sctp_input.c revision 1.6
1/* $KAME: sctp_input.c,v 1.28 2005/04/21 18:36:21 nishida Exp $ */ 2/* $NetBSD: sctp_input.c,v 1.6 2017/06/23 15:13:21 rjs Exp $ */ 3 4/* 5 * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc, 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33#include <sys/cdefs.h> 34__KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.6 2017/06/23 15:13:21 rjs Exp $"); 35 36#ifdef _KERNEL_OPT 37#include "opt_ipsec.h" 38#include "opt_inet.h" 39#include "opt_sctp.h" 40#endif /* _KERNEL_OPT */ 41 42#include <sys/param.h> 43#include <sys/systm.h> 44#include <sys/malloc.h> 45#include <sys/mbuf.h> 46#include <sys/socket.h> 47#include <sys/socketvar.h> 48#include <sys/sysctl.h> 49#include <sys/domain.h> 50#include <sys/protosw.h> 51#include <sys/kernel.h> 52#include <sys/errno.h> 53#include <sys/syslog.h> 54 55#include <machine/limits.h> 56#include <machine/cpu.h> 57 58#include <net/if.h> 59#include <net/route.h> 60#include <net/if_types.h> 61 62#include <netinet/in.h> 63#include <netinet/in_systm.h> 64#include <netinet/ip.h> 65#include <netinet/in_pcb.h> 66#include <netinet/in_var.h> 67#include <netinet/ip_var.h> 68 69#ifdef INET6 70#include <netinet/ip6.h> 71#include <netinet6/ip6_var.h> 72#endif /* INET6 */ 73 74#include <netinet/ip_icmp.h> 75#include <netinet/icmp_var.h> 76#include <netinet/sctp_var.h> 77#include <netinet/sctp_pcb.h> 78#include <netinet/sctp_header.h> 79#include <netinet/sctputil.h> 80#include <netinet/sctp_output.h> 81#include <netinet/sctp_input.h> 82#include <netinet/sctp_hashdriver.h> 83#include <netinet/sctp_indata.h> 84#include <netinet/sctp_asconf.h> 85 86#ifdef IPSEC 87#include <netipsec/ipsec.h> 88#include <netipsec/key.h> 89#endif /*IPSEC*/ 90 91#include <net/net_osdep.h> 92 93#ifdef SCTP_DEBUG 94extern u_int32_t sctp_debug_on; 95#endif 96 97/* INIT handler */ 98static void 99sctp_handle_init(struct mbuf *m, int iphlen, int offset, 100 struct sctphdr *sh, struct sctp_init_chunk *cp, struct sctp_inpcb *inp, 101 struct sctp_tcb *stcb, struct sctp_nets *net) 102{ 103 struct sctp_init *init; 104 struct mbuf *op_err; 105#ifdef SCTP_DEBUG 106 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 107 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 108 } 109#endif 110 op_err = NULL; 111 init = &cp->init; 112 /* First are we accepting? */ 113 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 114 (inp->sctp_socket->so_qlimit == 0)) { 115 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 116 return; 117 } 118 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 119 /* Invalid length */ 120 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 121 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 122 return; 123 } 124 /* validate parameters */ 125 if (init->initiate_tag == 0) { 126 /* protocol error... send abort */ 127 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 128 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 129 return; 130 } 131 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 132 /* invalid parameter... send abort */ 133 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 134 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 135 return; 136 } 137 if (init->num_inbound_streams == 0) { 138 /* protocol error... send abort */ 139 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 140 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 141 return; 142 } 143 if (init->num_outbound_streams == 0) { 144 /* protocol error... send abort */ 145 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 146 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 147 return; 148 } 149 150 /* send an INIT-ACK w/cookie */ 151#ifdef SCTP_DEBUG 152 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 153 printf("sctp_handle_init: sending INIT-ACK\n"); 154 } 155#endif 156 157 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 158} 159 160/* 161 * process peer "INIT/INIT-ACK" chunk 162 * returns value < 0 on error 163 */ 164 165static int 166sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 167 struct sctp_nets *net) 168{ 169 struct sctp_init *init; 170 struct sctp_association *asoc; 171 struct sctp_nets *lnet; 172 unsigned int i; 173 174 init = &cp->init; 175 asoc = &stcb->asoc; 176 /* save off parameters */ 177 asoc->peer_vtag = ntohl(init->initiate_tag); 178 asoc->peers_rwnd = ntohl(init->a_rwnd); 179 180 if (TAILQ_FIRST(&asoc->nets)) { 181 /* update any ssthresh's that may have a default */ 182 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 183 lnet->ssthresh = asoc->peers_rwnd; 184 } 185 } 186 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 187 unsigned int newcnt; 188 struct sctp_stream_out *outs; 189 struct sctp_tmit_chunk *chk; 190 191 /* cut back on number of streams */ 192 newcnt = ntohs(init->num_inbound_streams); 193 /* This if is probably not needed but I am cautious */ 194 if (asoc->strmout) { 195 /* First make sure no data chunks are trapped */ 196 for (i=newcnt; i < asoc->pre_open_streams; i++) { 197 outs = &asoc->strmout[i]; 198 chk = TAILQ_FIRST(&outs->outqueue); 199 while (chk) { 200 TAILQ_REMOVE(&outs->outqueue, chk, 201 sctp_next); 202 asoc->stream_queue_cnt--; 203 sctp_ulp_notify(SCTP_NOTIFY_DG_FAIL, 204 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 205 chk); 206 if (chk->data) { 207 sctp_m_freem(chk->data); 208 chk->data = NULL; 209 } 210 sctp_free_remote_addr(chk->whoTo); 211 chk->whoTo = NULL; 212 chk->asoc = NULL; 213 /* Free the chunk */ 214 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 215 sctppcbinfo.ipi_count_chunk--; 216 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 217 panic("Chunk count is negative"); 218 } 219 sctppcbinfo.ipi_gencnt_chunk++; 220 chk = TAILQ_FIRST(&outs->outqueue); 221 } 222 } 223 } 224 /* cut back the count and abandon the upper streams */ 225 asoc->pre_open_streams = newcnt; 226 } 227 asoc->streamincnt = ntohs(init->num_outbound_streams); 228 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 229 asoc->streamincnt = MAX_SCTP_STREAMS; 230 } 231 232 asoc->streamoutcnt = asoc->pre_open_streams; 233 /* init tsn's */ 234 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 235#ifdef SCTP_MAP_LOGGING 236 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 237#endif 238 /* This is the next one we expect */ 239 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 240 241 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 242 asoc->cumulative_tsn = asoc->asconf_seq_in; 243 asoc->last_echo_tsn = asoc->asconf_seq_in; 244 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 245 /* open the requested streams */ 246 if (asoc->strmin != NULL) { 247 /* Free the old ones */ 248 free(asoc->strmin, M_PCB); 249 } 250 asoc->strmin = malloc(asoc->streamincnt * sizeof(struct sctp_stream_in), 251 M_PCB, M_NOWAIT); 252 if (asoc->strmin == NULL) { 253 /* we didn't get memory for the streams! */ 254#ifdef SCTP_DEBUG 255 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 256 printf("process_init: couldn't get memory for the streams!\n"); 257 } 258#endif 259 return (-1); 260 } 261 for (i = 0; i < asoc->streamincnt; i++) { 262 asoc->strmin[i].stream_no = i; 263 asoc->strmin[i].last_sequence_delivered = 0xffff; 264 /* 265 * U-stream ranges will be set when the cookie 266 * is unpacked. Or for the INIT sender they 267 * are un set (if pr-sctp not supported) when the 268 * INIT-ACK arrives. 269 */ 270 TAILQ_INIT(&asoc->strmin[i].inqueue); 271 /* 272 * we are not on any wheel, pr-sctp streams 273 * will go on the wheel when they have data waiting 274 * for reorder. 275 */ 276 asoc->strmin[i].next_spoke.tqe_next = 0; 277 asoc->strmin[i].next_spoke.tqe_prev = 0; 278 } 279 280 /* 281 * load_address_from_init will put the addresses into the 282 * association when the COOKIE is processed or the INIT-ACK 283 * is processed. Both types of COOKIE's existing and new 284 * call this routine. It will remove addresses that 285 * are no longer in the association (for the restarting 286 * case where addresses are removed). Up front when the 287 * INIT arrives we will discard it if it is a restart 288 * and new addresses have been added. 289 */ 290 return (0); 291} 292 293/* 294 * INIT-ACK message processing/consumption 295 * returns value < 0 on error 296 */ 297static int 298sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 299 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 300 struct sctp_nets *net) 301{ 302 struct sctp_association *asoc; 303 struct mbuf *op_err; 304 int retval, abort_flag; 305 uint32_t initack_limit; 306 /* First verify that we have no illegal param's */ 307 abort_flag = 0; 308 op_err = NULL; 309 310 op_err = sctp_arethere_unrecognized_parameters(m, 311 (offset+sizeof(struct sctp_init_chunk)) , 312 &abort_flag, (struct sctp_chunkhdr *)cp); 313 if (abort_flag) { 314 /* Send an abort and notify peer */ 315 if (op_err != NULL) { 316 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 317 } else { 318 /* 319 * Just notify (abort_assoc does this if 320 * we send an abort). 321 */ 322 sctp_abort_notification(stcb, 0); 323 /* 324 * No sense in further INIT's since 325 * we will get the same param back 326 */ 327 sctp_free_assoc(stcb->sctp_ep, stcb); 328 } 329 return (-1); 330 } 331 asoc = &stcb->asoc; 332 /* process the peer's parameters in the INIT-ACK */ 333 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 334 if (retval < 0) { 335 return (retval); 336 } 337 338 initack_limit = offset + ntohs(cp->ch.chunk_length); 339 /* load all addresses */ 340 if (sctp_load_addresses_from_init(stcb, m, iphlen, 341 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 342 NULL)) { 343 /* Huh, we should abort */ 344 sctp_abort_notification(stcb, 0); 345 sctp_free_assoc(stcb->sctp_ep, stcb); 346 return (-1); 347 } 348 if (op_err) { 349 sctp_queue_op_err(stcb, op_err); 350 /* queuing will steal away the mbuf chain to the out queue */ 351 op_err = NULL; 352 } 353 /* extract the cookie and queue it to "echo" it back... */ 354 stcb->asoc.overall_error_count = 0; 355 net->error_count = 0; 356 retval = sctp_send_cookie_echo(m, offset, stcb, net); 357 if (retval < 0) { 358 /* 359 * No cookie, we probably should send a op error. 360 * But in any case if there is no cookie in the INIT-ACK, 361 * we can abandon the peer, its broke. 362 */ 363 if (retval == -3) { 364 /* We abort with an error of missing mandatory param */ 365 op_err = 366 sctp_generate_invmanparam(SCTP_CAUSE_MISS_PARAM); 367 if (op_err) { 368 /* 369 * Expand beyond to include the mandatory 370 * param cookie 371 */ 372 struct sctp_inv_mandatory_param *mp; 373 op_err->m_len = 374 sizeof(struct sctp_inv_mandatory_param); 375 mp = mtod(op_err, 376 struct sctp_inv_mandatory_param *); 377 /* Subtract the reserved param */ 378 mp->length = 379 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 380 mp->num_param = htonl(1); 381 mp->param = htons(SCTP_STATE_COOKIE); 382 mp->resv = 0; 383 } 384 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 385 sh, op_err); 386 } 387 return (retval); 388 } 389 390 /* 391 * Cancel the INIT timer, We do this first before queueing 392 * the cookie. We always cancel at the primary to assue that 393 * we are canceling the timer started by the INIT which always 394 * goes to the primary. 395 */ 396 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 397 asoc->primary_destination); 398 399 /* calculate the RTO */ 400 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 401 402 return (0); 403} 404 405static void 406sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 407 struct sctp_tcb *stcb, struct sctp_nets *net) 408{ 409 struct sockaddr_storage store; 410 struct sockaddr_in *sin; 411 struct sockaddr_in6 *sin6; 412 struct sctp_nets *r_net; 413 struct timeval tv; 414 415 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 416 /* Invalid length */ 417 return; 418 } 419 420 sin = (struct sockaddr_in *)&store; 421 sin6 = (struct sockaddr_in6 *)&store; 422 423 memset(&store, 0, sizeof(store)); 424 if (cp->heartbeat.hb_info.addr_family == AF_INET && 425 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 426 sin->sin_family = cp->heartbeat.hb_info.addr_family; 427 sin->sin_len = cp->heartbeat.hb_info.addr_len; 428 sin->sin_port = stcb->rport; 429 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 430 sizeof(sin->sin_addr)); 431 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 432 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 433 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 434 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 435 sin6->sin6_port = stcb->rport; 436 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 437 sizeof(sin6->sin6_addr)); 438 } else { 439#ifdef SCTP_DEBUG 440 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 441 printf("unsupported address family"); 442 } 443#endif 444 return; 445 } 446 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 447 if (r_net == NULL) { 448#ifdef SCTP_DEBUG 449 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 450 printf("Huh? I can't find the address I sent it to, discard\n"); 451 } 452#endif 453 return; 454 } 455 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 456 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 457 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 458 /* 459 * If the its a HB and it's random value is correct when 460 * can confirm the destination. 461 */ 462 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 463 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 464 stcb, 0, (void *)r_net); 465 } 466 r_net->error_count = 0; 467 r_net->hb_responded = 1; 468 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 469 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 470 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 471 r_net->dest_state = SCTP_ADDR_REACHABLE; 472 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 473 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 474 475 /* now was it the primary? if so restore */ 476 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 477 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 478 } 479 } 480 /* Now lets do a RTO with this */ 481 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 482} 483 484static void 485sctp_handle_abort(struct sctp_abort_chunk *cp, 486 struct sctp_tcb *stcb, struct sctp_nets *net) 487{ 488 489#ifdef SCTP_DEBUG 490 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 491 printf("sctp_handle_abort: handling ABORT\n"); 492 } 493#endif 494 if (stcb == NULL) 495 return; 496 /* verify that the destination addr is in the association */ 497 /* ignore abort for addresses being deleted */ 498 499 /* stop any receive timers */ 500 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net); 501 /* notify user of the abort and clean up... */ 502 sctp_abort_notification(stcb, 0); 503 /* free the tcb */ 504 sctp_free_assoc(stcb->sctp_ep, stcb); 505#ifdef SCTP_DEBUG 506 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 507 printf("sctp_handle_abort: finished\n"); 508 } 509#endif 510} 511 512static void 513sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 514 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 515{ 516 struct sctp_association *asoc; 517 int some_on_streamwheel; 518 519#ifdef SCTP_DEBUG 520 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 521 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 522 } 523#endif 524 if (stcb == NULL) 525 return; 526 527 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) || 528 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 529 return; 530 } 531 532 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 533 /* update current data status */ 534#ifdef SCTP_DEBUG 535 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 536 printf("Warning Shutdown NOT the expected size.. skipping (%d:%d)\n", 537 ntohs(cp->ch.chunk_length), 538 (int)sizeof(struct sctp_shutdown_chunk)); 539 } 540#endif 541 return; 542 } else { 543 sctp_update_acked(stcb, cp, net, abort_flag); 544 } 545 asoc = &stcb->asoc; 546 /* goto SHUTDOWN_RECEIVED state to block new requests */ 547 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 548 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 549 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 550#ifdef SCTP_DEBUG 551 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 552 printf("Moving to SHUTDOWN-RECEIVED state\n"); 553 } 554#endif 555 /* notify upper layer that peer has initiated a shutdown */ 556 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 557 558 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 559 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 560 561 /* Set the flag so we cannot send more, we 562 * would call the function but we don't want to 563 * wake up the ulp necessarily. 564 */ 565#if defined(__FreeBSD__) && __FreeBSD_version >= 502115 566 stcb->sctp_ep->sctp_socket->so_rcv.sb_state |= SBS_CANTSENDMORE; 567#else 568 stcb->sctp_ep->sctp_socket->so_state |= SS_CANTSENDMORE; 569#endif 570 } 571 /* reset time */ 572 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 573 } 574 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 575 /* 576 * stop the shutdown timer, since we WILL move 577 * to SHUTDOWN-ACK-SENT. 578 */ 579 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 580 } 581 /* Now are we there yet? */ 582 some_on_streamwheel = 0; 583 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 584 /* Check to see if some data queued */ 585 struct sctp_stream_out *outs; 586 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 587 if (!TAILQ_EMPTY(&outs->outqueue)) { 588 some_on_streamwheel = 1; 589 break; 590 } 591 } 592 } 593#ifdef SCTP_DEBUG 594 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 595 printf("some_on_streamwheel:%d send_q_empty:%d sent_q_empty:%d\n", 596 some_on_streamwheel, 597 !TAILQ_EMPTY(&asoc->send_queue), 598 !TAILQ_EMPTY(&asoc->sent_queue)); 599 } 600#endif 601 if (!TAILQ_EMPTY(&asoc->send_queue) || 602 !TAILQ_EMPTY(&asoc->sent_queue) || 603 some_on_streamwheel) { 604 /* By returning we will push more data out */ 605 return; 606 } else { 607 /* no outstanding data to send, so move on... */ 608 /* send SHUTDOWN-ACK */ 609 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 610 /* move to SHUTDOWN-ACK-SENT state */ 611 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 612#ifdef SCTP_DEBUG 613 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 614 printf("moving to SHUTDOWN_ACK state\n"); 615 } 616#endif 617 /* start SHUTDOWN timer */ 618 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 619 stcb, net); 620 } 621} 622 623static void 624sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 625 struct sctp_tcb *stcb, struct sctp_nets *net) 626{ 627 struct sctp_association *asoc; 628 629#ifdef SCTP_DEBUG 630 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 631 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 632 } 633#endif 634 if (stcb == NULL) 635 return; 636 637 asoc = &stcb->asoc; 638 /* process according to association state */ 639 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 640 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 641 /* unexpected SHUTDOWN-ACK... so ignore... */ 642 return; 643 } 644 /* are the queues empty? */ 645 if (!TAILQ_EMPTY(&asoc->send_queue) || 646 !TAILQ_EMPTY(&asoc->sent_queue) || 647 !TAILQ_EMPTY(&asoc->out_wheel)) { 648 sctp_report_all_outbound(stcb); 649 } 650 /* stop the timer */ 651 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 652 /* send SHUTDOWN-COMPLETE */ 653 sctp_send_shutdown_complete(stcb, net); 654 /* notify upper layer protocol */ 655 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 656 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 657 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 658 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 659 /* Set the connected flag to disconnected */ 660 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 661 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0; 662 soisdisconnected(stcb->sctp_ep->sctp_socket); 663 } 664 /* free the TCB but first save off the ep */ 665 sctp_free_assoc(stcb->sctp_ep, stcb); 666} 667 668/* 669 * Skip past the param header and then we will find the chunk that 670 * caused the problem. There are two possiblities ASCONF or FWD-TSN 671 * other than that and our peer must be broken. 672 */ 673static void 674sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 675 struct sctp_nets *net) 676{ 677 struct sctp_chunkhdr *chk; 678 679 chk = (struct sctp_chunkhdr *)((vaddr_t)phdr + sizeof(*phdr)); 680 switch (chk->chunk_type) { 681 case SCTP_ASCONF_ACK: 682#ifdef SCTP_DEBUG 683 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 684 printf("Strange peer, snds ASCONF but does not recongnize asconf-ack?\n"); 685 } 686#endif 687 case SCTP_ASCONF: 688#ifdef SCTP_DEBUG 689 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 690 printf("Peer does not support ASCONF/ASCONF-ACK chunks\n"); 691 } 692#endif /* SCTP_DEBUG */ 693 sctp_asconf_cleanup(stcb, net); 694 break; 695 case SCTP_FORWARD_CUM_TSN: 696 stcb->asoc.peer_supports_prsctp = 0; 697 break; 698 default: 699#ifdef SCTP_DEBUG 700 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 701 printf("Peer does not support chunk type %d(%x)??\n", 702 chk->chunk_type, (u_int)chk->chunk_type); 703 } 704#endif 705 break; 706 } 707} 708 709/* 710 * Skip past the param header and then we will find the param that 711 * caused the problem. There are a number of param's in a ASCONF 712 * OR the prsctp param these will turn of specific features. 713 */ 714static void 715sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 716{ 717 struct sctp_paramhdr *pbad; 718 719 pbad = phdr + 1; 720 switch (ntohs(pbad->param_type)) { 721 /* pr-sctp draft */ 722 case SCTP_PRSCTP_SUPPORTED: 723 stcb->asoc.peer_supports_prsctp = 0; 724 break; 725 case SCTP_SUPPORTED_CHUNK_EXT: 726 break; 727 /* draft-ietf-tsvwg-addip-sctp */ 728 case SCTP_ECN_NONCE_SUPPORTED: 729 stcb->asoc.peer_supports_ecn_nonce = 0; 730 stcb->asoc.ecn_nonce_allowed = 0; 731 stcb->asoc.ecn_allowed = 0; 732 break; 733 case SCTP_ADD_IP_ADDRESS: 734 case SCTP_DEL_IP_ADDRESS: 735 stcb->asoc.peer_supports_asconf = 0; 736 break; 737 case SCTP_SET_PRIM_ADDR: 738 stcb->asoc.peer_supports_asconf_setprim = 0; 739 break; 740 case SCTP_SUCCESS_REPORT: 741 case SCTP_ERROR_CAUSE_IND: 742#ifdef SCTP_DEBUG 743 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 744 printf("Huh, the peer does not support success? or error cause?\n"); 745 printf("Turning off ASCONF to this strange peer\n"); 746 } 747#endif 748 stcb->asoc.peer_supports_asconf = 0; 749 stcb->asoc.peer_supports_asconf_setprim = 0; 750 break; 751 default: 752#ifdef SCTP_DEBUG 753 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 754 printf("Peer does not support base param type %d(%x)??\n", 755 pbad->param_type, (u_int)pbad->param_type); 756 } 757#endif 758 break; 759 } 760} 761 762static int 763sctp_handle_error(struct sctp_chunkhdr *ch, 764 struct sctp_tcb *stcb, struct sctp_nets *net) 765{ 766 int chklen; 767 struct sctp_paramhdr *phdr; 768 uint16_t error_type; 769 uint16_t error_len; 770 struct sctp_association *asoc; 771 772 int adjust; 773 /* parse through all of the errors and process */ 774 asoc = &stcb->asoc; 775 phdr = (struct sctp_paramhdr *)((vaddr_t)ch + 776 sizeof(struct sctp_chunkhdr)); 777 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 778 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 779 /* Process an Error Cause */ 780 error_type = ntohs(phdr->param_type); 781 error_len = ntohs(phdr->param_length); 782 if ((error_len > chklen) || (error_len == 0)) { 783 /* invalid param length for this param */ 784#ifdef SCTP_DEBUG 785 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 786 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 787 chklen, error_len); 788 } 789#endif /* SCTP_DEBUG */ 790 return (0); 791 } 792 switch (error_type) { 793 case SCTP_CAUSE_INV_STRM: 794 case SCTP_CAUSE_MISS_PARAM: 795 case SCTP_CAUSE_INVALID_PARAM: 796 case SCTP_CAUSE_NOUSER_DATA: 797#ifdef SCTP_DEBUG 798 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 799 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 800 error_type); 801 } 802#endif 803 break; 804 case SCTP_CAUSE_STALE_COOKIE: 805 /* We only act if we have echoed a cookie and are waiting. */ 806 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 807 int *p; 808 p = (int *)((vaddr_t)phdr + sizeof(*phdr)); 809 /* Save the time doubled */ 810 asoc->cookie_preserve_req = ntohl(*p) << 1; 811 asoc->stale_cookie_count++; 812 if (asoc->stale_cookie_count > 813 asoc->max_init_times) { 814 sctp_abort_notification(stcb, 0); 815 /* now free the asoc */ 816 sctp_free_assoc(stcb->sctp_ep, stcb); 817 return (-1); 818 } 819 /* blast back to INIT state */ 820 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 821 asoc->state |= SCTP_STATE_COOKIE_WAIT; 822 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 823 stcb->sctp_ep, stcb, net); 824 sctp_send_initiate(stcb->sctp_ep, stcb); 825 } 826 break; 827 case SCTP_CAUSE_UNRESOLV_ADDR: 828 /* 829 * Nothing we can do here, we don't do hostname 830 * addresses so if the peer does not like my IPv6 (or 831 * IPv4 for that matter) it does not matter. If they 832 * don't support that type of address, they can NOT 833 * possibly get that packet type... i.e. with no IPv6 834 * you can't recieve a IPv6 packet. so we can safely 835 * ignore this one. If we ever added support for 836 * HOSTNAME Addresses, then we would need to do 837 * something here. 838 */ 839 break; 840 case SCTP_CAUSE_UNRECOG_CHUNK: 841 sctp_process_unrecog_chunk(stcb, phdr, net); 842 break; 843 case SCTP_CAUSE_UNRECOG_PARAM: 844 sctp_process_unrecog_param(stcb, phdr); 845 break; 846 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 847 /* 848 * We ignore this since the timer will drive out a new 849 * cookie anyway and there timer will drive us to send 850 * a SHUTDOWN_COMPLETE. We can't send one here since 851 * we don't have their tag. 852 */ 853 break; 854 case SCTP_CAUSE_DELETEING_LAST_ADDR: 855 case SCTP_CAUSE_OPERATION_REFUSED: 856 case SCTP_CAUSE_DELETING_SRC_ADDR: 857 /* We should NOT get these here, but in a ASCONF-ACK. */ 858#ifdef SCTP_DEBUG 859 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 860 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 861 error_type); 862 } 863#endif 864 break; 865 case SCTP_CAUSE_OUT_OF_RESC: 866 /* 867 * And what, pray tell do we do with the fact 868 * that the peer is out of resources? Not 869 * really sure we could do anything but abort. 870 * I suspect this should have came WITH an 871 * abort instead of in a OP-ERROR. 872 */ 873 break; 874 default: 875#ifdef SCTP_DEBUG 876 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 877 /* don't know what this error cause is... */ 878 printf("sctp_handle_error: unknown error type = 0x%xh\n", 879 error_type); 880 } 881#endif /* SCTP_DEBUG */ 882 break; 883 } 884 adjust = SCTP_SIZE32(error_len); 885 chklen -= adjust; 886 phdr = (struct sctp_paramhdr *)((vaddr_t)phdr + adjust); 887 } 888 return (0); 889} 890 891static int 892sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 893 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 894 struct sctp_nets *net) 895{ 896 struct sctp_init_ack *init_ack; 897 int *state; 898 struct mbuf *op_err; 899 900#ifdef SCTP_DEBUG 901 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 902 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 903 } 904#endif 905 if (stcb == NULL) { 906#ifdef SCTP_DEBUG 907 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 908 printf("sctp_handle_init_ack: TCB is null\n"); 909 } 910#endif 911 return (-1); 912 } 913 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 914 /* Invalid length */ 915 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 916 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 917 op_err); 918 return (-1); 919 } 920 init_ack = &cp->init; 921 /* validate parameters */ 922 if (init_ack->initiate_tag == 0) { 923 /* protocol error... send an abort */ 924 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 925 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 926 op_err); 927 return (-1); 928 } 929 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 930 /* protocol error... send an abort */ 931 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 932 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 933 op_err); 934 return (-1); 935 } 936 if (init_ack->num_inbound_streams == 0) { 937 /* protocol error... send an abort */ 938 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 939 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 940 op_err); 941 return (-1); 942 } 943 if (init_ack->num_outbound_streams == 0) { 944 /* protocol error... send an abort */ 945 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 946 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 947 op_err); 948 return (-1); 949 } 950 951 /* process according to association state... */ 952 state = &stcb->asoc.state; 953 switch (*state & SCTP_STATE_MASK) { 954 case SCTP_STATE_COOKIE_WAIT: 955 /* this is the expected state for this chunk */ 956 /* process the INIT-ACK parameters */ 957 if (stcb->asoc.primary_destination->dest_state & 958 SCTP_ADDR_UNCONFIRMED) { 959 /* 960 * The primary is where we sent the INIT, we can 961 * always consider it confirmed when the INIT-ACK 962 * is returned. Do this before we load addresses 963 * though. 964 */ 965 stcb->asoc.primary_destination->dest_state &= 966 ~SCTP_ADDR_UNCONFIRMED; 967 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 968 stcb, 0, (void *)stcb->asoc.primary_destination); 969 } 970 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net 971 ) < 0) { 972 /* error in parsing parameters */ 973#ifdef SCTP_DEBUG 974 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 975 printf("sctp_process_init_ack: error in msg, discarding\n"); 976 } 977#endif 978 return (-1); 979 } 980 /* update our state */ 981#ifdef SCTP_DEBUG 982 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 983 printf("moving to COOKIE-ECHOED state\n"); 984 } 985#endif 986 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 987 *state = SCTP_STATE_COOKIE_ECHOED | 988 SCTP_STATE_SHUTDOWN_PENDING; 989 } else { 990 *state = SCTP_STATE_COOKIE_ECHOED; 991 } 992 993 /* reset the RTO calc */ 994 stcb->asoc.overall_error_count = 0; 995 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 996 /* 997 * collapse the init timer back in case of a exponential backoff 998 */ 999 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1000 stcb, net); 1001 /* 1002 * the send at the end of the inbound data processing will 1003 * cause the cookie to be sent 1004 */ 1005 break; 1006 case SCTP_STATE_SHUTDOWN_SENT: 1007 /* incorrect state... discard */ 1008 break; 1009 case SCTP_STATE_COOKIE_ECHOED: 1010 /* incorrect state... discard */ 1011 break; 1012 case SCTP_STATE_OPEN: 1013 /* incorrect state... discard */ 1014 break; 1015 case SCTP_STATE_EMPTY: 1016 case SCTP_STATE_INUSE: 1017 default: 1018 /* incorrect state... discard */ 1019#ifdef SCTP_DEBUG 1020 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1021 printf("Leaving handle-init-ack default\n"); 1022 } 1023#endif 1024 return (-1); 1025 break; 1026 } /* end switch asoc state */ 1027#ifdef SCTP_DEBUG 1028 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1029 printf("Leaving handle-init-ack end\n"); 1030 } 1031#endif 1032 return (0); 1033} 1034 1035 1036/* 1037 * handle a state cookie for an existing association 1038 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1039 * note: this is a "split" mbuf and the cookie signature does not exist 1040 * offset: offset into mbuf to the cookie-echo chunk 1041 */ 1042static struct sctp_tcb * 1043sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1044 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1045 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1046 struct sockaddr *init_src, int *notification) 1047{ 1048 struct sctp_association *asoc; 1049 struct sctp_init_chunk *init_cp, init_buf; 1050 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1051 int chk_length; 1052 int init_offset, initack_offset; 1053 int retval; 1054 1055 /* I know that the TCB is non-NULL from the caller */ 1056 asoc = &stcb->asoc; 1057 1058 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1059 /* SHUTDOWN came in after sending INIT-ACK */ 1060 struct mbuf *op_err; 1061 struct sctp_paramhdr *ph; 1062 1063 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1064#ifdef SCTP_DEBUG 1065 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1066 printf("sctp_handle_cookie: got a cookie, while shutting down!\n"); 1067 } 1068#endif 1069 MGETHDR(op_err, M_DONTWAIT, MT_HEADER); 1070 if (op_err == NULL) { 1071 /* FOOBAR */ 1072 return (NULL); 1073 } 1074 /* pre-reserve some space */ 1075 op_err->m_data += sizeof(struct ip6_hdr); 1076 op_err->m_data += sizeof(struct sctphdr); 1077 op_err->m_data += sizeof(struct sctp_chunkhdr); 1078 /* Set the len */ 1079 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr); 1080 ph = mtod(op_err, struct sctp_paramhdr *); 1081 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1082 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1083 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1084 return (NULL); 1085 } 1086 /* 1087 * find and validate the INIT chunk in the cookie (peer's info) 1088 * the INIT should start after the cookie-echo header struct 1089 * (chunk header, state cookie header struct) 1090 */ 1091 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1092 1093 init_cp = (struct sctp_init_chunk *) 1094 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1095 (u_int8_t *)&init_buf); 1096 if (init_cp == NULL) { 1097 /* could not pull a INIT chunk in cookie */ 1098#ifdef SCTP_DEBUG 1099 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1100 printf("process_cookie_existing: could not pull INIT chunk hdr\n"); 1101 } 1102#endif /* SCTP_DEBUG */ 1103 return (NULL); 1104 } 1105 chk_length = ntohs(init_cp->ch.chunk_length); 1106 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1107#ifdef SCTP_DEBUG 1108 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1109 printf("process_cookie_existing: could not find INIT chunk!\n"); 1110 } 1111#endif /* SCTP_DEBUG */ 1112 return (NULL); 1113 } 1114 1115 /* 1116 * find and validate the INIT-ACK chunk in the cookie (my info) 1117 * the INIT-ACK follows the INIT chunk 1118 */ 1119 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1120 initack_cp = (struct sctp_init_ack_chunk *) 1121 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1122 (u_int8_t *)&initack_buf); 1123 if (initack_cp == NULL) { 1124 /* could not pull INIT-ACK chunk in cookie */ 1125#ifdef SCTP_DEBUG 1126 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1127 printf("process_cookie_existing: could not pull INIT-ACK chunk hdr\n"); 1128 } 1129#endif /* SCTP_DEBUG */ 1130 return (NULL); 1131 } 1132 chk_length = ntohs(initack_cp->ch.chunk_length); 1133 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1134#ifdef SCTP_DEBUG 1135 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1136 printf("process_cookie_existing: could not find INIT-ACK chunk!\n"); 1137 } 1138#endif /* SCTP_DEBUG */ 1139 return (NULL); 1140 } 1141 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1142 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1143 /* 1144 * case D in Section 5.2.4 Table 2: MMAA 1145 * process accordingly to get into the OPEN state 1146 */ 1147 switch SCTP_GET_STATE(asoc) { 1148 case SCTP_STATE_COOKIE_WAIT: 1149 /* 1150 * INIT was sent, but got got a COOKIE_ECHO with 1151 * the correct tags... just accept it... 1152 */ 1153 /* First we must process the INIT !! */ 1154 retval = sctp_process_init(init_cp, stcb, net); 1155 if (retval < 0) { 1156#ifdef SCTP_DEBUG 1157 printf("process_cookie_existing: INIT processing failed\n"); 1158#endif 1159 return (NULL); 1160 } 1161 /* intentional fall through to below... */ 1162 1163 case SCTP_STATE_COOKIE_ECHOED: 1164 /* Duplicate INIT case */ 1165 /* we have already processed the INIT so no problem */ 1166 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1167 net); 1168 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1169 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, 1170 net); 1171 /* update current state */ 1172 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1173 asoc->state = SCTP_STATE_OPEN | 1174 SCTP_STATE_SHUTDOWN_PENDING; 1175 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { 1176 /* if ok, move to OPEN state */ 1177 asoc->state = SCTP_STATE_OPEN; 1178 } 1179 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1180 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1181 (!(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING))) { 1182 /* 1183 * Here is where collision would go if we did a 1184 * connect() and instead got a 1185 * init/init-ack/cookie done before the 1186 * init-ack came back.. 1187 */ 1188 stcb->sctp_ep->sctp_flags |= 1189 SCTP_PCB_FLAGS_CONNECTED; 1190 soisconnected(stcb->sctp_ep->sctp_socket); 1191 } 1192 /* notify upper layer */ 1193 *notification = SCTP_NOTIFY_ASSOC_UP; 1194 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1195 net); 1196 /* 1197 * since we did not send a HB make sure we don't double 1198 * things 1199 */ 1200 net->hb_responded = 1; 1201 1202 if (stcb->asoc.sctp_autoclose_ticks && 1203 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1204 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1205 inp, stcb, NULL); 1206 } 1207 break; 1208 default: 1209 /* 1210 * we're in the OPEN state (or beyond), so peer 1211 * must have simply lost the COOKIE-ACK 1212 */ 1213 break; 1214 } /* end switch */ 1215 1216 /* 1217 * We ignore the return code here.. not sure if we should 1218 * somehow abort.. but we do have an existing asoc. This 1219 * really should not fail. 1220 */ 1221 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1222 init_offset + sizeof(struct sctp_init_chunk), 1223 initack_offset, sh, init_src)) { 1224#ifdef SCTP_DEBUG 1225 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1226 printf("Weird cookie load_address failure on cookie existing - 1\n"); 1227 } 1228#endif 1229 return (NULL); 1230 } 1231 1232 /* respond with a COOKIE-ACK */ 1233 sctp_send_cookie_ack(stcb); 1234 return (stcb); 1235 } /* end if */ 1236 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1237 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1238 cookie->tie_tag_my_vtag == 0 && 1239 cookie->tie_tag_peer_vtag == 0) { 1240 /* 1241 * case C in Section 5.2.4 Table 2: XMOO 1242 * silently discard 1243 */ 1244 return (NULL); 1245 } 1246 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1247 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1248 init_cp->init.initiate_tag == 0)) { 1249 /* 1250 * case B in Section 5.2.4 Table 2: MXAA or MOAA 1251 * my info should be ok, re-accept peer info 1252 */ 1253 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1254 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1255 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1256 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1257 /* 1258 * since we did not send a HB make sure we don't double things 1259 */ 1260 net->hb_responded = 1; 1261 if (stcb->asoc.sctp_autoclose_ticks && 1262 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1263 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1264 NULL); 1265 } 1266 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1267 asoc->pre_open_streams = 1268 ntohs(initack_cp->init.num_outbound_streams); 1269 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1270 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1271 asoc->init_seq_number; 1272 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1273 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1274 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1275 asoc->str_reset_seq_in = asoc->init_seq_number; 1276 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1277 1278 /* process the INIT info (peer's info) */ 1279 retval = sctp_process_init(init_cp, stcb, net); 1280 if (retval < 0) { 1281#ifdef SCTP_DEBUG 1282 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1283 printf("process_cookie_existing: INIT processing failed\n"); 1284 } 1285#endif 1286 return (NULL); 1287 } 1288 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1289 init_offset + sizeof(struct sctp_init_chunk), 1290 initack_offset, sh, init_src)) { 1291#ifdef SCTP_DEBUG 1292 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1293 printf("Weird cookie load_address failure on cookie existing - 2\n"); 1294 } 1295#endif 1296 return (NULL); 1297 } 1298 1299 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1300 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1301 *notification = SCTP_NOTIFY_ASSOC_UP; 1302 1303 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1304 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1305 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1306 stcb->sctp_ep->sctp_flags |= 1307 SCTP_PCB_FLAGS_CONNECTED; 1308 soisconnected(stcb->sctp_ep->sctp_socket); 1309 } 1310 } 1311 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1312 asoc->state = SCTP_STATE_OPEN | 1313 SCTP_STATE_SHUTDOWN_PENDING; 1314 } else { 1315 asoc->state = SCTP_STATE_OPEN; 1316 } 1317 sctp_send_cookie_ack(stcb); 1318 return (stcb); 1319 } 1320 1321 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1322 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1323 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1324 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1325 cookie->tie_tag_peer_vtag != 0) { 1326 /* 1327 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1328 */ 1329 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net); 1330 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net); 1331 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1332 1333 /* notify upper layer */ 1334 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1335 1336 /* send up all the data */ 1337 sctp_report_all_outbound(stcb); 1338 1339 /* process the INIT-ACK info (my info) */ 1340 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1341 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1342 asoc->pre_open_streams = 1343 ntohs(initack_cp->init.num_outbound_streams); 1344 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1345 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 1346 asoc->init_seq_number; 1347 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1348 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1349 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1350 asoc->str_reset_seq_in = asoc->init_seq_number; 1351 1352 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1353 if (asoc->mapping_array) 1354 memset(asoc->mapping_array, 0, 1355 asoc->mapping_array_size); 1356 /* process the INIT info (peer's info) */ 1357 retval = sctp_process_init(init_cp, stcb, net); 1358 if (retval < 0) { 1359#ifdef SCTP_DEBUG 1360 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1361 printf("process_cookie_existing: INIT processing failed\n"); 1362 } 1363#endif 1364 return (NULL); 1365 } 1366 1367 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); 1368 /* 1369 * since we did not send a HB make sure we don't double things 1370 */ 1371 net->hb_responded = 1; 1372 1373 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1374 init_offset + sizeof(struct sctp_init_chunk), 1375 initack_offset, sh, init_src)) { 1376#ifdef SCTP_DEBUG 1377 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1378 printf("Weird cookie load_address failure on cookie existing - 3\n"); 1379 } 1380#endif 1381 return (NULL); 1382 } 1383 1384 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1385 asoc->state = SCTP_STATE_OPEN | 1386 SCTP_STATE_SHUTDOWN_PENDING; 1387 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1388 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1389 asoc->state = SCTP_STATE_OPEN; 1390 } 1391 /* respond with a COOKIE-ACK */ 1392 sctp_send_cookie_ack(stcb); 1393 1394 return (stcb); 1395 } 1396 /* all other cases... */ 1397 return (NULL); 1398} 1399 1400/* 1401 * handle a state cookie for a new association 1402 * m: input packet mbuf chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk 1403 * note: this is a "split" mbuf and the cookie signature does not exist 1404 * offset: offset into mbuf to the cookie-echo chunk 1405 * length: length of the cookie chunk 1406 * to: where the init was from 1407 * returns a new TCB 1408 */ 1409static struct sctp_tcb * 1410sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1411 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1412 struct sctp_inpcb *inp, struct sctp_nets **netp, 1413 struct sockaddr *init_src, int *notification) 1414{ 1415 struct sctp_tcb *stcb; 1416 struct sctp_init_chunk *init_cp, init_buf; 1417 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1418 struct sockaddr_storage sa_store; 1419 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1420 struct sockaddr_in *sin; 1421 struct sockaddr_in6 *sin6; 1422 struct sctp_association *asoc; 1423 int chk_length; 1424 int init_offset, initack_offset, initack_limit; 1425 int retval; 1426 int error = 0; 1427 /* 1428 * find and validate the INIT chunk in the cookie (peer's info) 1429 * the INIT should start after the cookie-echo header struct 1430 * (chunk header, state cookie header struct) 1431 */ 1432 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1433 init_cp = (struct sctp_init_chunk *) 1434 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1435 (u_int8_t *)&init_buf); 1436 if (init_cp == NULL) { 1437 /* could not pull a INIT chunk in cookie */ 1438#ifdef SCTP_DEBUG 1439 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1440 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1441 } 1442#endif /* SCTP_DEBUG */ 1443 return (NULL); 1444 } 1445 chk_length = ntohs(init_cp->ch.chunk_length); 1446 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1447#ifdef SCTP_DEBUG 1448 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1449 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1450 } 1451#endif /* SCTP_DEBUG */ 1452 return (NULL); 1453 } 1454 1455 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1456 /* 1457 * find and validate the INIT-ACK chunk in the cookie (my info) 1458 * the INIT-ACK follows the INIT chunk 1459 */ 1460 initack_cp = (struct sctp_init_ack_chunk *) 1461 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1462 (u_int8_t *)&initack_buf); 1463 if (initack_cp == NULL) { 1464 /* could not pull INIT-ACK chunk in cookie */ 1465#ifdef SCTP_DEBUG 1466 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1467 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1468 } 1469#endif /* SCTP_DEBUG */ 1470 return (NULL); 1471 } 1472 chk_length = ntohs(initack_cp->ch.chunk_length); 1473 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1474#ifdef SCTP_DEBUG 1475 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1476 u_int8_t *pp; 1477 pp = (u_int8_t *)initack_cp; 1478 printf("process_cookie_new: could not find INIT-ACK chunk!\n"); 1479 printf("Found bytes %x %x %x %x at postion %d\n", 1480 (u_int)pp[0], (u_int)pp[1], (u_int)pp[2], 1481 (u_int)pp[3], initack_offset); 1482 } 1483#endif /* SCTP_DEBUG */ 1484 return (NULL); 1485 } 1486 initack_limit = initack_offset + SCTP_SIZE32(chk_length); 1487 1488 /* 1489 * now that we know the INIT/INIT-ACK are in place, 1490 * create a new TCB and popluate 1491 */ 1492 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, ntohl(initack_cp->init.initiate_tag)); 1493 if (stcb == NULL) { 1494 struct mbuf *op_err; 1495 /* memory problem? */ 1496#ifdef SCTP_DEBUG 1497 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1498 printf("process_cookie_new: no room for another TCB!\n"); 1499 } 1500#endif /* SCTP_DEBUG */ 1501 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1502 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1503 sh, op_err); 1504 return (NULL); 1505 } 1506 1507 /* get the correct sctp_nets */ 1508 *netp = sctp_findnet(stcb, init_src); 1509 asoc = &stcb->asoc; 1510 /* get scope variables out of cookie */ 1511 asoc->ipv4_local_scope = cookie->ipv4_scope; 1512 asoc->site_scope = cookie->site_scope; 1513 asoc->local_scope = cookie->local_scope; 1514 asoc->loopback_scope = cookie->loopback_scope; 1515 1516 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1517 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1518 struct mbuf *op_err; 1519 /* 1520 * Houston we have a problem. The EP changed while the cookie 1521 * was in flight. Only recourse is to abort the association. 1522 */ 1523 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1524 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1525 sh, op_err); 1526 return (NULL); 1527 } 1528 1529 /* process the INIT-ACK info (my info) */ 1530 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1531 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1532 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1533 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1534 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1535 asoc->t3timeout_highest_marked = asoc->asconf_seq_out; 1536 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1537 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1538 asoc->str_reset_seq_in = asoc->init_seq_number; 1539 1540 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1541 1542 /* process the INIT info (peer's info) */ 1543 retval = sctp_process_init(init_cp, stcb, *netp); 1544 if (retval < 0) { 1545#ifdef SCTP_DEBUG 1546 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1547 printf("process_cookie_new: INIT processing failed\n"); 1548 } 1549#endif 1550 sctp_free_assoc(inp, stcb); 1551 return (NULL); 1552 } 1553 /* load all addresses */ 1554 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1555 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1556 init_src)) { 1557 sctp_free_assoc(inp, stcb); 1558 return (NULL); 1559 } 1560 1561 /* update current state */ 1562#ifdef SCTP_DEBUG 1563 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1564 printf("moving to OPEN state\n"); 1565 } 1566#endif 1567 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1568 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1569 } else { 1570 asoc->state = SCTP_STATE_OPEN; 1571 } 1572 /* calculate the RTT */ 1573 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1574 &cookie->time_entered); 1575 1576 /* 1577 * if we're doing ASCONFs, check to see if we have any new 1578 * local addresses that need to get added to the peer (eg. 1579 * addresses changed while cookie echo in flight). This needs 1580 * to be done after we go to the OPEN state to do the correct 1581 * asconf processing. 1582 * else, make sure we have the correct addresses in our lists 1583 */ 1584 1585 /* warning, we re-use sin, sin6, sa_store here! */ 1586 /* pull in local_address (our "from" address) */ 1587 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1588 /* source addr is IPv4 */ 1589 sin = (struct sockaddr_in *)initack_src; 1590 memset(sin, 0, sizeof(*sin)); 1591 sin->sin_family = AF_INET; 1592 sin->sin_len = sizeof(struct sockaddr_in); 1593 sin->sin_addr.s_addr = cookie->laddress[0]; 1594 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1595 /* source addr is IPv6 */ 1596 sin6 = (struct sockaddr_in6 *)initack_src; 1597 memset(sin6, 0, sizeof(*sin6)); 1598 sin6->sin6_family = AF_INET6; 1599 sin6->sin6_len = sizeof(struct sockaddr_in6); 1600 sin6->sin6_scope_id = cookie->scope_id; 1601 memcpy(&sin6->sin6_addr, cookie->laddress, 1602 sizeof(sin6->sin6_addr)); 1603 } else { 1604 sctp_free_assoc(inp, stcb); 1605 return (NULL); 1606 } 1607 1608 sctp_check_address_list(stcb, m, initack_offset + 1609 sizeof(struct sctp_init_ack_chunk), initack_limit, 1610 initack_src, cookie->local_scope, cookie->site_scope, 1611 cookie->ipv4_scope, cookie->loopback_scope); 1612 1613 1614 /* set up to notify upper layer */ 1615 *notification = SCTP_NOTIFY_ASSOC_UP; 1616 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1617 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1618 !(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1619 /* 1620 * This is an endpoint that called connect() 1621 * how it got a cookie that is NEW is a bit of 1622 * a mystery. It must be that the INIT was sent, but 1623 * before it got there.. a complete INIT/INIT-ACK/COOKIE 1624 * arrived. But of course then it should have went to 1625 * the other code.. not here.. oh well.. a bit of protection 1626 * is worth having.. 1627 */ 1628 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1629 soisconnected(stcb->sctp_ep->sctp_socket); 1630 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1631 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1632 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING)) { 1633 /* 1634 * We don't want to do anything with this 1635 * one. Since it is the listening guy. The timer will 1636 * get started for accepted connections in the caller. 1637 */ 1638 ; 1639 } else { 1640 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, *netp); 1641 } 1642 /* since we did not send a HB make sure we don't double things */ 1643 (*netp)->hb_responded = 1; 1644 1645 if (stcb->asoc.sctp_autoclose_ticks && 1646 (inp->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 1647 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1648 } 1649 1650 /* respond with a COOKIE-ACK */ 1651 sctp_send_cookie_ack(stcb); 1652 1653 return (stcb); 1654} 1655 1656 1657/* 1658 * handles a COOKIE-ECHO message 1659 * stcb: modified to either a new or left as existing (non-NULL) TCB 1660 */ 1661static struct mbuf * 1662sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1663 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1664 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp) 1665{ 1666 struct sctp_state_cookie *cookie; 1667 struct sockaddr_in6 sin6; 1668 struct sockaddr_in sin; 1669 struct sctp_tcb *l_stcb=*stcb; 1670 struct sctp_inpcb *l_inp; 1671 struct sockaddr *to; 1672 struct sctp_pcb *ep; 1673 struct mbuf *m_sig; 1674 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1675 uint8_t *sig; 1676 uint8_t cookie_ok = 0; 1677 unsigned int size_of_pkt, sig_offset, cookie_offset; 1678 unsigned int cookie_len; 1679 struct timeval now; 1680 struct timeval time_expires; 1681 struct sockaddr_storage dest_store; 1682 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1683 struct ip *iph; 1684 int notification = 0; 1685 struct sctp_nets *netl; 1686 int had_a_existing_tcb = 0; 1687 1688#ifdef SCTP_DEBUG 1689 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1690 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1691 } 1692#endif 1693 1694 if (inp_p == NULL) { 1695#ifdef SCTP_DEBUG 1696 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1697 printf("sctp_handle_cookie: null inp_p!\n"); 1698 } 1699#endif 1700 return (NULL); 1701 } 1702 /* First get the destination address setup too. */ 1703 iph = mtod(m, struct ip *); 1704 if (iph->ip_v == IPVERSION) { 1705 /* its IPv4 */ 1706 struct sockaddr_in *sin_d; 1707 sin_d = (struct sockaddr_in *)(localep_sa); 1708 memset(sin_d, 0, sizeof(*sin_d)); 1709 sin_d->sin_family = AF_INET; 1710 sin_d->sin_len = sizeof(*sin_d); 1711 sin_d->sin_port = sh->dest_port; 1712 sin_d->sin_addr.s_addr = iph->ip_dst.s_addr ; 1713 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1714 /* its IPv6 */ 1715 struct ip6_hdr *ip6; 1716 struct sockaddr_in6 *sin6_d; 1717 sin6_d = (struct sockaddr_in6 *)(localep_sa); 1718 memset(sin6_d, 0, sizeof(*sin6_d)); 1719 sin6_d->sin6_family = AF_INET6; 1720 sin6_d->sin6_len = sizeof(struct sockaddr_in6); 1721 ip6 = mtod(m, struct ip6_hdr *); 1722 sin6_d->sin6_port = sh->dest_port; 1723 sin6_d->sin6_addr = ip6->ip6_dst; 1724 } else { 1725 return (NULL); 1726 } 1727 1728 cookie = &cp->cookie; 1729 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1730 cookie_len = ntohs(cp->ch.chunk_length); 1731 1732 if ((cookie->peerport != sh->src_port) && 1733 (cookie->myport != sh->dest_port) && 1734 (cookie->my_vtag != sh->v_tag)) { 1735 /* 1736 * invalid ports or bad tag. Note that we always leave 1737 * the v_tag in the header in network order and when we 1738 * stored it in the my_vtag slot we also left it in network 1739 * order. This maintians the match even though it may be in 1740 * the opposite byte order of the machine :-> 1741 */ 1742 return (NULL); 1743 } 1744 1745 /* compute size of packet */ 1746 if (m->m_flags & M_PKTHDR) { 1747 size_of_pkt = m->m_pkthdr.len; 1748 } else { 1749 /* Should have a pkt hdr really */ 1750 struct mbuf *mat; 1751 mat = m; 1752 size_of_pkt = 0; 1753 while (mat != NULL) { 1754 size_of_pkt += mat->m_len; 1755 mat = mat->m_next; 1756 } 1757 } 1758 if (cookie_len > size_of_pkt || 1759 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1760 sizeof(struct sctp_init_chunk) + 1761 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1762 /* cookie too long! or too small */ 1763#ifdef SCTP_DEBUG 1764 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1765 printf("sctp_handle_cookie: cookie_len=%u, pkt size=%u\n", cookie_len, size_of_pkt); 1766 } 1767#endif /* SCTP_DEBUG */ 1768 return (NULL); 1769 } 1770 /* 1771 * split off the signature into its own mbuf (since it 1772 * should not be calculated in the sctp_hash_digest_m() call). 1773 */ 1774 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1775 if (sig_offset > size_of_pkt) { 1776 /* packet not correct size! */ 1777 /* XXX this may already be accounted for earlier... */ 1778#ifdef SCTP_DEBUG 1779 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1780 printf("sctp_handle_cookie: sig offset=%u, pkt size=%u\n", sig_offset, size_of_pkt); 1781 } 1782#endif 1783 return (NULL); 1784 } 1785 1786 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1787 if (m_sig == NULL) { 1788 /* out of memory or ?? */ 1789#ifdef SCTP_DEBUG 1790 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1791 printf("sctp_handle_cookie: couldn't m_split the signature\n"); 1792 } 1793#endif 1794 return (NULL); 1795 } 1796 /* 1797 * compute the signature/digest for the cookie 1798 */ 1799 ep = &(*inp_p)->sctp_ep; 1800 l_inp = *inp_p; 1801 if (l_stcb) { 1802 SCTP_TCB_UNLOCK(l_stcb); 1803 } 1804 SCTP_INP_RLOCK(l_inp); 1805 if (l_stcb) { 1806 SCTP_TCB_LOCK(l_stcb); 1807 } 1808 /* which cookie is it? */ 1809 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1810 (ep->current_secret_number != ep->last_secret_number)) { 1811 /* it's the old cookie */ 1812#ifdef SCTP_DEBUG 1813 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1814 printf("sctp_handle_cookie: old cookie sig\n"); 1815 } 1816#endif 1817 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1818 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1819 } else { 1820 /* it's the current cookie */ 1821#ifdef SCTP_DEBUG 1822 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1823 printf("sctp_handle_cookie: current cookie sig\n"); 1824 } 1825#endif 1826 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->current_secret_number], 1827 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1828 } 1829 /* get the signature */ 1830 SCTP_INP_RUNLOCK(l_inp); 1831 sig = (u_int8_t *)sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (u_int8_t *)&tmp_sig); 1832 if (sig == NULL) { 1833 /* couldn't find signature */ 1834#ifdef SCTP_DEBUG 1835 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1836 printf("sctp_handle_cookie: couldn't pull the signature\n"); 1837 } 1838#endif 1839 return (NULL); 1840 } 1841 /* compare the received digest with the computed digest */ 1842 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1843 /* try the old cookie? */ 1844 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1845 (ep->current_secret_number != ep->last_secret_number)) { 1846 /* compute digest with old */ 1847#ifdef SCTP_DEBUG 1848 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1849 printf("sctp_handle_cookie: old cookie sig\n"); 1850 } 1851#endif 1852 sctp_hash_digest_m((char *)ep->secret_key[(int)ep->last_secret_number], 1853 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1854 /* compare */ 1855 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1856 cookie_ok = 1; 1857 } 1858 } else { 1859 cookie_ok = 1; 1860 } 1861 1862 /* 1863 * Now before we continue we must reconstruct our mbuf so 1864 * that normal processing of any other chunks will work. 1865 */ 1866 { 1867 struct mbuf *m_at; 1868 m_at = m; 1869 while (m_at->m_next != NULL) { 1870 m_at = m_at->m_next; 1871 } 1872 m_at->m_next = m_sig; 1873 if (m->m_flags & M_PKTHDR) { 1874 /* 1875 * We should only do this if and only if the front 1876 * mbuf has a m_pkthdr... it should in theory. 1877 */ 1878 if (m_sig->m_flags & M_PKTHDR) { 1879 /* Add back to the pkt hdr of main m chain */ 1880 m->m_pkthdr.len += m_sig->m_len; 1881 } else { 1882 /* 1883 * Got a problem, no pkthdr in split chain. 1884 * TSNH but we will handle it just in case 1885 */ 1886 int mmlen = 0; 1887 struct mbuf *lat; 1888 printf("Warning: Hitting m_split join TSNH code - fixed\n"); 1889 lat = m_sig; 1890 while (lat) { 1891 mmlen += lat->m_len; 1892 lat = lat->m_next; 1893 } 1894 m->m_pkthdr.len += mmlen; 1895 } 1896 } 1897 } 1898 1899 if (cookie_ok == 0) { 1900#ifdef SCTP_DEBUG 1901 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1902 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1903 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1904 (u_int32_t)offset, cookie_offset, sig_offset); 1905 } 1906#endif 1907 return (NULL); 1908 } 1909#ifdef SCTP_DEBUG 1910 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1911 printf("handle_cookie_echo: cookie signature validation passed\n"); 1912 } 1913#endif 1914 1915 /* 1916 * check the cookie timestamps to be sure it's not stale 1917 */ 1918 SCTP_GETTIME_TIMEVAL(&now); 1919 /* Expire time is in Ticks, so we convert to seconds */ 1920 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 1921 time_expires.tv_usec = cookie->time_entered.tv_usec; 1922#ifndef __FreeBSD__ 1923 if (timercmp(&now, &time_expires, >)) 1924#else 1925 if (timevalcmp(&now, &time_expires, >)) 1926#endif 1927 { 1928 /* cookie is stale! */ 1929 struct mbuf *op_err; 1930 struct sctp_stale_cookie_msg *scm; 1931 u_int32_t tim; 1932#ifdef SCTP_DEBUG 1933 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 1934 printf("sctp_handle_cookie: got a STALE cookie!\n"); 1935 } 1936#endif 1937 MGETHDR(op_err, M_DONTWAIT, MT_HEADER); 1938 if (op_err == NULL) { 1939 /* FOOBAR */ 1940 return (NULL); 1941 } 1942 /* pre-reserve some space */ 1943 op_err->m_data += sizeof(struct ip6_hdr); 1944 op_err->m_data += sizeof(struct sctphdr); 1945 op_err->m_data += sizeof(struct sctp_chunkhdr); 1946 1947 /* Set the len */ 1948 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg); 1949 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1950 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1951 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1952 (sizeof(u_int32_t)))); 1953 /* seconds to usec */ 1954 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 1955 /* add in usec */ 1956 if (tim == 0) 1957 tim = now.tv_usec - cookie->time_entered.tv_usec; 1958 scm->time_usec = htonl(tim); 1959 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1960 return (NULL); 1961 } 1962 /* 1963 * Now we must see with the lookup address if we have an existing 1964 * asoc. This will only happen if we were in the COOKIE-WAIT state 1965 * and a INIT collided with us and somewhere the peer sent the 1966 * cookie on another address besides the single address our assoc 1967 * had for him. In this case we will have one of the tie-tags set 1968 * at least AND the address field in the cookie can be used to 1969 * look it up. 1970 */ 1971 to = NULL; 1972 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 1973 memset(&sin6, 0, sizeof(sin6)); 1974 sin6.sin6_family = AF_INET6; 1975 sin6.sin6_len = sizeof(sin6); 1976 sin6.sin6_port = sh->src_port; 1977 sin6.sin6_scope_id = cookie->scope_id; 1978 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 1979 sizeof(sin6.sin6_addr.s6_addr)); 1980 to = (struct sockaddr *)&sin6; 1981 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 1982 memset(&sin, 0, sizeof(sin)); 1983 sin.sin_family = AF_INET; 1984 sin.sin_len = sizeof(sin); 1985 sin.sin_port = sh->src_port; 1986 sin.sin_addr.s_addr = cookie->address[0]; 1987 to = (struct sockaddr *)&sin; 1988 } 1989 1990 if ((*stcb == NULL) && to) { 1991 /* Yep, lets check */ 1992 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 1993 if (*stcb == NULL) { 1994 /* We should have only got back the same inp. If we 1995 * got back a different ep we have a problem. The original 1996 * findep got back l_inp and now 1997 */ 1998 if (l_inp != *inp_p) { 1999 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 2000 } 2001 } 2002 } 2003 2004 cookie_len -= SCTP_SIGNATURE_SIZE; 2005 if (*stcb == NULL) { 2006 /* this is the "normal" case... get a new TCB */ 2007#ifdef SCTP_DEBUG 2008 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2009 printf("sctp_handle_cookie: processing NEW cookie\n"); 2010 } 2011#endif 2012 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2013 cookie_len, *inp_p, netp, to, ¬ification); 2014 /* now always decrement, since this is the normal 2015 * case.. we had no tcb when we entered. 2016 */ 2017 } else { 2018 /* this is abnormal... cookie-echo on existing TCB */ 2019#ifdef SCTP_DEBUG 2020 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2021 printf("sctp_handle_cookie: processing EXISTING cookie\n"); 2022 } 2023#endif 2024 had_a_existing_tcb = 1; 2025 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2026 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification); 2027 } 2028 2029 if (*stcb == NULL) { 2030 /* still no TCB... must be bad cookie-echo */ 2031#ifdef SCTP_DEBUG 2032 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2033 printf("handle_cookie_echo: ACK! don't have a TCB!\n"); 2034 } 2035#endif /* SCTP_DEBUG */ 2036 return (NULL); 2037 } 2038 2039 /* 2040 * Ok, we built an association so confirm the address 2041 * we sent the INIT-ACK to. 2042 */ 2043 netl = sctp_findnet(*stcb, to); 2044 /* This code should in theory NOT run but 2045 */ 2046 if (netl == NULL) { 2047#ifdef SCTP_DEBUG 2048 printf("TSNH! Huh, why do I need to add this address here?\n"); 2049#endif 2050 sctp_add_remote_addr(*stcb, to, 0, 100); 2051 netl = sctp_findnet(*stcb, to); 2052 } 2053 if (netl) { 2054 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2055 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2056 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2057 netl); 2058 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2059 (*stcb), 0, (void *)netl); 2060 } 2061 } 2062#ifdef SCTP_DEBUG 2063 else { 2064 printf("Could not add source address for some reason\n"); 2065 } 2066#endif 2067 2068 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2069 if (!had_a_existing_tcb || 2070 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2071 /* 2072 * If we have a NEW cookie or the connect never reached 2073 * the connected state during collision we must do the 2074 * TCP accept thing. 2075 */ 2076 struct socket *so, *oso; 2077 struct sctp_inpcb *inp; 2078 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2079 /* 2080 * For a restart we will keep the same socket, 2081 * no need to do anything. I THINK!! 2082 */ 2083 sctp_ulp_notify(notification, *stcb, 0, NULL); 2084 return (m); 2085 } 2086 oso = (*inp_p)->sctp_socket; 2087 SCTP_TCB_UNLOCK((*stcb)); 2088 so = sonewconn(oso, SS_ISCONNECTED); 2089 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2090 SCTP_TCB_LOCK((*stcb)); 2091 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2092 if (so == NULL) { 2093 struct mbuf *op_err; 2094 /* Too many sockets */ 2095#ifdef SCTP_DEBUG 2096 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2097 printf("process_cookie_new: no room for another socket!\n"); 2098 } 2099#endif /* SCTP_DEBUG */ 2100 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2101 sctp_abort_association(*inp_p, NULL, m, iphlen, 2102 sh, op_err); 2103 sctp_free_assoc(*inp_p, *stcb); 2104 return (NULL); 2105 } 2106 inp = (struct sctp_inpcb *)so->so_pcb; 2107 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2108 SCTP_PCB_FLAGS_CONNECTED | 2109 SCTP_PCB_FLAGS_IN_TCPPOOL | 2110 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2111 SCTP_PCB_FLAGS_DONT_WAKE); 2112 inp->sctp_socket = so; 2113 2114 /* 2115 * Now we must move it from one hash table to another 2116 * and get the tcb in the right place. 2117 */ 2118 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2119 2120 /* Switch over to the new guy */ 2121 *inp_p = inp; 2122 2123 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, 2124 *stcb, *netp); 2125 2126 sctp_ulp_notify(notification, *stcb, 0, NULL); 2127 return (m); 2128 } 2129 } 2130 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2131 sctp_ulp_notify(notification, *stcb, 0, NULL); 2132 } 2133 return (m); 2134} 2135 2136static void 2137sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2138 struct sctp_tcb *stcb, struct sctp_nets *net) 2139{ 2140 /* cp must not be used, others call this without a c-ack :-) */ 2141 struct sctp_association *asoc; 2142 2143#ifdef SCTP_DEBUG 2144 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2145 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2146 } 2147#endif 2148 if (stcb == NULL) 2149 return; 2150 2151 asoc = &stcb->asoc; 2152 2153 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2154 2155 /* process according to association state */ 2156 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2157 /* state change only needed when I am in right state */ 2158#ifdef SCTP_DEBUG 2159 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2160 printf("moving to OPEN state\n"); 2161 } 2162#endif 2163 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2164 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2165 } else { 2166 asoc->state = SCTP_STATE_OPEN; 2167 } 2168 2169 /* update RTO */ 2170 if (asoc->overall_error_count == 0) { 2171 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2172 &asoc->time_entered); 2173 } 2174 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2175 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2176 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2177 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2178 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2179 soisconnected(stcb->sctp_ep->sctp_socket); 2180 } 2181 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2182 stcb, net); 2183 /* since we did not send a HB make sure we don't double things */ 2184 net->hb_responded = 1; 2185 2186 if (stcb->asoc.sctp_autoclose_ticks && 2187 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_AUTOCLOSE)) { 2188 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2189 stcb->sctp_ep, stcb, NULL); 2190 } 2191 2192 /* 2193 * set ASCONF timer if ASCONFs are pending and allowed 2194 * (eg. addresses changed when init/cookie echo in flight) 2195 */ 2196 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_DO_ASCONF) && 2197 (stcb->asoc.peer_supports_asconf) && 2198 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2199 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2200 stcb->sctp_ep, stcb, 2201 stcb->asoc.primary_destination); 2202 } 2203 2204 } 2205 /* Toss the cookie if I can */ 2206 sctp_toss_old_cookies(asoc); 2207 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2208 /* Restart the timer if we have pending data */ 2209 struct sctp_tmit_chunk *chk; 2210 chk = TAILQ_FIRST(&asoc->sent_queue); 2211 if (chk) { 2212 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2213 stcb, chk->whoTo); 2214 } 2215 } 2216 2217} 2218 2219static void 2220sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2221 struct sctp_tcb *stcb) 2222{ 2223 struct sctp_nets *net; 2224 struct sctp_tmit_chunk *lchk; 2225 u_int32_t tsn; 2226 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2227 return; 2228 } 2229 sctp_pegs[SCTP_ECNE_RCVD]++; 2230 tsn = ntohl(cp->tsn); 2231 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2232 /* Also we make sure we disable the nonce_wait */ 2233 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2234 if (lchk == NULL) { 2235 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2236 } else { 2237 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2238 } 2239 stcb->asoc.nonce_wait_for_ecne = 0; 2240 stcb->asoc.nonce_sum_check = 0; 2241 2242 /* Find where it was sent, if possible */ 2243 net = NULL; 2244 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2245 while (lchk) { 2246 if (lchk->rec.data.TSN_seq == tsn) { 2247 net = lchk->whoTo; 2248 break; 2249 } 2250 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2251 break; 2252 lchk = TAILQ_NEXT(lchk, sctp_next); 2253 } 2254 if (net == NULL) 2255 /* default is we use the primary */ 2256 net = stcb->asoc.primary_destination; 2257 2258 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2259#ifdef SCTP_CWND_LOGGING 2260 int old_cwnd; 2261#endif 2262#ifdef SCTP_CWND_LOGGING 2263 old_cwnd = net->cwnd; 2264#endif 2265 sctp_pegs[SCTP_CWR_PERFO]++; 2266 net->ssthresh = net->cwnd / 2; 2267 if (net->ssthresh < net->mtu) { 2268 net->ssthresh = net->mtu; 2269 /* here back off the timer as well, to slow us down */ 2270 net->RTO <<= 2; 2271 } 2272 net->cwnd = net->ssthresh; 2273#ifdef SCTP_CWND_LOGGING 2274 sctp_log_cwnd(net, (net->cwnd-old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2275#endif 2276 /* we reduce once every RTT. So we will only lower 2277 * cwnd at the next sending seq i.e. the resync_tsn. 2278 */ 2279 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2280 } 2281 /* 2282 * We always send a CWR this way if our previous one was lost 2283 * our peer will get an update, or if it is not time again 2284 * to reduce we still get the cwr to the peer. 2285 */ 2286 sctp_send_cwr(stcb, net, tsn); 2287} 2288 2289static void 2290sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2291{ 2292 /* Here we get a CWR from the peer. We must look in 2293 * the outqueue and make sure that we have a covered 2294 * ECNE in teh control chunk part. If so remove it. 2295 */ 2296 struct sctp_tmit_chunk *chk; 2297 struct sctp_ecne_chunk *ecne; 2298 2299 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2300 if (chk->rec.chunk_id != SCTP_ECN_ECHO) { 2301 continue; 2302 } 2303 /* Look for and remove if it is the right TSN. Since 2304 * there is only ONE ECNE on the control queue at 2305 * any one time we don't need to worry about more than 2306 * one! 2307 */ 2308 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2309 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2310 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2311 /* this covers this ECNE, we can remove it */ 2312 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2313 sctp_next); 2314 if (chk->data) { 2315 sctp_m_freem(chk->data); 2316 chk->data = NULL; 2317 } 2318 stcb->asoc.ctrl_queue_cnt--; 2319 sctp_free_remote_addr(chk->whoTo); 2320 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2321 sctppcbinfo.ipi_count_chunk--; 2322 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2323 panic("Chunk count is negative"); 2324 } 2325 sctppcbinfo.ipi_gencnt_chunk++; 2326 break; 2327 } 2328 } 2329} 2330 2331static void 2332sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2333 struct sctp_tcb *stcb, struct sctp_nets *net) 2334{ 2335 struct sctp_association *asoc; 2336 2337#ifdef SCTP_DEBUG 2338 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2339 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2340 } 2341#endif 2342 if (stcb == NULL) 2343 return; 2344 2345 asoc = &stcb->asoc; 2346 /* process according to association state */ 2347 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2348 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2349 return; 2350 } 2351 /* notify upper layer protocol */ 2352 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2353 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2354 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2355 stcb->sctp_ep->sctp_flags &= ~SCTP_PCB_FLAGS_CONNECTED; 2356 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 2357 stcb->sctp_ep->sctp_socket->so_snd.sb_mbcnt = 0; 2358 soisdisconnected(stcb->sctp_ep->sctp_socket); 2359 } 2360 /* are the queues empty? they should be */ 2361 if (!TAILQ_EMPTY(&asoc->send_queue) || 2362 !TAILQ_EMPTY(&asoc->sent_queue) || 2363 !TAILQ_EMPTY(&asoc->out_wheel)) { 2364 sctp_report_all_outbound(stcb); 2365 } 2366 /* stop the timer */ 2367 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net); 2368 /* free the TCB */ 2369 sctp_free_assoc(stcb->sctp_ep, stcb); 2370 return; 2371} 2372 2373static int 2374process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2375 struct sctp_nets *net, u_int8_t flg) 2376{ 2377 switch (desc->chunk_type) { 2378 case SCTP_DATA: 2379 /* find the tsn to resend (possibly */ 2380 { 2381 u_int32_t tsn; 2382 struct sctp_tmit_chunk *tp1; 2383 tsn = ntohl(desc->tsn_ifany); 2384 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2385 while (tp1) { 2386 if (tp1->rec.data.TSN_seq == tsn) { 2387 /* found it */ 2388 break; 2389 } 2390 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2391 MAX_TSN)) { 2392 /* not found */ 2393 tp1 = NULL; 2394 break; 2395 } 2396 tp1 = TAILQ_NEXT(tp1, sctp_next); 2397 } 2398 if (tp1 == NULL) { 2399 /* Do it the other way */ 2400 sctp_pegs[SCTP_PDRP_DNFND]++; 2401 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2402 while (tp1) { 2403 if (tp1->rec.data.TSN_seq == tsn) { 2404 /* found it */ 2405 break; 2406 } 2407 tp1 = TAILQ_NEXT(tp1, sctp_next); 2408 } 2409 } 2410 if (tp1 == NULL) { 2411 sctp_pegs[SCTP_PDRP_TSNNF]++; 2412 } 2413 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2414 u_int8_t *ddp; 2415 if (((tp1->rec.data.state_flags & SCTP_WINDOW_PROBE) == SCTP_WINDOW_PROBE) && 2416 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2417 sctp_pegs[SCTP_PDRP_DIWNP]++; 2418 return (0); 2419 } 2420 if (stcb->asoc.peers_rwnd == 0 && 2421 (flg & SCTP_FROM_MIDDLE_BOX)) { 2422 sctp_pegs[SCTP_PDRP_DIZRW]++; 2423 return (0); 2424 } 2425 ddp = (u_int8_t *)(mtod(tp1->data, vaddr_t) + 2426 sizeof(struct sctp_data_chunk)); 2427 { 2428 unsigned int iii; 2429 for (iii = 0; iii < sizeof(desc->data_bytes); 2430 iii++) { 2431 if (ddp[iii] != desc->data_bytes[iii]) { 2432 sctp_pegs[SCTP_PDRP_BADD]++; 2433 return (-1); 2434 } 2435 } 2436 } 2437 if (tp1->sent != SCTP_DATAGRAM_RESEND) { 2438 stcb->asoc.sent_queue_retran_cnt++; 2439 } 2440 /* We zero out the nonce so resync not needed */ 2441 tp1->rec.data.ect_nonce = 0; 2442 2443 if (tp1->do_rtt) { 2444 /* 2445 * this guy had a RTO calculation pending on it, 2446 * cancel it 2447 */ 2448 tp1->whoTo->rto_pending = 0; 2449 tp1->do_rtt = 0; 2450 } 2451 sctp_pegs[SCTP_PDRP_MARK]++; 2452 tp1->sent = SCTP_DATAGRAM_RESEND; 2453 /* 2454 * mark it as if we were doing a FR, since we 2455 * will be getting gap ack reports behind the 2456 * info from the router. 2457 */ 2458 tp1->rec.data.doing_fast_retransmit = 1; 2459 /* 2460 * mark the tsn with what sequences can cause a new FR. 2461 */ 2462 if (TAILQ_EMPTY(&stcb->asoc.send_queue) ) { 2463 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2464 } else { 2465 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2466 } 2467 2468 /* restart the timer */ 2469 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2470 stcb, tp1->whoTo); 2471 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2472 stcb, tp1->whoTo); 2473 2474 /* fix counts and things */ 2475 sctp_flight_size_decrease(tp1); 2476 sctp_total_flight_decrease(stcb, tp1); 2477 tp1->snd_count--; 2478 } 2479 { 2480 /* audit code */ 2481 unsigned int audit; 2482 audit = 0; 2483 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2484 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2485 audit++; 2486 } 2487 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2488 sctp_next) { 2489 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2490 audit++; 2491 } 2492 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2493 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2494 audit, stcb->asoc.sent_queue_retran_cnt); 2495#ifndef SCTP_AUDITING_ENABLED 2496 stcb->asoc.sent_queue_retran_cnt = audit; 2497#endif 2498 } 2499 } 2500 } 2501 break; 2502 case SCTP_ASCONF: 2503 { 2504 struct sctp_tmit_chunk *asconf; 2505 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2506 sctp_next) { 2507 if (asconf->rec.chunk_id == SCTP_ASCONF) { 2508 break; 2509 } 2510 } 2511 if (asconf) { 2512 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2513 stcb->asoc.sent_queue_retran_cnt++; 2514 asconf->sent = SCTP_DATAGRAM_RESEND; 2515 asconf->snd_count--; 2516 } 2517 } 2518 break; 2519 case SCTP_INITIATION: 2520 /* resend the INIT */ 2521 stcb->asoc.dropped_special_cnt++; 2522 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2523 /* 2524 * If we can get it in, in a few attempts we do this, 2525 * otherwise we let the timer fire. 2526 */ 2527 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2528 stcb, net); 2529 sctp_send_initiate(stcb->sctp_ep, stcb); 2530 } 2531 break; 2532 case SCTP_SELECTIVE_ACK: 2533 /* resend the sack */ 2534 sctp_send_sack(stcb); 2535 break; 2536 case SCTP_HEARTBEAT_REQUEST: 2537 /* resend a demand HB */ 2538 sctp_send_hb(stcb, 1, net); 2539 break; 2540 case SCTP_SHUTDOWN: 2541#ifdef SCTP_DEBUG 2542 if (sctp_debug_on & SCTP_DEBUG_OUTPUT4) { 2543 printf("%s:%d sends a shutdown\n", 2544 __FILE__, 2545 __LINE__ 2546 ); 2547 } 2548#endif 2549 sctp_send_shutdown(stcb, net); 2550 break; 2551 case SCTP_SHUTDOWN_ACK: 2552 sctp_send_shutdown_ack(stcb, net); 2553 break; 2554 case SCTP_COOKIE_ECHO: 2555 { 2556 struct sctp_tmit_chunk *cookie; 2557 cookie = NULL; 2558 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2559 sctp_next) { 2560 if (cookie->rec.chunk_id == SCTP_COOKIE_ECHO) { 2561 break; 2562 } 2563 } 2564 if (cookie) { 2565 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2566 stcb->asoc.sent_queue_retran_cnt++; 2567 cookie->sent = SCTP_DATAGRAM_RESEND; 2568 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, stcb, net); 2569 } 2570 } 2571 break; 2572 case SCTP_COOKIE_ACK: 2573 sctp_send_cookie_ack(stcb); 2574 break; 2575 case SCTP_ASCONF_ACK: 2576 /* resend last asconf ack */ 2577 sctp_send_asconf_ack(stcb, 1); 2578 break; 2579 case SCTP_FORWARD_CUM_TSN: 2580 send_forward_tsn(stcb, &stcb->asoc); 2581 break; 2582 /* can't do anything with these */ 2583 case SCTP_PACKET_DROPPED: 2584 case SCTP_INITIATION_ACK: /* this should not happen */ 2585 case SCTP_HEARTBEAT_ACK: 2586 case SCTP_ABORT_ASSOCIATION: 2587 case SCTP_OPERATION_ERROR: 2588 case SCTP_SHUTDOWN_COMPLETE: 2589 case SCTP_ECN_ECHO: 2590 case SCTP_ECN_CWR: 2591 default: 2592 break; 2593 } 2594 return (0); 2595} 2596 2597static void 2598sctp_reset_in_stream(struct sctp_tcb *stcb, 2599 struct sctp_stream_reset_response *resp, int number_entries) 2600{ 2601 int i; 2602 uint16_t *list, temp; 2603 2604 /* We set things to 0xffff since this is the last delivered 2605 * sequence and we will be sending in 0 after the reset. 2606 */ 2607 2608 if (resp->reset_flags & SCTP_RESET_PERFORMED) { 2609 if (number_entries) { 2610 list = resp->list_of_streams; 2611 for (i = 0; i < number_entries; i++) { 2612 temp = ntohs(list[i]); 2613 list[i] = temp; 2614 if (list[i] >= stcb->asoc.streamincnt) { 2615 printf("Invalid stream in-stream reset %d\n", list[i]); 2616 continue; 2617 } 2618 stcb->asoc.strmin[(list[i])].last_sequence_delivered = 0xffff; 2619 } 2620 } else { 2621 list = NULL; 2622 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2623 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2624 } 2625 } 2626 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2627 } 2628} 2629 2630static void 2631sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2632{ 2633 struct sctp_tmit_chunk *chk, *nchk; 2634 struct sctp_association *asoc; 2635 2636 asoc = &stcb->asoc; 2637 2638 for (chk = TAILQ_FIRST(&asoc->control_send_queue); 2639 chk; chk = nchk) { 2640 nchk = TAILQ_NEXT(chk, sctp_next); 2641 if (chk->rec.chunk_id == SCTP_STREAM_RESET) { 2642 struct sctp_stream_reset_req *strreq; 2643 strreq = mtod(chk->data, struct sctp_stream_reset_req *); 2644 if (strreq->sr_req.ph.param_type == ntohs(SCTP_STR_RESET_RESPONSE)) { 2645 /* we only clean up the request */ 2646 continue; 2647 } else if (strreq->sr_req.ph.param_type != ntohs(SCTP_STR_RESET_REQUEST)) { 2648 printf("TSNH, an unknown stream reset request is in queue %x\n", 2649 (u_int)ntohs(strreq->sr_req.ph.param_type)); 2650 continue; 2651 } 2652 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2653 TAILQ_REMOVE(&asoc->control_send_queue, 2654 chk, 2655 sctp_next); 2656 if (chk->data) { 2657 sctp_m_freem(chk->data); 2658 chk->data = NULL; 2659 } 2660 asoc->ctrl_queue_cnt--; 2661 sctp_free_remote_addr(chk->whoTo); 2662 SCTP_ZONE_FREE(sctppcbinfo.ipi_zone_chunk, chk); 2663 sctppcbinfo.ipi_count_chunk--; 2664 if ((int)sctppcbinfo.ipi_count_chunk < 0) { 2665 panic("Chunk count is negative"); 2666 } 2667 sctppcbinfo.ipi_gencnt_chunk++; 2668 /* we can only have one of these so we break */ 2669 break; 2670 } 2671 } 2672} 2673 2674 2675void 2676sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2677 struct sctp_stream_reset_response *resp) 2678{ 2679 uint32_t seq, tsn; 2680 int number_entries, param_length; 2681 2682 param_length = ntohs(resp->ph.param_length); 2683 seq = ntohl(resp->reset_req_seq_resp); 2684 if (seq == stcb->asoc.str_reset_seq_out) { 2685 sctp_clean_up_stream_reset(stcb); 2686 stcb->asoc.str_reset_seq_out++; 2687 stcb->asoc.stream_reset_outstanding = 0; 2688 tsn = ntohl(resp->reset_at_tsn); 2689 number_entries = (param_length - sizeof(struct sctp_stream_reset_response))/sizeof(uint16_t); 2690 tsn--; 2691 if ((tsn == stcb->asoc.cumulative_tsn) || 2692 (compare_with_wrap(stcb->asoc.cumulative_tsn, tsn, MAX_TSN))) { 2693 /* no problem we are good to go */ 2694 sctp_reset_in_stream(stcb, resp, number_entries); 2695 } else { 2696 /* So, we have a stream reset but there 2697 * is pending data. We need to copy 2698 * out the stream_reset and then queue 2699 * any data = or > resp->reset_at_tsn 2700 */ 2701 if (stcb->asoc.pending_reply != NULL) { 2702 /* FIX ME FIX ME 2703 * This IS WRONG. We need 2704 * to queue each of these up 2705 * and only release the chunks 2706 * for each reset that the cum-ack 2707 * goes by. This is a short cut. 2708 */ 2709 free(stcb->asoc.pending_reply, M_PCB); 2710 } 2711 stcb->asoc.pending_reply = malloc(param_length, 2712 M_PCB, M_NOWAIT); 2713 memcpy(stcb->asoc.pending_reply, resp, param_length); 2714 } 2715 2716 } else { 2717 /* duplicate */ 2718#ifdef SCTP_DEBUG 2719 printf("Duplicate old stream reset resp next:%x this one:%x\n", 2720 stcb->asoc.str_reset_seq_out, seq); 2721#endif 2722 } 2723} 2724 2725 2726static void 2727sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_req *sr_req) 2728{ 2729 int chk_length, param_len; 2730 struct sctp_paramhdr *ph; 2731 /* now it may be a reset or a reset-response */ 2732 struct sctp_stream_reset_request *req; 2733 struct sctp_stream_reset_response *resp; 2734 chk_length = ntohs(sr_req->ch.chunk_length); 2735 2736 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 2737 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_request)) { 2738 param_len = ntohs(ph->param_length); 2739 if (ntohs(ph->param_type) == SCTP_STR_RESET_REQUEST) { 2740 /* this will send the ACK and do the reset if needed */ 2741 req = (struct sctp_stream_reset_request *)ph; 2742 sctp_send_str_reset_ack(stcb, req); 2743 } else if (ntohs(ph->param_type) == SCTP_STR_RESET_RESPONSE) { 2744 /* Now here is a tricky one. We reset our receive side 2745 * of the streams. But what happens if the peers 2746 * next sending TSN is NOT equal to 1 minus our cumack? 2747 * And if his cumack is not equal to our next one out - 1 2748 * we have another problem if this is receprical. 2749 */ 2750 resp = (struct sctp_stream_reset_response *)ph; 2751 sctp_handle_stream_reset_response(stcb, resp); 2752 } 2753 ph = (struct sctp_paramhdr *)((vaddr_t)ph + SCTP_SIZE32(param_len)); 2754 chk_length -= SCTP_SIZE32(param_len); 2755 } 2756} 2757 2758/* 2759 * Handle a router or endpoints report of a packet loss, there 2760 * are two ways to handle this, either we get the whole packet 2761 * and must disect it ourselves (possibly with truncation and 2762 * or corruption) or it is a summary from a middle box that did 2763 * the disectting for us. 2764 */ 2765static void 2766sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 2767 struct sctp_tcb *stcb, struct sctp_nets *net) 2768{ 2769 u_int32_t bottle_bw, on_queue; 2770 u_int16_t trunc_len; 2771 unsigned int chlen; 2772 unsigned int at; 2773 struct sctp_chunk_desc desc; 2774 struct sctp_chunkhdr *ch; 2775 2776 chlen = ntohs(cp->ch.chunk_length); 2777 chlen -= sizeof(struct sctp_pktdrop_chunk); 2778 /* XXX possible chlen underflow */ 2779 if (chlen == 0) { 2780 ch = NULL; 2781 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 2782 sctp_pegs[SCTP_PDRP_BWRPT]++; 2783 } else { 2784 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 2785 chlen -= sizeof(struct sctphdr); 2786 /* XXX possible chlen underflow */ 2787 memset(&desc, 0, sizeof(desc)); 2788 } 2789 2790 /* first update a rwnd possibly */ 2791 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 2792 /* From a peer, we get a rwnd report */ 2793 u_int32_t a_rwnd; 2794 2795 sctp_pegs[SCTP_PDRP_FEHOS]++; 2796 2797 bottle_bw = ntohl(cp->bottle_bw); 2798 on_queue = ntohl(cp->current_onq); 2799 if (bottle_bw && on_queue) { 2800 /* a rwnd report is in here */ 2801 if (bottle_bw > on_queue) 2802 a_rwnd = bottle_bw - on_queue; 2803 else 2804 a_rwnd = 0; 2805 2806 if (a_rwnd <= 0) 2807 stcb->asoc.peers_rwnd = 0; 2808 else { 2809 if (a_rwnd > stcb->asoc.total_flight) { 2810 stcb->asoc.peers_rwnd = 2811 a_rwnd - stcb->asoc.total_flight; 2812 } else { 2813 stcb->asoc.peers_rwnd = 0; 2814 } 2815 if (stcb->asoc.peers_rwnd < 2816 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 2817 /* SWS sender side engages */ 2818 stcb->asoc.peers_rwnd = 0; 2819 } 2820 } 2821 } 2822 } else { 2823 sctp_pegs[SCTP_PDRP_FMBOX]++; 2824 } 2825 trunc_len = (u_int16_t)ntohs(cp->trunc_len); 2826 /* now the chunks themselves */ 2827 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 2828 desc.chunk_type = ch->chunk_type; 2829 /* get amount we need to move */ 2830 at = ntohs(ch->chunk_length); 2831 if (at < sizeof(struct sctp_chunkhdr)) { 2832 /* corrupt chunk, maybe at the end? */ 2833 sctp_pegs[SCTP_PDRP_CRUPT]++; 2834 break; 2835 } 2836 if (trunc_len == 0) { 2837 /* we are supposed to have all of it */ 2838 if (at > chlen) { 2839 /* corrupt skip it */ 2840 sctp_pegs[SCTP_PDRP_CRUPT]++; 2841 break; 2842 } 2843 } else { 2844 /* is there enough of it left ? */ 2845 if (desc.chunk_type == SCTP_DATA) { 2846 if (chlen < (sizeof(struct sctp_data_chunk) + 2847 sizeof(desc.data_bytes))) { 2848 break; 2849 } 2850 } else { 2851 if (chlen < sizeof(struct sctp_chunkhdr)) { 2852 break; 2853 } 2854 } 2855 } 2856 if (desc.chunk_type == SCTP_DATA) { 2857 /* can we get out the tsn? */ 2858 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2859 sctp_pegs[SCTP_PDRP_MB_DA]++; 2860 2861 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(u_int32_t)) ) { 2862 /* yep */ 2863 struct sctp_data_chunk *dcp; 2864 u_int8_t *ddp; 2865 unsigned int iii; 2866 dcp = (struct sctp_data_chunk *)ch; 2867 ddp = (u_int8_t *)(dcp + 1); 2868 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 2869 desc.data_bytes[iii] = ddp[iii]; 2870 } 2871 desc.tsn_ifany = dcp->dp.tsn; 2872 } else { 2873 /* nope we are done. */ 2874 sctp_pegs[SCTP_PDRP_NEDAT]++; 2875 break; 2876 } 2877 } else { 2878 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 2879 sctp_pegs[SCTP_PDRP_MB_CT]++; 2880 } 2881 2882 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 2883 sctp_pegs[SCTP_PDRP_PDBRK]++; 2884 break; 2885 } 2886 if (SCTP_SIZE32(at) > chlen) { 2887 break; 2888 } 2889 chlen -= SCTP_SIZE32(at); 2890 if (chlen < sizeof(struct sctp_chunkhdr)) { 2891 /* done, none left */ 2892 break; 2893 } 2894 ch = (struct sctp_chunkhdr *)((vaddr_t)ch + SCTP_SIZE32(at)); 2895 } 2896 2897 /* now middle boxes in sat networks get a cwnd bump */ 2898 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 2899 (stcb->asoc.sat_t3_loss_recovery == 0) && 2900 (stcb->asoc.sat_network)) { 2901 /* 2902 * This is debateable but for sat networks it makes sense 2903 * Note if a T3 timer has went off, we will prohibit any 2904 * changes to cwnd until we exit the t3 loss recovery. 2905 */ 2906 u_int32_t bw_avail; 2907 int rtt, incr; 2908#ifdef SCTP_CWND_LOGGING 2909 int old_cwnd=net->cwnd; 2910#endif 2911 /* need real RTT for this calc */ 2912 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 2913 /* get bottle neck bw */ 2914 bottle_bw = ntohl(cp->bottle_bw); 2915 /* and whats on queue */ 2916 on_queue = ntohl(cp->current_onq); 2917 /* 2918 * adjust the on-queue if our flight is more it could be 2919 * that the router has not yet gotten data "in-flight" to it 2920 */ 2921 if (on_queue < net->flight_size) 2922 on_queue = net->flight_size; 2923 2924 /* calculate the available space */ 2925 bw_avail = (bottle_bw*rtt)/1000; 2926 if (bw_avail > bottle_bw) { 2927 /* 2928 * Cap the growth to no more than the bottle neck. 2929 * This can happen as RTT slides up due to queues. 2930 * It also means if you have more than a 1 second 2931 * RTT with a empty queue you will be limited to 2932 * the bottle_bw per second no matter if 2933 * other points have 1/2 the RTT and you could 2934 * get more out... 2935 */ 2936 bw_avail = bottle_bw; 2937 } 2938 2939 if (on_queue > bw_avail) { 2940 /* 2941 * No room for anything else don't allow anything 2942 * else to be "added to the fire". 2943 */ 2944 int seg_inflight, seg_onqueue, my_portion; 2945 net->partial_bytes_acked = 0; 2946 2947 /* how much are we over queue size? */ 2948 incr = on_queue - bw_avail; 2949 if (stcb->asoc.seen_a_sack_this_pkt) { 2950 /* undo any cwnd adjustment that 2951 * the sack might have made 2952 */ 2953 net->cwnd = net->prev_cwnd; 2954 } 2955 2956 /* Now how much of that is mine? */ 2957 seg_inflight = net->flight_size / net->mtu; 2958 seg_onqueue = on_queue / net->mtu; 2959 my_portion = (incr * seg_inflight)/seg_onqueue; 2960 2961 /* Have I made an adjustment already */ 2962 if (net->cwnd > net->flight_size) { 2963 /* for this flight I made an adjustment 2964 * we need to decrease the portion by a share 2965 * our previous adjustment. 2966 */ 2967 int diff_adj; 2968 diff_adj = net->cwnd - net->flight_size; 2969 if (diff_adj > my_portion) 2970 my_portion = 0; 2971 else 2972 my_portion -= diff_adj; 2973 } 2974 2975 /* back down to the previous cwnd (assume 2976 * we have had a sack before this packet). minus 2977 * what ever portion of the overage is my fault. 2978 */ 2979 net->cwnd -= my_portion; 2980 2981 /* we will NOT back down more than 1 MTU */ 2982 if (net->cwnd <= net->mtu) { 2983 net->cwnd = net->mtu; 2984 } 2985 /* force into CA */ 2986 net->ssthresh = net->cwnd - 1; 2987 } else { 2988 /* 2989 * Take 1/4 of the space left or 2990 * max burst up .. whichever is less. 2991 */ 2992 incr = min((bw_avail - on_queue) >> 2, 2993 (int)stcb->asoc.max_burst * (int)net->mtu); 2994 net->cwnd += incr; 2995 } 2996 if (net->cwnd > bw_avail) { 2997 /* We can't exceed the pipe size */ 2998 net->cwnd = bw_avail; 2999 } 3000 if (net->cwnd < net->mtu) { 3001 /* We always have 1 MTU */ 3002 net->cwnd = net->mtu; 3003 } 3004#ifdef SCTP_CWND_LOGGING 3005 if (net->cwnd - old_cwnd != 0) { 3006 /* log only changes */ 3007 sctp_log_cwnd(net, (net->cwnd - old_cwnd), 3008 SCTP_CWND_LOG_FROM_SAT); 3009 } 3010#endif 3011 } 3012} 3013 3014extern int sctp_strict_init; 3015 3016/* 3017 * handles all control chunks in a packet 3018 * inputs: 3019 * - m: mbuf chain, assumed to still contain IP/SCTP header 3020 * - stcb: is the tcb found for this packet 3021 * - offset: offset into the mbuf chain to first chunkhdr 3022 * - length: is the length of the complete packet 3023 * outputs: 3024 * - length: modified to remaining length after control processing 3025 * - netp: modified to new sctp_nets after cookie-echo processing 3026 * - return NULL to discard the packet (ie. no asoc, bad packet,...) 3027 * otherwise return the tcb for this packet 3028 */ 3029static struct sctp_tcb * 3030sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3031 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3032 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3033{ 3034 struct sctp_association *asoc; 3035 u_int32_t vtag_in; 3036 int num_chunks = 0; /* number of control chunks processed */ 3037 int chk_length; 3038 int ret; 3039 3040 /* 3041 * How big should this be, and should it be alloc'd? 3042 * Lets try the d-mtu-ceiling for now (2k) and that should 3043 * hopefully work ... until we get into jumbo grams and such.. 3044 */ 3045 u_int8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 3046 struct sctp_tcb *locked_tcb = stcb; 3047 3048#ifdef SCTP_DEBUG 3049 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3050 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3051 iphlen, *offset, length, stcb); 3052 } 3053#endif /* SCTP_DEBUG */ 3054 3055 /* validate chunk header length... */ 3056 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3057 return (NULL); 3058 } 3059 3060 /* 3061 * validate the verification tag 3062 */ 3063#ifdef SCTP_DEBUG 3064 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3065 printf("sctp_process_control: validating vtags\n"); 3066 } 3067#endif /* SCTP_DEBUG */ 3068 vtag_in = ntohl(sh->v_tag); 3069 if (ch->chunk_type == SCTP_INITIATION) { 3070 if (vtag_in != 0) { 3071 /* protocol error- silently discard... */ 3072#ifdef SCTP_DEBUG 3073 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3074 printf("sctp_process_control: INIT with vtag != 0\n"); 3075 } 3076#endif /* SCTP_DEBUG */ 3077 sctp_pegs[SCTP_BAD_VTAGS]++; 3078 if (locked_tcb) { 3079 SCTP_TCB_UNLOCK(locked_tcb); 3080 } 3081 return (NULL); 3082 } 3083 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3084 /* 3085 * first check if it's an ASCONF with an unknown src addr 3086 * we need to look inside to find the association 3087 */ 3088 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3089 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3090 *offset, sh, &inp, netp); 3091 } 3092 if (stcb == NULL) { 3093 /* no association, so it's out of the blue... */ 3094 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3095#ifdef SCTP_DEBUG 3096 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3097 printf("sctp_process_control: handling OOTB packet, chunk type=%xh\n", 3098 ch->chunk_type); 3099 } 3100#endif /* SCTP_DEBUG */ 3101 *offset = length; 3102 if (locked_tcb) { 3103 SCTP_TCB_UNLOCK(locked_tcb); 3104 } 3105 return (NULL); 3106 } 3107 asoc = &stcb->asoc; 3108 /* ABORT and SHUTDOWN can use either v_tag... */ 3109 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3110 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3111 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3112 if ((vtag_in == asoc->my_vtag) || 3113 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3114 (vtag_in == asoc->peer_vtag))) { 3115 /* this is valid */ 3116 } else { 3117 /* drop this packet... */ 3118 sctp_pegs[SCTP_BAD_VTAGS]++; 3119 if (locked_tcb) { 3120 SCTP_TCB_UNLOCK(locked_tcb); 3121 } 3122 return (NULL); 3123 } 3124 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3125 if (vtag_in != asoc->my_vtag) { 3126 /* 3127 * this could be a stale SHUTDOWN-ACK or the 3128 * peer never got the SHUTDOWN-COMPLETE and 3129 * is still hung; we have started a new asoc 3130 * but it won't complete until the shutdown is 3131 * completed 3132 */ 3133 if (locked_tcb) { 3134 SCTP_TCB_UNLOCK(locked_tcb); 3135 } 3136 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3137 NULL); 3138 return (NULL); 3139 } 3140 } else { 3141 /* for all other chunks, vtag must match */ 3142 3143 if (vtag_in != asoc->my_vtag) { 3144 /* invalid vtag... */ 3145#ifdef SCTP_DEBUG 3146 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3147 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3148 } 3149#endif /* SCTP_DEBUG */ 3150 sctp_pegs[SCTP_BAD_VTAGS]++; 3151 if (locked_tcb) { 3152 SCTP_TCB_UNLOCK(locked_tcb); 3153 } 3154 *offset = length; 3155 return (NULL); 3156 } 3157 } 3158 } /* end if !SCTP_COOKIE_ECHO */ 3159 3160#ifdef SCTP_DEBUG 3161 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3162 printf("sctp_process_control: vtags ok, processing ctrl chunks\n"); 3163 } 3164#endif /* SCTP_DEBUG */ 3165 3166 /* 3167 * process all control chunks... 3168 */ 3169 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3170 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3171 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3172 /* implied cookie-ack.. we must have lost the ack */ 3173 stcb->asoc.overall_error_count = 0; 3174 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 3175 } 3176 3177 while (IS_SCTP_CONTROL(ch)) { 3178 /* validate chunk length */ 3179 chk_length = ntohs(ch->chunk_length); 3180#ifdef SCTP_DEBUG 3181 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3182 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", ch->chunk_type, chk_length); 3183 } 3184#endif /* SCTP_DEBUG */ 3185 if ((size_t)chk_length < sizeof(*ch) || 3186 (*offset + chk_length) > length) { 3187#ifdef SCTP_DEBUG 3188 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3189 printf("sctp_process_control: chunk length invalid! *offset:%u, chk_length:%u > length:%u\n", 3190 *offset, chk_length, length); 3191 } 3192#endif /* SCTP_DEBUG */ 3193 *offset = length; 3194 if (locked_tcb) { 3195 SCTP_TCB_UNLOCK(locked_tcb); 3196 } 3197 return (NULL); 3198 } 3199 3200 /* 3201 * INIT-ACK only gets the init ack "header" portion only 3202 * because we don't have to process the peer's COOKIE. 3203 * All others get a complete chunk. 3204 */ 3205 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3206 /* get an init-ack chunk */ 3207 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3208 sizeof(struct sctp_init_ack), chunk_buf); 3209 if (ch == NULL) { 3210 *offset = length; 3211 if (locked_tcb) { 3212 SCTP_TCB_UNLOCK(locked_tcb); 3213 } 3214 return (NULL); 3215 } 3216 } else { 3217 /* get a complete chunk... */ 3218 if ((size_t)chk_length > sizeof(chunk_buf)) { 3219 struct mbuf *oper; 3220 struct sctp_paramhdr *phdr; 3221 oper = NULL; 3222 MGETHDR(oper, M_DONTWAIT, MT_HEADER); 3223 if (oper) { 3224 /* pre-reserve some space */ 3225 oper->m_data += 3226 sizeof(struct sctp_chunkhdr); 3227 phdr = 3228 mtod(oper, struct sctp_paramhdr *); 3229 phdr->param_type = 3230 htons(SCTP_CAUSE_OUT_OF_RESC); 3231 phdr->param_length = 3232 htons(sizeof(struct sctp_paramhdr)); 3233 sctp_queue_op_err(stcb, oper); 3234 } 3235 if (locked_tcb) { 3236 SCTP_TCB_UNLOCK(locked_tcb); 3237 } 3238 return (NULL); 3239 } 3240 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3241 chk_length, chunk_buf); 3242 if (ch == NULL) { 3243 printf("sctp_process_control: Can't get the all data....\n"); 3244 *offset = length; 3245 if (locked_tcb) { 3246 SCTP_TCB_UNLOCK(locked_tcb); 3247 } 3248 return (NULL); 3249 } 3250 3251 } 3252 num_chunks++; 3253 /* Save off the last place we got a control from */ 3254 if ((*netp) && stcb) { 3255 stcb->asoc.last_control_chunk_from = *netp; 3256 } 3257#ifdef SCTP_AUDITING_ENABLED 3258 sctp_audit_log(0xB0, ch->chunk_type); 3259#endif 3260 switch (ch->chunk_type) { 3261 case SCTP_INITIATION: 3262 /* must be first and only chunk */ 3263#ifdef SCTP_DEBUG 3264 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3265 printf("SCTP_INIT\n"); 3266 } 3267#endif /* SCTP_DEBUG */ 3268 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3269 /* We are not interested anymore */ 3270 if (locked_tcb) { 3271 SCTP_TCB_UNLOCK(locked_tcb); 3272 } 3273 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3274 /* finish the job now */ 3275 sctp_inpcb_free(inp, 1); 3276 } 3277 *offset = length; 3278 return (NULL); 3279 } 3280 if ((num_chunks > 1) || 3281 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3282 *offset = length; 3283 if (locked_tcb) { 3284 SCTP_TCB_UNLOCK(locked_tcb); 3285 } 3286 return (NULL); 3287 } 3288 if ((stcb != NULL) && 3289 (SCTP_GET_STATE(&stcb->asoc) == 3290 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3291 sctp_send_shutdown_ack(stcb, 3292 stcb->asoc.primary_destination); 3293 *offset = length; 3294 if (locked_tcb) { 3295 SCTP_TCB_UNLOCK(locked_tcb); 3296 } 3297 return (NULL); 3298 } 3299 sctp_handle_init(m, iphlen, *offset, sh, 3300 (struct sctp_init_chunk *)ch, inp, stcb, *netp); 3301 *offset = length; 3302 if (locked_tcb) { 3303 SCTP_TCB_UNLOCK(locked_tcb); 3304 } 3305 return (NULL); 3306 break; 3307 case SCTP_INITIATION_ACK: 3308 /* must be first and only chunk */ 3309#ifdef SCTP_DEBUG 3310 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3311 printf("SCTP_INIT-ACK\n"); 3312 } 3313#endif /* SCTP_DEBUG */ 3314 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3315 /* We are not interested anymore */ 3316 if (locked_tcb) { 3317 SCTP_TCB_UNLOCK(locked_tcb); 3318 } 3319 *offset = length; 3320 if (stcb) { 3321 sctp_free_assoc(inp, stcb); 3322 } else { 3323 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3324 /* finish the job now */ 3325 sctp_inpcb_free(inp, 1); 3326 } 3327 } 3328 return (NULL); 3329 } 3330 if ((num_chunks > 1) || 3331 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3332#ifdef SCTP_DEBUG 3333 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3334 printf("Length is %d rounded chk_length:%d .. dropping\n", 3335 length - *offset, 3336 SCTP_SIZE32(chk_length)); 3337 } 3338#endif 3339 *offset = length; 3340 if (locked_tcb) { 3341 SCTP_TCB_UNLOCK(locked_tcb); 3342 } 3343 return (NULL); 3344 } 3345 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3346 (struct sctp_init_ack_chunk *)ch, stcb, *netp); 3347 /* 3348 * Special case, I must call the output routine 3349 * to get the cookie echoed 3350 */ 3351 if ((stcb) && ret == 0) 3352 sctp_chunk_output(stcb->sctp_ep, stcb, 2); 3353 *offset = length; 3354#ifdef SCTP_DEBUG 3355 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3356 printf("All done INIT-ACK processing\n"); 3357 } 3358#endif 3359 if (locked_tcb) { 3360 SCTP_TCB_UNLOCK(locked_tcb); 3361 } 3362 return (NULL); 3363 break; 3364 case SCTP_SELECTIVE_ACK: 3365#ifdef SCTP_DEBUG 3366 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3367 printf("SCTP_SACK\n"); 3368 } 3369#endif /* SCTP_DEBUG */ 3370 sctp_pegs[SCTP_PEG_SACKS_SEEN]++; 3371 { 3372 int abort_now = 0; 3373 stcb->asoc.seen_a_sack_this_pkt = 1; 3374 sctp_handle_sack((struct sctp_sack_chunk *)ch, 3375 stcb, *netp, &abort_now); 3376 if (abort_now) { 3377 /* ABORT signal from sack processing */ 3378 *offset = length; 3379 return (NULL); 3380 } 3381 } 3382 break; 3383 case SCTP_HEARTBEAT_REQUEST: 3384#ifdef SCTP_DEBUG 3385 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3386 printf("SCTP_HEARTBEAT\n"); 3387 } 3388#endif /* SCTP_DEBUG */ 3389 sctp_pegs[SCTP_HB_RECV]++; 3390 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3391 *netp); 3392 3393 /* He's alive so give him credit */ 3394 stcb->asoc.overall_error_count = 0; 3395 break; 3396 case SCTP_HEARTBEAT_ACK: 3397#ifdef SCTP_DEBUG 3398 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3399 printf("SCTP_HEARTBEAT-ACK\n"); 3400 } 3401#endif /* SCTP_DEBUG */ 3402 3403 /* He's alive so give him credit */ 3404 stcb->asoc.overall_error_count = 0; 3405 3406 sctp_pegs[SCTP_HB_ACK_RECV]++; 3407 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3408 stcb, *netp); 3409 break; 3410 case SCTP_ABORT_ASSOCIATION: 3411#ifdef SCTP_DEBUG 3412 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3413 printf("SCTP_ABORT\n"); 3414 } 3415#endif /* SCTP_DEBUG */ 3416 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3417 stcb, *netp); 3418 *offset = length; 3419 return (NULL); 3420 break; 3421 case SCTP_SHUTDOWN: 3422#ifdef SCTP_DEBUG 3423 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3424 printf("SCTP_SHUTDOWN\n"); 3425 } 3426#endif /* SCTP_DEBUG */ 3427 { 3428 int abort_flag = 0; 3429 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3430 stcb, *netp, &abort_flag); 3431 if (abort_flag) { 3432 *offset = length; 3433 return (NULL); 3434 } 3435 } 3436 break; 3437 case SCTP_SHUTDOWN_ACK: 3438#ifdef SCTP_DEBUG 3439 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3440 printf("SCTP_SHUTDOWN-ACK\n"); 3441 } 3442#endif /* SCTP_DEBUG */ 3443 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3444 *offset = length; 3445 return (NULL); 3446 break; 3447 case SCTP_OPERATION_ERROR: 3448#ifdef SCTP_DEBUG 3449 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3450 printf("SCTP_OP-ERR\n"); 3451 } 3452#endif /* SCTP_DEBUG */ 3453 if (sctp_handle_error(ch, stcb, *netp) < 0) { 3454 *offset = length; 3455 return (NULL); 3456 } 3457 break; 3458 case SCTP_COOKIE_ECHO: 3459#ifdef SCTP_DEBUG 3460 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3461 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3462 } 3463#endif /* SCTP_DEBUG */ 3464 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3465 /* We are not interested anymore */ 3466 *offset = length; 3467 if (stcb) { 3468 sctp_free_assoc(inp, stcb); 3469 } else { 3470 if (LIST_FIRST(&inp->sctp_asoc_list) == NULL) { 3471 /* finish the job now */ 3472 sctp_inpcb_free(inp, 1); 3473 } 3474 } 3475 return (NULL); 3476 } 3477 /* 3478 * First are we accepting? 3479 * We do this again here since it is possible 3480 * that a previous endpoint WAS listening responded to 3481 * a INIT-ACK and then closed. We opened and bound.. 3482 * and are now no longer listening. 3483 */ 3484 if (((inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) == 0) || 3485 (inp->sctp_socket->so_qlimit == 0)) { 3486 sctp_abort_association(inp, stcb, m, iphlen, sh, 3487 NULL); 3488 *offset = length; 3489 return (NULL); 3490 } else if (inp->sctp_flags & SCTP_PCB_FLAGS_ACCEPTING) { 3491 /* we are accepting so check limits like TCP */ 3492 if (inp->sctp_socket->so_qlen > 3493 inp->sctp_socket->so_qlimit) { 3494 /* no space */ 3495 struct mbuf *oper; 3496 struct sctp_paramhdr *phdr; 3497 oper = NULL; 3498 MGETHDR(oper, M_DONTWAIT, MT_HEADER); 3499 if (oper) { 3500 oper->m_len = 3501 oper->m_pkthdr.len = 3502 sizeof(struct sctp_paramhdr); 3503 phdr = mtod(oper, 3504 struct sctp_paramhdr *); 3505 phdr->param_type = 3506 htons(SCTP_CAUSE_OUT_OF_RESC); 3507 phdr->param_length = 3508 htons(sizeof(struct sctp_paramhdr)); 3509 } 3510 sctp_abort_association(inp, stcb, m, 3511 iphlen, sh, oper); 3512 *offset = length; 3513 return (NULL); 3514 } 3515 } 3516 { 3517 struct mbuf *ret_buf; 3518 ret_buf = sctp_handle_cookie_echo(m, iphlen, 3519 *offset, sh, 3520 (struct sctp_cookie_echo_chunk *)ch, &inp, 3521 &stcb, netp); 3522#ifdef SCTP_DEBUG 3523 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3524 printf("ret_buf:%p length:%d off:%d\n", 3525 ret_buf, length, *offset); 3526 } 3527#endif /* SCTP_DEBUG */ 3528 3529 if (ret_buf == NULL) { 3530 if (locked_tcb) { 3531 SCTP_TCB_UNLOCK(locked_tcb); 3532 } 3533#ifdef SCTP_DEBUG 3534 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3535 printf("GAK, null buffer\n"); 3536 } 3537#endif /* SCTP_DEBUG */ 3538 *offset = length; 3539 return (NULL); 3540 } 3541 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 3542 /* 3543 * Restart the timer if we have pending 3544 * data 3545 */ 3546 struct sctp_tmit_chunk *chk; 3547 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 3548 if (chk) { 3549 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 3550 stcb->sctp_ep, stcb, 3551 chk->whoTo); 3552 } 3553 } 3554 } 3555 break; 3556 case SCTP_COOKIE_ACK: 3557#ifdef SCTP_DEBUG 3558 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3559 printf("SCTP_COOKIE-ACK\n"); 3560 } 3561#endif /* SCTP_DEBUG */ 3562 3563 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3564 /* We are not interested anymore */ 3565 sctp_free_assoc(inp, stcb); 3566 *offset = length; 3567 return (NULL); 3568 } 3569 /* He's alive so give him credit */ 3570 stcb->asoc.overall_error_count = 0; 3571 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, 3572 stcb, *netp); 3573 break; 3574 case SCTP_ECN_ECHO: 3575#ifdef SCTP_DEBUG 3576 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3577 printf("SCTP_ECN-ECHO\n"); 3578 } 3579#endif /* SCTP_DEBUG */ 3580 /* He's alive so give him credit */ 3581 stcb->asoc.overall_error_count = 0; 3582 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 3583 stcb); 3584 break; 3585 case SCTP_ECN_CWR: 3586#ifdef SCTP_DEBUG 3587 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3588 printf("SCTP_ECN-CWR\n"); 3589 } 3590#endif /* SCTP_DEBUG */ 3591 /* He's alive so give him credit */ 3592 stcb->asoc.overall_error_count = 0; 3593 3594 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 3595 break; 3596 case SCTP_SHUTDOWN_COMPLETE: 3597#ifdef SCTP_DEBUG 3598 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3599 printf("SCTP_SHUTDOWN-COMPLETE\n"); 3600 } 3601#endif /* SCTP_DEBUG */ 3602 /* must be first and only chunk */ 3603 if ((num_chunks > 1) || 3604 (length - *offset > SCTP_SIZE32(chk_length))) { 3605 *offset = length; 3606 if (locked_tcb) { 3607 SCTP_TCB_UNLOCK(locked_tcb); 3608 } 3609 return (NULL); 3610 } 3611 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 3612 stcb, *netp); 3613 *offset = length; 3614 return (NULL); 3615 break; 3616 case SCTP_ASCONF: 3617#ifdef SCTP_DEBUG 3618 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3619 printf("SCTP_ASCONF\n"); 3620 } 3621#endif /* SCTP_DEBUG */ 3622 /* He's alive so give him credit */ 3623 stcb->asoc.overall_error_count = 0; 3624 3625 sctp_handle_asconf(m, *offset, 3626 (struct sctp_asconf_chunk *)ch, stcb, *netp); 3627 break; 3628 case SCTP_ASCONF_ACK: 3629#ifdef SCTP_DEBUG 3630 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3631 printf("SCTP_ASCONF-ACK\n"); 3632 } 3633#endif /* SCTP_DEBUG */ 3634 /* He's alive so give him credit */ 3635 stcb->asoc.overall_error_count = 0; 3636 3637 sctp_handle_asconf_ack(m, *offset, 3638 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 3639 break; 3640 case SCTP_FORWARD_CUM_TSN: 3641#ifdef SCTP_DEBUG 3642 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3643 printf("SCTP_FWD-TSN\n"); 3644 } 3645#endif /* SCTP_DEBUG */ 3646 /* He's alive so give him credit */ 3647 { 3648 int abort_flag = 0; 3649 stcb->asoc.overall_error_count = 0; 3650 *fwd_tsn_seen = 1; 3651 sctp_handle_forward_tsn(stcb, 3652 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 3653 if (abort_flag) { 3654 *offset = length; 3655 return (NULL); 3656 } else { 3657 stcb->asoc.overall_error_count = 0; 3658 } 3659 3660 } 3661 break; 3662 case SCTP_STREAM_RESET: 3663#ifdef SCTP_DEBUG 3664 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3665 printf("SCTP_STREAM_RESET\n"); 3666 } 3667#endif /* SCTP_DEBUG */ 3668 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3669 chk_length, chunk_buf); 3670 if (stcb->asoc.peer_supports_strreset == 0) { 3671 /* hmm, peer should have annonced this, but 3672 * we will turn it on since he is sending us 3673 * a stream reset. 3674 */ 3675 stcb->asoc.peer_supports_strreset = 1; 3676 } 3677 sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_req *)ch); 3678 break; 3679 case SCTP_PACKET_DROPPED: 3680#ifdef SCTP_DEBUG 3681 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3682 printf("SCTP_PACKET_DROPPED\n"); 3683 } 3684#endif /* SCTP_DEBUG */ 3685 /* re-get it all please */ 3686 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3687 chk_length, chunk_buf); 3688 3689 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 3690 stcb, *netp); 3691 3692 3693 break; 3694 default: 3695 /* it's an unknown chunk! */ 3696 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 3697 struct mbuf *mm; 3698 struct sctp_paramhdr *phd; 3699 MGETHDR(mm, M_DONTWAIT, MT_HEADER); 3700 if (mm) { 3701 phd = mtod(mm, struct sctp_paramhdr *); 3702 /* We cheat and use param type since we 3703 * did not bother to define a error 3704 * cause struct. 3705 * They are the same basic format with 3706 * different names. 3707 */ 3708 phd->param_type = 3709 htons(SCTP_CAUSE_UNRECOG_CHUNK); 3710 phd->param_length = 3711 htons(chk_length + sizeof(*phd)); 3712 mm->m_len = sizeof(*phd); 3713 mm->m_next = sctp_m_copym(m, *offset, 3714 SCTP_SIZE32(chk_length), 3715 M_DONTWAIT); 3716 if (mm->m_next) { 3717 mm->m_pkthdr.len = 3718 SCTP_SIZE32(chk_length) + 3719 sizeof(*phd); 3720 sctp_queue_op_err(stcb, mm); 3721 } else { 3722 sctp_m_freem(mm); 3723#ifdef SCTP_DEBUG 3724 if (sctp_debug_on & 3725 SCTP_DEBUG_INPUT1) { 3726 printf("Gak can't copy the chunk into operr %d bytes\n", 3727 chk_length); 3728 } 3729#endif 3730 } 3731 } 3732#ifdef SCTP_DEBUG 3733 else { 3734 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3735 printf("Gak can't mgethdr for op-err of unrec chunk\n"); 3736 } 3737 } 3738#endif 3739 } 3740 if ((ch->chunk_type & 0x80) == 0) { 3741 /* discard this packet */ 3742 *offset = length; 3743 return (stcb); 3744 } /* else skip this bad chunk and continue... */ 3745 break; 3746 } /* switch (ch->chunk_type) */ 3747 /* get the next chunk */ 3748 *offset += SCTP_SIZE32(chk_length); 3749 if (*offset >= length) { 3750 /* no more data left in the mbuf chain */ 3751 break; 3752 } 3753 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3754 sizeof(struct sctp_chunkhdr), chunk_buf); 3755 if (ch == NULL) { 3756 if (locked_tcb) { 3757 SCTP_TCB_UNLOCK(locked_tcb); 3758 } 3759 *offset = length; 3760 return (NULL); 3761 } 3762 } /* while */ 3763 return (stcb); 3764} 3765 3766 3767/* 3768 * Process the ECN bits we have something set so 3769 * we must look to see if it is ECN(0) or ECN(1) or CE 3770 */ 3771static void 3772sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 3773 u_int8_t ecn_bits) 3774{ 3775 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3776 ; 3777 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 3778 /* 3779 * we only add to the nonce sum for ECT1, ECT0 3780 * does not change the NS bit (that we have 3781 * yet to find a way to send it yet). 3782 */ 3783 3784 /* ECN Nonce stuff */ 3785 stcb->asoc.receiver_nonce_sum++; 3786 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 3787 3788 /* 3789 * Drag up the last_echo point if cumack is larger since we 3790 * don't want the point falling way behind by more than 2^^31 3791 * and then having it be incorrect. 3792 */ 3793 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3794 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3795 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3796 } 3797 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 3798 /* 3799 * Drag up the last_echo point if cumack is larger since we 3800 * don't want the point falling way behind by more than 2^^31 3801 * and then having it be incorrect. 3802 */ 3803 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 3804 stcb->asoc.last_echo_tsn, MAX_TSN)) { 3805 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 3806 } 3807 } 3808} 3809 3810static void 3811sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 3812 u_int32_t high_tsn, u_int8_t ecn_bits) 3813{ 3814 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 3815 /* 3816 * we possibly must notify the sender that a congestion 3817 * window reduction is in order. We do this 3818 * by adding a ECNE chunk to the output chunk 3819 * queue. The incoming CWR will remove this chunk. 3820 */ 3821 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 3822 MAX_TSN)) { 3823 /* Yep, we need to add a ECNE */ 3824 sctp_send_ecn_echo(stcb, net, high_tsn); 3825 stcb->asoc.last_echo_tsn = high_tsn; 3826 } 3827 } 3828} 3829 3830/* 3831 * common input chunk processing (v4 and v6) 3832 */ 3833int 3834sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 3835 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 3836 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 3837 u_int8_t ecn_bits) 3838{ 3839 /* 3840 * Control chunk processing 3841 */ 3842 u_int32_t high_tsn; 3843 int fwd_tsn_seen = 0, data_processed = 0; 3844 struct mbuf *m = *mm; 3845 int abort_flag = 0; 3846 3847 sctp_pegs[SCTP_DATAGRAMS_RCVD]++; 3848#ifdef SCTP_AUDITING_ENABLED 3849 sctp_audit_log(0xE0, 1); 3850 sctp_auditing(0, inp, stcb, net); 3851#endif 3852 3853#ifdef SCTP_DEBUG 3854 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3855 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d\n", 3856 m, iphlen, offset, length); 3857 } 3858#endif /* SCTP_DEBUG */ 3859 if (IS_SCTP_CONTROL(ch)) { 3860 /* process the control portion of the SCTP packet */ 3861#ifdef SCTP_DEBUG 3862 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3863 printf("Processing control\n"); 3864 } 3865#endif /* SCTP_DEBUG */ 3866 3867 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 3868 inp, stcb, &net, &fwd_tsn_seen); 3869 } else { 3870 /* 3871 * no control chunks, so pre-process DATA chunks 3872 * (these checks are taken care of by control processing) 3873 */ 3874#ifdef SCTP_DEBUG 3875 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3876 printf("No control present\n"); 3877 } 3878#endif /* SCTP_DEBUG */ 3879 3880 if (stcb == NULL) { 3881 /* out of the blue DATA chunk */ 3882 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3883 return (1); 3884 } 3885 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 3886 /* v_tag mismatch! */ 3887 sctp_pegs[SCTP_BAD_VTAGS]++; 3888 SCTP_TCB_UNLOCK(stcb); 3889 return (1); 3890 } 3891 } 3892 if (stcb == NULL) { 3893 /* 3894 * no valid TCB for this packet, 3895 * or we found it's a bad packet while processing control, 3896 * or we're done with this packet (done or skip rest of data), 3897 * so we drop it... 3898 */ 3899 return (1); 3900 } 3901#ifdef SCTP_DEBUG 3902 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3903 printf("Ok, control finished time to look for data (%d) offset:%d\n", 3904 length, offset); 3905 } 3906#endif /* SCTP_DEBUG */ 3907 /* 3908 * DATA chunk processing 3909 */ 3910 /* plow through the data chunks while length > offset */ 3911 stcb->asoc.seen_a_sack_this_pkt = 0; 3912 3913 if (length > offset) { 3914 int retval; 3915 /* 3916 * First check to make sure our state is correct. 3917 * We would not get here unless we really did have a 3918 * tag, so we don't abort if this happens, just 3919 * dump the chunk silently. 3920 */ 3921 switch (SCTP_GET_STATE(&stcb->asoc)) { 3922 case SCTP_STATE_COOKIE_ECHOED: 3923 /* 3924 * we consider data with valid tags in 3925 * this state shows us the cookie-ack was lost. 3926 * Imply it was there. 3927 */ 3928 stcb->asoc.overall_error_count = 0; 3929 sctp_handle_cookie_ack( 3930 (struct sctp_cookie_ack_chunk *)ch, stcb, net); 3931 break; 3932 case SCTP_STATE_COOKIE_WAIT: 3933 /* 3934 * We consider OOTB any data sent during asoc setup. 3935 */ 3936 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 3937 SCTP_TCB_UNLOCK(stcb); 3938 return (1); 3939 break; 3940 case SCTP_STATE_EMPTY: /* should not happen */ 3941 case SCTP_STATE_INUSE: /* should not happen */ 3942 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 3943 case SCTP_STATE_SHUTDOWN_ACK_SENT: 3944 default: 3945#ifdef SCTP_DEBUG 3946 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3947 printf("Got data in invalid state %d.. dropping\n", stcb->asoc.state); 3948 } 3949#endif 3950 SCTP_TCB_UNLOCK(stcb); 3951 return (1); 3952 break; 3953 case SCTP_STATE_OPEN: 3954 case SCTP_STATE_SHUTDOWN_SENT: 3955 break; 3956 } 3957 /* take care of ECN, part 1. */ 3958 if (stcb->asoc.ecn_allowed && 3959 (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3960 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 3961 } 3962 /* plow through the data chunks while length > offset */ 3963 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 3964 inp, stcb, net, &high_tsn); 3965 if (retval == 2) { 3966 /* The association aborted, NO UNLOCK needed 3967 * since the association is destroyed. 3968 */ 3969 return (0); 3970 } 3971 3972 data_processed = 1; 3973 if (retval == 0) { 3974 /* take care of ecn part 2. */ 3975 if (stcb->asoc.ecn_allowed && (ecn_bits & (SCTP_ECT0_BIT|SCTP_ECT1_BIT)) ) { 3976 sctp_process_ecn_marked_b(stcb, net, high_tsn, ecn_bits); 3977 3978 } 3979 } 3980 3981 /* 3982 * Anything important needs to have been m_copy'ed in 3983 * process_data 3984 */ 3985 } 3986 if ((data_processed == 0) && (fwd_tsn_seen)) { 3987 int was_a_gap = 0; 3988 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 3989 stcb->asoc.cumulative_tsn, MAX_TSN)) { 3990 /* there was a gap before this data was processed */ 3991 was_a_gap = 1; 3992 } 3993 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 3994 if (abort_flag) { 3995 /* Again, we aborted so NO UNLOCK needed */ 3996 return (0); 3997 } 3998 } 3999 /* trigger send of any chunks in queue... */ 4000#ifdef SCTP_AUDITING_ENABLED 4001 sctp_audit_log(0xE0, 2); 4002 sctp_auditing(1, inp, stcb, net); 4003#endif 4004#ifdef SCTP_DEBUG 4005 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4006 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4007 stcb->asoc.peers_rwnd, 4008 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4009 stcb->asoc.total_flight); 4010 } 4011#endif 4012 if (stcb->asoc.peers_rwnd > 0 || 4013 !TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4014 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)) { 4015#ifdef SCTP_DEBUG 4016 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4017 printf("Calling chunk OUTPUT\n"); 4018 } 4019#endif 4020 sctp_chunk_output(inp, stcb, 3); 4021#ifdef SCTP_DEBUG 4022 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4023 printf("chunk OUTPUT returns\n"); 4024 } 4025#endif 4026 } 4027 4028#ifdef SCTP_AUDITING_ENABLED 4029 sctp_audit_log(0xE0, 3); 4030 sctp_auditing(2, inp, stcb, net); 4031#endif 4032 SCTP_TCB_UNLOCK(stcb); 4033 return (0); 4034} 4035 4036#if defined(__OpenBSD__) 4037static void 4038sctp_saveopt(struct sctp_inpcb *inp, struct mbuf **mp, struct ip *ip, 4039 struct mbuf *m) 4040{ 4041 if (inp->ip_inp.inp.inp_flags & INP_RECVDSTADDR) { 4042 *mp = sbcreatecontrol((vaddr_t) &ip->ip_dst, 4043 sizeof(struct in_addr), IP_RECVDSTADDR, IPPROTO_IP); 4044 if (*mp) 4045 mp = &(*mp)->m_next; 4046 } 4047} 4048#endif 4049 4050extern int sctp_no_csum_on_loopback; 4051 4052void 4053sctp_input(struct mbuf *m, ...) 4054{ 4055 int iphlen; 4056 u_int8_t ecn_bits; 4057 struct ip *ip; 4058 struct sctphdr *sh; 4059 struct sctp_inpcb *inp = NULL; 4060 struct mbuf *opts = 0; 4061/*#ifdef INET6*/ 4062/* Don't think this is needed */ 4063/* struct ip6_recvpktopts opts6;*/ 4064/*#endif INET6 */ 4065 4066 u_int32_t check, calc_check; 4067 struct sctp_nets *net; 4068 struct sctp_tcb *stcb = NULL; 4069 struct sctp_chunkhdr *ch; 4070 int refcount_up = 0; 4071 int length, mlen, offset; 4072 4073 int off; 4074 va_list ap; 4075 4076 va_start(ap, m); 4077 iphlen = off = va_arg(ap, int); 4078 va_end(ap); 4079 4080 net = NULL; 4081 sctp_pegs[SCTP_INPKTS]++; 4082#ifdef SCTP_DEBUG 4083 /*if (sctp_debug_on & SCTP_DEBUG_INPUT1) {*/ 4084 printf("V4 input gets a packet iphlen:%d pktlen:%d\n", iphlen, m->m_pkthdr.len); 4085 /*}*/ 4086#endif 4087/*#ifdef INET6*/ 4088/* Don't think this is needed */ 4089/* bzero(&opts6, sizeof(opts6));*/ 4090/*#endif INET6 */ 4091 4092 /* 4093 * Strip IP options, we don't allow any in or out. 4094 */ 4095 if ((size_t)iphlen > sizeof(struct ip)) { 4096 printf("sctp_input: got options\n"); 4097#if 0 /* XXX */ 4098 ip_stripoptions(m, (struct mbuf *)0); 4099#endif 4100 iphlen = sizeof(struct ip); 4101 } 4102 4103 /* 4104 * Get IP, SCTP, and first chunk header together in first mbuf. 4105 */ 4106 ip = mtod(m, struct ip *); 4107 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4108 if (m->m_len < offset) { 4109 if ((m = m_pullup(m, offset)) == 0) { 4110 sctp_pegs[SCTP_HDR_DROPS]++; 4111 return; 4112 } 4113 ip = mtod(m, struct ip *); 4114 } 4115 sh = (struct sctphdr *)((vaddr_t)ip + iphlen); 4116 ch = (struct sctp_chunkhdr *)((vaddr_t)sh + sizeof(*sh)); 4117 4118 /* SCTP does not allow broadcasts or multicasts */ 4119 if (IN_MULTICAST(ip->ip_dst.s_addr)) 4120 { 4121 sctp_pegs[SCTP_IN_MCAST]++; 4122 goto bad; 4123 } 4124 if (in_broadcast(ip->ip_dst, m_get_rcvif_NOMPSAFE(m))) { 4125 sctp_pegs[SCTP_IN_MCAST]++; 4126 goto bad; 4127 } 4128 4129 /* destination port of 0 is illegal, based on RFC2960. */ 4130 if (sh->dest_port == 0) { 4131 sctp_pegs[SCTP_HDR_DROPS]++; 4132 goto bad; 4133 } 4134 4135 /* validate SCTP checksum */ 4136 if ((sctp_no_csum_on_loopback == 0) || 4137 (m_get_rcvif_NOMPSAFE(m) == NULL) || 4138 (m_get_rcvif_NOMPSAFE(m)->if_type != IFT_LOOP)) { 4139 /* we do NOT validate things from the loopback if the 4140 * sysctl is set to 1. 4141 */ 4142 check = sh->checksum; /* save incoming checksum */ 4143 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4144 /* special hook for where we got a local address 4145 * somehow routed across a non IFT_LOOP type interface 4146 */ 4147 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4148 goto sctp_skip_csum_4; 4149 } 4150 sh->checksum = 0; /* prepare for calc */ 4151 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4152 if (calc_check != check) { 4153#ifdef SCTP_DEBUG 4154 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4155 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4156 calc_check, check, m, mlen, iphlen); 4157 } 4158#endif 4159 4160 stcb = sctp_findassociation_addr(m, iphlen, 4161 offset - sizeof(*ch), 4162 sh, ch, &inp, &net); 4163 if ((inp) && (stcb)) { 4164 sctp_send_packet_dropped(stcb, net, m, iphlen, 4165 1); 4166 sctp_chunk_output(inp, stcb, 2); 4167 } else if ((inp != NULL) && (stcb == NULL)) { 4168 refcount_up = 1; 4169 } 4170 sctp_pegs[SCTP_BAD_CSUM]++; 4171 goto bad; 4172 } 4173 sh->checksum = calc_check; 4174 } else { 4175 sctp_skip_csum_4: 4176 mlen = m->m_pkthdr.len; 4177 } 4178 /* validate mbuf chain length with IP payload length */ 4179#if defined(__NetBSD__) || defined(__OpenBSD__) 4180 /* Open BSD gives us the len in network order, fix it */ 4181 NTOHS(ip->ip_len); 4182#endif 4183 if (mlen < (ip->ip_len - iphlen)) { 4184 sctp_pegs[SCTP_HDR_DROPS]++; 4185 goto bad; 4186 } 4187 4188 /* 4189 * Locate pcb and tcb for datagram 4190 * sctp_findassociation_addr() wants IP/SCTP/first chunk header... 4191 */ 4192#ifdef SCTP_DEBUG 4193 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4194 printf("V4 find association\n"); 4195 } 4196#endif 4197 4198 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4199 sh, ch, &inp, &net); 4200 /* inp's ref-count increased && stcb locked */ 4201 if (inp == NULL) { 4202 struct sctp_init_chunk *init_chk, chunk_buf; 4203 4204 sctp_pegs[SCTP_NOPORTS]++; 4205#ifdef ICMP_BANDLIM 4206 /* 4207 * we use the bandwidth limiting to protect against 4208 * sending too many ABORTS all at once. In this case 4209 * these count the same as an ICMP message. 4210 */ 4211 if (badport_bandlim(0) < 0) 4212 goto bad; 4213#endif /* ICMP_BANDLIM */ 4214#ifdef SCTP_DEBUG 4215 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4216 printf("Sending a ABORT from packet entry!\n"); 4217 } 4218#endif 4219 if (ch->chunk_type == SCTP_INITIATION) { 4220 /* we do a trick here to get the INIT tag, 4221 * dig in and get the tag from the INIT and 4222 * put it in the common header. 4223 */ 4224 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4225 iphlen + sizeof(*sh), sizeof(*init_chk), 4226 (u_int8_t *)&chunk_buf); 4227 if (init_chk != NULL) 4228 sh->v_tag = init_chk->init.initiate_tag; 4229 } 4230 sctp_send_abort(m, iphlen, sh, 0, NULL); 4231 goto bad; 4232 } else if (stcb == NULL) { 4233 refcount_up = 1; 4234 } 4235#ifdef IPSEC 4236 /* 4237 * I very much doubt any of the IPSEC stuff will work but I have 4238 * no idea, so I will leave it in place. 4239 */ 4240 if (ipsec_used && ipsec4_in_reject(m, (struct inpcb *)inp)) { 4241#if 0 4242 ipsecstat.in_polvio++; 4243#endif 4244 sctp_pegs[SCTP_HDR_DROPS]++; 4245 goto bad; 4246 } 4247#endif /* IPSEC */ 4248 4249 /* 4250 * Construct sockaddr format source address. 4251 * Stuff source address and datagram in user buffer. 4252 */ 4253 if ((inp->ip_inp.inp.inp_flags & INP_CONTROLOPTS) 4254 || (inp->sctp_socket->so_options & SO_TIMESTAMP) 4255 ) { 4256 ip_savecontrol((struct inpcb *)inp, &opts, ip, m); 4257 } 4258 4259 /* 4260 * common chunk processing 4261 */ 4262 length = ip->ip_len - (ip->ip_hl << 2) + iphlen; 4263 offset -= sizeof(struct sctp_chunkhdr); 4264 4265 ecn_bits = ip->ip_tos; 4266 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4267 inp, stcb, net, ecn_bits); 4268 /* inp's ref-count reduced && stcb unlocked */ 4269 if (m) { 4270 sctp_m_freem(m); 4271 } 4272 if (opts) 4273 sctp_m_freem(opts); 4274 4275 if ((inp) && (refcount_up)) { 4276 /* reduce ref-count */ 4277 SCTP_INP_WLOCK(inp); 4278 SCTP_INP_DECR_REF(inp); 4279 SCTP_INP_WUNLOCK(inp); 4280 } 4281 4282 return; 4283bad: 4284 if (stcb) { 4285 SCTP_TCB_UNLOCK(stcb); 4286 } 4287 4288 if ((inp) && (refcount_up)) { 4289 /* reduce ref-count */ 4290 SCTP_INP_WLOCK(inp); 4291 SCTP_INP_DECR_REF(inp); 4292 SCTP_INP_WUNLOCK(inp); 4293 } 4294 4295 if (m) { 4296 sctp_m_freem(m); 4297 } 4298 if (opts) 4299 sctp_m_freem(opts); 4300 return; 4301} 4302