1/* $KAME: sctp_input.c,v 1.28 2005/04/21 18:36:21 nishida Exp $ */ 2/* $NetBSD: sctp_input.c,v 1.17 2024/02/02 22:39:09 andvar Exp $ */ 3 4/* 5 * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc, 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.17 2024/02/02 22:39:09 andvar Exp $"); 35 36#ifdef _KERNEL_OPT 37#include "opt_ipsec.h" 38#include "opt_inet.h" 39#include "opt_sctp.h" 40#endif /* _KERNEL_OPT */ 41 42#include <sys/param.h> 43#include <sys/systm.h> 44#include <sys/malloc.h> 45#include <sys/mbuf.h> 46#include <sys/socket.h> 47#include <sys/socketvar.h> 48#include <sys/sysctl.h> 49#include <sys/domain.h> 50#include <sys/protosw.h> 51#include <sys/kernel.h> 52#include <sys/errno.h> 53#include <sys/syslog.h> 54 55#include <machine/limits.h> 56#include <machine/cpu.h> 57 58#include <net/if.h> 59#include <net/route.h> 60#include <net/if_types.h> 61 62#include <netinet/in.h> 63#include <netinet/in_systm.h> 64#include <netinet/ip.h> 65#include <netinet/in_pcb.h> 66#include <netinet/in_var.h> 67#include <netinet/ip_var.h> 68 69#ifdef INET6 70#include <netinet/ip6.h> 71#include <netinet6/ip6_var.h> 72#endif /* INET6 */ 73 74#include <netinet/ip_icmp.h> 75#include <netinet/icmp_var.h> 76#include <netinet/sctp_var.h> 77#include <netinet/sctp_pcb.h> 78#include <netinet/sctp_header.h> 79#include <netinet/sctputil.h> 80#include <netinet/sctp_output.h> 81#include <netinet/sctp_input.h> 82#include <netinet/sctp_hashdriver.h> 83#include <netinet/sctp_indata.h> 84#include <netinet/sctp_asconf.h> 85 86#ifdef IPSEC 87#include <netipsec/ipsec.h> 88#include <netipsec/key.h> 89#endif /*IPSEC*/ 90 91#ifdef SCTP_DEBUG 92extern u_int32_t sctp_debug_on; 93#endif 94 95/* INIT handler */ 96static void 97sctp_handle_init(struct mbuf *m, int iphlen, int offset, 98 struct sctphdr *sh, struct sctp_init_chunk *cp, struct sctp_inpcb *inp, 99 struct sctp_tcb *stcb, struct sctp_nets *net) 100{ 101 struct sctp_init *init; 102 struct mbuf *op_err; 103#ifdef SCTP_DEBUG 104 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 105 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 106 } 107#endif 108 op_err = NULL; 109 init = &cp->init; 110 /* First are we accepting? */ 111 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 112 (inp->sctp_socket->so_qlimit == 0)) { 113 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 114 return; 115 } 116 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 117 /* Invalid length */ 118 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 119 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 120 return; 121 } 122 /* validate parameters */ 123 if (init->initiate_tag == 0) { 124 /* protocol error... send abort */ 125 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 126 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 127 return; 128 } 129 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 130 /* invalid parameter... send abort */ 131 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 132 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 133 return; 134 } 135 if (init->num_inbound_streams == 0) { 136 /* protocol error... send abort */ 137 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 138 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 139 return; 140 } 141 if (init->num_outbound_streams == 0) { 142 /* protocol error... send abort */ 143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 145 return; 146 } 147 148 /* send an INIT-ACK w/cookie */ 149#ifdef SCTP_DEBUG 150 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 151 printf("sctp_handle_init: sending INIT-ACK\n"); 152 } 153#endif 154 155 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 156} 157 158/* 159 * process peer "INIT/INIT-ACK" chunk 160 * returns value < 0 on error 161 */ 162 163static int 164sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 165 struct sctp_nets *net) 166{ 167 struct sctp_init *init; 168 struct sctp_association *asoc; 169 struct sctp_nets *lnet; 170 unsigned int i; 171 172 init = &cp->init; 173 asoc = &stcb->asoc; 174 /* save off parameters */ 175 asoc->peer_vtag = ntohl(init->initiate_tag); 176 asoc->peers_rwnd = ntohl(init->a_rwnd); 177 178 if (TAILQ_FIRST(&asoc->nets)) { 179 /* update any ssthresh's that may have a default */ 180 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 181 lnet->ssthresh = asoc->peers_rwnd; 182 } 183 } 184 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 185 unsigned int newcnt; 186 struct sctp_stream_out *outs; 187 struct sctp_tmit_chunk *chk; 188 189 /* cut back on number of streams */ 190 newcnt = ntohs(init->num_inbound_streams); 191 /* This if is probably not needed but I am cautious */ 192 if (asoc->strmout) { 193 /* First make sure no data chunks are trapped */ 194 for (i=newcnt; i < asoc->pre_open_streams; i++) { 195 outs = &asoc->strmout[i]; 196 chk = TAILQ_FIRST(&outs->outqueue); 197 while (chk) { 198 TAILQ_REMOVE(&outs->outqueue, chk, 199 sctp_next); 200 asoc->stream_queue_cnt--; 201 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL, 202 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 203 chk); 204 if (chk->data) { 205 sctp_m_freem(chk->data); 206 chk->data = NULL; 207 } 208 sctp_free_remote_addr(chk->whoTo); 209 chk->whoTo = NULL; 210 chk->asoc = NULL; 211 /* Free the chunk */ 212 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 213 sctppcbinfo.ipi_count_chunk--; 214 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 215 panic("Chunk count is negative"); 216 } 217 sctppcbinfo.ipi_gencnt_chunk++; 218 chk = TAILQ_FIRST(&outs->outqueue); 219 } 220 } 221 } 222 /* cut back the count and abandon the upper streams */ 223 asoc->pre_open_streams = newcnt; 224 } 225 asoc->streamincnt = ntohs(init->num_outbound_streams); 226 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 227 asoc->streamincnt = MAX_SCTP_STREAMS; 228 } 229 230 asoc->streamoutcnt = asoc->pre_open_streams; 231 /* init tsn's */ 232 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 233#ifdef SCTP_MAP_LOGGING 234 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 235#endif 236 /* This is the next one we expect */ 237 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 238 239 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 240 asoc->cumulative_tsn = asoc->asconf_seq_in; 241 asoc->last_echo_tsn = asoc->asconf_seq_in; 242 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 243 /* open the requested streams */ 244 if (asoc->strmin != NULL) { 245 /* Free the old ones */ 246 free(asoc->strmin, M_PCB); 247 } 248 asoc->strmin = malloc(asoc->streamincnt * sizeof(struct sctp_stream_in), 249 M_PCB, M_NOWAIT); 250 if (asoc->strmin == NULL) { 251 /* we didn't get memory for the streams! */ 252#ifdef SCTP_DEBUG 253 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 254 printf("process_init: couldn't get memory for the streams!\n"); 255 } 256#endif 257 return (-1); 258 } 259 for (i = 0; i < asoc->streamincnt; i++) { 260 asoc->strmin[i].stream_no = i; 261 asoc->strmin[i].last_sequence_delivered = 0xffff; 262 /* 263 * U-stream ranges will be set when the cookie 264 * is unpacked. Or for the INIT sender they 265 * are un set (if pr-sctp not supported) when the 266 * INIT-ACK arrives. 267 */ 268 TAILQ_INIT(&asoc->strmin[i].inqueue); 269 /* 270 * we are not on any wheel, pr-sctp streams 271 * will go on the wheel when they have data waiting 272 * for reorder. 273 */ 274 asoc->strmin[i].next_spoke.tqe_next = 0; 275 asoc->strmin[i].next_spoke.tqe_prev = 0; 276 } 277 278 /* 279 * load_address_from_init will put the addresses into the 280 * association when the COOKIE is processed or the INIT-ACK 281 * is processed. Both types of COOKIE's existing and new 282 * call this routine. It will remove addresses that 283 * are no longer in the association (for the restarting 284 * case where addresses are removed). Up front when the 285 * INIT arrives we will discard it if it is a restart 286 * and new addresses have been added. 287 */ 288 return (0); 289} 290 291/* 292 * INIT-ACK message processing/consumption 293 * returns value < 0 on error 294 */ 295static int 296sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 297 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 298 struct sctp_nets *net) 299{ 300 struct sctp_association *asoc; 301 struct mbuf *op_err; 302 int retval, abort_flag; 303 uint32_t initack_limit; 304 /* First verify that we have no illegal param's */ 305 abort_flag = 0; 306 op_err = NULL; 307 308 op_err = sctp_arethere_unrecognized_parameters(m, 309 (offset+sizeof(struct sctp_init_chunk)) , 310 &abort_flag, (struct sctp_chunkhdr *)cp); 311 if (abort_flag) { 312 /* Send an abort and notify peer */ 313 if (op_err != NULL) { 314 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 315 } else { 316 /* 317 * Just notify (abort_assoc does this if 318 * we send an abort). 319 */ 320 sctp_abort_notification(stcb, 0); 321 /* 322 * No sense in further INIT's since 323 * we will get the same param back 324 */ 325 sctp_free_assoc(stcb->sctp_ep, stcb); 326 } 327 return (-1); 328 } 329 asoc = &stcb->asoc; 330 /* process the peer's parameters in the INIT-ACK */ 331 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 332 if (retval < 0) { 333 return (retval); 334 } 335 336 initack_limit = offset + ntohs(cp->ch.chunk_length); 337 /* load all addresses */ 338 if (sctp_load_addresses_from_init(stcb, m, iphlen, 339 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 340 NULL)) { 341 /* Huh, we should abort */ 342 sctp_abort_notification(stcb, 0); 343 sctp_free_assoc(stcb->sctp_ep, stcb); 344 return (-1); 345 } 346 if (op_err) { 347 sctp_queue_op_err(stcb, op_err); 348 /* queuing will steal away the mbuf chain to the out queue */ 349 op_err = NULL; 350 } 351 /* extract the cookie and queue it to "echo" it back... */ 352 stcb->asoc.overall_error_count = 0; 353 net->error_count = 0; 354 retval = sctp_send_cookie_echo(m, offset, stcb, net); 355 if (retval < 0) { 356 /* 357 * No cookie, we probably should send a op error. 358 * But in any case if there is no cookie in the INIT-ACK, 359 * we can abandon the peer, its broke. 360 */ 361 if (retval == -3) { 362 /* We abort with an error of missing mandatory param */ 363 op_err = 364 sctp_generate_invmanparam(SCTP_CAUSE_MISS_PARAM); 365 if (op_err) { 366 /* 367 * Expand beyond to include the mandatory 368 * param cookie 369 */ 370 struct sctp_inv_mandatory_param *mp; 371 op_err->m_len = 372 sizeof(struct sctp_inv_mandatory_param); 373 mp = mtod(op_err, 374 struct sctp_inv_mandatory_param *); 375 /* Subtract the reserved param */ 376 mp->length = 377 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 378 mp->num_param = htonl(1); 379 mp->param = htons(SCTP_STATE_COOKIE); 380 mp->resv = 0; 381 } 382 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 383 sh, op_err); 384 } 385 return (retval); 386 } 387 388 /* 389 * Cancel the INIT timer, We do this first before queueing 390 * the cookie. We always cancel at the primary to assume that 391 * we are cancelling the timer started by the INIT which always 392 * goes to the primary. 393 */ 394 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 395 asoc->primary_destination); 396 397 /* calculate the RTO */ 398 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 399 400 return (0); 401} 402 403static void 404sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 405 struct sctp_tcb *stcb, struct sctp_nets *net) 406{ 407 struct sockaddr_storage store; 408 struct sockaddr_in *sin; 409 struct sockaddr_in6 *sin6; 410 struct sctp_nets *r_net; 411 struct timeval tv; 412 413 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 414 /* Invalid length */ 415 return; 416 } 417 418 sin = (struct sockaddr_in *)&store; 419 sin6 = (struct sockaddr_in6 *)&store; 420 421 memset(&store, 0, sizeof(store)); 422 if (cp->heartbeat.hb_info.addr_family == AF_INET && 423 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 424 sin->sin_family = cp->heartbeat.hb_info.addr_family; 425 sin->sin_len = cp->heartbeat.hb_info.addr_len; 426 sin->sin_port = stcb->rport; 427 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 428 sizeof(sin->sin_addr)); 429 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 430 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 431 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 432 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 433 sin6->sin6_port = stcb->rport; 434 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 435 sizeof(sin6->sin6_addr)); 436 } else { 437#ifdef SCTP_DEBUG 438 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 439 printf("unsupported address family"); 440 } 441#endif 442 return; 443 } 444 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 445 if (r_net == NULL) { 446#ifdef SCTP_DEBUG 447 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 448 printf("Huh? I can't find the address I sent it to, discard\n"); 449 } 450#endif 451 return; 452 } 453 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 454 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 455 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 456 /* 457 * If the its a HB and it's random value is correct when 458 * can confirm the destination. 459 */ 460 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 461 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 462 stcb, 0, (void *)r_net); 463 } 464 r_net->error_count = 0; 465 r_net->hb_responded = 1; 466 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 467 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 468 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 469 r_net->dest_state = SCTP_ADDR_REACHABLE; 470 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 471 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 472 473 /* now was it the primary? if so restore */ 474 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 475 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 476 } 477 } 478 /* Now lets do a RTO with this */ 479 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 480} 481 482static void 483sctp_handle_abort(struct sctp_abort_chunk *cp, 484 struct sctp_tcb *stcb, struct sctp_nets *net) 485{ 486 487#ifdef SCTP_DEBUG 488 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 489 printf("sctp_handle_abort: handling ABORT\n"); 490 } 491#endif 492 if (stcb == NULL) 493 return; 494 /* verify that the destination addr is in the association */ 495 /* ignore abort for addresses being deleted */ 496 497 /* stop any receive timers */ 498 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net); 499 /* notify user of the abort and clean up... */ 500 sctp_abort_notification(stcb, 0); 501 /* free the tcb */ 502 sctp_free_assoc(stcb->sctp_ep, stcb); 503#ifdef SCTP_DEBUG 504 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 505 printf("sctp_handle_abort: finished\n"); 506 } 507#endif 508} 509 510static void 511sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 512 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 513{ 514 struct sctp_association *asoc; 515 int some_on_streamwheel; 516 517#ifdef SCTP_DEBUG 518 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 519 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 520 } 521#endif 522 if (stcb == NULL) 523 return; 524 525 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) || 526 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 527 return; 528 } 529 530 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 531 /* update current data status */ 532#ifdef SCTP_DEBUG 533 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 534 printf("Warning Shutdown NOT the expected size.. skipping (%d:%d)\n", 535 ntohs(cp->ch.chunk_length), 536 (int)sizeof(struct sctp_shutdown_chunk)); 537 } 538#endif 539 return; 540 } else { 541 sctp_update_acked(stcb, cp, net, abort_flag); 542 } 543 asoc = &stcb->asoc; 544 /* goto SHUTDOWN_RECEIVED state to block new requests */ 545 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 546 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 547 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 548#ifdef SCTP_DEBUG 549 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 550 printf("Moving to SHUTDOWN-RECEIVED state\n"); 551 } 552#endif 553 /* notify upper layer that peer has initiated a shutdown */ 554 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 555 556 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 557 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 558 559 /* Set the flag so we cannot send more, we 560 * would call the function but we don't want to 561 * wake up the ulp necessarily. 562 */ 563#if defined(__FreeBSD__) && __FreeBSD_version >= 502115 564 stcb->sctp_ep->sctp_socket->so_rcv.sb_state |= SBS_CANTSENDMORE; 565#else 566 stcb->sctp_ep->sctp_socket->so_state |= SS_CANTSENDMORE; 567#endif 568 } 569 /* reset time */ 570 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 571 } 572 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 573 /* 574 * stop the shutdown timer, since we WILL move 575 * to SHUTDOWN-ACK-SENT. 576 */ 577 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 578 } 579 /* Now are we there yet? */ 580 some_on_streamwheel = 0; 581 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 582 /* Check to see if some data queued */ 583 struct sctp_stream_out *outs; 584 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 585 if (!TAILQ_EMPTY(&outs->outqueue)) { 586 some_on_streamwheel = 1; 587 break; 588 } 589 } 590 } 591#ifdef SCTP_DEBUG 592 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 593 printf("some_on_streamwheel:%d send_q_empty:%d sent_q_empty:%d\n", 594 some_on_streamwheel, 595 !TAILQ_EMPTY(&asoc->send_queue), 596 !TAILQ_EMPTY(&asoc->sent_queue)); 597 } 598#endif 599 if (!TAILQ_EMPTY(&asoc->send_queue) || 600 !TAILQ_EMPTY(&asoc->sent_queue) || 601 some_on_streamwheel) { 602 /* By returning we will push more data out */ 603 return; 604 } else { 605 /* no outstanding data to send, so move on... */ 606 /* send SHUTDOWN-ACK */ 607 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 608 /* move to SHUTDOWN-ACK-SENT state */ 609 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 610#ifdef SCTP_DEBUG 611 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 612 printf("moving to SHUTDOWN_ACK state\n"); 613 } 614#endif 615 /* start SHUTDOWN timer */ 616 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 617 stcb, net); 618 } 619} 620 621static void 622sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 623 struct sctp_tcb *stcb, struct sctp_nets *net) 624{ 625 struct sctp_association *asoc; 626 627#ifdef SCTP_DEBUG 628 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 629 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 630 } 631#endif 632 if (stcb == NULL) 633 return; 634 635 asoc = &stcb->asoc; 636 /* process according to association state */ 637 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 638 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 639 /* unexpected SHUTDOWN-ACK... so ignore... */ 640 return; 641 } 642 /* are the queues empty? */ 643 if (!TAILQ_EMPTY(&asoc->send_queue) || 644 !TAILQ_EMPTY(&asoc->sent_queue) || 645 !TAILQ_EMPTY(&asoc->out_wheel)) { 646 sctp_report_all_outbound(stcb); 647 } 648 /* stop the timer */ 649 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 650 /* send SHUTDOWN-COMPLETE */ 651 sctp_send_shutdown_complete(stcb, net); 652 /* notify upper layer protocol */ 653 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 654 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 655 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 656 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 657 /* Set the connected flag to disconnected */ 658 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 659 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0; 660 soisdisconnected(stcb->sctp_ep->sctp_socket); 661 } 662 /* free the TCB but first save off the ep */ 663 sctp_free_assoc(stcb->sctp_ep, stcb); 664} 665 666/* 667 * Skip past the param header and then we will find the chunk that 668 * caused the problem. There are two possiblities ASCONF or FWD-TSN 669 * other than that and our peer must be broken. 670 */ 671static void 672sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 673 struct sctp_nets *net) 674{ 675 struct sctp_chunkhdr *chk; 676 677 chk = (struct sctp_chunkhdr *)((vaddr_t)phdr + sizeof(*phdr)); 678 switch (chk->chunk_type) { 679 case SCTP_ASCONF_ACK: 680#ifdef SCTP_DEBUG 681 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 682 printf("Strange peer, snds ASCONF but does not recongnize asconf-ack?\n"); 683 } 684#endif 685 /* FALLTHROUGH */ 686 case SCTP_ASCONF: 687#ifdef SCTP_DEBUG 688 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 689 printf("Peer does not support ASCONF/ASCONF-ACK chunks\n"); 690 } 691#endif /* SCTP_DEBUG */ 692 sctp_asconf_cleanup(stcb, net); 693 break; 694 case SCTP_FORWARD_CUM_TSN: 695 stcb->asoc.peer_supports_prsctp = 0; 696 break; 697 default: 698#ifdef SCTP_DEBUG 699 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 700 printf("Peer does not support chunk type %d(%x)??\n", 701 chk->chunk_type, (u_int)chk->chunk_type); 702 } 703#endif 704 break; 705 } 706} 707 708/* 709 * Skip past the param header and then we will find the param that 710 * caused the problem. There are a number of param's in a ASCONF 711 * OR the prsctp param these will turn of specific features. 712 */ 713static void 714sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 715{ 716 struct sctp_paramhdr *pbad; 717 718 pbad = phdr + 1; 719 switch (ntohs(pbad->param_type)) { 720 /* pr-sctp draft */ 721 case SCTP_PRSCTP_SUPPORTED: 722 stcb->asoc.peer_supports_prsctp = 0; 723 break; 724 case SCTP_SUPPORTED_CHUNK_EXT: 725 break; 726 /* draft-ietf-tsvwg-addip-sctp */ 727 case SCTP_ECN_NONCE_SUPPORTED: 728 stcb->asoc.peer_supports_ecn_nonce = 0; 729 stcb->asoc.ecn_nonce_allowed = 0; 730 stcb->asoc.ecn_allowed = 0; 731 break; 732 case SCTP_ADD_IP_ADDRESS: 733 case SCTP_DEL_IP_ADDRESS: 734 stcb->asoc.peer_supports_asconf = 0; 735 break; 736 case SCTP_SET_PRIM_ADDR: 737 stcb->asoc.peer_supports_asconf_setprim = 0; 738 break; 739 case SCTP_SUCCESS_REPORT: 740 case SCTP_ERROR_CAUSE_IND: 741#ifdef SCTP_DEBUG 742 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 743 printf("Huh, the peer does not support success? or error cause?\n"); 744 printf("Turning off ASCONF to this strange peer\n"); 745 } 746#endif 747 stcb->asoc.peer_supports_asconf = 0; 748 stcb->asoc.peer_supports_asconf_setprim = 0; 749 break; 750 default: 751#ifdef SCTP_DEBUG 752 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 753 printf("Peer does not support base param type %d(%x)??\n", 754 pbad->param_type, (u_int)pbad->param_type); 755 } 756#endif 757 break; 758 } 759} 760 761static int 762sctp_handle_error(struct sctp_chunkhdr *ch, 763 struct sctp_tcb *stcb, struct sctp_nets *net) 764{ 765 int chklen; 766 struct sctp_paramhdr *phdr; 767 uint16_t error_type; 768 uint16_t error_len; 769 struct sctp_association *asoc; 770 771 int adjust; 772 /* parse through all of the errors and process */ 773 asoc = &stcb->asoc; 774 phdr = (struct sctp_paramhdr *)((vaddr_t)ch + 775 sizeof(struct sctp_chunkhdr)); 776 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 777 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 778 /* Process an Error Cause */ 779 error_type = ntohs(phdr->param_type); 780 error_len = ntohs(phdr->param_length); 781 if ((error_len > chklen) || (error_len == 0)) { 782 /* invalid param length for this param */ 783#ifdef SCTP_DEBUG 784 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 785 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 786 chklen, error_len); 787 } 788#endif /* SCTP_DEBUG */ 789 return (0); 790 } 791 switch (error_type) { 792 case SCTP_CAUSE_INV_STRM: 793 case SCTP_CAUSE_MISS_PARAM: 794 case SCTP_CAUSE_INVALID_PARAM: 795 case SCTP_CAUSE_NOUSER_DATA: 796#ifdef SCTP_DEBUG 797 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 798 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 799 error_type); 800 } 801#endif 802 break; 803 case SCTP_CAUSE_STALE_COOKIE: 804 /* We only act if we have echoed a cookie and are waiting. */ 805 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 806 int *p; 807 p = (int *)((vaddr_t)phdr + sizeof(*phdr)); 808 /* Save the time doubled */ 809 asoc->cookie_preserve_req = ntohl(*p) << 1; 810 asoc->stale_cookie_count++; 811 if (asoc->stale_cookie_count > 812 asoc->max_init_times) { 813 sctp_abort_notification(stcb, 0); 814 /* now free the asoc */ 815 sctp_free_assoc(stcb->sctp_ep, stcb); 816 return (-1); 817 } 818 /* blast back to INIT state */ 819 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 820 asoc->state |= SCTP_STATE_COOKIE_WAIT; 821 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 822 stcb->sctp_ep, stcb, net); 823 sctp_send_initiate(stcb->sctp_ep, stcb); 824 } 825 break; 826 case SCTP_CAUSE_UNRESOLV_ADDR: 827 /* 828 * Nothing we can do here, we don't do hostname 829 * addresses so if the peer does not like my IPv6 (or 830 * IPv4 for that matter) it does not matter. If they 831 * don't support that type of address, they can NOT 832 * possibly get that packet type... i.e. with no IPv6 833 * you can't receive a IPv6 packet. so we can safely 834 * ignore this one. If we ever added support for 835 * HOSTNAME Addresses, then we would need to do 836 * something here. 837 */ 838 break; 839 case SCTP_CAUSE_UNRECOG_CHUNK: 840 sctp_process_unrecog_chunk(stcb, phdr, net); 841 break; 842 case SCTP_CAUSE_UNRECOG_PARAM: 843 sctp_process_unrecog_param(stcb, phdr); 844 break; 845 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 846 /* 847 * We ignore this since the timer will drive out a new 848 * cookie anyway and there timer will drive us to send 849 * a SHUTDOWN_COMPLETE. We can't send one here since 850 * we don't have their tag. 851 */ 852 break; 853 case SCTP_CAUSE_DELETEING_LAST_ADDR: 854 case SCTP_CAUSE_OPERATION_REFUSED: 855 case SCTP_CAUSE_DELETING_SRC_ADDR: 856 /* We should NOT get these here, but in a ASCONF-ACK. */ 857#ifdef SCTP_DEBUG 858 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 859 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 860 error_type); 861 } 862#endif 863 break; 864 case SCTP_CAUSE_OUT_OF_RESC: 865 /* 866 * And what, pray tell do we do with the fact 867 * that the peer is out of resources? Not 868 * really sure we could do anything but abort. 869 * I suspect this should have came WITH an 870 * abort instead of in a OP-ERROR. 871 */ 872 break; 873 default: 874#ifdef SCTP_DEBUG 875 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 876 /* don't know what this error cause is... */ 877 printf("sctp_handle_error: unknown error type = 0x%xh\n", 878 error_type); 879 } 880#endif /* SCTP_DEBUG */ 881 break; 882 } 883 adjust = SCTP_SIZE32(error_len); 884 chklen -= adjust; 885 phdr = (struct sctp_paramhdr *)((vaddr_t)phdr + adjust); 886 } 887 return (0); 888} 889 890static int 891sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 892 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 893 struct sctp_nets *net) 894{ 895 struct sctp_init_ack *init_ack; 896 int *state; 897 struct mbuf *op_err; 898 899#ifdef SCTP_DEBUG 900 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 901 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 902 } 903#endif 904 if (stcb == NULL) { 905#ifdef SCTP_DEBUG 906 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 907 printf("sctp_handle_init_ack: TCB is null\n"); 908 } 909#endif 910 return (-1); 911 } 912 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 913 /* Invalid length */ 914 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 915 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 916 op_err); 917 return (-1); 918 } 919 init_ack = &cp->init; 920 /* validate parameters */ 921 if (init_ack->initiate_tag == 0) { 922 /* protocol error... send an abort */ 923 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 924 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 925 op_err); 926 return (-1); 927 } 928 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 929 /* protocol error... send an abort */ 930 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 931 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 932 op_err); 933 return (-1); 934 } 935 if (init_ack->num_inbound_streams == 0) { 936 /* protocol error... send an abort */ 937 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 938 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 939 op_err); 940 return (-1); 941 } 942 if (init_ack->num_outbound_streams == 0) { 943 /* protocol error... send an abort */ 944 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 945 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 946 op_err); 947 return (-1); 948 } 949 950 /* process according to association state... */ 951 state = &stcb->asoc.state; 952 switch (*state & SCTP_STATE_MASK) { 953 case SCTP_STATE_COOKIE_WAIT: 954 /* this is the expected state for this chunk */ 955 /* process the INIT-ACK parameters */ 956 if (stcb->asoc.primary_destination->dest_state & 957 SCTP_ADDR_UNCONFIRMED) { 958 /* 959 * The primary is where we sent the INIT, we can 960 * always consider it confirmed when the INIT-ACK 961 * is returned. Do this before we load addresses 962 * though. 963 */ 964 stcb->asoc.primary_destination->dest_state &= 965 ~SCTP_ADDR_UNCONFIRMED; 966 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 967 stcb, 0, (void *)stcb->asoc.primary_destination); 968 } 969 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net 970 ) < 0) { 971 /* error in parsing parameters */ 972#ifdef SCTP_DEBUG 973 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 974 printf("sctp_process_init_ack: error in msg, discarding\n"); 975 } 976#endif 977 return (-1); 978 } 979 /* update our state */ 980#ifdef SCTP_DEBUG 981 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 982 printf("moving to COOKIE-ECHOED state\n"); 983 } 984#endif 985 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 986 *state = SCTP_STATE_COOKIE_ECHOED | 987 SCTP_STATE_SHUTDOWN_PENDING; 988 } else { 989 *state = SCTP_STATE_COOKIE_ECHOED; 990 } 991 992 /* reset the RTO calc */ 993 stcb->asoc.overall_error_count = 0; 994 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 995 /* 996 * collapse the init timer back in case of a exponential backoff 997 */ 998 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 999 stcb, net); 1000 /* 1001 * the send at the end of the inbound data processing will 1002 * cause the cookie to be sent 1003 */ 1004 break; 1005 case SCTP_STATE_SHUTDOWN_SENT: 1006 /* incorrect state... discard */ 1007 break; 1008 case SCTP_STATE_COOKIE_ECHOED: 1009 /* incorrect state... discard */ 1010 break; 1011 case SCTP_STATE_OPEN: 1012 /* incorrect state... discard */ 1013 break; 1014 case SCTP_STATE_EMPTY: 1015 case SCTP_STATE_INUSE: 1016 default: 1017 /* incorrect state... discard */ 1018#ifdef SCTP_DEBUG 1019 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1020 printf("Leaving handle-init-ack default\n"); 1021 } 1022#endif 1023 return (-1); 1024 break; 1025 } /* end switch asoc state */ 1026#ifdef SCTP_DEBUG 1027 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1028 printf("Leaving handle-init-ack end\n"); 1029 } 1030#endif 1031 return (0); 1032} 1033 1034 1035/* 1036 * handle a state cookie for an existing association 1037 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1038 * note: this is a "split" mbuf and the cookie signature does not exist 1039 * offset: offset into mbuf to the cookie-echo chunk 1040 */ 1041static struct sctp_tcb * 1042sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1043 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1044 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1045 struct sockaddr *init_src, int *notification) 1046{ 1047 struct sctp_association *asoc; 1048 struct sctp_init_chunk *init_cp, init_buf; 1049 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1050 int chk_length; 1051 int init_offset, initack_offset; 1052 int retval; 1053 1054 /* I know that the TCB is non-NULL from the caller */ 1055 asoc = &stcb->asoc; 1056 1057 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1058 /* SHUTDOWN came in after sending INIT-ACK */ 1059 struct mbuf *op_err; 1060 struct sctp_paramhdr *ph; 1061 1062 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1063#ifdef SCTP_DEBUG 1064 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1065 printf("sctp_handle_cookie: got a cookie, while shutting down!\n"); 1066 } 1067#endif 1068 MGETHDR(op_err, M_DONTWAIT, MT_HEADER); 1069 if (op_err == NULL) { 1070 /* FOOBAR */ 1071 return (NULL); 1072 } 1073 /* pre-reserve some space */ 1074 op_err->m_data += sizeof(struct ip6_hdr); 1075 op_err->m_data += sizeof(struct sctphdr); 1076 op_err->m_data += sizeof(struct sctp_chunkhdr); 1077 /* Set the len */ 1078 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr); 1079 ph = mtod(op_err, struct sctp_paramhdr *); 1080 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1081 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1082 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1083 return (NULL); 1084 } 1085 /* 1086 * find and validate the INIT chunk in the cookie (peer's info) 1087 * the INIT should start after the cookie-echo header struct 1088 * (chunk header, state cookie header struct) 1089 */ 1090 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1091 1092 init_cp = (struct sctp_init_chunk *) 1093 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1094 (u_int8_t *)&init_buf); 1095 if (init_cp == NULL) { 1096 /* could not pull a INIT chunk in cookie */ 1097#ifdef SCTP_DEBUG 1098 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1099 printf("process_cookie_existing: could not pull INIT chunk hdr\n"); 1100 } 1101#endif /* SCTP_DEBUG */ 1102 return (NULL); 1103 } 1104 chk_length = ntohs(init_cp->ch.chunk_length); 1105 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1106#ifdef SCTP_DEBUG 1107 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1108 printf("process_cookie_existing: could not find INIT chunk!\n"); 1109 } 1110#endif /* SCTP_DEBUG */ 1111 return (NULL); 1112 } 1113 1114 /* 1115 * find and validate the INIT-ACK chunk in the cookie (my info) 1116 * the INIT-ACK follows the INIT chunk 1117 */ 1118 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1119 initack_cp = (struct sctp_init_ack_chunk *) 1120 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1121 (u_int8_t *)&initack_buf); 1122 if (initack_cp == NULL) { 1123 /* could not pull INIT-ACK chunk in cookie */ 1124#ifdef SCTP_DEBUG 1125 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1126 printf("process_cookie_existing: could not pull INIT-ACK chunk hdr\n"); 1127 } 1128#endif /* SCTP_DEBUG */ 1129 return (NULL); 1130 } 1131 chk_length = ntohs(initack_cp->ch.chunk_length); 1132 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1133#ifdef SCTP_DEBUG 1134 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1135 printf("process_cookie_existing: could not find INIT-ACK chunk!\n"); 1136 } 1137#endif /* SCTP_DEBUG */ 1138 return (NULL); 1139 } 1140 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1141 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1142 /* 1143 * case D in Section 5.2.4 Table 2: MMAA 1144 * process accordingly to get into the OPEN state 1145 */ 1146 switch SCTP_GET_STATE(asoc) { 1147 case SCTP_STATE_COOKIE_WAIT: 1148 /* 1149 * INIT was sent, but got got a COOKIE_ECHO with 1150 * the correct tags... just accept it... 1151 */ 1152 /* First we must process the INIT !! */ 1153 retval = sctp_process_init(init_cp, stcb, net); 1154 if (retval < 0) { 1155#ifdef SCTP_DEBUG 1156 printf("process_cookie_existing: INIT processing failed\n"); 1157#endif 1158 return (NULL); 1159 } 1160 /* FALLTHROUGH */ 1161 /* intentional fall through to below... */ 1162 1163 case SCTP_STATE_COOKIE_ECHOED: 1164 /* Duplicate INIT case */ 1165 /* we have already processed the INIT so no problem */ 1166 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1167 net); 1168 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1169 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, 1170 net); 1171 /* update current state */ 1172 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1173 asoc->state = SCTP_STATE_OPEN | 1174 SCTP_STATE_SHUTDOWN_PENDING; 1175 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { 1176 /* if ok, move to OPEN state */ 1177 asoc->state = SCTP_STATE_OPEN; 1178 } 1179 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1180 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1181 (!(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING))) { 1182 /* 1183 * Here is where collision would go if we did a 1184 * connect() and instead got a 1185 * init/init-ack/cookie done before the 1186 * init-ack came back.. 1187 */ 1188 stcb->sctp_ep->sctp_flags |= 1189 SCTP_PCB_FLAGS_CONNECTED; 1190 soisconnected(stcb->sctp_ep->sctp_socket); 1191 } 1192 /* notify upper layer */ 1193 *notification = SCTP_NOTIFY_ASSOC_UP; 1194 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1195 net); 1196 /* 1197 * since we did not send a HB make sure we don't double 1198 * things 1199 */ 1200 net->hb_responded = 1; 1201 1202 if (stcb->asoc.sctp_autoclose_ticks && 1203 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1204 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1205 inp, stcb, NULL); 1206 } 1207 break; 1208 default: 1209 /* 1210 * we're in the OPEN state (or beyond), so peer 1211 * must have simply lost the COOKIE-ACK 1212 */ 1213 break; 1214 } /* end switch */ 1215 1216 /* 1217 * We ignore the return code here.. not sure if we should 1218 * somehow abort.. but we do have an existing asoc. This 1219 * really should not fail. 1220 */ 1221 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1222 init_offset + sizeof(struct sctp_init_chunk), 1223 initack_offset, sh, init_src)) { 1224#ifdef SCTP_DEBUG 1225 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1226 printf("Weird cookie load_address failure on cookie existing - 1\n"); 1227 } 1228#endif 1229 return (NULL); 1230 } 1231 1232 /* respond with a COOKIE-ACK */ 1233 sctp_send_cookie_ack(stcb); 1234 return (stcb); 1235 } /* end if */ 1236 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1237 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1238 cookie->tie_tag_my_vtag == 0 && 1239 cookie->tie_tag_peer_vtag == 0) { 1240 /* 1241 * case C in Section 5.2.4 Table 2: XMOO 1242 * silently discard 1243 */ 1244 return (NULL); 1245 } 1246 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1247 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1248 init_cp->init.initiate_tag == 0)) { 1249 /* 1250 * case B in Section 5.2.4 Table 2: MXAA or MOAA 1251 * my info should be ok, re-accept peer info 1252 */ 1253 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1254 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1255 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1256 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1257 /* 1258 * since we did not send a HB make sure we don't double things 1259 */ 1260 net->hb_responded = 1; 1261 if (stcb->asoc.sctp_autoclose_ticks && 1262 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1263 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1264 NULL); 1265 } 1266 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1267 asoc->pre_open_streams = 1268 ntohs(initack_cp->init.num_outbound_streams); 1269 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1270 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1271 asoc->init_seq_number; 1272 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1273 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1274 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1275 asoc->str_reset_seq_in = asoc->init_seq_number; 1276 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1277 1278 /* process the INIT info (peer's info) */ 1279 retval = sctp_process_init(init_cp, stcb, net); 1280 if (retval < 0) { 1281#ifdef SCTP_DEBUG 1282 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1283 printf("process_cookie_existing: INIT processing failed\n"); 1284 } 1285#endif 1286 return (NULL); 1287 } 1288 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1289 init_offset + sizeof(struct sctp_init_chunk), 1290 initack_offset, sh, init_src)) { 1291#ifdef SCTP_DEBUG 1292 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1293 printf("Weird cookie load_address failure on cookie existing - 2\n"); 1294 } 1295#endif 1296 return (NULL); 1297 } 1298 1299 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1300 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1301 *notification = SCTP_NOTIFY_ASSOC_UP; 1302 1303 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1304 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1305 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1306 stcb->sctp_ep->sctp_flags |= 1307 SCTP_PCB_FLAGS_CONNECTED; 1308 soisconnected(stcb->sctp_ep->sctp_socket); 1309 } 1310 } 1311 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1312 asoc->state = SCTP_STATE_OPEN | 1313 SCTP_STATE_SHUTDOWN_PENDING; 1314 } else { 1315 asoc->state = SCTP_STATE_OPEN; 1316 } 1317 sctp_send_cookie_ack(stcb); 1318 return (stcb); 1319 } 1320 1321 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1322 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1323 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1324 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1325 cookie->tie_tag_peer_vtag != 0) { 1326 /* 1327 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1328 */ 1329 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1330 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1331 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1332 1333 /* notify upper layer */ 1334 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1335 1336 /* send up all the data */ 1337 sctp_report_all_outbound(stcb); 1338 1339 /* process the INIT-ACK info (my info) */ 1340 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1341 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1342 asoc->pre_open_streams = 1343 ntohs(initack_cp->init.num_outbound_streams); 1344 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1345 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1346 asoc->init_seq_number; 1347 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1348 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1349 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1350 asoc->str_reset_seq_in = asoc->init_seq_number; 1351 1352 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1353 if (asoc->mapping_array) 1354 memset(asoc->mapping_array, 0, 1355 asoc->mapping_array_size); 1356 /* process the INIT info (peer's info) */ 1357 retval = sctp_process_init(init_cp, stcb, net); 1358 if (retval < 0) { 1359#ifdef SCTP_DEBUG 1360 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1361 printf("process_cookie_existing: INIT processing failed\n"); 1362 } 1363#endif 1364 return (NULL); 1365 } 1366 1367 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1368 /* 1369 * since we did not send a HB make sure we don't double things 1370 */ 1371 net->hb_responded = 1; 1372 1373 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1374 init_offset + sizeof(struct sctp_init_chunk), 1375 initack_offset, sh, init_src)) { 1376#ifdef SCTP_DEBUG 1377 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1378 printf("Weird cookie load_address failure on cookie existing - 3\n"); 1379 } 1380#endif 1381 return (NULL); 1382 } 1383 1384 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1385 asoc->state = SCTP_STATE_OPEN | 1386 SCTP_STATE_SHUTDOWN_PENDING; 1387 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1388 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1389 asoc->state = SCTP_STATE_OPEN; 1390 } 1391 /* respond with a COOKIE-ACK */ 1392 sctp_send_cookie_ack(stcb); 1393 1394 return (stcb); 1395 } 1396 /* all other cases... */ 1397 return (NULL); 1398} 1399 1400/* 1401 * handle a state cookie for a new association 1402 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1403 * note: this is a "split" mbuf and the cookie signature does not exist 1404 * offset: offset into mbuf to the cookie-echo chunk 1405 * length: length of the cookie chunk 1406 * to: where the init was from 1407 * returns a new TCB 1408 */ 1409static struct sctp_tcb * 1410sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1411 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1412 struct sctp_inpcb *inp, struct sctp_nets **netp, 1413 struct sockaddr *init_src, int *notification) 1414{ 1415 struct sctp_tcb *stcb; 1416 struct sctp_init_chunk *init_cp, init_buf; 1417 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1418 struct sockaddr_storage sa_store; 1419 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1420 struct sockaddr_in *sin; 1421 struct sockaddr_in6 *sin6; 1422 struct sctp_association *asoc; 1423 int chk_length; 1424 int init_offset, initack_offset, initack_limit; 1425 int retval; 1426 int error = 0; 1427 /* 1428 * find and validate the INIT chunk in the cookie (peer's info) 1429 * the INIT should start after the cookie-echo header struct 1430 * (chunk header, state cookie header struct) 1431 */ 1432 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1433 init_cp = (struct sctp_init_chunk *) 1434 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1435 (u_int8_t *)&init_buf); 1436 if (init_cp == NULL) { 1437 /* could not pull a INIT chunk in cookie */ 1438#ifdef SCTP_DEBUG 1439 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1440 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1441 } 1442#endif /* SCTP_DEBUG */ 1443 return (NULL); 1444 } 1445 chk_length = ntohs(init_cp->ch.chunk_length); 1446 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1447#ifdef SCTP_DEBUG 1448 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1449 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1450 } 1451#endif /* SCTP_DEBUG */ 1452 return (NULL); 1453 } 1454 1455 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1456 /* 1457 * find and validate the INIT-ACK chunk in the cookie (my info) 1458 * the INIT-ACK follows the INIT chunk 1459 */ 1460 initack_cp = (struct sctp_init_ack_chunk *) 1461 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1462 (u_int8_t *)&initack_buf); 1463 if (initack_cp == NULL) { 1464 /* could not pull INIT-ACK chunk in cookie */ 1465#ifdef SCTP_DEBUG 1466 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1467 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1468 } 1469#endif /* SCTP_DEBUG */ 1470 return (NULL); 1471 } 1472 chk_length = ntohs(initack_cp->ch.chunk_length); 1473 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1474#ifdef SCTP_DEBUG 1475 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1476 u_int8_t *pp; 1477 pp = (u_int8_t *)initack_cp; 1478 printf("process_cookie_new: could not find INIT-ACK chunk!\n"); 1479 printf("Found bytes %x %x %x %x at position %d\n", 1480 (u_int)pp[0], (u_int)pp[1], (u_int)pp[2], 1481 (u_int)pp[3], initack_offset); 1482 } 1483#endif /* SCTP_DEBUG */ 1484 return (NULL); 1485 } 1486 initack_limit = initack_offset + SCTP_SIZE32(chk_length); 1487 1488 /* 1489 * now that we know the INIT/INIT-ACK are in place, 1490 * create a new TCB and popluate 1491 */ 1492 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, ntohl(initack_cp->init.initiate_tag)); 1493 if (stcb == NULL) { 1494 struct mbuf *op_err; 1495 /* memory problem? */ 1496#ifdef SCTP_DEBUG 1497 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1498 printf("process_cookie_new: no room for another TCB!\n"); 1499 } 1500#endif /* SCTP_DEBUG */ 1501 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1502 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1503 sh, op_err); 1504 return (NULL); 1505 } 1506 1507 /* get the correct sctp_nets */ 1508 *netp = sctp_findnet(stcb, init_src); 1509 asoc = &stcb->asoc; 1510 /* get scope variables out of cookie */ 1511 asoc->ipv4_local_scope = cookie->ipv4_scope; 1512 asoc->site_scope = cookie->site_scope; 1513 asoc->local_scope = cookie->local_scope; 1514 asoc->loopback_scope = cookie->loopback_scope; 1515 1516 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1517 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1518 struct mbuf *op_err; 1519 /* 1520 * Houston we have a problem. The EP changed while the cookie 1521 * was in flight. Only recourse is to abort the association. 1522 */ 1523 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1524 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1525 sh, op_err); 1526 return (NULL); 1527 } 1528 1529 /* process the INIT-ACK info (my info) */ 1530 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1531 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1532 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1533 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1534 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1535 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1536 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1537 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1538 asoc->str_reset_seq_in = asoc->init_seq_number; 1539 1540 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1541 1542 /* process the INIT info (peer's info) */ 1543 retval = sctp_process_init(init_cp, stcb, *netp); 1544 if (retval < 0) { 1545#ifdef SCTP_DEBUG 1546 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1547 printf("process_cookie_new: INIT processing failed\n"); 1548 } 1549#endif 1550 sctp_free_assoc(inp, stcb); 1551 return (NULL); 1552 } 1553 /* load all addresses */ 1554 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1555 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1556 init_src)) { 1557 sctp_free_assoc(inp, stcb); 1558 return (NULL); 1559 } 1560 1561 /* update current state */ 1562#ifdef SCTP_DEBUG 1563 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1564 printf("moving to OPEN state\n"); 1565 } 1566#endif 1567 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1568 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1569 } else { 1570 asoc->state = SCTP_STATE_OPEN; 1571 } 1572 /* calculate the RTT */ 1573 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1574 &cookie->time_entered); 1575 1576 /* 1577 * if we're doing ASCONFs, check to see if we have any new 1578 * local addresses that need to get added to the peer (eg. 1579 * addresses changed while cookie echo in flight). This needs 1580 * to be done after we go to the OPEN state to do the correct 1581 * asconf processing. 1582 * else, make sure we have the correct addresses in our lists 1583 */ 1584 1585 /* warning, we re-use sin, sin6, sa_store here! */ 1586 /* pull in local_address (our "from" address) */ 1587 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1588 /* source addr is IPv4 */ 1589 sin = (struct sockaddr_in *)initack_src; 1590 memset(sin, 0, sizeof(*sin)); 1591 sin->sin_family = AF_INET; 1592 sin->sin_len = sizeof(struct sockaddr_in); 1593 sin->sin_addr.s_addr = cookie->laddress[0]; 1594 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1595 /* source addr is IPv6 */ 1596 sin6 = (struct sockaddr_in6 *)initack_src; 1597 memset(sin6, 0, sizeof(*sin6)); 1598 sin6->sin6_family = AF_INET6; 1599 sin6->sin6_len = sizeof(struct sockaddr_in6); 1600 sin6->sin6_scope_id = cookie->scope_id; 1601 memcpy(&sin6->sin6_addr, cookie->laddress, 1602 sizeof(sin6->sin6_addr)); 1603 } else { 1604 sctp_free_assoc(inp, stcb); 1605 return (NULL); 1606 } 1607 1608 sctp_check_address_list(stcb, m, initack_offset + 1609 sizeof(struct sctp_init_ack_chunk), initack_limit, 1610 initack_src, cookie->local_scope, cookie->site_scope, 1611 cookie->ipv4_scope, cookie->loopback_scope); 1612 1613 1614 /* set up to notify upper layer */ 1615 *notification = SCTP_NOTIFY_ASSOC_UP; 1616 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1617 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1618 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1619 /* 1620 * This is an endpoint that called connect() 1621 * how it got a cookie that is NEW is a bit of 1622 * a mystery. It must be that the INIT was sent, but 1623 * before it got there.. a complete INIT/INIT-ACK/COOKIE 1624 * arrived. But of course then it should have went to 1625 * the other code.. not here.. oh well.. a bit of protection 1626 * is worth having.. 1627 */ 1628 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1629 soisconnected(stcb->sctp_ep->sctp_socket); 1630 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1631 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1632 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1633 /* 1634 * We don't want to do anything with this 1635 * one. Since it is the listening guy. The timer will 1636 * get started for accepted connections in the caller. 1637 */ 1638 ; 1639 } else { 1640 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1641 } 1642 /* since we did not send a HB make sure we don't double things */ 1643 (*netp)->hb_responded = 1; 1644 1645 if (stcb->asoc.sctp_autoclose_ticks && 1646 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1647 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1648 } 1649 1650 /* respond with a COOKIE-ACK */ 1651 sctp_send_cookie_ack(stcb); 1652 1653 return (stcb); 1654} 1655 1656 1657/* 1658 * handles a COOKIE-ECHO message 1659 * stcb: modified to either a new or left as existing (non-NULL) TCB 1660 */ 1661static struct mbuf * 1662sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1663 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1664 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp) 1665{ 1666 struct sctp_state_cookie *cookie; 1667 struct sockaddr_in6 sin6; 1668 struct sockaddr_in sin; 1669 struct sctp_tcb *l_stcb=*stcb; 1670 struct sctp_inpcb *l_inp; 1671 struct sockaddr *to; 1672 struct sctp_pcb *ep; 1673 struct mbuf *m_sig; 1674 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1675 uint8_t *sig; 1676 uint8_t cookie_ok = 0; 1677 unsigned int size_of_pkt, sig_offset, cookie_offset; 1678 unsigned int cookie_len; 1679 struct timeval now; 1680 struct timeval time_expires; 1681 struct sockaddr_storage dest_store; 1682 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1683 struct ip *iph; 1684 int notification = 0; 1685 struct sctp_nets *netl; 1686 int had_a_existing_tcb = 0; 1687 1688#ifdef SCTP_DEBUG 1689 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1690 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1691 } 1692#endif 1693 1694 if (inp_p == NULL) { 1695#ifdef SCTP_DEBUG 1696 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1697 printf("sctp_handle_cookie: null inp_p!\n"); 1698 } 1699#endif 1700 return (NULL); 1701 } 1702 /* First get the destination address setup too. */ 1703 iph = mtod(m, struct ip *); 1704 if (iph->ip_v == IPVERSION) { 1705 /* its IPv4 */ 1706 struct sockaddr_in *sin_d; 1707 sin_d = (struct sockaddr_in *)(localep_sa); 1708 memset(sin_d, 0, sizeof(*sin_d)); 1709 sin_d->sin_family = AF_INET; 1710 sin_d->sin_len = sizeof(*sin_d); 1711 sin_d->sin_port = sh->dest_port; 1712 sin_d->sin_addr.s_addr = iph->ip_dst.s_addr ; 1713 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1714 /* its IPv6 */ 1715 struct ip6_hdr *ip6; 1716 struct sockaddr_in6 *sin6_d; 1717 sin6_d = (struct sockaddr_in6 *)(localep_sa); 1718 memset(sin6_d, 0, sizeof(*sin6_d)); 1719 sin6_d->sin6_family = AF_INET6; 1720 sin6_d->sin6_len = sizeof(struct sockaddr_in6); 1721 ip6 = mtod(m, struct ip6_hdr *); 1722 sin6_d->sin6_port = sh->dest_port; 1723 sin6_d->sin6_addr = ip6->ip6_dst; 1724 } else { 1725 return (NULL); 1726 } 1727 1728 cookie = &cp->cookie; 1729 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1730 cookie_len = ntohs(cp->ch.chunk_length); 1731 1732 /* compute size of packet */ 1733 if (m->m_flags & M_PKTHDR) { 1734 size_of_pkt = m->m_pkthdr.len; 1735 } else { 1736 /* Should have a pkt hdr really */ 1737 struct mbuf *mat; 1738 mat = m; 1739 size_of_pkt = 0; 1740 while (mat != NULL) { 1741 size_of_pkt += mat->m_len; 1742 mat = mat->m_next; 1743 } 1744 } 1745 if (cookie_len > size_of_pkt || 1746 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1747 sizeof(struct sctp_init_chunk) + 1748 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1749 /* cookie too long! or too small */ 1750#ifdef SCTP_DEBUG 1751 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1752 printf("sctp_handle_cookie: cookie_len=%u, pkt size=%u\n", cookie_len, size_of_pkt); 1753 } 1754#endif /* SCTP_DEBUG */ 1755 return (NULL); 1756 } 1757 1758 if ((cookie->peerport != sh->src_port) && 1759 (cookie->myport != sh->dest_port) && 1760 (cookie->my_vtag != sh->v_tag)) { 1761 /* 1762 * invalid ports or bad tag. Note that we always leave 1763 * the v_tag in the header in network order and when we 1764 * stored it in the my_vtag slot we also left it in network 1765 * order. This maintians the match even though it may be in 1766 * the opposite byte order of the machine :-> 1767 */ 1768 return (NULL); 1769 } 1770 1771 /* 1772 * split off the signature into its own mbuf (since it 1773 * should not be calculated in the sctp_hash_digest_m() call). 1774 */ 1775 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1776 if (sig_offset > size_of_pkt) { 1777 /* packet not correct size! */ 1778 /* XXX this may already be accounted for earlier... */ 1779#ifdef SCTP_DEBUG 1780 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1781 printf("sctp_handle_cookie: sig offset=%u, pkt size=%u\n", sig_offset, size_of_pkt); 1782 } 1783#endif 1784 return (NULL); 1785 } 1786 1787 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1788 if (m_sig == NULL) { 1789 /* out of memory or ?? */ 1790#ifdef SCTP_DEBUG 1791 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1792 printf("sctp_handle_cookie: couldn't m_split the signature\n"); 1793 } 1794#endif 1795 return (NULL); 1796 } 1797 /* 1798 * compute the signature/digest for the cookie 1799 */ 1800 ep = &(*inp_p)->sctp_ep; 1801 l_inp = *inp_p; 1802 if (l_stcb) { 1803 SCTP_TCB_UNLOCK(l_stcb); 1804 } 1805 SCTP_INP_RLOCK(l_inp); 1806 if (l_stcb) { 1807 SCTP_TCB_LOCK(l_stcb); 1808 } 1809 /* which cookie is it? */ 1810 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1811 (ep->current_secret_number != ep->last_secret_number)) { 1812 /* it's the old cookie */ 1813#ifdef SCTP_DEBUG 1814 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1815 printf("sctp_handle_cookie: old cookie sig\n"); 1816 } 1817#endif 1818 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1819 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1820 } else { 1821 /* it's the current cookie */ 1822#ifdef SCTP_DEBUG 1823 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1824 printf("sctp_handle_cookie: current cookie sig\n"); 1825 } 1826#endif 1827 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->current_secret_number], 1828 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1829 } 1830 /* get the signature */ 1831 SCTP_INP_RUNLOCK(l_inp); 1832 sig = (u_int8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (u_int8_t *)&tmp_sig); 1833 if (sig == NULL) { 1834 /* couldn't find signature */ 1835#ifdef SCTP_DEBUG 1836 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1837 printf("sctp_handle_cookie: couldn't pull the signature\n"); 1838 } 1839#endif 1840 return (NULL); 1841 } 1842 /* compare the received digest with the computed digest */ 1843 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1844 /* try the old cookie? */ 1845 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1846 (ep->current_secret_number != ep->last_secret_number)) { 1847 /* compute digest with old */ 1848#ifdef SCTP_DEBUG 1849 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1850 printf("sctp_handle_cookie: old cookie sig\n"); 1851 } 1852#endif 1853 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1854 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1855 /* compare */ 1856 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1857 cookie_ok = 1; 1858 } 1859 } else { 1860 cookie_ok = 1; 1861 } 1862 1863 /* 1864 * Now before we continue we must reconstruct our mbuf so 1865 * that normal processing of any other chunks will work. 1866 */ 1867 { 1868 struct mbuf *m_at; 1869 m_at = m; 1870 while (m_at->m_next != NULL) { 1871 m_at = m_at->m_next; 1872 } 1873 m_at->m_next = m_sig; 1874 if (m->m_flags & M_PKTHDR) { 1875 /* 1876 * We should only do this if and only if the front 1877 * mbuf has a m_pkthdr... it should in theory. 1878 */ 1879 if (m_sig->m_flags & M_PKTHDR) { 1880 /* Add back to the pkt hdr of main m chain */ 1881 m->m_pkthdr.len += m_sig->m_len; 1882 } else { 1883 /* 1884 * Got a problem, no pkthdr in split chain. 1885 * TSNH but we will handle it just in case 1886 */ 1887 int mmlen = 0; 1888 struct mbuf *lat; 1889 printf("Warning: Hitting m_split join TSNH code - fixed\n"); 1890 lat = m_sig; 1891 while (lat) { 1892 mmlen += lat->m_len; 1893 lat = lat->m_next; 1894 } 1895 m->m_pkthdr.len += mmlen; 1896 } 1897 } 1898 } 1899 1900 if (cookie_ok == 0) { 1901#ifdef SCTP_DEBUG 1902 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1903 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1904 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1905 (u_int32_t)offset, cookie_offset, sig_offset); 1906 } 1907#endif 1908 return (NULL); 1909 } 1910#ifdef SCTP_DEBUG 1911 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1912 printf("handle_cookie_echo: cookie signature validation passed\n"); 1913 } 1914#endif 1915 1916 /* 1917 * check the cookie timestamps to be sure it's not stale 1918 */ 1919 SCTP_GETTIME_TIMEVAL(&now); 1920 /* Expire time is in Ticks, so we convert to seconds */ 1921 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 1922 time_expires.tv_usec = cookie->time_entered.tv_usec; 1923#ifndef __FreeBSD__ 1924 if (timercmp(&now, &time_expires, >)) 1925#else 1926 if (timevalcmp(&now, &time_expires, >)) 1927#endif 1928 { 1929 /* cookie is stale! */ 1930 struct mbuf *op_err; 1931 struct sctp_stale_cookie_msg *scm; 1932 u_int32_t tim; 1933#ifdef SCTP_DEBUG 1934 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 1935 printf("sctp_handle_cookie: got a STALE cookie!\n"); 1936 } 1937#endif 1938 MGETHDR(op_err, M_DONTWAIT, MT_HEADER); 1939 if (op_err == NULL) { 1940 /* FOOBAR */ 1941 return (NULL); 1942 } 1943 /* pre-reserve some space */ 1944 op_err->m_data += sizeof(struct ip6_hdr); 1945 op_err->m_data += sizeof(struct sctphdr); 1946 op_err->m_data += sizeof(struct sctp_chunkhdr); 1947 1948 /* Set the len */ 1949 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg); 1950 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1951 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1952 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1953 (sizeof(u_int32_t)))); 1954 /* seconds to usec */ 1955 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 1956 /* add in usec */ 1957 if (tim == 0) 1958 tim = now.tv_usec - cookie->time_entered.tv_usec; 1959 scm->time_usec = htonl(tim); 1960 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1961 return (NULL); 1962 } 1963 /* 1964 * Now we must see with the lookup address if we have an existing 1965 * asoc. This will only happen if we were in the COOKIE-WAIT state 1966 * and a INIT collided with us and somewhere the peer sent the 1967 * cookie on another address besides the single address our assoc 1968 * had for him. In this case we will have one of the tie-tags set 1969 * at least AND the address field in the cookie can be used to 1970 * look it up. 1971 */ 1972 to = NULL; 1973 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 1974 memset(&sin6, 0, sizeof(sin6)); 1975 sin6.sin6_family = AF_INET6; 1976 sin6.sin6_len = sizeof(sin6); 1977 sin6.sin6_port = sh->src_port; 1978 sin6.sin6_scope_id = cookie->scope_id; 1979 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 1980 sizeof(sin6.sin6_addr.s6_addr)); 1981 to = (struct sockaddr *)&sin6; 1982 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 1983 memset(&sin, 0, sizeof(sin)); 1984 sin.sin_family = AF_INET; 1985 sin.sin_len = sizeof(sin); 1986 sin.sin_port = sh->src_port; 1987 sin.sin_addr.s_addr = cookie->address[0]; 1988 to = (struct sockaddr *)&sin; 1989 } 1990 1991 if ((*stcb == NULL) && to) { 1992 /* Yep, lets check */ 1993 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 1994 if (*stcb == NULL) { 1995 /* We should have only got back the same inp. If we 1996 * got back a different ep we have a problem. The original 1997 * findep got back l_inp and now 1998 */ 1999 if (l_inp != *inp_p) { 2000 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 2001 } 2002 } 2003 } 2004 2005 cookie_len -= SCTP_SIGNATURE_SIZE; 2006 if (*stcb == NULL) { 2007 /* this is the "normal" case... get a new TCB */ 2008#ifdef SCTP_DEBUG 2009 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2010 printf("sctp_handle_cookie: processing NEW cookie\n"); 2011 } 2012#endif 2013 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2014 cookie_len, *inp_p, netp, to, ¬ification); 2015 /* now always decrement, since this is the normal 2016 * case.. we had no tcb when we entered. 2017 */ 2018 } else { 2019 /* this is abnormal... cookie-echo on existing TCB */ 2020#ifdef SCTP_DEBUG 2021 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2022 printf("sctp_handle_cookie: processing EXISTING cookie\n"); 2023 } 2024#endif 2025 had_a_existing_tcb = 1; 2026 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2027 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification); 2028 } 2029 2030 if (*stcb == NULL) { 2031 /* still no TCB... must be bad cookie-echo */ 2032#ifdef SCTP_DEBUG 2033 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2034 printf("handle_cookie_echo: ACK! don't have a TCB!\n"); 2035 } 2036#endif /* SCTP_DEBUG */ 2037 return (NULL); 2038 } 2039 2040 /* 2041 * Ok, we built an association so confirm the address 2042 * we sent the INIT-ACK to. 2043 */ 2044 netl = sctp_findnet(*stcb, to); 2045 /* This code should in theory NOT run but 2046 */ 2047 if (netl == NULL) { 2048#ifdef SCTP_DEBUG 2049 printf("TSNH! Huh, why do I need to add this address here?\n"); 2050#endif 2051 sctp_add_remote_addr(*stcb, to, 0, 100); 2052 netl = sctp_findnet(*stcb, to); 2053 } 2054 if (netl) { 2055 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2056 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2057 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2058 netl); 2059 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2060 (*stcb), 0, (void *)netl); 2061 } 2062 } 2063#ifdef SCTP_DEBUG 2064 else { 2065 printf("Could not add source address for some reason\n"); 2066 } 2067#endif 2068 2069 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2070 if (!had_a_existing_tcb || 2071 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2072 /* 2073 * If we have a NEW cookie or the connect never reached 2074 * the connected state during collision we must do the 2075 * TCP accept thing. 2076 */ 2077 struct socket *so, *oso; 2078 struct sctp_inpcb *inp; 2079 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2080 /* 2081 * For a restart we will keep the same socket, 2082 * no need to do anything. I THINK!! 2083 */ 2084 sctp_ulp_notify(notification, *stcb, 0, NULL); 2085 return (m); 2086 } 2087 oso = (*inp_p)->sctp_socket; 2088 SCTP_TCB_UNLOCK((*stcb)); 2089 so = sonewconn(oso, SS_ISCONNECTED); 2090 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2091 SCTP_TCB_LOCK((*stcb)); 2092 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2093 if (so == NULL) { 2094 struct mbuf *op_err; 2095 /* Too many sockets */ 2096#ifdef SCTP_DEBUG 2097 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2098 printf("process_cookie_new: no room for another socket!\n"); 2099 } 2100#endif /* SCTP_DEBUG */ 2101 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2102 sctp_abort_association(*inp_p, NULL, m, iphlen, 2103 sh, op_err); 2104 sctp_free_assoc(*inp_p, *stcb); 2105 return (NULL); 2106 } 2107 inp = (struct sctp_inpcb *)so->so_pcb; 2108 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2109 SCTP_PCB_FLAGS_CONNECTED | 2110 SCTP_PCB_FLAGS_IN_TCPPOOL | 2111 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2112 SCTP_PCB_FLAGS_DONT_WAKE); 2113 inp->sctp_socket = so; 2114 2115 /* 2116 * Now we must move it from one hash table to another 2117 * and get the tcb in the right place. 2118 */ 2119 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2120 2121 /* Switch over to the new guy */ 2122 *inp_p = inp; 2123 2124 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, 2125 *stcb, *netp); 2126 2127 sctp_ulp_notify(notification, *stcb, 0, NULL); 2128 return (m); 2129 } 2130 } 2131 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2132 sctp_ulp_notify(notification, *stcb, 0, NULL); 2133 } 2134 return (m); 2135} 2136 2137static void 2138sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2139 struct sctp_tcb *stcb, struct sctp_nets *net) 2140{ 2141 /* cp must not be used, others call this without a c-ack :-) */ 2142 struct sctp_association *asoc; 2143 2144#ifdef SCTP_DEBUG 2145 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2146 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2147 } 2148#endif 2149 if (stcb == NULL) 2150 return; 2151 2152 asoc = &stcb->asoc; 2153 2154 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2155 2156 /* process according to association state */ 2157 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2158 /* state change only needed when I am in right state */ 2159#ifdef SCTP_DEBUG 2160 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2161 printf("moving to OPEN state\n"); 2162 } 2163#endif 2164 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2165 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2166 } else { 2167 asoc->state = SCTP_STATE_OPEN; 2168 } 2169 2170 /* update RTO */ 2171 if (asoc->overall_error_count == 0) { 2172 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2173 &asoc->time_entered); 2174 } 2175 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2176 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2177 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2178 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2179 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2180 soisconnected(stcb->sctp_ep->sctp_socket); 2181 } 2182 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2183 stcb, net); 2184 /* since we did not send a HB make sure we don't double things */ 2185 net->hb_responded = 1; 2186 2187 if (stcb->asoc.sctp_autoclose_ticks && 2188 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 2189 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2190 stcb->sctp_ep, stcb, NULL); 2191 } 2192 2193 /* 2194 * set ASCONF timer if ASCONFs are pending and allowed 2195 * (eg. addresses changed when init/cookie echo in flight) 2196 */ 2197 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_DO_ASCONF) && 2198 (stcb->asoc.peer_supports_asconf) && 2199 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2200 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2201 stcb->sctp_ep, stcb, 2202 stcb->asoc.primary_destination); 2203 } 2204 2205 } 2206 /* Toss the cookie if I can */ 2207 sctp_toss_old_cookies(asoc); 2208 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2209 /* Restart the timer if we have pending data */ 2210 struct sctp_tmit_chunk *chk; 2211 chk = TAILQ_FIRST(&asoc->sent_queue); 2212 if (chk) { 2213 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2214 stcb, chk->whoTo); 2215 } 2216 } 2217 2218} 2219 2220static void 2221sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2222 struct sctp_tcb *stcb) 2223{ 2224 struct sctp_nets *net; 2225 struct sctp_tmit_chunk *lchk; 2226 u_int32_t tsn; 2227 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2228 return; 2229 } 2230 sctp_pegs[SCTP_ECNE_RCVD]++; 2231 tsn = ntohl(cp->tsn); 2232 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2233 /* Also we make sure we disable the nonce_wait */ 2234 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2235 if (lchk == NULL) { 2236 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2237 } else { 2238 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2239 } 2240 stcb->asoc.nonce_wait_for_ecne = 0; 2241 stcb->asoc.nonce_sum_check = 0; 2242 2243 /* Find where it was sent, if possible */ 2244 net = NULL; 2245 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2246 while (lchk) { 2247 if (lchk->rec.data.TSN_seq == tsn) { 2248 net = lchk->whoTo; 2249 break; 2250 } 2251 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2252 break; 2253 lchk = TAILQ_NEXT(lchk, sctp_next); 2254 } 2255 if (net == NULL) 2256 /* default is we use the primary */ 2257 net = stcb->asoc.primary_destination; 2258 2259 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2260#ifdef SCTP_CWND_LOGGING 2261 int old_cwnd; 2262#endif 2263#ifdef SCTP_CWND_LOGGING 2264 old_cwnd = net->cwnd; 2265#endif 2266 sctp_pegs[SCTP_CWR_PERFO]++; 2267 net->ssthresh = net->cwnd / 2; 2268 if (net->ssthresh < net->mtu) { 2269 net->ssthresh = net->mtu; 2270 /* here back off the timer as well, to slow us down */ 2271 net->RTO <<= 2; 2272 } 2273 net->cwnd = net->ssthresh; 2274#ifdef SCTP_CWND_LOGGING 2275 sctp_log_cwnd(net, (net->cwnd-old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2276#endif 2277 /* we reduce once every RTT. So we will only lower 2278 * cwnd at the next sending seq i.e. the resync_tsn. 2279 */ 2280 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2281 } 2282 /* 2283 * We always send a CWR this way if our previous one was lost 2284 * our peer will get an update, or if it is not time again 2285 * to reduce we still get the cwr to the peer. 2286 */ 2287 sctp_send_cwr(stcb, net, tsn); 2288} 2289 2290static void 2291sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2292{ 2293 /* Here we get a CWR from the peer. We must look in 2294 * the outqueue and make sure that we have a covered 2295 * ECNE in teh control chunk part. If so remove it. 2296 */ 2297 struct sctp_tmit_chunk *chk; 2298 struct sctp_ecne_chunk *ecne; 2299 2300 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2301 if (chk->rec.chunk_id != SCTP_ECN_ECHO) { 2302 continue; 2303 } 2304 /* Look for and remove if it is the right TSN. Since 2305 * there is only ONE ECNE on the control queue at 2306 * any one time we don't need to worry about more than 2307 * one! 2308 */ 2309 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2310 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2311 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2312 /* this covers this ECNE, we can remove it */ 2313 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2314 sctp_next); 2315 if (chk->data) { 2316 sctp_m_freem(chk->data); 2317 chk->data = NULL; 2318 } 2319 stcb->asoc.ctrl_queue_cnt--; 2320 sctp_free_remote_addr(chk->whoTo); 2321 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2322 sctppcbinfo.ipi_count_chunk--; 2323 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2324 panic("Chunk count is negative"); 2325 } 2326 sctppcbinfo.ipi_gencnt_chunk++; 2327 break; 2328 } 2329 } 2330} 2331 2332static void 2333sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2334 struct sctp_tcb *stcb, struct sctp_nets *net) 2335{ 2336 struct sctp_association *asoc; 2337 2338#ifdef SCTP_DEBUG 2339 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2340 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2341 } 2342#endif 2343 if (stcb == NULL) 2344 return; 2345 2346 asoc = &stcb->asoc; 2347 /* process according to association state */ 2348 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2349 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2350 return; 2351 } 2352 /* notify upper layer protocol */ 2353 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2354 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2355 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2356 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 2357 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 2358 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0; 2359 soisdisconnected(stcb->sctp_ep->sctp_socket); 2360 } 2361 /* are the queues empty? they should be */ 2362 if (!TAILQ_EMPTY(&asoc->send_queue) || 2363 !TAILQ_EMPTY(&asoc->sent_queue) || 2364 !TAILQ_EMPTY(&asoc->out_wheel)) { 2365 sctp_report_all_outbound(stcb); 2366 } 2367 /* stop the timer */ 2368 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 2369 /* free the TCB */ 2370 sctp_free_assoc(stcb->sctp_ep, stcb); 2371 return; 2372} 2373 2374static int 2375process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2376 struct sctp_nets *net, u_int8_t flg) 2377{ 2378 switch (desc->chunk_type) { 2379 case SCTP_DATA: 2380 /* find the tsn to resend (possibly */ 2381 { 2382 u_int32_t tsn; 2383 struct sctp_tmit_chunk *tp1; 2384 tsn = ntohl(desc->tsn_ifany); 2385 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2386 while (tp1) { 2387 if (tp1->rec.data.TSN_seq == tsn) { 2388 /* found it */ 2389 break; 2390 } 2391 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2392 MAX_TSN)) { 2393 /* not found */ 2394 tp1 = NULL; 2395 break; 2396 } 2397 tp1 = TAILQ_NEXT(tp1, sctp_next); 2398 } 2399 if (tp1 == NULL) { 2400 /* Do it the other way */ 2401 sctp_pegs[SCTP_PDRP_DNFND]++; 2402 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2403 while (tp1) { 2404 if (tp1->rec.data.TSN_seq == tsn) { 2405 /* found it */ 2406 break; 2407 } 2408 tp1 = TAILQ_NEXT(tp1, sctp_next); 2409 } 2410 } 2411 if (tp1 == NULL) { 2412 sctp_pegs[SCTP_PDRP_TSNNF]++; 2413 } 2414 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2415 u_int8_t *ddp; 2416 if (((tp1->rec.data.state_flags & SCTP_WINDOW_PROBE) == SCTP_WINDOW_PROBE) && 2417 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2418 sctp_pegs[SCTP_PDRP_DIWNP]++; 2419 return (0); 2420 } 2421 if (stcb->asoc.peers_rwnd == 0 && 2422 (flg & SCTP_FROM_MIDDLE_BOX)) { 2423 sctp_pegs[SCTP_PDRP_DIZRW]++; 2424 return (0); 2425 } 2426 ddp = (u_int8_t *)(mtod(tp1->data, vaddr_t) + 2427 sizeof(struct sctp_data_chunk)); 2428 { 2429 unsigned int iii; 2430 for (iii = 0; iii < sizeof(desc->data_bytes); 2431 iii++) { 2432 if (ddp[iii] != desc->data_bytes[iii]) { 2433 sctp_pegs[SCTP_PDRP_BADD]++; 2434 return (-1); 2435 } 2436 } 2437 } 2438 if (tp1->sent != SCTP_DATAGRAM_RESEND) { 2439 stcb->asoc.sent_queue_retran_cnt++; 2440 } 2441 /* We zero out the nonce so resync not needed */ 2442 tp1->rec.data.ect_nonce = 0; 2443 2444 if (tp1->do_rtt) { 2445 /* 2446 * this guy had a RTO calculation pending on it, 2447 * cancel it 2448 */ 2449 tp1->whoTo->rto_pending = 0; 2450 tp1->do_rtt = 0; 2451 } 2452 sctp_pegs[SCTP_PDRP_MARK]++; 2453 tp1->sent = SCTP_DATAGRAM_RESEND; 2454 /* 2455 * mark it as if we were doing a FR, since we 2456 * will be getting gap ack reports behind the 2457 * info from the router. 2458 */ 2459 tp1->rec.data.doing_fast_retransmit = 1; 2460 /* 2461 * mark the tsn with what sequences can cause a new FR. 2462 */ 2463 if (TAILQ_EMPTY(&stcb->asoc.send_queue) ) { 2464 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2465 } else { 2466 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2467 } 2468 2469 /* restart the timer */ 2470 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2471 stcb, tp1->whoTo); 2472 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2473 stcb, tp1->whoTo); 2474 2475 /* fix counts and things */ 2476 sctp_flight_size_decrease(tp1); 2477 sctp_total_flight_decrease(stcb, tp1); 2478 tp1->snd_count--; 2479 } 2480 { 2481 /* audit code */ 2482 unsigned int audit; 2483 audit = 0; 2484 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2485 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2486 audit++; 2487 } 2488 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2489 sctp_next) { 2490 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2491 audit++; 2492 } 2493 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2494 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2495 audit, stcb->asoc.sent_queue_retran_cnt); 2496#ifndef SCTP_AUDITING_ENABLED 2497 stcb->asoc.sent_queue_retran_cnt = audit; 2498#endif 2499 } 2500 } 2501 } 2502 break; 2503 case SCTP_ASCONF: 2504 { 2505 struct sctp_tmit_chunk *asconf; 2506 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2507 sctp_next) { 2508 if (asconf->rec.chunk_id == SCTP_ASCONF) { 2509 break; 2510 } 2511 } 2512 if (asconf) { 2513 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2514 stcb->asoc.sent_queue_retran_cnt++; 2515 asconf->sent = SCTP_DATAGRAM_RESEND; 2516 asconf->snd_count--; 2517 } 2518 } 2519 break; 2520 case SCTP_INITIATION: 2521 /* resend the INIT */ 2522 stcb->asoc.dropped_special_cnt++; 2523 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2524 /* 2525 * If we can get it in, in a few attempts we do this, 2526 * otherwise we let the timer fire. 2527 */ 2528 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2529 stcb, net); 2530 sctp_send_initiate(stcb->sctp_ep, stcb); 2531 } 2532 break; 2533 case SCTP_SELECTIVE_ACK: 2534 /* resend the sack */ 2535 sctp_send_sack(stcb); 2536 break; 2537 case SCTP_HEARTBEAT_REQUEST: 2538 /* resend a demand HB */ 2539 sctp_send_hb(stcb, 1, net); 2540 break; 2541 case SCTP_SHUTDOWN: 2542#ifdef SCTP_DEBUG 2543 if (sctp_debug_on & SCTP_DEBUG_OUTPUT4) { 2544 printf("%s:%d sends a shutdown\n", 2545 __FILE__, 2546 __LINE__ 2547 ); 2548 } 2549#endif 2550 sctp_send_shutdown(stcb, net); 2551 break; 2552 case SCTP_SHUTDOWN_ACK: 2553 sctp_send_shutdown_ack(stcb, net); 2554 break; 2555 case SCTP_COOKIE_ECHO: 2556 { 2557 struct sctp_tmit_chunk *cookie; 2558 cookie = NULL; 2559 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2560 sctp_next) { 2561 if (cookie->rec.chunk_id == SCTP_COOKIE_ECHO) { 2562 break; 2563 } 2564 } 2565 if (cookie) { 2566 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2567 stcb->asoc.sent_queue_retran_cnt++; 2568 cookie->sent = SCTP_DATAGRAM_RESEND; 2569 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2570 } 2571 } 2572 break; 2573 case SCTP_COOKIE_ACK: 2574 sctp_send_cookie_ack(stcb); 2575 break; 2576 case SCTP_ASCONF_ACK: 2577 /* resend last asconf ack */ 2578 sctp_send_asconf_ack(stcb, 1); 2579 break; 2580 case SCTP_FORWARD_CUM_TSN: 2581 send_forward_tsn(stcb, &stcb->asoc); 2582 break; 2583 /* can't do anything with these */ 2584 case SCTP_PACKET_DROPPED: 2585 case SCTP_INITIATION_ACK: /* this should not happen */ 2586 case SCTP_HEARTBEAT_ACK: 2587 case SCTP_ABORT_ASSOCIATION: 2588 case SCTP_OPERATION_ERROR: 2589 case SCTP_SHUTDOWN_COMPLETE: 2590 case SCTP_ECN_ECHO: 2591 case SCTP_ECN_CWR: 2592 default: 2593 break; 2594 } 2595 return (0); 2596} 2597 2598static void 2599sctp_reset_in_stream(struct sctp_tcb *stcb, 2600 struct sctp_stream_reset_response *resp, int number_entries) 2601{ 2602 int i; 2603 uint16_t *list, temp; 2604 2605 /* We set things to 0xffff since this is the last delivered 2606 * sequence and we will be sending in 0 after the reset. 2607 */ 2608 2609 if (resp->reset_flags & SCTP_RESET_PERFORMED) { 2610 if (number_entries) { 2611 list = resp->list_of_streams; 2612 for (i = 0; i < number_entries; i++) { 2613 temp = ntohs(list[i]); 2614 list[i] = temp; 2615 if (list[i] >= stcb->asoc.streamincnt) { 2616 printf("Invalid stream in-stream reset %d\n", list[i]); 2617 continue; 2618 } 2619 stcb->asoc.strmin[(list[i])].last_sequence_delivered = 0xffff; 2620 } 2621 } else { 2622 list = NULL; 2623 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2624 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2625 } 2626 } 2627 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2628 } 2629} 2630 2631static void 2632sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2633{ 2634 struct sctp_tmit_chunk *chk, *nchk; 2635 struct sctp_association *asoc; 2636 2637 asoc = &stcb->asoc; 2638 2639 for (chk = TAILQ_FIRST(&asoc->control_send_queue); 2640 chk; chk = nchk) { 2641 nchk = TAILQ_NEXT(chk, sctp_next); 2642 if (chk->rec.chunk_id == SCTP_STREAM_RESET) { 2643 struct sctp_stream_reset_req *strreq; 2644 strreq = mtod(chk->data, struct sctp_stream_reset_req *); 2645 if (strreq->sr_req.ph.param_type == ntohs(SCTP_STR_RESET_RESPONSE)) { 2646 /* we only clean up the request */ 2647 continue; 2648 } else if (strreq->sr_req.ph.param_type != ntohs(SCTP_STR_RESET_REQUEST)) { 2649 printf("TSNH, an unknown stream reset request is in queue %x\n", 2650 (u_int)ntohs(strreq->sr_req.ph.param_type)); 2651 continue; 2652 } 2653 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2654 TAILQ_REMOVE(&asoc->control_send_queue, 2655 chk, 2656 sctp_next); 2657 if (chk->data) { 2658 sctp_m_freem(chk->data); 2659 chk->data = NULL; 2660 } 2661 asoc->ctrl_queue_cnt--; 2662 sctp_free_remote_addr(chk->whoTo); 2663 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2664 sctppcbinfo.ipi_count_chunk--; 2665 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2666 panic("Chunk count is negative"); 2667 } 2668 sctppcbinfo.ipi_gencnt_chunk++; 2669 /* we can only have one of these so we break */ 2670 break; 2671 } 2672 } 2673} 2674 2675 2676void 2677sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2678 struct sctp_stream_reset_response *resp) 2679{ 2680 uint32_t seq, tsn; 2681 int number_entries, param_length; 2682 2683 param_length = ntohs(resp->ph.param_length); 2684 seq = ntohl(resp->reset_req_seq_resp); 2685 if (seq == stcb->asoc.str_reset_seq_out) { 2686 sctp_clean_up_stream_reset(stcb); 2687 stcb->asoc.str_reset_seq_out++; 2688 stcb->asoc.stream_reset_outstanding = 0; 2689 tsn = ntohl(resp->reset_at_tsn); 2690 number_entries = (param_length - sizeof(struct sctp_stream_reset_response))/sizeof(uint16_t); 2691 tsn--; 2692 if ((tsn == stcb->asoc.cumulative_tsn) || 2693 (compare_with_wrap(stcb->asoc.cumulative_tsn, tsn, MAX_TSN))) { 2694 /* no problem we are good to go */ 2695 sctp_reset_in_stream(stcb, resp, number_entries); 2696 } else { 2697 /* So, we have a stream reset but there 2698 * is pending data. We need to copy 2699 * out the stream_reset and then queue 2700 * any data = or > resp->reset_at_tsn 2701 */ 2702 if (stcb->asoc.pending_reply != NULL) { 2703 /* FIX ME FIX ME 2704 * This IS WRONG. We need 2705 * to queue each of these up 2706 * and only release the chunks 2707 * for each reset that the cum-ack 2708 * goes by. This is a short cut. 2709 */ 2710 free(stcb->asoc.pending_reply, M_PCB); 2711 } 2712 stcb->asoc.pending_reply = malloc(param_length, 2713 M_PCB, M_NOWAIT); 2714 memcpy(stcb->asoc.pending_reply, resp, param_length); 2715 } 2716 2717 } else { 2718 /* duplicate */ 2719#ifdef SCTP_DEBUG 2720 printf("Duplicate old stream reset resp next:%x this one:%x\n", 2721 stcb->asoc.str_reset_seq_out, seq); 2722#endif 2723 } 2724} 2725 2726 2727static void 2728sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_req *sr_req) 2729{ 2730 int chk_length, param_len; 2731 struct sctp_paramhdr *ph; 2732 /* now it may be a reset or a reset-response */ 2733 struct sctp_stream_reset_request *req; 2734 struct sctp_stream_reset_response *resp; 2735 chk_length = ntohs(sr_req->ch.chunk_length); 2736 2737 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 2738 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_request)) { 2739 param_len = ntohs(ph->param_length); 2740 if (ntohs(ph->param_type) == SCTP_STR_RESET_REQUEST) { 2741 /* this will send the ACK and do the reset if needed */ 2742 req = (struct sctp_stream_reset_request *)ph; 2743 sctp_send_str_reset_ack(stcb, req); 2744 } else if (ntohs(ph->param_type) == SCTP_STR_RESET_RESPONSE) { 2745 /* Now here is a tricky one. We reset our receive side 2746 * of the streams. But what happens if the peers 2747 * next sending TSN is NOT equal to 1 minus our cumack? 2748 * And if his cumack is not equal to our next one out - 1 2749 * we have another problem if this is receprical. 2750 */ 2751 resp = (struct sctp_stream_reset_response *)ph; 2752 sctp_handle_stream_reset_response(stcb, resp); 2753 } 2754 ph = (struct sctp_paramhdr *)((vaddr_t)ph + SCTP_SIZE32(param_len)); 2755 chk_length -= SCTP_SIZE32(param_len); 2756 } 2757} 2758 2759/* 2760 * Handle a router or endpoints report of a packet loss, there 2761 * are two ways to handle this, either we get the whole packet 2762 * and must disect it ourselves (possibly with truncation and 2763 * or corruption) or it is a summary from a middle box that did 2764 * the disectting for us. 2765 */ 2766static void 2767sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 2768 struct sctp_tcb *stcb, struct sctp_nets *net) 2769{ 2770 u_int32_t bottle_bw, on_queue; 2771 u_int16_t trunc_len; 2772 unsigned int chlen; 2773 unsigned int at; 2774 struct sctp_chunk_desc desc; 2775 struct sctp_chunkhdr *ch; 2776 2777 chlen = ntohs(cp->ch.chunk_length); 2778 chlen -= sizeof(struct sctp_pktdrop_chunk); 2779 /* XXX possible chlen underflow */ 2780 if (chlen == 0) { 2781 ch = NULL; 2782 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 2783 sctp_pegs[SCTP_PDRP_BWRPT]++; 2784 } else { 2785 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 2786 chlen -= sizeof(struct sctphdr); 2787 /* XXX possible chlen underflow */ 2788 memset(&desc, 0, sizeof(desc)); 2789 } 2790 2791 /* first update a rwnd possibly */ 2792 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 2793 /* From a peer, we get a rwnd report */ 2794 u_int32_t a_rwnd; 2795 2796 sctp_pegs[SCTP_PDRP_FEHOS]++; 2797 2798 bottle_bw = ntohl(cp->bottle_bw); 2799 on_queue = ntohl(cp->current_onq); 2800 if (bottle_bw && on_queue) { 2801 /* a rwnd report is in here */ 2802 if (bottle_bw > on_queue) 2803 a_rwnd = bottle_bw - on_queue; 2804 else 2805 a_rwnd = 0; 2806 2807 if (a_rwnd <= 0) 2808 stcb->asoc.peers_rwnd = 0; 2809 else { 2810 if (a_rwnd > stcb->asoc.total_flight) { 2811 stcb->asoc.peers_rwnd = 2812 a_rwnd - stcb->asoc.total_flight; 2813 } else { 2814 stcb->asoc.peers_rwnd = 0; 2815 } 2816 if (stcb->asoc.peers_rwnd < 2817 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 2818 /* SWS sender side engages */ 2819 stcb->asoc.peers_rwnd = 0; 2820 } 2821 } 2822 } 2823 } else { 2824 sctp_pegs[SCTP_PDRP_FMBOX]++; 2825 } 2826 trunc_len = (u_int16_t)ntohs(cp->trunc_len); 2827 /* now the chunks themselves */ 2828 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 2829 desc.chunk_type = ch->chunk_type; 2830 /* get amount we need to move */ 2831 at = ntohs(ch->chunk_length); 2832 if (at < sizeof(struct sctp_chunkhdr)) { 2833 /* corrupt chunk, maybe at the end? */ 2834 sctp_pegs[SCTP_PDRP_CRUPT]++; 2835 break; 2836 } 2837 if (trunc_len == 0) { 2838 /* we are supposed to have all of it */ 2839 if (at > chlen) { 2840 /* corrupt skip it */ 2841 sctp_pegs[SCTP_PDRP_CRUPT]++; 2842 break; 2843 } 2844 } else { 2845 /* is there enough of it left ? */ 2846 if (desc.chunk_type == SCTP_DATA) { 2847 if (chlen < (sizeof(struct sctp_data_chunk) + 2848 sizeof(desc.data_bytes))) { 2849 break; 2850 } 2851 } else { 2852 if (chlen < sizeof(struct sctp_chunkhdr)) { 2853 break; 2854 } 2855 } 2856 } 2857 if (desc.chunk_type == SCTP_DATA) { 2858 /* can we get out the tsn? */ 2859 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2860 sctp_pegs[SCTP_PDRP_MB_DA]++; 2861 2862 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(u_int32_t)) ) { 2863 /* yep */ 2864 struct sctp_data_chunk *dcp; 2865 u_int8_t *ddp; 2866 unsigned int iii; 2867 dcp = (struct sctp_data_chunk *)ch; 2868 ddp = (u_int8_t *)(dcp + 1); 2869 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 2870 desc.data_bytes[iii] = ddp[iii]; 2871 } 2872 desc.tsn_ifany = dcp->dp.tsn; 2873 } else { 2874 /* nope we are done. */ 2875 sctp_pegs[SCTP_PDRP_NEDAT]++; 2876 break; 2877 } 2878 } else { 2879 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2880 sctp_pegs[SCTP_PDRP_MB_CT]++; 2881 } 2882 2883 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 2884 sctp_pegs[SCTP_PDRP_PDBRK]++; 2885 break; 2886 } 2887 if (SCTP_SIZE32(at) > chlen) { 2888 break; 2889 } 2890 chlen -= SCTP_SIZE32(at); 2891 if (chlen < sizeof(struct sctp_chunkhdr)) { 2892 /* done, none left */ 2893 break; 2894 } 2895 ch = (struct sctp_chunkhdr *)((vaddr_t)ch + SCTP_SIZE32(at)); 2896 } 2897 2898 /* now middle boxes in sat networks get a cwnd bump */ 2899 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 2900 (stcb->asoc.sat_t3_loss_recovery == 0) && 2901 (stcb->asoc.sat_network)) { 2902 /* 2903 * This is debateable but for sat networks it makes sense 2904 * Note if a T3 timer has went off, we will prohibit any 2905 * changes to cwnd until we exit the t3 loss recovery. 2906 */ 2907 u_int32_t bw_avail; 2908 int rtt, incr; 2909#ifdef SCTP_CWND_LOGGING 2910 int old_cwnd=net->cwnd; 2911#endif 2912 /* need real RTT for this calc */ 2913 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 2914 /* get bottle neck bw */ 2915 bottle_bw = ntohl(cp->bottle_bw); 2916 /* and whats on queue */ 2917 on_queue = ntohl(cp->current_onq); 2918 /* 2919 * adjust the on-queue if our flight is more it could be 2920 * that the router has not yet gotten data "in-flight" to it 2921 */ 2922 if (on_queue < net->flight_size) 2923 on_queue = net->flight_size; 2924 2925 /* calculate the available space */ 2926 bw_avail = (bottle_bw*rtt)/1000; 2927 if (bw_avail > bottle_bw) { 2928 /* 2929 * Cap the growth to no more than the bottle neck. 2930 * This can happen as RTT slides up due to queues. 2931 * It also means if you have more than a 1 second 2932 * RTT with a empty queue you will be limited to 2933 * the bottle_bw per second no matter if 2934 * other points have 1/2 the RTT and you could 2935 * get more out... 2936 */ 2937 bw_avail = bottle_bw; 2938 } 2939 2940 if (on_queue > bw_avail) { 2941 /* 2942 * No room for anything else don't allow anything 2943 * else to be "added to the fire". 2944 */ 2945 int seg_inflight, seg_onqueue, my_portion; 2946 net->partial_bytes_acked = 0; 2947 2948 /* how much are we over queue size? */ 2949 incr = on_queue - bw_avail; 2950 if (stcb->asoc.seen_a_sack_this_pkt) { 2951 /* undo any cwnd adjustment that 2952 * the sack might have made 2953 */ 2954 net->cwnd = net->prev_cwnd; 2955 } 2956 2957 /* Now how much of that is mine? */ 2958 seg_inflight = net->flight_size / net->mtu; 2959 seg_onqueue = on_queue / net->mtu; 2960 my_portion = (incr * seg_inflight)/seg_onqueue; 2961 2962 /* Have I made an adjustment already */ 2963 if (net->cwnd > net->flight_size) { 2964 /* for this flight I made an adjustment 2965 * we need to decrease the portion by a share 2966 * our previous adjustment. 2967 */ 2968 int diff_adj; 2969 diff_adj = net->cwnd - net->flight_size; 2970 if (diff_adj > my_portion) 2971 my_portion = 0; 2972 else 2973 my_portion -= diff_adj; 2974 } 2975 2976 /* back down to the previous cwnd (assume 2977 * we have had a sack before this packet). minus 2978 * what ever portion of the overage is my fault. 2979 */ 2980 net->cwnd -= my_portion; 2981 2982 /* we will NOT back down more than 1 MTU */ 2983 if (net->cwnd <= net->mtu) { 2984 net->cwnd = net->mtu; 2985 } 2986 /* force into CA */ 2987 net->ssthresh = net->cwnd - 1; 2988 } else { 2989 /* 2990 * Take 1/4 of the space left or 2991 * max burst up .. whichever is less. 2992 */ 2993 incr = uimin((bw_avail - on_queue) >> 2, 2994 (int)stcb->asoc.max_burst * (int)net->mtu); 2995 net->cwnd += incr; 2996 } 2997 if (net->cwnd > bw_avail) { 2998 /* We can't exceed the pipe size */ 2999 net->cwnd = bw_avail; 3000 } 3001 if (net->cwnd < net->mtu) { 3002 /* We always have 1 MTU */ 3003 net->cwnd = net->mtu; 3004 } 3005#ifdef SCTP_CWND_LOGGING 3006 if (net->cwnd - old_cwnd != 0) { 3007 /* log only changes */ 3008 sctp_log_cwnd(net, (net->cwnd - old_cwnd), 3009 SCTP_CWND_LOG_FROM_SAT); 3010 } 3011#endif 3012 } 3013} 3014 3015extern int sctp_strict_init; 3016 3017/* 3018 * handles all control chunks in a packet 3019 * inputs: 3020 * - m: mbuf chain, assumed to still contain IP/SCTP header 3021 * - stcb: is the tcb found for this packet 3022 * - offset: offset into the mbuf chain to first chunkhdr 3023 * - length: is the length of the complete packet 3024 * outputs: 3025 * - length: modified to remaining length after control processing 3026 * - netp: modified to new sctp_nets after cookie-echo processing 3027 * - return NULL to discard the packet (ie. no asoc, bad packet,...) 3028 * otherwise return the tcb for this packet 3029 */ 3030static struct sctp_tcb * 3031sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3032 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3033 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3034{ 3035 struct sctp_association *asoc; 3036 u_int32_t vtag_in; 3037 int num_chunks = 0; /* number of control chunks processed */ 3038 int chk_length; 3039 int ret; 3040 3041 /* 3042 * How big should this be, and should it be alloc'd? 3043 * Lets try the d-mtu-ceiling for now (2k) and that should 3044 * hopefully work ... until we get into jumbo grams and such.. 3045 */ 3046 u_int8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 3047 struct sctp_tcb *locked_tcb = stcb; 3048 3049#ifdef SCTP_DEBUG 3050 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3051 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3052 iphlen, *offset, length, stcb); 3053 } 3054#endif /* SCTP_DEBUG */ 3055 3056 /* validate chunk header length... */ 3057 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3058 return (NULL); 3059 } 3060 3061 /* 3062 * validate the verification tag 3063 */ 3064#ifdef SCTP_DEBUG 3065 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3066 printf("sctp_process_control: validating vtags\n"); 3067 } 3068#endif /* SCTP_DEBUG */ 3069 vtag_in = ntohl(sh->v_tag); 3070 if (ch->chunk_type == SCTP_INITIATION) { 3071 if (vtag_in != 0) { 3072 /* protocol error- silently discard... */ 3073#ifdef SCTP_DEBUG 3074 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3075 printf("sctp_process_control: INIT with vtag != 0\n"); 3076 } 3077#endif /* SCTP_DEBUG */ 3078 sctp_pegs[SCTP_BAD_VTAGS]++; 3079 if (locked_tcb) { 3080 SCTP_TCB_UNLOCK(locked_tcb); 3081 } 3082 return (NULL); 3083 } 3084 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3085 /* 3086 * first check if it's an ASCONF with an unknown src addr 3087 * we need to look inside to find the association 3088 */ 3089 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3090 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3091 *offset, sh, &inp, netp); 3092 } 3093 if (stcb == NULL) { 3094 /* no association, so it's out of the blue... */ 3095 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3096#ifdef SCTP_DEBUG 3097 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3098 printf("sctp_process_control: handling OOTB packet, chunk type=%xh\n", 3099 ch->chunk_type); 3100 } 3101#endif /* SCTP_DEBUG */ 3102 *offset = length; 3103 if (locked_tcb) { 3104 SCTP_TCB_UNLOCK(locked_tcb); 3105 } 3106 return (NULL); 3107 } 3108 asoc = &stcb->asoc; 3109 /* ABORT and SHUTDOWN can use either v_tag... */ 3110 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3111 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3112 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3113 if ((vtag_in == asoc->my_vtag) || 3114 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3115 (vtag_in == asoc->peer_vtag))) { 3116 /* this is valid */ 3117 } else { 3118 /* drop this packet... */ 3119 sctp_pegs[SCTP_BAD_VTAGS]++; 3120 if (locked_tcb) { 3121 SCTP_TCB_UNLOCK(locked_tcb); 3122 } 3123 return (NULL); 3124 } 3125 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3126 if (vtag_in != asoc->my_vtag) { 3127 /* 3128 * this could be a stale SHUTDOWN-ACK or the 3129 * peer never got the SHUTDOWN-COMPLETE and 3130 * is still hung; we have started a new asoc 3131 * but it won't complete until the shutdown is 3132 * completed 3133 */ 3134 if (locked_tcb) { 3135 SCTP_TCB_UNLOCK(locked_tcb); 3136 } 3137 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3138 NULL); 3139 return (NULL); 3140 } 3141 } else { 3142 /* for all other chunks, vtag must match */ 3143 3144 if (vtag_in != asoc->my_vtag) { 3145 /* invalid vtag... */ 3146#ifdef SCTP_DEBUG 3147 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3148 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3149 } 3150#endif /* SCTP_DEBUG */ 3151 sctp_pegs[SCTP_BAD_VTAGS]++; 3152 if (locked_tcb) { 3153 SCTP_TCB_UNLOCK(locked_tcb); 3154 } 3155 *offset = length; 3156 return (NULL); 3157 } 3158 } 3159 } /* end if !SCTP_COOKIE_ECHO */ 3160 3161#ifdef SCTP_DEBUG 3162 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3163 printf("sctp_process_control: vtags ok, processing ctrl chunks\n"); 3164 } 3165#endif /* SCTP_DEBUG */ 3166 3167 /* 3168 * process all control chunks... 3169 */ 3170 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3171 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3172 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3173 /* implied cookie-ack.. we must have lost the ack */ 3174 stcb->asoc.overall_error_count = 0; 3175 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 3176 } 3177 3178 while (IS_SCTP_CONTROL(ch)) { 3179 /* validate chunk length */ 3180 chk_length = ntohs(ch->chunk_length); 3181#ifdef SCTP_DEBUG 3182 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3183 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", ch->chunk_type, chk_length); 3184 } 3185#endif /* SCTP_DEBUG */ 3186 if ((size_t)chk_length < sizeof(*ch) || 3187 (*offset + chk_length) > length) { 3188#ifdef SCTP_DEBUG 3189 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3190 printf("sctp_process_control: chunk length invalid! *offset:%u, chk_length:%u > length:%u\n", 3191 *offset, chk_length, length); 3192 } 3193#endif /* SCTP_DEBUG */ 3194 *offset = length; 3195 if (locked_tcb) { 3196 SCTP_TCB_UNLOCK(locked_tcb); 3197 } 3198 return (NULL); 3199 } 3200 3201 /* 3202 * INIT-ACK only gets the init ack "header" portion only 3203 * because we don't have to process the peer's COOKIE. 3204 * All others get a complete chunk. 3205 */ 3206 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3207 /* get an init-ack chunk */ 3208 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3209 sizeof(struct sctp_init_ack), chunk_buf); 3210 if (ch == NULL) { 3211 *offset = length; 3212 if (locked_tcb) { 3213 SCTP_TCB_UNLOCK(locked_tcb); 3214 } 3215 return (NULL); 3216 } 3217 } else { 3218 /* get a complete chunk... */ 3219 if ((size_t)chk_length > sizeof(chunk_buf)) { 3220 struct mbuf *oper; 3221 struct sctp_paramhdr *phdr; 3222 oper = NULL; 3223 MGETHDR(oper, M_DONTWAIT, MT_HEADER); 3224 if (oper) { 3225 /* pre-reserve some space */ 3226 oper->m_data += 3227 sizeof(struct sctp_chunkhdr); 3228 phdr = 3229 mtod(oper, struct sctp_paramhdr *); 3230 phdr->param_type = 3231 htons(SCTP_CAUSE_OUT_OF_RESC); 3232 phdr->param_length = 3233 htons(sizeof(struct sctp_paramhdr)); 3234 sctp_queue_op_err(stcb, oper); 3235 } 3236 if (locked_tcb) { 3237 SCTP_TCB_UNLOCK(locked_tcb); 3238 } 3239 return (NULL); 3240 } 3241 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3242 chk_length, chunk_buf); 3243 if (ch == NULL) { 3244 printf("sctp_process_control: Can't get the all data....\n"); 3245 *offset = length; 3246 if (locked_tcb) { 3247 SCTP_TCB_UNLOCK(locked_tcb); 3248 } 3249 return (NULL); 3250 } 3251 3252 } 3253 num_chunks++; 3254 /* Save off the last place we got a control from */ 3255 if ((*netp) && stcb) { 3256 stcb->asoc.last_control_chunk_from = *netp; 3257 } 3258#ifdef SCTP_AUDITING_ENABLED 3259 sctp_audit_log(0xB0, ch->chunk_type); 3260#endif 3261 switch (ch->chunk_type) { 3262 case SCTP_INITIATION: 3263 /* must be first and only chunk */ 3264#ifdef SCTP_DEBUG 3265 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3266 printf("SCTP_INIT\n"); 3267 } 3268#endif /* SCTP_DEBUG */ 3269 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3270 /* We are not interested anymore */ 3271 if (locked_tcb) { 3272 SCTP_TCB_UNLOCK(locked_tcb); 3273 } 3274 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3275 /* finish the job now */ 3276 sctp_inpcb_free(inp, 1); 3277 } 3278 *offset = length; 3279 return (NULL); 3280 } 3281 if ((num_chunks > 1) || 3282 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3283 *offset = length; 3284 if (locked_tcb) { 3285 SCTP_TCB_UNLOCK(locked_tcb); 3286 } 3287 return (NULL); 3288 } 3289 if ((stcb != NULL) && 3290 (SCTP_GET_STATE(&stcb->asoc) == 3291 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3292 sctp_send_shutdown_ack(stcb, 3293 stcb->asoc.primary_destination); 3294 *offset = length; 3295 if (locked_tcb) { 3296 SCTP_TCB_UNLOCK(locked_tcb); 3297 } 3298 return (NULL); 3299 } 3300 sctp_handle_init(m, iphlen, *offset, sh, 3301 (struct sctp_init_chunk *)ch, inp, stcb, *netp); 3302 *offset = length; 3303 if (locked_tcb) { 3304 SCTP_TCB_UNLOCK(locked_tcb); 3305 } 3306 return (NULL); 3307 break; 3308 case SCTP_INITIATION_ACK: 3309 /* must be first and only chunk */ 3310#ifdef SCTP_DEBUG 3311 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3312 printf("SCTP_INIT-ACK\n"); 3313 } 3314#endif /* SCTP_DEBUG */ 3315 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3316 /* We are not interested anymore */ 3317 if (locked_tcb) { 3318 SCTP_TCB_UNLOCK(locked_tcb); 3319 } 3320 *offset = length; 3321 if (stcb) { 3322 sctp_free_assoc(inp, stcb); 3323 } else { 3324 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3325 /* finish the job now */ 3326 sctp_inpcb_free(inp, 1); 3327 } 3328 } 3329 return (NULL); 3330 } 3331 if ((num_chunks > 1) || 3332 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3333#ifdef SCTP_DEBUG 3334 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3335 printf("Length is %d rounded chk_length:%d .. dropping\n", 3336 length - *offset, 3337 SCTP_SIZE32(chk_length)); 3338 } 3339#endif 3340 *offset = length; 3341 if (locked_tcb) { 3342 SCTP_TCB_UNLOCK(locked_tcb); 3343 } 3344 return (NULL); 3345 } 3346 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3347 (struct sctp_init_ack_chunk *)ch, stcb, *netp); 3348 /* 3349 * Special case, I must call the output routine 3350 * to get the cookie echoed 3351 */ 3352 if ((stcb) && ret == 0) 3353 sctp_chunk_output(stcb->sctp_ep, stcb, 2); 3354 *offset = length; 3355#ifdef SCTP_DEBUG 3356 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3357 printf("All done INIT-ACK processing\n"); 3358 } 3359#endif 3360 if (locked_tcb) { 3361 SCTP_TCB_UNLOCK(locked_tcb); 3362 } 3363 return (NULL); 3364 break; 3365 case SCTP_SELECTIVE_ACK: 3366#ifdef SCTP_DEBUG 3367 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3368 printf("SCTP_SACK\n"); 3369 } 3370#endif /* SCTP_DEBUG */ 3371 sctp_pegs[SCTP_PEG_SACKS_SEEN]++; 3372 { 3373 int abort_now = 0; 3374 stcb->asoc.seen_a_sack_this_pkt = 1; 3375 sctp_handle_sack((struct sctp_sack_chunk *)ch, 3376 stcb, *netp, &abort_now); 3377 if (abort_now) { 3378 /* ABORT signal from sack processing */ 3379 *offset = length; 3380 return (NULL); 3381 } 3382 } 3383 break; 3384 case SCTP_HEARTBEAT_REQUEST: 3385#ifdef SCTP_DEBUG 3386 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3387 printf("SCTP_HEARTBEAT\n"); 3388 } 3389#endif /* SCTP_DEBUG */ 3390 sctp_pegs[SCTP_HB_RECV]++; 3391 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3392 *netp); 3393 3394 /* He's alive so give him credit */ 3395 stcb->asoc.overall_error_count = 0; 3396 break; 3397 case SCTP_HEARTBEAT_ACK: 3398#ifdef SCTP_DEBUG 3399 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3400 printf("SCTP_HEARTBEAT-ACK\n"); 3401 } 3402#endif /* SCTP_DEBUG */ 3403 3404 /* He's alive so give him credit */ 3405 stcb->asoc.overall_error_count = 0; 3406 3407 sctp_pegs[SCTP_HB_ACK_RECV]++; 3408 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3409 stcb, *netp); 3410 break; 3411 case SCTP_ABORT_ASSOCIATION: 3412#ifdef SCTP_DEBUG 3413 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3414 printf("SCTP_ABORT\n"); 3415 } 3416#endif /* SCTP_DEBUG */ 3417 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3418 stcb, *netp); 3419 *offset = length; 3420 return (NULL); 3421 break; 3422 case SCTP_SHUTDOWN: 3423#ifdef SCTP_DEBUG 3424 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3425 printf("SCTP_SHUTDOWN\n"); 3426 } 3427#endif /* SCTP_DEBUG */ 3428 { 3429 int abort_flag = 0; 3430 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3431 stcb, *netp, &abort_flag); 3432 if (abort_flag) { 3433 *offset = length; 3434 return (NULL); 3435 } 3436 } 3437 break; 3438 case SCTP_SHUTDOWN_ACK: 3439#ifdef SCTP_DEBUG 3440 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3441 printf("SCTP_SHUTDOWN-ACK\n"); 3442 } 3443#endif /* SCTP_DEBUG */ 3444 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3445 *offset = length; 3446 return (NULL); 3447 break; 3448 case SCTP_OPERATION_ERROR: 3449#ifdef SCTP_DEBUG 3450 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3451 printf("SCTP_OP-ERR\n"); 3452 } 3453#endif /* SCTP_DEBUG */ 3454 if (sctp_handle_error(ch, stcb, *netp) < 0) { 3455 *offset = length; 3456 return (NULL); 3457 } 3458 break; 3459 case SCTP_COOKIE_ECHO: 3460#ifdef SCTP_DEBUG 3461 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3462 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3463 } 3464#endif /* SCTP_DEBUG */ 3465 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3466 /* We are not interested anymore */ 3467 *offset = length; 3468 if (stcb) { 3469 sctp_free_assoc(inp, stcb); 3470 } else { 3471 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3472 /* finish the job now */ 3473 sctp_inpcb_free(inp, 1); 3474 } 3475 } 3476 return (NULL); 3477 } 3478 /* 3479 * First are we accepting? 3480 * We do this again here since it is possible 3481 * that a previous endpoint WAS listening responded to 3482 * a INIT-ACK and then closed. We opened and bound.. 3483 * and are now no longer listening. 3484 */ 3485 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 3486 (inp->sctp_socket->so_qlimit == 0)) { 3487 sctp_abort_association(inp, stcb, m, iphlen, sh, 3488 NULL); 3489 *offset = length; 3490 return (NULL); 3491 } else if (inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) { 3492 /* we are accepting so check limits like TCP */ 3493 if (inp->sctp_socket->so_qlen > 3494 inp->sctp_socket->so_qlimit) { 3495 /* no space */ 3496 struct mbuf *oper; 3497 struct sctp_paramhdr *phdr; 3498 oper = NULL; 3499 MGETHDR(oper, M_DONTWAIT, MT_HEADER); 3500 if (oper) { 3501 oper->m_len = 3502 oper->m_pkthdr.len = 3503 sizeof(struct sctp_paramhdr); 3504 phdr = mtod(oper, 3505 struct sctp_paramhdr *); 3506 phdr->param_type = 3507 htons(SCTP_CAUSE_OUT_OF_RESC); 3508 phdr->param_length = 3509 htons(sizeof(struct sctp_paramhdr)); 3510 } 3511 sctp_abort_association(inp, stcb, m, 3512 iphlen, sh, oper); 3513 *offset = length; 3514 return (NULL); 3515 } 3516 } 3517 { 3518 struct mbuf *ret_buf; 3519 ret_buf = sctp_handle_cookie_echo(m, iphlen, 3520 *offset, sh, 3521 (struct sctp_cookie_echo_chunk *)ch, &inp, 3522 &stcb, netp); 3523#ifdef SCTP_DEBUG 3524 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3525 printf("ret_buf:%p length:%d off:%d\n", 3526 ret_buf, length, *offset); 3527 } 3528#endif /* SCTP_DEBUG */ 3529 3530 if (ret_buf == NULL) { 3531 if (locked_tcb) { 3532 SCTP_TCB_UNLOCK(locked_tcb); 3533 } 3534#ifdef SCTP_DEBUG 3535 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3536 printf("GAK, null buffer\n"); 3537 } 3538#endif /* SCTP_DEBUG */ 3539 *offset = length; 3540 return (NULL); 3541 } 3542 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 3543 /* 3544 * Restart the timer if we have pending 3545 * data 3546 */ 3547 struct sctp_tmit_chunk *chk; 3548 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 3549 if (chk) { 3550 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 3551 stcb->sctp_ep, stcb, 3552 chk->whoTo); 3553 } 3554 } 3555 } 3556 break; 3557 case SCTP_COOKIE_ACK: 3558#ifdef SCTP_DEBUG 3559 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3560 printf("SCTP_COOKIE-ACK\n"); 3561 } 3562#endif /* SCTP_DEBUG */ 3563 3564 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3565 /* We are not interested anymore */ 3566 sctp_free_assoc(inp, stcb); 3567 *offset = length; 3568 return (NULL); 3569 } 3570 /* He's alive so give him credit */ 3571 stcb->asoc.overall_error_count = 0; 3572 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, 3573 stcb, *netp); 3574 break; 3575 case SCTP_ECN_ECHO: 3576#ifdef SCTP_DEBUG 3577 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3578 printf("SCTP_ECN-ECHO\n"); 3579 } 3580#endif /* SCTP_DEBUG */ 3581 /* He's alive so give him credit */ 3582 stcb->asoc.overall_error_count = 0; 3583 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 3584 stcb); 3585 break; 3586 case SCTP_ECN_CWR: 3587#ifdef SCTP_DEBUG 3588 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3589 printf("SCTP_ECN-CWR\n"); 3590 } 3591#endif /* SCTP_DEBUG */ 3592 /* He's alive so give him credit */ 3593 stcb->asoc.overall_error_count = 0; 3594 3595 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 3596 break; 3597 case SCTP_SHUTDOWN_COMPLETE: 3598#ifdef SCTP_DEBUG 3599 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3600 printf("SCTP_SHUTDOWN-COMPLETE\n"); 3601 } 3602#endif /* SCTP_DEBUG */ 3603 /* must be first and only chunk */ 3604 if ((num_chunks > 1) || 3605 (length - *offset > SCTP_SIZE32(chk_length))) { 3606 *offset = length; 3607 if (locked_tcb) { 3608 SCTP_TCB_UNLOCK(locked_tcb); 3609 } 3610 return (NULL); 3611 } 3612 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 3613 stcb, *netp); 3614 *offset = length; 3615 return (NULL); 3616 break; 3617 case SCTP_ASCONF: 3618#ifdef SCTP_DEBUG 3619 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3620 printf("SCTP_ASCONF\n"); 3621 } 3622#endif /* SCTP_DEBUG */ 3623 /* He's alive so give him credit */ 3624 stcb->asoc.overall_error_count = 0; 3625 3626 sctp_handle_asconf(m, *offset, 3627 (struct sctp_asconf_chunk *)ch, stcb, *netp); 3628 break; 3629 case SCTP_ASCONF_ACK: 3630#ifdef SCTP_DEBUG 3631 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3632 printf("SCTP_ASCONF-ACK\n"); 3633 } 3634#endif /* SCTP_DEBUG */ 3635 /* He's alive so give him credit */ 3636 stcb->asoc.overall_error_count = 0; 3637 3638 sctp_handle_asconf_ack(m, *offset, 3639 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 3640 break; 3641 case SCTP_FORWARD_CUM_TSN: 3642#ifdef SCTP_DEBUG 3643 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3644 printf("SCTP_FWD-TSN\n"); 3645 } 3646#endif /* SCTP_DEBUG */ 3647 /* He's alive so give him credit */ 3648 { 3649 int abort_flag = 0; 3650 stcb->asoc.overall_error_count = 0; 3651 *fwd_tsn_seen = 1; 3652 sctp_handle_forward_tsn(stcb, 3653 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 3654 if (abort_flag) { 3655 *offset = length; 3656 return (NULL); 3657 } else { 3658 stcb->asoc.overall_error_count = 0; 3659 } 3660 3661 } 3662 break; 3663 case SCTP_STREAM_RESET: 3664#ifdef SCTP_DEBUG 3665 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3666 printf("SCTP_STREAM_RESET\n"); 3667 } 3668#endif /* SCTP_DEBUG */ 3669 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3670 chk_length, chunk_buf); 3671 if (stcb->asoc.peer_supports_strreset == 0) { 3672 /* hmm, peer should have annonced this, but 3673 * we will turn it on since he is sending us 3674 * a stream reset. 3675 */ 3676 stcb->asoc.peer_supports_strreset = 1; 3677 } 3678 sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_req *)ch); 3679 break; 3680 case SCTP_PACKET_DROPPED: 3681#ifdef SCTP_DEBUG 3682 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3683 printf("SCTP_PACKET_DROPPED\n"); 3684 } 3685#endif /* SCTP_DEBUG */ 3686 /* re-get it all please */ 3687 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3688 chk_length, chunk_buf); 3689 3690 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 3691 stcb, *netp); 3692 3693 3694 break; 3695 default: 3696 /* it's an unknown chunk! */ 3697 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 3698 struct mbuf *mm; 3699 struct sctp_paramhdr *phd; 3700 MGETHDR(mm, M_DONTWAIT, MT_HEADER); 3701 if (mm) { 3702 phd = mtod(mm, struct sctp_paramhdr *); 3703 /* We cheat and use param type since we 3704 * did not bother to define a error 3705 * cause struct. 3706 * They are the same basic format with 3707 * different names. 3708 */ 3709 phd->param_type = 3710 htons(SCTP_CAUSE_UNRECOG_CHUNK); 3711 phd->param_length = 3712 htons(chk_length + sizeof(*phd)); 3713 mm->m_len = sizeof(*phd); 3714 mm->m_next = sctp_m_copym(m, *offset, 3715 SCTP_SIZE32(chk_length), 3716 M_DONTWAIT); 3717 if (mm->m_next) { 3718 mm->m_pkthdr.len = 3719 SCTP_SIZE32(chk_length) + 3720 sizeof(*phd); 3721 sctp_queue_op_err(stcb, mm); 3722 } else { 3723 sctp_m_freem(mm); 3724#ifdef SCTP_DEBUG 3725 if (sctp_debug_on & 3726 SCTP_DEBUG_INPUT1) { 3727 printf("Gak can't copy the chunk into operr %d bytes\n", 3728 chk_length); 3729 } 3730#endif 3731 } 3732 } 3733#ifdef SCTP_DEBUG 3734 else { 3735 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3736 printf("Gak can't mgethdr for op-err of unrec chunk\n"); 3737 } 3738 } 3739#endif 3740 } 3741 if ((ch->chunk_type & 0x80) == 0) { 3742 /* discard this packet */ 3743 *offset = length; 3744 return (stcb); 3745 } /* else skip this bad chunk and continue... */ 3746 break; 3747 } /* switch (ch->chunk_type) */ 3748 /* get the next chunk */ 3749 *offset += SCTP_SIZE32(chk_length); 3750 if (*offset >= length) { 3751 /* no more data left in the mbuf chain */ 3752 break; 3753 } 3754 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3755 sizeof(struct sctp_chunkhdr), chunk_buf); 3756 if (ch == NULL) { 3757 if (locked_tcb) { 3758 SCTP_TCB_UNLOCK(locked_tcb); 3759 } 3760 *offset = length; 3761 return (NULL); 3762 } 3763 } /* while */ 3764 return (stcb); 3765} 3766 3767 3768/* 3769 * Process the ECN bits we have something set so 3770 * we must look to see if it is ECN(0) or ECN(1) or CE 3771 */ 3772static void 3773sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 3774 u_int8_t ecn_bits) 3775{ 3776 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3777 ; 3778 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 3779 /* 3780 * we only add to the nonce sum for ECT1, ECT0 3781 * does not change the NS bit (that we have 3782 * yet to find a way to send it yet). 3783 */ 3784 3785 /* ECN Nonce stuff */ 3786 stcb->asoc.receiver_nonce_sum++; 3787 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 3788 3789 /* 3790 * Drag up the last_echo point if cumack is larger since we 3791 * don't want the point falling way behind by more than 2^^31 3792 * and then having it be incorrect. 3793 */ 3794 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3795 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3796 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3797 } 3798 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 3799 /* 3800 * Drag up the last_echo point if cumack is larger since we 3801 * don't want the point falling way behind by more than 2^^31 3802 * and then having it be incorrect. 3803 */ 3804 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3805 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3806 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3807 } 3808 } 3809} 3810 3811static void 3812sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 3813 u_int32_t high_tsn, u_int8_t ecn_bits) 3814{ 3815 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3816 /* 3817 * we possibly must notify the sender that a congestion 3818 * window reduction is in order. We do this 3819 * by adding a ECNE chunk to the output chunk 3820 * queue. The incoming CWR will remove this chunk. 3821 */ 3822 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 3823 MAX_TSN)) { 3824 /* Yep, we need to add a ECNE */ 3825 sctp_send_ecn_echo(stcb, net, high_tsn); 3826 stcb->asoc.last_echo_tsn = high_tsn; 3827 } 3828 } 3829} 3830 3831/* 3832 * common input chunk processing (v4 and v6) 3833 */ 3834int 3835sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 3836 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 3837 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 3838 u_int8_t ecn_bits) 3839{ 3840 /* 3841 * Control chunk processing 3842 */ 3843 u_int32_t high_tsn; 3844 int fwd_tsn_seen = 0, data_processed = 0; 3845 struct mbuf *m = *mm; 3846 int abort_flag = 0; 3847 3848 sctp_pegs[SCTP_DATAGRAMS_RCVD]++; 3849#ifdef SCTP_AUDITING_ENABLED 3850 sctp_audit_log(0xE0, 1); 3851 sctp_auditing(0, inp, stcb, net); 3852#endif 3853 3854#ifdef SCTP_DEBUG 3855 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3856 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d\n", 3857 m, iphlen, offset, length); 3858 } 3859#endif /* SCTP_DEBUG */ 3860 if (IS_SCTP_CONTROL(ch)) { 3861 /* process the control portion of the SCTP packet */ 3862#ifdef SCTP_DEBUG 3863 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3864 printf("Processing control\n"); 3865 } 3866#endif /* SCTP_DEBUG */ 3867 3868 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 3869 inp, stcb, &net, &fwd_tsn_seen); 3870 } else { 3871 /* 3872 * no control chunks, so pre-process DATA chunks 3873 * (these checks are taken care of by control processing) 3874 */ 3875#ifdef SCTP_DEBUG 3876 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3877 printf("No control present\n"); 3878 } 3879#endif /* SCTP_DEBUG */ 3880 3881 if (stcb == NULL) { 3882 /* out of the blue DATA chunk */ 3883 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3884 return (1); 3885 } 3886 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 3887 /* v_tag mismatch! */ 3888 sctp_pegs[SCTP_BAD_VTAGS]++; 3889 SCTP_TCB_UNLOCK(stcb); 3890 return (1); 3891 } 3892 } 3893 if (stcb == NULL) { 3894 /* 3895 * no valid TCB for this packet, 3896 * or we found it's a bad packet while processing control, 3897 * or we're done with this packet (done or skip rest of data), 3898 * so we drop it... 3899 */ 3900 return (1); 3901 } 3902#ifdef SCTP_DEBUG 3903 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3904 printf("Ok, control finished time to look for data (%d) offset:%d\n", 3905 length, offset); 3906 } 3907#endif /* SCTP_DEBUG */ 3908 /* 3909 * DATA chunk processing 3910 */ 3911 /* plow through the data chunks while length > offset */ 3912 stcb->asoc.seen_a_sack_this_pkt = 0; 3913 3914 if (length > offset) { 3915 int retval; 3916 /* 3917 * First check to make sure our state is correct. 3918 * We would not get here unless we really did have a 3919 * tag, so we don't abort if this happens, just 3920 * dump the chunk silently. 3921 */ 3922 switch (SCTP_GET_STATE(&stcb->asoc)) { 3923 case SCTP_STATE_COOKIE_ECHOED: 3924 /* 3925 * we consider data with valid tags in 3926 * this state shows us the cookie-ack was lost. 3927 * Imply it was there. 3928 */ 3929 stcb->asoc.overall_error_count = 0; 3930 sctp_handle_cookie_ack( 3931 (struct sctp_cookie_ack_chunk *)ch, stcb, net); 3932 break; 3933 case SCTP_STATE_COOKIE_WAIT: 3934 /* 3935 * We consider OOTB any data sent during asoc setup. 3936 */ 3937 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3938 SCTP_TCB_UNLOCK(stcb); 3939 return (1); 3940 break; 3941 case SCTP_STATE_EMPTY: /* should not happen */ 3942 case SCTP_STATE_INUSE: /* should not happen */ 3943 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 3944 case SCTP_STATE_SHUTDOWN_ACK_SENT: 3945 default: 3946#ifdef SCTP_DEBUG 3947 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3948 printf("Got data in invalid state %d.. dropping\n", stcb->asoc.state); 3949 } 3950#endif 3951 SCTP_TCB_UNLOCK(stcb); 3952 return (1); 3953 break; 3954 case SCTP_STATE_OPEN: 3955 case SCTP_STATE_SHUTDOWN_SENT: 3956 break; 3957 } 3958 /* take care of ECN, part 1. */ 3959 if (stcb->asoc.ecn_allowed && 3960 (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3961 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 3962 } 3963 /* plow through the data chunks while length > offset */ 3964 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 3965 inp, stcb, net, &high_tsn); 3966 if (retval == 2) { 3967 /* The association aborted, NO UNLOCK needed 3968 * since the association is destroyed. 3969 */ 3970 return (0); 3971 } 3972 3973 data_processed = 1; 3974 if (retval == 0) { 3975 /* take care of ecn part 2. */ 3976 if (stcb->asoc.ecn_allowed && (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3977 sctp_process_ecn_marked_b(stcb, net, high_tsn, ecn_bits); 3978 3979 } 3980 } 3981 3982 /* 3983 * Anything important needs to have been m_copy'ed in 3984 * process_data 3985 */ 3986 } 3987 if ((data_processed == 0) && (fwd_tsn_seen)) { 3988 int was_a_gap = 0; 3989 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 3990 stcb->asoc.cumulative_tsn, MAX_TSN)) { 3991 /* there was a gap before this data was processed */ 3992 was_a_gap = 1; 3993 } 3994 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 3995 if (abort_flag) { 3996 /* Again, we aborted so NO UNLOCK needed */ 3997 return (0); 3998 } 3999 } 4000 /* trigger send of any chunks in queue... */ 4001#ifdef SCTP_AUDITING_ENABLED 4002 sctp_audit_log(0xE0, 2); 4003 sctp_auditing(1, inp, stcb, net); 4004#endif 4005#ifdef SCTP_DEBUG 4006 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4007 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4008 stcb->asoc.peers_rwnd, 4009 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4010 stcb->asoc.total_flight); 4011 } 4012#endif 4013 if (stcb->asoc.peers_rwnd > 0 || 4014 !TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4015 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)) { 4016#ifdef SCTP_DEBUG 4017 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4018 printf("Calling chunk OUTPUT\n"); 4019 } 4020#endif 4021 sctp_chunk_output(inp, stcb, 3); 4022#ifdef SCTP_DEBUG 4023 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4024 printf("chunk OUTPUT returns\n"); 4025 } 4026#endif 4027 } 4028 4029#ifdef SCTP_AUDITING_ENABLED 4030 sctp_audit_log(0xE0, 3); 4031 sctp_auditing(2, inp, stcb, net); 4032#endif 4033 SCTP_TCB_UNLOCK(stcb); 4034 return (0); 4035} 4036 4037#if defined(__OpenBSD__) 4038static void 4039sctp_saveopt(struct sctp_inpcb *inp, struct mbuf **mp, struct ip *ip, 4040 struct mbuf *m) 4041{ 4042 if (inp->ip_inp.inp.inp_flags & INP_RECVDSTADDR) { 4043 *mp = sbcreatecontrol((vaddr_t) &ip->ip_dst, 4044 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP); 4045 if (*mp) 4046 mp = &(*mp)->m_next; 4047 } 4048} 4049#endif 4050 4051extern int sctp_no_csum_on_loopback; 4052 4053void 4054sctp_input(struct mbuf *m, int off, int proto) 4055{ 4056 int iphlen; 4057 u_int8_t ecn_bits; 4058 struct ip *ip; 4059 struct sctphdr *sh; 4060 struct sctp_inpcb *inp = NULL; 4061 struct mbuf *opts = 0; 4062/*#ifdef INET6*/ 4063/* Don't think this is needed */ 4064/* struct ip6_recvpktopts opts6;*/ 4065/*#endif INET6 */ 4066 4067 u_int32_t check, calc_check; 4068 struct sctp_nets *net; 4069 struct sctp_tcb *stcb = NULL; 4070 struct sctp_chunkhdr *ch; 4071 int refcount_up = 0; 4072 int length, mlen, offset; 4073 4074 iphlen = off; 4075 4076 net = NULL; 4077 sctp_pegs[SCTP_INPKTS]++; 4078#ifdef SCTP_DEBUG 4079 /*if (sctp_debug_on & SCTP_DEBUG_INPUT1) {*/ 4080 printf("V4 input gets a packet iphlen:%d pktlen:%d\n", iphlen, m->m_pkthdr.len); 4081 /*}*/ 4082#endif 4083/*#ifdef INET6*/ 4084/* Don't think this is needed */ 4085/* bzero(&opts6, sizeof(opts6));*/ 4086/*#endif INET6 */ 4087 4088 /* 4089 * Strip IP options, we don't allow any in or out. 4090 */ 4091 if ((size_t)iphlen > sizeof(struct ip)) { 4092 printf("sctp_input: got options\n"); 4093#if 0 /* XXX */ 4094 ip_stripoptions(m, (struct mbuf *)0); 4095#endif 4096 iphlen = sizeof(struct ip); 4097 } 4098 4099 /* 4100 * Get IP, SCTP, and first chunk header together in first mbuf. 4101 */ 4102 ip = mtod(m, struct ip *); 4103 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4104 if (m->m_len < offset) { 4105 if ((m = m_pullup(m, offset)) == 0) { 4106 sctp_pegs[SCTP_HDR_DROPS]++; 4107 return; 4108 } 4109 ip = mtod(m, struct ip *); 4110 } 4111 sh = (struct sctphdr *)((vaddr_t)ip + iphlen); 4112 ch = (struct sctp_chunkhdr *)((vaddr_t)sh + sizeof(*sh)); 4113 4114 /* SCTP does not allow broadcasts or multicasts */ 4115 if (IN_MULTICAST(ip->ip_dst.s_addr)) 4116 { 4117 sctp_pegs[SCTP_IN_MCAST]++; 4118 goto bad; 4119 } 4120 if (in_broadcast(ip->ip_dst, m_get_rcvif_NOMPSAFE(m))) { 4121 sctp_pegs[SCTP_IN_MCAST]++; 4122 goto bad; 4123 } 4124 4125 /* destination port of 0 is illegal, based on RFC2960. */ 4126 if (sh->dest_port == 0) { 4127 sctp_pegs[SCTP_HDR_DROPS]++; 4128 goto bad; 4129 } 4130 4131 /* validate SCTP checksum */ 4132 if ((sctp_no_csum_on_loopback == 0) || 4133 (m_get_rcvif_NOMPSAFE(m) == NULL) || 4134 (m_get_rcvif_NOMPSAFE(m)->if_type != IFT_LOOP)) { 4135 /* we do NOT validate things from the loopback if the 4136 * sysctl is set to 1. 4137 */ 4138 check = sh->checksum; /* save incoming checksum */ 4139 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4140 /* special hook for where we got a local address 4141 * somehow routed across a non IFT_LOOP type interface 4142 */ 4143 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4144 goto sctp_skip_csum_4; 4145 } 4146 sh->checksum = 0; /* prepare for calc */ 4147 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4148 if (calc_check != check) { 4149#ifdef SCTP_DEBUG 4150 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4151 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4152 calc_check, check, m, mlen, iphlen); 4153 } 4154#endif 4155 4156 stcb = sctp_findassociation_addr(m, iphlen, 4157 offset - sizeof(*ch), 4158 sh, ch, &inp, &net); 4159 if ((inp) && (stcb)) { 4160 sctp_send_packet_dropped(stcb, net, m, iphlen, 4161 1); 4162 sctp_chunk_output(inp, stcb, 2); 4163 } else if ((inp != NULL) && (stcb == NULL)) { 4164 refcount_up = 1; 4165 } 4166 sctp_pegs[SCTP_BAD_CSUM]++; 4167 goto bad; 4168 } 4169 sh->checksum = calc_check; 4170 } else { 4171 sctp_skip_csum_4: 4172 mlen = m->m_pkthdr.len; 4173 } 4174 /* validate mbuf chain length with IP payload length */ 4175#if defined(__NetBSD__) || defined(__OpenBSD__) 4176 /* Open BSD gives us the len in network order, fix it */ 4177 NTOHS(ip->ip_len); 4178#endif 4179 if (mlen < (ip->ip_len - iphlen)) { 4180 sctp_pegs[SCTP_HDR_DROPS]++; 4181 goto bad; 4182 } 4183 4184 /* 4185 * Locate pcb and tcb for datagram 4186 * sctp_findassociation_addr() wants IP/SCTP/first chunk header... 4187 */ 4188#ifdef SCTP_DEBUG 4189 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4190 printf("V4 find association\n"); 4191 } 4192#endif 4193 4194 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4195 sh, ch, &inp, &net); 4196 /* inp's ref-count increased && stcb locked */ 4197 if (inp == NULL) { 4198 struct sctp_init_chunk *init_chk, chunk_buf; 4199 4200 sctp_pegs[SCTP_NOPORTS]++; 4201#ifdef ICMP_BANDLIM 4202 /* 4203 * we use the bandwidth limiting to protect against 4204 * sending too many ABORTS all at once. In this case 4205 * these count the same as an ICMP message. 4206 */ 4207 if (badport_bandlim(0) < 0) 4208 goto bad; 4209#endif /* ICMP_BANDLIM */ 4210#ifdef SCTP_DEBUG 4211 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4212 printf("Sending a ABORT from packet entry!\n"); 4213 } 4214#endif 4215 if (ch->chunk_type == SCTP_INITIATION) { 4216 /* we do a trick here to get the INIT tag, 4217 * dig in and get the tag from the INIT and 4218 * put it in the common header. 4219 */ 4220 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4221 iphlen + sizeof(*sh), sizeof(*init_chk), 4222 (u_int8_t *)&chunk_buf); 4223 if (init_chk != NULL) 4224 sh->v_tag = init_chk->init.initiate_tag; 4225 } 4226 sctp_send_abort(m, iphlen, sh, 0, NULL); 4227 goto bad; 4228 } else if (stcb == NULL) { 4229 refcount_up = 1; 4230 } 4231#ifdef IPSEC 4232 /* 4233 * I very much doubt any of the IPSEC stuff will work but I have 4234 * no idea, so I will leave it in place. 4235 */ 4236 if (ipsec_used && ipsec_in_reject(m, (struct inpcb *)inp)) { 4237#if 0 4238 ipsecstat.in_polvio++; 4239#endif 4240 sctp_pegs[SCTP_HDR_DROPS]++; 4241 goto bad; 4242 } 4243#endif /* IPSEC */ 4244 4245 /* 4246 * Construct sockaddr format source address. 4247 * Stuff source address and datagram in user buffer. 4248 */ 4249 if ((inp->ip_inp.inp.inp_flags & INP_CONTROLOPTS) 4250 || (inp->sctp_socket->so_options & SO_TIMESTAMP) 4251 ) { 4252 ip_savecontrol((struct inpcb *)inp, &opts, ip, m); 4253 } 4254 4255 /* 4256 * common chunk processing 4257 */ 4258 length = ip->ip_len - (ip->ip_hl << 2) + iphlen; 4259 offset -= sizeof(struct sctp_chunkhdr); 4260 4261 ecn_bits = ip->ip_tos; 4262 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4263 inp, stcb, net, ecn_bits); 4264 /* inp's ref-count reduced && stcb unlocked */ 4265 if (m) { 4266 sctp_m_freem(m); 4267 } 4268 if (opts) 4269 sctp_m_freem(opts); 4270 4271 if ((inp) && (refcount_up)) { 4272 /* reduce ref-count */ 4273 SCTP_INP_WLOCK(inp); 4274 SCTP_INP_DECR_REF(inp); 4275 SCTP_INP_WUNLOCK(inp); 4276 } 4277 4278 return; 4279bad: 4280 if (stcb) { 4281 SCTP_TCB_UNLOCK(stcb); 4282 } 4283 4284 if ((inp) && (refcount_up)) { 4285 /* reduce ref-count */ 4286 SCTP_INP_WLOCK(inp); 4287 SCTP_INP_DECR_REF(inp); 4288 SCTP_INP_WUNLOCK(inp); 4289 } 4290 4291 if (m) { 4292 sctp_m_freem(m); 4293 } 4294 if (opts) 4295 sctp_m_freem(opts); 4296 return; 4297} 4298