sctp_input.c revision 168859
1/*- 2 * Copyright (c) 2001-2007, Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 168859 2007-04-19 11:28:43Z rrs $"); 35 36#include <netinet/sctp_os.h> 37#include <netinet/sctp_var.h> 38#include <netinet/sctp_sysctl.h> 39#include <netinet/sctp_pcb.h> 40#include <netinet/sctp_header.h> 41#include <netinet/sctputil.h> 42#include <netinet/sctp_output.h> 43#include <netinet/sctp_input.h> 44#include <netinet/sctp_auth.h> 45#include <netinet/sctp_indata.h> 46#include <netinet/sctp_asconf.h> 47 48 49 50 51static void 52sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 53{ 54 struct sctp_nets *net; 55 56 /* 57 * This now not only stops all cookie timers it also stops any INIT 58 * timers as well. This will make sure that the timers are stopped 59 * in all collision cases. 60 */ 61 SCTP_TCB_LOCK_ASSERT(stcb); 62 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 63 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 64 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 65 stcb->sctp_ep, 66 stcb, 67 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 68 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 69 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 70 stcb->sctp_ep, 71 stcb, 72 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 73 } 74 } 75} 76 77/* INIT handler */ 78static void 79sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 80 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 81 struct sctp_nets *net, int *abort_no_unlock) 82{ 83 struct sctp_init *init; 84 struct mbuf *op_err; 85 uint32_t init_limit; 86 87#ifdef SCTP_DEBUG 88 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 89 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 90 } 91#endif 92 op_err = NULL; 93 init = &cp->init; 94 /* First are we accepting? */ 95 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 96#ifdef SCTP_DEBUG 97 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 98 printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit); 99 } 100#endif 101 /* 102 * FIX ME ?? What about TCP model and we have a 103 * match/restart case? 104 */ 105 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 106 if (stcb) 107 *abort_no_unlock = 1; 108 return; 109 } 110 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 111 /* Invalid length */ 112 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 113 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 114 if (stcb) 115 *abort_no_unlock = 1; 116 return; 117 } 118 /* validate parameters */ 119 if (init->initiate_tag == 0) { 120 /* protocol error... send abort */ 121 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 122 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 123 if (stcb) 124 *abort_no_unlock = 1; 125 return; 126 } 127 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 128 /* invalid parameter... send abort */ 129 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 130 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 131 return; 132 } 133 if (init->num_inbound_streams == 0) { 134 /* protocol error... send abort */ 135 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 136 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 137 if (stcb) 138 *abort_no_unlock = 1; 139 return; 140 } 141 if (init->num_outbound_streams == 0) { 142 /* protocol error... send abort */ 143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 145 if (stcb) 146 *abort_no_unlock = 1; 147 return; 148 } 149 init_limit = offset + ntohs(cp->ch.chunk_length); 150 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 151 init_limit)) { 152 /* auth parameter(s) error... send abort */ 153 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL); 154 if (stcb) 155 *abort_no_unlock = 1; 156 return; 157 } 158 /* send an INIT-ACK w/cookie */ 159#ifdef SCTP_DEBUG 160 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 161 printf("sctp_handle_init: sending INIT-ACK\n"); 162 } 163#endif 164 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 165} 166 167/* 168 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 169 */ 170static int 171sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 172 struct sctp_nets *net) 173{ 174 struct sctp_init *init; 175 struct sctp_association *asoc; 176 struct sctp_nets *lnet; 177 unsigned int i; 178 179 init = &cp->init; 180 asoc = &stcb->asoc; 181 /* save off parameters */ 182 asoc->peer_vtag = ntohl(init->initiate_tag); 183 asoc->peers_rwnd = ntohl(init->a_rwnd); 184 if (TAILQ_FIRST(&asoc->nets)) { 185 /* update any ssthresh's that may have a default */ 186 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 187 lnet->ssthresh = asoc->peers_rwnd; 188 189#if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 190 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 191#endif 192 193 } 194 } 195 SCTP_TCB_SEND_LOCK(stcb); 196 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 197 unsigned int newcnt; 198 struct sctp_stream_out *outs; 199 struct sctp_stream_queue_pending *sp; 200 201 /* cut back on number of streams */ 202 newcnt = ntohs(init->num_inbound_streams); 203 /* This if is probably not needed but I am cautious */ 204 if (asoc->strmout) { 205 /* First make sure no data chunks are trapped */ 206 for (i = newcnt; i < asoc->pre_open_streams; i++) { 207 outs = &asoc->strmout[i]; 208 sp = TAILQ_FIRST(&outs->outqueue); 209 while (sp) { 210 TAILQ_REMOVE(&outs->outqueue, sp, 211 next); 212 asoc->stream_queue_cnt--; 213 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 214 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 215 sp); 216 if (sp->data) { 217 sctp_m_freem(sp->data); 218 sp->data = NULL; 219 } 220 sctp_free_remote_addr(sp->net); 221 sp->net = NULL; 222 /* Free the chunk */ 223 printf("sp:%p tcb:%p weird free case\n", 224 sp, stcb); 225 226 sctp_free_a_strmoq(stcb, sp); 227 sp = TAILQ_FIRST(&outs->outqueue); 228 } 229 } 230 } 231 /* cut back the count and abandon the upper streams */ 232 asoc->pre_open_streams = newcnt; 233 } 234 SCTP_TCB_SEND_UNLOCK(stcb); 235 asoc->streamoutcnt = asoc->pre_open_streams; 236 /* init tsn's */ 237 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 238#ifdef SCTP_MAP_LOGGING 239 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 240#endif 241 /* This is the next one we expect */ 242 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 243 244 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 245 asoc->cumulative_tsn = asoc->asconf_seq_in; 246 asoc->last_echo_tsn = asoc->asconf_seq_in; 247 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 248 /* open the requested streams */ 249 if (asoc->strmin != NULL) { 250 /* Free the old ones */ 251 struct sctp_queued_to_read *ctl; 252 253 for (i = 0; i < asoc->streamincnt; i++) { 254 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 255 while (ctl) { 256 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 257 sctp_free_remote_addr(ctl->whoFrom); 258 sctp_m_freem(ctl->data); 259 ctl->data = NULL; 260 sctp_free_a_readq(stcb, ctl); 261 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 262 } 263 } 264 SCTP_FREE(asoc->strmin); 265 } 266 asoc->streamincnt = ntohs(init->num_outbound_streams); 267 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 268 asoc->streamincnt = MAX_SCTP_STREAMS; 269 } 270 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 271 sizeof(struct sctp_stream_in), "StreamsIn"); 272 if (asoc->strmin == NULL) { 273 /* we didn't get memory for the streams! */ 274#ifdef SCTP_DEBUG 275 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 276 printf("process_init: couldn't get memory for the streams!\n"); 277 } 278#endif 279 return (-1); 280 } 281 for (i = 0; i < asoc->streamincnt; i++) { 282 asoc->strmin[i].stream_no = i; 283 asoc->strmin[i].last_sequence_delivered = 0xffff; 284 /* 285 * U-stream ranges will be set when the cookie is unpacked. 286 * Or for the INIT sender they are un set (if pr-sctp not 287 * supported) when the INIT-ACK arrives. 288 */ 289 TAILQ_INIT(&asoc->strmin[i].inqueue); 290 /* 291 * we are not on any wheel, pr-sctp streams will go on the 292 * wheel when they have data waiting for reorder. 293 */ 294 asoc->strmin[i].next_spoke.tqe_next = 0; 295 asoc->strmin[i].next_spoke.tqe_prev = 0; 296 } 297 298 /* 299 * load_address_from_init will put the addresses into the 300 * association when the COOKIE is processed or the INIT-ACK is 301 * processed. Both types of COOKIE's existing and new call this 302 * routine. It will remove addresses that are no longer in the 303 * association (for the restarting case where addresses are 304 * removed). Up front when the INIT arrives we will discard it if it 305 * is a restart and new addresses have been added. 306 */ 307 return (0); 308} 309 310/* 311 * INIT-ACK message processing/consumption returns value < 0 on error 312 */ 313static int 314sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 315 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 316 struct sctp_nets *net, int *abort_no_unlock) 317{ 318 struct sctp_association *asoc; 319 struct mbuf *op_err; 320 int retval, abort_flag; 321 uint32_t initack_limit; 322 323 /* First verify that we have no illegal param's */ 324 abort_flag = 0; 325 op_err = NULL; 326 327 op_err = sctp_arethere_unrecognized_parameters(m, 328 (offset + sizeof(struct sctp_init_chunk)), 329 &abort_flag, (struct sctp_chunkhdr *)cp); 330 if (abort_flag) { 331 /* Send an abort and notify peer */ 332 if (op_err != NULL) { 333 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 334 } else { 335 /* 336 * Just notify (abort_assoc does this if we send an 337 * abort). 338 */ 339 sctp_abort_notification(stcb, 0); 340 /* 341 * No sense in further INIT's since we will get the 342 * same param back 343 */ 344 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3); 345 *abort_no_unlock = 1; 346 } 347 return (-1); 348 } 349 asoc = &stcb->asoc; 350 /* process the peer's parameters in the INIT-ACK */ 351 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 352 if (retval < 0) { 353 return (retval); 354 } 355 initack_limit = offset + ntohs(cp->ch.chunk_length); 356 /* load all addresses */ 357 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 358 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 359 NULL))) { 360 /* Huh, we should abort */ 361#ifdef SCTP_DEBUG 362 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 363 printf("Load addresses from INIT causes an abort %d\n", retval); 364 } 365#endif 366 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 367 NULL); 368 *abort_no_unlock = 1; 369 return (-1); 370 } 371 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 372 stcb->asoc.local_hmacs); 373 if (op_err) { 374 sctp_queue_op_err(stcb, op_err); 375 /* queuing will steal away the mbuf chain to the out queue */ 376 op_err = NULL; 377 } 378 /* extract the cookie and queue it to "echo" it back... */ 379 stcb->asoc.overall_error_count = 0; 380 net->error_count = 0; 381 382 /* 383 * Cancel the INIT timer, We do this first before queueing the 384 * cookie. We always cancel at the primary to assue that we are 385 * canceling the timer started by the INIT which always goes to the 386 * primary. 387 */ 388 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 389 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 390 391 /* calculate the RTO */ 392 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 393 394 retval = sctp_send_cookie_echo(m, offset, stcb, net); 395 if (retval < 0) { 396 /* 397 * No cookie, we probably should send a op error. But in any 398 * case if there is no cookie in the INIT-ACK, we can 399 * abandon the peer, its broke. 400 */ 401 if (retval == -3) { 402 /* We abort with an error of missing mandatory param */ 403 struct mbuf *op_err; 404 405 op_err = 406 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 407 if (op_err) { 408 /* 409 * Expand beyond to include the mandatory 410 * param cookie 411 */ 412 struct sctp_inv_mandatory_param *mp; 413 414 SCTP_BUF_LEN(op_err) = 415 sizeof(struct sctp_inv_mandatory_param); 416 mp = mtod(op_err, 417 struct sctp_inv_mandatory_param *); 418 /* Subtract the reserved param */ 419 mp->length = 420 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 421 mp->num_param = htonl(1); 422 mp->param = htons(SCTP_STATE_COOKIE); 423 mp->resv = 0; 424 } 425 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 426 sh, op_err); 427 *abort_no_unlock = 1; 428 } 429 return (retval); 430 } 431 return (0); 432} 433 434static void 435sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 436 struct sctp_tcb *stcb, struct sctp_nets *net) 437{ 438 struct sockaddr_storage store; 439 struct sockaddr_in *sin; 440 struct sockaddr_in6 *sin6; 441 struct sctp_nets *r_net; 442 struct timeval tv; 443 444 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 445 /* Invalid length */ 446 return; 447 } 448 sin = (struct sockaddr_in *)&store; 449 sin6 = (struct sockaddr_in6 *)&store; 450 451 memset(&store, 0, sizeof(store)); 452 if (cp->heartbeat.hb_info.addr_family == AF_INET && 453 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 454 sin->sin_family = cp->heartbeat.hb_info.addr_family; 455 sin->sin_len = cp->heartbeat.hb_info.addr_len; 456 sin->sin_port = stcb->rport; 457 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 458 sizeof(sin->sin_addr)); 459 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 460 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 461 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 462 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 463 sin6->sin6_port = stcb->rport; 464 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 465 sizeof(sin6->sin6_addr)); 466 } else { 467 return; 468 } 469 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 470 if (r_net == NULL) { 471#ifdef SCTP_DEBUG 472 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 473 printf("Huh? I can't find the address I sent it to, discard\n"); 474 } 475#endif 476 return; 477 } 478 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 479 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 480 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 481 /* 482 * If the its a HB and it's random value is correct when can 483 * confirm the destination. 484 */ 485 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 486 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 487 stcb->asoc.primary_destination = r_net; 488 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY; 489 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 490 r_net = TAILQ_FIRST(&stcb->asoc.nets); 491 if (r_net != stcb->asoc.primary_destination) { 492 /* 493 * first one on the list is NOT the primary 494 * sctp_cmpaddr() is much more efficent if 495 * the primary is the first on the list, 496 * make it so. 497 */ 498 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 499 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 500 } 501 } 502 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 503 stcb, 0, (void *)r_net); 504 } 505 r_net->error_count = 0; 506 r_net->hb_responded = 1; 507 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 508 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 509 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 510 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 511 r_net->dest_state |= SCTP_ADDR_REACHABLE; 512 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 513 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 514 /* now was it the primary? if so restore */ 515 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 516 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 517 } 518 } 519 /* Now lets do a RTO with this */ 520 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 521} 522 523static void 524sctp_handle_abort(struct sctp_abort_chunk *cp, 525 struct sctp_tcb *stcb, struct sctp_nets *net) 526{ 527 528#ifdef SCTP_DEBUG 529 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 530 printf("sctp_handle_abort: handling ABORT\n"); 531 } 532#endif 533 if (stcb == NULL) 534 return; 535 /* verify that the destination addr is in the association */ 536 /* ignore abort for addresses being deleted */ 537 538 /* stop any receive timers */ 539 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 540 /* notify user of the abort and clean up... */ 541 sctp_abort_notification(stcb, 0); 542 /* free the tcb */ 543 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 544 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 545 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 546 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 547 } 548#ifdef SCTP_ASOCLOG_OF_TSNS 549 sctp_print_out_track_log(stcb); 550#endif 551 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 552#ifdef SCTP_DEBUG 553 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 554 printf("sctp_handle_abort: finished\n"); 555 } 556#endif 557} 558 559static void 560sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 561 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 562{ 563 struct sctp_association *asoc; 564 int some_on_streamwheel; 565 566#ifdef SCTP_DEBUG 567 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 568 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 569 } 570#endif 571 if (stcb == NULL) 572 return; 573 asoc = &stcb->asoc; 574 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 575 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 576 return; 577 } 578 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 579 /* Shutdown NOT the expected size */ 580 return; 581 } else { 582 sctp_update_acked(stcb, cp, net, abort_flag); 583 } 584 if (asoc->control_pdapi) { 585 /* 586 * With a normal shutdown we assume the end of last record. 587 */ 588 SCTP_INP_READ_LOCK(stcb->sctp_ep); 589 asoc->control_pdapi->end_added = 1; 590 asoc->control_pdapi->pdapi_aborted = 1; 591 asoc->control_pdapi = NULL; 592 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 593 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 594 } 595 /* goto SHUTDOWN_RECEIVED state to block new requests */ 596 if (stcb->sctp_socket) { 597 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 598 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 599 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 600 /* 601 * notify upper layer that peer has initiated a 602 * shutdown 603 */ 604 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 605 606 /* reset time */ 607 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 608 } 609 } 610 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 611 /* 612 * stop the shutdown timer, since we WILL move to 613 * SHUTDOWN-ACK-SENT. 614 */ 615 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 616 } 617 /* Now are we there yet? */ 618 some_on_streamwheel = 0; 619 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 620 /* Check to see if some data queued */ 621 struct sctp_stream_out *outs; 622 623 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 624 if (!TAILQ_EMPTY(&outs->outqueue)) { 625 some_on_streamwheel = 1; 626 break; 627 } 628 } 629 } 630 if (!TAILQ_EMPTY(&asoc->send_queue) || 631 !TAILQ_EMPTY(&asoc->sent_queue) || 632 some_on_streamwheel) { 633 /* By returning we will push more data out */ 634 return; 635 } else { 636 /* no outstanding data to send, so move on... */ 637 /* send SHUTDOWN-ACK */ 638 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 639 /* move to SHUTDOWN-ACK-SENT state */ 640 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 641 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 642 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 643 } 644 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 645 646 /* start SHUTDOWN timer */ 647 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 648 stcb, net); 649 } 650} 651 652static void 653sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 654 struct sctp_tcb *stcb, struct sctp_nets *net) 655{ 656 struct sctp_association *asoc; 657 658#ifdef SCTP_DEBUG 659 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 660 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 661 } 662#endif 663 if (stcb == NULL) 664 return; 665 666 asoc = &stcb->asoc; 667 /* process according to association state */ 668 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 669 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 670 /* unexpected SHUTDOWN-ACK... so ignore... */ 671 SCTP_TCB_UNLOCK(stcb); 672 return; 673 } 674 if (asoc->control_pdapi) { 675 /* 676 * With a normal shutdown we assume the end of last record. 677 */ 678 SCTP_INP_READ_LOCK(stcb->sctp_ep); 679 asoc->control_pdapi->end_added = 1; 680 asoc->control_pdapi->pdapi_aborted = 1; 681 asoc->control_pdapi = NULL; 682 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 683 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 684 } 685 /* are the queues empty? */ 686 if (!TAILQ_EMPTY(&asoc->send_queue) || 687 !TAILQ_EMPTY(&asoc->sent_queue) || 688 !TAILQ_EMPTY(&asoc->out_wheel)) { 689 sctp_report_all_outbound(stcb, 0); 690 } 691 /* stop the timer */ 692 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 693 /* send SHUTDOWN-COMPLETE */ 694 sctp_send_shutdown_complete(stcb, net); 695 /* notify upper layer protocol */ 696 if (stcb->sctp_socket) { 697 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 698 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 699 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 700 /* Set the connected flag to disconnected */ 701 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 702 } 703 } 704 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 705 /* free the TCB but first save off the ep */ 706 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 707 SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 708} 709 710/* 711 * Skip past the param header and then we will find the chunk that caused the 712 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 713 * our peer must be broken. 714 */ 715static void 716sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 717 struct sctp_nets *net) 718{ 719 struct sctp_chunkhdr *chk; 720 721 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 722 switch (chk->chunk_type) { 723 case SCTP_ASCONF_ACK: 724 case SCTP_ASCONF: 725 sctp_asconf_cleanup(stcb, net); 726 break; 727 case SCTP_FORWARD_CUM_TSN: 728 stcb->asoc.peer_supports_prsctp = 0; 729 break; 730 default: 731#ifdef SCTP_DEBUG 732 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 733 printf("Peer does not support chunk type %d(%x)??\n", 734 chk->chunk_type, (uint32_t) chk->chunk_type); 735 } 736#endif 737 break; 738 } 739} 740 741/* 742 * Skip past the param header and then we will find the param that caused the 743 * problem. There are a number of param's in a ASCONF OR the prsctp param 744 * these will turn of specific features. 745 */ 746static void 747sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 748{ 749 struct sctp_paramhdr *pbad; 750 751 pbad = phdr + 1; 752 switch (ntohs(pbad->param_type)) { 753 /* pr-sctp draft */ 754 case SCTP_PRSCTP_SUPPORTED: 755 stcb->asoc.peer_supports_prsctp = 0; 756 break; 757 case SCTP_SUPPORTED_CHUNK_EXT: 758 break; 759 /* draft-ietf-tsvwg-addip-sctp */ 760 case SCTP_ECN_NONCE_SUPPORTED: 761 stcb->asoc.peer_supports_ecn_nonce = 0; 762 stcb->asoc.ecn_nonce_allowed = 0; 763 stcb->asoc.ecn_allowed = 0; 764 break; 765 case SCTP_ADD_IP_ADDRESS: 766 case SCTP_DEL_IP_ADDRESS: 767 case SCTP_SET_PRIM_ADDR: 768 stcb->asoc.peer_supports_asconf = 0; 769 break; 770 case SCTP_SUCCESS_REPORT: 771 case SCTP_ERROR_CAUSE_IND: 772#ifdef SCTP_DEBUG 773 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 774 printf("Huh, the peer does not support success? or error cause?\n"); 775 printf("Turning off ASCONF to this strange peer\n"); 776 } 777#endif 778 stcb->asoc.peer_supports_asconf = 0; 779 break; 780 default: 781#ifdef SCTP_DEBUG 782 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 783 printf("Peer does not support param type %d(%x)??\n", 784 pbad->param_type, (uint32_t) pbad->param_type); 785 } 786#endif 787 break; 788 } 789} 790 791static int 792sctp_handle_error(struct sctp_chunkhdr *ch, 793 struct sctp_tcb *stcb, struct sctp_nets *net) 794{ 795 int chklen; 796 struct sctp_paramhdr *phdr; 797 uint16_t error_type; 798 uint16_t error_len; 799 struct sctp_association *asoc; 800 801 int adjust; 802 803 /* parse through all of the errors and process */ 804 asoc = &stcb->asoc; 805 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 806 sizeof(struct sctp_chunkhdr)); 807 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 808 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 809 /* Process an Error Cause */ 810 error_type = ntohs(phdr->param_type); 811 error_len = ntohs(phdr->param_length); 812 if ((error_len > chklen) || (error_len == 0)) { 813 /* invalid param length for this param */ 814#ifdef SCTP_DEBUG 815 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 816 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 817 chklen, error_len); 818 } 819#endif /* SCTP_DEBUG */ 820 return (0); 821 } 822 switch (error_type) { 823 case SCTP_CAUSE_INVALID_STREAM: 824 case SCTP_CAUSE_MISSING_PARAM: 825 case SCTP_CAUSE_INVALID_PARAM: 826 case SCTP_CAUSE_NO_USER_DATA: 827#ifdef SCTP_DEBUG 828 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 829 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 830 error_type); 831 } 832#endif 833 break; 834 case SCTP_CAUSE_STALE_COOKIE: 835 /* 836 * We only act if we have echoed a cookie and are 837 * waiting. 838 */ 839 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 840 int *p; 841 842 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 843 /* Save the time doubled */ 844 asoc->cookie_preserve_req = ntohl(*p) << 1; 845 asoc->stale_cookie_count++; 846 if (asoc->stale_cookie_count > 847 asoc->max_init_times) { 848 sctp_abort_notification(stcb, 0); 849 /* now free the asoc */ 850 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 851 return (-1); 852 } 853 /* blast back to INIT state */ 854 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 855 asoc->state |= SCTP_STATE_COOKIE_WAIT; 856 857 sctp_stop_all_cookie_timers(stcb); 858 sctp_send_initiate(stcb->sctp_ep, stcb); 859 } 860 break; 861 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 862 /* 863 * Nothing we can do here, we don't do hostname 864 * addresses so if the peer does not like my IPv6 865 * (or IPv4 for that matter) it does not matter. If 866 * they don't support that type of address, they can 867 * NOT possibly get that packet type... i.e. with no 868 * IPv6 you can't recieve a IPv6 packet. so we can 869 * safely ignore this one. If we ever added support 870 * for HOSTNAME Addresses, then we would need to do 871 * something here. 872 */ 873 break; 874 case SCTP_CAUSE_UNRECOG_CHUNK: 875 sctp_process_unrecog_chunk(stcb, phdr, net); 876 break; 877 case SCTP_CAUSE_UNRECOG_PARAM: 878 sctp_process_unrecog_param(stcb, phdr); 879 break; 880 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 881 /* 882 * We ignore this since the timer will drive out a 883 * new cookie anyway and there timer will drive us 884 * to send a SHUTDOWN_COMPLETE. We can't send one 885 * here since we don't have their tag. 886 */ 887 break; 888 case SCTP_CAUSE_DELETING_LAST_ADDR: 889 case SCTP_CAUSE_RESOURCE_SHORTAGE: 890 case SCTP_CAUSE_DELETING_SRC_ADDR: 891 /* 892 * We should NOT get these here, but in a 893 * ASCONF-ACK. 894 */ 895#ifdef SCTP_DEBUG 896 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 897 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 898 error_type); 899 } 900#endif 901 break; 902 case SCTP_CAUSE_OUT_OF_RESC: 903 /* 904 * And what, pray tell do we do with the fact that 905 * the peer is out of resources? Not really sure we 906 * could do anything but abort. I suspect this 907 * should have came WITH an abort instead of in a 908 * OP-ERROR. 909 */ 910 break; 911 default: 912#ifdef SCTP_DEBUG 913 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 914 /* don't know what this error cause is... */ 915 printf("sctp_handle_error: unknown error type = 0x%xh\n", 916 error_type); 917 } 918#endif /* SCTP_DEBUG */ 919 break; 920 } 921 adjust = SCTP_SIZE32(error_len); 922 chklen -= adjust; 923 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 924 } 925 return (0); 926} 927 928static int 929sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 930 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 931 struct sctp_nets *net, int *abort_no_unlock) 932{ 933 struct sctp_init_ack *init_ack; 934 int *state; 935 struct mbuf *op_err; 936 937#ifdef SCTP_DEBUG 938 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 939 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 940 } 941#endif 942 if (stcb == NULL) { 943#ifdef SCTP_DEBUG 944 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 945 printf("sctp_handle_init_ack: TCB is null\n"); 946 } 947#endif 948 return (-1); 949 } 950 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 951 /* Invalid length */ 952 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 953 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 954 op_err); 955 *abort_no_unlock = 1; 956 return (-1); 957 } 958 init_ack = &cp->init; 959 /* validate parameters */ 960 if (init_ack->initiate_tag == 0) { 961 /* protocol error... send an abort */ 962 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 963 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 964 op_err); 965 *abort_no_unlock = 1; 966 return (-1); 967 } 968 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 969 /* protocol error... send an abort */ 970 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 971 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 972 op_err); 973 *abort_no_unlock = 1; 974 return (-1); 975 } 976 if (init_ack->num_inbound_streams == 0) { 977 /* protocol error... send an abort */ 978 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 979 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 980 op_err); 981 *abort_no_unlock = 1; 982 return (-1); 983 } 984 if (init_ack->num_outbound_streams == 0) { 985 /* protocol error... send an abort */ 986 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 987 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 988 op_err); 989 *abort_no_unlock = 1; 990 return (-1); 991 } 992 /* process according to association state... */ 993 state = &stcb->asoc.state; 994 switch (*state & SCTP_STATE_MASK) { 995 case SCTP_STATE_COOKIE_WAIT: 996 /* this is the expected state for this chunk */ 997 /* process the INIT-ACK parameters */ 998 if (stcb->asoc.primary_destination->dest_state & 999 SCTP_ADDR_UNCONFIRMED) { 1000 /* 1001 * The primary is where we sent the INIT, we can 1002 * always consider it confirmed when the INIT-ACK is 1003 * returned. Do this before we load addresses 1004 * though. 1005 */ 1006 stcb->asoc.primary_destination->dest_state &= 1007 ~SCTP_ADDR_UNCONFIRMED; 1008 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1009 stcb, 0, (void *)stcb->asoc.primary_destination); 1010 } 1011 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net, 1012 abort_no_unlock) < 0) { 1013 /* error in parsing parameters */ 1014 return (-1); 1015 } 1016 /* update our state */ 1017#ifdef SCTP_DEBUG 1018 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1019 printf("moving to COOKIE-ECHOED state\n"); 1020 } 1021#endif 1022 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 1023 *state = SCTP_STATE_COOKIE_ECHOED | 1024 SCTP_STATE_SHUTDOWN_PENDING; 1025 } else { 1026 *state = SCTP_STATE_COOKIE_ECHOED; 1027 } 1028 1029 /* reset the RTO calc */ 1030 stcb->asoc.overall_error_count = 0; 1031 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1032 /* 1033 * collapse the init timer back in case of a exponential 1034 * backoff 1035 */ 1036 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1037 stcb, net); 1038 /* 1039 * the send at the end of the inbound data processing will 1040 * cause the cookie to be sent 1041 */ 1042 break; 1043 case SCTP_STATE_SHUTDOWN_SENT: 1044 /* incorrect state... discard */ 1045 break; 1046 case SCTP_STATE_COOKIE_ECHOED: 1047 /* incorrect state... discard */ 1048 break; 1049 case SCTP_STATE_OPEN: 1050 /* incorrect state... discard */ 1051 break; 1052 case SCTP_STATE_EMPTY: 1053 case SCTP_STATE_INUSE: 1054 default: 1055 /* incorrect state... discard */ 1056 return (-1); 1057 break; 1058 } /* end switch asoc state */ 1059#ifdef SCTP_DEBUG 1060 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1061 printf("Leaving handle-init-ack end\n"); 1062 } 1063#endif 1064 return (0); 1065} 1066 1067 1068/* 1069 * handle a state cookie for an existing association m: input packet mbuf 1070 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1071 * "split" mbuf and the cookie signature does not exist offset: offset into 1072 * mbuf to the cookie-echo chunk 1073 */ 1074static struct sctp_tcb * 1075sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1076 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1077 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1078 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id) 1079{ 1080 struct sctp_association *asoc; 1081 struct sctp_init_chunk *init_cp, init_buf; 1082 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1083 int chk_length; 1084 int init_offset, initack_offset, i; 1085 int retval; 1086 int spec_flag = 0; 1087 int how_indx; 1088 1089 /* I know that the TCB is non-NULL from the caller */ 1090 asoc = &stcb->asoc; 1091 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1092 if (asoc->cookie_how[how_indx] == 0) 1093 break; 1094 } 1095 if (how_indx < sizeof(asoc->cookie_how)) { 1096 asoc->cookie_how[how_indx] = 1; 1097 } 1098 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1099 /* SHUTDOWN came in after sending INIT-ACK */ 1100 struct mbuf *op_err; 1101 struct sctp_paramhdr *ph; 1102 1103 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1104 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1105 0, M_DONTWAIT, 1, MT_DATA); 1106 if (op_err == NULL) { 1107 /* FOOBAR */ 1108 return (NULL); 1109 } 1110 /* pre-reserve some space */ 1111 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1112 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1113 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1114 /* Set the len */ 1115 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1116 ph = mtod(op_err, struct sctp_paramhdr *); 1117 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1118 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1119 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1120 if (how_indx < sizeof(asoc->cookie_how)) 1121 asoc->cookie_how[how_indx] = 2; 1122 return (NULL); 1123 } 1124 /* 1125 * find and validate the INIT chunk in the cookie (peer's info) the 1126 * INIT should start after the cookie-echo header struct (chunk 1127 * header, state cookie header struct) 1128 */ 1129 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1130 1131 init_cp = (struct sctp_init_chunk *) 1132 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1133 (uint8_t *) & init_buf); 1134 if (init_cp == NULL) { 1135 /* could not pull a INIT chunk in cookie */ 1136 return (NULL); 1137 } 1138 chk_length = ntohs(init_cp->ch.chunk_length); 1139 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1140 return (NULL); 1141 } 1142 /* 1143 * find and validate the INIT-ACK chunk in the cookie (my info) the 1144 * INIT-ACK follows the INIT chunk 1145 */ 1146 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1147 initack_cp = (struct sctp_init_ack_chunk *) 1148 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1149 (uint8_t *) & initack_buf); 1150 if (initack_cp == NULL) { 1151 /* could not pull INIT-ACK chunk in cookie */ 1152 return (NULL); 1153 } 1154 chk_length = ntohs(initack_cp->ch.chunk_length); 1155 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1156 return (NULL); 1157 } 1158 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1159 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1160 /* 1161 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1162 * to get into the OPEN state 1163 */ 1164 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1165#ifdef INVARIANTS 1166 panic("Case D and non-match seq?"); 1167#else 1168 printf("Case D, seq non-match %x vs %x?\n", 1169 ntohl(initack_cp->init.initial_tsn), asoc->init_seq_number); 1170#endif 1171 } 1172 switch SCTP_GET_STATE 1173 (asoc) { 1174 case SCTP_STATE_COOKIE_WAIT: 1175 case SCTP_STATE_COOKIE_ECHOED: 1176 /* 1177 * INIT was sent, but got got a COOKIE_ECHO with the 1178 * correct tags... just accept it...but we must 1179 * process the init so that we can make sure we have 1180 * the right seq no's. 1181 */ 1182 /* First we must process the INIT !! */ 1183 retval = sctp_process_init(init_cp, stcb, net); 1184 if (retval < 0) { 1185 if (how_indx < sizeof(asoc->cookie_how)) 1186 asoc->cookie_how[how_indx] = 3; 1187 return (NULL); 1188 } 1189 /* we have already processed the INIT so no problem */ 1190 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1191 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1192 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1193 /* update current state */ 1194 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1195 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1196 else 1197 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1198 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1199 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1200 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1201 stcb->sctp_ep, stcb, asoc->primary_destination); 1202 1203 } else { 1204 /* if ok, move to OPEN state */ 1205 asoc->state = SCTP_STATE_OPEN; 1206 } 1207 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1208 sctp_stop_all_cookie_timers(stcb); 1209 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1210 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1211 (inp->sctp_socket->so_qlimit == 0) 1212 ) { 1213 /* 1214 * Here is where collision would go if we 1215 * did a connect() and instead got a 1216 * init/init-ack/cookie done before the 1217 * init-ack came back.. 1218 */ 1219 stcb->sctp_ep->sctp_flags |= 1220 SCTP_PCB_FLAGS_CONNECTED; 1221 soisconnected(stcb->sctp_ep->sctp_socket); 1222 } 1223 /* notify upper layer */ 1224 *notification = SCTP_NOTIFY_ASSOC_UP; 1225 /* 1226 * since we did not send a HB make sure we don't 1227 * double things 1228 */ 1229 net->hb_responded = 1; 1230 1231 if (stcb->asoc.sctp_autoclose_ticks && 1232 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1233 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1234 inp, stcb, NULL); 1235 } 1236 break; 1237 default: 1238 /* 1239 * we're in the OPEN state (or beyond), so peer must 1240 * have simply lost the COOKIE-ACK 1241 */ 1242 1243 break; 1244 } /* end switch */ 1245 sctp_stop_all_cookie_timers(stcb); 1246 /* 1247 * We ignore the return code here.. not sure if we should 1248 * somehow abort.. but we do have an existing asoc. This 1249 * really should not fail. 1250 */ 1251 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1252 init_offset + sizeof(struct sctp_init_chunk), 1253 initack_offset, sh, init_src)) { 1254 if (how_indx < sizeof(asoc->cookie_how)) 1255 asoc->cookie_how[how_indx] = 4; 1256 return (NULL); 1257 } 1258 /* respond with a COOKIE-ACK */ 1259 sctp_toss_old_cookies(stcb, asoc); 1260 sctp_send_cookie_ack(stcb); 1261 if (how_indx < sizeof(asoc->cookie_how)) 1262 asoc->cookie_how[how_indx] = 5; 1263 return (stcb); 1264 } /* end if */ 1265 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1266 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1267 cookie->tie_tag_my_vtag == 0 && 1268 cookie->tie_tag_peer_vtag == 0) { 1269 /* 1270 * case C in Section 5.2.4 Table 2: XMOO silently discard 1271 */ 1272 if (how_indx < sizeof(asoc->cookie_how)) 1273 asoc->cookie_how[how_indx] = 6; 1274 return (NULL); 1275 } 1276 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1277 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1278 init_cp->init.initiate_tag == 0)) { 1279 /* 1280 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1281 * should be ok, re-accept peer info 1282 */ 1283 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1284 /* 1285 * Extension of case C. If we hit this, then the 1286 * random number generator returned the same vtag 1287 * when we first sent our INIT-ACK and when we later 1288 * sent our INIT. The side with the seq numbers that 1289 * are different will be the one that normnally 1290 * would have hit case C. This in effect "extends" 1291 * our vtags in this collision case to be 64 bits. 1292 * The same collision could occur aka you get both 1293 * vtag and seq number the same twice in a row.. but 1294 * is much less likely. If it did happen then we 1295 * would proceed through and bring up the assoc.. we 1296 * may end up with the wrong stream setup however.. 1297 * which would be bad.. but there is no way to 1298 * tell.. until we send on a stream that does not 1299 * exist :-) 1300 */ 1301 if (how_indx < sizeof(asoc->cookie_how)) 1302 asoc->cookie_how[how_indx] = 7; 1303 1304 return (NULL); 1305 } 1306 if (how_indx < sizeof(asoc->cookie_how)) 1307 asoc->cookie_how[how_indx] = 8; 1308 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1309 sctp_stop_all_cookie_timers(stcb); 1310 /* 1311 * since we did not send a HB make sure we don't double 1312 * things 1313 */ 1314 net->hb_responded = 1; 1315 if (stcb->asoc.sctp_autoclose_ticks && 1316 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1317 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1318 NULL); 1319 } 1320 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1321 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1322 1323 /* Note last_cwr_tsn? where is this used? */ 1324 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1325 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1326 /* 1327 * Ok the peer probably discarded our data (if we 1328 * echoed a cookie+data). So anything on the 1329 * sent_queue should be marked for retransmit, we 1330 * may not get something to kick us so it COULD 1331 * still take a timeout to move these.. but it can't 1332 * hurt to mark them. 1333 */ 1334 struct sctp_tmit_chunk *chk; 1335 1336 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1337 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1338 chk->sent = SCTP_DATAGRAM_RESEND; 1339 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1340 spec_flag++; 1341 } 1342 } 1343 1344 } 1345 /* process the INIT info (peer's info) */ 1346 retval = sctp_process_init(init_cp, stcb, net); 1347 if (retval < 0) { 1348 if (how_indx < sizeof(asoc->cookie_how)) 1349 asoc->cookie_how[how_indx] = 9; 1350 return (NULL); 1351 } 1352 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1353 init_offset + sizeof(struct sctp_init_chunk), 1354 initack_offset, sh, init_src)) { 1355 if (how_indx < sizeof(asoc->cookie_how)) 1356 asoc->cookie_how[how_indx] = 10; 1357 return (NULL); 1358 } 1359 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1360 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1361 *notification = SCTP_NOTIFY_ASSOC_UP; 1362 1363 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1364 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1365 (inp->sctp_socket->so_qlimit == 0)) { 1366 stcb->sctp_ep->sctp_flags |= 1367 SCTP_PCB_FLAGS_CONNECTED; 1368 soisconnected(stcb->sctp_ep->sctp_socket); 1369 } 1370 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1371 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1372 else 1373 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1374 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1375 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1376 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1377 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1378 } else { 1379 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1380 } 1381 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1382 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1383 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1384 stcb->sctp_ep, stcb, asoc->primary_destination); 1385 1386 } else { 1387 asoc->state = SCTP_STATE_OPEN; 1388 } 1389 sctp_stop_all_cookie_timers(stcb); 1390 sctp_toss_old_cookies(stcb, asoc); 1391 sctp_send_cookie_ack(stcb); 1392 if (spec_flag) { 1393 /* 1394 * only if we have retrans set do we do this. What 1395 * this call does is get only the COOKIE-ACK out and 1396 * then when we return the normal call to 1397 * sctp_chunk_output will get the retrans out behind 1398 * this. 1399 */ 1400 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK); 1401 } 1402 if (how_indx < sizeof(asoc->cookie_how)) 1403 asoc->cookie_how[how_indx] = 11; 1404 1405 return (stcb); 1406 } 1407 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1408 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1409 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1410 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1411 cookie->tie_tag_peer_vtag != 0) { 1412 struct sctpasochead *head; 1413 1414 /* 1415 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1416 */ 1417 /* temp code */ 1418 if (how_indx < sizeof(asoc->cookie_how)) 1419 asoc->cookie_how[how_indx] = 12; 1420 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1421 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1422 1423 *sac_assoc_id = sctp_get_associd(stcb); 1424 /* notify upper layer */ 1425 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1426 atomic_add_int(&stcb->asoc.refcnt, 1); 1427 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1428 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1429 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1430 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1431 } 1432 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1433 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1434 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1435 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1436 } 1437 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1438 asoc->state = SCTP_STATE_OPEN | 1439 SCTP_STATE_SHUTDOWN_PENDING; 1440 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1441 stcb->sctp_ep, stcb, asoc->primary_destination); 1442 1443 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1444 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1445 asoc->state = SCTP_STATE_OPEN; 1446 } 1447 asoc->pre_open_streams = 1448 ntohs(initack_cp->init.num_outbound_streams); 1449 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1450 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1451 1452 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1453 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1454 1455 asoc->str_reset_seq_in = asoc->init_seq_number; 1456 1457 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1458 if (asoc->mapping_array) 1459 memset(asoc->mapping_array, 0, 1460 asoc->mapping_array_size); 1461 SCTP_TCB_UNLOCK(stcb); 1462 SCTP_INP_INFO_WLOCK(); 1463 SCTP_INP_WLOCK(stcb->sctp_ep); 1464 SCTP_TCB_LOCK(stcb); 1465 atomic_add_int(&stcb->asoc.refcnt, -1); 1466 /* send up all the data */ 1467 SCTP_TCB_SEND_LOCK(stcb); 1468 1469 sctp_report_all_outbound(stcb, 1); 1470 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1471 stcb->asoc.strmout[i].stream_no = i; 1472 stcb->asoc.strmout[i].next_sequence_sent = 0; 1473 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1474 } 1475 /* process the INIT-ACK info (my info) */ 1476 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1477 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1478 1479 /* pull from vtag hash */ 1480 LIST_REMOVE(stcb, sctp_asocs); 1481 /* re-insert to new vtag position */ 1482 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1483 sctppcbinfo.hashasocmark)]; 1484 /* 1485 * put it in the bucket in the vtag hash of assoc's for the 1486 * system 1487 */ 1488 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1489 1490 /* Is this the first restart? */ 1491 if (stcb->asoc.in_restart_hash == 0) { 1492 /* Ok add it to assoc_id vtag hash */ 1493 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1494 sctppcbinfo.hashrestartmark)]; 1495 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1496 stcb->asoc.in_restart_hash = 1; 1497 } 1498 /* process the INIT info (peer's info) */ 1499 SCTP_TCB_SEND_UNLOCK(stcb); 1500 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1501 SCTP_INP_INFO_WUNLOCK(); 1502 1503 retval = sctp_process_init(init_cp, stcb, net); 1504 if (retval < 0) { 1505 if (how_indx < sizeof(asoc->cookie_how)) 1506 asoc->cookie_how[how_indx] = 13; 1507 1508 return (NULL); 1509 } 1510 /* 1511 * since we did not send a HB make sure we don't double 1512 * things 1513 */ 1514 net->hb_responded = 1; 1515 1516 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1517 init_offset + sizeof(struct sctp_init_chunk), 1518 initack_offset, sh, init_src)) { 1519 if (how_indx < sizeof(asoc->cookie_how)) 1520 asoc->cookie_how[how_indx] = 14; 1521 1522 return (NULL); 1523 } 1524 /* respond with a COOKIE-ACK */ 1525 sctp_stop_all_cookie_timers(stcb); 1526 sctp_toss_old_cookies(stcb, asoc); 1527 sctp_send_cookie_ack(stcb); 1528 if (how_indx < sizeof(asoc->cookie_how)) 1529 asoc->cookie_how[how_indx] = 15; 1530 1531 return (stcb); 1532 } 1533 if (how_indx < sizeof(asoc->cookie_how)) 1534 asoc->cookie_how[how_indx] = 16; 1535 /* all other cases... */ 1536 return (NULL); 1537} 1538 1539 1540/* 1541 * handle a state cookie for a new association m: input packet mbuf chain-- 1542 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1543 * and the cookie signature does not exist offset: offset into mbuf to the 1544 * cookie-echo chunk length: length of the cookie chunk to: where the init 1545 * was from returns a new TCB 1546 */ 1547static struct sctp_tcb * 1548sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1549 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1550 struct sctp_inpcb *inp, struct sctp_nets **netp, 1551 struct sockaddr *init_src, int *notification, 1552 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1553{ 1554 struct sctp_tcb *stcb; 1555 struct sctp_init_chunk *init_cp, init_buf; 1556 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1557 struct sockaddr_storage sa_store; 1558 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1559 struct sockaddr_in *sin; 1560 struct sockaddr_in6 *sin6; 1561 struct sctp_association *asoc; 1562 uint32_t vrf_id; 1563 int chk_length; 1564 int init_offset, initack_offset, initack_limit; 1565 int retval; 1566 int error = 0; 1567 uint32_t old_tag; 1568 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1569 1570 vrf_id = inp->def_vrf_id; 1571 1572 /* 1573 * find and validate the INIT chunk in the cookie (peer's info) the 1574 * INIT should start after the cookie-echo header struct (chunk 1575 * header, state cookie header struct) 1576 */ 1577 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1578 init_cp = (struct sctp_init_chunk *) 1579 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1580 (uint8_t *) & init_buf); 1581 if (init_cp == NULL) { 1582 /* could not pull a INIT chunk in cookie */ 1583#ifdef SCTP_DEBUG 1584 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1585 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1586 } 1587#endif /* SCTP_DEBUG */ 1588 return (NULL); 1589 } 1590 chk_length = ntohs(init_cp->ch.chunk_length); 1591 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1592#ifdef SCTP_DEBUG 1593 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1594 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1595 } 1596#endif /* SCTP_DEBUG */ 1597 return (NULL); 1598 } 1599 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1600 /* 1601 * find and validate the INIT-ACK chunk in the cookie (my info) the 1602 * INIT-ACK follows the INIT chunk 1603 */ 1604 initack_cp = (struct sctp_init_ack_chunk *) 1605 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1606 (uint8_t *) & initack_buf); 1607 if (initack_cp == NULL) { 1608 /* could not pull INIT-ACK chunk in cookie */ 1609#ifdef SCTP_DEBUG 1610 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1611 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1612 } 1613#endif /* SCTP_DEBUG */ 1614 return (NULL); 1615 } 1616 chk_length = ntohs(initack_cp->ch.chunk_length); 1617 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1618 return (NULL); 1619 } 1620 /* 1621 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1622 * "initack_limit" value. This is because the chk_length field 1623 * includes the length of the cookie, but the cookie is omitted when 1624 * the INIT and INIT_ACK are tacked onto the cookie... 1625 */ 1626 initack_limit = offset + cookie_len; 1627 1628 /* 1629 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1630 * and popluate 1631 */ 1632 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1633 ntohl(initack_cp->init.initiate_tag), vrf_id); 1634 if (stcb == NULL) { 1635 struct mbuf *op_err; 1636 1637 /* memory problem? */ 1638#ifdef SCTP_DEBUG 1639 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1640 printf("process_cookie_new: no room for another TCB!\n"); 1641 } 1642#endif /* SCTP_DEBUG */ 1643 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1644 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1645 sh, op_err); 1646 return (NULL); 1647 } 1648 /* get the correct sctp_nets */ 1649 *netp = sctp_findnet(stcb, init_src); 1650 asoc = &stcb->asoc; 1651 /* get scope variables out of cookie */ 1652 asoc->ipv4_local_scope = cookie->ipv4_scope; 1653 asoc->site_scope = cookie->site_scope; 1654 asoc->local_scope = cookie->local_scope; 1655 asoc->loopback_scope = cookie->loopback_scope; 1656 1657 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1658 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1659 struct mbuf *op_err; 1660 1661 /* 1662 * Houston we have a problem. The EP changed while the 1663 * cookie was in flight. Only recourse is to abort the 1664 * association. 1665 */ 1666 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1667 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1668 sh, op_err); 1669 return (NULL); 1670 } 1671 /* process the INIT-ACK info (my info) */ 1672 old_tag = asoc->my_vtag; 1673 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1674 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1675 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1676 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1677 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1678 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1679 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1680 asoc->str_reset_seq_in = asoc->init_seq_number; 1681 1682 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1683 1684 /* process the INIT info (peer's info) */ 1685 retval = sctp_process_init(init_cp, stcb, *netp); 1686 if (retval < 0) { 1687 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1688 return (NULL); 1689 } 1690 /* load all addresses */ 1691 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1692 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1693 init_src)) { 1694 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 1695 return (NULL); 1696 } 1697 /* 1698 * verify any preceding AUTH chunk that was skipped 1699 */ 1700 /* pull the local authentication parameters from the cookie/init-ack */ 1701 sctp_auth_get_cookie_params(stcb, m, 1702 initack_offset + sizeof(struct sctp_init_ack_chunk), 1703 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1704 if (auth_skipped) { 1705 struct sctp_auth_chunk *auth; 1706 1707 auth = (struct sctp_auth_chunk *) 1708 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 1709 if (sctp_handle_auth(stcb, auth, m, auth_offset)) { 1710 /* auth HMAC failed, dump the assoc and packet */ 1711#ifdef SCTP_DEBUG 1712 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 1713 printf("COOKIE-ECHO: AUTH failed\n"); 1714#endif /* SCTP_DEBUG */ 1715 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 1716 return (NULL); 1717 } else { 1718 /* remaining chunks checked... good to go */ 1719 stcb->asoc.authenticated = 1; 1720 } 1721 } 1722 /* update current state */ 1723#ifdef SCTP_DEBUG 1724 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1725 printf("moving to OPEN state\n"); 1726 } 1727#endif 1728 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1729 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1730 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1731 stcb->sctp_ep, stcb, asoc->primary_destination); 1732 } else { 1733 asoc->state = SCTP_STATE_OPEN; 1734 } 1735 sctp_stop_all_cookie_timers(stcb); 1736 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1737 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1738 1739 /* 1740 * if we're doing ASCONFs, check to see if we have any new local 1741 * addresses that need to get added to the peer (eg. addresses 1742 * changed while cookie echo in flight). This needs to be done 1743 * after we go to the OPEN state to do the correct asconf 1744 * processing. else, make sure we have the correct addresses in our 1745 * lists 1746 */ 1747 1748 /* warning, we re-use sin, sin6, sa_store here! */ 1749 /* pull in local_address (our "from" address) */ 1750 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1751 /* source addr is IPv4 */ 1752 sin = (struct sockaddr_in *)initack_src; 1753 memset(sin, 0, sizeof(*sin)); 1754 sin->sin_family = AF_INET; 1755 sin->sin_len = sizeof(struct sockaddr_in); 1756 sin->sin_addr.s_addr = cookie->laddress[0]; 1757 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1758 /* source addr is IPv6 */ 1759 sin6 = (struct sockaddr_in6 *)initack_src; 1760 memset(sin6, 0, sizeof(*sin6)); 1761 sin6->sin6_family = AF_INET6; 1762 sin6->sin6_len = sizeof(struct sockaddr_in6); 1763 sin6->sin6_scope_id = cookie->scope_id; 1764 memcpy(&sin6->sin6_addr, cookie->laddress, 1765 sizeof(sin6->sin6_addr)); 1766 } else { 1767 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 1768 return (NULL); 1769 } 1770 1771 sctp_check_address_list(stcb, m, 1772 initack_offset + sizeof(struct sctp_init_ack_chunk), 1773 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1774 initack_src, cookie->local_scope, cookie->site_scope, 1775 cookie->ipv4_scope, cookie->loopback_scope); 1776 1777 1778 /* set up to notify upper layer */ 1779 *notification = SCTP_NOTIFY_ASSOC_UP; 1780 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1781 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1782 (inp->sctp_socket->so_qlimit == 0)) { 1783 /* 1784 * This is an endpoint that called connect() how it got a 1785 * cookie that is NEW is a bit of a mystery. It must be that 1786 * the INIT was sent, but before it got there.. a complete 1787 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1788 * should have went to the other code.. not here.. oh well.. 1789 * a bit of protection is worth having.. 1790 */ 1791 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1792 soisconnected(stcb->sctp_ep->sctp_socket); 1793 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1794 (inp->sctp_socket->so_qlimit)) { 1795 /* 1796 * We don't want to do anything with this one. Since it is 1797 * the listening guy. The timer will get started for 1798 * accepted connections in the caller. 1799 */ 1800 ; 1801 } 1802 /* since we did not send a HB make sure we don't double things */ 1803 (*netp)->hb_responded = 1; 1804 1805 if (stcb->asoc.sctp_autoclose_ticks && 1806 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1807 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1808 } 1809 /* respond with a COOKIE-ACK */ 1810 /* calculate the RTT */ 1811 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1812 &cookie->time_entered); 1813 sctp_send_cookie_ack(stcb); 1814 return (stcb); 1815} 1816 1817 1818/* 1819 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1820 * existing (non-NULL) TCB 1821 */ 1822static struct mbuf * 1823sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1824 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1825 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1826 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, struct sctp_tcb **locked_tcb) 1827{ 1828 struct sctp_state_cookie *cookie; 1829 struct sockaddr_in6 sin6; 1830 struct sockaddr_in sin; 1831 struct sctp_tcb *l_stcb = *stcb; 1832 struct sctp_inpcb *l_inp; 1833 struct sockaddr *to; 1834 sctp_assoc_t sac_restart_id; 1835 struct sctp_pcb *ep; 1836 struct mbuf *m_sig; 1837 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1838 uint8_t *sig; 1839 uint8_t cookie_ok = 0; 1840 unsigned int size_of_pkt, sig_offset, cookie_offset; 1841 unsigned int cookie_len; 1842 struct timeval now; 1843 struct timeval time_expires; 1844 struct sockaddr_storage dest_store; 1845 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1846 struct ip *iph; 1847 int notification = 0; 1848 struct sctp_nets *netl; 1849 int had_a_existing_tcb = 0; 1850 1851#ifdef SCTP_DEBUG 1852 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1853 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1854 } 1855#endif 1856 1857 if (inp_p == NULL) { 1858 return (NULL); 1859 } 1860 /* First get the destination address setup too. */ 1861 iph = mtod(m, struct ip *); 1862 if (iph->ip_v == IPVERSION) { 1863 /* its IPv4 */ 1864 struct sockaddr_in *sin; 1865 1866 sin = (struct sockaddr_in *)(localep_sa); 1867 memset(sin, 0, sizeof(*sin)); 1868 sin->sin_family = AF_INET; 1869 sin->sin_len = sizeof(*sin); 1870 sin->sin_port = sh->dest_port; 1871 sin->sin_addr.s_addr = iph->ip_dst.s_addr; 1872 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 1873 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1874 /* its IPv6 */ 1875 struct ip6_hdr *ip6; 1876 struct sockaddr_in6 *sin6; 1877 1878 sin6 = (struct sockaddr_in6 *)(localep_sa); 1879 memset(sin6, 0, sizeof(*sin6)); 1880 sin6->sin6_family = AF_INET6; 1881 sin6->sin6_len = sizeof(struct sockaddr_in6); 1882 ip6 = mtod(m, struct ip6_hdr *); 1883 sin6->sin6_port = sh->dest_port; 1884 sin6->sin6_addr = ip6->ip6_dst; 1885 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 1886 } else { 1887 return (NULL); 1888 } 1889 1890 cookie = &cp->cookie; 1891 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1892 cookie_len = ntohs(cp->ch.chunk_length); 1893 1894 if ((cookie->peerport != sh->src_port) && 1895 (cookie->myport != sh->dest_port) && 1896 (cookie->my_vtag != sh->v_tag)) { 1897 /* 1898 * invalid ports or bad tag. Note that we always leave the 1899 * v_tag in the header in network order and when we stored 1900 * it in the my_vtag slot we also left it in network order. 1901 * This maintians the match even though it may be in the 1902 * opposite byte order of the machine :-> 1903 */ 1904 return (NULL); 1905 } 1906 if (cookie_len > size_of_pkt || 1907 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1908 sizeof(struct sctp_init_chunk) + 1909 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1910 /* cookie too long! or too small */ 1911 return (NULL); 1912 } 1913 /* 1914 * split off the signature into its own mbuf (since it should not be 1915 * calculated in the sctp_hmac_m() call). 1916 */ 1917 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1918 if (sig_offset > size_of_pkt) { 1919 /* packet not correct size! */ 1920 /* XXX this may already be accounted for earlier... */ 1921 return (NULL); 1922 } 1923 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1924 if (m_sig == NULL) { 1925 /* out of memory or ?? */ 1926 return (NULL); 1927 } 1928 /* 1929 * compute the signature/digest for the cookie 1930 */ 1931 ep = &(*inp_p)->sctp_ep; 1932 l_inp = *inp_p; 1933 if (l_stcb) { 1934 SCTP_TCB_UNLOCK(l_stcb); 1935 } 1936 SCTP_INP_RLOCK(l_inp); 1937 if (l_stcb) { 1938 SCTP_TCB_LOCK(l_stcb); 1939 } 1940 /* which cookie is it? */ 1941 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1942 (ep->current_secret_number != ep->last_secret_number)) { 1943 /* it's the old cookie */ 1944 sctp_hmac_m(SCTP_HMAC, 1945 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1946 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1947 } else { 1948 /* it's the current cookie */ 1949 sctp_hmac_m(SCTP_HMAC, 1950 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1951 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1952 } 1953 /* get the signature */ 1954 SCTP_INP_RUNLOCK(l_inp); 1955 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1956 if (sig == NULL) { 1957 /* couldn't find signature */ 1958 sctp_m_freem(m_sig); 1959 return (NULL); 1960 } 1961 /* compare the received digest with the computed digest */ 1962 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1963 /* try the old cookie? */ 1964 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1965 (ep->current_secret_number != ep->last_secret_number)) { 1966 /* compute digest with old */ 1967 sctp_hmac_m(SCTP_HMAC, 1968 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1969 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1970 /* compare */ 1971 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1972 cookie_ok = 1; 1973 } 1974 } else { 1975 cookie_ok = 1; 1976 } 1977 1978 /* 1979 * Now before we continue we must reconstruct our mbuf so that 1980 * normal processing of any other chunks will work. 1981 */ 1982 { 1983 struct mbuf *m_at; 1984 1985 m_at = m; 1986 while (SCTP_BUF_NEXT(m_at) != NULL) { 1987 m_at = SCTP_BUF_NEXT(m_at); 1988 } 1989 SCTP_BUF_NEXT(m_at) = m_sig; 1990 } 1991 1992 if (cookie_ok == 0) { 1993#ifdef SCTP_DEBUG 1994 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1995 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1996 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1997 (uint32_t) offset, cookie_offset, sig_offset); 1998 } 1999#endif 2000 return (NULL); 2001 } 2002 /* 2003 * check the cookie timestamps to be sure it's not stale 2004 */ 2005 SCTP_GETTIME_TIMEVAL(&now); 2006 /* Expire time is in Ticks, so we convert to seconds */ 2007 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 2008 time_expires.tv_usec = cookie->time_entered.tv_usec; 2009 if (timevalcmp(&now, &time_expires, >)) { 2010 /* cookie is stale! */ 2011 struct mbuf *op_err; 2012 struct sctp_stale_cookie_msg *scm; 2013 uint32_t tim; 2014 2015 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 2016 0, M_DONTWAIT, 1, MT_DATA); 2017 if (op_err == NULL) { 2018 /* FOOBAR */ 2019 return (NULL); 2020 } 2021 /* pre-reserve some space */ 2022 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 2023 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 2024 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 2025 2026 /* Set the len */ 2027 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 2028 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 2029 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 2030 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 2031 (sizeof(uint32_t)))); 2032 /* seconds to usec */ 2033 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2034 /* add in usec */ 2035 if (tim == 0) 2036 tim = now.tv_usec - cookie->time_entered.tv_usec; 2037 scm->time_usec = htonl(tim); 2038 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 2039 return (NULL); 2040 } 2041 /* 2042 * Now we must see with the lookup address if we have an existing 2043 * asoc. This will only happen if we were in the COOKIE-WAIT state 2044 * and a INIT collided with us and somewhere the peer sent the 2045 * cookie on another address besides the single address our assoc 2046 * had for him. In this case we will have one of the tie-tags set at 2047 * least AND the address field in the cookie can be used to look it 2048 * up. 2049 */ 2050 to = NULL; 2051 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 2052 memset(&sin6, 0, sizeof(sin6)); 2053 sin6.sin6_family = AF_INET6; 2054 sin6.sin6_len = sizeof(sin6); 2055 sin6.sin6_port = sh->src_port; 2056 sin6.sin6_scope_id = cookie->scope_id; 2057 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2058 sizeof(sin6.sin6_addr.s6_addr)); 2059 to = (struct sockaddr *)&sin6; 2060 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2061 memset(&sin, 0, sizeof(sin)); 2062 sin.sin_family = AF_INET; 2063 sin.sin_len = sizeof(sin); 2064 sin.sin_port = sh->src_port; 2065 sin.sin_addr.s_addr = cookie->address[0]; 2066 to = (struct sockaddr *)&sin; 2067 } 2068 if ((*stcb == NULL) && to) { 2069 /* Yep, lets check */ 2070 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2071 if (*stcb == NULL) { 2072 /* 2073 * We should have only got back the same inp. If we 2074 * got back a different ep we have a problem. The 2075 * original findep got back l_inp and now 2076 */ 2077 if (l_inp != *inp_p) { 2078 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 2079 } 2080 } else { 2081 if (*locked_tcb == NULL) { 2082 /* 2083 * In this case we found the assoc only 2084 * after we locked the create lock. This 2085 * means we are in a colliding case and we 2086 * must make sure that we unlock the tcb if 2087 * its one of the cases where we throw away 2088 * the incoming packets. 2089 */ 2090 *locked_tcb = *stcb; 2091 2092 /* 2093 * We must also increment the inp ref count 2094 * since the ref_count flags was set when we 2095 * did not find the TCB, now we found it 2096 * which reduces the refcount.. we must 2097 * raise it back out to balance it all :-) 2098 */ 2099 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2100 if ((*stcb)->sctp_ep != l_inp) { 2101 printf("Huh? ep:%p diff then l_inp:%p?\n", 2102 (*stcb)->sctp_ep, l_inp); 2103 } 2104 } 2105 } 2106 } 2107 cookie_len -= SCTP_SIGNATURE_SIZE; 2108 if (*stcb == NULL) { 2109 /* this is the "normal" case... get a new TCB */ 2110 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2111 cookie_len, *inp_p, netp, to, ¬ification, 2112 auth_skipped, auth_offset, auth_len); 2113 } else { 2114 /* this is abnormal... cookie-echo on existing TCB */ 2115 had_a_existing_tcb = 1; 2116 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2117 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, 2118 &sac_restart_id); 2119 } 2120 2121 if (*stcb == NULL) { 2122 /* still no TCB... must be bad cookie-echo */ 2123 return (NULL); 2124 } 2125 /* 2126 * Ok, we built an association so confirm the address we sent the 2127 * INIT-ACK to. 2128 */ 2129 netl = sctp_findnet(*stcb, to); 2130 /* 2131 * This code should in theory NOT run but 2132 */ 2133 if (netl == NULL) { 2134 /* TSNH! Huh, why do I need to add this address here? */ 2135 int ret; 2136 2137 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2138 SCTP_IN_COOKIE_PROC); 2139 netl = sctp_findnet(*stcb, to); 2140 } 2141 if (netl) { 2142 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2143 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2144 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2145 netl); 2146 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2147 (*stcb), 0, (void *)netl); 2148 } 2149 } 2150 if (*stcb) { 2151 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2152 *stcb, NULL); 2153 } 2154 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2155 if (!had_a_existing_tcb || 2156 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2157 /* 2158 * If we have a NEW cookie or the connect never 2159 * reached the connected state during collision we 2160 * must do the TCP accept thing. 2161 */ 2162 struct socket *so, *oso; 2163 struct sctp_inpcb *inp; 2164 2165 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2166 /* 2167 * For a restart we will keep the same 2168 * socket, no need to do anything. I THINK!! 2169 */ 2170 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2171 return (m); 2172 } 2173 oso = (*inp_p)->sctp_socket; 2174 /* 2175 * We do this to keep the sockets side happy durin 2176 * the sonewcon ONLY. 2177 */ 2178 NET_LOCK_GIANT(); 2179 SCTP_TCB_UNLOCK((*stcb)); 2180 so = sonewconn(oso, 0 2181 ); 2182 NET_UNLOCK_GIANT(); 2183 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2184 SCTP_TCB_LOCK((*stcb)); 2185 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2186 if (so == NULL) { 2187 struct mbuf *op_err; 2188 2189 /* Too many sockets */ 2190#ifdef SCTP_DEBUG 2191 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2192 printf("process_cookie_new: no room for another socket!\n"); 2193 } 2194#endif /* SCTP_DEBUG */ 2195 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2196 sctp_abort_association(*inp_p, NULL, m, iphlen, 2197 sh, op_err); 2198 sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2199 return (NULL); 2200 } 2201 inp = (struct sctp_inpcb *)so->so_pcb; 2202 SCTP_INP_INCR_REF(inp); 2203 /* 2204 * We add the unbound flag here so that if we get an 2205 * soabort() before we get the move_pcb done, we 2206 * will properly cleanup. 2207 */ 2208 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2209 SCTP_PCB_FLAGS_CONNECTED | 2210 SCTP_PCB_FLAGS_IN_TCPPOOL | 2211 SCTP_PCB_FLAGS_UNBOUND | 2212 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2213 SCTP_PCB_FLAGS_DONT_WAKE); 2214 inp->sctp_features = (*inp_p)->sctp_features; 2215 inp->sctp_socket = so; 2216 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2217 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2218 inp->sctp_context = (*inp_p)->sctp_context; 2219 inp->inp_starting_point_for_iterator = NULL; 2220 /* 2221 * copy in the authentication parameters from the 2222 * original endpoint 2223 */ 2224 if (inp->sctp_ep.local_hmacs) 2225 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2226 inp->sctp_ep.local_hmacs = 2227 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2228 if (inp->sctp_ep.local_auth_chunks) 2229 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2230 inp->sctp_ep.local_auth_chunks = 2231 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2232 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2233 &inp->sctp_ep.shared_keys); 2234 2235 /* 2236 * Now we must move it from one hash table to 2237 * another and get the tcb in the right place. 2238 */ 2239 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2240 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb); 2241 2242 /* 2243 * now we must check to see if we were aborted while 2244 * the move was going on and the lock/unlock 2245 * happened. 2246 */ 2247 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2248 /* 2249 * yep it was, we leave the assoc attached 2250 * to the socket since the sctp_inpcb_free() 2251 * call will send an abort for us. 2252 */ 2253 SCTP_INP_DECR_REF(inp); 2254 return (NULL); 2255 } 2256 SCTP_INP_DECR_REF(inp); 2257 /* Switch over to the new guy */ 2258 *inp_p = inp; 2259 sctp_ulp_notify(notification, *stcb, 0, NULL); 2260 2261 /* 2262 * Pull it from the incomplete queue and wake the 2263 * guy 2264 */ 2265 soisconnected(so); 2266 return (m); 2267 } 2268 } 2269 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2270 sctp_ulp_notify(notification, *stcb, 0, NULL); 2271 } 2272 return (m); 2273} 2274 2275static void 2276sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2277 struct sctp_tcb *stcb, struct sctp_nets *net) 2278{ 2279 /* cp must not be used, others call this without a c-ack :-) */ 2280 struct sctp_association *asoc; 2281 2282#ifdef SCTP_DEBUG 2283 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2284 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2285 } 2286#endif 2287 if (stcb == NULL) 2288 return; 2289 2290 asoc = &stcb->asoc; 2291 2292 sctp_stop_all_cookie_timers(stcb); 2293 /* process according to association state */ 2294 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2295 /* state change only needed when I am in right state */ 2296#ifdef SCTP_DEBUG 2297 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2298 printf("moving to OPEN state\n"); 2299 } 2300#endif 2301 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2302 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2303 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2304 stcb->sctp_ep, stcb, asoc->primary_destination); 2305 2306 } else { 2307 asoc->state = SCTP_STATE_OPEN; 2308 } 2309 /* update RTO */ 2310 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2311 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2312 if (asoc->overall_error_count == 0) { 2313 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2314 &asoc->time_entered); 2315 } 2316 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2317 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2318 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2319 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2320 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2321 soisconnected(stcb->sctp_ep->sctp_socket); 2322 } 2323 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2324 stcb, net); 2325 /* 2326 * since we did not send a HB make sure we don't double 2327 * things 2328 */ 2329 net->hb_responded = 1; 2330 2331 if (stcb->asoc.sctp_autoclose_ticks && 2332 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2333 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2334 stcb->sctp_ep, stcb, NULL); 2335 } 2336 /* 2337 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2338 * addresses changed when init/cookie echo in flight) 2339 */ 2340 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2341 (stcb->asoc.peer_supports_asconf) && 2342 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2343 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2344 stcb->sctp_ep, stcb, 2345 stcb->asoc.primary_destination); 2346 } 2347 } 2348 /* Toss the cookie if I can */ 2349 sctp_toss_old_cookies(stcb, asoc); 2350 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2351 /* Restart the timer if we have pending data */ 2352 struct sctp_tmit_chunk *chk; 2353 2354 chk = TAILQ_FIRST(&asoc->sent_queue); 2355 if (chk) { 2356 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2357 stcb, chk->whoTo); 2358 } 2359 } 2360} 2361 2362static void 2363sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2364 struct sctp_tcb *stcb) 2365{ 2366 struct sctp_nets *net; 2367 struct sctp_tmit_chunk *lchk; 2368 uint32_t tsn; 2369 2370 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2371 return; 2372 } 2373 SCTP_STAT_INCR(sctps_recvecne); 2374 tsn = ntohl(cp->tsn); 2375 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2376 /* Also we make sure we disable the nonce_wait */ 2377 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2378 if (lchk == NULL) { 2379 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2380 } else { 2381 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2382 } 2383 stcb->asoc.nonce_wait_for_ecne = 0; 2384 stcb->asoc.nonce_sum_check = 0; 2385 2386 /* Find where it was sent, if possible */ 2387 net = NULL; 2388 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2389 while (lchk) { 2390 if (lchk->rec.data.TSN_seq == tsn) { 2391 net = lchk->whoTo; 2392 break; 2393 } 2394 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2395 break; 2396 lchk = TAILQ_NEXT(lchk, sctp_next); 2397 } 2398 if (net == NULL) 2399 /* default is we use the primary */ 2400 net = stcb->asoc.primary_destination; 2401 2402 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2403#ifdef SCTP_CWND_MONITOR 2404 int old_cwnd; 2405 2406 old_cwnd = net->cwnd; 2407#endif 2408 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2409 net->ssthresh = net->cwnd / 2; 2410 if (net->ssthresh < net->mtu) { 2411 net->ssthresh = net->mtu; 2412 /* here back off the timer as well, to slow us down */ 2413 net->RTO <<= 2; 2414 } 2415 net->cwnd = net->ssthresh; 2416#ifdef SCTP_CWND_MONITOR 2417 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2418#endif 2419 /* 2420 * we reduce once every RTT. So we will only lower cwnd at 2421 * the next sending seq i.e. the resync_tsn. 2422 */ 2423 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2424 } 2425 /* 2426 * We always send a CWR this way if our previous one was lost our 2427 * peer will get an update, or if it is not time again to reduce we 2428 * still get the cwr to the peer. 2429 */ 2430 sctp_send_cwr(stcb, net, tsn); 2431} 2432 2433static void 2434sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2435{ 2436 /* 2437 * Here we get a CWR from the peer. We must look in the outqueue and 2438 * make sure that we have a covered ECNE in teh control chunk part. 2439 * If so remove it. 2440 */ 2441 struct sctp_tmit_chunk *chk; 2442 struct sctp_ecne_chunk *ecne; 2443 2444 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2445 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2446 continue; 2447 } 2448 /* 2449 * Look for and remove if it is the right TSN. Since there 2450 * is only ONE ECNE on the control queue at any one time we 2451 * don't need to worry about more than one! 2452 */ 2453 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2454 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2455 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2456 /* this covers this ECNE, we can remove it */ 2457 stcb->asoc.ecn_echo_cnt_onq--; 2458 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2459 sctp_next); 2460 if (chk->data) { 2461 sctp_m_freem(chk->data); 2462 chk->data = NULL; 2463 } 2464 stcb->asoc.ctrl_queue_cnt--; 2465 sctp_free_remote_addr(chk->whoTo); 2466 sctp_free_a_chunk(stcb, chk); 2467 break; 2468 } 2469 } 2470} 2471 2472static void 2473sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2474 struct sctp_tcb *stcb, struct sctp_nets *net) 2475{ 2476 struct sctp_association *asoc; 2477 2478#ifdef SCTP_DEBUG 2479 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2480 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2481 } 2482#endif 2483 if (stcb == NULL) 2484 return; 2485 2486 asoc = &stcb->asoc; 2487 /* process according to association state */ 2488 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2489 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2490 SCTP_TCB_UNLOCK(stcb); 2491 return; 2492 } 2493 /* notify upper layer protocol */ 2494 if (stcb->sctp_socket) { 2495 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2496 /* are the queues empty? they should be */ 2497 if (!TAILQ_EMPTY(&asoc->send_queue) || 2498 !TAILQ_EMPTY(&asoc->sent_queue) || 2499 !TAILQ_EMPTY(&asoc->out_wheel)) { 2500 sctp_report_all_outbound(stcb, 0); 2501 } 2502 } 2503 /* stop the timer */ 2504 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_21); 2505 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2506 /* free the TCB */ 2507 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2508 return; 2509} 2510 2511static int 2512process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2513 struct sctp_nets *net, uint8_t flg) 2514{ 2515 switch (desc->chunk_type) { 2516 case SCTP_DATA: 2517 /* find the tsn to resend (possibly */ 2518 { 2519 uint32_t tsn; 2520 struct sctp_tmit_chunk *tp1; 2521 2522 tsn = ntohl(desc->tsn_ifany); 2523 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2524 while (tp1) { 2525 if (tp1->rec.data.TSN_seq == tsn) { 2526 /* found it */ 2527 break; 2528 } 2529 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2530 MAX_TSN)) { 2531 /* not found */ 2532 tp1 = NULL; 2533 break; 2534 } 2535 tp1 = TAILQ_NEXT(tp1, sctp_next); 2536 } 2537 if (tp1 == NULL) { 2538 /* 2539 * Do it the other way , aka without paying 2540 * attention to queue seq order. 2541 */ 2542 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2543 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2544 while (tp1) { 2545 if (tp1->rec.data.TSN_seq == tsn) { 2546 /* found it */ 2547 break; 2548 } 2549 tp1 = TAILQ_NEXT(tp1, sctp_next); 2550 } 2551 } 2552 if (tp1 == NULL) { 2553 SCTP_STAT_INCR(sctps_pdrptsnnf); 2554 } 2555 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2556 uint8_t *ddp; 2557 2558 if ((stcb->asoc.peers_rwnd == 0) && 2559 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2560 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2561 return (0); 2562 } 2563 if (stcb->asoc.peers_rwnd == 0 && 2564 (flg & SCTP_FROM_MIDDLE_BOX)) { 2565 SCTP_STAT_INCR(sctps_pdrpdizrw); 2566 return (0); 2567 } 2568 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2569 sizeof(struct sctp_data_chunk)); 2570 { 2571 unsigned int iii; 2572 2573 for (iii = 0; iii < sizeof(desc->data_bytes); 2574 iii++) { 2575 if (ddp[iii] != desc->data_bytes[iii]) { 2576 SCTP_STAT_INCR(sctps_pdrpbadd); 2577 return (-1); 2578 } 2579 } 2580 } 2581 /* 2582 * We zero out the nonce so resync not 2583 * needed 2584 */ 2585 tp1->rec.data.ect_nonce = 0; 2586 2587 if (tp1->do_rtt) { 2588 /* 2589 * this guy had a RTO calculation 2590 * pending on it, cancel it 2591 */ 2592 tp1->do_rtt = 0; 2593 } 2594 SCTP_STAT_INCR(sctps_pdrpmark); 2595 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2596 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2597 tp1->sent = SCTP_DATAGRAM_RESEND; 2598 /* 2599 * mark it as if we were doing a FR, since 2600 * we will be getting gap ack reports behind 2601 * the info from the router. 2602 */ 2603 tp1->rec.data.doing_fast_retransmit = 1; 2604 /* 2605 * mark the tsn with what sequences can 2606 * cause a new FR. 2607 */ 2608 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2609 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2610 } else { 2611 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2612 } 2613 2614 /* restart the timer */ 2615 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2616 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2617 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2618 stcb, tp1->whoTo); 2619 2620 /* fix counts and things */ 2621#ifdef SCTP_FLIGHT_LOGGING 2622 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 2623 tp1->whoTo->flight_size, 2624 tp1->book_size, 2625 (uintptr_t) stcb, 2626 tp1->rec.data.TSN_seq); 2627#endif 2628 sctp_flight_size_decrease(tp1); 2629 sctp_total_flight_decrease(stcb, tp1); 2630 } { 2631 /* audit code */ 2632 unsigned int audit; 2633 2634 audit = 0; 2635 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2636 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2637 audit++; 2638 } 2639 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2640 sctp_next) { 2641 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2642 audit++; 2643 } 2644 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2645 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2646 audit, stcb->asoc.sent_queue_retran_cnt); 2647#ifndef SCTP_AUDITING_ENABLED 2648 stcb->asoc.sent_queue_retran_cnt = audit; 2649#endif 2650 } 2651 } 2652 } 2653 break; 2654 case SCTP_ASCONF: 2655 { 2656 struct sctp_tmit_chunk *asconf; 2657 2658 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2659 sctp_next) { 2660 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2661 break; 2662 } 2663 } 2664 if (asconf) { 2665 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2666 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2667 asconf->sent = SCTP_DATAGRAM_RESEND; 2668 asconf->snd_count--; 2669 } 2670 } 2671 break; 2672 case SCTP_INITIATION: 2673 /* resend the INIT */ 2674 stcb->asoc.dropped_special_cnt++; 2675 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2676 /* 2677 * If we can get it in, in a few attempts we do 2678 * this, otherwise we let the timer fire. 2679 */ 2680 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2681 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 2682 sctp_send_initiate(stcb->sctp_ep, stcb); 2683 } 2684 break; 2685 case SCTP_SELECTIVE_ACK: 2686 /* resend the sack */ 2687 sctp_send_sack(stcb); 2688 break; 2689 case SCTP_HEARTBEAT_REQUEST: 2690 /* resend a demand HB */ 2691 sctp_send_hb(stcb, 1, net); 2692 break; 2693 case SCTP_SHUTDOWN: 2694 sctp_send_shutdown(stcb, net); 2695 break; 2696 case SCTP_SHUTDOWN_ACK: 2697 sctp_send_shutdown_ack(stcb, net); 2698 break; 2699 case SCTP_COOKIE_ECHO: 2700 { 2701 struct sctp_tmit_chunk *cookie; 2702 2703 cookie = NULL; 2704 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2705 sctp_next) { 2706 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2707 break; 2708 } 2709 } 2710 if (cookie) { 2711 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2712 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2713 cookie->sent = SCTP_DATAGRAM_RESEND; 2714 sctp_stop_all_cookie_timers(stcb); 2715 } 2716 } 2717 break; 2718 case SCTP_COOKIE_ACK: 2719 sctp_send_cookie_ack(stcb); 2720 break; 2721 case SCTP_ASCONF_ACK: 2722 /* resend last asconf ack */ 2723 sctp_send_asconf_ack(stcb, 1); 2724 break; 2725 case SCTP_FORWARD_CUM_TSN: 2726 send_forward_tsn(stcb, &stcb->asoc); 2727 break; 2728 /* can't do anything with these */ 2729 case SCTP_PACKET_DROPPED: 2730 case SCTP_INITIATION_ACK: /* this should not happen */ 2731 case SCTP_HEARTBEAT_ACK: 2732 case SCTP_ABORT_ASSOCIATION: 2733 case SCTP_OPERATION_ERROR: 2734 case SCTP_SHUTDOWN_COMPLETE: 2735 case SCTP_ECN_ECHO: 2736 case SCTP_ECN_CWR: 2737 default: 2738 break; 2739 } 2740 return (0); 2741} 2742 2743void 2744sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2745{ 2746 int i; 2747 uint16_t temp; 2748 2749 /* 2750 * We set things to 0xffff since this is the last delivered sequence 2751 * and we will be sending in 0 after the reset. 2752 */ 2753 2754 if (number_entries) { 2755 for (i = 0; i < number_entries; i++) { 2756 temp = ntohs(list[i]); 2757 if (temp >= stcb->asoc.streamincnt) { 2758 continue; 2759 } 2760 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2761 } 2762 } else { 2763 list = NULL; 2764 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2765 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2766 } 2767 } 2768 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2769} 2770 2771static void 2772sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2773{ 2774 int i; 2775 2776 if (number_entries == 0) { 2777 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2778 stcb->asoc.strmout[i].next_sequence_sent = 0; 2779 } 2780 } else if (number_entries) { 2781 for (i = 0; i < number_entries; i++) { 2782 uint16_t temp; 2783 2784 temp = ntohs(list[i]); 2785 if (temp >= stcb->asoc.streamoutcnt) { 2786 /* no such stream */ 2787 continue; 2788 } 2789 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2790 } 2791 } 2792 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2793} 2794 2795 2796struct sctp_stream_reset_out_request * 2797sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2798{ 2799 struct sctp_association *asoc; 2800 struct sctp_stream_reset_out_req *req; 2801 struct sctp_stream_reset_out_request *r; 2802 struct sctp_tmit_chunk *chk; 2803 int len, clen; 2804 2805 asoc = &stcb->asoc; 2806 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2807 return (NULL); 2808 } 2809 if (stcb->asoc.str_reset == NULL) { 2810 return (NULL); 2811 } 2812 chk = stcb->asoc.str_reset; 2813 if (chk->data == NULL) { 2814 return (NULL); 2815 } 2816 if (bchk) { 2817 /* he wants a copy of the chk pointer */ 2818 *bchk = chk; 2819 } 2820 clen = chk->send_size; 2821 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2822 r = &req->sr_req; 2823 if (ntohl(r->request_seq) == seq) { 2824 /* found it */ 2825 return (r); 2826 } 2827 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2828 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2829 /* move to the next one, there can only be a max of two */ 2830 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2831 if (ntohl(r->request_seq) == seq) { 2832 return (r); 2833 } 2834 } 2835 /* that seq is not here */ 2836 return (NULL); 2837} 2838 2839static void 2840sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2841{ 2842 struct sctp_association *asoc; 2843 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2844 2845 if (stcb->asoc.str_reset == NULL) { 2846 return; 2847 } 2848 asoc = &stcb->asoc; 2849 2850 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 2851 TAILQ_REMOVE(&asoc->control_send_queue, 2852 chk, 2853 sctp_next); 2854 if (chk->data) { 2855 sctp_m_freem(chk->data); 2856 chk->data = NULL; 2857 } 2858 asoc->ctrl_queue_cnt--; 2859 sctp_free_remote_addr(chk->whoTo); 2860 2861 sctp_free_a_chunk(stcb, chk); 2862 stcb->asoc.str_reset = NULL; 2863} 2864 2865 2866static int 2867sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2868 uint32_t seq, uint32_t action, 2869 struct sctp_stream_reset_response *respin) 2870{ 2871 uint16_t type; 2872 int lparm_len; 2873 struct sctp_association *asoc = &stcb->asoc; 2874 struct sctp_tmit_chunk *chk; 2875 struct sctp_stream_reset_out_request *srparam; 2876 int number_entries; 2877 2878 if (asoc->stream_reset_outstanding == 0) { 2879 /* duplicate */ 2880 return (0); 2881 } 2882 if (seq == stcb->asoc.str_reset_seq_out) { 2883 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2884 if (srparam) { 2885 stcb->asoc.str_reset_seq_out++; 2886 type = ntohs(srparam->ph.param_type); 2887 lparm_len = ntohs(srparam->ph.param_length); 2888 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2889 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2890 asoc->stream_reset_out_is_outstanding = 0; 2891 if (asoc->stream_reset_outstanding) 2892 asoc->stream_reset_outstanding--; 2893 if (action == SCTP_STREAM_RESET_PERFORMED) { 2894 /* do it */ 2895 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2896 } else { 2897 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2898 } 2899 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2900 /* Answered my request */ 2901 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 2902 if (asoc->stream_reset_outstanding) 2903 asoc->stream_reset_outstanding--; 2904 if (action != SCTP_STREAM_RESET_PERFORMED) { 2905 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2906 } 2907 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2908 /** 2909 * a) Adopt the new in tsn. 2910 * b) reset the map 2911 * c) Adopt the new out-tsn 2912 */ 2913 struct sctp_stream_reset_response_tsn *resp; 2914 struct sctp_forward_tsn_chunk fwdtsn; 2915 int abort_flag = 0; 2916 2917 if (respin == NULL) { 2918 /* huh ? */ 2919 return (0); 2920 } 2921 if (action == SCTP_STREAM_RESET_PERFORMED) { 2922 resp = (struct sctp_stream_reset_response_tsn *)respin; 2923 asoc->stream_reset_outstanding--; 2924 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2925 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2926 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2927 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2928 if (abort_flag) { 2929 return (1); 2930 } 2931 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2932 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2933 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2934 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2935 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2936 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2937 2938 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2939 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2940 2941 } 2942 } 2943 /* get rid of the request and get the request flags */ 2944 if (asoc->stream_reset_outstanding == 0) { 2945 sctp_clean_up_stream_reset(stcb); 2946 } 2947 } 2948 } 2949 return (0); 2950} 2951 2952static void 2953sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2954 struct sctp_tmit_chunk *chk, 2955 struct sctp_stream_reset_in_request *req) 2956{ 2957 uint32_t seq; 2958 int len, i; 2959 int number_entries; 2960 uint16_t temp; 2961 2962 /* 2963 * peer wants me to send a str-reset to him for my outgoing seq's if 2964 * seq_in is right. 2965 */ 2966 struct sctp_association *asoc = &stcb->asoc; 2967 2968 seq = ntohl(req->request_seq); 2969 if (asoc->str_reset_seq_in == seq) { 2970 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2971 len = ntohs(req->ph.param_length); 2972 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2973 for (i = 0; i < number_entries; i++) { 2974 temp = ntohs(req->list_of_streams[i]); 2975 req->list_of_streams[i] = temp; 2976 } 2977 /* move the reset action back one */ 2978 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2979 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2980 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2981 asoc->str_reset_seq_out, 2982 seq, (asoc->sending_seq - 1)); 2983 asoc->stream_reset_out_is_outstanding = 1; 2984 asoc->str_reset = chk; 2985 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2986 stcb->asoc.stream_reset_outstanding++; 2987 } else { 2988 /* Can't do it, since we have sent one out */ 2989 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2990 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 2991 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2992 } 2993 asoc->str_reset_seq_in++; 2994 } else if (asoc->str_reset_seq_in - 1 == seq) { 2995 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2996 } else if (asoc->str_reset_seq_in - 2 == seq) { 2997 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2998 } else { 2999 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3000 } 3001} 3002 3003static int 3004sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 3005 struct sctp_tmit_chunk *chk, 3006 struct sctp_stream_reset_tsn_request *req) 3007{ 3008 /* reset all in and out and update the tsn */ 3009 /* 3010 * A) reset my str-seq's on in and out. B) Select a receive next, 3011 * and set cum-ack to it. Also process this selected number as a 3012 * fwd-tsn as well. C) set in the response my next sending seq. 3013 */ 3014 struct sctp_forward_tsn_chunk fwdtsn; 3015 struct sctp_association *asoc = &stcb->asoc; 3016 int abort_flag = 0; 3017 uint32_t seq; 3018 3019 seq = ntohl(req->request_seq); 3020 if (asoc->str_reset_seq_in == seq) { 3021 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3022 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3023 fwdtsn.ch.chunk_flags = 0; 3024 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3025 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 3026 if (abort_flag) { 3027 return (1); 3028 } 3029 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3030 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3031 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 3032 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3033 atomic_add_int(&stcb->asoc.sending_seq, 1); 3034 /* save off historical data for retrans */ 3035 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 3036 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 3037 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 3038 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 3039 3040 sctp_add_stream_reset_result_tsn(chk, 3041 ntohl(req->request_seq), 3042 SCTP_STREAM_RESET_PERFORMED, 3043 stcb->asoc.sending_seq, 3044 stcb->asoc.mapping_array_base_tsn); 3045 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3046 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3047 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3048 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3049 3050 asoc->str_reset_seq_in++; 3051 } else if (asoc->str_reset_seq_in - 1 == seq) { 3052 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3053 stcb->asoc.last_sending_seq[0], 3054 stcb->asoc.last_base_tsnsent[0] 3055 ); 3056 } else if (asoc->str_reset_seq_in - 2 == seq) { 3057 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3058 stcb->asoc.last_sending_seq[1], 3059 stcb->asoc.last_base_tsnsent[1] 3060 ); 3061 } else { 3062 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3063 } 3064 return (0); 3065} 3066 3067static void 3068sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3069 struct sctp_tmit_chunk *chk, 3070 struct sctp_stream_reset_out_request *req) 3071{ 3072 uint32_t seq, tsn; 3073 int number_entries, len; 3074 struct sctp_association *asoc = &stcb->asoc; 3075 3076 seq = ntohl(req->request_seq); 3077 3078 /* now if its not a duplicate we process it */ 3079 if (asoc->str_reset_seq_in == seq) { 3080 len = ntohs(req->ph.param_length); 3081 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3082 /* 3083 * the sender is resetting, handle the list issue.. we must 3084 * a) verify if we can do the reset, if so no problem b) If 3085 * we can't do the reset we must copy the request. c) queue 3086 * it, and setup the data in processor to trigger it off 3087 * when needed and dequeue all the queued data. 3088 */ 3089 tsn = ntohl(req->send_reset_at_tsn); 3090 3091 /* move the reset action back one */ 3092 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3093 if ((tsn == asoc->cumulative_tsn) || 3094 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3095 /* we can do it now */ 3096 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3097 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3098 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3099 } else { 3100 /* 3101 * we must queue it up and thus wait for the TSN's 3102 * to arrive that are at or before tsn 3103 */ 3104 struct sctp_stream_reset_list *liste; 3105 int siz; 3106 3107 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3108 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3109 siz, "StrRstList"); 3110 if (liste == NULL) { 3111 /* gak out of memory */ 3112 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3113 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3114 return; 3115 } 3116 liste->tsn = tsn; 3117 liste->number_entries = number_entries; 3118 memcpy(&liste->req, req, 3119 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3120 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3121 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3122 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3123 } 3124 asoc->str_reset_seq_in++; 3125 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3126 /* 3127 * one seq back, just echo back last action since my 3128 * response was lost. 3129 */ 3130 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3131 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3132 /* 3133 * two seq back, just echo back last action since my 3134 * response was lost. 3135 */ 3136 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3137 } else { 3138 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3139 } 3140} 3141 3142static int 3143sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 3144{ 3145 int chk_length, param_len, ptype; 3146 uint32_t seq; 3147 int num_req = 0; 3148 struct sctp_tmit_chunk *chk; 3149 struct sctp_chunkhdr *ch; 3150 struct sctp_paramhdr *ph; 3151 int ret_code = 0; 3152 int num_param = 0; 3153 3154 /* now it may be a reset or a reset-response */ 3155 chk_length = ntohs(sr_req->ch.chunk_length); 3156 3157 /* setup for adding the response */ 3158 sctp_alloc_a_chunk(stcb, chk); 3159 if (chk == NULL) { 3160 return (ret_code); 3161 } 3162 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3163 chk->asoc = &stcb->asoc; 3164 chk->no_fr_allowed = 0; 3165 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3166 chk->book_size_scale = 0; 3167 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3168 if (chk->data == NULL) { 3169strres_nochunk: 3170 if (chk->data) { 3171 sctp_m_freem(chk->data); 3172 chk->data = NULL; 3173 } 3174 sctp_free_a_chunk(stcb, chk); 3175 return (ret_code); 3176 } 3177 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3178 3179 /* setup chunk parameters */ 3180 chk->sent = SCTP_DATAGRAM_UNSENT; 3181 chk->snd_count = 0; 3182 chk->whoTo = stcb->asoc.primary_destination; 3183 atomic_add_int(&chk->whoTo->ref_count, 1); 3184 3185 ch = mtod(chk->data, struct sctp_chunkhdr *); 3186 ch->chunk_type = SCTP_STREAM_RESET; 3187 ch->chunk_flags = 0; 3188 ch->chunk_length = htons(chk->send_size); 3189 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3190 3191 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3192 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3193 param_len = ntohs(ph->param_length); 3194 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3195 /* bad param */ 3196 break; 3197 } 3198 ptype = ntohs(ph->param_type); 3199 num_param++; 3200 if (num_param > SCTP_MAX_RESET_PARAMS) { 3201 /* hit the max of parameters already sorry.. */ 3202 break; 3203 } 3204 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3205 struct sctp_stream_reset_out_request *req_out; 3206 3207 req_out = (struct sctp_stream_reset_out_request *)ph; 3208 num_req++; 3209 if (stcb->asoc.stream_reset_outstanding) { 3210 seq = ntohl(req_out->response_seq); 3211 if (seq == stcb->asoc.str_reset_seq_out) { 3212 /* implicit ack */ 3213 sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3214 } 3215 } 3216 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3217 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3218 struct sctp_stream_reset_in_request *req_in; 3219 3220 num_req++; 3221 req_in = (struct sctp_stream_reset_in_request *)ph; 3222 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3223 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3224 struct sctp_stream_reset_tsn_request *req_tsn; 3225 3226 num_req++; 3227 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3228 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3229 ret_code = 1; 3230 goto strres_nochunk; 3231 } 3232 /* no more */ 3233 break; 3234 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3235 struct sctp_stream_reset_response *resp; 3236 uint32_t result; 3237 3238 resp = (struct sctp_stream_reset_response *)ph; 3239 seq = ntohl(resp->response_seq); 3240 result = ntohl(resp->result); 3241 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3242 ret_code = 1; 3243 goto strres_nochunk; 3244 } 3245 } else { 3246 break; 3247 } 3248 3249 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3250 chk_length -= SCTP_SIZE32(param_len); 3251 } 3252 if (num_req == 0) { 3253 /* we have no response free the stuff */ 3254 goto strres_nochunk; 3255 } 3256 /* ok we have a chunk to link in */ 3257 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3258 chk, 3259 sctp_next); 3260 stcb->asoc.ctrl_queue_cnt++; 3261 return (ret_code); 3262} 3263 3264/* 3265 * Handle a router or endpoints report of a packet loss, there are two ways 3266 * to handle this, either we get the whole packet and must disect it 3267 * ourselves (possibly with truncation and or corruption) or it is a summary 3268 * from a middle box that did the disectting for us. 3269 */ 3270static void 3271sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3272 struct sctp_tcb *stcb, struct sctp_nets *net) 3273{ 3274 uint32_t bottle_bw, on_queue; 3275 uint16_t trunc_len; 3276 unsigned int chlen; 3277 unsigned int at; 3278 struct sctp_chunk_desc desc; 3279 struct sctp_chunkhdr *ch; 3280 3281 chlen = ntohs(cp->ch.chunk_length); 3282 chlen -= sizeof(struct sctp_pktdrop_chunk); 3283 /* XXX possible chlen underflow */ 3284 if (chlen == 0) { 3285 ch = NULL; 3286 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3287 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3288 } else { 3289 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3290 chlen -= sizeof(struct sctphdr); 3291 /* XXX possible chlen underflow */ 3292 memset(&desc, 0, sizeof(desc)); 3293 } 3294 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3295 /* now the chunks themselves */ 3296 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3297 desc.chunk_type = ch->chunk_type; 3298 /* get amount we need to move */ 3299 at = ntohs(ch->chunk_length); 3300 if (at < sizeof(struct sctp_chunkhdr)) { 3301 /* corrupt chunk, maybe at the end? */ 3302 SCTP_STAT_INCR(sctps_pdrpcrupt); 3303 break; 3304 } 3305 if (trunc_len == 0) { 3306 /* we are supposed to have all of it */ 3307 if (at > chlen) { 3308 /* corrupt skip it */ 3309 SCTP_STAT_INCR(sctps_pdrpcrupt); 3310 break; 3311 } 3312 } else { 3313 /* is there enough of it left ? */ 3314 if (desc.chunk_type == SCTP_DATA) { 3315 if (chlen < (sizeof(struct sctp_data_chunk) + 3316 sizeof(desc.data_bytes))) { 3317 break; 3318 } 3319 } else { 3320 if (chlen < sizeof(struct sctp_chunkhdr)) { 3321 break; 3322 } 3323 } 3324 } 3325 if (desc.chunk_type == SCTP_DATA) { 3326 /* can we get out the tsn? */ 3327 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3328 SCTP_STAT_INCR(sctps_pdrpmbda); 3329 3330 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3331 /* yep */ 3332 struct sctp_data_chunk *dcp; 3333 uint8_t *ddp; 3334 unsigned int iii; 3335 3336 dcp = (struct sctp_data_chunk *)ch; 3337 ddp = (uint8_t *) (dcp + 1); 3338 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3339 desc.data_bytes[iii] = ddp[iii]; 3340 } 3341 desc.tsn_ifany = dcp->dp.tsn; 3342 } else { 3343 /* nope we are done. */ 3344 SCTP_STAT_INCR(sctps_pdrpnedat); 3345 break; 3346 } 3347 } else { 3348 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3349 SCTP_STAT_INCR(sctps_pdrpmbct); 3350 } 3351 3352 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3353 SCTP_STAT_INCR(sctps_pdrppdbrk); 3354 break; 3355 } 3356 if (SCTP_SIZE32(at) > chlen) { 3357 break; 3358 } 3359 chlen -= SCTP_SIZE32(at); 3360 if (chlen < sizeof(struct sctp_chunkhdr)) { 3361 /* done, none left */ 3362 break; 3363 } 3364 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3365 } 3366 /* Now update any rwnd --- possibly */ 3367 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3368 /* From a peer, we get a rwnd report */ 3369 uint32_t a_rwnd; 3370 3371 SCTP_STAT_INCR(sctps_pdrpfehos); 3372 3373 bottle_bw = ntohl(cp->bottle_bw); 3374 on_queue = ntohl(cp->current_onq); 3375 if (bottle_bw && on_queue) { 3376 /* a rwnd report is in here */ 3377 if (bottle_bw > on_queue) 3378 a_rwnd = bottle_bw - on_queue; 3379 else 3380 a_rwnd = 0; 3381 3382 if (a_rwnd == 0) 3383 stcb->asoc.peers_rwnd = 0; 3384 else { 3385 if (a_rwnd > stcb->asoc.total_flight) { 3386 stcb->asoc.peers_rwnd = 3387 a_rwnd - stcb->asoc.total_flight; 3388 } else { 3389 stcb->asoc.peers_rwnd = 0; 3390 } 3391 if (stcb->asoc.peers_rwnd < 3392 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3393 /* SWS sender side engages */ 3394 stcb->asoc.peers_rwnd = 0; 3395 } 3396 } 3397 } 3398 } else { 3399 SCTP_STAT_INCR(sctps_pdrpfmbox); 3400 } 3401 3402 /* now middle boxes in sat networks get a cwnd bump */ 3403 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3404 (stcb->asoc.sat_t3_loss_recovery == 0) && 3405 (stcb->asoc.sat_network)) { 3406 /* 3407 * This is debateable but for sat networks it makes sense 3408 * Note if a T3 timer has went off, we will prohibit any 3409 * changes to cwnd until we exit the t3 loss recovery. 3410 */ 3411 uint32_t bw_avail; 3412 int rtt, incr; 3413 3414#ifdef SCTP_CWND_MONITOR 3415 int old_cwnd = net->cwnd; 3416 3417#endif 3418 /* need real RTT for this calc */ 3419 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3420 /* get bottle neck bw */ 3421 bottle_bw = ntohl(cp->bottle_bw); 3422 /* and whats on queue */ 3423 on_queue = ntohl(cp->current_onq); 3424 /* 3425 * adjust the on-queue if our flight is more it could be 3426 * that the router has not yet gotten data "in-flight" to it 3427 */ 3428 if (on_queue < net->flight_size) 3429 on_queue = net->flight_size; 3430 3431 /* calculate the available space */ 3432 bw_avail = (bottle_bw * rtt) / 1000; 3433 if (bw_avail > bottle_bw) { 3434 /* 3435 * Cap the growth to no more than the bottle neck. 3436 * This can happen as RTT slides up due to queues. 3437 * It also means if you have more than a 1 second 3438 * RTT with a empty queue you will be limited to the 3439 * bottle_bw per second no matter if other points 3440 * have 1/2 the RTT and you could get more out... 3441 */ 3442 bw_avail = bottle_bw; 3443 } 3444 if (on_queue > bw_avail) { 3445 /* 3446 * No room for anything else don't allow anything 3447 * else to be "added to the fire". 3448 */ 3449 int seg_inflight, seg_onqueue, my_portion; 3450 3451 net->partial_bytes_acked = 0; 3452 3453 /* how much are we over queue size? */ 3454 incr = on_queue - bw_avail; 3455 if (stcb->asoc.seen_a_sack_this_pkt) { 3456 /* 3457 * undo any cwnd adjustment that the sack 3458 * might have made 3459 */ 3460 net->cwnd = net->prev_cwnd; 3461 } 3462 /* Now how much of that is mine? */ 3463 seg_inflight = net->flight_size / net->mtu; 3464 seg_onqueue = on_queue / net->mtu; 3465 my_portion = (incr * seg_inflight) / seg_onqueue; 3466 3467 /* Have I made an adjustment already */ 3468 if (net->cwnd > net->flight_size) { 3469 /* 3470 * for this flight I made an adjustment we 3471 * need to decrease the portion by a share 3472 * our previous adjustment. 3473 */ 3474 int diff_adj; 3475 3476 diff_adj = net->cwnd - net->flight_size; 3477 if (diff_adj > my_portion) 3478 my_portion = 0; 3479 else 3480 my_portion -= diff_adj; 3481 } 3482 /* 3483 * back down to the previous cwnd (assume we have 3484 * had a sack before this packet). minus what ever 3485 * portion of the overage is my fault. 3486 */ 3487 net->cwnd -= my_portion; 3488 3489 /* we will NOT back down more than 1 MTU */ 3490 if (net->cwnd <= net->mtu) { 3491 net->cwnd = net->mtu; 3492 } 3493 /* force into CA */ 3494 net->ssthresh = net->cwnd - 1; 3495 } else { 3496 /* 3497 * Take 1/4 of the space left or max burst up .. 3498 * whichever is less. 3499 */ 3500 incr = min((bw_avail - on_queue) >> 2, 3501 (int)stcb->asoc.max_burst * (int)net->mtu); 3502 net->cwnd += incr; 3503 } 3504 if (net->cwnd > bw_avail) { 3505 /* We can't exceed the pipe size */ 3506 net->cwnd = bw_avail; 3507 } 3508 if (net->cwnd < net->mtu) { 3509 /* We always have 1 MTU */ 3510 net->cwnd = net->mtu; 3511 } 3512#ifdef SCTP_CWND_MONITOR 3513 if (net->cwnd - old_cwnd != 0) { 3514 /* log only changes */ 3515 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3516 SCTP_CWND_LOG_FROM_SAT); 3517 } 3518#endif 3519 } 3520} 3521 3522/* 3523 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3524 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3525 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3526 * length of the complete packet outputs: - length: modified to remaining 3527 * length after control processing - netp: modified to new sctp_nets after 3528 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3529 * bad packet,...) otherwise return the tcb for this packet 3530 */ 3531static struct sctp_tcb * 3532sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3533 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3534 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3535{ 3536 struct sctp_association *asoc; 3537 uint32_t vtag_in; 3538 int num_chunks = 0; /* number of control chunks processed */ 3539 int chk_length; 3540 int ret; 3541 int abort_no_unlock = 0; 3542 3543 /* 3544 * How big should this be, and should it be alloc'd? Lets try the 3545 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3546 * until we get into jumbo grams and such.. 3547 */ 3548 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 3549 struct sctp_tcb *locked_tcb = stcb; 3550 int got_auth = 0; 3551 uint32_t auth_offset = 0, auth_len = 0; 3552 int auth_skipped = 0; 3553 3554#ifdef SCTP_DEBUG 3555 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3556 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3557 iphlen, *offset, length, stcb); 3558 } 3559#endif /* SCTP_DEBUG */ 3560 3561 /* validate chunk header length... */ 3562 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3563 return (NULL); 3564 } 3565 /* 3566 * validate the verification tag 3567 */ 3568 vtag_in = ntohl(sh->v_tag); 3569 3570 if (locked_tcb) { 3571 SCTP_TCB_LOCK_ASSERT(locked_tcb); 3572 } 3573 if (ch->chunk_type == SCTP_INITIATION) { 3574 if (vtag_in != 0) { 3575 /* protocol error- silently discard... */ 3576 SCTP_STAT_INCR(sctps_badvtag); 3577 if (locked_tcb) 3578 SCTP_TCB_UNLOCK(locked_tcb); 3579 return (NULL); 3580 } 3581 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3582 /* 3583 * If there is no stcb, skip the AUTH chunk and process 3584 * later after a stcb is found (to validate the lookup was 3585 * valid. 3586 */ 3587 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3588 (stcb == NULL) && !sctp_auth_disable) { 3589 /* save this chunk for later processing */ 3590 auth_skipped = 1; 3591 auth_offset = *offset; 3592 auth_len = ntohs(ch->chunk_length); 3593 3594 /* (temporarily) move past this chunk */ 3595 *offset += SCTP_SIZE32(auth_len); 3596 if (*offset >= length) { 3597 /* no more data left in the mbuf chain */ 3598 *offset = length; 3599 return (NULL); 3600 } 3601 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3602 sizeof(struct sctp_chunkhdr), chunk_buf); 3603 } 3604 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3605 goto process_control_chunks; 3606 } 3607 /* 3608 * first check if it's an ASCONF with an unknown src addr we 3609 * need to look inside to find the association 3610 */ 3611 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3612 /* inp's refcount may be reduced */ 3613 SCTP_INP_INCR_REF(inp); 3614 3615 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3616 *offset, sh, &inp, netp); 3617 if (stcb == NULL) { 3618 /* 3619 * reduce inp's refcount if not reduced in 3620 * sctp_findassociation_ep_asconf(). 3621 */ 3622 SCTP_INP_DECR_REF(inp); 3623 } 3624 /* now go back and verify any auth chunk to be sure */ 3625 if (auth_skipped && (stcb != NULL)) { 3626 struct sctp_auth_chunk *auth; 3627 3628 auth = (struct sctp_auth_chunk *) 3629 sctp_m_getptr(m, auth_offset, 3630 auth_len, chunk_buf); 3631 got_auth = 1; 3632 auth_skipped = 0; 3633 if (sctp_handle_auth(stcb, auth, m, 3634 auth_offset)) { 3635 /* auth HMAC failed so dump it */ 3636 *offset = length; 3637 return (NULL); 3638 } else { 3639 /* remaining chunks are HMAC checked */ 3640 stcb->asoc.authenticated = 1; 3641 } 3642 } 3643 } 3644 if (stcb == NULL) { 3645 /* no association, so it's out of the blue... */ 3646 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3647 *offset = length; 3648 if (locked_tcb) 3649 SCTP_TCB_UNLOCK(locked_tcb); 3650 return (NULL); 3651 } 3652 asoc = &stcb->asoc; 3653 /* ABORT and SHUTDOWN can use either v_tag... */ 3654 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3655 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3656 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3657 if ((vtag_in == asoc->my_vtag) || 3658 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3659 (vtag_in == asoc->peer_vtag))) { 3660 /* this is valid */ 3661 } else { 3662 /* drop this packet... */ 3663 SCTP_STAT_INCR(sctps_badvtag); 3664 if (locked_tcb) 3665 SCTP_TCB_UNLOCK(locked_tcb); 3666 return (NULL); 3667 } 3668 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3669 if (vtag_in != asoc->my_vtag) { 3670 /* 3671 * this could be a stale SHUTDOWN-ACK or the 3672 * peer never got the SHUTDOWN-COMPLETE and 3673 * is still hung; we have started a new asoc 3674 * but it won't complete until the shutdown 3675 * is completed 3676 */ 3677 if (locked_tcb) 3678 SCTP_TCB_UNLOCK(locked_tcb); 3679 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3680 NULL); 3681 return (NULL); 3682 } 3683 } else { 3684 /* for all other chunks, vtag must match */ 3685 if (vtag_in != asoc->my_vtag) { 3686 /* invalid vtag... */ 3687#ifdef SCTP_DEBUG 3688 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3689 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3690 } 3691#endif /* SCTP_DEBUG */ 3692 SCTP_STAT_INCR(sctps_badvtag); 3693 if (locked_tcb) 3694 SCTP_TCB_UNLOCK(locked_tcb); 3695 *offset = length; 3696 return (NULL); 3697 } 3698 } 3699 } /* end if !SCTP_COOKIE_ECHO */ 3700 /* 3701 * process all control chunks... 3702 */ 3703 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3704 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3705 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3706 /* implied cookie-ack.. we must have lost the ack */ 3707 stcb->asoc.overall_error_count = 0; 3708 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3709 *netp); 3710 } 3711process_control_chunks: 3712 3713 while (IS_SCTP_CONTROL(ch)) { 3714 /* validate chunk length */ 3715 chk_length = ntohs(ch->chunk_length); 3716#ifdef SCTP_DEBUG 3717 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3718 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", 3719 ch->chunk_type, chk_length); 3720 } 3721#endif /* SCTP_DEBUG */ 3722 if ((size_t)chk_length < sizeof(*ch) || 3723 (*offset + chk_length) > length) { 3724 *offset = length; 3725 if (locked_tcb) 3726 SCTP_TCB_UNLOCK(locked_tcb); 3727 return (NULL); 3728 } 3729 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3730 /* 3731 * INIT-ACK only gets the init ack "header" portion only 3732 * because we don't have to process the peer's COOKIE. All 3733 * others get a complete chunk. 3734 */ 3735 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3736 /* get an init-ack chunk */ 3737 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3738 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3739 if (ch == NULL) { 3740 *offset = length; 3741 if (locked_tcb) 3742 SCTP_TCB_UNLOCK(locked_tcb); 3743 return (NULL); 3744 } 3745 } else { 3746 /* get a complete chunk... */ 3747 if ((size_t)chk_length > sizeof(chunk_buf)) { 3748 struct mbuf *oper; 3749 struct sctp_paramhdr *phdr; 3750 3751 oper = NULL; 3752 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3753 0, M_DONTWAIT, 1, MT_DATA); 3754 if (oper) { 3755 /* pre-reserve some space */ 3756 SCTP_BUF_RESV_UF(oper, sizeof(struct sctp_chunkhdr)); 3757 SCTP_BUF_LEN(oper) = sizeof(struct sctp_paramhdr); 3758 phdr = mtod(oper, struct sctp_paramhdr *); 3759 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); 3760 phdr->param_length = htons(sizeof(struct sctp_paramhdr)); 3761 sctp_queue_op_err(stcb, oper); 3762 } 3763 if (locked_tcb) 3764 SCTP_TCB_UNLOCK(locked_tcb); 3765 return (NULL); 3766 } 3767 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3768 chk_length, chunk_buf); 3769 if (ch == NULL) { 3770 printf("sctp_process_control: Can't get the all data....\n"); 3771 *offset = length; 3772 if (locked_tcb) 3773 SCTP_TCB_UNLOCK(locked_tcb); 3774 return (NULL); 3775 } 3776 } 3777 num_chunks++; 3778 /* Save off the last place we got a control from */ 3779 if (stcb != NULL) { 3780 if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) { 3781 /* 3782 * allow last_control to be NULL if 3783 * ASCONF... ASCONF processing will find the 3784 * right net later 3785 */ 3786 stcb->asoc.last_control_chunk_from = *netp; 3787 } 3788 } 3789#ifdef SCTP_AUDITING_ENABLED 3790 sctp_audit_log(0xB0, ch->chunk_type); 3791#endif 3792 3793 /* check to see if this chunk required auth, but isn't */ 3794 if ((stcb != NULL) && !sctp_auth_disable && 3795 sctp_auth_is_required_chunk(ch->chunk_type, 3796 stcb->asoc.local_auth_chunks) && 3797 !stcb->asoc.authenticated) { 3798 /* "silently" ignore */ 3799 SCTP_STAT_INCR(sctps_recvauthmissing); 3800 goto next_chunk; 3801 } 3802 switch (ch->chunk_type) { 3803 case SCTP_INITIATION: 3804 /* must be first and only chunk */ 3805#ifdef SCTP_DEBUG 3806 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3807 printf("SCTP_INIT\n"); 3808 } 3809#endif /* SCTP_DEBUG */ 3810 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3811 /* We are not interested anymore? */ 3812 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3813 /* 3814 * collision case where we are 3815 * sending to them too 3816 */ 3817 ; 3818 } else { 3819 if (locked_tcb) 3820 SCTP_TCB_UNLOCK(locked_tcb); 3821 *offset = length; 3822 return (NULL); 3823 } 3824 } 3825 if ((num_chunks > 1) || 3826 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3827 *offset = length; 3828 if (locked_tcb) 3829 SCTP_TCB_UNLOCK(locked_tcb); 3830 return (NULL); 3831 } 3832 if ((stcb != NULL) && 3833 (SCTP_GET_STATE(&stcb->asoc) == 3834 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3835 sctp_send_shutdown_ack(stcb, 3836 stcb->asoc.primary_destination); 3837 *offset = length; 3838 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3839 if (locked_tcb) 3840 SCTP_TCB_UNLOCK(locked_tcb); 3841 return (NULL); 3842 } 3843 sctp_handle_init(m, iphlen, *offset, sh, 3844 (struct sctp_init_chunk *)ch, inp, stcb, *netp, &abort_no_unlock); 3845 if (abort_no_unlock) 3846 return (NULL); 3847 3848 *offset = length; 3849 if (locked_tcb) 3850 SCTP_TCB_UNLOCK(locked_tcb); 3851 return (NULL); 3852 break; 3853 case SCTP_INITIATION_ACK: 3854 /* must be first and only chunk */ 3855#ifdef SCTP_DEBUG 3856 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3857 printf("SCTP_INIT-ACK\n"); 3858 } 3859#endif /* SCTP_DEBUG */ 3860 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3861 /* We are not interested anymore */ 3862 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3863 ; 3864 } else { 3865 if (locked_tcb) 3866 SCTP_TCB_UNLOCK(locked_tcb); 3867 *offset = length; 3868 if (stcb) { 3869 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3870 } 3871 return (NULL); 3872 } 3873 } 3874 if ((num_chunks > 1) || 3875 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3876 *offset = length; 3877 if (locked_tcb) 3878 SCTP_TCB_UNLOCK(locked_tcb); 3879 return (NULL); 3880 } 3881 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3882 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock); 3883 /* 3884 * Special case, I must call the output routine to 3885 * get the cookie echoed 3886 */ 3887 if (abort_no_unlock) 3888 return (NULL); 3889 3890 if ((stcb) && ret == 0) 3891 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3892 *offset = length; 3893 if (locked_tcb) 3894 SCTP_TCB_UNLOCK(locked_tcb); 3895 return (NULL); 3896 break; 3897 case SCTP_SELECTIVE_ACK: 3898#ifdef SCTP_DEBUG 3899 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3900 printf("SCTP_SACK\n"); 3901 } 3902#endif /* SCTP_DEBUG */ 3903 SCTP_STAT_INCR(sctps_recvsacks); 3904 { 3905 struct sctp_sack_chunk *sack; 3906 int abort_now = 0; 3907 uint32_t a_rwnd, cum_ack; 3908 uint16_t num_seg; 3909 int nonce_sum_flag; 3910 3911 sack = (struct sctp_sack_chunk *)ch; 3912 3913 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3914 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3915 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3916 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3917 stcb->asoc.seen_a_sack_this_pkt = 1; 3918 if ((stcb->asoc.pr_sctp_cnt == 0) && 3919 (num_seg == 0) && 3920 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3921 (cum_ack == stcb->asoc.last_acked_seq)) && 3922 (stcb->asoc.saw_sack_with_frags == 0) && 3923 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3924 ) { 3925 /* 3926 * We have a SIMPLE sack having no 3927 * prior segments and data on sent 3928 * queue to be acked.. Use the 3929 * faster path sack processing. We 3930 * also allow window update sacks 3931 * with no missing segments to go 3932 * this way too. 3933 */ 3934 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, &abort_now); 3935 } else { 3936 sctp_handle_sack(sack, stcb, *netp, &abort_now); 3937 } 3938 if (abort_now) { 3939 /* ABORT signal from sack processing */ 3940 *offset = length; 3941 return (NULL); 3942 } 3943 } 3944 break; 3945 case SCTP_HEARTBEAT_REQUEST: 3946#ifdef SCTP_DEBUG 3947 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3948 printf("SCTP_HEARTBEAT\n"); 3949 } 3950#endif /* SCTP_DEBUG */ 3951 SCTP_STAT_INCR(sctps_recvheartbeat); 3952 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3953 *netp); 3954 3955 /* He's alive so give him credit */ 3956 stcb->asoc.overall_error_count = 0; 3957 break; 3958 case SCTP_HEARTBEAT_ACK: 3959#ifdef SCTP_DEBUG 3960 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3961 printf("SCTP_HEARTBEAT-ACK\n"); 3962 } 3963#endif /* SCTP_DEBUG */ 3964 3965 /* He's alive so give him credit */ 3966 stcb->asoc.overall_error_count = 0; 3967 SCTP_STAT_INCR(sctps_recvheartbeatack); 3968 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3969 stcb, *netp); 3970 break; 3971 case SCTP_ABORT_ASSOCIATION: 3972#ifdef SCTP_DEBUG 3973 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3974 printf("SCTP_ABORT\n"); 3975 } 3976#endif /* SCTP_DEBUG */ 3977 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3978 stcb, *netp); 3979 *offset = length; 3980 return (NULL); 3981 break; 3982 case SCTP_SHUTDOWN: 3983#ifdef SCTP_DEBUG 3984 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3985 printf("SCTP_SHUTDOWN\n"); 3986 } 3987#endif /* SCTP_DEBUG */ 3988 { 3989 int abort_flag = 0; 3990 3991 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3992 stcb, *netp, &abort_flag); 3993 if (abort_flag) { 3994 *offset = length; 3995 return (NULL); 3996 } 3997 } 3998 break; 3999 case SCTP_SHUTDOWN_ACK: 4000#ifdef SCTP_DEBUG 4001 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4002 printf("SCTP_SHUTDOWN-ACK\n"); 4003 } 4004#endif /* SCTP_DEBUG */ 4005 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 4006 *offset = length; 4007 return (NULL); 4008 break; 4009 case SCTP_OPERATION_ERROR: 4010#ifdef SCTP_DEBUG 4011 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4012 printf("SCTP_OP-ERR\n"); 4013 } 4014#endif /* SCTP_DEBUG */ 4015 if (sctp_handle_error(ch, stcb, *netp) < 0) { 4016 *offset = length; 4017 return (NULL); 4018 } 4019 break; 4020 case SCTP_COOKIE_ECHO: 4021#ifdef SCTP_DEBUG 4022 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4023 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 4024 } 4025#endif /* SCTP_DEBUG */ 4026 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4027 ; 4028 } else { 4029 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) && 4030 (stcb == NULL)) { 4031 /* We are not interested anymore */ 4032 *offset = length; 4033 return (NULL); 4034 } 4035 } 4036 /* 4037 * First are we accepting? We do this again here 4038 * since it is possible that a previous endpoint WAS 4039 * listening responded to a INIT-ACK and then 4040 * closed. We opened and bound.. and are now no 4041 * longer listening. 4042 */ 4043 if (inp->sctp_socket->so_qlimit == 0) { 4044 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 4045 /* 4046 * special case, is this a retran'd 4047 * COOKIE-ECHO or a restarting assoc 4048 * that is a peeled off or 4049 * one-to-one style socket. 4050 */ 4051 goto process_cookie_anyway; 4052 } 4053 sctp_abort_association(inp, stcb, m, iphlen, sh, 4054 NULL); 4055 *offset = length; 4056 return (NULL); 4057 } else if (inp->sctp_socket->so_qlimit) { 4058 /* we are accepting so check limits like TCP */ 4059 if (inp->sctp_socket->so_qlen > 4060 inp->sctp_socket->so_qlimit) { 4061 /* no space */ 4062 struct mbuf *oper; 4063 struct sctp_paramhdr *phdr; 4064 4065 if (sctp_abort_if_one_2_one_hits_limit) { 4066 oper = NULL; 4067 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4068 0, M_DONTWAIT, 1, MT_DATA); 4069 if (oper) { 4070 SCTP_BUF_LEN(oper) = 4071 sizeof(struct sctp_paramhdr); 4072 phdr = mtod(oper, 4073 struct sctp_paramhdr *); 4074 phdr->param_type = 4075 htons(SCTP_CAUSE_OUT_OF_RESC); 4076 phdr->param_length = 4077 htons(sizeof(struct sctp_paramhdr)); 4078 } 4079 sctp_abort_association(inp, stcb, m, 4080 iphlen, sh, oper); 4081 } 4082 *offset = length; 4083 return (NULL); 4084 } 4085 } 4086 process_cookie_anyway: 4087 { 4088 struct mbuf *ret_buf; 4089 struct sctp_inpcb *linp; 4090 4091 if (stcb) 4092 linp = NULL; 4093 else 4094 linp = inp; 4095 4096 if (linp) 4097 SCTP_ASOC_CREATE_LOCK(linp); 4098 ret_buf = 4099 sctp_handle_cookie_echo(m, iphlen, 4100 *offset, sh, 4101 (struct sctp_cookie_echo_chunk *)ch, 4102 &inp, &stcb, netp, 4103 auth_skipped, 4104 auth_offset, 4105 auth_len, 4106 &locked_tcb); 4107 if (linp) 4108 SCTP_ASOC_CREATE_UNLOCK(linp); 4109 if (ret_buf == NULL) { 4110 if (locked_tcb) { 4111 SCTP_TCB_UNLOCK(locked_tcb); 4112 } 4113#ifdef SCTP_DEBUG 4114 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4115 printf("GAK, null buffer\n"); 4116 } 4117#endif /* SCTP_DEBUG */ 4118 auth_skipped = 0; 4119 *offset = length; 4120 return (NULL); 4121 } 4122 /* if AUTH skipped, see if it verified... */ 4123 if (auth_skipped) { 4124 got_auth = 1; 4125 auth_skipped = 0; 4126 } 4127 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4128 /* 4129 * Restart the timer if we have 4130 * pending data 4131 */ 4132 struct sctp_tmit_chunk *chk; 4133 4134 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4135 if (chk) { 4136 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4137 stcb->sctp_ep, stcb, 4138 chk->whoTo); 4139 } 4140 } 4141 } 4142 break; 4143 case SCTP_COOKIE_ACK: 4144#ifdef SCTP_DEBUG 4145 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4146 printf("SCTP_COOKIE-ACK\n"); 4147 } 4148#endif /* SCTP_DEBUG */ 4149 4150 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4151 /* We are not interested anymore */ 4152 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4153 ; 4154 } else { 4155 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4156 *offset = length; 4157 return (NULL); 4158 } 4159 } 4160 /* He's alive so give him credit */ 4161 stcb->asoc.overall_error_count = 0; 4162 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4163 break; 4164 case SCTP_ECN_ECHO: 4165#ifdef SCTP_DEBUG 4166 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4167 printf("SCTP_ECN-ECHO\n"); 4168 } 4169#endif /* SCTP_DEBUG */ 4170 /* He's alive so give him credit */ 4171 stcb->asoc.overall_error_count = 0; 4172 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4173 stcb); 4174 break; 4175 case SCTP_ECN_CWR: 4176#ifdef SCTP_DEBUG 4177 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4178 printf("SCTP_ECN-CWR\n"); 4179 } 4180#endif /* SCTP_DEBUG */ 4181 /* He's alive so give him credit */ 4182 stcb->asoc.overall_error_count = 0; 4183 4184 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4185 break; 4186 case SCTP_SHUTDOWN_COMPLETE: 4187#ifdef SCTP_DEBUG 4188 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4189 printf("SCTP_SHUTDOWN-COMPLETE\n"); 4190 } 4191#endif /* SCTP_DEBUG */ 4192 /* must be first and only chunk */ 4193 if ((num_chunks > 1) || 4194 (length - *offset > SCTP_SIZE32(chk_length))) { 4195 *offset = length; 4196 if (locked_tcb) 4197 SCTP_TCB_UNLOCK(locked_tcb); 4198 4199 return (NULL); 4200 } 4201 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4202 stcb, *netp); 4203 *offset = length; 4204 return (NULL); 4205 break; 4206 case SCTP_ASCONF: 4207#ifdef SCTP_DEBUG 4208 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4209 printf("SCTP_ASCONF\n"); 4210 } 4211#endif /* SCTP_DEBUG */ 4212 /* He's alive so give him credit */ 4213 stcb->asoc.overall_error_count = 0; 4214 4215 sctp_handle_asconf(m, *offset, 4216 (struct sctp_asconf_chunk *)ch, stcb); 4217 break; 4218 case SCTP_ASCONF_ACK: 4219#ifdef SCTP_DEBUG 4220 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4221 printf("SCTP_ASCONF-ACK\n"); 4222 } 4223#endif /* SCTP_DEBUG */ 4224 /* He's alive so give him credit */ 4225 stcb->asoc.overall_error_count = 0; 4226 4227 sctp_handle_asconf_ack(m, *offset, 4228 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4229 break; 4230 case SCTP_FORWARD_CUM_TSN: 4231#ifdef SCTP_DEBUG 4232 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4233 printf("SCTP_FWD-TSN\n"); 4234 } 4235#endif /* SCTP_DEBUG */ 4236 /* He's alive so give him credit */ 4237 { 4238 int abort_flag = 0; 4239 4240 stcb->asoc.overall_error_count = 0; 4241 *fwd_tsn_seen = 1; 4242 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4243 /* We are not interested anymore */ 4244 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28); 4245 *offset = length; 4246 return (NULL); 4247 } 4248 sctp_handle_forward_tsn(stcb, 4249 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4250 if (abort_flag) { 4251 *offset = length; 4252 return (NULL); 4253 } else { 4254 stcb->asoc.overall_error_count = 0; 4255 } 4256 4257 } 4258 break; 4259 case SCTP_STREAM_RESET: 4260#ifdef SCTP_DEBUG 4261 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4262 printf("SCTP_STREAM_RESET\n"); 4263 } 4264#endif /* SCTP_DEBUG */ 4265 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4266 chk_length, chunk_buf); 4267 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4268 /* We are not interested anymore */ 4269 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4270 *offset = length; 4271 return (NULL); 4272 } 4273 if (stcb->asoc.peer_supports_strreset == 0) { 4274 /* 4275 * hmm, peer should have announced this, but 4276 * we will turn it on since he is sending us 4277 * a stream reset. 4278 */ 4279 stcb->asoc.peer_supports_strreset = 1; 4280 } 4281 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4282 /* stop processing */ 4283 *offset = length; 4284 return (NULL); 4285 } 4286 break; 4287 case SCTP_PACKET_DROPPED: 4288#ifdef SCTP_DEBUG 4289 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4290 printf("SCTP_PACKET_DROPPED\n"); 4291 } 4292#endif /* SCTP_DEBUG */ 4293 /* re-get it all please */ 4294 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4295 chk_length, chunk_buf); 4296 4297 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4298 stcb, *netp); 4299 4300 break; 4301 4302 case SCTP_AUTHENTICATION: 4303#ifdef SCTP_DEBUG 4304 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4305 printf("SCTP_AUTHENTICATION\n"); 4306 } 4307#endif /* SCTP_DEBUG */ 4308 if (sctp_auth_disable) 4309 goto unknown_chunk; 4310 4311 if (stcb == NULL) { 4312 /* save the first AUTH for later processing */ 4313 if (auth_skipped == 0) { 4314 auth_offset = *offset; 4315 auth_len = chk_length; 4316 auth_skipped = 1; 4317 } 4318 /* skip this chunk (temporarily) */ 4319 goto next_chunk; 4320 } 4321 if (got_auth == 1) { 4322 /* skip this chunk... it's already auth'd */ 4323 goto next_chunk; 4324 } 4325 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4326 chk_length, chunk_buf); 4327 got_auth = 1; 4328 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4329 m, *offset)) { 4330 /* auth HMAC failed so dump the packet */ 4331 *offset = length; 4332 return (stcb); 4333 } else { 4334 /* remaining chunks are HMAC checked */ 4335 stcb->asoc.authenticated = 1; 4336 } 4337 break; 4338 4339 default: 4340 unknown_chunk: 4341 /* it's an unknown chunk! */ 4342 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4343 struct mbuf *mm; 4344 struct sctp_paramhdr *phd; 4345 4346 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4347 0, M_DONTWAIT, 1, MT_DATA); 4348 if (mm) { 4349 phd = mtod(mm, struct sctp_paramhdr *); 4350 /* 4351 * We cheat and use param type since 4352 * we did not bother to define a 4353 * error cause struct. They are the 4354 * same basic format with different 4355 * names. 4356 */ 4357 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4358 phd->param_length = htons(chk_length + sizeof(*phd)); 4359 SCTP_BUF_LEN(mm) = sizeof(*phd); 4360 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 4361 M_DONTWAIT); 4362 if (SCTP_BUF_NEXT(mm)) { 4363 sctp_queue_op_err(stcb, mm); 4364 } else { 4365 sctp_m_freem(mm); 4366 } 4367 } 4368 } 4369 if ((ch->chunk_type & 0x80) == 0) { 4370 /* discard this packet */ 4371 *offset = length; 4372 return (stcb); 4373 } /* else skip this bad chunk and continue... */ 4374 break; 4375 } /* switch (ch->chunk_type) */ 4376 4377 4378next_chunk: 4379 /* get the next chunk */ 4380 *offset += SCTP_SIZE32(chk_length); 4381 if (*offset >= length) { 4382 /* no more data left in the mbuf chain */ 4383 break; 4384 } 4385 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4386 sizeof(struct sctp_chunkhdr), chunk_buf); 4387 if (ch == NULL) { 4388 if (locked_tcb) 4389 SCTP_TCB_UNLOCK(locked_tcb); 4390 *offset = length; 4391 return (NULL); 4392 } 4393 } /* while */ 4394 return (stcb); 4395} 4396 4397 4398/* 4399 * Process the ECN bits we have something set so we must look to see if it is 4400 * ECN(0) or ECN(1) or CE 4401 */ 4402static __inline void 4403sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4404 uint8_t ecn_bits) 4405{ 4406 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4407 ; 4408 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4409 /* 4410 * we only add to the nonce sum for ECT1, ECT0 does not 4411 * change the NS bit (that we have yet to find a way to send 4412 * it yet). 4413 */ 4414 4415 /* ECN Nonce stuff */ 4416 stcb->asoc.receiver_nonce_sum++; 4417 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4418 4419 /* 4420 * Drag up the last_echo point if cumack is larger since we 4421 * don't want the point falling way behind by more than 4422 * 2^^31 and then having it be incorrect. 4423 */ 4424 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4425 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4426 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4427 } 4428 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4429 /* 4430 * Drag up the last_echo point if cumack is larger since we 4431 * don't want the point falling way behind by more than 4432 * 2^^31 and then having it be incorrect. 4433 */ 4434 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4435 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4436 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4437 } 4438 } 4439} 4440 4441static __inline void 4442sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4443 uint32_t high_tsn, uint8_t ecn_bits) 4444{ 4445 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4446 /* 4447 * we possibly must notify the sender that a congestion 4448 * window reduction is in order. We do this by adding a ECNE 4449 * chunk to the output chunk queue. The incoming CWR will 4450 * remove this chunk. 4451 */ 4452 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4453 MAX_TSN)) { 4454 /* Yep, we need to add a ECNE */ 4455 sctp_send_ecn_echo(stcb, net, high_tsn); 4456 stcb->asoc.last_echo_tsn = high_tsn; 4457 } 4458 } 4459} 4460 4461/* 4462 * common input chunk processing (v4 and v6) 4463 */ 4464int 4465sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4466 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4467 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4468 uint8_t ecn_bits) 4469{ 4470 /* 4471 * Control chunk processing 4472 */ 4473 uint32_t high_tsn; 4474 int fwd_tsn_seen = 0, data_processed = 0; 4475 struct mbuf *m = *mm; 4476 int abort_flag = 0; 4477 int un_sent; 4478 4479 SCTP_STAT_INCR(sctps_recvdatagrams); 4480#ifdef SCTP_AUDITING_ENABLED 4481 sctp_audit_log(0xE0, 1); 4482 sctp_auditing(0, inp, stcb, net); 4483#endif 4484 4485#ifdef SCTP_DEBUG 4486 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4487 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 4488 m, iphlen, offset); 4489 } 4490#endif /* SCTP_DEBUG */ 4491 4492 if (stcb) { 4493 /* always clear this before beginning a packet */ 4494 stcb->asoc.authenticated = 0; 4495 stcb->asoc.seen_a_sack_this_pkt = 0; 4496 } 4497 if (IS_SCTP_CONTROL(ch)) { 4498 /* process the control portion of the SCTP packet */ 4499 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4500 inp, stcb, &net, &fwd_tsn_seen); 4501 if (stcb) { 4502 /* 4503 * This covers us if the cookie-echo was there and 4504 * it changes our INP. 4505 */ 4506 inp = stcb->sctp_ep; 4507 } 4508 } else { 4509 /* 4510 * no control chunks, so pre-process DATA chunks (these 4511 * checks are taken care of by control processing) 4512 */ 4513 4514 /* 4515 * if DATA only packet, and auth is required, then punt... 4516 * can't have authenticated without any AUTH (control) 4517 * chunks 4518 */ 4519 if ((stcb != NULL) && !sctp_auth_disable && 4520 sctp_auth_is_required_chunk(SCTP_DATA, 4521 stcb->asoc.local_auth_chunks)) { 4522 /* "silently" ignore */ 4523 SCTP_STAT_INCR(sctps_recvauthmissing); 4524 SCTP_TCB_UNLOCK(stcb); 4525 return (1); 4526 } 4527 if (stcb == NULL) { 4528 /* out of the blue DATA chunk */ 4529 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4530 return (1); 4531 } 4532 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4533 /* v_tag mismatch! */ 4534 SCTP_STAT_INCR(sctps_badvtag); 4535 SCTP_TCB_UNLOCK(stcb); 4536 return (1); 4537 } 4538 } 4539 4540 if (stcb == NULL) { 4541 /* 4542 * no valid TCB for this packet, or we found it's a bad 4543 * packet while processing control, or we're done with this 4544 * packet (done or skip rest of data), so we drop it... 4545 */ 4546 return (1); 4547 } 4548 /* 4549 * DATA chunk processing 4550 */ 4551 /* plow through the data chunks while length > offset */ 4552 4553 /* 4554 * Rest should be DATA only. Check authentication state if AUTH for 4555 * DATA is required. 4556 */ 4557 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable && 4558 sctp_auth_is_required_chunk(SCTP_DATA, 4559 stcb->asoc.local_auth_chunks) && 4560 !stcb->asoc.authenticated) { 4561 /* "silently" ignore */ 4562 SCTP_STAT_INCR(sctps_recvauthmissing); 4563#ifdef SCTP_DEBUG 4564 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 4565 printf("Data chunk requires AUTH, skipped\n"); 4566#endif 4567 goto trigger_send; 4568 } 4569 if (length > offset) { 4570 int retval; 4571 4572 /* 4573 * First check to make sure our state is correct. We would 4574 * not get here unless we really did have a tag, so we don't 4575 * abort if this happens, just dump the chunk silently. 4576 */ 4577 switch (SCTP_GET_STATE(&stcb->asoc)) { 4578 case SCTP_STATE_COOKIE_ECHOED: 4579 /* 4580 * we consider data with valid tags in this state 4581 * shows us the cookie-ack was lost. Imply it was 4582 * there. 4583 */ 4584 stcb->asoc.overall_error_count = 0; 4585 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4586 break; 4587 case SCTP_STATE_COOKIE_WAIT: 4588 /* 4589 * We consider OOTB any data sent during asoc setup. 4590 */ 4591 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4592 SCTP_TCB_UNLOCK(stcb); 4593 return (1); 4594 break; 4595 case SCTP_STATE_EMPTY: /* should not happen */ 4596 case SCTP_STATE_INUSE: /* should not happen */ 4597 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4598 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4599 default: 4600 SCTP_TCB_UNLOCK(stcb); 4601 return (1); 4602 break; 4603 case SCTP_STATE_OPEN: 4604 case SCTP_STATE_SHUTDOWN_SENT: 4605 break; 4606 } 4607 /* take care of ECN, part 1. */ 4608 if (stcb->asoc.ecn_allowed && 4609 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4610 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4611 } 4612 /* plow through the data chunks while length > offset */ 4613 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4614 inp, stcb, net, &high_tsn); 4615 if (retval == 2) { 4616 /* 4617 * The association aborted, NO UNLOCK needed since 4618 * the association is destroyed. 4619 */ 4620 return (0); 4621 } 4622 data_processed = 1; 4623 if (retval == 0) { 4624 /* take care of ecn part 2. */ 4625 if (stcb->asoc.ecn_allowed && 4626 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4627 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4628 ecn_bits); 4629 } 4630 } 4631 /* 4632 * Anything important needs to have been m_copy'ed in 4633 * process_data 4634 */ 4635 } 4636 if ((data_processed == 0) && (fwd_tsn_seen)) { 4637 int was_a_gap = 0; 4638 4639 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4640 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4641 /* there was a gap before this data was processed */ 4642 was_a_gap = 1; 4643 } 4644 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4645 if (abort_flag) { 4646 /* Again, we aborted so NO UNLOCK needed */ 4647 return (0); 4648 } 4649 } 4650 /* trigger send of any chunks in queue... */ 4651trigger_send: 4652#ifdef SCTP_AUDITING_ENABLED 4653 sctp_audit_log(0xE0, 2); 4654 sctp_auditing(1, inp, stcb, net); 4655#endif 4656#ifdef SCTP_DEBUG 4657 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4658 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4659 stcb->asoc.peers_rwnd, 4660 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4661 stcb->asoc.total_flight); 4662 } 4663#endif 4664 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4665 4666 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4667 ((un_sent) && 4668 (stcb->asoc.peers_rwnd > 0 || 4669 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4670#ifdef SCTP_DEBUG 4671 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4672 printf("Calling chunk OUTPUT\n"); 4673 } 4674#endif 4675 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4676#ifdef SCTP_DEBUG 4677 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4678 printf("chunk OUTPUT returns\n"); 4679 } 4680#endif 4681 } 4682#ifdef SCTP_AUDITING_ENABLED 4683 sctp_audit_log(0xE0, 3); 4684 sctp_auditing(2, inp, stcb, net); 4685#endif 4686 SCTP_TCB_UNLOCK(stcb); 4687 return (0); 4688} 4689 4690 4691 4692void 4693sctp_input(i_pak, off) 4694 struct mbuf *i_pak; 4695 int off; 4696 4697{ 4698#ifdef SCTP_MBUF_LOGGING 4699 struct mbuf *mat; 4700 4701#endif 4702 struct mbuf *m; 4703 int iphlen; 4704 uint32_t vrf_id; 4705 uint8_t ecn_bits; 4706 struct ip *ip; 4707 struct sctphdr *sh; 4708 struct sctp_inpcb *inp = NULL; 4709 4710 uint32_t check, calc_check; 4711 struct sctp_nets *net; 4712 struct sctp_tcb *stcb = NULL; 4713 struct sctp_chunkhdr *ch; 4714 int refcount_up = 0; 4715 int length, mlen, offset; 4716 4717 vrf_id = SCTP_DEFAULT_VRFID; 4718 mlen = SCTP_HEADER_LEN(i_pak); 4719 iphlen = off; 4720 m = SCTP_HEADER_TO_CHAIN(i_pak); 4721 net = NULL; 4722 SCTP_STAT_INCR(sctps_recvpackets); 4723 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4724 4725#ifdef SCTP_MBUF_LOGGING 4726 /* Log in any input mbufs */ 4727 mat = m; 4728 while (mat) { 4729 if (SCTP_BUF_IS_EXTENDED(mat)) { 4730 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4731 } 4732 mat = SCTP_BUF_NEXT(mat); 4733 } 4734#endif 4735 4736 /* 4737 * Get IP, SCTP, and first chunk header together in first mbuf. 4738 */ 4739 ip = mtod(m, struct ip *); 4740 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4741 if (SCTP_BUF_LEN(m) < offset) { 4742 if ((m = m_pullup(m, offset)) == 0) { 4743 SCTP_STAT_INCR(sctps_hdrops); 4744 return; 4745 } 4746 ip = mtod(m, struct ip *); 4747 } 4748 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4749 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4750 4751 /* SCTP does not allow broadcasts or multicasts */ 4752 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4753 goto bad; 4754 } 4755 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 4756 /* 4757 * We only look at broadcast if its a front state, All 4758 * others we will not have a tcb for anyway. 4759 */ 4760 goto bad; 4761 } 4762 /* validate SCTP checksum */ 4763 if ((sctp_no_csum_on_loopback == 0) || !SCTP_IS_IT_LOOPBACK(m)) { 4764 /* 4765 * we do NOT validate things from the loopback if the sysctl 4766 * is set to 1. 4767 */ 4768 check = sh->checksum; /* save incoming checksum */ 4769 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4770 /* 4771 * special hook for where we got a local address 4772 * somehow routed across a non IFT_LOOP type 4773 * interface 4774 */ 4775 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4776 goto sctp_skip_csum_4; 4777 } 4778 sh->checksum = 0; /* prepare for calc */ 4779 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4780 if (calc_check != check) { 4781#ifdef SCTP_DEBUG 4782 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4783 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4784 calc_check, check, m, mlen, iphlen); 4785 } 4786#endif 4787 4788 stcb = sctp_findassociation_addr(m, iphlen, 4789 offset - sizeof(*ch), 4790 sh, ch, &inp, &net, vrf_id); 4791 if ((inp) && (stcb)) { 4792 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4793 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4794 } else if ((inp != NULL) && (stcb == NULL)) { 4795 refcount_up = 1; 4796 } 4797 SCTP_STAT_INCR(sctps_badsum); 4798 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4799 goto bad; 4800 } 4801 sh->checksum = calc_check; 4802 } 4803sctp_skip_csum_4: 4804 /* destination port of 0 is illegal, based on RFC2960. */ 4805 if (sh->dest_port == 0) { 4806 SCTP_STAT_INCR(sctps_hdrops); 4807 goto bad; 4808 } 4809 /* validate mbuf chain length with IP payload length */ 4810 if (mlen < (ip->ip_len - iphlen)) { 4811 SCTP_STAT_INCR(sctps_hdrops); 4812 goto bad; 4813 } 4814 /* 4815 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4816 * IP/SCTP/first chunk header... 4817 */ 4818 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4819 sh, ch, &inp, &net, vrf_id); 4820 /* inp's ref-count increased && stcb locked */ 4821 if (inp == NULL) { 4822 struct sctp_init_chunk *init_chk, chunk_buf; 4823 4824 SCTP_STAT_INCR(sctps_noport); 4825#ifdef ICMP_BANDLIM 4826 /* 4827 * we use the bandwidth limiting to protect against sending 4828 * too many ABORTS all at once. In this case these count the 4829 * same as an ICMP message. 4830 */ 4831 if (badport_bandlim(0) < 0) 4832 goto bad; 4833#endif /* ICMP_BANDLIM */ 4834#ifdef SCTP_DEBUG 4835 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4836 printf("Sending a ABORT from packet entry!\n"); 4837 } 4838#endif 4839 if (ch->chunk_type == SCTP_INITIATION) { 4840 /* 4841 * we do a trick here to get the INIT tag, dig in 4842 * and get the tag from the INIT and put it in the 4843 * common header. 4844 */ 4845 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4846 iphlen + sizeof(*sh), sizeof(*init_chk), 4847 (uint8_t *) & chunk_buf); 4848 if (init_chk != NULL) 4849 sh->v_tag = init_chk->init.initiate_tag; 4850 } 4851 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4852 sctp_send_shutdown_complete2(m, iphlen, sh); 4853 goto bad; 4854 } 4855 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 4856 goto bad; 4857 } 4858 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 4859 sctp_send_abort(m, iphlen, sh, 0, NULL); 4860 goto bad; 4861 } else if (stcb == NULL) { 4862 refcount_up = 1; 4863 } 4864#ifdef IPSEC 4865 /* 4866 * I very much doubt any of the IPSEC stuff will work but I have no 4867 * idea, so I will leave it in place. 4868 */ 4869 4870 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 4871 ipsecstat.in_polvio++; 4872 SCTP_STAT_INCR(sctps_hdrops); 4873 goto bad; 4874 } 4875#endif /* IPSEC */ 4876 4877 /* 4878 * common chunk processing 4879 */ 4880 length = ip->ip_len + iphlen; 4881 offset -= sizeof(struct sctp_chunkhdr); 4882 4883 ecn_bits = ip->ip_tos; 4884 4885 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4886 inp, stcb, net, ecn_bits); 4887 /* inp's ref-count reduced && stcb unlocked */ 4888 if (m) { 4889 sctp_m_freem(m); 4890 } 4891 if ((inp) && (refcount_up)) { 4892 /* reduce ref-count */ 4893 SCTP_INP_WLOCK(inp); 4894 SCTP_INP_DECR_REF(inp); 4895 SCTP_INP_WUNLOCK(inp); 4896 } 4897 return; 4898bad: 4899 if (stcb) 4900 SCTP_TCB_UNLOCK(stcb); 4901 4902 if ((inp) && (refcount_up)) { 4903 /* reduce ref-count */ 4904 SCTP_INP_WLOCK(inp); 4905 SCTP_INP_DECR_REF(inp); 4906 SCTP_INP_WUNLOCK(inp); 4907 } 4908 if (m) { 4909 sctp_m_freem(m); 4910 } 4911 return; 4912} 4913