sctp_input.c revision 1.10
1/* $KAME: sctp_input.c,v 1.28 2005/04/21 18:36:21 nishida Exp $ */ 2/* $NetBSD: sctp_input.c,v 1.10 2018/09/03 16:29:36 riastradh Exp $ */ 3 4/* 5 * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc, 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.10 2018/09/03 16:29:36 riastradh Exp $"); 35 36#ifdef _KERNEL_OPT 37#include "opt_ipsec.h" 38#include "opt_inet.h" 39#include "opt_sctp.h" 40#endif /* _KERNEL_OPT */ 41 42#include <sys/param.h> 43#include <sys/systm.h> 44#include <sys/malloc.h> 45#include <sys/mbuf.h> 46#include <sys/socket.h> 47#include <sys/socketvar.h> 48#include <sys/sysctl.h> 49#include <sys/domain.h> 50#include <sys/protosw.h> 51#include <sys/kernel.h> 52#include <sys/errno.h> 53#include <sys/syslog.h> 54 55#include <machine/limits.h> 56#include <machine/cpu.h> 57 58#include <net/if.h> 59#include <net/route.h> 60#include <net/if_types.h> 61 62#include <netinet/in.h> 63#include <netinet/in_systm.h> 64#include <netinet/ip.h> 65#include <netinet/in_pcb.h> 66#include <netinet/in_var.h> 67#include <netinet/ip_var.h> 68 69#ifdef INET6 70#include <netinet/ip6.h> 71#include <netinet6/ip6_var.h> 72#endif /* INET6 */ 73 74#include <netinet/ip_icmp.h> 75#include <netinet/icmp_var.h> 76#include <netinet/sctp_var.h> 77#include <netinet/sctp_pcb.h> 78#include <netinet/sctp_header.h> 79#include <netinet/sctputil.h> 80#include <netinet/sctp_output.h> 81#include <netinet/sctp_input.h> 82#include <netinet/sctp_hashdriver.h> 83#include <netinet/sctp_indata.h> 84#include <netinet/sctp_asconf.h> 85 86#ifdef IPSEC 87#include <netipsec/ipsec.h> 88#include <netipsec/key.h> 89#endif /*IPSEC*/ 90 91#ifdef SCTP_DEBUG 92extern u_int32_t sctp_debug_on; 93#endif 94 95/* INIT handler */ 96static void 97sctp_handle_init(struct mbuf *m, int iphlen, int offset, 98 struct sctphdr *sh, struct sctp_init_chunk *cp, struct sctp_inpcb *inp, 99 struct sctp_tcb *stcb, struct sctp_nets *net) 100{ 101 struct sctp_init *init; 102 struct mbuf *op_err; 103#ifdef SCTP_DEBUG 104 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 105 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 106 } 107#endif 108 op_err = NULL; 109 init = &cp->init; 110 /* First are we accepting? */ 111 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 112 (inp->sctp_socket->so_qlimit == 0)) { 113 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 114 return; 115 } 116 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 117 /* Invalid length */ 118 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 119 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 120 return; 121 } 122 /* validate parameters */ 123 if (init->initiate_tag == 0) { 124 /* protocol error... send abort */ 125 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 126 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 127 return; 128 } 129 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 130 /* invalid parameter... send abort */ 131 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 132 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 133 return; 134 } 135 if (init->num_inbound_streams == 0) { 136 /* protocol error... send abort */ 137 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 138 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 139 return; 140 } 141 if (init->num_outbound_streams == 0) { 142 /* protocol error... send abort */ 143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 145 return; 146 } 147 148 /* send an INIT-ACK w/cookie */ 149#ifdef SCTP_DEBUG 150 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 151 printf("sctp_handle_init: sending INIT-ACK\n"); 152 } 153#endif 154 155 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 156} 157 158/* 159 * process peer "INIT/INIT-ACK" chunk 160 * returns value < 0 on error 161 */ 162 163static int 164sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 165 struct sctp_nets *net) 166{ 167 struct sctp_init *init; 168 struct sctp_association *asoc; 169 struct sctp_nets *lnet; 170 unsigned int i; 171 172 init = &cp->init; 173 asoc = &stcb->asoc; 174 /* save off parameters */ 175 asoc->peer_vtag = ntohl(init->initiate_tag); 176 asoc->peers_rwnd = ntohl(init->a_rwnd); 177 178 if (TAILQ_FIRST(&asoc->nets)) { 179 /* update any ssthresh's that may have a default */ 180 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 181 lnet->ssthresh = asoc->peers_rwnd; 182 } 183 } 184 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 185 unsigned int newcnt; 186 struct sctp_stream_out *outs; 187 struct sctp_tmit_chunk *chk; 188 189 /* cut back on number of streams */ 190 newcnt = ntohs(init->num_inbound_streams); 191 /* This if is probably not needed but I am cautious */ 192 if (asoc->strmout) { 193 /* First make sure no data chunks are trapped */ 194 for (i=newcnt; i < asoc->pre_open_streams; i++) { 195 outs = &asoc->strmout[i]; 196 chk = TAILQ_FIRST(&outs->outqueue); 197 while (chk) { 198 TAILQ_REMOVE(&outs->outqueue, chk, 199 sctp_next); 200 asoc->stream_queue_cnt--; 201 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL, 202 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 203 chk); 204 if (chk->data) { 205 sctp_m_freem(chk->data); 206 chk->data = NULL; 207 } 208 sctp_free_remote_addr(chk->whoTo); 209 chk->whoTo = NULL; 210 chk->asoc = NULL; 211 /* Free the chunk */ 212 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 213 sctppcbinfo.ipi_count_chunk--; 214 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 215 panic("Chunk count is negative"); 216 } 217 sctppcbinfo.ipi_gencnt_chunk++; 218 chk = TAILQ_FIRST(&outs->outqueue); 219 } 220 } 221 } 222 /* cut back the count and abandon the upper streams */ 223 asoc->pre_open_streams = newcnt; 224 } 225 asoc->streamincnt = ntohs(init->num_outbound_streams); 226 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 227 asoc->streamincnt = MAX_SCTP_STREAMS; 228 } 229 230 asoc->streamoutcnt = asoc->pre_open_streams; 231 /* init tsn's */ 232 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 233#ifdef SCTP_MAP_LOGGING 234 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 235#endif 236 /* This is the next one we expect */ 237 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 238 239 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 240 asoc->cumulative_tsn = asoc->asconf_seq_in; 241 asoc->last_echo_tsn = asoc->asconf_seq_in; 242 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 243 /* open the requested streams */ 244 if (asoc->strmin != NULL) { 245 /* Free the old ones */ 246 free(asoc->strmin, M_PCB); 247 } 248 asoc->strmin = malloc(asoc->streamincnt * sizeof(struct sctp_stream_in), 249 M_PCB, M_NOWAIT); 250 if (asoc->strmin == NULL) { 251 /* we didn't get memory for the streams! */ 252#ifdef SCTP_DEBUG 253 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 254 printf("process_init: couldn't get memory for the streams!\n"); 255 } 256#endif 257 return (-1); 258 } 259 for (i = 0; i < asoc->streamincnt; i++) { 260 asoc->strmin[i].stream_no = i; 261 asoc->strmin[i].last_sequence_delivered = 0xffff; 262 /* 263 * U-stream ranges will be set when the cookie 264 * is unpacked. Or for the INIT sender they 265 * are un set (if pr-sctp not supported) when the 266 * INIT-ACK arrives. 267 */ 268 TAILQ_INIT(&asoc->strmin[i].inqueue); 269 /* 270 * we are not on any wheel, pr-sctp streams 271 * will go on the wheel when they have data waiting 272 * for reorder. 273 */ 274 asoc->strmin[i].next_spoke.tqe_next = 0; 275 asoc->strmin[i].next_spoke.tqe_prev = 0; 276 } 277 278 /* 279 * load_address_from_init will put the addresses into the 280 * association when the COOKIE is processed or the INIT-ACK 281 * is processed. Both types of COOKIE's existing and new 282 * call this routine. It will remove addresses that 283 * are no longer in the association (for the restarting 284 * case where addresses are removed). Up front when the 285 * INIT arrives we will discard it if it is a restart 286 * and new addresses have been added. 287 */ 288 return (0); 289} 290 291/* 292 * INIT-ACK message processing/consumption 293 * returns value < 0 on error 294 */ 295static int 296sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 297 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 298 struct sctp_nets *net) 299{ 300 struct sctp_association *asoc; 301 struct mbuf *op_err; 302 int retval, abort_flag; 303 uint32_t initack_limit; 304 /* First verify that we have no illegal param's */ 305 abort_flag = 0; 306 op_err = NULL; 307 308 op_err = sctp_arethere_unrecognized_parameters(m, 309 (offset+sizeof(struct sctp_init_chunk)) , 310 &abort_flag, (struct sctp_chunkhdr *)cp); 311 if (abort_flag) { 312 /* Send an abort and notify peer */ 313 if (op_err != NULL) { 314 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 315 } else { 316 /* 317 * Just notify (abort_assoc does this if 318 * we send an abort). 319 */ 320 sctp_abort_notification(stcb, 0); 321 /* 322 * No sense in further INIT's since 323 * we will get the same param back 324 */ 325 sctp_free_assoc(stcb->sctp_ep, stcb); 326 } 327 return (-1); 328 } 329 asoc = &stcb->asoc; 330 /* process the peer's parameters in the INIT-ACK */ 331 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 332 if (retval < 0) { 333 return (retval); 334 } 335 336 initack_limit = offset + ntohs(cp->ch.chunk_length); 337 /* load all addresses */ 338 if (sctp_load_addresses_from_init(stcb, m, iphlen, 339 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 340 NULL)) { 341 /* Huh, we should abort */ 342 sctp_abort_notification(stcb, 0); 343 sctp_free_assoc(stcb->sctp_ep, stcb); 344 return (-1); 345 } 346 if (op_err) { 347 sctp_queue_op_err(stcb, op_err); 348 /* queuing will steal away the mbuf chain to the out queue */ 349 op_err = NULL; 350 } 351 /* extract the cookie and queue it to "echo" it back... */ 352 stcb->asoc.overall_error_count = 0; 353 net->error_count = 0; 354 retval = sctp_send_cookie_echo(m, offset, stcb, net); 355 if (retval < 0) { 356 /* 357 * No cookie, we probably should send a op error. 358 * But in any case if there is no cookie in the INIT-ACK, 359 * we can abandon the peer, its broke. 360 */ 361 if (retval == -3) { 362 /* We abort with an error of missing mandatory param */ 363 op_err = 364 sctp_generate_invmanparam(SCTP_CAUSE_MISS_PARAM); 365 if (op_err) { 366 /* 367 * Expand beyond to include the mandatory 368 * param cookie 369 */ 370 struct sctp_inv_mandatory_param *mp; 371 op_err->m_len = 372 sizeof(struct sctp_inv_mandatory_param); 373 mp = mtod(op_err, 374 struct sctp_inv_mandatory_param *); 375 /* Subtract the reserved param */ 376 mp->length = 377 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 378 mp->num_param = htonl(1); 379 mp->param = htons(SCTP_STATE_COOKIE); 380 mp->resv = 0; 381 } 382 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 383 sh, op_err); 384 } 385 return (retval); 386 } 387 388 /* 389 * Cancel the INIT timer, We do this first before queueing 390 * the cookie. We always cancel at the primary to assue that 391 * we are canceling the timer started by the INIT which always 392 * goes to the primary. 393 */ 394 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 395 asoc->primary_destination); 396 397 /* calculate the RTO */ 398 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 399 400 return (0); 401} 402 403static void 404sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 405 struct sctp_tcb *stcb, struct sctp_nets *net) 406{ 407 struct sockaddr_storage store; 408 struct sockaddr_in *sin; 409 struct sockaddr_in6 *sin6; 410 struct sctp_nets *r_net; 411 struct timeval tv; 412 413 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 414 /* Invalid length */ 415 return; 416 } 417 418 sin = (struct sockaddr_in *)&store; 419 sin6 = (struct sockaddr_in6 *)&store; 420 421 memset(&store, 0, sizeof(store)); 422 if (cp->heartbeat.hb_info.addr_family == AF_INET && 423 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 424 sin->sin_family = cp->heartbeat.hb_info.addr_family; 425 sin->sin_len = cp->heartbeat.hb_info.addr_len; 426 sin->sin_port = stcb->rport; 427 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 428 sizeof(sin->sin_addr)); 429 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 430 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 431 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 432 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 433 sin6->sin6_port = stcb->rport; 434 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 435 sizeof(sin6->sin6_addr)); 436 } else { 437#ifdef SCTP_DEBUG 438 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 439 printf("unsupported address family"); 440 } 441#endif 442 return; 443 } 444 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 445 if (r_net == NULL) { 446#ifdef SCTP_DEBUG 447 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 448 printf("Huh? I can't find the address I sent it to, discard\n"); 449 } 450#endif 451 return; 452 } 453 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 454 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 455 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 456 /* 457 * If the its a HB and it's random value is correct when 458 * can confirm the destination. 459 */ 460 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 461 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 462 stcb, 0, (void *)r_net); 463 } 464 r_net->error_count = 0; 465 r_net->hb_responded = 1; 466 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 467 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 468 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 469 r_net->dest_state = SCTP_ADDR_REACHABLE; 470 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 471 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 472 473 /* now was it the primary? if so restore */ 474 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 475 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 476 } 477 } 478 /* Now lets do a RTO with this */ 479 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 480} 481 482static void 483sctp_handle_abort(struct sctp_abort_chunk *cp, 484 struct sctp_tcb *stcb, struct sctp_nets *net) 485{ 486 487#ifdef SCTP_DEBUG 488 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 489 printf("sctp_handle_abort: handling ABORT\n"); 490 } 491#endif 492 if (stcb == NULL) 493 return; 494 /* verify that the destination addr is in the association */ 495 /* ignore abort for addresses being deleted */ 496 497 /* stop any receive timers */ 498 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net); 499 /* notify user of the abort and clean up... */ 500 sctp_abort_notification(stcb, 0); 501 /* free the tcb */ 502 sctp_free_assoc(stcb->sctp_ep, stcb); 503#ifdef SCTP_DEBUG 504 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 505 printf("sctp_handle_abort: finished\n"); 506 } 507#endif 508} 509 510static void 511sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 512 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 513{ 514 struct sctp_association *asoc; 515 int some_on_streamwheel; 516 517#ifdef SCTP_DEBUG 518 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 519 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 520 } 521#endif 522 if (stcb == NULL) 523 return; 524 525 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) || 526 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 527 return; 528 } 529 530 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 531 /* update current data status */ 532#ifdef SCTP_DEBUG 533 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 534 printf("Warning Shutdown NOT the expected size.. skipping (%d:%d)\n", 535 ntohs(cp->ch.chunk_length), 536 (int)sizeof(struct sctp_shutdown_chunk)); 537 } 538#endif 539 return; 540 } else { 541 sctp_update_acked(stcb, cp, net, abort_flag); 542 } 543 asoc = &stcb->asoc; 544 /* goto SHUTDOWN_RECEIVED state to block new requests */ 545 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 546 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 547 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 548#ifdef SCTP_DEBUG 549 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 550 printf("Moving to SHUTDOWN-RECEIVED state\n"); 551 } 552#endif 553 /* notify upper layer that peer has initiated a shutdown */ 554 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 555 556 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 557 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 558 559 /* Set the flag so we cannot send more, we 560 * would call the function but we don't want to 561 * wake up the ulp necessarily. 562 */ 563#if defined(__FreeBSD__) && __FreeBSD_version >= 502115 564 stcb->sctp_ep->sctp_socket->so_rcv.sb_state |= SBS_CANTSENDMORE; 565#else 566 stcb->sctp_ep->sctp_socket->so_state |= SS_CANTSENDMORE; 567#endif 568 } 569 /* reset time */ 570 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 571 } 572 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 573 /* 574 * stop the shutdown timer, since we WILL move 575 * to SHUTDOWN-ACK-SENT. 576 */ 577 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 578 } 579 /* Now are we there yet? */ 580 some_on_streamwheel = 0; 581 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 582 /* Check to see if some data queued */ 583 struct sctp_stream_out *outs; 584 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 585 if (!TAILQ_EMPTY(&outs->outqueue)) { 586 some_on_streamwheel = 1; 587 break; 588 } 589 } 590 } 591#ifdef SCTP_DEBUG 592 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 593 printf("some_on_streamwheel:%d send_q_empty:%d sent_q_empty:%d\n", 594 some_on_streamwheel, 595 !TAILQ_EMPTY(&asoc->send_queue), 596 !TAILQ_EMPTY(&asoc->sent_queue)); 597 } 598#endif 599 if (!TAILQ_EMPTY(&asoc->send_queue) || 600 !TAILQ_EMPTY(&asoc->sent_queue) || 601 some_on_streamwheel) { 602 /* By returning we will push more data out */ 603 return; 604 } else { 605 /* no outstanding data to send, so move on... */ 606 /* send SHUTDOWN-ACK */ 607 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 608 /* move to SHUTDOWN-ACK-SENT state */ 609 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 610#ifdef SCTP_DEBUG 611 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 612 printf("moving to SHUTDOWN_ACK state\n"); 613 } 614#endif 615 /* start SHUTDOWN timer */ 616 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 617 stcb, net); 618 } 619} 620 621static void 622sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 623 struct sctp_tcb *stcb, struct sctp_nets *net) 624{ 625 struct sctp_association *asoc; 626 627#ifdef SCTP_DEBUG 628 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 629 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 630 } 631#endif 632 if (stcb == NULL) 633 return; 634 635 asoc = &stcb->asoc; 636 /* process according to association state */ 637 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 638 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 639 /* unexpected SHUTDOWN-ACK... so ignore... */ 640 return; 641 } 642 /* are the queues empty? */ 643 if (!TAILQ_EMPTY(&asoc->send_queue) || 644 !TAILQ_EMPTY(&asoc->sent_queue) || 645 !TAILQ_EMPTY(&asoc->out_wheel)) { 646 sctp_report_all_outbound(stcb); 647 } 648 /* stop the timer */ 649 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 650 /* send SHUTDOWN-COMPLETE */ 651 sctp_send_shutdown_complete(stcb, net); 652 /* notify upper layer protocol */ 653 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 654 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 655 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 656 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 657 /* Set the connected flag to disconnected */ 658 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 659 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0; 660 soisdisconnected(stcb->sctp_ep->sctp_socket); 661 } 662 /* free the TCB but first save off the ep */ 663 sctp_free_assoc(stcb->sctp_ep, stcb); 664} 665 666/* 667 * Skip past the param header and then we will find the chunk that 668 * caused the problem. There are two possiblities ASCONF or FWD-TSN 669 * other than that and our peer must be broken. 670 */ 671static void 672sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 673 struct sctp_nets *net) 674{ 675 struct sctp_chunkhdr *chk; 676 677 chk = (struct sctp_chunkhdr *)((vaddr_t)phdr + sizeof(*phdr)); 678 switch (chk->chunk_type) { 679 case SCTP_ASCONF_ACK: 680#ifdef SCTP_DEBUG 681 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 682 printf("Strange peer, snds ASCONF but does not recongnize asconf-ack?\n"); 683 } 684#endif 685 case SCTP_ASCONF: 686#ifdef SCTP_DEBUG 687 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 688 printf("Peer does not support ASCONF/ASCONF-ACK chunks\n"); 689 } 690#endif /* SCTP_DEBUG */ 691 sctp_asconf_cleanup(stcb, net); 692 break; 693 case SCTP_FORWARD_CUM_TSN: 694 stcb->asoc.peer_supports_prsctp = 0; 695 break; 696 default: 697#ifdef SCTP_DEBUG 698 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 699 printf("Peer does not support chunk type %d(%x)??\n", 700 chk->chunk_type, (u_int)chk->chunk_type); 701 } 702#endif 703 break; 704 } 705} 706 707/* 708 * Skip past the param header and then we will find the param that 709 * caused the problem. There are a number of param's in a ASCONF 710 * OR the prsctp param these will turn of specific features. 711 */ 712static void 713sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 714{ 715 struct sctp_paramhdr *pbad; 716 717 pbad = phdr + 1; 718 switch (ntohs(pbad->param_type)) { 719 /* pr-sctp draft */ 720 case SCTP_PRSCTP_SUPPORTED: 721 stcb->asoc.peer_supports_prsctp = 0; 722 break; 723 case SCTP_SUPPORTED_CHUNK_EXT: 724 break; 725 /* draft-ietf-tsvwg-addip-sctp */ 726 case SCTP_ECN_NONCE_SUPPORTED: 727 stcb->asoc.peer_supports_ecn_nonce = 0; 728 stcb->asoc.ecn_nonce_allowed = 0; 729 stcb->asoc.ecn_allowed = 0; 730 break; 731 case SCTP_ADD_IP_ADDRESS: 732 case SCTP_DEL_IP_ADDRESS: 733 stcb->asoc.peer_supports_asconf = 0; 734 break; 735 case SCTP_SET_PRIM_ADDR: 736 stcb->asoc.peer_supports_asconf_setprim = 0; 737 break; 738 case SCTP_SUCCESS_REPORT: 739 case SCTP_ERROR_CAUSE_IND: 740#ifdef SCTP_DEBUG 741 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 742 printf("Huh, the peer does not support success? or error cause?\n"); 743 printf("Turning off ASCONF to this strange peer\n"); 744 } 745#endif 746 stcb->asoc.peer_supports_asconf = 0; 747 stcb->asoc.peer_supports_asconf_setprim = 0; 748 break; 749 default: 750#ifdef SCTP_DEBUG 751 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 752 printf("Peer does not support base param type %d(%x)??\n", 753 pbad->param_type, (u_int)pbad->param_type); 754 } 755#endif 756 break; 757 } 758} 759 760static int 761sctp_handle_error(struct sctp_chunkhdr *ch, 762 struct sctp_tcb *stcb, struct sctp_nets *net) 763{ 764 int chklen; 765 struct sctp_paramhdr *phdr; 766 uint16_t error_type; 767 uint16_t error_len; 768 struct sctp_association *asoc; 769 770 int adjust; 771 /* parse through all of the errors and process */ 772 asoc = &stcb->asoc; 773 phdr = (struct sctp_paramhdr *)((vaddr_t)ch + 774 sizeof(struct sctp_chunkhdr)); 775 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 776 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 777 /* Process an Error Cause */ 778 error_type = ntohs(phdr->param_type); 779 error_len = ntohs(phdr->param_length); 780 if ((error_len > chklen) || (error_len == 0)) { 781 /* invalid param length for this param */ 782#ifdef SCTP_DEBUG 783 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 784 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 785 chklen, error_len); 786 } 787#endif /* SCTP_DEBUG */ 788 return (0); 789 } 790 switch (error_type) { 791 case SCTP_CAUSE_INV_STRM: 792 case SCTP_CAUSE_MISS_PARAM: 793 case SCTP_CAUSE_INVALID_PARAM: 794 case SCTP_CAUSE_NOUSER_DATA: 795#ifdef SCTP_DEBUG 796 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 797 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 798 error_type); 799 } 800#endif 801 break; 802 case SCTP_CAUSE_STALE_COOKIE: 803 /* We only act if we have echoed a cookie and are waiting. */ 804 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 805 int *p; 806 p = (int *)((vaddr_t)phdr + sizeof(*phdr)); 807 /* Save the time doubled */ 808 asoc->cookie_preserve_req = ntohl(*p) << 1; 809 asoc->stale_cookie_count++; 810 if (asoc->stale_cookie_count > 811 asoc->max_init_times) { 812 sctp_abort_notification(stcb, 0); 813 /* now free the asoc */ 814 sctp_free_assoc(stcb->sctp_ep, stcb); 815 return (-1); 816 } 817 /* blast back to INIT state */ 818 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 819 asoc->state |= SCTP_STATE_COOKIE_WAIT; 820 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 821 stcb->sctp_ep, stcb, net); 822 sctp_send_initiate(stcb->sctp_ep, stcb); 823 } 824 break; 825 case SCTP_CAUSE_UNRESOLV_ADDR: 826 /* 827 * Nothing we can do here, we don't do hostname 828 * addresses so if the peer does not like my IPv6 (or 829 * IPv4 for that matter) it does not matter. If they 830 * don't support that type of address, they can NOT 831 * possibly get that packet type... i.e. with no IPv6 832 * you can't recieve a IPv6 packet. so we can safely 833 * ignore this one. If we ever added support for 834 * HOSTNAME Addresses, then we would need to do 835 * something here. 836 */ 837 break; 838 case SCTP_CAUSE_UNRECOG_CHUNK: 839 sctp_process_unrecog_chunk(stcb, phdr, net); 840 break; 841 case SCTP_CAUSE_UNRECOG_PARAM: 842 sctp_process_unrecog_param(stcb, phdr); 843 break; 844 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 845 /* 846 * We ignore this since the timer will drive out a new 847 * cookie anyway and there timer will drive us to send 848 * a SHUTDOWN_COMPLETE. We can't send one here since 849 * we don't have their tag. 850 */ 851 break; 852 case SCTP_CAUSE_DELETEING_LAST_ADDR: 853 case SCTP_CAUSE_OPERATION_REFUSED: 854 case SCTP_CAUSE_DELETING_SRC_ADDR: 855 /* We should NOT get these here, but in a ASCONF-ACK. */ 856#ifdef SCTP_DEBUG 857 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 858 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 859 error_type); 860 } 861#endif 862 break; 863 case SCTP_CAUSE_OUT_OF_RESC: 864 /* 865 * And what, pray tell do we do with the fact 866 * that the peer is out of resources? Not 867 * really sure we could do anything but abort. 868 * I suspect this should have came WITH an 869 * abort instead of in a OP-ERROR. 870 */ 871 break; 872 default: 873#ifdef SCTP_DEBUG 874 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 875 /* don't know what this error cause is... */ 876 printf("sctp_handle_error: unknown error type = 0x%xh\n", 877 error_type); 878 } 879#endif /* SCTP_DEBUG */ 880 break; 881 } 882 adjust = SCTP_SIZE32(error_len); 883 chklen -= adjust; 884 phdr = (struct sctp_paramhdr *)((vaddr_t)phdr + adjust); 885 } 886 return (0); 887} 888 889static int 890sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 891 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 892 struct sctp_nets *net) 893{ 894 struct sctp_init_ack *init_ack; 895 int *state; 896 struct mbuf *op_err; 897 898#ifdef SCTP_DEBUG 899 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 900 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 901 } 902#endif 903 if (stcb == NULL) { 904#ifdef SCTP_DEBUG 905 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 906 printf("sctp_handle_init_ack: TCB is null\n"); 907 } 908#endif 909 return (-1); 910 } 911 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 912 /* Invalid length */ 913 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 914 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 915 op_err); 916 return (-1); 917 } 918 init_ack = &cp->init; 919 /* validate parameters */ 920 if (init_ack->initiate_tag == 0) { 921 /* protocol error... send an abort */ 922 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 923 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 924 op_err); 925 return (-1); 926 } 927 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 928 /* protocol error... send an abort */ 929 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 930 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 931 op_err); 932 return (-1); 933 } 934 if (init_ack->num_inbound_streams == 0) { 935 /* protocol error... send an abort */ 936 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 937 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 938 op_err); 939 return (-1); 940 } 941 if (init_ack->num_outbound_streams == 0) { 942 /* protocol error... send an abort */ 943 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 944 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 945 op_err); 946 return (-1); 947 } 948 949 /* process according to association state... */ 950 state = &stcb->asoc.state; 951 switch (*state & SCTP_STATE_MASK) { 952 case SCTP_STATE_COOKIE_WAIT: 953 /* this is the expected state for this chunk */ 954 /* process the INIT-ACK parameters */ 955 if (stcb->asoc.primary_destination->dest_state & 956 SCTP_ADDR_UNCONFIRMED) { 957 /* 958 * The primary is where we sent the INIT, we can 959 * always consider it confirmed when the INIT-ACK 960 * is returned. Do this before we load addresses 961 * though. 962 */ 963 stcb->asoc.primary_destination->dest_state &= 964 ~SCTP_ADDR_UNCONFIRMED; 965 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 966 stcb, 0, (void *)stcb->asoc.primary_destination); 967 } 968 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net 969 ) < 0) { 970 /* error in parsing parameters */ 971#ifdef SCTP_DEBUG 972 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 973 printf("sctp_process_init_ack: error in msg, discarding\n"); 974 } 975#endif 976 return (-1); 977 } 978 /* update our state */ 979#ifdef SCTP_DEBUG 980 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 981 printf("moving to COOKIE-ECHOED state\n"); 982 } 983#endif 984 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 985 *state = SCTP_STATE_COOKIE_ECHOED | 986 SCTP_STATE_SHUTDOWN_PENDING; 987 } else { 988 *state = SCTP_STATE_COOKIE_ECHOED; 989 } 990 991 /* reset the RTO calc */ 992 stcb->asoc.overall_error_count = 0; 993 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 994 /* 995 * collapse the init timer back in case of a exponential backoff 996 */ 997 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 998 stcb, net); 999 /* 1000 * the send at the end of the inbound data processing will 1001 * cause the cookie to be sent 1002 */ 1003 break; 1004 case SCTP_STATE_SHUTDOWN_SENT: 1005 /* incorrect state... discard */ 1006 break; 1007 case SCTP_STATE_COOKIE_ECHOED: 1008 /* incorrect state... discard */ 1009 break; 1010 case SCTP_STATE_OPEN: 1011 /* incorrect state... discard */ 1012 break; 1013 case SCTP_STATE_EMPTY: 1014 case SCTP_STATE_INUSE: 1015 default: 1016 /* incorrect state... discard */ 1017#ifdef SCTP_DEBUG 1018 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1019 printf("Leaving handle-init-ack default\n"); 1020 } 1021#endif 1022 return (-1); 1023 break; 1024 } /* end switch asoc state */ 1025#ifdef SCTP_DEBUG 1026 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1027 printf("Leaving handle-init-ack end\n"); 1028 } 1029#endif 1030 return (0); 1031} 1032 1033 1034/* 1035 * handle a state cookie for an existing association 1036 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1037 * note: this is a "split" mbuf and the cookie signature does not exist 1038 * offset: offset into mbuf to the cookie-echo chunk 1039 */ 1040static struct sctp_tcb * 1041sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1042 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1043 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1044 struct sockaddr *init_src, int *notification) 1045{ 1046 struct sctp_association *asoc; 1047 struct sctp_init_chunk *init_cp, init_buf; 1048 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1049 int chk_length; 1050 int init_offset, initack_offset; 1051 int retval; 1052 1053 /* I know that the TCB is non-NULL from the caller */ 1054 asoc = &stcb->asoc; 1055 1056 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1057 /* SHUTDOWN came in after sending INIT-ACK */ 1058 struct mbuf *op_err; 1059 struct sctp_paramhdr *ph; 1060 1061 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1062#ifdef SCTP_DEBUG 1063 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1064 printf("sctp_handle_cookie: got a cookie, while shutting down!\n"); 1065 } 1066#endif 1067 MGETHDR(op_err, M_DONTWAIT, MT_HEADER); 1068 if (op_err == NULL) { 1069 /* FOOBAR */ 1070 return (NULL); 1071 } 1072 /* pre-reserve some space */ 1073 op_err->m_data += sizeof(struct ip6_hdr); 1074 op_err->m_data += sizeof(struct sctphdr); 1075 op_err->m_data += sizeof(struct sctp_chunkhdr); 1076 /* Set the len */ 1077 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr); 1078 ph = mtod(op_err, struct sctp_paramhdr *); 1079 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1080 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1081 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1082 return (NULL); 1083 } 1084 /* 1085 * find and validate the INIT chunk in the cookie (peer's info) 1086 * the INIT should start after the cookie-echo header struct 1087 * (chunk header, state cookie header struct) 1088 */ 1089 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1090 1091 init_cp = (struct sctp_init_chunk *) 1092 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1093 (u_int8_t *)&init_buf); 1094 if (init_cp == NULL) { 1095 /* could not pull a INIT chunk in cookie */ 1096#ifdef SCTP_DEBUG 1097 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1098 printf("process_cookie_existing: could not pull INIT chunk hdr\n"); 1099 } 1100#endif /* SCTP_DEBUG */ 1101 return (NULL); 1102 } 1103 chk_length = ntohs(init_cp->ch.chunk_length); 1104 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1105#ifdef SCTP_DEBUG 1106 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1107 printf("process_cookie_existing: could not find INIT chunk!\n"); 1108 } 1109#endif /* SCTP_DEBUG */ 1110 return (NULL); 1111 } 1112 1113 /* 1114 * find and validate the INIT-ACK chunk in the cookie (my info) 1115 * the INIT-ACK follows the INIT chunk 1116 */ 1117 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1118 initack_cp = (struct sctp_init_ack_chunk *) 1119 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1120 (u_int8_t *)&initack_buf); 1121 if (initack_cp == NULL) { 1122 /* could not pull INIT-ACK chunk in cookie */ 1123#ifdef SCTP_DEBUG 1124 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1125 printf("process_cookie_existing: could not pull INIT-ACK chunk hdr\n"); 1126 } 1127#endif /* SCTP_DEBUG */ 1128 return (NULL); 1129 } 1130 chk_length = ntohs(initack_cp->ch.chunk_length); 1131 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1132#ifdef SCTP_DEBUG 1133 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1134 printf("process_cookie_existing: could not find INIT-ACK chunk!\n"); 1135 } 1136#endif /* SCTP_DEBUG */ 1137 return (NULL); 1138 } 1139 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1140 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1141 /* 1142 * case D in Section 5.2.4 Table 2: MMAA 1143 * process accordingly to get into the OPEN state 1144 */ 1145 switch SCTP_GET_STATE(asoc) { 1146 case SCTP_STATE_COOKIE_WAIT: 1147 /* 1148 * INIT was sent, but got got a COOKIE_ECHO with 1149 * the correct tags... just accept it... 1150 */ 1151 /* First we must process the INIT !! */ 1152 retval = sctp_process_init(init_cp, stcb, net); 1153 if (retval < 0) { 1154#ifdef SCTP_DEBUG 1155 printf("process_cookie_existing: INIT processing failed\n"); 1156#endif 1157 return (NULL); 1158 } 1159 /* intentional fall through to below... */ 1160 1161 case SCTP_STATE_COOKIE_ECHOED: 1162 /* Duplicate INIT case */ 1163 /* we have already processed the INIT so no problem */ 1164 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1165 net); 1166 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1167 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, 1168 net); 1169 /* update current state */ 1170 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1171 asoc->state = SCTP_STATE_OPEN | 1172 SCTP_STATE_SHUTDOWN_PENDING; 1173 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { 1174 /* if ok, move to OPEN state */ 1175 asoc->state = SCTP_STATE_OPEN; 1176 } 1177 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1178 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1179 (!(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING))) { 1180 /* 1181 * Here is where collision would go if we did a 1182 * connect() and instead got a 1183 * init/init-ack/cookie done before the 1184 * init-ack came back.. 1185 */ 1186 stcb->sctp_ep->sctp_flags |= 1187 SCTP_PCB_FLAGS_CONNECTED; 1188 soisconnected(stcb->sctp_ep->sctp_socket); 1189 } 1190 /* notify upper layer */ 1191 *notification = SCTP_NOTIFY_ASSOC_UP; 1192 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1193 net); 1194 /* 1195 * since we did not send a HB make sure we don't double 1196 * things 1197 */ 1198 net->hb_responded = 1; 1199 1200 if (stcb->asoc.sctp_autoclose_ticks && 1201 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1202 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1203 inp, stcb, NULL); 1204 } 1205 break; 1206 default: 1207 /* 1208 * we're in the OPEN state (or beyond), so peer 1209 * must have simply lost the COOKIE-ACK 1210 */ 1211 break; 1212 } /* end switch */ 1213 1214 /* 1215 * We ignore the return code here.. not sure if we should 1216 * somehow abort.. but we do have an existing asoc. This 1217 * really should not fail. 1218 */ 1219 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1220 init_offset + sizeof(struct sctp_init_chunk), 1221 initack_offset, sh, init_src)) { 1222#ifdef SCTP_DEBUG 1223 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1224 printf("Weird cookie load_address failure on cookie existing - 1\n"); 1225 } 1226#endif 1227 return (NULL); 1228 } 1229 1230 /* respond with a COOKIE-ACK */ 1231 sctp_send_cookie_ack(stcb); 1232 return (stcb); 1233 } /* end if */ 1234 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1235 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1236 cookie->tie_tag_my_vtag == 0 && 1237 cookie->tie_tag_peer_vtag == 0) { 1238 /* 1239 * case C in Section 5.2.4 Table 2: XMOO 1240 * silently discard 1241 */ 1242 return (NULL); 1243 } 1244 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1245 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1246 init_cp->init.initiate_tag == 0)) { 1247 /* 1248 * case B in Section 5.2.4 Table 2: MXAA or MOAA 1249 * my info should be ok, re-accept peer info 1250 */ 1251 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1252 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1253 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1254 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1255 /* 1256 * since we did not send a HB make sure we don't double things 1257 */ 1258 net->hb_responded = 1; 1259 if (stcb->asoc.sctp_autoclose_ticks && 1260 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1261 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1262 NULL); 1263 } 1264 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1265 asoc->pre_open_streams = 1266 ntohs(initack_cp->init.num_outbound_streams); 1267 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1268 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1269 asoc->init_seq_number; 1270 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1271 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1272 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1273 asoc->str_reset_seq_in = asoc->init_seq_number; 1274 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1275 1276 /* process the INIT info (peer's info) */ 1277 retval = sctp_process_init(init_cp, stcb, net); 1278 if (retval < 0) { 1279#ifdef SCTP_DEBUG 1280 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1281 printf("process_cookie_existing: INIT processing failed\n"); 1282 } 1283#endif 1284 return (NULL); 1285 } 1286 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1287 init_offset + sizeof(struct sctp_init_chunk), 1288 initack_offset, sh, init_src)) { 1289#ifdef SCTP_DEBUG 1290 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1291 printf("Weird cookie load_address failure on cookie existing - 2\n"); 1292 } 1293#endif 1294 return (NULL); 1295 } 1296 1297 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1298 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1299 *notification = SCTP_NOTIFY_ASSOC_UP; 1300 1301 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1302 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1303 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1304 stcb->sctp_ep->sctp_flags |= 1305 SCTP_PCB_FLAGS_CONNECTED; 1306 soisconnected(stcb->sctp_ep->sctp_socket); 1307 } 1308 } 1309 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1310 asoc->state = SCTP_STATE_OPEN | 1311 SCTP_STATE_SHUTDOWN_PENDING; 1312 } else { 1313 asoc->state = SCTP_STATE_OPEN; 1314 } 1315 sctp_send_cookie_ack(stcb); 1316 return (stcb); 1317 } 1318 1319 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1320 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1321 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1322 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1323 cookie->tie_tag_peer_vtag != 0) { 1324 /* 1325 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1326 */ 1327 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1328 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1329 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1330 1331 /* notify upper layer */ 1332 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1333 1334 /* send up all the data */ 1335 sctp_report_all_outbound(stcb); 1336 1337 /* process the INIT-ACK info (my info) */ 1338 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1339 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1340 asoc->pre_open_streams = 1341 ntohs(initack_cp->init.num_outbound_streams); 1342 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1343 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1344 asoc->init_seq_number; 1345 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1346 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1347 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1348 asoc->str_reset_seq_in = asoc->init_seq_number; 1349 1350 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1351 if (asoc->mapping_array) 1352 memset(asoc->mapping_array, 0, 1353 asoc->mapping_array_size); 1354 /* process the INIT info (peer's info) */ 1355 retval = sctp_process_init(init_cp, stcb, net); 1356 if (retval < 0) { 1357#ifdef SCTP_DEBUG 1358 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1359 printf("process_cookie_existing: INIT processing failed\n"); 1360 } 1361#endif 1362 return (NULL); 1363 } 1364 1365 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1366 /* 1367 * since we did not send a HB make sure we don't double things 1368 */ 1369 net->hb_responded = 1; 1370 1371 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1372 init_offset + sizeof(struct sctp_init_chunk), 1373 initack_offset, sh, init_src)) { 1374#ifdef SCTP_DEBUG 1375 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1376 printf("Weird cookie load_address failure on cookie existing - 3\n"); 1377 } 1378#endif 1379 return (NULL); 1380 } 1381 1382 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1383 asoc->state = SCTP_STATE_OPEN | 1384 SCTP_STATE_SHUTDOWN_PENDING; 1385 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1386 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1387 asoc->state = SCTP_STATE_OPEN; 1388 } 1389 /* respond with a COOKIE-ACK */ 1390 sctp_send_cookie_ack(stcb); 1391 1392 return (stcb); 1393 } 1394 /* all other cases... */ 1395 return (NULL); 1396} 1397 1398/* 1399 * handle a state cookie for a new association 1400 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1401 * note: this is a "split" mbuf and the cookie signature does not exist 1402 * offset: offset into mbuf to the cookie-echo chunk 1403 * length: length of the cookie chunk 1404 * to: where the init was from 1405 * returns a new TCB 1406 */ 1407static struct sctp_tcb * 1408sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1409 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1410 struct sctp_inpcb *inp, struct sctp_nets **netp, 1411 struct sockaddr *init_src, int *notification) 1412{ 1413 struct sctp_tcb *stcb; 1414 struct sctp_init_chunk *init_cp, init_buf; 1415 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1416 struct sockaddr_storage sa_store; 1417 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1418 struct sockaddr_in *sin; 1419 struct sockaddr_in6 *sin6; 1420 struct sctp_association *asoc; 1421 int chk_length; 1422 int init_offset, initack_offset, initack_limit; 1423 int retval; 1424 int error = 0; 1425 /* 1426 * find and validate the INIT chunk in the cookie (peer's info) 1427 * the INIT should start after the cookie-echo header struct 1428 * (chunk header, state cookie header struct) 1429 */ 1430 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1431 init_cp = (struct sctp_init_chunk *) 1432 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1433 (u_int8_t *)&init_buf); 1434 if (init_cp == NULL) { 1435 /* could not pull a INIT chunk in cookie */ 1436#ifdef SCTP_DEBUG 1437 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1438 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1439 } 1440#endif /* SCTP_DEBUG */ 1441 return (NULL); 1442 } 1443 chk_length = ntohs(init_cp->ch.chunk_length); 1444 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1445#ifdef SCTP_DEBUG 1446 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1447 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1448 } 1449#endif /* SCTP_DEBUG */ 1450 return (NULL); 1451 } 1452 1453 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1454 /* 1455 * find and validate the INIT-ACK chunk in the cookie (my info) 1456 * the INIT-ACK follows the INIT chunk 1457 */ 1458 initack_cp = (struct sctp_init_ack_chunk *) 1459 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1460 (u_int8_t *)&initack_buf); 1461 if (initack_cp == NULL) { 1462 /* could not pull INIT-ACK chunk in cookie */ 1463#ifdef SCTP_DEBUG 1464 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1465 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1466 } 1467#endif /* SCTP_DEBUG */ 1468 return (NULL); 1469 } 1470 chk_length = ntohs(initack_cp->ch.chunk_length); 1471 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1472#ifdef SCTP_DEBUG 1473 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1474 u_int8_t *pp; 1475 pp = (u_int8_t *)initack_cp; 1476 printf("process_cookie_new: could not find INIT-ACK chunk!\n"); 1477 printf("Found bytes %x %x %x %x at postion %d\n", 1478 (u_int)pp[0], (u_int)pp[1], (u_int)pp[2], 1479 (u_int)pp[3], initack_offset); 1480 } 1481#endif /* SCTP_DEBUG */ 1482 return (NULL); 1483 } 1484 initack_limit = initack_offset + SCTP_SIZE32(chk_length); 1485 1486 /* 1487 * now that we know the INIT/INIT-ACK are in place, 1488 * create a new TCB and popluate 1489 */ 1490 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, ntohl(initack_cp->init.initiate_tag)); 1491 if (stcb == NULL) { 1492 struct mbuf *op_err; 1493 /* memory problem? */ 1494#ifdef SCTP_DEBUG 1495 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1496 printf("process_cookie_new: no room for another TCB!\n"); 1497 } 1498#endif /* SCTP_DEBUG */ 1499 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1500 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1501 sh, op_err); 1502 return (NULL); 1503 } 1504 1505 /* get the correct sctp_nets */ 1506 *netp = sctp_findnet(stcb, init_src); 1507 asoc = &stcb->asoc; 1508 /* get scope variables out of cookie */ 1509 asoc->ipv4_local_scope = cookie->ipv4_scope; 1510 asoc->site_scope = cookie->site_scope; 1511 asoc->local_scope = cookie->local_scope; 1512 asoc->loopback_scope = cookie->loopback_scope; 1513 1514 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1515 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1516 struct mbuf *op_err; 1517 /* 1518 * Houston we have a problem. The EP changed while the cookie 1519 * was in flight. Only recourse is to abort the association. 1520 */ 1521 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1522 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1523 sh, op_err); 1524 return (NULL); 1525 } 1526 1527 /* process the INIT-ACK info (my info) */ 1528 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1529 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1530 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1531 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1532 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1533 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1534 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1535 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1536 asoc->str_reset_seq_in = asoc->init_seq_number; 1537 1538 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1539 1540 /* process the INIT info (peer's info) */ 1541 retval = sctp_process_init(init_cp, stcb, *netp); 1542 if (retval < 0) { 1543#ifdef SCTP_DEBUG 1544 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1545 printf("process_cookie_new: INIT processing failed\n"); 1546 } 1547#endif 1548 sctp_free_assoc(inp, stcb); 1549 return (NULL); 1550 } 1551 /* load all addresses */ 1552 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1553 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1554 init_src)) { 1555 sctp_free_assoc(inp, stcb); 1556 return (NULL); 1557 } 1558 1559 /* update current state */ 1560#ifdef SCTP_DEBUG 1561 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1562 printf("moving to OPEN state\n"); 1563 } 1564#endif 1565 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1566 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1567 } else { 1568 asoc->state = SCTP_STATE_OPEN; 1569 } 1570 /* calculate the RTT */ 1571 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1572 &cookie->time_entered); 1573 1574 /* 1575 * if we're doing ASCONFs, check to see if we have any new 1576 * local addresses that need to get added to the peer (eg. 1577 * addresses changed while cookie echo in flight). This needs 1578 * to be done after we go to the OPEN state to do the correct 1579 * asconf processing. 1580 * else, make sure we have the correct addresses in our lists 1581 */ 1582 1583 /* warning, we re-use sin, sin6, sa_store here! */ 1584 /* pull in local_address (our "from" address) */ 1585 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1586 /* source addr is IPv4 */ 1587 sin = (struct sockaddr_in *)initack_src; 1588 memset(sin, 0, sizeof(*sin)); 1589 sin->sin_family = AF_INET; 1590 sin->sin_len = sizeof(struct sockaddr_in); 1591 sin->sin_addr.s_addr = cookie->laddress[0]; 1592 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1593 /* source addr is IPv6 */ 1594 sin6 = (struct sockaddr_in6 *)initack_src; 1595 memset(sin6, 0, sizeof(*sin6)); 1596 sin6->sin6_family = AF_INET6; 1597 sin6->sin6_len = sizeof(struct sockaddr_in6); 1598 sin6->sin6_scope_id = cookie->scope_id; 1599 memcpy(&sin6->sin6_addr, cookie->laddress, 1600 sizeof(sin6->sin6_addr)); 1601 } else { 1602 sctp_free_assoc(inp, stcb); 1603 return (NULL); 1604 } 1605 1606 sctp_check_address_list(stcb, m, initack_offset + 1607 sizeof(struct sctp_init_ack_chunk), initack_limit, 1608 initack_src, cookie->local_scope, cookie->site_scope, 1609 cookie->ipv4_scope, cookie->loopback_scope); 1610 1611 1612 /* set up to notify upper layer */ 1613 *notification = SCTP_NOTIFY_ASSOC_UP; 1614 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1615 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1616 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1617 /* 1618 * This is an endpoint that called connect() 1619 * how it got a cookie that is NEW is a bit of 1620 * a mystery. It must be that the INIT was sent, but 1621 * before it got there.. a complete INIT/INIT-ACK/COOKIE 1622 * arrived. But of course then it should have went to 1623 * the other code.. not here.. oh well.. a bit of protection 1624 * is worth having.. 1625 */ 1626 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1627 soisconnected(stcb->sctp_ep->sctp_socket); 1628 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1629 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1630 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1631 /* 1632 * We don't want to do anything with this 1633 * one. Since it is the listening guy. The timer will 1634 * get started for accepted connections in the caller. 1635 */ 1636 ; 1637 } else { 1638 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1639 } 1640 /* since we did not send a HB make sure we don't double things */ 1641 (*netp)->hb_responded = 1; 1642 1643 if (stcb->asoc.sctp_autoclose_ticks && 1644 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1645 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1646 } 1647 1648 /* respond with a COOKIE-ACK */ 1649 sctp_send_cookie_ack(stcb); 1650 1651 return (stcb); 1652} 1653 1654 1655/* 1656 * handles a COOKIE-ECHO message 1657 * stcb: modified to either a new or left as existing (non-NULL) TCB 1658 */ 1659static struct mbuf * 1660sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1661 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1662 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp) 1663{ 1664 struct sctp_state_cookie *cookie; 1665 struct sockaddr_in6 sin6; 1666 struct sockaddr_in sin; 1667 struct sctp_tcb *l_stcb=*stcb; 1668 struct sctp_inpcb *l_inp; 1669 struct sockaddr *to; 1670 struct sctp_pcb *ep; 1671 struct mbuf *m_sig; 1672 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1673 uint8_t *sig; 1674 uint8_t cookie_ok = 0; 1675 unsigned int size_of_pkt, sig_offset, cookie_offset; 1676 unsigned int cookie_len; 1677 struct timeval now; 1678 struct timeval time_expires; 1679 struct sockaddr_storage dest_store; 1680 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1681 struct ip *iph; 1682 int notification = 0; 1683 struct sctp_nets *netl; 1684 int had_a_existing_tcb = 0; 1685 1686#ifdef SCTP_DEBUG 1687 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1688 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1689 } 1690#endif 1691 1692 if (inp_p == NULL) { 1693#ifdef SCTP_DEBUG 1694 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1695 printf("sctp_handle_cookie: null inp_p!\n"); 1696 } 1697#endif 1698 return (NULL); 1699 } 1700 /* First get the destination address setup too. */ 1701 iph = mtod(m, struct ip *); 1702 if (iph->ip_v == IPVERSION) { 1703 /* its IPv4 */ 1704 struct sockaddr_in *sin_d; 1705 sin_d = (struct sockaddr_in *)(localep_sa); 1706 memset(sin_d, 0, sizeof(*sin_d)); 1707 sin_d->sin_family = AF_INET; 1708 sin_d->sin_len = sizeof(*sin_d); 1709 sin_d->sin_port = sh->dest_port; 1710 sin_d->sin_addr.s_addr = iph->ip_dst.s_addr ; 1711 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1712 /* its IPv6 */ 1713 struct ip6_hdr *ip6; 1714 struct sockaddr_in6 *sin6_d; 1715 sin6_d = (struct sockaddr_in6 *)(localep_sa); 1716 memset(sin6_d, 0, sizeof(*sin6_d)); 1717 sin6_d->sin6_family = AF_INET6; 1718 sin6_d->sin6_len = sizeof(struct sockaddr_in6); 1719 ip6 = mtod(m, struct ip6_hdr *); 1720 sin6_d->sin6_port = sh->dest_port; 1721 sin6_d->sin6_addr = ip6->ip6_dst; 1722 } else { 1723 return (NULL); 1724 } 1725 1726 cookie = &cp->cookie; 1727 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1728 cookie_len = ntohs(cp->ch.chunk_length); 1729 1730 /* compute size of packet */ 1731 if (m->m_flags & M_PKTHDR) { 1732 size_of_pkt = m->m_pkthdr.len; 1733 } else { 1734 /* Should have a pkt hdr really */ 1735 struct mbuf *mat; 1736 mat = m; 1737 size_of_pkt = 0; 1738 while (mat != NULL) { 1739 size_of_pkt += mat->m_len; 1740 mat = mat->m_next; 1741 } 1742 } 1743 if (cookie_len > size_of_pkt || 1744 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1745 sizeof(struct sctp_init_chunk) + 1746 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1747 /* cookie too long! or too small */ 1748#ifdef SCTP_DEBUG 1749 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1750 printf("sctp_handle_cookie: cookie_len=%u, pkt size=%u\n", cookie_len, size_of_pkt); 1751 } 1752#endif /* SCTP_DEBUG */ 1753 return (NULL); 1754 } 1755 1756 if ((cookie->peerport != sh->src_port) && 1757 (cookie->myport != sh->dest_port) && 1758 (cookie->my_vtag != sh->v_tag)) { 1759 /* 1760 * invalid ports or bad tag. Note that we always leave 1761 * the v_tag in the header in network order and when we 1762 * stored it in the my_vtag slot we also left it in network 1763 * order. This maintians the match even though it may be in 1764 * the opposite byte order of the machine :-> 1765 */ 1766 return (NULL); 1767 } 1768 1769 /* 1770 * split off the signature into its own mbuf (since it 1771 * should not be calculated in the sctp_hash_digest_m() call). 1772 */ 1773 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1774 if (sig_offset > size_of_pkt) { 1775 /* packet not correct size! */ 1776 /* XXX this may already be accounted for earlier... */ 1777#ifdef SCTP_DEBUG 1778 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1779 printf("sctp_handle_cookie: sig offset=%u, pkt size=%u\n", sig_offset, size_of_pkt); 1780 } 1781#endif 1782 return (NULL); 1783 } 1784 1785 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1786 if (m_sig == NULL) { 1787 /* out of memory or ?? */ 1788#ifdef SCTP_DEBUG 1789 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1790 printf("sctp_handle_cookie: couldn't m_split the signature\n"); 1791 } 1792#endif 1793 return (NULL); 1794 } 1795 /* 1796 * compute the signature/digest for the cookie 1797 */ 1798 ep = &(*inp_p)->sctp_ep; 1799 l_inp = *inp_p; 1800 if (l_stcb) { 1801 SCTP_TCB_UNLOCK(l_stcb); 1802 } 1803 SCTP_INP_RLOCK(l_inp); 1804 if (l_stcb) { 1805 SCTP_TCB_LOCK(l_stcb); 1806 } 1807 /* which cookie is it? */ 1808 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1809 (ep->current_secret_number != ep->last_secret_number)) { 1810 /* it's the old cookie */ 1811#ifdef SCTP_DEBUG 1812 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1813 printf("sctp_handle_cookie: old cookie sig\n"); 1814 } 1815#endif 1816 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1817 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1818 } else { 1819 /* it's the current cookie */ 1820#ifdef SCTP_DEBUG 1821 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1822 printf("sctp_handle_cookie: current cookie sig\n"); 1823 } 1824#endif 1825 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->current_secret_number], 1826 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1827 } 1828 /* get the signature */ 1829 SCTP_INP_RUNLOCK(l_inp); 1830 sig = (u_int8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (u_int8_t *)&tmp_sig); 1831 if (sig == NULL) { 1832 /* couldn't find signature */ 1833#ifdef SCTP_DEBUG 1834 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1835 printf("sctp_handle_cookie: couldn't pull the signature\n"); 1836 } 1837#endif 1838 return (NULL); 1839 } 1840 /* compare the received digest with the computed digest */ 1841 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1842 /* try the old cookie? */ 1843 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1844 (ep->current_secret_number != ep->last_secret_number)) { 1845 /* compute digest with old */ 1846#ifdef SCTP_DEBUG 1847 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1848 printf("sctp_handle_cookie: old cookie sig\n"); 1849 } 1850#endif 1851 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1852 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1853 /* compare */ 1854 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1855 cookie_ok = 1; 1856 } 1857 } else { 1858 cookie_ok = 1; 1859 } 1860 1861 /* 1862 * Now before we continue we must reconstruct our mbuf so 1863 * that normal processing of any other chunks will work. 1864 */ 1865 { 1866 struct mbuf *m_at; 1867 m_at = m; 1868 while (m_at->m_next != NULL) { 1869 m_at = m_at->m_next; 1870 } 1871 m_at->m_next = m_sig; 1872 if (m->m_flags & M_PKTHDR) { 1873 /* 1874 * We should only do this if and only if the front 1875 * mbuf has a m_pkthdr... it should in theory. 1876 */ 1877 if (m_sig->m_flags & M_PKTHDR) { 1878 /* Add back to the pkt hdr of main m chain */ 1879 m->m_pkthdr.len += m_sig->m_len; 1880 } else { 1881 /* 1882 * Got a problem, no pkthdr in split chain. 1883 * TSNH but we will handle it just in case 1884 */ 1885 int mmlen = 0; 1886 struct mbuf *lat; 1887 printf("Warning: Hitting m_split join TSNH code - fixed\n"); 1888 lat = m_sig; 1889 while (lat) { 1890 mmlen += lat->m_len; 1891 lat = lat->m_next; 1892 } 1893 m->m_pkthdr.len += mmlen; 1894 } 1895 } 1896 } 1897 1898 if (cookie_ok == 0) { 1899#ifdef SCTP_DEBUG 1900 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1901 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1902 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1903 (u_int32_t)offset, cookie_offset, sig_offset); 1904 } 1905#endif 1906 return (NULL); 1907 } 1908#ifdef SCTP_DEBUG 1909 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1910 printf("handle_cookie_echo: cookie signature validation passed\n"); 1911 } 1912#endif 1913 1914 /* 1915 * check the cookie timestamps to be sure it's not stale 1916 */ 1917 SCTP_GETTIME_TIMEVAL(&now); 1918 /* Expire time is in Ticks, so we convert to seconds */ 1919 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 1920 time_expires.tv_usec = cookie->time_entered.tv_usec; 1921#ifndef __FreeBSD__ 1922 if (timercmp(&now, &time_expires, >)) 1923#else 1924 if (timevalcmp(&now, &time_expires, >)) 1925#endif 1926 { 1927 /* cookie is stale! */ 1928 struct mbuf *op_err; 1929 struct sctp_stale_cookie_msg *scm; 1930 u_int32_t tim; 1931#ifdef SCTP_DEBUG 1932 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 1933 printf("sctp_handle_cookie: got a STALE cookie!\n"); 1934 } 1935#endif 1936 MGETHDR(op_err, M_DONTWAIT, MT_HEADER); 1937 if (op_err == NULL) { 1938 /* FOOBAR */ 1939 return (NULL); 1940 } 1941 /* pre-reserve some space */ 1942 op_err->m_data += sizeof(struct ip6_hdr); 1943 op_err->m_data += sizeof(struct sctphdr); 1944 op_err->m_data += sizeof(struct sctp_chunkhdr); 1945 1946 /* Set the len */ 1947 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg); 1948 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1949 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1950 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1951 (sizeof(u_int32_t)))); 1952 /* seconds to usec */ 1953 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 1954 /* add in usec */ 1955 if (tim == 0) 1956 tim = now.tv_usec - cookie->time_entered.tv_usec; 1957 scm->time_usec = htonl(tim); 1958 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1959 return (NULL); 1960 } 1961 /* 1962 * Now we must see with the lookup address if we have an existing 1963 * asoc. This will only happen if we were in the COOKIE-WAIT state 1964 * and a INIT collided with us and somewhere the peer sent the 1965 * cookie on another address besides the single address our assoc 1966 * had for him. In this case we will have one of the tie-tags set 1967 * at least AND the address field in the cookie can be used to 1968 * look it up. 1969 */ 1970 to = NULL; 1971 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 1972 memset(&sin6, 0, sizeof(sin6)); 1973 sin6.sin6_family = AF_INET6; 1974 sin6.sin6_len = sizeof(sin6); 1975 sin6.sin6_port = sh->src_port; 1976 sin6.sin6_scope_id = cookie->scope_id; 1977 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 1978 sizeof(sin6.sin6_addr.s6_addr)); 1979 to = (struct sockaddr *)&sin6; 1980 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 1981 memset(&sin, 0, sizeof(sin)); 1982 sin.sin_family = AF_INET; 1983 sin.sin_len = sizeof(sin); 1984 sin.sin_port = sh->src_port; 1985 sin.sin_addr.s_addr = cookie->address[0]; 1986 to = (struct sockaddr *)&sin; 1987 } 1988 1989 if ((*stcb == NULL) && to) { 1990 /* Yep, lets check */ 1991 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 1992 if (*stcb == NULL) { 1993 /* We should have only got back the same inp. If we 1994 * got back a different ep we have a problem. The original 1995 * findep got back l_inp and now 1996 */ 1997 if (l_inp != *inp_p) { 1998 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 1999 } 2000 } 2001 } 2002 2003 cookie_len -= SCTP_SIGNATURE_SIZE; 2004 if (*stcb == NULL) { 2005 /* this is the "normal" case... get a new TCB */ 2006#ifdef SCTP_DEBUG 2007 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2008 printf("sctp_handle_cookie: processing NEW cookie\n"); 2009 } 2010#endif 2011 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2012 cookie_len, *inp_p, netp, to, ¬ification); 2013 /* now always decrement, since this is the normal 2014 * case.. we had no tcb when we entered. 2015 */ 2016 } else { 2017 /* this is abnormal... cookie-echo on existing TCB */ 2018#ifdef SCTP_DEBUG 2019 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2020 printf("sctp_handle_cookie: processing EXISTING cookie\n"); 2021 } 2022#endif 2023 had_a_existing_tcb = 1; 2024 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2025 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification); 2026 } 2027 2028 if (*stcb == NULL) { 2029 /* still no TCB... must be bad cookie-echo */ 2030#ifdef SCTP_DEBUG 2031 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2032 printf("handle_cookie_echo: ACK! don't have a TCB!\n"); 2033 } 2034#endif /* SCTP_DEBUG */ 2035 return (NULL); 2036 } 2037 2038 /* 2039 * Ok, we built an association so confirm the address 2040 * we sent the INIT-ACK to. 2041 */ 2042 netl = sctp_findnet(*stcb, to); 2043 /* This code should in theory NOT run but 2044 */ 2045 if (netl == NULL) { 2046#ifdef SCTP_DEBUG 2047 printf("TSNH! Huh, why do I need to add this address here?\n"); 2048#endif 2049 sctp_add_remote_addr(*stcb, to, 0, 100); 2050 netl = sctp_findnet(*stcb, to); 2051 } 2052 if (netl) { 2053 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2054 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2055 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2056 netl); 2057 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2058 (*stcb), 0, (void *)netl); 2059 } 2060 } 2061#ifdef SCTP_DEBUG 2062 else { 2063 printf("Could not add source address for some reason\n"); 2064 } 2065#endif 2066 2067 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2068 if (!had_a_existing_tcb || 2069 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2070 /* 2071 * If we have a NEW cookie or the connect never reached 2072 * the connected state during collision we must do the 2073 * TCP accept thing. 2074 */ 2075 struct socket *so, *oso; 2076 struct sctp_inpcb *inp; 2077 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2078 /* 2079 * For a restart we will keep the same socket, 2080 * no need to do anything. I THINK!! 2081 */ 2082 sctp_ulp_notify(notification, *stcb, 0, NULL); 2083 return (m); 2084 } 2085 oso = (*inp_p)->sctp_socket; 2086 SCTP_TCB_UNLOCK((*stcb)); 2087 so = sonewconn(oso, SS_ISCONNECTED); 2088 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2089 SCTP_TCB_LOCK((*stcb)); 2090 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2091 if (so == NULL) { 2092 struct mbuf *op_err; 2093 /* Too many sockets */ 2094#ifdef SCTP_DEBUG 2095 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2096 printf("process_cookie_new: no room for another socket!\n"); 2097 } 2098#endif /* SCTP_DEBUG */ 2099 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2100 sctp_abort_association(*inp_p, NULL, m, iphlen, 2101 sh, op_err); 2102 sctp_free_assoc(*inp_p, *stcb); 2103 return (NULL); 2104 } 2105 inp = (struct sctp_inpcb *)so->so_pcb; 2106 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2107 SCTP_PCB_FLAGS_CONNECTED | 2108 SCTP_PCB_FLAGS_IN_TCPPOOL | 2109 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2110 SCTP_PCB_FLAGS_DONT_WAKE); 2111 inp->sctp_socket = so; 2112 2113 /* 2114 * Now we must move it from one hash table to another 2115 * and get the tcb in the right place. 2116 */ 2117 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2118 2119 /* Switch over to the new guy */ 2120 *inp_p = inp; 2121 2122 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, 2123 *stcb, *netp); 2124 2125 sctp_ulp_notify(notification, *stcb, 0, NULL); 2126 return (m); 2127 } 2128 } 2129 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2130 sctp_ulp_notify(notification, *stcb, 0, NULL); 2131 } 2132 return (m); 2133} 2134 2135static void 2136sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2137 struct sctp_tcb *stcb, struct sctp_nets *net) 2138{ 2139 /* cp must not be used, others call this without a c-ack :-) */ 2140 struct sctp_association *asoc; 2141 2142#ifdef SCTP_DEBUG 2143 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2144 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2145 } 2146#endif 2147 if (stcb == NULL) 2148 return; 2149 2150 asoc = &stcb->asoc; 2151 2152 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2153 2154 /* process according to association state */ 2155 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2156 /* state change only needed when I am in right state */ 2157#ifdef SCTP_DEBUG 2158 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2159 printf("moving to OPEN state\n"); 2160 } 2161#endif 2162 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2163 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2164 } else { 2165 asoc->state = SCTP_STATE_OPEN; 2166 } 2167 2168 /* update RTO */ 2169 if (asoc->overall_error_count == 0) { 2170 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2171 &asoc->time_entered); 2172 } 2173 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2174 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2175 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2176 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2177 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2178 soisconnected(stcb->sctp_ep->sctp_socket); 2179 } 2180 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2181 stcb, net); 2182 /* since we did not send a HB make sure we don't double things */ 2183 net->hb_responded = 1; 2184 2185 if (stcb->asoc.sctp_autoclose_ticks && 2186 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 2187 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2188 stcb->sctp_ep, stcb, NULL); 2189 } 2190 2191 /* 2192 * set ASCONF timer if ASCONFs are pending and allowed 2193 * (eg. addresses changed when init/cookie echo in flight) 2194 */ 2195 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_DO_ASCONF) && 2196 (stcb->asoc.peer_supports_asconf) && 2197 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2198 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2199 stcb->sctp_ep, stcb, 2200 stcb->asoc.primary_destination); 2201 } 2202 2203 } 2204 /* Toss the cookie if I can */ 2205 sctp_toss_old_cookies(asoc); 2206 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2207 /* Restart the timer if we have pending data */ 2208 struct sctp_tmit_chunk *chk; 2209 chk = TAILQ_FIRST(&asoc->sent_queue); 2210 if (chk) { 2211 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2212 stcb, chk->whoTo); 2213 } 2214 } 2215 2216} 2217 2218static void 2219sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2220 struct sctp_tcb *stcb) 2221{ 2222 struct sctp_nets *net; 2223 struct sctp_tmit_chunk *lchk; 2224 u_int32_t tsn; 2225 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2226 return; 2227 } 2228 sctp_pegs[SCTP_ECNE_RCVD]++; 2229 tsn = ntohl(cp->tsn); 2230 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2231 /* Also we make sure we disable the nonce_wait */ 2232 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2233 if (lchk == NULL) { 2234 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2235 } else { 2236 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2237 } 2238 stcb->asoc.nonce_wait_for_ecne = 0; 2239 stcb->asoc.nonce_sum_check = 0; 2240 2241 /* Find where it was sent, if possible */ 2242 net = NULL; 2243 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2244 while (lchk) { 2245 if (lchk->rec.data.TSN_seq == tsn) { 2246 net = lchk->whoTo; 2247 break; 2248 } 2249 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2250 break; 2251 lchk = TAILQ_NEXT(lchk, sctp_next); 2252 } 2253 if (net == NULL) 2254 /* default is we use the primary */ 2255 net = stcb->asoc.primary_destination; 2256 2257 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2258#ifdef SCTP_CWND_LOGGING 2259 int old_cwnd; 2260#endif 2261#ifdef SCTP_CWND_LOGGING 2262 old_cwnd = net->cwnd; 2263#endif 2264 sctp_pegs[SCTP_CWR_PERFO]++; 2265 net->ssthresh = net->cwnd / 2; 2266 if (net->ssthresh < net->mtu) { 2267 net->ssthresh = net->mtu; 2268 /* here back off the timer as well, to slow us down */ 2269 net->RTO <<= 2; 2270 } 2271 net->cwnd = net->ssthresh; 2272#ifdef SCTP_CWND_LOGGING 2273 sctp_log_cwnd(net, (net->cwnd-old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2274#endif 2275 /* we reduce once every RTT. So we will only lower 2276 * cwnd at the next sending seq i.e. the resync_tsn. 2277 */ 2278 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2279 } 2280 /* 2281 * We always send a CWR this way if our previous one was lost 2282 * our peer will get an update, or if it is not time again 2283 * to reduce we still get the cwr to the peer. 2284 */ 2285 sctp_send_cwr(stcb, net, tsn); 2286} 2287 2288static void 2289sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2290{ 2291 /* Here we get a CWR from the peer. We must look in 2292 * the outqueue and make sure that we have a covered 2293 * ECNE in teh control chunk part. If so remove it. 2294 */ 2295 struct sctp_tmit_chunk *chk; 2296 struct sctp_ecne_chunk *ecne; 2297 2298 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2299 if (chk->rec.chunk_id != SCTP_ECN_ECHO) { 2300 continue; 2301 } 2302 /* Look for and remove if it is the right TSN. Since 2303 * there is only ONE ECNE on the control queue at 2304 * any one time we don't need to worry about more than 2305 * one! 2306 */ 2307 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2308 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2309 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2310 /* this covers this ECNE, we can remove it */ 2311 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2312 sctp_next); 2313 if (chk->data) { 2314 sctp_m_freem(chk->data); 2315 chk->data = NULL; 2316 } 2317 stcb->asoc.ctrl_queue_cnt--; 2318 sctp_free_remote_addr(chk->whoTo); 2319 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2320 sctppcbinfo.ipi_count_chunk--; 2321 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2322 panic("Chunk count is negative"); 2323 } 2324 sctppcbinfo.ipi_gencnt_chunk++; 2325 break; 2326 } 2327 } 2328} 2329 2330static void 2331sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2332 struct sctp_tcb *stcb, struct sctp_nets *net) 2333{ 2334 struct sctp_association *asoc; 2335 2336#ifdef SCTP_DEBUG 2337 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2338 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2339 } 2340#endif 2341 if (stcb == NULL) 2342 return; 2343 2344 asoc = &stcb->asoc; 2345 /* process according to association state */ 2346 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2347 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2348 return; 2349 } 2350 /* notify upper layer protocol */ 2351 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2352 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2353 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2354 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 2355 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 2356 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0; 2357 soisdisconnected(stcb->sctp_ep->sctp_socket); 2358 } 2359 /* are the queues empty? they should be */ 2360 if (!TAILQ_EMPTY(&asoc->send_queue) || 2361 !TAILQ_EMPTY(&asoc->sent_queue) || 2362 !TAILQ_EMPTY(&asoc->out_wheel)) { 2363 sctp_report_all_outbound(stcb); 2364 } 2365 /* stop the timer */ 2366 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 2367 /* free the TCB */ 2368 sctp_free_assoc(stcb->sctp_ep, stcb); 2369 return; 2370} 2371 2372static int 2373process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2374 struct sctp_nets *net, u_int8_t flg) 2375{ 2376 switch (desc->chunk_type) { 2377 case SCTP_DATA: 2378 /* find the tsn to resend (possibly */ 2379 { 2380 u_int32_t tsn; 2381 struct sctp_tmit_chunk *tp1; 2382 tsn = ntohl(desc->tsn_ifany); 2383 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2384 while (tp1) { 2385 if (tp1->rec.data.TSN_seq == tsn) { 2386 /* found it */ 2387 break; 2388 } 2389 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2390 MAX_TSN)) { 2391 /* not found */ 2392 tp1 = NULL; 2393 break; 2394 } 2395 tp1 = TAILQ_NEXT(tp1, sctp_next); 2396 } 2397 if (tp1 == NULL) { 2398 /* Do it the other way */ 2399 sctp_pegs[SCTP_PDRP_DNFND]++; 2400 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2401 while (tp1) { 2402 if (tp1->rec.data.TSN_seq == tsn) { 2403 /* found it */ 2404 break; 2405 } 2406 tp1 = TAILQ_NEXT(tp1, sctp_next); 2407 } 2408 } 2409 if (tp1 == NULL) { 2410 sctp_pegs[SCTP_PDRP_TSNNF]++; 2411 } 2412 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2413 u_int8_t *ddp; 2414 if (((tp1->rec.data.state_flags & SCTP_WINDOW_PROBE) == SCTP_WINDOW_PROBE) && 2415 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2416 sctp_pegs[SCTP_PDRP_DIWNP]++; 2417 return (0); 2418 } 2419 if (stcb->asoc.peers_rwnd == 0 && 2420 (flg & SCTP_FROM_MIDDLE_BOX)) { 2421 sctp_pegs[SCTP_PDRP_DIZRW]++; 2422 return (0); 2423 } 2424 ddp = (u_int8_t *)(mtod(tp1->data, vaddr_t) + 2425 sizeof(struct sctp_data_chunk)); 2426 { 2427 unsigned int iii; 2428 for (iii = 0; iii < sizeof(desc->data_bytes); 2429 iii++) { 2430 if (ddp[iii] != desc->data_bytes[iii]) { 2431 sctp_pegs[SCTP_PDRP_BADD]++; 2432 return (-1); 2433 } 2434 } 2435 } 2436 if (tp1->sent != SCTP_DATAGRAM_RESEND) { 2437 stcb->asoc.sent_queue_retran_cnt++; 2438 } 2439 /* We zero out the nonce so resync not needed */ 2440 tp1->rec.data.ect_nonce = 0; 2441 2442 if (tp1->do_rtt) { 2443 /* 2444 * this guy had a RTO calculation pending on it, 2445 * cancel it 2446 */ 2447 tp1->whoTo->rto_pending = 0; 2448 tp1->do_rtt = 0; 2449 } 2450 sctp_pegs[SCTP_PDRP_MARK]++; 2451 tp1->sent = SCTP_DATAGRAM_RESEND; 2452 /* 2453 * mark it as if we were doing a FR, since we 2454 * will be getting gap ack reports behind the 2455 * info from the router. 2456 */ 2457 tp1->rec.data.doing_fast_retransmit = 1; 2458 /* 2459 * mark the tsn with what sequences can cause a new FR. 2460 */ 2461 if (TAILQ_EMPTY(&stcb->asoc.send_queue) ) { 2462 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2463 } else { 2464 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2465 } 2466 2467 /* restart the timer */ 2468 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2469 stcb, tp1->whoTo); 2470 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2471 stcb, tp1->whoTo); 2472 2473 /* fix counts and things */ 2474 sctp_flight_size_decrease(tp1); 2475 sctp_total_flight_decrease(stcb, tp1); 2476 tp1->snd_count--; 2477 } 2478 { 2479 /* audit code */ 2480 unsigned int audit; 2481 audit = 0; 2482 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2483 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2484 audit++; 2485 } 2486 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2487 sctp_next) { 2488 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2489 audit++; 2490 } 2491 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2492 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2493 audit, stcb->asoc.sent_queue_retran_cnt); 2494#ifndef SCTP_AUDITING_ENABLED 2495 stcb->asoc.sent_queue_retran_cnt = audit; 2496#endif 2497 } 2498 } 2499 } 2500 break; 2501 case SCTP_ASCONF: 2502 { 2503 struct sctp_tmit_chunk *asconf; 2504 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2505 sctp_next) { 2506 if (asconf->rec.chunk_id == SCTP_ASCONF) { 2507 break; 2508 } 2509 } 2510 if (asconf) { 2511 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2512 stcb->asoc.sent_queue_retran_cnt++; 2513 asconf->sent = SCTP_DATAGRAM_RESEND; 2514 asconf->snd_count--; 2515 } 2516 } 2517 break; 2518 case SCTP_INITIATION: 2519 /* resend the INIT */ 2520 stcb->asoc.dropped_special_cnt++; 2521 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2522 /* 2523 * If we can get it in, in a few attempts we do this, 2524 * otherwise we let the timer fire. 2525 */ 2526 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2527 stcb, net); 2528 sctp_send_initiate(stcb->sctp_ep, stcb); 2529 } 2530 break; 2531 case SCTP_SELECTIVE_ACK: 2532 /* resend the sack */ 2533 sctp_send_sack(stcb); 2534 break; 2535 case SCTP_HEARTBEAT_REQUEST: 2536 /* resend a demand HB */ 2537 sctp_send_hb(stcb, 1, net); 2538 break; 2539 case SCTP_SHUTDOWN: 2540#ifdef SCTP_DEBUG 2541 if (sctp_debug_on & SCTP_DEBUG_OUTPUT4) { 2542 printf("%s:%d sends a shutdown\n", 2543 __FILE__, 2544 __LINE__ 2545 ); 2546 } 2547#endif 2548 sctp_send_shutdown(stcb, net); 2549 break; 2550 case SCTP_SHUTDOWN_ACK: 2551 sctp_send_shutdown_ack(stcb, net); 2552 break; 2553 case SCTP_COOKIE_ECHO: 2554 { 2555 struct sctp_tmit_chunk *cookie; 2556 cookie = NULL; 2557 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2558 sctp_next) { 2559 if (cookie->rec.chunk_id == SCTP_COOKIE_ECHO) { 2560 break; 2561 } 2562 } 2563 if (cookie) { 2564 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2565 stcb->asoc.sent_queue_retran_cnt++; 2566 cookie->sent = SCTP_DATAGRAM_RESEND; 2567 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2568 } 2569 } 2570 break; 2571 case SCTP_COOKIE_ACK: 2572 sctp_send_cookie_ack(stcb); 2573 break; 2574 case SCTP_ASCONF_ACK: 2575 /* resend last asconf ack */ 2576 sctp_send_asconf_ack(stcb, 1); 2577 break; 2578 case SCTP_FORWARD_CUM_TSN: 2579 send_forward_tsn(stcb, &stcb->asoc); 2580 break; 2581 /* can't do anything with these */ 2582 case SCTP_PACKET_DROPPED: 2583 case SCTP_INITIATION_ACK: /* this should not happen */ 2584 case SCTP_HEARTBEAT_ACK: 2585 case SCTP_ABORT_ASSOCIATION: 2586 case SCTP_OPERATION_ERROR: 2587 case SCTP_SHUTDOWN_COMPLETE: 2588 case SCTP_ECN_ECHO: 2589 case SCTP_ECN_CWR: 2590 default: 2591 break; 2592 } 2593 return (0); 2594} 2595 2596static void 2597sctp_reset_in_stream(struct sctp_tcb *stcb, 2598 struct sctp_stream_reset_response *resp, int number_entries) 2599{ 2600 int i; 2601 uint16_t *list, temp; 2602 2603 /* We set things to 0xffff since this is the last delivered 2604 * sequence and we will be sending in 0 after the reset. 2605 */ 2606 2607 if (resp->reset_flags & SCTP_RESET_PERFORMED) { 2608 if (number_entries) { 2609 list = resp->list_of_streams; 2610 for (i = 0; i < number_entries; i++) { 2611 temp = ntohs(list[i]); 2612 list[i] = temp; 2613 if (list[i] >= stcb->asoc.streamincnt) { 2614 printf("Invalid stream in-stream reset %d\n", list[i]); 2615 continue; 2616 } 2617 stcb->asoc.strmin[(list[i])].last_sequence_delivered = 0xffff; 2618 } 2619 } else { 2620 list = NULL; 2621 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2622 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2623 } 2624 } 2625 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2626 } 2627} 2628 2629static void 2630sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2631{ 2632 struct sctp_tmit_chunk *chk, *nchk; 2633 struct sctp_association *asoc; 2634 2635 asoc = &stcb->asoc; 2636 2637 for (chk = TAILQ_FIRST(&asoc->control_send_queue); 2638 chk; chk = nchk) { 2639 nchk = TAILQ_NEXT(chk, sctp_next); 2640 if (chk->rec.chunk_id == SCTP_STREAM_RESET) { 2641 struct sctp_stream_reset_req *strreq; 2642 strreq = mtod(chk->data, struct sctp_stream_reset_req *); 2643 if (strreq->sr_req.ph.param_type == ntohs(SCTP_STR_RESET_RESPONSE)) { 2644 /* we only clean up the request */ 2645 continue; 2646 } else if (strreq->sr_req.ph.param_type != ntohs(SCTP_STR_RESET_REQUEST)) { 2647 printf("TSNH, an unknown stream reset request is in queue %x\n", 2648 (u_int)ntohs(strreq->sr_req.ph.param_type)); 2649 continue; 2650 } 2651 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2652 TAILQ_REMOVE(&asoc->control_send_queue, 2653 chk, 2654 sctp_next); 2655 if (chk->data) { 2656 sctp_m_freem(chk->data); 2657 chk->data = NULL; 2658 } 2659 asoc->ctrl_queue_cnt--; 2660 sctp_free_remote_addr(chk->whoTo); 2661 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2662 sctppcbinfo.ipi_count_chunk--; 2663 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2664 panic("Chunk count is negative"); 2665 } 2666 sctppcbinfo.ipi_gencnt_chunk++; 2667 /* we can only have one of these so we break */ 2668 break; 2669 } 2670 } 2671} 2672 2673 2674void 2675sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2676 struct sctp_stream_reset_response *resp) 2677{ 2678 uint32_t seq, tsn; 2679 int number_entries, param_length; 2680 2681 param_length = ntohs(resp->ph.param_length); 2682 seq = ntohl(resp->reset_req_seq_resp); 2683 if (seq == stcb->asoc.str_reset_seq_out) { 2684 sctp_clean_up_stream_reset(stcb); 2685 stcb->asoc.str_reset_seq_out++; 2686 stcb->asoc.stream_reset_outstanding = 0; 2687 tsn = ntohl(resp->reset_at_tsn); 2688 number_entries = (param_length - sizeof(struct sctp_stream_reset_response))/sizeof(uint16_t); 2689 tsn--; 2690 if ((tsn == stcb->asoc.cumulative_tsn) || 2691 (compare_with_wrap(stcb->asoc.cumulative_tsn, tsn, MAX_TSN))) { 2692 /* no problem we are good to go */ 2693 sctp_reset_in_stream(stcb, resp, number_entries); 2694 } else { 2695 /* So, we have a stream reset but there 2696 * is pending data. We need to copy 2697 * out the stream_reset and then queue 2698 * any data = or > resp->reset_at_tsn 2699 */ 2700 if (stcb->asoc.pending_reply != NULL) { 2701 /* FIX ME FIX ME 2702 * This IS WRONG. We need 2703 * to queue each of these up 2704 * and only release the chunks 2705 * for each reset that the cum-ack 2706 * goes by. This is a short cut. 2707 */ 2708 free(stcb->asoc.pending_reply, M_PCB); 2709 } 2710 stcb->asoc.pending_reply = malloc(param_length, 2711 M_PCB, M_NOWAIT); 2712 memcpy(stcb->asoc.pending_reply, resp, param_length); 2713 } 2714 2715 } else { 2716 /* duplicate */ 2717#ifdef SCTP_DEBUG 2718 printf("Duplicate old stream reset resp next:%x this one:%x\n", 2719 stcb->asoc.str_reset_seq_out, seq); 2720#endif 2721 } 2722} 2723 2724 2725static void 2726sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_req *sr_req) 2727{ 2728 int chk_length, param_len; 2729 struct sctp_paramhdr *ph; 2730 /* now it may be a reset or a reset-response */ 2731 struct sctp_stream_reset_request *req; 2732 struct sctp_stream_reset_response *resp; 2733 chk_length = ntohs(sr_req->ch.chunk_length); 2734 2735 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 2736 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_request)) { 2737 param_len = ntohs(ph->param_length); 2738 if (ntohs(ph->param_type) == SCTP_STR_RESET_REQUEST) { 2739 /* this will send the ACK and do the reset if needed */ 2740 req = (struct sctp_stream_reset_request *)ph; 2741 sctp_send_str_reset_ack(stcb, req); 2742 } else if (ntohs(ph->param_type) == SCTP_STR_RESET_RESPONSE) { 2743 /* Now here is a tricky one. We reset our receive side 2744 * of the streams. But what happens if the peers 2745 * next sending TSN is NOT equal to 1 minus our cumack? 2746 * And if his cumack is not equal to our next one out - 1 2747 * we have another problem if this is receprical. 2748 */ 2749 resp = (struct sctp_stream_reset_response *)ph; 2750 sctp_handle_stream_reset_response(stcb, resp); 2751 } 2752 ph = (struct sctp_paramhdr *)((vaddr_t)ph + SCTP_SIZE32(param_len)); 2753 chk_length -= SCTP_SIZE32(param_len); 2754 } 2755} 2756 2757/* 2758 * Handle a router or endpoints report of a packet loss, there 2759 * are two ways to handle this, either we get the whole packet 2760 * and must disect it ourselves (possibly with truncation and 2761 * or corruption) or it is a summary from a middle box that did 2762 * the disectting for us. 2763 */ 2764static void 2765sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 2766 struct sctp_tcb *stcb, struct sctp_nets *net) 2767{ 2768 u_int32_t bottle_bw, on_queue; 2769 u_int16_t trunc_len; 2770 unsigned int chlen; 2771 unsigned int at; 2772 struct sctp_chunk_desc desc; 2773 struct sctp_chunkhdr *ch; 2774 2775 chlen = ntohs(cp->ch.chunk_length); 2776 chlen -= sizeof(struct sctp_pktdrop_chunk); 2777 /* XXX possible chlen underflow */ 2778 if (chlen == 0) { 2779 ch = NULL; 2780 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 2781 sctp_pegs[SCTP_PDRP_BWRPT]++; 2782 } else { 2783 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 2784 chlen -= sizeof(struct sctphdr); 2785 /* XXX possible chlen underflow */ 2786 memset(&desc, 0, sizeof(desc)); 2787 } 2788 2789 /* first update a rwnd possibly */ 2790 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 2791 /* From a peer, we get a rwnd report */ 2792 u_int32_t a_rwnd; 2793 2794 sctp_pegs[SCTP_PDRP_FEHOS]++; 2795 2796 bottle_bw = ntohl(cp->bottle_bw); 2797 on_queue = ntohl(cp->current_onq); 2798 if (bottle_bw && on_queue) { 2799 /* a rwnd report is in here */ 2800 if (bottle_bw > on_queue) 2801 a_rwnd = bottle_bw - on_queue; 2802 else 2803 a_rwnd = 0; 2804 2805 if (a_rwnd <= 0) 2806 stcb->asoc.peers_rwnd = 0; 2807 else { 2808 if (a_rwnd > stcb->asoc.total_flight) { 2809 stcb->asoc.peers_rwnd = 2810 a_rwnd - stcb->asoc.total_flight; 2811 } else { 2812 stcb->asoc.peers_rwnd = 0; 2813 } 2814 if (stcb->asoc.peers_rwnd < 2815 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 2816 /* SWS sender side engages */ 2817 stcb->asoc.peers_rwnd = 0; 2818 } 2819 } 2820 } 2821 } else { 2822 sctp_pegs[SCTP_PDRP_FMBOX]++; 2823 } 2824 trunc_len = (u_int16_t)ntohs(cp->trunc_len); 2825 /* now the chunks themselves */ 2826 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 2827 desc.chunk_type = ch->chunk_type; 2828 /* get amount we need to move */ 2829 at = ntohs(ch->chunk_length); 2830 if (at < sizeof(struct sctp_chunkhdr)) { 2831 /* corrupt chunk, maybe at the end? */ 2832 sctp_pegs[SCTP_PDRP_CRUPT]++; 2833 break; 2834 } 2835 if (trunc_len == 0) { 2836 /* we are supposed to have all of it */ 2837 if (at > chlen) { 2838 /* corrupt skip it */ 2839 sctp_pegs[SCTP_PDRP_CRUPT]++; 2840 break; 2841 } 2842 } else { 2843 /* is there enough of it left ? */ 2844 if (desc.chunk_type == SCTP_DATA) { 2845 if (chlen < (sizeof(struct sctp_data_chunk) + 2846 sizeof(desc.data_bytes))) { 2847 break; 2848 } 2849 } else { 2850 if (chlen < sizeof(struct sctp_chunkhdr)) { 2851 break; 2852 } 2853 } 2854 } 2855 if (desc.chunk_type == SCTP_DATA) { 2856 /* can we get out the tsn? */ 2857 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2858 sctp_pegs[SCTP_PDRP_MB_DA]++; 2859 2860 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(u_int32_t)) ) { 2861 /* yep */ 2862 struct sctp_data_chunk *dcp; 2863 u_int8_t *ddp; 2864 unsigned int iii; 2865 dcp = (struct sctp_data_chunk *)ch; 2866 ddp = (u_int8_t *)(dcp + 1); 2867 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 2868 desc.data_bytes[iii] = ddp[iii]; 2869 } 2870 desc.tsn_ifany = dcp->dp.tsn; 2871 } else { 2872 /* nope we are done. */ 2873 sctp_pegs[SCTP_PDRP_NEDAT]++; 2874 break; 2875 } 2876 } else { 2877 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2878 sctp_pegs[SCTP_PDRP_MB_CT]++; 2879 } 2880 2881 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 2882 sctp_pegs[SCTP_PDRP_PDBRK]++; 2883 break; 2884 } 2885 if (SCTP_SIZE32(at) > chlen) { 2886 break; 2887 } 2888 chlen -= SCTP_SIZE32(at); 2889 if (chlen < sizeof(struct sctp_chunkhdr)) { 2890 /* done, none left */ 2891 break; 2892 } 2893 ch = (struct sctp_chunkhdr *)((vaddr_t)ch + SCTP_SIZE32(at)); 2894 } 2895 2896 /* now middle boxes in sat networks get a cwnd bump */ 2897 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 2898 (stcb->asoc.sat_t3_loss_recovery == 0) && 2899 (stcb->asoc.sat_network)) { 2900 /* 2901 * This is debateable but for sat networks it makes sense 2902 * Note if a T3 timer has went off, we will prohibit any 2903 * changes to cwnd until we exit the t3 loss recovery. 2904 */ 2905 u_int32_t bw_avail; 2906 int rtt, incr; 2907#ifdef SCTP_CWND_LOGGING 2908 int old_cwnd=net->cwnd; 2909#endif 2910 /* need real RTT for this calc */ 2911 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 2912 /* get bottle neck bw */ 2913 bottle_bw = ntohl(cp->bottle_bw); 2914 /* and whats on queue */ 2915 on_queue = ntohl(cp->current_onq); 2916 /* 2917 * adjust the on-queue if our flight is more it could be 2918 * that the router has not yet gotten data "in-flight" to it 2919 */ 2920 if (on_queue < net->flight_size) 2921 on_queue = net->flight_size; 2922 2923 /* calculate the available space */ 2924 bw_avail = (bottle_bw*rtt)/1000; 2925 if (bw_avail > bottle_bw) { 2926 /* 2927 * Cap the growth to no more than the bottle neck. 2928 * This can happen as RTT slides up due to queues. 2929 * It also means if you have more than a 1 second 2930 * RTT with a empty queue you will be limited to 2931 * the bottle_bw per second no matter if 2932 * other points have 1/2 the RTT and you could 2933 * get more out... 2934 */ 2935 bw_avail = bottle_bw; 2936 } 2937 2938 if (on_queue > bw_avail) { 2939 /* 2940 * No room for anything else don't allow anything 2941 * else to be "added to the fire". 2942 */ 2943 int seg_inflight, seg_onqueue, my_portion; 2944 net->partial_bytes_acked = 0; 2945 2946 /* how much are we over queue size? */ 2947 incr = on_queue - bw_avail; 2948 if (stcb->asoc.seen_a_sack_this_pkt) { 2949 /* undo any cwnd adjustment that 2950 * the sack might have made 2951 */ 2952 net->cwnd = net->prev_cwnd; 2953 } 2954 2955 /* Now how much of that is mine? */ 2956 seg_inflight = net->flight_size / net->mtu; 2957 seg_onqueue = on_queue / net->mtu; 2958 my_portion = (incr * seg_inflight)/seg_onqueue; 2959 2960 /* Have I made an adjustment already */ 2961 if (net->cwnd > net->flight_size) { 2962 /* for this flight I made an adjustment 2963 * we need to decrease the portion by a share 2964 * our previous adjustment. 2965 */ 2966 int diff_adj; 2967 diff_adj = net->cwnd - net->flight_size; 2968 if (diff_adj > my_portion) 2969 my_portion = 0; 2970 else 2971 my_portion -= diff_adj; 2972 } 2973 2974 /* back down to the previous cwnd (assume 2975 * we have had a sack before this packet). minus 2976 * what ever portion of the overage is my fault. 2977 */ 2978 net->cwnd -= my_portion; 2979 2980 /* we will NOT back down more than 1 MTU */ 2981 if (net->cwnd <= net->mtu) { 2982 net->cwnd = net->mtu; 2983 } 2984 /* force into CA */ 2985 net->ssthresh = net->cwnd - 1; 2986 } else { 2987 /* 2988 * Take 1/4 of the space left or 2989 * max burst up .. whichever is less. 2990 */ 2991 incr = uimin((bw_avail - on_queue) >> 2, 2992 (int)stcb->asoc.max_burst * (int)net->mtu); 2993 net->cwnd += incr; 2994 } 2995 if (net->cwnd > bw_avail) { 2996 /* We can't exceed the pipe size */ 2997 net->cwnd = bw_avail; 2998 } 2999 if (net->cwnd < net->mtu) { 3000 /* We always have 1 MTU */ 3001 net->cwnd = net->mtu; 3002 } 3003#ifdef SCTP_CWND_LOGGING 3004 if (net->cwnd - old_cwnd != 0) { 3005 /* log only changes */ 3006 sctp_log_cwnd(net, (net->cwnd - old_cwnd), 3007 SCTP_CWND_LOG_FROM_SAT); 3008 } 3009#endif 3010 } 3011} 3012 3013extern int sctp_strict_init; 3014 3015/* 3016 * handles all control chunks in a packet 3017 * inputs: 3018 * - m: mbuf chain, assumed to still contain IP/SCTP header 3019 * - stcb: is the tcb found for this packet 3020 * - offset: offset into the mbuf chain to first chunkhdr 3021 * - length: is the length of the complete packet 3022 * outputs: 3023 * - length: modified to remaining length after control processing 3024 * - netp: modified to new sctp_nets after cookie-echo processing 3025 * - return NULL to discard the packet (ie. no asoc, bad packet,...) 3026 * otherwise return the tcb for this packet 3027 */ 3028static struct sctp_tcb * 3029sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3030 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3031 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3032{ 3033 struct sctp_association *asoc; 3034 u_int32_t vtag_in; 3035 int num_chunks = 0; /* number of control chunks processed */ 3036 int chk_length; 3037 int ret; 3038 3039 /* 3040 * How big should this be, and should it be alloc'd? 3041 * Lets try the d-mtu-ceiling for now (2k) and that should 3042 * hopefully work ... until we get into jumbo grams and such.. 3043 */ 3044 u_int8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 3045 struct sctp_tcb *locked_tcb = stcb; 3046 3047#ifdef SCTP_DEBUG 3048 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3049 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3050 iphlen, *offset, length, stcb); 3051 } 3052#endif /* SCTP_DEBUG */ 3053 3054 /* validate chunk header length... */ 3055 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3056 return (NULL); 3057 } 3058 3059 /* 3060 * validate the verification tag 3061 */ 3062#ifdef SCTP_DEBUG 3063 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3064 printf("sctp_process_control: validating vtags\n"); 3065 } 3066#endif /* SCTP_DEBUG */ 3067 vtag_in = ntohl(sh->v_tag); 3068 if (ch->chunk_type == SCTP_INITIATION) { 3069 if (vtag_in != 0) { 3070 /* protocol error- silently discard... */ 3071#ifdef SCTP_DEBUG 3072 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3073 printf("sctp_process_control: INIT with vtag != 0\n"); 3074 } 3075#endif /* SCTP_DEBUG */ 3076 sctp_pegs[SCTP_BAD_VTAGS]++; 3077 if (locked_tcb) { 3078 SCTP_TCB_UNLOCK(locked_tcb); 3079 } 3080 return (NULL); 3081 } 3082 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3083 /* 3084 * first check if it's an ASCONF with an unknown src addr 3085 * we need to look inside to find the association 3086 */ 3087 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3088 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3089 *offset, sh, &inp, netp); 3090 } 3091 if (stcb == NULL) { 3092 /* no association, so it's out of the blue... */ 3093 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3094#ifdef SCTP_DEBUG 3095 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3096 printf("sctp_process_control: handling OOTB packet, chunk type=%xh\n", 3097 ch->chunk_type); 3098 } 3099#endif /* SCTP_DEBUG */ 3100 *offset = length; 3101 if (locked_tcb) { 3102 SCTP_TCB_UNLOCK(locked_tcb); 3103 } 3104 return (NULL); 3105 } 3106 asoc = &stcb->asoc; 3107 /* ABORT and SHUTDOWN can use either v_tag... */ 3108 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3109 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3110 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3111 if ((vtag_in == asoc->my_vtag) || 3112 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3113 (vtag_in == asoc->peer_vtag))) { 3114 /* this is valid */ 3115 } else { 3116 /* drop this packet... */ 3117 sctp_pegs[SCTP_BAD_VTAGS]++; 3118 if (locked_tcb) { 3119 SCTP_TCB_UNLOCK(locked_tcb); 3120 } 3121 return (NULL); 3122 } 3123 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3124 if (vtag_in != asoc->my_vtag) { 3125 /* 3126 * this could be a stale SHUTDOWN-ACK or the 3127 * peer never got the SHUTDOWN-COMPLETE and 3128 * is still hung; we have started a new asoc 3129 * but it won't complete until the shutdown is 3130 * completed 3131 */ 3132 if (locked_tcb) { 3133 SCTP_TCB_UNLOCK(locked_tcb); 3134 } 3135 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3136 NULL); 3137 return (NULL); 3138 } 3139 } else { 3140 /* for all other chunks, vtag must match */ 3141 3142 if (vtag_in != asoc->my_vtag) { 3143 /* invalid vtag... */ 3144#ifdef SCTP_DEBUG 3145 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3146 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3147 } 3148#endif /* SCTP_DEBUG */ 3149 sctp_pegs[SCTP_BAD_VTAGS]++; 3150 if (locked_tcb) { 3151 SCTP_TCB_UNLOCK(locked_tcb); 3152 } 3153 *offset = length; 3154 return (NULL); 3155 } 3156 } 3157 } /* end if !SCTP_COOKIE_ECHO */ 3158 3159#ifdef SCTP_DEBUG 3160 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3161 printf("sctp_process_control: vtags ok, processing ctrl chunks\n"); 3162 } 3163#endif /* SCTP_DEBUG */ 3164 3165 /* 3166 * process all control chunks... 3167 */ 3168 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3169 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3170 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3171 /* implied cookie-ack.. we must have lost the ack */ 3172 stcb->asoc.overall_error_count = 0; 3173 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 3174 } 3175 3176 while (IS_SCTP_CONTROL(ch)) { 3177 /* validate chunk length */ 3178 chk_length = ntohs(ch->chunk_length); 3179#ifdef SCTP_DEBUG 3180 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3181 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", ch->chunk_type, chk_length); 3182 } 3183#endif /* SCTP_DEBUG */ 3184 if ((size_t)chk_length < sizeof(*ch) || 3185 (*offset + chk_length) > length) { 3186#ifdef SCTP_DEBUG 3187 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3188 printf("sctp_process_control: chunk length invalid! *offset:%u, chk_length:%u > length:%u\n", 3189 *offset, chk_length, length); 3190 } 3191#endif /* SCTP_DEBUG */ 3192 *offset = length; 3193 if (locked_tcb) { 3194 SCTP_TCB_UNLOCK(locked_tcb); 3195 } 3196 return (NULL); 3197 } 3198 3199 /* 3200 * INIT-ACK only gets the init ack "header" portion only 3201 * because we don't have to process the peer's COOKIE. 3202 * All others get a complete chunk. 3203 */ 3204 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3205 /* get an init-ack chunk */ 3206 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3207 sizeof(struct sctp_init_ack), chunk_buf); 3208 if (ch == NULL) { 3209 *offset = length; 3210 if (locked_tcb) { 3211 SCTP_TCB_UNLOCK(locked_tcb); 3212 } 3213 return (NULL); 3214 } 3215 } else { 3216 /* get a complete chunk... */ 3217 if ((size_t)chk_length > sizeof(chunk_buf)) { 3218 struct mbuf *oper; 3219 struct sctp_paramhdr *phdr; 3220 oper = NULL; 3221 MGETHDR(oper, M_DONTWAIT, MT_HEADER); 3222 if (oper) { 3223 /* pre-reserve some space */ 3224 oper->m_data += 3225 sizeof(struct sctp_chunkhdr); 3226 phdr = 3227 mtod(oper, struct sctp_paramhdr *); 3228 phdr->param_type = 3229 htons(SCTP_CAUSE_OUT_OF_RESC); 3230 phdr->param_length = 3231 htons(sizeof(struct sctp_paramhdr)); 3232 sctp_queue_op_err(stcb, oper); 3233 } 3234 if (locked_tcb) { 3235 SCTP_TCB_UNLOCK(locked_tcb); 3236 } 3237 return (NULL); 3238 } 3239 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3240 chk_length, chunk_buf); 3241 if (ch == NULL) { 3242 printf("sctp_process_control: Can't get the all data....\n"); 3243 *offset = length; 3244 if (locked_tcb) { 3245 SCTP_TCB_UNLOCK(locked_tcb); 3246 } 3247 return (NULL); 3248 } 3249 3250 } 3251 num_chunks++; 3252 /* Save off the last place we got a control from */ 3253 if ((*netp) && stcb) { 3254 stcb->asoc.last_control_chunk_from = *netp; 3255 } 3256#ifdef SCTP_AUDITING_ENABLED 3257 sctp_audit_log(0xB0, ch->chunk_type); 3258#endif 3259 switch (ch->chunk_type) { 3260 case SCTP_INITIATION: 3261 /* must be first and only chunk */ 3262#ifdef SCTP_DEBUG 3263 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3264 printf("SCTP_INIT\n"); 3265 } 3266#endif /* SCTP_DEBUG */ 3267 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3268 /* We are not interested anymore */ 3269 if (locked_tcb) { 3270 SCTP_TCB_UNLOCK(locked_tcb); 3271 } 3272 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3273 /* finish the job now */ 3274 sctp_inpcb_free(inp, 1); 3275 } 3276 *offset = length; 3277 return (NULL); 3278 } 3279 if ((num_chunks > 1) || 3280 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3281 *offset = length; 3282 if (locked_tcb) { 3283 SCTP_TCB_UNLOCK(locked_tcb); 3284 } 3285 return (NULL); 3286 } 3287 if ((stcb != NULL) && 3288 (SCTP_GET_STATE(&stcb->asoc) == 3289 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3290 sctp_send_shutdown_ack(stcb, 3291 stcb->asoc.primary_destination); 3292 *offset = length; 3293 if (locked_tcb) { 3294 SCTP_TCB_UNLOCK(locked_tcb); 3295 } 3296 return (NULL); 3297 } 3298 sctp_handle_init(m, iphlen, *offset, sh, 3299 (struct sctp_init_chunk *)ch, inp, stcb, *netp); 3300 *offset = length; 3301 if (locked_tcb) { 3302 SCTP_TCB_UNLOCK(locked_tcb); 3303 } 3304 return (NULL); 3305 break; 3306 case SCTP_INITIATION_ACK: 3307 /* must be first and only chunk */ 3308#ifdef SCTP_DEBUG 3309 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3310 printf("SCTP_INIT-ACK\n"); 3311 } 3312#endif /* SCTP_DEBUG */ 3313 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3314 /* We are not interested anymore */ 3315 if (locked_tcb) { 3316 SCTP_TCB_UNLOCK(locked_tcb); 3317 } 3318 *offset = length; 3319 if (stcb) { 3320 sctp_free_assoc(inp, stcb); 3321 } else { 3322 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3323 /* finish the job now */ 3324 sctp_inpcb_free(inp, 1); 3325 } 3326 } 3327 return (NULL); 3328 } 3329 if ((num_chunks > 1) || 3330 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3331#ifdef SCTP_DEBUG 3332 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3333 printf("Length is %d rounded chk_length:%d .. dropping\n", 3334 length - *offset, 3335 SCTP_SIZE32(chk_length)); 3336 } 3337#endif 3338 *offset = length; 3339 if (locked_tcb) { 3340 SCTP_TCB_UNLOCK(locked_tcb); 3341 } 3342 return (NULL); 3343 } 3344 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3345 (struct sctp_init_ack_chunk *)ch, stcb, *netp); 3346 /* 3347 * Special case, I must call the output routine 3348 * to get the cookie echoed 3349 */ 3350 if ((stcb) && ret == 0) 3351 sctp_chunk_output(stcb->sctp_ep, stcb, 2); 3352 *offset = length; 3353#ifdef SCTP_DEBUG 3354 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3355 printf("All done INIT-ACK processing\n"); 3356 } 3357#endif 3358 if (locked_tcb) { 3359 SCTP_TCB_UNLOCK(locked_tcb); 3360 } 3361 return (NULL); 3362 break; 3363 case SCTP_SELECTIVE_ACK: 3364#ifdef SCTP_DEBUG 3365 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3366 printf("SCTP_SACK\n"); 3367 } 3368#endif /* SCTP_DEBUG */ 3369 sctp_pegs[SCTP_PEG_SACKS_SEEN]++; 3370 { 3371 int abort_now = 0; 3372 stcb->asoc.seen_a_sack_this_pkt = 1; 3373 sctp_handle_sack((struct sctp_sack_chunk *)ch, 3374 stcb, *netp, &abort_now); 3375 if (abort_now) { 3376 /* ABORT signal from sack processing */ 3377 *offset = length; 3378 return (NULL); 3379 } 3380 } 3381 break; 3382 case SCTP_HEARTBEAT_REQUEST: 3383#ifdef SCTP_DEBUG 3384 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3385 printf("SCTP_HEARTBEAT\n"); 3386 } 3387#endif /* SCTP_DEBUG */ 3388 sctp_pegs[SCTP_HB_RECV]++; 3389 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3390 *netp); 3391 3392 /* He's alive so give him credit */ 3393 stcb->asoc.overall_error_count = 0; 3394 break; 3395 case SCTP_HEARTBEAT_ACK: 3396#ifdef SCTP_DEBUG 3397 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3398 printf("SCTP_HEARTBEAT-ACK\n"); 3399 } 3400#endif /* SCTP_DEBUG */ 3401 3402 /* He's alive so give him credit */ 3403 stcb->asoc.overall_error_count = 0; 3404 3405 sctp_pegs[SCTP_HB_ACK_RECV]++; 3406 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3407 stcb, *netp); 3408 break; 3409 case SCTP_ABORT_ASSOCIATION: 3410#ifdef SCTP_DEBUG 3411 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3412 printf("SCTP_ABORT\n"); 3413 } 3414#endif /* SCTP_DEBUG */ 3415 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3416 stcb, *netp); 3417 *offset = length; 3418 return (NULL); 3419 break; 3420 case SCTP_SHUTDOWN: 3421#ifdef SCTP_DEBUG 3422 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3423 printf("SCTP_SHUTDOWN\n"); 3424 } 3425#endif /* SCTP_DEBUG */ 3426 { 3427 int abort_flag = 0; 3428 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3429 stcb, *netp, &abort_flag); 3430 if (abort_flag) { 3431 *offset = length; 3432 return (NULL); 3433 } 3434 } 3435 break; 3436 case SCTP_SHUTDOWN_ACK: 3437#ifdef SCTP_DEBUG 3438 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3439 printf("SCTP_SHUTDOWN-ACK\n"); 3440 } 3441#endif /* SCTP_DEBUG */ 3442 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3443 *offset = length; 3444 return (NULL); 3445 break; 3446 case SCTP_OPERATION_ERROR: 3447#ifdef SCTP_DEBUG 3448 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3449 printf("SCTP_OP-ERR\n"); 3450 } 3451#endif /* SCTP_DEBUG */ 3452 if (sctp_handle_error(ch, stcb, *netp) < 0) { 3453 *offset = length; 3454 return (NULL); 3455 } 3456 break; 3457 case SCTP_COOKIE_ECHO: 3458#ifdef SCTP_DEBUG 3459 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3460 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3461 } 3462#endif /* SCTP_DEBUG */ 3463 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3464 /* We are not interested anymore */ 3465 *offset = length; 3466 if (stcb) { 3467 sctp_free_assoc(inp, stcb); 3468 } else { 3469 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3470 /* finish the job now */ 3471 sctp_inpcb_free(inp, 1); 3472 } 3473 } 3474 return (NULL); 3475 } 3476 /* 3477 * First are we accepting? 3478 * We do this again here since it is possible 3479 * that a previous endpoint WAS listening responded to 3480 * a INIT-ACK and then closed. We opened and bound.. 3481 * and are now no longer listening. 3482 */ 3483 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 3484 (inp->sctp_socket->so_qlimit == 0)) { 3485 sctp_abort_association(inp, stcb, m, iphlen, sh, 3486 NULL); 3487 *offset = length; 3488 return (NULL); 3489 } else if (inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) { 3490 /* we are accepting so check limits like TCP */ 3491 if (inp->sctp_socket->so_qlen > 3492 inp->sctp_socket->so_qlimit) { 3493 /* no space */ 3494 struct mbuf *oper; 3495 struct sctp_paramhdr *phdr; 3496 oper = NULL; 3497 MGETHDR(oper, M_DONTWAIT, MT_HEADER); 3498 if (oper) { 3499 oper->m_len = 3500 oper->m_pkthdr.len = 3501 sizeof(struct sctp_paramhdr); 3502 phdr = mtod(oper, 3503 struct sctp_paramhdr *); 3504 phdr->param_type = 3505 htons(SCTP_CAUSE_OUT_OF_RESC); 3506 phdr->param_length = 3507 htons(sizeof(struct sctp_paramhdr)); 3508 } 3509 sctp_abort_association(inp, stcb, m, 3510 iphlen, sh, oper); 3511 *offset = length; 3512 return (NULL); 3513 } 3514 } 3515 { 3516 struct mbuf *ret_buf; 3517 ret_buf = sctp_handle_cookie_echo(m, iphlen, 3518 *offset, sh, 3519 (struct sctp_cookie_echo_chunk *)ch, &inp, 3520 &stcb, netp); 3521#ifdef SCTP_DEBUG 3522 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3523 printf("ret_buf:%p length:%d off:%d\n", 3524 ret_buf, length, *offset); 3525 } 3526#endif /* SCTP_DEBUG */ 3527 3528 if (ret_buf == NULL) { 3529 if (locked_tcb) { 3530 SCTP_TCB_UNLOCK(locked_tcb); 3531 } 3532#ifdef SCTP_DEBUG 3533 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3534 printf("GAK, null buffer\n"); 3535 } 3536#endif /* SCTP_DEBUG */ 3537 *offset = length; 3538 return (NULL); 3539 } 3540 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 3541 /* 3542 * Restart the timer if we have pending 3543 * data 3544 */ 3545 struct sctp_tmit_chunk *chk; 3546 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 3547 if (chk) { 3548 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 3549 stcb->sctp_ep, stcb, 3550 chk->whoTo); 3551 } 3552 } 3553 } 3554 break; 3555 case SCTP_COOKIE_ACK: 3556#ifdef SCTP_DEBUG 3557 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3558 printf("SCTP_COOKIE-ACK\n"); 3559 } 3560#endif /* SCTP_DEBUG */ 3561 3562 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3563 /* We are not interested anymore */ 3564 sctp_free_assoc(inp, stcb); 3565 *offset = length; 3566 return (NULL); 3567 } 3568 /* He's alive so give him credit */ 3569 stcb->asoc.overall_error_count = 0; 3570 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, 3571 stcb, *netp); 3572 break; 3573 case SCTP_ECN_ECHO: 3574#ifdef SCTP_DEBUG 3575 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3576 printf("SCTP_ECN-ECHO\n"); 3577 } 3578#endif /* SCTP_DEBUG */ 3579 /* He's alive so give him credit */ 3580 stcb->asoc.overall_error_count = 0; 3581 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 3582 stcb); 3583 break; 3584 case SCTP_ECN_CWR: 3585#ifdef SCTP_DEBUG 3586 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3587 printf("SCTP_ECN-CWR\n"); 3588 } 3589#endif /* SCTP_DEBUG */ 3590 /* He's alive so give him credit */ 3591 stcb->asoc.overall_error_count = 0; 3592 3593 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 3594 break; 3595 case SCTP_SHUTDOWN_COMPLETE: 3596#ifdef SCTP_DEBUG 3597 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3598 printf("SCTP_SHUTDOWN-COMPLETE\n"); 3599 } 3600#endif /* SCTP_DEBUG */ 3601 /* must be first and only chunk */ 3602 if ((num_chunks > 1) || 3603 (length - *offset > SCTP_SIZE32(chk_length))) { 3604 *offset = length; 3605 if (locked_tcb) { 3606 SCTP_TCB_UNLOCK(locked_tcb); 3607 } 3608 return (NULL); 3609 } 3610 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 3611 stcb, *netp); 3612 *offset = length; 3613 return (NULL); 3614 break; 3615 case SCTP_ASCONF: 3616#ifdef SCTP_DEBUG 3617 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3618 printf("SCTP_ASCONF\n"); 3619 } 3620#endif /* SCTP_DEBUG */ 3621 /* He's alive so give him credit */ 3622 stcb->asoc.overall_error_count = 0; 3623 3624 sctp_handle_asconf(m, *offset, 3625 (struct sctp_asconf_chunk *)ch, stcb, *netp); 3626 break; 3627 case SCTP_ASCONF_ACK: 3628#ifdef SCTP_DEBUG 3629 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3630 printf("SCTP_ASCONF-ACK\n"); 3631 } 3632#endif /* SCTP_DEBUG */ 3633 /* He's alive so give him credit */ 3634 stcb->asoc.overall_error_count = 0; 3635 3636 sctp_handle_asconf_ack(m, *offset, 3637 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 3638 break; 3639 case SCTP_FORWARD_CUM_TSN: 3640#ifdef SCTP_DEBUG 3641 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3642 printf("SCTP_FWD-TSN\n"); 3643 } 3644#endif /* SCTP_DEBUG */ 3645 /* He's alive so give him credit */ 3646 { 3647 int abort_flag = 0; 3648 stcb->asoc.overall_error_count = 0; 3649 *fwd_tsn_seen = 1; 3650 sctp_handle_forward_tsn(stcb, 3651 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 3652 if (abort_flag) { 3653 *offset = length; 3654 return (NULL); 3655 } else { 3656 stcb->asoc.overall_error_count = 0; 3657 } 3658 3659 } 3660 break; 3661 case SCTP_STREAM_RESET: 3662#ifdef SCTP_DEBUG 3663 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3664 printf("SCTP_STREAM_RESET\n"); 3665 } 3666#endif /* SCTP_DEBUG */ 3667 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3668 chk_length, chunk_buf); 3669 if (stcb->asoc.peer_supports_strreset == 0) { 3670 /* hmm, peer should have annonced this, but 3671 * we will turn it on since he is sending us 3672 * a stream reset. 3673 */ 3674 stcb->asoc.peer_supports_strreset = 1; 3675 } 3676 sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_req *)ch); 3677 break; 3678 case SCTP_PACKET_DROPPED: 3679#ifdef SCTP_DEBUG 3680 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3681 printf("SCTP_PACKET_DROPPED\n"); 3682 } 3683#endif /* SCTP_DEBUG */ 3684 /* re-get it all please */ 3685 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3686 chk_length, chunk_buf); 3687 3688 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 3689 stcb, *netp); 3690 3691 3692 break; 3693 default: 3694 /* it's an unknown chunk! */ 3695 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 3696 struct mbuf *mm; 3697 struct sctp_paramhdr *phd; 3698 MGETHDR(mm, M_DONTWAIT, MT_HEADER); 3699 if (mm) { 3700 phd = mtod(mm, struct sctp_paramhdr *); 3701 /* We cheat and use param type since we 3702 * did not bother to define a error 3703 * cause struct. 3704 * They are the same basic format with 3705 * different names. 3706 */ 3707 phd->param_type = 3708 htons(SCTP_CAUSE_UNRECOG_CHUNK); 3709 phd->param_length = 3710 htons(chk_length + sizeof(*phd)); 3711 mm->m_len = sizeof(*phd); 3712 mm->m_next = sctp_m_copym(m, *offset, 3713 SCTP_SIZE32(chk_length), 3714 M_DONTWAIT); 3715 if (mm->m_next) { 3716 mm->m_pkthdr.len = 3717 SCTP_SIZE32(chk_length) + 3718 sizeof(*phd); 3719 sctp_queue_op_err(stcb, mm); 3720 } else { 3721 sctp_m_freem(mm); 3722#ifdef SCTP_DEBUG 3723 if (sctp_debug_on & 3724 SCTP_DEBUG_INPUT1) { 3725 printf("Gak can't copy the chunk into operr %d bytes\n", 3726 chk_length); 3727 } 3728#endif 3729 } 3730 } 3731#ifdef SCTP_DEBUG 3732 else { 3733 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3734 printf("Gak can't mgethdr for op-err of unrec chunk\n"); 3735 } 3736 } 3737#endif 3738 } 3739 if ((ch->chunk_type & 0x80) == 0) { 3740 /* discard this packet */ 3741 *offset = length; 3742 return (stcb); 3743 } /* else skip this bad chunk and continue... */ 3744 break; 3745 } /* switch (ch->chunk_type) */ 3746 /* get the next chunk */ 3747 *offset += SCTP_SIZE32(chk_length); 3748 if (*offset >= length) { 3749 /* no more data left in the mbuf chain */ 3750 break; 3751 } 3752 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3753 sizeof(struct sctp_chunkhdr), chunk_buf); 3754 if (ch == NULL) { 3755 if (locked_tcb) { 3756 SCTP_TCB_UNLOCK(locked_tcb); 3757 } 3758 *offset = length; 3759 return (NULL); 3760 } 3761 } /* while */ 3762 return (stcb); 3763} 3764 3765 3766/* 3767 * Process the ECN bits we have something set so 3768 * we must look to see if it is ECN(0) or ECN(1) or CE 3769 */ 3770static void 3771sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 3772 u_int8_t ecn_bits) 3773{ 3774 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3775 ; 3776 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 3777 /* 3778 * we only add to the nonce sum for ECT1, ECT0 3779 * does not change the NS bit (that we have 3780 * yet to find a way to send it yet). 3781 */ 3782 3783 /* ECN Nonce stuff */ 3784 stcb->asoc.receiver_nonce_sum++; 3785 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 3786 3787 /* 3788 * Drag up the last_echo point if cumack is larger since we 3789 * don't want the point falling way behind by more than 2^^31 3790 * and then having it be incorrect. 3791 */ 3792 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3793 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3794 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3795 } 3796 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 3797 /* 3798 * Drag up the last_echo point if cumack is larger since we 3799 * don't want the point falling way behind by more than 2^^31 3800 * and then having it be incorrect. 3801 */ 3802 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3803 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3804 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3805 } 3806 } 3807} 3808 3809static void 3810sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 3811 u_int32_t high_tsn, u_int8_t ecn_bits) 3812{ 3813 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3814 /* 3815 * we possibly must notify the sender that a congestion 3816 * window reduction is in order. We do this 3817 * by adding a ECNE chunk to the output chunk 3818 * queue. The incoming CWR will remove this chunk. 3819 */ 3820 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 3821 MAX_TSN)) { 3822 /* Yep, we need to add a ECNE */ 3823 sctp_send_ecn_echo(stcb, net, high_tsn); 3824 stcb->asoc.last_echo_tsn = high_tsn; 3825 } 3826 } 3827} 3828 3829/* 3830 * common input chunk processing (v4 and v6) 3831 */ 3832int 3833sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 3834 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 3835 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 3836 u_int8_t ecn_bits) 3837{ 3838 /* 3839 * Control chunk processing 3840 */ 3841 u_int32_t high_tsn; 3842 int fwd_tsn_seen = 0, data_processed = 0; 3843 struct mbuf *m = *mm; 3844 int abort_flag = 0; 3845 3846 sctp_pegs[SCTP_DATAGRAMS_RCVD]++; 3847#ifdef SCTP_AUDITING_ENABLED 3848 sctp_audit_log(0xE0, 1); 3849 sctp_auditing(0, inp, stcb, net); 3850#endif 3851 3852#ifdef SCTP_DEBUG 3853 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3854 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d\n", 3855 m, iphlen, offset, length); 3856 } 3857#endif /* SCTP_DEBUG */ 3858 if (IS_SCTP_CONTROL(ch)) { 3859 /* process the control portion of the SCTP packet */ 3860#ifdef SCTP_DEBUG 3861 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3862 printf("Processing control\n"); 3863 } 3864#endif /* SCTP_DEBUG */ 3865 3866 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 3867 inp, stcb, &net, &fwd_tsn_seen); 3868 } else { 3869 /* 3870 * no control chunks, so pre-process DATA chunks 3871 * (these checks are taken care of by control processing) 3872 */ 3873#ifdef SCTP_DEBUG 3874 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3875 printf("No control present\n"); 3876 } 3877#endif /* SCTP_DEBUG */ 3878 3879 if (stcb == NULL) { 3880 /* out of the blue DATA chunk */ 3881 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3882 return (1); 3883 } 3884 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 3885 /* v_tag mismatch! */ 3886 sctp_pegs[SCTP_BAD_VTAGS]++; 3887 SCTP_TCB_UNLOCK(stcb); 3888 return (1); 3889 } 3890 } 3891 if (stcb == NULL) { 3892 /* 3893 * no valid TCB for this packet, 3894 * or we found it's a bad packet while processing control, 3895 * or we're done with this packet (done or skip rest of data), 3896 * so we drop it... 3897 */ 3898 return (1); 3899 } 3900#ifdef SCTP_DEBUG 3901 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3902 printf("Ok, control finished time to look for data (%d) offset:%d\n", 3903 length, offset); 3904 } 3905#endif /* SCTP_DEBUG */ 3906 /* 3907 * DATA chunk processing 3908 */ 3909 /* plow through the data chunks while length > offset */ 3910 stcb->asoc.seen_a_sack_this_pkt = 0; 3911 3912 if (length > offset) { 3913 int retval; 3914 /* 3915 * First check to make sure our state is correct. 3916 * We would not get here unless we really did have a 3917 * tag, so we don't abort if this happens, just 3918 * dump the chunk silently. 3919 */ 3920 switch (SCTP_GET_STATE(&stcb->asoc)) { 3921 case SCTP_STATE_COOKIE_ECHOED: 3922 /* 3923 * we consider data with valid tags in 3924 * this state shows us the cookie-ack was lost. 3925 * Imply it was there. 3926 */ 3927 stcb->asoc.overall_error_count = 0; 3928 sctp_handle_cookie_ack( 3929 (struct sctp_cookie_ack_chunk *)ch, stcb, net); 3930 break; 3931 case SCTP_STATE_COOKIE_WAIT: 3932 /* 3933 * We consider OOTB any data sent during asoc setup. 3934 */ 3935 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3936 SCTP_TCB_UNLOCK(stcb); 3937 return (1); 3938 break; 3939 case SCTP_STATE_EMPTY: /* should not happen */ 3940 case SCTP_STATE_INUSE: /* should not happen */ 3941 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 3942 case SCTP_STATE_SHUTDOWN_ACK_SENT: 3943 default: 3944#ifdef SCTP_DEBUG 3945 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3946 printf("Got data in invalid state %d.. dropping\n", stcb->asoc.state); 3947 } 3948#endif 3949 SCTP_TCB_UNLOCK(stcb); 3950 return (1); 3951 break; 3952 case SCTP_STATE_OPEN: 3953 case SCTP_STATE_SHUTDOWN_SENT: 3954 break; 3955 } 3956 /* take care of ECN, part 1. */ 3957 if (stcb->asoc.ecn_allowed && 3958 (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3959 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 3960 } 3961 /* plow through the data chunks while length > offset */ 3962 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 3963 inp, stcb, net, &high_tsn); 3964 if (retval == 2) { 3965 /* The association aborted, NO UNLOCK needed 3966 * since the association is destroyed. 3967 */ 3968 return (0); 3969 } 3970 3971 data_processed = 1; 3972 if (retval == 0) { 3973 /* take care of ecn part 2. */ 3974 if (stcb->asoc.ecn_allowed && (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3975 sctp_process_ecn_marked_b(stcb, net, high_tsn, ecn_bits); 3976 3977 } 3978 } 3979 3980 /* 3981 * Anything important needs to have been m_copy'ed in 3982 * process_data 3983 */ 3984 } 3985 if ((data_processed == 0) && (fwd_tsn_seen)) { 3986 int was_a_gap = 0; 3987 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 3988 stcb->asoc.cumulative_tsn, MAX_TSN)) { 3989 /* there was a gap before this data was processed */ 3990 was_a_gap = 1; 3991 } 3992 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 3993 if (abort_flag) { 3994 /* Again, we aborted so NO UNLOCK needed */ 3995 return (0); 3996 } 3997 } 3998 /* trigger send of any chunks in queue... */ 3999#ifdef SCTP_AUDITING_ENABLED 4000 sctp_audit_log(0xE0, 2); 4001 sctp_auditing(1, inp, stcb, net); 4002#endif 4003#ifdef SCTP_DEBUG 4004 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4005 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4006 stcb->asoc.peers_rwnd, 4007 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4008 stcb->asoc.total_flight); 4009 } 4010#endif 4011 if (stcb->asoc.peers_rwnd > 0 || 4012 !TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4013 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)) { 4014#ifdef SCTP_DEBUG 4015 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4016 printf("Calling chunk OUTPUT\n"); 4017 } 4018#endif 4019 sctp_chunk_output(inp, stcb, 3); 4020#ifdef SCTP_DEBUG 4021 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4022 printf("chunk OUTPUT returns\n"); 4023 } 4024#endif 4025 } 4026 4027#ifdef SCTP_AUDITING_ENABLED 4028 sctp_audit_log(0xE0, 3); 4029 sctp_auditing(2, inp, stcb, net); 4030#endif 4031 SCTP_TCB_UNLOCK(stcb); 4032 return (0); 4033} 4034 4035#if defined(__OpenBSD__) 4036static void 4037sctp_saveopt(struct sctp_inpcb *inp, struct mbuf **mp, struct ip *ip, 4038 struct mbuf *m) 4039{ 4040 if (inp->ip_inp.inp.inp_flags & INP_RECVDSTADDR) { 4041 *mp = sbcreatecontrol((vaddr_t) &ip->ip_dst, 4042 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP); 4043 if (*mp) 4044 mp = &(*mp)->m_next; 4045 } 4046} 4047#endif 4048 4049extern int sctp_no_csum_on_loopback; 4050 4051void 4052sctp_input(struct mbuf *m, ...) 4053{ 4054 int iphlen; 4055 u_int8_t ecn_bits; 4056 struct ip *ip; 4057 struct sctphdr *sh; 4058 struct sctp_inpcb *inp = NULL; 4059 struct mbuf *opts = 0; 4060/*#ifdef INET6*/ 4061/* Don't think this is needed */ 4062/* struct ip6_recvpktopts opts6;*/ 4063/*#endif INET6 */ 4064 4065 u_int32_t check, calc_check; 4066 struct sctp_nets *net; 4067 struct sctp_tcb *stcb = NULL; 4068 struct sctp_chunkhdr *ch; 4069 int refcount_up = 0; 4070 int length, mlen, offset; 4071 4072 int off; 4073 va_list ap; 4074 4075 va_start(ap, m); 4076 iphlen = off = va_arg(ap, int); 4077 va_end(ap); 4078 4079 net = NULL; 4080 sctp_pegs[SCTP_INPKTS]++; 4081#ifdef SCTP_DEBUG 4082 /*if (sctp_debug_on & SCTP_DEBUG_INPUT1) {*/ 4083 printf("V4 input gets a packet iphlen:%d pktlen:%d\n", iphlen, m->m_pkthdr.len); 4084 /*}*/ 4085#endif 4086/*#ifdef INET6*/ 4087/* Don't think this is needed */ 4088/* bzero(&opts6, sizeof(opts6));*/ 4089/*#endif INET6 */ 4090 4091 /* 4092 * Strip IP options, we don't allow any in or out. 4093 */ 4094 if ((size_t)iphlen > sizeof(struct ip)) { 4095 printf("sctp_input: got options\n"); 4096#if 0 /* XXX */ 4097 ip_stripoptions(m, (struct mbuf *)0); 4098#endif 4099 iphlen = sizeof(struct ip); 4100 } 4101 4102 /* 4103 * Get IP, SCTP, and first chunk header together in first mbuf. 4104 */ 4105 ip = mtod(m, struct ip *); 4106 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4107 if (m->m_len < offset) { 4108 if ((m = m_pullup(m, offset)) == 0) { 4109 sctp_pegs[SCTP_HDR_DROPS]++; 4110 return; 4111 } 4112 ip = mtod(m, struct ip *); 4113 } 4114 sh = (struct sctphdr *)((vaddr_t)ip + iphlen); 4115 ch = (struct sctp_chunkhdr *)((vaddr_t)sh + sizeof(*sh)); 4116 4117 /* SCTP does not allow broadcasts or multicasts */ 4118 if (IN_MULTICAST(ip->ip_dst.s_addr)) 4119 { 4120 sctp_pegs[SCTP_IN_MCAST]++; 4121 goto bad; 4122 } 4123 if (in_broadcast(ip->ip_dst, m_get_rcvif_NOMPSAFE(m))) { 4124 sctp_pegs[SCTP_IN_MCAST]++; 4125 goto bad; 4126 } 4127 4128 /* destination port of 0 is illegal, based on RFC2960. */ 4129 if (sh->dest_port == 0) { 4130 sctp_pegs[SCTP_HDR_DROPS]++; 4131 goto bad; 4132 } 4133 4134 /* validate SCTP checksum */ 4135 if ((sctp_no_csum_on_loopback == 0) || 4136 (m_get_rcvif_NOMPSAFE(m) == NULL) || 4137 (m_get_rcvif_NOMPSAFE(m)->if_type != IFT_LOOP)) { 4138 /* we do NOT validate things from the loopback if the 4139 * sysctl is set to 1. 4140 */ 4141 check = sh->checksum; /* save incoming checksum */ 4142 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4143 /* special hook for where we got a local address 4144 * somehow routed across a non IFT_LOOP type interface 4145 */ 4146 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4147 goto sctp_skip_csum_4; 4148 } 4149 sh->checksum = 0; /* prepare for calc */ 4150 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4151 if (calc_check != check) { 4152#ifdef SCTP_DEBUG 4153 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4154 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4155 calc_check, check, m, mlen, iphlen); 4156 } 4157#endif 4158 4159 stcb = sctp_findassociation_addr(m, iphlen, 4160 offset - sizeof(*ch), 4161 sh, ch, &inp, &net); 4162 if ((inp) && (stcb)) { 4163 sctp_send_packet_dropped(stcb, net, m, iphlen, 4164 1); 4165 sctp_chunk_output(inp, stcb, 2); 4166 } else if ((inp != NULL) && (stcb == NULL)) { 4167 refcount_up = 1; 4168 } 4169 sctp_pegs[SCTP_BAD_CSUM]++; 4170 goto bad; 4171 } 4172 sh->checksum = calc_check; 4173 } else { 4174 sctp_skip_csum_4: 4175 mlen = m->m_pkthdr.len; 4176 } 4177 /* validate mbuf chain length with IP payload length */ 4178#if defined(__NetBSD__) || defined(__OpenBSD__) 4179 /* Open BSD gives us the len in network order, fix it */ 4180 NTOHS(ip->ip_len); 4181#endif 4182 if (mlen < (ip->ip_len - iphlen)) { 4183 sctp_pegs[SCTP_HDR_DROPS]++; 4184 goto bad; 4185 } 4186 4187 /* 4188 * Locate pcb and tcb for datagram 4189 * sctp_findassociation_addr() wants IP/SCTP/first chunk header... 4190 */ 4191#ifdef SCTP_DEBUG 4192 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4193 printf("V4 find association\n"); 4194 } 4195#endif 4196 4197 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4198 sh, ch, &inp, &net); 4199 /* inp's ref-count increased && stcb locked */ 4200 if (inp == NULL) { 4201 struct sctp_init_chunk *init_chk, chunk_buf; 4202 4203 sctp_pegs[SCTP_NOPORTS]++; 4204#ifdef ICMP_BANDLIM 4205 /* 4206 * we use the bandwidth limiting to protect against 4207 * sending too many ABORTS all at once. In this case 4208 * these count the same as an ICMP message. 4209 */ 4210 if (badport_bandlim(0) < 0) 4211 goto bad; 4212#endif /* ICMP_BANDLIM */ 4213#ifdef SCTP_DEBUG 4214 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4215 printf("Sending a ABORT from packet entry!\n"); 4216 } 4217#endif 4218 if (ch->chunk_type == SCTP_INITIATION) { 4219 /* we do a trick here to get the INIT tag, 4220 * dig in and get the tag from the INIT and 4221 * put it in the common header. 4222 */ 4223 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4224 iphlen + sizeof(*sh), sizeof(*init_chk), 4225 (u_int8_t *)&chunk_buf); 4226 if (init_chk != NULL) 4227 sh->v_tag = init_chk->init.initiate_tag; 4228 } 4229 sctp_send_abort(m, iphlen, sh, 0, NULL); 4230 goto bad; 4231 } else if (stcb == NULL) { 4232 refcount_up = 1; 4233 } 4234#ifdef IPSEC 4235 /* 4236 * I very much doubt any of the IPSEC stuff will work but I have 4237 * no idea, so I will leave it in place. 4238 */ 4239 if (ipsec_used && ipsec_in_reject(m, (struct inpcb *)inp)) { 4240#if 0 4241 ipsecstat.in_polvio++; 4242#endif 4243 sctp_pegs[SCTP_HDR_DROPS]++; 4244 goto bad; 4245 } 4246#endif /* IPSEC */ 4247 4248 /* 4249 * Construct sockaddr format source address. 4250 * Stuff source address and datagram in user buffer. 4251 */ 4252 if ((inp->ip_inp.inp.inp_flags & INP_CONTROLOPTS) 4253 || (inp->sctp_socket->so_options & SO_TIMESTAMP) 4254 ) { 4255 ip_savecontrol((struct inpcb *)inp, &opts, ip, m); 4256 } 4257 4258 /* 4259 * common chunk processing 4260 */ 4261 length = ip->ip_len - (ip->ip_hl << 2) + iphlen; 4262 offset -= sizeof(struct sctp_chunkhdr); 4263 4264 ecn_bits = ip->ip_tos; 4265 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4266 inp, stcb, net, ecn_bits); 4267 /* inp's ref-count reduced && stcb unlocked */ 4268 if (m) { 4269 sctp_m_freem(m); 4270 } 4271 if (opts) 4272 sctp_m_freem(opts); 4273 4274 if ((inp) && (refcount_up)) { 4275 /* reduce ref-count */ 4276 SCTP_INP_WLOCK(inp); 4277 SCTP_INP_DECR_REF(inp); 4278 SCTP_INP_WUNLOCK(inp); 4279 } 4280 4281 return; 4282bad: 4283 if (stcb) { 4284 SCTP_TCB_UNLOCK(stcb); 4285 } 4286 4287 if ((inp) && (refcount_up)) { 4288 /* reduce ref-count */ 4289 SCTP_INP_WLOCK(inp); 4290 SCTP_INP_DECR_REF(inp); 4291 SCTP_INP_WUNLOCK(inp); 4292 } 4293 4294 if (m) { 4295 sctp_m_freem(m); 4296 } 4297 if (opts) 4298 sctp_m_freem(opts); 4299 return; 4300} 4301