sctp_input.c revision 179157
1/*- 2 * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 179157 2008-05-20 13:47:46Z rrs $"); 35 36#include <netinet/sctp_os.h> 37#include <netinet/sctp_var.h> 38#include <netinet/sctp_sysctl.h> 39#include <netinet/sctp_pcb.h> 40#include <netinet/sctp_header.h> 41#include <netinet/sctputil.h> 42#include <netinet/sctp_output.h> 43#include <netinet/sctp_input.h> 44#include <netinet/sctp_auth.h> 45#include <netinet/sctp_indata.h> 46#include <netinet/sctp_asconf.h> 47#include <netinet/sctp_bsd_addr.h> 48#include <netinet/sctp_timer.h> 49#include <netinet/udp.h> 50 51 52 53static void 54sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 55{ 56 struct sctp_nets *net; 57 58 /* 59 * This now not only stops all cookie timers it also stops any INIT 60 * timers as well. This will make sure that the timers are stopped 61 * in all collision cases. 62 */ 63 SCTP_TCB_LOCK_ASSERT(stcb); 64 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 65 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 66 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 67 stcb->sctp_ep, 68 stcb, 69 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 70 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 71 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 72 stcb->sctp_ep, 73 stcb, 74 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 75 } 76 } 77} 78 79/* INIT handler */ 80static void 81sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 82 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 83 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, uint16_t port) 84{ 85 struct sctp_init *init; 86 struct mbuf *op_err; 87 uint32_t init_limit; 88 89 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n", 90 stcb); 91 if (stcb == NULL) { 92 SCTP_INP_RLOCK(inp); 93 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 94 goto outnow; 95 } 96 } 97 op_err = NULL; 98 init = &cp->init; 99 /* First are we accepting? */ 100 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 101 SCTPDBG(SCTP_DEBUG_INPUT2, 102 "sctp_handle_init: Abort, so_qlimit:%d\n", 103 inp->sctp_socket->so_qlimit); 104 /* 105 * FIX ME ?? What about TCP model and we have a 106 * match/restart case? Actually no fix is needed. the lookup 107 * will always find the existing assoc so stcb would not be 108 * NULL. It may be questionable to do this since we COULD 109 * just send back the INIT-ACK and hope that the app did 110 * accept()'s by the time the COOKIE was sent. But there is 111 * a price to pay for COOKIE generation and I don't want to 112 * pay it on the chance that the app will actually do some 113 * accepts(). The App just looses and should NOT be in this 114 * state :-) 115 */ 116 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 117 vrf_id, port); 118 if (stcb) 119 *abort_no_unlock = 1; 120 goto outnow; 121 } 122 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 123 /* Invalid length */ 124 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 125 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 126 vrf_id, port); 127 if (stcb) 128 *abort_no_unlock = 1; 129 goto outnow; 130 } 131 /* validate parameters */ 132 if (init->initiate_tag == 0) { 133 /* protocol error... send abort */ 134 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 135 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 136 vrf_id, port); 137 if (stcb) 138 *abort_no_unlock = 1; 139 goto outnow; 140 } 141 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 142 /* invalid parameter... send abort */ 143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 145 vrf_id, port); 146 if (stcb) 147 *abort_no_unlock = 1; 148 goto outnow; 149 } 150 if (init->num_inbound_streams == 0) { 151 /* protocol error... send abort */ 152 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 153 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 154 vrf_id, port); 155 if (stcb) 156 *abort_no_unlock = 1; 157 goto outnow; 158 } 159 if (init->num_outbound_streams == 0) { 160 /* protocol error... send abort */ 161 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 162 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 163 vrf_id, port); 164 if (stcb) 165 *abort_no_unlock = 1; 166 goto outnow; 167 } 168 init_limit = offset + ntohs(cp->ch.chunk_length); 169 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 170 init_limit)) { 171 /* auth parameter(s) error... send abort */ 172 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id, port); 173 if (stcb) 174 *abort_no_unlock = 1; 175 goto outnow; 176 } 177 /* send an INIT-ACK w/cookie */ 178 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n"); 179 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id, port, 180 ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED)); 181outnow: 182 if (stcb == NULL) { 183 SCTP_INP_RUNLOCK(inp); 184 } 185} 186 187/* 188 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 189 */ 190 191int 192sctp_is_there_unsent_data(struct sctp_tcb *stcb) 193{ 194 int unsent_data = 0; 195 struct sctp_stream_queue_pending *sp; 196 struct sctp_stream_out *strq; 197 struct sctp_association *asoc; 198 199 /* 200 * This function returns the number of streams that have true unsent 201 * data on them. Note that as it looks through it will clean up any 202 * places that have old data that has been sent but left at top of 203 * stream queue. 204 */ 205 asoc = &stcb->asoc; 206 SCTP_TCB_SEND_LOCK(stcb); 207 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 208 /* Check to see if some data queued */ 209 TAILQ_FOREACH(strq, &asoc->out_wheel, next_spoke) { 210 is_there_another: 211 /* sa_ignore FREED_MEMORY */ 212 sp = TAILQ_FIRST(&strq->outqueue); 213 if (sp == NULL) { 214 continue; 215 } 216 if ((sp->msg_is_complete) && 217 (sp->length == 0) && 218 (sp->sender_all_done)) { 219 /* 220 * We are doing differed cleanup. Last time 221 * through when we took all the data the 222 * sender_all_done was not set. 223 */ 224 if (sp->put_last_out == 0) { 225 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n"); 226 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n", 227 sp->sender_all_done, 228 sp->length, 229 sp->msg_is_complete, 230 sp->put_last_out); 231 } 232 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1); 233 TAILQ_REMOVE(&strq->outqueue, sp, next); 234 sctp_free_remote_addr(sp->net); 235 if (sp->data) { 236 sctp_m_freem(sp->data); 237 sp->data = NULL; 238 } 239 sctp_free_a_strmoq(stcb, sp); 240 goto is_there_another; 241 } else { 242 unsent_data++; 243 continue; 244 } 245 } 246 } 247 SCTP_TCB_SEND_UNLOCK(stcb); 248 return (unsent_data); 249} 250 251static int 252sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 253 struct sctp_nets *net) 254{ 255 struct sctp_init *init; 256 struct sctp_association *asoc; 257 struct sctp_nets *lnet; 258 unsigned int i; 259 260 init = &cp->init; 261 asoc = &stcb->asoc; 262 /* save off parameters */ 263 asoc->peer_vtag = ntohl(init->initiate_tag); 264 asoc->peers_rwnd = ntohl(init->a_rwnd); 265 if (TAILQ_FIRST(&asoc->nets)) { 266 /* update any ssthresh's that may have a default */ 267 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 268 lnet->ssthresh = asoc->peers_rwnd; 269 270 if (sctp_logging_level & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) { 271 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 272 } 273 } 274 } 275 SCTP_TCB_SEND_LOCK(stcb); 276 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 277 unsigned int newcnt; 278 struct sctp_stream_out *outs; 279 struct sctp_stream_queue_pending *sp; 280 281 /* cut back on number of streams */ 282 newcnt = ntohs(init->num_inbound_streams); 283 /* This if is probably not needed but I am cautious */ 284 if (asoc->strmout) { 285 /* First make sure no data chunks are trapped */ 286 for (i = newcnt; i < asoc->pre_open_streams; i++) { 287 outs = &asoc->strmout[i]; 288 sp = TAILQ_FIRST(&outs->outqueue); 289 while (sp) { 290 TAILQ_REMOVE(&outs->outqueue, sp, 291 next); 292 asoc->stream_queue_cnt--; 293 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 294 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 295 sp, SCTP_SO_NOT_LOCKED); 296 if (sp->data) { 297 sctp_m_freem(sp->data); 298 sp->data = NULL; 299 } 300 sctp_free_remote_addr(sp->net); 301 sp->net = NULL; 302 /* Free the chunk */ 303 SCTP_PRINTF("sp:%p tcb:%p weird free case\n", 304 sp, stcb); 305 306 sctp_free_a_strmoq(stcb, sp); 307 /* sa_ignore FREED_MEMORY */ 308 sp = TAILQ_FIRST(&outs->outqueue); 309 } 310 } 311 } 312 /* cut back the count and abandon the upper streams */ 313 asoc->pre_open_streams = newcnt; 314 } 315 SCTP_TCB_SEND_UNLOCK(stcb); 316 asoc->streamoutcnt = asoc->pre_open_streams; 317 /* init tsn's */ 318 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 319 if (sctp_logging_level & SCTP_MAP_LOGGING_ENABLE) { 320 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 321 } 322 /* This is the next one we expect */ 323 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 324 325 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 326 asoc->cumulative_tsn = asoc->asconf_seq_in; 327 asoc->last_echo_tsn = asoc->asconf_seq_in; 328 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 329 /* open the requested streams */ 330 331 if (asoc->strmin != NULL) { 332 /* Free the old ones */ 333 struct sctp_queued_to_read *ctl; 334 335 for (i = 0; i < asoc->streamincnt; i++) { 336 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 337 while (ctl) { 338 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 339 sctp_free_remote_addr(ctl->whoFrom); 340 ctl->whoFrom = NULL; 341 sctp_m_freem(ctl->data); 342 ctl->data = NULL; 343 sctp_free_a_readq(stcb, ctl); 344 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 345 } 346 } 347 SCTP_FREE(asoc->strmin, SCTP_M_STRMI); 348 } 349 asoc->streamincnt = ntohs(init->num_outbound_streams); 350 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 351 asoc->streamincnt = MAX_SCTP_STREAMS; 352 } 353 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 354 sizeof(struct sctp_stream_in), SCTP_M_STRMI); 355 if (asoc->strmin == NULL) { 356 /* we didn't get memory for the streams! */ 357 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n"); 358 return (-1); 359 } 360 for (i = 0; i < asoc->streamincnt; i++) { 361 asoc->strmin[i].stream_no = i; 362 asoc->strmin[i].last_sequence_delivered = 0xffff; 363 /* 364 * U-stream ranges will be set when the cookie is unpacked. 365 * Or for the INIT sender they are un set (if pr-sctp not 366 * supported) when the INIT-ACK arrives. 367 */ 368 TAILQ_INIT(&asoc->strmin[i].inqueue); 369 asoc->strmin[i].delivery_started = 0; 370 } 371 /* 372 * load_address_from_init will put the addresses into the 373 * association when the COOKIE is processed or the INIT-ACK is 374 * processed. Both types of COOKIE's existing and new call this 375 * routine. It will remove addresses that are no longer in the 376 * association (for the restarting case where addresses are 377 * removed). Up front when the INIT arrives we will discard it if it 378 * is a restart and new addresses have been added. 379 */ 380 /* sa_ignore MEMLEAK */ 381 return (0); 382} 383 384/* 385 * INIT-ACK message processing/consumption returns value < 0 on error 386 */ 387static int 388sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 389 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 390 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 391{ 392 struct sctp_association *asoc; 393 struct mbuf *op_err; 394 int retval, abort_flag; 395 uint32_t initack_limit; 396 397 /* First verify that we have no illegal param's */ 398 abort_flag = 0; 399 op_err = NULL; 400 401 op_err = sctp_arethere_unrecognized_parameters(m, 402 (offset + sizeof(struct sctp_init_chunk)), 403 &abort_flag, (struct sctp_chunkhdr *)cp); 404 if (abort_flag) { 405 /* Send an abort and notify peer */ 406 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err, SCTP_SO_NOT_LOCKED); 407 *abort_no_unlock = 1; 408 return (-1); 409 } 410 asoc = &stcb->asoc; 411 /* process the peer's parameters in the INIT-ACK */ 412 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 413 if (retval < 0) { 414 return (retval); 415 } 416 initack_limit = offset + ntohs(cp->ch.chunk_length); 417 /* load all addresses */ 418 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 419 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 420 NULL))) { 421 /* Huh, we should abort */ 422 SCTPDBG(SCTP_DEBUG_INPUT1, 423 "Load addresses from INIT causes an abort %d\n", 424 retval); 425 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 426 NULL, 0, net->port); 427 *abort_no_unlock = 1; 428 return (-1); 429 } 430 /* if the peer doesn't support asconf, flush the asconf queue */ 431 if (asoc->peer_supports_asconf == 0) { 432 struct sctp_asconf_addr *aparam; 433 434 while (!TAILQ_EMPTY(&asoc->asconf_queue)) { 435 /* sa_ignore FREED_MEMORY */ 436 aparam = TAILQ_FIRST(&asoc->asconf_queue); 437 TAILQ_REMOVE(&asoc->asconf_queue, aparam, next); 438 SCTP_FREE(aparam, SCTP_M_ASC_ADDR); 439 } 440 } 441 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 442 stcb->asoc.local_hmacs); 443 if (op_err) { 444 sctp_queue_op_err(stcb, op_err); 445 /* queuing will steal away the mbuf chain to the out queue */ 446 op_err = NULL; 447 } 448 /* extract the cookie and queue it to "echo" it back... */ 449 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 450 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 451 stcb->asoc.overall_error_count, 452 0, 453 SCTP_FROM_SCTP_INPUT, 454 __LINE__); 455 } 456 stcb->asoc.overall_error_count = 0; 457 net->error_count = 0; 458 459 /* 460 * Cancel the INIT timer, We do this first before queueing the 461 * cookie. We always cancel at the primary to assue that we are 462 * canceling the timer started by the INIT which always goes to the 463 * primary. 464 */ 465 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 466 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 467 468 /* calculate the RTO */ 469 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy); 470 471 retval = sctp_send_cookie_echo(m, offset, stcb, net); 472 if (retval < 0) { 473 /* 474 * No cookie, we probably should send a op error. But in any 475 * case if there is no cookie in the INIT-ACK, we can 476 * abandon the peer, its broke. 477 */ 478 if (retval == -3) { 479 /* We abort with an error of missing mandatory param */ 480 op_err = 481 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 482 if (op_err) { 483 /* 484 * Expand beyond to include the mandatory 485 * param cookie 486 */ 487 struct sctp_inv_mandatory_param *mp; 488 489 SCTP_BUF_LEN(op_err) = 490 sizeof(struct sctp_inv_mandatory_param); 491 mp = mtod(op_err, 492 struct sctp_inv_mandatory_param *); 493 /* Subtract the reserved param */ 494 mp->length = 495 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 496 mp->num_param = htonl(1); 497 mp->param = htons(SCTP_STATE_COOKIE); 498 mp->resv = 0; 499 } 500 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 501 sh, op_err, 0, net->port); 502 *abort_no_unlock = 1; 503 } 504 return (retval); 505 } 506 return (0); 507} 508 509static void 510sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 511 struct sctp_tcb *stcb, struct sctp_nets *net) 512{ 513 struct sockaddr_storage store; 514 struct sockaddr_in *sin; 515 struct sockaddr_in6 *sin6; 516 struct sctp_nets *r_net; 517 struct timeval tv; 518 int req_prim = 0; 519 520 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 521 /* Invalid length */ 522 return; 523 } 524 sin = (struct sockaddr_in *)&store; 525 sin6 = (struct sockaddr_in6 *)&store; 526 527 memset(&store, 0, sizeof(store)); 528 if (cp->heartbeat.hb_info.addr_family == AF_INET && 529 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 530 sin->sin_family = cp->heartbeat.hb_info.addr_family; 531 sin->sin_len = cp->heartbeat.hb_info.addr_len; 532 sin->sin_port = stcb->rport; 533 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 534 sizeof(sin->sin_addr)); 535 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 536 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 537 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 538 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 539 sin6->sin6_port = stcb->rport; 540 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 541 sizeof(sin6->sin6_addr)); 542 } else { 543 return; 544 } 545 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 546 if (r_net == NULL) { 547 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n"); 548 return; 549 } 550 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 551 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 552 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 553 /* 554 * If the its a HB and it's random value is correct when can 555 * confirm the destination. 556 */ 557 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 558 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 559 stcb->asoc.primary_destination = r_net; 560 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY; 561 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 562 r_net = TAILQ_FIRST(&stcb->asoc.nets); 563 if (r_net != stcb->asoc.primary_destination) { 564 /* 565 * first one on the list is NOT the primary 566 * sctp_cmpaddr() is much more efficent if 567 * the primary is the first on the list, 568 * make it so. 569 */ 570 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 571 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 572 } 573 req_prim = 1; 574 } 575 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 576 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED); 577 } 578 r_net->error_count = 0; 579 r_net->hb_responded = 1; 580 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 581 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 582 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 583 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 584 r_net->dest_state |= SCTP_ADDR_REACHABLE; 585 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 586 SCTP_HEARTBEAT_SUCCESS, (void *)r_net, SCTP_SO_NOT_LOCKED); 587 /* now was it the primary? if so restore */ 588 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 589 (void)sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 590 } 591 } 592 /* 593 * JRS 5/14/07 - If CMT PF is on and the destination is in PF state, 594 * set the destination to active state and set the cwnd to one or 595 * two MTU's based on whether PF1 or PF2 is being used. If a T3 596 * timer is running, for the destination, stop the timer because a 597 * PF-heartbeat was received. 598 */ 599 if (sctp_cmt_on_off && sctp_cmt_pf && (net->dest_state & SCTP_ADDR_PF) == 600 SCTP_ADDR_PF) { 601 if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 602 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 603 stcb, net, 604 SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 605 } 606 net->dest_state &= ~SCTP_ADDR_PF; 607 net->cwnd = net->mtu * sctp_cmt_pf; 608 SCTPDBG(SCTP_DEBUG_INPUT1, "Destination %p moved from PF to reachable with cwnd %d.\n", 609 net, net->cwnd); 610 } 611 /* Now lets do a RTO with this */ 612 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy); 613 /* Mobility adaptation */ 614 if (req_prim) { 615 if ((sctp_is_mobility_feature_on(stcb->sctp_ep, 616 SCTP_MOBILITY_BASE) || 617 sctp_is_mobility_feature_on(stcb->sctp_ep, 618 SCTP_MOBILITY_FASTHANDOFF)) && 619 sctp_is_mobility_feature_on(stcb->sctp_ep, 620 SCTP_MOBILITY_PRIM_DELETED)) { 621 622 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_TIMER + SCTP_LOC_7); 623 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 624 SCTP_MOBILITY_FASTHANDOFF)) { 625 sctp_assoc_immediate_retrans(stcb, 626 stcb->asoc.primary_destination); 627 } 628 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 629 SCTP_MOBILITY_BASE)) { 630 sctp_move_chunks_from_deleted_prim(stcb, 631 stcb->asoc.primary_destination); 632 } 633 sctp_delete_prim_timer(stcb->sctp_ep, stcb, 634 stcb->asoc.deleted_primary); 635 } 636 } 637} 638 639static void 640sctp_handle_abort(struct sctp_abort_chunk *cp, 641 struct sctp_tcb *stcb, struct sctp_nets *net) 642{ 643#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 644 struct socket *so; 645 646#endif 647 648 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n"); 649 if (stcb == NULL) 650 return; 651 652 /* stop any receive timers */ 653 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 654 /* notify user of the abort and clean up... */ 655 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED); 656 /* free the tcb */ 657#if defined(SCTP_PANIC_ON_ABORT) 658 printf("stcb:%p state:%d rport:%d net:%p\n", 659 stcb, stcb->asoc.state, stcb->rport, net); 660 if (!(stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) { 661 panic("Received an ABORT"); 662 } else { 663 printf("No panic its in state %x closed\n", stcb->asoc.state); 664 } 665#endif 666 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 667 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 668 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 669 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 670 } 671#ifdef SCTP_ASOCLOG_OF_TSNS 672 sctp_print_out_track_log(stcb); 673#endif 674#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 675 so = SCTP_INP_SO(stcb->sctp_ep); 676 atomic_add_int(&stcb->asoc.refcnt, 1); 677 SCTP_TCB_UNLOCK(stcb); 678 SCTP_SOCKET_LOCK(so, 1); 679 SCTP_TCB_LOCK(stcb); 680 atomic_subtract_int(&stcb->asoc.refcnt, 1); 681#endif 682 stcb->asoc.state |= SCTP_STATE_WAS_ABORTED; 683 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 684 SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 685#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 686 SCTP_SOCKET_UNLOCK(so, 1); 687#endif 688 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n"); 689} 690 691static void 692sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 693 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 694{ 695 struct sctp_association *asoc; 696 int some_on_streamwheel; 697 698#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 699 struct socket *so; 700 701#endif 702 703 SCTPDBG(SCTP_DEBUG_INPUT2, 704 "sctp_handle_shutdown: handling SHUTDOWN\n"); 705 if (stcb == NULL) 706 return; 707 asoc = &stcb->asoc; 708 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 709 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 710 return; 711 } 712 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 713 /* Shutdown NOT the expected size */ 714 return; 715 } else { 716 sctp_update_acked(stcb, cp, net, abort_flag); 717 } 718 if (asoc->control_pdapi) { 719 /* 720 * With a normal shutdown we assume the end of last record. 721 */ 722 SCTP_INP_READ_LOCK(stcb->sctp_ep); 723 asoc->control_pdapi->end_added = 1; 724 asoc->control_pdapi->pdapi_aborted = 1; 725 asoc->control_pdapi = NULL; 726 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 727#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 728 so = SCTP_INP_SO(stcb->sctp_ep); 729 atomic_add_int(&stcb->asoc.refcnt, 1); 730 SCTP_TCB_UNLOCK(stcb); 731 SCTP_SOCKET_LOCK(so, 1); 732 SCTP_TCB_LOCK(stcb); 733 atomic_subtract_int(&stcb->asoc.refcnt, 1); 734 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 735 /* assoc was freed while we were unlocked */ 736 SCTP_SOCKET_UNLOCK(so, 1); 737 return; 738 } 739#endif 740 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 741#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 742 SCTP_SOCKET_UNLOCK(so, 1); 743#endif 744 } 745 /* goto SHUTDOWN_RECEIVED state to block new requests */ 746 if (stcb->sctp_socket) { 747 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 748 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) && 749 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 750 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED); 751 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 752 /* 753 * notify upper layer that peer has initiated a 754 * shutdown 755 */ 756 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 757 758 /* reset time */ 759 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 760 } 761 } 762 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 763 /* 764 * stop the shutdown timer, since we WILL move to 765 * SHUTDOWN-ACK-SENT. 766 */ 767 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 768 } 769 /* Now is there unsent data on a stream somewhere? */ 770 some_on_streamwheel = sctp_is_there_unsent_data(stcb); 771 772 if (!TAILQ_EMPTY(&asoc->send_queue) || 773 !TAILQ_EMPTY(&asoc->sent_queue) || 774 some_on_streamwheel) { 775 /* By returning we will push more data out */ 776 return; 777 } else { 778 /* no outstanding data to send, so move on... */ 779 /* send SHUTDOWN-ACK */ 780 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 781 /* move to SHUTDOWN-ACK-SENT state */ 782 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 783 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 784 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 785 } 786 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT); 787 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 788 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, 789 SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 790 /* start SHUTDOWN timer */ 791 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 792 stcb, net); 793 } 794} 795 796static void 797sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 798 struct sctp_tcb *stcb, struct sctp_nets *net) 799{ 800 struct sctp_association *asoc; 801 802#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 803 struct socket *so; 804 805 so = SCTP_INP_SO(stcb->sctp_ep); 806#endif 807 SCTPDBG(SCTP_DEBUG_INPUT2, 808 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 809 if (stcb == NULL) 810 return; 811 812 asoc = &stcb->asoc; 813 /* process according to association state */ 814 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 815 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 816 /* unexpected SHUTDOWN-ACK... so ignore... */ 817 SCTP_TCB_UNLOCK(stcb); 818 return; 819 } 820 if (asoc->control_pdapi) { 821 /* 822 * With a normal shutdown we assume the end of last record. 823 */ 824 SCTP_INP_READ_LOCK(stcb->sctp_ep); 825 asoc->control_pdapi->end_added = 1; 826 asoc->control_pdapi->pdapi_aborted = 1; 827 asoc->control_pdapi = NULL; 828 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 829#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 830 atomic_add_int(&stcb->asoc.refcnt, 1); 831 SCTP_TCB_UNLOCK(stcb); 832 SCTP_SOCKET_LOCK(so, 1); 833 SCTP_TCB_LOCK(stcb); 834 atomic_subtract_int(&stcb->asoc.refcnt, 1); 835 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 836 /* assoc was freed while we were unlocked */ 837 SCTP_SOCKET_UNLOCK(so, 1); 838 return; 839 } 840#endif 841 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 842#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 843 SCTP_SOCKET_UNLOCK(so, 1); 844#endif 845 } 846 /* are the queues empty? */ 847 if (!TAILQ_EMPTY(&asoc->send_queue) || 848 !TAILQ_EMPTY(&asoc->sent_queue) || 849 !TAILQ_EMPTY(&asoc->out_wheel)) { 850 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED); 851 } 852 /* stop the timer */ 853 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 854 /* send SHUTDOWN-COMPLETE */ 855 sctp_send_shutdown_complete(stcb, net); 856 /* notify upper layer protocol */ 857 if (stcb->sctp_socket) { 858 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 859 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 860 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 861 /* Set the connected flag to disconnected */ 862 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 863 } 864 } 865 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 866 /* free the TCB but first save off the ep */ 867#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 868 atomic_add_int(&stcb->asoc.refcnt, 1); 869 SCTP_TCB_UNLOCK(stcb); 870 SCTP_SOCKET_LOCK(so, 1); 871 SCTP_TCB_LOCK(stcb); 872 atomic_subtract_int(&stcb->asoc.refcnt, 1); 873#endif 874 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 875 SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 876#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 877 SCTP_SOCKET_UNLOCK(so, 1); 878#endif 879} 880 881/* 882 * Skip past the param header and then we will find the chunk that caused the 883 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 884 * our peer must be broken. 885 */ 886static void 887sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 888 struct sctp_nets *net) 889{ 890 struct sctp_chunkhdr *chk; 891 892 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 893 switch (chk->chunk_type) { 894 case SCTP_ASCONF_ACK: 895 case SCTP_ASCONF: 896 sctp_asconf_cleanup(stcb, net); 897 break; 898 case SCTP_FORWARD_CUM_TSN: 899 stcb->asoc.peer_supports_prsctp = 0; 900 break; 901 default: 902 SCTPDBG(SCTP_DEBUG_INPUT2, 903 "Peer does not support chunk type %d(%x)??\n", 904 chk->chunk_type, (uint32_t) chk->chunk_type); 905 break; 906 } 907} 908 909/* 910 * Skip past the param header and then we will find the param that caused the 911 * problem. There are a number of param's in a ASCONF OR the prsctp param 912 * these will turn of specific features. 913 */ 914static void 915sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 916{ 917 struct sctp_paramhdr *pbad; 918 919 pbad = phdr + 1; 920 switch (ntohs(pbad->param_type)) { 921 /* pr-sctp draft */ 922 case SCTP_PRSCTP_SUPPORTED: 923 stcb->asoc.peer_supports_prsctp = 0; 924 break; 925 case SCTP_SUPPORTED_CHUNK_EXT: 926 break; 927 /* draft-ietf-tsvwg-addip-sctp */ 928 case SCTP_ECN_NONCE_SUPPORTED: 929 stcb->asoc.peer_supports_ecn_nonce = 0; 930 stcb->asoc.ecn_nonce_allowed = 0; 931 stcb->asoc.ecn_allowed = 0; 932 break; 933 case SCTP_ADD_IP_ADDRESS: 934 case SCTP_DEL_IP_ADDRESS: 935 case SCTP_SET_PRIM_ADDR: 936 stcb->asoc.peer_supports_asconf = 0; 937 break; 938 case SCTP_SUCCESS_REPORT: 939 case SCTP_ERROR_CAUSE_IND: 940 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n"); 941 SCTPDBG(SCTP_DEBUG_INPUT2, 942 "Turning off ASCONF to this strange peer\n"); 943 stcb->asoc.peer_supports_asconf = 0; 944 break; 945 default: 946 SCTPDBG(SCTP_DEBUG_INPUT2, 947 "Peer does not support param type %d(%x)??\n", 948 pbad->param_type, (uint32_t) pbad->param_type); 949 break; 950 } 951} 952 953static int 954sctp_handle_error(struct sctp_chunkhdr *ch, 955 struct sctp_tcb *stcb, struct sctp_nets *net) 956{ 957 int chklen; 958 struct sctp_paramhdr *phdr; 959 uint16_t error_type; 960 uint16_t error_len; 961 struct sctp_association *asoc; 962 int adjust; 963 964#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 965 struct socket *so; 966 967#endif 968 969 /* parse through all of the errors and process */ 970 asoc = &stcb->asoc; 971 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 972 sizeof(struct sctp_chunkhdr)); 973 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 974 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 975 /* Process an Error Cause */ 976 error_type = ntohs(phdr->param_type); 977 error_len = ntohs(phdr->param_length); 978 if ((error_len > chklen) || (error_len == 0)) { 979 /* invalid param length for this param */ 980 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n", 981 chklen, error_len); 982 return (0); 983 } 984 switch (error_type) { 985 case SCTP_CAUSE_INVALID_STREAM: 986 case SCTP_CAUSE_MISSING_PARAM: 987 case SCTP_CAUSE_INVALID_PARAM: 988 case SCTP_CAUSE_NO_USER_DATA: 989 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n", 990 error_type); 991 break; 992 case SCTP_CAUSE_STALE_COOKIE: 993 /* 994 * We only act if we have echoed a cookie and are 995 * waiting. 996 */ 997 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 998 int *p; 999 1000 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 1001 /* Save the time doubled */ 1002 asoc->cookie_preserve_req = ntohl(*p) << 1; 1003 asoc->stale_cookie_count++; 1004 if (asoc->stale_cookie_count > 1005 asoc->max_init_times) { 1006 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED); 1007 /* now free the asoc */ 1008#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1009 so = SCTP_INP_SO(stcb->sctp_ep); 1010 atomic_add_int(&stcb->asoc.refcnt, 1); 1011 SCTP_TCB_UNLOCK(stcb); 1012 SCTP_SOCKET_LOCK(so, 1); 1013 SCTP_TCB_LOCK(stcb); 1014 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1015#endif 1016 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 1017 SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1018#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1019 SCTP_SOCKET_UNLOCK(so, 1); 1020#endif 1021 return (-1); 1022 } 1023 /* blast back to INIT state */ 1024 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 1025 asoc->state |= SCTP_STATE_COOKIE_WAIT; 1026 1027 sctp_stop_all_cookie_timers(stcb); 1028 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 1029 } 1030 break; 1031 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 1032 /* 1033 * Nothing we can do here, we don't do hostname 1034 * addresses so if the peer does not like my IPv6 1035 * (or IPv4 for that matter) it does not matter. If 1036 * they don't support that type of address, they can 1037 * NOT possibly get that packet type... i.e. with no 1038 * IPv6 you can't recieve a IPv6 packet. so we can 1039 * safely ignore this one. If we ever added support 1040 * for HOSTNAME Addresses, then we would need to do 1041 * something here. 1042 */ 1043 break; 1044 case SCTP_CAUSE_UNRECOG_CHUNK: 1045 sctp_process_unrecog_chunk(stcb, phdr, net); 1046 break; 1047 case SCTP_CAUSE_UNRECOG_PARAM: 1048 sctp_process_unrecog_param(stcb, phdr); 1049 break; 1050 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 1051 /* 1052 * We ignore this since the timer will drive out a 1053 * new cookie anyway and there timer will drive us 1054 * to send a SHUTDOWN_COMPLETE. We can't send one 1055 * here since we don't have their tag. 1056 */ 1057 break; 1058 case SCTP_CAUSE_DELETING_LAST_ADDR: 1059 case SCTP_CAUSE_RESOURCE_SHORTAGE: 1060 case SCTP_CAUSE_DELETING_SRC_ADDR: 1061 /* 1062 * We should NOT get these here, but in a 1063 * ASCONF-ACK. 1064 */ 1065 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n", 1066 error_type); 1067 break; 1068 case SCTP_CAUSE_OUT_OF_RESC: 1069 /* 1070 * And what, pray tell do we do with the fact that 1071 * the peer is out of resources? Not really sure we 1072 * could do anything but abort. I suspect this 1073 * should have came WITH an abort instead of in a 1074 * OP-ERROR. 1075 */ 1076 break; 1077 default: 1078 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n", 1079 error_type); 1080 break; 1081 } 1082 adjust = SCTP_SIZE32(error_len); 1083 chklen -= adjust; 1084 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 1085 } 1086 return (0); 1087} 1088 1089static int 1090sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, 1091 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 1092 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 1093{ 1094 struct sctp_init_ack *init_ack; 1095 struct mbuf *op_err; 1096 1097 SCTPDBG(SCTP_DEBUG_INPUT2, 1098 "sctp_handle_init_ack: handling INIT-ACK\n"); 1099 1100 if (stcb == NULL) { 1101 SCTPDBG(SCTP_DEBUG_INPUT2, 1102 "sctp_handle_init_ack: TCB is null\n"); 1103 return (-1); 1104 } 1105 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 1106 /* Invalid length */ 1107 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1108 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1109 op_err, 0, net->port); 1110 *abort_no_unlock = 1; 1111 return (-1); 1112 } 1113 init_ack = &cp->init; 1114 /* validate parameters */ 1115 if (init_ack->initiate_tag == 0) { 1116 /* protocol error... send an abort */ 1117 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1118 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1119 op_err, 0, net->port); 1120 *abort_no_unlock = 1; 1121 return (-1); 1122 } 1123 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 1124 /* protocol error... send an abort */ 1125 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1126 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1127 op_err, 0, net->port); 1128 *abort_no_unlock = 1; 1129 return (-1); 1130 } 1131 if (init_ack->num_inbound_streams == 0) { 1132 /* protocol error... send an abort */ 1133 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1134 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1135 op_err, 0, net->port); 1136 *abort_no_unlock = 1; 1137 return (-1); 1138 } 1139 if (init_ack->num_outbound_streams == 0) { 1140 /* protocol error... send an abort */ 1141 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1142 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1143 op_err, 0, net->port); 1144 *abort_no_unlock = 1; 1145 return (-1); 1146 } 1147 /* process according to association state... */ 1148 switch (stcb->asoc.state & SCTP_STATE_MASK) { 1149 case SCTP_STATE_COOKIE_WAIT: 1150 /* this is the expected state for this chunk */ 1151 /* process the INIT-ACK parameters */ 1152 if (stcb->asoc.primary_destination->dest_state & 1153 SCTP_ADDR_UNCONFIRMED) { 1154 /* 1155 * The primary is where we sent the INIT, we can 1156 * always consider it confirmed when the INIT-ACK is 1157 * returned. Do this before we load addresses 1158 * though. 1159 */ 1160 stcb->asoc.primary_destination->dest_state &= 1161 ~SCTP_ADDR_UNCONFIRMED; 1162 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1163 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED); 1164 } 1165 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, 1166 net, abort_no_unlock, vrf_id) < 0) { 1167 /* error in parsing parameters */ 1168 return (-1); 1169 } 1170 /* update our state */ 1171 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n"); 1172 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED); 1173 1174 /* reset the RTO calc */ 1175 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 1176 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 1177 stcb->asoc.overall_error_count, 1178 0, 1179 SCTP_FROM_SCTP_INPUT, 1180 __LINE__); 1181 } 1182 stcb->asoc.overall_error_count = 0; 1183 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1184 /* 1185 * collapse the init timer back in case of a exponential 1186 * backoff 1187 */ 1188 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1189 stcb, net); 1190 /* 1191 * the send at the end of the inbound data processing will 1192 * cause the cookie to be sent 1193 */ 1194 break; 1195 case SCTP_STATE_SHUTDOWN_SENT: 1196 /* incorrect state... discard */ 1197 break; 1198 case SCTP_STATE_COOKIE_ECHOED: 1199 /* incorrect state... discard */ 1200 break; 1201 case SCTP_STATE_OPEN: 1202 /* incorrect state... discard */ 1203 break; 1204 case SCTP_STATE_EMPTY: 1205 case SCTP_STATE_INUSE: 1206 default: 1207 /* incorrect state... discard */ 1208 return (-1); 1209 break; 1210 } 1211 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n"); 1212 return (0); 1213} 1214 1215 1216/* 1217 * handle a state cookie for an existing association m: input packet mbuf 1218 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1219 * "split" mbuf and the cookie signature does not exist offset: offset into 1220 * mbuf to the cookie-echo chunk 1221 */ 1222static struct sctp_tcb * 1223sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1224 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1225 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1226 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id, 1227 uint32_t vrf_id) 1228{ 1229 struct sctp_association *asoc; 1230 struct sctp_init_chunk *init_cp, init_buf; 1231 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1232 int chk_length; 1233 int init_offset, initack_offset, i; 1234 int retval; 1235 int spec_flag = 0; 1236 uint32_t how_indx; 1237 1238 /* I know that the TCB is non-NULL from the caller */ 1239 asoc = &stcb->asoc; 1240 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1241 if (asoc->cookie_how[how_indx] == 0) 1242 break; 1243 } 1244 if (how_indx < sizeof(asoc->cookie_how)) { 1245 asoc->cookie_how[how_indx] = 1; 1246 } 1247 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1248 /* SHUTDOWN came in after sending INIT-ACK */ 1249 struct mbuf *op_err; 1250 struct sctp_paramhdr *ph; 1251 1252 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1253 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1254 0, M_DONTWAIT, 1, MT_DATA); 1255 if (op_err == NULL) { 1256 /* FOOBAR */ 1257 return (NULL); 1258 } 1259 /* pre-reserve some space */ 1260#ifdef INET6 1261 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1262#else 1263 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip)); 1264#endif 1265 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1266 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1267 /* Set the len */ 1268 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1269 ph = mtod(op_err, struct sctp_paramhdr *); 1270 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1271 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1272 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 1273 vrf_id, net->port); 1274 if (how_indx < sizeof(asoc->cookie_how)) 1275 asoc->cookie_how[how_indx] = 2; 1276 return (NULL); 1277 } 1278 /* 1279 * find and validate the INIT chunk in the cookie (peer's info) the 1280 * INIT should start after the cookie-echo header struct (chunk 1281 * header, state cookie header struct) 1282 */ 1283 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1284 1285 init_cp = (struct sctp_init_chunk *) 1286 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1287 (uint8_t *) & init_buf); 1288 if (init_cp == NULL) { 1289 /* could not pull a INIT chunk in cookie */ 1290 return (NULL); 1291 } 1292 chk_length = ntohs(init_cp->ch.chunk_length); 1293 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1294 return (NULL); 1295 } 1296 /* 1297 * find and validate the INIT-ACK chunk in the cookie (my info) the 1298 * INIT-ACK follows the INIT chunk 1299 */ 1300 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1301 initack_cp = (struct sctp_init_ack_chunk *) 1302 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1303 (uint8_t *) & initack_buf); 1304 if (initack_cp == NULL) { 1305 /* could not pull INIT-ACK chunk in cookie */ 1306 return (NULL); 1307 } 1308 chk_length = ntohs(initack_cp->ch.chunk_length); 1309 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1310 return (NULL); 1311 } 1312 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1313 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1314 /* 1315 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1316 * to get into the OPEN state 1317 */ 1318 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1319 /*- 1320 * Opps, this means that we somehow generated two vtag's 1321 * the same. I.e. we did: 1322 * Us Peer 1323 * <---INIT(tag=a)------ 1324 * ----INIT-ACK(tag=t)--> 1325 * ----INIT(tag=t)------> *1 1326 * <---INIT-ACK(tag=a)--- 1327 * <----CE(tag=t)------------- *2 1328 * 1329 * At point *1 we should be generating a different 1330 * tag t'. Which means we would throw away the CE and send 1331 * ours instead. Basically this is case C (throw away side). 1332 */ 1333 if (how_indx < sizeof(asoc->cookie_how)) 1334 asoc->cookie_how[how_indx] = 17; 1335 return (NULL); 1336 1337 } 1338 switch SCTP_GET_STATE 1339 (asoc) { 1340 case SCTP_STATE_COOKIE_WAIT: 1341 case SCTP_STATE_COOKIE_ECHOED: 1342 /* 1343 * INIT was sent but got a COOKIE_ECHO with the 1344 * correct tags... just accept it...but we must 1345 * process the init so that we can make sure we have 1346 * the right seq no's. 1347 */ 1348 /* First we must process the INIT !! */ 1349 retval = sctp_process_init(init_cp, stcb, net); 1350 if (retval < 0) { 1351 if (how_indx < sizeof(asoc->cookie_how)) 1352 asoc->cookie_how[how_indx] = 3; 1353 return (NULL); 1354 } 1355 /* we have already processed the INIT so no problem */ 1356 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1357 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1358 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1359 /* update current state */ 1360 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1361 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1362 else 1363 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1364 1365 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1366 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1367 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1368 stcb->sctp_ep, stcb, asoc->primary_destination); 1369 } 1370 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1371 sctp_stop_all_cookie_timers(stcb); 1372 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1373 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1374 (inp->sctp_socket->so_qlimit == 0) 1375 ) { 1376#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1377 struct socket *so; 1378 1379#endif 1380 /* 1381 * Here is where collision would go if we 1382 * did a connect() and instead got a 1383 * init/init-ack/cookie done before the 1384 * init-ack came back.. 1385 */ 1386 stcb->sctp_ep->sctp_flags |= 1387 SCTP_PCB_FLAGS_CONNECTED; 1388#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1389 so = SCTP_INP_SO(stcb->sctp_ep); 1390 atomic_add_int(&stcb->asoc.refcnt, 1); 1391 SCTP_TCB_UNLOCK(stcb); 1392 SCTP_SOCKET_LOCK(so, 1); 1393 SCTP_TCB_LOCK(stcb); 1394 atomic_add_int(&stcb->asoc.refcnt, -1); 1395 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1396 SCTP_SOCKET_UNLOCK(so, 1); 1397 return (NULL); 1398 } 1399#endif 1400 soisconnected(stcb->sctp_socket); 1401#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1402 SCTP_SOCKET_UNLOCK(so, 1); 1403#endif 1404 } 1405 /* notify upper layer */ 1406 *notification = SCTP_NOTIFY_ASSOC_UP; 1407 /* 1408 * since we did not send a HB make sure we don't 1409 * double things 1410 */ 1411 net->hb_responded = 1; 1412 net->RTO = sctp_calculate_rto(stcb, asoc, net, 1413 &cookie->time_entered, sctp_align_unsafe_makecopy); 1414 1415 if (stcb->asoc.sctp_autoclose_ticks && 1416 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1417 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1418 inp, stcb, NULL); 1419 } 1420 break; 1421 default: 1422 /* 1423 * we're in the OPEN state (or beyond), so peer must 1424 * have simply lost the COOKIE-ACK 1425 */ 1426 break; 1427 } /* end switch */ 1428 sctp_stop_all_cookie_timers(stcb); 1429 /* 1430 * We ignore the return code here.. not sure if we should 1431 * somehow abort.. but we do have an existing asoc. This 1432 * really should not fail. 1433 */ 1434 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1435 init_offset + sizeof(struct sctp_init_chunk), 1436 initack_offset, sh, init_src)) { 1437 if (how_indx < sizeof(asoc->cookie_how)) 1438 asoc->cookie_how[how_indx] = 4; 1439 return (NULL); 1440 } 1441 /* respond with a COOKIE-ACK */ 1442 sctp_toss_old_cookies(stcb, asoc); 1443 sctp_send_cookie_ack(stcb); 1444 if (how_indx < sizeof(asoc->cookie_how)) 1445 asoc->cookie_how[how_indx] = 5; 1446 return (stcb); 1447 } 1448 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1449 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1450 cookie->tie_tag_my_vtag == 0 && 1451 cookie->tie_tag_peer_vtag == 0) { 1452 /* 1453 * case C in Section 5.2.4 Table 2: XMOO silently discard 1454 */ 1455 if (how_indx < sizeof(asoc->cookie_how)) 1456 asoc->cookie_how[how_indx] = 6; 1457 return (NULL); 1458 } 1459 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1460 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1461 init_cp->init.initiate_tag == 0)) { 1462 /* 1463 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1464 * should be ok, re-accept peer info 1465 */ 1466 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1467 /* 1468 * Extension of case C. If we hit this, then the 1469 * random number generator returned the same vtag 1470 * when we first sent our INIT-ACK and when we later 1471 * sent our INIT. The side with the seq numbers that 1472 * are different will be the one that normnally 1473 * would have hit case C. This in effect "extends" 1474 * our vtags in this collision case to be 64 bits. 1475 * The same collision could occur aka you get both 1476 * vtag and seq number the same twice in a row.. but 1477 * is much less likely. If it did happen then we 1478 * would proceed through and bring up the assoc.. we 1479 * may end up with the wrong stream setup however.. 1480 * which would be bad.. but there is no way to 1481 * tell.. until we send on a stream that does not 1482 * exist :-) 1483 */ 1484 if (how_indx < sizeof(asoc->cookie_how)) 1485 asoc->cookie_how[how_indx] = 7; 1486 1487 return (NULL); 1488 } 1489 if (how_indx < sizeof(asoc->cookie_how)) 1490 asoc->cookie_how[how_indx] = 8; 1491 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1492 sctp_stop_all_cookie_timers(stcb); 1493 /* 1494 * since we did not send a HB make sure we don't double 1495 * things 1496 */ 1497 net->hb_responded = 1; 1498 if (stcb->asoc.sctp_autoclose_ticks && 1499 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1500 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1501 NULL); 1502 } 1503 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1504 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1505 1506 /* Note last_cwr_tsn? where is this used? */ 1507 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1508 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1509 /* 1510 * Ok the peer probably discarded our data (if we 1511 * echoed a cookie+data). So anything on the 1512 * sent_queue should be marked for retransmit, we 1513 * may not get something to kick us so it COULD 1514 * still take a timeout to move these.. but it can't 1515 * hurt to mark them. 1516 */ 1517 struct sctp_tmit_chunk *chk; 1518 1519 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1520 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1521 chk->sent = SCTP_DATAGRAM_RESEND; 1522 sctp_flight_size_decrease(chk); 1523 sctp_total_flight_decrease(stcb, chk); 1524 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1525 spec_flag++; 1526 } 1527 } 1528 1529 } 1530 /* process the INIT info (peer's info) */ 1531 retval = sctp_process_init(init_cp, stcb, net); 1532 if (retval < 0) { 1533 if (how_indx < sizeof(asoc->cookie_how)) 1534 asoc->cookie_how[how_indx] = 9; 1535 return (NULL); 1536 } 1537 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1538 init_offset + sizeof(struct sctp_init_chunk), 1539 initack_offset, sh, init_src)) { 1540 if (how_indx < sizeof(asoc->cookie_how)) 1541 asoc->cookie_how[how_indx] = 10; 1542 return (NULL); 1543 } 1544 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1545 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1546 *notification = SCTP_NOTIFY_ASSOC_UP; 1547 1548 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1549 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1550 (inp->sctp_socket->so_qlimit == 0)) { 1551#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1552 struct socket *so; 1553 1554#endif 1555 stcb->sctp_ep->sctp_flags |= 1556 SCTP_PCB_FLAGS_CONNECTED; 1557#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1558 so = SCTP_INP_SO(stcb->sctp_ep); 1559 atomic_add_int(&stcb->asoc.refcnt, 1); 1560 SCTP_TCB_UNLOCK(stcb); 1561 SCTP_SOCKET_LOCK(so, 1); 1562 SCTP_TCB_LOCK(stcb); 1563 atomic_add_int(&stcb->asoc.refcnt, -1); 1564 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1565 SCTP_SOCKET_UNLOCK(so, 1); 1566 return (NULL); 1567 } 1568#endif 1569 soisconnected(stcb->sctp_socket); 1570#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1571 SCTP_SOCKET_UNLOCK(so, 1); 1572#endif 1573 } 1574 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1575 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1576 else 1577 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1578 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1579 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1580 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1581 } else { 1582 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1583 } 1584 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1585 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1586 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1587 stcb->sctp_ep, stcb, asoc->primary_destination); 1588 } 1589 sctp_stop_all_cookie_timers(stcb); 1590 sctp_toss_old_cookies(stcb, asoc); 1591 sctp_send_cookie_ack(stcb); 1592 if (spec_flag) { 1593 /* 1594 * only if we have retrans set do we do this. What 1595 * this call does is get only the COOKIE-ACK out and 1596 * then when we return the normal call to 1597 * sctp_chunk_output will get the retrans out behind 1598 * this. 1599 */ 1600 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED); 1601 } 1602 if (how_indx < sizeof(asoc->cookie_how)) 1603 asoc->cookie_how[how_indx] = 11; 1604 1605 return (stcb); 1606 } 1607 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1608 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1609 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1610 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1611 cookie->tie_tag_peer_vtag != 0) { 1612 struct sctpasochead *head; 1613 1614 /* 1615 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1616 */ 1617 /* temp code */ 1618 if (how_indx < sizeof(asoc->cookie_how)) 1619 asoc->cookie_how[how_indx] = 12; 1620 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1621 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1622 1623 *sac_assoc_id = sctp_get_associd(stcb); 1624 /* notify upper layer */ 1625 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1626 atomic_add_int(&stcb->asoc.refcnt, 1); 1627 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1628 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1629 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1630 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1631 } 1632 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1633 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1634 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1635 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1636 } 1637 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1638 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1639 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1640 stcb->sctp_ep, stcb, asoc->primary_destination); 1641 1642 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1643 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1644 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1645 } 1646 asoc->pre_open_streams = 1647 ntohs(initack_cp->init.num_outbound_streams); 1648 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1649 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1650 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; 1651 1652 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1653 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1654 1655 asoc->str_reset_seq_in = asoc->init_seq_number; 1656 1657 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1658 if (asoc->mapping_array) { 1659 memset(asoc->mapping_array, 0, 1660 asoc->mapping_array_size); 1661 } 1662 SCTP_TCB_UNLOCK(stcb); 1663 SCTP_INP_INFO_WLOCK(); 1664 SCTP_INP_WLOCK(stcb->sctp_ep); 1665 SCTP_TCB_LOCK(stcb); 1666 atomic_add_int(&stcb->asoc.refcnt, -1); 1667 /* send up all the data */ 1668 SCTP_TCB_SEND_LOCK(stcb); 1669 1670 sctp_report_all_outbound(stcb, 1, SCTP_SO_NOT_LOCKED); 1671 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1672 stcb->asoc.strmout[i].stream_no = i; 1673 stcb->asoc.strmout[i].next_sequence_sent = 0; 1674 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1675 } 1676 /* process the INIT-ACK info (my info) */ 1677 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1678 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1679 1680 /* pull from vtag hash */ 1681 LIST_REMOVE(stcb, sctp_asocs); 1682 /* re-insert to new vtag position */ 1683 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1684 sctppcbinfo.hashasocmark)]; 1685 /* 1686 * put it in the bucket in the vtag hash of assoc's for the 1687 * system 1688 */ 1689 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1690 1691 /* Is this the first restart? */ 1692 if (stcb->asoc.in_restart_hash == 0) { 1693 /* Ok add it to assoc_id vtag hash */ 1694 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1695 sctppcbinfo.hashrestartmark)]; 1696 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1697 stcb->asoc.in_restart_hash = 1; 1698 } 1699 /* process the INIT info (peer's info) */ 1700 SCTP_TCB_SEND_UNLOCK(stcb); 1701 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1702 SCTP_INP_INFO_WUNLOCK(); 1703 1704 retval = sctp_process_init(init_cp, stcb, net); 1705 if (retval < 0) { 1706 if (how_indx < sizeof(asoc->cookie_how)) 1707 asoc->cookie_how[how_indx] = 13; 1708 1709 return (NULL); 1710 } 1711 /* 1712 * since we did not send a HB make sure we don't double 1713 * things 1714 */ 1715 net->hb_responded = 1; 1716 1717 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1718 init_offset + sizeof(struct sctp_init_chunk), 1719 initack_offset, sh, init_src)) { 1720 if (how_indx < sizeof(asoc->cookie_how)) 1721 asoc->cookie_how[how_indx] = 14; 1722 1723 return (NULL); 1724 } 1725 /* respond with a COOKIE-ACK */ 1726 sctp_stop_all_cookie_timers(stcb); 1727 sctp_toss_old_cookies(stcb, asoc); 1728 sctp_send_cookie_ack(stcb); 1729 if (how_indx < sizeof(asoc->cookie_how)) 1730 asoc->cookie_how[how_indx] = 15; 1731 1732 return (stcb); 1733 } 1734 if (how_indx < sizeof(asoc->cookie_how)) 1735 asoc->cookie_how[how_indx] = 16; 1736 /* all other cases... */ 1737 return (NULL); 1738} 1739 1740 1741/* 1742 * handle a state cookie for a new association m: input packet mbuf chain-- 1743 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1744 * and the cookie signature does not exist offset: offset into mbuf to the 1745 * cookie-echo chunk length: length of the cookie chunk to: where the init 1746 * was from returns a new TCB 1747 */ 1748static struct sctp_tcb * 1749sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1750 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1751 struct sctp_inpcb *inp, struct sctp_nets **netp, 1752 struct sockaddr *init_src, int *notification, 1753 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1754 uint32_t vrf_id, uint16_t port) 1755{ 1756 struct sctp_tcb *stcb; 1757 struct sctp_init_chunk *init_cp, init_buf; 1758 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1759 struct sockaddr_storage sa_store; 1760 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1761 struct sockaddr_in *sin; 1762 struct sockaddr_in6 *sin6; 1763 struct sctp_association *asoc; 1764 int chk_length; 1765 int init_offset, initack_offset, initack_limit; 1766 int retval; 1767 int error = 0; 1768 uint32_t old_tag; 1769 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1770 1771#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1772 struct socket *so; 1773 1774 so = SCTP_INP_SO(inp); 1775#endif 1776 1777 /* 1778 * find and validate the INIT chunk in the cookie (peer's info) the 1779 * INIT should start after the cookie-echo header struct (chunk 1780 * header, state cookie header struct) 1781 */ 1782 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1783 init_cp = (struct sctp_init_chunk *) 1784 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1785 (uint8_t *) & init_buf); 1786 if (init_cp == NULL) { 1787 /* could not pull a INIT chunk in cookie */ 1788 SCTPDBG(SCTP_DEBUG_INPUT1, 1789 "process_cookie_new: could not pull INIT chunk hdr\n"); 1790 return (NULL); 1791 } 1792 chk_length = ntohs(init_cp->ch.chunk_length); 1793 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1794 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n"); 1795 return (NULL); 1796 } 1797 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1798 /* 1799 * find and validate the INIT-ACK chunk in the cookie (my info) the 1800 * INIT-ACK follows the INIT chunk 1801 */ 1802 initack_cp = (struct sctp_init_ack_chunk *) 1803 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1804 (uint8_t *) & initack_buf); 1805 if (initack_cp == NULL) { 1806 /* could not pull INIT-ACK chunk in cookie */ 1807 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1808 return (NULL); 1809 } 1810 chk_length = ntohs(initack_cp->ch.chunk_length); 1811 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1812 return (NULL); 1813 } 1814 /* 1815 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1816 * "initack_limit" value. This is because the chk_length field 1817 * includes the length of the cookie, but the cookie is omitted when 1818 * the INIT and INIT_ACK are tacked onto the cookie... 1819 */ 1820 initack_limit = offset + cookie_len; 1821 1822 /* 1823 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1824 * and popluate 1825 */ 1826 1827 /* 1828 * Here we do a trick, we set in NULL for the proc/thread argument. 1829 * We do this since in effect we only use the p argument when the 1830 * socket is unbound and we must do an implicit bind. Since we are 1831 * getting a cookie, we cannot be unbound. 1832 */ 1833 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1834 ntohl(initack_cp->init.initiate_tag), vrf_id, 1835 (struct thread *)NULL 1836 ); 1837 if (stcb == NULL) { 1838 struct mbuf *op_err; 1839 1840 /* memory problem? */ 1841 SCTPDBG(SCTP_DEBUG_INPUT1, 1842 "process_cookie_new: no room for another TCB!\n"); 1843 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1844 1845 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1846 sh, op_err, vrf_id, port); 1847 return (NULL); 1848 } 1849 /* get the correct sctp_nets */ 1850 if (netp) 1851 *netp = sctp_findnet(stcb, init_src); 1852 1853 asoc = &stcb->asoc; 1854 /* get scope variables out of cookie */ 1855 asoc->ipv4_local_scope = cookie->ipv4_scope; 1856 asoc->site_scope = cookie->site_scope; 1857 asoc->local_scope = cookie->local_scope; 1858 asoc->loopback_scope = cookie->loopback_scope; 1859 1860 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1861 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1862 struct mbuf *op_err; 1863 1864 /* 1865 * Houston we have a problem. The EP changed while the 1866 * cookie was in flight. Only recourse is to abort the 1867 * association. 1868 */ 1869 atomic_add_int(&stcb->asoc.refcnt, 1); 1870 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1871 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1872 sh, op_err, vrf_id, port); 1873#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1874 SCTP_TCB_UNLOCK(stcb); 1875 SCTP_SOCKET_LOCK(so, 1); 1876 SCTP_TCB_LOCK(stcb); 1877#endif 1878 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 1879 SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1880#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1881 SCTP_SOCKET_UNLOCK(so, 1); 1882#endif 1883 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1884 return (NULL); 1885 } 1886 /* process the INIT-ACK info (my info) */ 1887 old_tag = asoc->my_vtag; 1888 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1889 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1890 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1891 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1892 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1893 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; 1894 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1895 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1896 asoc->str_reset_seq_in = asoc->init_seq_number; 1897 1898 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1899 1900 /* process the INIT info (peer's info) */ 1901 if (netp) 1902 retval = sctp_process_init(init_cp, stcb, *netp); 1903 else 1904 retval = 0; 1905 if (retval < 0) { 1906 atomic_add_int(&stcb->asoc.refcnt, 1); 1907#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1908 SCTP_TCB_UNLOCK(stcb); 1909 SCTP_SOCKET_LOCK(so, 1); 1910 SCTP_TCB_LOCK(stcb); 1911#endif 1912 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1913#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1914 SCTP_SOCKET_UNLOCK(so, 1); 1915#endif 1916 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1917 return (NULL); 1918 } 1919 /* load all addresses */ 1920 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1921 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1922 init_src)) { 1923 atomic_add_int(&stcb->asoc.refcnt, 1); 1924#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1925 SCTP_TCB_UNLOCK(stcb); 1926 SCTP_SOCKET_LOCK(so, 1); 1927 SCTP_TCB_LOCK(stcb); 1928#endif 1929 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 1930#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1931 SCTP_SOCKET_UNLOCK(so, 1); 1932#endif 1933 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1934 return (NULL); 1935 } 1936 /* 1937 * verify any preceding AUTH chunk that was skipped 1938 */ 1939 /* pull the local authentication parameters from the cookie/init-ack */ 1940 sctp_auth_get_cookie_params(stcb, m, 1941 initack_offset + sizeof(struct sctp_init_ack_chunk), 1942 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1943 if (auth_skipped) { 1944 struct sctp_auth_chunk *auth; 1945 1946 auth = (struct sctp_auth_chunk *) 1947 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 1948 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { 1949 /* auth HMAC failed, dump the assoc and packet */ 1950 SCTPDBG(SCTP_DEBUG_AUTH1, 1951 "COOKIE-ECHO: AUTH failed\n"); 1952 atomic_add_int(&stcb->asoc.refcnt, 1); 1953#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1954 SCTP_TCB_UNLOCK(stcb); 1955 SCTP_SOCKET_LOCK(so, 1); 1956 SCTP_TCB_LOCK(stcb); 1957#endif 1958 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 1959#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1960 SCTP_SOCKET_UNLOCK(so, 1); 1961#endif 1962 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1963 return (NULL); 1964 } else { 1965 /* remaining chunks checked... good to go */ 1966 stcb->asoc.authenticated = 1; 1967 } 1968 } 1969 /* update current state */ 1970 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 1971 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1972 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1973 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1974 stcb->sctp_ep, stcb, asoc->primary_destination); 1975 } 1976 sctp_stop_all_cookie_timers(stcb); 1977 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1978 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1979 1980 /* 1981 * if we're doing ASCONFs, check to see if we have any new local 1982 * addresses that need to get added to the peer (eg. addresses 1983 * changed while cookie echo in flight). This needs to be done 1984 * after we go to the OPEN state to do the correct asconf 1985 * processing. else, make sure we have the correct addresses in our 1986 * lists 1987 */ 1988 1989 /* warning, we re-use sin, sin6, sa_store here! */ 1990 /* pull in local_address (our "from" address) */ 1991 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1992 /* source addr is IPv4 */ 1993 sin = (struct sockaddr_in *)initack_src; 1994 memset(sin, 0, sizeof(*sin)); 1995 sin->sin_family = AF_INET; 1996 sin->sin_len = sizeof(struct sockaddr_in); 1997 sin->sin_addr.s_addr = cookie->laddress[0]; 1998 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1999 /* source addr is IPv6 */ 2000 sin6 = (struct sockaddr_in6 *)initack_src; 2001 memset(sin6, 0, sizeof(*sin6)); 2002 sin6->sin6_family = AF_INET6; 2003 sin6->sin6_len = sizeof(struct sockaddr_in6); 2004 sin6->sin6_scope_id = cookie->scope_id; 2005 memcpy(&sin6->sin6_addr, cookie->laddress, 2006 sizeof(sin6->sin6_addr)); 2007 } else { 2008 atomic_add_int(&stcb->asoc.refcnt, 1); 2009#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2010 SCTP_TCB_UNLOCK(stcb); 2011 SCTP_SOCKET_LOCK(so, 1); 2012 SCTP_TCB_LOCK(stcb); 2013#endif 2014 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 2015#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2016 SCTP_SOCKET_UNLOCK(so, 1); 2017#endif 2018 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2019 return (NULL); 2020 } 2021 2022 /* set up to notify upper layer */ 2023 *notification = SCTP_NOTIFY_ASSOC_UP; 2024 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2025 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 2026 (inp->sctp_socket->so_qlimit == 0)) { 2027 /* 2028 * This is an endpoint that called connect() how it got a 2029 * cookie that is NEW is a bit of a mystery. It must be that 2030 * the INIT was sent, but before it got there.. a complete 2031 * INIT/INIT-ACK/COOKIE arrived. But of course then it 2032 * should have went to the other code.. not here.. oh well.. 2033 * a bit of protection is worth having.. 2034 */ 2035 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2036#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2037 atomic_add_int(&stcb->asoc.refcnt, 1); 2038 SCTP_TCB_UNLOCK(stcb); 2039 SCTP_SOCKET_LOCK(so, 1); 2040 SCTP_TCB_LOCK(stcb); 2041 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2042 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 2043 SCTP_SOCKET_UNLOCK(so, 1); 2044 return (NULL); 2045 } 2046#endif 2047 soisconnected(stcb->sctp_socket); 2048#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2049 SCTP_SOCKET_UNLOCK(so, 1); 2050#endif 2051 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 2052 (inp->sctp_socket->so_qlimit)) { 2053 /* 2054 * We don't want to do anything with this one. Since it is 2055 * the listening guy. The timer will get started for 2056 * accepted connections in the caller. 2057 */ 2058 ; 2059 } 2060 /* since we did not send a HB make sure we don't double things */ 2061 if ((netp) && (*netp)) 2062 (*netp)->hb_responded = 1; 2063 2064 if (stcb->asoc.sctp_autoclose_ticks && 2065 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2066 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 2067 } 2068 /* calculate the RTT */ 2069 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 2070 if ((netp) && (*netp)) { 2071 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 2072 &cookie->time_entered, sctp_align_unsafe_makecopy); 2073 } 2074 /* respond with a COOKIE-ACK */ 2075 sctp_send_cookie_ack(stcb); 2076 2077 /* 2078 * check the address lists for any ASCONFs that need to be sent 2079 * AFTER the cookie-ack is sent 2080 */ 2081 sctp_check_address_list(stcb, m, 2082 initack_offset + sizeof(struct sctp_init_ack_chunk), 2083 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 2084 initack_src, cookie->local_scope, cookie->site_scope, 2085 cookie->ipv4_scope, cookie->loopback_scope); 2086 2087 2088 return (stcb); 2089} 2090 2091 2092/* 2093 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 2094 * existing (non-NULL) TCB 2095 */ 2096static struct mbuf * 2097sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 2098 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 2099 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 2100 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 2101 struct sctp_tcb **locked_tcb, uint32_t vrf_id, uint16_t port) 2102{ 2103 struct sctp_state_cookie *cookie; 2104 struct sockaddr_in6 sin6; 2105 struct sockaddr_in sin; 2106 struct sctp_tcb *l_stcb = *stcb; 2107 struct sctp_inpcb *l_inp; 2108 struct sockaddr *to; 2109 sctp_assoc_t sac_restart_id; 2110 struct sctp_pcb *ep; 2111 struct mbuf *m_sig; 2112 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 2113 uint8_t *sig; 2114 uint8_t cookie_ok = 0; 2115 unsigned int size_of_pkt, sig_offset, cookie_offset; 2116 unsigned int cookie_len; 2117 struct timeval now; 2118 struct timeval time_expires; 2119 struct sockaddr_storage dest_store; 2120 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 2121 struct ip *iph; 2122 int notification = 0; 2123 struct sctp_nets *netl; 2124 int had_a_existing_tcb = 0; 2125 2126 SCTPDBG(SCTP_DEBUG_INPUT2, 2127 "sctp_handle_cookie: handling COOKIE-ECHO\n"); 2128 2129 if (inp_p == NULL) { 2130 return (NULL); 2131 } 2132 /* First get the destination address setup too. */ 2133 iph = mtod(m, struct ip *); 2134 switch (iph->ip_v) { 2135 case IPVERSION: 2136 { 2137 /* its IPv4 */ 2138 struct sockaddr_in *lsin; 2139 2140 lsin = (struct sockaddr_in *)(localep_sa); 2141 memset(lsin, 0, sizeof(*lsin)); 2142 lsin->sin_family = AF_INET; 2143 lsin->sin_len = sizeof(*lsin); 2144 lsin->sin_port = sh->dest_port; 2145 lsin->sin_addr.s_addr = iph->ip_dst.s_addr; 2146 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 2147 break; 2148 } 2149#ifdef INET6 2150 case IPV6_VERSION >> 4: 2151 { 2152 /* its IPv6 */ 2153 struct ip6_hdr *ip6; 2154 struct sockaddr_in6 *lsin6; 2155 2156 lsin6 = (struct sockaddr_in6 *)(localep_sa); 2157 memset(lsin6, 0, sizeof(*lsin6)); 2158 lsin6->sin6_family = AF_INET6; 2159 lsin6->sin6_len = sizeof(struct sockaddr_in6); 2160 ip6 = mtod(m, struct ip6_hdr *); 2161 lsin6->sin6_port = sh->dest_port; 2162 lsin6->sin6_addr = ip6->ip6_dst; 2163 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 2164 break; 2165 } 2166#endif 2167 default: 2168 return (NULL); 2169 } 2170 2171 cookie = &cp->cookie; 2172 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 2173 cookie_len = ntohs(cp->ch.chunk_length); 2174 2175 if ((cookie->peerport != sh->src_port) && 2176 (cookie->myport != sh->dest_port) && 2177 (cookie->my_vtag != sh->v_tag)) { 2178 /* 2179 * invalid ports or bad tag. Note that we always leave the 2180 * v_tag in the header in network order and when we stored 2181 * it in the my_vtag slot we also left it in network order. 2182 * This maintains the match even though it may be in the 2183 * opposite byte order of the machine :-> 2184 */ 2185 return (NULL); 2186 } 2187 if (cookie_len > size_of_pkt || 2188 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 2189 sizeof(struct sctp_init_chunk) + 2190 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 2191 /* cookie too long! or too small */ 2192 return (NULL); 2193 } 2194 /* 2195 * split off the signature into its own mbuf (since it should not be 2196 * calculated in the sctp_hmac_m() call). 2197 */ 2198 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 2199 if (sig_offset > size_of_pkt) { 2200 /* packet not correct size! */ 2201 /* XXX this may already be accounted for earlier... */ 2202 return (NULL); 2203 } 2204 m_sig = m_split(m, sig_offset, M_DONTWAIT); 2205 if (m_sig == NULL) { 2206 /* out of memory or ?? */ 2207 return (NULL); 2208 } 2209#ifdef SCTP_MBUF_LOGGING 2210 if (sctp_logging_level & SCTP_MBUF_LOGGING_ENABLE) { 2211 struct mbuf *mat; 2212 2213 mat = m_sig; 2214 while (mat) { 2215 if (SCTP_BUF_IS_EXTENDED(mat)) { 2216 sctp_log_mb(mat, SCTP_MBUF_SPLIT); 2217 } 2218 mat = SCTP_BUF_NEXT(mat); 2219 } 2220 } 2221#endif 2222 2223 /* 2224 * compute the signature/digest for the cookie 2225 */ 2226 ep = &(*inp_p)->sctp_ep; 2227 l_inp = *inp_p; 2228 if (l_stcb) { 2229 SCTP_TCB_UNLOCK(l_stcb); 2230 } 2231 SCTP_INP_RLOCK(l_inp); 2232 if (l_stcb) { 2233 SCTP_TCB_LOCK(l_stcb); 2234 } 2235 /* which cookie is it? */ 2236 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 2237 (ep->current_secret_number != ep->last_secret_number)) { 2238 /* it's the old cookie */ 2239 (void)sctp_hmac_m(SCTP_HMAC, 2240 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 2241 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2242 } else { 2243 /* it's the current cookie */ 2244 (void)sctp_hmac_m(SCTP_HMAC, 2245 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 2246 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2247 } 2248 /* get the signature */ 2249 SCTP_INP_RUNLOCK(l_inp); 2250 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 2251 if (sig == NULL) { 2252 /* couldn't find signature */ 2253 sctp_m_freem(m_sig); 2254 return (NULL); 2255 } 2256 /* compare the received digest with the computed digest */ 2257 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 2258 /* try the old cookie? */ 2259 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 2260 (ep->current_secret_number != ep->last_secret_number)) { 2261 /* compute digest with old */ 2262 (void)sctp_hmac_m(SCTP_HMAC, 2263 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 2264 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2265 /* compare */ 2266 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 2267 cookie_ok = 1; 2268 } 2269 } else { 2270 cookie_ok = 1; 2271 } 2272 2273 /* 2274 * Now before we continue we must reconstruct our mbuf so that 2275 * normal processing of any other chunks will work. 2276 */ 2277 { 2278 struct mbuf *m_at; 2279 2280 m_at = m; 2281 while (SCTP_BUF_NEXT(m_at) != NULL) { 2282 m_at = SCTP_BUF_NEXT(m_at); 2283 } 2284 SCTP_BUF_NEXT(m_at) = m_sig; 2285 } 2286 2287 if (cookie_ok == 0) { 2288 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n"); 2289 SCTPDBG(SCTP_DEBUG_INPUT2, 2290 "offset = %u, cookie_offset = %u, sig_offset = %u\n", 2291 (uint32_t) offset, cookie_offset, sig_offset); 2292 return (NULL); 2293 } 2294 /* 2295 * check the cookie timestamps to be sure it's not stale 2296 */ 2297 (void)SCTP_GETTIME_TIMEVAL(&now); 2298 /* Expire time is in Ticks, so we convert to seconds */ 2299 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life); 2300 time_expires.tv_usec = cookie->time_entered.tv_usec; 2301 if (timevalcmp(&now, &time_expires, >)) { 2302 /* cookie is stale! */ 2303 struct mbuf *op_err; 2304 struct sctp_stale_cookie_msg *scm; 2305 uint32_t tim; 2306 2307 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 2308 0, M_DONTWAIT, 1, MT_DATA); 2309 if (op_err == NULL) { 2310 /* FOOBAR */ 2311 return (NULL); 2312 } 2313 /* pre-reserve some space */ 2314#ifdef INET6 2315 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 2316#else 2317 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip)); 2318#endif 2319 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 2320 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 2321 2322 /* Set the len */ 2323 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 2324 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 2325 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 2326 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 2327 (sizeof(uint32_t)))); 2328 /* seconds to usec */ 2329 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2330 /* add in usec */ 2331 if (tim == 0) 2332 tim = now.tv_usec - cookie->time_entered.tv_usec; 2333 scm->time_usec = htonl(tim); 2334 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 2335 vrf_id, port); 2336 return (NULL); 2337 } 2338 /* 2339 * Now we must see with the lookup address if we have an existing 2340 * asoc. This will only happen if we were in the COOKIE-WAIT state 2341 * and a INIT collided with us and somewhere the peer sent the 2342 * cookie on another address besides the single address our assoc 2343 * had for him. In this case we will have one of the tie-tags set at 2344 * least AND the address field in the cookie can be used to look it 2345 * up. 2346 */ 2347 to = NULL; 2348 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 2349 memset(&sin6, 0, sizeof(sin6)); 2350 sin6.sin6_family = AF_INET6; 2351 sin6.sin6_len = sizeof(sin6); 2352 sin6.sin6_port = sh->src_port; 2353 sin6.sin6_scope_id = cookie->scope_id; 2354 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2355 sizeof(sin6.sin6_addr.s6_addr)); 2356 to = (struct sockaddr *)&sin6; 2357 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2358 memset(&sin, 0, sizeof(sin)); 2359 sin.sin_family = AF_INET; 2360 sin.sin_len = sizeof(sin); 2361 sin.sin_port = sh->src_port; 2362 sin.sin_addr.s_addr = cookie->address[0]; 2363 to = (struct sockaddr *)&sin; 2364 } else { 2365 /* This should not happen */ 2366 return (NULL); 2367 } 2368 if ((*stcb == NULL) && to) { 2369 /* Yep, lets check */ 2370 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2371 if (*stcb == NULL) { 2372 /* 2373 * We should have only got back the same inp. If we 2374 * got back a different ep we have a problem. The 2375 * original findep got back l_inp and now 2376 */ 2377 if (l_inp != *inp_p) { 2378 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n"); 2379 } 2380 } else { 2381 if (*locked_tcb == NULL) { 2382 /* 2383 * In this case we found the assoc only 2384 * after we locked the create lock. This 2385 * means we are in a colliding case and we 2386 * must make sure that we unlock the tcb if 2387 * its one of the cases where we throw away 2388 * the incoming packets. 2389 */ 2390 *locked_tcb = *stcb; 2391 2392 /* 2393 * We must also increment the inp ref count 2394 * since the ref_count flags was set when we 2395 * did not find the TCB, now we found it 2396 * which reduces the refcount.. we must 2397 * raise it back out to balance it all :-) 2398 */ 2399 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2400 if ((*stcb)->sctp_ep != l_inp) { 2401 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n", 2402 (*stcb)->sctp_ep, l_inp); 2403 } 2404 } 2405 } 2406 } 2407 if (to == NULL) 2408 return (NULL); 2409 2410 cookie_len -= SCTP_SIGNATURE_SIZE; 2411 if (*stcb == NULL) { 2412 /* this is the "normal" case... get a new TCB */ 2413 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2414 cookie_len, *inp_p, netp, to, ¬ification, 2415 auth_skipped, auth_offset, auth_len, vrf_id, port); 2416 } else { 2417 /* this is abnormal... cookie-echo on existing TCB */ 2418 had_a_existing_tcb = 1; 2419 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2420 cookie, cookie_len, *inp_p, *stcb, *netp, to, 2421 ¬ification, &sac_restart_id, vrf_id); 2422 } 2423 2424 if (*stcb == NULL) { 2425 /* still no TCB... must be bad cookie-echo */ 2426 return (NULL); 2427 } 2428 /* 2429 * Ok, we built an association so confirm the address we sent the 2430 * INIT-ACK to. 2431 */ 2432 netl = sctp_findnet(*stcb, to); 2433 /* 2434 * This code should in theory NOT run but 2435 */ 2436 if (netl == NULL) { 2437 /* TSNH! Huh, why do I need to add this address here? */ 2438 int ret; 2439 2440 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2441 SCTP_IN_COOKIE_PROC); 2442 netl = sctp_findnet(*stcb, to); 2443 } 2444 if (netl) { 2445 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2446 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2447 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2448 netl); 2449 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2450 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2451 } 2452 } 2453 if (*stcb) { 2454 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2455 *stcb, NULL); 2456 } 2457 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2458 if (!had_a_existing_tcb || 2459 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2460 /* 2461 * If we have a NEW cookie or the connect never 2462 * reached the connected state during collision we 2463 * must do the TCP accept thing. 2464 */ 2465 struct socket *so, *oso; 2466 struct sctp_inpcb *inp; 2467 2468 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2469 /* 2470 * For a restart we will keep the same 2471 * socket, no need to do anything. I THINK!! 2472 */ 2473 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id, SCTP_SO_NOT_LOCKED); 2474 return (m); 2475 } 2476 oso = (*inp_p)->sctp_socket; 2477 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2478 SCTP_TCB_UNLOCK((*stcb)); 2479 so = sonewconn(oso, 0 2480 ); 2481 SCTP_TCB_LOCK((*stcb)); 2482 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2483 2484 if (so == NULL) { 2485 struct mbuf *op_err; 2486 2487#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2488 struct socket *pcb_so; 2489 2490#endif 2491 /* Too many sockets */ 2492 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n"); 2493 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2494 sctp_abort_association(*inp_p, NULL, m, iphlen, 2495 sh, op_err, vrf_id, port); 2496#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2497 pcb_so = SCTP_INP_SO(*inp_p); 2498 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2499 SCTP_TCB_UNLOCK((*stcb)); 2500 SCTP_SOCKET_LOCK(pcb_so, 1); 2501 SCTP_TCB_LOCK((*stcb)); 2502 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2503#endif 2504 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2505#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2506 SCTP_SOCKET_UNLOCK(pcb_so, 1); 2507#endif 2508 return (NULL); 2509 } 2510 inp = (struct sctp_inpcb *)so->so_pcb; 2511 SCTP_INP_INCR_REF(inp); 2512 /* 2513 * We add the unbound flag here so that if we get an 2514 * soabort() before we get the move_pcb done, we 2515 * will properly cleanup. 2516 */ 2517 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2518 SCTP_PCB_FLAGS_CONNECTED | 2519 SCTP_PCB_FLAGS_IN_TCPPOOL | 2520 SCTP_PCB_FLAGS_UNBOUND | 2521 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2522 SCTP_PCB_FLAGS_DONT_WAKE); 2523 inp->sctp_features = (*inp_p)->sctp_features; 2524 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features; 2525 inp->sctp_socket = so; 2526 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2527 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2528 inp->sctp_context = (*inp_p)->sctp_context; 2529 inp->inp_starting_point_for_iterator = NULL; 2530 /* 2531 * copy in the authentication parameters from the 2532 * original endpoint 2533 */ 2534 if (inp->sctp_ep.local_hmacs) 2535 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2536 inp->sctp_ep.local_hmacs = 2537 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2538 if (inp->sctp_ep.local_auth_chunks) 2539 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2540 inp->sctp_ep.local_auth_chunks = 2541 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2542 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2543 &inp->sctp_ep.shared_keys); 2544 2545 /* 2546 * Now we must move it from one hash table to 2547 * another and get the tcb in the right place. 2548 */ 2549 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2550 2551 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2552 SCTP_TCB_UNLOCK((*stcb)); 2553 2554 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, 2555 0); 2556 SCTP_TCB_LOCK((*stcb)); 2557 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2558 2559 2560 /* 2561 * now we must check to see if we were aborted while 2562 * the move was going on and the lock/unlock 2563 * happened. 2564 */ 2565 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2566 /* 2567 * yep it was, we leave the assoc attached 2568 * to the socket since the sctp_inpcb_free() 2569 * call will send an abort for us. 2570 */ 2571 SCTP_INP_DECR_REF(inp); 2572 return (NULL); 2573 } 2574 SCTP_INP_DECR_REF(inp); 2575 /* Switch over to the new guy */ 2576 *inp_p = inp; 2577 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2578 2579 /* 2580 * Pull it from the incomplete queue and wake the 2581 * guy 2582 */ 2583#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2584 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2585 SCTP_TCB_UNLOCK((*stcb)); 2586 SCTP_SOCKET_LOCK(so, 1); 2587#endif 2588 soisconnected(so); 2589#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2590 SCTP_TCB_LOCK((*stcb)); 2591 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2592 SCTP_SOCKET_UNLOCK(so, 1); 2593#endif 2594 return (m); 2595 } 2596 } 2597 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2598 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2599 } 2600 return (m); 2601} 2602 2603static void 2604sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2605 struct sctp_tcb *stcb, struct sctp_nets *net) 2606{ 2607 /* cp must not be used, others call this without a c-ack :-) */ 2608 struct sctp_association *asoc; 2609 2610 SCTPDBG(SCTP_DEBUG_INPUT2, 2611 "sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2612 if (stcb == NULL) 2613 return; 2614 2615 asoc = &stcb->asoc; 2616 2617 sctp_stop_all_cookie_timers(stcb); 2618 /* process according to association state */ 2619 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2620 /* state change only needed when I am in right state */ 2621 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2622 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 2623 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2624 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2625 stcb->sctp_ep, stcb, asoc->primary_destination); 2626 2627 } 2628 /* update RTO */ 2629 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2630 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2631 if (asoc->overall_error_count == 0) { 2632 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2633 &asoc->time_entered, sctp_align_safe_nocopy); 2634 } 2635 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2636 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2637 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2638 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2639#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2640 struct socket *so; 2641 2642#endif 2643 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2644#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2645 so = SCTP_INP_SO(stcb->sctp_ep); 2646 atomic_add_int(&stcb->asoc.refcnt, 1); 2647 SCTP_TCB_UNLOCK(stcb); 2648 SCTP_SOCKET_LOCK(so, 1); 2649 SCTP_TCB_LOCK(stcb); 2650 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2651 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 2652 SCTP_SOCKET_UNLOCK(so, 1); 2653 return; 2654 } 2655#endif 2656 soisconnected(stcb->sctp_socket); 2657#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2658 SCTP_SOCKET_UNLOCK(so, 1); 2659#endif 2660 } 2661 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2662 stcb, net); 2663 /* 2664 * since we did not send a HB make sure we don't double 2665 * things 2666 */ 2667 net->hb_responded = 1; 2668 2669 if (stcb->asoc.sctp_autoclose_ticks && 2670 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2671 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2672 stcb->sctp_ep, stcb, NULL); 2673 } 2674 /* 2675 * send ASCONF if parameters are pending and ASCONFs are 2676 * allowed (eg. addresses changed when init/cookie echo were 2677 * in flight) 2678 */ 2679 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2680 (stcb->asoc.peer_supports_asconf) && 2681 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2682#ifdef SCTP_TIMER_BASED_ASCONF 2683 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2684 stcb->sctp_ep, stcb, 2685 stcb->asoc.primary_destination); 2686#else 2687 sctp_send_asconf(stcb, stcb->asoc.primary_destination, 2688 SCTP_ADDR_NOT_LOCKED); 2689#endif 2690 } 2691 } 2692 /* Toss the cookie if I can */ 2693 sctp_toss_old_cookies(stcb, asoc); 2694 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2695 /* Restart the timer if we have pending data */ 2696 struct sctp_tmit_chunk *chk; 2697 2698 chk = TAILQ_FIRST(&asoc->sent_queue); 2699 if (chk) { 2700 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2701 stcb, chk->whoTo); 2702 } 2703 } 2704} 2705 2706static void 2707sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2708 struct sctp_tcb *stcb) 2709{ 2710 struct sctp_nets *net; 2711 struct sctp_tmit_chunk *lchk; 2712 uint32_t tsn; 2713 2714 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2715 return; 2716 } 2717 SCTP_STAT_INCR(sctps_recvecne); 2718 tsn = ntohl(cp->tsn); 2719 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2720 /* Also we make sure we disable the nonce_wait */ 2721 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2722 if (lchk == NULL) { 2723 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2724 } else { 2725 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2726 } 2727 stcb->asoc.nonce_wait_for_ecne = 0; 2728 stcb->asoc.nonce_sum_check = 0; 2729 2730 /* Find where it was sent, if possible */ 2731 net = NULL; 2732 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2733 while (lchk) { 2734 if (lchk->rec.data.TSN_seq == tsn) { 2735 net = lchk->whoTo; 2736 break; 2737 } 2738 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2739 break; 2740 lchk = TAILQ_NEXT(lchk, sctp_next); 2741 } 2742 if (net == NULL) 2743 /* default is we use the primary */ 2744 net = stcb->asoc.primary_destination; 2745 2746 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2747 /* 2748 * JRS - Use the congestion control given in the pluggable 2749 * CC module 2750 */ 2751 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net); 2752 /* 2753 * we reduce once every RTT. So we will only lower cwnd at 2754 * the next sending seq i.e. the resync_tsn. 2755 */ 2756 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2757 } 2758 /* 2759 * We always send a CWR this way if our previous one was lost our 2760 * peer will get an update, or if it is not time again to reduce we 2761 * still get the cwr to the peer. 2762 */ 2763 sctp_send_cwr(stcb, net, tsn); 2764} 2765 2766static void 2767sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2768{ 2769 /* 2770 * Here we get a CWR from the peer. We must look in the outqueue and 2771 * make sure that we have a covered ECNE in teh control chunk part. 2772 * If so remove it. 2773 */ 2774 struct sctp_tmit_chunk *chk; 2775 struct sctp_ecne_chunk *ecne; 2776 2777 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2778 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2779 continue; 2780 } 2781 /* 2782 * Look for and remove if it is the right TSN. Since there 2783 * is only ONE ECNE on the control queue at any one time we 2784 * don't need to worry about more than one! 2785 */ 2786 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2787 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2788 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2789 /* this covers this ECNE, we can remove it */ 2790 stcb->asoc.ecn_echo_cnt_onq--; 2791 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2792 sctp_next); 2793 if (chk->data) { 2794 sctp_m_freem(chk->data); 2795 chk->data = NULL; 2796 } 2797 stcb->asoc.ctrl_queue_cnt--; 2798 sctp_free_a_chunk(stcb, chk); 2799 break; 2800 } 2801 } 2802} 2803 2804static void 2805sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2806 struct sctp_tcb *stcb, struct sctp_nets *net) 2807{ 2808 struct sctp_association *asoc; 2809 2810#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2811 struct socket *so; 2812 2813#endif 2814 2815 SCTPDBG(SCTP_DEBUG_INPUT2, 2816 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2817 if (stcb == NULL) 2818 return; 2819 2820 asoc = &stcb->asoc; 2821 /* process according to association state */ 2822 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2823 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2824 SCTPDBG(SCTP_DEBUG_INPUT2, 2825 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n"); 2826 SCTP_TCB_UNLOCK(stcb); 2827 return; 2828 } 2829 /* notify upper layer protocol */ 2830 if (stcb->sctp_socket) { 2831 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2832 /* are the queues empty? they should be */ 2833 if (!TAILQ_EMPTY(&asoc->send_queue) || 2834 !TAILQ_EMPTY(&asoc->sent_queue) || 2835 !TAILQ_EMPTY(&asoc->out_wheel)) { 2836 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED); 2837 } 2838 } 2839 /* stop the timer */ 2840 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2841 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2842 /* free the TCB */ 2843 SCTPDBG(SCTP_DEBUG_INPUT2, 2844 "sctp_handle_shutdown_complete: calls free-asoc\n"); 2845#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2846 so = SCTP_INP_SO(stcb->sctp_ep); 2847 atomic_add_int(&stcb->asoc.refcnt, 1); 2848 SCTP_TCB_UNLOCK(stcb); 2849 SCTP_SOCKET_LOCK(so, 1); 2850 SCTP_TCB_LOCK(stcb); 2851 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2852#endif 2853 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2854#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2855 SCTP_SOCKET_UNLOCK(so, 1); 2856#endif 2857 return; 2858} 2859 2860static int 2861process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2862 struct sctp_nets *net, uint8_t flg) 2863{ 2864 switch (desc->chunk_type) { 2865 case SCTP_DATA: 2866 /* find the tsn to resend (possibly */ 2867 { 2868 uint32_t tsn; 2869 struct sctp_tmit_chunk *tp1; 2870 2871 tsn = ntohl(desc->tsn_ifany); 2872 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2873 while (tp1) { 2874 if (tp1->rec.data.TSN_seq == tsn) { 2875 /* found it */ 2876 break; 2877 } 2878 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2879 MAX_TSN)) { 2880 /* not found */ 2881 tp1 = NULL; 2882 break; 2883 } 2884 tp1 = TAILQ_NEXT(tp1, sctp_next); 2885 } 2886 if (tp1 == NULL) { 2887 /* 2888 * Do it the other way , aka without paying 2889 * attention to queue seq order. 2890 */ 2891 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2892 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2893 while (tp1) { 2894 if (tp1->rec.data.TSN_seq == tsn) { 2895 /* found it */ 2896 break; 2897 } 2898 tp1 = TAILQ_NEXT(tp1, sctp_next); 2899 } 2900 } 2901 if (tp1 == NULL) { 2902 SCTP_STAT_INCR(sctps_pdrptsnnf); 2903 } 2904 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2905 uint8_t *ddp; 2906 2907 if ((stcb->asoc.peers_rwnd == 0) && 2908 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2909 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2910 return (0); 2911 } 2912 if (stcb->asoc.peers_rwnd == 0 && 2913 (flg & SCTP_FROM_MIDDLE_BOX)) { 2914 SCTP_STAT_INCR(sctps_pdrpdizrw); 2915 return (0); 2916 } 2917 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2918 sizeof(struct sctp_data_chunk)); 2919 { 2920 unsigned int iii; 2921 2922 for (iii = 0; iii < sizeof(desc->data_bytes); 2923 iii++) { 2924 if (ddp[iii] != desc->data_bytes[iii]) { 2925 SCTP_STAT_INCR(sctps_pdrpbadd); 2926 return (-1); 2927 } 2928 } 2929 } 2930 /* 2931 * We zero out the nonce so resync not 2932 * needed 2933 */ 2934 tp1->rec.data.ect_nonce = 0; 2935 2936 if (tp1->do_rtt) { 2937 /* 2938 * this guy had a RTO calculation 2939 * pending on it, cancel it 2940 */ 2941 tp1->do_rtt = 0; 2942 } 2943 SCTP_STAT_INCR(sctps_pdrpmark); 2944 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2945 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2946 tp1->sent = SCTP_DATAGRAM_RESEND; 2947 /* 2948 * mark it as if we were doing a FR, since 2949 * we will be getting gap ack reports behind 2950 * the info from the router. 2951 */ 2952 tp1->rec.data.doing_fast_retransmit = 1; 2953 /* 2954 * mark the tsn with what sequences can 2955 * cause a new FR. 2956 */ 2957 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2958 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2959 } else { 2960 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2961 } 2962 2963 /* restart the timer */ 2964 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2965 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 2966 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2967 stcb, tp1->whoTo); 2968 2969 /* fix counts and things */ 2970 if (sctp_logging_level & SCTP_FLIGHT_LOGGING_ENABLE) { 2971 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 2972 tp1->whoTo->flight_size, 2973 tp1->book_size, 2974 (uintptr_t) stcb, 2975 tp1->rec.data.TSN_seq); 2976 } 2977 sctp_flight_size_decrease(tp1); 2978 sctp_total_flight_decrease(stcb, tp1); 2979 } { 2980 /* audit code */ 2981 unsigned int audit; 2982 2983 audit = 0; 2984 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2985 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2986 audit++; 2987 } 2988 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2989 sctp_next) { 2990 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2991 audit++; 2992 } 2993 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2994 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n", 2995 audit, stcb->asoc.sent_queue_retran_cnt); 2996#ifndef SCTP_AUDITING_ENABLED 2997 stcb->asoc.sent_queue_retran_cnt = audit; 2998#endif 2999 } 3000 } 3001 } 3002 break; 3003 case SCTP_ASCONF: 3004 { 3005 struct sctp_tmit_chunk *asconf; 3006 3007 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 3008 sctp_next) { 3009 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 3010 break; 3011 } 3012 } 3013 if (asconf) { 3014 if (asconf->sent != SCTP_DATAGRAM_RESEND) 3015 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3016 asconf->sent = SCTP_DATAGRAM_RESEND; 3017 asconf->snd_count--; 3018 } 3019 } 3020 break; 3021 case SCTP_INITIATION: 3022 /* resend the INIT */ 3023 stcb->asoc.dropped_special_cnt++; 3024 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 3025 /* 3026 * If we can get it in, in a few attempts we do 3027 * this, otherwise we let the timer fire. 3028 */ 3029 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 3030 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 3031 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 3032 } 3033 break; 3034 case SCTP_SELECTIVE_ACK: 3035 /* resend the sack */ 3036 sctp_send_sack(stcb); 3037 break; 3038 case SCTP_HEARTBEAT_REQUEST: 3039 /* resend a demand HB */ 3040 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) { 3041 /* 3042 * Only retransmit if we KNOW we wont destroy the 3043 * tcb 3044 */ 3045 (void)sctp_send_hb(stcb, 1, net); 3046 } 3047 break; 3048 case SCTP_SHUTDOWN: 3049 sctp_send_shutdown(stcb, net); 3050 break; 3051 case SCTP_SHUTDOWN_ACK: 3052 sctp_send_shutdown_ack(stcb, net); 3053 break; 3054 case SCTP_COOKIE_ECHO: 3055 { 3056 struct sctp_tmit_chunk *cookie; 3057 3058 cookie = NULL; 3059 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 3060 sctp_next) { 3061 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 3062 break; 3063 } 3064 } 3065 if (cookie) { 3066 if (cookie->sent != SCTP_DATAGRAM_RESEND) 3067 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3068 cookie->sent = SCTP_DATAGRAM_RESEND; 3069 sctp_stop_all_cookie_timers(stcb); 3070 } 3071 } 3072 break; 3073 case SCTP_COOKIE_ACK: 3074 sctp_send_cookie_ack(stcb); 3075 break; 3076 case SCTP_ASCONF_ACK: 3077 /* resend last asconf ack */ 3078 sctp_send_asconf_ack(stcb); 3079 break; 3080 case SCTP_FORWARD_CUM_TSN: 3081 send_forward_tsn(stcb, &stcb->asoc); 3082 break; 3083 /* can't do anything with these */ 3084 case SCTP_PACKET_DROPPED: 3085 case SCTP_INITIATION_ACK: /* this should not happen */ 3086 case SCTP_HEARTBEAT_ACK: 3087 case SCTP_ABORT_ASSOCIATION: 3088 case SCTP_OPERATION_ERROR: 3089 case SCTP_SHUTDOWN_COMPLETE: 3090 case SCTP_ECN_ECHO: 3091 case SCTP_ECN_CWR: 3092 default: 3093 break; 3094 } 3095 return (0); 3096} 3097 3098void 3099sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 3100{ 3101 int i; 3102 uint16_t temp; 3103 3104 /* 3105 * We set things to 0xffff since this is the last delivered sequence 3106 * and we will be sending in 0 after the reset. 3107 */ 3108 3109 if (number_entries) { 3110 for (i = 0; i < number_entries; i++) { 3111 temp = ntohs(list[i]); 3112 if (temp >= stcb->asoc.streamincnt) { 3113 continue; 3114 } 3115 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 3116 } 3117 } else { 3118 list = NULL; 3119 for (i = 0; i < stcb->asoc.streamincnt; i++) { 3120 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 3121 } 3122 } 3123 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3124} 3125 3126static void 3127sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 3128{ 3129 int i; 3130 3131 if (number_entries == 0) { 3132 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 3133 stcb->asoc.strmout[i].next_sequence_sent = 0; 3134 } 3135 } else if (number_entries) { 3136 for (i = 0; i < number_entries; i++) { 3137 uint16_t temp; 3138 3139 temp = ntohs(list[i]); 3140 if (temp >= stcb->asoc.streamoutcnt) { 3141 /* no such stream */ 3142 continue; 3143 } 3144 stcb->asoc.strmout[temp].next_sequence_sent = 0; 3145 } 3146 } 3147 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3148} 3149 3150 3151struct sctp_stream_reset_out_request * 3152sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 3153{ 3154 struct sctp_association *asoc; 3155 struct sctp_stream_reset_out_req *req; 3156 struct sctp_stream_reset_out_request *r; 3157 struct sctp_tmit_chunk *chk; 3158 int len, clen; 3159 3160 asoc = &stcb->asoc; 3161 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 3162 asoc->stream_reset_outstanding = 0; 3163 return (NULL); 3164 } 3165 if (stcb->asoc.str_reset == NULL) { 3166 asoc->stream_reset_outstanding = 0; 3167 return (NULL); 3168 } 3169 chk = stcb->asoc.str_reset; 3170 if (chk->data == NULL) { 3171 return (NULL); 3172 } 3173 if (bchk) { 3174 /* he wants a copy of the chk pointer */ 3175 *bchk = chk; 3176 } 3177 clen = chk->send_size; 3178 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 3179 r = &req->sr_req; 3180 if (ntohl(r->request_seq) == seq) { 3181 /* found it */ 3182 return (r); 3183 } 3184 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 3185 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 3186 /* move to the next one, there can only be a max of two */ 3187 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 3188 if (ntohl(r->request_seq) == seq) { 3189 return (r); 3190 } 3191 } 3192 /* that seq is not here */ 3193 return (NULL); 3194} 3195 3196static void 3197sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 3198{ 3199 struct sctp_association *asoc; 3200 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 3201 3202 if (stcb->asoc.str_reset == NULL) { 3203 return; 3204 } 3205 asoc = &stcb->asoc; 3206 3207 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3208 TAILQ_REMOVE(&asoc->control_send_queue, 3209 chk, 3210 sctp_next); 3211 if (chk->data) { 3212 sctp_m_freem(chk->data); 3213 chk->data = NULL; 3214 } 3215 asoc->ctrl_queue_cnt--; 3216 sctp_free_a_chunk(stcb, chk); 3217 /* sa_ignore NO_NULL_CHK */ 3218 stcb->asoc.str_reset = NULL; 3219} 3220 3221 3222static int 3223sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 3224 uint32_t seq, uint32_t action, 3225 struct sctp_stream_reset_response *respin) 3226{ 3227 uint16_t type; 3228 int lparm_len; 3229 struct sctp_association *asoc = &stcb->asoc; 3230 struct sctp_tmit_chunk *chk; 3231 struct sctp_stream_reset_out_request *srparam; 3232 int number_entries; 3233 3234 if (asoc->stream_reset_outstanding == 0) { 3235 /* duplicate */ 3236 return (0); 3237 } 3238 if (seq == stcb->asoc.str_reset_seq_out) { 3239 srparam = sctp_find_stream_reset(stcb, seq, &chk); 3240 if (srparam) { 3241 stcb->asoc.str_reset_seq_out++; 3242 type = ntohs(srparam->ph.param_type); 3243 lparm_len = ntohs(srparam->ph.param_length); 3244 if (type == SCTP_STR_RESET_OUT_REQUEST) { 3245 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 3246 asoc->stream_reset_out_is_outstanding = 0; 3247 if (asoc->stream_reset_outstanding) 3248 asoc->stream_reset_outstanding--; 3249 if (action == SCTP_STREAM_RESET_PERFORMED) { 3250 /* do it */ 3251 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 3252 } else { 3253 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); 3254 } 3255 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 3256 /* Answered my request */ 3257 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 3258 if (asoc->stream_reset_outstanding) 3259 asoc->stream_reset_outstanding--; 3260 if (action != SCTP_STREAM_RESET_PERFORMED) { 3261 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); 3262 } 3263 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 3264 /** 3265 * a) Adopt the new in tsn. 3266 * b) reset the map 3267 * c) Adopt the new out-tsn 3268 */ 3269 struct sctp_stream_reset_response_tsn *resp; 3270 struct sctp_forward_tsn_chunk fwdtsn; 3271 int abort_flag = 0; 3272 3273 if (respin == NULL) { 3274 /* huh ? */ 3275 return (0); 3276 } 3277 if (action == SCTP_STREAM_RESET_PERFORMED) { 3278 resp = (struct sctp_stream_reset_response_tsn *)respin; 3279 asoc->stream_reset_outstanding--; 3280 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3281 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3282 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 3283 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3284 if (abort_flag) { 3285 return (1); 3286 } 3287 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 3288 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3289 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 3290 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3291 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 3292 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 3293 3294 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3295 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3296 3297 } 3298 } 3299 /* get rid of the request and get the request flags */ 3300 if (asoc->stream_reset_outstanding == 0) { 3301 sctp_clean_up_stream_reset(stcb); 3302 } 3303 } 3304 } 3305 return (0); 3306} 3307 3308static void 3309sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 3310 struct sctp_tmit_chunk *chk, 3311 struct sctp_stream_reset_in_request *req, int trunc) 3312{ 3313 uint32_t seq; 3314 int len, i; 3315 int number_entries; 3316 uint16_t temp; 3317 3318 /* 3319 * peer wants me to send a str-reset to him for my outgoing seq's if 3320 * seq_in is right. 3321 */ 3322 struct sctp_association *asoc = &stcb->asoc; 3323 3324 seq = ntohl(req->request_seq); 3325 if (asoc->str_reset_seq_in == seq) { 3326 if (trunc) { 3327 /* Can't do it, since they exceeded our buffer size */ 3328 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3329 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3330 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3331 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 3332 len = ntohs(req->ph.param_length); 3333 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 3334 for (i = 0; i < number_entries; i++) { 3335 temp = ntohs(req->list_of_streams[i]); 3336 req->list_of_streams[i] = temp; 3337 } 3338 /* move the reset action back one */ 3339 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3340 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3341 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 3342 asoc->str_reset_seq_out, 3343 seq, (asoc->sending_seq - 1)); 3344 asoc->stream_reset_out_is_outstanding = 1; 3345 asoc->str_reset = chk; 3346 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 3347 stcb->asoc.stream_reset_outstanding++; 3348 } else { 3349 /* Can't do it, since we have sent one out */ 3350 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3351 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 3352 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3353 } 3354 asoc->str_reset_seq_in++; 3355 } else if (asoc->str_reset_seq_in - 1 == seq) { 3356 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3357 } else if (asoc->str_reset_seq_in - 2 == seq) { 3358 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3359 } else { 3360 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3361 } 3362} 3363 3364static int 3365sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 3366 struct sctp_tmit_chunk *chk, 3367 struct sctp_stream_reset_tsn_request *req) 3368{ 3369 /* reset all in and out and update the tsn */ 3370 /* 3371 * A) reset my str-seq's on in and out. B) Select a receive next, 3372 * and set cum-ack to it. Also process this selected number as a 3373 * fwd-tsn as well. C) set in the response my next sending seq. 3374 */ 3375 struct sctp_forward_tsn_chunk fwdtsn; 3376 struct sctp_association *asoc = &stcb->asoc; 3377 int abort_flag = 0; 3378 uint32_t seq; 3379 3380 seq = ntohl(req->request_seq); 3381 if (asoc->str_reset_seq_in == seq) { 3382 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3383 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3384 fwdtsn.ch.chunk_flags = 0; 3385 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3386 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3387 if (abort_flag) { 3388 return (1); 3389 } 3390 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3391 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3392 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 3393 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3394 atomic_add_int(&stcb->asoc.sending_seq, 1); 3395 /* save off historical data for retrans */ 3396 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 3397 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 3398 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 3399 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 3400 3401 sctp_add_stream_reset_result_tsn(chk, 3402 ntohl(req->request_seq), 3403 SCTP_STREAM_RESET_PERFORMED, 3404 stcb->asoc.sending_seq, 3405 stcb->asoc.mapping_array_base_tsn); 3406 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3407 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3408 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3409 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3410 3411 asoc->str_reset_seq_in++; 3412 } else if (asoc->str_reset_seq_in - 1 == seq) { 3413 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3414 stcb->asoc.last_sending_seq[0], 3415 stcb->asoc.last_base_tsnsent[0] 3416 ); 3417 } else if (asoc->str_reset_seq_in - 2 == seq) { 3418 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3419 stcb->asoc.last_sending_seq[1], 3420 stcb->asoc.last_base_tsnsent[1] 3421 ); 3422 } else { 3423 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3424 } 3425 return (0); 3426} 3427 3428static void 3429sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3430 struct sctp_tmit_chunk *chk, 3431 struct sctp_stream_reset_out_request *req, int trunc) 3432{ 3433 uint32_t seq, tsn; 3434 int number_entries, len; 3435 struct sctp_association *asoc = &stcb->asoc; 3436 3437 seq = ntohl(req->request_seq); 3438 3439 /* now if its not a duplicate we process it */ 3440 if (asoc->str_reset_seq_in == seq) { 3441 len = ntohs(req->ph.param_length); 3442 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3443 /* 3444 * the sender is resetting, handle the list issue.. we must 3445 * a) verify if we can do the reset, if so no problem b) If 3446 * we can't do the reset we must copy the request. c) queue 3447 * it, and setup the data in processor to trigger it off 3448 * when needed and dequeue all the queued data. 3449 */ 3450 tsn = ntohl(req->send_reset_at_tsn); 3451 3452 /* move the reset action back one */ 3453 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3454 if (trunc) { 3455 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3456 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3457 } else if ((tsn == asoc->cumulative_tsn) || 3458 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3459 /* we can do it now */ 3460 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3461 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3462 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3463 } else { 3464 /* 3465 * we must queue it up and thus wait for the TSN's 3466 * to arrive that are at or before tsn 3467 */ 3468 struct sctp_stream_reset_list *liste; 3469 int siz; 3470 3471 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3472 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3473 siz, SCTP_M_STRESET); 3474 if (liste == NULL) { 3475 /* gak out of memory */ 3476 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3477 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3478 return; 3479 } 3480 liste->tsn = tsn; 3481 liste->number_entries = number_entries; 3482 memcpy(&liste->req, req, 3483 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3484 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3485 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3486 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3487 } 3488 asoc->str_reset_seq_in++; 3489 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3490 /* 3491 * one seq back, just echo back last action since my 3492 * response was lost. 3493 */ 3494 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3495 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3496 /* 3497 * two seq back, just echo back last action since my 3498 * response was lost. 3499 */ 3500 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3501 } else { 3502 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3503 } 3504} 3505 3506#ifdef __GNUC__ 3507__attribute__((noinline)) 3508#endif 3509 static int 3510 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset, 3511 struct sctp_stream_reset_out_req *sr_req) 3512{ 3513 int chk_length, param_len, ptype; 3514 struct sctp_paramhdr pstore; 3515 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE]; 3516 3517 uint32_t seq; 3518 int num_req = 0; 3519 int trunc = 0; 3520 struct sctp_tmit_chunk *chk; 3521 struct sctp_chunkhdr *ch; 3522 struct sctp_paramhdr *ph; 3523 int ret_code = 0; 3524 int num_param = 0; 3525 3526 /* now it may be a reset or a reset-response */ 3527 chk_length = ntohs(sr_req->ch.chunk_length); 3528 3529 /* setup for adding the response */ 3530 sctp_alloc_a_chunk(stcb, chk); 3531 if (chk == NULL) { 3532 return (ret_code); 3533 } 3534 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3535 chk->rec.chunk_id.can_take_data = 0; 3536 chk->asoc = &stcb->asoc; 3537 chk->no_fr_allowed = 0; 3538 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3539 chk->book_size_scale = 0; 3540 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3541 if (chk->data == NULL) { 3542strres_nochunk: 3543 if (chk->data) { 3544 sctp_m_freem(chk->data); 3545 chk->data = NULL; 3546 } 3547 sctp_free_a_chunk(stcb, chk); 3548 return (ret_code); 3549 } 3550 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3551 3552 /* setup chunk parameters */ 3553 chk->sent = SCTP_DATAGRAM_UNSENT; 3554 chk->snd_count = 0; 3555 chk->whoTo = stcb->asoc.primary_destination; 3556 atomic_add_int(&chk->whoTo->ref_count, 1); 3557 3558 ch = mtod(chk->data, struct sctp_chunkhdr *); 3559 ch->chunk_type = SCTP_STREAM_RESET; 3560 ch->chunk_flags = 0; 3561 ch->chunk_length = htons(chk->send_size); 3562 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3563 offset += sizeof(struct sctp_chunkhdr); 3564 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3565 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore); 3566 if (ph == NULL) 3567 break; 3568 param_len = ntohs(ph->param_length); 3569 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3570 /* bad param */ 3571 break; 3572 } 3573 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)), 3574 (uint8_t *) & cstore); 3575 ptype = ntohs(ph->param_type); 3576 num_param++; 3577 if (param_len > (int)sizeof(cstore)) { 3578 trunc = 1; 3579 } else { 3580 trunc = 0; 3581 } 3582 3583 if (num_param > SCTP_MAX_RESET_PARAMS) { 3584 /* hit the max of parameters already sorry.. */ 3585 break; 3586 } 3587 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3588 struct sctp_stream_reset_out_request *req_out; 3589 3590 req_out = (struct sctp_stream_reset_out_request *)ph; 3591 num_req++; 3592 if (stcb->asoc.stream_reset_outstanding) { 3593 seq = ntohl(req_out->response_seq); 3594 if (seq == stcb->asoc.str_reset_seq_out) { 3595 /* implicit ack */ 3596 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3597 } 3598 } 3599 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc); 3600 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3601 struct sctp_stream_reset_in_request *req_in; 3602 3603 num_req++; 3604 3605 req_in = (struct sctp_stream_reset_in_request *)ph; 3606 3607 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc); 3608 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3609 struct sctp_stream_reset_tsn_request *req_tsn; 3610 3611 num_req++; 3612 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3613 3614 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3615 ret_code = 1; 3616 goto strres_nochunk; 3617 } 3618 /* no more */ 3619 break; 3620 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3621 struct sctp_stream_reset_response *resp; 3622 uint32_t result; 3623 3624 resp = (struct sctp_stream_reset_response *)ph; 3625 seq = ntohl(resp->response_seq); 3626 result = ntohl(resp->result); 3627 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3628 ret_code = 1; 3629 goto strres_nochunk; 3630 } 3631 } else { 3632 break; 3633 } 3634 offset += SCTP_SIZE32(param_len); 3635 chk_length -= SCTP_SIZE32(param_len); 3636 } 3637 if (num_req == 0) { 3638 /* we have no response free the stuff */ 3639 goto strres_nochunk; 3640 } 3641 /* ok we have a chunk to link in */ 3642 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3643 chk, 3644 sctp_next); 3645 stcb->asoc.ctrl_queue_cnt++; 3646 return (ret_code); 3647} 3648 3649/* 3650 * Handle a router or endpoints report of a packet loss, there are two ways 3651 * to handle this, either we get the whole packet and must disect it 3652 * ourselves (possibly with truncation and or corruption) or it is a summary 3653 * from a middle box that did the disectting for us. 3654 */ 3655static void 3656sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3657 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit) 3658{ 3659 uint32_t bottle_bw, on_queue; 3660 uint16_t trunc_len; 3661 unsigned int chlen; 3662 unsigned int at; 3663 struct sctp_chunk_desc desc; 3664 struct sctp_chunkhdr *ch; 3665 3666 chlen = ntohs(cp->ch.chunk_length); 3667 chlen -= sizeof(struct sctp_pktdrop_chunk); 3668 /* XXX possible chlen underflow */ 3669 if (chlen == 0) { 3670 ch = NULL; 3671 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3672 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3673 } else { 3674 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3675 chlen -= sizeof(struct sctphdr); 3676 /* XXX possible chlen underflow */ 3677 memset(&desc, 0, sizeof(desc)); 3678 } 3679 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3680 if (trunc_len > limit) { 3681 trunc_len = limit; 3682 } 3683 /* now the chunks themselves */ 3684 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3685 desc.chunk_type = ch->chunk_type; 3686 /* get amount we need to move */ 3687 at = ntohs(ch->chunk_length); 3688 if (at < sizeof(struct sctp_chunkhdr)) { 3689 /* corrupt chunk, maybe at the end? */ 3690 SCTP_STAT_INCR(sctps_pdrpcrupt); 3691 break; 3692 } 3693 if (trunc_len == 0) { 3694 /* we are supposed to have all of it */ 3695 if (at > chlen) { 3696 /* corrupt skip it */ 3697 SCTP_STAT_INCR(sctps_pdrpcrupt); 3698 break; 3699 } 3700 } else { 3701 /* is there enough of it left ? */ 3702 if (desc.chunk_type == SCTP_DATA) { 3703 if (chlen < (sizeof(struct sctp_data_chunk) + 3704 sizeof(desc.data_bytes))) { 3705 break; 3706 } 3707 } else { 3708 if (chlen < sizeof(struct sctp_chunkhdr)) { 3709 break; 3710 } 3711 } 3712 } 3713 if (desc.chunk_type == SCTP_DATA) { 3714 /* can we get out the tsn? */ 3715 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3716 SCTP_STAT_INCR(sctps_pdrpmbda); 3717 3718 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3719 /* yep */ 3720 struct sctp_data_chunk *dcp; 3721 uint8_t *ddp; 3722 unsigned int iii; 3723 3724 dcp = (struct sctp_data_chunk *)ch; 3725 ddp = (uint8_t *) (dcp + 1); 3726 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3727 desc.data_bytes[iii] = ddp[iii]; 3728 } 3729 desc.tsn_ifany = dcp->dp.tsn; 3730 } else { 3731 /* nope we are done. */ 3732 SCTP_STAT_INCR(sctps_pdrpnedat); 3733 break; 3734 } 3735 } else { 3736 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3737 SCTP_STAT_INCR(sctps_pdrpmbct); 3738 } 3739 3740 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3741 SCTP_STAT_INCR(sctps_pdrppdbrk); 3742 break; 3743 } 3744 if (SCTP_SIZE32(at) > chlen) { 3745 break; 3746 } 3747 chlen -= SCTP_SIZE32(at); 3748 if (chlen < sizeof(struct sctp_chunkhdr)) { 3749 /* done, none left */ 3750 break; 3751 } 3752 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3753 } 3754 /* Now update any rwnd --- possibly */ 3755 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3756 /* From a peer, we get a rwnd report */ 3757 uint32_t a_rwnd; 3758 3759 SCTP_STAT_INCR(sctps_pdrpfehos); 3760 3761 bottle_bw = ntohl(cp->bottle_bw); 3762 on_queue = ntohl(cp->current_onq); 3763 if (bottle_bw && on_queue) { 3764 /* a rwnd report is in here */ 3765 if (bottle_bw > on_queue) 3766 a_rwnd = bottle_bw - on_queue; 3767 else 3768 a_rwnd = 0; 3769 3770 if (a_rwnd == 0) 3771 stcb->asoc.peers_rwnd = 0; 3772 else { 3773 if (a_rwnd > stcb->asoc.total_flight) { 3774 stcb->asoc.peers_rwnd = 3775 a_rwnd - stcb->asoc.total_flight; 3776 } else { 3777 stcb->asoc.peers_rwnd = 0; 3778 } 3779 if (stcb->asoc.peers_rwnd < 3780 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3781 /* SWS sender side engages */ 3782 stcb->asoc.peers_rwnd = 0; 3783 } 3784 } 3785 } 3786 } else { 3787 SCTP_STAT_INCR(sctps_pdrpfmbox); 3788 } 3789 3790 /* now middle boxes in sat networks get a cwnd bump */ 3791 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3792 (stcb->asoc.sat_t3_loss_recovery == 0) && 3793 (stcb->asoc.sat_network)) { 3794 /* 3795 * This is debateable but for sat networks it makes sense 3796 * Note if a T3 timer has went off, we will prohibit any 3797 * changes to cwnd until we exit the t3 loss recovery. 3798 */ 3799 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb, 3800 net, cp, &bottle_bw, &on_queue); 3801 } 3802} 3803 3804/* 3805 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3806 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3807 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3808 * length of the complete packet outputs: - length: modified to remaining 3809 * length after control processing - netp: modified to new sctp_nets after 3810 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3811 * bad packet,...) otherwise return the tcb for this packet 3812 */ 3813#ifdef __GNUC__ 3814__attribute__((noinline)) 3815#endif 3816 static struct sctp_tcb * 3817 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3818 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3819 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen, 3820 uint32_t vrf_id, uint16_t port) 3821{ 3822 struct sctp_association *asoc; 3823 uint32_t vtag_in; 3824 int num_chunks = 0; /* number of control chunks processed */ 3825 uint32_t chk_length; 3826 int ret; 3827 int abort_no_unlock = 0; 3828 3829 /* 3830 * How big should this be, and should it be alloc'd? Lets try the 3831 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3832 * until we get into jumbo grams and such.. 3833 */ 3834 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 3835 struct sctp_tcb *locked_tcb = stcb; 3836 int got_auth = 0; 3837 uint32_t auth_offset = 0, auth_len = 0; 3838 int auth_skipped = 0; 3839 int asconf_cnt = 0; 3840 3841#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3842 struct socket *so; 3843 3844#endif 3845 3846 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3847 iphlen, *offset, length, stcb); 3848 3849 /* validate chunk header length... */ 3850 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3851 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n", 3852 ntohs(ch->chunk_length)); 3853 if (locked_tcb) { 3854 SCTP_TCB_UNLOCK(locked_tcb); 3855 } 3856 return (NULL); 3857 } 3858 /* 3859 * validate the verification tag 3860 */ 3861 vtag_in = ntohl(sh->v_tag); 3862 3863 if (locked_tcb) { 3864 SCTP_TCB_LOCK_ASSERT(locked_tcb); 3865 } 3866 if (ch->chunk_type == SCTP_INITIATION) { 3867 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n", 3868 ntohs(ch->chunk_length), vtag_in); 3869 if (vtag_in != 0) { 3870 /* protocol error- silently discard... */ 3871 SCTP_STAT_INCR(sctps_badvtag); 3872 if (locked_tcb) { 3873 SCTP_TCB_UNLOCK(locked_tcb); 3874 } 3875 return (NULL); 3876 } 3877 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3878 /* 3879 * If there is no stcb, skip the AUTH chunk and process 3880 * later after a stcb is found (to validate the lookup was 3881 * valid. 3882 */ 3883 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3884 (stcb == NULL) && !sctp_auth_disable) { 3885 /* save this chunk for later processing */ 3886 auth_skipped = 1; 3887 auth_offset = *offset; 3888 auth_len = ntohs(ch->chunk_length); 3889 3890 /* (temporarily) move past this chunk */ 3891 *offset += SCTP_SIZE32(auth_len); 3892 if (*offset >= length) { 3893 /* no more data left in the mbuf chain */ 3894 *offset = length; 3895 if (locked_tcb) { 3896 SCTP_TCB_UNLOCK(locked_tcb); 3897 } 3898 return (NULL); 3899 } 3900 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3901 sizeof(struct sctp_chunkhdr), chunk_buf); 3902 } 3903 if (ch == NULL) { 3904 /* Help */ 3905 *offset = length; 3906 if (locked_tcb) { 3907 SCTP_TCB_UNLOCK(locked_tcb); 3908 } 3909 return (NULL); 3910 } 3911 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3912 goto process_control_chunks; 3913 } 3914 /* 3915 * first check if it's an ASCONF with an unknown src addr we 3916 * need to look inside to find the association 3917 */ 3918 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3919 struct sctp_chunkhdr *asconf_ch = ch; 3920 uint32_t asconf_offset = 0, asconf_len = 0; 3921 3922 /* inp's refcount may be reduced */ 3923 SCTP_INP_INCR_REF(inp); 3924 3925 asconf_offset = *offset; 3926 do { 3927 asconf_len = ntohs(asconf_ch->chunk_length); 3928 if (asconf_len < sizeof(struct sctp_asconf_paramhdr)) 3929 break; 3930 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3931 *offset, sh, &inp, netp); 3932 if (stcb != NULL) 3933 break; 3934 asconf_offset += SCTP_SIZE32(asconf_len); 3935 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset, 3936 sizeof(struct sctp_chunkhdr), chunk_buf); 3937 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF); 3938 if (stcb == NULL) { 3939 /* 3940 * reduce inp's refcount if not reduced in 3941 * sctp_findassociation_ep_asconf(). 3942 */ 3943 SCTP_INP_DECR_REF(inp); 3944 } else { 3945 locked_tcb = stcb; 3946 } 3947 3948 /* now go back and verify any auth chunk to be sure */ 3949 if (auth_skipped && (stcb != NULL)) { 3950 struct sctp_auth_chunk *auth; 3951 3952 auth = (struct sctp_auth_chunk *) 3953 sctp_m_getptr(m, auth_offset, 3954 auth_len, chunk_buf); 3955 got_auth = 1; 3956 auth_skipped = 0; 3957 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, 3958 auth_offset)) { 3959 /* auth HMAC failed so dump it */ 3960 *offset = length; 3961 if (locked_tcb) { 3962 SCTP_TCB_UNLOCK(locked_tcb); 3963 } 3964 return (NULL); 3965 } else { 3966 /* remaining chunks are HMAC checked */ 3967 stcb->asoc.authenticated = 1; 3968 } 3969 } 3970 } 3971 if (stcb == NULL) { 3972 /* no association, so it's out of the blue... */ 3973 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL, 3974 vrf_id, port); 3975 *offset = length; 3976 if (locked_tcb) { 3977 SCTP_TCB_UNLOCK(locked_tcb); 3978 } 3979 return (NULL); 3980 } 3981 asoc = &stcb->asoc; 3982 /* ABORT and SHUTDOWN can use either v_tag... */ 3983 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3984 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3985 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3986 if ((vtag_in == asoc->my_vtag) || 3987 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3988 (vtag_in == asoc->peer_vtag))) { 3989 /* this is valid */ 3990 } else { 3991 /* drop this packet... */ 3992 SCTP_STAT_INCR(sctps_badvtag); 3993 if (locked_tcb) { 3994 SCTP_TCB_UNLOCK(locked_tcb); 3995 } 3996 return (NULL); 3997 } 3998 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3999 if (vtag_in != asoc->my_vtag) { 4000 /* 4001 * this could be a stale SHUTDOWN-ACK or the 4002 * peer never got the SHUTDOWN-COMPLETE and 4003 * is still hung; we have started a new asoc 4004 * but it won't complete until the shutdown 4005 * is completed 4006 */ 4007 if (locked_tcb) { 4008 SCTP_TCB_UNLOCK(locked_tcb); 4009 } 4010 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 4011 NULL, vrf_id, port); 4012 return (NULL); 4013 } 4014 } else { 4015 /* for all other chunks, vtag must match */ 4016 if (vtag_in != asoc->my_vtag) { 4017 /* invalid vtag... */ 4018 SCTPDBG(SCTP_DEBUG_INPUT3, 4019 "invalid vtag: %xh, expect %xh\n", 4020 vtag_in, asoc->my_vtag); 4021 SCTP_STAT_INCR(sctps_badvtag); 4022 if (locked_tcb) { 4023 SCTP_TCB_UNLOCK(locked_tcb); 4024 } 4025 *offset = length; 4026 return (NULL); 4027 } 4028 } 4029 } /* end if !SCTP_COOKIE_ECHO */ 4030 /* 4031 * process all control chunks... 4032 */ 4033 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 4034 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 4035 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 4036 /* implied cookie-ack.. we must have lost the ack */ 4037 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4038 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4039 stcb->asoc.overall_error_count, 4040 0, 4041 SCTP_FROM_SCTP_INPUT, 4042 __LINE__); 4043 } 4044 stcb->asoc.overall_error_count = 0; 4045 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 4046 *netp); 4047 } 4048process_control_chunks: 4049 while (IS_SCTP_CONTROL(ch)) { 4050 /* validate chunk length */ 4051 chk_length = ntohs(ch->chunk_length); 4052 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n", 4053 ch->chunk_type, chk_length); 4054 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length); 4055 if (chk_length < sizeof(*ch) || 4056 (*offset + (int)chk_length) > length) { 4057 *offset = length; 4058 if (locked_tcb) { 4059 SCTP_TCB_UNLOCK(locked_tcb); 4060 } 4061 return (NULL); 4062 } 4063 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 4064 /* 4065 * INIT-ACK only gets the init ack "header" portion only 4066 * because we don't have to process the peer's COOKIE. All 4067 * others get a complete chunk. 4068 */ 4069 if ((ch->chunk_type == SCTP_INITIATION_ACK) || 4070 (ch->chunk_type == SCTP_INITIATION)) { 4071 /* get an init-ack chunk */ 4072 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4073 sizeof(struct sctp_init_ack_chunk), chunk_buf); 4074 if (ch == NULL) { 4075 *offset = length; 4076 if (locked_tcb) { 4077 SCTP_TCB_UNLOCK(locked_tcb); 4078 } 4079 return (NULL); 4080 } 4081 } else { 4082 /* For cookies and all other chunks. */ 4083 if (chk_length > sizeof(chunk_buf)) { 4084 /* 4085 * use just the size of the chunk buffer so 4086 * the front part of our chunks fit in 4087 * contiguous space up to the chunk buffer 4088 * size (508 bytes). For chunks that need to 4089 * get more than that they must use the 4090 * sctp_m_getptr() function or other means 4091 * (e.g. know how to parse mbuf chains). 4092 * Cookies do this already. 4093 */ 4094 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4095 (sizeof(chunk_buf) - 4), 4096 chunk_buf); 4097 if (ch == NULL) { 4098 *offset = length; 4099 if (locked_tcb) { 4100 SCTP_TCB_UNLOCK(locked_tcb); 4101 } 4102 return (NULL); 4103 } 4104 } else { 4105 /* We can fit it all */ 4106 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4107 chk_length, chunk_buf); 4108 if (ch == NULL) { 4109 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n"); 4110 *offset = length; 4111 if (locked_tcb) { 4112 SCTP_TCB_UNLOCK(locked_tcb); 4113 } 4114 return (NULL); 4115 } 4116 } 4117 } 4118 num_chunks++; 4119 /* Save off the last place we got a control from */ 4120 if (stcb != NULL) { 4121 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) { 4122 /* 4123 * allow last_control to be NULL if 4124 * ASCONF... ASCONF processing will find the 4125 * right net later 4126 */ 4127 if ((netp != NULL) && (*netp != NULL)) 4128 stcb->asoc.last_control_chunk_from = *netp; 4129 } 4130 } 4131#ifdef SCTP_AUDITING_ENABLED 4132 sctp_audit_log(0xB0, ch->chunk_type); 4133#endif 4134 4135 /* check to see if this chunk required auth, but isn't */ 4136 if ((stcb != NULL) && !sctp_auth_disable && 4137 sctp_auth_is_required_chunk(ch->chunk_type, 4138 stcb->asoc.local_auth_chunks) && 4139 !stcb->asoc.authenticated) { 4140 /* "silently" ignore */ 4141 SCTP_STAT_INCR(sctps_recvauthmissing); 4142 goto next_chunk; 4143 } 4144 switch (ch->chunk_type) { 4145 case SCTP_INITIATION: 4146 /* must be first and only chunk */ 4147 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n"); 4148 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4149 /* We are not interested anymore? */ 4150 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4151 /* 4152 * collision case where we are 4153 * sending to them too 4154 */ 4155 ; 4156 } else { 4157 if (locked_tcb) { 4158 SCTP_TCB_UNLOCK(locked_tcb); 4159 } 4160 *offset = length; 4161 return (NULL); 4162 } 4163 } 4164 if ((chk_length > SCTP_LARGEST_INIT_ACCEPTED) || 4165 (num_chunks > 1) || 4166 (sctp_strict_init && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 4167 *offset = length; 4168 if (locked_tcb) { 4169 SCTP_TCB_UNLOCK(locked_tcb); 4170 } 4171 return (NULL); 4172 } 4173 if ((stcb != NULL) && 4174 (SCTP_GET_STATE(&stcb->asoc) == 4175 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 4176 sctp_send_shutdown_ack(stcb, 4177 stcb->asoc.primary_destination); 4178 *offset = length; 4179 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 4180 if (locked_tcb) { 4181 SCTP_TCB_UNLOCK(locked_tcb); 4182 } 4183 return (NULL); 4184 } 4185 if (netp) { 4186 sctp_handle_init(m, iphlen, *offset, sh, 4187 (struct sctp_init_chunk *)ch, inp, 4188 stcb, *netp, &abort_no_unlock, vrf_id, port); 4189 } 4190 if (abort_no_unlock) 4191 return (NULL); 4192 4193 *offset = length; 4194 if (locked_tcb) { 4195 SCTP_TCB_UNLOCK(locked_tcb); 4196 } 4197 return (NULL); 4198 break; 4199 case SCTP_PAD_CHUNK: 4200 break; 4201 case SCTP_INITIATION_ACK: 4202 /* must be first and only chunk */ 4203 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n"); 4204 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4205 /* We are not interested anymore */ 4206 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4207 ; 4208 } else { 4209 if (locked_tcb) { 4210 SCTP_TCB_UNLOCK(locked_tcb); 4211 } 4212 *offset = length; 4213 if (stcb) { 4214#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4215 so = SCTP_INP_SO(inp); 4216 atomic_add_int(&stcb->asoc.refcnt, 1); 4217 SCTP_TCB_UNLOCK(stcb); 4218 SCTP_SOCKET_LOCK(so, 1); 4219 SCTP_TCB_LOCK(stcb); 4220 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4221#endif 4222 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4223#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4224 SCTP_SOCKET_UNLOCK(so, 1); 4225#endif 4226 } 4227 return (NULL); 4228 } 4229 } 4230 if ((num_chunks > 1) || 4231 (sctp_strict_init && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 4232 *offset = length; 4233 if (locked_tcb) { 4234 SCTP_TCB_UNLOCK(locked_tcb); 4235 } 4236 return (NULL); 4237 } 4238 if ((netp) && (*netp)) { 4239 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 4240 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id); 4241 } else { 4242 ret = -1; 4243 } 4244 /* 4245 * Special case, I must call the output routine to 4246 * get the cookie echoed 4247 */ 4248 if (abort_no_unlock) 4249 return (NULL); 4250 4251 if ((stcb) && ret == 0) 4252 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 4253 *offset = length; 4254 if (locked_tcb) { 4255 SCTP_TCB_UNLOCK(locked_tcb); 4256 } 4257 return (NULL); 4258 break; 4259 case SCTP_SELECTIVE_ACK: 4260 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n"); 4261 SCTP_STAT_INCR(sctps_recvsacks); 4262 { 4263 struct sctp_sack_chunk *sack; 4264 int abort_now = 0; 4265 uint32_t a_rwnd, cum_ack; 4266 uint16_t num_seg; 4267 int nonce_sum_flag; 4268 4269 if ((stcb == NULL) || (chk_length < sizeof(struct sctp_sack_chunk))) { 4270 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on sack chunk, too small\n"); 4271 ignore_sack: 4272 *offset = length; 4273 if (locked_tcb) { 4274 SCTP_TCB_UNLOCK(locked_tcb); 4275 } 4276 return (NULL); 4277 } 4278 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 4279 /*- 4280 * If we have sent a shutdown-ack, we will pay no 4281 * attention to a sack sent in to us since 4282 * we don't care anymore. 4283 */ 4284 goto ignore_sack; 4285 } 4286 sack = (struct sctp_sack_chunk *)ch; 4287 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 4288 cum_ack = ntohl(sack->sack.cum_tsn_ack); 4289 num_seg = ntohs(sack->sack.num_gap_ack_blks); 4290 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 4291 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n", 4292 cum_ack, 4293 num_seg, 4294 a_rwnd 4295 ); 4296 stcb->asoc.seen_a_sack_this_pkt = 1; 4297 if ((stcb->asoc.pr_sctp_cnt == 0) && 4298 (num_seg == 0) && 4299 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 4300 (cum_ack == stcb->asoc.last_acked_seq)) && 4301 (stcb->asoc.saw_sack_with_frags == 0) && 4302 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 4303 ) { 4304 /* 4305 * We have a SIMPLE sack having no 4306 * prior segments and data on sent 4307 * queue to be acked.. Use the 4308 * faster path sack processing. We 4309 * also allow window update sacks 4310 * with no missing segments to go 4311 * this way too. 4312 */ 4313 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, 4314 &abort_now); 4315 } else { 4316 if (netp && *netp) 4317 sctp_handle_sack(m, *offset, 4318 sack, stcb, *netp, &abort_now, chk_length, a_rwnd); 4319 } 4320 if (abort_now) { 4321 /* ABORT signal from sack processing */ 4322 *offset = length; 4323 return (NULL); 4324 } 4325 } 4326 break; 4327 case SCTP_HEARTBEAT_REQUEST: 4328 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n"); 4329 if ((stcb) && netp && *netp) { 4330 SCTP_STAT_INCR(sctps_recvheartbeat); 4331 sctp_send_heartbeat_ack(stcb, m, *offset, 4332 chk_length, *netp); 4333 4334 /* He's alive so give him credit */ 4335 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4336 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4337 stcb->asoc.overall_error_count, 4338 0, 4339 SCTP_FROM_SCTP_INPUT, 4340 __LINE__); 4341 } 4342 stcb->asoc.overall_error_count = 0; 4343 } 4344 break; 4345 case SCTP_HEARTBEAT_ACK: 4346 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n"); 4347 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) { 4348 /* Its not ours */ 4349 *offset = length; 4350 if (locked_tcb) { 4351 SCTP_TCB_UNLOCK(locked_tcb); 4352 } 4353 return (NULL); 4354 } 4355 /* He's alive so give him credit */ 4356 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4357 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4358 stcb->asoc.overall_error_count, 4359 0, 4360 SCTP_FROM_SCTP_INPUT, 4361 __LINE__); 4362 } 4363 stcb->asoc.overall_error_count = 0; 4364 SCTP_STAT_INCR(sctps_recvheartbeatack); 4365 if (netp && *netp) 4366 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 4367 stcb, *netp); 4368 break; 4369 case SCTP_ABORT_ASSOCIATION: 4370 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n", 4371 stcb); 4372 if ((stcb) && netp && *netp) 4373 sctp_handle_abort((struct sctp_abort_chunk *)ch, 4374 stcb, *netp); 4375 *offset = length; 4376 return (NULL); 4377 break; 4378 case SCTP_SHUTDOWN: 4379 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n", 4380 stcb); 4381 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) { 4382 *offset = length; 4383 if (locked_tcb) { 4384 SCTP_TCB_UNLOCK(locked_tcb); 4385 } 4386 return (NULL); 4387 } 4388 if (netp && *netp) { 4389 int abort_flag = 0; 4390 4391 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 4392 stcb, *netp, &abort_flag); 4393 if (abort_flag) { 4394 *offset = length; 4395 return (NULL); 4396 } 4397 } 4398 break; 4399 case SCTP_SHUTDOWN_ACK: 4400 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", stcb); 4401 if ((stcb) && (netp) && (*netp)) 4402 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 4403 *offset = length; 4404 return (NULL); 4405 break; 4406 4407 case SCTP_OPERATION_ERROR: 4408 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n"); 4409 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) { 4410 4411 *offset = length; 4412 return (NULL); 4413 } 4414 break; 4415 case SCTP_COOKIE_ECHO: 4416 SCTPDBG(SCTP_DEBUG_INPUT3, 4417 "SCTP_COOKIE-ECHO, stcb %p\n", stcb); 4418 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4419 ; 4420 } else { 4421 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4422 /* We are not interested anymore */ 4423 *offset = length; 4424 return (NULL); 4425 } 4426 } 4427 /* 4428 * First are we accepting? We do this again here 4429 * sincen it is possible that a previous endpoint 4430 * WAS listening responded to a INIT-ACK and then 4431 * closed. We opened and bound.. and are now no 4432 * longer listening. 4433 */ 4434 4435 if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) { 4436 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 4437 (sctp_abort_if_one_2_one_hits_limit)) { 4438 struct mbuf *oper; 4439 struct sctp_paramhdr *phdr; 4440 4441 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4442 0, M_DONTWAIT, 1, MT_DATA); 4443 if (oper) { 4444 SCTP_BUF_LEN(oper) = 4445 sizeof(struct sctp_paramhdr); 4446 phdr = mtod(oper, 4447 struct sctp_paramhdr *); 4448 phdr->param_type = 4449 htons(SCTP_CAUSE_OUT_OF_RESC); 4450 phdr->param_length = 4451 htons(sizeof(struct sctp_paramhdr)); 4452 } 4453 sctp_abort_association(inp, stcb, m, 4454 iphlen, sh, oper, vrf_id, port); 4455 } 4456 *offset = length; 4457 return (NULL); 4458 } else { 4459 struct mbuf *ret_buf; 4460 struct sctp_inpcb *linp; 4461 4462 if (stcb) { 4463 linp = NULL; 4464 } else { 4465 linp = inp; 4466 } 4467 4468 if (linp) { 4469 SCTP_ASOC_CREATE_LOCK(linp); 4470 } 4471 if (netp) { 4472 ret_buf = 4473 sctp_handle_cookie_echo(m, iphlen, 4474 *offset, sh, 4475 (struct sctp_cookie_echo_chunk *)ch, 4476 &inp, &stcb, netp, 4477 auth_skipped, 4478 auth_offset, 4479 auth_len, 4480 &locked_tcb, 4481 vrf_id, 4482 port); 4483 } else { 4484 ret_buf = NULL; 4485 } 4486 if (linp) { 4487 SCTP_ASOC_CREATE_UNLOCK(linp); 4488 } 4489 if (ret_buf == NULL) { 4490 if (locked_tcb) { 4491 SCTP_TCB_UNLOCK(locked_tcb); 4492 } 4493 SCTPDBG(SCTP_DEBUG_INPUT3, 4494 "GAK, null buffer\n"); 4495 auth_skipped = 0; 4496 *offset = length; 4497 return (NULL); 4498 } 4499 /* if AUTH skipped, see if it verified... */ 4500 if (auth_skipped) { 4501 got_auth = 1; 4502 auth_skipped = 0; 4503 } 4504 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4505 /* 4506 * Restart the timer if we have 4507 * pending data 4508 */ 4509 struct sctp_tmit_chunk *chk; 4510 4511 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4512 if (chk) { 4513 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4514 stcb->sctp_ep, stcb, 4515 chk->whoTo); 4516 } 4517 } 4518 } 4519 break; 4520 case SCTP_COOKIE_ACK: 4521 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", stcb); 4522 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) { 4523 if (locked_tcb) { 4524 SCTP_TCB_UNLOCK(locked_tcb); 4525 } 4526 return (NULL); 4527 } 4528 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4529 /* We are not interested anymore */ 4530 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4531 ; 4532 } else if (stcb) { 4533#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4534 so = SCTP_INP_SO(inp); 4535 atomic_add_int(&stcb->asoc.refcnt, 1); 4536 SCTP_TCB_UNLOCK(stcb); 4537 SCTP_SOCKET_LOCK(so, 1); 4538 SCTP_TCB_LOCK(stcb); 4539 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4540#endif 4541 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4542#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4543 SCTP_SOCKET_UNLOCK(so, 1); 4544#endif 4545 *offset = length; 4546 return (NULL); 4547 } 4548 } 4549 /* He's alive so give him credit */ 4550 if ((stcb) && netp && *netp) { 4551 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4552 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4553 stcb->asoc.overall_error_count, 4554 0, 4555 SCTP_FROM_SCTP_INPUT, 4556 __LINE__); 4557 } 4558 stcb->asoc.overall_error_count = 0; 4559 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4560 } 4561 break; 4562 case SCTP_ECN_ECHO: 4563 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n"); 4564 /* He's alive so give him credit */ 4565 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) { 4566 /* Its not ours */ 4567 if (locked_tcb) { 4568 SCTP_TCB_UNLOCK(locked_tcb); 4569 } 4570 *offset = length; 4571 return (NULL); 4572 } 4573 if (stcb) { 4574 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4575 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4576 stcb->asoc.overall_error_count, 4577 0, 4578 SCTP_FROM_SCTP_INPUT, 4579 __LINE__); 4580 } 4581 stcb->asoc.overall_error_count = 0; 4582 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4583 stcb); 4584 } 4585 break; 4586 case SCTP_ECN_CWR: 4587 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n"); 4588 /* He's alive so give him credit */ 4589 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) { 4590 /* Its not ours */ 4591 if (locked_tcb) { 4592 SCTP_TCB_UNLOCK(locked_tcb); 4593 } 4594 *offset = length; 4595 return (NULL); 4596 } 4597 if (stcb) { 4598 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4599 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4600 stcb->asoc.overall_error_count, 4601 0, 4602 SCTP_FROM_SCTP_INPUT, 4603 __LINE__); 4604 } 4605 stcb->asoc.overall_error_count = 0; 4606 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4607 } 4608 break; 4609 case SCTP_SHUTDOWN_COMPLETE: 4610 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", stcb); 4611 /* must be first and only chunk */ 4612 if ((num_chunks > 1) || 4613 (length - *offset > (int)SCTP_SIZE32(chk_length))) { 4614 *offset = length; 4615 if (locked_tcb) { 4616 SCTP_TCB_UNLOCK(locked_tcb); 4617 } 4618 return (NULL); 4619 } 4620 if ((stcb) && netp && *netp) { 4621 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4622 stcb, *netp); 4623 } 4624 *offset = length; 4625 return (NULL); 4626 break; 4627 case SCTP_ASCONF: 4628 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n"); 4629 /* He's alive so give him credit */ 4630 if (stcb) { 4631 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4632 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4633 stcb->asoc.overall_error_count, 4634 0, 4635 SCTP_FROM_SCTP_INPUT, 4636 __LINE__); 4637 } 4638 stcb->asoc.overall_error_count = 0; 4639 sctp_handle_asconf(m, *offset, 4640 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0); 4641 asconf_cnt++; 4642 } 4643 break; 4644 case SCTP_ASCONF_ACK: 4645 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n"); 4646 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) { 4647 /* Its not ours */ 4648 if (locked_tcb) { 4649 SCTP_TCB_UNLOCK(locked_tcb); 4650 } 4651 *offset = length; 4652 return (NULL); 4653 } 4654 if ((stcb) && netp && *netp) { 4655 /* He's alive so give him credit */ 4656 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4657 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4658 stcb->asoc.overall_error_count, 4659 0, 4660 SCTP_FROM_SCTP_INPUT, 4661 __LINE__); 4662 } 4663 stcb->asoc.overall_error_count = 0; 4664 sctp_handle_asconf_ack(m, *offset, 4665 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock); 4666 if (abort_no_unlock) 4667 return (NULL); 4668 } 4669 break; 4670 case SCTP_FORWARD_CUM_TSN: 4671 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n"); 4672 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) { 4673 /* Its not ours */ 4674 if (locked_tcb) { 4675 SCTP_TCB_UNLOCK(locked_tcb); 4676 } 4677 *offset = length; 4678 return (NULL); 4679 } 4680 /* He's alive so give him credit */ 4681 if (stcb) { 4682 int abort_flag = 0; 4683 4684 stcb->asoc.overall_error_count = 0; 4685 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4686 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4687 stcb->asoc.overall_error_count, 4688 0, 4689 SCTP_FROM_SCTP_INPUT, 4690 __LINE__); 4691 } 4692 *fwd_tsn_seen = 1; 4693 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4694 /* We are not interested anymore */ 4695#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4696 so = SCTP_INP_SO(inp); 4697 atomic_add_int(&stcb->asoc.refcnt, 1); 4698 SCTP_TCB_UNLOCK(stcb); 4699 SCTP_SOCKET_LOCK(so, 1); 4700 SCTP_TCB_LOCK(stcb); 4701 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4702#endif 4703 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4704#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4705 SCTP_SOCKET_UNLOCK(so, 1); 4706#endif 4707 *offset = length; 4708 return (NULL); 4709 } 4710 sctp_handle_forward_tsn(stcb, 4711 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset); 4712 if (abort_flag) { 4713 *offset = length; 4714 return (NULL); 4715 } else { 4716 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 4717 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4718 stcb->asoc.overall_error_count, 4719 0, 4720 SCTP_FROM_SCTP_INPUT, 4721 __LINE__); 4722 } 4723 stcb->asoc.overall_error_count = 0; 4724 } 4725 4726 } 4727 break; 4728 case SCTP_STREAM_RESET: 4729 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n"); 4730 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) { 4731 /* Its not ours */ 4732 if (locked_tcb) { 4733 SCTP_TCB_UNLOCK(locked_tcb); 4734 } 4735 *offset = length; 4736 return (NULL); 4737 } 4738 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4739 /* We are not interested anymore */ 4740#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4741 so = SCTP_INP_SO(inp); 4742 atomic_add_int(&stcb->asoc.refcnt, 1); 4743 SCTP_TCB_UNLOCK(stcb); 4744 SCTP_SOCKET_LOCK(so, 1); 4745 SCTP_TCB_LOCK(stcb); 4746 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4747#endif 4748 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_30); 4749#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4750 SCTP_SOCKET_UNLOCK(so, 1); 4751#endif 4752 *offset = length; 4753 return (NULL); 4754 } 4755 if (stcb->asoc.peer_supports_strreset == 0) { 4756 /* 4757 * hmm, peer should have announced this, but 4758 * we will turn it on since he is sending us 4759 * a stream reset. 4760 */ 4761 stcb->asoc.peer_supports_strreset = 1; 4762 } 4763 if (sctp_handle_stream_reset(stcb, m, *offset, (struct sctp_stream_reset_out_req *)ch)) { 4764 /* stop processing */ 4765 *offset = length; 4766 return (NULL); 4767 } 4768 break; 4769 case SCTP_PACKET_DROPPED: 4770 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n"); 4771 /* re-get it all please */ 4772 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) { 4773 /* Its not ours */ 4774 if (locked_tcb) { 4775 SCTP_TCB_UNLOCK(locked_tcb); 4776 } 4777 *offset = length; 4778 return (NULL); 4779 } 4780 if (ch && (stcb) && netp && (*netp)) { 4781 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4782 stcb, *netp, 4783 min(chk_length, (sizeof(chunk_buf) - 4))); 4784 4785 } 4786 break; 4787 4788 case SCTP_AUTHENTICATION: 4789 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n"); 4790 if (sctp_auth_disable) 4791 goto unknown_chunk; 4792 4793 if (stcb == NULL) { 4794 /* save the first AUTH for later processing */ 4795 if (auth_skipped == 0) { 4796 auth_offset = *offset; 4797 auth_len = chk_length; 4798 auth_skipped = 1; 4799 } 4800 /* skip this chunk (temporarily) */ 4801 goto next_chunk; 4802 } 4803 if ((chk_length < (sizeof(struct sctp_auth_chunk))) || 4804 (chk_length > (sizeof(struct sctp_auth_chunk) + 4805 SCTP_AUTH_DIGEST_LEN_MAX))) { 4806 /* Its not ours */ 4807 if (locked_tcb) { 4808 SCTP_TCB_UNLOCK(locked_tcb); 4809 } 4810 *offset = length; 4811 return (NULL); 4812 } 4813 if (got_auth == 1) { 4814 /* skip this chunk... it's already auth'd */ 4815 goto next_chunk; 4816 } 4817 got_auth = 1; 4818 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4819 m, *offset)) { 4820 /* auth HMAC failed so dump the packet */ 4821 *offset = length; 4822 return (stcb); 4823 } else { 4824 /* remaining chunks are HMAC checked */ 4825 stcb->asoc.authenticated = 1; 4826 } 4827 break; 4828 4829 default: 4830 unknown_chunk: 4831 /* it's an unknown chunk! */ 4832 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4833 struct mbuf *mm; 4834 struct sctp_paramhdr *phd; 4835 4836 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4837 0, M_DONTWAIT, 1, MT_DATA); 4838 if (mm) { 4839 phd = mtod(mm, struct sctp_paramhdr *); 4840 /* 4841 * We cheat and use param type since 4842 * we did not bother to define a 4843 * error cause struct. They are the 4844 * same basic format with different 4845 * names. 4846 */ 4847 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4848 phd->param_length = htons(chk_length + sizeof(*phd)); 4849 SCTP_BUF_LEN(mm) = sizeof(*phd); 4850 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 4851 M_DONTWAIT); 4852 if (SCTP_BUF_NEXT(mm)) { 4853#ifdef SCTP_MBUF_LOGGING 4854 if (sctp_logging_level & SCTP_MBUF_LOGGING_ENABLE) { 4855 struct mbuf *mat; 4856 4857 mat = SCTP_BUF_NEXT(mm); 4858 while (mat) { 4859 if (SCTP_BUF_IS_EXTENDED(mat)) { 4860 sctp_log_mb(mat, SCTP_MBUF_ICOPY); 4861 } 4862 mat = SCTP_BUF_NEXT(mat); 4863 } 4864 } 4865#endif 4866 sctp_queue_op_err(stcb, mm); 4867 } else { 4868 sctp_m_freem(mm); 4869 } 4870 } 4871 } 4872 if ((ch->chunk_type & 0x80) == 0) { 4873 /* discard this packet */ 4874 *offset = length; 4875 return (stcb); 4876 } /* else skip this bad chunk and continue... */ 4877 break; 4878 } /* switch (ch->chunk_type) */ 4879 4880 4881next_chunk: 4882 /* get the next chunk */ 4883 *offset += SCTP_SIZE32(chk_length); 4884 if (*offset >= length) { 4885 /* no more data left in the mbuf chain */ 4886 break; 4887 } 4888 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4889 sizeof(struct sctp_chunkhdr), chunk_buf); 4890 if (ch == NULL) { 4891 if (locked_tcb) { 4892 SCTP_TCB_UNLOCK(locked_tcb); 4893 } 4894 *offset = length; 4895 return (NULL); 4896 } 4897 } /* while */ 4898 4899 if (asconf_cnt > 0 && stcb != NULL) { 4900 sctp_send_asconf_ack(stcb); 4901 } 4902 return (stcb); 4903} 4904 4905 4906/* 4907 * Process the ECN bits we have something set so we must look to see if it is 4908 * ECN(0) or ECN(1) or CE 4909 */ 4910static void 4911sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4912 uint8_t ecn_bits) 4913{ 4914 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4915 ; 4916 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4917 /* 4918 * we only add to the nonce sum for ECT1, ECT0 does not 4919 * change the NS bit (that we have yet to find a way to send 4920 * it yet). 4921 */ 4922 4923 /* ECN Nonce stuff */ 4924 stcb->asoc.receiver_nonce_sum++; 4925 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4926 4927 /* 4928 * Drag up the last_echo point if cumack is larger since we 4929 * don't want the point falling way behind by more than 4930 * 2^^31 and then having it be incorrect. 4931 */ 4932 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4933 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4934 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4935 } 4936 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4937 /* 4938 * Drag up the last_echo point if cumack is larger since we 4939 * don't want the point falling way behind by more than 4940 * 2^^31 and then having it be incorrect. 4941 */ 4942 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4943 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4944 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4945 } 4946 } 4947} 4948 4949static void 4950sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4951 uint32_t high_tsn, uint8_t ecn_bits) 4952{ 4953 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4954 /* 4955 * we possibly must notify the sender that a congestion 4956 * window reduction is in order. We do this by adding a ECNE 4957 * chunk to the output chunk queue. The incoming CWR will 4958 * remove this chunk. 4959 */ 4960 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4961 MAX_TSN)) { 4962 /* Yep, we need to add a ECNE */ 4963 sctp_send_ecn_echo(stcb, net, high_tsn); 4964 stcb->asoc.last_echo_tsn = high_tsn; 4965 } 4966 } 4967} 4968 4969#ifdef INVARIANTS 4970static void 4971sctp_validate_no_locks(struct sctp_inpcb *inp) 4972{ 4973 struct sctp_tcb *stcb; 4974 4975 LIST_FOREACH(stcb, &inp->sctp_asoc_list, sctp_tcblist) { 4976 if (mtx_owned(&stcb->tcb_mtx)) { 4977 panic("Own lock on stcb at return from input"); 4978 } 4979 } 4980} 4981 4982#endif 4983 4984/* 4985 * common input chunk processing (v4 and v6) 4986 */ 4987void 4988sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4989 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4990 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4991 uint8_t ecn_bits, uint32_t vrf_id, uint16_t port) 4992{ 4993 /* 4994 * Control chunk processing 4995 */ 4996 uint32_t high_tsn; 4997 int fwd_tsn_seen = 0, data_processed = 0; 4998 struct mbuf *m = *mm; 4999 int abort_flag = 0; 5000 int un_sent; 5001 5002 SCTP_STAT_INCR(sctps_recvdatagrams); 5003#ifdef SCTP_AUDITING_ENABLED 5004 sctp_audit_log(0xE0, 1); 5005 sctp_auditing(0, inp, stcb, net); 5006#endif 5007 5008 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d stcb:%p\n", 5009 m, iphlen, offset, stcb); 5010 if (stcb) { 5011 /* always clear this before beginning a packet */ 5012 stcb->asoc.authenticated = 0; 5013 stcb->asoc.seen_a_sack_this_pkt = 0; 5014 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n", 5015 stcb, stcb->asoc.state); 5016 5017 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) || 5018 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) { 5019 /*- 5020 * If we hit here, we had a ref count 5021 * up when the assoc was aborted and the 5022 * timer is clearing out the assoc, we should 5023 * NOT respond to any packet.. its OOTB. 5024 */ 5025 SCTP_TCB_UNLOCK(stcb); 5026 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5027 vrf_id, port); 5028 goto out_now; 5029 } 5030 } 5031 if (IS_SCTP_CONTROL(ch)) { 5032 /* process the control portion of the SCTP packet */ 5033 /* sa_ignore NO_NULL_CHK */ 5034 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 5035 inp, stcb, &net, &fwd_tsn_seen, vrf_id, port); 5036 if (stcb) { 5037 /* 5038 * This covers us if the cookie-echo was there and 5039 * it changes our INP. 5040 */ 5041 inp = stcb->sctp_ep; 5042 } 5043 } else { 5044 /* 5045 * no control chunks, so pre-process DATA chunks (these 5046 * checks are taken care of by control processing) 5047 */ 5048 5049 /* 5050 * if DATA only packet, and auth is required, then punt... 5051 * can't have authenticated without any AUTH (control) 5052 * chunks 5053 */ 5054 if ((stcb != NULL) && !sctp_auth_disable && 5055 sctp_auth_is_required_chunk(SCTP_DATA, 5056 stcb->asoc.local_auth_chunks)) { 5057 /* "silently" ignore */ 5058 SCTP_STAT_INCR(sctps_recvauthmissing); 5059 SCTP_TCB_UNLOCK(stcb); 5060 goto out_now; 5061 } 5062 if (stcb == NULL) { 5063 /* out of the blue DATA chunk */ 5064 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5065 vrf_id, port); 5066 goto out_now; 5067 } 5068 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 5069 /* v_tag mismatch! */ 5070 SCTP_STAT_INCR(sctps_badvtag); 5071 SCTP_TCB_UNLOCK(stcb); 5072 goto out_now; 5073 } 5074 } 5075 5076 if (stcb == NULL) { 5077 /* 5078 * no valid TCB for this packet, or we found it's a bad 5079 * packet while processing control, or we're done with this 5080 * packet (done or skip rest of data), so we drop it... 5081 */ 5082 goto out_now; 5083 } 5084 /* 5085 * DATA chunk processing 5086 */ 5087 /* plow through the data chunks while length > offset */ 5088 5089 /* 5090 * Rest should be DATA only. Check authentication state if AUTH for 5091 * DATA is required. 5092 */ 5093 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable && 5094 sctp_auth_is_required_chunk(SCTP_DATA, 5095 stcb->asoc.local_auth_chunks) && 5096 !stcb->asoc.authenticated) { 5097 /* "silently" ignore */ 5098 SCTP_STAT_INCR(sctps_recvauthmissing); 5099 SCTPDBG(SCTP_DEBUG_AUTH1, 5100 "Data chunk requires AUTH, skipped\n"); 5101 goto trigger_send; 5102 } 5103 if (length > offset) { 5104 int retval; 5105 5106 /* 5107 * First check to make sure our state is correct. We would 5108 * not get here unless we really did have a tag, so we don't 5109 * abort if this happens, just dump the chunk silently. 5110 */ 5111 switch (SCTP_GET_STATE(&stcb->asoc)) { 5112 case SCTP_STATE_COOKIE_ECHOED: 5113 /* 5114 * we consider data with valid tags in this state 5115 * shows us the cookie-ack was lost. Imply it was 5116 * there. 5117 */ 5118 if (sctp_logging_level & SCTP_THRESHOLD_LOGGING) { 5119 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5120 stcb->asoc.overall_error_count, 5121 0, 5122 SCTP_FROM_SCTP_INPUT, 5123 __LINE__); 5124 } 5125 stcb->asoc.overall_error_count = 0; 5126 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 5127 break; 5128 case SCTP_STATE_COOKIE_WAIT: 5129 /* 5130 * We consider OOTB any data sent during asoc setup. 5131 */ 5132 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5133 vrf_id, port); 5134 SCTP_TCB_UNLOCK(stcb); 5135 goto out_now; 5136 /* sa_ignore NOTREACHED */ 5137 break; 5138 case SCTP_STATE_EMPTY: /* should not happen */ 5139 case SCTP_STATE_INUSE: /* should not happen */ 5140 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 5141 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5142 default: 5143 SCTP_TCB_UNLOCK(stcb); 5144 goto out_now; 5145 /* sa_ignore NOTREACHED */ 5146 break; 5147 case SCTP_STATE_OPEN: 5148 case SCTP_STATE_SHUTDOWN_SENT: 5149 break; 5150 } 5151 /* take care of ECN, part 1. */ 5152 if (stcb->asoc.ecn_allowed && 5153 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 5154 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 5155 } 5156 /* plow through the data chunks while length > offset */ 5157 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 5158 inp, stcb, net, &high_tsn); 5159 if (retval == 2) { 5160 /* 5161 * The association aborted, NO UNLOCK needed since 5162 * the association is destroyed. 5163 */ 5164 goto out_now; 5165 } 5166 data_processed = 1; 5167 if (retval == 0) { 5168 /* take care of ecn part 2. */ 5169 if (stcb->asoc.ecn_allowed && 5170 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 5171 sctp_process_ecn_marked_b(stcb, net, high_tsn, 5172 ecn_bits); 5173 } 5174 } 5175 /* 5176 * Anything important needs to have been m_copy'ed in 5177 * process_data 5178 */ 5179 } 5180 if ((data_processed == 0) && (fwd_tsn_seen)) { 5181 int was_a_gap = 0; 5182 5183 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 5184 stcb->asoc.cumulative_tsn, MAX_TSN)) { 5185 /* there was a gap before this data was processed */ 5186 was_a_gap = 1; 5187 } 5188 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 5189 if (abort_flag) { 5190 /* Again, we aborted so NO UNLOCK needed */ 5191 goto out_now; 5192 } 5193 } 5194 /* trigger send of any chunks in queue... */ 5195trigger_send: 5196#ifdef SCTP_AUDITING_ENABLED 5197 sctp_audit_log(0xE0, 2); 5198 sctp_auditing(1, inp, stcb, net); 5199#endif 5200 SCTPDBG(SCTP_DEBUG_INPUT1, 5201 "Check for chunk output prw:%d tqe:%d tf=%d\n", 5202 stcb->asoc.peers_rwnd, 5203 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 5204 stcb->asoc.total_flight); 5205 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 5206 5207 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 5208 ((un_sent) && 5209 (stcb->asoc.peers_rwnd > 0 || 5210 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 5211 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n"); 5212 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 5213 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n"); 5214 } 5215#ifdef SCTP_AUDITING_ENABLED 5216 sctp_audit_log(0xE0, 3); 5217 sctp_auditing(2, inp, stcb, net); 5218#endif 5219 SCTP_TCB_UNLOCK(stcb); 5220out_now: 5221#ifdef INVARIANTS 5222 sctp_validate_no_locks(inp); 5223#endif 5224 return; 5225} 5226 5227 5228void 5229sctp_input_with_port(i_pak, off, port) 5230 struct mbuf *i_pak; 5231 int off; 5232 uint16_t port; 5233{ 5234#ifdef SCTP_MBUF_LOGGING 5235 struct mbuf *mat; 5236 5237#endif 5238 struct mbuf *m; 5239 int iphlen; 5240 uint32_t vrf_id = 0; 5241 uint8_t ecn_bits; 5242 struct ip *ip; 5243 struct sctphdr *sh; 5244 struct sctp_inpcb *inp = NULL; 5245 5246 uint32_t check, calc_check; 5247 struct sctp_nets *net; 5248 struct sctp_tcb *stcb = NULL; 5249 struct sctp_chunkhdr *ch; 5250 int refcount_up = 0; 5251 int length, mlen, offset; 5252 5253 5254 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) { 5255 SCTP_RELEASE_PKT(i_pak); 5256 return; 5257 } 5258 mlen = SCTP_HEADER_LEN(i_pak); 5259 iphlen = off; 5260 m = SCTP_HEADER_TO_CHAIN(i_pak); 5261 5262 net = NULL; 5263 SCTP_STAT_INCR(sctps_recvpackets); 5264 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 5265 5266 5267#ifdef SCTP_MBUF_LOGGING 5268 /* Log in any input mbufs */ 5269 if (sctp_logging_level & SCTP_MBUF_LOGGING_ENABLE) { 5270 mat = m; 5271 while (mat) { 5272 if (SCTP_BUF_IS_EXTENDED(mat)) { 5273 sctp_log_mb(mat, SCTP_MBUF_INPUT); 5274 } 5275 mat = SCTP_BUF_NEXT(mat); 5276 } 5277 } 5278#endif 5279#ifdef SCTP_PACKET_LOGGING 5280 if (sctp_logging_level & SCTP_LAST_PACKET_TRACING) 5281 sctp_packet_log(m, mlen); 5282#endif 5283 /* 5284 * Must take out the iphlen, since mlen expects this (only effect lb 5285 * case) 5286 */ 5287 mlen -= iphlen; 5288 5289 /* 5290 * Get IP, SCTP, and first chunk header together in first mbuf. 5291 */ 5292 ip = mtod(m, struct ip *); 5293 offset = iphlen + sizeof(*sh) + sizeof(*ch); 5294 if (SCTP_BUF_LEN(m) < offset) { 5295 if ((m = m_pullup(m, offset)) == 0) { 5296 SCTP_STAT_INCR(sctps_hdrops); 5297 return; 5298 } 5299 ip = mtod(m, struct ip *); 5300 } 5301 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 5302 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 5303 SCTPDBG(SCTP_DEBUG_INPUT1, 5304 "sctp_input() length:%d iphlen:%d\n", mlen, iphlen); 5305 5306 /* SCTP does not allow broadcasts or multicasts */ 5307 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 5308 goto bad; 5309 } 5310 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 5311 /* 5312 * We only look at broadcast if its a front state, All 5313 * others we will not have a tcb for anyway. 5314 */ 5315 goto bad; 5316 } 5317 /* validate SCTP checksum */ 5318 check = sh->checksum; /* save incoming checksum */ 5319 if ((check == 0) && (sctp_no_csum_on_loopback) && 5320 ((ip->ip_src.s_addr == ip->ip_dst.s_addr) || 5321 (SCTP_IS_IT_LOOPBACK(m))) 5322 ) { 5323 goto sctp_skip_csum_4; 5324 } 5325 sh->checksum = 0; /* prepare for calc */ 5326 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 5327 if (calc_check != check) { 5328 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 5329 calc_check, check, m, mlen, iphlen); 5330 5331 stcb = sctp_findassociation_addr(m, iphlen, 5332 offset - sizeof(*ch), 5333 sh, ch, &inp, &net, 5334 vrf_id); 5335 if ((net) && (port)) { 5336 if (net->port == 0) { 5337 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr)); 5338 } 5339 net->port = port; 5340 } 5341 if ((inp) && (stcb)) { 5342 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 5343 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED); 5344 } else if ((inp != NULL) && (stcb == NULL)) { 5345 refcount_up = 1; 5346 } 5347 SCTP_STAT_INCR(sctps_badsum); 5348 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 5349 goto bad; 5350 } 5351 sh->checksum = calc_check; 5352sctp_skip_csum_4: 5353 /* destination port of 0 is illegal, based on RFC2960. */ 5354 if (sh->dest_port == 0) { 5355 SCTP_STAT_INCR(sctps_hdrops); 5356 goto bad; 5357 } 5358 /* validate mbuf chain length with IP payload length */ 5359 if (mlen < (ip->ip_len - iphlen)) { 5360 SCTP_STAT_INCR(sctps_hdrops); 5361 goto bad; 5362 } 5363 /* 5364 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 5365 * IP/SCTP/first chunk header... 5366 */ 5367 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 5368 sh, ch, &inp, &net, vrf_id); 5369 if ((net) && (port)) { 5370 if (net->port == 0) { 5371 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr)); 5372 } 5373 net->port = port; 5374 } 5375 /* inp's ref-count increased && stcb locked */ 5376 if (inp == NULL) { 5377 struct sctp_init_chunk *init_chk, chunk_buf; 5378 5379 SCTP_STAT_INCR(sctps_noport); 5380#ifdef ICMP_BANDLIM 5381 /* 5382 * we use the bandwidth limiting to protect against sending 5383 * too many ABORTS all at once. In this case these count the 5384 * same as an ICMP message. 5385 */ 5386 if (badport_bandlim(0) < 0) 5387 goto bad; 5388#endif /* ICMP_BANDLIM */ 5389 SCTPDBG(SCTP_DEBUG_INPUT1, 5390 "Sending a ABORT from packet entry!\n"); 5391 if (ch->chunk_type == SCTP_INITIATION) { 5392 /* 5393 * we do a trick here to get the INIT tag, dig in 5394 * and get the tag from the INIT and put it in the 5395 * common header. 5396 */ 5397 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 5398 iphlen + sizeof(*sh), sizeof(*init_chk), 5399 (uint8_t *) & chunk_buf); 5400 if (init_chk != NULL) 5401 sh->v_tag = init_chk->init.initiate_tag; 5402 } 5403 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 5404 sctp_send_shutdown_complete2(m, iphlen, sh, vrf_id, port); 5405 goto bad; 5406 } 5407 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 5408 goto bad; 5409 } 5410 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 5411 sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id, port); 5412 goto bad; 5413 } else if (stcb == NULL) { 5414 refcount_up = 1; 5415 } 5416#ifdef IPSEC 5417 /* 5418 * I very much doubt any of the IPSEC stuff will work but I have no 5419 * idea, so I will leave it in place. 5420 */ 5421 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 5422 ipsec4stat.in_polvio++; 5423 SCTP_STAT_INCR(sctps_hdrops); 5424 goto bad; 5425 } 5426#endif /* IPSEC */ 5427 5428 /* 5429 * common chunk processing 5430 */ 5431 length = ip->ip_len + iphlen; 5432 offset -= sizeof(struct sctp_chunkhdr); 5433 5434 ecn_bits = ip->ip_tos; 5435 5436 /* sa_ignore NO_NULL_CHK */ 5437 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 5438 inp, stcb, net, ecn_bits, vrf_id, port); 5439 /* inp's ref-count reduced && stcb unlocked */ 5440 if (m) { 5441 sctp_m_freem(m); 5442 } 5443 if ((inp) && (refcount_up)) { 5444 /* reduce ref-count */ 5445 SCTP_INP_DECR_REF(inp); 5446 } 5447 return; 5448bad: 5449 if (stcb) { 5450 SCTP_TCB_UNLOCK(stcb); 5451 } 5452 if ((inp) && (refcount_up)) { 5453 /* reduce ref-count */ 5454 SCTP_INP_DECR_REF(inp); 5455 } 5456 if (m) { 5457 sctp_m_freem(m); 5458 } 5459 return; 5460} 5461void 5462sctp_input(i_pak, off) 5463 struct mbuf *i_pak; 5464 int off; 5465{ 5466 sctp_input_with_port(i_pak, off, 0); 5467} 5468