if (abort_flag) { 2873 return (1); 2874 } 2875 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 2876 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2877 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 2878 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2879 atomic_add_int(&stcb->asoc.sending_seq, 1); 2880 /* save off historical data for retrans */ 2881 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 2882 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 2883 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 2884 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 2885 2886 sctp_add_stream_reset_result_tsn(chk, 2887 ntohl(req->request_seq), 2888 SCTP_STREAM_RESET_PERFORMED, 2889 stcb->asoc.sending_seq, 2890 stcb->asoc.mapping_array_base_tsn); 2891 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2892 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2893 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 2894 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2895 2896 asoc->str_reset_seq_in++; 2897 } else if (asoc->str_reset_seq_in - 1 == seq) { 2898 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 2899 stcb->asoc.last_sending_seq[0], 2900 stcb->asoc.last_base_tsnsent[0] 2901 ); 2902 } else if (asoc->str_reset_seq_in - 2 == seq) { 2903 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 2904 stcb->asoc.last_sending_seq[1], 2905 stcb->asoc.last_base_tsnsent[1] 2906 ); 2907 } else { 2908 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2909 } 2910 return (0); 2911} 2912 2913static void 2914sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 2915 struct sctp_tmit_chunk *chk, 2916 struct sctp_stream_reset_out_request *req) 2917{ 2918 uint32_t seq, tsn; 2919 int number_entries, len; 2920 struct sctp_association *asoc = &stcb->asoc; 2921 2922 seq = ntohl(req->request_seq); 2923 2924 /* now if its not a duplicate we process it */ 2925 if (asoc->str_reset_seq_in == seq) { 2926 len = ntohs(req->ph.param_length); 2927 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 2928 /* 2929 * the sender is resetting, handle the list issue.. we must 2930 * a) verify if we can do the reset, if so no problem b) If 2931 * we can't do the reset we must copy the request. c) queue 2932 * it, and setup the data in processor to trigger it off 2933 * when needed and dequeue all the queued data. 2934 */ 2935 tsn = ntohl(req->send_reset_at_tsn); 2936 2937 /* move the reset action back one */ 2938 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2939 if ((tsn == asoc->cumulative_tsn) || 2940 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 2941 /* we can do it now */ 2942 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 2943 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 2944 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2945 } else { 2946 /* 2947 * we must queue it up and thus wait for the TSN's 2948 * to arrive that are at or before tsn 2949 */ 2950 struct sctp_stream_reset_list *liste; 2951 int siz; 2952 2953 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 2954 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 2955 siz, "StrRstList"); 2956 if (liste == NULL) { 2957 /* gak out of memory */ 2958 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 2959 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 2960 return; 2961 } 2962 liste->tsn = tsn; 2963 liste->number_entries = number_entries; 2964 memcpy(&liste->req, req, 2965 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 2966 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 2967 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 2968 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2969 } 2970 asoc->str_reset_seq_in++; 2971 } else if ((asoc->str_reset_seq_in - 1) == seq) { 2972 /* 2973 * one seq back, just echo back last action since my 2974 * response was lost. 2975 */ 2976 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2977 } else if ((asoc->str_reset_seq_in - 2) == seq) { 2978 /* 2979 * two seq back, just echo back last action since my 2980 * response was lost. 2981 */ 2982 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2983 } else { 2984 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2985 } 2986} 2987 2988static int 2989sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 2990{ 2991 int chk_length, param_len, ptype; 2992 uint32_t seq; 2993 int num_req = 0; 2994 struct sctp_tmit_chunk *chk; 2995 struct sctp_chunkhdr *ch; 2996 struct sctp_paramhdr *ph; 2997 2998 /* now it may be a reset or a reset-response */ 2999 chk_length = ntohs(sr_req->ch.chunk_length); 3000 int ret_code = 0; 3001 int num_param = 0; 3002 3003 /* setup for adding the response */ 3004 sctp_alloc_a_chunk(stcb, chk); 3005 if (chk == NULL) { 3006 return (ret_code); 3007 } 3008 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3009 chk->asoc = &stcb->asoc; 3010 chk->no_fr_allowed = 0; 3011 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3012 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_DONTWAIT, 1, MT_DATA); 3013 if (chk->data == NULL) { 3014strres_nochunk: 3015 if (chk->data) { 3016 sctp_m_freem(chk->data); 3017 chk->data = NULL; 3018 } 3019 sctp_free_a_chunk(stcb, chk); 3020 return (ret_code); 3021 } 3022 chk->data->m_data += SCTP_MIN_OVERHEAD; 3023 3024 /* setup chunk parameters */ 3025 chk->sent = SCTP_DATAGRAM_UNSENT; 3026 chk->snd_count = 0; 3027 chk->whoTo = stcb->asoc.primary_destination; 3028 atomic_add_int(&chk->whoTo->ref_count, 1); 3029 3030 ch = mtod(chk->data, struct sctp_chunkhdr *); 3031 ch->chunk_type = SCTP_STREAM_RESET; 3032 ch->chunk_flags = 0; 3033 ch->chunk_length = htons(chk->send_size); 3034 chk->data->m_pkthdr.len = chk->data->m_len = SCTP_SIZE32(chk->send_size); 3035 3036 3037 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3038 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3039 param_len = ntohs(ph->param_length); 3040 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3041 /* bad param */ 3042 break; 3043 } 3044 ptype = ntohs(ph->param_type); 3045 num_param++; 3046 if (num_param > SCTP_MAX_RESET_PARAMS) { 3047 /* hit the max of parameters already sorry.. */ 3048 break; 3049 } 3050 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3051 struct sctp_stream_reset_out_request *req_out; 3052 3053 req_out = (struct sctp_stream_reset_out_request *)ph; 3054 num_req++; 3055 if (stcb->asoc.stream_reset_outstanding) { 3056 seq = ntohl(req_out->response_seq); 3057 if (seq == stcb->asoc.str_reset_seq_out) { 3058 /* implicit ack */ 3059 sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3060 } 3061 } 3062 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3063 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3064 struct sctp_stream_reset_in_request *req_in; 3065 3066 num_req++; 3067 req_in = (struct sctp_stream_reset_in_request *)ph; 3068 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3069 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3070 struct sctp_stream_reset_tsn_request *req_tsn; 3071 3072 num_req++; 3073 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3074 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3075 ret_code = 1; 3076 goto strres_nochunk; 3077 } 3078 /* no more */ 3079 break; 3080 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3081 struct sctp_stream_reset_response *resp; 3082 uint32_t result; 3083 3084 resp = (struct sctp_stream_reset_response *)ph; 3085 seq = ntohl(resp->response_seq); 3086 result = ntohl(resp->result); 3087 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3088 ret_code = 1; 3089 goto strres_nochunk; 3090 } 3091 } else { 3092 break; 3093 } 3094 3095 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3096 chk_length -= SCTP_SIZE32(param_len); 3097 } 3098 if (num_req == 0) { 3099 /* we have no response free the stuff */ 3100 goto strres_nochunk; 3101 } 3102 /* ok we have a chunk to link in */ 3103 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3104 chk, 3105 sctp_next); 3106 stcb->asoc.ctrl_queue_cnt++; 3107 return (ret_code); 3108} 3109 3110/* 3111 * Handle a router or endpoints report of a packet loss, there are two ways 3112 * to handle this, either we get the whole packet and must disect it 3113 * ourselves (possibly with truncation and or corruption) or it is a summary 3114 * from a middle box that did the disectting for us. 3115 */ 3116static void 3117sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3118 struct sctp_tcb *stcb, struct sctp_nets *net) 3119{ 3120 uint32_t bottle_bw, on_queue; 3121 uint16_t trunc_len; 3122 unsigned int chlen; 3123 unsigned int at; 3124 struct sctp_chunk_desc desc; 3125 struct sctp_chunkhdr *ch; 3126 3127 chlen = ntohs(cp->ch.chunk_length); 3128 chlen -= sizeof(struct sctp_pktdrop_chunk); 3129 /* XXX possible chlen underflow */ 3130 if (chlen == 0) { 3131 ch = NULL; 3132 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3133 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3134 } else { 3135 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3136 chlen -= sizeof(struct sctphdr); 3137 /* XXX possible chlen underflow */ 3138 memset(&desc, 0, sizeof(desc)); 3139 } 3140 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3141 /* now the chunks themselves */ 3142 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3143 desc.chunk_type = ch->chunk_type; 3144 /* get amount we need to move */ 3145 at = ntohs(ch->chunk_length); 3146 if (at < sizeof(struct sctp_chunkhdr)) { 3147 /* corrupt chunk, maybe at the end? */ 3148 SCTP_STAT_INCR(sctps_pdrpcrupt); 3149 break; 3150 } 3151 if (trunc_len == 0) { 3152 /* we are supposed to have all of it */ 3153 if (at > chlen) { 3154 /* corrupt skip it */ 3155 SCTP_STAT_INCR(sctps_pdrpcrupt); 3156 break; 3157 } 3158 } else { 3159 /* is there enough of it left ? */ 3160 if (desc.chunk_type == SCTP_DATA) { 3161 if (chlen < (sizeof(struct sctp_data_chunk) + 3162 sizeof(desc.data_bytes))) { 3163 break; 3164 } 3165 } else { 3166 if (chlen < sizeof(struct sctp_chunkhdr)) { 3167 break; 3168 } 3169 } 3170 } 3171 if (desc.chunk_type == SCTP_DATA) { 3172 /* can we get out the tsn? */ 3173 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3174 SCTP_STAT_INCR(sctps_pdrpmbda); 3175 3176 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3177 /* yep */ 3178 struct sctp_data_chunk *dcp; 3179 uint8_t *ddp; 3180 unsigned int iii; 3181 3182 dcp = (struct sctp_data_chunk *)ch; 3183 ddp = (uint8_t *) (dcp + 1); 3184 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3185 desc.data_bytes[iii] = ddp[iii]; 3186 } 3187 desc.tsn_ifany = dcp->dp.tsn; 3188 } else { 3189 /* nope we are done. */ 3190 SCTP_STAT_INCR(sctps_pdrpnedat); 3191 break; 3192 } 3193 } else { 3194 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3195 SCTP_STAT_INCR(sctps_pdrpmbct); 3196 } 3197 3198 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3199 SCTP_STAT_INCR(sctps_pdrppdbrk); 3200 break; 3201 } 3202 if (SCTP_SIZE32(at) > chlen) { 3203 break; 3204 } 3205 chlen -= SCTP_SIZE32(at); 3206 if (chlen < sizeof(struct sctp_chunkhdr)) { 3207 /* done, none left */ 3208 break; 3209 } 3210 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3211 } 3212 /* Now update any rwnd --- possibly */ 3213 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3214 /* From a peer, we get a rwnd report */ 3215 uint32_t a_rwnd; 3216 3217 SCTP_STAT_INCR(sctps_pdrpfehos); 3218 3219 bottle_bw = ntohl(cp->bottle_bw); 3220 on_queue = ntohl(cp->current_onq); 3221 if (bottle_bw && on_queue) { 3222 /* a rwnd report is in here */ 3223 if (bottle_bw > on_queue) 3224 a_rwnd = bottle_bw - on_queue; 3225 else 3226 a_rwnd = 0; 3227 3228 if (a_rwnd == 0) 3229 stcb->asoc.peers_rwnd = 0; 3230 else { 3231 if (a_rwnd > stcb->asoc.total_flight) { 3232 stcb->asoc.peers_rwnd = 3233 a_rwnd - stcb->asoc.total_flight; 3234 } else { 3235 stcb->asoc.peers_rwnd = 0; 3236 } 3237 if (stcb->asoc.peers_rwnd < 3238 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3239 /* SWS sender side engages */ 3240 stcb->asoc.peers_rwnd = 0; 3241 } 3242 } 3243 } 3244 } else { 3245 SCTP_STAT_INCR(sctps_pdrpfmbox); 3246 } 3247 3248 /* now middle boxes in sat networks get a cwnd bump */ 3249 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3250 (stcb->asoc.sat_t3_loss_recovery == 0) && 3251 (stcb->asoc.sat_network)) { 3252 /* 3253 * This is debateable but for sat networks it makes sense 3254 * Note if a T3 timer has went off, we will prohibit any 3255 * changes to cwnd until we exit the t3 loss recovery. 3256 */ 3257 uint32_t bw_avail; 3258 int rtt, incr; 3259 3260#ifdef SCTP_CWND_MONITOR 3261 int old_cwnd = net->cwnd; 3262 3263#endif 3264 /* need real RTT for this calc */ 3265 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3266 /* get bottle neck bw */ 3267 bottle_bw = ntohl(cp->bottle_bw); 3268 /* and whats on queue */ 3269 on_queue = ntohl(cp->current_onq); 3270 /* 3271 * adjust the on-queue if our flight is more it could be 3272 * that the router has not yet gotten data "in-flight" to it 3273 */ 3274 if (on_queue < net->flight_size) 3275 on_queue = net->flight_size; 3276 3277 /* calculate the available space */ 3278 bw_avail = (bottle_bw * rtt) / 1000; 3279 if (bw_avail > bottle_bw) { 3280 /* 3281 * Cap the growth to no more than the bottle neck. 3282 * This can happen as RTT slides up due to queues. 3283 * It also means if you have more than a 1 second 3284 * RTT with a empty queue you will be limited to the 3285 * bottle_bw per second no matter if other points 3286 * have 1/2 the RTT and you could get more out... 3287 */ 3288 bw_avail = bottle_bw; 3289 } 3290 if (on_queue > bw_avail) { 3291 /* 3292 * No room for anything else don't allow anything 3293 * else to be "added to the fire". 3294 */ 3295 int seg_inflight, seg_onqueue, my_portion; 3296 3297 net->partial_bytes_acked = 0; 3298 3299 /* how much are we over queue size? */ 3300 incr = on_queue - bw_avail; 3301 if (stcb->asoc.seen_a_sack_this_pkt) { 3302 /* 3303 * undo any cwnd adjustment that the sack 3304 * might have made 3305 */ 3306 net->cwnd = net->prev_cwnd; 3307 } 3308 /* Now how much of that is mine? */ 3309 seg_inflight = net->flight_size / net->mtu; 3310 seg_onqueue = on_queue / net->mtu; 3311 my_portion = (incr * seg_inflight) / seg_onqueue; 3312 3313 /* Have I made an adjustment already */ 3314 if (net->cwnd > net->flight_size) { 3315 /* 3316 * for this flight I made an adjustment we 3317 * need to decrease the portion by a share 3318 * our previous adjustment. 3319 */ 3320 int diff_adj; 3321 3322 diff_adj = net->cwnd - net->flight_size; 3323 if (diff_adj > my_portion) 3324 my_portion = 0; 3325 else 3326 my_portion -= diff_adj; 3327 } 3328 /* 3329 * back down to the previous cwnd (assume we have 3330 * had a sack before this packet). minus what ever 3331 * portion of the overage is my fault. 3332 */ 3333 net->cwnd -= my_portion; 3334 3335 /* we will NOT back down more than 1 MTU */ 3336 if (net->cwnd <= net->mtu) { 3337 net->cwnd = net->mtu; 3338 } 3339 /* force into CA */ 3340 net->ssthresh = net->cwnd - 1; 3341 } else { 3342 /* 3343 * Take 1/4 of the space left or max burst up .. 3344 * whichever is less. 3345 */ 3346 incr = min((bw_avail - on_queue) >> 2, 3347 (int)stcb->asoc.max_burst * (int)net->mtu); 3348 net->cwnd += incr; 3349 } 3350 if (net->cwnd > bw_avail) { 3351 /* We can't exceed the pipe size */ 3352 net->cwnd = bw_avail; 3353 } 3354 if (net->cwnd < net->mtu) { 3355 /* We always have 1 MTU */ 3356 net->cwnd = net->mtu; 3357 } 3358#ifdef SCTP_CWND_MONITOR 3359 if (net->cwnd - old_cwnd != 0) { 3360 /* log only changes */ 3361 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3362 SCTP_CWND_LOG_FROM_SAT); 3363 } 3364#endif 3365 } 3366} 3367 3368extern int sctp_strict_init; 3369extern int sctp_abort_if_one_2_one_hits_limit; 3370 3371/* 3372 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3373 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3374 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3375 * length of the complete packet outputs: - length: modified to remaining 3376 * length after control processing - netp: modified to new sctp_nets after 3377 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3378 * bad packet,...) otherwise return the tcb for this packet 3379 */ 3380static struct sctp_tcb * 3381sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3382 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3383 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3384{ 3385 struct sctp_association *asoc; 3386 uint32_t vtag_in; 3387 int num_chunks = 0; /* number of control chunks processed */ 3388 int chk_length; 3389 int ret; 3390 3391 /* 3392 * How big should this be, and should it be alloc'd? Lets try the 3393 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3394 * until we get into jumbo grams and such.. 3395 */ 3396 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 3397 struct sctp_tcb *locked_tcb = stcb; 3398 int got_auth = 0; 3399 uint32_t auth_offset = 0, auth_len = 0; 3400 int auth_skipped = 0; 3401 3402#ifdef SCTP_DEBUG 3403 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3404 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3405 iphlen, *offset, length, stcb); 3406 } 3407#endif /* SCTP_DEBUG */ 3408 3409 /* validate chunk header length... */ 3410 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3411 return (NULL); 3412 } 3413 /* 3414 * validate the verification tag 3415 */ 3416 vtag_in = ntohl(sh->v_tag); 3417 3418 if (ch->chunk_type == SCTP_INITIATION) { 3419 if (vtag_in != 0) { 3420 /* protocol error- silently discard... */ 3421 SCTP_STAT_INCR(sctps_badvtag); 3422 if (locked_tcb) 3423 SCTP_TCB_UNLOCK(locked_tcb); 3424 return (NULL); 3425 } 3426 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3427 /* 3428 * If there is no stcb, skip the AUTH chunk and process 3429 * later after a stcb is found (to validate the lookup was 3430 * valid. 3431 */ 3432 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3433 (stcb == NULL) && !sctp_auth_disable) { 3434 /* save this chunk for later processing */ 3435 auth_skipped = 1; 3436 auth_offset = *offset; 3437 auth_len = ntohs(ch->chunk_length); 3438 3439 /* (temporarily) move past this chunk */ 3440 *offset += SCTP_SIZE32(auth_len); 3441 if (*offset >= length) { 3442 /* no more data left in the mbuf chain */ 3443 *offset = length; 3444 return (NULL); 3445 } 3446 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3447 sizeof(struct sctp_chunkhdr), chunk_buf); 3448 } 3449 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3450 goto process_control_chunks; 3451 } 3452 /* 3453 * first check if it's an ASCONF with an unknown src addr we 3454 * need to look inside to find the association 3455 */ 3456 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3457 /* inp's refcount may be reduced */ 3458 SCTP_INP_INCR_REF(inp); 3459 3460 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3461 *offset, sh, &inp, netp); 3462 if (stcb == NULL) { 3463 /* 3464 * reduce inp's refcount if not reduced in 3465 * sctp_findassociation_ep_asconf(). 3466 */ 3467 SCTP_INP_DECR_REF(inp); 3468 } 3469 /* now go back and verify any auth chunk to be sure */ 3470 if (auth_skipped && (stcb != NULL)) { 3471 struct sctp_auth_chunk *auth; 3472 3473 auth = (struct sctp_auth_chunk *) 3474 sctp_m_getptr(m, auth_offset, 3475 auth_len, chunk_buf); 3476 got_auth = 1; 3477 auth_skipped = 0; 3478 if (sctp_handle_auth(stcb, auth, m, 3479 auth_offset)) { 3480 /* auth HMAC failed so dump it */ 3481 *offset = length; 3482 return (NULL); 3483 } else { 3484 /* remaining chunks are HMAC checked */ 3485 stcb->asoc.authenticated = 1; 3486 } 3487 } 3488 } 3489 if (stcb == NULL) { 3490 /* no association, so it's out of the blue... */ 3491 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3492 *offset = length; 3493 if (locked_tcb) 3494 SCTP_TCB_UNLOCK(locked_tcb); 3495 return (NULL); 3496 } 3497 asoc = &stcb->asoc; 3498 /* ABORT and SHUTDOWN can use either v_tag... */ 3499 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3500 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3501 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3502 if ((vtag_in == asoc->my_vtag) || 3503 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3504 (vtag_in == asoc->peer_vtag))) { 3505 /* this is valid */ 3506 } else { 3507 /* drop this packet... */ 3508 SCTP_STAT_INCR(sctps_badvtag); 3509 if (locked_tcb) 3510 SCTP_TCB_UNLOCK(locked_tcb); 3511 return (NULL); 3512 } 3513 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3514 if (vtag_in != asoc->my_vtag) { 3515 /* 3516 * this could be a stale SHUTDOWN-ACK or the 3517 * peer never got the SHUTDOWN-COMPLETE and 3518 * is still hung; we have started a new asoc 3519 * but it won't complete until the shutdown 3520 * is completed 3521 */ 3522 if (locked_tcb) 3523 SCTP_TCB_UNLOCK(locked_tcb); 3524 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3525 NULL); 3526 return (NULL); 3527 } 3528 } else { 3529 /* for all other chunks, vtag must match */ 3530 if (vtag_in != asoc->my_vtag) { 3531 /* invalid vtag... */ 3532#ifdef SCTP_DEBUG 3533 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3534 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3535 } 3536#endif /* SCTP_DEBUG */ 3537 SCTP_STAT_INCR(sctps_badvtag); 3538 if (locked_tcb) 3539 SCTP_TCB_UNLOCK(locked_tcb); 3540 *offset = length; 3541 return (NULL); 3542 } 3543 } 3544 } /* end if !SCTP_COOKIE_ECHO */ 3545 /* 3546 * process all control chunks... 3547 */ 3548 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3549 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3550 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3551 /* implied cookie-ack.. we must have lost the ack */ 3552 stcb->asoc.overall_error_count = 0; 3553 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3554 *netp); 3555 } 3556process_control_chunks: 3557 3558 while (IS_SCTP_CONTROL(ch)) { 3559 /* validate chunk length */ 3560 chk_length = ntohs(ch->chunk_length); 3561#ifdef SCTP_DEBUG 3562 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3563 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", 3564 ch->chunk_type, chk_length); 3565 } 3566#endif /* SCTP_DEBUG */ 3567 if ((size_t)chk_length < sizeof(*ch) || 3568 (*offset + chk_length) > length) { 3569 *offset = length; 3570 if (locked_tcb) 3571 SCTP_TCB_UNLOCK(locked_tcb); 3572 return (NULL); 3573 } 3574 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3575 /* 3576 * INIT-ACK only gets the init ack "header" portion only 3577 * because we don't have to process the peer's COOKIE. All 3578 * others get a complete chunk. 3579 */ 3580 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3581 /* get an init-ack chunk */ 3582 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3583 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3584 if (ch == NULL) { 3585 *offset = length; 3586 if (locked_tcb) 3587 SCTP_TCB_UNLOCK(locked_tcb); 3588 return (NULL); 3589 } 3590 } else { 3591 /* get a complete chunk... */ 3592 if ((size_t)chk_length > sizeof(chunk_buf)) { 3593 struct mbuf *oper; 3594 struct sctp_paramhdr *phdr; 3595 3596 oper = NULL; 3597 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3598 1, M_DONTWAIT, 1, MT_DATA); 3599 if (oper) { 3600 /* pre-reserve some space */ 3601 oper->m_data += sizeof(struct sctp_chunkhdr); 3602 oper->m_len = sizeof(struct sctp_paramhdr); 3603 oper->m_pkthdr.len = oper->m_len; 3604 phdr = mtod(oper, struct sctp_paramhdr *); 3605 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); 3606 phdr->param_length = htons(sizeof(struct sctp_paramhdr)); 3607 sctp_queue_op_err(stcb, oper); 3608 } 3609 if (locked_tcb) 3610 SCTP_TCB_UNLOCK(locked_tcb); 3611 return (NULL); 3612 } 3613 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3614 chk_length, chunk_buf); 3615 if (ch == NULL) { 3616 printf("sctp_process_control: Can't get the all data....\n"); 3617 *offset = length; 3618 if (locked_tcb) 3619 SCTP_TCB_UNLOCK(locked_tcb); 3620 return (NULL); 3621 } 3622 } 3623 num_chunks++; 3624 /* Save off the last place we got a control from */ 3625 if (stcb != NULL) { 3626 if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) { 3627 /* 3628 * allow last_control to be NULL if 3629 * ASCONF... ASCONF processing will find the 3630 * right net later 3631 */ 3632 stcb->asoc.last_control_chunk_from = *netp; 3633 } 3634 } 3635#ifdef SCTP_AUDITING_ENABLED 3636 sctp_audit_log(0xB0, ch->chunk_type); 3637#endif 3638 3639 /* check to see if this chunk required auth, but isn't */ 3640 if ((stcb != NULL) && !sctp_auth_disable && 3641 sctp_auth_is_required_chunk(ch->chunk_type, 3642 stcb->asoc.local_auth_chunks) && 3643 !stcb->asoc.authenticated) { 3644 /* "silently" ignore */ 3645 SCTP_STAT_INCR(sctps_recvauthmissing); 3646 goto next_chunk; 3647 } 3648 switch (ch->chunk_type) { 3649 case SCTP_INITIATION: 3650 /* must be first and only chunk */ 3651#ifdef SCTP_DEBUG 3652 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3653 printf("SCTP_INIT\n"); 3654 } 3655#endif /* SCTP_DEBUG */ 3656 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3657 /* We are not interested anymore? */ 3658 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3659 /* 3660 * collision case where we are 3661 * sending to them too 3662 */ 3663 ; 3664 } else { 3665 if (locked_tcb) 3666 SCTP_TCB_UNLOCK(locked_tcb); 3667 *offset = length; 3668 return (NULL); 3669 } 3670 } 3671 if ((num_chunks > 1) || 3672 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3673 *offset = length; 3674 if (locked_tcb) 3675 SCTP_TCB_UNLOCK(locked_tcb); 3676 return (NULL); 3677 } 3678 if ((stcb != NULL) && 3679 (SCTP_GET_STATE(&stcb->asoc) == 3680 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3681 sctp_send_shutdown_ack(stcb, 3682 stcb->asoc.primary_destination); 3683 *offset = length; 3684 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3685 if (locked_tcb) 3686 SCTP_TCB_UNLOCK(locked_tcb); 3687 return (NULL); 3688 } 3689 sctp_handle_init(m, iphlen, *offset, sh, 3690 (struct sctp_init_chunk *)ch, inp, stcb, *netp); 3691 *offset = length; 3692 if (locked_tcb) 3693 SCTP_TCB_UNLOCK(locked_tcb); 3694 return (NULL); 3695 break; 3696 case SCTP_INITIATION_ACK: 3697 /* must be first and only chunk */ 3698#ifdef SCTP_DEBUG 3699 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3700 printf("SCTP_INIT-ACK\n"); 3701 } 3702#endif /* SCTP_DEBUG */ 3703 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3704 /* We are not interested anymore */ 3705 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3706 ; 3707 } else { 3708 if (locked_tcb) 3709 SCTP_TCB_UNLOCK(locked_tcb); 3710 *offset = length; 3711 if (stcb) { 3712 sctp_free_assoc(inp, stcb, 0); 3713 } 3714 return (NULL); 3715 } 3716 } 3717 if ((num_chunks > 1) || 3718 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3719 *offset = length; 3720 if (locked_tcb) 3721 SCTP_TCB_UNLOCK(locked_tcb); 3722 return (NULL); 3723 } 3724 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3725 (struct sctp_init_ack_chunk *)ch, stcb, *netp); 3726 /* 3727 * Special case, I must call the output routine to 3728 * get the cookie echoed 3729 */ 3730 if ((stcb) && ret == 0) 3731 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3732 *offset = length; 3733 if (locked_tcb) 3734 SCTP_TCB_UNLOCK(locked_tcb); 3735 return (NULL); 3736 break; 3737 case SCTP_SELECTIVE_ACK: 3738#ifdef SCTP_DEBUG 3739 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3740 printf("SCTP_SACK\n"); 3741 } 3742#endif /* SCTP_DEBUG */ 3743 SCTP_STAT_INCR(sctps_recvsacks); 3744 { 3745 struct sctp_sack_chunk *sack; 3746 int abort_now = 0; 3747 uint32_t a_rwnd, cum_ack; 3748 uint16_t num_seg; 3749 int nonce_sum_flag; 3750 3751 sack = (struct sctp_sack_chunk *)ch; 3752 3753 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3754 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3755 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3756 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3757 stcb->asoc.seen_a_sack_this_pkt = 1; 3758 if ((stcb->asoc.pr_sctp_cnt == 0) && 3759 (num_seg == 0) && 3760 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3761 (cum_ack == stcb->asoc.last_acked_seq)) && 3762 (stcb->asoc.saw_sack_with_frags == 0) && 3763 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3764 ) { 3765 /* 3766 * We have a SIMPLE sack having no 3767 * prior segments and data on sent 3768 * queue to be acked.. Use the 3769 * faster path sack processing. We 3770 * also allow window update sacks 3771 * with no missing segments to go 3772 * this way too. 3773 */ 3774 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, &abort_now); 3775 } else { 3776 sctp_handle_sack(sack, stcb, *netp, &abort_now); 3777 } 3778 if (abort_now) { 3779 /* ABORT signal from sack processing */ 3780 *offset = length; 3781 return (NULL); 3782 } 3783 } 3784 break; 3785 case SCTP_HEARTBEAT_REQUEST: 3786#ifdef SCTP_DEBUG 3787 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3788 printf("SCTP_HEARTBEAT\n"); 3789 } 3790#endif /* SCTP_DEBUG */ 3791 SCTP_STAT_INCR(sctps_recvheartbeat); 3792 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3793 *netp); 3794 3795 /* He's alive so give him credit */ 3796 stcb->asoc.overall_error_count = 0; 3797 break; 3798 case SCTP_HEARTBEAT_ACK: 3799#ifdef SCTP_DEBUG 3800 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3801 printf("SCTP_HEARTBEAT-ACK\n"); 3802 } 3803#endif /* SCTP_DEBUG */ 3804 3805 /* He's alive so give him credit */ 3806 stcb->asoc.overall_error_count = 0; 3807 SCTP_STAT_INCR(sctps_recvheartbeatack); 3808 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3809 stcb, *netp); 3810 break; 3811 case SCTP_ABORT_ASSOCIATION: 3812#ifdef SCTP_DEBUG 3813 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3814 printf("SCTP_ABORT\n"); 3815 } 3816#endif /* SCTP_DEBUG */ 3817 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3818 stcb, *netp); 3819 *offset = length; 3820 return (NULL); 3821 break; 3822 case SCTP_SHUTDOWN: 3823#ifdef SCTP_DEBUG 3824 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3825 printf("SCTP_SHUTDOWN\n"); 3826 } 3827#endif /* SCTP_DEBUG */ 3828 { 3829 int abort_flag = 0; 3830 3831 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3832 stcb, *netp, &abort_flag); 3833 if (abort_flag) { 3834 *offset = length; 3835 return (NULL); 3836 } 3837 } 3838 break; 3839 case SCTP_SHUTDOWN_ACK: 3840#ifdef SCTP_DEBUG 3841 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3842 printf("SCTP_SHUTDOWN-ACK\n"); 3843 } 3844#endif /* SCTP_DEBUG */ 3845 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3846 *offset = length; 3847 return (NULL); 3848 break; 3849 case SCTP_OPERATION_ERROR: 3850#ifdef SCTP_DEBUG 3851 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3852 printf("SCTP_OP-ERR\n"); 3853 } 3854#endif /* SCTP_DEBUG */ 3855 if (sctp_handle_error(ch, stcb, *netp) < 0) { 3856 *offset = length; 3857 return (NULL); 3858 } 3859 break; 3860 case SCTP_COOKIE_ECHO: 3861#ifdef SCTP_DEBUG 3862 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3863 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3864 } 3865#endif /* SCTP_DEBUG */ 3866 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3867 ; 3868 } else { 3869 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) && 3870 (stcb == NULL)) { 3871 /* We are not interested anymore */ 3872 *offset = length; 3873 return (NULL); 3874 } 3875 } 3876 /* 3877 * First are we accepting? We do this again here 3878 * since it is possible that a previous endpoint WAS 3879 * listening responded to a INIT-ACK and then 3880 * closed. We opened and bound.. and are now no 3881 * longer listening. 3882 */ 3883 if (inp->sctp_socket->so_qlimit == 0) { 3884 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 3885 /* 3886 * special case, is this a retran'd 3887 * COOKIE-ECHO or a restarting assoc 3888 * that is a peeled off or 3889 * one-to-one style socket. 3890 */ 3891 goto process_cookie_anyway; 3892 } 3893 sctp_abort_association(inp, stcb, m, iphlen, sh, 3894 NULL); 3895 *offset = length; 3896 return (NULL); 3897 } else if (inp->sctp_socket->so_qlimit) { 3898 /* we are accepting so check limits like TCP */ 3899 if (inp->sctp_socket->so_qlen > 3900 inp->sctp_socket->so_qlimit) { 3901 /* no space */ 3902 struct mbuf *oper; 3903 struct sctp_paramhdr *phdr; 3904 3905 if (sctp_abort_if_one_2_one_hits_limit) { 3906 oper = NULL; 3907 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3908 1, M_DONTWAIT, 1, MT_DATA); 3909 if (oper) { 3910 oper->m_len = 3911 oper->m_pkthdr.len = 3912 sizeof(struct sctp_paramhdr); 3913 phdr = mtod(oper, 3914 struct sctp_paramhdr *); 3915 phdr->param_type = 3916 htons(SCTP_CAUSE_OUT_OF_RESC); 3917 phdr->param_length = 3918 htons(sizeof(struct sctp_paramhdr)); 3919 } 3920 sctp_abort_association(inp, stcb, m, 3921 iphlen, sh, oper); 3922 } 3923 *offset = length; 3924 return (NULL); 3925 } 3926 } 3927 process_cookie_anyway: 3928 { 3929 struct mbuf *ret_buf; 3930 3931 ret_buf = 3932 sctp_handle_cookie_echo(m, iphlen, 3933 *offset, sh, 3934 (struct sctp_cookie_echo_chunk *)ch, 3935 &inp, &stcb, netp, 3936 auth_skipped, 3937 auth_offset, 3938 auth_len); 3939 3940 if (ret_buf == NULL) { 3941 if (locked_tcb) { 3942 SCTP_TCB_UNLOCK(locked_tcb); 3943 } 3944#ifdef SCTP_DEBUG 3945 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3946 printf("GAK, null buffer\n"); 3947 } 3948#endif /* SCTP_DEBUG */ 3949 auth_skipped = 0; 3950 *offset = length; 3951 return (NULL); 3952 } 3953 /* if AUTH skipped, see if it verified... */ 3954 if (auth_skipped) { 3955 got_auth = 1; 3956 auth_skipped = 0; 3957 } 3958 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 3959 /* 3960 * Restart the timer if we have 3961 * pending data 3962 */ 3963 struct sctp_tmit_chunk *chk; 3964 3965 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 3966 if (chk) { 3967 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 3968 stcb->sctp_ep, stcb, 3969 chk->whoTo); 3970 } 3971 } 3972 } 3973 break; 3974 case SCTP_COOKIE_ACK: 3975#ifdef SCTP_DEBUG 3976 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3977 printf("SCTP_COOKIE-ACK\n"); 3978 } 3979#endif /* SCTP_DEBUG */ 3980 3981 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3982 /* We are not interested anymore */ 3983 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3984 ; 3985 } else { 3986 sctp_free_assoc(inp, stcb, 0); 3987 *offset = length; 3988 return (NULL); 3989 } 3990 } 3991 /* He's alive so give him credit */ 3992 stcb->asoc.overall_error_count = 0; 3993 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 3994 break; 3995 case SCTP_ECN_ECHO: 3996#ifdef SCTP_DEBUG 3997 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3998 printf("SCTP_ECN-ECHO\n"); 3999 } 4000#endif /* SCTP_DEBUG */ 4001 /* He's alive so give him credit */ 4002 stcb->asoc.overall_error_count = 0; 4003 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4004 stcb); 4005 break; 4006 case SCTP_ECN_CWR: 4007#ifdef SCTP_DEBUG 4008 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4009 printf("SCTP_ECN-CWR\n"); 4010 } 4011#endif /* SCTP_DEBUG */ 4012 /* He's alive so give him credit */ 4013 stcb->asoc.overall_error_count = 0; 4014 4015 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4016 break; 4017 case SCTP_SHUTDOWN_COMPLETE: 4018#ifdef SCTP_DEBUG 4019 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4020 printf("SCTP_SHUTDOWN-COMPLETE\n"); 4021 } 4022#endif /* SCTP_DEBUG */ 4023 /* must be first and only chunk */ 4024 if ((num_chunks > 1) || 4025 (length - *offset > SCTP_SIZE32(chk_length))) { 4026 *offset = length; 4027 if (locked_tcb) 4028 SCTP_TCB_UNLOCK(locked_tcb); 4029 4030 return (NULL); 4031 } 4032 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4033 stcb, *netp); 4034 *offset = length; 4035 return (NULL); 4036 break; 4037 case SCTP_ASCONF: 4038#ifdef SCTP_DEBUG 4039 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4040 printf("SCTP_ASCONF\n"); 4041 } 4042#endif /* SCTP_DEBUG */ 4043 /* He's alive so give him credit */ 4044 stcb->asoc.overall_error_count = 0; 4045 4046 sctp_handle_asconf(m, *offset, 4047 (struct sctp_asconf_chunk *)ch, stcb); 4048 break; 4049 case SCTP_ASCONF_ACK: 4050#ifdef SCTP_DEBUG 4051 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4052 printf("SCTP_ASCONF-ACK\n"); 4053 } 4054#endif /* SCTP_DEBUG */ 4055 /* He's alive so give him credit */ 4056 stcb->asoc.overall_error_count = 0; 4057 4058 sctp_handle_asconf_ack(m, *offset, 4059 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4060 break; 4061 case SCTP_FORWARD_CUM_TSN: 4062#ifdef SCTP_DEBUG 4063 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4064 printf("SCTP_FWD-TSN\n"); 4065 } 4066#endif /* SCTP_DEBUG */ 4067 /* He's alive so give him credit */ 4068 { 4069 int abort_flag = 0; 4070 4071 stcb->asoc.overall_error_count = 0; 4072 *fwd_tsn_seen = 1; 4073 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4074 /* We are not interested anymore */ 4075 sctp_free_assoc(inp, stcb, 0); 4076 *offset = length; 4077 return (NULL); 4078 } 4079 sctp_handle_forward_tsn(stcb, 4080 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4081 if (abort_flag) { 4082 *offset = length; 4083 return (NULL); 4084 } else { 4085 stcb->asoc.overall_error_count = 0; 4086 } 4087 4088 } 4089 break; 4090 case SCTP_STREAM_RESET: 4091#ifdef SCTP_DEBUG 4092 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4093 printf("SCTP_STREAM_RESET\n"); 4094 } 4095#endif /* SCTP_DEBUG */ 4096 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4097 chk_length, chunk_buf); 4098 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4099 /* We are not interested anymore */ 4100 sctp_free_assoc(inp, stcb, 0); 4101 *offset = length; 4102 return (NULL); 4103 } 4104 if (stcb->asoc.peer_supports_strreset == 0) { 4105 /* 4106 * hmm, peer should have announced this, but 4107 * we will turn it on since he is sending us 4108 * a stream reset. 4109 */ 4110 stcb->asoc.peer_supports_strreset = 1; 4111 } 4112 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4113 /* stop processing */ 4114 *offset = length; 4115 return (NULL); 4116 } 4117 break; 4118 case SCTP_PACKET_DROPPED: 4119#ifdef SCTP_DEBUG 4120 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4121 printf("SCTP_PACKET_DROPPED\n"); 4122 } 4123#endif /* SCTP_DEBUG */ 4124 /* re-get it all please */ 4125 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4126 chk_length, chunk_buf); 4127 4128 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4129 stcb, *netp); 4130 4131 break; 4132 4133 case SCTP_AUTHENTICATION: 4134#ifdef SCTP_DEBUG 4135 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4136 printf("SCTP_AUTHENTICATION\n"); 4137 } 4138#endif /* SCTP_DEBUG */ 4139 if (sctp_auth_disable) 4140 goto unknown_chunk; 4141 4142 if (stcb == NULL) { 4143 /* save the first AUTH for later processing */ 4144 if (auth_skipped == 0) { 4145 auth_offset = *offset; 4146 auth_len = chk_length; 4147 auth_skipped = 1; 4148 } 4149 /* skip this chunk (temporarily) */ 4150 goto next_chunk; 4151 } 4152 if (got_auth == 1) { 4153 /* skip this chunk... it's already auth'd */ 4154 goto next_chunk; 4155 } 4156 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4157 chk_length, chunk_buf); 4158 got_auth = 1; 4159 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4160 m, *offset)) { 4161 /* auth HMAC failed so dump the packet */ 4162 *offset = length; 4163 return (stcb); 4164 } else { 4165 /* remaining chunks are HMAC checked */ 4166 stcb->asoc.authenticated = 1; 4167 } 4168 break; 4169 4170 default: 4171 unknown_chunk: 4172 /* it's an unknown chunk! */ 4173 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4174 struct mbuf *mm; 4175 struct sctp_paramhdr *phd; 4176 4177 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4178 1, M_DONTWAIT, 1, MT_DATA); 4179 if (mm) { 4180 phd = mtod(mm, struct sctp_paramhdr *); 4181 /* 4182 * We cheat and use param type since 4183 * we did not bother to define a 4184 * error cause struct. They are the 4185 * same basic format with different 4186 * names. 4187 */ 4188 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4189 phd->param_length = htons(chk_length + sizeof(*phd)); 4190 mm->m_len = sizeof(*phd); 4191 mm->m_next = sctp_m_copym(m, *offset, SCTP_SIZE32(chk_length), 4192 M_DONTWAIT); 4193 if (mm->m_next) { 4194 mm->m_pkthdr.len = SCTP_SIZE32(chk_length) + sizeof(*phd); 4195 sctp_queue_op_err(stcb, mm); 4196 } else { 4197 sctp_m_freem(mm); 4198 } 4199 } 4200 } 4201 if ((ch->chunk_type & 0x80) == 0) { 4202 /* discard this packet */ 4203 *offset = length; 4204 return (stcb); 4205 } /* else skip this bad chunk and continue... */ 4206 break; 4207 } /* switch (ch->chunk_type) */ 4208 4209 4210next_chunk: 4211 /* get the next chunk */ 4212 *offset += SCTP_SIZE32(chk_length); 4213 if (*offset >= length) { 4214 /* no more data left in the mbuf chain */ 4215 break; 4216 } 4217 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4218 sizeof(struct sctp_chunkhdr), chunk_buf); 4219 if (ch == NULL) { 4220 if (locked_tcb) 4221 SCTP_TCB_UNLOCK(locked_tcb); 4222 *offset = length; 4223 return (NULL); 4224 } 4225 } /* while */ 4226 return (stcb); 4227} 4228 4229 4230/* 4231 * Process the ECN bits we have something set so we must look to see if it is 4232 * ECN(0) or ECN(1) or CE 4233 */ 4234static __inline void 4235sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4236 uint8_t ecn_bits) 4237{ 4238 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4239 ; 4240 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4241 /* 4242 * we only add to the nonce sum for ECT1, ECT0 does not 4243 * change the NS bit (that we have yet to find a way to send 4244 * it yet). 4245 */ 4246 4247 /* ECN Nonce stuff */ 4248 stcb->asoc.receiver_nonce_sum++; 4249 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4250 4251 /* 4252 * Drag up the last_echo point if cumack is larger since we 4253 * don't want the point falling way behind by more than 4254 * 2^^31 and then having it be incorrect. 4255 */ 4256 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4257 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4258 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4259 } 4260 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4261 /* 4262 * Drag up the last_echo point if cumack is larger since we 4263 * don't want the point falling way behind by more than 4264 * 2^^31 and then having it be incorrect. 4265 */ 4266 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4267 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4268 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4269 } 4270 } 4271} 4272 4273static __inline void 4274sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4275 uint32_t high_tsn, uint8_t ecn_bits) 4276{ 4277 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4278 /* 4279 * we possibly must notify the sender that a congestion 4280 * window reduction is in order. We do this by adding a ECNE 4281 * chunk to the output chunk queue. The incoming CWR will 4282 * remove this chunk. 4283 */ 4284 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4285 MAX_TSN)) { 4286 /* Yep, we need to add a ECNE */ 4287 sctp_send_ecn_echo(stcb, net, high_tsn); 4288 stcb->asoc.last_echo_tsn = high_tsn; 4289 } 4290 } 4291} 4292 4293/* 4294 * common input chunk processing (v4 and v6) 4295 */ 4296int 4297sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4298 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4299 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4300 uint8_t ecn_bits) 4301{ 4302 /* 4303 * Control chunk processing 4304 */ 4305 uint32_t high_tsn; 4306 int fwd_tsn_seen = 0, data_processed = 0; 4307 struct mbuf *m = *mm; 4308 int abort_flag = 0; 4309 int un_sent; 4310 4311 SCTP_STAT_INCR(sctps_recvdatagrams); 4312#ifdef SCTP_AUDITING_ENABLED 4313 sctp_audit_log(0xE0, 1); 4314 sctp_auditing(0, inp, stcb, net); 4315#endif 4316 4317#ifdef SCTP_DEBUG 4318 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4319 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 4320 m, iphlen, offset); 4321 } 4322#endif /* SCTP_DEBUG */ 4323 4324 if (stcb) { 4325 /* always clear this before beginning a packet */ 4326 stcb->asoc.authenticated = 0; 4327 stcb->asoc.seen_a_sack_this_pkt = 0; 4328 } 4329 if (IS_SCTP_CONTROL(ch)) { 4330 /* process the control portion of the SCTP packet */ 4331 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4332 inp, stcb, &net, &fwd_tsn_seen); 4333 if (stcb) { 4334 /* 4335 * This covers us if the cookie-echo was there and 4336 * it changes our INP. 4337 */ 4338 inp = stcb->sctp_ep; 4339 } 4340 } else { 4341 /* 4342 * no control chunks, so pre-process DATA chunks (these 4343 * checks are taken care of by control processing) 4344 */ 4345 4346 /* 4347 * if DATA only packet, and auth is required, then punt... 4348 * can't have authenticated without any AUTH (control) 4349 * chunks 4350 */ 4351 if ((stcb != NULL) && !sctp_auth_disable && 4352 sctp_auth_is_required_chunk(SCTP_DATA, 4353 stcb->asoc.local_auth_chunks)) { 4354 /* "silently" ignore */ 4355 SCTP_STAT_INCR(sctps_recvauthmissing); 4356 SCTP_TCB_UNLOCK(stcb); 4357 return (1); 4358 } 4359 if (stcb == NULL) { 4360 /* out of the blue DATA chunk */ 4361 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4362 return (1); 4363 } 4364 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4365 /* v_tag mismatch! */ 4366 SCTP_STAT_INCR(sctps_badvtag); 4367 SCTP_TCB_UNLOCK(stcb); 4368 return (1); 4369 } 4370 } 4371 4372 if (stcb == NULL) { 4373 /* 4374 * no valid TCB for this packet, or we found it's a bad 4375 * packet while processing control, or we're done with this 4376 * packet (done or skip rest of data), so we drop it... 4377 */ 4378 return (1); 4379 } 4380 /* 4381 * DATA chunk processing 4382 */ 4383 /* plow through the data chunks while length > offset */ 4384 4385 /* 4386 * Rest should be DATA only. Check authentication state if AUTH for 4387 * DATA is required. 4388 */ 4389 if ((stcb != NULL) && !sctp_auth_disable && 4390 sctp_auth_is_required_chunk(SCTP_DATA, 4391 stcb->asoc.local_auth_chunks) && 4392 !stcb->asoc.authenticated) { 4393 /* "silently" ignore */ 4394 SCTP_STAT_INCR(sctps_recvauthmissing); 4395#ifdef SCTP_DEBUG 4396 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 4397 printf("Data chunk requires AUTH, skipped\n"); 4398#endif 4399 SCTP_TCB_UNLOCK(stcb); 4400 return (1); 4401 } 4402 if (length > offset) { 4403 int retval; 4404 4405 /* 4406 * First check to make sure our state is correct. We would 4407 * not get here unless we really did have a tag, so we don't 4408 * abort if this happens, just dump the chunk silently. 4409 */ 4410 switch (SCTP_GET_STATE(&stcb->asoc)) { 4411 case SCTP_STATE_COOKIE_ECHOED: 4412 /* 4413 * we consider data with valid tags in this state 4414 * shows us the cookie-ack was lost. Imply it was 4415 * there. 4416 */ 4417 stcb->asoc.overall_error_count = 0; 4418 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4419 break; 4420 case SCTP_STATE_COOKIE_WAIT: 4421 /* 4422 * We consider OOTB any data sent during asoc setup. 4423 */ 4424 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4425 SCTP_TCB_UNLOCK(stcb); 4426 return (1); 4427 break; 4428 case SCTP_STATE_EMPTY: /* should not happen */ 4429 case SCTP_STATE_INUSE: /* should not happen */ 4430 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4431 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4432 default: 4433 SCTP_TCB_UNLOCK(stcb); 4434 return (1); 4435 break; 4436 case SCTP_STATE_OPEN: 4437 case SCTP_STATE_SHUTDOWN_SENT: 4438 break; 4439 } 4440 /* take care of ECN, part 1. */ 4441 if (stcb->asoc.ecn_allowed && 4442 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4443 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4444 } 4445 /* plow through the data chunks while length > offset */ 4446 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4447 inp, stcb, net, &high_tsn); 4448 if (retval == 2) { 4449 /* 4450 * The association aborted, NO UNLOCK needed since 4451 * the association is destroyed. 4452 */ 4453 return (0); 4454 } 4455 data_processed = 1; 4456 if (retval == 0) { 4457 /* take care of ecn part 2. */ 4458 if (stcb->asoc.ecn_allowed && 4459 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4460 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4461 ecn_bits); 4462 } 4463 } 4464 /* 4465 * Anything important needs to have been m_copy'ed in 4466 * process_data 4467 */ 4468 } 4469 if ((data_processed == 0) && (fwd_tsn_seen)) { 4470 int was_a_gap = 0; 4471 4472 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4473 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4474 /* there was a gap before this data was processed */ 4475 was_a_gap = 1; 4476 } 4477 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4478 if (abort_flag) { 4479 /* Again, we aborted so NO UNLOCK needed */ 4480 return (0); 4481 } 4482 } 4483 /* trigger send of any chunks in queue... */ 4484#ifdef SCTP_AUDITING_ENABLED 4485 sctp_audit_log(0xE0, 2); 4486 sctp_auditing(1, inp, stcb, net); 4487#endif 4488#ifdef SCTP_DEBUG 4489 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4490 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4491 stcb->asoc.peers_rwnd, 4492 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4493 stcb->asoc.total_flight); 4494 } 4495#endif 4496 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4497 4498 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4499 ((un_sent) && 4500 (stcb->asoc.peers_rwnd > 0 || 4501 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4502#ifdef SCTP_DEBUG 4503 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4504 printf("Calling chunk OUTPUT\n"); 4505 } 4506#endif 4507 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4508#ifdef SCTP_DEBUG 4509 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4510 printf("chunk OUTPUT returns\n"); 4511 } 4512#endif 4513 } 4514#ifdef SCTP_AUDITING_ENABLED 4515 sctp_audit_log(0xE0, 3); 4516 sctp_auditing(2, inp, stcb, net); 4517#endif 4518 SCTP_TCB_UNLOCK(stcb); 4519 return (0); 4520} 4521 4522extern int sctp_no_csum_on_loopback; 4523 4524 4525void 4526sctp_input(m, off) 4527 struct mbuf *m; 4528 int off; 4529 4530{ 4531#ifdef SCTP_MBUF_LOGGING 4532 struct mbuf *mat; 4533 4534#endif 4535 int iphlen; 4536 int s; 4537 uint8_t ecn_bits; 4538 struct ip *ip; 4539 struct sctphdr *sh; 4540 struct sctp_inpcb *inp = NULL; 4541 4542 uint32_t check, calc_check; 4543 struct sctp_nets *net; 4544 struct sctp_tcb *stcb = NULL; 4545 struct sctp_chunkhdr *ch; 4546 int refcount_up = 0; 4547 int length, mlen, offset; 4548 4549 4550 iphlen = off; 4551 net = NULL; 4552 SCTP_STAT_INCR(sctps_recvpackets); 4553 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4554 4555 /* 4556 * Strip IP options, we don't allow any in or out. 4557 */ 4558#ifdef SCTP_MBUF_LOGGING 4559 /* Log in any input mbufs */ 4560 mat = m; 4561 while (mat) { 4562 if (mat->m_flags & M_EXT) { 4563 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4564 } 4565 mat = mat->m_next; 4566 } 4567#endif 4568 if ((size_t)iphlen > sizeof(struct ip)) { 4569 ip_stripoptions(m, (struct mbuf *)0); 4570 iphlen = sizeof(struct ip); 4571 } 4572 /* 4573 * Get IP, SCTP, and first chunk header together in first mbuf. 4574 */ 4575 ip = mtod(m, struct ip *); 4576 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4577 if (m->m_len < offset) { 4578 if ((m = m_pullup(m, offset)) == 0) { 4579 SCTP_STAT_INCR(sctps_hdrops); 4580 return; 4581 } 4582 ip = mtod(m, struct ip *); 4583 } 4584 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4585 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4586 4587 /* SCTP does not allow broadcasts or multicasts */ 4588 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4589 goto bad; 4590 } 4591 if (((ch->chunk_type == SCTP_INITIATION) || 4592 (ch->chunk_type == SCTP_INITIATION_ACK) || 4593 (ch->chunk_type == SCTP_COOKIE_ECHO)) && 4594 (in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))) { 4595 /* 4596 * We only look at broadcast if its a front state, All 4597 * others we will not have a tcb for anyway. 4598 */ 4599 goto bad; 4600 } 4601 /* destination port of 0 is illegal, based on RFC2960. */ 4602 if (sh->dest_port == 0) { 4603 SCTP_STAT_INCR(sctps_hdrops); 4604 goto bad; 4605 } 4606 /* validate SCTP checksum */ 4607 if ((sctp_no_csum_on_loopback == 0) || 4608 (m->m_pkthdr.rcvif == NULL) || 4609 (m->m_pkthdr.rcvif->if_type != IFT_LOOP)) { 4610 /* 4611 * we do NOT validate things from the loopback if the sysctl 4612 * is set to 1. 4613 */ 4614 check = sh->checksum; /* save incoming checksum */ 4615 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4616 /* 4617 * special hook for where we got a local address 4618 * somehow routed across a non IFT_LOOP type 4619 * interface 4620 */ 4621 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4622 goto sctp_skip_csum_4; 4623 } 4624 sh->checksum = 0; /* prepare for calc */ 4625 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4626 if (calc_check != check) { 4627#ifdef SCTP_DEBUG 4628 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4629 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4630 calc_check, check, m, mlen, iphlen); 4631 } 4632#endif 4633 4634 stcb = sctp_findassociation_addr(m, iphlen, 4635 offset - sizeof(*ch), 4636 sh, ch, &inp, &net); 4637 if ((inp) && (stcb)) { 4638 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4639 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4640 } else if ((inp != NULL) && (stcb == NULL)) { 4641 refcount_up = 1; 4642 } 4643 SCTP_STAT_INCR(sctps_badsum); 4644 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4645 goto bad; 4646 } 4647 sh->checksum = calc_check; 4648 } else { 4649sctp_skip_csum_4: 4650 mlen = m->m_pkthdr.len; 4651 } 4652 /* validate mbuf chain length with IP payload length */ 4653 if (mlen < (ip->ip_len - iphlen)) { 4654 SCTP_STAT_INCR(sctps_hdrops); 4655 goto bad; 4656 } 4657 /* 4658 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4659 * IP/SCTP/first chunk header... 4660 */ 4661 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4662 sh, ch, &inp, &net); 4663 /* inp's ref-count increased && stcb locked */ 4664 if (inp == NULL) { 4665 struct sctp_init_chunk *init_chk, chunk_buf; 4666 4667 SCTP_STAT_INCR(sctps_noport); 4668#ifdef ICMP_BANDLIM 4669 /* 4670 * we use the bandwidth limiting to protect against sending 4671 * too many ABORTS all at once. In this case these count the 4672 * same as an ICMP message. 4673 */ 4674 if (badport_bandlim(0) < 0) 4675 goto bad; 4676#endif /* ICMP_BANDLIM */ 4677#ifdef SCTP_DEBUG 4678 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4679 printf("Sending a ABORT from packet entry!\n"); 4680 } 4681#endif 4682 if (ch->chunk_type == SCTP_INITIATION) { 4683 /* 4684 * we do a trick here to get the INIT tag, dig in 4685 * and get the tag from the INIT and put it in the 4686 * common header. 4687 */ 4688 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4689 iphlen + sizeof(*sh), sizeof(*init_chk), 4690 (uint8_t *) & chunk_buf); 4691 if (init_chk != NULL) 4692 sh->v_tag = init_chk->init.initiate_tag; 4693 } 4694 sctp_send_abort(m, iphlen, sh, 0, NULL); 4695 goto bad; 4696 } else if (stcb == NULL) { 4697 refcount_up = 1; 4698 } 4699#ifdef IPSEC 4700 /* 4701 * I very much doubt any of the IPSEC stuff will work but I have no 4702 * idea, so I will leave it in place. 4703 */ 4704 4705 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 4706 ipsecstat.in_polvio++; 4707 SCTP_STAT_INCR(sctps_hdrops); 4708 goto bad; 4709 } 4710#endif /* IPSEC */ 4711 4712 4713 4714 /* 4715 * common chunk processing 4716 */ 4717 length = ip->ip_len + iphlen; 4718 offset -= sizeof(struct sctp_chunkhdr); 4719 4720 ecn_bits = ip->ip_tos; 4721 s = splnet(); 4722 4723 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4724 inp, stcb, net, ecn_bits); 4725 /* inp's ref-count reduced && stcb unlocked */ 4726 splx(s); 4727 if (m) { 4728 sctp_m_freem(m); 4729 } 4730 if ((inp) && (refcount_up)) { 4731 /* reduce ref-count */ 4732 SCTP_INP_WLOCK(inp); 4733 SCTP_INP_DECR_REF(inp); 4734 SCTP_INP_WUNLOCK(inp); 4735 } 4736 return; 4737bad: 4738 if (stcb) 4739 SCTP_TCB_UNLOCK(stcb); 4740 4741 if ((inp) && (refcount_up)) { 4742 /* reduce ref-count */ 4743 SCTP_INP_WLOCK(inp); 4744 SCTP_INP_DECR_REF(inp); 4745 SCTP_INP_WUNLOCK(inp); 4746 } 4747 if (m) { 4748 sctp_m_freem(m); 4749 } 4750 return; 4751} 4752