sctp_input.c revision 218186
1/*- 2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 218186 2011-02-02 11:13:23Z rrs $"); 35 36#include <netinet/sctp_os.h> 37#include <netinet/sctp_var.h> 38#include <netinet/sctp_sysctl.h> 39#include <netinet/sctp_pcb.h> 40#include <netinet/sctp_header.h> 41#include <netinet/sctputil.h> 42#include <netinet/sctp_output.h> 43#include <netinet/sctp_input.h> 44#include <netinet/sctp_auth.h> 45#include <netinet/sctp_indata.h> 46#include <netinet/sctp_asconf.h> 47#include <netinet/sctp_bsd_addr.h> 48#include <netinet/sctp_timer.h> 49#include <netinet/sctp_crc32.h> 50#include <netinet/udp.h> 51 52 53 54static void 55sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 56{ 57 struct sctp_nets *net; 58 59 /* 60 * This now not only stops all cookie timers it also stops any INIT 61 * timers as well. This will make sure that the timers are stopped 62 * in all collision cases. 63 */ 64 SCTP_TCB_LOCK_ASSERT(stcb); 65 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 66 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 67 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 68 stcb->sctp_ep, 69 stcb, 70 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 71 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 72 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 73 stcb->sctp_ep, 74 stcb, 75 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 76 } 77 } 78} 79 80/* INIT handler */ 81static void 82sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 83 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 84 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id, uint16_t port) 85{ 86 struct sctp_init *init; 87 struct mbuf *op_err; 88 uint32_t init_limit; 89 90 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n", 91 stcb); 92 if (stcb == NULL) { 93 SCTP_INP_RLOCK(inp); 94 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 95 goto outnow; 96 } 97 } 98 op_err = NULL; 99 init = &cp->init; 100 /* First are we accepting? */ 101 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 102 SCTPDBG(SCTP_DEBUG_INPUT2, 103 "sctp_handle_init: Abort, so_qlimit:%d\n", 104 inp->sctp_socket->so_qlimit); 105 /* 106 * FIX ME ?? What about TCP model and we have a 107 * match/restart case? Actually no fix is needed. the lookup 108 * will always find the existing assoc so stcb would not be 109 * NULL. It may be questionable to do this since we COULD 110 * just send back the INIT-ACK and hope that the app did 111 * accept()'s by the time the COOKIE was sent. But there is 112 * a price to pay for COOKIE generation and I don't want to 113 * pay it on the chance that the app will actually do some 114 * accepts(). The App just looses and should NOT be in this 115 * state :-) 116 */ 117 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 118 vrf_id, port); 119 if (stcb) 120 *abort_no_unlock = 1; 121 goto outnow; 122 } 123 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 124 /* Invalid length */ 125 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 126 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 127 vrf_id, port); 128 if (stcb) 129 *abort_no_unlock = 1; 130 goto outnow; 131 } 132 /* validate parameters */ 133 if (init->initiate_tag == 0) { 134 /* protocol error... send abort */ 135 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 136 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 137 vrf_id, port); 138 if (stcb) 139 *abort_no_unlock = 1; 140 goto outnow; 141 } 142 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 143 /* invalid parameter... send abort */ 144 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 145 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 146 vrf_id, port); 147 if (stcb) 148 *abort_no_unlock = 1; 149 goto outnow; 150 } 151 if (init->num_inbound_streams == 0) { 152 /* protocol error... send abort */ 153 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 154 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 155 vrf_id, port); 156 if (stcb) 157 *abort_no_unlock = 1; 158 goto outnow; 159 } 160 if (init->num_outbound_streams == 0) { 161 /* protocol error... send abort */ 162 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 163 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 164 vrf_id, port); 165 if (stcb) 166 *abort_no_unlock = 1; 167 goto outnow; 168 } 169 init_limit = offset + ntohs(cp->ch.chunk_length); 170 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 171 init_limit)) { 172 /* auth parameter(s) error... send abort */ 173 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id, port); 174 if (stcb) 175 *abort_no_unlock = 1; 176 goto outnow; 177 } 178 /* send an INIT-ACK w/cookie */ 179 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n"); 180 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id, port, 181 ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED)); 182outnow: 183 if (stcb == NULL) { 184 SCTP_INP_RUNLOCK(inp); 185 } 186} 187 188/* 189 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 190 */ 191 192int 193sctp_is_there_unsent_data(struct sctp_tcb *stcb) 194{ 195 int unsent_data = 0; 196 unsigned int i; 197 struct sctp_stream_queue_pending *sp; 198 struct sctp_association *asoc; 199 200 /* 201 * This function returns the number of streams that have true unsent 202 * data on them. Note that as it looks through it will clean up any 203 * places that have old data that has been sent but left at top of 204 * stream queue. 205 */ 206 asoc = &stcb->asoc; 207 SCTP_TCB_SEND_LOCK(stcb); 208 if (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) { 209 /* Check to see if some data queued */ 210 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 211 /* sa_ignore FREED_MEMORY */ 212 sp = TAILQ_FIRST(&stcb->asoc.strmout[i].outqueue); 213 if (sp == NULL) { 214 continue; 215 } 216 if ((sp->msg_is_complete) && 217 (sp->length == 0) && 218 (sp->sender_all_done)) { 219 /* 220 * We are doing differed cleanup. Last time 221 * through when we took all the data the 222 * sender_all_done was not set. 223 */ 224 if (sp->put_last_out == 0) { 225 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n"); 226 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n", 227 sp->sender_all_done, 228 sp->length, 229 sp->msg_is_complete, 230 sp->put_last_out); 231 } 232 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1); 233 TAILQ_REMOVE(&stcb->asoc.strmout[i].outqueue, sp, next); 234 if (sp->net) { 235 sctp_free_remote_addr(sp->net); 236 sp->net = NULL; 237 } 238 if (sp->data) { 239 sctp_m_freem(sp->data); 240 sp->data = NULL; 241 } 242 sctp_free_a_strmoq(stcb, sp); 243 } else { 244 unsent_data++; 245 break; 246 } 247 } 248 } 249 SCTP_TCB_SEND_UNLOCK(stcb); 250 return (unsent_data); 251} 252 253static int 254sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 255 struct sctp_nets *net) 256{ 257 struct sctp_init *init; 258 struct sctp_association *asoc; 259 struct sctp_nets *lnet; 260 unsigned int i; 261 262 init = &cp->init; 263 asoc = &stcb->asoc; 264 /* save off parameters */ 265 asoc->peer_vtag = ntohl(init->initiate_tag); 266 asoc->peers_rwnd = ntohl(init->a_rwnd); 267 /* init tsn's */ 268 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 269 270 if (!TAILQ_EMPTY(&asoc->nets)) { 271 /* update any ssthresh's that may have a default */ 272 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 273 lnet->ssthresh = asoc->peers_rwnd; 274 if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) { 275 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 276 } 277 } 278 } 279 SCTP_TCB_SEND_LOCK(stcb); 280 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 281 unsigned int newcnt; 282 struct sctp_stream_out *outs; 283 struct sctp_stream_queue_pending *sp, *nsp; 284 struct sctp_tmit_chunk *chk, *nchk; 285 286 /* abandon the upper streams */ 287 newcnt = ntohs(init->num_inbound_streams); 288 TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) { 289 if (chk->rec.data.stream_number >= newcnt) { 290 TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next); 291 asoc->send_queue_cnt--; 292 if (chk->data != NULL) { 293 sctp_free_bufspace(stcb, asoc, chk, 1); 294 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL, stcb, 295 SCTP_NOTIFY_DATAGRAM_UNSENT, chk, SCTP_SO_NOT_LOCKED); 296 if (chk->data) { 297 sctp_m_freem(chk->data); 298 chk->data = NULL; 299 } 300 } 301 sctp_free_a_chunk(stcb, chk); 302 /* sa_ignore FREED_MEMORY */ 303 } 304 } 305 if (asoc->strmout) { 306 for (i = newcnt; i < asoc->pre_open_streams; i++) { 307 outs = &asoc->strmout[i]; 308 TAILQ_FOREACH_SAFE(sp, &outs->outqueue, next, nsp) { 309 TAILQ_REMOVE(&outs->outqueue, sp, next); 310 asoc->stream_queue_cnt--; 311 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 312 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 313 sp, SCTP_SO_NOT_LOCKED); 314 if (sp->data) { 315 sctp_m_freem(sp->data); 316 sp->data = NULL; 317 } 318 if (sp->net) { 319 sctp_free_remote_addr(sp->net); 320 sp->net = NULL; 321 } 322 /* Free the chunk */ 323 sctp_free_a_strmoq(stcb, sp); 324 /* sa_ignore FREED_MEMORY */ 325 } 326 } 327 } 328 /* cut back the count */ 329 asoc->pre_open_streams = newcnt; 330 } 331 SCTP_TCB_SEND_UNLOCK(stcb); 332 asoc->strm_realoutsize = asoc->streamoutcnt = asoc->pre_open_streams; 333 334 /* EY - nr_sack: initialize highest tsn in nr_mapping_array */ 335 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map; 336 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 337 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 338 } 339 /* This is the next one we expect */ 340 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 341 342 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 343 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in; 344 345 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 346 /* open the requested streams */ 347 348 if (asoc->strmin != NULL) { 349 /* Free the old ones */ 350 struct sctp_queued_to_read *ctl, *nctl; 351 352 for (i = 0; i < asoc->streamincnt; i++) { 353 TAILQ_FOREACH_SAFE(ctl, &asoc->strmin[i].inqueue, next, nctl) { 354 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 355 sctp_free_remote_addr(ctl->whoFrom); 356 ctl->whoFrom = NULL; 357 sctp_m_freem(ctl->data); 358 ctl->data = NULL; 359 sctp_free_a_readq(stcb, ctl); 360 } 361 } 362 SCTP_FREE(asoc->strmin, SCTP_M_STRMI); 363 } 364 asoc->streamincnt = ntohs(init->num_outbound_streams); 365 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 366 asoc->streamincnt = MAX_SCTP_STREAMS; 367 } 368 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 369 sizeof(struct sctp_stream_in), SCTP_M_STRMI); 370 if (asoc->strmin == NULL) { 371 /* we didn't get memory for the streams! */ 372 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n"); 373 return (-1); 374 } 375 for (i = 0; i < asoc->streamincnt; i++) { 376 asoc->strmin[i].stream_no = i; 377 asoc->strmin[i].last_sequence_delivered = 0xffff; 378 /* 379 * U-stream ranges will be set when the cookie is unpacked. 380 * Or for the INIT sender they are un set (if pr-sctp not 381 * supported) when the INIT-ACK arrives. 382 */ 383 TAILQ_INIT(&asoc->strmin[i].inqueue); 384 asoc->strmin[i].delivery_started = 0; 385 } 386 /* 387 * load_address_from_init will put the addresses into the 388 * association when the COOKIE is processed or the INIT-ACK is 389 * processed. Both types of COOKIE's existing and new call this 390 * routine. It will remove addresses that are no longer in the 391 * association (for the restarting case where addresses are 392 * removed). Up front when the INIT arrives we will discard it if it 393 * is a restart and new addresses have been added. 394 */ 395 /* sa_ignore MEMLEAK */ 396 return (0); 397} 398 399/* 400 * INIT-ACK message processing/consumption returns value < 0 on error 401 */ 402static int 403sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 404 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 405 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 406{ 407 struct sctp_association *asoc; 408 struct mbuf *op_err; 409 int retval, abort_flag; 410 uint32_t initack_limit; 411 int nat_friendly = 0; 412 413 /* First verify that we have no illegal param's */ 414 abort_flag = 0; 415 op_err = NULL; 416 417 op_err = sctp_arethere_unrecognized_parameters(m, 418 (offset + sizeof(struct sctp_init_chunk)), 419 &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly); 420 if (abort_flag) { 421 /* Send an abort and notify peer */ 422 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err, SCTP_SO_NOT_LOCKED); 423 *abort_no_unlock = 1; 424 return (-1); 425 } 426 asoc = &stcb->asoc; 427 asoc->peer_supports_nat = (uint8_t) nat_friendly; 428 /* process the peer's parameters in the INIT-ACK */ 429 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 430 if (retval < 0) { 431 return (retval); 432 } 433 initack_limit = offset + ntohs(cp->ch.chunk_length); 434 /* load all addresses */ 435 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 436 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 437 NULL))) { 438 /* Huh, we should abort */ 439 SCTPDBG(SCTP_DEBUG_INPUT1, 440 "Load addresses from INIT causes an abort %d\n", 441 retval); 442 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 443 NULL, 0, net->port); 444 *abort_no_unlock = 1; 445 return (-1); 446 } 447 /* if the peer doesn't support asconf, flush the asconf queue */ 448 if (asoc->peer_supports_asconf == 0) { 449 struct sctp_asconf_addr *param, *nparam; 450 451 TAILQ_FOREACH_SAFE(param, &asoc->asconf_queue, next, nparam) { 452 TAILQ_REMOVE(&asoc->asconf_queue, param, next); 453 SCTP_FREE(param, SCTP_M_ASC_ADDR); 454 } 455 } 456 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 457 stcb->asoc.local_hmacs); 458 if (op_err) { 459 sctp_queue_op_err(stcb, op_err); 460 /* queuing will steal away the mbuf chain to the out queue */ 461 op_err = NULL; 462 } 463 /* extract the cookie and queue it to "echo" it back... */ 464 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 465 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 466 stcb->asoc.overall_error_count, 467 0, 468 SCTP_FROM_SCTP_INPUT, 469 __LINE__); 470 } 471 stcb->asoc.overall_error_count = 0; 472 net->error_count = 0; 473 474 /* 475 * Cancel the INIT timer, We do this first before queueing the 476 * cookie. We always cancel at the primary to assue that we are 477 * canceling the timer started by the INIT which always goes to the 478 * primary. 479 */ 480 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 481 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 482 483 /* calculate the RTO */ 484 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy, 485 SCTP_DETERMINE_LL_NOTOK); 486 487 retval = sctp_send_cookie_echo(m, offset, stcb, net); 488 if (retval < 0) { 489 /* 490 * No cookie, we probably should send a op error. But in any 491 * case if there is no cookie in the INIT-ACK, we can 492 * abandon the peer, its broke. 493 */ 494 if (retval == -3) { 495 /* We abort with an error of missing mandatory param */ 496 op_err = 497 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 498 if (op_err) { 499 /* 500 * Expand beyond to include the mandatory 501 * param cookie 502 */ 503 struct sctp_inv_mandatory_param *mp; 504 505 SCTP_BUF_LEN(op_err) = 506 sizeof(struct sctp_inv_mandatory_param); 507 mp = mtod(op_err, 508 struct sctp_inv_mandatory_param *); 509 /* Subtract the reserved param */ 510 mp->length = 511 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 512 mp->num_param = htonl(1); 513 mp->param = htons(SCTP_STATE_COOKIE); 514 mp->resv = 0; 515 } 516 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 517 sh, op_err, 0, net->port); 518 *abort_no_unlock = 1; 519 } 520 return (retval); 521 } 522 return (0); 523} 524 525static void 526sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 527 struct sctp_tcb *stcb, struct sctp_nets *net) 528{ 529 struct sockaddr_storage store; 530 struct sockaddr_in *sin; 531 struct sockaddr_in6 *sin6; 532 struct sctp_nets *r_net, *f_net; 533 struct timeval tv; 534 int req_prim = 0; 535 536 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 537 /* Invalid length */ 538 return; 539 } 540 sin = (struct sockaddr_in *)&store; 541 sin6 = (struct sockaddr_in6 *)&store; 542 543 memset(&store, 0, sizeof(store)); 544 if (cp->heartbeat.hb_info.addr_family == AF_INET && 545 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 546 sin->sin_family = cp->heartbeat.hb_info.addr_family; 547 sin->sin_len = cp->heartbeat.hb_info.addr_len; 548 sin->sin_port = stcb->rport; 549 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 550 sizeof(sin->sin_addr)); 551 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 552 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 553 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 554 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 555 sin6->sin6_port = stcb->rport; 556 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 557 sizeof(sin6->sin6_addr)); 558 } else { 559 return; 560 } 561 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 562 if (r_net == NULL) { 563 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n"); 564 return; 565 } 566 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 567 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 568 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 569 /* 570 * If the its a HB and it's random value is correct when can 571 * confirm the destination. 572 */ 573 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 574 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 575 stcb->asoc.primary_destination = r_net; 576 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY; 577 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 578 f_net = TAILQ_FIRST(&stcb->asoc.nets); 579 if (f_net != r_net) { 580 /* 581 * first one on the list is NOT the primary 582 * sctp_cmpaddr() is much more efficent if 583 * the primary is the first on the list, 584 * make it so. 585 */ 586 TAILQ_REMOVE(&stcb->asoc.nets, r_net, sctp_next); 587 TAILQ_INSERT_HEAD(&stcb->asoc.nets, r_net, sctp_next); 588 } 589 req_prim = 1; 590 } 591 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 592 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED); 593 } 594 r_net->error_count = 0; 595 r_net->hb_responded = 1; 596 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 597 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 598 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 599 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 600 r_net->dest_state |= SCTP_ADDR_REACHABLE; 601 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 602 SCTP_HEARTBEAT_SUCCESS, (void *)r_net, SCTP_SO_NOT_LOCKED); 603 /* now was it the primary? if so restore */ 604 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 605 (void)sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 606 } 607 } 608 /* 609 * JRS 5/14/07 - If CMT PF is on and the destination is in PF state, 610 * set the destination to active state and set the cwnd to one or 611 * two MTU's based on whether PF1 or PF2 is being used. If a T3 612 * timer is running, for the destination, stop the timer because a 613 * PF-heartbeat was received. 614 */ 615 if ((stcb->asoc.sctp_cmt_on_off > 0) && 616 (stcb->asoc.sctp_cmt_pf > 0) && 617 ((net->dest_state & SCTP_ADDR_PF) == SCTP_ADDR_PF)) { 618 if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 619 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 620 stcb, net, 621 SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 622 } 623 net->dest_state &= ~SCTP_ADDR_PF; 624 net->cwnd = net->mtu * stcb->asoc.sctp_cmt_pf; 625 SCTPDBG(SCTP_DEBUG_INPUT1, "Destination %p moved from PF to reachable with cwnd %d.\n", 626 net, net->cwnd); 627 } 628 /* Now lets do a RTO with this */ 629 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy, 630 SCTP_DETERMINE_LL_OK); 631 /* Mobility adaptation */ 632 if (req_prim) { 633 if ((sctp_is_mobility_feature_on(stcb->sctp_ep, 634 SCTP_MOBILITY_BASE) || 635 sctp_is_mobility_feature_on(stcb->sctp_ep, 636 SCTP_MOBILITY_FASTHANDOFF)) && 637 sctp_is_mobility_feature_on(stcb->sctp_ep, 638 SCTP_MOBILITY_PRIM_DELETED)) { 639 640 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_TIMER + SCTP_LOC_7); 641 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 642 SCTP_MOBILITY_FASTHANDOFF)) { 643 sctp_assoc_immediate_retrans(stcb, 644 stcb->asoc.primary_destination); 645 } 646 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 647 SCTP_MOBILITY_BASE)) { 648 sctp_move_chunks_from_net(stcb, 649 stcb->asoc.deleted_primary); 650 } 651 sctp_delete_prim_timer(stcb->sctp_ep, stcb, 652 stcb->asoc.deleted_primary); 653 } 654 } 655} 656 657static int 658sctp_handle_nat_colliding_state(struct sctp_tcb *stcb) 659{ 660 /* 661 * return 0 means we want you to proceed with the abort non-zero 662 * means no abort processing 663 */ 664 struct sctpasochead *head; 665 666 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) { 667 /* generate a new vtag and send init */ 668 LIST_REMOVE(stcb, sctp_asocs); 669 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1); 670 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))]; 671 /* 672 * put it in the bucket in the vtag hash of assoc's for the 673 * system 674 */ 675 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 676 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 677 return (1); 678 } 679 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED) { 680 /* 681 * treat like a case where the cookie expired i.e.: - dump 682 * current cookie. - generate a new vtag. - resend init. 683 */ 684 /* generate a new vtag and send init */ 685 LIST_REMOVE(stcb, sctp_asocs); 686 stcb->asoc.state &= ~SCTP_STATE_COOKIE_ECHOED; 687 stcb->asoc.state |= SCTP_STATE_COOKIE_WAIT; 688 sctp_stop_all_cookie_timers(stcb); 689 sctp_toss_old_cookies(stcb, &stcb->asoc); 690 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1); 691 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))]; 692 /* 693 * put it in the bucket in the vtag hash of assoc's for the 694 * system 695 */ 696 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 697 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 698 return (1); 699 } 700 return (0); 701} 702 703static int 704sctp_handle_nat_missing_state(struct sctp_tcb *stcb, 705 struct sctp_nets *net) 706{ 707 /* 708 * return 0 means we want you to proceed with the abort non-zero 709 * means no abort processing 710 */ 711 if (stcb->asoc.peer_supports_auth == 0) { 712 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n"); 713 return (0); 714 } 715 sctp_asconf_send_nat_state_update(stcb, net); 716 return (1); 717} 718 719 720static void 721sctp_handle_abort(struct sctp_abort_chunk *cp, 722 struct sctp_tcb *stcb, struct sctp_nets *net) 723{ 724#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 725 struct socket *so; 726 727#endif 728 uint16_t len; 729 730 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n"); 731 if (stcb == NULL) 732 return; 733 734 len = ntohs(cp->ch.chunk_length); 735 if (len > sizeof(struct sctp_chunkhdr)) { 736 /* 737 * Need to check the cause codes for our two magic nat 738 * aborts which don't kill the assoc necessarily. 739 */ 740 struct sctp_abort_chunk *cpnext; 741 struct sctp_missing_nat_state *natc; 742 uint16_t cause; 743 744 cpnext = cp; 745 cpnext++; 746 natc = (struct sctp_missing_nat_state *)cpnext; 747 cause = ntohs(natc->cause); 748 if (cause == SCTP_CAUSE_NAT_COLLIDING_STATE) { 749 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n", 750 cp->ch.chunk_flags); 751 if (sctp_handle_nat_colliding_state(stcb)) { 752 return; 753 } 754 } else if (cause == SCTP_CAUSE_NAT_MISSING_STATE) { 755 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n", 756 cp->ch.chunk_flags); 757 if (sctp_handle_nat_missing_state(stcb, net)) { 758 return; 759 } 760 } 761 } 762 /* stop any receive timers */ 763 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 764 /* notify user of the abort and clean up... */ 765 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED); 766 /* free the tcb */ 767#if defined(SCTP_PANIC_ON_ABORT) 768 printf("stcb:%p state:%d rport:%d net:%p\n", 769 stcb, stcb->asoc.state, stcb->rport, net); 770 if (!(stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) { 771 panic("Received an ABORT"); 772 } else { 773 printf("No panic its in state %x closed\n", stcb->asoc.state); 774 } 775#endif 776 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 777 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 778 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 779 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 780 } 781#ifdef SCTP_ASOCLOG_OF_TSNS 782 sctp_print_out_track_log(stcb); 783#endif 784#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 785 so = SCTP_INP_SO(stcb->sctp_ep); 786 atomic_add_int(&stcb->asoc.refcnt, 1); 787 SCTP_TCB_UNLOCK(stcb); 788 SCTP_SOCKET_LOCK(so, 1); 789 SCTP_TCB_LOCK(stcb); 790 atomic_subtract_int(&stcb->asoc.refcnt, 1); 791#endif 792 stcb->asoc.state |= SCTP_STATE_WAS_ABORTED; 793 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 794 SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 795#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 796 SCTP_SOCKET_UNLOCK(so, 1); 797#endif 798 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n"); 799} 800 801static void 802sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 803 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 804{ 805 struct sctp_association *asoc; 806 int some_on_streamwheel; 807 808#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 809 struct socket *so; 810 811#endif 812 813 SCTPDBG(SCTP_DEBUG_INPUT2, 814 "sctp_handle_shutdown: handling SHUTDOWN\n"); 815 if (stcb == NULL) 816 return; 817 asoc = &stcb->asoc; 818 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 819 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 820 return; 821 } 822 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 823 /* Shutdown NOT the expected size */ 824 return; 825 } else { 826 sctp_update_acked(stcb, cp, net, abort_flag); 827 if (*abort_flag) { 828 return; 829 } 830 } 831 if (asoc->control_pdapi) { 832 /* 833 * With a normal shutdown we assume the end of last record. 834 */ 835 SCTP_INP_READ_LOCK(stcb->sctp_ep); 836 asoc->control_pdapi->end_added = 1; 837 asoc->control_pdapi->pdapi_aborted = 1; 838 asoc->control_pdapi = NULL; 839 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 840#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 841 so = SCTP_INP_SO(stcb->sctp_ep); 842 atomic_add_int(&stcb->asoc.refcnt, 1); 843 SCTP_TCB_UNLOCK(stcb); 844 SCTP_SOCKET_LOCK(so, 1); 845 SCTP_TCB_LOCK(stcb); 846 atomic_subtract_int(&stcb->asoc.refcnt, 1); 847 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 848 /* assoc was freed while we were unlocked */ 849 SCTP_SOCKET_UNLOCK(so, 1); 850 return; 851 } 852#endif 853 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 854#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 855 SCTP_SOCKET_UNLOCK(so, 1); 856#endif 857 } 858 /* goto SHUTDOWN_RECEIVED state to block new requests */ 859 if (stcb->sctp_socket) { 860 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 861 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) && 862 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 863 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED); 864 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 865 /* 866 * notify upper layer that peer has initiated a 867 * shutdown 868 */ 869 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 870 871 /* reset time */ 872 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 873 } 874 } 875 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 876 /* 877 * stop the shutdown timer, since we WILL move to 878 * SHUTDOWN-ACK-SENT. 879 */ 880 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 881 } 882 /* Now is there unsent data on a stream somewhere? */ 883 some_on_streamwheel = sctp_is_there_unsent_data(stcb); 884 885 if (!TAILQ_EMPTY(&asoc->send_queue) || 886 !TAILQ_EMPTY(&asoc->sent_queue) || 887 some_on_streamwheel) { 888 /* By returning we will push more data out */ 889 return; 890 } else { 891 /* no outstanding data to send, so move on... */ 892 /* send SHUTDOWN-ACK */ 893 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 894 /* move to SHUTDOWN-ACK-SENT state */ 895 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 896 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 897 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 898 } 899 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT); 900 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 901 sctp_stop_timers_for_shutdown(stcb); 902 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 903 stcb, net); 904 } 905} 906 907static void 908sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 909 struct sctp_tcb *stcb, 910 struct sctp_nets *net) 911{ 912 struct sctp_association *asoc; 913 914#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 915 struct socket *so; 916 917 so = SCTP_INP_SO(stcb->sctp_ep); 918#endif 919 SCTPDBG(SCTP_DEBUG_INPUT2, 920 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 921 if (stcb == NULL) 922 return; 923 924 asoc = &stcb->asoc; 925 /* process according to association state */ 926 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 927 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 928 /* unexpected SHUTDOWN-ACK... do OOTB handling... */ 929 sctp_send_shutdown_complete(stcb, net, 1); 930 SCTP_TCB_UNLOCK(stcb); 931 return; 932 } 933 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 934 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 935 /* unexpected SHUTDOWN-ACK... so ignore... */ 936 SCTP_TCB_UNLOCK(stcb); 937 return; 938 } 939 if (asoc->control_pdapi) { 940 /* 941 * With a normal shutdown we assume the end of last record. 942 */ 943 SCTP_INP_READ_LOCK(stcb->sctp_ep); 944 asoc->control_pdapi->end_added = 1; 945 asoc->control_pdapi->pdapi_aborted = 1; 946 asoc->control_pdapi = NULL; 947 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 948#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 949 atomic_add_int(&stcb->asoc.refcnt, 1); 950 SCTP_TCB_UNLOCK(stcb); 951 SCTP_SOCKET_LOCK(so, 1); 952 SCTP_TCB_LOCK(stcb); 953 atomic_subtract_int(&stcb->asoc.refcnt, 1); 954 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 955 /* assoc was freed while we were unlocked */ 956 SCTP_SOCKET_UNLOCK(so, 1); 957 return; 958 } 959#endif 960 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 961#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 962 SCTP_SOCKET_UNLOCK(so, 1); 963#endif 964 } 965 /* are the queues empty? */ 966 if (!TAILQ_EMPTY(&asoc->send_queue) || 967 !TAILQ_EMPTY(&asoc->sent_queue) || 968 !stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) { 969 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED); 970 } 971 /* stop the timer */ 972 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 973 /* send SHUTDOWN-COMPLETE */ 974 sctp_send_shutdown_complete(stcb, net, 0); 975 /* notify upper layer protocol */ 976 if (stcb->sctp_socket) { 977 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 978 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 979 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 980 /* Set the connected flag to disconnected */ 981 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 982 } 983 } 984 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 985 /* free the TCB but first save off the ep */ 986#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 987 atomic_add_int(&stcb->asoc.refcnt, 1); 988 SCTP_TCB_UNLOCK(stcb); 989 SCTP_SOCKET_LOCK(so, 1); 990 SCTP_TCB_LOCK(stcb); 991 atomic_subtract_int(&stcb->asoc.refcnt, 1); 992#endif 993 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 994 SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 995#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 996 SCTP_SOCKET_UNLOCK(so, 1); 997#endif 998} 999 1000/* 1001 * Skip past the param header and then we will find the chunk that caused the 1002 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 1003 * our peer must be broken. 1004 */ 1005static void 1006sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 1007 struct sctp_nets *net) 1008{ 1009 struct sctp_chunkhdr *chk; 1010 1011 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 1012 switch (chk->chunk_type) { 1013 case SCTP_ASCONF_ACK: 1014 case SCTP_ASCONF: 1015 sctp_asconf_cleanup(stcb, net); 1016 break; 1017 case SCTP_FORWARD_CUM_TSN: 1018 stcb->asoc.peer_supports_prsctp = 0; 1019 break; 1020 default: 1021 SCTPDBG(SCTP_DEBUG_INPUT2, 1022 "Peer does not support chunk type %d(%x)??\n", 1023 chk->chunk_type, (uint32_t) chk->chunk_type); 1024 break; 1025 } 1026} 1027 1028/* 1029 * Skip past the param header and then we will find the param that caused the 1030 * problem. There are a number of param's in a ASCONF OR the prsctp param 1031 * these will turn of specific features. 1032 */ 1033static void 1034sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 1035{ 1036 struct sctp_paramhdr *pbad; 1037 1038 pbad = phdr + 1; 1039 switch (ntohs(pbad->param_type)) { 1040 /* pr-sctp draft */ 1041 case SCTP_PRSCTP_SUPPORTED: 1042 stcb->asoc.peer_supports_prsctp = 0; 1043 break; 1044 case SCTP_SUPPORTED_CHUNK_EXT: 1045 break; 1046 /* draft-ietf-tsvwg-addip-sctp */ 1047 case SCTP_HAS_NAT_SUPPORT: 1048 stcb->asoc.peer_supports_nat = 0; 1049 break; 1050 case SCTP_ADD_IP_ADDRESS: 1051 case SCTP_DEL_IP_ADDRESS: 1052 case SCTP_SET_PRIM_ADDR: 1053 stcb->asoc.peer_supports_asconf = 0; 1054 break; 1055 case SCTP_SUCCESS_REPORT: 1056 case SCTP_ERROR_CAUSE_IND: 1057 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n"); 1058 SCTPDBG(SCTP_DEBUG_INPUT2, 1059 "Turning off ASCONF to this strange peer\n"); 1060 stcb->asoc.peer_supports_asconf = 0; 1061 break; 1062 default: 1063 SCTPDBG(SCTP_DEBUG_INPUT2, 1064 "Peer does not support param type %d(%x)??\n", 1065 pbad->param_type, (uint32_t) pbad->param_type); 1066 break; 1067 } 1068} 1069 1070static int 1071sctp_handle_error(struct sctp_chunkhdr *ch, 1072 struct sctp_tcb *stcb, struct sctp_nets *net) 1073{ 1074 int chklen; 1075 struct sctp_paramhdr *phdr; 1076 uint16_t error_type; 1077 uint16_t error_len; 1078 struct sctp_association *asoc; 1079 int adjust; 1080 1081#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1082 struct socket *so; 1083 1084#endif 1085 1086 /* parse through all of the errors and process */ 1087 asoc = &stcb->asoc; 1088 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 1089 sizeof(struct sctp_chunkhdr)); 1090 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 1091 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 1092 /* Process an Error Cause */ 1093 error_type = ntohs(phdr->param_type); 1094 error_len = ntohs(phdr->param_length); 1095 if ((error_len > chklen) || (error_len == 0)) { 1096 /* invalid param length for this param */ 1097 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n", 1098 chklen, error_len); 1099 return (0); 1100 } 1101 switch (error_type) { 1102 case SCTP_CAUSE_INVALID_STREAM: 1103 case SCTP_CAUSE_MISSING_PARAM: 1104 case SCTP_CAUSE_INVALID_PARAM: 1105 case SCTP_CAUSE_NO_USER_DATA: 1106 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n", 1107 error_type); 1108 break; 1109 case SCTP_CAUSE_NAT_COLLIDING_STATE: 1110 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n", 1111 ch->chunk_flags); 1112 if (sctp_handle_nat_colliding_state(stcb)) { 1113 return (0); 1114 } 1115 break; 1116 case SCTP_CAUSE_NAT_MISSING_STATE: 1117 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n", 1118 ch->chunk_flags); 1119 if (sctp_handle_nat_missing_state(stcb, net)) { 1120 return (0); 1121 } 1122 break; 1123 case SCTP_CAUSE_STALE_COOKIE: 1124 /* 1125 * We only act if we have echoed a cookie and are 1126 * waiting. 1127 */ 1128 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 1129 int *p; 1130 1131 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 1132 /* Save the time doubled */ 1133 asoc->cookie_preserve_req = ntohl(*p) << 1; 1134 asoc->stale_cookie_count++; 1135 if (asoc->stale_cookie_count > 1136 asoc->max_init_times) { 1137 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED); 1138 /* now free the asoc */ 1139#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1140 so = SCTP_INP_SO(stcb->sctp_ep); 1141 atomic_add_int(&stcb->asoc.refcnt, 1); 1142 SCTP_TCB_UNLOCK(stcb); 1143 SCTP_SOCKET_LOCK(so, 1); 1144 SCTP_TCB_LOCK(stcb); 1145 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1146#endif 1147 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 1148 SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1149#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1150 SCTP_SOCKET_UNLOCK(so, 1); 1151#endif 1152 return (-1); 1153 } 1154 /* blast back to INIT state */ 1155 sctp_toss_old_cookies(stcb, &stcb->asoc); 1156 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 1157 asoc->state |= SCTP_STATE_COOKIE_WAIT; 1158 sctp_stop_all_cookie_timers(stcb); 1159 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 1160 } 1161 break; 1162 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 1163 /* 1164 * Nothing we can do here, we don't do hostname 1165 * addresses so if the peer does not like my IPv6 1166 * (or IPv4 for that matter) it does not matter. If 1167 * they don't support that type of address, they can 1168 * NOT possibly get that packet type... i.e. with no 1169 * IPv6 you can't recieve a IPv6 packet. so we can 1170 * safely ignore this one. If we ever added support 1171 * for HOSTNAME Addresses, then we would need to do 1172 * something here. 1173 */ 1174 break; 1175 case SCTP_CAUSE_UNRECOG_CHUNK: 1176 sctp_process_unrecog_chunk(stcb, phdr, net); 1177 break; 1178 case SCTP_CAUSE_UNRECOG_PARAM: 1179 sctp_process_unrecog_param(stcb, phdr); 1180 break; 1181 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 1182 /* 1183 * We ignore this since the timer will drive out a 1184 * new cookie anyway and there timer will drive us 1185 * to send a SHUTDOWN_COMPLETE. We can't send one 1186 * here since we don't have their tag. 1187 */ 1188 break; 1189 case SCTP_CAUSE_DELETING_LAST_ADDR: 1190 case SCTP_CAUSE_RESOURCE_SHORTAGE: 1191 case SCTP_CAUSE_DELETING_SRC_ADDR: 1192 /* 1193 * We should NOT get these here, but in a 1194 * ASCONF-ACK. 1195 */ 1196 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n", 1197 error_type); 1198 break; 1199 case SCTP_CAUSE_OUT_OF_RESC: 1200 /* 1201 * And what, pray tell do we do with the fact that 1202 * the peer is out of resources? Not really sure we 1203 * could do anything but abort. I suspect this 1204 * should have came WITH an abort instead of in a 1205 * OP-ERROR. 1206 */ 1207 break; 1208 default: 1209 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n", 1210 error_type); 1211 break; 1212 } 1213 adjust = SCTP_SIZE32(error_len); 1214 chklen -= adjust; 1215 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 1216 } 1217 return (0); 1218} 1219 1220static int 1221sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, 1222 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 1223 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 1224{ 1225 struct sctp_init_ack *init_ack; 1226 struct mbuf *op_err; 1227 1228 SCTPDBG(SCTP_DEBUG_INPUT2, 1229 "sctp_handle_init_ack: handling INIT-ACK\n"); 1230 1231 if (stcb == NULL) { 1232 SCTPDBG(SCTP_DEBUG_INPUT2, 1233 "sctp_handle_init_ack: TCB is null\n"); 1234 return (-1); 1235 } 1236 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 1237 /* Invalid length */ 1238 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1239 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1240 op_err, 0, net->port); 1241 *abort_no_unlock = 1; 1242 return (-1); 1243 } 1244 init_ack = &cp->init; 1245 /* validate parameters */ 1246 if (init_ack->initiate_tag == 0) { 1247 /* protocol error... send an abort */ 1248 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1249 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1250 op_err, 0, net->port); 1251 *abort_no_unlock = 1; 1252 return (-1); 1253 } 1254 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 1255 /* protocol error... send an abort */ 1256 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1257 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1258 op_err, 0, net->port); 1259 *abort_no_unlock = 1; 1260 return (-1); 1261 } 1262 if (init_ack->num_inbound_streams == 0) { 1263 /* protocol error... send an abort */ 1264 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1265 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1266 op_err, 0, net->port); 1267 *abort_no_unlock = 1; 1268 return (-1); 1269 } 1270 if (init_ack->num_outbound_streams == 0) { 1271 /* protocol error... send an abort */ 1272 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1273 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1274 op_err, 0, net->port); 1275 *abort_no_unlock = 1; 1276 return (-1); 1277 } 1278 /* process according to association state... */ 1279 switch (stcb->asoc.state & SCTP_STATE_MASK) { 1280 case SCTP_STATE_COOKIE_WAIT: 1281 /* this is the expected state for this chunk */ 1282 /* process the INIT-ACK parameters */ 1283 if (stcb->asoc.primary_destination->dest_state & 1284 SCTP_ADDR_UNCONFIRMED) { 1285 /* 1286 * The primary is where we sent the INIT, we can 1287 * always consider it confirmed when the INIT-ACK is 1288 * returned. Do this before we load addresses 1289 * though. 1290 */ 1291 stcb->asoc.primary_destination->dest_state &= 1292 ~SCTP_ADDR_UNCONFIRMED; 1293 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1294 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED); 1295 } 1296 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, 1297 net, abort_no_unlock, vrf_id) < 0) { 1298 /* error in parsing parameters */ 1299 return (-1); 1300 } 1301 /* update our state */ 1302 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n"); 1303 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED); 1304 1305 /* reset the RTO calc */ 1306 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 1307 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 1308 stcb->asoc.overall_error_count, 1309 0, 1310 SCTP_FROM_SCTP_INPUT, 1311 __LINE__); 1312 } 1313 stcb->asoc.overall_error_count = 0; 1314 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1315 /* 1316 * collapse the init timer back in case of a exponential 1317 * backoff 1318 */ 1319 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1320 stcb, net); 1321 /* 1322 * the send at the end of the inbound data processing will 1323 * cause the cookie to be sent 1324 */ 1325 break; 1326 case SCTP_STATE_SHUTDOWN_SENT: 1327 /* incorrect state... discard */ 1328 break; 1329 case SCTP_STATE_COOKIE_ECHOED: 1330 /* incorrect state... discard */ 1331 break; 1332 case SCTP_STATE_OPEN: 1333 /* incorrect state... discard */ 1334 break; 1335 case SCTP_STATE_EMPTY: 1336 case SCTP_STATE_INUSE: 1337 default: 1338 /* incorrect state... discard */ 1339 return (-1); 1340 break; 1341 } 1342 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n"); 1343 return (0); 1344} 1345 1346static struct sctp_tcb * 1347sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1348 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1349 struct sctp_inpcb *inp, struct sctp_nets **netp, 1350 struct sockaddr *init_src, int *notification, 1351 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1352 uint32_t vrf_id, uint16_t port); 1353 1354 1355/* 1356 * handle a state cookie for an existing association m: input packet mbuf 1357 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1358 * "split" mbuf and the cookie signature does not exist offset: offset into 1359 * mbuf to the cookie-echo chunk 1360 */ 1361static struct sctp_tcb * 1362sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1363 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1364 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp, 1365 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id, 1366 uint32_t vrf_id, int auth_skipped, uint32_t auth_offset, uint32_t auth_len, uint16_t port) 1367{ 1368 struct sctp_association *asoc; 1369 struct sctp_init_chunk *init_cp, init_buf; 1370 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1371 struct sctp_nets *net; 1372 struct mbuf *op_err; 1373 struct sctp_paramhdr *ph; 1374 int chk_length; 1375 int init_offset, initack_offset, i; 1376 int retval; 1377 int spec_flag = 0; 1378 uint32_t how_indx; 1379 1380 net = *netp; 1381 /* I know that the TCB is non-NULL from the caller */ 1382 asoc = &stcb->asoc; 1383 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1384 if (asoc->cookie_how[how_indx] == 0) 1385 break; 1386 } 1387 if (how_indx < sizeof(asoc->cookie_how)) { 1388 asoc->cookie_how[how_indx] = 1; 1389 } 1390 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1391 /* SHUTDOWN came in after sending INIT-ACK */ 1392 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1393 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1394 0, M_DONTWAIT, 1, MT_DATA); 1395 if (op_err == NULL) { 1396 /* FOOBAR */ 1397 return (NULL); 1398 } 1399 /* Set the len */ 1400 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1401 ph = mtod(op_err, struct sctp_paramhdr *); 1402 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1403 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1404 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 1405 vrf_id, net->port); 1406 if (how_indx < sizeof(asoc->cookie_how)) 1407 asoc->cookie_how[how_indx] = 2; 1408 return (NULL); 1409 } 1410 /* 1411 * find and validate the INIT chunk in the cookie (peer's info) the 1412 * INIT should start after the cookie-echo header struct (chunk 1413 * header, state cookie header struct) 1414 */ 1415 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1416 1417 init_cp = (struct sctp_init_chunk *) 1418 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1419 (uint8_t *) & init_buf); 1420 if (init_cp == NULL) { 1421 /* could not pull a INIT chunk in cookie */ 1422 return (NULL); 1423 } 1424 chk_length = ntohs(init_cp->ch.chunk_length); 1425 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1426 return (NULL); 1427 } 1428 /* 1429 * find and validate the INIT-ACK chunk in the cookie (my info) the 1430 * INIT-ACK follows the INIT chunk 1431 */ 1432 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1433 initack_cp = (struct sctp_init_ack_chunk *) 1434 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1435 (uint8_t *) & initack_buf); 1436 if (initack_cp == NULL) { 1437 /* could not pull INIT-ACK chunk in cookie */ 1438 return (NULL); 1439 } 1440 chk_length = ntohs(initack_cp->ch.chunk_length); 1441 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1442 return (NULL); 1443 } 1444 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1445 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1446 /* 1447 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1448 * to get into the OPEN state 1449 */ 1450 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1451 /*- 1452 * Opps, this means that we somehow generated two vtag's 1453 * the same. I.e. we did: 1454 * Us Peer 1455 * <---INIT(tag=a)------ 1456 * ----INIT-ACK(tag=t)--> 1457 * ----INIT(tag=t)------> *1 1458 * <---INIT-ACK(tag=a)--- 1459 * <----CE(tag=t)------------- *2 1460 * 1461 * At point *1 we should be generating a different 1462 * tag t'. Which means we would throw away the CE and send 1463 * ours instead. Basically this is case C (throw away side). 1464 */ 1465 if (how_indx < sizeof(asoc->cookie_how)) 1466 asoc->cookie_how[how_indx] = 17; 1467 return (NULL); 1468 1469 } 1470 switch SCTP_GET_STATE 1471 (asoc) { 1472 case SCTP_STATE_COOKIE_WAIT: 1473 case SCTP_STATE_COOKIE_ECHOED: 1474 /* 1475 * INIT was sent but got a COOKIE_ECHO with the 1476 * correct tags... just accept it...but we must 1477 * process the init so that we can make sure we have 1478 * the right seq no's. 1479 */ 1480 /* First we must process the INIT !! */ 1481 retval = sctp_process_init(init_cp, stcb, net); 1482 if (retval < 0) { 1483 if (how_indx < sizeof(asoc->cookie_how)) 1484 asoc->cookie_how[how_indx] = 3; 1485 return (NULL); 1486 } 1487 /* we have already processed the INIT so no problem */ 1488 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1489 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1490 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1491 /* update current state */ 1492 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1493 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1494 else 1495 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1496 1497 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1498 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1499 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1500 stcb->sctp_ep, stcb, asoc->primary_destination); 1501 } 1502 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1503 sctp_stop_all_cookie_timers(stcb); 1504 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1505 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1506 (inp->sctp_socket->so_qlimit == 0) 1507 ) { 1508#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1509 struct socket *so; 1510 1511#endif 1512 /* 1513 * Here is where collision would go if we 1514 * did a connect() and instead got a 1515 * init/init-ack/cookie done before the 1516 * init-ack came back.. 1517 */ 1518 stcb->sctp_ep->sctp_flags |= 1519 SCTP_PCB_FLAGS_CONNECTED; 1520#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1521 so = SCTP_INP_SO(stcb->sctp_ep); 1522 atomic_add_int(&stcb->asoc.refcnt, 1); 1523 SCTP_TCB_UNLOCK(stcb); 1524 SCTP_SOCKET_LOCK(so, 1); 1525 SCTP_TCB_LOCK(stcb); 1526 atomic_add_int(&stcb->asoc.refcnt, -1); 1527 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1528 SCTP_SOCKET_UNLOCK(so, 1); 1529 return (NULL); 1530 } 1531#endif 1532 soisconnected(stcb->sctp_socket); 1533#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1534 SCTP_SOCKET_UNLOCK(so, 1); 1535#endif 1536 } 1537 /* notify upper layer */ 1538 *notification = SCTP_NOTIFY_ASSOC_UP; 1539 /* 1540 * since we did not send a HB make sure we don't 1541 * double things 1542 */ 1543 net->hb_responded = 1; 1544 net->RTO = sctp_calculate_rto(stcb, asoc, net, 1545 &cookie->time_entered, 1546 sctp_align_unsafe_makecopy, 1547 SCTP_DETERMINE_LL_NOTOK); 1548 1549 if (stcb->asoc.sctp_autoclose_ticks && 1550 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1551 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1552 inp, stcb, NULL); 1553 } 1554 break; 1555 default: 1556 /* 1557 * we're in the OPEN state (or beyond), so peer must 1558 * have simply lost the COOKIE-ACK 1559 */ 1560 break; 1561 } /* end switch */ 1562 sctp_stop_all_cookie_timers(stcb); 1563 /* 1564 * We ignore the return code here.. not sure if we should 1565 * somehow abort.. but we do have an existing asoc. This 1566 * really should not fail. 1567 */ 1568 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1569 init_offset + sizeof(struct sctp_init_chunk), 1570 initack_offset, sh, init_src)) { 1571 if (how_indx < sizeof(asoc->cookie_how)) 1572 asoc->cookie_how[how_indx] = 4; 1573 return (NULL); 1574 } 1575 /* respond with a COOKIE-ACK */ 1576 sctp_toss_old_cookies(stcb, asoc); 1577 sctp_send_cookie_ack(stcb); 1578 if (how_indx < sizeof(asoc->cookie_how)) 1579 asoc->cookie_how[how_indx] = 5; 1580 return (stcb); 1581 } 1582 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1583 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1584 cookie->tie_tag_my_vtag == 0 && 1585 cookie->tie_tag_peer_vtag == 0) { 1586 /* 1587 * case C in Section 5.2.4 Table 2: XMOO silently discard 1588 */ 1589 if (how_indx < sizeof(asoc->cookie_how)) 1590 asoc->cookie_how[how_indx] = 6; 1591 return (NULL); 1592 } 1593 /* 1594 * If nat support, and the below and stcb is established, send back 1595 * a ABORT(colliding state) if we are established. 1596 */ 1597 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) && 1598 (asoc->peer_supports_nat) && 1599 ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1600 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) || 1601 (asoc->peer_vtag == 0)))) { 1602 /* 1603 * Special case - Peer's support nat. We may have two init's 1604 * that we gave out the same tag on since one was not 1605 * established.. i.e. we get INIT from host-1 behind the nat 1606 * and we respond tag-a, we get a INIT from host-2 behind 1607 * the nat and we get tag-a again. Then we bring up host-1 1608 * (or 2's) assoc, Then comes the cookie from hsot-2 (or 1). 1609 * Now we have colliding state. We must send an abort here 1610 * with colliding state indication. 1611 */ 1612 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1613 0, M_DONTWAIT, 1, MT_DATA); 1614 if (op_err == NULL) { 1615 /* FOOBAR */ 1616 return (NULL); 1617 } 1618 /* pre-reserve some space */ 1619#ifdef INET6 1620 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1621#else 1622 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip)); 1623#endif 1624 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1625 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1626 /* Set the len */ 1627 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1628 ph = mtod(op_err, struct sctp_paramhdr *); 1629 ph->param_type = htons(SCTP_CAUSE_NAT_COLLIDING_STATE); 1630 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1631 sctp_send_abort(m, iphlen, sh, 0, op_err, vrf_id, port); 1632 return (NULL); 1633 } 1634 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1635 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) || 1636 (asoc->peer_vtag == 0))) { 1637 /* 1638 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1639 * should be ok, re-accept peer info 1640 */ 1641 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1642 /* 1643 * Extension of case C. If we hit this, then the 1644 * random number generator returned the same vtag 1645 * when we first sent our INIT-ACK and when we later 1646 * sent our INIT. The side with the seq numbers that 1647 * are different will be the one that normnally 1648 * would have hit case C. This in effect "extends" 1649 * our vtags in this collision case to be 64 bits. 1650 * The same collision could occur aka you get both 1651 * vtag and seq number the same twice in a row.. but 1652 * is much less likely. If it did happen then we 1653 * would proceed through and bring up the assoc.. we 1654 * may end up with the wrong stream setup however.. 1655 * which would be bad.. but there is no way to 1656 * tell.. until we send on a stream that does not 1657 * exist :-) 1658 */ 1659 if (how_indx < sizeof(asoc->cookie_how)) 1660 asoc->cookie_how[how_indx] = 7; 1661 1662 return (NULL); 1663 } 1664 if (how_indx < sizeof(asoc->cookie_how)) 1665 asoc->cookie_how[how_indx] = 8; 1666 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1667 sctp_stop_all_cookie_timers(stcb); 1668 /* 1669 * since we did not send a HB make sure we don't double 1670 * things 1671 */ 1672 net->hb_responded = 1; 1673 if (stcb->asoc.sctp_autoclose_ticks && 1674 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1675 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1676 NULL); 1677 } 1678 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1679 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1680 1681 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1682 /* 1683 * Ok the peer probably discarded our data (if we 1684 * echoed a cookie+data). So anything on the 1685 * sent_queue should be marked for retransmit, we 1686 * may not get something to kick us so it COULD 1687 * still take a timeout to move these.. but it can't 1688 * hurt to mark them. 1689 */ 1690 struct sctp_tmit_chunk *chk; 1691 1692 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1693 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1694 chk->sent = SCTP_DATAGRAM_RESEND; 1695 sctp_flight_size_decrease(chk); 1696 sctp_total_flight_decrease(stcb, chk); 1697 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1698 spec_flag++; 1699 } 1700 } 1701 1702 } 1703 /* process the INIT info (peer's info) */ 1704 retval = sctp_process_init(init_cp, stcb, net); 1705 if (retval < 0) { 1706 if (how_indx < sizeof(asoc->cookie_how)) 1707 asoc->cookie_how[how_indx] = 9; 1708 return (NULL); 1709 } 1710 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1711 init_offset + sizeof(struct sctp_init_chunk), 1712 initack_offset, sh, init_src)) { 1713 if (how_indx < sizeof(asoc->cookie_how)) 1714 asoc->cookie_how[how_indx] = 10; 1715 return (NULL); 1716 } 1717 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1718 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1719 *notification = SCTP_NOTIFY_ASSOC_UP; 1720 1721 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1722 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1723 (inp->sctp_socket->so_qlimit == 0)) { 1724#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1725 struct socket *so; 1726 1727#endif 1728 stcb->sctp_ep->sctp_flags |= 1729 SCTP_PCB_FLAGS_CONNECTED; 1730#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1731 so = SCTP_INP_SO(stcb->sctp_ep); 1732 atomic_add_int(&stcb->asoc.refcnt, 1); 1733 SCTP_TCB_UNLOCK(stcb); 1734 SCTP_SOCKET_LOCK(so, 1); 1735 SCTP_TCB_LOCK(stcb); 1736 atomic_add_int(&stcb->asoc.refcnt, -1); 1737 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1738 SCTP_SOCKET_UNLOCK(so, 1); 1739 return (NULL); 1740 } 1741#endif 1742 soisconnected(stcb->sctp_socket); 1743#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1744 SCTP_SOCKET_UNLOCK(so, 1); 1745#endif 1746 } 1747 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1748 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1749 else 1750 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1751 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1752 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1753 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1754 } else { 1755 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1756 } 1757 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1758 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1759 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1760 stcb->sctp_ep, stcb, asoc->primary_destination); 1761 } 1762 sctp_stop_all_cookie_timers(stcb); 1763 sctp_toss_old_cookies(stcb, asoc); 1764 sctp_send_cookie_ack(stcb); 1765 if (spec_flag) { 1766 /* 1767 * only if we have retrans set do we do this. What 1768 * this call does is get only the COOKIE-ACK out and 1769 * then when we return the normal call to 1770 * sctp_chunk_output will get the retrans out behind 1771 * this. 1772 */ 1773 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED); 1774 } 1775 if (how_indx < sizeof(asoc->cookie_how)) 1776 asoc->cookie_how[how_indx] = 11; 1777 1778 return (stcb); 1779 } 1780 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1781 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1782 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1783 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1784 cookie->tie_tag_peer_vtag != 0) { 1785 struct sctpasochead *head; 1786 1787 if (asoc->peer_supports_nat) { 1788 /* 1789 * This is a gross gross hack. just call the 1790 * cookie_new code since we are allowing a duplicate 1791 * association. I hope this works... 1792 */ 1793 return (sctp_process_cookie_new(m, iphlen, offset, sh, cookie, cookie_len, 1794 inp, netp, init_src, notification, 1795 auth_skipped, auth_offset, auth_len, 1796 vrf_id, port)); 1797 } 1798 /* 1799 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1800 */ 1801 /* temp code */ 1802 if (how_indx < sizeof(asoc->cookie_how)) 1803 asoc->cookie_how[how_indx] = 12; 1804 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1805 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1806 1807 *sac_assoc_id = sctp_get_associd(stcb); 1808 /* notify upper layer */ 1809 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1810 atomic_add_int(&stcb->asoc.refcnt, 1); 1811 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1812 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1813 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1814 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1815 } 1816 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1817 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1818 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1819 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1820 } 1821 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1822 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1823 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1824 stcb->sctp_ep, stcb, asoc->primary_destination); 1825 1826 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1827 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1828 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1829 } 1830 asoc->pre_open_streams = 1831 ntohs(initack_cp->init.num_outbound_streams); 1832 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1833 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1834 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; 1835 1836 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1837 1838 asoc->str_reset_seq_in = asoc->init_seq_number; 1839 1840 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1841 if (asoc->mapping_array) { 1842 memset(asoc->mapping_array, 0, 1843 asoc->mapping_array_size); 1844 } 1845 if (asoc->nr_mapping_array) { 1846 memset(asoc->nr_mapping_array, 0, 1847 asoc->mapping_array_size); 1848 } 1849 SCTP_TCB_UNLOCK(stcb); 1850 SCTP_INP_INFO_WLOCK(); 1851 SCTP_INP_WLOCK(stcb->sctp_ep); 1852 SCTP_TCB_LOCK(stcb); 1853 atomic_add_int(&stcb->asoc.refcnt, -1); 1854 /* send up all the data */ 1855 SCTP_TCB_SEND_LOCK(stcb); 1856 1857 sctp_report_all_outbound(stcb, 1, SCTP_SO_NOT_LOCKED); 1858 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1859 stcb->asoc.strmout[i].stream_no = i; 1860 stcb->asoc.strmout[i].next_sequence_sent = 0; 1861 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1862 } 1863 /* process the INIT-ACK info (my info) */ 1864 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1865 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1866 1867 /* pull from vtag hash */ 1868 LIST_REMOVE(stcb, sctp_asocs); 1869 /* re-insert to new vtag position */ 1870 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1871 SCTP_BASE_INFO(hashasocmark))]; 1872 /* 1873 * put it in the bucket in the vtag hash of assoc's for the 1874 * system 1875 */ 1876 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1877 1878 /* process the INIT info (peer's info) */ 1879 SCTP_TCB_SEND_UNLOCK(stcb); 1880 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1881 SCTP_INP_INFO_WUNLOCK(); 1882 1883 retval = sctp_process_init(init_cp, stcb, net); 1884 if (retval < 0) { 1885 if (how_indx < sizeof(asoc->cookie_how)) 1886 asoc->cookie_how[how_indx] = 13; 1887 1888 return (NULL); 1889 } 1890 /* 1891 * since we did not send a HB make sure we don't double 1892 * things 1893 */ 1894 net->hb_responded = 1; 1895 1896 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1897 init_offset + sizeof(struct sctp_init_chunk), 1898 initack_offset, sh, init_src)) { 1899 if (how_indx < sizeof(asoc->cookie_how)) 1900 asoc->cookie_how[how_indx] = 14; 1901 1902 return (NULL); 1903 } 1904 /* respond with a COOKIE-ACK */ 1905 sctp_stop_all_cookie_timers(stcb); 1906 sctp_toss_old_cookies(stcb, asoc); 1907 sctp_send_cookie_ack(stcb); 1908 if (how_indx < sizeof(asoc->cookie_how)) 1909 asoc->cookie_how[how_indx] = 15; 1910 1911 return (stcb); 1912 } 1913 if (how_indx < sizeof(asoc->cookie_how)) 1914 asoc->cookie_how[how_indx] = 16; 1915 /* all other cases... */ 1916 return (NULL); 1917} 1918 1919 1920/* 1921 * handle a state cookie for a new association m: input packet mbuf chain-- 1922 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1923 * and the cookie signature does not exist offset: offset into mbuf to the 1924 * cookie-echo chunk length: length of the cookie chunk to: where the init 1925 * was from returns a new TCB 1926 */ 1927struct sctp_tcb * 1928sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1929 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1930 struct sctp_inpcb *inp, struct sctp_nets **netp, 1931 struct sockaddr *init_src, int *notification, 1932 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1933 uint32_t vrf_id, uint16_t port) 1934{ 1935 struct sctp_tcb *stcb; 1936 struct sctp_init_chunk *init_cp, init_buf; 1937 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1938 struct sockaddr_storage sa_store; 1939 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1940 struct sockaddr_in *sin; 1941 struct sockaddr_in6 *sin6; 1942 struct sctp_association *asoc; 1943 int chk_length; 1944 int init_offset, initack_offset, initack_limit; 1945 int retval; 1946 int error = 0; 1947 uint32_t old_tag; 1948 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1949 1950#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1951 struct socket *so; 1952 1953 so = SCTP_INP_SO(inp); 1954#endif 1955 1956 /* 1957 * find and validate the INIT chunk in the cookie (peer's info) the 1958 * INIT should start after the cookie-echo header struct (chunk 1959 * header, state cookie header struct) 1960 */ 1961 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1962 init_cp = (struct sctp_init_chunk *) 1963 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1964 (uint8_t *) & init_buf); 1965 if (init_cp == NULL) { 1966 /* could not pull a INIT chunk in cookie */ 1967 SCTPDBG(SCTP_DEBUG_INPUT1, 1968 "process_cookie_new: could not pull INIT chunk hdr\n"); 1969 return (NULL); 1970 } 1971 chk_length = ntohs(init_cp->ch.chunk_length); 1972 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1973 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n"); 1974 return (NULL); 1975 } 1976 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1977 /* 1978 * find and validate the INIT-ACK chunk in the cookie (my info) the 1979 * INIT-ACK follows the INIT chunk 1980 */ 1981 initack_cp = (struct sctp_init_ack_chunk *) 1982 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1983 (uint8_t *) & initack_buf); 1984 if (initack_cp == NULL) { 1985 /* could not pull INIT-ACK chunk in cookie */ 1986 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1987 return (NULL); 1988 } 1989 chk_length = ntohs(initack_cp->ch.chunk_length); 1990 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1991 return (NULL); 1992 } 1993 /* 1994 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1995 * "initack_limit" value. This is because the chk_length field 1996 * includes the length of the cookie, but the cookie is omitted when 1997 * the INIT and INIT_ACK are tacked onto the cookie... 1998 */ 1999 initack_limit = offset + cookie_len; 2000 2001 /* 2002 * now that we know the INIT/INIT-ACK are in place, create a new TCB 2003 * and popluate 2004 */ 2005 2006 /* 2007 * Here we do a trick, we set in NULL for the proc/thread argument. 2008 * We do this since in effect we only use the p argument when the 2009 * socket is unbound and we must do an implicit bind. Since we are 2010 * getting a cookie, we cannot be unbound. 2011 */ 2012 stcb = sctp_aloc_assoc(inp, init_src, &error, 2013 ntohl(initack_cp->init.initiate_tag), vrf_id, 2014 (struct thread *)NULL 2015 ); 2016 if (stcb == NULL) { 2017 struct mbuf *op_err; 2018 2019 /* memory problem? */ 2020 SCTPDBG(SCTP_DEBUG_INPUT1, 2021 "process_cookie_new: no room for another TCB!\n"); 2022 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2023 2024 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 2025 sh, op_err, vrf_id, port); 2026 return (NULL); 2027 } 2028 /* get the correct sctp_nets */ 2029 if (netp) 2030 *netp = sctp_findnet(stcb, init_src); 2031 2032 asoc = &stcb->asoc; 2033 /* get scope variables out of cookie */ 2034 asoc->ipv4_local_scope = cookie->ipv4_scope; 2035 asoc->site_scope = cookie->site_scope; 2036 asoc->local_scope = cookie->local_scope; 2037 asoc->loopback_scope = cookie->loopback_scope; 2038 2039 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 2040 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 2041 struct mbuf *op_err; 2042 2043 /* 2044 * Houston we have a problem. The EP changed while the 2045 * cookie was in flight. Only recourse is to abort the 2046 * association. 2047 */ 2048 atomic_add_int(&stcb->asoc.refcnt, 1); 2049 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2050 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 2051 sh, op_err, vrf_id, port); 2052#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2053 SCTP_TCB_UNLOCK(stcb); 2054 SCTP_SOCKET_LOCK(so, 1); 2055 SCTP_TCB_LOCK(stcb); 2056#endif 2057 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 2058 SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 2059#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2060 SCTP_SOCKET_UNLOCK(so, 1); 2061#endif 2062 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2063 return (NULL); 2064 } 2065 /* process the INIT-ACK info (my info) */ 2066 old_tag = asoc->my_vtag; 2067 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 2068 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 2069 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 2070 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 2071 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 2072 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; 2073 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 2074 asoc->str_reset_seq_in = asoc->init_seq_number; 2075 2076 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 2077 2078 /* process the INIT info (peer's info) */ 2079 if (netp) 2080 retval = sctp_process_init(init_cp, stcb, *netp); 2081 else 2082 retval = 0; 2083 if (retval < 0) { 2084 atomic_add_int(&stcb->asoc.refcnt, 1); 2085#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2086 SCTP_TCB_UNLOCK(stcb); 2087 SCTP_SOCKET_LOCK(so, 1); 2088 SCTP_TCB_LOCK(stcb); 2089#endif 2090 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 2091#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2092 SCTP_SOCKET_UNLOCK(so, 1); 2093#endif 2094 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2095 return (NULL); 2096 } 2097 /* load all addresses */ 2098 if (sctp_load_addresses_from_init(stcb, m, iphlen, 2099 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 2100 init_src)) { 2101 atomic_add_int(&stcb->asoc.refcnt, 1); 2102#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2103 SCTP_TCB_UNLOCK(stcb); 2104 SCTP_SOCKET_LOCK(so, 1); 2105 SCTP_TCB_LOCK(stcb); 2106#endif 2107 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 2108#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2109 SCTP_SOCKET_UNLOCK(so, 1); 2110#endif 2111 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2112 return (NULL); 2113 } 2114 /* 2115 * verify any preceding AUTH chunk that was skipped 2116 */ 2117 /* pull the local authentication parameters from the cookie/init-ack */ 2118 sctp_auth_get_cookie_params(stcb, m, 2119 initack_offset + sizeof(struct sctp_init_ack_chunk), 2120 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 2121 if (auth_skipped) { 2122 struct sctp_auth_chunk *auth; 2123 2124 auth = (struct sctp_auth_chunk *) 2125 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 2126 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { 2127 /* auth HMAC failed, dump the assoc and packet */ 2128 SCTPDBG(SCTP_DEBUG_AUTH1, 2129 "COOKIE-ECHO: AUTH failed\n"); 2130 atomic_add_int(&stcb->asoc.refcnt, 1); 2131#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2132 SCTP_TCB_UNLOCK(stcb); 2133 SCTP_SOCKET_LOCK(so, 1); 2134 SCTP_TCB_LOCK(stcb); 2135#endif 2136 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 2137#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2138 SCTP_SOCKET_UNLOCK(so, 1); 2139#endif 2140 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2141 return (NULL); 2142 } else { 2143 /* remaining chunks checked... good to go */ 2144 stcb->asoc.authenticated = 1; 2145 } 2146 } 2147 /* update current state */ 2148 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2149 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 2150 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2151 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2152 stcb->sctp_ep, stcb, asoc->primary_destination); 2153 } 2154 sctp_stop_all_cookie_timers(stcb); 2155 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 2156 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2157 2158 /* 2159 * if we're doing ASCONFs, check to see if we have any new local 2160 * addresses that need to get added to the peer (eg. addresses 2161 * changed while cookie echo in flight). This needs to be done 2162 * after we go to the OPEN state to do the correct asconf 2163 * processing. else, make sure we have the correct addresses in our 2164 * lists 2165 */ 2166 2167 /* warning, we re-use sin, sin6, sa_store here! */ 2168 /* pull in local_address (our "from" address) */ 2169 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 2170 /* source addr is IPv4 */ 2171 sin = (struct sockaddr_in *)initack_src; 2172 memset(sin, 0, sizeof(*sin)); 2173 sin->sin_family = AF_INET; 2174 sin->sin_len = sizeof(struct sockaddr_in); 2175 sin->sin_addr.s_addr = cookie->laddress[0]; 2176 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 2177 /* source addr is IPv6 */ 2178 sin6 = (struct sockaddr_in6 *)initack_src; 2179 memset(sin6, 0, sizeof(*sin6)); 2180 sin6->sin6_family = AF_INET6; 2181 sin6->sin6_len = sizeof(struct sockaddr_in6); 2182 sin6->sin6_scope_id = cookie->scope_id; 2183 memcpy(&sin6->sin6_addr, cookie->laddress, 2184 sizeof(sin6->sin6_addr)); 2185 } else { 2186 atomic_add_int(&stcb->asoc.refcnt, 1); 2187#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2188 SCTP_TCB_UNLOCK(stcb); 2189 SCTP_SOCKET_LOCK(so, 1); 2190 SCTP_TCB_LOCK(stcb); 2191#endif 2192 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 2193#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2194 SCTP_SOCKET_UNLOCK(so, 1); 2195#endif 2196 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2197 return (NULL); 2198 } 2199 2200 /* set up to notify upper layer */ 2201 *notification = SCTP_NOTIFY_ASSOC_UP; 2202 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2203 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 2204 (inp->sctp_socket->so_qlimit == 0)) { 2205 /* 2206 * This is an endpoint that called connect() how it got a 2207 * cookie that is NEW is a bit of a mystery. It must be that 2208 * the INIT was sent, but before it got there.. a complete 2209 * INIT/INIT-ACK/COOKIE arrived. But of course then it 2210 * should have went to the other code.. not here.. oh well.. 2211 * a bit of protection is worth having.. 2212 */ 2213 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2214#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2215 atomic_add_int(&stcb->asoc.refcnt, 1); 2216 SCTP_TCB_UNLOCK(stcb); 2217 SCTP_SOCKET_LOCK(so, 1); 2218 SCTP_TCB_LOCK(stcb); 2219 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2220 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 2221 SCTP_SOCKET_UNLOCK(so, 1); 2222 return (NULL); 2223 } 2224#endif 2225 soisconnected(stcb->sctp_socket); 2226#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2227 SCTP_SOCKET_UNLOCK(so, 1); 2228#endif 2229 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 2230 (inp->sctp_socket->so_qlimit)) { 2231 /* 2232 * We don't want to do anything with this one. Since it is 2233 * the listening guy. The timer will get started for 2234 * accepted connections in the caller. 2235 */ 2236 ; 2237 } 2238 /* since we did not send a HB make sure we don't double things */ 2239 if ((netp) && (*netp)) 2240 (*netp)->hb_responded = 1; 2241 2242 if (stcb->asoc.sctp_autoclose_ticks && 2243 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2244 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 2245 } 2246 /* calculate the RTT */ 2247 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 2248 if ((netp) && (*netp)) { 2249 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 2250 &cookie->time_entered, sctp_align_unsafe_makecopy, 2251 SCTP_DETERMINE_LL_NOTOK); 2252 } 2253 /* respond with a COOKIE-ACK */ 2254 sctp_send_cookie_ack(stcb); 2255 2256 /* 2257 * check the address lists for any ASCONFs that need to be sent 2258 * AFTER the cookie-ack is sent 2259 */ 2260 sctp_check_address_list(stcb, m, 2261 initack_offset + sizeof(struct sctp_init_ack_chunk), 2262 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 2263 initack_src, cookie->local_scope, cookie->site_scope, 2264 cookie->ipv4_scope, cookie->loopback_scope); 2265 2266 2267 return (stcb); 2268} 2269 2270/* 2271 * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e 2272 * we NEED to make sure we are not already using the vtag. If so we 2273 * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit! 2274 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag, 2275 SCTP_BASE_INFO(hashasocmark))]; 2276 LIST_FOREACH(stcb, head, sctp_asocs) { 2277 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep)) { 2278 -- SEND ABORT - TRY AGAIN -- 2279 } 2280 } 2281*/ 2282 2283/* 2284 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 2285 * existing (non-NULL) TCB 2286 */ 2287static struct mbuf * 2288sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 2289 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 2290 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 2291 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 2292 struct sctp_tcb **locked_tcb, uint32_t vrf_id, uint16_t port) 2293{ 2294 struct sctp_state_cookie *cookie; 2295 struct sockaddr_in6 sin6; 2296 struct sockaddr_in sin; 2297 struct sctp_tcb *l_stcb = *stcb; 2298 struct sctp_inpcb *l_inp; 2299 struct sockaddr *to; 2300 sctp_assoc_t sac_restart_id; 2301 struct sctp_pcb *ep; 2302 struct mbuf *m_sig; 2303 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 2304 uint8_t *sig; 2305 uint8_t cookie_ok = 0; 2306 unsigned int size_of_pkt, sig_offset, cookie_offset; 2307 unsigned int cookie_len; 2308 struct timeval now; 2309 struct timeval time_expires; 2310 struct sockaddr_storage dest_store; 2311 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 2312 struct ip *iph; 2313 int notification = 0; 2314 struct sctp_nets *netl; 2315 int had_a_existing_tcb = 0; 2316 int send_int_conf = 0; 2317 2318 SCTPDBG(SCTP_DEBUG_INPUT2, 2319 "sctp_handle_cookie: handling COOKIE-ECHO\n"); 2320 2321 if (inp_p == NULL) { 2322 return (NULL); 2323 } 2324 /* First get the destination address setup too. */ 2325 iph = mtod(m, struct ip *); 2326 switch (iph->ip_v) { 2327 case IPVERSION: 2328 { 2329 /* its IPv4 */ 2330 struct sockaddr_in *lsin; 2331 2332 lsin = (struct sockaddr_in *)(localep_sa); 2333 memset(lsin, 0, sizeof(*lsin)); 2334 lsin->sin_family = AF_INET; 2335 lsin->sin_len = sizeof(*lsin); 2336 lsin->sin_port = sh->dest_port; 2337 lsin->sin_addr.s_addr = iph->ip_dst.s_addr; 2338 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 2339 break; 2340 } 2341#ifdef INET6 2342 case IPV6_VERSION >> 4: 2343 { 2344 /* its IPv6 */ 2345 struct ip6_hdr *ip6; 2346 struct sockaddr_in6 *lsin6; 2347 2348 lsin6 = (struct sockaddr_in6 *)(localep_sa); 2349 memset(lsin6, 0, sizeof(*lsin6)); 2350 lsin6->sin6_family = AF_INET6; 2351 lsin6->sin6_len = sizeof(struct sockaddr_in6); 2352 ip6 = mtod(m, struct ip6_hdr *); 2353 lsin6->sin6_port = sh->dest_port; 2354 lsin6->sin6_addr = ip6->ip6_dst; 2355 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 2356 break; 2357 } 2358#endif 2359 default: 2360 return (NULL); 2361 } 2362 2363 cookie = &cp->cookie; 2364 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 2365 cookie_len = ntohs(cp->ch.chunk_length); 2366 2367 if ((cookie->peerport != sh->src_port) && 2368 (cookie->myport != sh->dest_port) && 2369 (cookie->my_vtag != sh->v_tag)) { 2370 /* 2371 * invalid ports or bad tag. Note that we always leave the 2372 * v_tag in the header in network order and when we stored 2373 * it in the my_vtag slot we also left it in network order. 2374 * This maintains the match even though it may be in the 2375 * opposite byte order of the machine :-> 2376 */ 2377 return (NULL); 2378 } 2379 if (cookie_len > size_of_pkt || 2380 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 2381 sizeof(struct sctp_init_chunk) + 2382 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 2383 /* cookie too long! or too small */ 2384 return (NULL); 2385 } 2386 /* 2387 * split off the signature into its own mbuf (since it should not be 2388 * calculated in the sctp_hmac_m() call). 2389 */ 2390 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 2391 if (sig_offset > size_of_pkt) { 2392 /* packet not correct size! */ 2393 /* XXX this may already be accounted for earlier... */ 2394 return (NULL); 2395 } 2396 m_sig = m_split(m, sig_offset, M_DONTWAIT); 2397 if (m_sig == NULL) { 2398 /* out of memory or ?? */ 2399 return (NULL); 2400 } 2401#ifdef SCTP_MBUF_LOGGING 2402 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 2403 struct mbuf *mat; 2404 2405 mat = m_sig; 2406 while (mat) { 2407 if (SCTP_BUF_IS_EXTENDED(mat)) { 2408 sctp_log_mb(mat, SCTP_MBUF_SPLIT); 2409 } 2410 mat = SCTP_BUF_NEXT(mat); 2411 } 2412 } 2413#endif 2414 2415 /* 2416 * compute the signature/digest for the cookie 2417 */ 2418 ep = &(*inp_p)->sctp_ep; 2419 l_inp = *inp_p; 2420 if (l_stcb) { 2421 SCTP_TCB_UNLOCK(l_stcb); 2422 } 2423 SCTP_INP_RLOCK(l_inp); 2424 if (l_stcb) { 2425 SCTP_TCB_LOCK(l_stcb); 2426 } 2427 /* which cookie is it? */ 2428 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 2429 (ep->current_secret_number != ep->last_secret_number)) { 2430 /* it's the old cookie */ 2431 (void)sctp_hmac_m(SCTP_HMAC, 2432 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 2433 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2434 } else { 2435 /* it's the current cookie */ 2436 (void)sctp_hmac_m(SCTP_HMAC, 2437 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 2438 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2439 } 2440 /* get the signature */ 2441 SCTP_INP_RUNLOCK(l_inp); 2442 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 2443 if (sig == NULL) { 2444 /* couldn't find signature */ 2445 sctp_m_freem(m_sig); 2446 return (NULL); 2447 } 2448 /* compare the received digest with the computed digest */ 2449 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 2450 /* try the old cookie? */ 2451 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 2452 (ep->current_secret_number != ep->last_secret_number)) { 2453 /* compute digest with old */ 2454 (void)sctp_hmac_m(SCTP_HMAC, 2455 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 2456 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2457 /* compare */ 2458 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 2459 cookie_ok = 1; 2460 } 2461 } else { 2462 cookie_ok = 1; 2463 } 2464 2465 /* 2466 * Now before we continue we must reconstruct our mbuf so that 2467 * normal processing of any other chunks will work. 2468 */ 2469 { 2470 struct mbuf *m_at; 2471 2472 m_at = m; 2473 while (SCTP_BUF_NEXT(m_at) != NULL) { 2474 m_at = SCTP_BUF_NEXT(m_at); 2475 } 2476 SCTP_BUF_NEXT(m_at) = m_sig; 2477 } 2478 2479 if (cookie_ok == 0) { 2480 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n"); 2481 SCTPDBG(SCTP_DEBUG_INPUT2, 2482 "offset = %u, cookie_offset = %u, sig_offset = %u\n", 2483 (uint32_t) offset, cookie_offset, sig_offset); 2484 return (NULL); 2485 } 2486 /* 2487 * check the cookie timestamps to be sure it's not stale 2488 */ 2489 (void)SCTP_GETTIME_TIMEVAL(&now); 2490 /* Expire time is in Ticks, so we convert to seconds */ 2491 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life); 2492 time_expires.tv_usec = cookie->time_entered.tv_usec; 2493 /* 2494 * TODO sctp_constants.h needs alternative time macros when _KERNEL 2495 * is undefined. 2496 */ 2497 if (timevalcmp(&now, &time_expires, >)) { 2498 /* cookie is stale! */ 2499 struct mbuf *op_err; 2500 struct sctp_stale_cookie_msg *scm; 2501 uint32_t tim; 2502 2503 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 2504 0, M_DONTWAIT, 1, MT_DATA); 2505 if (op_err == NULL) { 2506 /* FOOBAR */ 2507 return (NULL); 2508 } 2509 /* Set the len */ 2510 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 2511 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 2512 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 2513 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 2514 (sizeof(uint32_t)))); 2515 /* seconds to usec */ 2516 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2517 /* add in usec */ 2518 if (tim == 0) 2519 tim = now.tv_usec - cookie->time_entered.tv_usec; 2520 scm->time_usec = htonl(tim); 2521 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 2522 vrf_id, port); 2523 return (NULL); 2524 } 2525 /* 2526 * Now we must see with the lookup address if we have an existing 2527 * asoc. This will only happen if we were in the COOKIE-WAIT state 2528 * and a INIT collided with us and somewhere the peer sent the 2529 * cookie on another address besides the single address our assoc 2530 * had for him. In this case we will have one of the tie-tags set at 2531 * least AND the address field in the cookie can be used to look it 2532 * up. 2533 */ 2534 to = NULL; 2535 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 2536 memset(&sin6, 0, sizeof(sin6)); 2537 sin6.sin6_family = AF_INET6; 2538 sin6.sin6_len = sizeof(sin6); 2539 sin6.sin6_port = sh->src_port; 2540 sin6.sin6_scope_id = cookie->scope_id; 2541 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2542 sizeof(sin6.sin6_addr.s6_addr)); 2543 to = (struct sockaddr *)&sin6; 2544 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2545 memset(&sin, 0, sizeof(sin)); 2546 sin.sin_family = AF_INET; 2547 sin.sin_len = sizeof(sin); 2548 sin.sin_port = sh->src_port; 2549 sin.sin_addr.s_addr = cookie->address[0]; 2550 to = (struct sockaddr *)&sin; 2551 } else { 2552 /* This should not happen */ 2553 return (NULL); 2554 } 2555 if ((*stcb == NULL) && to) { 2556 /* Yep, lets check */ 2557 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2558 if (*stcb == NULL) { 2559 /* 2560 * We should have only got back the same inp. If we 2561 * got back a different ep we have a problem. The 2562 * original findep got back l_inp and now 2563 */ 2564 if (l_inp != *inp_p) { 2565 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n"); 2566 } 2567 } else { 2568 if (*locked_tcb == NULL) { 2569 /* 2570 * In this case we found the assoc only 2571 * after we locked the create lock. This 2572 * means we are in a colliding case and we 2573 * must make sure that we unlock the tcb if 2574 * its one of the cases where we throw away 2575 * the incoming packets. 2576 */ 2577 *locked_tcb = *stcb; 2578 2579 /* 2580 * We must also increment the inp ref count 2581 * since the ref_count flags was set when we 2582 * did not find the TCB, now we found it 2583 * which reduces the refcount.. we must 2584 * raise it back out to balance it all :-) 2585 */ 2586 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2587 if ((*stcb)->sctp_ep != l_inp) { 2588 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n", 2589 (*stcb)->sctp_ep, l_inp); 2590 } 2591 } 2592 } 2593 } 2594 if (to == NULL) { 2595 return (NULL); 2596 } 2597 cookie_len -= SCTP_SIGNATURE_SIZE; 2598 if (*stcb == NULL) { 2599 /* this is the "normal" case... get a new TCB */ 2600 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2601 cookie_len, *inp_p, netp, to, ¬ification, 2602 auth_skipped, auth_offset, auth_len, vrf_id, port); 2603 } else { 2604 /* this is abnormal... cookie-echo on existing TCB */ 2605 had_a_existing_tcb = 1; 2606 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2607 cookie, cookie_len, *inp_p, *stcb, netp, to, 2608 ¬ification, &sac_restart_id, vrf_id, auth_skipped, auth_offset, auth_len, port); 2609 } 2610 2611 if (*stcb == NULL) { 2612 /* still no TCB... must be bad cookie-echo */ 2613 return (NULL); 2614 } 2615 /* 2616 * Ok, we built an association so confirm the address we sent the 2617 * INIT-ACK to. 2618 */ 2619 netl = sctp_findnet(*stcb, to); 2620 /* 2621 * This code should in theory NOT run but 2622 */ 2623 if (netl == NULL) { 2624 /* TSNH! Huh, why do I need to add this address here? */ 2625 int ret; 2626 2627 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2628 SCTP_IN_COOKIE_PROC); 2629 netl = sctp_findnet(*stcb, to); 2630 } 2631 if (netl) { 2632 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2633 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2634 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2635 netl); 2636 send_int_conf = 1; 2637 } 2638 } 2639 if (*stcb) { 2640 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2641 *stcb, NULL); 2642 } 2643 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2644 if (!had_a_existing_tcb || 2645 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2646 /* 2647 * If we have a NEW cookie or the connect never 2648 * reached the connected state during collision we 2649 * must do the TCP accept thing. 2650 */ 2651 struct socket *so, *oso; 2652 struct sctp_inpcb *inp; 2653 2654 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2655 /* 2656 * For a restart we will keep the same 2657 * socket, no need to do anything. I THINK!! 2658 */ 2659 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id, SCTP_SO_NOT_LOCKED); 2660 if (send_int_conf) { 2661 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2662 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2663 } 2664 return (m); 2665 } 2666 oso = (*inp_p)->sctp_socket; 2667 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2668 SCTP_TCB_UNLOCK((*stcb)); 2669 so = sonewconn(oso, 0 2670 ); 2671 SCTP_TCB_LOCK((*stcb)); 2672 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2673 2674 if (so == NULL) { 2675 struct mbuf *op_err; 2676 2677#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2678 struct socket *pcb_so; 2679 2680#endif 2681 /* Too many sockets */ 2682 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n"); 2683 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2684 sctp_abort_association(*inp_p, NULL, m, iphlen, 2685 sh, op_err, vrf_id, port); 2686#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2687 pcb_so = SCTP_INP_SO(*inp_p); 2688 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2689 SCTP_TCB_UNLOCK((*stcb)); 2690 SCTP_SOCKET_LOCK(pcb_so, 1); 2691 SCTP_TCB_LOCK((*stcb)); 2692 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2693#endif 2694 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2695#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2696 SCTP_SOCKET_UNLOCK(pcb_so, 1); 2697#endif 2698 return (NULL); 2699 } 2700 inp = (struct sctp_inpcb *)so->so_pcb; 2701 SCTP_INP_INCR_REF(inp); 2702 /* 2703 * We add the unbound flag here so that if we get an 2704 * soabort() before we get the move_pcb done, we 2705 * will properly cleanup. 2706 */ 2707 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2708 SCTP_PCB_FLAGS_CONNECTED | 2709 SCTP_PCB_FLAGS_IN_TCPPOOL | 2710 SCTP_PCB_FLAGS_UNBOUND | 2711 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2712 SCTP_PCB_FLAGS_DONT_WAKE); 2713 inp->sctp_features = (*inp_p)->sctp_features; 2714 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features; 2715 inp->sctp_socket = so; 2716 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2717 inp->sctp_cmt_on_off = (*inp_p)->sctp_cmt_on_off; 2718 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2719 inp->sctp_context = (*inp_p)->sctp_context; 2720 inp->inp_starting_point_for_iterator = NULL; 2721 /* 2722 * copy in the authentication parameters from the 2723 * original endpoint 2724 */ 2725 if (inp->sctp_ep.local_hmacs) 2726 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2727 inp->sctp_ep.local_hmacs = 2728 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2729 if (inp->sctp_ep.local_auth_chunks) 2730 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2731 inp->sctp_ep.local_auth_chunks = 2732 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2733 2734 /* 2735 * Now we must move it from one hash table to 2736 * another and get the tcb in the right place. 2737 */ 2738 2739 /* 2740 * This is where the one-2-one socket is put into 2741 * the accept state waiting for the accept! 2742 */ 2743 if (*stcb) { 2744 (*stcb)->asoc.state |= SCTP_STATE_IN_ACCEPT_QUEUE; 2745 } 2746 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2747 2748 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2749 SCTP_TCB_UNLOCK((*stcb)); 2750 2751 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, 2752 0); 2753 SCTP_TCB_LOCK((*stcb)); 2754 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2755 2756 2757 /* 2758 * now we must check to see if we were aborted while 2759 * the move was going on and the lock/unlock 2760 * happened. 2761 */ 2762 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2763 /* 2764 * yep it was, we leave the assoc attached 2765 * to the socket since the sctp_inpcb_free() 2766 * call will send an abort for us. 2767 */ 2768 SCTP_INP_DECR_REF(inp); 2769 return (NULL); 2770 } 2771 SCTP_INP_DECR_REF(inp); 2772 /* Switch over to the new guy */ 2773 *inp_p = inp; 2774 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2775 if (send_int_conf) { 2776 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2777 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2778 } 2779 /* 2780 * Pull it from the incomplete queue and wake the 2781 * guy 2782 */ 2783#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2784 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2785 SCTP_TCB_UNLOCK((*stcb)); 2786 SCTP_SOCKET_LOCK(so, 1); 2787#endif 2788 soisconnected(so); 2789#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2790 SCTP_TCB_LOCK((*stcb)); 2791 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2792 SCTP_SOCKET_UNLOCK(so, 1); 2793#endif 2794 return (m); 2795 } 2796 } 2797 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE) { 2798 if (notification) { 2799 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2800 } 2801 if (send_int_conf) { 2802 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2803 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2804 } 2805 } 2806 return (m); 2807} 2808 2809static void 2810sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2811 struct sctp_tcb *stcb, struct sctp_nets *net) 2812{ 2813 /* cp must not be used, others call this without a c-ack :-) */ 2814 struct sctp_association *asoc; 2815 2816 SCTPDBG(SCTP_DEBUG_INPUT2, 2817 "sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2818 if (stcb == NULL) 2819 return; 2820 2821 asoc = &stcb->asoc; 2822 2823 sctp_stop_all_cookie_timers(stcb); 2824 /* process according to association state */ 2825 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2826 /* state change only needed when I am in right state */ 2827 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2828 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 2829 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2830 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2831 stcb->sctp_ep, stcb, asoc->primary_destination); 2832 2833 } 2834 /* update RTO */ 2835 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2836 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2837 if (asoc->overall_error_count == 0) { 2838 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2839 &asoc->time_entered, sctp_align_safe_nocopy, 2840 SCTP_DETERMINE_LL_NOTOK); 2841 } 2842 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2843 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2844 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2845 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2846#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2847 struct socket *so; 2848 2849#endif 2850 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2851#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2852 so = SCTP_INP_SO(stcb->sctp_ep); 2853 atomic_add_int(&stcb->asoc.refcnt, 1); 2854 SCTP_TCB_UNLOCK(stcb); 2855 SCTP_SOCKET_LOCK(so, 1); 2856 SCTP_TCB_LOCK(stcb); 2857 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2858 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 2859 SCTP_SOCKET_UNLOCK(so, 1); 2860 return; 2861 } 2862#endif 2863 soisconnected(stcb->sctp_socket); 2864#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2865 SCTP_SOCKET_UNLOCK(so, 1); 2866#endif 2867 } 2868 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2869 stcb, net); 2870 /* 2871 * since we did not send a HB make sure we don't double 2872 * things 2873 */ 2874 net->hb_responded = 1; 2875 2876 if (stcb->asoc.sctp_autoclose_ticks && 2877 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2878 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2879 stcb->sctp_ep, stcb, NULL); 2880 } 2881 /* 2882 * send ASCONF if parameters are pending and ASCONFs are 2883 * allowed (eg. addresses changed when init/cookie echo were 2884 * in flight) 2885 */ 2886 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2887 (stcb->asoc.peer_supports_asconf) && 2888 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2889#ifdef SCTP_TIMER_BASED_ASCONF 2890 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2891 stcb->sctp_ep, stcb, 2892 stcb->asoc.primary_destination); 2893#else 2894 sctp_send_asconf(stcb, stcb->asoc.primary_destination, 2895 SCTP_ADDR_NOT_LOCKED); 2896#endif 2897 } 2898 } 2899 /* Toss the cookie if I can */ 2900 sctp_toss_old_cookies(stcb, asoc); 2901 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2902 /* Restart the timer if we have pending data */ 2903 struct sctp_tmit_chunk *chk; 2904 2905 chk = TAILQ_FIRST(&asoc->sent_queue); 2906 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo); 2907 } 2908} 2909 2910static void 2911sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2912 struct sctp_tcb *stcb) 2913{ 2914 struct sctp_nets *net; 2915 struct sctp_tmit_chunk *lchk; 2916 struct sctp_ecne_chunk bkup; 2917 uint8_t override_bit = 0; 2918 uint32_t tsn, window_data_tsn; 2919 int len; 2920 int pkt_cnt; 2921 2922 len = ntohs(cp->ch.chunk_length); 2923 if ((len != sizeof(struct sctp_ecne_chunk)) && 2924 (len != sizeof(struct old_sctp_ecne_chunk))) { 2925 return; 2926 } 2927 if (len == sizeof(struct old_sctp_ecne_chunk)) { 2928 /* Its the old format */ 2929 memcpy(&bkup, cp, sizeof(struct old_sctp_ecne_chunk)); 2930 bkup.num_pkts_since_cwr = htonl(1); 2931 cp = &bkup; 2932 } 2933 SCTP_STAT_INCR(sctps_recvecne); 2934 tsn = ntohl(cp->tsn); 2935 pkt_cnt = ntohl(cp->num_pkts_since_cwr); 2936 lchk = TAILQ_LAST(&stcb->asoc.send_queue, sctpchunk_listhead); 2937 if (lchk == NULL) { 2938 window_data_tsn = stcb->asoc.sending_seq - 1; 2939 } else { 2940 window_data_tsn = lchk->rec.data.TSN_seq; 2941 } 2942 2943 /* Find where it was sent to if possible. */ 2944 net = NULL; 2945 TAILQ_FOREACH(lchk, &stcb->asoc.sent_queue, sctp_next) { 2946 if (lchk->rec.data.TSN_seq == tsn) { 2947 net = lchk->whoTo; 2948 net->ecn_prev_cwnd = lchk->rec.data.cwnd_at_send; 2949 break; 2950 } 2951 if (SCTP_TSN_GT(lchk->rec.data.TSN_seq, tsn)) { 2952 break; 2953 } 2954 } 2955 if (net == NULL) { 2956 /* 2957 * What to do. A previous send of a CWR was possibly lost. 2958 * See how old it is, we may have it marked on the actual 2959 * net. 2960 */ 2961 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 2962 if (tsn == net->last_cwr_tsn) { 2963 /* Found him, send it off */ 2964 goto out; 2965 } 2966 } 2967 /* 2968 * If we reach here, we need to send a special CWR that says 2969 * hey, we did this a long time ago and you lost the 2970 * response. 2971 */ 2972 net = TAILQ_FIRST(&stcb->asoc.nets); 2973 override_bit = SCTP_CWR_REDUCE_OVERRIDE; 2974 } 2975out: 2976 if (SCTP_TSN_GT(tsn, net->cwr_window_tsn) && 2977 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) { 2978 /* 2979 * JRS - Use the congestion control given in the pluggable 2980 * CC module 2981 */ 2982 int ocwnd; 2983 2984 ocwnd = net->cwnd; 2985 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 0, pkt_cnt); 2986 /* 2987 * We reduce once every RTT. So we will only lower cwnd at 2988 * the next sending seq i.e. the window_data_tsn 2989 */ 2990 net->cwr_window_tsn = window_data_tsn; 2991 net->ecn_ce_pkt_cnt += pkt_cnt; 2992 net->lost_cnt = pkt_cnt; 2993 net->last_cwr_tsn = tsn; 2994 } else { 2995 override_bit |= SCTP_CWR_IN_SAME_WINDOW; 2996 if (SCTP_TSN_GT(tsn, net->last_cwr_tsn) && 2997 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) { 2998 /* 2999 * Another loss in the same window update how many 3000 * marks/packets lost we have had. 3001 */ 3002 int cnt = 1; 3003 3004 if (pkt_cnt > net->lost_cnt) { 3005 /* Should be the case */ 3006 cnt = (pkt_cnt - net->lost_cnt); 3007 net->ecn_ce_pkt_cnt += cnt; 3008 } 3009 net->lost_cnt = pkt_cnt; 3010 net->last_cwr_tsn = tsn; 3011 /* 3012 * Most CC functions will ignore this call, since we 3013 * are in-window yet of the initial CE the peer saw. 3014 */ 3015 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 1, cnt); 3016 } 3017 } 3018 /* 3019 * We always send a CWR this way if our previous one was lost our 3020 * peer will get an update, or if it is not time again to reduce we 3021 * still get the cwr to the peer. Note we set the override when we 3022 * could not find the TSN on the chunk or the destination network. 3023 */ 3024 sctp_send_cwr(stcb, net, net->last_cwr_tsn, override_bit); 3025} 3026 3027static void 3028sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb, struct sctp_nets *net) 3029{ 3030 /* 3031 * Here we get a CWR from the peer. We must look in the outqueue and 3032 * make sure that we have a covered ECNE in teh control chunk part. 3033 * If so remove it. 3034 */ 3035 struct sctp_tmit_chunk *chk; 3036 struct sctp_ecne_chunk *ecne; 3037 int override; 3038 uint32_t cwr_tsn; 3039 3040 cwr_tsn = ntohl(cp->tsn); 3041 3042 override = cp->ch.chunk_flags & SCTP_CWR_REDUCE_OVERRIDE; 3043 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 3044 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 3045 continue; 3046 } 3047 if ((override == 0) && (chk->whoTo != net)) { 3048 /* Must be from the right src unless override is set */ 3049 continue; 3050 } 3051 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 3052 if (SCTP_TSN_GE(cwr_tsn, ntohl(ecne->tsn))) { 3053 /* this covers this ECNE, we can remove it */ 3054 stcb->asoc.ecn_echo_cnt_onq--; 3055 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 3056 sctp_next); 3057 if (chk->data) { 3058 sctp_m_freem(chk->data); 3059 chk->data = NULL; 3060 } 3061 stcb->asoc.ctrl_queue_cnt--; 3062 sctp_free_a_chunk(stcb, chk); 3063 if (override == 0) { 3064 break; 3065 } 3066 } 3067 } 3068} 3069 3070static void 3071sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 3072 struct sctp_tcb *stcb, struct sctp_nets *net) 3073{ 3074 struct sctp_association *asoc; 3075 3076#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3077 struct socket *so; 3078 3079#endif 3080 3081 SCTPDBG(SCTP_DEBUG_INPUT2, 3082 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 3083 if (stcb == NULL) 3084 return; 3085 3086 asoc = &stcb->asoc; 3087 /* process according to association state */ 3088 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 3089 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 3090 SCTPDBG(SCTP_DEBUG_INPUT2, 3091 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n"); 3092 SCTP_TCB_UNLOCK(stcb); 3093 return; 3094 } 3095 /* notify upper layer protocol */ 3096 if (stcb->sctp_socket) { 3097 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 3098 /* are the queues empty? they should be */ 3099 if (!TAILQ_EMPTY(&asoc->send_queue) || 3100 !TAILQ_EMPTY(&asoc->sent_queue) || 3101 !stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) { 3102 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED); 3103 } 3104 } 3105 /* stop the timer */ 3106 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 3107 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 3108 /* free the TCB */ 3109 SCTPDBG(SCTP_DEBUG_INPUT2, 3110 "sctp_handle_shutdown_complete: calls free-asoc\n"); 3111#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3112 so = SCTP_INP_SO(stcb->sctp_ep); 3113 atomic_add_int(&stcb->asoc.refcnt, 1); 3114 SCTP_TCB_UNLOCK(stcb); 3115 SCTP_SOCKET_LOCK(so, 1); 3116 SCTP_TCB_LOCK(stcb); 3117 atomic_subtract_int(&stcb->asoc.refcnt, 1); 3118#endif 3119 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 3120#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3121 SCTP_SOCKET_UNLOCK(so, 1); 3122#endif 3123 return; 3124} 3125 3126static int 3127process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 3128 struct sctp_nets *net, uint8_t flg) 3129{ 3130 switch (desc->chunk_type) { 3131 case SCTP_DATA: 3132 /* find the tsn to resend (possibly */ 3133 { 3134 uint32_t tsn; 3135 struct sctp_tmit_chunk *tp1; 3136 3137 tsn = ntohl(desc->tsn_ifany); 3138 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3139 if (tp1->rec.data.TSN_seq == tsn) { 3140 /* found it */ 3141 break; 3142 } 3143 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, tsn)) { 3144 /* not found */ 3145 tp1 = NULL; 3146 break; 3147 } 3148 } 3149 if (tp1 == NULL) { 3150 /* 3151 * Do it the other way , aka without paying 3152 * attention to queue seq order. 3153 */ 3154 SCTP_STAT_INCR(sctps_pdrpdnfnd); 3155 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3156 if (tp1->rec.data.TSN_seq == tsn) { 3157 /* found it */ 3158 break; 3159 } 3160 } 3161 } 3162 if (tp1 == NULL) { 3163 SCTP_STAT_INCR(sctps_pdrptsnnf); 3164 } 3165 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 3166 uint8_t *ddp; 3167 3168 if (((flg & SCTP_BADCRC) == 0) && 3169 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 3170 return (0); 3171 } 3172 if ((stcb->asoc.peers_rwnd == 0) && 3173 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 3174 SCTP_STAT_INCR(sctps_pdrpdiwnp); 3175 return (0); 3176 } 3177 if (stcb->asoc.peers_rwnd == 0 && 3178 (flg & SCTP_FROM_MIDDLE_BOX)) { 3179 SCTP_STAT_INCR(sctps_pdrpdizrw); 3180 return (0); 3181 } 3182 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 3183 sizeof(struct sctp_data_chunk)); 3184 { 3185 unsigned int iii; 3186 3187 for (iii = 0; iii < sizeof(desc->data_bytes); 3188 iii++) { 3189 if (ddp[iii] != desc->data_bytes[iii]) { 3190 SCTP_STAT_INCR(sctps_pdrpbadd); 3191 return (-1); 3192 } 3193 } 3194 } 3195 3196 if (tp1->do_rtt) { 3197 /* 3198 * this guy had a RTO calculation 3199 * pending on it, cancel it 3200 */ 3201 tp1->do_rtt = 0; 3202 } 3203 SCTP_STAT_INCR(sctps_pdrpmark); 3204 if (tp1->sent != SCTP_DATAGRAM_RESEND) 3205 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3206 /* 3207 * mark it as if we were doing a FR, since 3208 * we will be getting gap ack reports behind 3209 * the info from the router. 3210 */ 3211 tp1->rec.data.doing_fast_retransmit = 1; 3212 /* 3213 * mark the tsn with what sequences can 3214 * cause a new FR. 3215 */ 3216 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 3217 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 3218 } else { 3219 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 3220 } 3221 3222 /* restart the timer */ 3223 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 3224 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 3225 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 3226 stcb, tp1->whoTo); 3227 3228 /* fix counts and things */ 3229 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3230 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 3231 tp1->whoTo->flight_size, 3232 tp1->book_size, 3233 (uintptr_t) stcb, 3234 tp1->rec.data.TSN_seq); 3235 } 3236 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3237 sctp_flight_size_decrease(tp1); 3238 sctp_total_flight_decrease(stcb, tp1); 3239 } 3240 tp1->sent = SCTP_DATAGRAM_RESEND; 3241 } { 3242 /* audit code */ 3243 unsigned int audit; 3244 3245 audit = 0; 3246 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3247 if (tp1->sent == SCTP_DATAGRAM_RESEND) 3248 audit++; 3249 } 3250 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 3251 sctp_next) { 3252 if (tp1->sent == SCTP_DATAGRAM_RESEND) 3253 audit++; 3254 } 3255 if (audit != stcb->asoc.sent_queue_retran_cnt) { 3256 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n", 3257 audit, stcb->asoc.sent_queue_retran_cnt); 3258#ifndef SCTP_AUDITING_ENABLED 3259 stcb->asoc.sent_queue_retran_cnt = audit; 3260#endif 3261 } 3262 } 3263 } 3264 break; 3265 case SCTP_ASCONF: 3266 { 3267 struct sctp_tmit_chunk *asconf; 3268 3269 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 3270 sctp_next) { 3271 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 3272 break; 3273 } 3274 } 3275 if (asconf) { 3276 if (asconf->sent != SCTP_DATAGRAM_RESEND) 3277 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3278 asconf->sent = SCTP_DATAGRAM_RESEND; 3279 asconf->snd_count--; 3280 } 3281 } 3282 break; 3283 case SCTP_INITIATION: 3284 /* resend the INIT */ 3285 stcb->asoc.dropped_special_cnt++; 3286 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 3287 /* 3288 * If we can get it in, in a few attempts we do 3289 * this, otherwise we let the timer fire. 3290 */ 3291 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 3292 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 3293 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 3294 } 3295 break; 3296 case SCTP_SELECTIVE_ACK: 3297 case SCTP_NR_SELECTIVE_ACK: 3298 /* resend the sack */ 3299 sctp_send_sack(stcb); 3300 break; 3301 case SCTP_HEARTBEAT_REQUEST: 3302 /* resend a demand HB */ 3303 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) { 3304 /* 3305 * Only retransmit if we KNOW we wont destroy the 3306 * tcb 3307 */ 3308 (void)sctp_send_hb(stcb, 1, net); 3309 } 3310 break; 3311 case SCTP_SHUTDOWN: 3312 sctp_send_shutdown(stcb, net); 3313 break; 3314 case SCTP_SHUTDOWN_ACK: 3315 sctp_send_shutdown_ack(stcb, net); 3316 break; 3317 case SCTP_COOKIE_ECHO: 3318 { 3319 struct sctp_tmit_chunk *cookie; 3320 3321 cookie = NULL; 3322 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 3323 sctp_next) { 3324 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 3325 break; 3326 } 3327 } 3328 if (cookie) { 3329 if (cookie->sent != SCTP_DATAGRAM_RESEND) 3330 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3331 cookie->sent = SCTP_DATAGRAM_RESEND; 3332 sctp_stop_all_cookie_timers(stcb); 3333 } 3334 } 3335 break; 3336 case SCTP_COOKIE_ACK: 3337 sctp_send_cookie_ack(stcb); 3338 break; 3339 case SCTP_ASCONF_ACK: 3340 /* resend last asconf ack */ 3341 sctp_send_asconf_ack(stcb); 3342 break; 3343 case SCTP_FORWARD_CUM_TSN: 3344 send_forward_tsn(stcb, &stcb->asoc); 3345 break; 3346 /* can't do anything with these */ 3347 case SCTP_PACKET_DROPPED: 3348 case SCTP_INITIATION_ACK: /* this should not happen */ 3349 case SCTP_HEARTBEAT_ACK: 3350 case SCTP_ABORT_ASSOCIATION: 3351 case SCTP_OPERATION_ERROR: 3352 case SCTP_SHUTDOWN_COMPLETE: 3353 case SCTP_ECN_ECHO: 3354 case SCTP_ECN_CWR: 3355 default: 3356 break; 3357 } 3358 return (0); 3359} 3360 3361void 3362sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 3363{ 3364 int i; 3365 uint16_t temp; 3366 3367 /* 3368 * We set things to 0xffff since this is the last delivered sequence 3369 * and we will be sending in 0 after the reset. 3370 */ 3371 3372 if (number_entries) { 3373 for (i = 0; i < number_entries; i++) { 3374 temp = ntohs(list[i]); 3375 if (temp >= stcb->asoc.streamincnt) { 3376 continue; 3377 } 3378 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 3379 } 3380 } else { 3381 list = NULL; 3382 for (i = 0; i < stcb->asoc.streamincnt; i++) { 3383 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 3384 } 3385 } 3386 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3387} 3388 3389static void 3390sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 3391{ 3392 int i; 3393 3394 if (number_entries == 0) { 3395 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 3396 stcb->asoc.strmout[i].next_sequence_sent = 0; 3397 } 3398 } else if (number_entries) { 3399 for (i = 0; i < number_entries; i++) { 3400 uint16_t temp; 3401 3402 temp = ntohs(list[i]); 3403 if (temp >= stcb->asoc.streamoutcnt) { 3404 /* no such stream */ 3405 continue; 3406 } 3407 stcb->asoc.strmout[temp].next_sequence_sent = 0; 3408 } 3409 } 3410 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3411} 3412 3413 3414struct sctp_stream_reset_out_request * 3415sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 3416{ 3417 struct sctp_association *asoc; 3418 struct sctp_stream_reset_out_req *req; 3419 struct sctp_stream_reset_out_request *r; 3420 struct sctp_tmit_chunk *chk; 3421 int len, clen; 3422 3423 asoc = &stcb->asoc; 3424 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 3425 asoc->stream_reset_outstanding = 0; 3426 return (NULL); 3427 } 3428 if (stcb->asoc.str_reset == NULL) { 3429 asoc->stream_reset_outstanding = 0; 3430 return (NULL); 3431 } 3432 chk = stcb->asoc.str_reset; 3433 if (chk->data == NULL) { 3434 return (NULL); 3435 } 3436 if (bchk) { 3437 /* he wants a copy of the chk pointer */ 3438 *bchk = chk; 3439 } 3440 clen = chk->send_size; 3441 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 3442 r = &req->sr_req; 3443 if (ntohl(r->request_seq) == seq) { 3444 /* found it */ 3445 return (r); 3446 } 3447 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 3448 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 3449 /* move to the next one, there can only be a max of two */ 3450 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 3451 if (ntohl(r->request_seq) == seq) { 3452 return (r); 3453 } 3454 } 3455 /* that seq is not here */ 3456 return (NULL); 3457} 3458 3459static void 3460sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 3461{ 3462 struct sctp_association *asoc; 3463 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 3464 3465 if (stcb->asoc.str_reset == NULL) { 3466 return; 3467 } 3468 asoc = &stcb->asoc; 3469 3470 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3471 TAILQ_REMOVE(&asoc->control_send_queue, 3472 chk, 3473 sctp_next); 3474 if (chk->data) { 3475 sctp_m_freem(chk->data); 3476 chk->data = NULL; 3477 } 3478 asoc->ctrl_queue_cnt--; 3479 sctp_free_a_chunk(stcb, chk); 3480 /* sa_ignore NO_NULL_CHK */ 3481 stcb->asoc.str_reset = NULL; 3482} 3483 3484 3485static int 3486sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 3487 uint32_t seq, uint32_t action, 3488 struct sctp_stream_reset_response *respin) 3489{ 3490 uint16_t type; 3491 int lparm_len; 3492 struct sctp_association *asoc = &stcb->asoc; 3493 struct sctp_tmit_chunk *chk; 3494 struct sctp_stream_reset_out_request *srparam; 3495 int number_entries; 3496 3497 if (asoc->stream_reset_outstanding == 0) { 3498 /* duplicate */ 3499 return (0); 3500 } 3501 if (seq == stcb->asoc.str_reset_seq_out) { 3502 srparam = sctp_find_stream_reset(stcb, seq, &chk); 3503 if (srparam) { 3504 stcb->asoc.str_reset_seq_out++; 3505 type = ntohs(srparam->ph.param_type); 3506 lparm_len = ntohs(srparam->ph.param_length); 3507 if (type == SCTP_STR_RESET_OUT_REQUEST) { 3508 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 3509 asoc->stream_reset_out_is_outstanding = 0; 3510 if (asoc->stream_reset_outstanding) 3511 asoc->stream_reset_outstanding--; 3512 if (action == SCTP_STREAM_RESET_PERFORMED) { 3513 /* do it */ 3514 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 3515 } else { 3516 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); 3517 } 3518 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 3519 /* Answered my request */ 3520 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 3521 if (asoc->stream_reset_outstanding) 3522 asoc->stream_reset_outstanding--; 3523 if (action != SCTP_STREAM_RESET_PERFORMED) { 3524 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); 3525 } 3526 } else if (type == SCTP_STR_RESET_ADD_STREAMS) { 3527 /* Ok we now may have more streams */ 3528 if (asoc->stream_reset_outstanding) 3529 asoc->stream_reset_outstanding--; 3530 if (action == SCTP_STREAM_RESET_PERFORMED) { 3531 /* Put the new streams into effect */ 3532 stcb->asoc.streamoutcnt = stcb->asoc.strm_realoutsize; 3533 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_ADD_OK, stcb, 3534 (uint32_t) stcb->asoc.streamoutcnt, NULL, SCTP_SO_NOT_LOCKED); 3535 } else { 3536 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_ADD_FAIL, stcb, 3537 (uint32_t) stcb->asoc.streamoutcnt, NULL, SCTP_SO_NOT_LOCKED); 3538 } 3539 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 3540 /** 3541 * a) Adopt the new in tsn. 3542 * b) reset the map 3543 * c) Adopt the new out-tsn 3544 */ 3545 struct sctp_stream_reset_response_tsn *resp; 3546 struct sctp_forward_tsn_chunk fwdtsn; 3547 int abort_flag = 0; 3548 3549 if (respin == NULL) { 3550 /* huh ? */ 3551 return (0); 3552 } 3553 if (action == SCTP_STREAM_RESET_PERFORMED) { 3554 resp = (struct sctp_stream_reset_response_tsn *)respin; 3555 asoc->stream_reset_outstanding--; 3556 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3557 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3558 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 3559 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3560 if (abort_flag) { 3561 return (1); 3562 } 3563 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 3564 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 3565 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 3566 } 3567 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3568 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 3569 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3570 3571 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map; 3572 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size); 3573 3574 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 3575 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 3576 3577 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3578 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3579 3580 } 3581 } 3582 /* get rid of the request and get the request flags */ 3583 if (asoc->stream_reset_outstanding == 0) { 3584 sctp_clean_up_stream_reset(stcb); 3585 } 3586 } 3587 } 3588 return (0); 3589} 3590 3591static void 3592sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 3593 struct sctp_tmit_chunk *chk, 3594 struct sctp_stream_reset_in_request *req, int trunc) 3595{ 3596 uint32_t seq; 3597 int len, i; 3598 int number_entries; 3599 uint16_t temp; 3600 3601 /* 3602 * peer wants me to send a str-reset to him for my outgoing seq's if 3603 * seq_in is right. 3604 */ 3605 struct sctp_association *asoc = &stcb->asoc; 3606 3607 seq = ntohl(req->request_seq); 3608 if (asoc->str_reset_seq_in == seq) { 3609 if (trunc) { 3610 /* Can't do it, since they exceeded our buffer size */ 3611 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3612 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3613 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3614 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 3615 len = ntohs(req->ph.param_length); 3616 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 3617 for (i = 0; i < number_entries; i++) { 3618 temp = ntohs(req->list_of_streams[i]); 3619 req->list_of_streams[i] = temp; 3620 } 3621 /* move the reset action back one */ 3622 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3623 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3624 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 3625 asoc->str_reset_seq_out, 3626 seq, (asoc->sending_seq - 1)); 3627 asoc->stream_reset_out_is_outstanding = 1; 3628 asoc->str_reset = chk; 3629 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 3630 stcb->asoc.stream_reset_outstanding++; 3631 } else { 3632 /* Can't do it, since we have sent one out */ 3633 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3634 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 3635 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3636 } 3637 asoc->str_reset_seq_in++; 3638 } else if (asoc->str_reset_seq_in - 1 == seq) { 3639 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3640 } else if (asoc->str_reset_seq_in - 2 == seq) { 3641 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3642 } else { 3643 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3644 } 3645} 3646 3647static int 3648sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 3649 struct sctp_tmit_chunk *chk, 3650 struct sctp_stream_reset_tsn_request *req) 3651{ 3652 /* reset all in and out and update the tsn */ 3653 /* 3654 * A) reset my str-seq's on in and out. B) Select a receive next, 3655 * and set cum-ack to it. Also process this selected number as a 3656 * fwd-tsn as well. C) set in the response my next sending seq. 3657 */ 3658 struct sctp_forward_tsn_chunk fwdtsn; 3659 struct sctp_association *asoc = &stcb->asoc; 3660 int abort_flag = 0; 3661 uint32_t seq; 3662 3663 seq = ntohl(req->request_seq); 3664 if (asoc->str_reset_seq_in == seq) { 3665 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3666 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3667 fwdtsn.ch.chunk_flags = 0; 3668 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3669 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3670 if (abort_flag) { 3671 return (1); 3672 } 3673 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3674 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 3675 sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 3676 } 3677 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3678 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 3679 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3680 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map; 3681 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size); 3682 atomic_add_int(&stcb->asoc.sending_seq, 1); 3683 /* save off historical data for retrans */ 3684 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 3685 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 3686 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 3687 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 3688 3689 sctp_add_stream_reset_result_tsn(chk, 3690 ntohl(req->request_seq), 3691 SCTP_STREAM_RESET_PERFORMED, 3692 stcb->asoc.sending_seq, 3693 stcb->asoc.mapping_array_base_tsn); 3694 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3695 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3696 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3697 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3698 3699 asoc->str_reset_seq_in++; 3700 } else if (asoc->str_reset_seq_in - 1 == seq) { 3701 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3702 stcb->asoc.last_sending_seq[0], 3703 stcb->asoc.last_base_tsnsent[0] 3704 ); 3705 } else if (asoc->str_reset_seq_in - 2 == seq) { 3706 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3707 stcb->asoc.last_sending_seq[1], 3708 stcb->asoc.last_base_tsnsent[1] 3709 ); 3710 } else { 3711 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3712 } 3713 return (0); 3714} 3715 3716static void 3717sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3718 struct sctp_tmit_chunk *chk, 3719 struct sctp_stream_reset_out_request *req, int trunc) 3720{ 3721 uint32_t seq, tsn; 3722 int number_entries, len; 3723 struct sctp_association *asoc = &stcb->asoc; 3724 3725 seq = ntohl(req->request_seq); 3726 3727 /* now if its not a duplicate we process it */ 3728 if (asoc->str_reset_seq_in == seq) { 3729 len = ntohs(req->ph.param_length); 3730 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3731 /* 3732 * the sender is resetting, handle the list issue.. we must 3733 * a) verify if we can do the reset, if so no problem b) If 3734 * we can't do the reset we must copy the request. c) queue 3735 * it, and setup the data in processor to trigger it off 3736 * when needed and dequeue all the queued data. 3737 */ 3738 tsn = ntohl(req->send_reset_at_tsn); 3739 3740 /* move the reset action back one */ 3741 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3742 if (trunc) { 3743 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3744 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3745 } else if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) { 3746 /* we can do it now */ 3747 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3748 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3749 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3750 } else { 3751 /* 3752 * we must queue it up and thus wait for the TSN's 3753 * to arrive that are at or before tsn 3754 */ 3755 struct sctp_stream_reset_list *liste; 3756 int siz; 3757 3758 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3759 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3760 siz, SCTP_M_STRESET); 3761 if (liste == NULL) { 3762 /* gak out of memory */ 3763 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3764 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3765 return; 3766 } 3767 liste->tsn = tsn; 3768 liste->number_entries = number_entries; 3769 memcpy(&liste->req, req, 3770 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3771 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3772 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3773 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3774 } 3775 asoc->str_reset_seq_in++; 3776 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3777 /* 3778 * one seq back, just echo back last action since my 3779 * response was lost. 3780 */ 3781 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3782 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3783 /* 3784 * two seq back, just echo back last action since my 3785 * response was lost. 3786 */ 3787 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3788 } else { 3789 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3790 } 3791} 3792 3793static void 3794sctp_handle_str_reset_add_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk, 3795 struct sctp_stream_reset_add_strm *str_add) 3796{ 3797 /* 3798 * Peer is requesting to add more streams. If its within our 3799 * max-streams we will allow it. 3800 */ 3801 uint16_t num_stream, i; 3802 uint32_t seq; 3803 struct sctp_association *asoc = &stcb->asoc; 3804 struct sctp_queued_to_read *ctl, *nctl; 3805 3806 /* Get the number. */ 3807 seq = ntohl(str_add->request_seq); 3808 num_stream = ntohs(str_add->number_of_streams); 3809 /* Now what would be the new total? */ 3810 if (asoc->str_reset_seq_in == seq) { 3811 num_stream += stcb->asoc.streamincnt; 3812 if (num_stream > stcb->asoc.max_inbound_streams) { 3813 /* We must reject it they ask for to many */ 3814 denied: 3815 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3816 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3817 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3818 } else { 3819 /* Ok, we can do that :-) */ 3820 struct sctp_stream_in *oldstrm; 3821 3822 /* save off the old */ 3823 oldstrm = stcb->asoc.strmin; 3824 SCTP_MALLOC(stcb->asoc.strmin, struct sctp_stream_in *, 3825 (num_stream * sizeof(struct sctp_stream_in)), 3826 SCTP_M_STRMI); 3827 if (stcb->asoc.strmin == NULL) { 3828 stcb->asoc.strmin = oldstrm; 3829 goto denied; 3830 } 3831 /* copy off the old data */ 3832 for (i = 0; i < stcb->asoc.streamincnt; i++) { 3833 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue); 3834 stcb->asoc.strmin[i].stream_no = i; 3835 stcb->asoc.strmin[i].last_sequence_delivered = oldstrm[i].last_sequence_delivered; 3836 stcb->asoc.strmin[i].delivery_started = oldstrm[i].delivery_started; 3837 /* now anything on those queues? */ 3838 TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].inqueue, next, nctl) { 3839 TAILQ_REMOVE(&oldstrm[i].inqueue, ctl, next); 3840 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].inqueue, ctl, next); 3841 } 3842 } 3843 /* Init the new streams */ 3844 for (i = stcb->asoc.streamincnt; i < num_stream; i++) { 3845 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue); 3846 stcb->asoc.strmin[i].stream_no = i; 3847 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 3848 stcb->asoc.strmin[i].delivery_started = 0; 3849 } 3850 SCTP_FREE(oldstrm, SCTP_M_STRMI); 3851 /* update the size */ 3852 stcb->asoc.streamincnt = num_stream; 3853 /* Send the ack */ 3854 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3855 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3856 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3857 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_INSTREAM_ADD_OK, stcb, 3858 (uint32_t) stcb->asoc.streamincnt, NULL, SCTP_SO_NOT_LOCKED); 3859 } 3860 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3861 /* 3862 * one seq back, just echo back last action since my 3863 * response was lost. 3864 */ 3865 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3866 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3867 /* 3868 * two seq back, just echo back last action since my 3869 * response was lost. 3870 */ 3871 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3872 } else { 3873 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3874 3875 } 3876} 3877 3878#ifdef __GNUC__ 3879__attribute__((noinline)) 3880#endif 3881 static int 3882 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset, 3883 struct sctp_stream_reset_out_req *sr_req) 3884{ 3885 int chk_length, param_len, ptype; 3886 struct sctp_paramhdr pstore; 3887 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE]; 3888 3889 uint32_t seq; 3890 int num_req = 0; 3891 int trunc = 0; 3892 struct sctp_tmit_chunk *chk; 3893 struct sctp_chunkhdr *ch; 3894 struct sctp_paramhdr *ph; 3895 int ret_code = 0; 3896 int num_param = 0; 3897 3898 /* now it may be a reset or a reset-response */ 3899 chk_length = ntohs(sr_req->ch.chunk_length); 3900 3901 /* setup for adding the response */ 3902 sctp_alloc_a_chunk(stcb, chk); 3903 if (chk == NULL) { 3904 return (ret_code); 3905 } 3906 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3907 chk->rec.chunk_id.can_take_data = 0; 3908 chk->asoc = &stcb->asoc; 3909 chk->no_fr_allowed = 0; 3910 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3911 chk->book_size_scale = 0; 3912 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3913 if (chk->data == NULL) { 3914strres_nochunk: 3915 if (chk->data) { 3916 sctp_m_freem(chk->data); 3917 chk->data = NULL; 3918 } 3919 sctp_free_a_chunk(stcb, chk); 3920 return (ret_code); 3921 } 3922 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3923 3924 /* setup chunk parameters */ 3925 chk->sent = SCTP_DATAGRAM_UNSENT; 3926 chk->snd_count = 0; 3927 chk->whoTo = stcb->asoc.primary_destination; 3928 atomic_add_int(&chk->whoTo->ref_count, 1); 3929 3930 ch = mtod(chk->data, struct sctp_chunkhdr *); 3931 ch->chunk_type = SCTP_STREAM_RESET; 3932 ch->chunk_flags = 0; 3933 ch->chunk_length = htons(chk->send_size); 3934 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3935 offset += sizeof(struct sctp_chunkhdr); 3936 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3937 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore); 3938 if (ph == NULL) 3939 break; 3940 param_len = ntohs(ph->param_length); 3941 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3942 /* bad param */ 3943 break; 3944 } 3945 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)), 3946 (uint8_t *) & cstore); 3947 ptype = ntohs(ph->param_type); 3948 num_param++; 3949 if (param_len > (int)sizeof(cstore)) { 3950 trunc = 1; 3951 } else { 3952 trunc = 0; 3953 } 3954 3955 if (num_param > SCTP_MAX_RESET_PARAMS) { 3956 /* hit the max of parameters already sorry.. */ 3957 break; 3958 } 3959 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3960 struct sctp_stream_reset_out_request *req_out; 3961 3962 req_out = (struct sctp_stream_reset_out_request *)ph; 3963 num_req++; 3964 if (stcb->asoc.stream_reset_outstanding) { 3965 seq = ntohl(req_out->response_seq); 3966 if (seq == stcb->asoc.str_reset_seq_out) { 3967 /* implicit ack */ 3968 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3969 } 3970 } 3971 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc); 3972 } else if (ptype == SCTP_STR_RESET_ADD_STREAMS) { 3973 struct sctp_stream_reset_add_strm *str_add; 3974 3975 str_add = (struct sctp_stream_reset_add_strm *)ph; 3976 num_req++; 3977 sctp_handle_str_reset_add_strm(stcb, chk, str_add); 3978 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3979 struct sctp_stream_reset_in_request *req_in; 3980 3981 num_req++; 3982 3983 req_in = (struct sctp_stream_reset_in_request *)ph; 3984 3985 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc); 3986 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3987 struct sctp_stream_reset_tsn_request *req_tsn; 3988 3989 num_req++; 3990 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3991 3992 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3993 ret_code = 1; 3994 goto strres_nochunk; 3995 } 3996 /* no more */ 3997 break; 3998 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3999 struct sctp_stream_reset_response *resp; 4000 uint32_t result; 4001 4002 resp = (struct sctp_stream_reset_response *)ph; 4003 seq = ntohl(resp->response_seq); 4004 result = ntohl(resp->result); 4005 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 4006 ret_code = 1; 4007 goto strres_nochunk; 4008 } 4009 } else { 4010 break; 4011 } 4012 offset += SCTP_SIZE32(param_len); 4013 chk_length -= SCTP_SIZE32(param_len); 4014 } 4015 if (num_req == 0) { 4016 /* we have no response free the stuff */ 4017 goto strres_nochunk; 4018 } 4019 /* ok we have a chunk to link in */ 4020 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 4021 chk, 4022 sctp_next); 4023 stcb->asoc.ctrl_queue_cnt++; 4024 return (ret_code); 4025} 4026 4027/* 4028 * Handle a router or endpoints report of a packet loss, there are two ways 4029 * to handle this, either we get the whole packet and must disect it 4030 * ourselves (possibly with truncation and or corruption) or it is a summary 4031 * from a middle box that did the disectting for us. 4032 */ 4033static void 4034sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 4035 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit) 4036{ 4037 uint32_t bottle_bw, on_queue; 4038 uint16_t trunc_len; 4039 unsigned int chlen; 4040 unsigned int at; 4041 struct sctp_chunk_desc desc; 4042 struct sctp_chunkhdr *ch; 4043 4044 chlen = ntohs(cp->ch.chunk_length); 4045 chlen -= sizeof(struct sctp_pktdrop_chunk); 4046 /* XXX possible chlen underflow */ 4047 if (chlen == 0) { 4048 ch = NULL; 4049 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 4050 SCTP_STAT_INCR(sctps_pdrpbwrpt); 4051 } else { 4052 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 4053 chlen -= sizeof(struct sctphdr); 4054 /* XXX possible chlen underflow */ 4055 memset(&desc, 0, sizeof(desc)); 4056 } 4057 trunc_len = (uint16_t) ntohs(cp->trunc_len); 4058 if (trunc_len > limit) { 4059 trunc_len = limit; 4060 } 4061 /* now the chunks themselves */ 4062 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 4063 desc.chunk_type = ch->chunk_type; 4064 /* get amount we need to move */ 4065 at = ntohs(ch->chunk_length); 4066 if (at < sizeof(struct sctp_chunkhdr)) { 4067 /* corrupt chunk, maybe at the end? */ 4068 SCTP_STAT_INCR(sctps_pdrpcrupt); 4069 break; 4070 } 4071 if (trunc_len == 0) { 4072 /* we are supposed to have all of it */ 4073 if (at > chlen) { 4074 /* corrupt skip it */ 4075 SCTP_STAT_INCR(sctps_pdrpcrupt); 4076 break; 4077 } 4078 } else { 4079 /* is there enough of it left ? */ 4080 if (desc.chunk_type == SCTP_DATA) { 4081 if (chlen < (sizeof(struct sctp_data_chunk) + 4082 sizeof(desc.data_bytes))) { 4083 break; 4084 } 4085 } else { 4086 if (chlen < sizeof(struct sctp_chunkhdr)) { 4087 break; 4088 } 4089 } 4090 } 4091 if (desc.chunk_type == SCTP_DATA) { 4092 /* can we get out the tsn? */ 4093 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 4094 SCTP_STAT_INCR(sctps_pdrpmbda); 4095 4096 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 4097 /* yep */ 4098 struct sctp_data_chunk *dcp; 4099 uint8_t *ddp; 4100 unsigned int iii; 4101 4102 dcp = (struct sctp_data_chunk *)ch; 4103 ddp = (uint8_t *) (dcp + 1); 4104 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 4105 desc.data_bytes[iii] = ddp[iii]; 4106 } 4107 desc.tsn_ifany = dcp->dp.tsn; 4108 } else { 4109 /* nope we are done. */ 4110 SCTP_STAT_INCR(sctps_pdrpnedat); 4111 break; 4112 } 4113 } else { 4114 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 4115 SCTP_STAT_INCR(sctps_pdrpmbct); 4116 } 4117 4118 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 4119 SCTP_STAT_INCR(sctps_pdrppdbrk); 4120 break; 4121 } 4122 if (SCTP_SIZE32(at) > chlen) { 4123 break; 4124 } 4125 chlen -= SCTP_SIZE32(at); 4126 if (chlen < sizeof(struct sctp_chunkhdr)) { 4127 /* done, none left */ 4128 break; 4129 } 4130 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 4131 } 4132 /* Now update any rwnd --- possibly */ 4133 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 4134 /* From a peer, we get a rwnd report */ 4135 uint32_t a_rwnd; 4136 4137 SCTP_STAT_INCR(sctps_pdrpfehos); 4138 4139 bottle_bw = ntohl(cp->bottle_bw); 4140 on_queue = ntohl(cp->current_onq); 4141 if (bottle_bw && on_queue) { 4142 /* a rwnd report is in here */ 4143 if (bottle_bw > on_queue) 4144 a_rwnd = bottle_bw - on_queue; 4145 else 4146 a_rwnd = 0; 4147 4148 if (a_rwnd == 0) 4149 stcb->asoc.peers_rwnd = 0; 4150 else { 4151 if (a_rwnd > stcb->asoc.total_flight) { 4152 stcb->asoc.peers_rwnd = 4153 a_rwnd - stcb->asoc.total_flight; 4154 } else { 4155 stcb->asoc.peers_rwnd = 0; 4156 } 4157 if (stcb->asoc.peers_rwnd < 4158 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4159 /* SWS sender side engages */ 4160 stcb->asoc.peers_rwnd = 0; 4161 } 4162 } 4163 } 4164 } else { 4165 SCTP_STAT_INCR(sctps_pdrpfmbox); 4166 } 4167 4168 /* now middle boxes in sat networks get a cwnd bump */ 4169 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 4170 (stcb->asoc.sat_t3_loss_recovery == 0) && 4171 (stcb->asoc.sat_network)) { 4172 /* 4173 * This is debateable but for sat networks it makes sense 4174 * Note if a T3 timer has went off, we will prohibit any 4175 * changes to cwnd until we exit the t3 loss recovery. 4176 */ 4177 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb, 4178 net, cp, &bottle_bw, &on_queue); 4179 } 4180} 4181 4182/* 4183 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 4184 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 4185 * offset: offset into the mbuf chain to first chunkhdr - length: is the 4186 * length of the complete packet outputs: - length: modified to remaining 4187 * length after control processing - netp: modified to new sctp_nets after 4188 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 4189 * bad packet,...) otherwise return the tcb for this packet 4190 */ 4191#ifdef __GNUC__ 4192__attribute__((noinline)) 4193#endif 4194 static struct sctp_tcb * 4195 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 4196 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 4197 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen, 4198 uint32_t vrf_id, uint16_t port) 4199{ 4200 struct sctp_association *asoc; 4201 uint32_t vtag_in; 4202 int num_chunks = 0; /* number of control chunks processed */ 4203 uint32_t chk_length; 4204 int ret; 4205 int abort_no_unlock = 0; 4206 int ecne_seen = 0; 4207 4208 /* 4209 * How big should this be, and should it be alloc'd? Lets try the 4210 * d-mtu-ceiling for now (2k) and that should hopefully work ... 4211 * until we get into jumbo grams and such.. 4212 */ 4213 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 4214 struct sctp_tcb *locked_tcb = stcb; 4215 int got_auth = 0; 4216 uint32_t auth_offset = 0, auth_len = 0; 4217 int auth_skipped = 0; 4218 int asconf_cnt = 0; 4219 4220#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4221 struct socket *so; 4222 4223#endif 4224 4225 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 4226 iphlen, *offset, length, stcb); 4227 4228 /* validate chunk header length... */ 4229 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 4230 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n", 4231 ntohs(ch->chunk_length)); 4232 if (locked_tcb) { 4233 SCTP_TCB_UNLOCK(locked_tcb); 4234 } 4235 return (NULL); 4236 } 4237 /* 4238 * validate the verification tag 4239 */ 4240 vtag_in = ntohl(sh->v_tag); 4241 4242 if (locked_tcb) { 4243 SCTP_TCB_LOCK_ASSERT(locked_tcb); 4244 } 4245 if (ch->chunk_type == SCTP_INITIATION) { 4246 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n", 4247 ntohs(ch->chunk_length), vtag_in); 4248 if (vtag_in != 0) { 4249 /* protocol error- silently discard... */ 4250 SCTP_STAT_INCR(sctps_badvtag); 4251 if (locked_tcb) { 4252 SCTP_TCB_UNLOCK(locked_tcb); 4253 } 4254 return (NULL); 4255 } 4256 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 4257 /* 4258 * If there is no stcb, skip the AUTH chunk and process 4259 * later after a stcb is found (to validate the lookup was 4260 * valid. 4261 */ 4262 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 4263 (stcb == NULL) && 4264 !SCTP_BASE_SYSCTL(sctp_auth_disable)) { 4265 /* save this chunk for later processing */ 4266 auth_skipped = 1; 4267 auth_offset = *offset; 4268 auth_len = ntohs(ch->chunk_length); 4269 4270 /* (temporarily) move past this chunk */ 4271 *offset += SCTP_SIZE32(auth_len); 4272 if (*offset >= length) { 4273 /* no more data left in the mbuf chain */ 4274 *offset = length; 4275 if (locked_tcb) { 4276 SCTP_TCB_UNLOCK(locked_tcb); 4277 } 4278 return (NULL); 4279 } 4280 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4281 sizeof(struct sctp_chunkhdr), chunk_buf); 4282 } 4283 if (ch == NULL) { 4284 /* Help */ 4285 *offset = length; 4286 if (locked_tcb) { 4287 SCTP_TCB_UNLOCK(locked_tcb); 4288 } 4289 return (NULL); 4290 } 4291 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 4292 goto process_control_chunks; 4293 } 4294 /* 4295 * first check if it's an ASCONF with an unknown src addr we 4296 * need to look inside to find the association 4297 */ 4298 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 4299 struct sctp_chunkhdr *asconf_ch = ch; 4300 uint32_t asconf_offset = 0, asconf_len = 0; 4301 4302 /* inp's refcount may be reduced */ 4303 SCTP_INP_INCR_REF(inp); 4304 4305 asconf_offset = *offset; 4306 do { 4307 asconf_len = ntohs(asconf_ch->chunk_length); 4308 if (asconf_len < sizeof(struct sctp_asconf_paramhdr)) 4309 break; 4310 stcb = sctp_findassociation_ep_asconf(m, iphlen, 4311 *offset, sh, &inp, netp, vrf_id); 4312 if (stcb != NULL) 4313 break; 4314 asconf_offset += SCTP_SIZE32(asconf_len); 4315 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset, 4316 sizeof(struct sctp_chunkhdr), chunk_buf); 4317 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF); 4318 if (stcb == NULL) { 4319 /* 4320 * reduce inp's refcount if not reduced in 4321 * sctp_findassociation_ep_asconf(). 4322 */ 4323 SCTP_INP_DECR_REF(inp); 4324 } else { 4325 locked_tcb = stcb; 4326 } 4327 4328 /* now go back and verify any auth chunk to be sure */ 4329 if (auth_skipped && (stcb != NULL)) { 4330 struct sctp_auth_chunk *auth; 4331 4332 auth = (struct sctp_auth_chunk *) 4333 sctp_m_getptr(m, auth_offset, 4334 auth_len, chunk_buf); 4335 got_auth = 1; 4336 auth_skipped = 0; 4337 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, 4338 auth_offset)) { 4339 /* auth HMAC failed so dump it */ 4340 *offset = length; 4341 if (locked_tcb) { 4342 SCTP_TCB_UNLOCK(locked_tcb); 4343 } 4344 return (NULL); 4345 } else { 4346 /* remaining chunks are HMAC checked */ 4347 stcb->asoc.authenticated = 1; 4348 } 4349 } 4350 } 4351 if (stcb == NULL) { 4352 /* no association, so it's out of the blue... */ 4353 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL, 4354 vrf_id, port); 4355 *offset = length; 4356 if (locked_tcb) { 4357 SCTP_TCB_UNLOCK(locked_tcb); 4358 } 4359 return (NULL); 4360 } 4361 asoc = &stcb->asoc; 4362 /* ABORT and SHUTDOWN can use either v_tag... */ 4363 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 4364 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 4365 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 4366 if ((vtag_in == asoc->my_vtag) || 4367 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 4368 (vtag_in == asoc->peer_vtag))) { 4369 /* this is valid */ 4370 } else { 4371 /* drop this packet... */ 4372 SCTP_STAT_INCR(sctps_badvtag); 4373 if (locked_tcb) { 4374 SCTP_TCB_UNLOCK(locked_tcb); 4375 } 4376 return (NULL); 4377 } 4378 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4379 if (vtag_in != asoc->my_vtag) { 4380 /* 4381 * this could be a stale SHUTDOWN-ACK or the 4382 * peer never got the SHUTDOWN-COMPLETE and 4383 * is still hung; we have started a new asoc 4384 * but it won't complete until the shutdown 4385 * is completed 4386 */ 4387 if (locked_tcb) { 4388 SCTP_TCB_UNLOCK(locked_tcb); 4389 } 4390 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 4391 NULL, vrf_id, port); 4392 return (NULL); 4393 } 4394 } else { 4395 /* for all other chunks, vtag must match */ 4396 if (vtag_in != asoc->my_vtag) { 4397 /* invalid vtag... */ 4398 SCTPDBG(SCTP_DEBUG_INPUT3, 4399 "invalid vtag: %xh, expect %xh\n", 4400 vtag_in, asoc->my_vtag); 4401 SCTP_STAT_INCR(sctps_badvtag); 4402 if (locked_tcb) { 4403 SCTP_TCB_UNLOCK(locked_tcb); 4404 } 4405 *offset = length; 4406 return (NULL); 4407 } 4408 } 4409 } /* end if !SCTP_COOKIE_ECHO */ 4410 /* 4411 * process all control chunks... 4412 */ 4413 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 4414 /* EY */ 4415 (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) || 4416 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 4417 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 4418 /* implied cookie-ack.. we must have lost the ack */ 4419 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4420 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4421 stcb->asoc.overall_error_count, 4422 0, 4423 SCTP_FROM_SCTP_INPUT, 4424 __LINE__); 4425 } 4426 stcb->asoc.overall_error_count = 0; 4427 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 4428 *netp); 4429 } 4430process_control_chunks: 4431 while (IS_SCTP_CONTROL(ch)) { 4432 /* validate chunk length */ 4433 chk_length = ntohs(ch->chunk_length); 4434 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n", 4435 ch->chunk_type, chk_length); 4436 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length); 4437 if (chk_length < sizeof(*ch) || 4438 (*offset + (int)chk_length) > length) { 4439 *offset = length; 4440 if (locked_tcb) { 4441 SCTP_TCB_UNLOCK(locked_tcb); 4442 } 4443 return (NULL); 4444 } 4445 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 4446 /* 4447 * INIT-ACK only gets the init ack "header" portion only 4448 * because we don't have to process the peer's COOKIE. All 4449 * others get a complete chunk. 4450 */ 4451 if ((ch->chunk_type == SCTP_INITIATION_ACK) || 4452 (ch->chunk_type == SCTP_INITIATION)) { 4453 /* get an init-ack chunk */ 4454 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4455 sizeof(struct sctp_init_ack_chunk), chunk_buf); 4456 if (ch == NULL) { 4457 *offset = length; 4458 if (locked_tcb) { 4459 SCTP_TCB_UNLOCK(locked_tcb); 4460 } 4461 return (NULL); 4462 } 4463 } else { 4464 /* For cookies and all other chunks. */ 4465 if (chk_length > sizeof(chunk_buf)) { 4466 /* 4467 * use just the size of the chunk buffer so 4468 * the front part of our chunks fit in 4469 * contiguous space up to the chunk buffer 4470 * size (508 bytes). For chunks that need to 4471 * get more than that they must use the 4472 * sctp_m_getptr() function or other means 4473 * (e.g. know how to parse mbuf chains). 4474 * Cookies do this already. 4475 */ 4476 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4477 (sizeof(chunk_buf) - 4), 4478 chunk_buf); 4479 if (ch == NULL) { 4480 *offset = length; 4481 if (locked_tcb) { 4482 SCTP_TCB_UNLOCK(locked_tcb); 4483 } 4484 return (NULL); 4485 } 4486 } else { 4487 /* We can fit it all */ 4488 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4489 chk_length, chunk_buf); 4490 if (ch == NULL) { 4491 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n"); 4492 *offset = length; 4493 if (locked_tcb) { 4494 SCTP_TCB_UNLOCK(locked_tcb); 4495 } 4496 return (NULL); 4497 } 4498 } 4499 } 4500 num_chunks++; 4501 /* Save off the last place we got a control from */ 4502 if (stcb != NULL) { 4503 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) { 4504 /* 4505 * allow last_control to be NULL if 4506 * ASCONF... ASCONF processing will find the 4507 * right net later 4508 */ 4509 if ((netp != NULL) && (*netp != NULL)) 4510 stcb->asoc.last_control_chunk_from = *netp; 4511 } 4512 } 4513#ifdef SCTP_AUDITING_ENABLED 4514 sctp_audit_log(0xB0, ch->chunk_type); 4515#endif 4516 4517 /* check to see if this chunk required auth, but isn't */ 4518 if ((stcb != NULL) && 4519 !SCTP_BASE_SYSCTL(sctp_auth_disable) && 4520 sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) && 4521 !stcb->asoc.authenticated) { 4522 /* "silently" ignore */ 4523 SCTP_STAT_INCR(sctps_recvauthmissing); 4524 goto next_chunk; 4525 } 4526 switch (ch->chunk_type) { 4527 case SCTP_INITIATION: 4528 /* must be first and only chunk */ 4529 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n"); 4530 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4531 /* We are not interested anymore? */ 4532 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4533 /* 4534 * collision case where we are 4535 * sending to them too 4536 */ 4537 ; 4538 } else { 4539 if (locked_tcb) { 4540 SCTP_TCB_UNLOCK(locked_tcb); 4541 } 4542 *offset = length; 4543 return (NULL); 4544 } 4545 } 4546 if ((chk_length > SCTP_LARGEST_INIT_ACCEPTED) || 4547 (num_chunks > 1) || 4548 (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 4549 *offset = length; 4550 if (locked_tcb) { 4551 SCTP_TCB_UNLOCK(locked_tcb); 4552 } 4553 return (NULL); 4554 } 4555 if ((stcb != NULL) && 4556 (SCTP_GET_STATE(&stcb->asoc) == 4557 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 4558 sctp_send_shutdown_ack(stcb, 4559 stcb->asoc.primary_destination); 4560 *offset = length; 4561 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 4562 if (locked_tcb) { 4563 SCTP_TCB_UNLOCK(locked_tcb); 4564 } 4565 return (NULL); 4566 } 4567 if (netp) { 4568 sctp_handle_init(m, iphlen, *offset, sh, 4569 (struct sctp_init_chunk *)ch, inp, 4570 stcb, *netp, &abort_no_unlock, vrf_id, port); 4571 } 4572 if (abort_no_unlock) 4573 return (NULL); 4574 4575 *offset = length; 4576 if (locked_tcb) { 4577 SCTP_TCB_UNLOCK(locked_tcb); 4578 } 4579 return (NULL); 4580 break; 4581 case SCTP_PAD_CHUNK: 4582 break; 4583 case SCTP_INITIATION_ACK: 4584 /* must be first and only chunk */ 4585 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n"); 4586 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4587 /* We are not interested anymore */ 4588 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4589 ; 4590 } else { 4591 if (locked_tcb != stcb) { 4592 /* Very unlikely */ 4593 SCTP_TCB_UNLOCK(locked_tcb); 4594 } 4595 *offset = length; 4596 if (stcb) { 4597#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4598 so = SCTP_INP_SO(inp); 4599 atomic_add_int(&stcb->asoc.refcnt, 1); 4600 SCTP_TCB_UNLOCK(stcb); 4601 SCTP_SOCKET_LOCK(so, 1); 4602 SCTP_TCB_LOCK(stcb); 4603 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4604#endif 4605 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4606#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4607 SCTP_SOCKET_UNLOCK(so, 1); 4608#endif 4609 } 4610 return (NULL); 4611 } 4612 } 4613 if ((num_chunks > 1) || 4614 (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 4615 *offset = length; 4616 if (locked_tcb) { 4617 SCTP_TCB_UNLOCK(locked_tcb); 4618 } 4619 return (NULL); 4620 } 4621 if ((netp) && (*netp)) { 4622 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 4623 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id); 4624 } else { 4625 ret = -1; 4626 } 4627 /* 4628 * Special case, I must call the output routine to 4629 * get the cookie echoed 4630 */ 4631 if (abort_no_unlock) 4632 return (NULL); 4633 4634 if ((stcb) && ret == 0) 4635 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 4636 *offset = length; 4637 if (locked_tcb) { 4638 SCTP_TCB_UNLOCK(locked_tcb); 4639 } 4640 return (NULL); 4641 break; 4642 case SCTP_SELECTIVE_ACK: 4643 { 4644 struct sctp_sack_chunk *sack; 4645 int abort_now = 0; 4646 uint32_t a_rwnd, cum_ack; 4647 uint16_t num_seg, num_dup; 4648 uint8_t flags; 4649 int offset_seg, offset_dup; 4650 4651 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n"); 4652 SCTP_STAT_INCR(sctps_recvsacks); 4653 if (stcb == NULL) { 4654 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing SACK chunk\n"); 4655 break; 4656 } 4657 if (chk_length < sizeof(struct sctp_sack_chunk)) { 4658 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on SACK chunk, too small\n"); 4659 break; 4660 } 4661 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 4662 /*- 4663 * If we have sent a shutdown-ack, we will pay no 4664 * attention to a sack sent in to us since 4665 * we don't care anymore. 4666 */ 4667 break; 4668 } 4669 sack = (struct sctp_sack_chunk *)ch; 4670 flags = ch->chunk_flags; 4671 cum_ack = ntohl(sack->sack.cum_tsn_ack); 4672 num_seg = ntohs(sack->sack.num_gap_ack_blks); 4673 num_dup = ntohs(sack->sack.num_dup_tsns); 4674 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 4675 if (sizeof(struct sctp_sack_chunk) + 4676 num_seg * sizeof(struct sctp_gap_ack_block) + 4677 num_dup * sizeof(uint32_t) != chk_length) { 4678 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of SACK chunk\n"); 4679 break; 4680 } 4681 offset_seg = *offset + sizeof(struct sctp_sack_chunk); 4682 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block); 4683 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n", 4684 cum_ack, num_seg, a_rwnd); 4685 stcb->asoc.seen_a_sack_this_pkt = 1; 4686 if ((stcb->asoc.pr_sctp_cnt == 0) && 4687 (num_seg == 0) && 4688 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) && 4689 (stcb->asoc.saw_sack_with_frags == 0) && 4690 (stcb->asoc.saw_sack_with_nr_frags == 0) && 4691 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 4692 ) { 4693 /* 4694 * We have a SIMPLE sack having no 4695 * prior segments and data on sent 4696 * queue to be acked.. Use the 4697 * faster path sack processing. We 4698 * also allow window update sacks 4699 * with no missing segments to go 4700 * this way too. 4701 */ 4702 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, &abort_now, ecne_seen); 4703 } else { 4704 if (netp && *netp) 4705 sctp_handle_sack(m, offset_seg, offset_dup, 4706 stcb, *netp, 4707 num_seg, 0, num_dup, &abort_now, flags, 4708 cum_ack, a_rwnd, ecne_seen); 4709 } 4710 if (abort_now) { 4711 /* ABORT signal from sack processing */ 4712 *offset = length; 4713 return (NULL); 4714 } 4715 if (TAILQ_EMPTY(&stcb->asoc.send_queue) && 4716 TAILQ_EMPTY(&stcb->asoc.sent_queue) && 4717 (stcb->asoc.stream_queue_cnt == 0)) { 4718 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 4719 } 4720 } 4721 break; 4722 /* 4723 * EY - nr_sack: If the received chunk is an 4724 * nr_sack chunk 4725 */ 4726 case SCTP_NR_SELECTIVE_ACK: 4727 { 4728 struct sctp_nr_sack_chunk *nr_sack; 4729 int abort_now = 0; 4730 uint32_t a_rwnd, cum_ack; 4731 uint16_t num_seg, num_nr_seg, num_dup; 4732 uint8_t flags; 4733 int offset_seg, offset_dup; 4734 4735 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK\n"); 4736 SCTP_STAT_INCR(sctps_recvsacks); 4737 if (stcb == NULL) { 4738 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing NR-SACK chunk\n"); 4739 break; 4740 } 4741 if ((stcb->asoc.sctp_nr_sack_on_off == 0) || 4742 (stcb->asoc.peer_supports_nr_sack == 0)) { 4743 goto unknown_chunk; 4744 } 4745 if (chk_length < sizeof(struct sctp_nr_sack_chunk)) { 4746 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on NR-SACK chunk, too small\n"); 4747 break; 4748 } 4749 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 4750 /*- 4751 * If we have sent a shutdown-ack, we will pay no 4752 * attention to a sack sent in to us since 4753 * we don't care anymore. 4754 */ 4755 break; 4756 } 4757 nr_sack = (struct sctp_nr_sack_chunk *)ch; 4758 flags = ch->chunk_flags; 4759 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack); 4760 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks); 4761 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks); 4762 num_dup = ntohs(nr_sack->nr_sack.num_dup_tsns); 4763 a_rwnd = (uint32_t) ntohl(nr_sack->nr_sack.a_rwnd); 4764 if (sizeof(struct sctp_nr_sack_chunk) + 4765 (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block) + 4766 num_dup * sizeof(uint32_t) != chk_length) { 4767 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of NR_SACK chunk\n"); 4768 break; 4769 } 4770 offset_seg = *offset + sizeof(struct sctp_nr_sack_chunk); 4771 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block); 4772 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n", 4773 cum_ack, num_seg, a_rwnd); 4774 stcb->asoc.seen_a_sack_this_pkt = 1; 4775 if ((stcb->asoc.pr_sctp_cnt == 0) && 4776 (num_seg == 0) && (num_nr_seg == 0) && 4777 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) && 4778 (stcb->asoc.saw_sack_with_frags == 0) && 4779 (stcb->asoc.saw_sack_with_nr_frags == 0) && 4780 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))) { 4781 /* 4782 * We have a SIMPLE sack having no 4783 * prior segments and data on sent 4784 * queue to be acked. Use the faster 4785 * path sack processing. We also 4786 * allow window update sacks with no 4787 * missing segments to go this way 4788 * too. 4789 */ 4790 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, 4791 &abort_now, ecne_seen); 4792 } else { 4793 if (netp && *netp) 4794 sctp_handle_sack(m, offset_seg, offset_dup, 4795 stcb, *netp, 4796 num_seg, num_nr_seg, num_dup, &abort_now, flags, 4797 cum_ack, a_rwnd, ecne_seen); 4798 } 4799 if (abort_now) { 4800 /* ABORT signal from sack processing */ 4801 *offset = length; 4802 return (NULL); 4803 } 4804 if (TAILQ_EMPTY(&stcb->asoc.send_queue) && 4805 TAILQ_EMPTY(&stcb->asoc.sent_queue) && 4806 (stcb->asoc.stream_queue_cnt == 0)) { 4807 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 4808 } 4809 } 4810 break; 4811 4812 case SCTP_HEARTBEAT_REQUEST: 4813 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n"); 4814 if ((stcb) && netp && *netp) { 4815 SCTP_STAT_INCR(sctps_recvheartbeat); 4816 sctp_send_heartbeat_ack(stcb, m, *offset, 4817 chk_length, *netp); 4818 4819 /* He's alive so give him credit */ 4820 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4821 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4822 stcb->asoc.overall_error_count, 4823 0, 4824 SCTP_FROM_SCTP_INPUT, 4825 __LINE__); 4826 } 4827 stcb->asoc.overall_error_count = 0; 4828 } 4829 break; 4830 case SCTP_HEARTBEAT_ACK: 4831 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n"); 4832 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) { 4833 /* Its not ours */ 4834 *offset = length; 4835 if (locked_tcb) { 4836 SCTP_TCB_UNLOCK(locked_tcb); 4837 } 4838 return (NULL); 4839 } 4840 /* He's alive so give him credit */ 4841 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4842 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4843 stcb->asoc.overall_error_count, 4844 0, 4845 SCTP_FROM_SCTP_INPUT, 4846 __LINE__); 4847 } 4848 stcb->asoc.overall_error_count = 0; 4849 SCTP_STAT_INCR(sctps_recvheartbeatack); 4850 if (netp && *netp) 4851 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 4852 stcb, *netp); 4853 break; 4854 case SCTP_ABORT_ASSOCIATION: 4855 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n", 4856 stcb); 4857 if ((stcb) && netp && *netp) 4858 sctp_handle_abort((struct sctp_abort_chunk *)ch, 4859 stcb, *netp); 4860 *offset = length; 4861 return (NULL); 4862 break; 4863 case SCTP_SHUTDOWN: 4864 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n", 4865 stcb); 4866 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) { 4867 *offset = length; 4868 if (locked_tcb) { 4869 SCTP_TCB_UNLOCK(locked_tcb); 4870 } 4871 return (NULL); 4872 } 4873 if (netp && *netp) { 4874 int abort_flag = 0; 4875 4876 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 4877 stcb, *netp, &abort_flag); 4878 if (abort_flag) { 4879 *offset = length; 4880 return (NULL); 4881 } 4882 } 4883 break; 4884 case SCTP_SHUTDOWN_ACK: 4885 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", stcb); 4886 if ((stcb) && (netp) && (*netp)) 4887 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 4888 *offset = length; 4889 return (NULL); 4890 break; 4891 4892 case SCTP_OPERATION_ERROR: 4893 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n"); 4894 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) { 4895 4896 *offset = length; 4897 return (NULL); 4898 } 4899 break; 4900 case SCTP_COOKIE_ECHO: 4901 SCTPDBG(SCTP_DEBUG_INPUT3, 4902 "SCTP_COOKIE-ECHO, stcb %p\n", stcb); 4903 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4904 ; 4905 } else { 4906 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4907 /* We are not interested anymore */ 4908 abend: 4909 if (stcb) { 4910 SCTP_TCB_UNLOCK(stcb); 4911 } 4912 *offset = length; 4913 return (NULL); 4914 } 4915 } 4916 /* 4917 * First are we accepting? We do this again here 4918 * since it is possible that a previous endpoint WAS 4919 * listening responded to a INIT-ACK and then 4920 * closed. We opened and bound.. and are now no 4921 * longer listening. 4922 */ 4923 4924 if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) { 4925 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 4926 (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) { 4927 struct mbuf *oper; 4928 struct sctp_paramhdr *phdr; 4929 4930 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4931 0, M_DONTWAIT, 1, MT_DATA); 4932 if (oper) { 4933 SCTP_BUF_LEN(oper) = 4934 sizeof(struct sctp_paramhdr); 4935 phdr = mtod(oper, 4936 struct sctp_paramhdr *); 4937 phdr->param_type = 4938 htons(SCTP_CAUSE_OUT_OF_RESC); 4939 phdr->param_length = 4940 htons(sizeof(struct sctp_paramhdr)); 4941 } 4942 sctp_abort_association(inp, stcb, m, 4943 iphlen, sh, oper, vrf_id, port); 4944 } 4945 *offset = length; 4946 return (NULL); 4947 } else { 4948 struct mbuf *ret_buf; 4949 struct sctp_inpcb *linp; 4950 4951 if (stcb) { 4952 linp = NULL; 4953 } else { 4954 linp = inp; 4955 } 4956 4957 if (linp) { 4958 SCTP_ASOC_CREATE_LOCK(linp); 4959 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || 4960 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) { 4961 SCTP_ASOC_CREATE_UNLOCK(linp); 4962 goto abend; 4963 } 4964 } 4965 if (netp) { 4966 ret_buf = 4967 sctp_handle_cookie_echo(m, iphlen, 4968 *offset, sh, 4969 (struct sctp_cookie_echo_chunk *)ch, 4970 &inp, &stcb, netp, 4971 auth_skipped, 4972 auth_offset, 4973 auth_len, 4974 &locked_tcb, 4975 vrf_id, 4976 port); 4977 } else { 4978 ret_buf = NULL; 4979 } 4980 if (linp) { 4981 SCTP_ASOC_CREATE_UNLOCK(linp); 4982 } 4983 if (ret_buf == NULL) { 4984 if (locked_tcb) { 4985 SCTP_TCB_UNLOCK(locked_tcb); 4986 } 4987 SCTPDBG(SCTP_DEBUG_INPUT3, 4988 "GAK, null buffer\n"); 4989 auth_skipped = 0; 4990 *offset = length; 4991 return (NULL); 4992 } 4993 /* if AUTH skipped, see if it verified... */ 4994 if (auth_skipped) { 4995 got_auth = 1; 4996 auth_skipped = 0; 4997 } 4998 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4999 /* 5000 * Restart the timer if we have 5001 * pending data 5002 */ 5003 struct sctp_tmit_chunk *chk; 5004 5005 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 5006 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo); 5007 } 5008 } 5009 break; 5010 case SCTP_COOKIE_ACK: 5011 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", stcb); 5012 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) { 5013 if (locked_tcb) { 5014 SCTP_TCB_UNLOCK(locked_tcb); 5015 } 5016 return (NULL); 5017 } 5018 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 5019 /* We are not interested anymore */ 5020 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 5021 ; 5022 } else if (stcb) { 5023#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5024 so = SCTP_INP_SO(inp); 5025 atomic_add_int(&stcb->asoc.refcnt, 1); 5026 SCTP_TCB_UNLOCK(stcb); 5027 SCTP_SOCKET_LOCK(so, 1); 5028 SCTP_TCB_LOCK(stcb); 5029 atomic_subtract_int(&stcb->asoc.refcnt, 1); 5030#endif 5031 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 5032#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5033 SCTP_SOCKET_UNLOCK(so, 1); 5034#endif 5035 *offset = length; 5036 return (NULL); 5037 } 5038 } 5039 /* He's alive so give him credit */ 5040 if ((stcb) && netp && *netp) { 5041 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5042 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5043 stcb->asoc.overall_error_count, 5044 0, 5045 SCTP_FROM_SCTP_INPUT, 5046 __LINE__); 5047 } 5048 stcb->asoc.overall_error_count = 0; 5049 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 5050 } 5051 break; 5052 case SCTP_ECN_ECHO: 5053 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n"); 5054 /* He's alive so give him credit */ 5055 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) { 5056 /* Its not ours */ 5057 if (locked_tcb) { 5058 SCTP_TCB_UNLOCK(locked_tcb); 5059 } 5060 *offset = length; 5061 return (NULL); 5062 } 5063 if (stcb) { 5064 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5065 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5066 stcb->asoc.overall_error_count, 5067 0, 5068 SCTP_FROM_SCTP_INPUT, 5069 __LINE__); 5070 } 5071 stcb->asoc.overall_error_count = 0; 5072 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 5073 stcb); 5074 ecne_seen = 1; 5075 } 5076 break; 5077 case SCTP_ECN_CWR: 5078 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n"); 5079 /* He's alive so give him credit */ 5080 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) { 5081 /* Its not ours */ 5082 if (locked_tcb) { 5083 SCTP_TCB_UNLOCK(locked_tcb); 5084 } 5085 *offset = length; 5086 return (NULL); 5087 } 5088 if (stcb) { 5089 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5090 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5091 stcb->asoc.overall_error_count, 5092 0, 5093 SCTP_FROM_SCTP_INPUT, 5094 __LINE__); 5095 } 5096 stcb->asoc.overall_error_count = 0; 5097 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb, *netp); 5098 } 5099 break; 5100 case SCTP_SHUTDOWN_COMPLETE: 5101 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", stcb); 5102 /* must be first and only chunk */ 5103 if ((num_chunks > 1) || 5104 (length - *offset > (int)SCTP_SIZE32(chk_length))) { 5105 *offset = length; 5106 if (locked_tcb) { 5107 SCTP_TCB_UNLOCK(locked_tcb); 5108 } 5109 return (NULL); 5110 } 5111 if ((stcb) && netp && *netp) { 5112 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 5113 stcb, *netp); 5114 } 5115 *offset = length; 5116 return (NULL); 5117 break; 5118 case SCTP_ASCONF: 5119 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n"); 5120 /* He's alive so give him credit */ 5121 if (stcb) { 5122 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5123 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5124 stcb->asoc.overall_error_count, 5125 0, 5126 SCTP_FROM_SCTP_INPUT, 5127 __LINE__); 5128 } 5129 stcb->asoc.overall_error_count = 0; 5130 sctp_handle_asconf(m, *offset, 5131 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0); 5132 asconf_cnt++; 5133 } 5134 break; 5135 case SCTP_ASCONF_ACK: 5136 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n"); 5137 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) { 5138 /* Its not ours */ 5139 if (locked_tcb) { 5140 SCTP_TCB_UNLOCK(locked_tcb); 5141 } 5142 *offset = length; 5143 return (NULL); 5144 } 5145 if ((stcb) && netp && *netp) { 5146 /* He's alive so give him credit */ 5147 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5148 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5149 stcb->asoc.overall_error_count, 5150 0, 5151 SCTP_FROM_SCTP_INPUT, 5152 __LINE__); 5153 } 5154 stcb->asoc.overall_error_count = 0; 5155 sctp_handle_asconf_ack(m, *offset, 5156 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock); 5157 if (abort_no_unlock) 5158 return (NULL); 5159 } 5160 break; 5161 case SCTP_FORWARD_CUM_TSN: 5162 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n"); 5163 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) { 5164 /* Its not ours */ 5165 if (locked_tcb) { 5166 SCTP_TCB_UNLOCK(locked_tcb); 5167 } 5168 *offset = length; 5169 return (NULL); 5170 } 5171 /* He's alive so give him credit */ 5172 if (stcb) { 5173 int abort_flag = 0; 5174 5175 stcb->asoc.overall_error_count = 0; 5176 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5177 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5178 stcb->asoc.overall_error_count, 5179 0, 5180 SCTP_FROM_SCTP_INPUT, 5181 __LINE__); 5182 } 5183 *fwd_tsn_seen = 1; 5184 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 5185 /* We are not interested anymore */ 5186#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5187 so = SCTP_INP_SO(inp); 5188 atomic_add_int(&stcb->asoc.refcnt, 1); 5189 SCTP_TCB_UNLOCK(stcb); 5190 SCTP_SOCKET_LOCK(so, 1); 5191 SCTP_TCB_LOCK(stcb); 5192 atomic_subtract_int(&stcb->asoc.refcnt, 1); 5193#endif 5194 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 5195#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5196 SCTP_SOCKET_UNLOCK(so, 1); 5197#endif 5198 *offset = length; 5199 return (NULL); 5200 } 5201 sctp_handle_forward_tsn(stcb, 5202 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset); 5203 if (abort_flag) { 5204 *offset = length; 5205 return (NULL); 5206 } else { 5207 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5208 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5209 stcb->asoc.overall_error_count, 5210 0, 5211 SCTP_FROM_SCTP_INPUT, 5212 __LINE__); 5213 } 5214 stcb->asoc.overall_error_count = 0; 5215 } 5216 5217 } 5218 break; 5219 case SCTP_STREAM_RESET: 5220 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n"); 5221 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) { 5222 /* Its not ours */ 5223 if (locked_tcb) { 5224 SCTP_TCB_UNLOCK(locked_tcb); 5225 } 5226 *offset = length; 5227 return (NULL); 5228 } 5229 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 5230 /* We are not interested anymore */ 5231#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5232 so = SCTP_INP_SO(inp); 5233 atomic_add_int(&stcb->asoc.refcnt, 1); 5234 SCTP_TCB_UNLOCK(stcb); 5235 SCTP_SOCKET_LOCK(so, 1); 5236 SCTP_TCB_LOCK(stcb); 5237 atomic_subtract_int(&stcb->asoc.refcnt, 1); 5238#endif 5239 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_30); 5240#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5241 SCTP_SOCKET_UNLOCK(so, 1); 5242#endif 5243 *offset = length; 5244 return (NULL); 5245 } 5246 if (stcb->asoc.peer_supports_strreset == 0) { 5247 /* 5248 * hmm, peer should have announced this, but 5249 * we will turn it on since he is sending us 5250 * a stream reset. 5251 */ 5252 stcb->asoc.peer_supports_strreset = 1; 5253 } 5254 if (sctp_handle_stream_reset(stcb, m, *offset, (struct sctp_stream_reset_out_req *)ch)) { 5255 /* stop processing */ 5256 *offset = length; 5257 return (NULL); 5258 } 5259 break; 5260 case SCTP_PACKET_DROPPED: 5261 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n"); 5262 /* re-get it all please */ 5263 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) { 5264 /* Its not ours */ 5265 if (locked_tcb) { 5266 SCTP_TCB_UNLOCK(locked_tcb); 5267 } 5268 *offset = length; 5269 return (NULL); 5270 } 5271 if (ch && (stcb) && netp && (*netp)) { 5272 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 5273 stcb, *netp, 5274 min(chk_length, (sizeof(chunk_buf) - 4))); 5275 5276 } 5277 break; 5278 5279 case SCTP_AUTHENTICATION: 5280 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n"); 5281 if (SCTP_BASE_SYSCTL(sctp_auth_disable)) 5282 goto unknown_chunk; 5283 5284 if (stcb == NULL) { 5285 /* save the first AUTH for later processing */ 5286 if (auth_skipped == 0) { 5287 auth_offset = *offset; 5288 auth_len = chk_length; 5289 auth_skipped = 1; 5290 } 5291 /* skip this chunk (temporarily) */ 5292 goto next_chunk; 5293 } 5294 if ((chk_length < (sizeof(struct sctp_auth_chunk))) || 5295 (chk_length > (sizeof(struct sctp_auth_chunk) + 5296 SCTP_AUTH_DIGEST_LEN_MAX))) { 5297 /* Its not ours */ 5298 if (locked_tcb) { 5299 SCTP_TCB_UNLOCK(locked_tcb); 5300 } 5301 *offset = length; 5302 return (NULL); 5303 } 5304 if (got_auth == 1) { 5305 /* skip this chunk... it's already auth'd */ 5306 goto next_chunk; 5307 } 5308 got_auth = 1; 5309 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 5310 m, *offset)) { 5311 /* auth HMAC failed so dump the packet */ 5312 *offset = length; 5313 return (stcb); 5314 } else { 5315 /* remaining chunks are HMAC checked */ 5316 stcb->asoc.authenticated = 1; 5317 } 5318 break; 5319 5320 default: 5321 unknown_chunk: 5322 /* it's an unknown chunk! */ 5323 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 5324 struct mbuf *mm; 5325 struct sctp_paramhdr *phd; 5326 5327 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 5328 0, M_DONTWAIT, 1, MT_DATA); 5329 if (mm) { 5330 phd = mtod(mm, struct sctp_paramhdr *); 5331 /* 5332 * We cheat and use param type since 5333 * we did not bother to define a 5334 * error cause struct. They are the 5335 * same basic format with different 5336 * names. 5337 */ 5338 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 5339 phd->param_length = htons(chk_length + sizeof(*phd)); 5340 SCTP_BUF_LEN(mm) = sizeof(*phd); 5341 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 5342 M_DONTWAIT); 5343 if (SCTP_BUF_NEXT(mm)) { 5344#ifdef SCTP_MBUF_LOGGING 5345 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 5346 struct mbuf *mat; 5347 5348 mat = SCTP_BUF_NEXT(mm); 5349 while (mat) { 5350 if (SCTP_BUF_IS_EXTENDED(mat)) { 5351 sctp_log_mb(mat, SCTP_MBUF_ICOPY); 5352 } 5353 mat = SCTP_BUF_NEXT(mat); 5354 } 5355 } 5356#endif 5357 sctp_queue_op_err(stcb, mm); 5358 } else { 5359 sctp_m_freem(mm); 5360 } 5361 } 5362 } 5363 if ((ch->chunk_type & 0x80) == 0) { 5364 /* discard this packet */ 5365 *offset = length; 5366 return (stcb); 5367 } /* else skip this bad chunk and continue... */ 5368 break; 5369 } /* switch (ch->chunk_type) */ 5370 5371 5372next_chunk: 5373 /* get the next chunk */ 5374 *offset += SCTP_SIZE32(chk_length); 5375 if (*offset >= length) { 5376 /* no more data left in the mbuf chain */ 5377 break; 5378 } 5379 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 5380 sizeof(struct sctp_chunkhdr), chunk_buf); 5381 if (ch == NULL) { 5382 if (locked_tcb) { 5383 SCTP_TCB_UNLOCK(locked_tcb); 5384 } 5385 *offset = length; 5386 return (NULL); 5387 } 5388 } /* while */ 5389 5390 if (asconf_cnt > 0 && stcb != NULL) { 5391 sctp_send_asconf_ack(stcb); 5392 } 5393 return (stcb); 5394} 5395 5396 5397#ifdef INVARIANTS 5398#ifdef __GNUC__ 5399__attribute__((noinline)) 5400#endif 5401 void 5402 sctp_validate_no_locks(struct sctp_inpcb *inp) 5403{ 5404 struct sctp_tcb *lstcb; 5405 5406 LIST_FOREACH(lstcb, &inp->sctp_asoc_list, sctp_tcblist) { 5407 if (mtx_owned(&lstcb->tcb_mtx)) { 5408 panic("Own lock on stcb at return from input"); 5409 } 5410 } 5411 if (mtx_owned(&inp->inp_create_mtx)) { 5412 panic("Own create lock on inp"); 5413 } 5414 if (mtx_owned(&inp->inp_mtx)) { 5415 panic("Own inp lock on inp"); 5416 } 5417} 5418 5419#endif 5420 5421/* 5422 * common input chunk processing (v4 and v6) 5423 */ 5424void 5425sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 5426 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 5427 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 5428 uint8_t ecn_bits, uint32_t vrf_id, uint16_t port) 5429{ 5430 /* 5431 * Control chunk processing 5432 */ 5433 uint32_t high_tsn; 5434 int fwd_tsn_seen = 0, data_processed = 0; 5435 struct mbuf *m = *mm; 5436 int abort_flag = 0; 5437 int un_sent; 5438 int cnt_ctrl_ready = 0; 5439 5440 SCTP_STAT_INCR(sctps_recvdatagrams); 5441#ifdef SCTP_AUDITING_ENABLED 5442 sctp_audit_log(0xE0, 1); 5443 sctp_auditing(0, inp, stcb, net); 5444#endif 5445 5446 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n", 5447 m, iphlen, offset, length, stcb); 5448 if (stcb) { 5449 /* always clear this before beginning a packet */ 5450 stcb->asoc.authenticated = 0; 5451 stcb->asoc.seen_a_sack_this_pkt = 0; 5452 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n", 5453 stcb, stcb->asoc.state); 5454 5455 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) || 5456 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) { 5457 /*- 5458 * If we hit here, we had a ref count 5459 * up when the assoc was aborted and the 5460 * timer is clearing out the assoc, we should 5461 * NOT respond to any packet.. its OOTB. 5462 */ 5463 SCTP_TCB_UNLOCK(stcb); 5464 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5465 vrf_id, port); 5466 goto out_now; 5467 } 5468 } 5469 if (IS_SCTP_CONTROL(ch)) { 5470 /* process the control portion of the SCTP packet */ 5471 /* sa_ignore NO_NULL_CHK */ 5472 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 5473 inp, stcb, &net, &fwd_tsn_seen, vrf_id, port); 5474 if (stcb) { 5475 /* 5476 * This covers us if the cookie-echo was there and 5477 * it changes our INP. 5478 */ 5479 inp = stcb->sctp_ep; 5480 if ((net) && (port)) { 5481 if (net->port == 0) { 5482 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr)); 5483 } 5484 net->port = port; 5485 } 5486 } 5487 } else { 5488 /* 5489 * no control chunks, so pre-process DATA chunks (these 5490 * checks are taken care of by control processing) 5491 */ 5492 5493 /* 5494 * if DATA only packet, and auth is required, then punt... 5495 * can't have authenticated without any AUTH (control) 5496 * chunks 5497 */ 5498 if ((stcb != NULL) && 5499 !SCTP_BASE_SYSCTL(sctp_auth_disable) && 5500 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) { 5501 /* "silently" ignore */ 5502 SCTP_STAT_INCR(sctps_recvauthmissing); 5503 SCTP_TCB_UNLOCK(stcb); 5504 goto out_now; 5505 } 5506 if (stcb == NULL) { 5507 /* out of the blue DATA chunk */ 5508 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5509 vrf_id, port); 5510 goto out_now; 5511 } 5512 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 5513 /* v_tag mismatch! */ 5514 SCTP_STAT_INCR(sctps_badvtag); 5515 SCTP_TCB_UNLOCK(stcb); 5516 goto out_now; 5517 } 5518 } 5519 5520 if (stcb == NULL) { 5521 /* 5522 * no valid TCB for this packet, or we found it's a bad 5523 * packet while processing control, or we're done with this 5524 * packet (done or skip rest of data), so we drop it... 5525 */ 5526 goto out_now; 5527 } 5528 /* 5529 * DATA chunk processing 5530 */ 5531 /* plow through the data chunks while length > offset */ 5532 5533 /* 5534 * Rest should be DATA only. Check authentication state if AUTH for 5535 * DATA is required. 5536 */ 5537 if ((length > offset) && 5538 (stcb != NULL) && 5539 !SCTP_BASE_SYSCTL(sctp_auth_disable) && 5540 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) && 5541 !stcb->asoc.authenticated) { 5542 /* "silently" ignore */ 5543 SCTP_STAT_INCR(sctps_recvauthmissing); 5544 SCTPDBG(SCTP_DEBUG_AUTH1, 5545 "Data chunk requires AUTH, skipped\n"); 5546 goto trigger_send; 5547 } 5548 if (length > offset) { 5549 int retval; 5550 5551 /* 5552 * First check to make sure our state is correct. We would 5553 * not get here unless we really did have a tag, so we don't 5554 * abort if this happens, just dump the chunk silently. 5555 */ 5556 switch (SCTP_GET_STATE(&stcb->asoc)) { 5557 case SCTP_STATE_COOKIE_ECHOED: 5558 /* 5559 * we consider data with valid tags in this state 5560 * shows us the cookie-ack was lost. Imply it was 5561 * there. 5562 */ 5563 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5564 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5565 stcb->asoc.overall_error_count, 5566 0, 5567 SCTP_FROM_SCTP_INPUT, 5568 __LINE__); 5569 } 5570 stcb->asoc.overall_error_count = 0; 5571 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 5572 break; 5573 case SCTP_STATE_COOKIE_WAIT: 5574 /* 5575 * We consider OOTB any data sent during asoc setup. 5576 */ 5577 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5578 vrf_id, port); 5579 SCTP_TCB_UNLOCK(stcb); 5580 goto out_now; 5581 /* sa_ignore NOTREACHED */ 5582 break; 5583 case SCTP_STATE_EMPTY: /* should not happen */ 5584 case SCTP_STATE_INUSE: /* should not happen */ 5585 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 5586 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5587 default: 5588 SCTP_TCB_UNLOCK(stcb); 5589 goto out_now; 5590 /* sa_ignore NOTREACHED */ 5591 break; 5592 case SCTP_STATE_OPEN: 5593 case SCTP_STATE_SHUTDOWN_SENT: 5594 break; 5595 } 5596 /* plow through the data chunks while length > offset */ 5597 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 5598 inp, stcb, net, &high_tsn); 5599 if (retval == 2) { 5600 /* 5601 * The association aborted, NO UNLOCK needed since 5602 * the association is destroyed. 5603 */ 5604 goto out_now; 5605 } 5606 data_processed = 1; 5607 /* 5608 * Anything important needs to have been m_copy'ed in 5609 * process_data 5610 */ 5611 } 5612 /* take care of ecn */ 5613 if (stcb->asoc.ecn_allowed && ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS)) { 5614 /* Yep, we need to add a ECNE */ 5615 sctp_send_ecn_echo(stcb, net, high_tsn); 5616 } 5617 if ((data_processed == 0) && (fwd_tsn_seen)) { 5618 int was_a_gap; 5619 uint32_t highest_tsn; 5620 5621 if (SCTP_TSN_GT(stcb->asoc.highest_tsn_inside_nr_map, stcb->asoc.highest_tsn_inside_map)) { 5622 highest_tsn = stcb->asoc.highest_tsn_inside_nr_map; 5623 } else { 5624 highest_tsn = stcb->asoc.highest_tsn_inside_map; 5625 } 5626 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn); 5627 stcb->asoc.send_sack = 1; 5628 sctp_sack_check(stcb, was_a_gap, &abort_flag); 5629 if (abort_flag) { 5630 /* Again, we aborted so NO UNLOCK needed */ 5631 goto out_now; 5632 } 5633 } else if (fwd_tsn_seen) { 5634 stcb->asoc.send_sack = 1; 5635 } 5636 /* trigger send of any chunks in queue... */ 5637trigger_send: 5638#ifdef SCTP_AUDITING_ENABLED 5639 sctp_audit_log(0xE0, 2); 5640 sctp_auditing(1, inp, stcb, net); 5641#endif 5642 SCTPDBG(SCTP_DEBUG_INPUT1, 5643 "Check for chunk output prw:%d tqe:%d tf=%d\n", 5644 stcb->asoc.peers_rwnd, 5645 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 5646 stcb->asoc.total_flight); 5647 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 5648 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 5649 cnt_ctrl_ready = stcb->asoc.ctrl_queue_cnt - stcb->asoc.ecn_echo_cnt_onq; 5650 } 5651 if (cnt_ctrl_ready || 5652 ((un_sent) && 5653 (stcb->asoc.peers_rwnd > 0 || 5654 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 5655 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n"); 5656 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 5657 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n"); 5658 } 5659#ifdef SCTP_AUDITING_ENABLED 5660 sctp_audit_log(0xE0, 3); 5661 sctp_auditing(2, inp, stcb, net); 5662#endif 5663 SCTP_TCB_UNLOCK(stcb); 5664out_now: 5665#ifdef INVARIANTS 5666 sctp_validate_no_locks(inp); 5667#endif 5668 return; 5669} 5670 5671#if 0 5672static void 5673sctp_print_mbuf_chain(struct mbuf *m) 5674{ 5675 for (; m; m = SCTP_BUF_NEXT(m)) { 5676 printf("%p: m_len = %ld\n", m, SCTP_BUF_LEN(m)); 5677 if (SCTP_BUF_IS_EXTENDED(m)) 5678 printf("%p: extend_size = %d\n", m, SCTP_BUF_EXTEND_SIZE(m)); 5679 } 5680} 5681 5682#endif 5683 5684void 5685sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port) 5686{ 5687#ifdef SCTP_MBUF_LOGGING 5688 struct mbuf *mat; 5689 5690#endif 5691 struct mbuf *m; 5692 int iphlen; 5693 uint32_t vrf_id = 0; 5694 uint8_t ecn_bits; 5695 struct ip *ip; 5696 struct sctphdr *sh; 5697 struct sctp_inpcb *inp = NULL; 5698 struct sctp_nets *net; 5699 struct sctp_tcb *stcb = NULL; 5700 struct sctp_chunkhdr *ch; 5701 int refcount_up = 0; 5702 int length, mlen, offset; 5703 5704#if !defined(SCTP_WITH_NO_CSUM) 5705 uint32_t check, calc_check; 5706 5707#endif 5708 5709 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) { 5710 SCTP_RELEASE_PKT(i_pak); 5711 return; 5712 } 5713 mlen = SCTP_HEADER_LEN(i_pak); 5714 iphlen = off; 5715 m = SCTP_HEADER_TO_CHAIN(i_pak); 5716 5717 net = NULL; 5718 SCTP_STAT_INCR(sctps_recvpackets); 5719 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 5720 5721 5722#ifdef SCTP_MBUF_LOGGING 5723 /* Log in any input mbufs */ 5724 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 5725 mat = m; 5726 while (mat) { 5727 if (SCTP_BUF_IS_EXTENDED(mat)) { 5728 sctp_log_mb(mat, SCTP_MBUF_INPUT); 5729 } 5730 mat = SCTP_BUF_NEXT(mat); 5731 } 5732 } 5733#endif 5734#ifdef SCTP_PACKET_LOGGING 5735 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) 5736 sctp_packet_log(m, mlen); 5737#endif 5738 /* 5739 * Must take out the iphlen, since mlen expects this (only effect lb 5740 * case) 5741 */ 5742 mlen -= iphlen; 5743 5744 /* 5745 * Get IP, SCTP, and first chunk header together in first mbuf. 5746 */ 5747 ip = mtod(m, struct ip *); 5748 offset = iphlen + sizeof(*sh) + sizeof(*ch); 5749 if (SCTP_BUF_LEN(m) < offset) { 5750 if ((m = m_pullup(m, offset)) == 0) { 5751 SCTP_STAT_INCR(sctps_hdrops); 5752 return; 5753 } 5754 ip = mtod(m, struct ip *); 5755 } 5756 /* validate mbuf chain length with IP payload length */ 5757 if (mlen < (SCTP_GET_IPV4_LENGTH(ip) - iphlen)) { 5758 SCTP_STAT_INCR(sctps_hdrops); 5759 goto bad; 5760 } 5761 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 5762 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 5763 SCTPDBG(SCTP_DEBUG_INPUT1, 5764 "sctp_input() length:%d iphlen:%d\n", mlen, iphlen); 5765 5766 /* SCTP does not allow broadcasts or multicasts */ 5767 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 5768 goto bad; 5769 } 5770 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 5771 /* 5772 * We only look at broadcast if its a front state, All 5773 * others we will not have a tcb for anyway. 5774 */ 5775 goto bad; 5776 } 5777 /* validate SCTP checksum */ 5778 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD, 5779 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%x.\n", 5780 m->m_pkthdr.len, 5781 if_name(m->m_pkthdr.rcvif), 5782 m->m_pkthdr.csum_flags); 5783#if defined(SCTP_WITH_NO_CSUM) 5784 SCTP_STAT_INCR(sctps_recvnocrc); 5785#else 5786 if (m->m_pkthdr.csum_flags & CSUM_SCTP_VALID) { 5787 SCTP_STAT_INCR(sctps_recvhwcrc); 5788 goto sctp_skip_csum_4; 5789 } 5790 check = sh->checksum; /* save incoming checksum */ 5791 sh->checksum = 0; /* prepare for calc */ 5792 calc_check = sctp_calculate_cksum(m, iphlen); 5793 sh->checksum = check; 5794 SCTP_STAT_INCR(sctps_recvswcrc); 5795 if (calc_check != check) { 5796 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 5797 calc_check, check, m, mlen, iphlen); 5798 5799 stcb = sctp_findassociation_addr(m, iphlen, 5800 offset - sizeof(*ch), 5801 sh, ch, &inp, &net, 5802 vrf_id); 5803 if ((net) && (port)) { 5804 if (net->port == 0) { 5805 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr)); 5806 } 5807 net->port = port; 5808 } 5809 if ((inp) && (stcb)) { 5810 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 5811 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED); 5812 } else if ((inp != NULL) && (stcb == NULL)) { 5813 refcount_up = 1; 5814 } 5815 SCTP_STAT_INCR(sctps_badsum); 5816 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 5817 goto bad; 5818 } 5819sctp_skip_csum_4: 5820#endif 5821 /* destination port of 0 is illegal, based on RFC2960. */ 5822 if (sh->dest_port == 0) { 5823 SCTP_STAT_INCR(sctps_hdrops); 5824 goto bad; 5825 } 5826 /* 5827 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 5828 * IP/SCTP/first chunk header... 5829 */ 5830 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 5831 sh, ch, &inp, &net, vrf_id); 5832 if ((net) && (port)) { 5833 if (net->port == 0) { 5834 sctp_pathmtu_adjustment(inp, stcb, net, net->mtu - sizeof(struct udphdr)); 5835 } 5836 net->port = port; 5837 } 5838 /* inp's ref-count increased && stcb locked */ 5839 if (inp == NULL) { 5840 struct sctp_init_chunk *init_chk, chunk_buf; 5841 5842 SCTP_STAT_INCR(sctps_noport); 5843#ifdef ICMP_BANDLIM 5844 /* 5845 * we use the bandwidth limiting to protect against sending 5846 * too many ABORTS all at once. In this case these count the 5847 * same as an ICMP message. 5848 */ 5849 if (badport_bandlim(0) < 0) 5850 goto bad; 5851#endif /* ICMP_BANDLIM */ 5852 SCTPDBG(SCTP_DEBUG_INPUT1, 5853 "Sending a ABORT from packet entry!\n"); 5854 if (ch->chunk_type == SCTP_INITIATION) { 5855 /* 5856 * we do a trick here to get the INIT tag, dig in 5857 * and get the tag from the INIT and put it in the 5858 * common header. 5859 */ 5860 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 5861 iphlen + sizeof(*sh), sizeof(*init_chk), 5862 (uint8_t *) & chunk_buf); 5863 if (init_chk != NULL) 5864 sh->v_tag = init_chk->init.initiate_tag; 5865 } 5866 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 5867 sctp_send_shutdown_complete2(m, iphlen, sh, vrf_id, port); 5868 goto bad; 5869 } 5870 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 5871 goto bad; 5872 } 5873 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 5874 sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id, port); 5875 goto bad; 5876 } else if (stcb == NULL) { 5877 refcount_up = 1; 5878 } 5879#ifdef IPSEC 5880 /* 5881 * I very much doubt any of the IPSEC stuff will work but I have no 5882 * idea, so I will leave it in place. 5883 */ 5884 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 5885 MODULE_GLOBAL(ipsec4stat).in_polvio++; 5886 SCTP_STAT_INCR(sctps_hdrops); 5887 goto bad; 5888 } 5889#endif /* IPSEC */ 5890 5891 /* 5892 * common chunk processing 5893 */ 5894 length = ip->ip_len + iphlen; 5895 offset -= sizeof(struct sctp_chunkhdr); 5896 5897 ecn_bits = ip->ip_tos; 5898 5899 /* sa_ignore NO_NULL_CHK */ 5900 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 5901 inp, stcb, net, ecn_bits, vrf_id, port); 5902 /* inp's ref-count reduced && stcb unlocked */ 5903 if (m) { 5904 sctp_m_freem(m); 5905 } 5906 if ((inp) && (refcount_up)) { 5907 /* reduce ref-count */ 5908 SCTP_INP_DECR_REF(inp); 5909 } 5910 return; 5911bad: 5912 if (stcb) { 5913 SCTP_TCB_UNLOCK(stcb); 5914 } 5915 if ((inp) && (refcount_up)) { 5916 /* reduce ref-count */ 5917 SCTP_INP_DECR_REF(inp); 5918 } 5919 if (m) { 5920 sctp_m_freem(m); 5921 } 5922 return; 5923} 5924void 5925sctp_input(i_pak, off) 5926 struct mbuf *i_pak; 5927 int off; 5928{ 5929 sctp_input_with_port(i_pak, off, 0); 5930} 5931