sctp_input.c revision 216821
1/*- 2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 216821 2010-12-30 16:23:13Z tuexen $"); 35 36#include <netinet/sctp_os.h> 37#include <netinet/sctp_var.h> 38#include <netinet/sctp_sysctl.h> 39#include <netinet/sctp_pcb.h> 40#include <netinet/sctp_header.h> 41#include <netinet/sctputil.h> 42#include <netinet/sctp_output.h> 43#include <netinet/sctp_input.h> 44#include <netinet/sctp_auth.h> 45#include <netinet/sctp_indata.h> 46#include <netinet/sctp_asconf.h> 47#include <netinet/sctp_bsd_addr.h> 48#include <netinet/sctp_timer.h> 49#include <netinet/sctp_crc32.h> 50#include <netinet/udp.h> 51 52 53 54static void 55sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 56{ 57 struct sctp_nets *net; 58 59 /* 60 * This now not only stops all cookie timers it also stops any INIT 61 * timers as well. This will make sure that the timers are stopped 62 * in all collision cases. 63 */ 64 SCTP_TCB_LOCK_ASSERT(stcb); 65 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 66 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 67 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 68 stcb->sctp_ep, 69 stcb, 70 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 71 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 72 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 73 stcb->sctp_ep, 74 stcb, 75 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 76 } 77 } 78} 79 80/* INIT handler */ 81static void 82sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 83 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 84 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, uint16_t port) 85{ 86 struct sctp_init *init; 87 struct mbuf *op_err; 88 uint32_t init_limit; 89 90 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n", 91 stcb); 92 if (stcb == NULL) { 93 SCTP_INP_RLOCK(inp); 94 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 95 goto outnow; 96 } 97 } 98 op_err = NULL; 99 init = &cp->init; 100 /* First are we accepting? */ 101 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 102 SCTPDBG(SCTP_DEBUG_INPUT2, 103 "sctp_handle_init: Abort, so_qlimit:%d\n", 104 inp->sctp_socket->so_qlimit); 105 /* 106 * FIX ME ?? What about TCP model and we have a 107 * match/restart case? Actually no fix is needed. the lookup 108 * will always find the existing assoc so stcb would not be 109 * NULL. It may be questionable to do this since we COULD 110 * just send back the INIT-ACK and hope that the app did 111 * accept()'s by the time the COOKIE was sent. But there is 112 * a price to pay for COOKIE generation and I don't want to 113 * pay it on the chance that the app will actually do some 114 * accepts(). The App just looses and should NOT be in this 115 * state :-) 116 */ 117 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 118 vrf_id, port); 119 if (stcb) 120 *abort_no_unlock = 1; 121 goto outnow; 122 } 123 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 124 /* Invalid length */ 125 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 126 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 127 vrf_id, port); 128 if (stcb) 129 *abort_no_unlock = 1; 130 goto outnow; 131 } 132 /* validate parameters */ 133 if (init->initiate_tag == 0) { 134 /* protocol error... send abort */ 135 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 136 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 137 vrf_id, port); 138 if (stcb) 139 *abort_no_unlock = 1; 140 goto outnow; 141 } 142 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 143 /* invalid parameter... send abort */ 144 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 145 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 146 vrf_id, port); 147 if (stcb) 148 *abort_no_unlock = 1; 149 goto outnow; 150 } 151 if (init->num_inbound_streams == 0) { 152 /* protocol error... send abort */ 153 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 154 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 155 vrf_id, port); 156 if (stcb) 157 *abort_no_unlock = 1; 158 goto outnow; 159 } 160 if (init->num_outbound_streams == 0) { 161 /* protocol error... send abort */ 162 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 163 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 164 vrf_id, port); 165 if (stcb) 166 *abort_no_unlock = 1; 167 goto outnow; 168 } 169 init_limit = offset + ntohs(cp->ch.chunk_length); 170 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 171 init_limit)) { 172 /* auth parameter(s) error... send abort */ 173 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id, port); 174 if (stcb) 175 *abort_no_unlock = 1; 176 goto outnow; 177 } 178 /* send an INIT-ACK w/cookie */ 179 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n"); 180 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id, port, 181 ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED)); 182outnow: 183 if (stcb == NULL) { 184 SCTP_INP_RUNLOCK(inp); 185 } 186} 187 188/* 189 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 190 */ 191 192int 193sctp_is_there_unsent_data(struct sctp_tcb *stcb) 194{ 195 int unsent_data = 0; 196 struct sctp_stream_queue_pending *sp; 197 struct sctp_stream_out *strq; 198 struct sctp_association *asoc; 199 200 /* 201 * This function returns the number of streams that have true unsent 202 * data on them. Note that as it looks through it will clean up any 203 * places that have old data that has been sent but left at top of 204 * stream queue. 205 */ 206 asoc = &stcb->asoc; 207 SCTP_TCB_SEND_LOCK(stcb); 208 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 209 /* Check to see if some data queued */ 210 TAILQ_FOREACH(strq, &asoc->out_wheel, next_spoke) { 211 is_there_another: 212 /* sa_ignore FREED_MEMORY */ 213 sp = TAILQ_FIRST(&strq->outqueue); 214 if (sp == NULL) { 215 continue; 216 } 217 if ((sp->msg_is_complete) && 218 (sp->length == 0) && 219 (sp->sender_all_done)) { 220 /* 221 * We are doing differed cleanup. Last time 222 * through when we took all the data the 223 * sender_all_done was not set. 224 */ 225 if (sp->put_last_out == 0) { 226 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n"); 227 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n", 228 sp->sender_all_done, 229 sp->length, 230 sp->msg_is_complete, 231 sp->put_last_out); 232 } 233 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1); 234 TAILQ_REMOVE(&strq->outqueue, sp, next); 235 if (sp->net) { 236 sctp_free_remote_addr(sp->net); 237 sp->net = NULL; 238 } 239 if (sp->data) { 240 sctp_m_freem(sp->data); 241 sp->data = NULL; 242 } 243 sctp_free_a_strmoq(stcb, sp); 244 goto is_there_another; 245 } else { 246 unsent_data++; 247 continue; 248 } 249 } 250 } 251 SCTP_TCB_SEND_UNLOCK(stcb); 252 return (unsent_data); 253} 254 255static int 256sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 257 struct sctp_nets *net) 258{ 259 struct sctp_init *init; 260 struct sctp_association *asoc; 261 struct sctp_nets *lnet; 262 unsigned int i; 263 264 init = &cp->init; 265 asoc = &stcb->asoc; 266 /* save off parameters */ 267 asoc->peer_vtag = ntohl(init->initiate_tag); 268 asoc->peers_rwnd = ntohl(init->a_rwnd); 269 if (!TAILQ_EMPTY(&asoc->nets)) { 270 /* update any ssthresh's that may have a default */ 271 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 272 lnet->ssthresh = asoc->peers_rwnd; 273 274 if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) { 275 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 276 } 277 } 278 } 279 SCTP_TCB_SEND_LOCK(stcb); 280 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 281 unsigned int newcnt; 282 struct sctp_stream_out *outs; 283 struct sctp_stream_queue_pending *sp; 284 struct sctp_tmit_chunk *chk, *chk_next; 285 286 /* abandon the upper streams */ 287 newcnt = ntohs(init->num_inbound_streams); 288 if (!TAILQ_EMPTY(&asoc->send_queue)) { 289 chk = TAILQ_FIRST(&asoc->send_queue); 290 while (chk) { 291 chk_next = TAILQ_NEXT(chk, sctp_next); 292 if (chk->rec.data.stream_number >= newcnt) { 293 TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next); 294 asoc->send_queue_cnt--; 295 if (chk->data != NULL) { 296 sctp_free_bufspace(stcb, asoc, chk, 1); 297 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL, stcb, 298 SCTP_NOTIFY_DATAGRAM_UNSENT, chk, SCTP_SO_NOT_LOCKED); 299 if (chk->data) { 300 sctp_m_freem(chk->data); 301 chk->data = NULL; 302 } 303 } 304 sctp_free_a_chunk(stcb, chk); 305 /* sa_ignore FREED_MEMORY */ 306 } 307 chk = chk_next; 308 } 309 } 310 if (asoc->strmout) { 311 for (i = newcnt; i < asoc->pre_open_streams; i++) { 312 outs = &asoc->strmout[i]; 313 sp = TAILQ_FIRST(&outs->outqueue); 314 while (sp) { 315 TAILQ_REMOVE(&outs->outqueue, sp, next); 316 asoc->stream_queue_cnt--; 317 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 318 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 319 sp, SCTP_SO_NOT_LOCKED); 320 if (sp->data) { 321 sctp_m_freem(sp->data); 322 sp->data = NULL; 323 } 324 if (sp->net) { 325 sctp_free_remote_addr(sp->net); 326 sp->net = NULL; 327 } 328 /* Free the chunk */ 329 sctp_free_a_strmoq(stcb, sp); 330 /* sa_ignore FREED_MEMORY */ 331 sp = TAILQ_FIRST(&outs->outqueue); 332 } 333 } 334 } 335 /* cut back the count */ 336 asoc->pre_open_streams = newcnt; 337 } 338 SCTP_TCB_SEND_UNLOCK(stcb); 339 asoc->strm_realoutsize = asoc->streamoutcnt = asoc->pre_open_streams; 340 /* init tsn's */ 341 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 342 /* EY - nr_sack: initialize highest tsn in nr_mapping_array */ 343 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map; 344 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 345 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 346 } 347 /* This is the next one we expect */ 348 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 349 350 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 351 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in; 352 asoc->last_echo_tsn = asoc->asconf_seq_in; 353 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 354 /* open the requested streams */ 355 356 if (asoc->strmin != NULL) { 357 /* Free the old ones */ 358 struct sctp_queued_to_read *ctl; 359 360 for (i = 0; i < asoc->streamincnt; i++) { 361 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 362 while (ctl) { 363 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 364 sctp_free_remote_addr(ctl->whoFrom); 365 ctl->whoFrom = NULL; 366 sctp_m_freem(ctl->data); 367 ctl->data = NULL; 368 sctp_free_a_readq(stcb, ctl); 369 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 370 } 371 } 372 SCTP_FREE(asoc->strmin, SCTP_M_STRMI); 373 } 374 asoc->streamincnt = ntohs(init->num_outbound_streams); 375 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 376 asoc->streamincnt = MAX_SCTP_STREAMS; 377 } 378 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 379 sizeof(struct sctp_stream_in), SCTP_M_STRMI); 380 if (asoc->strmin == NULL) { 381 /* we didn't get memory for the streams! */ 382 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n"); 383 return (-1); 384 } 385 for (i = 0; i < asoc->streamincnt; i++) { 386 asoc->strmin[i].stream_no = i; 387 asoc->strmin[i].last_sequence_delivered = 0xffff; 388 /* 389 * U-stream ranges will be set when the cookie is unpacked. 390 * Or for the INIT sender they are un set (if pr-sctp not 391 * supported) when the INIT-ACK arrives. 392 */ 393 TAILQ_INIT(&asoc->strmin[i].inqueue); 394 asoc->strmin[i].delivery_started = 0; 395 } 396 /* 397 * load_address_from_init will put the addresses into the 398 * association when the COOKIE is processed or the INIT-ACK is 399 * processed. Both types of COOKIE's existing and new call this 400 * routine. It will remove addresses that are no longer in the 401 * association (for the restarting case where addresses are 402 * removed). Up front when the INIT arrives we will discard it if it 403 * is a restart and new addresses have been added. 404 */ 405 /* sa_ignore MEMLEAK */ 406 return (0); 407} 408 409/* 410 * INIT-ACK message processing/consumption returns value < 0 on error 411 */ 412static int 413sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 414 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 415 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 416{ 417 struct sctp_association *asoc; 418 struct mbuf *op_err; 419 int retval, abort_flag; 420 uint32_t initack_limit; 421 int nat_friendly = 0; 422 423 /* First verify that we have no illegal param's */ 424 abort_flag = 0; 425 op_err = NULL; 426 427 op_err = sctp_arethere_unrecognized_parameters(m, 428 (offset + sizeof(struct sctp_init_chunk)), 429 &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly); 430 if (abort_flag) { 431 /* Send an abort and notify peer */ 432 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err, SCTP_SO_NOT_LOCKED); 433 *abort_no_unlock = 1; 434 return (-1); 435 } 436 asoc = &stcb->asoc; 437 asoc->peer_supports_nat = (uint8_t) nat_friendly; 438 /* process the peer's parameters in the INIT-ACK */ 439 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 440 if (retval < 0) { 441 return (retval); 442 } 443 initack_limit = offset + ntohs(cp->ch.chunk_length); 444 /* load all addresses */ 445 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 446 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 447 NULL))) { 448 /* Huh, we should abort */ 449 SCTPDBG(SCTP_DEBUG_INPUT1, 450 "Load addresses from INIT causes an abort %d\n", 451 retval); 452 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 453 NULL, 0, net->port); 454 *abort_no_unlock = 1; 455 return (-1); 456 } 457 /* if the peer doesn't support asconf, flush the asconf queue */ 458 if (asoc->peer_supports_asconf == 0) { 459 struct sctp_asconf_addr *aparam; 460 461 while (!TAILQ_EMPTY(&asoc->asconf_queue)) { 462 /* sa_ignore FREED_MEMORY */ 463 aparam = TAILQ_FIRST(&asoc->asconf_queue); 464 TAILQ_REMOVE(&asoc->asconf_queue, aparam, next); 465 SCTP_FREE(aparam, SCTP_M_ASC_ADDR); 466 } 467 } 468 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 469 stcb->asoc.local_hmacs); 470 if (op_err) { 471 sctp_queue_op_err(stcb, op_err); 472 /* queuing will steal away the mbuf chain to the out queue */ 473 op_err = NULL; 474 } 475 /* extract the cookie and queue it to "echo" it back... */ 476 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 477 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 478 stcb->asoc.overall_error_count, 479 0, 480 SCTP_FROM_SCTP_INPUT, 481 __LINE__); 482 } 483 stcb->asoc.overall_error_count = 0; 484 net->error_count = 0; 485 486 /* 487 * Cancel the INIT timer, We do this first before queueing the 488 * cookie. We always cancel at the primary to assue that we are 489 * canceling the timer started by the INIT which always goes to the 490 * primary. 491 */ 492 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 493 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 494 495 /* calculate the RTO */ 496 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy); 497 498 retval = sctp_send_cookie_echo(m, offset, stcb, net); 499 if (retval < 0) { 500 /* 501 * No cookie, we probably should send a op error. But in any 502 * case if there is no cookie in the INIT-ACK, we can 503 * abandon the peer, its broke. 504 */ 505 if (retval == -3) { 506 /* We abort with an error of missing mandatory param */ 507 op_err = 508 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 509 if (op_err) { 510 /* 511 * Expand beyond to include the mandatory 512 * param cookie 513 */ 514 struct sctp_inv_mandatory_param *mp; 515 516 SCTP_BUF_LEN(op_err) = 517 sizeof(struct sctp_inv_mandatory_param); 518 mp = mtod(op_err, 519 struct sctp_inv_mandatory_param *); 520 /* Subtract the reserved param */ 521 mp->length = 522 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 523 mp->num_param = htonl(1); 524 mp->param = htons(SCTP_STATE_COOKIE); 525 mp->resv = 0; 526 } 527 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 528 sh, op_err, 0, net->port); 529 *abort_no_unlock = 1; 530 } 531 return (retval); 532 } 533 return (0); 534} 535 536static void 537sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 538 struct sctp_tcb *stcb, struct sctp_nets *net) 539{ 540 struct sockaddr_storage store; 541 struct sockaddr_in *sin; 542 struct sockaddr_in6 *sin6; 543 struct sctp_nets *r_net, *f_net; 544 struct timeval tv; 545 int req_prim = 0; 546 547 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 548 /* Invalid length */ 549 return; 550 } 551 sin = (struct sockaddr_in *)&store; 552 sin6 = (struct sockaddr_in6 *)&store; 553 554 memset(&store, 0, sizeof(store)); 555 if (cp->heartbeat.hb_info.addr_family == AF_INET && 556 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 557 sin->sin_family = cp->heartbeat.hb_info.addr_family; 558 sin->sin_len = cp->heartbeat.hb_info.addr_len; 559 sin->sin_port = stcb->rport; 560 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 561 sizeof(sin->sin_addr)); 562 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 563 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 564 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 565 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 566 sin6->sin6_port = stcb->rport; 567 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 568 sizeof(sin6->sin6_addr)); 569 } else { 570 return; 571 } 572 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 573 if (r_net == NULL) { 574 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n"); 575 return; 576 } 577 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 578 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 579 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 580 /* 581 * If the its a HB and it's random value is correct when can 582 * confirm the destination. 583 */ 584 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 585 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 586 stcb->asoc.primary_destination = r_net; 587 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY; 588 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 589 f_net = TAILQ_FIRST(&stcb->asoc.nets); 590 if (f_net != r_net) { 591 /* 592 * first one on the list is NOT the primary 593 * sctp_cmpaddr() is much more efficent if 594 * the primary is the first on the list, 595 * make it so. 596 */ 597 TAILQ_REMOVE(&stcb->asoc.nets, r_net, sctp_next); 598 TAILQ_INSERT_HEAD(&stcb->asoc.nets, r_net, sctp_next); 599 } 600 req_prim = 1; 601 } 602 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 603 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED); 604 } 605 r_net->error_count = 0; 606 r_net->hb_responded = 1; 607 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 608 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 609 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 610 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 611 r_net->dest_state |= SCTP_ADDR_REACHABLE; 612 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 613 SCTP_HEARTBEAT_SUCCESS, (void *)r_net, SCTP_SO_NOT_LOCKED); 614 /* now was it the primary? if so restore */ 615 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 616 (void)sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 617 } 618 } 619 /* 620 * JRS 5/14/07 - If CMT PF is on and the destination is in PF state, 621 * set the destination to active state and set the cwnd to one or 622 * two MTU's based on whether PF1 or PF2 is being used. If a T3 623 * timer is running, for the destination, stop the timer because a 624 * PF-heartbeat was received. 625 */ 626 if ((stcb->asoc.sctp_cmt_on_off > 0) && 627 (stcb->asoc.sctp_cmt_pf > 0) && 628 ((net->dest_state & SCTP_ADDR_PF) == SCTP_ADDR_PF)) { 629 if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 630 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 631 stcb, net, 632 SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 633 } 634 net->dest_state &= ~SCTP_ADDR_PF; 635 net->cwnd = net->mtu * stcb->asoc.sctp_cmt_pf; 636 SCTPDBG(SCTP_DEBUG_INPUT1, "Destination %p moved from PF to reachable with cwnd %d.\n", 637 net, net->cwnd); 638 } 639 /* Now lets do a RTO with this */ 640 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy); 641 /* Mobility adaptation */ 642 if (req_prim) { 643 if ((sctp_is_mobility_feature_on(stcb->sctp_ep, 644 SCTP_MOBILITY_BASE) || 645 sctp_is_mobility_feature_on(stcb->sctp_ep, 646 SCTP_MOBILITY_FASTHANDOFF)) && 647 sctp_is_mobility_feature_on(stcb->sctp_ep, 648 SCTP_MOBILITY_PRIM_DELETED)) { 649 650 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_TIMER + SCTP_LOC_7); 651 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 652 SCTP_MOBILITY_FASTHANDOFF)) { 653 sctp_assoc_immediate_retrans(stcb, 654 stcb->asoc.primary_destination); 655 } 656 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 657 SCTP_MOBILITY_BASE)) { 658 sctp_move_chunks_from_net(stcb, 659 stcb->asoc.deleted_primary); 660 } 661 sctp_delete_prim_timer(stcb->sctp_ep, stcb, 662 stcb->asoc.deleted_primary); 663 } 664 } 665} 666 667static int 668sctp_handle_nat_colliding_state(struct sctp_tcb *stcb) 669{ 670 /* 671 * return 0 means we want you to proceed with the abort non-zero 672 * means no abort processing 673 */ 674 struct sctpasochead *head; 675 676 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) { 677 /* generate a new vtag and send init */ 678 LIST_REMOVE(stcb, sctp_asocs); 679 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1); 680 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))]; 681 /* 682 * put it in the bucket in the vtag hash of assoc's for the 683 * system 684 */ 685 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 686 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 687 return (1); 688 } 689 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED) { 690 /* 691 * treat like a case where the cookie expired i.e.: - dump 692 * current cookie. - generate a new vtag. - resend init. 693 */ 694 /* generate a new vtag and send init */ 695 LIST_REMOVE(stcb, sctp_asocs); 696 stcb->asoc.state &= ~SCTP_STATE_COOKIE_ECHOED; 697 stcb->asoc.state |= SCTP_STATE_COOKIE_WAIT; 698 sctp_stop_all_cookie_timers(stcb); 699 sctp_toss_old_cookies(stcb, &stcb->asoc); 700 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1); 701 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))]; 702 /* 703 * put it in the bucket in the vtag hash of assoc's for the 704 * system 705 */ 706 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 707 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 708 return (1); 709 } 710 return (0); 711} 712 713static int 714sctp_handle_nat_missing_state(struct sctp_tcb *stcb, 715 struct sctp_nets *net) 716{ 717 /* 718 * return 0 means we want you to proceed with the abort non-zero 719 * means no abort processing 720 */ 721 if (stcb->asoc.peer_supports_auth == 0) { 722 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n"); 723 return (0); 724 } 725 sctp_asconf_send_nat_state_update(stcb, net); 726 return (1); 727} 728 729 730static void 731sctp_handle_abort(struct sctp_abort_chunk *cp, 732 struct sctp_tcb *stcb, struct sctp_nets *net) 733{ 734#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 735 struct socket *so; 736 737#endif 738 uint16_t len; 739 740 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n"); 741 if (stcb == NULL) 742 return; 743 744 len = ntohs(cp->ch.chunk_length); 745 if (len > sizeof(struct sctp_chunkhdr)) { 746 /* 747 * Need to check the cause codes for our two magic nat 748 * aborts which don't kill the assoc necessarily. 749 */ 750 struct sctp_abort_chunk *cpnext; 751 struct sctp_missing_nat_state *natc; 752 uint16_t cause; 753 754 cpnext = cp; 755 cpnext++; 756 natc = (struct sctp_missing_nat_state *)cpnext; 757 cause = ntohs(natc->cause); 758 if (cause == SCTP_CAUSE_NAT_COLLIDING_STATE) { 759 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n", 760 cp->ch.chunk_flags); 761 if (sctp_handle_nat_colliding_state(stcb)) { 762 return; 763 } 764 } else if (cause == SCTP_CAUSE_NAT_MISSING_STATE) { 765 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n", 766 cp->ch.chunk_flags); 767 if (sctp_handle_nat_missing_state(stcb, net)) { 768 return; 769 } 770 } 771 } 772 /* stop any receive timers */ 773 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 774 /* notify user of the abort and clean up... */ 775 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED); 776 /* free the tcb */ 777#if defined(SCTP_PANIC_ON_ABORT) 778 printf("stcb:%p state:%d rport:%d net:%p\n", 779 stcb, stcb->asoc.state, stcb->rport, net); 780 if (!(stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) { 781 panic("Received an ABORT"); 782 } else { 783 printf("No panic its in state %x closed\n", stcb->asoc.state); 784 } 785#endif 786 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 787 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 788 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 789 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 790 } 791#ifdef SCTP_ASOCLOG_OF_TSNS 792 sctp_print_out_track_log(stcb); 793#endif 794#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 795 so = SCTP_INP_SO(stcb->sctp_ep); 796 atomic_add_int(&stcb->asoc.refcnt, 1); 797 SCTP_TCB_UNLOCK(stcb); 798 SCTP_SOCKET_LOCK(so, 1); 799 SCTP_TCB_LOCK(stcb); 800 atomic_subtract_int(&stcb->asoc.refcnt, 1); 801#endif 802 stcb->asoc.state |= SCTP_STATE_WAS_ABORTED; 803 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 804 SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 805#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 806 SCTP_SOCKET_UNLOCK(so, 1); 807#endif 808 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n"); 809} 810 811static void 812sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 813 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 814{ 815 struct sctp_association *asoc; 816 int some_on_streamwheel; 817 818#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 819 struct socket *so; 820 821#endif 822 823 SCTPDBG(SCTP_DEBUG_INPUT2, 824 "sctp_handle_shutdown: handling SHUTDOWN\n"); 825 if (stcb == NULL) 826 return; 827 asoc = &stcb->asoc; 828 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 829 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 830 return; 831 } 832 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 833 /* Shutdown NOT the expected size */ 834 return; 835 } else { 836 sctp_update_acked(stcb, cp, net, abort_flag); 837 if (*abort_flag) { 838 return; 839 } 840 } 841 if (asoc->control_pdapi) { 842 /* 843 * With a normal shutdown we assume the end of last record. 844 */ 845 SCTP_INP_READ_LOCK(stcb->sctp_ep); 846 asoc->control_pdapi->end_added = 1; 847 asoc->control_pdapi->pdapi_aborted = 1; 848 asoc->control_pdapi = NULL; 849 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 850#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 851 so = SCTP_INP_SO(stcb->sctp_ep); 852 atomic_add_int(&stcb->asoc.refcnt, 1); 853 SCTP_TCB_UNLOCK(stcb); 854 SCTP_SOCKET_LOCK(so, 1); 855 SCTP_TCB_LOCK(stcb); 856 atomic_subtract_int(&stcb->asoc.refcnt, 1); 857 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 858 /* assoc was freed while we were unlocked */ 859 SCTP_SOCKET_UNLOCK(so, 1); 860 return; 861 } 862#endif 863 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 864#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 865 SCTP_SOCKET_UNLOCK(so, 1); 866#endif 867 } 868 /* goto SHUTDOWN_RECEIVED state to block new requests */ 869 if (stcb->sctp_socket) { 870 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 871 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) && 872 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 873 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED); 874 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 875 /* 876 * notify upper layer that peer has initiated a 877 * shutdown 878 */ 879 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 880 881 /* reset time */ 882 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 883 } 884 } 885 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 886 /* 887 * stop the shutdown timer, since we WILL move to 888 * SHUTDOWN-ACK-SENT. 889 */ 890 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 891 } 892 /* Now is there unsent data on a stream somewhere? */ 893 some_on_streamwheel = sctp_is_there_unsent_data(stcb); 894 895 if (!TAILQ_EMPTY(&asoc->send_queue) || 896 !TAILQ_EMPTY(&asoc->sent_queue) || 897 some_on_streamwheel) { 898 /* By returning we will push more data out */ 899 return; 900 } else { 901 /* no outstanding data to send, so move on... */ 902 /* send SHUTDOWN-ACK */ 903 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 904 /* move to SHUTDOWN-ACK-SENT state */ 905 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 906 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 907 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 908 } 909 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT); 910 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 911 sctp_stop_timers_for_shutdown(stcb); 912 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 913 stcb, net); 914 } 915} 916 917static void 918sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 919 struct sctp_tcb *stcb, 920 struct sctp_nets *net) 921{ 922 struct sctp_association *asoc; 923 924#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 925 struct socket *so; 926 927 so = SCTP_INP_SO(stcb->sctp_ep); 928#endif 929 SCTPDBG(SCTP_DEBUG_INPUT2, 930 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 931 if (stcb == NULL) 932 return; 933 934 asoc = &stcb->asoc; 935 /* process according to association state */ 936 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 937 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 938 /* unexpected SHUTDOWN-ACK... do OOTB handling... */ 939 sctp_send_shutdown_complete(stcb, net, 1); 940 SCTP_TCB_UNLOCK(stcb); 941 return; 942 } 943 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 944 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 945 /* unexpected SHUTDOWN-ACK... so ignore... */ 946 SCTP_TCB_UNLOCK(stcb); 947 return; 948 } 949 if (asoc->control_pdapi) { 950 /* 951 * With a normal shutdown we assume the end of last record. 952 */ 953 SCTP_INP_READ_LOCK(stcb->sctp_ep); 954 asoc->control_pdapi->end_added = 1; 955 asoc->control_pdapi->pdapi_aborted = 1; 956 asoc->control_pdapi = NULL; 957 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 958#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 959 atomic_add_int(&stcb->asoc.refcnt, 1); 960 SCTP_TCB_UNLOCK(stcb); 961 SCTP_SOCKET_LOCK(so, 1); 962 SCTP_TCB_LOCK(stcb); 963 atomic_subtract_int(&stcb->asoc.refcnt, 1); 964 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 965 /* assoc was freed while we were unlocked */ 966 SCTP_SOCKET_UNLOCK(so, 1); 967 return; 968 } 969#endif 970 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 971#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 972 SCTP_SOCKET_UNLOCK(so, 1); 973#endif 974 } 975 /* are the queues empty? */ 976 if (!TAILQ_EMPTY(&asoc->send_queue) || 977 !TAILQ_EMPTY(&asoc->sent_queue) || 978 !TAILQ_EMPTY(&asoc->out_wheel)) { 979 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED); 980 } 981 /* stop the timer */ 982 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 983 /* send SHUTDOWN-COMPLETE */ 984 sctp_send_shutdown_complete(stcb, net, 0); 985 /* notify upper layer protocol */ 986 if (stcb->sctp_socket) { 987 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 988 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 989 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 990 /* Set the connected flag to disconnected */ 991 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 992 } 993 } 994 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 995 /* free the TCB but first save off the ep */ 996#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 997 atomic_add_int(&stcb->asoc.refcnt, 1); 998 SCTP_TCB_UNLOCK(stcb); 999 SCTP_SOCKET_LOCK(so, 1); 1000 SCTP_TCB_LOCK(stcb); 1001 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1002#endif 1003 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 1004 SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 1005#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1006 SCTP_SOCKET_UNLOCK(so, 1); 1007#endif 1008} 1009 1010/* 1011 * Skip past the param header and then we will find the chunk that caused the 1012 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 1013 * our peer must be broken. 1014 */ 1015static void 1016sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 1017 struct sctp_nets *net) 1018{ 1019 struct sctp_chunkhdr *chk; 1020 1021 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 1022 switch (chk->chunk_type) { 1023 case SCTP_ASCONF_ACK: 1024 case SCTP_ASCONF: 1025 sctp_asconf_cleanup(stcb, net); 1026 break; 1027 case SCTP_FORWARD_CUM_TSN: 1028 stcb->asoc.peer_supports_prsctp = 0; 1029 break; 1030 default: 1031 SCTPDBG(SCTP_DEBUG_INPUT2, 1032 "Peer does not support chunk type %d(%x)??\n", 1033 chk->chunk_type, (uint32_t) chk->chunk_type); 1034 break; 1035 } 1036} 1037 1038/* 1039 * Skip past the param header and then we will find the param that caused the 1040 * problem. There are a number of param's in a ASCONF OR the prsctp param 1041 * these will turn of specific features. 1042 */ 1043static void 1044sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 1045{ 1046 struct sctp_paramhdr *pbad; 1047 1048 pbad = phdr + 1; 1049 switch (ntohs(pbad->param_type)) { 1050 /* pr-sctp draft */ 1051 case SCTP_PRSCTP_SUPPORTED: 1052 stcb->asoc.peer_supports_prsctp = 0; 1053 break; 1054 case SCTP_SUPPORTED_CHUNK_EXT: 1055 break; 1056 /* draft-ietf-tsvwg-addip-sctp */ 1057 case SCTP_HAS_NAT_SUPPORT: 1058 stcb->asoc.peer_supports_nat = 0; 1059 break; 1060 case SCTP_ECN_NONCE_SUPPORTED: 1061 stcb->asoc.peer_supports_ecn_nonce = 0; 1062 stcb->asoc.ecn_nonce_allowed = 0; 1063 stcb->asoc.ecn_allowed = 0; 1064 break; 1065 case SCTP_ADD_IP_ADDRESS: 1066 case SCTP_DEL_IP_ADDRESS: 1067 case SCTP_SET_PRIM_ADDR: 1068 stcb->asoc.peer_supports_asconf = 0; 1069 break; 1070 case SCTP_SUCCESS_REPORT: 1071 case SCTP_ERROR_CAUSE_IND: 1072 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n"); 1073 SCTPDBG(SCTP_DEBUG_INPUT2, 1074 "Turning off ASCONF to this strange peer\n"); 1075 stcb->asoc.peer_supports_asconf = 0; 1076 break; 1077 default: 1078 SCTPDBG(SCTP_DEBUG_INPUT2, 1079 "Peer does not support param type %d(%x)??\n", 1080 pbad->param_type, (uint32_t) pbad->param_type); 1081 break; 1082 } 1083} 1084 1085static int 1086sctp_handle_error(struct sctp_chunkhdr *ch, 1087 struct sctp_tcb *stcb, struct sctp_nets *net) 1088{ 1089 int chklen; 1090 struct sctp_paramhdr *phdr; 1091 uint16_t error_type; 1092 uint16_t error_len; 1093 struct sctp_association *asoc; 1094 int adjust; 1095 1096#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1097 struct socket *so; 1098 1099#endif 1100 1101 /* parse through all of the errors and process */ 1102 asoc = &stcb->asoc; 1103 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 1104 sizeof(struct sctp_chunkhdr)); 1105 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 1106 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 1107 /* Process an Error Cause */ 1108 error_type = ntohs(phdr->param_type); 1109 error_len = ntohs(phdr->param_length); 1110 if ((error_len > chklen) || (error_len == 0)) { 1111 /* invalid param length for this param */ 1112 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n", 1113 chklen, error_len); 1114 return (0); 1115 } 1116 switch (error_type) { 1117 case SCTP_CAUSE_INVALID_STREAM: 1118 case SCTP_CAUSE_MISSING_PARAM: 1119 case SCTP_CAUSE_INVALID_PARAM: 1120 case SCTP_CAUSE_NO_USER_DATA: 1121 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n", 1122 error_type); 1123 break; 1124 case SCTP_CAUSE_NAT_COLLIDING_STATE: 1125 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n", 1126 ch->chunk_flags); 1127 if (sctp_handle_nat_colliding_state(stcb)) { 1128 return (0); 1129 } 1130 break; 1131 case SCTP_CAUSE_NAT_MISSING_STATE: 1132 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n", 1133 ch->chunk_flags); 1134 if (sctp_handle_nat_missing_state(stcb, net)) { 1135 return (0); 1136 } 1137 break; 1138 case SCTP_CAUSE_STALE_COOKIE: 1139 /* 1140 * We only act if we have echoed a cookie and are 1141 * waiting. 1142 */ 1143 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 1144 int *p; 1145 1146 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 1147 /* Save the time doubled */ 1148 asoc->cookie_preserve_req = ntohl(*p) << 1; 1149 asoc->stale_cookie_count++; 1150 if (asoc->stale_cookie_count > 1151 asoc->max_init_times) { 1152 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED); 1153 /* now free the asoc */ 1154#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1155 so = SCTP_INP_SO(stcb->sctp_ep); 1156 atomic_add_int(&stcb->asoc.refcnt, 1); 1157 SCTP_TCB_UNLOCK(stcb); 1158 SCTP_SOCKET_LOCK(so, 1); 1159 SCTP_TCB_LOCK(stcb); 1160 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1161#endif 1162 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 1163 SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1164#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1165 SCTP_SOCKET_UNLOCK(so, 1); 1166#endif 1167 return (-1); 1168 } 1169 /* blast back to INIT state */ 1170 sctp_toss_old_cookies(stcb, &stcb->asoc); 1171 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 1172 asoc->state |= SCTP_STATE_COOKIE_WAIT; 1173 sctp_stop_all_cookie_timers(stcb); 1174 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 1175 } 1176 break; 1177 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 1178 /* 1179 * Nothing we can do here, we don't do hostname 1180 * addresses so if the peer does not like my IPv6 1181 * (or IPv4 for that matter) it does not matter. If 1182 * they don't support that type of address, they can 1183 * NOT possibly get that packet type... i.e. with no 1184 * IPv6 you can't recieve a IPv6 packet. so we can 1185 * safely ignore this one. If we ever added support 1186 * for HOSTNAME Addresses, then we would need to do 1187 * something here. 1188 */ 1189 break; 1190 case SCTP_CAUSE_UNRECOG_CHUNK: 1191 sctp_process_unrecog_chunk(stcb, phdr, net); 1192 break; 1193 case SCTP_CAUSE_UNRECOG_PARAM: 1194 sctp_process_unrecog_param(stcb, phdr); 1195 break; 1196 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 1197 /* 1198 * We ignore this since the timer will drive out a 1199 * new cookie anyway and there timer will drive us 1200 * to send a SHUTDOWN_COMPLETE. We can't send one 1201 * here since we don't have their tag. 1202 */ 1203 break; 1204 case SCTP_CAUSE_DELETING_LAST_ADDR: 1205 case SCTP_CAUSE_RESOURCE_SHORTAGE: 1206 case SCTP_CAUSE_DELETING_SRC_ADDR: 1207 /* 1208 * We should NOT get these here, but in a 1209 * ASCONF-ACK. 1210 */ 1211 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n", 1212 error_type); 1213 break; 1214 case SCTP_CAUSE_OUT_OF_RESC: 1215 /* 1216 * And what, pray tell do we do with the fact that 1217 * the peer is out of resources? Not really sure we 1218 * could do anything but abort. I suspect this 1219 * should have came WITH an abort instead of in a 1220 * OP-ERROR. 1221 */ 1222 break; 1223 default: 1224 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n", 1225 error_type); 1226 break; 1227 } 1228 adjust = SCTP_SIZE32(error_len); 1229 chklen -= adjust; 1230 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 1231 } 1232 return (0); 1233} 1234 1235static int 1236sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, 1237 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 1238 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 1239{ 1240 struct sctp_init_ack *init_ack; 1241 struct mbuf *op_err; 1242 1243 SCTPDBG(SCTP_DEBUG_INPUT2, 1244 "sctp_handle_init_ack: handling INIT-ACK\n"); 1245 1246 if (stcb == NULL) { 1247 SCTPDBG(SCTP_DEBUG_INPUT2, 1248 "sctp_handle_init_ack: TCB is null\n"); 1249 return (-1); 1250 } 1251 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 1252 /* Invalid length */ 1253 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1254 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1255 op_err, 0, net->port); 1256 *abort_no_unlock = 1; 1257 return (-1); 1258 } 1259 init_ack = &cp->init; 1260 /* validate parameters */ 1261 if (init_ack->initiate_tag == 0) { 1262 /* protocol error... send an abort */ 1263 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1264 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1265 op_err, 0, net->port); 1266 *abort_no_unlock = 1; 1267 return (-1); 1268 } 1269 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 1270 /* protocol error... send an abort */ 1271 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1272 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1273 op_err, 0, net->port); 1274 *abort_no_unlock = 1; 1275 return (-1); 1276 } 1277 if (init_ack->num_inbound_streams == 0) { 1278 /* protocol error... send an abort */ 1279 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1280 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1281 op_err, 0, net->port); 1282 *abort_no_unlock = 1; 1283 return (-1); 1284 } 1285 if (init_ack->num_outbound_streams == 0) { 1286 /* protocol error... send an abort */ 1287 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1288 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1289 op_err, 0, net->port); 1290 *abort_no_unlock = 1; 1291 return (-1); 1292 } 1293 /* process according to association state... */ 1294 switch (stcb->asoc.state & SCTP_STATE_MASK) { 1295 case SCTP_STATE_COOKIE_WAIT: 1296 /* this is the expected state for this chunk */ 1297 /* process the INIT-ACK parameters */ 1298 if (stcb->asoc.primary_destination->dest_state & 1299 SCTP_ADDR_UNCONFIRMED) { 1300 /* 1301 * The primary is where we sent the INIT, we can 1302 * always consider it confirmed when the INIT-ACK is 1303 * returned. Do this before we load addresses 1304 * though. 1305 */ 1306 stcb->asoc.primary_destination->dest_state &= 1307 ~SCTP_ADDR_UNCONFIRMED; 1308 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1309 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED); 1310 } 1311 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, 1312 net, abort_no_unlock, vrf_id) < 0) { 1313 /* error in parsing parameters */ 1314 return (-1); 1315 } 1316 /* update our state */ 1317 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n"); 1318 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED); 1319 1320 /* reset the RTO calc */ 1321 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 1322 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 1323 stcb->asoc.overall_error_count, 1324 0, 1325 SCTP_FROM_SCTP_INPUT, 1326 __LINE__); 1327 } 1328 stcb->asoc.overall_error_count = 0; 1329 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1330 /* 1331 * collapse the init timer back in case of a exponential 1332 * backoff 1333 */ 1334 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1335 stcb, net); 1336 /* 1337 * the send at the end of the inbound data processing will 1338 * cause the cookie to be sent 1339 */ 1340 break; 1341 case SCTP_STATE_SHUTDOWN_SENT: 1342 /* incorrect state... discard */ 1343 break; 1344 case SCTP_STATE_COOKIE_ECHOED: 1345 /* incorrect state... discard */ 1346 break; 1347 case SCTP_STATE_OPEN: 1348 /* incorrect state... discard */ 1349 break; 1350 case SCTP_STATE_EMPTY: 1351 case SCTP_STATE_INUSE: 1352 default: 1353 /* incorrect state... discard */ 1354 return (-1); 1355 break; 1356 } 1357 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n"); 1358 return (0); 1359} 1360 1361static struct sctp_tcb * 1362sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1363 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1364 struct sctp_inpcb *inp, struct sctp_nets **netp, 1365 struct sockaddr *init_src, int *notification, 1366 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1367 uint32_t vrf_id, uint16_t port); 1368 1369 1370/* 1371 * handle a state cookie for an existing association m: input packet mbuf 1372 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1373 * "split" mbuf and the cookie signature does not exist offset: offset into 1374 * mbuf to the cookie-echo chunk 1375 */ 1376static struct sctp_tcb * 1377sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1378 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1379 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp, 1380 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id, 1381 uint32_t vrf_id, int auth_skipped, uint32_t auth_offset, uint32_t auth_len, uint16_t port) 1382{ 1383 struct sctp_association *asoc; 1384 struct sctp_init_chunk *init_cp, init_buf; 1385 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1386 struct sctp_nets *net; 1387 struct mbuf *op_err; 1388 struct sctp_paramhdr *ph; 1389 int chk_length; 1390 int init_offset, initack_offset, i; 1391 int retval; 1392 int spec_flag = 0; 1393 uint32_t how_indx; 1394 1395 net = *netp; 1396 /* I know that the TCB is non-NULL from the caller */ 1397 asoc = &stcb->asoc; 1398 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1399 if (asoc->cookie_how[how_indx] == 0) 1400 break; 1401 } 1402 if (how_indx < sizeof(asoc->cookie_how)) { 1403 asoc->cookie_how[how_indx] = 1; 1404 } 1405 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1406 /* SHUTDOWN came in after sending INIT-ACK */ 1407 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1408 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1409 0, M_DONTWAIT, 1, MT_DATA); 1410 if (op_err == NULL) { 1411 /* FOOBAR */ 1412 return (NULL); 1413 } 1414 /* Set the len */ 1415 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1416 ph = mtod(op_err, struct sctp_paramhdr *); 1417 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1418 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1419 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 1420 vrf_id, net->port); 1421 if (how_indx < sizeof(asoc->cookie_how)) 1422 asoc->cookie_how[how_indx] = 2; 1423 return (NULL); 1424 } 1425 /* 1426 * find and validate the INIT chunk in the cookie (peer's info) the 1427 * INIT should start after the cookie-echo header struct (chunk 1428 * header, state cookie header struct) 1429 */ 1430 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1431 1432 init_cp = (struct sctp_init_chunk *) 1433 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1434 (uint8_t *) & init_buf); 1435 if (init_cp == NULL) { 1436 /* could not pull a INIT chunk in cookie */ 1437 return (NULL); 1438 } 1439 chk_length = ntohs(init_cp->ch.chunk_length); 1440 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1441 return (NULL); 1442 } 1443 /* 1444 * find and validate the INIT-ACK chunk in the cookie (my info) the 1445 * INIT-ACK follows the INIT chunk 1446 */ 1447 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1448 initack_cp = (struct sctp_init_ack_chunk *) 1449 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1450 (uint8_t *) & initack_buf); 1451 if (initack_cp == NULL) { 1452 /* could not pull INIT-ACK chunk in cookie */ 1453 return (NULL); 1454 } 1455 chk_length = ntohs(initack_cp->ch.chunk_length); 1456 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1457 return (NULL); 1458 } 1459 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1460 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1461 /* 1462 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1463 * to get into the OPEN state 1464 */ 1465 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1466 /*- 1467 * Opps, this means that we somehow generated two vtag's 1468 * the same. I.e. we did: 1469 * Us Peer 1470 * <---INIT(tag=a)------ 1471 * ----INIT-ACK(tag=t)--> 1472 * ----INIT(tag=t)------> *1 1473 * <---INIT-ACK(tag=a)--- 1474 * <----CE(tag=t)------------- *2 1475 * 1476 * At point *1 we should be generating a different 1477 * tag t'. Which means we would throw away the CE and send 1478 * ours instead. Basically this is case C (throw away side). 1479 */ 1480 if (how_indx < sizeof(asoc->cookie_how)) 1481 asoc->cookie_how[how_indx] = 17; 1482 return (NULL); 1483 1484 } 1485 switch SCTP_GET_STATE 1486 (asoc) { 1487 case SCTP_STATE_COOKIE_WAIT: 1488 case SCTP_STATE_COOKIE_ECHOED: 1489 /* 1490 * INIT was sent but got a COOKIE_ECHO with the 1491 * correct tags... just accept it...but we must 1492 * process the init so that we can make sure we have 1493 * the right seq no's. 1494 */ 1495 /* First we must process the INIT !! */ 1496 retval = sctp_process_init(init_cp, stcb, net); 1497 if (retval < 0) { 1498 if (how_indx < sizeof(asoc->cookie_how)) 1499 asoc->cookie_how[how_indx] = 3; 1500 return (NULL); 1501 } 1502 /* we have already processed the INIT so no problem */ 1503 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1504 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1505 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1506 /* update current state */ 1507 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1508 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1509 else 1510 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1511 1512 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1513 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1514 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1515 stcb->sctp_ep, stcb, asoc->primary_destination); 1516 } 1517 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1518 sctp_stop_all_cookie_timers(stcb); 1519 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1520 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1521 (inp->sctp_socket->so_qlimit == 0) 1522 ) { 1523#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1524 struct socket *so; 1525 1526#endif 1527 /* 1528 * Here is where collision would go if we 1529 * did a connect() and instead got a 1530 * init/init-ack/cookie done before the 1531 * init-ack came back.. 1532 */ 1533 stcb->sctp_ep->sctp_flags |= 1534 SCTP_PCB_FLAGS_CONNECTED; 1535#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1536 so = SCTP_INP_SO(stcb->sctp_ep); 1537 atomic_add_int(&stcb->asoc.refcnt, 1); 1538 SCTP_TCB_UNLOCK(stcb); 1539 SCTP_SOCKET_LOCK(so, 1); 1540 SCTP_TCB_LOCK(stcb); 1541 atomic_add_int(&stcb->asoc.refcnt, -1); 1542 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1543 SCTP_SOCKET_UNLOCK(so, 1); 1544 return (NULL); 1545 } 1546#endif 1547 soisconnected(stcb->sctp_socket); 1548#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1549 SCTP_SOCKET_UNLOCK(so, 1); 1550#endif 1551 } 1552 /* notify upper layer */ 1553 *notification = SCTP_NOTIFY_ASSOC_UP; 1554 /* 1555 * since we did not send a HB make sure we don't 1556 * double things 1557 */ 1558 net->hb_responded = 1; 1559 net->RTO = sctp_calculate_rto(stcb, asoc, net, 1560 &cookie->time_entered, sctp_align_unsafe_makecopy); 1561 1562 if (stcb->asoc.sctp_autoclose_ticks && 1563 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1564 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1565 inp, stcb, NULL); 1566 } 1567 break; 1568 default: 1569 /* 1570 * we're in the OPEN state (or beyond), so peer must 1571 * have simply lost the COOKIE-ACK 1572 */ 1573 break; 1574 } /* end switch */ 1575 sctp_stop_all_cookie_timers(stcb); 1576 /* 1577 * We ignore the return code here.. not sure if we should 1578 * somehow abort.. but we do have an existing asoc. This 1579 * really should not fail. 1580 */ 1581 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1582 init_offset + sizeof(struct sctp_init_chunk), 1583 initack_offset, sh, init_src)) { 1584 if (how_indx < sizeof(asoc->cookie_how)) 1585 asoc->cookie_how[how_indx] = 4; 1586 return (NULL); 1587 } 1588 /* respond with a COOKIE-ACK */ 1589 sctp_toss_old_cookies(stcb, asoc); 1590 sctp_send_cookie_ack(stcb); 1591 if (how_indx < sizeof(asoc->cookie_how)) 1592 asoc->cookie_how[how_indx] = 5; 1593 return (stcb); 1594 } 1595 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1596 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1597 cookie->tie_tag_my_vtag == 0 && 1598 cookie->tie_tag_peer_vtag == 0) { 1599 /* 1600 * case C in Section 5.2.4 Table 2: XMOO silently discard 1601 */ 1602 if (how_indx < sizeof(asoc->cookie_how)) 1603 asoc->cookie_how[how_indx] = 6; 1604 return (NULL); 1605 } 1606 /* 1607 * If nat support, and the below and stcb is established, send back 1608 * a ABORT(colliding state) if we are established. 1609 */ 1610 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) && 1611 (asoc->peer_supports_nat) && 1612 ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1613 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) || 1614 (asoc->peer_vtag == 0)))) { 1615 /* 1616 * Special case - Peer's support nat. We may have two init's 1617 * that we gave out the same tag on since one was not 1618 * established.. i.e. we get INIT from host-1 behind the nat 1619 * and we respond tag-a, we get a INIT from host-2 behind 1620 * the nat and we get tag-a again. Then we bring up host-1 1621 * (or 2's) assoc, Then comes the cookie from hsot-2 (or 1). 1622 * Now we have colliding state. We must send an abort here 1623 * with colliding state indication. 1624 */ 1625 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1626 0, M_DONTWAIT, 1, MT_DATA); 1627 if (op_err == NULL) { 1628 /* FOOBAR */ 1629 return (NULL); 1630 } 1631 /* pre-reserve some space */ 1632#ifdef INET6 1633 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1634#else 1635 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip)); 1636#endif 1637 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1638 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1639 /* Set the len */ 1640 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1641 ph = mtod(op_err, struct sctp_paramhdr *); 1642 ph->param_type = htons(SCTP_CAUSE_NAT_COLLIDING_STATE); 1643 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1644 sctp_send_abort(m, iphlen, sh, 0, op_err, vrf_id, port); 1645 return (NULL); 1646 } 1647 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1648 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) || 1649 (asoc->peer_vtag == 0))) { 1650 /* 1651 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1652 * should be ok, re-accept peer info 1653 */ 1654 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1655 /* 1656 * Extension of case C. If we hit this, then the 1657 * random number generator returned the same vtag 1658 * when we first sent our INIT-ACK and when we later 1659 * sent our INIT. The side with the seq numbers that 1660 * are different will be the one that normnally 1661 * would have hit case C. This in effect "extends" 1662 * our vtags in this collision case to be 64 bits. 1663 * The same collision could occur aka you get both 1664 * vtag and seq number the same twice in a row.. but 1665 * is much less likely. If it did happen then we 1666 * would proceed through and bring up the assoc.. we 1667 * may end up with the wrong stream setup however.. 1668 * which would be bad.. but there is no way to 1669 * tell.. until we send on a stream that does not 1670 * exist :-) 1671 */ 1672 if (how_indx < sizeof(asoc->cookie_how)) 1673 asoc->cookie_how[how_indx] = 7; 1674 1675 return (NULL); 1676 } 1677 if (how_indx < sizeof(asoc->cookie_how)) 1678 asoc->cookie_how[how_indx] = 8; 1679 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1680 sctp_stop_all_cookie_timers(stcb); 1681 /* 1682 * since we did not send a HB make sure we don't double 1683 * things 1684 */ 1685 net->hb_responded = 1; 1686 if (stcb->asoc.sctp_autoclose_ticks && 1687 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1688 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1689 NULL); 1690 } 1691 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1692 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1693 1694 /* Note last_cwr_tsn? where is this used? */ 1695 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1696 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1697 /* 1698 * Ok the peer probably discarded our data (if we 1699 * echoed a cookie+data). So anything on the 1700 * sent_queue should be marked for retransmit, we 1701 * may not get something to kick us so it COULD 1702 * still take a timeout to move these.. but it can't 1703 * hurt to mark them. 1704 */ 1705 struct sctp_tmit_chunk *chk; 1706 1707 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1708 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1709 chk->sent = SCTP_DATAGRAM_RESEND; 1710 sctp_flight_size_decrease(chk); 1711 sctp_total_flight_decrease(stcb, chk); 1712 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1713 spec_flag++; 1714 } 1715 } 1716 1717 } 1718 /* process the INIT info (peer's info) */ 1719 retval = sctp_process_init(init_cp, stcb, net); 1720 if (retval < 0) { 1721 if (how_indx < sizeof(asoc->cookie_how)) 1722 asoc->cookie_how[how_indx] = 9; 1723 return (NULL); 1724 } 1725 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1726 init_offset + sizeof(struct sctp_init_chunk), 1727 initack_offset, sh, init_src)) { 1728 if (how_indx < sizeof(asoc->cookie_how)) 1729 asoc->cookie_how[how_indx] = 10; 1730 return (NULL); 1731 } 1732 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1733 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1734 *notification = SCTP_NOTIFY_ASSOC_UP; 1735 1736 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1737 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1738 (inp->sctp_socket->so_qlimit == 0)) { 1739#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1740 struct socket *so; 1741 1742#endif 1743 stcb->sctp_ep->sctp_flags |= 1744 SCTP_PCB_FLAGS_CONNECTED; 1745#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1746 so = SCTP_INP_SO(stcb->sctp_ep); 1747 atomic_add_int(&stcb->asoc.refcnt, 1); 1748 SCTP_TCB_UNLOCK(stcb); 1749 SCTP_SOCKET_LOCK(so, 1); 1750 SCTP_TCB_LOCK(stcb); 1751 atomic_add_int(&stcb->asoc.refcnt, -1); 1752 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1753 SCTP_SOCKET_UNLOCK(so, 1); 1754 return (NULL); 1755 } 1756#endif 1757 soisconnected(stcb->sctp_socket); 1758#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1759 SCTP_SOCKET_UNLOCK(so, 1); 1760#endif 1761 } 1762 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1763 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1764 else 1765 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1766 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1767 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1768 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1769 } else { 1770 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1771 } 1772 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1773 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1774 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1775 stcb->sctp_ep, stcb, asoc->primary_destination); 1776 } 1777 sctp_stop_all_cookie_timers(stcb); 1778 sctp_toss_old_cookies(stcb, asoc); 1779 sctp_send_cookie_ack(stcb); 1780 if (spec_flag) { 1781 /* 1782 * only if we have retrans set do we do this. What 1783 * this call does is get only the COOKIE-ACK out and 1784 * then when we return the normal call to 1785 * sctp_chunk_output will get the retrans out behind 1786 * this. 1787 */ 1788 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED); 1789 } 1790 if (how_indx < sizeof(asoc->cookie_how)) 1791 asoc->cookie_how[how_indx] = 11; 1792 1793 return (stcb); 1794 } 1795 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1796 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1797 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1798 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1799 cookie->tie_tag_peer_vtag != 0) { 1800 struct sctpasochead *head; 1801 1802 if (asoc->peer_supports_nat) { 1803 /* 1804 * This is a gross gross hack. just call the 1805 * cookie_new code since we are allowing a duplicate 1806 * association. I hope this works... 1807 */ 1808 return (sctp_process_cookie_new(m, iphlen, offset, sh, cookie, cookie_len, 1809 inp, netp, init_src, notification, 1810 auth_skipped, auth_offset, auth_len, 1811 vrf_id, port)); 1812 } 1813 /* 1814 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1815 */ 1816 /* temp code */ 1817 if (how_indx < sizeof(asoc->cookie_how)) 1818 asoc->cookie_how[how_indx] = 12; 1819 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1820 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1821 1822 *sac_assoc_id = sctp_get_associd(stcb); 1823 /* notify upper layer */ 1824 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1825 atomic_add_int(&stcb->asoc.refcnt, 1); 1826 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1827 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1828 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1829 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1830 } 1831 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1832 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1833 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1834 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1835 } 1836 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1837 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1838 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1839 stcb->sctp_ep, stcb, asoc->primary_destination); 1840 1841 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1842 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1843 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1844 } 1845 asoc->pre_open_streams = 1846 ntohs(initack_cp->init.num_outbound_streams); 1847 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1848 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1849 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; 1850 1851 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1852 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1853 1854 asoc->str_reset_seq_in = asoc->init_seq_number; 1855 1856 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1857 if (asoc->mapping_array) { 1858 memset(asoc->mapping_array, 0, 1859 asoc->mapping_array_size); 1860 } 1861 if (asoc->nr_mapping_array) { 1862 memset(asoc->nr_mapping_array, 0, 1863 asoc->mapping_array_size); 1864 } 1865 SCTP_TCB_UNLOCK(stcb); 1866 SCTP_INP_INFO_WLOCK(); 1867 SCTP_INP_WLOCK(stcb->sctp_ep); 1868 SCTP_TCB_LOCK(stcb); 1869 atomic_add_int(&stcb->asoc.refcnt, -1); 1870 /* send up all the data */ 1871 SCTP_TCB_SEND_LOCK(stcb); 1872 1873 sctp_report_all_outbound(stcb, 1, SCTP_SO_NOT_LOCKED); 1874 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1875 stcb->asoc.strmout[i].stream_no = i; 1876 stcb->asoc.strmout[i].next_sequence_sent = 0; 1877 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1878 } 1879 /* process the INIT-ACK info (my info) */ 1880 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1881 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1882 1883 /* pull from vtag hash */ 1884 LIST_REMOVE(stcb, sctp_asocs); 1885 /* re-insert to new vtag position */ 1886 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1887 SCTP_BASE_INFO(hashasocmark))]; 1888 /* 1889 * put it in the bucket in the vtag hash of assoc's for the 1890 * system 1891 */ 1892 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1893 1894 /* process the INIT info (peer's info) */ 1895 SCTP_TCB_SEND_UNLOCK(stcb); 1896 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1897 SCTP_INP_INFO_WUNLOCK(); 1898 1899 retval = sctp_process_init(init_cp, stcb, net); 1900 if (retval < 0) { 1901 if (how_indx < sizeof(asoc->cookie_how)) 1902 asoc->cookie_how[how_indx] = 13; 1903 1904 return (NULL); 1905 } 1906 /* 1907 * since we did not send a HB make sure we don't double 1908 * things 1909 */ 1910 net->hb_responded = 1; 1911 1912 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1913 init_offset + sizeof(struct sctp_init_chunk), 1914 initack_offset, sh, init_src)) { 1915 if (how_indx < sizeof(asoc->cookie_how)) 1916 asoc->cookie_how[how_indx] = 14; 1917 1918 return (NULL); 1919 } 1920 /* respond with a COOKIE-ACK */ 1921 sctp_stop_all_cookie_timers(stcb); 1922 sctp_toss_old_cookies(stcb, asoc); 1923 sctp_send_cookie_ack(stcb); 1924 if (how_indx < sizeof(asoc->cookie_how)) 1925 asoc->cookie_how[how_indx] = 15; 1926 1927 return (stcb); 1928 } 1929 if (how_indx < sizeof(asoc->cookie_how)) 1930 asoc->cookie_how[how_indx] = 16; 1931 /* all other cases... */ 1932 return (NULL); 1933} 1934 1935 1936/* 1937 * handle a state cookie for a new association m: input packet mbuf chain-- 1938 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1939 * and the cookie signature does not exist offset: offset into mbuf to the 1940 * cookie-echo chunk length: length of the cookie chunk to: where the init 1941 * was from returns a new TCB 1942 */ 1943struct sctp_tcb * 1944sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1945 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1946 struct sctp_inpcb *inp, struct sctp_nets **netp, 1947 struct sockaddr *init_src, int *notification, 1948 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1949 uint32_t vrf_id, uint16_t port) 1950{ 1951 struct sctp_tcb *stcb; 1952 struct sctp_init_chunk *init_cp, init_buf; 1953 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1954 struct sockaddr_storage sa_store; 1955 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1956 struct sockaddr_in *sin; 1957 struct sockaddr_in6 *sin6; 1958 struct sctp_association *asoc; 1959 int chk_length; 1960 int init_offset, initack_offset, initack_limit; 1961 int retval; 1962 int error = 0; 1963 uint32_t old_tag; 1964 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1965 1966#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1967 struct socket *so; 1968 1969 so = SCTP_INP_SO(inp); 1970#endif 1971 1972 /* 1973 * find and validate the INIT chunk in the cookie (peer's info) the 1974 * INIT should start after the cookie-echo header struct (chunk 1975 * header, state cookie header struct) 1976 */ 1977 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1978 init_cp = (struct sctp_init_chunk *) 1979 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1980 (uint8_t *) & init_buf); 1981 if (init_cp == NULL) { 1982 /* could not pull a INIT chunk in cookie */ 1983 SCTPDBG(SCTP_DEBUG_INPUT1, 1984 "process_cookie_new: could not pull INIT chunk hdr\n"); 1985 return (NULL); 1986 } 1987 chk_length = ntohs(init_cp->ch.chunk_length); 1988 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1989 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n"); 1990 return (NULL); 1991 } 1992 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1993 /* 1994 * find and validate the INIT-ACK chunk in the cookie (my info) the 1995 * INIT-ACK follows the INIT chunk 1996 */ 1997 initack_cp = (struct sctp_init_ack_chunk *) 1998 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1999 (uint8_t *) & initack_buf); 2000 if (initack_cp == NULL) { 2001 /* could not pull INIT-ACK chunk in cookie */ 2002 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 2003 return (NULL); 2004 } 2005 chk_length = ntohs(initack_cp->ch.chunk_length); 2006 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 2007 return (NULL); 2008 } 2009 /* 2010 * NOTE: We can't use the INIT_ACK's chk_length to determine the 2011 * "initack_limit" value. This is because the chk_length field 2012 * includes the length of the cookie, but the cookie is omitted when 2013 * the INIT and INIT_ACK are tacked onto the cookie... 2014 */ 2015 initack_limit = offset + cookie_len; 2016 2017 /* 2018 * now that we know the INIT/INIT-ACK are in place, create a new TCB 2019 * and popluate 2020 */ 2021 2022 /* 2023 * Here we do a trick, we set in NULL for the proc/thread argument. 2024 * We do this since in effect we only use the p argument when the 2025 * socket is unbound and we must do an implicit bind. Since we are 2026 * getting a cookie, we cannot be unbound. 2027 */ 2028 stcb = sctp_aloc_assoc(inp, init_src, &error, 2029 ntohl(initack_cp->init.initiate_tag), vrf_id, 2030 (struct thread *)NULL 2031 ); 2032 if (stcb == NULL) { 2033 struct mbuf *op_err; 2034 2035 /* memory problem? */ 2036 SCTPDBG(SCTP_DEBUG_INPUT1, 2037 "process_cookie_new: no room for another TCB!\n"); 2038 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2039 2040 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 2041 sh, op_err, vrf_id, port); 2042 return (NULL); 2043 } 2044 /* get the correct sctp_nets */ 2045 if (netp) 2046 *netp = sctp_findnet(stcb, init_src); 2047 2048 asoc = &stcb->asoc; 2049 /* get scope variables out of cookie */ 2050 asoc->ipv4_local_scope = cookie->ipv4_scope; 2051 asoc->site_scope = cookie->site_scope; 2052 asoc->local_scope = cookie->local_scope; 2053 asoc->loopback_scope = cookie->loopback_scope; 2054 2055 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 2056 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 2057 struct mbuf *op_err; 2058 2059 /* 2060 * Houston we have a problem. The EP changed while the 2061 * cookie was in flight. Only recourse is to abort the 2062 * association. 2063 */ 2064 atomic_add_int(&stcb->asoc.refcnt, 1); 2065 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2066 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 2067 sh, op_err, vrf_id, port); 2068#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2069 SCTP_TCB_UNLOCK(stcb); 2070 SCTP_SOCKET_LOCK(so, 1); 2071 SCTP_TCB_LOCK(stcb); 2072#endif 2073 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 2074 SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 2075#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2076 SCTP_SOCKET_UNLOCK(so, 1); 2077#endif 2078 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2079 return (NULL); 2080 } 2081 /* process the INIT-ACK info (my info) */ 2082 old_tag = asoc->my_vtag; 2083 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 2084 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 2085 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 2086 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 2087 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 2088 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; 2089 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 2090 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 2091 asoc->str_reset_seq_in = asoc->init_seq_number; 2092 2093 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 2094 2095 /* process the INIT info (peer's info) */ 2096 if (netp) 2097 retval = sctp_process_init(init_cp, stcb, *netp); 2098 else 2099 retval = 0; 2100 if (retval < 0) { 2101 atomic_add_int(&stcb->asoc.refcnt, 1); 2102#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2103 SCTP_TCB_UNLOCK(stcb); 2104 SCTP_SOCKET_LOCK(so, 1); 2105 SCTP_TCB_LOCK(stcb); 2106#endif 2107 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 2108#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2109 SCTP_SOCKET_UNLOCK(so, 1); 2110#endif 2111 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2112 return (NULL); 2113 } 2114 /* load all addresses */ 2115 if (sctp_load_addresses_from_init(stcb, m, iphlen, 2116 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 2117 init_src)) { 2118 atomic_add_int(&stcb->asoc.refcnt, 1); 2119#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2120 SCTP_TCB_UNLOCK(stcb); 2121 SCTP_SOCKET_LOCK(so, 1); 2122 SCTP_TCB_LOCK(stcb); 2123#endif 2124 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 2125#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2126 SCTP_SOCKET_UNLOCK(so, 1); 2127#endif 2128 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2129 return (NULL); 2130 } 2131 /* 2132 * verify any preceding AUTH chunk that was skipped 2133 */ 2134 /* pull the local authentication parameters from the cookie/init-ack */ 2135 sctp_auth_get_cookie_params(stcb, m, 2136 initack_offset + sizeof(struct sctp_init_ack_chunk), 2137 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 2138 if (auth_skipped) { 2139 struct sctp_auth_chunk *auth; 2140 2141 auth = (struct sctp_auth_chunk *) 2142 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 2143 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { 2144 /* auth HMAC failed, dump the assoc and packet */ 2145 SCTPDBG(SCTP_DEBUG_AUTH1, 2146 "COOKIE-ECHO: AUTH failed\n"); 2147 atomic_add_int(&stcb->asoc.refcnt, 1); 2148#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2149 SCTP_TCB_UNLOCK(stcb); 2150 SCTP_SOCKET_LOCK(so, 1); 2151 SCTP_TCB_LOCK(stcb); 2152#endif 2153 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 2154#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2155 SCTP_SOCKET_UNLOCK(so, 1); 2156#endif 2157 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2158 return (NULL); 2159 } else { 2160 /* remaining chunks checked... good to go */ 2161 stcb->asoc.authenticated = 1; 2162 } 2163 } 2164 /* update current state */ 2165 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2166 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 2167 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2168 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2169 stcb->sctp_ep, stcb, asoc->primary_destination); 2170 } 2171 sctp_stop_all_cookie_timers(stcb); 2172 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 2173 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2174 2175 /* 2176 * if we're doing ASCONFs, check to see if we have any new local 2177 * addresses that need to get added to the peer (eg. addresses 2178 * changed while cookie echo in flight). This needs to be done 2179 * after we go to the OPEN state to do the correct asconf 2180 * processing. else, make sure we have the correct addresses in our 2181 * lists 2182 */ 2183 2184 /* warning, we re-use sin, sin6, sa_store here! */ 2185 /* pull in local_address (our "from" address) */ 2186 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 2187 /* source addr is IPv4 */ 2188 sin = (struct sockaddr_in *)initack_src; 2189 memset(sin, 0, sizeof(*sin)); 2190 sin->sin_family = AF_INET; 2191 sin->sin_len = sizeof(struct sockaddr_in); 2192 sin->sin_addr.s_addr = cookie->laddress[0]; 2193 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 2194 /* source addr is IPv6 */ 2195 sin6 = (struct sockaddr_in6 *)initack_src; 2196 memset(sin6, 0, sizeof(*sin6)); 2197 sin6->sin6_family = AF_INET6; 2198 sin6->sin6_len = sizeof(struct sockaddr_in6); 2199 sin6->sin6_scope_id = cookie->scope_id; 2200 memcpy(&sin6->sin6_addr, cookie->laddress, 2201 sizeof(sin6->sin6_addr)); 2202 } else { 2203 atomic_add_int(&stcb->asoc.refcnt, 1); 2204#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2205 SCTP_TCB_UNLOCK(stcb); 2206 SCTP_SOCKET_LOCK(so, 1); 2207 SCTP_TCB_LOCK(stcb); 2208#endif 2209 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 2210#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2211 SCTP_SOCKET_UNLOCK(so, 1); 2212#endif 2213 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2214 return (NULL); 2215 } 2216 2217 /* set up to notify upper layer */ 2218 *notification = SCTP_NOTIFY_ASSOC_UP; 2219 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2220 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 2221 (inp->sctp_socket->so_qlimit == 0)) { 2222 /* 2223 * This is an endpoint that called connect() how it got a 2224 * cookie that is NEW is a bit of a mystery. It must be that 2225 * the INIT was sent, but before it got there.. a complete 2226 * INIT/INIT-ACK/COOKIE arrived. But of course then it 2227 * should have went to the other code.. not here.. oh well.. 2228 * a bit of protection is worth having.. 2229 */ 2230 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2231#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2232 atomic_add_int(&stcb->asoc.refcnt, 1); 2233 SCTP_TCB_UNLOCK(stcb); 2234 SCTP_SOCKET_LOCK(so, 1); 2235 SCTP_TCB_LOCK(stcb); 2236 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2237 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 2238 SCTP_SOCKET_UNLOCK(so, 1); 2239 return (NULL); 2240 } 2241#endif 2242 soisconnected(stcb->sctp_socket); 2243#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2244 SCTP_SOCKET_UNLOCK(so, 1); 2245#endif 2246 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 2247 (inp->sctp_socket->so_qlimit)) { 2248 /* 2249 * We don't want to do anything with this one. Since it is 2250 * the listening guy. The timer will get started for 2251 * accepted connections in the caller. 2252 */ 2253 ; 2254 } 2255 /* since we did not send a HB make sure we don't double things */ 2256 if ((netp) && (*netp)) 2257 (*netp)->hb_responded = 1; 2258 2259 if (stcb->asoc.sctp_autoclose_ticks && 2260 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2261 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 2262 } 2263 /* calculate the RTT */ 2264 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 2265 if ((netp) && (*netp)) { 2266 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 2267 &cookie->time_entered, sctp_align_unsafe_makecopy); 2268 } 2269 /* respond with a COOKIE-ACK */ 2270 sctp_send_cookie_ack(stcb); 2271 2272 /* 2273 * check the address lists for any ASCONFs that need to be sent 2274 * AFTER the cookie-ack is sent 2275 */ 2276 sctp_check_address_list(stcb, m, 2277 initack_offset + sizeof(struct sctp_init_ack_chunk), 2278 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 2279 initack_src, cookie->local_scope, cookie->site_scope, 2280 cookie->ipv4_scope, cookie->loopback_scope); 2281 2282 2283 return (stcb); 2284} 2285 2286/* 2287 * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e 2288 * we NEED to make sure we are not already using the vtag. If so we 2289 * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit! 2290 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag, 2291 SCTP_BASE_INFO(hashasocmark))]; 2292 LIST_FOREACH(stcb, head, sctp_asocs) { 2293 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep)) { 2294 -- SEND ABORT - TRY AGAIN -- 2295 } 2296 } 2297*/ 2298 2299/* 2300 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 2301 * existing (non-NULL) TCB 2302 */ 2303static struct mbuf * 2304sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 2305 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 2306 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 2307 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 2308 struct sctp_tcb **locked_tcb, uint32_t vrf_id, uint16_t port) 2309{ 2310 struct sctp_state_cookie *cookie; 2311 struct sockaddr_in6 sin6; 2312 struct sockaddr_in sin; 2313 struct sctp_tcb *l_stcb = *stcb; 2314 struct sctp_inpcb *l_inp; 2315 struct sockaddr *to; 2316 sctp_assoc_t sac_restart_id; 2317 struct sctp_pcb *ep; 2318 struct mbuf *m_sig; 2319 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 2320 uint8_t *sig; 2321 uint8_t cookie_ok = 0; 2322 unsigned int size_of_pkt, sig_offset, cookie_offset; 2323 unsigned int cookie_len; 2324 struct timeval now; 2325 struct timeval time_expires; 2326 struct sockaddr_storage dest_store; 2327 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 2328 struct ip *iph; 2329 int notification = 0; 2330 struct sctp_nets *netl; 2331 int had_a_existing_tcb = 0; 2332 2333 SCTPDBG(SCTP_DEBUG_INPUT2, 2334 "sctp_handle_cookie: handling COOKIE-ECHO\n"); 2335 2336 if (inp_p == NULL) { 2337 return (NULL); 2338 } 2339 /* First get the destination address setup too. */ 2340 iph = mtod(m, struct ip *); 2341 switch (iph->ip_v) { 2342 case IPVERSION: 2343 { 2344 /* its IPv4 */ 2345 struct sockaddr_in *lsin; 2346 2347 lsin = (struct sockaddr_in *)(localep_sa); 2348 memset(lsin, 0, sizeof(*lsin)); 2349 lsin->sin_family = AF_INET; 2350 lsin->sin_len = sizeof(*lsin); 2351 lsin->sin_port = sh->dest_port; 2352 lsin->sin_addr.s_addr = iph->ip_dst.s_addr; 2353 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 2354 break; 2355 } 2356#ifdef INET6 2357 case IPV6_VERSION >> 4: 2358 { 2359 /* its IPv6 */ 2360 struct ip6_hdr *ip6; 2361 struct sockaddr_in6 *lsin6; 2362 2363 lsin6 = (struct sockaddr_in6 *)(localep_sa); 2364 memset(lsin6, 0, sizeof(*lsin6)); 2365 lsin6->sin6_family = AF_INET6; 2366 lsin6->sin6_len = sizeof(struct sockaddr_in6); 2367 ip6 = mtod(m, struct ip6_hdr *); 2368 lsin6->sin6_port = sh->dest_port; 2369 lsin6->sin6_addr = ip6->ip6_dst; 2370 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 2371 break; 2372 } 2373#endif 2374 default: 2375 return (NULL); 2376 } 2377 2378 cookie = &cp->cookie; 2379 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 2380 cookie_len = ntohs(cp->ch.chunk_length); 2381 2382 if ((cookie->peerport != sh->src_port) && 2383 (cookie->myport != sh->dest_port) && 2384 (cookie->my_vtag != sh->v_tag)) { 2385 /* 2386 * invalid ports or bad tag. Note that we always leave the 2387 * v_tag in the header in network order and when we stored 2388 * it in the my_vtag slot we also left it in network order. 2389 * This maintains the match even though it may be in the 2390 * opposite byte order of the machine :-> 2391 */ 2392 return (NULL); 2393 } 2394 if (cookie_len > size_of_pkt || 2395 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 2396 sizeof(struct sctp_init_chunk) + 2397 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 2398 /* cookie too long! or too small */ 2399 return (NULL); 2400 } 2401 /* 2402 * split off the signature into its own mbuf (since it should not be 2403 * calculated in the sctp_hmac_m() call). 2404 */ 2405 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 2406 if (sig_offset > size_of_pkt) { 2407 /* packet not correct size! */ 2408 /* XXX this may already be accounted for earlier... */ 2409 return (NULL); 2410 } 2411 m_sig = m_split(m, sig_offset, M_DONTWAIT); 2412 if (m_sig == NULL) { 2413 /* out of memory or ?? */ 2414 return (NULL); 2415 } 2416#ifdef SCTP_MBUF_LOGGING 2417 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 2418 struct mbuf *mat; 2419 2420 mat = m_sig; 2421 while (mat) { 2422 if (SCTP_BUF_IS_EXTENDED(mat)) { 2423 sctp_log_mb(mat, SCTP_MBUF_SPLIT); 2424 } 2425 mat = SCTP_BUF_NEXT(mat); 2426 } 2427 } 2428#endif 2429 2430 /* 2431 * compute the signature/digest for the cookie 2432 */ 2433 ep = &(*inp_p)->sctp_ep; 2434 l_inp = *inp_p; 2435 if (l_stcb) { 2436 SCTP_TCB_UNLOCK(l_stcb); 2437 } 2438 SCTP_INP_RLOCK(l_inp); 2439 if (l_stcb) { 2440 SCTP_TCB_LOCK(l_stcb); 2441 } 2442 /* which cookie is it? */ 2443 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 2444 (ep->current_secret_number != ep->last_secret_number)) { 2445 /* it's the old cookie */ 2446 (void)sctp_hmac_m(SCTP_HMAC, 2447 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 2448 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2449 } else { 2450 /* it's the current cookie */ 2451 (void)sctp_hmac_m(SCTP_HMAC, 2452 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 2453 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2454 } 2455 /* get the signature */ 2456 SCTP_INP_RUNLOCK(l_inp); 2457 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 2458 if (sig == NULL) { 2459 /* couldn't find signature */ 2460 sctp_m_freem(m_sig); 2461 return (NULL); 2462 } 2463 /* compare the received digest with the computed digest */ 2464 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 2465 /* try the old cookie? */ 2466 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 2467 (ep->current_secret_number != ep->last_secret_number)) { 2468 /* compute digest with old */ 2469 (void)sctp_hmac_m(SCTP_HMAC, 2470 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 2471 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2472 /* compare */ 2473 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 2474 cookie_ok = 1; 2475 } 2476 } else { 2477 cookie_ok = 1; 2478 } 2479 2480 /* 2481 * Now before we continue we must reconstruct our mbuf so that 2482 * normal processing of any other chunks will work. 2483 */ 2484 { 2485 struct mbuf *m_at; 2486 2487 m_at = m; 2488 while (SCTP_BUF_NEXT(m_at) != NULL) { 2489 m_at = SCTP_BUF_NEXT(m_at); 2490 } 2491 SCTP_BUF_NEXT(m_at) = m_sig; 2492 } 2493 2494 if (cookie_ok == 0) { 2495 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n"); 2496 SCTPDBG(SCTP_DEBUG_INPUT2, 2497 "offset = %u, cookie_offset = %u, sig_offset = %u\n", 2498 (uint32_t) offset, cookie_offset, sig_offset); 2499 return (NULL); 2500 } 2501 /* 2502 * check the cookie timestamps to be sure it's not stale 2503 */ 2504 (void)SCTP_GETTIME_TIMEVAL(&now); 2505 /* Expire time is in Ticks, so we convert to seconds */ 2506 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life); 2507 time_expires.tv_usec = cookie->time_entered.tv_usec; 2508 /* 2509 * TODO sctp_constants.h needs alternative time macros when _KERNEL 2510 * is undefined. 2511 */ 2512 if (timevalcmp(&now, &time_expires, >)) { 2513 /* cookie is stale! */ 2514 struct mbuf *op_err; 2515 struct sctp_stale_cookie_msg *scm; 2516 uint32_t tim; 2517 2518 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 2519 0, M_DONTWAIT, 1, MT_DATA); 2520 if (op_err == NULL) { 2521 /* FOOBAR */ 2522 return (NULL); 2523 } 2524 /* Set the len */ 2525 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 2526 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 2527 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 2528 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 2529 (sizeof(uint32_t)))); 2530 /* seconds to usec */ 2531 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2532 /* add in usec */ 2533 if (tim == 0) 2534 tim = now.tv_usec - cookie->time_entered.tv_usec; 2535 scm->time_usec = htonl(tim); 2536 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 2537 vrf_id, port); 2538 return (NULL); 2539 } 2540 /* 2541 * Now we must see with the lookup address if we have an existing 2542 * asoc. This will only happen if we were in the COOKIE-WAIT state 2543 * and a INIT collided with us and somewhere the peer sent the 2544 * cookie on another address besides the single address our assoc 2545 * had for him. In this case we will have one of the tie-tags set at 2546 * least AND the address field in the cookie can be used to look it 2547 * up. 2548 */ 2549 to = NULL; 2550 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 2551 memset(&sin6, 0, sizeof(sin6)); 2552 sin6.sin6_family = AF_INET6; 2553 sin6.sin6_len = sizeof(sin6); 2554 sin6.sin6_port = sh->src_port; 2555 sin6.sin6_scope_id = cookie->scope_id; 2556 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2557 sizeof(sin6.sin6_addr.s6_addr)); 2558 to = (struct sockaddr *)&sin6; 2559 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2560 memset(&sin, 0, sizeof(sin)); 2561 sin.sin_family = AF_INET; 2562 sin.sin_len = sizeof(sin); 2563 sin.sin_port = sh->src_port; 2564 sin.sin_addr.s_addr = cookie->address[0]; 2565 to = (struct sockaddr *)&sin; 2566 } else { 2567 /* This should not happen */ 2568 return (NULL); 2569 } 2570 if ((*stcb == NULL) && to) { 2571 /* Yep, lets check */ 2572 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2573 if (*stcb == NULL) { 2574 /* 2575 * We should have only got back the same inp. If we 2576 * got back a different ep we have a problem. The 2577 * original findep got back l_inp and now 2578 */ 2579 if (l_inp != *inp_p) { 2580 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n"); 2581 } 2582 } else { 2583 if (*locked_tcb == NULL) { 2584 /* 2585 * In this case we found the assoc only 2586 * after we locked the create lock. This 2587 * means we are in a colliding case and we 2588 * must make sure that we unlock the tcb if 2589 * its one of the cases where we throw away 2590 * the incoming packets. 2591 */ 2592 *locked_tcb = *stcb; 2593 2594 /* 2595 * We must also increment the inp ref count 2596 * since the ref_count flags was set when we 2597 * did not find the TCB, now we found it 2598 * which reduces the refcount.. we must 2599 * raise it back out to balance it all :-) 2600 */ 2601 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2602 if ((*stcb)->sctp_ep != l_inp) { 2603 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n", 2604 (*stcb)->sctp_ep, l_inp); 2605 } 2606 } 2607 } 2608 } 2609 if (to == NULL) { 2610 return (NULL); 2611 } 2612 cookie_len -= SCTP_SIGNATURE_SIZE; 2613 if (*stcb == NULL) { 2614 /* this is the "normal" case... get a new TCB */ 2615 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2616 cookie_len, *inp_p, netp, to, ¬ification, 2617 auth_skipped, auth_offset, auth_len, vrf_id, port); 2618 } else { 2619 /* this is abnormal... cookie-echo on existing TCB */ 2620 had_a_existing_tcb = 1; 2621 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2622 cookie, cookie_len, *inp_p, *stcb, netp, to, 2623 ¬ification, &sac_restart_id, vrf_id, auth_skipped, auth_offset, auth_len, port); 2624 } 2625 2626 if (*stcb == NULL) { 2627 /* still no TCB... must be bad cookie-echo */ 2628 return (NULL); 2629 } 2630 /* 2631 * Ok, we built an association so confirm the address we sent the 2632 * INIT-ACK to. 2633 */ 2634 netl = sctp_findnet(*stcb, to); 2635 /* 2636 * This code should in theory NOT run but 2637 */ 2638 if (netl == NULL) { 2639 /* TSNH! Huh, why do I need to add this address here? */ 2640 int ret; 2641 2642 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2643 SCTP_IN_COOKIE_PROC); 2644 netl = sctp_findnet(*stcb, to); 2645 } 2646 if (netl) { 2647 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2648 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2649 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2650 netl); 2651 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2652 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2653 } 2654 } 2655 if (*stcb) { 2656 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2657 *stcb, NULL); 2658 } 2659 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2660 if (!had_a_existing_tcb || 2661 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2662 /* 2663 * If we have a NEW cookie or the connect never 2664 * reached the connected state during collision we 2665 * must do the TCP accept thing. 2666 */ 2667 struct socket *so, *oso; 2668 struct sctp_inpcb *inp; 2669 2670 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2671 /* 2672 * For a restart we will keep the same 2673 * socket, no need to do anything. I THINK!! 2674 */ 2675 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id, SCTP_SO_NOT_LOCKED); 2676 return (m); 2677 } 2678 oso = (*inp_p)->sctp_socket; 2679 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2680 SCTP_TCB_UNLOCK((*stcb)); 2681 so = sonewconn(oso, 0 2682 ); 2683 SCTP_TCB_LOCK((*stcb)); 2684 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2685 2686 if (so == NULL) { 2687 struct mbuf *op_err; 2688 2689#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2690 struct socket *pcb_so; 2691 2692#endif 2693 /* Too many sockets */ 2694 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n"); 2695 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2696 sctp_abort_association(*inp_p, NULL, m, iphlen, 2697 sh, op_err, vrf_id, port); 2698#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2699 pcb_so = SCTP_INP_SO(*inp_p); 2700 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2701 SCTP_TCB_UNLOCK((*stcb)); 2702 SCTP_SOCKET_LOCK(pcb_so, 1); 2703 SCTP_TCB_LOCK((*stcb)); 2704 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2705#endif 2706 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2707#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2708 SCTP_SOCKET_UNLOCK(pcb_so, 1); 2709#endif 2710 return (NULL); 2711 } 2712 inp = (struct sctp_inpcb *)so->so_pcb; 2713 SCTP_INP_INCR_REF(inp); 2714 /* 2715 * We add the unbound flag here so that if we get an 2716 * soabort() before we get the move_pcb done, we 2717 * will properly cleanup. 2718 */ 2719 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2720 SCTP_PCB_FLAGS_CONNECTED | 2721 SCTP_PCB_FLAGS_IN_TCPPOOL | 2722 SCTP_PCB_FLAGS_UNBOUND | 2723 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2724 SCTP_PCB_FLAGS_DONT_WAKE); 2725 inp->sctp_features = (*inp_p)->sctp_features; 2726 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features; 2727 inp->sctp_socket = so; 2728 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2729 inp->sctp_cmt_on_off = (*inp_p)->sctp_cmt_on_off; 2730 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2731 inp->sctp_context = (*inp_p)->sctp_context; 2732 inp->inp_starting_point_for_iterator = NULL; 2733 /* 2734 * copy in the authentication parameters from the 2735 * original endpoint 2736 */ 2737 if (inp->sctp_ep.local_hmacs) 2738 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2739 inp->sctp_ep.local_hmacs = 2740 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2741 if (inp->sctp_ep.local_auth_chunks) 2742 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2743 inp->sctp_ep.local_auth_chunks = 2744 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2745 2746 /* 2747 * Now we must move it from one hash table to 2748 * another and get the tcb in the right place. 2749 */ 2750 2751 /* 2752 * This is where the one-2-one socket is put into 2753 * the accept state waiting for the accept! 2754 */ 2755 if (*stcb) { 2756 (*stcb)->asoc.state |= SCTP_STATE_IN_ACCEPT_QUEUE; 2757 } 2758 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2759 2760 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2761 SCTP_TCB_UNLOCK((*stcb)); 2762 2763 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, 2764 0); 2765 SCTP_TCB_LOCK((*stcb)); 2766 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2767 2768 2769 /* 2770 * now we must check to see if we were aborted while 2771 * the move was going on and the lock/unlock 2772 * happened. 2773 */ 2774 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2775 /* 2776 * yep it was, we leave the assoc attached 2777 * to the socket since the sctp_inpcb_free() 2778 * call will send an abort for us. 2779 */ 2780 SCTP_INP_DECR_REF(inp); 2781 return (NULL); 2782 } 2783 SCTP_INP_DECR_REF(inp); 2784 /* Switch over to the new guy */ 2785 *inp_p = inp; 2786 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2787 2788 /* 2789 * Pull it from the incomplete queue and wake the 2790 * guy 2791 */ 2792#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2793 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2794 SCTP_TCB_UNLOCK((*stcb)); 2795 SCTP_SOCKET_LOCK(so, 1); 2796#endif 2797 soisconnected(so); 2798#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2799 SCTP_TCB_LOCK((*stcb)); 2800 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2801 SCTP_SOCKET_UNLOCK(so, 1); 2802#endif 2803 return (m); 2804 } 2805 } 2806 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2807 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2808 } 2809 return (m); 2810} 2811 2812static void 2813sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2814 struct sctp_tcb *stcb, struct sctp_nets *net) 2815{ 2816 /* cp must not be used, others call this without a c-ack :-) */ 2817 struct sctp_association *asoc; 2818 2819 SCTPDBG(SCTP_DEBUG_INPUT2, 2820 "sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2821 if (stcb == NULL) 2822 return; 2823 2824 asoc = &stcb->asoc; 2825 2826 sctp_stop_all_cookie_timers(stcb); 2827 /* process according to association state */ 2828 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2829 /* state change only needed when I am in right state */ 2830 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2831 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 2832 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2833 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2834 stcb->sctp_ep, stcb, asoc->primary_destination); 2835 2836 } 2837 /* update RTO */ 2838 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2839 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2840 if (asoc->overall_error_count == 0) { 2841 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2842 &asoc->time_entered, sctp_align_safe_nocopy); 2843 } 2844 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2845 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2846 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2847 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2848#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2849 struct socket *so; 2850 2851#endif 2852 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2853#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2854 so = SCTP_INP_SO(stcb->sctp_ep); 2855 atomic_add_int(&stcb->asoc.refcnt, 1); 2856 SCTP_TCB_UNLOCK(stcb); 2857 SCTP_SOCKET_LOCK(so, 1); 2858 SCTP_TCB_LOCK(stcb); 2859 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2860 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 2861 SCTP_SOCKET_UNLOCK(so, 1); 2862 return; 2863 } 2864#endif 2865 soisconnected(stcb->sctp_socket); 2866#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2867 SCTP_SOCKET_UNLOCK(so, 1); 2868#endif 2869 } 2870 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2871 stcb, net); 2872 /* 2873 * since we did not send a HB make sure we don't double 2874 * things 2875 */ 2876 net->hb_responded = 1; 2877 2878 if (stcb->asoc.sctp_autoclose_ticks && 2879 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2880 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2881 stcb->sctp_ep, stcb, NULL); 2882 } 2883 /* 2884 * send ASCONF if parameters are pending and ASCONFs are 2885 * allowed (eg. addresses changed when init/cookie echo were 2886 * in flight) 2887 */ 2888 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2889 (stcb->asoc.peer_supports_asconf) && 2890 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2891#ifdef SCTP_TIMER_BASED_ASCONF 2892 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2893 stcb->sctp_ep, stcb, 2894 stcb->asoc.primary_destination); 2895#else 2896 sctp_send_asconf(stcb, stcb->asoc.primary_destination, 2897 SCTP_ADDR_NOT_LOCKED); 2898#endif 2899 } 2900 } 2901 /* Toss the cookie if I can */ 2902 sctp_toss_old_cookies(stcb, asoc); 2903 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2904 /* Restart the timer if we have pending data */ 2905 struct sctp_tmit_chunk *chk; 2906 2907 chk = TAILQ_FIRST(&asoc->sent_queue); 2908 if (chk) { 2909 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2910 stcb, chk->whoTo); 2911 } 2912 } 2913} 2914 2915static void 2916sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2917 struct sctp_tcb *stcb) 2918{ 2919 struct sctp_nets *net; 2920 struct sctp_tmit_chunk *lchk; 2921 uint32_t tsn; 2922 2923 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2924 return; 2925 } 2926 SCTP_STAT_INCR(sctps_recvecne); 2927 tsn = ntohl(cp->tsn); 2928 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2929 /* Also we make sure we disable the nonce_wait */ 2930 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2931 if (lchk == NULL) { 2932 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2933 } else { 2934 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2935 } 2936 stcb->asoc.nonce_wait_for_ecne = 0; 2937 stcb->asoc.nonce_sum_check = 0; 2938 2939 /* Find where it was sent, if possible */ 2940 net = NULL; 2941 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2942 while (lchk) { 2943 if (lchk->rec.data.TSN_seq == tsn) { 2944 net = lchk->whoTo; 2945 break; 2946 } 2947 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_TSN)) 2948 break; 2949 lchk = TAILQ_NEXT(lchk, sctp_next); 2950 } 2951 if (net == NULL) 2952 /* default is we use the primary */ 2953 net = stcb->asoc.primary_destination; 2954 2955 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2956 /* 2957 * JRS - Use the congestion control given in the pluggable 2958 * CC module 2959 */ 2960 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net); 2961 /* 2962 * we reduce once every RTT. So we will only lower cwnd at 2963 * the next sending seq i.e. the resync_tsn. 2964 */ 2965 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2966 } 2967 /* 2968 * We always send a CWR this way if our previous one was lost our 2969 * peer will get an update, or if it is not time again to reduce we 2970 * still get the cwr to the peer. 2971 */ 2972 sctp_send_cwr(stcb, net, tsn); 2973} 2974 2975static void 2976sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2977{ 2978 /* 2979 * Here we get a CWR from the peer. We must look in the outqueue and 2980 * make sure that we have a covered ECNE in teh control chunk part. 2981 * If so remove it. 2982 */ 2983 struct sctp_tmit_chunk *chk; 2984 struct sctp_ecne_chunk *ecne; 2985 2986 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2987 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2988 continue; 2989 } 2990 /* 2991 * Look for and remove if it is the right TSN. Since there 2992 * is only ONE ECNE on the control queue at any one time we 2993 * don't need to worry about more than one! 2994 */ 2995 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2996 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2997 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2998 /* this covers this ECNE, we can remove it */ 2999 stcb->asoc.ecn_echo_cnt_onq--; 3000 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 3001 sctp_next); 3002 if (chk->data) { 3003 sctp_m_freem(chk->data); 3004 chk->data = NULL; 3005 } 3006 stcb->asoc.ctrl_queue_cnt--; 3007 sctp_free_a_chunk(stcb, chk); 3008 break; 3009 } 3010 } 3011} 3012 3013static void 3014sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 3015 struct sctp_tcb *stcb, struct sctp_nets *net) 3016{ 3017 struct sctp_association *asoc; 3018 3019#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3020 struct socket *so; 3021 3022#endif 3023 3024 SCTPDBG(SCTP_DEBUG_INPUT2, 3025 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 3026 if (stcb == NULL) 3027 return; 3028 3029 asoc = &stcb->asoc; 3030 /* process according to association state */ 3031 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 3032 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 3033 SCTPDBG(SCTP_DEBUG_INPUT2, 3034 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n"); 3035 SCTP_TCB_UNLOCK(stcb); 3036 return; 3037 } 3038 /* notify upper layer protocol */ 3039 if (stcb->sctp_socket) { 3040 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 3041 /* are the queues empty? they should be */ 3042 if (!TAILQ_EMPTY(&asoc->send_queue) || 3043 !TAILQ_EMPTY(&asoc->sent_queue) || 3044 !TAILQ_EMPTY(&asoc->out_wheel)) { 3045 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED); 3046 } 3047 } 3048 /* stop the timer */ 3049 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 3050 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 3051 /* free the TCB */ 3052 SCTPDBG(SCTP_DEBUG_INPUT2, 3053 "sctp_handle_shutdown_complete: calls free-asoc\n"); 3054#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3055 so = SCTP_INP_SO(stcb->sctp_ep); 3056 atomic_add_int(&stcb->asoc.refcnt, 1); 3057 SCTP_TCB_UNLOCK(stcb); 3058 SCTP_SOCKET_LOCK(so, 1); 3059 SCTP_TCB_LOCK(stcb); 3060 atomic_subtract_int(&stcb->asoc.refcnt, 1); 3061#endif 3062 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 3063#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3064 SCTP_SOCKET_UNLOCK(so, 1); 3065#endif 3066 return; 3067} 3068 3069static int 3070process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 3071 struct sctp_nets *net, uint8_t flg) 3072{ 3073 switch (desc->chunk_type) { 3074 case SCTP_DATA: 3075 /* find the tsn to resend (possibly */ 3076 { 3077 uint32_t tsn; 3078 struct sctp_tmit_chunk *tp1; 3079 3080 tsn = ntohl(desc->tsn_ifany); 3081 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 3082 while (tp1) { 3083 if (tp1->rec.data.TSN_seq == tsn) { 3084 /* found it */ 3085 break; 3086 } 3087 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 3088 MAX_TSN)) { 3089 /* not found */ 3090 tp1 = NULL; 3091 break; 3092 } 3093 tp1 = TAILQ_NEXT(tp1, sctp_next); 3094 } 3095 if (tp1 == NULL) { 3096 /* 3097 * Do it the other way , aka without paying 3098 * attention to queue seq order. 3099 */ 3100 SCTP_STAT_INCR(sctps_pdrpdnfnd); 3101 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 3102 while (tp1) { 3103 if (tp1->rec.data.TSN_seq == tsn) { 3104 /* found it */ 3105 break; 3106 } 3107 tp1 = TAILQ_NEXT(tp1, sctp_next); 3108 } 3109 } 3110 if (tp1 == NULL) { 3111 SCTP_STAT_INCR(sctps_pdrptsnnf); 3112 } 3113 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 3114 uint8_t *ddp; 3115 3116 if (((flg & SCTP_BADCRC) == 0) && 3117 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 3118 return (0); 3119 } 3120 if ((stcb->asoc.peers_rwnd == 0) && 3121 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 3122 SCTP_STAT_INCR(sctps_pdrpdiwnp); 3123 return (0); 3124 } 3125 if (stcb->asoc.peers_rwnd == 0 && 3126 (flg & SCTP_FROM_MIDDLE_BOX)) { 3127 SCTP_STAT_INCR(sctps_pdrpdizrw); 3128 return (0); 3129 } 3130 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 3131 sizeof(struct sctp_data_chunk)); 3132 { 3133 unsigned int iii; 3134 3135 for (iii = 0; iii < sizeof(desc->data_bytes); 3136 iii++) { 3137 if (ddp[iii] != desc->data_bytes[iii]) { 3138 SCTP_STAT_INCR(sctps_pdrpbadd); 3139 return (-1); 3140 } 3141 } 3142 } 3143 /* 3144 * We zero out the nonce so resync not 3145 * needed 3146 */ 3147 tp1->rec.data.ect_nonce = 0; 3148 3149 if (tp1->do_rtt) { 3150 /* 3151 * this guy had a RTO calculation 3152 * pending on it, cancel it 3153 */ 3154 tp1->do_rtt = 0; 3155 } 3156 SCTP_STAT_INCR(sctps_pdrpmark); 3157 if (tp1->sent != SCTP_DATAGRAM_RESEND) 3158 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3159 /* 3160 * mark it as if we were doing a FR, since 3161 * we will be getting gap ack reports behind 3162 * the info from the router. 3163 */ 3164 tp1->rec.data.doing_fast_retransmit = 1; 3165 /* 3166 * mark the tsn with what sequences can 3167 * cause a new FR. 3168 */ 3169 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 3170 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 3171 } else { 3172 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 3173 } 3174 3175 /* restart the timer */ 3176 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 3177 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 3178 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 3179 stcb, tp1->whoTo); 3180 3181 /* fix counts and things */ 3182 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3183 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 3184 tp1->whoTo->flight_size, 3185 tp1->book_size, 3186 (uintptr_t) stcb, 3187 tp1->rec.data.TSN_seq); 3188 } 3189 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3190 sctp_flight_size_decrease(tp1); 3191 sctp_total_flight_decrease(stcb, tp1); 3192 } 3193 tp1->sent = SCTP_DATAGRAM_RESEND; 3194 } { 3195 /* audit code */ 3196 unsigned int audit; 3197 3198 audit = 0; 3199 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3200 if (tp1->sent == SCTP_DATAGRAM_RESEND) 3201 audit++; 3202 } 3203 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 3204 sctp_next) { 3205 if (tp1->sent == SCTP_DATAGRAM_RESEND) 3206 audit++; 3207 } 3208 if (audit != stcb->asoc.sent_queue_retran_cnt) { 3209 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n", 3210 audit, stcb->asoc.sent_queue_retran_cnt); 3211#ifndef SCTP_AUDITING_ENABLED 3212 stcb->asoc.sent_queue_retran_cnt = audit; 3213#endif 3214 } 3215 } 3216 } 3217 break; 3218 case SCTP_ASCONF: 3219 { 3220 struct sctp_tmit_chunk *asconf; 3221 3222 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 3223 sctp_next) { 3224 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 3225 break; 3226 } 3227 } 3228 if (asconf) { 3229 if (asconf->sent != SCTP_DATAGRAM_RESEND) 3230 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3231 asconf->sent = SCTP_DATAGRAM_RESEND; 3232 asconf->snd_count--; 3233 } 3234 } 3235 break; 3236 case SCTP_INITIATION: 3237 /* resend the INIT */ 3238 stcb->asoc.dropped_special_cnt++; 3239 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 3240 /* 3241 * If we can get it in, in a few attempts we do 3242 * this, otherwise we let the timer fire. 3243 */ 3244 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 3245 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 3246 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 3247 } 3248 break; 3249 case SCTP_SELECTIVE_ACK: 3250 case SCTP_NR_SELECTIVE_ACK: 3251 /* resend the sack */ 3252 sctp_send_sack(stcb); 3253 break; 3254 case SCTP_HEARTBEAT_REQUEST: 3255 /* resend a demand HB */ 3256 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) { 3257 /* 3258 * Only retransmit if we KNOW we wont destroy the 3259 * tcb 3260 */ 3261 (void)sctp_send_hb(stcb, 1, net); 3262 } 3263 break; 3264 case SCTP_SHUTDOWN: 3265 sctp_send_shutdown(stcb, net); 3266 break; 3267 case SCTP_SHUTDOWN_ACK: 3268 sctp_send_shutdown_ack(stcb, net); 3269 break; 3270 case SCTP_COOKIE_ECHO: 3271 { 3272 struct sctp_tmit_chunk *cookie; 3273 3274 cookie = NULL; 3275 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 3276 sctp_next) { 3277 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 3278 break; 3279 } 3280 } 3281 if (cookie) { 3282 if (cookie->sent != SCTP_DATAGRAM_RESEND) 3283 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3284 cookie->sent = SCTP_DATAGRAM_RESEND; 3285 sctp_stop_all_cookie_timers(stcb); 3286 } 3287 } 3288 break; 3289 case SCTP_COOKIE_ACK: 3290 sctp_send_cookie_ack(stcb); 3291 break; 3292 case SCTP_ASCONF_ACK: 3293 /* resend last asconf ack */ 3294 sctp_send_asconf_ack(stcb); 3295 break; 3296 case SCTP_FORWARD_CUM_TSN: 3297 send_forward_tsn(stcb, &stcb->asoc); 3298 break; 3299 /* can't do anything with these */ 3300 case SCTP_PACKET_DROPPED: 3301 case SCTP_INITIATION_ACK: /* this should not happen */ 3302 case SCTP_HEARTBEAT_ACK: 3303 case SCTP_ABORT_ASSOCIATION: 3304 case SCTP_OPERATION_ERROR: 3305 case SCTP_SHUTDOWN_COMPLETE: 3306 case SCTP_ECN_ECHO: 3307 case SCTP_ECN_CWR: 3308 default: 3309 break; 3310 } 3311 return (0); 3312} 3313 3314void 3315sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 3316{ 3317 int i; 3318 uint16_t temp; 3319 3320 /* 3321 * We set things to 0xffff since this is the last delivered sequence 3322 * and we will be sending in 0 after the reset. 3323 */ 3324 3325 if (number_entries) { 3326 for (i = 0; i < number_entries; i++) { 3327 temp = ntohs(list[i]); 3328 if (temp >= stcb->asoc.streamincnt) { 3329 continue; 3330 } 3331 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 3332 } 3333 } else { 3334 list = NULL; 3335 for (i = 0; i < stcb->asoc.streamincnt; i++) { 3336 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 3337 } 3338 } 3339 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3340} 3341 3342static void 3343sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 3344{ 3345 int i; 3346 3347 if (number_entries == 0) { 3348 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 3349 stcb->asoc.strmout[i].next_sequence_sent = 0; 3350 } 3351 } else if (number_entries) { 3352 for (i = 0; i < number_entries; i++) { 3353 uint16_t temp; 3354 3355 temp = ntohs(list[i]); 3356 if (temp >= stcb->asoc.streamoutcnt) { 3357 /* no such stream */ 3358 continue; 3359 } 3360 stcb->asoc.strmout[temp].next_sequence_sent = 0; 3361 } 3362 } 3363 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3364} 3365 3366 3367struct sctp_stream_reset_out_request * 3368sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 3369{ 3370 struct sctp_association *asoc; 3371 struct sctp_stream_reset_out_req *req; 3372 struct sctp_stream_reset_out_request *r; 3373 struct sctp_tmit_chunk *chk; 3374 int len, clen; 3375 3376 asoc = &stcb->asoc; 3377 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 3378 asoc->stream_reset_outstanding = 0; 3379 return (NULL); 3380 } 3381 if (stcb->asoc.str_reset == NULL) { 3382 asoc->stream_reset_outstanding = 0; 3383 return (NULL); 3384 } 3385 chk = stcb->asoc.str_reset; 3386 if (chk->data == NULL) { 3387 return (NULL); 3388 } 3389 if (bchk) { 3390 /* he wants a copy of the chk pointer */ 3391 *bchk = chk; 3392 } 3393 clen = chk->send_size; 3394 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 3395 r = &req->sr_req; 3396 if (ntohl(r->request_seq) == seq) { 3397 /* found it */ 3398 return (r); 3399 } 3400 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 3401 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 3402 /* move to the next one, there can only be a max of two */ 3403 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 3404 if (ntohl(r->request_seq) == seq) { 3405 return (r); 3406 } 3407 } 3408 /* that seq is not here */ 3409 return (NULL); 3410} 3411 3412static void 3413sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 3414{ 3415 struct sctp_association *asoc; 3416 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 3417 3418 if (stcb->asoc.str_reset == NULL) { 3419 return; 3420 } 3421 asoc = &stcb->asoc; 3422 3423 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3424 TAILQ_REMOVE(&asoc->control_send_queue, 3425 chk, 3426 sctp_next); 3427 if (chk->data) { 3428 sctp_m_freem(chk->data); 3429 chk->data = NULL; 3430 } 3431 asoc->ctrl_queue_cnt--; 3432 sctp_free_a_chunk(stcb, chk); 3433 /* sa_ignore NO_NULL_CHK */ 3434 stcb->asoc.str_reset = NULL; 3435} 3436 3437 3438static int 3439sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 3440 uint32_t seq, uint32_t action, 3441 struct sctp_stream_reset_response *respin) 3442{ 3443 uint16_t type; 3444 int lparm_len; 3445 struct sctp_association *asoc = &stcb->asoc; 3446 struct sctp_tmit_chunk *chk; 3447 struct sctp_stream_reset_out_request *srparam; 3448 int number_entries; 3449 3450 if (asoc->stream_reset_outstanding == 0) { 3451 /* duplicate */ 3452 return (0); 3453 } 3454 if (seq == stcb->asoc.str_reset_seq_out) { 3455 srparam = sctp_find_stream_reset(stcb, seq, &chk); 3456 if (srparam) { 3457 stcb->asoc.str_reset_seq_out++; 3458 type = ntohs(srparam->ph.param_type); 3459 lparm_len = ntohs(srparam->ph.param_length); 3460 if (type == SCTP_STR_RESET_OUT_REQUEST) { 3461 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 3462 asoc->stream_reset_out_is_outstanding = 0; 3463 if (asoc->stream_reset_outstanding) 3464 asoc->stream_reset_outstanding--; 3465 if (action == SCTP_STREAM_RESET_PERFORMED) { 3466 /* do it */ 3467 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 3468 } else { 3469 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); 3470 } 3471 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 3472 /* Answered my request */ 3473 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 3474 if (asoc->stream_reset_outstanding) 3475 asoc->stream_reset_outstanding--; 3476 if (action != SCTP_STREAM_RESET_PERFORMED) { 3477 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); 3478 } 3479 } else if (type == SCTP_STR_RESET_ADD_STREAMS) { 3480 /* Ok we now may have more streams */ 3481 if (asoc->stream_reset_outstanding) 3482 asoc->stream_reset_outstanding--; 3483 if (action == SCTP_STREAM_RESET_PERFORMED) { 3484 /* Put the new streams into effect */ 3485 stcb->asoc.streamoutcnt = stcb->asoc.strm_realoutsize; 3486 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_ADD_OK, stcb, 3487 (uint32_t) stcb->asoc.streamoutcnt, NULL, SCTP_SO_NOT_LOCKED); 3488 } else { 3489 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_ADD_FAIL, stcb, 3490 (uint32_t) stcb->asoc.streamoutcnt, NULL, SCTP_SO_NOT_LOCKED); 3491 } 3492 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 3493 /** 3494 * a) Adopt the new in tsn. 3495 * b) reset the map 3496 * c) Adopt the new out-tsn 3497 */ 3498 struct sctp_stream_reset_response_tsn *resp; 3499 struct sctp_forward_tsn_chunk fwdtsn; 3500 int abort_flag = 0; 3501 3502 if (respin == NULL) { 3503 /* huh ? */ 3504 return (0); 3505 } 3506 if (action == SCTP_STREAM_RESET_PERFORMED) { 3507 resp = (struct sctp_stream_reset_response_tsn *)respin; 3508 asoc->stream_reset_outstanding--; 3509 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3510 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3511 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 3512 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3513 if (abort_flag) { 3514 return (1); 3515 } 3516 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 3517 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 3518 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 3519 } 3520 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3521 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 3522 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3523 3524 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map; 3525 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size); 3526 3527 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 3528 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 3529 3530 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3531 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3532 3533 } 3534 } 3535 /* get rid of the request and get the request flags */ 3536 if (asoc->stream_reset_outstanding == 0) { 3537 sctp_clean_up_stream_reset(stcb); 3538 } 3539 } 3540 } 3541 return (0); 3542} 3543 3544static void 3545sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 3546 struct sctp_tmit_chunk *chk, 3547 struct sctp_stream_reset_in_request *req, int trunc) 3548{ 3549 uint32_t seq; 3550 int len, i; 3551 int number_entries; 3552 uint16_t temp; 3553 3554 /* 3555 * peer wants me to send a str-reset to him for my outgoing seq's if 3556 * seq_in is right. 3557 */ 3558 struct sctp_association *asoc = &stcb->asoc; 3559 3560 seq = ntohl(req->request_seq); 3561 if (asoc->str_reset_seq_in == seq) { 3562 if (trunc) { 3563 /* Can't do it, since they exceeded our buffer size */ 3564 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3565 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3566 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3567 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 3568 len = ntohs(req->ph.param_length); 3569 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 3570 for (i = 0; i < number_entries; i++) { 3571 temp = ntohs(req->list_of_streams[i]); 3572 req->list_of_streams[i] = temp; 3573 } 3574 /* move the reset action back one */ 3575 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3576 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3577 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 3578 asoc->str_reset_seq_out, 3579 seq, (asoc->sending_seq - 1)); 3580 asoc->stream_reset_out_is_outstanding = 1; 3581 asoc->str_reset = chk; 3582 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 3583 stcb->asoc.stream_reset_outstanding++; 3584 } else { 3585 /* Can't do it, since we have sent one out */ 3586 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3587 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 3588 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3589 } 3590 asoc->str_reset_seq_in++; 3591 } else if (asoc->str_reset_seq_in - 1 == seq) { 3592 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3593 } else if (asoc->str_reset_seq_in - 2 == seq) { 3594 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3595 } else { 3596 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3597 } 3598} 3599 3600static int 3601sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 3602 struct sctp_tmit_chunk *chk, 3603 struct sctp_stream_reset_tsn_request *req) 3604{ 3605 /* reset all in and out and update the tsn */ 3606 /* 3607 * A) reset my str-seq's on in and out. B) Select a receive next, 3608 * and set cum-ack to it. Also process this selected number as a 3609 * fwd-tsn as well. C) set in the response my next sending seq. 3610 */ 3611 struct sctp_forward_tsn_chunk fwdtsn; 3612 struct sctp_association *asoc = &stcb->asoc; 3613 int abort_flag = 0; 3614 uint32_t seq; 3615 3616 seq = ntohl(req->request_seq); 3617 if (asoc->str_reset_seq_in == seq) { 3618 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3619 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3620 fwdtsn.ch.chunk_flags = 0; 3621 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3622 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3623 if (abort_flag) { 3624 return (1); 3625 } 3626 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3627 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 3628 sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 3629 } 3630 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3631 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 3632 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3633 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map; 3634 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size); 3635 atomic_add_int(&stcb->asoc.sending_seq, 1); 3636 /* save off historical data for retrans */ 3637 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 3638 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 3639 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 3640 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 3641 3642 sctp_add_stream_reset_result_tsn(chk, 3643 ntohl(req->request_seq), 3644 SCTP_STREAM_RESET_PERFORMED, 3645 stcb->asoc.sending_seq, 3646 stcb->asoc.mapping_array_base_tsn); 3647 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3648 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3649 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3650 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3651 3652 asoc->str_reset_seq_in++; 3653 } else if (asoc->str_reset_seq_in - 1 == seq) { 3654 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3655 stcb->asoc.last_sending_seq[0], 3656 stcb->asoc.last_base_tsnsent[0] 3657 ); 3658 } else if (asoc->str_reset_seq_in - 2 == seq) { 3659 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3660 stcb->asoc.last_sending_seq[1], 3661 stcb->asoc.last_base_tsnsent[1] 3662 ); 3663 } else { 3664 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3665 } 3666 return (0); 3667} 3668 3669static void 3670sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3671 struct sctp_tmit_chunk *chk, 3672 struct sctp_stream_reset_out_request *req, int trunc) 3673{ 3674 uint32_t seq, tsn; 3675 int number_entries, len; 3676 struct sctp_association *asoc = &stcb->asoc; 3677 3678 seq = ntohl(req->request_seq); 3679 3680 /* now if its not a duplicate we process it */ 3681 if (asoc->str_reset_seq_in == seq) { 3682 len = ntohs(req->ph.param_length); 3683 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3684 /* 3685 * the sender is resetting, handle the list issue.. we must 3686 * a) verify if we can do the reset, if so no problem b) If 3687 * we can't do the reset we must copy the request. c) queue 3688 * it, and setup the data in processor to trigger it off 3689 * when needed and dequeue all the queued data. 3690 */ 3691 tsn = ntohl(req->send_reset_at_tsn); 3692 3693 /* move the reset action back one */ 3694 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3695 if (trunc) { 3696 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3697 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3698 } else if ((tsn == asoc->cumulative_tsn) || 3699 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3700 /* we can do it now */ 3701 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3702 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3703 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3704 } else { 3705 /* 3706 * we must queue it up and thus wait for the TSN's 3707 * to arrive that are at or before tsn 3708 */ 3709 struct sctp_stream_reset_list *liste; 3710 int siz; 3711 3712 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3713 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3714 siz, SCTP_M_STRESET); 3715 if (liste == NULL) { 3716 /* gak out of memory */ 3717 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3718 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3719 return; 3720 } 3721 liste->tsn = tsn; 3722 liste->number_entries = number_entries; 3723 memcpy(&liste->req, req, 3724 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3725 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3726 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3727 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3728 } 3729 asoc->str_reset_seq_in++; 3730 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3731 /* 3732 * one seq back, just echo back last action since my 3733 * response was lost. 3734 */ 3735 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3736 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3737 /* 3738 * two seq back, just echo back last action since my 3739 * response was lost. 3740 */ 3741 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3742 } else { 3743 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3744 } 3745} 3746 3747static void 3748sctp_handle_str_reset_add_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk, 3749 struct sctp_stream_reset_add_strm *str_add) 3750{ 3751 /* 3752 * Peer is requesting to add more streams. If its within our 3753 * max-streams we will allow it. 3754 */ 3755 uint16_t num_stream, i; 3756 uint32_t seq; 3757 struct sctp_association *asoc = &stcb->asoc; 3758 struct sctp_queued_to_read *ctl; 3759 3760 /* Get the number. */ 3761 seq = ntohl(str_add->request_seq); 3762 num_stream = ntohs(str_add->number_of_streams); 3763 /* Now what would be the new total? */ 3764 if (asoc->str_reset_seq_in == seq) { 3765 num_stream += stcb->asoc.streamincnt; 3766 if (num_stream > stcb->asoc.max_inbound_streams) { 3767 /* We must reject it they ask for to many */ 3768 denied: 3769 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3770 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3771 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3772 } else { 3773 /* Ok, we can do that :-) */ 3774 struct sctp_stream_in *oldstrm; 3775 3776 /* save off the old */ 3777 oldstrm = stcb->asoc.strmin; 3778 SCTP_MALLOC(stcb->asoc.strmin, struct sctp_stream_in *, 3779 (num_stream * sizeof(struct sctp_stream_in)), 3780 SCTP_M_STRMI); 3781 if (stcb->asoc.strmin == NULL) { 3782 stcb->asoc.strmin = oldstrm; 3783 goto denied; 3784 } 3785 /* copy off the old data */ 3786 for (i = 0; i < stcb->asoc.streamincnt; i++) { 3787 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue); 3788 stcb->asoc.strmin[i].stream_no = i; 3789 stcb->asoc.strmin[i].last_sequence_delivered = oldstrm[i].last_sequence_delivered; 3790 stcb->asoc.strmin[i].delivery_started = oldstrm[i].delivery_started; 3791 /* now anything on those queues? */ 3792 while (TAILQ_EMPTY(&oldstrm[i].inqueue) == 0) { 3793 ctl = TAILQ_FIRST(&oldstrm[i].inqueue); 3794 TAILQ_REMOVE(&oldstrm[i].inqueue, ctl, next); 3795 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].inqueue, ctl, next); 3796 } 3797 } 3798 /* Init the new streams */ 3799 for (i = stcb->asoc.streamincnt; i < num_stream; i++) { 3800 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue); 3801 stcb->asoc.strmin[i].stream_no = i; 3802 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 3803 stcb->asoc.strmin[i].delivery_started = 0; 3804 } 3805 SCTP_FREE(oldstrm, SCTP_M_STRMI); 3806 /* update the size */ 3807 stcb->asoc.streamincnt = num_stream; 3808 /* Send the ack */ 3809 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3810 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3811 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3812 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_INSTREAM_ADD_OK, stcb, 3813 (uint32_t) stcb->asoc.streamincnt, NULL, SCTP_SO_NOT_LOCKED); 3814 } 3815 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3816 /* 3817 * one seq back, just echo back last action since my 3818 * response was lost. 3819 */ 3820 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3821 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3822 /* 3823 * two seq back, just echo back last action since my 3824 * response was lost. 3825 */ 3826 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3827 } else { 3828 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3829 3830 } 3831} 3832 3833#ifdef __GNUC__ 3834__attribute__((noinline)) 3835#endif 3836 static int 3837 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset, 3838 struct sctp_stream_reset_out_req *sr_req) 3839{ 3840 int chk_length, param_len, ptype; 3841 struct sctp_paramhdr pstore; 3842 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE]; 3843 3844 uint32_t seq; 3845 int num_req = 0; 3846 int trunc = 0; 3847 struct sctp_tmit_chunk *chk; 3848 struct sctp_chunkhdr *ch; 3849 struct sctp_paramhdr *ph; 3850 int ret_code = 0; 3851 int num_param = 0; 3852 3853 /* now it may be a reset or a reset-response */ 3854 chk_length = ntohs(sr_req->ch.chunk_length); 3855 3856 /* setup for adding the response */ 3857 sctp_alloc_a_chunk(stcb, chk); 3858 if (chk == NULL) { 3859 return (ret_code); 3860 } 3861 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3862 chk->rec.chunk_id.can_take_data = 0; 3863 chk->asoc = &stcb->asoc; 3864 chk->no_fr_allowed = 0; 3865 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3866 chk->book_size_scale = 0; 3867 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3868 if (chk->data == NULL) { 3869strres_nochunk: 3870 if (chk->data) { 3871 sctp_m_freem(chk->data); 3872 chk->data = NULL; 3873 } 3874 sctp_free_a_chunk(stcb, chk); 3875 return (ret_code); 3876 } 3877 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3878 3879 /* setup chunk parameters */ 3880 chk->sent = SCTP_DATAGRAM_UNSENT; 3881 chk->snd_count = 0; 3882 chk->whoTo = stcb->asoc.primary_destination; 3883 atomic_add_int(&chk->whoTo->ref_count, 1); 3884 3885 ch = mtod(chk->data, struct sctp_chunkhdr *); 3886 ch->chunk_type = SCTP_STREAM_RESET; 3887 ch->chunk_flags = 0; 3888 ch->chunk_length = htons(chk->send_size); 3889 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3890 offset += sizeof(struct sctp_chunkhdr); 3891 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3892 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore); 3893 if (ph == NULL) 3894 break; 3895 param_len = ntohs(ph->param_length); 3896 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3897 /* bad param */ 3898 break; 3899 } 3900 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)), 3901 (uint8_t *) & cstore); 3902 ptype = ntohs(ph->param_type); 3903 num_param++; 3904 if (param_len > (int)sizeof(cstore)) { 3905 trunc = 1; 3906 } else { 3907 trunc = 0; 3908 } 3909 3910 if (num_param > SCTP_MAX_RESET_PARAMS) { 3911 /* hit the max of parameters already sorry.. */ 3912 break; 3913 } 3914 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3915 struct sctp_stream_reset_out_request *req_out; 3916 3917 req_out = (struct sctp_stream_reset_out_request *)ph; 3918 num_req++; 3919 if (stcb->asoc.stream_reset_outstanding) { 3920 seq = ntohl(req_out->response_seq); 3921 if (seq == stcb->asoc.str_reset_seq_out) { 3922 /* implicit ack */ 3923 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3924 } 3925 } 3926 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc); 3927 } else if (ptype == SCTP_STR_RESET_ADD_STREAMS) { 3928 struct sctp_stream_reset_add_strm *str_add; 3929 3930 str_add = (struct sctp_stream_reset_add_strm *)ph; 3931 num_req++; 3932 sctp_handle_str_reset_add_strm(stcb, chk, str_add); 3933 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3934 struct sctp_stream_reset_in_request *req_in; 3935 3936 num_req++; 3937 3938 req_in = (struct sctp_stream_reset_in_request *)ph; 3939 3940 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc); 3941 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3942 struct sctp_stream_reset_tsn_request *req_tsn; 3943 3944 num_req++; 3945 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3946 3947 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3948 ret_code = 1; 3949 goto strres_nochunk; 3950 } 3951 /* no more */ 3952 break; 3953 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3954 struct sctp_stream_reset_response *resp; 3955 uint32_t result; 3956 3957 resp = (struct sctp_stream_reset_response *)ph; 3958 seq = ntohl(resp->response_seq); 3959 result = ntohl(resp->result); 3960 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3961 ret_code = 1; 3962 goto strres_nochunk; 3963 } 3964 } else { 3965 break; 3966 } 3967 offset += SCTP_SIZE32(param_len); 3968 chk_length -= SCTP_SIZE32(param_len); 3969 } 3970 if (num_req == 0) { 3971 /* we have no response free the stuff */ 3972 goto strres_nochunk; 3973 } 3974 /* ok we have a chunk to link in */ 3975 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3976 chk, 3977 sctp_next); 3978 stcb->asoc.ctrl_queue_cnt++; 3979 return (ret_code); 3980} 3981 3982/* 3983 * Handle a router or endpoints report of a packet loss, there are two ways 3984 * to handle this, either we get the whole packet and must disect it 3985 * ourselves (possibly with truncation and or corruption) or it is a summary 3986 * from a middle box that did the disectting for us. 3987 */ 3988static void 3989sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3990 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit) 3991{ 3992 uint32_t bottle_bw, on_queue; 3993 uint16_t trunc_len; 3994 unsigned int chlen; 3995 unsigned int at; 3996 struct sctp_chunk_desc desc; 3997 struct sctp_chunkhdr *ch; 3998 3999 chlen = ntohs(cp->ch.chunk_length); 4000 chlen -= sizeof(struct sctp_pktdrop_chunk); 4001 /* XXX possible chlen underflow */ 4002 if (chlen == 0) { 4003 ch = NULL; 4004 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 4005 SCTP_STAT_INCR(sctps_pdrpbwrpt); 4006 } else { 4007 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 4008 chlen -= sizeof(struct sctphdr); 4009 /* XXX possible chlen underflow */ 4010 memset(&desc, 0, sizeof(desc)); 4011 } 4012 trunc_len = (uint16_t) ntohs(cp->trunc_len); 4013 if (trunc_len > limit) { 4014 trunc_len = limit; 4015 } 4016 /* now the chunks themselves */ 4017 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 4018 desc.chunk_type = ch->chunk_type; 4019 /* get amount we need to move */ 4020 at = ntohs(ch->chunk_length); 4021 if (at < sizeof(struct sctp_chunkhdr)) { 4022 /* corrupt chunk, maybe at the end? */ 4023 SCTP_STAT_INCR(sctps_pdrpcrupt); 4024 break; 4025 } 4026 if (trunc_len == 0) { 4027 /* we are supposed to have all of it */ 4028 if (at > chlen) { 4029 /* corrupt skip it */ 4030 SCTP_STAT_INCR(sctps_pdrpcrupt); 4031 break; 4032 } 4033 } else { 4034 /* is there enough of it left ? */ 4035 if (desc.chunk_type == SCTP_DATA) { 4036 if (chlen < (sizeof(struct sctp_data_chunk) + 4037 sizeof(desc.data_bytes))) { 4038 break; 4039 } 4040 } else { 4041 if (chlen < sizeof(struct sctp_chunkhdr)) { 4042 break; 4043 } 4044 } 4045 } 4046 if (desc.chunk_type == SCTP_DATA) { 4047 /* can we get out the tsn? */ 4048 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 4049 SCTP_STAT_INCR(sctps_pdrpmbda); 4050 4051 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 4052 /* yep */ 4053 struct sctp_data_chunk *dcp; 4054 uint8_t *ddp; 4055 unsigned int iii; 4056 4057 dcp = (struct sctp_data_chunk *)ch; 4058 ddp = (uint8_t *) (dcp + 1); 4059 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 4060 desc.data_bytes[iii] = ddp[iii]; 4061 } 4062 desc.tsn_ifany = dcp->dp.tsn; 4063 } else { 4064 /* nope we are done. */ 4065 SCTP_STAT_INCR(sctps_pdrpnedat); 4066 break; 4067 } 4068 } else { 4069 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 4070 SCTP_STAT_INCR(sctps_pdrpmbct); 4071 } 4072 4073 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 4074 SCTP_STAT_INCR(sctps_pdrppdbrk); 4075 break; 4076 } 4077 if (SCTP_SIZE32(at) > chlen) { 4078 break; 4079 } 4080 chlen -= SCTP_SIZE32(at); 4081 if (chlen < sizeof(struct sctp_chunkhdr)) { 4082 /* done, none left */ 4083 break; 4084 } 4085 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 4086 } 4087 /* Now update any rwnd --- possibly */ 4088 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 4089 /* From a peer, we get a rwnd report */ 4090 uint32_t a_rwnd; 4091 4092 SCTP_STAT_INCR(sctps_pdrpfehos); 4093 4094 bottle_bw = ntohl(cp->bottle_bw); 4095 on_queue = ntohl(cp->current_onq); 4096 if (bottle_bw && on_queue) { 4097 /* a rwnd report is in here */ 4098 if (bottle_bw > on_queue) 4099 a_rwnd = bottle_bw - on_queue; 4100 else 4101 a_rwnd = 0; 4102 4103 if (a_rwnd == 0) 4104 stcb->asoc.peers_rwnd = 0; 4105 else { 4106 if (a_rwnd > stcb->asoc.total_flight) { 4107 stcb->asoc.peers_rwnd = 4108 a_rwnd - stcb->asoc.total_flight; 4109 } else { 4110 stcb->asoc.peers_rwnd = 0; 4111 } 4112 if (stcb->asoc.peers_rwnd < 4113 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4114 /* SWS sender side engages */ 4115 stcb->asoc.peers_rwnd = 0; 4116 } 4117 } 4118 } 4119 } else { 4120 SCTP_STAT_INCR(sctps_pdrpfmbox); 4121 } 4122 4123 /* now middle boxes in sat networks get a cwnd bump */ 4124 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 4125 (stcb->asoc.sat_t3_loss_recovery == 0) && 4126 (stcb->asoc.sat_network)) { 4127 /* 4128 * This is debateable but for sat networks it makes sense 4129 * Note if a T3 timer has went off, we will prohibit any 4130 * changes to cwnd until we exit the t3 loss recovery. 4131 */ 4132 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb, 4133 net, cp, &bottle_bw, &on_queue); 4134 } 4135} 4136 4137/* 4138 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 4139 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 4140 * offset: offset into the mbuf chain to first chunkhdr - length: is the 4141 * length of the complete packet outputs: - length: modified to remaining 4142 * length after control processing - netp: modified to new sctp_nets after 4143 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 4144 * bad packet,...) otherwise return the tcb for this packet 4145 */ 4146#ifdef __GNUC__ 4147__attribute__((noinline)) 4148#endif 4149 static struct sctp_tcb * 4150 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 4151 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 4152 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen, 4153 uint32_t vrf_id, uint16_t port) 4154{ 4155 struct sctp_association *asoc; 4156 uint32_t vtag_in; 4157 int num_chunks = 0; /* number of control chunks processed */ 4158 uint32_t chk_length; 4159 int ret; 4160 int abort_no_unlock = 0; 4161 4162 /* 4163 * How big should this be, and should it be alloc'd? Lets try the 4164 * d-mtu-ceiling for now (2k) and that should hopefully work ... 4165 * until we get into jumbo grams and such.. 4166 */ 4167 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 4168 struct sctp_tcb *locked_tcb = stcb; 4169 int got_auth = 0; 4170 uint32_t auth_offset = 0, auth_len = 0; 4171 int auth_skipped = 0; 4172 int asconf_cnt = 0; 4173 4174#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4175 struct socket *so; 4176 4177#endif 4178 4179 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 4180 iphlen, *offset, length, stcb); 4181 4182 /* validate chunk header length... */ 4183 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 4184 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n", 4185 ntohs(ch->chunk_length)); 4186 if (locked_tcb) { 4187 SCTP_TCB_UNLOCK(locked_tcb); 4188 } 4189 return (NULL); 4190 } 4191 /* 4192 * validate the verification tag 4193 */ 4194 vtag_in = ntohl(sh->v_tag); 4195 4196 if (locked_tcb) { 4197 SCTP_TCB_LOCK_ASSERT(locked_tcb); 4198 } 4199 if (ch->chunk_type == SCTP_INITIATION) { 4200 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n", 4201 ntohs(ch->chunk_length), vtag_in); 4202 if (vtag_in != 0) { 4203 /* protocol error- silently discard... */ 4204 SCTP_STAT_INCR(sctps_badvtag); 4205 if (locked_tcb) { 4206 SCTP_TCB_UNLOCK(locked_tcb); 4207 } 4208 return (NULL); 4209 } 4210 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 4211 /* 4212 * If there is no stcb, skip the AUTH chunk and process 4213 * later after a stcb is found (to validate the lookup was 4214 * valid. 4215 */ 4216 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 4217 (stcb == NULL) && 4218 !SCTP_BASE_SYSCTL(sctp_auth_disable)) { 4219 /* save this chunk for later processing */ 4220 auth_skipped = 1; 4221 auth_offset = *offset; 4222 auth_len = ntohs(ch->chunk_length); 4223 4224 /* (temporarily) move past this chunk */ 4225 *offset += SCTP_SIZE32(auth_len); 4226 if (*offset >= length) { 4227 /* no more data left in the mbuf chain */ 4228 *offset = length; 4229 if (locked_tcb) { 4230 SCTP_TCB_UNLOCK(locked_tcb); 4231 } 4232 return (NULL); 4233 } 4234 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4235 sizeof(struct sctp_chunkhdr), chunk_buf); 4236 } 4237 if (ch == NULL) { 4238 /* Help */ 4239 *offset = length; 4240 if (locked_tcb) { 4241 SCTP_TCB_UNLOCK(locked_tcb); 4242 } 4243 return (NULL); 4244 } 4245 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 4246 goto process_control_chunks; 4247 } 4248 /* 4249 * first check if it's an ASCONF with an unknown src addr we 4250 * need to look inside to find the association 4251 */ 4252 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 4253 struct sctp_chunkhdr *asconf_ch = ch; 4254 uint32_t asconf_offset = 0, asconf_len = 0; 4255 4256 /* inp's refcount may be reduced */ 4257 SCTP_INP_INCR_REF(inp); 4258 4259 asconf_offset = *offset; 4260 do { 4261 asconf_len = ntohs(asconf_ch->chunk_length); 4262 if (asconf_len < sizeof(struct sctp_asconf_paramhdr)) 4263 break; 4264 stcb = sctp_findassociation_ep_asconf(m, iphlen, 4265 *offset, sh, &inp, netp, vrf_id); 4266 if (stcb != NULL) 4267 break; 4268 asconf_offset += SCTP_SIZE32(asconf_len); 4269 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset, 4270 sizeof(struct sctp_chunkhdr), chunk_buf); 4271 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF); 4272 if (stcb == NULL) { 4273 /* 4274 * reduce inp's refcount if not reduced in 4275 * sctp_findassociation_ep_asconf(). 4276 */ 4277 SCTP_INP_DECR_REF(inp); 4278 } else { 4279 locked_tcb = stcb; 4280 } 4281 4282 /* now go back and verify any auth chunk to be sure */ 4283 if (auth_skipped && (stcb != NULL)) { 4284 struct sctp_auth_chunk *auth; 4285 4286 auth = (struct sctp_auth_chunk *) 4287 sctp_m_getptr(m, auth_offset, 4288 auth_len, chunk_buf); 4289 got_auth = 1; 4290 auth_skipped = 0; 4291 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, 4292 auth_offset)) { 4293 /* auth HMAC failed so dump it */ 4294 *offset = length; 4295 if (locked_tcb) { 4296 SCTP_TCB_UNLOCK(locked_tcb); 4297 } 4298 return (NULL); 4299 } else { 4300 /* remaining chunks are HMAC checked */ 4301 stcb->asoc.authenticated = 1; 4302 } 4303 } 4304 } 4305 if (stcb == NULL) { 4306 /* no association, so it's out of the blue... */ 4307 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL, 4308 vrf_id, port); 4309 *offset = length; 4310 if (locked_tcb) { 4311 SCTP_TCB_UNLOCK(locked_tcb); 4312 } 4313 return (NULL); 4314 } 4315 asoc = &stcb->asoc; 4316 /* ABORT and SHUTDOWN can use either v_tag... */ 4317 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 4318 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 4319 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 4320 if ((vtag_in == asoc->my_vtag) || 4321 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 4322 (vtag_in == asoc->peer_vtag))) { 4323 /* this is valid */ 4324 } else { 4325 /* drop this packet... */ 4326 SCTP_STAT_INCR(sctps_badvtag); 4327 if (locked_tcb) { 4328 SCTP_TCB_UNLOCK(locked_tcb); 4329 } 4330 return (NULL); 4331 } 4332 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4333 if (vtag_in != asoc->my_vtag) { 4334 /* 4335 * this could be a stale SHUTDOWN-ACK or the 4336 * peer never got the SHUTDOWN-COMPLETE and 4337 * is still hung; we have started a new asoc 4338 * but it won't complete until the shutdown 4339 * is completed 4340 */ 4341 if (locked_tcb) { 4342 SCTP_TCB_UNLOCK(locked_tcb); 4343 } 4344 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 4345 NULL, vrf_id, port); 4346 return (NULL); 4347 } 4348 } else { 4349 /* for all other chunks, vtag must match */ 4350 if (vtag_in != asoc->my_vtag) { 4351 /* invalid vtag... */ 4352 SCTPDBG(SCTP_DEBUG_INPUT3, 4353 "invalid vtag: %xh, expect %xh\n", 4354 vtag_in, asoc->my_vtag); 4355 SCTP_STAT_INCR(sctps_badvtag); 4356 if (locked_tcb) { 4357 SCTP_TCB_UNLOCK(locked_tcb); 4358 } 4359 *offset = length; 4360 return (NULL); 4361 } 4362 } 4363 } /* end if !SCTP_COOKIE_ECHO */ 4364 /* 4365 * process all control chunks... 4366 */ 4367 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 4368 /* EY */ 4369 (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) || 4370 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 4371 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 4372 /* implied cookie-ack.. we must have lost the ack */ 4373 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4374 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4375 stcb->asoc.overall_error_count, 4376 0, 4377 SCTP_FROM_SCTP_INPUT, 4378 __LINE__); 4379 } 4380 stcb->asoc.overall_error_count = 0; 4381 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 4382 *netp); 4383 } 4384process_control_chunks: 4385 while (IS_SCTP_CONTROL(ch)) { 4386 /* validate chunk length */ 4387 chk_length = ntohs(ch->chunk_length); 4388 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n", 4389 ch->chunk_type, chk_length); 4390 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length); 4391 if (chk_length < sizeof(*ch) || 4392 (*offset + (int)chk_length) > length) { 4393 *offset = length; 4394 if (locked_tcb) { 4395 SCTP_TCB_UNLOCK(locked_tcb); 4396 } 4397 return (NULL); 4398 } 4399 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 4400 /* 4401 * INIT-ACK only gets the init ack "header" portion only 4402 * because we don't have to process the peer's COOKIE. All 4403 * others get a complete chunk. 4404 */ 4405 if ((ch->chunk_type == SCTP_INITIATION_ACK) || 4406 (ch->chunk_type == SCTP_INITIATION)) { 4407 /* get an init-ack chunk */ 4408 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4409 sizeof(struct sctp_init_ack_chunk), chunk_buf); 4410 if (ch == NULL) { 4411 *offset = length; 4412 if (locked_tcb) { 4413 SCTP_TCB_UNLOCK(locked_tcb); 4414 } 4415 return (NULL); 4416 } 4417 } else { 4418 /* For cookies and all other chunks. */ 4419 if (chk_length > sizeof(chunk_buf)) { 4420 /* 4421 * use just the size of the chunk buffer so 4422 * the front part of our chunks fit in 4423 * contiguous space up to the chunk buffer 4424 * size (508 bytes). For chunks that need to 4425 * get more than that they must use the 4426 * sctp_m_getptr() function or other means 4427 * (e.g. know how to parse mbuf chains). 4428 * Cookies do this already. 4429 */ 4430 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4431 (sizeof(chunk_buf) - 4), 4432 chunk_buf); 4433 if (ch == NULL) { 4434 *offset = length; 4435 if (locked_tcb) { 4436 SCTP_TCB_UNLOCK(locked_tcb); 4437 } 4438 return (NULL); 4439 } 4440 } else { 4441 /* We can fit it all */ 4442 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4443 chk_length, chunk_buf); 4444 if (ch == NULL) { 4445 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n"); 4446 *offset = length; 4447 if (locked_tcb) { 4448 SCTP_TCB_UNLOCK(locked_tcb); 4449 } 4450 return (NULL); 4451 } 4452 } 4453 } 4454 num_chunks++; 4455 /* Save off the last place we got a control from */ 4456 if (stcb != NULL) { 4457 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) { 4458 /* 4459 * allow last_control to be NULL if 4460 * ASCONF... ASCONF processing will find the 4461 * right net later 4462 */ 4463 if ((netp != NULL) && (*netp != NULL)) 4464 stcb->asoc.last_control_chunk_from = *netp; 4465 } 4466 } 4467#ifdef SCTP_AUDITING_ENABLED 4468 sctp_audit_log(0xB0, ch->chunk_type); 4469#endif 4470 4471 /* check to see if this chunk required auth, but isn't */ 4472 if ((stcb != NULL) && 4473 !SCTP_BASE_SYSCTL(sctp_auth_disable) && 4474 sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) && 4475 !stcb->asoc.authenticated) { 4476 /* "silently" ignore */ 4477 SCTP_STAT_INCR(sctps_recvauthmissing); 4478 goto next_chunk; 4479 } 4480 switch (ch->chunk_type) { 4481 case SCTP_INITIATION: 4482 /* must be first and only chunk */ 4483 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n"); 4484 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4485 /* We are not interested anymore? */ 4486 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4487 /* 4488 * collision case where we are 4489 * sending to them too 4490 */ 4491 ; 4492 } else { 4493 if (locked_tcb) { 4494 SCTP_TCB_UNLOCK(locked_tcb); 4495 } 4496 *offset = length; 4497 return (NULL); 4498 } 4499 } 4500 if ((chk_length > SCTP_LARGEST_INIT_ACCEPTED) || 4501 (num_chunks > 1) || 4502 (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 4503 *offset = length; 4504 if (locked_tcb) { 4505 SCTP_TCB_UNLOCK(locked_tcb); 4506 } 4507 return (NULL); 4508 } 4509 if ((stcb != NULL) && 4510 (SCTP_GET_STATE(&stcb->asoc) == 4511 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 4512 sctp_send_shutdown_ack(stcb, 4513 stcb->asoc.primary_destination); 4514 *offset = length; 4515 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 4516 if (locked_tcb) { 4517 SCTP_TCB_UNLOCK(locked_tcb); 4518 } 4519 return (NULL); 4520 } 4521 if (netp) { 4522 sctp_handle_init(m, iphlen, *offset, sh, 4523 (struct sctp_init_chunk *)ch, inp, 4524 stcb, *netp, &abort_no_unlock, vrf_id, port); 4525 } 4526 if (abort_no_unlock) 4527 return (NULL); 4528 4529 *offset = length; 4530 if (locked_tcb) { 4531 SCTP_TCB_UNLOCK(locked_tcb); 4532 } 4533 return (NULL); 4534 break; 4535 case SCTP_PAD_CHUNK: 4536 break; 4537 case SCTP_INITIATION_ACK: 4538 /* must be first and only chunk */ 4539 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n"); 4540 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4541 /* We are not interested anymore */ 4542 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4543 ; 4544 } else { 4545 if (locked_tcb != stcb) { 4546 /* Very unlikely */ 4547 SCTP_TCB_UNLOCK(locked_tcb); 4548 } 4549 *offset = length; 4550 if (stcb) { 4551#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4552 so = SCTP_INP_SO(inp); 4553 atomic_add_int(&stcb->asoc.refcnt, 1); 4554 SCTP_TCB_UNLOCK(stcb); 4555 SCTP_SOCKET_LOCK(so, 1); 4556 SCTP_TCB_LOCK(stcb); 4557 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4558#endif 4559 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4560#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4561 SCTP_SOCKET_UNLOCK(so, 1); 4562#endif 4563 } 4564 return (NULL); 4565 } 4566 } 4567 if ((num_chunks > 1) || 4568 (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 4569 *offset = length; 4570 if (locked_tcb) { 4571 SCTP_TCB_UNLOCK(locked_tcb); 4572 } 4573 return (NULL); 4574 } 4575 if ((netp) && (*netp)) { 4576 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 4577 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id); 4578 } else { 4579 ret = -1; 4580 } 4581 /* 4582 * Special case, I must call the output routine to 4583 * get the cookie echoed 4584 */ 4585 if (abort_no_unlock) 4586 return (NULL); 4587 4588 if ((stcb) && ret == 0) 4589 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 4590 *offset = length; 4591 if (locked_tcb) { 4592 SCTP_TCB_UNLOCK(locked_tcb); 4593 } 4594 return (NULL); 4595 break; 4596 case SCTP_SELECTIVE_ACK: 4597 { 4598 struct sctp_sack_chunk *sack; 4599 int abort_now = 0; 4600 uint32_t a_rwnd, cum_ack; 4601 uint16_t num_seg, num_dup; 4602 uint8_t flags; 4603 int offset_seg, offset_dup; 4604 int nonce_sum_flag; 4605 4606 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n"); 4607 SCTP_STAT_INCR(sctps_recvsacks); 4608 if (stcb == NULL) { 4609 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing SACK chunk\n"); 4610 break; 4611 } 4612 if (chk_length < sizeof(struct sctp_sack_chunk)) { 4613 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on SACK chunk, too small\n"); 4614 break; 4615 } 4616 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 4617 /*- 4618 * If we have sent a shutdown-ack, we will pay no 4619 * attention to a sack sent in to us since 4620 * we don't care anymore. 4621 */ 4622 break; 4623 } 4624 sack = (struct sctp_sack_chunk *)ch; 4625 flags = ch->chunk_flags; 4626 nonce_sum_flag = flags & SCTP_SACK_NONCE_SUM; 4627 cum_ack = ntohl(sack->sack.cum_tsn_ack); 4628 num_seg = ntohs(sack->sack.num_gap_ack_blks); 4629 num_dup = ntohs(sack->sack.num_dup_tsns); 4630 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 4631 if (sizeof(struct sctp_sack_chunk) + 4632 num_seg * sizeof(struct sctp_gap_ack_block) + 4633 num_dup * sizeof(uint32_t) != chk_length) { 4634 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of SACK chunk\n"); 4635 break; 4636 } 4637 offset_seg = *offset + sizeof(struct sctp_sack_chunk); 4638 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block); 4639 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n", 4640 cum_ack, num_seg, a_rwnd); 4641 stcb->asoc.seen_a_sack_this_pkt = 1; 4642 if ((stcb->asoc.pr_sctp_cnt == 0) && 4643 (num_seg == 0) && 4644 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 4645 (cum_ack == stcb->asoc.last_acked_seq)) && 4646 (stcb->asoc.saw_sack_with_frags == 0) && 4647 (stcb->asoc.saw_sack_with_nr_frags == 0) && 4648 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 4649 ) { 4650 /* 4651 * We have a SIMPLE sack having no 4652 * prior segments and data on sent 4653 * queue to be acked.. Use the 4654 * faster path sack processing. We 4655 * also allow window update sacks 4656 * with no missing segments to go 4657 * this way too. 4658 */ 4659 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, 4660 &abort_now); 4661 } else { 4662 if (netp && *netp) 4663 sctp_handle_sack(m, offset_seg, offset_dup, 4664 stcb, *netp, 4665 num_seg, 0, num_dup, &abort_now, flags, 4666 cum_ack, a_rwnd); 4667 } 4668 if (abort_now) { 4669 /* ABORT signal from sack processing */ 4670 *offset = length; 4671 return (NULL); 4672 } 4673 if (TAILQ_EMPTY(&stcb->asoc.send_queue) && 4674 TAILQ_EMPTY(&stcb->asoc.sent_queue) && 4675 (stcb->asoc.stream_queue_cnt == 0)) { 4676 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 4677 } 4678 } 4679 break; 4680 /* 4681 * EY - nr_sack: If the received chunk is an 4682 * nr_sack chunk 4683 */ 4684 case SCTP_NR_SELECTIVE_ACK: 4685 { 4686 struct sctp_nr_sack_chunk *nr_sack; 4687 int abort_now = 0; 4688 uint32_t a_rwnd, cum_ack; 4689 uint16_t num_seg, num_nr_seg, num_dup; 4690 uint8_t flags; 4691 int offset_seg, offset_dup; 4692 int nonce_sum_flag; 4693 4694 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK\n"); 4695 SCTP_STAT_INCR(sctps_recvsacks); 4696 if (stcb == NULL) { 4697 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing NR-SACK chunk\n"); 4698 break; 4699 } 4700 if ((stcb->asoc.sctp_nr_sack_on_off == 0) || 4701 (stcb->asoc.peer_supports_nr_sack == 0)) { 4702 goto unknown_chunk; 4703 } 4704 if (chk_length < sizeof(struct sctp_nr_sack_chunk)) { 4705 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on NR-SACK chunk, too small\n"); 4706 break; 4707 } 4708 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 4709 /*- 4710 * If we have sent a shutdown-ack, we will pay no 4711 * attention to a sack sent in to us since 4712 * we don't care anymore. 4713 */ 4714 break; 4715 } 4716 nr_sack = (struct sctp_nr_sack_chunk *)ch; 4717 flags = ch->chunk_flags; 4718 nonce_sum_flag = flags & SCTP_SACK_NONCE_SUM; 4719 4720 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack); 4721 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks); 4722 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks); 4723 num_dup = ntohs(nr_sack->nr_sack.num_dup_tsns); 4724 a_rwnd = (uint32_t) ntohl(nr_sack->nr_sack.a_rwnd); 4725 if (sizeof(struct sctp_nr_sack_chunk) + 4726 (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block) + 4727 num_dup * sizeof(uint32_t) != chk_length) { 4728 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of NR_SACK chunk\n"); 4729 break; 4730 } 4731 offset_seg = *offset + sizeof(struct sctp_nr_sack_chunk); 4732 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block); 4733 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n", 4734 cum_ack, num_seg, a_rwnd); 4735 stcb->asoc.seen_a_sack_this_pkt = 1; 4736 if ((stcb->asoc.pr_sctp_cnt == 0) && 4737 (num_seg == 0) && (num_nr_seg == 0) && 4738 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 4739 (cum_ack == stcb->asoc.last_acked_seq)) && 4740 (stcb->asoc.saw_sack_with_frags == 0) && 4741 (stcb->asoc.saw_sack_with_nr_frags == 0) && 4742 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))) { 4743 /* 4744 * We have a SIMPLE sack having no 4745 * prior segments and data on sent 4746 * queue to be acked. Use the faster 4747 * path sack processing. We also 4748 * allow window update sacks with no 4749 * missing segments to go this way 4750 * too. 4751 */ 4752 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, 4753 &abort_now); 4754 } else { 4755 if (netp && *netp) 4756 sctp_handle_sack(m, offset_seg, offset_dup, 4757 stcb, *netp, 4758 num_seg, num_nr_seg, num_dup, &abort_now, flags, 4759 cum_ack, a_rwnd); 4760 } 4761 if (abort_now) { 4762 /* ABORT signal from sack processing */ 4763 *offset = length; 4764 return (NULL); 4765 } 4766 if (TAILQ_EMPTY(&stcb->asoc.send_queue) && 4767 TAILQ_EMPTY(&stcb->asoc.sent_queue) && 4768 (stcb->asoc.stream_queue_cnt == 0)) { 4769 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 4770 } 4771 } 4772 break; 4773 4774 case SCTP_HEARTBEAT_REQUEST: 4775 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n"); 4776 if ((stcb) && netp && *netp) { 4777 SCTP_STAT_INCR(sctps_recvheartbeat); 4778 sctp_send_heartbeat_ack(stcb, m, *offset, 4779 chk_length, *netp); 4780 4781 /* He's alive so give him credit */ 4782 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4783 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4784 stcb->asoc.overall_error_count, 4785 0, 4786 SCTP_FROM_SCTP_INPUT, 4787 __LINE__); 4788 } 4789 stcb->asoc.overall_error_count = 0; 4790 } 4791 break; 4792 case SCTP_HEARTBEAT_ACK: 4793 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n"); 4794 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) { 4795 /* Its not ours */ 4796 *offset = length; 4797 if (locked_tcb) { 4798 SCTP_TCB_UNLOCK(locked_tcb); 4799 } 4800 return (NULL); 4801 } 4802 /* He's alive so give him credit */ 4803 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4804 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4805 stcb->asoc.overall_error_count, 4806 0, 4807 SCTP_FROM_SCTP_INPUT, 4808 __LINE__); 4809 } 4810 stcb->asoc.overall_error_count = 0; 4811 SCTP_STAT_INCR(sctps_recvheartbeatack); 4812 if (netp && *netp) 4813 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 4814 stcb, *netp); 4815 break; 4816 case SCTP_ABORT_ASSOCIATION: 4817 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n", 4818 stcb); 4819 if ((stcb) && netp && *netp) 4820 sctp_handle_abort((struct sctp_abort_chunk *)ch, 4821 stcb, *netp); 4822 *offset = length; 4823 return (NULL); 4824 break; 4825 case SCTP_SHUTDOWN: 4826 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n", 4827 stcb); 4828 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) { 4829 *offset = length; 4830 if (locked_tcb) { 4831 SCTP_TCB_UNLOCK(locked_tcb); 4832 } 4833 return (NULL); 4834 } 4835 if (netp && *netp) { 4836 int abort_flag = 0; 4837 4838 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 4839 stcb, *netp, &abort_flag); 4840 if (abort_flag) { 4841 *offset = length; 4842 return (NULL); 4843 } 4844 } 4845 break; 4846 case SCTP_SHUTDOWN_ACK: 4847 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", stcb); 4848 if ((stcb) && (netp) && (*netp)) 4849 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 4850 *offset = length; 4851 return (NULL); 4852 break; 4853 4854 case SCTP_OPERATION_ERROR: 4855 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n"); 4856 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) { 4857 4858 *offset = length; 4859 return (NULL); 4860 } 4861 break; 4862 case SCTP_COOKIE_ECHO: 4863 SCTPDBG(SCTP_DEBUG_INPUT3, 4864 "SCTP_COOKIE-ECHO, stcb %p\n", stcb); 4865 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4866 ; 4867 } else { 4868 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4869 /* We are not interested anymore */ 4870 abend: 4871 if (stcb) { 4872 SCTP_TCB_UNLOCK(stcb); 4873 } 4874 *offset = length; 4875 return (NULL); 4876 } 4877 } 4878 /* 4879 * First are we accepting? We do this again here 4880 * since it is possible that a previous endpoint WAS 4881 * listening responded to a INIT-ACK and then 4882 * closed. We opened and bound.. and are now no 4883 * longer listening. 4884 */ 4885 4886 if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) { 4887 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 4888 (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) { 4889 struct mbuf *oper; 4890 struct sctp_paramhdr *phdr; 4891 4892 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4893 0, M_DONTWAIT, 1, MT_DATA); 4894 if (oper) { 4895 SCTP_BUF_LEN(oper) = 4896 sizeof(struct sctp_paramhdr); 4897 phdr = mtod(oper, 4898 struct sctp_paramhdr *); 4899 phdr->param_type = 4900 htons(SCTP_CAUSE_OUT_OF_RESC); 4901 phdr->param_length = 4902 htons(sizeof(struct sctp_paramhdr)); 4903 } 4904 sctp_abort_association(inp, stcb, m, 4905 iphlen, sh, oper, vrf_id, port); 4906 } 4907 *offset = length; 4908 return (NULL); 4909 } else { 4910 struct mbuf *ret_buf; 4911 struct sctp_inpcb *linp; 4912 4913 if (stcb) { 4914 linp = NULL; 4915 } else { 4916 linp = inp; 4917 } 4918 4919 if (linp) { 4920 SCTP_ASOC_CREATE_LOCK(linp); 4921 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || 4922 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) { 4923 SCTP_ASOC_CREATE_UNLOCK(linp); 4924 goto abend; 4925 } 4926 } 4927 if (netp) { 4928 ret_buf = 4929 sctp_handle_cookie_echo(m, iphlen, 4930 *offset, sh, 4931 (struct sctp_cookie_echo_chunk *)ch, 4932 &inp, &stcb, netp, 4933 auth_skipped, 4934 auth_offset, 4935 auth_len, 4936 &locked_tcb, 4937 vrf_id, 4938 port); 4939 } else { 4940 ret_buf = NULL; 4941 } 4942 if (linp) { 4943 SCTP_ASOC_CREATE_UNLOCK(linp); 4944 } 4945 if (ret_buf == NULL) { 4946 if (locked_tcb) { 4947 SCTP_TCB_UNLOCK(locked_tcb); 4948 } 4949 SCTPDBG(SCTP_DEBUG_INPUT3, 4950 "GAK, null buffer\n"); 4951 auth_skipped = 0; 4952 *offset = length; 4953 return (NULL); 4954 } 4955 /* if AUTH skipped, see if it verified... */ 4956 if (auth_skipped) { 4957 got_auth = 1; 4958 auth_skipped = 0; 4959 } 4960 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4961 /* 4962 * Restart the timer if we have 4963 * pending data 4964 */ 4965 struct sctp_tmit_chunk *chk; 4966 4967 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4968 if (chk) { 4969 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4970 stcb->sctp_ep, stcb, 4971 chk->whoTo); 4972 } 4973 } 4974 } 4975 break; 4976 case SCTP_COOKIE_ACK: 4977 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", stcb); 4978 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) { 4979 if (locked_tcb) { 4980 SCTP_TCB_UNLOCK(locked_tcb); 4981 } 4982 return (NULL); 4983 } 4984 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4985 /* We are not interested anymore */ 4986 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4987 ; 4988 } else if (stcb) { 4989#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4990 so = SCTP_INP_SO(inp); 4991 atomic_add_int(&stcb->asoc.refcnt, 1); 4992 SCTP_TCB_UNLOCK(stcb); 4993 SCTP_SOCKET_LOCK(so, 1); 4994 SCTP_TCB_LOCK(stcb); 4995 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4996#endif 4997 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4998#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4999 SCTP_SOCKET_UNLOCK(so, 1); 5000#endif 5001 *offset = length; 5002 return (NULL); 5003 } 5004 } 5005 /* He's alive so give him credit */ 5006 if ((stcb) && netp && *netp) { 5007 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5008 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5009 stcb->asoc.overall_error_count, 5010 0, 5011 SCTP_FROM_SCTP_INPUT, 5012 __LINE__); 5013 } 5014 stcb->asoc.overall_error_count = 0; 5015 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 5016 } 5017 break; 5018 case SCTP_ECN_ECHO: 5019 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n"); 5020 /* He's alive so give him credit */ 5021 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) { 5022 /* Its not ours */ 5023 if (locked_tcb) { 5024 SCTP_TCB_UNLOCK(locked_tcb); 5025 } 5026 *offset = length; 5027 return (NULL); 5028 } 5029 if (stcb) { 5030 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5031 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5032 stcb->asoc.overall_error_count, 5033 0, 5034 SCTP_FROM_SCTP_INPUT, 5035 __LINE__); 5036 } 5037 stcb->asoc.overall_error_count = 0; 5038 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 5039 stcb); 5040 } 5041 break; 5042 case SCTP_ECN_CWR: 5043 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n"); 5044 /* He's alive so give him credit */ 5045 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) { 5046 /* Its not ours */ 5047 if (locked_tcb) { 5048 SCTP_TCB_UNLOCK(locked_tcb); 5049 } 5050 *offset = length; 5051 return (NULL); 5052 } 5053 if (stcb) { 5054 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5055 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5056 stcb->asoc.overall_error_count, 5057 0, 5058 SCTP_FROM_SCTP_INPUT, 5059 __LINE__); 5060 } 5061 stcb->asoc.overall_error_count = 0; 5062 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 5063 } 5064 break; 5065 case SCTP_SHUTDOWN_COMPLETE: 5066 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", stcb); 5067 /* must be first and only chunk */ 5068 if ((num_chunks > 1) || 5069 (length - *offset > (int)SCTP_SIZE32(chk_length))) { 5070 *offset = length; 5071 if (locked_tcb) { 5072 SCTP_TCB_UNLOCK(locked_tcb); 5073 } 5074 return (NULL); 5075 } 5076 if ((stcb) && netp && *netp) { 5077 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 5078 stcb, *netp); 5079 } 5080 *offset = length; 5081 return (NULL); 5082 break; 5083 case SCTP_ASCONF: 5084 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n"); 5085 /* He's alive so give him credit */ 5086 if (stcb) { 5087 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5088 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5089 stcb->asoc.overall_error_count, 5090 0, 5091 SCTP_FROM_SCTP_INPUT, 5092 __LINE__); 5093 } 5094 stcb->asoc.overall_error_count = 0; 5095 sctp_handle_asconf(m, *offset, 5096 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0); 5097 asconf_cnt++; 5098 } 5099 break; 5100 case SCTP_ASCONF_ACK: 5101 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n"); 5102 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) { 5103 /* Its not ours */ 5104 if (locked_tcb) { 5105 SCTP_TCB_UNLOCK(locked_tcb); 5106 } 5107 *offset = length; 5108 return (NULL); 5109 } 5110 if ((stcb) && netp && *netp) { 5111 /* He's alive so give him credit */ 5112 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5113 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5114 stcb->asoc.overall_error_count, 5115 0, 5116 SCTP_FROM_SCTP_INPUT, 5117 __LINE__); 5118 } 5119 stcb->asoc.overall_error_count = 0; 5120 sctp_handle_asconf_ack(m, *offset, 5121 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock); 5122 if (abort_no_unlock) 5123 return (NULL); 5124 } 5125 break; 5126 case SCTP_FORWARD_CUM_TSN: 5127 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n"); 5128 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) { 5129 /* Its not ours */ 5130 if (locked_tcb) { 5131 SCTP_TCB_UNLOCK(locked_tcb); 5132 } 5133 *offset = length; 5134 return (NULL); 5135 } 5136 /* He's alive so give him credit */ 5137 if (stcb) { 5138 int abort_flag = 0; 5139 5140 stcb->asoc.overall_error_count = 0; 5141 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5142 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5143 stcb->asoc.overall_error_count, 5144 0, 5145 SCTP_FROM_SCTP_INPUT, 5146 __LINE__); 5147 } 5148 *fwd_tsn_seen = 1; 5149 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 5150 /* We are not interested anymore */ 5151#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5152 so = SCTP_INP_SO(inp); 5153 atomic_add_int(&stcb->asoc.refcnt, 1); 5154 SCTP_TCB_UNLOCK(stcb); 5155 SCTP_SOCKET_LOCK(so, 1); 5156 SCTP_TCB_LOCK(stcb); 5157 atomic_subtract_int(&stcb->asoc.refcnt, 1); 5158#endif 5159 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 5160#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5161 SCTP_SOCKET_UNLOCK(so, 1); 5162#endif 5163 *offset = length; 5164 return (NULL); 5165 } 5166 sctp_handle_forward_tsn(stcb, 5167 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset); 5168 if (abort_flag) { 5169 *offset = length; 5170 return (NULL); 5171 } else { 5172 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5173 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5174 stcb->asoc.overall_error_count, 5175 0, 5176 SCTP_FROM_SCTP_INPUT, 5177 __LINE__); 5178 } 5179 stcb->asoc.overall_error_count = 0; 5180 } 5181 5182 } 5183 break; 5184 case SCTP_STREAM_RESET: 5185 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n"); 5186 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) { 5187 /* Its not ours */ 5188 if (locked_tcb) { 5189 SCTP_TCB_UNLOCK(locked_tcb); 5190 } 5191 *offset = length; 5192 return (NULL); 5193 } 5194 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 5195 /* We are not interested anymore */ 5196#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5197 so = SCTP_INP_SO(inp); 5198 atomic_add_int(&stcb->asoc.refcnt, 1); 5199 SCTP_TCB_UNLOCK(stcb); 5200 SCTP_SOCKET_LOCK(so, 1); 5201 SCTP_TCB_LOCK(stcb); 5202 atomic_subtract_int(&stcb->asoc.refcnt, 1); 5203#endif 5204 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_30); 5205#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5206 SCTP_SOCKET_UNLOCK(so, 1); 5207#endif 5208 *offset = length; 5209 return (NULL); 5210 } 5211 if (stcb->asoc.peer_supports_strreset == 0) { 5212 /* 5213 * hmm, peer should have announced this, but 5214 * we will turn it on since he is sending us 5215 * a stream reset. 5216 */ 5217 stcb->asoc.peer_supports_strreset = 1; 5218 } 5219 if (sctp_handle_stream_reset(stcb, m, *offset, (struct sctp_stream_reset_out_req *)ch)) { 5220 /* stop processing */ 5221 *offset = length; 5222 return (NULL); 5223 } 5224 break; 5225 case SCTP_PACKET_DROPPED: 5226 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n"); 5227 /* re-get it all please */ 5228 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) { 5229 /* Its not ours */ 5230 if (locked_tcb) { 5231 SCTP_TCB_UNLOCK(locked_tcb); 5232 } 5233 *offset = length; 5234 return (NULL); 5235 } 5236 if (ch && (stcb) && netp && (*netp)) { 5237 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 5238 stcb, *netp, 5239 min(chk_length, (sizeof(chunk_buf) - 4))); 5240 5241 } 5242 break; 5243 5244 case SCTP_AUTHENTICATION: 5245 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n"); 5246 if (SCTP_BASE_SYSCTL(sctp_auth_disable)) 5247 goto unknown_chunk; 5248 5249 if (stcb == NULL) { 5250 /* save the first AUTH for later processing */ 5251 if (auth_skipped == 0) { 5252 auth_offset = *offset; 5253 auth_len = chk_length; 5254 auth_skipped = 1; 5255 } 5256 /* skip this chunk (temporarily) */ 5257 goto next_chunk; 5258 } 5259 if ((chk_length < (sizeof(struct sctp_auth_chunk))) || 5260 (chk_length > (sizeof(struct sctp_auth_chunk) + 5261 SCTP_AUTH_DIGEST_LEN_MAX))) { 5262 /* Its not ours */ 5263 if (locked_tcb) { 5264 SCTP_TCB_UNLOCK(locked_tcb); 5265 } 5266 *offset = length; 5267 return (NULL); 5268 } 5269 if (got_auth == 1) { 5270 /* skip this chunk... it's already auth'd */ 5271 goto next_chunk; 5272 } 5273 got_auth = 1; 5274 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 5275 m, *offset)) { 5276 /* auth HMAC failed so dump the packet */ 5277 *offset = length; 5278 return (stcb); 5279 } else { 5280 /* remaining chunks are HMAC checked */ 5281 stcb->asoc.authenticated = 1; 5282 } 5283 break; 5284 5285 default: 5286 unknown_chunk: 5287 /* it's an unknown chunk! */ 5288 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 5289 struct mbuf *mm; 5290 struct sctp_paramhdr *phd; 5291 5292 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 5293 0, M_DONTWAIT, 1, MT_DATA); 5294 if (mm) { 5295 phd = mtod(mm, struct sctp_paramhdr *); 5296 /* 5297 * We cheat and use param type since 5298 * we did not bother to define a 5299 * error cause struct. They are the 5300 * same basic format with different 5301 * names. 5302 */ 5303 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 5304 phd->param_length = htons(chk_length + sizeof(*phd)); 5305 SCTP_BUF_LEN(mm) = sizeof(*phd); 5306 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 5307 M_DONTWAIT); 5308 if (SCTP_BUF_NEXT(mm)) { 5309#ifdef SCTP_MBUF_LOGGING 5310 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 5311 struct mbuf *mat; 5312 5313 mat = SCTP_BUF_NEXT(mm); 5314 while (mat) { 5315 if (SCTP_BUF_IS_EXTENDED(mat)) { 5316 sctp_log_mb(mat, SCTP_MBUF_ICOPY); 5317 } 5318 mat = SCTP_BUF_NEXT(mat); 5319 } 5320 } 5321#endif 5322 sctp_queue_op_err(stcb, mm); 5323 } else { 5324 sctp_m_freem(mm); 5325 } 5326 } 5327 } 5328 if ((ch->chunk_type & 0x80) == 0) { 5329 /* discard this packet */ 5330 *offset = length; 5331 return (stcb); 5332 } /* else skip this bad chunk and continue... */ 5333 break; 5334 } /* switch (ch->chunk_type) */ 5335 5336 5337next_chunk: 5338 /* get the next chunk */ 5339 *offset += SCTP_SIZE32(chk_length); 5340 if (*offset >= length) { 5341 /* no more data left in the mbuf chain */ 5342 break; 5343 } 5344 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 5345 sizeof(struct sctp_chunkhdr), chunk_buf); 5346 if (ch == NULL) { 5347 if (locked_tcb) { 5348 SCTP_TCB_UNLOCK(locked_tcb); 5349 } 5350 *offset = length; 5351 return (NULL); 5352 } 5353 } /* while */ 5354 5355 if (asconf_cnt > 0 && stcb != NULL) { 5356 sctp_send_asconf_ack(stcb); 5357 } 5358 return (stcb); 5359} 5360 5361 5362/* 5363 * Process the ECN bits we have something set so we must look to see if it is 5364 * ECN(0) or ECN(1) or CE 5365 */ 5366static void 5367sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 5368 uint8_t ecn_bits) 5369{ 5370 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 5371 ; 5372 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 5373 /* 5374 * we only add to the nonce sum for ECT1, ECT0 does not 5375 * change the NS bit (that we have yet to find a way to send 5376 * it yet). 5377 */ 5378 5379 /* ECN Nonce stuff */ 5380 stcb->asoc.receiver_nonce_sum++; 5381 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 5382 5383 /* 5384 * Drag up the last_echo point if cumack is larger since we 5385 * don't want the point falling way behind by more than 5386 * 2^^31 and then having it be incorrect. 5387 */ 5388 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 5389 stcb->asoc.last_echo_tsn, MAX_TSN)) { 5390 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 5391 } 5392 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 5393 /* 5394 * Drag up the last_echo point if cumack is larger since we 5395 * don't want the point falling way behind by more than 5396 * 2^^31 and then having it be incorrect. 5397 */ 5398 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 5399 stcb->asoc.last_echo_tsn, MAX_TSN)) { 5400 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 5401 } 5402 } 5403} 5404 5405static void 5406sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 5407 uint32_t high_tsn, uint8_t ecn_bits) 5408{ 5409 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 5410 /* 5411 * we possibly must notify the sender that a congestion 5412 * window reduction is in order. We do this by adding a ECNE 5413 * chunk to the output chunk queue. The incoming CWR will 5414 * remove this chunk. 5415 */ 5416 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 5417 MAX_TSN)) { 5418 /* Yep, we need to add a ECNE */ 5419 sctp_send_ecn_echo(stcb, net, high_tsn); 5420 stcb->asoc.last_echo_tsn = high_tsn; 5421 } 5422 } 5423} 5424 5425#ifdef INVARIANTS 5426#ifdef __GNUC__ 5427__attribute__((noinline)) 5428#endif 5429 void 5430 sctp_validate_no_locks(struct sctp_inpcb *inp) 5431{ 5432 struct sctp_tcb *lstcb; 5433 5434 LIST_FOREACH(lstcb, &inp->sctp_asoc_list, sctp_tcblist) { 5435 if (mtx_owned(&lstcb->tcb_mtx)) { 5436 panic("Own lock on stcb at return from input"); 5437 } 5438 } 5439 if (mtx_owned(&inp->inp_create_mtx)) { 5440 panic("Own create lock on inp"); 5441 } 5442 if (mtx_owned(&inp->inp_mtx)) { 5443 panic("Own inp lock on inp"); 5444 } 5445} 5446 5447#endif 5448 5449/* 5450 * common input chunk processing (v4 and v6) 5451 */ 5452void 5453sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 5454 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 5455 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 5456 uint8_t ecn_bits, uint32_t vrf_id, uint16_t port) 5457{ 5458 /* 5459 * Control chunk processing 5460 */ 5461 uint32_t high_tsn; 5462 int fwd_tsn_seen = 0, data_processed = 0; 5463 struct mbuf *m = *mm; 5464 int abort_flag = 0; 5465 int un_sent; 5466 5467 SCTP_STAT_INCR(sctps_recvdatagrams); 5468#ifdef SCTP_AUDITING_ENABLED 5469 sctp_audit_log(0xE0, 1); 5470 sctp_auditing(0, inp, stcb, net); 5471#endif 5472 5473 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n", 5474 m, iphlen, offset, length, stcb); 5475 if (stcb) { 5476 /* always clear this before beginning a packet */ 5477 stcb->asoc.authenticated = 0; 5478 stcb->asoc.seen_a_sack_this_pkt = 0; 5479 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n", 5480 stcb, stcb->asoc.state); 5481 5482 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) || 5483 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) { 5484 /*- 5485 * If we hit here, we had a ref count 5486 * up when the assoc was aborted and the 5487 * timer is clearing out the assoc, we should 5488 * NOT respond to any packet.. its OOTB. 5489 */ 5490 SCTP_TCB_UNLOCK(stcb); 5491 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5492 vrf_id, port); 5493 goto out_now; 5494 } 5495 } 5496 if (IS_SCTP_CONTROL(ch)) { 5497 /* process the control portion of the SCTP packet */ 5498 /* sa_ignore NO_NULL_CHK */ 5499 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 5500 inp, stcb, &net, &fwd_tsn_seen, vrf_id, port); 5501 if (stcb) { 5502 /* 5503 * This covers us if the cookie-echo was there and 5504 * it changes our INP. 5505 */ 5506 inp = stcb->sctp_ep; 5507 if ((net) && (port)) { 5508 if (net->port == 0) { 5509 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr)); 5510 } 5511 net->port = port; 5512 } 5513 } 5514 } else { 5515 /* 5516 * no control chunks, so pre-process DATA chunks (these 5517 * checks are taken care of by control processing) 5518 */ 5519 5520 /* 5521 * if DATA only packet, and auth is required, then punt... 5522 * can't have authenticated without any AUTH (control) 5523 * chunks 5524 */ 5525 if ((stcb != NULL) && 5526 !SCTP_BASE_SYSCTL(sctp_auth_disable) && 5527 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) { 5528 /* "silently" ignore */ 5529 SCTP_STAT_INCR(sctps_recvauthmissing); 5530 SCTP_TCB_UNLOCK(stcb); 5531 goto out_now; 5532 } 5533 if (stcb == NULL) { 5534 /* out of the blue DATA chunk */ 5535 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5536 vrf_id, port); 5537 goto out_now; 5538 } 5539 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 5540 /* v_tag mismatch! */ 5541 SCTP_STAT_INCR(sctps_badvtag); 5542 SCTP_TCB_UNLOCK(stcb); 5543 goto out_now; 5544 } 5545 } 5546 5547 if (stcb == NULL) { 5548 /* 5549 * no valid TCB for this packet, or we found it's a bad 5550 * packet while processing control, or we're done with this 5551 * packet (done or skip rest of data), so we drop it... 5552 */ 5553 goto out_now; 5554 } 5555 /* 5556 * DATA chunk processing 5557 */ 5558 /* plow through the data chunks while length > offset */ 5559 5560 /* 5561 * Rest should be DATA only. Check authentication state if AUTH for 5562 * DATA is required. 5563 */ 5564 if ((length > offset) && 5565 (stcb != NULL) && 5566 !SCTP_BASE_SYSCTL(sctp_auth_disable) && 5567 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) && 5568 !stcb->asoc.authenticated) { 5569 /* "silently" ignore */ 5570 SCTP_STAT_INCR(sctps_recvauthmissing); 5571 SCTPDBG(SCTP_DEBUG_AUTH1, 5572 "Data chunk requires AUTH, skipped\n"); 5573 goto trigger_send; 5574 } 5575 if (length > offset) { 5576 int retval; 5577 5578 /* 5579 * First check to make sure our state is correct. We would 5580 * not get here unless we really did have a tag, so we don't 5581 * abort if this happens, just dump the chunk silently. 5582 */ 5583 switch (SCTP_GET_STATE(&stcb->asoc)) { 5584 case SCTP_STATE_COOKIE_ECHOED: 5585 /* 5586 * we consider data with valid tags in this state 5587 * shows us the cookie-ack was lost. Imply it was 5588 * there. 5589 */ 5590 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5591 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5592 stcb->asoc.overall_error_count, 5593 0, 5594 SCTP_FROM_SCTP_INPUT, 5595 __LINE__); 5596 } 5597 stcb->asoc.overall_error_count = 0; 5598 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 5599 break; 5600 case SCTP_STATE_COOKIE_WAIT: 5601 /* 5602 * We consider OOTB any data sent during asoc setup. 5603 */ 5604 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5605 vrf_id, port); 5606 SCTP_TCB_UNLOCK(stcb); 5607 goto out_now; 5608 /* sa_ignore NOTREACHED */ 5609 break; 5610 case SCTP_STATE_EMPTY: /* should not happen */ 5611 case SCTP_STATE_INUSE: /* should not happen */ 5612 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 5613 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5614 default: 5615 SCTP_TCB_UNLOCK(stcb); 5616 goto out_now; 5617 /* sa_ignore NOTREACHED */ 5618 break; 5619 case SCTP_STATE_OPEN: 5620 case SCTP_STATE_SHUTDOWN_SENT: 5621 break; 5622 } 5623 /* take care of ECN, part 1. */ 5624 if (stcb->asoc.ecn_allowed && 5625 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 5626 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 5627 } 5628 /* plow through the data chunks while length > offset */ 5629 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 5630 inp, stcb, net, &high_tsn); 5631 if (retval == 2) { 5632 /* 5633 * The association aborted, NO UNLOCK needed since 5634 * the association is destroyed. 5635 */ 5636 goto out_now; 5637 } 5638 data_processed = 1; 5639 if (retval == 0) { 5640 /* take care of ecn part 2. */ 5641 if (stcb->asoc.ecn_allowed && 5642 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 5643 sctp_process_ecn_marked_b(stcb, net, high_tsn, 5644 ecn_bits); 5645 } 5646 } 5647 /* 5648 * Anything important needs to have been m_copy'ed in 5649 * process_data 5650 */ 5651 } 5652 if ((data_processed == 0) && (fwd_tsn_seen)) { 5653 int was_a_gap; 5654 uint32_t highest_tsn; 5655 5656 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_nr_map, stcb->asoc.highest_tsn_inside_map, MAX_TSN)) { 5657 highest_tsn = stcb->asoc.highest_tsn_inside_nr_map; 5658 } else { 5659 highest_tsn = stcb->asoc.highest_tsn_inside_map; 5660 } 5661 was_a_gap = compare_with_wrap(highest_tsn, stcb->asoc.cumulative_tsn, MAX_TSN); 5662 stcb->asoc.send_sack = 1; 5663 sctp_sack_check(stcb, was_a_gap, &abort_flag); 5664 if (abort_flag) { 5665 /* Again, we aborted so NO UNLOCK needed */ 5666 goto out_now; 5667 } 5668 } else if (fwd_tsn_seen) { 5669 stcb->asoc.send_sack = 1; 5670 } 5671 /* trigger send of any chunks in queue... */ 5672trigger_send: 5673#ifdef SCTP_AUDITING_ENABLED 5674 sctp_audit_log(0xE0, 2); 5675 sctp_auditing(1, inp, stcb, net); 5676#endif 5677 SCTPDBG(SCTP_DEBUG_INPUT1, 5678 "Check for chunk output prw:%d tqe:%d tf=%d\n", 5679 stcb->asoc.peers_rwnd, 5680 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 5681 stcb->asoc.total_flight); 5682 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 5683 5684 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 5685 ((un_sent) && 5686 (stcb->asoc.peers_rwnd > 0 || 5687 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 5688 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n"); 5689 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 5690 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n"); 5691 } 5692#ifdef SCTP_AUDITING_ENABLED 5693 sctp_audit_log(0xE0, 3); 5694 sctp_auditing(2, inp, stcb, net); 5695#endif 5696 SCTP_TCB_UNLOCK(stcb); 5697out_now: 5698#ifdef INVARIANTS 5699 sctp_validate_no_locks(inp); 5700#endif 5701 return; 5702} 5703 5704#if 0 5705static void 5706sctp_print_mbuf_chain(struct mbuf *m) 5707{ 5708 for (; m; m = SCTP_BUF_NEXT(m)) { 5709 printf("%p: m_len = %ld\n", m, SCTP_BUF_LEN(m)); 5710 if (SCTP_BUF_IS_EXTENDED(m)) 5711 printf("%p: extend_size = %d\n", m, SCTP_BUF_EXTEND_SIZE(m)); 5712 } 5713} 5714 5715#endif 5716 5717void 5718sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port) 5719{ 5720#ifdef SCTP_MBUF_LOGGING 5721 struct mbuf *mat; 5722 5723#endif 5724 struct mbuf *m; 5725 int iphlen; 5726 uint32_t vrf_id = 0; 5727 uint8_t ecn_bits; 5728 struct ip *ip; 5729 struct sctphdr *sh; 5730 struct sctp_inpcb *inp = NULL; 5731 struct sctp_nets *net; 5732 struct sctp_tcb *stcb = NULL; 5733 struct sctp_chunkhdr *ch; 5734 int refcount_up = 0; 5735 int length, mlen, offset; 5736 5737#if !defined(SCTP_WITH_NO_CSUM) 5738 uint32_t check, calc_check; 5739 5740#endif 5741 5742 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) { 5743 SCTP_RELEASE_PKT(i_pak); 5744 return; 5745 } 5746 mlen = SCTP_HEADER_LEN(i_pak); 5747 iphlen = off; 5748 m = SCTP_HEADER_TO_CHAIN(i_pak); 5749 5750 net = NULL; 5751 SCTP_STAT_INCR(sctps_recvpackets); 5752 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 5753 5754 5755#ifdef SCTP_MBUF_LOGGING 5756 /* Log in any input mbufs */ 5757 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 5758 mat = m; 5759 while (mat) { 5760 if (SCTP_BUF_IS_EXTENDED(mat)) { 5761 sctp_log_mb(mat, SCTP_MBUF_INPUT); 5762 } 5763 mat = SCTP_BUF_NEXT(mat); 5764 } 5765 } 5766#endif 5767#ifdef SCTP_PACKET_LOGGING 5768 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) 5769 sctp_packet_log(m, mlen); 5770#endif 5771 /* 5772 * Must take out the iphlen, since mlen expects this (only effect lb 5773 * case) 5774 */ 5775 mlen -= iphlen; 5776 5777 /* 5778 * Get IP, SCTP, and first chunk header together in first mbuf. 5779 */ 5780 ip = mtod(m, struct ip *); 5781 offset = iphlen + sizeof(*sh) + sizeof(*ch); 5782 if (SCTP_BUF_LEN(m) < offset) { 5783 if ((m = m_pullup(m, offset)) == 0) { 5784 SCTP_STAT_INCR(sctps_hdrops); 5785 return; 5786 } 5787 ip = mtod(m, struct ip *); 5788 } 5789 /* validate mbuf chain length with IP payload length */ 5790 if (mlen < (SCTP_GET_IPV4_LENGTH(ip) - iphlen)) { 5791 SCTP_STAT_INCR(sctps_hdrops); 5792 goto bad; 5793 } 5794 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 5795 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 5796 SCTPDBG(SCTP_DEBUG_INPUT1, 5797 "sctp_input() length:%d iphlen:%d\n", mlen, iphlen); 5798 5799 /* SCTP does not allow broadcasts or multicasts */ 5800 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 5801 goto bad; 5802 } 5803 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 5804 /* 5805 * We only look at broadcast if its a front state, All 5806 * others we will not have a tcb for anyway. 5807 */ 5808 goto bad; 5809 } 5810 /* validate SCTP checksum */ 5811 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD, 5812 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%x.\n", 5813 m->m_pkthdr.len, 5814 if_name(m->m_pkthdr.rcvif), 5815 m->m_pkthdr.csum_flags); 5816#if defined(SCTP_WITH_NO_CSUM) 5817 SCTP_STAT_INCR(sctps_recvnocrc); 5818#else 5819 if (m->m_pkthdr.csum_flags & CSUM_SCTP_VALID) { 5820 SCTP_STAT_INCR(sctps_recvhwcrc); 5821 goto sctp_skip_csum_4; 5822 } 5823 check = sh->checksum; /* save incoming checksum */ 5824 sh->checksum = 0; /* prepare for calc */ 5825 calc_check = sctp_calculate_cksum(m, iphlen); 5826 sh->checksum = check; 5827 SCTP_STAT_INCR(sctps_recvswcrc); 5828 if (calc_check != check) { 5829 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 5830 calc_check, check, m, mlen, iphlen); 5831 5832 stcb = sctp_findassociation_addr(m, iphlen, 5833 offset - sizeof(*ch), 5834 sh, ch, &inp, &net, 5835 vrf_id); 5836 if ((net) && (port)) { 5837 if (net->port == 0) { 5838 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr)); 5839 } 5840 net->port = port; 5841 } 5842 if ((inp) && (stcb)) { 5843 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 5844 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED); 5845 } else if ((inp != NULL) && (stcb == NULL)) { 5846 refcount_up = 1; 5847 } 5848 SCTP_STAT_INCR(sctps_badsum); 5849 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 5850 goto bad; 5851 } 5852sctp_skip_csum_4: 5853#endif 5854 /* destination port of 0 is illegal, based on RFC2960. */ 5855 if (sh->dest_port == 0) { 5856 SCTP_STAT_INCR(sctps_hdrops); 5857 goto bad; 5858 } 5859 /* 5860 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 5861 * IP/SCTP/first chunk header... 5862 */ 5863 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 5864 sh, ch, &inp, &net, vrf_id); 5865 if ((net) && (port)) { 5866 if (net->port == 0) { 5867 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr)); 5868 } 5869 net->port = port; 5870 } 5871 /* inp's ref-count increased && stcb locked */ 5872 if (inp == NULL) { 5873 struct sctp_init_chunk *init_chk, chunk_buf; 5874 5875 SCTP_STAT_INCR(sctps_noport); 5876#ifdef ICMP_BANDLIM 5877 /* 5878 * we use the bandwidth limiting to protect against sending 5879 * too many ABORTS all at once. In this case these count the 5880 * same as an ICMP message. 5881 */ 5882 if (badport_bandlim(0) < 0) 5883 goto bad; 5884#endif /* ICMP_BANDLIM */ 5885 SCTPDBG(SCTP_DEBUG_INPUT1, 5886 "Sending a ABORT from packet entry!\n"); 5887 if (ch->chunk_type == SCTP_INITIATION) { 5888 /* 5889 * we do a trick here to get the INIT tag, dig in 5890 * and get the tag from the INIT and put it in the 5891 * common header. 5892 */ 5893 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 5894 iphlen + sizeof(*sh), sizeof(*init_chk), 5895 (uint8_t *) & chunk_buf); 5896 if (init_chk != NULL) 5897 sh->v_tag = init_chk->init.initiate_tag; 5898 } 5899 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 5900 sctp_send_shutdown_complete2(m, iphlen, sh, vrf_id, port); 5901 goto bad; 5902 } 5903 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 5904 goto bad; 5905 } 5906 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 5907 sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id, port); 5908 goto bad; 5909 } else if (stcb == NULL) { 5910 refcount_up = 1; 5911 } 5912#ifdef IPSEC 5913 /* 5914 * I very much doubt any of the IPSEC stuff will work but I have no 5915 * idea, so I will leave it in place. 5916 */ 5917 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 5918 MODULE_GLOBAL(ipsec4stat).in_polvio++; 5919 SCTP_STAT_INCR(sctps_hdrops); 5920 goto bad; 5921 } 5922#endif /* IPSEC */ 5923 5924 /* 5925 * common chunk processing 5926 */ 5927 length = ip->ip_len + iphlen; 5928 offset -= sizeof(struct sctp_chunkhdr); 5929 5930 ecn_bits = ip->ip_tos; 5931 5932 /* sa_ignore NO_NULL_CHK */ 5933 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 5934 inp, stcb, net, ecn_bits, vrf_id, port); 5935 /* inp's ref-count reduced && stcb unlocked */ 5936 if (m) { 5937 sctp_m_freem(m); 5938 } 5939 if ((inp) && (refcount_up)) { 5940 /* reduce ref-count */ 5941 SCTP_INP_DECR_REF(inp); 5942 } 5943 return; 5944bad: 5945 if (stcb) { 5946 SCTP_TCB_UNLOCK(stcb); 5947 } 5948 if ((inp) && (refcount_up)) { 5949 /* reduce ref-count */ 5950 SCTP_INP_DECR_REF(inp); 5951 } 5952 if (m) { 5953 sctp_m_freem(m); 5954 } 5955 return; 5956} 5957void 5958sctp_input(i_pak, off) 5959 struct mbuf *i_pak; 5960 int off; 5961{ 5962 sctp_input_with_port(i_pak, off, 0); 5963} 5964