sctp_input.c revision 229774
1/*- 2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved. 3 * Copyright (c) 2008-2011, by Randall Stewart. All rights reserved. 4 * Copyright (c) 2008-2011, by Michael Tuexen. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions are met: 8 * 9 * a) Redistributions of source code must retain the above copyright notice, 10 * this list of conditions and the following disclaimer. 11 * 12 * b) Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the distribution. 15 * 16 * c) Neither the name of Cisco Systems, Inc. nor the names of its 17 * contributors may be used to endorse or promote products derived 18 * from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 30 * THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33/* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 34 35#include <sys/cdefs.h> 36__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 229774 2012-01-07 13:03:33Z tuexen $"); 37 38#include <netinet/sctp_os.h> 39#include <netinet/sctp_var.h> 40#include <netinet/sctp_sysctl.h> 41#include <netinet/sctp_pcb.h> 42#include <netinet/sctp_header.h> 43#include <netinet/sctputil.h> 44#include <netinet/sctp_output.h> 45#include <netinet/sctp_input.h> 46#include <netinet/sctp_auth.h> 47#include <netinet/sctp_indata.h> 48#include <netinet/sctp_asconf.h> 49#include <netinet/sctp_bsd_addr.h> 50#include <netinet/sctp_timer.h> 51#include <netinet/sctp_crc32.h> 52#include <netinet/udp.h> 53#include <sys/smp.h> 54 55 56 57static void 58sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 59{ 60 struct sctp_nets *net; 61 62 /* 63 * This now not only stops all cookie timers it also stops any INIT 64 * timers as well. This will make sure that the timers are stopped 65 * in all collision cases. 66 */ 67 SCTP_TCB_LOCK_ASSERT(stcb); 68 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 69 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 70 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 71 stcb->sctp_ep, 72 stcb, 73 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 74 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 75 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 76 stcb->sctp_ep, 77 stcb, 78 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 79 } 80 } 81} 82 83/* INIT handler */ 84static void 85sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 86 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 87 int *abort_no_unlock, uint32_t vrf_id, uint16_t port) 88{ 89 struct sctp_init *init; 90 struct mbuf *op_err; 91 92 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n", 93 stcb); 94 if (stcb == NULL) { 95 SCTP_INP_RLOCK(inp); 96 } 97 /* validate length */ 98 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 99 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 100 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 101 vrf_id, port); 102 if (stcb) 103 *abort_no_unlock = 1; 104 goto outnow; 105 } 106 /* validate parameters */ 107 init = &cp->init; 108 if (init->initiate_tag == 0) { 109 /* protocol error... send abort */ 110 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 111 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 112 vrf_id, port); 113 if (stcb) 114 *abort_no_unlock = 1; 115 goto outnow; 116 } 117 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 118 /* invalid parameter... send abort */ 119 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 120 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 121 vrf_id, port); 122 if (stcb) 123 *abort_no_unlock = 1; 124 goto outnow; 125 } 126 if (init->num_inbound_streams == 0) { 127 /* protocol error... send abort */ 128 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 129 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 130 vrf_id, port); 131 if (stcb) 132 *abort_no_unlock = 1; 133 goto outnow; 134 } 135 if (init->num_outbound_streams == 0) { 136 /* protocol error... send abort */ 137 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 138 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err, 139 vrf_id, port); 140 if (stcb) 141 *abort_no_unlock = 1; 142 goto outnow; 143 } 144 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 145 offset + ntohs(cp->ch.chunk_length))) { 146 /* auth parameter(s) error... send abort */ 147 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, vrf_id, port); 148 if (stcb) 149 *abort_no_unlock = 1; 150 goto outnow; 151 } 152 /* 153 * We are only accepting if we have a socket with positive 154 * so_qlimit. 155 */ 156 if ((stcb == NULL) && 157 ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || 158 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) || 159 (inp->sctp_socket == NULL) || 160 (inp->sctp_socket->so_qlimit == 0))) { 161 /* 162 * FIX ME ?? What about TCP model and we have a 163 * match/restart case? Actually no fix is needed. the lookup 164 * will always find the existing assoc so stcb would not be 165 * NULL. It may be questionable to do this since we COULD 166 * just send back the INIT-ACK and hope that the app did 167 * accept()'s by the time the COOKIE was sent. But there is 168 * a price to pay for COOKIE generation and I don't want to 169 * pay it on the chance that the app will actually do some 170 * accepts(). The App just looses and should NOT be in this 171 * state :-) 172 */ 173 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL, 174 vrf_id, port); 175 goto outnow; 176 } 177 if ((stcb != NULL) && 178 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT)) { 179 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending SHUTDOWN-ACK\n"); 180 sctp_send_shutdown_ack(stcb, NULL); 181 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 182 } else { 183 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n"); 184 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp, vrf_id, port, 185 ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED)); 186 } 187outnow: 188 if (stcb == NULL) { 189 SCTP_INP_RUNLOCK(inp); 190 } 191} 192 193/* 194 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 195 */ 196 197int 198sctp_is_there_unsent_data(struct sctp_tcb *stcb, int so_locked 199#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING) 200 SCTP_UNUSED 201#endif 202) 203{ 204 int unsent_data = 0; 205 unsigned int i; 206 struct sctp_stream_queue_pending *sp; 207 struct sctp_association *asoc; 208 209 /* 210 * This function returns the number of streams that have true unsent 211 * data on them. Note that as it looks through it will clean up any 212 * places that have old data that has been sent but left at top of 213 * stream queue. 214 */ 215 asoc = &stcb->asoc; 216 SCTP_TCB_SEND_LOCK(stcb); 217 if (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) { 218 /* Check to see if some data queued */ 219 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 220 /* sa_ignore FREED_MEMORY */ 221 sp = TAILQ_FIRST(&stcb->asoc.strmout[i].outqueue); 222 if (sp == NULL) { 223 continue; 224 } 225 if ((sp->msg_is_complete) && 226 (sp->length == 0) && 227 (sp->sender_all_done)) { 228 /* 229 * We are doing differed cleanup. Last time 230 * through when we took all the data the 231 * sender_all_done was not set. 232 */ 233 if (sp->put_last_out == 0) { 234 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n"); 235 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n", 236 sp->sender_all_done, 237 sp->length, 238 sp->msg_is_complete, 239 sp->put_last_out); 240 } 241 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1); 242 TAILQ_REMOVE(&stcb->asoc.strmout[i].outqueue, sp, next); 243 if (sp->net) { 244 sctp_free_remote_addr(sp->net); 245 sp->net = NULL; 246 } 247 if (sp->data) { 248 sctp_m_freem(sp->data); 249 sp->data = NULL; 250 } 251 sctp_free_a_strmoq(stcb, sp, so_locked); 252 } else { 253 unsent_data++; 254 break; 255 } 256 } 257 } 258 SCTP_TCB_SEND_UNLOCK(stcb); 259 return (unsent_data); 260} 261 262static int 263sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb) 264{ 265 struct sctp_init *init; 266 struct sctp_association *asoc; 267 struct sctp_nets *lnet; 268 unsigned int i; 269 270 init = &cp->init; 271 asoc = &stcb->asoc; 272 /* save off parameters */ 273 asoc->peer_vtag = ntohl(init->initiate_tag); 274 asoc->peers_rwnd = ntohl(init->a_rwnd); 275 /* init tsn's */ 276 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 277 278 if (!TAILQ_EMPTY(&asoc->nets)) { 279 /* update any ssthresh's that may have a default */ 280 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 281 lnet->ssthresh = asoc->peers_rwnd; 282 if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE | SCTP_CWND_LOGGING_ENABLE)) { 283 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 284 } 285 } 286 } 287 SCTP_TCB_SEND_LOCK(stcb); 288 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 289 unsigned int newcnt; 290 struct sctp_stream_out *outs; 291 struct sctp_stream_queue_pending *sp, *nsp; 292 struct sctp_tmit_chunk *chk, *nchk; 293 294 /* abandon the upper streams */ 295 newcnt = ntohs(init->num_inbound_streams); 296 TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) { 297 if (chk->rec.data.stream_number >= newcnt) { 298 TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next); 299 asoc->send_queue_cnt--; 300 if (chk->data != NULL) { 301 sctp_free_bufspace(stcb, asoc, chk, 1); 302 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL, stcb, 303 SCTP_NOTIFY_DATAGRAM_UNSENT, chk, SCTP_SO_NOT_LOCKED); 304 if (chk->data) { 305 sctp_m_freem(chk->data); 306 chk->data = NULL; 307 } 308 } 309 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 310 /* sa_ignore FREED_MEMORY */ 311 } 312 } 313 if (asoc->strmout) { 314 for (i = newcnt; i < asoc->pre_open_streams; i++) { 315 outs = &asoc->strmout[i]; 316 TAILQ_FOREACH_SAFE(sp, &outs->outqueue, next, nsp) { 317 TAILQ_REMOVE(&outs->outqueue, sp, next); 318 asoc->stream_queue_cnt--; 319 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 320 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 321 sp, SCTP_SO_NOT_LOCKED); 322 if (sp->data) { 323 sctp_m_freem(sp->data); 324 sp->data = NULL; 325 } 326 if (sp->net) { 327 sctp_free_remote_addr(sp->net); 328 sp->net = NULL; 329 } 330 /* Free the chunk */ 331 sctp_free_a_strmoq(stcb, sp, SCTP_SO_NOT_LOCKED); 332 /* sa_ignore FREED_MEMORY */ 333 } 334 } 335 } 336 /* cut back the count */ 337 asoc->pre_open_streams = newcnt; 338 } 339 SCTP_TCB_SEND_UNLOCK(stcb); 340 asoc->strm_realoutsize = asoc->streamoutcnt = asoc->pre_open_streams; 341 342 /* EY - nr_sack: initialize highest tsn in nr_mapping_array */ 343 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map; 344 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 345 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 346 } 347 /* This is the next one we expect */ 348 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 349 350 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 351 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in; 352 353 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 354 /* open the requested streams */ 355 356 if (asoc->strmin != NULL) { 357 /* Free the old ones */ 358 struct sctp_queued_to_read *ctl, *nctl; 359 360 for (i = 0; i < asoc->streamincnt; i++) { 361 TAILQ_FOREACH_SAFE(ctl, &asoc->strmin[i].inqueue, next, nctl) { 362 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 363 sctp_free_remote_addr(ctl->whoFrom); 364 ctl->whoFrom = NULL; 365 sctp_m_freem(ctl->data); 366 ctl->data = NULL; 367 sctp_free_a_readq(stcb, ctl); 368 } 369 } 370 SCTP_FREE(asoc->strmin, SCTP_M_STRMI); 371 } 372 asoc->streamincnt = ntohs(init->num_outbound_streams); 373 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 374 asoc->streamincnt = MAX_SCTP_STREAMS; 375 } 376 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 377 sizeof(struct sctp_stream_in), SCTP_M_STRMI); 378 if (asoc->strmin == NULL) { 379 /* we didn't get memory for the streams! */ 380 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n"); 381 return (-1); 382 } 383 for (i = 0; i < asoc->streamincnt; i++) { 384 asoc->strmin[i].stream_no = i; 385 asoc->strmin[i].last_sequence_delivered = 0xffff; 386 /* 387 * U-stream ranges will be set when the cookie is unpacked. 388 * Or for the INIT sender they are un set (if pr-sctp not 389 * supported) when the INIT-ACK arrives. 390 */ 391 TAILQ_INIT(&asoc->strmin[i].inqueue); 392 asoc->strmin[i].delivery_started = 0; 393 } 394 /* 395 * load_address_from_init will put the addresses into the 396 * association when the COOKIE is processed or the INIT-ACK is 397 * processed. Both types of COOKIE's existing and new call this 398 * routine. It will remove addresses that are no longer in the 399 * association (for the restarting case where addresses are 400 * removed). Up front when the INIT arrives we will discard it if it 401 * is a restart and new addresses have been added. 402 */ 403 /* sa_ignore MEMLEAK */ 404 return (0); 405} 406 407/* 408 * INIT-ACK message processing/consumption returns value < 0 on error 409 */ 410static int 411sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 412 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 413 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 414{ 415 struct sctp_association *asoc; 416 struct mbuf *op_err; 417 int retval, abort_flag; 418 uint32_t initack_limit; 419 int nat_friendly = 0; 420 421 /* First verify that we have no illegal param's */ 422 abort_flag = 0; 423 op_err = NULL; 424 425 op_err = sctp_arethere_unrecognized_parameters(m, 426 (offset + sizeof(struct sctp_init_chunk)), 427 &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly); 428 if (abort_flag) { 429 /* Send an abort and notify peer */ 430 sctp_abort_an_association(stcb->sctp_ep, stcb, SCTP_CAUSE_PROTOCOL_VIOLATION, op_err, SCTP_SO_NOT_LOCKED); 431 *abort_no_unlock = 1; 432 return (-1); 433 } 434 asoc = &stcb->asoc; 435 asoc->peer_supports_nat = (uint8_t) nat_friendly; 436 /* process the peer's parameters in the INIT-ACK */ 437 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb); 438 if (retval < 0) { 439 return (retval); 440 } 441 initack_limit = offset + ntohs(cp->ch.chunk_length); 442 /* load all addresses */ 443 if ((retval = sctp_load_addresses_from_init(stcb, m, 444 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 445 NULL))) { 446 /* Huh, we should abort */ 447 SCTPDBG(SCTP_DEBUG_INPUT1, 448 "Load addresses from INIT causes an abort %d\n", 449 retval); 450 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 451 NULL, 0, net->port); 452 *abort_no_unlock = 1; 453 return (-1); 454 } 455 /* if the peer doesn't support asconf, flush the asconf queue */ 456 if (asoc->peer_supports_asconf == 0) { 457 struct sctp_asconf_addr *param, *nparam; 458 459 TAILQ_FOREACH_SAFE(param, &asoc->asconf_queue, next, nparam) { 460 TAILQ_REMOVE(&asoc->asconf_queue, param, next); 461 SCTP_FREE(param, SCTP_M_ASC_ADDR); 462 } 463 } 464 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 465 stcb->asoc.local_hmacs); 466 if (op_err) { 467 sctp_queue_op_err(stcb, op_err); 468 /* queuing will steal away the mbuf chain to the out queue */ 469 op_err = NULL; 470 } 471 /* extract the cookie and queue it to "echo" it back... */ 472 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 473 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 474 stcb->asoc.overall_error_count, 475 0, 476 SCTP_FROM_SCTP_INPUT, 477 __LINE__); 478 } 479 stcb->asoc.overall_error_count = 0; 480 net->error_count = 0; 481 482 /* 483 * Cancel the INIT timer, We do this first before queueing the 484 * cookie. We always cancel at the primary to assue that we are 485 * canceling the timer started by the INIT which always goes to the 486 * primary. 487 */ 488 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 489 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 490 491 /* calculate the RTO */ 492 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy, 493 SCTP_RTT_FROM_NON_DATA); 494 495 retval = sctp_send_cookie_echo(m, offset, stcb, net); 496 if (retval < 0) { 497 /* 498 * No cookie, we probably should send a op error. But in any 499 * case if there is no cookie in the INIT-ACK, we can 500 * abandon the peer, its broke. 501 */ 502 if (retval == -3) { 503 /* We abort with an error of missing mandatory param */ 504 op_err = 505 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 506 if (op_err) { 507 /* 508 * Expand beyond to include the mandatory 509 * param cookie 510 */ 511 struct sctp_inv_mandatory_param *mp; 512 513 SCTP_BUF_LEN(op_err) = 514 sizeof(struct sctp_inv_mandatory_param); 515 mp = mtod(op_err, 516 struct sctp_inv_mandatory_param *); 517 /* Subtract the reserved param */ 518 mp->length = 519 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 520 mp->num_param = htonl(1); 521 mp->param = htons(SCTP_STATE_COOKIE); 522 mp->resv = 0; 523 } 524 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 525 sh, op_err, vrf_id, net->port); 526 *abort_no_unlock = 1; 527 } 528 return (retval); 529 } 530 return (0); 531} 532 533static void 534sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 535 struct sctp_tcb *stcb, struct sctp_nets *net) 536{ 537 struct sockaddr_storage store; 538 struct sctp_nets *r_net, *f_net; 539 struct timeval tv; 540 int req_prim = 0; 541 uint16_t old_error_counter; 542 543#ifdef INET 544 struct sockaddr_in *sin; 545 546#endif 547#ifdef INET6 548 struct sockaddr_in6 *sin6; 549 550#endif 551 552 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 553 /* Invalid length */ 554 return; 555 } 556 memset(&store, 0, sizeof(store)); 557 switch (cp->heartbeat.hb_info.addr_family) { 558#ifdef INET 559 case AF_INET: 560 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 561 sin = (struct sockaddr_in *)&store; 562 sin->sin_family = cp->heartbeat.hb_info.addr_family; 563 sin->sin_len = cp->heartbeat.hb_info.addr_len; 564 sin->sin_port = stcb->rport; 565 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 566 sizeof(sin->sin_addr)); 567 } else { 568 return; 569 } 570 break; 571#endif 572#ifdef INET6 573 case AF_INET6: 574 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 575 sin6 = (struct sockaddr_in6 *)&store; 576 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 577 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 578 sin6->sin6_port = stcb->rport; 579 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 580 sizeof(sin6->sin6_addr)); 581 } else { 582 return; 583 } 584 break; 585#endif 586 default: 587 return; 588 } 589 r_net = sctp_findnet(stcb, (struct sockaddr *)&store); 590 if (r_net == NULL) { 591 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n"); 592 return; 593 } 594 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 595 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 596 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 597 /* 598 * If the its a HB and it's random value is correct when can 599 * confirm the destination. 600 */ 601 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 602 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 603 stcb->asoc.primary_destination = r_net; 604 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 605 f_net = TAILQ_FIRST(&stcb->asoc.nets); 606 if (f_net != r_net) { 607 /* 608 * first one on the list is NOT the primary 609 * sctp_cmpaddr() is much more efficent if 610 * the primary is the first on the list, 611 * make it so. 612 */ 613 TAILQ_REMOVE(&stcb->asoc.nets, r_net, sctp_next); 614 TAILQ_INSERT_HEAD(&stcb->asoc.nets, r_net, sctp_next); 615 } 616 req_prim = 1; 617 } 618 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 619 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED); 620 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3); 621 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net); 622 } 623 old_error_counter = r_net->error_count; 624 r_net->error_count = 0; 625 r_net->hb_responded = 1; 626 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 627 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 628 /* Now lets do a RTO with this */ 629 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy, 630 SCTP_RTT_FROM_NON_DATA); 631 if (!(r_net->dest_state & SCTP_ADDR_REACHABLE)) { 632 r_net->dest_state |= SCTP_ADDR_REACHABLE; 633 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 634 SCTP_HEARTBEAT_SUCCESS, (void *)r_net, SCTP_SO_NOT_LOCKED); 635 } 636 if (r_net->dest_state & SCTP_ADDR_PF) { 637 r_net->dest_state &= ~SCTP_ADDR_PF; 638 stcb->asoc.cc_functions.sctp_cwnd_update_exit_pf(stcb, net); 639 } 640 if (old_error_counter > 0) { 641 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3); 642 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net); 643 } 644 if (r_net == stcb->asoc.primary_destination) { 645 if (stcb->asoc.alternate) { 646 /* release the alternate, primary is good */ 647 sctp_free_remote_addr(stcb->asoc.alternate); 648 stcb->asoc.alternate = NULL; 649 } 650 } 651 /* Mobility adaptation */ 652 if (req_prim) { 653 if ((sctp_is_mobility_feature_on(stcb->sctp_ep, 654 SCTP_MOBILITY_BASE) || 655 sctp_is_mobility_feature_on(stcb->sctp_ep, 656 SCTP_MOBILITY_FASTHANDOFF)) && 657 sctp_is_mobility_feature_on(stcb->sctp_ep, 658 SCTP_MOBILITY_PRIM_DELETED)) { 659 660 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_TIMER + SCTP_LOC_7); 661 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 662 SCTP_MOBILITY_FASTHANDOFF)) { 663 sctp_assoc_immediate_retrans(stcb, 664 stcb->asoc.primary_destination); 665 } 666 if (sctp_is_mobility_feature_on(stcb->sctp_ep, 667 SCTP_MOBILITY_BASE)) { 668 sctp_move_chunks_from_net(stcb, 669 stcb->asoc.deleted_primary); 670 } 671 sctp_delete_prim_timer(stcb->sctp_ep, stcb, 672 stcb->asoc.deleted_primary); 673 } 674 } 675} 676 677static int 678sctp_handle_nat_colliding_state(struct sctp_tcb *stcb) 679{ 680 /* 681 * return 0 means we want you to proceed with the abort non-zero 682 * means no abort processing 683 */ 684 struct sctpasochead *head; 685 686 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) { 687 /* generate a new vtag and send init */ 688 LIST_REMOVE(stcb, sctp_asocs); 689 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1); 690 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))]; 691 /* 692 * put it in the bucket in the vtag hash of assoc's for the 693 * system 694 */ 695 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 696 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 697 return (1); 698 } 699 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED) { 700 /* 701 * treat like a case where the cookie expired i.e.: - dump 702 * current cookie. - generate a new vtag. - resend init. 703 */ 704 /* generate a new vtag and send init */ 705 LIST_REMOVE(stcb, sctp_asocs); 706 stcb->asoc.state &= ~SCTP_STATE_COOKIE_ECHOED; 707 stcb->asoc.state |= SCTP_STATE_COOKIE_WAIT; 708 sctp_stop_all_cookie_timers(stcb); 709 sctp_toss_old_cookies(stcb, &stcb->asoc); 710 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1); 711 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))]; 712 /* 713 * put it in the bucket in the vtag hash of assoc's for the 714 * system 715 */ 716 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 717 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 718 return (1); 719 } 720 return (0); 721} 722 723static int 724sctp_handle_nat_missing_state(struct sctp_tcb *stcb, 725 struct sctp_nets *net) 726{ 727 /* 728 * return 0 means we want you to proceed with the abort non-zero 729 * means no abort processing 730 */ 731 if (stcb->asoc.peer_supports_auth == 0) { 732 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n"); 733 return (0); 734 } 735 sctp_asconf_send_nat_state_update(stcb, net); 736 return (1); 737} 738 739 740static void 741sctp_handle_abort(struct sctp_abort_chunk *cp, 742 struct sctp_tcb *stcb, struct sctp_nets *net) 743{ 744#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 745 struct socket *so; 746 747#endif 748 uint16_t len; 749 750 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n"); 751 if (stcb == NULL) 752 return; 753 754 len = ntohs(cp->ch.chunk_length); 755 if (len > sizeof(struct sctp_chunkhdr)) { 756 /* 757 * Need to check the cause codes for our two magic nat 758 * aborts which don't kill the assoc necessarily. 759 */ 760 struct sctp_abort_chunk *cpnext; 761 struct sctp_missing_nat_state *natc; 762 uint16_t cause; 763 764 cpnext = cp; 765 cpnext++; 766 natc = (struct sctp_missing_nat_state *)cpnext; 767 cause = ntohs(natc->cause); 768 if (cause == SCTP_CAUSE_NAT_COLLIDING_STATE) { 769 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n", 770 cp->ch.chunk_flags); 771 if (sctp_handle_nat_colliding_state(stcb)) { 772 return; 773 } 774 } else if (cause == SCTP_CAUSE_NAT_MISSING_STATE) { 775 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n", 776 cp->ch.chunk_flags); 777 if (sctp_handle_nat_missing_state(stcb, net)) { 778 return; 779 } 780 } 781 } 782 /* stop any receive timers */ 783 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 784 /* notify user of the abort and clean up... */ 785 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED); 786 /* free the tcb */ 787#if defined(SCTP_PANIC_ON_ABORT) 788 printf("stcb:%p state:%d rport:%d net:%p\n", 789 stcb, stcb->asoc.state, stcb->rport, net); 790 if (!(stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) { 791 panic("Received an ABORT"); 792 } else { 793 printf("No panic its in state %x closed\n", stcb->asoc.state); 794 } 795#endif 796 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 797 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 798 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 799 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 800 } 801#ifdef SCTP_ASOCLOG_OF_TSNS 802 sctp_print_out_track_log(stcb); 803#endif 804#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 805 so = SCTP_INP_SO(stcb->sctp_ep); 806 atomic_add_int(&stcb->asoc.refcnt, 1); 807 SCTP_TCB_UNLOCK(stcb); 808 SCTP_SOCKET_LOCK(so, 1); 809 SCTP_TCB_LOCK(stcb); 810 atomic_subtract_int(&stcb->asoc.refcnt, 1); 811#endif 812 stcb->asoc.state |= SCTP_STATE_WAS_ABORTED; 813 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 814 SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 815#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 816 SCTP_SOCKET_UNLOCK(so, 1); 817#endif 818 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n"); 819} 820 821static void 822sctp_start_net_timers(struct sctp_tcb *stcb) 823{ 824 uint32_t cnt_hb_sent; 825 struct sctp_nets *net; 826 827 cnt_hb_sent = 0; 828 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 829 /* 830 * For each network start: 1) A pmtu timer. 2) A HB timer 3) 831 * If the dest in unconfirmed send a hb as well if under 832 * max_hb_burst have been sent. 833 */ 834 sctp_timer_start(SCTP_TIMER_TYPE_PATHMTURAISE, stcb->sctp_ep, stcb, net); 835 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net); 836 if ((net->dest_state & SCTP_ADDR_UNCONFIRMED) && 837 (cnt_hb_sent < SCTP_BASE_SYSCTL(sctp_hb_maxburst))) { 838 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED); 839 cnt_hb_sent++; 840 } 841 } 842 if (cnt_hb_sent) { 843 sctp_chunk_output(stcb->sctp_ep, stcb, 844 SCTP_OUTPUT_FROM_COOKIE_ACK, 845 SCTP_SO_NOT_LOCKED); 846 } 847} 848 849 850static void 851sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 852 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 853{ 854 struct sctp_association *asoc; 855 int some_on_streamwheel; 856 857#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 858 struct socket *so; 859 860#endif 861 862 SCTPDBG(SCTP_DEBUG_INPUT2, 863 "sctp_handle_shutdown: handling SHUTDOWN\n"); 864 if (stcb == NULL) 865 return; 866 asoc = &stcb->asoc; 867 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 868 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 869 return; 870 } 871 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 872 /* Shutdown NOT the expected size */ 873 return; 874 } else { 875 sctp_update_acked(stcb, cp, abort_flag); 876 if (*abort_flag) { 877 return; 878 } 879 } 880 if (asoc->control_pdapi) { 881 /* 882 * With a normal shutdown we assume the end of last record. 883 */ 884 SCTP_INP_READ_LOCK(stcb->sctp_ep); 885 asoc->control_pdapi->end_added = 1; 886 asoc->control_pdapi->pdapi_aborted = 1; 887 asoc->control_pdapi = NULL; 888 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 889#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 890 so = SCTP_INP_SO(stcb->sctp_ep); 891 atomic_add_int(&stcb->asoc.refcnt, 1); 892 SCTP_TCB_UNLOCK(stcb); 893 SCTP_SOCKET_LOCK(so, 1); 894 SCTP_TCB_LOCK(stcb); 895 atomic_subtract_int(&stcb->asoc.refcnt, 1); 896 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 897 /* assoc was freed while we were unlocked */ 898 SCTP_SOCKET_UNLOCK(so, 1); 899 return; 900 } 901#endif 902 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 903#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 904 SCTP_SOCKET_UNLOCK(so, 1); 905#endif 906 } 907 /* goto SHUTDOWN_RECEIVED state to block new requests */ 908 if (stcb->sctp_socket) { 909 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 910 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) && 911 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 912 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED); 913 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 914 /* 915 * notify upper layer that peer has initiated a 916 * shutdown 917 */ 918 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 919 920 /* reset time */ 921 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 922 } 923 } 924 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 925 /* 926 * stop the shutdown timer, since we WILL move to 927 * SHUTDOWN-ACK-SENT. 928 */ 929 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 930 } 931 /* Now is there unsent data on a stream somewhere? */ 932 some_on_streamwheel = sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED); 933 934 if (!TAILQ_EMPTY(&asoc->send_queue) || 935 !TAILQ_EMPTY(&asoc->sent_queue) || 936 some_on_streamwheel) { 937 /* By returning we will push more data out */ 938 return; 939 } else { 940 /* no outstanding data to send, so move on... */ 941 /* send SHUTDOWN-ACK */ 942 sctp_send_shutdown_ack(stcb, net); 943 /* move to SHUTDOWN-ACK-SENT state */ 944 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 945 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 946 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 947 } 948 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT); 949 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 950 sctp_stop_timers_for_shutdown(stcb); 951 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 952 stcb, net); 953 } 954} 955 956static void 957sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp SCTP_UNUSED, 958 struct sctp_tcb *stcb, 959 struct sctp_nets *net) 960{ 961 struct sctp_association *asoc; 962 963#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 964 struct socket *so; 965 966 so = SCTP_INP_SO(stcb->sctp_ep); 967#endif 968 SCTPDBG(SCTP_DEBUG_INPUT2, 969 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 970 if (stcb == NULL) 971 return; 972 973 asoc = &stcb->asoc; 974 /* process according to association state */ 975 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 976 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 977 /* unexpected SHUTDOWN-ACK... do OOTB handling... */ 978 sctp_send_shutdown_complete(stcb, net, 1); 979 SCTP_TCB_UNLOCK(stcb); 980 return; 981 } 982 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 983 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 984 /* unexpected SHUTDOWN-ACK... so ignore... */ 985 SCTP_TCB_UNLOCK(stcb); 986 return; 987 } 988 if (asoc->control_pdapi) { 989 /* 990 * With a normal shutdown we assume the end of last record. 991 */ 992 SCTP_INP_READ_LOCK(stcb->sctp_ep); 993 asoc->control_pdapi->end_added = 1; 994 asoc->control_pdapi->pdapi_aborted = 1; 995 asoc->control_pdapi = NULL; 996 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 997#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 998 atomic_add_int(&stcb->asoc.refcnt, 1); 999 SCTP_TCB_UNLOCK(stcb); 1000 SCTP_SOCKET_LOCK(so, 1); 1001 SCTP_TCB_LOCK(stcb); 1002 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1003 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1004 /* assoc was freed while we were unlocked */ 1005 SCTP_SOCKET_UNLOCK(so, 1); 1006 return; 1007 } 1008#endif 1009 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 1010#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1011 SCTP_SOCKET_UNLOCK(so, 1); 1012#endif 1013 } 1014 /* are the queues empty? */ 1015 if (!TAILQ_EMPTY(&asoc->send_queue) || 1016 !TAILQ_EMPTY(&asoc->sent_queue) || 1017 !stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) { 1018 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED); 1019 } 1020 /* stop the timer */ 1021 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 1022 /* send SHUTDOWN-COMPLETE */ 1023 sctp_send_shutdown_complete(stcb, net, 0); 1024 /* notify upper layer protocol */ 1025 if (stcb->sctp_socket) { 1026 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 1027 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1028 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 1029 /* Set the connected flag to disconnected */ 1030 stcb->sctp_socket->so_snd.sb_cc = 0; 1031 } 1032 } 1033 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 1034 /* free the TCB but first save off the ep */ 1035#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1036 atomic_add_int(&stcb->asoc.refcnt, 1); 1037 SCTP_TCB_UNLOCK(stcb); 1038 SCTP_SOCKET_LOCK(so, 1); 1039 SCTP_TCB_LOCK(stcb); 1040 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1041#endif 1042 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 1043 SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 1044#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1045 SCTP_SOCKET_UNLOCK(so, 1); 1046#endif 1047} 1048 1049/* 1050 * Skip past the param header and then we will find the chunk that caused the 1051 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 1052 * our peer must be broken. 1053 */ 1054static void 1055sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 1056 struct sctp_nets *net) 1057{ 1058 struct sctp_chunkhdr *chk; 1059 1060 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 1061 switch (chk->chunk_type) { 1062 case SCTP_ASCONF_ACK: 1063 case SCTP_ASCONF: 1064 sctp_asconf_cleanup(stcb, net); 1065 break; 1066 case SCTP_FORWARD_CUM_TSN: 1067 stcb->asoc.peer_supports_prsctp = 0; 1068 break; 1069 default: 1070 SCTPDBG(SCTP_DEBUG_INPUT2, 1071 "Peer does not support chunk type %d(%x)??\n", 1072 chk->chunk_type, (uint32_t) chk->chunk_type); 1073 break; 1074 } 1075} 1076 1077/* 1078 * Skip past the param header and then we will find the param that caused the 1079 * problem. There are a number of param's in a ASCONF OR the prsctp param 1080 * these will turn of specific features. 1081 */ 1082static void 1083sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 1084{ 1085 struct sctp_paramhdr *pbad; 1086 1087 pbad = phdr + 1; 1088 switch (ntohs(pbad->param_type)) { 1089 /* pr-sctp draft */ 1090 case SCTP_PRSCTP_SUPPORTED: 1091 stcb->asoc.peer_supports_prsctp = 0; 1092 break; 1093 case SCTP_SUPPORTED_CHUNK_EXT: 1094 break; 1095 /* draft-ietf-tsvwg-addip-sctp */ 1096 case SCTP_HAS_NAT_SUPPORT: 1097 stcb->asoc.peer_supports_nat = 0; 1098 break; 1099 case SCTP_ADD_IP_ADDRESS: 1100 case SCTP_DEL_IP_ADDRESS: 1101 case SCTP_SET_PRIM_ADDR: 1102 stcb->asoc.peer_supports_asconf = 0; 1103 break; 1104 case SCTP_SUCCESS_REPORT: 1105 case SCTP_ERROR_CAUSE_IND: 1106 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n"); 1107 SCTPDBG(SCTP_DEBUG_INPUT2, 1108 "Turning off ASCONF to this strange peer\n"); 1109 stcb->asoc.peer_supports_asconf = 0; 1110 break; 1111 default: 1112 SCTPDBG(SCTP_DEBUG_INPUT2, 1113 "Peer does not support param type %d(%x)??\n", 1114 pbad->param_type, (uint32_t) pbad->param_type); 1115 break; 1116 } 1117} 1118 1119static int 1120sctp_handle_error(struct sctp_chunkhdr *ch, 1121 struct sctp_tcb *stcb, struct sctp_nets *net) 1122{ 1123 int chklen; 1124 struct sctp_paramhdr *phdr; 1125 uint16_t error_type; 1126 uint16_t error_len; 1127 struct sctp_association *asoc; 1128 int adjust; 1129 1130#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1131 struct socket *so; 1132 1133#endif 1134 1135 /* parse through all of the errors and process */ 1136 asoc = &stcb->asoc; 1137 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 1138 sizeof(struct sctp_chunkhdr)); 1139 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 1140 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 1141 /* Process an Error Cause */ 1142 error_type = ntohs(phdr->param_type); 1143 error_len = ntohs(phdr->param_length); 1144 if ((error_len > chklen) || (error_len == 0)) { 1145 /* invalid param length for this param */ 1146 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n", 1147 chklen, error_len); 1148 return (0); 1149 } 1150 switch (error_type) { 1151 case SCTP_CAUSE_INVALID_STREAM: 1152 case SCTP_CAUSE_MISSING_PARAM: 1153 case SCTP_CAUSE_INVALID_PARAM: 1154 case SCTP_CAUSE_NO_USER_DATA: 1155 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n", 1156 error_type); 1157 break; 1158 case SCTP_CAUSE_NAT_COLLIDING_STATE: 1159 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n", 1160 ch->chunk_flags); 1161 if (sctp_handle_nat_colliding_state(stcb)) { 1162 return (0); 1163 } 1164 break; 1165 case SCTP_CAUSE_NAT_MISSING_STATE: 1166 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n", 1167 ch->chunk_flags); 1168 if (sctp_handle_nat_missing_state(stcb, net)) { 1169 return (0); 1170 } 1171 break; 1172 case SCTP_CAUSE_STALE_COOKIE: 1173 /* 1174 * We only act if we have echoed a cookie and are 1175 * waiting. 1176 */ 1177 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 1178 int *p; 1179 1180 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 1181 /* Save the time doubled */ 1182 asoc->cookie_preserve_req = ntohl(*p) << 1; 1183 asoc->stale_cookie_count++; 1184 if (asoc->stale_cookie_count > 1185 asoc->max_init_times) { 1186 sctp_abort_notification(stcb, 0, SCTP_SO_NOT_LOCKED); 1187 /* now free the asoc */ 1188#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1189 so = SCTP_INP_SO(stcb->sctp_ep); 1190 atomic_add_int(&stcb->asoc.refcnt, 1); 1191 SCTP_TCB_UNLOCK(stcb); 1192 SCTP_SOCKET_LOCK(so, 1); 1193 SCTP_TCB_LOCK(stcb); 1194 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1195#endif 1196 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 1197 SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1198#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1199 SCTP_SOCKET_UNLOCK(so, 1); 1200#endif 1201 return (-1); 1202 } 1203 /* blast back to INIT state */ 1204 sctp_toss_old_cookies(stcb, &stcb->asoc); 1205 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 1206 asoc->state |= SCTP_STATE_COOKIE_WAIT; 1207 sctp_stop_all_cookie_timers(stcb); 1208 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 1209 } 1210 break; 1211 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 1212 /* 1213 * Nothing we can do here, we don't do hostname 1214 * addresses so if the peer does not like my IPv6 1215 * (or IPv4 for that matter) it does not matter. If 1216 * they don't support that type of address, they can 1217 * NOT possibly get that packet type... i.e. with no 1218 * IPv6 you can't recieve a IPv6 packet. so we can 1219 * safely ignore this one. If we ever added support 1220 * for HOSTNAME Addresses, then we would need to do 1221 * something here. 1222 */ 1223 break; 1224 case SCTP_CAUSE_UNRECOG_CHUNK: 1225 sctp_process_unrecog_chunk(stcb, phdr, net); 1226 break; 1227 case SCTP_CAUSE_UNRECOG_PARAM: 1228 sctp_process_unrecog_param(stcb, phdr); 1229 break; 1230 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 1231 /* 1232 * We ignore this since the timer will drive out a 1233 * new cookie anyway and there timer will drive us 1234 * to send a SHUTDOWN_COMPLETE. We can't send one 1235 * here since we don't have their tag. 1236 */ 1237 break; 1238 case SCTP_CAUSE_DELETING_LAST_ADDR: 1239 case SCTP_CAUSE_RESOURCE_SHORTAGE: 1240 case SCTP_CAUSE_DELETING_SRC_ADDR: 1241 /* 1242 * We should NOT get these here, but in a 1243 * ASCONF-ACK. 1244 */ 1245 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n", 1246 error_type); 1247 break; 1248 case SCTP_CAUSE_OUT_OF_RESC: 1249 /* 1250 * And what, pray tell do we do with the fact that 1251 * the peer is out of resources? Not really sure we 1252 * could do anything but abort. I suspect this 1253 * should have came WITH an abort instead of in a 1254 * OP-ERROR. 1255 */ 1256 break; 1257 default: 1258 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n", 1259 error_type); 1260 break; 1261 } 1262 adjust = SCTP_SIZE32(error_len); 1263 chklen -= adjust; 1264 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 1265 } 1266 return (0); 1267} 1268 1269static int 1270sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, 1271 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 1272 struct sctp_nets *net, int *abort_no_unlock, uint32_t vrf_id) 1273{ 1274 struct sctp_init_ack *init_ack; 1275 struct mbuf *op_err; 1276 1277 SCTPDBG(SCTP_DEBUG_INPUT2, 1278 "sctp_handle_init_ack: handling INIT-ACK\n"); 1279 1280 if (stcb == NULL) { 1281 SCTPDBG(SCTP_DEBUG_INPUT2, 1282 "sctp_handle_init_ack: TCB is null\n"); 1283 return (-1); 1284 } 1285 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 1286 /* Invalid length */ 1287 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1288 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1289 op_err, 0, net->port); 1290 *abort_no_unlock = 1; 1291 return (-1); 1292 } 1293 init_ack = &cp->init; 1294 /* validate parameters */ 1295 if (init_ack->initiate_tag == 0) { 1296 /* protocol error... send an abort */ 1297 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1298 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1299 op_err, 0, net->port); 1300 *abort_no_unlock = 1; 1301 return (-1); 1302 } 1303 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 1304 /* protocol error... send an abort */ 1305 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1306 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1307 op_err, 0, net->port); 1308 *abort_no_unlock = 1; 1309 return (-1); 1310 } 1311 if (init_ack->num_inbound_streams == 0) { 1312 /* protocol error... send an abort */ 1313 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1314 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1315 op_err, 0, net->port); 1316 *abort_no_unlock = 1; 1317 return (-1); 1318 } 1319 if (init_ack->num_outbound_streams == 0) { 1320 /* protocol error... send an abort */ 1321 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1322 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1323 op_err, 0, net->port); 1324 *abort_no_unlock = 1; 1325 return (-1); 1326 } 1327 /* process according to association state... */ 1328 switch (stcb->asoc.state & SCTP_STATE_MASK) { 1329 case SCTP_STATE_COOKIE_WAIT: 1330 /* this is the expected state for this chunk */ 1331 /* process the INIT-ACK parameters */ 1332 if (stcb->asoc.primary_destination->dest_state & 1333 SCTP_ADDR_UNCONFIRMED) { 1334 /* 1335 * The primary is where we sent the INIT, we can 1336 * always consider it confirmed when the INIT-ACK is 1337 * returned. Do this before we load addresses 1338 * though. 1339 */ 1340 stcb->asoc.primary_destination->dest_state &= 1341 ~SCTP_ADDR_UNCONFIRMED; 1342 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1343 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED); 1344 } 1345 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, 1346 net, abort_no_unlock, vrf_id) < 0) { 1347 /* error in parsing parameters */ 1348 return (-1); 1349 } 1350 /* update our state */ 1351 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n"); 1352 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED); 1353 1354 /* reset the RTO calc */ 1355 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 1356 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 1357 stcb->asoc.overall_error_count, 1358 0, 1359 SCTP_FROM_SCTP_INPUT, 1360 __LINE__); 1361 } 1362 stcb->asoc.overall_error_count = 0; 1363 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1364 /* 1365 * collapse the init timer back in case of a exponential 1366 * backoff 1367 */ 1368 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1369 stcb, net); 1370 /* 1371 * the send at the end of the inbound data processing will 1372 * cause the cookie to be sent 1373 */ 1374 break; 1375 case SCTP_STATE_SHUTDOWN_SENT: 1376 /* incorrect state... discard */ 1377 break; 1378 case SCTP_STATE_COOKIE_ECHOED: 1379 /* incorrect state... discard */ 1380 break; 1381 case SCTP_STATE_OPEN: 1382 /* incorrect state... discard */ 1383 break; 1384 case SCTP_STATE_EMPTY: 1385 case SCTP_STATE_INUSE: 1386 default: 1387 /* incorrect state... discard */ 1388 return (-1); 1389 break; 1390 } 1391 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n"); 1392 return (0); 1393} 1394 1395static struct sctp_tcb * 1396sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1397 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1398 struct sctp_inpcb *inp, struct sctp_nets **netp, 1399 struct sockaddr *init_src, int *notification, 1400 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1401 uint32_t vrf_id, uint16_t port); 1402 1403 1404/* 1405 * handle a state cookie for an existing association m: input packet mbuf 1406 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1407 * "split" mbuf and the cookie signature does not exist offset: offset into 1408 * mbuf to the cookie-echo chunk 1409 */ 1410static struct sctp_tcb * 1411sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1412 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1413 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp, 1414 struct sockaddr *init_src, int *notification, 1415 uint32_t vrf_id, int auth_skipped, uint32_t auth_offset, uint32_t auth_len, uint16_t port) 1416{ 1417 struct sctp_association *asoc; 1418 struct sctp_init_chunk *init_cp, init_buf; 1419 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1420 struct sctp_nets *net; 1421 struct mbuf *op_err; 1422 struct sctp_paramhdr *ph; 1423 int init_offset, initack_offset, i; 1424 int retval; 1425 int spec_flag = 0; 1426 uint32_t how_indx; 1427 1428 net = *netp; 1429 /* I know that the TCB is non-NULL from the caller */ 1430 asoc = &stcb->asoc; 1431 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1432 if (asoc->cookie_how[how_indx] == 0) 1433 break; 1434 } 1435 if (how_indx < sizeof(asoc->cookie_how)) { 1436 asoc->cookie_how[how_indx] = 1; 1437 } 1438 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1439 /* SHUTDOWN came in after sending INIT-ACK */ 1440 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1441 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1442 0, M_DONTWAIT, 1, MT_DATA); 1443 if (op_err == NULL) { 1444 /* FOOBAR */ 1445 return (NULL); 1446 } 1447 /* Set the len */ 1448 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1449 ph = mtod(op_err, struct sctp_paramhdr *); 1450 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1451 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1452 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 1453 vrf_id, net->port); 1454 if (how_indx < sizeof(asoc->cookie_how)) 1455 asoc->cookie_how[how_indx] = 2; 1456 return (NULL); 1457 } 1458 /* 1459 * find and validate the INIT chunk in the cookie (peer's info) the 1460 * INIT should start after the cookie-echo header struct (chunk 1461 * header, state cookie header struct) 1462 */ 1463 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1464 1465 init_cp = (struct sctp_init_chunk *) 1466 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1467 (uint8_t *) & init_buf); 1468 if (init_cp == NULL) { 1469 /* could not pull a INIT chunk in cookie */ 1470 return (NULL); 1471 } 1472 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1473 return (NULL); 1474 } 1475 /* 1476 * find and validate the INIT-ACK chunk in the cookie (my info) the 1477 * INIT-ACK follows the INIT chunk 1478 */ 1479 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length)); 1480 initack_cp = (struct sctp_init_ack_chunk *) 1481 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1482 (uint8_t *) & initack_buf); 1483 if (initack_cp == NULL) { 1484 /* could not pull INIT-ACK chunk in cookie */ 1485 return (NULL); 1486 } 1487 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1488 return (NULL); 1489 } 1490 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1491 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1492 /* 1493 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1494 * to get into the OPEN state 1495 */ 1496 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1497 /*- 1498 * Opps, this means that we somehow generated two vtag's 1499 * the same. I.e. we did: 1500 * Us Peer 1501 * <---INIT(tag=a)------ 1502 * ----INIT-ACK(tag=t)--> 1503 * ----INIT(tag=t)------> *1 1504 * <---INIT-ACK(tag=a)--- 1505 * <----CE(tag=t)------------- *2 1506 * 1507 * At point *1 we should be generating a different 1508 * tag t'. Which means we would throw away the CE and send 1509 * ours instead. Basically this is case C (throw away side). 1510 */ 1511 if (how_indx < sizeof(asoc->cookie_how)) 1512 asoc->cookie_how[how_indx] = 17; 1513 return (NULL); 1514 1515 } 1516 switch SCTP_GET_STATE 1517 (asoc) { 1518 case SCTP_STATE_COOKIE_WAIT: 1519 case SCTP_STATE_COOKIE_ECHOED: 1520 /* 1521 * INIT was sent but got a COOKIE_ECHO with the 1522 * correct tags... just accept it...but we must 1523 * process the init so that we can make sure we have 1524 * the right seq no's. 1525 */ 1526 /* First we must process the INIT !! */ 1527 retval = sctp_process_init(init_cp, stcb); 1528 if (retval < 0) { 1529 if (how_indx < sizeof(asoc->cookie_how)) 1530 asoc->cookie_how[how_indx] = 3; 1531 return (NULL); 1532 } 1533 /* we have already processed the INIT so no problem */ 1534 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1535 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1536 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1537 /* update current state */ 1538 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1539 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1540 else 1541 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1542 1543 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1544 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1545 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1546 stcb->sctp_ep, stcb, asoc->primary_destination); 1547 } 1548 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1549 sctp_stop_all_cookie_timers(stcb); 1550 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1551 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1552 (inp->sctp_socket->so_qlimit == 0) 1553 ) { 1554#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1555 struct socket *so; 1556 1557#endif 1558 /* 1559 * Here is where collision would go if we 1560 * did a connect() and instead got a 1561 * init/init-ack/cookie done before the 1562 * init-ack came back.. 1563 */ 1564 stcb->sctp_ep->sctp_flags |= 1565 SCTP_PCB_FLAGS_CONNECTED; 1566#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1567 so = SCTP_INP_SO(stcb->sctp_ep); 1568 atomic_add_int(&stcb->asoc.refcnt, 1); 1569 SCTP_TCB_UNLOCK(stcb); 1570 SCTP_SOCKET_LOCK(so, 1); 1571 SCTP_TCB_LOCK(stcb); 1572 atomic_add_int(&stcb->asoc.refcnt, -1); 1573 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1574 SCTP_SOCKET_UNLOCK(so, 1); 1575 return (NULL); 1576 } 1577#endif 1578 soisconnected(stcb->sctp_socket); 1579#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1580 SCTP_SOCKET_UNLOCK(so, 1); 1581#endif 1582 } 1583 /* notify upper layer */ 1584 *notification = SCTP_NOTIFY_ASSOC_UP; 1585 /* 1586 * since we did not send a HB make sure we don't 1587 * double things 1588 */ 1589 net->hb_responded = 1; 1590 net->RTO = sctp_calculate_rto(stcb, asoc, net, 1591 &cookie->time_entered, 1592 sctp_align_unsafe_makecopy, 1593 SCTP_RTT_FROM_NON_DATA); 1594 1595 if (stcb->asoc.sctp_autoclose_ticks && 1596 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1597 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1598 inp, stcb, NULL); 1599 } 1600 break; 1601 default: 1602 /* 1603 * we're in the OPEN state (or beyond), so peer must 1604 * have simply lost the COOKIE-ACK 1605 */ 1606 break; 1607 } /* end switch */ 1608 sctp_stop_all_cookie_timers(stcb); 1609 /* 1610 * We ignore the return code here.. not sure if we should 1611 * somehow abort.. but we do have an existing asoc. This 1612 * really should not fail. 1613 */ 1614 if (sctp_load_addresses_from_init(stcb, m, 1615 init_offset + sizeof(struct sctp_init_chunk), 1616 initack_offset, sh, init_src)) { 1617 if (how_indx < sizeof(asoc->cookie_how)) 1618 asoc->cookie_how[how_indx] = 4; 1619 return (NULL); 1620 } 1621 /* respond with a COOKIE-ACK */ 1622 sctp_toss_old_cookies(stcb, asoc); 1623 sctp_send_cookie_ack(stcb); 1624 if (how_indx < sizeof(asoc->cookie_how)) 1625 asoc->cookie_how[how_indx] = 5; 1626 return (stcb); 1627 } 1628 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1629 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1630 cookie->tie_tag_my_vtag == 0 && 1631 cookie->tie_tag_peer_vtag == 0) { 1632 /* 1633 * case C in Section 5.2.4 Table 2: XMOO silently discard 1634 */ 1635 if (how_indx < sizeof(asoc->cookie_how)) 1636 asoc->cookie_how[how_indx] = 6; 1637 return (NULL); 1638 } 1639 /* 1640 * If nat support, and the below and stcb is established, send back 1641 * a ABORT(colliding state) if we are established. 1642 */ 1643 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) && 1644 (asoc->peer_supports_nat) && 1645 ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1646 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) || 1647 (asoc->peer_vtag == 0)))) { 1648 /* 1649 * Special case - Peer's support nat. We may have two init's 1650 * that we gave out the same tag on since one was not 1651 * established.. i.e. we get INIT from host-1 behind the nat 1652 * and we respond tag-a, we get a INIT from host-2 behind 1653 * the nat and we get tag-a again. Then we bring up host-1 1654 * (or 2's) assoc, Then comes the cookie from hsot-2 (or 1). 1655 * Now we have colliding state. We must send an abort here 1656 * with colliding state indication. 1657 */ 1658 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1659 0, M_DONTWAIT, 1, MT_DATA); 1660 if (op_err == NULL) { 1661 /* FOOBAR */ 1662 return (NULL); 1663 } 1664 /* pre-reserve some space */ 1665#ifdef INET6 1666 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1667#else 1668 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip)); 1669#endif 1670 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1671 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1672 /* Set the len */ 1673 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1674 ph = mtod(op_err, struct sctp_paramhdr *); 1675 ph->param_type = htons(SCTP_CAUSE_NAT_COLLIDING_STATE); 1676 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1677 sctp_send_abort(m, iphlen, sh, 0, op_err, vrf_id, port); 1678 return (NULL); 1679 } 1680 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1681 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) || 1682 (asoc->peer_vtag == 0))) { 1683 /* 1684 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1685 * should be ok, re-accept peer info 1686 */ 1687 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1688 /* 1689 * Extension of case C. If we hit this, then the 1690 * random number generator returned the same vtag 1691 * when we first sent our INIT-ACK and when we later 1692 * sent our INIT. The side with the seq numbers that 1693 * are different will be the one that normnally 1694 * would have hit case C. This in effect "extends" 1695 * our vtags in this collision case to be 64 bits. 1696 * The same collision could occur aka you get both 1697 * vtag and seq number the same twice in a row.. but 1698 * is much less likely. If it did happen then we 1699 * would proceed through and bring up the assoc.. we 1700 * may end up with the wrong stream setup however.. 1701 * which would be bad.. but there is no way to 1702 * tell.. until we send on a stream that does not 1703 * exist :-) 1704 */ 1705 if (how_indx < sizeof(asoc->cookie_how)) 1706 asoc->cookie_how[how_indx] = 7; 1707 1708 return (NULL); 1709 } 1710 if (how_indx < sizeof(asoc->cookie_how)) 1711 asoc->cookie_how[how_indx] = 8; 1712 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1713 sctp_stop_all_cookie_timers(stcb); 1714 /* 1715 * since we did not send a HB make sure we don't double 1716 * things 1717 */ 1718 net->hb_responded = 1; 1719 if (stcb->asoc.sctp_autoclose_ticks && 1720 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1721 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1722 NULL); 1723 } 1724 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1725 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1726 1727 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1728 /* 1729 * Ok the peer probably discarded our data (if we 1730 * echoed a cookie+data). So anything on the 1731 * sent_queue should be marked for retransmit, we 1732 * may not get something to kick us so it COULD 1733 * still take a timeout to move these.. but it can't 1734 * hurt to mark them. 1735 */ 1736 struct sctp_tmit_chunk *chk; 1737 1738 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1739 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1740 chk->sent = SCTP_DATAGRAM_RESEND; 1741 sctp_flight_size_decrease(chk); 1742 sctp_total_flight_decrease(stcb, chk); 1743 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1744 spec_flag++; 1745 } 1746 } 1747 1748 } 1749 /* process the INIT info (peer's info) */ 1750 retval = sctp_process_init(init_cp, stcb); 1751 if (retval < 0) { 1752 if (how_indx < sizeof(asoc->cookie_how)) 1753 asoc->cookie_how[how_indx] = 9; 1754 return (NULL); 1755 } 1756 if (sctp_load_addresses_from_init(stcb, m, 1757 init_offset + sizeof(struct sctp_init_chunk), 1758 initack_offset, sh, init_src)) { 1759 if (how_indx < sizeof(asoc->cookie_how)) 1760 asoc->cookie_how[how_indx] = 10; 1761 return (NULL); 1762 } 1763 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1764 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1765 *notification = SCTP_NOTIFY_ASSOC_UP; 1766 1767 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1768 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1769 (inp->sctp_socket->so_qlimit == 0)) { 1770#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1771 struct socket *so; 1772 1773#endif 1774 stcb->sctp_ep->sctp_flags |= 1775 SCTP_PCB_FLAGS_CONNECTED; 1776#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1777 so = SCTP_INP_SO(stcb->sctp_ep); 1778 atomic_add_int(&stcb->asoc.refcnt, 1); 1779 SCTP_TCB_UNLOCK(stcb); 1780 SCTP_SOCKET_LOCK(so, 1); 1781 SCTP_TCB_LOCK(stcb); 1782 atomic_add_int(&stcb->asoc.refcnt, -1); 1783 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1784 SCTP_SOCKET_UNLOCK(so, 1); 1785 return (NULL); 1786 } 1787#endif 1788 soisconnected(stcb->sctp_socket); 1789#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1790 SCTP_SOCKET_UNLOCK(so, 1); 1791#endif 1792 } 1793 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1794 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1795 else 1796 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1797 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1798 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1799 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1800 } else { 1801 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1802 } 1803 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1804 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1805 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1806 stcb->sctp_ep, stcb, asoc->primary_destination); 1807 } 1808 sctp_stop_all_cookie_timers(stcb); 1809 sctp_toss_old_cookies(stcb, asoc); 1810 sctp_send_cookie_ack(stcb); 1811 if (spec_flag) { 1812 /* 1813 * only if we have retrans set do we do this. What 1814 * this call does is get only the COOKIE-ACK out and 1815 * then when we return the normal call to 1816 * sctp_chunk_output will get the retrans out behind 1817 * this. 1818 */ 1819 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED); 1820 } 1821 if (how_indx < sizeof(asoc->cookie_how)) 1822 asoc->cookie_how[how_indx] = 11; 1823 1824 return (stcb); 1825 } 1826 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1827 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1828 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1829 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1830 cookie->tie_tag_peer_vtag != 0) { 1831 struct sctpasochead *head; 1832 1833 if (asoc->peer_supports_nat) { 1834 /* 1835 * This is a gross gross hack. just call the 1836 * cookie_new code since we are allowing a duplicate 1837 * association. I hope this works... 1838 */ 1839 return (sctp_process_cookie_new(m, iphlen, offset, sh, cookie, cookie_len, 1840 inp, netp, init_src, notification, 1841 auth_skipped, auth_offset, auth_len, 1842 vrf_id, port)); 1843 } 1844 /* 1845 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1846 */ 1847 /* temp code */ 1848 if (how_indx < sizeof(asoc->cookie_how)) 1849 asoc->cookie_how[how_indx] = 12; 1850 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1851 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1852 1853 /* notify upper layer */ 1854 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1855 atomic_add_int(&stcb->asoc.refcnt, 1); 1856 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1857 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1858 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1859 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1860 } 1861 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1862 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1863 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1864 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1865 } 1866 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1867 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1868 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1869 stcb->sctp_ep, stcb, asoc->primary_destination); 1870 1871 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1872 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1873 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 1874 } 1875 asoc->pre_open_streams = 1876 ntohs(initack_cp->init.num_outbound_streams); 1877 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1878 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1879 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; 1880 1881 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1882 1883 asoc->str_reset_seq_in = asoc->init_seq_number; 1884 1885 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1886 if (asoc->mapping_array) { 1887 memset(asoc->mapping_array, 0, 1888 asoc->mapping_array_size); 1889 } 1890 if (asoc->nr_mapping_array) { 1891 memset(asoc->nr_mapping_array, 0, 1892 asoc->mapping_array_size); 1893 } 1894 SCTP_TCB_UNLOCK(stcb); 1895 SCTP_INP_INFO_WLOCK(); 1896 SCTP_INP_WLOCK(stcb->sctp_ep); 1897 SCTP_TCB_LOCK(stcb); 1898 atomic_add_int(&stcb->asoc.refcnt, -1); 1899 /* send up all the data */ 1900 SCTP_TCB_SEND_LOCK(stcb); 1901 1902 sctp_report_all_outbound(stcb, 1, SCTP_SO_NOT_LOCKED); 1903 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1904 stcb->asoc.strmout[i].stream_no = i; 1905 stcb->asoc.strmout[i].next_sequence_sent = 0; 1906 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1907 } 1908 /* process the INIT-ACK info (my info) */ 1909 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1910 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1911 1912 /* pull from vtag hash */ 1913 LIST_REMOVE(stcb, sctp_asocs); 1914 /* re-insert to new vtag position */ 1915 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1916 SCTP_BASE_INFO(hashasocmark))]; 1917 /* 1918 * put it in the bucket in the vtag hash of assoc's for the 1919 * system 1920 */ 1921 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1922 1923 /* process the INIT info (peer's info) */ 1924 SCTP_TCB_SEND_UNLOCK(stcb); 1925 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1926 SCTP_INP_INFO_WUNLOCK(); 1927 1928 retval = sctp_process_init(init_cp, stcb); 1929 if (retval < 0) { 1930 if (how_indx < sizeof(asoc->cookie_how)) 1931 asoc->cookie_how[how_indx] = 13; 1932 1933 return (NULL); 1934 } 1935 /* 1936 * since we did not send a HB make sure we don't double 1937 * things 1938 */ 1939 net->hb_responded = 1; 1940 1941 if (sctp_load_addresses_from_init(stcb, m, 1942 init_offset + sizeof(struct sctp_init_chunk), 1943 initack_offset, sh, init_src)) { 1944 if (how_indx < sizeof(asoc->cookie_how)) 1945 asoc->cookie_how[how_indx] = 14; 1946 1947 return (NULL); 1948 } 1949 /* respond with a COOKIE-ACK */ 1950 sctp_stop_all_cookie_timers(stcb); 1951 sctp_toss_old_cookies(stcb, asoc); 1952 sctp_send_cookie_ack(stcb); 1953 if (how_indx < sizeof(asoc->cookie_how)) 1954 asoc->cookie_how[how_indx] = 15; 1955 1956 return (stcb); 1957 } 1958 if (how_indx < sizeof(asoc->cookie_how)) 1959 asoc->cookie_how[how_indx] = 16; 1960 /* all other cases... */ 1961 return (NULL); 1962} 1963 1964 1965/* 1966 * handle a state cookie for a new association m: input packet mbuf chain-- 1967 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1968 * and the cookie signature does not exist offset: offset into mbuf to the 1969 * cookie-echo chunk length: length of the cookie chunk to: where the init 1970 * was from returns a new TCB 1971 */ 1972struct sctp_tcb * 1973sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1974 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1975 struct sctp_inpcb *inp, struct sctp_nets **netp, 1976 struct sockaddr *init_src, int *notification, 1977 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 1978 uint32_t vrf_id, uint16_t port) 1979{ 1980 struct sctp_tcb *stcb; 1981 struct sctp_init_chunk *init_cp, init_buf; 1982 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1983 struct sockaddr_storage sa_store; 1984 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1985 struct sctp_association *asoc; 1986 int init_offset, initack_offset, initack_limit; 1987 int retval; 1988 int error = 0; 1989 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1990 1991#ifdef INET 1992 struct sockaddr_in *sin; 1993 1994#endif 1995#ifdef INET6 1996 struct sockaddr_in6 *sin6; 1997 1998#endif 1999#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2000 struct socket *so; 2001 2002 so = SCTP_INP_SO(inp); 2003#endif 2004 2005 /* 2006 * find and validate the INIT chunk in the cookie (peer's info) the 2007 * INIT should start after the cookie-echo header struct (chunk 2008 * header, state cookie header struct) 2009 */ 2010 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 2011 init_cp = (struct sctp_init_chunk *) 2012 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 2013 (uint8_t *) & init_buf); 2014 if (init_cp == NULL) { 2015 /* could not pull a INIT chunk in cookie */ 2016 SCTPDBG(SCTP_DEBUG_INPUT1, 2017 "process_cookie_new: could not pull INIT chunk hdr\n"); 2018 return (NULL); 2019 } 2020 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 2021 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n"); 2022 return (NULL); 2023 } 2024 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length)); 2025 /* 2026 * find and validate the INIT-ACK chunk in the cookie (my info) the 2027 * INIT-ACK follows the INIT chunk 2028 */ 2029 initack_cp = (struct sctp_init_ack_chunk *) 2030 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 2031 (uint8_t *) & initack_buf); 2032 if (initack_cp == NULL) { 2033 /* could not pull INIT-ACK chunk in cookie */ 2034 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 2035 return (NULL); 2036 } 2037 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 2038 return (NULL); 2039 } 2040 /* 2041 * NOTE: We can't use the INIT_ACK's chk_length to determine the 2042 * "initack_limit" value. This is because the chk_length field 2043 * includes the length of the cookie, but the cookie is omitted when 2044 * the INIT and INIT_ACK are tacked onto the cookie... 2045 */ 2046 initack_limit = offset + cookie_len; 2047 2048 /* 2049 * now that we know the INIT/INIT-ACK are in place, create a new TCB 2050 * and popluate 2051 */ 2052 2053 /* 2054 * Here we do a trick, we set in NULL for the proc/thread argument. 2055 * We do this since in effect we only use the p argument when the 2056 * socket is unbound and we must do an implicit bind. Since we are 2057 * getting a cookie, we cannot be unbound. 2058 */ 2059 stcb = sctp_aloc_assoc(inp, init_src, &error, 2060 ntohl(initack_cp->init.initiate_tag), vrf_id, 2061 (struct thread *)NULL 2062 ); 2063 if (stcb == NULL) { 2064 struct mbuf *op_err; 2065 2066 /* memory problem? */ 2067 SCTPDBG(SCTP_DEBUG_INPUT1, 2068 "process_cookie_new: no room for another TCB!\n"); 2069 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2070 2071 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 2072 sh, op_err, vrf_id, port); 2073 return (NULL); 2074 } 2075 /* get the correct sctp_nets */ 2076 if (netp) 2077 *netp = sctp_findnet(stcb, init_src); 2078 2079 asoc = &stcb->asoc; 2080 /* get scope variables out of cookie */ 2081 asoc->ipv4_local_scope = cookie->ipv4_scope; 2082 asoc->site_scope = cookie->site_scope; 2083 asoc->local_scope = cookie->local_scope; 2084 asoc->loopback_scope = cookie->loopback_scope; 2085 2086 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 2087 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 2088 struct mbuf *op_err; 2089 2090 /* 2091 * Houston we have a problem. The EP changed while the 2092 * cookie was in flight. Only recourse is to abort the 2093 * association. 2094 */ 2095 atomic_add_int(&stcb->asoc.refcnt, 1); 2096 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2097 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 2098 sh, op_err, vrf_id, port); 2099#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2100 SCTP_TCB_UNLOCK(stcb); 2101 SCTP_SOCKET_LOCK(so, 1); 2102 SCTP_TCB_LOCK(stcb); 2103#endif 2104 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, 2105 SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 2106#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2107 SCTP_SOCKET_UNLOCK(so, 1); 2108#endif 2109 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2110 return (NULL); 2111 } 2112 /* process the INIT-ACK info (my info) */ 2113 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 2114 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 2115 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 2116 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 2117 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 2118 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1; 2119 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 2120 asoc->str_reset_seq_in = asoc->init_seq_number; 2121 2122 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 2123 2124 /* process the INIT info (peer's info) */ 2125 if (netp) 2126 retval = sctp_process_init(init_cp, stcb); 2127 else 2128 retval = 0; 2129 if (retval < 0) { 2130 atomic_add_int(&stcb->asoc.refcnt, 1); 2131#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2132 SCTP_TCB_UNLOCK(stcb); 2133 SCTP_SOCKET_LOCK(so, 1); 2134 SCTP_TCB_LOCK(stcb); 2135#endif 2136 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 2137#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2138 SCTP_SOCKET_UNLOCK(so, 1); 2139#endif 2140 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2141 return (NULL); 2142 } 2143 /* load all addresses */ 2144 if (sctp_load_addresses_from_init(stcb, m, 2145 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 2146 init_src)) { 2147 atomic_add_int(&stcb->asoc.refcnt, 1); 2148#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2149 SCTP_TCB_UNLOCK(stcb); 2150 SCTP_SOCKET_LOCK(so, 1); 2151 SCTP_TCB_LOCK(stcb); 2152#endif 2153 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 2154#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2155 SCTP_SOCKET_UNLOCK(so, 1); 2156#endif 2157 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2158 return (NULL); 2159 } 2160 /* 2161 * verify any preceding AUTH chunk that was skipped 2162 */ 2163 /* pull the local authentication parameters from the cookie/init-ack */ 2164 sctp_auth_get_cookie_params(stcb, m, 2165 initack_offset + sizeof(struct sctp_init_ack_chunk), 2166 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 2167 if (auth_skipped) { 2168 struct sctp_auth_chunk *auth; 2169 2170 auth = (struct sctp_auth_chunk *) 2171 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 2172 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { 2173 /* auth HMAC failed, dump the assoc and packet */ 2174 SCTPDBG(SCTP_DEBUG_AUTH1, 2175 "COOKIE-ECHO: AUTH failed\n"); 2176 atomic_add_int(&stcb->asoc.refcnt, 1); 2177#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2178 SCTP_TCB_UNLOCK(stcb); 2179 SCTP_SOCKET_LOCK(so, 1); 2180 SCTP_TCB_LOCK(stcb); 2181#endif 2182 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 2183#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2184 SCTP_SOCKET_UNLOCK(so, 1); 2185#endif 2186 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2187 return (NULL); 2188 } else { 2189 /* remaining chunks checked... good to go */ 2190 stcb->asoc.authenticated = 1; 2191 } 2192 } 2193 /* update current state */ 2194 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2195 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 2196 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2197 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2198 stcb->sctp_ep, stcb, asoc->primary_destination); 2199 } 2200 sctp_stop_all_cookie_timers(stcb); 2201 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 2202 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2203 2204 /* 2205 * if we're doing ASCONFs, check to see if we have any new local 2206 * addresses that need to get added to the peer (eg. addresses 2207 * changed while cookie echo in flight). This needs to be done 2208 * after we go to the OPEN state to do the correct asconf 2209 * processing. else, make sure we have the correct addresses in our 2210 * lists 2211 */ 2212 2213 /* warning, we re-use sin, sin6, sa_store here! */ 2214 /* pull in local_address (our "from" address) */ 2215 switch (cookie->laddr_type) { 2216#ifdef INET 2217 case SCTP_IPV4_ADDRESS: 2218 /* source addr is IPv4 */ 2219 sin = (struct sockaddr_in *)initack_src; 2220 memset(sin, 0, sizeof(*sin)); 2221 sin->sin_family = AF_INET; 2222 sin->sin_len = sizeof(struct sockaddr_in); 2223 sin->sin_addr.s_addr = cookie->laddress[0]; 2224 break; 2225#endif 2226#ifdef INET6 2227 case SCTP_IPV6_ADDRESS: 2228 /* source addr is IPv6 */ 2229 sin6 = (struct sockaddr_in6 *)initack_src; 2230 memset(sin6, 0, sizeof(*sin6)); 2231 sin6->sin6_family = AF_INET6; 2232 sin6->sin6_len = sizeof(struct sockaddr_in6); 2233 sin6->sin6_scope_id = cookie->scope_id; 2234 memcpy(&sin6->sin6_addr, cookie->laddress, 2235 sizeof(sin6->sin6_addr)); 2236 break; 2237#endif 2238 default: 2239 atomic_add_int(&stcb->asoc.refcnt, 1); 2240#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2241 SCTP_TCB_UNLOCK(stcb); 2242 SCTP_SOCKET_LOCK(so, 1); 2243 SCTP_TCB_LOCK(stcb); 2244#endif 2245 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 2246#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2247 SCTP_SOCKET_UNLOCK(so, 1); 2248#endif 2249 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2250 return (NULL); 2251 } 2252 2253 /* set up to notify upper layer */ 2254 *notification = SCTP_NOTIFY_ASSOC_UP; 2255 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2256 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 2257 (inp->sctp_socket->so_qlimit == 0)) { 2258 /* 2259 * This is an endpoint that called connect() how it got a 2260 * cookie that is NEW is a bit of a mystery. It must be that 2261 * the INIT was sent, but before it got there.. a complete 2262 * INIT/INIT-ACK/COOKIE arrived. But of course then it 2263 * should have went to the other code.. not here.. oh well.. 2264 * a bit of protection is worth having.. 2265 */ 2266 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2267#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2268 atomic_add_int(&stcb->asoc.refcnt, 1); 2269 SCTP_TCB_UNLOCK(stcb); 2270 SCTP_SOCKET_LOCK(so, 1); 2271 SCTP_TCB_LOCK(stcb); 2272 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2273 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 2274 SCTP_SOCKET_UNLOCK(so, 1); 2275 return (NULL); 2276 } 2277#endif 2278 soisconnected(stcb->sctp_socket); 2279#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2280 SCTP_SOCKET_UNLOCK(so, 1); 2281#endif 2282 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 2283 (inp->sctp_socket->so_qlimit)) { 2284 /* 2285 * We don't want to do anything with this one. Since it is 2286 * the listening guy. The timer will get started for 2287 * accepted connections in the caller. 2288 */ 2289 ; 2290 } 2291 /* since we did not send a HB make sure we don't double things */ 2292 if ((netp) && (*netp)) 2293 (*netp)->hb_responded = 1; 2294 2295 if (stcb->asoc.sctp_autoclose_ticks && 2296 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2297 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 2298 } 2299 /* calculate the RTT */ 2300 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 2301 if ((netp) && (*netp)) { 2302 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 2303 &cookie->time_entered, sctp_align_unsafe_makecopy, 2304 SCTP_RTT_FROM_NON_DATA); 2305 } 2306 /* respond with a COOKIE-ACK */ 2307 sctp_send_cookie_ack(stcb); 2308 2309 /* 2310 * check the address lists for any ASCONFs that need to be sent 2311 * AFTER the cookie-ack is sent 2312 */ 2313 sctp_check_address_list(stcb, m, 2314 initack_offset + sizeof(struct sctp_init_ack_chunk), 2315 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 2316 initack_src, cookie->local_scope, cookie->site_scope, 2317 cookie->ipv4_scope, cookie->loopback_scope); 2318 2319 2320 return (stcb); 2321} 2322 2323/* 2324 * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e 2325 * we NEED to make sure we are not already using the vtag. If so we 2326 * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit! 2327 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag, 2328 SCTP_BASE_INFO(hashasocmark))]; 2329 LIST_FOREACH(stcb, head, sctp_asocs) { 2330 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep)) { 2331 -- SEND ABORT - TRY AGAIN -- 2332 } 2333 } 2334*/ 2335 2336/* 2337 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 2338 * existing (non-NULL) TCB 2339 */ 2340static struct mbuf * 2341sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 2342 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 2343 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 2344 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, 2345 struct sctp_tcb **locked_tcb, uint32_t vrf_id, uint16_t port) 2346{ 2347 struct sctp_state_cookie *cookie; 2348 struct sctp_tcb *l_stcb = *stcb; 2349 struct sctp_inpcb *l_inp; 2350 struct sockaddr *to; 2351 struct sctp_pcb *ep; 2352 struct mbuf *m_sig; 2353 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 2354 uint8_t *sig; 2355 uint8_t cookie_ok = 0; 2356 unsigned int size_of_pkt, sig_offset, cookie_offset; 2357 unsigned int cookie_len; 2358 struct timeval now; 2359 struct timeval time_expires; 2360 struct sockaddr_storage dest_store; 2361 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 2362 struct ip *iph; 2363 int notification = 0; 2364 struct sctp_nets *netl; 2365 int had_a_existing_tcb = 0; 2366 int send_int_conf = 0; 2367 2368#ifdef INET 2369 struct sockaddr_in sin; 2370 2371#endif 2372#ifdef INET6 2373 struct sockaddr_in6 sin6; 2374 2375#endif 2376 2377 SCTPDBG(SCTP_DEBUG_INPUT2, 2378 "sctp_handle_cookie: handling COOKIE-ECHO\n"); 2379 2380 if (inp_p == NULL) { 2381 return (NULL); 2382 } 2383 /* First get the destination address setup too. */ 2384 iph = mtod(m, struct ip *); 2385 switch (iph->ip_v) { 2386#ifdef INET 2387 case IPVERSION: 2388 { 2389 /* its IPv4 */ 2390 struct sockaddr_in *lsin; 2391 2392 lsin = (struct sockaddr_in *)(localep_sa); 2393 memset(lsin, 0, sizeof(*lsin)); 2394 lsin->sin_family = AF_INET; 2395 lsin->sin_len = sizeof(*lsin); 2396 lsin->sin_port = sh->dest_port; 2397 lsin->sin_addr.s_addr = iph->ip_dst.s_addr; 2398 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 2399 break; 2400 } 2401#endif 2402#ifdef INET6 2403 case IPV6_VERSION >> 4: 2404 { 2405 /* its IPv6 */ 2406 struct ip6_hdr *ip6; 2407 struct sockaddr_in6 *lsin6; 2408 2409 lsin6 = (struct sockaddr_in6 *)(localep_sa); 2410 memset(lsin6, 0, sizeof(*lsin6)); 2411 lsin6->sin6_family = AF_INET6; 2412 lsin6->sin6_len = sizeof(struct sockaddr_in6); 2413 ip6 = mtod(m, struct ip6_hdr *); 2414 lsin6->sin6_port = sh->dest_port; 2415 lsin6->sin6_addr = ip6->ip6_dst; 2416 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 2417 break; 2418 } 2419#endif 2420 default: 2421 return (NULL); 2422 } 2423 2424 cookie = &cp->cookie; 2425 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 2426 cookie_len = ntohs(cp->ch.chunk_length); 2427 2428 if ((cookie->peerport != sh->src_port) && 2429 (cookie->myport != sh->dest_port) && 2430 (cookie->my_vtag != sh->v_tag)) { 2431 /* 2432 * invalid ports or bad tag. Note that we always leave the 2433 * v_tag in the header in network order and when we stored 2434 * it in the my_vtag slot we also left it in network order. 2435 * This maintains the match even though it may be in the 2436 * opposite byte order of the machine :-> 2437 */ 2438 return (NULL); 2439 } 2440 if (cookie_len > size_of_pkt || 2441 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 2442 sizeof(struct sctp_init_chunk) + 2443 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 2444 /* cookie too long! or too small */ 2445 return (NULL); 2446 } 2447 /* 2448 * split off the signature into its own mbuf (since it should not be 2449 * calculated in the sctp_hmac_m() call). 2450 */ 2451 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 2452 if (sig_offset > size_of_pkt) { 2453 /* packet not correct size! */ 2454 /* XXX this may already be accounted for earlier... */ 2455 return (NULL); 2456 } 2457 m_sig = m_split(m, sig_offset, M_DONTWAIT); 2458 if (m_sig == NULL) { 2459 /* out of memory or ?? */ 2460 return (NULL); 2461 } 2462#ifdef SCTP_MBUF_LOGGING 2463 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 2464 struct mbuf *mat; 2465 2466 mat = m_sig; 2467 while (mat) { 2468 if (SCTP_BUF_IS_EXTENDED(mat)) { 2469 sctp_log_mb(mat, SCTP_MBUF_SPLIT); 2470 } 2471 mat = SCTP_BUF_NEXT(mat); 2472 } 2473 } 2474#endif 2475 2476 /* 2477 * compute the signature/digest for the cookie 2478 */ 2479 ep = &(*inp_p)->sctp_ep; 2480 l_inp = *inp_p; 2481 if (l_stcb) { 2482 SCTP_TCB_UNLOCK(l_stcb); 2483 } 2484 SCTP_INP_RLOCK(l_inp); 2485 if (l_stcb) { 2486 SCTP_TCB_LOCK(l_stcb); 2487 } 2488 /* which cookie is it? */ 2489 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 2490 (ep->current_secret_number != ep->last_secret_number)) { 2491 /* it's the old cookie */ 2492 (void)sctp_hmac_m(SCTP_HMAC, 2493 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 2494 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2495 } else { 2496 /* it's the current cookie */ 2497 (void)sctp_hmac_m(SCTP_HMAC, 2498 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 2499 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2500 } 2501 /* get the signature */ 2502 SCTP_INP_RUNLOCK(l_inp); 2503 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 2504 if (sig == NULL) { 2505 /* couldn't find signature */ 2506 sctp_m_freem(m_sig); 2507 return (NULL); 2508 } 2509 /* compare the received digest with the computed digest */ 2510 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 2511 /* try the old cookie? */ 2512 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 2513 (ep->current_secret_number != ep->last_secret_number)) { 2514 /* compute digest with old */ 2515 (void)sctp_hmac_m(SCTP_HMAC, 2516 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 2517 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0); 2518 /* compare */ 2519 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 2520 cookie_ok = 1; 2521 } 2522 } else { 2523 cookie_ok = 1; 2524 } 2525 2526 /* 2527 * Now before we continue we must reconstruct our mbuf so that 2528 * normal processing of any other chunks will work. 2529 */ 2530 { 2531 struct mbuf *m_at; 2532 2533 m_at = m; 2534 while (SCTP_BUF_NEXT(m_at) != NULL) { 2535 m_at = SCTP_BUF_NEXT(m_at); 2536 } 2537 SCTP_BUF_NEXT(m_at) = m_sig; 2538 } 2539 2540 if (cookie_ok == 0) { 2541 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n"); 2542 SCTPDBG(SCTP_DEBUG_INPUT2, 2543 "offset = %u, cookie_offset = %u, sig_offset = %u\n", 2544 (uint32_t) offset, cookie_offset, sig_offset); 2545 return (NULL); 2546 } 2547 /* 2548 * check the cookie timestamps to be sure it's not stale 2549 */ 2550 (void)SCTP_GETTIME_TIMEVAL(&now); 2551 /* Expire time is in Ticks, so we convert to seconds */ 2552 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life); 2553 time_expires.tv_usec = cookie->time_entered.tv_usec; 2554 /* 2555 * TODO sctp_constants.h needs alternative time macros when _KERNEL 2556 * is undefined. 2557 */ 2558 if (timevalcmp(&now, &time_expires, >)) { 2559 /* cookie is stale! */ 2560 struct mbuf *op_err; 2561 struct sctp_stale_cookie_msg *scm; 2562 uint32_t tim; 2563 2564 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 2565 0, M_DONTWAIT, 1, MT_DATA); 2566 if (op_err == NULL) { 2567 /* FOOBAR */ 2568 return (NULL); 2569 } 2570 /* Set the len */ 2571 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 2572 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 2573 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 2574 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 2575 (sizeof(uint32_t)))); 2576 /* seconds to usec */ 2577 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2578 /* add in usec */ 2579 if (tim == 0) 2580 tim = now.tv_usec - cookie->time_entered.tv_usec; 2581 scm->time_usec = htonl(tim); 2582 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag, 2583 vrf_id, port); 2584 return (NULL); 2585 } 2586 /* 2587 * Now we must see with the lookup address if we have an existing 2588 * asoc. This will only happen if we were in the COOKIE-WAIT state 2589 * and a INIT collided with us and somewhere the peer sent the 2590 * cookie on another address besides the single address our assoc 2591 * had for him. In this case we will have one of the tie-tags set at 2592 * least AND the address field in the cookie can be used to look it 2593 * up. 2594 */ 2595 to = NULL; 2596 switch (cookie->addr_type) { 2597#ifdef INET6 2598 case SCTP_IPV6_ADDRESS: 2599 memset(&sin6, 0, sizeof(sin6)); 2600 sin6.sin6_family = AF_INET6; 2601 sin6.sin6_len = sizeof(sin6); 2602 sin6.sin6_port = sh->src_port; 2603 sin6.sin6_scope_id = cookie->scope_id; 2604 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2605 sizeof(sin6.sin6_addr.s6_addr)); 2606 to = (struct sockaddr *)&sin6; 2607 break; 2608#endif 2609#ifdef INET 2610 case SCTP_IPV4_ADDRESS: 2611 memset(&sin, 0, sizeof(sin)); 2612 sin.sin_family = AF_INET; 2613 sin.sin_len = sizeof(sin); 2614 sin.sin_port = sh->src_port; 2615 sin.sin_addr.s_addr = cookie->address[0]; 2616 to = (struct sockaddr *)&sin; 2617 break; 2618#endif 2619 default: 2620 /* This should not happen */ 2621 return (NULL); 2622 } 2623 if ((*stcb == NULL) && to) { 2624 /* Yep, lets check */ 2625 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2626 if (*stcb == NULL) { 2627 /* 2628 * We should have only got back the same inp. If we 2629 * got back a different ep we have a problem. The 2630 * original findep got back l_inp and now 2631 */ 2632 if (l_inp != *inp_p) { 2633 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n"); 2634 } 2635 } else { 2636 if (*locked_tcb == NULL) { 2637 /* 2638 * In this case we found the assoc only 2639 * after we locked the create lock. This 2640 * means we are in a colliding case and we 2641 * must make sure that we unlock the tcb if 2642 * its one of the cases where we throw away 2643 * the incoming packets. 2644 */ 2645 *locked_tcb = *stcb; 2646 2647 /* 2648 * We must also increment the inp ref count 2649 * since the ref_count flags was set when we 2650 * did not find the TCB, now we found it 2651 * which reduces the refcount.. we must 2652 * raise it back out to balance it all :-) 2653 */ 2654 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2655 if ((*stcb)->sctp_ep != l_inp) { 2656 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n", 2657 (*stcb)->sctp_ep, l_inp); 2658 } 2659 } 2660 } 2661 } 2662 if (to == NULL) { 2663 return (NULL); 2664 } 2665 cookie_len -= SCTP_SIGNATURE_SIZE; 2666 if (*stcb == NULL) { 2667 /* this is the "normal" case... get a new TCB */ 2668 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2669 cookie_len, *inp_p, netp, to, ¬ification, 2670 auth_skipped, auth_offset, auth_len, vrf_id, port); 2671 } else { 2672 /* this is abnormal... cookie-echo on existing TCB */ 2673 had_a_existing_tcb = 1; 2674 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2675 cookie, cookie_len, *inp_p, *stcb, netp, to, 2676 ¬ification, vrf_id, auth_skipped, auth_offset, auth_len, port); 2677 } 2678 2679 if (*stcb == NULL) { 2680 /* still no TCB... must be bad cookie-echo */ 2681 return (NULL); 2682 } 2683 if ((*netp != NULL) && (m->m_flags & M_FLOWID)) { 2684 (*netp)->flowid = m->m_pkthdr.flowid; 2685#ifdef INVARIANTS 2686 (*netp)->flowidset = 1; 2687#endif 2688 } 2689 /* 2690 * Ok, we built an association so confirm the address we sent the 2691 * INIT-ACK to. 2692 */ 2693 netl = sctp_findnet(*stcb, to); 2694 /* 2695 * This code should in theory NOT run but 2696 */ 2697 if (netl == NULL) { 2698 /* TSNH! Huh, why do I need to add this address here? */ 2699 if (sctp_add_remote_addr(*stcb, to, NULL, SCTP_DONOT_SETSCOPE, SCTP_IN_COOKIE_PROC)) { 2700 return (NULL); 2701 } 2702 netl = sctp_findnet(*stcb, to); 2703 } 2704 if (netl) { 2705 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2706 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2707 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2708 netl); 2709 send_int_conf = 1; 2710 } 2711 } 2712 sctp_start_net_timers(*stcb); 2713 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2714 if (!had_a_existing_tcb || 2715 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2716 /* 2717 * If we have a NEW cookie or the connect never 2718 * reached the connected state during collision we 2719 * must do the TCP accept thing. 2720 */ 2721 struct socket *so, *oso; 2722 struct sctp_inpcb *inp; 2723 2724 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2725 /* 2726 * For a restart we will keep the same 2727 * socket, no need to do anything. I THINK!! 2728 */ 2729 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2730 if (send_int_conf) { 2731 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2732 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2733 } 2734 return (m); 2735 } 2736 oso = (*inp_p)->sctp_socket; 2737 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2738 SCTP_TCB_UNLOCK((*stcb)); 2739 CURVNET_SET(oso->so_vnet); 2740 so = sonewconn(oso, 0 2741 ); 2742 CURVNET_RESTORE(); 2743 SCTP_TCB_LOCK((*stcb)); 2744 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2745 2746 if (so == NULL) { 2747 struct mbuf *op_err; 2748 2749#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2750 struct socket *pcb_so; 2751 2752#endif 2753 /* Too many sockets */ 2754 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n"); 2755 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2756 sctp_abort_association(*inp_p, NULL, m, iphlen, 2757 sh, op_err, vrf_id, port); 2758#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2759 pcb_so = SCTP_INP_SO(*inp_p); 2760 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2761 SCTP_TCB_UNLOCK((*stcb)); 2762 SCTP_SOCKET_LOCK(pcb_so, 1); 2763 SCTP_TCB_LOCK((*stcb)); 2764 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2765#endif 2766 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2767#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2768 SCTP_SOCKET_UNLOCK(pcb_so, 1); 2769#endif 2770 return (NULL); 2771 } 2772 inp = (struct sctp_inpcb *)so->so_pcb; 2773 SCTP_INP_INCR_REF(inp); 2774 /* 2775 * We add the unbound flag here so that if we get an 2776 * soabort() before we get the move_pcb done, we 2777 * will properly cleanup. 2778 */ 2779 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2780 SCTP_PCB_FLAGS_CONNECTED | 2781 SCTP_PCB_FLAGS_IN_TCPPOOL | 2782 SCTP_PCB_FLAGS_UNBOUND | 2783 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2784 SCTP_PCB_FLAGS_DONT_WAKE); 2785 inp->sctp_features = (*inp_p)->sctp_features; 2786 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features; 2787 inp->sctp_socket = so; 2788 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2789 inp->sctp_cmt_on_off = (*inp_p)->sctp_cmt_on_off; 2790 inp->sctp_ecn_enable = (*inp_p)->sctp_ecn_enable; 2791 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2792 inp->sctp_context = (*inp_p)->sctp_context; 2793 inp->inp_starting_point_for_iterator = NULL; 2794 /* 2795 * copy in the authentication parameters from the 2796 * original endpoint 2797 */ 2798 if (inp->sctp_ep.local_hmacs) 2799 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2800 inp->sctp_ep.local_hmacs = 2801 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2802 if (inp->sctp_ep.local_auth_chunks) 2803 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2804 inp->sctp_ep.local_auth_chunks = 2805 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2806 2807 /* 2808 * Now we must move it from one hash table to 2809 * another and get the tcb in the right place. 2810 */ 2811 2812 /* 2813 * This is where the one-2-one socket is put into 2814 * the accept state waiting for the accept! 2815 */ 2816 if (*stcb) { 2817 (*stcb)->asoc.state |= SCTP_STATE_IN_ACCEPT_QUEUE; 2818 } 2819 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2820 2821 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2822 SCTP_TCB_UNLOCK((*stcb)); 2823 2824 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, 2825 0); 2826 SCTP_TCB_LOCK((*stcb)); 2827 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2828 2829 2830 /* 2831 * now we must check to see if we were aborted while 2832 * the move was going on and the lock/unlock 2833 * happened. 2834 */ 2835 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2836 /* 2837 * yep it was, we leave the assoc attached 2838 * to the socket since the sctp_inpcb_free() 2839 * call will send an abort for us. 2840 */ 2841 SCTP_INP_DECR_REF(inp); 2842 return (NULL); 2843 } 2844 SCTP_INP_DECR_REF(inp); 2845 /* Switch over to the new guy */ 2846 *inp_p = inp; 2847 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2848 if (send_int_conf) { 2849 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2850 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2851 } 2852 /* 2853 * Pull it from the incomplete queue and wake the 2854 * guy 2855 */ 2856#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2857 atomic_add_int(&(*stcb)->asoc.refcnt, 1); 2858 SCTP_TCB_UNLOCK((*stcb)); 2859 SCTP_SOCKET_LOCK(so, 1); 2860#endif 2861 soisconnected(so); 2862#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2863 SCTP_TCB_LOCK((*stcb)); 2864 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1); 2865 SCTP_SOCKET_UNLOCK(so, 1); 2866#endif 2867 return (m); 2868 } 2869 } 2870 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE) { 2871 if (notification) { 2872 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2873 } 2874 if (send_int_conf) { 2875 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2876 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED); 2877 } 2878 } 2879 return (m); 2880} 2881 2882static void 2883sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp SCTP_UNUSED, 2884 struct sctp_tcb *stcb, struct sctp_nets *net) 2885{ 2886 /* cp must not be used, others call this without a c-ack :-) */ 2887 struct sctp_association *asoc; 2888 2889 SCTPDBG(SCTP_DEBUG_INPUT2, 2890 "sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2891 if (stcb == NULL) 2892 return; 2893 2894 asoc = &stcb->asoc; 2895 2896 sctp_stop_all_cookie_timers(stcb); 2897 /* process according to association state */ 2898 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2899 /* state change only needed when I am in right state */ 2900 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n"); 2901 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN); 2902 sctp_start_net_timers(stcb); 2903 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2904 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2905 stcb->sctp_ep, stcb, asoc->primary_destination); 2906 2907 } 2908 /* update RTO */ 2909 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2910 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2911 if (asoc->overall_error_count == 0) { 2912 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2913 &asoc->time_entered, sctp_align_safe_nocopy, 2914 SCTP_RTT_FROM_NON_DATA); 2915 } 2916 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2917 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 2918 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2919 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2920#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2921 struct socket *so; 2922 2923#endif 2924 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2925#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2926 so = SCTP_INP_SO(stcb->sctp_ep); 2927 atomic_add_int(&stcb->asoc.refcnt, 1); 2928 SCTP_TCB_UNLOCK(stcb); 2929 SCTP_SOCKET_LOCK(so, 1); 2930 SCTP_TCB_LOCK(stcb); 2931 atomic_subtract_int(&stcb->asoc.refcnt, 1); 2932#endif 2933 if ((stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) == 0) { 2934 soisconnected(stcb->sctp_socket); 2935 } 2936#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 2937 SCTP_SOCKET_UNLOCK(so, 1); 2938#endif 2939 } 2940 /* 2941 * since we did not send a HB make sure we don't double 2942 * things 2943 */ 2944 net->hb_responded = 1; 2945 2946 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 2947 /* 2948 * We don't need to do the asconf thing, nor hb or 2949 * autoclose if the socket is closed. 2950 */ 2951 goto closed_socket; 2952 } 2953 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2954 stcb, net); 2955 2956 2957 if (stcb->asoc.sctp_autoclose_ticks && 2958 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2959 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2960 stcb->sctp_ep, stcb, NULL); 2961 } 2962 /* 2963 * send ASCONF if parameters are pending and ASCONFs are 2964 * allowed (eg. addresses changed when init/cookie echo were 2965 * in flight) 2966 */ 2967 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2968 (stcb->asoc.peer_supports_asconf) && 2969 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2970#ifdef SCTP_TIMER_BASED_ASCONF 2971 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2972 stcb->sctp_ep, stcb, 2973 stcb->asoc.primary_destination); 2974#else 2975 sctp_send_asconf(stcb, stcb->asoc.primary_destination, 2976 SCTP_ADDR_NOT_LOCKED); 2977#endif 2978 } 2979 } 2980closed_socket: 2981 /* Toss the cookie if I can */ 2982 sctp_toss_old_cookies(stcb, asoc); 2983 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2984 /* Restart the timer if we have pending data */ 2985 struct sctp_tmit_chunk *chk; 2986 2987 chk = TAILQ_FIRST(&asoc->sent_queue); 2988 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo); 2989 } 2990} 2991 2992static void 2993sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2994 struct sctp_tcb *stcb) 2995{ 2996 struct sctp_nets *net; 2997 struct sctp_tmit_chunk *lchk; 2998 struct sctp_ecne_chunk bkup; 2999 uint8_t override_bit; 3000 uint32_t tsn, window_data_tsn; 3001 int len; 3002 unsigned int pkt_cnt; 3003 3004 len = ntohs(cp->ch.chunk_length); 3005 if ((len != sizeof(struct sctp_ecne_chunk)) && 3006 (len != sizeof(struct old_sctp_ecne_chunk))) { 3007 return; 3008 } 3009 if (len == sizeof(struct old_sctp_ecne_chunk)) { 3010 /* Its the old format */ 3011 memcpy(&bkup, cp, sizeof(struct old_sctp_ecne_chunk)); 3012 bkup.num_pkts_since_cwr = htonl(1); 3013 cp = &bkup; 3014 } 3015 SCTP_STAT_INCR(sctps_recvecne); 3016 tsn = ntohl(cp->tsn); 3017 pkt_cnt = ntohl(cp->num_pkts_since_cwr); 3018 lchk = TAILQ_LAST(&stcb->asoc.send_queue, sctpchunk_listhead); 3019 if (lchk == NULL) { 3020 window_data_tsn = stcb->asoc.sending_seq - 1; 3021 } else { 3022 window_data_tsn = lchk->rec.data.TSN_seq; 3023 } 3024 3025 /* Find where it was sent to if possible. */ 3026 net = NULL; 3027 TAILQ_FOREACH(lchk, &stcb->asoc.sent_queue, sctp_next) { 3028 if (lchk->rec.data.TSN_seq == tsn) { 3029 net = lchk->whoTo; 3030 net->ecn_prev_cwnd = lchk->rec.data.cwnd_at_send; 3031 break; 3032 } 3033 if (SCTP_TSN_GT(lchk->rec.data.TSN_seq, tsn)) { 3034 break; 3035 } 3036 } 3037 if (net == NULL) { 3038 /* 3039 * What to do. A previous send of a CWR was possibly lost. 3040 * See how old it is, we may have it marked on the actual 3041 * net. 3042 */ 3043 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 3044 if (tsn == net->last_cwr_tsn) { 3045 /* Found him, send it off */ 3046 break; 3047 } 3048 } 3049 if (net == NULL) { 3050 /* 3051 * If we reach here, we need to send a special CWR 3052 * that says hey, we did this a long time ago and 3053 * you lost the response. 3054 */ 3055 net = TAILQ_FIRST(&stcb->asoc.nets); 3056 if (net == NULL) { 3057 /* TSNH */ 3058 return; 3059 } 3060 override_bit = SCTP_CWR_REDUCE_OVERRIDE; 3061 } else { 3062 override_bit = 0; 3063 } 3064 } else { 3065 override_bit = 0; 3066 } 3067 if (SCTP_TSN_GT(tsn, net->cwr_window_tsn) && 3068 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) { 3069 /* 3070 * JRS - Use the congestion control given in the pluggable 3071 * CC module 3072 */ 3073 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 0, pkt_cnt); 3074 /* 3075 * We reduce once every RTT. So we will only lower cwnd at 3076 * the next sending seq i.e. the window_data_tsn 3077 */ 3078 net->cwr_window_tsn = window_data_tsn; 3079 net->ecn_ce_pkt_cnt += pkt_cnt; 3080 net->lost_cnt = pkt_cnt; 3081 net->last_cwr_tsn = tsn; 3082 } else { 3083 override_bit |= SCTP_CWR_IN_SAME_WINDOW; 3084 if (SCTP_TSN_GT(tsn, net->last_cwr_tsn) && 3085 ((override_bit & SCTP_CWR_REDUCE_OVERRIDE) == 0)) { 3086 /* 3087 * Another loss in the same window update how many 3088 * marks/packets lost we have had. 3089 */ 3090 int cnt = 1; 3091 3092 if (pkt_cnt > net->lost_cnt) { 3093 /* Should be the case */ 3094 cnt = (pkt_cnt - net->lost_cnt); 3095 net->ecn_ce_pkt_cnt += cnt; 3096 } 3097 net->lost_cnt = pkt_cnt; 3098 net->last_cwr_tsn = tsn; 3099 /* 3100 * Most CC functions will ignore this call, since we 3101 * are in-window yet of the initial CE the peer saw. 3102 */ 3103 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 1, cnt); 3104 } 3105 } 3106 /* 3107 * We always send a CWR this way if our previous one was lost our 3108 * peer will get an update, or if it is not time again to reduce we 3109 * still get the cwr to the peer. Note we set the override when we 3110 * could not find the TSN on the chunk or the destination network. 3111 */ 3112 sctp_send_cwr(stcb, net, net->last_cwr_tsn, override_bit); 3113} 3114 3115static void 3116sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb, struct sctp_nets *net) 3117{ 3118 /* 3119 * Here we get a CWR from the peer. We must look in the outqueue and 3120 * make sure that we have a covered ECNE in teh control chunk part. 3121 * If so remove it. 3122 */ 3123 struct sctp_tmit_chunk *chk; 3124 struct sctp_ecne_chunk *ecne; 3125 int override; 3126 uint32_t cwr_tsn; 3127 3128 cwr_tsn = ntohl(cp->tsn); 3129 3130 override = cp->ch.chunk_flags & SCTP_CWR_REDUCE_OVERRIDE; 3131 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 3132 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 3133 continue; 3134 } 3135 if ((override == 0) && (chk->whoTo != net)) { 3136 /* Must be from the right src unless override is set */ 3137 continue; 3138 } 3139 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 3140 if (SCTP_TSN_GE(cwr_tsn, ntohl(ecne->tsn))) { 3141 /* this covers this ECNE, we can remove it */ 3142 stcb->asoc.ecn_echo_cnt_onq--; 3143 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 3144 sctp_next); 3145 if (chk->data) { 3146 sctp_m_freem(chk->data); 3147 chk->data = NULL; 3148 } 3149 stcb->asoc.ctrl_queue_cnt--; 3150 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 3151 if (override == 0) { 3152 break; 3153 } 3154 } 3155 } 3156} 3157 3158static void 3159sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp SCTP_UNUSED, 3160 struct sctp_tcb *stcb, struct sctp_nets *net) 3161{ 3162 struct sctp_association *asoc; 3163 3164#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3165 struct socket *so; 3166 3167#endif 3168 3169 SCTPDBG(SCTP_DEBUG_INPUT2, 3170 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 3171 if (stcb == NULL) 3172 return; 3173 3174 asoc = &stcb->asoc; 3175 /* process according to association state */ 3176 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 3177 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 3178 SCTPDBG(SCTP_DEBUG_INPUT2, 3179 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n"); 3180 SCTP_TCB_UNLOCK(stcb); 3181 return; 3182 } 3183 /* notify upper layer protocol */ 3184 if (stcb->sctp_socket) { 3185 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 3186 /* are the queues empty? they should be */ 3187 if (!TAILQ_EMPTY(&asoc->send_queue) || 3188 !TAILQ_EMPTY(&asoc->sent_queue) || 3189 !stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) { 3190 sctp_report_all_outbound(stcb, 0, SCTP_SO_NOT_LOCKED); 3191 } 3192 } 3193 /* stop the timer */ 3194 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 3195 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 3196 /* free the TCB */ 3197 SCTPDBG(SCTP_DEBUG_INPUT2, 3198 "sctp_handle_shutdown_complete: calls free-asoc\n"); 3199#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3200 so = SCTP_INP_SO(stcb->sctp_ep); 3201 atomic_add_int(&stcb->asoc.refcnt, 1); 3202 SCTP_TCB_UNLOCK(stcb); 3203 SCTP_SOCKET_LOCK(so, 1); 3204 SCTP_TCB_LOCK(stcb); 3205 atomic_subtract_int(&stcb->asoc.refcnt, 1); 3206#endif 3207 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 3208#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 3209 SCTP_SOCKET_UNLOCK(so, 1); 3210#endif 3211 return; 3212} 3213 3214static int 3215process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 3216 struct sctp_nets *net, uint8_t flg) 3217{ 3218 switch (desc->chunk_type) { 3219 case SCTP_DATA: 3220 /* find the tsn to resend (possibly */ 3221 { 3222 uint32_t tsn; 3223 struct sctp_tmit_chunk *tp1; 3224 3225 tsn = ntohl(desc->tsn_ifany); 3226 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3227 if (tp1->rec.data.TSN_seq == tsn) { 3228 /* found it */ 3229 break; 3230 } 3231 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, tsn)) { 3232 /* not found */ 3233 tp1 = NULL; 3234 break; 3235 } 3236 } 3237 if (tp1 == NULL) { 3238 /* 3239 * Do it the other way , aka without paying 3240 * attention to queue seq order. 3241 */ 3242 SCTP_STAT_INCR(sctps_pdrpdnfnd); 3243 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3244 if (tp1->rec.data.TSN_seq == tsn) { 3245 /* found it */ 3246 break; 3247 } 3248 } 3249 } 3250 if (tp1 == NULL) { 3251 SCTP_STAT_INCR(sctps_pdrptsnnf); 3252 } 3253 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 3254 uint8_t *ddp; 3255 3256 if (((flg & SCTP_BADCRC) == 0) && 3257 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 3258 return (0); 3259 } 3260 if ((stcb->asoc.peers_rwnd == 0) && 3261 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 3262 SCTP_STAT_INCR(sctps_pdrpdiwnp); 3263 return (0); 3264 } 3265 if (stcb->asoc.peers_rwnd == 0 && 3266 (flg & SCTP_FROM_MIDDLE_BOX)) { 3267 SCTP_STAT_INCR(sctps_pdrpdizrw); 3268 return (0); 3269 } 3270 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 3271 sizeof(struct sctp_data_chunk)); 3272 { 3273 unsigned int iii; 3274 3275 for (iii = 0; iii < sizeof(desc->data_bytes); 3276 iii++) { 3277 if (ddp[iii] != desc->data_bytes[iii]) { 3278 SCTP_STAT_INCR(sctps_pdrpbadd); 3279 return (-1); 3280 } 3281 } 3282 } 3283 3284 if (tp1->do_rtt) { 3285 /* 3286 * this guy had a RTO calculation 3287 * pending on it, cancel it 3288 */ 3289 if (tp1->whoTo->rto_needed == 0) { 3290 tp1->whoTo->rto_needed = 1; 3291 } 3292 tp1->do_rtt = 0; 3293 } 3294 SCTP_STAT_INCR(sctps_pdrpmark); 3295 if (tp1->sent != SCTP_DATAGRAM_RESEND) 3296 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3297 /* 3298 * mark it as if we were doing a FR, since 3299 * we will be getting gap ack reports behind 3300 * the info from the router. 3301 */ 3302 tp1->rec.data.doing_fast_retransmit = 1; 3303 /* 3304 * mark the tsn with what sequences can 3305 * cause a new FR. 3306 */ 3307 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 3308 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 3309 } else { 3310 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 3311 } 3312 3313 /* restart the timer */ 3314 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 3315 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 3316 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 3317 stcb, tp1->whoTo); 3318 3319 /* fix counts and things */ 3320 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3321 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 3322 tp1->whoTo->flight_size, 3323 tp1->book_size, 3324 (uintptr_t) stcb, 3325 tp1->rec.data.TSN_seq); 3326 } 3327 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3328 sctp_flight_size_decrease(tp1); 3329 sctp_total_flight_decrease(stcb, tp1); 3330 } 3331 tp1->sent = SCTP_DATAGRAM_RESEND; 3332 } { 3333 /* audit code */ 3334 unsigned int audit; 3335 3336 audit = 0; 3337 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 3338 if (tp1->sent == SCTP_DATAGRAM_RESEND) 3339 audit++; 3340 } 3341 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 3342 sctp_next) { 3343 if (tp1->sent == SCTP_DATAGRAM_RESEND) 3344 audit++; 3345 } 3346 if (audit != stcb->asoc.sent_queue_retran_cnt) { 3347 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n", 3348 audit, stcb->asoc.sent_queue_retran_cnt); 3349#ifndef SCTP_AUDITING_ENABLED 3350 stcb->asoc.sent_queue_retran_cnt = audit; 3351#endif 3352 } 3353 } 3354 } 3355 break; 3356 case SCTP_ASCONF: 3357 { 3358 struct sctp_tmit_chunk *asconf; 3359 3360 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 3361 sctp_next) { 3362 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 3363 break; 3364 } 3365 } 3366 if (asconf) { 3367 if (asconf->sent != SCTP_DATAGRAM_RESEND) 3368 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3369 asconf->sent = SCTP_DATAGRAM_RESEND; 3370 asconf->snd_count--; 3371 } 3372 } 3373 break; 3374 case SCTP_INITIATION: 3375 /* resend the INIT */ 3376 stcb->asoc.dropped_special_cnt++; 3377 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 3378 /* 3379 * If we can get it in, in a few attempts we do 3380 * this, otherwise we let the timer fire. 3381 */ 3382 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 3383 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 3384 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 3385 } 3386 break; 3387 case SCTP_SELECTIVE_ACK: 3388 case SCTP_NR_SELECTIVE_ACK: 3389 /* resend the sack */ 3390 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED); 3391 break; 3392 case SCTP_HEARTBEAT_REQUEST: 3393 /* resend a demand HB */ 3394 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) { 3395 /* 3396 * Only retransmit if we KNOW we wont destroy the 3397 * tcb 3398 */ 3399 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED); 3400 } 3401 break; 3402 case SCTP_SHUTDOWN: 3403 sctp_send_shutdown(stcb, net); 3404 break; 3405 case SCTP_SHUTDOWN_ACK: 3406 sctp_send_shutdown_ack(stcb, net); 3407 break; 3408 case SCTP_COOKIE_ECHO: 3409 { 3410 struct sctp_tmit_chunk *cookie; 3411 3412 cookie = NULL; 3413 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 3414 sctp_next) { 3415 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 3416 break; 3417 } 3418 } 3419 if (cookie) { 3420 if (cookie->sent != SCTP_DATAGRAM_RESEND) 3421 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3422 cookie->sent = SCTP_DATAGRAM_RESEND; 3423 sctp_stop_all_cookie_timers(stcb); 3424 } 3425 } 3426 break; 3427 case SCTP_COOKIE_ACK: 3428 sctp_send_cookie_ack(stcb); 3429 break; 3430 case SCTP_ASCONF_ACK: 3431 /* resend last asconf ack */ 3432 sctp_send_asconf_ack(stcb); 3433 break; 3434 case SCTP_FORWARD_CUM_TSN: 3435 send_forward_tsn(stcb, &stcb->asoc); 3436 break; 3437 /* can't do anything with these */ 3438 case SCTP_PACKET_DROPPED: 3439 case SCTP_INITIATION_ACK: /* this should not happen */ 3440 case SCTP_HEARTBEAT_ACK: 3441 case SCTP_ABORT_ASSOCIATION: 3442 case SCTP_OPERATION_ERROR: 3443 case SCTP_SHUTDOWN_COMPLETE: 3444 case SCTP_ECN_ECHO: 3445 case SCTP_ECN_CWR: 3446 default: 3447 break; 3448 } 3449 return (0); 3450} 3451 3452void 3453sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 3454{ 3455 int i; 3456 uint16_t temp; 3457 3458 /* 3459 * We set things to 0xffff since this is the last delivered sequence 3460 * and we will be sending in 0 after the reset. 3461 */ 3462 3463 if (number_entries) { 3464 for (i = 0; i < number_entries; i++) { 3465 temp = ntohs(list[i]); 3466 if (temp >= stcb->asoc.streamincnt) { 3467 continue; 3468 } 3469 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 3470 } 3471 } else { 3472 list = NULL; 3473 for (i = 0; i < stcb->asoc.streamincnt; i++) { 3474 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 3475 } 3476 } 3477 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3478} 3479 3480static void 3481sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 3482{ 3483 int i; 3484 3485 if (number_entries == 0) { 3486 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 3487 stcb->asoc.strmout[i].next_sequence_sent = 0; 3488 } 3489 } else if (number_entries) { 3490 for (i = 0; i < number_entries; i++) { 3491 uint16_t temp; 3492 3493 temp = ntohs(list[i]); 3494 if (temp >= stcb->asoc.streamoutcnt) { 3495 /* no such stream */ 3496 continue; 3497 } 3498 stcb->asoc.strmout[temp].next_sequence_sent = 0; 3499 } 3500 } 3501 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED); 3502} 3503 3504 3505struct sctp_stream_reset_out_request * 3506sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 3507{ 3508 struct sctp_association *asoc; 3509 struct sctp_stream_reset_out_req *req; 3510 struct sctp_stream_reset_out_request *r; 3511 struct sctp_tmit_chunk *chk; 3512 int len, clen; 3513 3514 asoc = &stcb->asoc; 3515 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 3516 asoc->stream_reset_outstanding = 0; 3517 return (NULL); 3518 } 3519 if (stcb->asoc.str_reset == NULL) { 3520 asoc->stream_reset_outstanding = 0; 3521 return (NULL); 3522 } 3523 chk = stcb->asoc.str_reset; 3524 if (chk->data == NULL) { 3525 return (NULL); 3526 } 3527 if (bchk) { 3528 /* he wants a copy of the chk pointer */ 3529 *bchk = chk; 3530 } 3531 clen = chk->send_size; 3532 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 3533 r = &req->sr_req; 3534 if (ntohl(r->request_seq) == seq) { 3535 /* found it */ 3536 return (r); 3537 } 3538 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 3539 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 3540 /* move to the next one, there can only be a max of two */ 3541 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 3542 if (ntohl(r->request_seq) == seq) { 3543 return (r); 3544 } 3545 } 3546 /* that seq is not here */ 3547 return (NULL); 3548} 3549 3550static void 3551sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 3552{ 3553 struct sctp_association *asoc; 3554 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 3555 3556 if (stcb->asoc.str_reset == NULL) { 3557 return; 3558 } 3559 asoc = &stcb->asoc; 3560 3561 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3562 TAILQ_REMOVE(&asoc->control_send_queue, 3563 chk, 3564 sctp_next); 3565 if (chk->data) { 3566 sctp_m_freem(chk->data); 3567 chk->data = NULL; 3568 } 3569 asoc->ctrl_queue_cnt--; 3570 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 3571 /* sa_ignore NO_NULL_CHK */ 3572 stcb->asoc.str_reset = NULL; 3573} 3574 3575 3576static int 3577sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 3578 uint32_t seq, uint32_t action, 3579 struct sctp_stream_reset_response *respin) 3580{ 3581 uint16_t type; 3582 int lparm_len; 3583 struct sctp_association *asoc = &stcb->asoc; 3584 struct sctp_tmit_chunk *chk; 3585 struct sctp_stream_reset_out_request *srparam; 3586 int number_entries; 3587 3588 if (asoc->stream_reset_outstanding == 0) { 3589 /* duplicate */ 3590 return (0); 3591 } 3592 if (seq == stcb->asoc.str_reset_seq_out) { 3593 srparam = sctp_find_stream_reset(stcb, seq, &chk); 3594 if (srparam) { 3595 stcb->asoc.str_reset_seq_out++; 3596 type = ntohs(srparam->ph.param_type); 3597 lparm_len = ntohs(srparam->ph.param_length); 3598 if (type == SCTP_STR_RESET_OUT_REQUEST) { 3599 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 3600 asoc->stream_reset_out_is_outstanding = 0; 3601 if (asoc->stream_reset_outstanding) 3602 asoc->stream_reset_outstanding--; 3603 if (action == SCTP_STREAM_RESET_PERFORMED) { 3604 /* do it */ 3605 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 3606 } else { 3607 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); 3608 } 3609 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 3610 /* Answered my request */ 3611 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 3612 if (asoc->stream_reset_outstanding) 3613 asoc->stream_reset_outstanding--; 3614 if (action != SCTP_STREAM_RESET_PERFORMED) { 3615 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); 3616 } 3617 } else if (type == SCTP_STR_RESET_ADD_STREAMS) { 3618 /* Ok we now may have more streams */ 3619 if (asoc->stream_reset_outstanding) 3620 asoc->stream_reset_outstanding--; 3621 if (action == SCTP_STREAM_RESET_PERFORMED) { 3622 /* Put the new streams into effect */ 3623 stcb->asoc.streamoutcnt = stcb->asoc.strm_realoutsize; 3624 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_ADD_OK, stcb, 3625 (uint32_t) stcb->asoc.streamoutcnt, NULL, SCTP_SO_NOT_LOCKED); 3626 } else { 3627 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_ADD_FAIL, stcb, 3628 (uint32_t) stcb->asoc.streamoutcnt, NULL, SCTP_SO_NOT_LOCKED); 3629 } 3630 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 3631 /** 3632 * a) Adopt the new in tsn. 3633 * b) reset the map 3634 * c) Adopt the new out-tsn 3635 */ 3636 struct sctp_stream_reset_response_tsn *resp; 3637 struct sctp_forward_tsn_chunk fwdtsn; 3638 int abort_flag = 0; 3639 3640 if (respin == NULL) { 3641 /* huh ? */ 3642 return (0); 3643 } 3644 if (action == SCTP_STREAM_RESET_PERFORMED) { 3645 resp = (struct sctp_stream_reset_response_tsn *)respin; 3646 asoc->stream_reset_outstanding--; 3647 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3648 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3649 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 3650 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3651 if (abort_flag) { 3652 return (1); 3653 } 3654 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 3655 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 3656 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 3657 } 3658 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3659 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 3660 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3661 3662 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map; 3663 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size); 3664 3665 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 3666 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 3667 3668 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3669 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3670 3671 } 3672 } 3673 /* get rid of the request and get the request flags */ 3674 if (asoc->stream_reset_outstanding == 0) { 3675 sctp_clean_up_stream_reset(stcb); 3676 } 3677 } 3678 } 3679 return (0); 3680} 3681 3682static void 3683sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 3684 struct sctp_tmit_chunk *chk, 3685 struct sctp_stream_reset_in_request *req, int trunc) 3686{ 3687 uint32_t seq; 3688 int len, i; 3689 int number_entries; 3690 uint16_t temp; 3691 3692 /* 3693 * peer wants me to send a str-reset to him for my outgoing seq's if 3694 * seq_in is right. 3695 */ 3696 struct sctp_association *asoc = &stcb->asoc; 3697 3698 seq = ntohl(req->request_seq); 3699 if (asoc->str_reset_seq_in == seq) { 3700 if (trunc) { 3701 /* Can't do it, since they exceeded our buffer size */ 3702 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3703 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3704 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3705 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 3706 len = ntohs(req->ph.param_length); 3707 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 3708 for (i = 0; i < number_entries; i++) { 3709 temp = ntohs(req->list_of_streams[i]); 3710 req->list_of_streams[i] = temp; 3711 } 3712 /* move the reset action back one */ 3713 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3714 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3715 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 3716 asoc->str_reset_seq_out, 3717 seq, (asoc->sending_seq - 1)); 3718 asoc->stream_reset_out_is_outstanding = 1; 3719 asoc->str_reset = chk; 3720 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 3721 stcb->asoc.stream_reset_outstanding++; 3722 } else { 3723 /* Can't do it, since we have sent one out */ 3724 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3725 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 3726 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3727 } 3728 asoc->str_reset_seq_in++; 3729 } else if (asoc->str_reset_seq_in - 1 == seq) { 3730 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3731 } else if (asoc->str_reset_seq_in - 2 == seq) { 3732 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3733 } else { 3734 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3735 } 3736} 3737 3738static int 3739sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 3740 struct sctp_tmit_chunk *chk, 3741 struct sctp_stream_reset_tsn_request *req) 3742{ 3743 /* reset all in and out and update the tsn */ 3744 /* 3745 * A) reset my str-seq's on in and out. B) Select a receive next, 3746 * and set cum-ack to it. Also process this selected number as a 3747 * fwd-tsn as well. C) set in the response my next sending seq. 3748 */ 3749 struct sctp_forward_tsn_chunk fwdtsn; 3750 struct sctp_association *asoc = &stcb->asoc; 3751 int abort_flag = 0; 3752 uint32_t seq; 3753 3754 seq = ntohl(req->request_seq); 3755 if (asoc->str_reset_seq_in == seq) { 3756 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3757 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3758 fwdtsn.ch.chunk_flags = 0; 3759 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3760 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0); 3761 if (abort_flag) { 3762 return (1); 3763 } 3764 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3765 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 3766 sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 3767 } 3768 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3769 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 3770 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3771 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map; 3772 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size); 3773 atomic_add_int(&stcb->asoc.sending_seq, 1); 3774 /* save off historical data for retrans */ 3775 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 3776 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 3777 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 3778 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 3779 3780 sctp_add_stream_reset_result_tsn(chk, 3781 ntohl(req->request_seq), 3782 SCTP_STREAM_RESET_PERFORMED, 3783 stcb->asoc.sending_seq, 3784 stcb->asoc.mapping_array_base_tsn); 3785 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3786 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3787 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3788 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3789 3790 asoc->str_reset_seq_in++; 3791 } else if (asoc->str_reset_seq_in - 1 == seq) { 3792 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3793 stcb->asoc.last_sending_seq[0], 3794 stcb->asoc.last_base_tsnsent[0] 3795 ); 3796 } else if (asoc->str_reset_seq_in - 2 == seq) { 3797 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3798 stcb->asoc.last_sending_seq[1], 3799 stcb->asoc.last_base_tsnsent[1] 3800 ); 3801 } else { 3802 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3803 } 3804 return (0); 3805} 3806 3807static void 3808sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3809 struct sctp_tmit_chunk *chk, 3810 struct sctp_stream_reset_out_request *req, int trunc) 3811{ 3812 uint32_t seq, tsn; 3813 int number_entries, len; 3814 struct sctp_association *asoc = &stcb->asoc; 3815 3816 seq = ntohl(req->request_seq); 3817 3818 /* now if its not a duplicate we process it */ 3819 if (asoc->str_reset_seq_in == seq) { 3820 len = ntohs(req->ph.param_length); 3821 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3822 /* 3823 * the sender is resetting, handle the list issue.. we must 3824 * a) verify if we can do the reset, if so no problem b) If 3825 * we can't do the reset we must copy the request. c) queue 3826 * it, and setup the data in processor to trigger it off 3827 * when needed and dequeue all the queued data. 3828 */ 3829 tsn = ntohl(req->send_reset_at_tsn); 3830 3831 /* move the reset action back one */ 3832 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3833 if (trunc) { 3834 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3835 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3836 } else if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) { 3837 /* we can do it now */ 3838 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3839 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3840 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3841 } else { 3842 /* 3843 * we must queue it up and thus wait for the TSN's 3844 * to arrive that are at or before tsn 3845 */ 3846 struct sctp_stream_reset_list *liste; 3847 int siz; 3848 3849 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3850 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3851 siz, SCTP_M_STRESET); 3852 if (liste == NULL) { 3853 /* gak out of memory */ 3854 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3855 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3856 return; 3857 } 3858 liste->tsn = tsn; 3859 liste->number_entries = number_entries; 3860 memcpy(&liste->req, req, 3861 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3862 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3863 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3864 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3865 } 3866 asoc->str_reset_seq_in++; 3867 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3868 /* 3869 * one seq back, just echo back last action since my 3870 * response was lost. 3871 */ 3872 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3873 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3874 /* 3875 * two seq back, just echo back last action since my 3876 * response was lost. 3877 */ 3878 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3879 } else { 3880 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3881 } 3882} 3883 3884static void 3885sctp_handle_str_reset_add_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk, 3886 struct sctp_stream_reset_add_strm *str_add) 3887{ 3888 /* 3889 * Peer is requesting to add more streams. If its within our 3890 * max-streams we will allow it. 3891 */ 3892 uint16_t num_stream, i; 3893 uint32_t seq; 3894 struct sctp_association *asoc = &stcb->asoc; 3895 struct sctp_queued_to_read *ctl, *nctl; 3896 3897 /* Get the number. */ 3898 seq = ntohl(str_add->request_seq); 3899 num_stream = ntohs(str_add->number_of_streams); 3900 /* Now what would be the new total? */ 3901 if (asoc->str_reset_seq_in == seq) { 3902 num_stream += stcb->asoc.streamincnt; 3903 if (num_stream > stcb->asoc.max_inbound_streams) { 3904 /* We must reject it they ask for to many */ 3905 denied: 3906 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3907 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3908 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3909 } else { 3910 /* Ok, we can do that :-) */ 3911 struct sctp_stream_in *oldstrm; 3912 3913 /* save off the old */ 3914 oldstrm = stcb->asoc.strmin; 3915 SCTP_MALLOC(stcb->asoc.strmin, struct sctp_stream_in *, 3916 (num_stream * sizeof(struct sctp_stream_in)), 3917 SCTP_M_STRMI); 3918 if (stcb->asoc.strmin == NULL) { 3919 stcb->asoc.strmin = oldstrm; 3920 goto denied; 3921 } 3922 /* copy off the old data */ 3923 for (i = 0; i < stcb->asoc.streamincnt; i++) { 3924 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue); 3925 stcb->asoc.strmin[i].stream_no = i; 3926 stcb->asoc.strmin[i].last_sequence_delivered = oldstrm[i].last_sequence_delivered; 3927 stcb->asoc.strmin[i].delivery_started = oldstrm[i].delivery_started; 3928 /* now anything on those queues? */ 3929 TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].inqueue, next, nctl) { 3930 TAILQ_REMOVE(&oldstrm[i].inqueue, ctl, next); 3931 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].inqueue, ctl, next); 3932 } 3933 } 3934 /* Init the new streams */ 3935 for (i = stcb->asoc.streamincnt; i < num_stream; i++) { 3936 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue); 3937 stcb->asoc.strmin[i].stream_no = i; 3938 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 3939 stcb->asoc.strmin[i].delivery_started = 0; 3940 } 3941 SCTP_FREE(oldstrm, SCTP_M_STRMI); 3942 /* update the size */ 3943 stcb->asoc.streamincnt = num_stream; 3944 /* Send the ack */ 3945 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3946 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3947 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3948 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_INSTREAM_ADD_OK, stcb, 3949 (uint32_t) stcb->asoc.streamincnt, NULL, SCTP_SO_NOT_LOCKED); 3950 } 3951 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3952 /* 3953 * one seq back, just echo back last action since my 3954 * response was lost. 3955 */ 3956 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3957 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3958 /* 3959 * two seq back, just echo back last action since my 3960 * response was lost. 3961 */ 3962 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3963 } else { 3964 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3965 3966 } 3967} 3968 3969#ifdef __GNUC__ 3970__attribute__((noinline)) 3971#endif 3972 static int 3973 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset, 3974 struct sctp_stream_reset_out_req *sr_req) 3975{ 3976 int chk_length, param_len, ptype; 3977 struct sctp_paramhdr pstore; 3978 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE]; 3979 3980 uint32_t seq; 3981 int num_req = 0; 3982 int trunc = 0; 3983 struct sctp_tmit_chunk *chk; 3984 struct sctp_chunkhdr *ch; 3985 struct sctp_paramhdr *ph; 3986 int ret_code = 0; 3987 int num_param = 0; 3988 3989 /* now it may be a reset or a reset-response */ 3990 chk_length = ntohs(sr_req->ch.chunk_length); 3991 3992 /* setup for adding the response */ 3993 sctp_alloc_a_chunk(stcb, chk); 3994 if (chk == NULL) { 3995 return (ret_code); 3996 } 3997 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3998 chk->rec.chunk_id.can_take_data = 0; 3999 chk->asoc = &stcb->asoc; 4000 chk->no_fr_allowed = 0; 4001 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 4002 chk->book_size_scale = 0; 4003 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 4004 if (chk->data == NULL) { 4005strres_nochunk: 4006 if (chk->data) { 4007 sctp_m_freem(chk->data); 4008 chk->data = NULL; 4009 } 4010 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 4011 return (ret_code); 4012 } 4013 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 4014 4015 /* setup chunk parameters */ 4016 chk->sent = SCTP_DATAGRAM_UNSENT; 4017 chk->snd_count = 0; 4018 chk->whoTo = NULL; 4019 4020 ch = mtod(chk->data, struct sctp_chunkhdr *); 4021 ch->chunk_type = SCTP_STREAM_RESET; 4022 ch->chunk_flags = 0; 4023 ch->chunk_length = htons(chk->send_size); 4024 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 4025 offset += sizeof(struct sctp_chunkhdr); 4026 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 4027 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *) & pstore); 4028 if (ph == NULL) 4029 break; 4030 param_len = ntohs(ph->param_length); 4031 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 4032 /* bad param */ 4033 break; 4034 } 4035 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)), 4036 (uint8_t *) & cstore); 4037 ptype = ntohs(ph->param_type); 4038 num_param++; 4039 if (param_len > (int)sizeof(cstore)) { 4040 trunc = 1; 4041 } else { 4042 trunc = 0; 4043 } 4044 4045 if (num_param > SCTP_MAX_RESET_PARAMS) { 4046 /* hit the max of parameters already sorry.. */ 4047 break; 4048 } 4049 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 4050 struct sctp_stream_reset_out_request *req_out; 4051 4052 req_out = (struct sctp_stream_reset_out_request *)ph; 4053 num_req++; 4054 if (stcb->asoc.stream_reset_outstanding) { 4055 seq = ntohl(req_out->response_seq); 4056 if (seq == stcb->asoc.str_reset_seq_out) { 4057 /* implicit ack */ 4058 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 4059 } 4060 } 4061 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc); 4062 } else if (ptype == SCTP_STR_RESET_ADD_STREAMS) { 4063 struct sctp_stream_reset_add_strm *str_add; 4064 4065 str_add = (struct sctp_stream_reset_add_strm *)ph; 4066 num_req++; 4067 sctp_handle_str_reset_add_strm(stcb, chk, str_add); 4068 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 4069 struct sctp_stream_reset_in_request *req_in; 4070 4071 num_req++; 4072 4073 req_in = (struct sctp_stream_reset_in_request *)ph; 4074 4075 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc); 4076 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 4077 struct sctp_stream_reset_tsn_request *req_tsn; 4078 4079 num_req++; 4080 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 4081 4082 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 4083 ret_code = 1; 4084 goto strres_nochunk; 4085 } 4086 /* no more */ 4087 break; 4088 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 4089 struct sctp_stream_reset_response *resp; 4090 uint32_t result; 4091 4092 resp = (struct sctp_stream_reset_response *)ph; 4093 seq = ntohl(resp->response_seq); 4094 result = ntohl(resp->result); 4095 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 4096 ret_code = 1; 4097 goto strres_nochunk; 4098 } 4099 } else { 4100 break; 4101 } 4102 offset += SCTP_SIZE32(param_len); 4103 chk_length -= SCTP_SIZE32(param_len); 4104 } 4105 if (num_req == 0) { 4106 /* we have no response free the stuff */ 4107 goto strres_nochunk; 4108 } 4109 /* ok we have a chunk to link in */ 4110 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 4111 chk, 4112 sctp_next); 4113 stcb->asoc.ctrl_queue_cnt++; 4114 return (ret_code); 4115} 4116 4117/* 4118 * Handle a router or endpoints report of a packet loss, there are two ways 4119 * to handle this, either we get the whole packet and must disect it 4120 * ourselves (possibly with truncation and or corruption) or it is a summary 4121 * from a middle box that did the disectting for us. 4122 */ 4123static void 4124sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 4125 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit) 4126{ 4127 uint32_t bottle_bw, on_queue; 4128 uint16_t trunc_len; 4129 unsigned int chlen; 4130 unsigned int at; 4131 struct sctp_chunk_desc desc; 4132 struct sctp_chunkhdr *ch; 4133 4134 chlen = ntohs(cp->ch.chunk_length); 4135 chlen -= sizeof(struct sctp_pktdrop_chunk); 4136 /* XXX possible chlen underflow */ 4137 if (chlen == 0) { 4138 ch = NULL; 4139 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 4140 SCTP_STAT_INCR(sctps_pdrpbwrpt); 4141 } else { 4142 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 4143 chlen -= sizeof(struct sctphdr); 4144 /* XXX possible chlen underflow */ 4145 memset(&desc, 0, sizeof(desc)); 4146 } 4147 trunc_len = (uint16_t) ntohs(cp->trunc_len); 4148 if (trunc_len > limit) { 4149 trunc_len = limit; 4150 } 4151 /* now the chunks themselves */ 4152 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 4153 desc.chunk_type = ch->chunk_type; 4154 /* get amount we need to move */ 4155 at = ntohs(ch->chunk_length); 4156 if (at < sizeof(struct sctp_chunkhdr)) { 4157 /* corrupt chunk, maybe at the end? */ 4158 SCTP_STAT_INCR(sctps_pdrpcrupt); 4159 break; 4160 } 4161 if (trunc_len == 0) { 4162 /* we are supposed to have all of it */ 4163 if (at > chlen) { 4164 /* corrupt skip it */ 4165 SCTP_STAT_INCR(sctps_pdrpcrupt); 4166 break; 4167 } 4168 } else { 4169 /* is there enough of it left ? */ 4170 if (desc.chunk_type == SCTP_DATA) { 4171 if (chlen < (sizeof(struct sctp_data_chunk) + 4172 sizeof(desc.data_bytes))) { 4173 break; 4174 } 4175 } else { 4176 if (chlen < sizeof(struct sctp_chunkhdr)) { 4177 break; 4178 } 4179 } 4180 } 4181 if (desc.chunk_type == SCTP_DATA) { 4182 /* can we get out the tsn? */ 4183 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 4184 SCTP_STAT_INCR(sctps_pdrpmbda); 4185 4186 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 4187 /* yep */ 4188 struct sctp_data_chunk *dcp; 4189 uint8_t *ddp; 4190 unsigned int iii; 4191 4192 dcp = (struct sctp_data_chunk *)ch; 4193 ddp = (uint8_t *) (dcp + 1); 4194 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 4195 desc.data_bytes[iii] = ddp[iii]; 4196 } 4197 desc.tsn_ifany = dcp->dp.tsn; 4198 } else { 4199 /* nope we are done. */ 4200 SCTP_STAT_INCR(sctps_pdrpnedat); 4201 break; 4202 } 4203 } else { 4204 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 4205 SCTP_STAT_INCR(sctps_pdrpmbct); 4206 } 4207 4208 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 4209 SCTP_STAT_INCR(sctps_pdrppdbrk); 4210 break; 4211 } 4212 if (SCTP_SIZE32(at) > chlen) { 4213 break; 4214 } 4215 chlen -= SCTP_SIZE32(at); 4216 if (chlen < sizeof(struct sctp_chunkhdr)) { 4217 /* done, none left */ 4218 break; 4219 } 4220 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 4221 } 4222 /* Now update any rwnd --- possibly */ 4223 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 4224 /* From a peer, we get a rwnd report */ 4225 uint32_t a_rwnd; 4226 4227 SCTP_STAT_INCR(sctps_pdrpfehos); 4228 4229 bottle_bw = ntohl(cp->bottle_bw); 4230 on_queue = ntohl(cp->current_onq); 4231 if (bottle_bw && on_queue) { 4232 /* a rwnd report is in here */ 4233 if (bottle_bw > on_queue) 4234 a_rwnd = bottle_bw - on_queue; 4235 else 4236 a_rwnd = 0; 4237 4238 if (a_rwnd == 0) 4239 stcb->asoc.peers_rwnd = 0; 4240 else { 4241 if (a_rwnd > stcb->asoc.total_flight) { 4242 stcb->asoc.peers_rwnd = 4243 a_rwnd - stcb->asoc.total_flight; 4244 } else { 4245 stcb->asoc.peers_rwnd = 0; 4246 } 4247 if (stcb->asoc.peers_rwnd < 4248 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4249 /* SWS sender side engages */ 4250 stcb->asoc.peers_rwnd = 0; 4251 } 4252 } 4253 } 4254 } else { 4255 SCTP_STAT_INCR(sctps_pdrpfmbox); 4256 } 4257 4258 /* now middle boxes in sat networks get a cwnd bump */ 4259 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 4260 (stcb->asoc.sat_t3_loss_recovery == 0) && 4261 (stcb->asoc.sat_network)) { 4262 /* 4263 * This is debateable but for sat networks it makes sense 4264 * Note if a T3 timer has went off, we will prohibit any 4265 * changes to cwnd until we exit the t3 loss recovery. 4266 */ 4267 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb, 4268 net, cp, &bottle_bw, &on_queue); 4269 } 4270} 4271 4272/* 4273 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 4274 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 4275 * offset: offset into the mbuf chain to first chunkhdr - length: is the 4276 * length of the complete packet outputs: - length: modified to remaining 4277 * length after control processing - netp: modified to new sctp_nets after 4278 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 4279 * bad packet,...) otherwise return the tcb for this packet 4280 */ 4281#ifdef __GNUC__ 4282__attribute__((noinline)) 4283#endif 4284 static struct sctp_tcb * 4285 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 4286 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 4287 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen, 4288 uint32_t vrf_id, uint16_t port) 4289{ 4290 struct sctp_association *asoc; 4291 uint32_t vtag_in; 4292 int num_chunks = 0; /* number of control chunks processed */ 4293 uint32_t chk_length; 4294 int ret; 4295 int abort_no_unlock = 0; 4296 int ecne_seen = 0; 4297 4298 /* 4299 * How big should this be, and should it be alloc'd? Lets try the 4300 * d-mtu-ceiling for now (2k) and that should hopefully work ... 4301 * until we get into jumbo grams and such.. 4302 */ 4303 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 4304 struct sctp_tcb *locked_tcb = stcb; 4305 int got_auth = 0; 4306 uint32_t auth_offset = 0, auth_len = 0; 4307 int auth_skipped = 0; 4308 int asconf_cnt = 0; 4309 4310#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4311 struct socket *so; 4312 4313#endif 4314 4315 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 4316 iphlen, *offset, length, stcb); 4317 4318 /* validate chunk header length... */ 4319 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 4320 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n", 4321 ntohs(ch->chunk_length)); 4322 if (locked_tcb) { 4323 SCTP_TCB_UNLOCK(locked_tcb); 4324 } 4325 return (NULL); 4326 } 4327 /* 4328 * validate the verification tag 4329 */ 4330 vtag_in = ntohl(sh->v_tag); 4331 4332 if (locked_tcb) { 4333 SCTP_TCB_LOCK_ASSERT(locked_tcb); 4334 } 4335 if (ch->chunk_type == SCTP_INITIATION) { 4336 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n", 4337 ntohs(ch->chunk_length), vtag_in); 4338 if (vtag_in != 0) { 4339 /* protocol error- silently discard... */ 4340 SCTP_STAT_INCR(sctps_badvtag); 4341 if (locked_tcb) { 4342 SCTP_TCB_UNLOCK(locked_tcb); 4343 } 4344 return (NULL); 4345 } 4346 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 4347 /* 4348 * If there is no stcb, skip the AUTH chunk and process 4349 * later after a stcb is found (to validate the lookup was 4350 * valid. 4351 */ 4352 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 4353 (stcb == NULL) && 4354 !SCTP_BASE_SYSCTL(sctp_auth_disable)) { 4355 /* save this chunk for later processing */ 4356 auth_skipped = 1; 4357 auth_offset = *offset; 4358 auth_len = ntohs(ch->chunk_length); 4359 4360 /* (temporarily) move past this chunk */ 4361 *offset += SCTP_SIZE32(auth_len); 4362 if (*offset >= length) { 4363 /* no more data left in the mbuf chain */ 4364 *offset = length; 4365 if (locked_tcb) { 4366 SCTP_TCB_UNLOCK(locked_tcb); 4367 } 4368 return (NULL); 4369 } 4370 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4371 sizeof(struct sctp_chunkhdr), chunk_buf); 4372 } 4373 if (ch == NULL) { 4374 /* Help */ 4375 *offset = length; 4376 if (locked_tcb) { 4377 SCTP_TCB_UNLOCK(locked_tcb); 4378 } 4379 return (NULL); 4380 } 4381 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 4382 goto process_control_chunks; 4383 } 4384 /* 4385 * first check if it's an ASCONF with an unknown src addr we 4386 * need to look inside to find the association 4387 */ 4388 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 4389 struct sctp_chunkhdr *asconf_ch = ch; 4390 uint32_t asconf_offset = 0, asconf_len = 0; 4391 4392 /* inp's refcount may be reduced */ 4393 SCTP_INP_INCR_REF(inp); 4394 4395 asconf_offset = *offset; 4396 do { 4397 asconf_len = ntohs(asconf_ch->chunk_length); 4398 if (asconf_len < sizeof(struct sctp_asconf_paramhdr)) 4399 break; 4400 stcb = sctp_findassociation_ep_asconf(m, 4401 *offset, sh, &inp, netp, vrf_id); 4402 if (stcb != NULL) 4403 break; 4404 asconf_offset += SCTP_SIZE32(asconf_len); 4405 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset, 4406 sizeof(struct sctp_chunkhdr), chunk_buf); 4407 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF); 4408 if (stcb == NULL) { 4409 /* 4410 * reduce inp's refcount if not reduced in 4411 * sctp_findassociation_ep_asconf(). 4412 */ 4413 SCTP_INP_DECR_REF(inp); 4414 } else { 4415 locked_tcb = stcb; 4416 } 4417 4418 /* now go back and verify any auth chunk to be sure */ 4419 if (auth_skipped && (stcb != NULL)) { 4420 struct sctp_auth_chunk *auth; 4421 4422 auth = (struct sctp_auth_chunk *) 4423 sctp_m_getptr(m, auth_offset, 4424 auth_len, chunk_buf); 4425 got_auth = 1; 4426 auth_skipped = 0; 4427 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, 4428 auth_offset)) { 4429 /* auth HMAC failed so dump it */ 4430 *offset = length; 4431 if (locked_tcb) { 4432 SCTP_TCB_UNLOCK(locked_tcb); 4433 } 4434 return (NULL); 4435 } else { 4436 /* remaining chunks are HMAC checked */ 4437 stcb->asoc.authenticated = 1; 4438 } 4439 } 4440 } 4441 if (stcb == NULL) { 4442 /* no association, so it's out of the blue... */ 4443 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL, 4444 vrf_id, port); 4445 *offset = length; 4446 if (locked_tcb) { 4447 SCTP_TCB_UNLOCK(locked_tcb); 4448 } 4449 return (NULL); 4450 } 4451 asoc = &stcb->asoc; 4452 /* ABORT and SHUTDOWN can use either v_tag... */ 4453 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 4454 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 4455 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 4456 if ((vtag_in == asoc->my_vtag) || 4457 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 4458 (vtag_in == asoc->peer_vtag))) { 4459 /* this is valid */ 4460 } else { 4461 /* drop this packet... */ 4462 SCTP_STAT_INCR(sctps_badvtag); 4463 if (locked_tcb) { 4464 SCTP_TCB_UNLOCK(locked_tcb); 4465 } 4466 return (NULL); 4467 } 4468 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4469 if (vtag_in != asoc->my_vtag) { 4470 /* 4471 * this could be a stale SHUTDOWN-ACK or the 4472 * peer never got the SHUTDOWN-COMPLETE and 4473 * is still hung; we have started a new asoc 4474 * but it won't complete until the shutdown 4475 * is completed 4476 */ 4477 if (locked_tcb) { 4478 SCTP_TCB_UNLOCK(locked_tcb); 4479 } 4480 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 4481 NULL, vrf_id, port); 4482 return (NULL); 4483 } 4484 } else { 4485 /* for all other chunks, vtag must match */ 4486 if (vtag_in != asoc->my_vtag) { 4487 /* invalid vtag... */ 4488 SCTPDBG(SCTP_DEBUG_INPUT3, 4489 "invalid vtag: %xh, expect %xh\n", 4490 vtag_in, asoc->my_vtag); 4491 SCTP_STAT_INCR(sctps_badvtag); 4492 if (locked_tcb) { 4493 SCTP_TCB_UNLOCK(locked_tcb); 4494 } 4495 *offset = length; 4496 return (NULL); 4497 } 4498 } 4499 } /* end if !SCTP_COOKIE_ECHO */ 4500 /* 4501 * process all control chunks... 4502 */ 4503 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 4504 (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) || 4505 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 4506 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 4507 /* implied cookie-ack.. we must have lost the ack */ 4508 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4509 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4510 stcb->asoc.overall_error_count, 4511 0, 4512 SCTP_FROM_SCTP_INPUT, 4513 __LINE__); 4514 } 4515 stcb->asoc.overall_error_count = 0; 4516 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 4517 *netp); 4518 } 4519process_control_chunks: 4520 while (IS_SCTP_CONTROL(ch)) { 4521 /* validate chunk length */ 4522 chk_length = ntohs(ch->chunk_length); 4523 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n", 4524 ch->chunk_type, chk_length); 4525 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length); 4526 if (chk_length < sizeof(*ch) || 4527 (*offset + (int)chk_length) > length) { 4528 *offset = length; 4529 if (locked_tcb) { 4530 SCTP_TCB_UNLOCK(locked_tcb); 4531 } 4532 return (NULL); 4533 } 4534 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 4535 /* 4536 * INIT-ACK only gets the init ack "header" portion only 4537 * because we don't have to process the peer's COOKIE. All 4538 * others get a complete chunk. 4539 */ 4540 if ((ch->chunk_type == SCTP_INITIATION_ACK) || 4541 (ch->chunk_type == SCTP_INITIATION)) { 4542 /* get an init-ack chunk */ 4543 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4544 sizeof(struct sctp_init_ack_chunk), chunk_buf); 4545 if (ch == NULL) { 4546 *offset = length; 4547 if (locked_tcb) { 4548 SCTP_TCB_UNLOCK(locked_tcb); 4549 } 4550 return (NULL); 4551 } 4552 } else { 4553 /* For cookies and all other chunks. */ 4554 if (chk_length > sizeof(chunk_buf)) { 4555 /* 4556 * use just the size of the chunk buffer so 4557 * the front part of our chunks fit in 4558 * contiguous space up to the chunk buffer 4559 * size (508 bytes). For chunks that need to 4560 * get more than that they must use the 4561 * sctp_m_getptr() function or other means 4562 * (e.g. know how to parse mbuf chains). 4563 * Cookies do this already. 4564 */ 4565 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4566 (sizeof(chunk_buf) - 4), 4567 chunk_buf); 4568 if (ch == NULL) { 4569 *offset = length; 4570 if (locked_tcb) { 4571 SCTP_TCB_UNLOCK(locked_tcb); 4572 } 4573 return (NULL); 4574 } 4575 } else { 4576 /* We can fit it all */ 4577 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4578 chk_length, chunk_buf); 4579 if (ch == NULL) { 4580 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n"); 4581 *offset = length; 4582 if (locked_tcb) { 4583 SCTP_TCB_UNLOCK(locked_tcb); 4584 } 4585 return (NULL); 4586 } 4587 } 4588 } 4589 num_chunks++; 4590 /* Save off the last place we got a control from */ 4591 if (stcb != NULL) { 4592 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) { 4593 /* 4594 * allow last_control to be NULL if 4595 * ASCONF... ASCONF processing will find the 4596 * right net later 4597 */ 4598 if ((netp != NULL) && (*netp != NULL)) 4599 stcb->asoc.last_control_chunk_from = *netp; 4600 } 4601 } 4602#ifdef SCTP_AUDITING_ENABLED 4603 sctp_audit_log(0xB0, ch->chunk_type); 4604#endif 4605 4606 /* check to see if this chunk required auth, but isn't */ 4607 if ((stcb != NULL) && 4608 !SCTP_BASE_SYSCTL(sctp_auth_disable) && 4609 sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) && 4610 !stcb->asoc.authenticated) { 4611 /* "silently" ignore */ 4612 SCTP_STAT_INCR(sctps_recvauthmissing); 4613 goto next_chunk; 4614 } 4615 switch (ch->chunk_type) { 4616 case SCTP_INITIATION: 4617 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n"); 4618 /* The INIT chunk must be the only chunk. */ 4619 if ((num_chunks > 1) || 4620 (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 4621 sctp_abort_association(inp, stcb, m, 4622 iphlen, sh, NULL, vrf_id, port); 4623 *offset = length; 4624 return (NULL); 4625 } 4626 /* Honor our resource limit. */ 4627 if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) { 4628 struct mbuf *op_err; 4629 4630 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 4631 sctp_abort_association(inp, stcb, m, 4632 iphlen, sh, op_err, vrf_id, port); 4633 *offset = length; 4634 return (NULL); 4635 } 4636 sctp_handle_init(m, iphlen, *offset, sh, 4637 (struct sctp_init_chunk *)ch, inp, 4638 stcb, &abort_no_unlock, vrf_id, port); 4639 *offset = length; 4640 if ((!abort_no_unlock) && (locked_tcb)) { 4641 SCTP_TCB_UNLOCK(locked_tcb); 4642 } 4643 return (NULL); 4644 break; 4645 case SCTP_PAD_CHUNK: 4646 break; 4647 case SCTP_INITIATION_ACK: 4648 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n"); 4649 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4650 /* We are not interested anymore */ 4651 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4652 ; 4653 } else { 4654 if (locked_tcb != stcb) { 4655 /* Very unlikely */ 4656 SCTP_TCB_UNLOCK(locked_tcb); 4657 } 4658 *offset = length; 4659 if (stcb) { 4660#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4661 so = SCTP_INP_SO(inp); 4662 atomic_add_int(&stcb->asoc.refcnt, 1); 4663 SCTP_TCB_UNLOCK(stcb); 4664 SCTP_SOCKET_LOCK(so, 1); 4665 SCTP_TCB_LOCK(stcb); 4666 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4667#endif 4668 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4669#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4670 SCTP_SOCKET_UNLOCK(so, 1); 4671#endif 4672 } 4673 return (NULL); 4674 } 4675 } 4676 /* The INIT-CK chunk must be the only chunk. */ 4677 if ((num_chunks > 1) || 4678 (SCTP_BASE_SYSCTL(sctp_strict_init) && (length - *offset > (int)SCTP_SIZE32(chk_length)))) { 4679 *offset = length; 4680 if (locked_tcb) { 4681 SCTP_TCB_UNLOCK(locked_tcb); 4682 } 4683 return (NULL); 4684 } 4685 if ((netp) && (*netp)) { 4686 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 4687 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock, vrf_id); 4688 } else { 4689 ret = -1; 4690 } 4691 *offset = length; 4692 if (abort_no_unlock) { 4693 return (NULL); 4694 } 4695 /* 4696 * Special case, I must call the output routine to 4697 * get the cookie echoed 4698 */ 4699 if ((stcb != NULL) && (ret == 0)) { 4700 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 4701 } 4702 if (locked_tcb) { 4703 SCTP_TCB_UNLOCK(locked_tcb); 4704 } 4705 return (NULL); 4706 break; 4707 case SCTP_SELECTIVE_ACK: 4708 { 4709 struct sctp_sack_chunk *sack; 4710 int abort_now = 0; 4711 uint32_t a_rwnd, cum_ack; 4712 uint16_t num_seg, num_dup; 4713 uint8_t flags; 4714 int offset_seg, offset_dup; 4715 4716 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n"); 4717 SCTP_STAT_INCR(sctps_recvsacks); 4718 if (stcb == NULL) { 4719 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing SACK chunk\n"); 4720 break; 4721 } 4722 if (chk_length < sizeof(struct sctp_sack_chunk)) { 4723 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on SACK chunk, too small\n"); 4724 break; 4725 } 4726 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 4727 /*- 4728 * If we have sent a shutdown-ack, we will pay no 4729 * attention to a sack sent in to us since 4730 * we don't care anymore. 4731 */ 4732 break; 4733 } 4734 sack = (struct sctp_sack_chunk *)ch; 4735 flags = ch->chunk_flags; 4736 cum_ack = ntohl(sack->sack.cum_tsn_ack); 4737 num_seg = ntohs(sack->sack.num_gap_ack_blks); 4738 num_dup = ntohs(sack->sack.num_dup_tsns); 4739 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 4740 if (sizeof(struct sctp_sack_chunk) + 4741 num_seg * sizeof(struct sctp_gap_ack_block) + 4742 num_dup * sizeof(uint32_t) != chk_length) { 4743 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of SACK chunk\n"); 4744 break; 4745 } 4746 offset_seg = *offset + sizeof(struct sctp_sack_chunk); 4747 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block); 4748 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n", 4749 cum_ack, num_seg, a_rwnd); 4750 stcb->asoc.seen_a_sack_this_pkt = 1; 4751 if ((stcb->asoc.pr_sctp_cnt == 0) && 4752 (num_seg == 0) && 4753 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) && 4754 (stcb->asoc.saw_sack_with_frags == 0) && 4755 (stcb->asoc.saw_sack_with_nr_frags == 0) && 4756 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 4757 ) { 4758 /* 4759 * We have a SIMPLE sack having no 4760 * prior segments and data on sent 4761 * queue to be acked.. Use the 4762 * faster path sack processing. We 4763 * also allow window update sacks 4764 * with no missing segments to go 4765 * this way too. 4766 */ 4767 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, &abort_now, ecne_seen); 4768 } else { 4769 if (netp && *netp) 4770 sctp_handle_sack(m, offset_seg, offset_dup, stcb, 4771 num_seg, 0, num_dup, &abort_now, flags, 4772 cum_ack, a_rwnd, ecne_seen); 4773 } 4774 if (abort_now) { 4775 /* ABORT signal from sack processing */ 4776 *offset = length; 4777 return (NULL); 4778 } 4779 if (TAILQ_EMPTY(&stcb->asoc.send_queue) && 4780 TAILQ_EMPTY(&stcb->asoc.sent_queue) && 4781 (stcb->asoc.stream_queue_cnt == 0)) { 4782 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 4783 } 4784 } 4785 break; 4786 /* 4787 * EY - nr_sack: If the received chunk is an 4788 * nr_sack chunk 4789 */ 4790 case SCTP_NR_SELECTIVE_ACK: 4791 { 4792 struct sctp_nr_sack_chunk *nr_sack; 4793 int abort_now = 0; 4794 uint32_t a_rwnd, cum_ack; 4795 uint16_t num_seg, num_nr_seg, num_dup; 4796 uint8_t flags; 4797 int offset_seg, offset_dup; 4798 4799 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK\n"); 4800 SCTP_STAT_INCR(sctps_recvsacks); 4801 if (stcb == NULL) { 4802 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing NR-SACK chunk\n"); 4803 break; 4804 } 4805 if ((stcb->asoc.sctp_nr_sack_on_off == 0) || 4806 (stcb->asoc.peer_supports_nr_sack == 0)) { 4807 goto unknown_chunk; 4808 } 4809 if (chk_length < sizeof(struct sctp_nr_sack_chunk)) { 4810 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on NR-SACK chunk, too small\n"); 4811 break; 4812 } 4813 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 4814 /*- 4815 * If we have sent a shutdown-ack, we will pay no 4816 * attention to a sack sent in to us since 4817 * we don't care anymore. 4818 */ 4819 break; 4820 } 4821 nr_sack = (struct sctp_nr_sack_chunk *)ch; 4822 flags = ch->chunk_flags; 4823 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack); 4824 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks); 4825 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks); 4826 num_dup = ntohs(nr_sack->nr_sack.num_dup_tsns); 4827 a_rwnd = (uint32_t) ntohl(nr_sack->nr_sack.a_rwnd); 4828 if (sizeof(struct sctp_nr_sack_chunk) + 4829 (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block) + 4830 num_dup * sizeof(uint32_t) != chk_length) { 4831 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of NR_SACK chunk\n"); 4832 break; 4833 } 4834 offset_seg = *offset + sizeof(struct sctp_nr_sack_chunk); 4835 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block); 4836 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n", 4837 cum_ack, num_seg, a_rwnd); 4838 stcb->asoc.seen_a_sack_this_pkt = 1; 4839 if ((stcb->asoc.pr_sctp_cnt == 0) && 4840 (num_seg == 0) && (num_nr_seg == 0) && 4841 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) && 4842 (stcb->asoc.saw_sack_with_frags == 0) && 4843 (stcb->asoc.saw_sack_with_nr_frags == 0) && 4844 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))) { 4845 /* 4846 * We have a SIMPLE sack having no 4847 * prior segments and data on sent 4848 * queue to be acked. Use the faster 4849 * path sack processing. We also 4850 * allow window update sacks with no 4851 * missing segments to go this way 4852 * too. 4853 */ 4854 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, 4855 &abort_now, ecne_seen); 4856 } else { 4857 if (netp && *netp) 4858 sctp_handle_sack(m, offset_seg, offset_dup, stcb, 4859 num_seg, num_nr_seg, num_dup, &abort_now, flags, 4860 cum_ack, a_rwnd, ecne_seen); 4861 } 4862 if (abort_now) { 4863 /* ABORT signal from sack processing */ 4864 *offset = length; 4865 return (NULL); 4866 } 4867 if (TAILQ_EMPTY(&stcb->asoc.send_queue) && 4868 TAILQ_EMPTY(&stcb->asoc.sent_queue) && 4869 (stcb->asoc.stream_queue_cnt == 0)) { 4870 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED); 4871 } 4872 } 4873 break; 4874 4875 case SCTP_HEARTBEAT_REQUEST: 4876 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n"); 4877 if ((stcb) && netp && *netp) { 4878 SCTP_STAT_INCR(sctps_recvheartbeat); 4879 sctp_send_heartbeat_ack(stcb, m, *offset, 4880 chk_length, *netp); 4881 4882 /* He's alive so give him credit */ 4883 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4884 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4885 stcb->asoc.overall_error_count, 4886 0, 4887 SCTP_FROM_SCTP_INPUT, 4888 __LINE__); 4889 } 4890 stcb->asoc.overall_error_count = 0; 4891 } 4892 break; 4893 case SCTP_HEARTBEAT_ACK: 4894 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n"); 4895 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) { 4896 /* Its not ours */ 4897 *offset = length; 4898 if (locked_tcb) { 4899 SCTP_TCB_UNLOCK(locked_tcb); 4900 } 4901 return (NULL); 4902 } 4903 /* He's alive so give him credit */ 4904 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4905 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4906 stcb->asoc.overall_error_count, 4907 0, 4908 SCTP_FROM_SCTP_INPUT, 4909 __LINE__); 4910 } 4911 stcb->asoc.overall_error_count = 0; 4912 SCTP_STAT_INCR(sctps_recvheartbeatack); 4913 if (netp && *netp) 4914 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 4915 stcb, *netp); 4916 break; 4917 case SCTP_ABORT_ASSOCIATION: 4918 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n", 4919 stcb); 4920 if ((stcb) && netp && *netp) 4921 sctp_handle_abort((struct sctp_abort_chunk *)ch, 4922 stcb, *netp); 4923 *offset = length; 4924 return (NULL); 4925 break; 4926 case SCTP_SHUTDOWN: 4927 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n", 4928 stcb); 4929 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) { 4930 *offset = length; 4931 if (locked_tcb) { 4932 SCTP_TCB_UNLOCK(locked_tcb); 4933 } 4934 return (NULL); 4935 } 4936 if (netp && *netp) { 4937 int abort_flag = 0; 4938 4939 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 4940 stcb, *netp, &abort_flag); 4941 if (abort_flag) { 4942 *offset = length; 4943 return (NULL); 4944 } 4945 } 4946 break; 4947 case SCTP_SHUTDOWN_ACK: 4948 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", stcb); 4949 if ((stcb) && (netp) && (*netp)) 4950 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 4951 *offset = length; 4952 return (NULL); 4953 break; 4954 4955 case SCTP_OPERATION_ERROR: 4956 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n"); 4957 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) { 4958 *offset = length; 4959 return (NULL); 4960 } 4961 break; 4962 case SCTP_COOKIE_ECHO: 4963 SCTPDBG(SCTP_DEBUG_INPUT3, 4964 "SCTP_COOKIE-ECHO, stcb %p\n", stcb); 4965 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4966 ; 4967 } else { 4968 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4969 /* We are not interested anymore */ 4970 abend: 4971 if (stcb) { 4972 SCTP_TCB_UNLOCK(stcb); 4973 } 4974 *offset = length; 4975 return (NULL); 4976 } 4977 } 4978 /* 4979 * First are we accepting? We do this again here 4980 * since it is possible that a previous endpoint WAS 4981 * listening responded to a INIT-ACK and then 4982 * closed. We opened and bound.. and are now no 4983 * longer listening. 4984 */ 4985 4986 if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) { 4987 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 4988 (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) { 4989 struct mbuf *op_err; 4990 4991 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 4992 sctp_abort_association(inp, stcb, m, 4993 iphlen, sh, op_err, vrf_id, port); 4994 } 4995 *offset = length; 4996 return (NULL); 4997 } else { 4998 struct mbuf *ret_buf; 4999 struct sctp_inpcb *linp; 5000 5001 if (stcb) { 5002 linp = NULL; 5003 } else { 5004 linp = inp; 5005 } 5006 5007 if (linp) { 5008 SCTP_ASOC_CREATE_LOCK(linp); 5009 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || 5010 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) { 5011 SCTP_ASOC_CREATE_UNLOCK(linp); 5012 goto abend; 5013 } 5014 } 5015 if (netp) { 5016 ret_buf = 5017 sctp_handle_cookie_echo(m, iphlen, 5018 *offset, sh, 5019 (struct sctp_cookie_echo_chunk *)ch, 5020 &inp, &stcb, netp, 5021 auth_skipped, 5022 auth_offset, 5023 auth_len, 5024 &locked_tcb, 5025 vrf_id, 5026 port); 5027 } else { 5028 ret_buf = NULL; 5029 } 5030 if (linp) { 5031 SCTP_ASOC_CREATE_UNLOCK(linp); 5032 } 5033 if (ret_buf == NULL) { 5034 if (locked_tcb) { 5035 SCTP_TCB_UNLOCK(locked_tcb); 5036 } 5037 SCTPDBG(SCTP_DEBUG_INPUT3, 5038 "GAK, null buffer\n"); 5039 *offset = length; 5040 return (NULL); 5041 } 5042 /* if AUTH skipped, see if it verified... */ 5043 if (auth_skipped) { 5044 got_auth = 1; 5045 auth_skipped = 0; 5046 } 5047 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 5048 /* 5049 * Restart the timer if we have 5050 * pending data 5051 */ 5052 struct sctp_tmit_chunk *chk; 5053 5054 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 5055 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo); 5056 } 5057 } 5058 break; 5059 case SCTP_COOKIE_ACK: 5060 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", stcb); 5061 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) { 5062 if (locked_tcb) { 5063 SCTP_TCB_UNLOCK(locked_tcb); 5064 } 5065 return (NULL); 5066 } 5067 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 5068 /* We are not interested anymore */ 5069 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 5070 ; 5071 } else if (stcb) { 5072#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5073 so = SCTP_INP_SO(inp); 5074 atomic_add_int(&stcb->asoc.refcnt, 1); 5075 SCTP_TCB_UNLOCK(stcb); 5076 SCTP_SOCKET_LOCK(so, 1); 5077 SCTP_TCB_LOCK(stcb); 5078 atomic_subtract_int(&stcb->asoc.refcnt, 1); 5079#endif 5080 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 5081#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5082 SCTP_SOCKET_UNLOCK(so, 1); 5083#endif 5084 *offset = length; 5085 return (NULL); 5086 } 5087 } 5088 /* He's alive so give him credit */ 5089 if ((stcb) && netp && *netp) { 5090 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5091 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5092 stcb->asoc.overall_error_count, 5093 0, 5094 SCTP_FROM_SCTP_INPUT, 5095 __LINE__); 5096 } 5097 stcb->asoc.overall_error_count = 0; 5098 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 5099 } 5100 break; 5101 case SCTP_ECN_ECHO: 5102 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n"); 5103 /* He's alive so give him credit */ 5104 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) { 5105 /* Its not ours */ 5106 if (locked_tcb) { 5107 SCTP_TCB_UNLOCK(locked_tcb); 5108 } 5109 *offset = length; 5110 return (NULL); 5111 } 5112 if (stcb) { 5113 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5114 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5115 stcb->asoc.overall_error_count, 5116 0, 5117 SCTP_FROM_SCTP_INPUT, 5118 __LINE__); 5119 } 5120 stcb->asoc.overall_error_count = 0; 5121 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 5122 stcb); 5123 ecne_seen = 1; 5124 } 5125 break; 5126 case SCTP_ECN_CWR: 5127 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n"); 5128 /* He's alive so give him credit */ 5129 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) { 5130 /* Its not ours */ 5131 if (locked_tcb) { 5132 SCTP_TCB_UNLOCK(locked_tcb); 5133 } 5134 *offset = length; 5135 return (NULL); 5136 } 5137 if (stcb) { 5138 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5139 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5140 stcb->asoc.overall_error_count, 5141 0, 5142 SCTP_FROM_SCTP_INPUT, 5143 __LINE__); 5144 } 5145 stcb->asoc.overall_error_count = 0; 5146 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb, *netp); 5147 } 5148 break; 5149 case SCTP_SHUTDOWN_COMPLETE: 5150 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", stcb); 5151 /* must be first and only chunk */ 5152 if ((num_chunks > 1) || 5153 (length - *offset > (int)SCTP_SIZE32(chk_length))) { 5154 *offset = length; 5155 if (locked_tcb) { 5156 SCTP_TCB_UNLOCK(locked_tcb); 5157 } 5158 return (NULL); 5159 } 5160 if ((stcb) && netp && *netp) { 5161 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 5162 stcb, *netp); 5163 } 5164 *offset = length; 5165 return (NULL); 5166 break; 5167 case SCTP_ASCONF: 5168 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n"); 5169 /* He's alive so give him credit */ 5170 if (stcb) { 5171 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5172 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5173 stcb->asoc.overall_error_count, 5174 0, 5175 SCTP_FROM_SCTP_INPUT, 5176 __LINE__); 5177 } 5178 stcb->asoc.overall_error_count = 0; 5179 sctp_handle_asconf(m, *offset, 5180 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0); 5181 asconf_cnt++; 5182 } 5183 break; 5184 case SCTP_ASCONF_ACK: 5185 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n"); 5186 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) { 5187 /* Its not ours */ 5188 if (locked_tcb) { 5189 SCTP_TCB_UNLOCK(locked_tcb); 5190 } 5191 *offset = length; 5192 return (NULL); 5193 } 5194 if ((stcb) && netp && *netp) { 5195 /* He's alive so give him credit */ 5196 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5197 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5198 stcb->asoc.overall_error_count, 5199 0, 5200 SCTP_FROM_SCTP_INPUT, 5201 __LINE__); 5202 } 5203 stcb->asoc.overall_error_count = 0; 5204 sctp_handle_asconf_ack(m, *offset, 5205 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock); 5206 if (abort_no_unlock) 5207 return (NULL); 5208 } 5209 break; 5210 case SCTP_FORWARD_CUM_TSN: 5211 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n"); 5212 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) { 5213 /* Its not ours */ 5214 if (locked_tcb) { 5215 SCTP_TCB_UNLOCK(locked_tcb); 5216 } 5217 *offset = length; 5218 return (NULL); 5219 } 5220 /* He's alive so give him credit */ 5221 if (stcb) { 5222 int abort_flag = 0; 5223 5224 stcb->asoc.overall_error_count = 0; 5225 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5226 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5227 stcb->asoc.overall_error_count, 5228 0, 5229 SCTP_FROM_SCTP_INPUT, 5230 __LINE__); 5231 } 5232 *fwd_tsn_seen = 1; 5233 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 5234 /* We are not interested anymore */ 5235#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5236 so = SCTP_INP_SO(inp); 5237 atomic_add_int(&stcb->asoc.refcnt, 1); 5238 SCTP_TCB_UNLOCK(stcb); 5239 SCTP_SOCKET_LOCK(so, 1); 5240 SCTP_TCB_LOCK(stcb); 5241 atomic_subtract_int(&stcb->asoc.refcnt, 1); 5242#endif 5243 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 5244#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5245 SCTP_SOCKET_UNLOCK(so, 1); 5246#endif 5247 *offset = length; 5248 return (NULL); 5249 } 5250 sctp_handle_forward_tsn(stcb, 5251 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset); 5252 if (abort_flag) { 5253 *offset = length; 5254 return (NULL); 5255 } else { 5256 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5257 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5258 stcb->asoc.overall_error_count, 5259 0, 5260 SCTP_FROM_SCTP_INPUT, 5261 __LINE__); 5262 } 5263 stcb->asoc.overall_error_count = 0; 5264 } 5265 5266 } 5267 break; 5268 case SCTP_STREAM_RESET: 5269 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n"); 5270 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) { 5271 /* Its not ours */ 5272 if (locked_tcb) { 5273 SCTP_TCB_UNLOCK(locked_tcb); 5274 } 5275 *offset = length; 5276 return (NULL); 5277 } 5278 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 5279 /* We are not interested anymore */ 5280#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5281 so = SCTP_INP_SO(inp); 5282 atomic_add_int(&stcb->asoc.refcnt, 1); 5283 SCTP_TCB_UNLOCK(stcb); 5284 SCTP_SOCKET_LOCK(so, 1); 5285 SCTP_TCB_LOCK(stcb); 5286 atomic_subtract_int(&stcb->asoc.refcnt, 1); 5287#endif 5288 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_30); 5289#if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 5290 SCTP_SOCKET_UNLOCK(so, 1); 5291#endif 5292 *offset = length; 5293 return (NULL); 5294 } 5295 if (stcb->asoc.peer_supports_strreset == 0) { 5296 /* 5297 * hmm, peer should have announced this, but 5298 * we will turn it on since he is sending us 5299 * a stream reset. 5300 */ 5301 stcb->asoc.peer_supports_strreset = 1; 5302 } 5303 if (sctp_handle_stream_reset(stcb, m, *offset, (struct sctp_stream_reset_out_req *)ch)) { 5304 /* stop processing */ 5305 *offset = length; 5306 return (NULL); 5307 } 5308 break; 5309 case SCTP_PACKET_DROPPED: 5310 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n"); 5311 /* re-get it all please */ 5312 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) { 5313 /* Its not ours */ 5314 if (locked_tcb) { 5315 SCTP_TCB_UNLOCK(locked_tcb); 5316 } 5317 *offset = length; 5318 return (NULL); 5319 } 5320 if (ch && (stcb) && netp && (*netp)) { 5321 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 5322 stcb, *netp, 5323 min(chk_length, (sizeof(chunk_buf) - 4))); 5324 5325 } 5326 break; 5327 5328 case SCTP_AUTHENTICATION: 5329 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n"); 5330 if (SCTP_BASE_SYSCTL(sctp_auth_disable)) 5331 goto unknown_chunk; 5332 5333 if (stcb == NULL) { 5334 /* save the first AUTH for later processing */ 5335 if (auth_skipped == 0) { 5336 auth_offset = *offset; 5337 auth_len = chk_length; 5338 auth_skipped = 1; 5339 } 5340 /* skip this chunk (temporarily) */ 5341 goto next_chunk; 5342 } 5343 if ((chk_length < (sizeof(struct sctp_auth_chunk))) || 5344 (chk_length > (sizeof(struct sctp_auth_chunk) + 5345 SCTP_AUTH_DIGEST_LEN_MAX))) { 5346 /* Its not ours */ 5347 if (locked_tcb) { 5348 SCTP_TCB_UNLOCK(locked_tcb); 5349 } 5350 *offset = length; 5351 return (NULL); 5352 } 5353 if (got_auth == 1) { 5354 /* skip this chunk... it's already auth'd */ 5355 goto next_chunk; 5356 } 5357 got_auth = 1; 5358 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 5359 m, *offset)) { 5360 /* auth HMAC failed so dump the packet */ 5361 *offset = length; 5362 return (stcb); 5363 } else { 5364 /* remaining chunks are HMAC checked */ 5365 stcb->asoc.authenticated = 1; 5366 } 5367 break; 5368 5369 default: 5370 unknown_chunk: 5371 /* it's an unknown chunk! */ 5372 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 5373 struct mbuf *mm; 5374 struct sctp_paramhdr *phd; 5375 5376 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 5377 0, M_DONTWAIT, 1, MT_DATA); 5378 if (mm) { 5379 phd = mtod(mm, struct sctp_paramhdr *); 5380 /* 5381 * We cheat and use param type since 5382 * we did not bother to define a 5383 * error cause struct. They are the 5384 * same basic format with different 5385 * names. 5386 */ 5387 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 5388 phd->param_length = htons(chk_length + sizeof(*phd)); 5389 SCTP_BUF_LEN(mm) = sizeof(*phd); 5390 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 5391 M_DONTWAIT); 5392 if (SCTP_BUF_NEXT(mm)) { 5393#ifdef SCTP_MBUF_LOGGING 5394 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 5395 struct mbuf *mat; 5396 5397 mat = SCTP_BUF_NEXT(mm); 5398 while (mat) { 5399 if (SCTP_BUF_IS_EXTENDED(mat)) { 5400 sctp_log_mb(mat, SCTP_MBUF_ICOPY); 5401 } 5402 mat = SCTP_BUF_NEXT(mat); 5403 } 5404 } 5405#endif 5406 sctp_queue_op_err(stcb, mm); 5407 } else { 5408 sctp_m_freem(mm); 5409 } 5410 } 5411 } 5412 if ((ch->chunk_type & 0x80) == 0) { 5413 /* discard this packet */ 5414 *offset = length; 5415 return (stcb); 5416 } /* else skip this bad chunk and continue... */ 5417 break; 5418 } /* switch (ch->chunk_type) */ 5419 5420 5421next_chunk: 5422 /* get the next chunk */ 5423 *offset += SCTP_SIZE32(chk_length); 5424 if (*offset >= length) { 5425 /* no more data left in the mbuf chain */ 5426 break; 5427 } 5428 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 5429 sizeof(struct sctp_chunkhdr), chunk_buf); 5430 if (ch == NULL) { 5431 if (locked_tcb) { 5432 SCTP_TCB_UNLOCK(locked_tcb); 5433 } 5434 *offset = length; 5435 return (NULL); 5436 } 5437 } /* while */ 5438 5439 if (asconf_cnt > 0 && stcb != NULL) { 5440 sctp_send_asconf_ack(stcb); 5441 } 5442 return (stcb); 5443} 5444 5445 5446#ifdef INVARIANTS 5447#ifdef __GNUC__ 5448__attribute__((noinline)) 5449#endif 5450 void 5451 sctp_validate_no_locks(struct sctp_inpcb *inp) 5452{ 5453 struct sctp_tcb *lstcb; 5454 5455 LIST_FOREACH(lstcb, &inp->sctp_asoc_list, sctp_tcblist) { 5456 if (mtx_owned(&lstcb->tcb_mtx)) { 5457 panic("Own lock on stcb at return from input"); 5458 } 5459 } 5460 if (mtx_owned(&inp->inp_create_mtx)) { 5461 panic("Own create lock on inp"); 5462 } 5463 if (mtx_owned(&inp->inp_mtx)) { 5464 panic("Own inp lock on inp"); 5465 } 5466} 5467 5468#endif 5469 5470/* 5471 * common input chunk processing (v4 and v6) 5472 */ 5473void 5474sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 5475 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 5476 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 5477 uint8_t ecn_bits, uint32_t vrf_id, uint16_t port) 5478{ 5479 /* 5480 * Control chunk processing 5481 */ 5482 uint32_t high_tsn; 5483 int fwd_tsn_seen = 0, data_processed = 0; 5484 struct mbuf *m = *mm; 5485 int un_sent; 5486 int cnt_ctrl_ready = 0; 5487 5488 SCTP_STAT_INCR(sctps_recvdatagrams); 5489#ifdef SCTP_AUDITING_ENABLED 5490 sctp_audit_log(0xE0, 1); 5491 sctp_auditing(0, inp, stcb, net); 5492#endif 5493 5494 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n", 5495 m, iphlen, offset, length, stcb); 5496 if (stcb) { 5497 /* always clear this before beginning a packet */ 5498 stcb->asoc.authenticated = 0; 5499 stcb->asoc.seen_a_sack_this_pkt = 0; 5500 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n", 5501 stcb, stcb->asoc.state); 5502 5503 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) || 5504 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) { 5505 /*- 5506 * If we hit here, we had a ref count 5507 * up when the assoc was aborted and the 5508 * timer is clearing out the assoc, we should 5509 * NOT respond to any packet.. its OOTB. 5510 */ 5511 SCTP_TCB_UNLOCK(stcb); 5512 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5513 vrf_id, port); 5514 goto out_now; 5515 } 5516 } 5517 if (IS_SCTP_CONTROL(ch)) { 5518 /* process the control portion of the SCTP packet */ 5519 /* sa_ignore NO_NULL_CHK */ 5520 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 5521 inp, stcb, &net, &fwd_tsn_seen, vrf_id, port); 5522 if (stcb) { 5523 /* 5524 * This covers us if the cookie-echo was there and 5525 * it changes our INP. 5526 */ 5527 inp = stcb->sctp_ep; 5528 if ((net) && (port)) { 5529 if (net->port == 0) { 5530 sctp_pathmtu_adjustment(stcb, net->mtu - sizeof(struct udphdr)); 5531 } 5532 net->port = port; 5533 } 5534 } 5535 } else { 5536 /* 5537 * no control chunks, so pre-process DATA chunks (these 5538 * checks are taken care of by control processing) 5539 */ 5540 5541 /* 5542 * if DATA only packet, and auth is required, then punt... 5543 * can't have authenticated without any AUTH (control) 5544 * chunks 5545 */ 5546 if ((stcb != NULL) && 5547 !SCTP_BASE_SYSCTL(sctp_auth_disable) && 5548 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) { 5549 /* "silently" ignore */ 5550 SCTP_STAT_INCR(sctps_recvauthmissing); 5551 SCTP_TCB_UNLOCK(stcb); 5552 goto out_now; 5553 } 5554 if (stcb == NULL) { 5555 /* out of the blue DATA chunk */ 5556 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5557 vrf_id, port); 5558 goto out_now; 5559 } 5560 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 5561 /* v_tag mismatch! */ 5562 SCTP_STAT_INCR(sctps_badvtag); 5563 SCTP_TCB_UNLOCK(stcb); 5564 goto out_now; 5565 } 5566 } 5567 5568 if (stcb == NULL) { 5569 /* 5570 * no valid TCB for this packet, or we found it's a bad 5571 * packet while processing control, or we're done with this 5572 * packet (done or skip rest of data), so we drop it... 5573 */ 5574 goto out_now; 5575 } 5576 /* 5577 * DATA chunk processing 5578 */ 5579 /* plow through the data chunks while length > offset */ 5580 5581 /* 5582 * Rest should be DATA only. Check authentication state if AUTH for 5583 * DATA is required. 5584 */ 5585 if ((length > offset) && 5586 (stcb != NULL) && 5587 !SCTP_BASE_SYSCTL(sctp_auth_disable) && 5588 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) && 5589 !stcb->asoc.authenticated) { 5590 /* "silently" ignore */ 5591 SCTP_STAT_INCR(sctps_recvauthmissing); 5592 SCTPDBG(SCTP_DEBUG_AUTH1, 5593 "Data chunk requires AUTH, skipped\n"); 5594 goto trigger_send; 5595 } 5596 if (length > offset) { 5597 int retval; 5598 5599 /* 5600 * First check to make sure our state is correct. We would 5601 * not get here unless we really did have a tag, so we don't 5602 * abort if this happens, just dump the chunk silently. 5603 */ 5604 switch (SCTP_GET_STATE(&stcb->asoc)) { 5605 case SCTP_STATE_COOKIE_ECHOED: 5606 /* 5607 * we consider data with valid tags in this state 5608 * shows us the cookie-ack was lost. Imply it was 5609 * there. 5610 */ 5611 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 5612 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 5613 stcb->asoc.overall_error_count, 5614 0, 5615 SCTP_FROM_SCTP_INPUT, 5616 __LINE__); 5617 } 5618 stcb->asoc.overall_error_count = 0; 5619 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 5620 break; 5621 case SCTP_STATE_COOKIE_WAIT: 5622 /* 5623 * We consider OOTB any data sent during asoc setup. 5624 */ 5625 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL, 5626 vrf_id, port); 5627 SCTP_TCB_UNLOCK(stcb); 5628 goto out_now; 5629 /* sa_ignore NOTREACHED */ 5630 break; 5631 case SCTP_STATE_EMPTY: /* should not happen */ 5632 case SCTP_STATE_INUSE: /* should not happen */ 5633 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 5634 case SCTP_STATE_SHUTDOWN_ACK_SENT: 5635 default: 5636 SCTP_TCB_UNLOCK(stcb); 5637 goto out_now; 5638 /* sa_ignore NOTREACHED */ 5639 break; 5640 case SCTP_STATE_OPEN: 5641 case SCTP_STATE_SHUTDOWN_SENT: 5642 break; 5643 } 5644 /* plow through the data chunks while length > offset */ 5645 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 5646 inp, stcb, net, &high_tsn); 5647 if (retval == 2) { 5648 /* 5649 * The association aborted, NO UNLOCK needed since 5650 * the association is destroyed. 5651 */ 5652 goto out_now; 5653 } 5654 data_processed = 1; 5655 /* 5656 * Anything important needs to have been m_copy'ed in 5657 * process_data 5658 */ 5659 } 5660 /* take care of ecn */ 5661 if ((data_processed == 1) && 5662 (stcb->asoc.ecn_allowed == 1) && 5663 ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS)) { 5664 /* Yep, we need to add a ECNE */ 5665 sctp_send_ecn_echo(stcb, net, high_tsn); 5666 } 5667 if ((data_processed == 0) && (fwd_tsn_seen)) { 5668 int was_a_gap; 5669 uint32_t highest_tsn; 5670 5671 if (SCTP_TSN_GT(stcb->asoc.highest_tsn_inside_nr_map, stcb->asoc.highest_tsn_inside_map)) { 5672 highest_tsn = stcb->asoc.highest_tsn_inside_nr_map; 5673 } else { 5674 highest_tsn = stcb->asoc.highest_tsn_inside_map; 5675 } 5676 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn); 5677 stcb->asoc.send_sack = 1; 5678 sctp_sack_check(stcb, was_a_gap); 5679 } else if (fwd_tsn_seen) { 5680 stcb->asoc.send_sack = 1; 5681 } 5682 /* trigger send of any chunks in queue... */ 5683trigger_send: 5684#ifdef SCTP_AUDITING_ENABLED 5685 sctp_audit_log(0xE0, 2); 5686 sctp_auditing(1, inp, stcb, net); 5687#endif 5688 SCTPDBG(SCTP_DEBUG_INPUT1, 5689 "Check for chunk output prw:%d tqe:%d tf=%d\n", 5690 stcb->asoc.peers_rwnd, 5691 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 5692 stcb->asoc.total_flight); 5693 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 5694 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 5695 cnt_ctrl_ready = stcb->asoc.ctrl_queue_cnt - stcb->asoc.ecn_echo_cnt_onq; 5696 } 5697 if (cnt_ctrl_ready || 5698 ((un_sent) && 5699 (stcb->asoc.peers_rwnd > 0 || 5700 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 5701 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n"); 5702 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED); 5703 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n"); 5704 } 5705#ifdef SCTP_AUDITING_ENABLED 5706 sctp_audit_log(0xE0, 3); 5707 sctp_auditing(2, inp, stcb, net); 5708#endif 5709 SCTP_TCB_UNLOCK(stcb); 5710out_now: 5711#ifdef INVARIANTS 5712 sctp_validate_no_locks(inp); 5713#endif 5714 return; 5715} 5716 5717#if 0 5718static void 5719sctp_print_mbuf_chain(struct mbuf *m) 5720{ 5721 for (; m; m = SCTP_BUF_NEXT(m)) { 5722 printf("%p: m_len = %ld\n", m, SCTP_BUF_LEN(m)); 5723 if (SCTP_BUF_IS_EXTENDED(m)) 5724 printf("%p: extend_size = %d\n", m, SCTP_BUF_EXTEND_SIZE(m)); 5725 } 5726} 5727 5728#endif 5729 5730#ifdef INET 5731void 5732sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port) 5733{ 5734#ifdef SCTP_MBUF_LOGGING 5735 struct mbuf *mat; 5736 5737#endif 5738 struct mbuf *m; 5739 int iphlen; 5740 uint32_t vrf_id = 0; 5741 uint8_t ecn_bits; 5742 struct ip *ip; 5743 struct sctphdr *sh; 5744 struct sctp_inpcb *inp = NULL; 5745 struct sctp_nets *net; 5746 struct sctp_tcb *stcb = NULL; 5747 struct sctp_chunkhdr *ch; 5748 int refcount_up = 0; 5749 int length, mlen, offset; 5750 5751#if !defined(SCTP_WITH_NO_CSUM) 5752 uint32_t check, calc_check; 5753 5754#endif 5755 5756 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) { 5757 SCTP_RELEASE_PKT(i_pak); 5758 return; 5759 } 5760 mlen = SCTP_HEADER_LEN(i_pak); 5761 iphlen = off; 5762 m = SCTP_HEADER_TO_CHAIN(i_pak); 5763 5764 net = NULL; 5765 SCTP_STAT_INCR(sctps_recvpackets); 5766 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 5767 5768 5769#ifdef SCTP_MBUF_LOGGING 5770 /* Log in any input mbufs */ 5771 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 5772 for (mat = m; mat; mat = SCTP_BUF_NEXT(mat)) { 5773 if (SCTP_BUF_IS_EXTENDED(mat)) { 5774 sctp_log_mb(mat, SCTP_MBUF_INPUT); 5775 } 5776 } 5777 } 5778#endif 5779#ifdef SCTP_PACKET_LOGGING 5780 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) 5781 sctp_packet_log(m, mlen); 5782#endif 5783 /* 5784 * Must take out the iphlen, since mlen expects this (only effect lb 5785 * case) 5786 */ 5787 mlen -= iphlen; 5788 5789 /* 5790 * Get IP, SCTP, and first chunk header together in first mbuf. 5791 */ 5792 ip = mtod(m, struct ip *); 5793 offset = iphlen + sizeof(*sh) + sizeof(*ch); 5794 if (SCTP_BUF_LEN(m) < offset) { 5795 if ((m = m_pullup(m, offset)) == 0) { 5796 SCTP_STAT_INCR(sctps_hdrops); 5797 return; 5798 } 5799 ip = mtod(m, struct ip *); 5800 } 5801 /* validate mbuf chain length with IP payload length */ 5802 if (mlen < (SCTP_GET_IPV4_LENGTH(ip) - iphlen)) { 5803 SCTP_STAT_INCR(sctps_hdrops); 5804 goto bad; 5805 } 5806 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 5807 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 5808 SCTPDBG(SCTP_DEBUG_INPUT1, 5809 "sctp_input() length:%d iphlen:%d\n", mlen, iphlen); 5810 5811 /* SCTP does not allow broadcasts or multicasts */ 5812 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 5813 goto bad; 5814 } 5815 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 5816 /* 5817 * We only look at broadcast if its a front state, All 5818 * others we will not have a tcb for anyway. 5819 */ 5820 goto bad; 5821 } 5822 /* validate SCTP checksum */ 5823 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD, 5824 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%x.\n", 5825 m->m_pkthdr.len, 5826 if_name(m->m_pkthdr.rcvif), 5827 m->m_pkthdr.csum_flags); 5828#if defined(SCTP_WITH_NO_CSUM) 5829 SCTP_STAT_INCR(sctps_recvnocrc); 5830#else 5831 if (m->m_pkthdr.csum_flags & CSUM_SCTP_VALID) { 5832 SCTP_STAT_INCR(sctps_recvhwcrc); 5833 goto sctp_skip_csum_4; 5834 } 5835 check = sh->checksum; /* save incoming checksum */ 5836 sh->checksum = 0; /* prepare for calc */ 5837 calc_check = sctp_calculate_cksum(m, iphlen); 5838 sh->checksum = check; 5839 SCTP_STAT_INCR(sctps_recvswcrc); 5840 if (calc_check != check) { 5841 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 5842 calc_check, check, m, mlen, iphlen); 5843 5844 stcb = sctp_findassociation_addr(m, 5845 offset - sizeof(*ch), 5846 sh, ch, &inp, &net, 5847 vrf_id); 5848 if ((net) && (port)) { 5849 if (net->port == 0) { 5850 sctp_pathmtu_adjustment(stcb, net->mtu - sizeof(struct udphdr)); 5851 } 5852 net->port = port; 5853 } 5854 if ((net != NULL) && (m->m_flags & M_FLOWID)) { 5855 net->flowid = m->m_pkthdr.flowid; 5856#ifdef INVARIANTS 5857 net->flowidset = 1; 5858#endif 5859 } 5860 if ((inp) && (stcb)) { 5861 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 5862 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED); 5863 } else if ((inp != NULL) && (stcb == NULL)) { 5864 refcount_up = 1; 5865 } 5866 SCTP_STAT_INCR(sctps_badsum); 5867 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 5868 goto bad; 5869 } 5870sctp_skip_csum_4: 5871#endif 5872 /* destination port of 0 is illegal, based on RFC2960. */ 5873 if (sh->dest_port == 0) { 5874 SCTP_STAT_INCR(sctps_hdrops); 5875 goto bad; 5876 } 5877 /* 5878 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 5879 * IP/SCTP/first chunk header... 5880 */ 5881 stcb = sctp_findassociation_addr(m, offset - sizeof(*ch), 5882 sh, ch, &inp, &net, vrf_id); 5883 if ((net) && (port)) { 5884 if (net->port == 0) { 5885 sctp_pathmtu_adjustment(stcb, net->mtu - sizeof(struct udphdr)); 5886 } 5887 net->port = port; 5888 } 5889 if ((net != NULL) && (m->m_flags & M_FLOWID)) { 5890 net->flowid = m->m_pkthdr.flowid; 5891#ifdef INVARIANTS 5892 net->flowidset = 1; 5893#endif 5894 } 5895 /* inp's ref-count increased && stcb locked */ 5896 if (inp == NULL) { 5897 struct sctp_init_chunk *init_chk, chunk_buf; 5898 5899 SCTP_STAT_INCR(sctps_noport); 5900#ifdef ICMP_BANDLIM 5901 /* 5902 * we use the bandwidth limiting to protect against sending 5903 * too many ABORTS all at once. In this case these count the 5904 * same as an ICMP message. 5905 */ 5906 if (badport_bandlim(0) < 0) 5907 goto bad; 5908#endif /* ICMP_BANDLIM */ 5909 SCTPDBG(SCTP_DEBUG_INPUT1, 5910 "Sending a ABORT from packet entry!\n"); 5911 if (ch->chunk_type == SCTP_INITIATION) { 5912 /* 5913 * we do a trick here to get the INIT tag, dig in 5914 * and get the tag from the INIT and put it in the 5915 * common header. 5916 */ 5917 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 5918 iphlen + sizeof(*sh), sizeof(*init_chk), 5919 (uint8_t *) & chunk_buf); 5920 if (init_chk != NULL) 5921 sh->v_tag = init_chk->init.initiate_tag; 5922 } 5923 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 5924 sctp_send_shutdown_complete2(m, sh, vrf_id, port); 5925 goto bad; 5926 } 5927 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 5928 goto bad; 5929 } 5930 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 5931 sctp_send_abort(m, iphlen, sh, 0, NULL, vrf_id, port); 5932 goto bad; 5933 } else if (stcb == NULL) { 5934 refcount_up = 1; 5935 } 5936#ifdef IPSEC 5937 /* 5938 * I very much doubt any of the IPSEC stuff will work but I have no 5939 * idea, so I will leave it in place. 5940 */ 5941 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 5942 MODULE_GLOBAL(ipsec4stat).in_polvio++; 5943 SCTP_STAT_INCR(sctps_hdrops); 5944 goto bad; 5945 } 5946#endif /* IPSEC */ 5947 5948 /* 5949 * common chunk processing 5950 */ 5951 length = ip->ip_len + iphlen; 5952 offset -= sizeof(struct sctp_chunkhdr); 5953 5954 ecn_bits = ip->ip_tos; 5955 5956 /* sa_ignore NO_NULL_CHK */ 5957 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 5958 inp, stcb, net, ecn_bits, vrf_id, port); 5959 /* inp's ref-count reduced && stcb unlocked */ 5960 if (m) { 5961 sctp_m_freem(m); 5962 } 5963 if ((inp) && (refcount_up)) { 5964 /* reduce ref-count */ 5965 SCTP_INP_DECR_REF(inp); 5966 } 5967 return; 5968bad: 5969 if (stcb) { 5970 SCTP_TCB_UNLOCK(stcb); 5971 } 5972 if ((inp) && (refcount_up)) { 5973 /* reduce ref-count */ 5974 SCTP_INP_DECR_REF(inp); 5975 } 5976 if (m) { 5977 sctp_m_freem(m); 5978 } 5979 return; 5980} 5981 5982#if defined(__FreeBSD__) && defined(SCTP_MCORE_INPUT) && defined(SMP) 5983extern int *sctp_cpuarry; 5984 5985#endif 5986 5987void 5988sctp_input(struct mbuf *m, int off) 5989{ 5990#if defined(__FreeBSD__) && defined(SCTP_MCORE_INPUT) && defined(SMP) 5991 struct ip *ip; 5992 struct sctphdr *sh; 5993 int offset; 5994 int cpu_to_use; 5995 uint32_t flowid, tag; 5996 5997 if (mp_ncpus > 1) { 5998 if (m->m_flags & M_FLOWID) { 5999 flowid = m->m_pkthdr.flowid; 6000 } else { 6001 /* 6002 * No flow id built by lower layers fix it so we 6003 * create one. 6004 */ 6005 ip = mtod(m, struct ip *); 6006 offset = off + sizeof(*sh); 6007 if (SCTP_BUF_LEN(m) < offset) { 6008 if ((m = m_pullup(m, offset)) == 0) { 6009 SCTP_STAT_INCR(sctps_hdrops); 6010 return; 6011 } 6012 ip = mtod(m, struct ip *); 6013 } 6014 sh = (struct sctphdr *)((caddr_t)ip + off); 6015 tag = htonl(sh->v_tag); 6016 flowid = tag ^ ntohs(sh->dest_port) ^ ntohs(sh->src_port); 6017 m->m_pkthdr.flowid = flowid; 6018 m->m_flags |= M_FLOWID; 6019 } 6020 cpu_to_use = sctp_cpuarry[flowid % mp_ncpus]; 6021 sctp_queue_to_mcore(m, off, cpu_to_use); 6022 return; 6023 } 6024#endif 6025 sctp_input_with_port(m, off, 0); 6026} 6027 6028#endif 6029