1 /*-
2  * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3  * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4  * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions are met:
8  *
9  * a) Redistributions of source code must retain the above copyright notice,
10  *    this list of conditions and the following disclaimer.
11  *
12  * b) Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in
14  *    the documentation and/or other materials provided with the distribution.
15  *
16  * c) Neither the name of Cisco Systems, Inc. nor the names of its
17  *    contributors may be used to endorse or promote products derived
18  *    from this software without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30  * THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #ifdef __FreeBSD__
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD: head/sys/netinet/sctp_output.c 264017 2014-04-01 18:38:04Z tuexen $");
36 #endif
37 
38 #include <netinet/sctp_os.h>
39 #ifdef __FreeBSD__
40 #include <sys/proc.h>
41 #endif
42 #include <netinet/sctp_var.h>
43 #include <netinet/sctp_sysctl.h>
44 #include <netinet/sctp_header.h>
45 #include <netinet/sctp_pcb.h>
46 #include <netinet/sctputil.h>
47 #include <netinet/sctp_output.h>
48 #include <netinet/sctp_uio.h>
49 #include <netinet/sctputil.h>
50 #include <netinet/sctp_auth.h>
51 #include <netinet/sctp_timer.h>
52 #include <netinet/sctp_asconf.h>
53 #include <netinet/sctp_indata.h>
54 #include <netinet/sctp_bsd_addr.h>
55 #include <netinet/sctp_input.h>
56 #include <netinet/sctp_crc32.h>
57 #if defined(__Userspace_os_Linux)
58 #define __FAVOR_BSD    /* (on Ubuntu at least) enables UDP header field names like BSD in RFC 768 */
59 #endif
60 #if !defined(__Userspace_os_Windows)
61 #include <netinet/udp.h>
62 #endif
63 #if defined(__APPLE__)
64 #include <netinet/in.h>
65 #endif
66 #if defined(__FreeBSD__)
67 #if defined(__FreeBSD__) && __FreeBSD_version >= 800000
68 #include <netinet/udp_var.h>
69 #endif
70 #include <machine/in_cksum.h>
71 #endif
72 #if defined(__Userspace__) && defined(INET6)
73 #include <netinet6/sctp6_var.h>
74 #endif
75 
76 #if defined(__APPLE__)
77 #define APPLE_FILE_NO 3
78 #endif
79 
80 #if defined(__APPLE__)
81 #if !(defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD))
82 #define SCTP_MAX_LINKHDR 16
83 #endif
84 #endif
85 
/*
 * Largest number of separate runs of set bits that one byte can hold.
 * The alternating patterns 0x55 and 0xaa in sack_array reach this bound.
 */
#define SCTP_MAX_GAPS_INARRAY 4

/*
 * One precomputed entry of sack_array: the runs of consecutive set bits in
 * a single byte value, where the byte value is the array index.
 *
 * NOTE(review): the code that consumes the table is outside this view;
 * presumably the index is one byte of the received-TSN mapping array used
 * while building gap ack blocks -- confirm against the callers.
 * NOTE(review): sack_array is a writable, non-static global although its
 * contents are fixed at build time; consider const-qualifying it if every
 * declaration of the symbol can be updated together.
 */
struct sack_track {
	uint8_t right_edge;	/* mergeable on the right edge: 1 in the table when bit 0 is set */
	uint8_t left_edge;	/* mergeable on the left edge: 1 in the table when bit 7 is set */
	uint8_t num_entries;	/* number of gaps[] slots in use (0..SCTP_MAX_GAPS_INARRAY) */
	uint8_t spare;		/* 0 in every table entry */
	/*
	 * Table values are bit offsets 0..7, apparently the first and last
	 * bit of each run, lowest run first. Unused slots are {0, 0}, which is
	 * also a valid run covering only bit 0, so num_entries must be used
	 * to tell them apart.
	 */
	struct sctp_gap_ack_block gaps[SCTP_MAX_GAPS_INARRAY];
};
94 
95 struct sack_track sack_array[256] = {
96 	{0, 0, 0, 0,		/* 0x00 */
97 		{{0, 0},
98 		{0, 0},
99 		{0, 0},
100 		{0, 0}
101 		}
102 	},
103 	{1, 0, 1, 0,		/* 0x01 */
104 		{{0, 0},
105 		{0, 0},
106 		{0, 0},
107 		{0, 0}
108 		}
109 	},
110 	{0, 0, 1, 0,		/* 0x02 */
111 		{{1, 1},
112 		{0, 0},
113 		{0, 0},
114 		{0, 0}
115 		}
116 	},
117 	{1, 0, 1, 0,		/* 0x03 */
118 		{{0, 1},
119 		{0, 0},
120 		{0, 0},
121 		{0, 0}
122 		}
123 	},
124 	{0, 0, 1, 0,		/* 0x04 */
125 		{{2, 2},
126 		{0, 0},
127 		{0, 0},
128 		{0, 0}
129 		}
130 	},
131 	{1, 0, 2, 0,		/* 0x05 */
132 		{{0, 0},
133 		{2, 2},
134 		{0, 0},
135 		{0, 0}
136 		}
137 	},
138 	{0, 0, 1, 0,		/* 0x06 */
139 		{{1, 2},
140 		{0, 0},
141 		{0, 0},
142 		{0, 0}
143 		}
144 	},
145 	{1, 0, 1, 0,		/* 0x07 */
146 		{{0, 2},
147 		{0, 0},
148 		{0, 0},
149 		{0, 0}
150 		}
151 	},
152 	{0, 0, 1, 0,		/* 0x08 */
153 		{{3, 3},
154 		{0, 0},
155 		{0, 0},
156 		{0, 0}
157 		}
158 	},
159 	{1, 0, 2, 0,		/* 0x09 */
160 		{{0, 0},
161 		{3, 3},
162 		{0, 0},
163 		{0, 0}
164 		}
165 	},
166 	{0, 0, 2, 0,		/* 0x0a */
167 		{{1, 1},
168 		{3, 3},
169 		{0, 0},
170 		{0, 0}
171 		}
172 	},
173 	{1, 0, 2, 0,		/* 0x0b */
174 		{{0, 1},
175 		{3, 3},
176 		{0, 0},
177 		{0, 0}
178 		}
179 	},
180 	{0, 0, 1, 0,		/* 0x0c */
181 		{{2, 3},
182 		{0, 0},
183 		{0, 0},
184 		{0, 0}
185 		}
186 	},
187 	{1, 0, 2, 0,		/* 0x0d */
188 		{{0, 0},
189 		{2, 3},
190 		{0, 0},
191 		{0, 0}
192 		}
193 	},
194 	{0, 0, 1, 0,		/* 0x0e */
195 		{{1, 3},
196 		{0, 0},
197 		{0, 0},
198 		{0, 0}
199 		}
200 	},
201 	{1, 0, 1, 0,		/* 0x0f */
202 		{{0, 3},
203 		{0, 0},
204 		{0, 0},
205 		{0, 0}
206 		}
207 	},
208 	{0, 0, 1, 0,		/* 0x10 */
209 		{{4, 4},
210 		{0, 0},
211 		{0, 0},
212 		{0, 0}
213 		}
214 	},
215 	{1, 0, 2, 0,		/* 0x11 */
216 		{{0, 0},
217 		{4, 4},
218 		{0, 0},
219 		{0, 0}
220 		}
221 	},
222 	{0, 0, 2, 0,		/* 0x12 */
223 		{{1, 1},
224 		{4, 4},
225 		{0, 0},
226 		{0, 0}
227 		}
228 	},
229 	{1, 0, 2, 0,		/* 0x13 */
230 		{{0, 1},
231 		{4, 4},
232 		{0, 0},
233 		{0, 0}
234 		}
235 	},
236 	{0, 0, 2, 0,		/* 0x14 */
237 		{{2, 2},
238 		{4, 4},
239 		{0, 0},
240 		{0, 0}
241 		}
242 	},
243 	{1, 0, 3, 0,		/* 0x15 */
244 		{{0, 0},
245 		{2, 2},
246 		{4, 4},
247 		{0, 0}
248 		}
249 	},
250 	{0, 0, 2, 0,		/* 0x16 */
251 		{{1, 2},
252 		{4, 4},
253 		{0, 0},
254 		{0, 0}
255 		}
256 	},
257 	{1, 0, 2, 0,		/* 0x17 */
258 		{{0, 2},
259 		{4, 4},
260 		{0, 0},
261 		{0, 0}
262 		}
263 	},
264 	{0, 0, 1, 0,		/* 0x18 */
265 		{{3, 4},
266 		{0, 0},
267 		{0, 0},
268 		{0, 0}
269 		}
270 	},
271 	{1, 0, 2, 0,		/* 0x19 */
272 		{{0, 0},
273 		{3, 4},
274 		{0, 0},
275 		{0, 0}
276 		}
277 	},
278 	{0, 0, 2, 0,		/* 0x1a */
279 		{{1, 1},
280 		{3, 4},
281 		{0, 0},
282 		{0, 0}
283 		}
284 	},
285 	{1, 0, 2, 0,		/* 0x1b */
286 		{{0, 1},
287 		{3, 4},
288 		{0, 0},
289 		{0, 0}
290 		}
291 	},
292 	{0, 0, 1, 0,		/* 0x1c */
293 		{{2, 4},
294 		{0, 0},
295 		{0, 0},
296 		{0, 0}
297 		}
298 	},
299 	{1, 0, 2, 0,		/* 0x1d */
300 		{{0, 0},
301 		{2, 4},
302 		{0, 0},
303 		{0, 0}
304 		}
305 	},
306 	{0, 0, 1, 0,		/* 0x1e */
307 		{{1, 4},
308 		{0, 0},
309 		{0, 0},
310 		{0, 0}
311 		}
312 	},
313 	{1, 0, 1, 0,		/* 0x1f */
314 		{{0, 4},
315 		{0, 0},
316 		{0, 0},
317 		{0, 0}
318 		}
319 	},
320 	{0, 0, 1, 0,		/* 0x20 */
321 		{{5, 5},
322 		{0, 0},
323 		{0, 0},
324 		{0, 0}
325 		}
326 	},
327 	{1, 0, 2, 0,		/* 0x21 */
328 		{{0, 0},
329 		{5, 5},
330 		{0, 0},
331 		{0, 0}
332 		}
333 	},
334 	{0, 0, 2, 0,		/* 0x22 */
335 		{{1, 1},
336 		{5, 5},
337 		{0, 0},
338 		{0, 0}
339 		}
340 	},
341 	{1, 0, 2, 0,		/* 0x23 */
342 		{{0, 1},
343 		{5, 5},
344 		{0, 0},
345 		{0, 0}
346 		}
347 	},
348 	{0, 0, 2, 0,		/* 0x24 */
349 		{{2, 2},
350 		{5, 5},
351 		{0, 0},
352 		{0, 0}
353 		}
354 	},
355 	{1, 0, 3, 0,		/* 0x25 */
356 		{{0, 0},
357 		{2, 2},
358 		{5, 5},
359 		{0, 0}
360 		}
361 	},
362 	{0, 0, 2, 0,		/* 0x26 */
363 		{{1, 2},
364 		{5, 5},
365 		{0, 0},
366 		{0, 0}
367 		}
368 	},
369 	{1, 0, 2, 0,		/* 0x27 */
370 		{{0, 2},
371 		{5, 5},
372 		{0, 0},
373 		{0, 0}
374 		}
375 	},
376 	{0, 0, 2, 0,		/* 0x28 */
377 		{{3, 3},
378 		{5, 5},
379 		{0, 0},
380 		{0, 0}
381 		}
382 	},
383 	{1, 0, 3, 0,		/* 0x29 */
384 		{{0, 0},
385 		{3, 3},
386 		{5, 5},
387 		{0, 0}
388 		}
389 	},
390 	{0, 0, 3, 0,		/* 0x2a */
391 		{{1, 1},
392 		{3, 3},
393 		{5, 5},
394 		{0, 0}
395 		}
396 	},
397 	{1, 0, 3, 0,		/* 0x2b */
398 		{{0, 1},
399 		{3, 3},
400 		{5, 5},
401 		{0, 0}
402 		}
403 	},
404 	{0, 0, 2, 0,		/* 0x2c */
405 		{{2, 3},
406 		{5, 5},
407 		{0, 0},
408 		{0, 0}
409 		}
410 	},
411 	{1, 0, 3, 0,		/* 0x2d */
412 		{{0, 0},
413 		{2, 3},
414 		{5, 5},
415 		{0, 0}
416 		}
417 	},
418 	{0, 0, 2, 0,		/* 0x2e */
419 		{{1, 3},
420 		{5, 5},
421 		{0, 0},
422 		{0, 0}
423 		}
424 	},
425 	{1, 0, 2, 0,		/* 0x2f */
426 		{{0, 3},
427 		{5, 5},
428 		{0, 0},
429 		{0, 0}
430 		}
431 	},
432 	{0, 0, 1, 0,		/* 0x30 */
433 		{{4, 5},
434 		{0, 0},
435 		{0, 0},
436 		{0, 0}
437 		}
438 	},
439 	{1, 0, 2, 0,		/* 0x31 */
440 		{{0, 0},
441 		{4, 5},
442 		{0, 0},
443 		{0, 0}
444 		}
445 	},
446 	{0, 0, 2, 0,		/* 0x32 */
447 		{{1, 1},
448 		{4, 5},
449 		{0, 0},
450 		{0, 0}
451 		}
452 	},
453 	{1, 0, 2, 0,		/* 0x33 */
454 		{{0, 1},
455 		{4, 5},
456 		{0, 0},
457 		{0, 0}
458 		}
459 	},
460 	{0, 0, 2, 0,		/* 0x34 */
461 		{{2, 2},
462 		{4, 5},
463 		{0, 0},
464 		{0, 0}
465 		}
466 	},
467 	{1, 0, 3, 0,		/* 0x35 */
468 		{{0, 0},
469 		{2, 2},
470 		{4, 5},
471 		{0, 0}
472 		}
473 	},
474 	{0, 0, 2, 0,		/* 0x36 */
475 		{{1, 2},
476 		{4, 5},
477 		{0, 0},
478 		{0, 0}
479 		}
480 	},
481 	{1, 0, 2, 0,		/* 0x37 */
482 		{{0, 2},
483 		{4, 5},
484 		{0, 0},
485 		{0, 0}
486 		}
487 	},
488 	{0, 0, 1, 0,		/* 0x38 */
489 		{{3, 5},
490 		{0, 0},
491 		{0, 0},
492 		{0, 0}
493 		}
494 	},
495 	{1, 0, 2, 0,		/* 0x39 */
496 		{{0, 0},
497 		{3, 5},
498 		{0, 0},
499 		{0, 0}
500 		}
501 	},
502 	{0, 0, 2, 0,		/* 0x3a */
503 		{{1, 1},
504 		{3, 5},
505 		{0, 0},
506 		{0, 0}
507 		}
508 	},
509 	{1, 0, 2, 0,		/* 0x3b */
510 		{{0, 1},
511 		{3, 5},
512 		{0, 0},
513 		{0, 0}
514 		}
515 	},
516 	{0, 0, 1, 0,		/* 0x3c */
517 		{{2, 5},
518 		{0, 0},
519 		{0, 0},
520 		{0, 0}
521 		}
522 	},
523 	{1, 0, 2, 0,		/* 0x3d */
524 		{{0, 0},
525 		{2, 5},
526 		{0, 0},
527 		{0, 0}
528 		}
529 	},
530 	{0, 0, 1, 0,		/* 0x3e */
531 		{{1, 5},
532 		{0, 0},
533 		{0, 0},
534 		{0, 0}
535 		}
536 	},
537 	{1, 0, 1, 0,		/* 0x3f */
538 		{{0, 5},
539 		{0, 0},
540 		{0, 0},
541 		{0, 0}
542 		}
543 	},
544 	{0, 0, 1, 0,		/* 0x40 */
545 		{{6, 6},
546 		{0, 0},
547 		{0, 0},
548 		{0, 0}
549 		}
550 	},
551 	{1, 0, 2, 0,		/* 0x41 */
552 		{{0, 0},
553 		{6, 6},
554 		{0, 0},
555 		{0, 0}
556 		}
557 	},
558 	{0, 0, 2, 0,		/* 0x42 */
559 		{{1, 1},
560 		{6, 6},
561 		{0, 0},
562 		{0, 0}
563 		}
564 	},
565 	{1, 0, 2, 0,		/* 0x43 */
566 		{{0, 1},
567 		{6, 6},
568 		{0, 0},
569 		{0, 0}
570 		}
571 	},
572 	{0, 0, 2, 0,		/* 0x44 */
573 		{{2, 2},
574 		{6, 6},
575 		{0, 0},
576 		{0, 0}
577 		}
578 	},
579 	{1, 0, 3, 0,		/* 0x45 */
580 		{{0, 0},
581 		{2, 2},
582 		{6, 6},
583 		{0, 0}
584 		}
585 	},
586 	{0, 0, 2, 0,		/* 0x46 */
587 		{{1, 2},
588 		{6, 6},
589 		{0, 0},
590 		{0, 0}
591 		}
592 	},
593 	{1, 0, 2, 0,		/* 0x47 */
594 		{{0, 2},
595 		{6, 6},
596 		{0, 0},
597 		{0, 0}
598 		}
599 	},
600 	{0, 0, 2, 0,		/* 0x48 */
601 		{{3, 3},
602 		{6, 6},
603 		{0, 0},
604 		{0, 0}
605 		}
606 	},
607 	{1, 0, 3, 0,		/* 0x49 */
608 		{{0, 0},
609 		{3, 3},
610 		{6, 6},
611 		{0, 0}
612 		}
613 	},
614 	{0, 0, 3, 0,		/* 0x4a */
615 		{{1, 1},
616 		{3, 3},
617 		{6, 6},
618 		{0, 0}
619 		}
620 	},
621 	{1, 0, 3, 0,		/* 0x4b */
622 		{{0, 1},
623 		{3, 3},
624 		{6, 6},
625 		{0, 0}
626 		}
627 	},
628 	{0, 0, 2, 0,		/* 0x4c */
629 		{{2, 3},
630 		{6, 6},
631 		{0, 0},
632 		{0, 0}
633 		}
634 	},
635 	{1, 0, 3, 0,		/* 0x4d */
636 		{{0, 0},
637 		{2, 3},
638 		{6, 6},
639 		{0, 0}
640 		}
641 	},
642 	{0, 0, 2, 0,		/* 0x4e */
643 		{{1, 3},
644 		{6, 6},
645 		{0, 0},
646 		{0, 0}
647 		}
648 	},
649 	{1, 0, 2, 0,		/* 0x4f */
650 		{{0, 3},
651 		{6, 6},
652 		{0, 0},
653 		{0, 0}
654 		}
655 	},
656 	{0, 0, 2, 0,		/* 0x50 */
657 		{{4, 4},
658 		{6, 6},
659 		{0, 0},
660 		{0, 0}
661 		}
662 	},
663 	{1, 0, 3, 0,		/* 0x51 */
664 		{{0, 0},
665 		{4, 4},
666 		{6, 6},
667 		{0, 0}
668 		}
669 	},
670 	{0, 0, 3, 0,		/* 0x52 */
671 		{{1, 1},
672 		{4, 4},
673 		{6, 6},
674 		{0, 0}
675 		}
676 	},
677 	{1, 0, 3, 0,		/* 0x53 */
678 		{{0, 1},
679 		{4, 4},
680 		{6, 6},
681 		{0, 0}
682 		}
683 	},
684 	{0, 0, 3, 0,		/* 0x54 */
685 		{{2, 2},
686 		{4, 4},
687 		{6, 6},
688 		{0, 0}
689 		}
690 	},
691 	{1, 0, 4, 0,		/* 0x55 */
692 		{{0, 0},
693 		{2, 2},
694 		{4, 4},
695 		{6, 6}
696 		}
697 	},
698 	{0, 0, 3, 0,		/* 0x56 */
699 		{{1, 2},
700 		{4, 4},
701 		{6, 6},
702 		{0, 0}
703 		}
704 	},
705 	{1, 0, 3, 0,		/* 0x57 */
706 		{{0, 2},
707 		{4, 4},
708 		{6, 6},
709 		{0, 0}
710 		}
711 	},
712 	{0, 0, 2, 0,		/* 0x58 */
713 		{{3, 4},
714 		{6, 6},
715 		{0, 0},
716 		{0, 0}
717 		}
718 	},
719 	{1, 0, 3, 0,		/* 0x59 */
720 		{{0, 0},
721 		{3, 4},
722 		{6, 6},
723 		{0, 0}
724 		}
725 	},
726 	{0, 0, 3, 0,		/* 0x5a */
727 		{{1, 1},
728 		{3, 4},
729 		{6, 6},
730 		{0, 0}
731 		}
732 	},
733 	{1, 0, 3, 0,		/* 0x5b */
734 		{{0, 1},
735 		{3, 4},
736 		{6, 6},
737 		{0, 0}
738 		}
739 	},
740 	{0, 0, 2, 0,		/* 0x5c */
741 		{{2, 4},
742 		{6, 6},
743 		{0, 0},
744 		{0, 0}
745 		}
746 	},
747 	{1, 0, 3, 0,		/* 0x5d */
748 		{{0, 0},
749 		{2, 4},
750 		{6, 6},
751 		{0, 0}
752 		}
753 	},
754 	{0, 0, 2, 0,		/* 0x5e */
755 		{{1, 4},
756 		{6, 6},
757 		{0, 0},
758 		{0, 0}
759 		}
760 	},
761 	{1, 0, 2, 0,		/* 0x5f */
762 		{{0, 4},
763 		{6, 6},
764 		{0, 0},
765 		{0, 0}
766 		}
767 	},
768 	{0, 0, 1, 0,		/* 0x60 */
769 		{{5, 6},
770 		{0, 0},
771 		{0, 0},
772 		{0, 0}
773 		}
774 	},
775 	{1, 0, 2, 0,		/* 0x61 */
776 		{{0, 0},
777 		{5, 6},
778 		{0, 0},
779 		{0, 0}
780 		}
781 	},
782 	{0, 0, 2, 0,		/* 0x62 */
783 		{{1, 1},
784 		{5, 6},
785 		{0, 0},
786 		{0, 0}
787 		}
788 	},
789 	{1, 0, 2, 0,		/* 0x63 */
790 		{{0, 1},
791 		{5, 6},
792 		{0, 0},
793 		{0, 0}
794 		}
795 	},
796 	{0, 0, 2, 0,		/* 0x64 */
797 		{{2, 2},
798 		{5, 6},
799 		{0, 0},
800 		{0, 0}
801 		}
802 	},
803 	{1, 0, 3, 0,		/* 0x65 */
804 		{{0, 0},
805 		{2, 2},
806 		{5, 6},
807 		{0, 0}
808 		}
809 	},
810 	{0, 0, 2, 0,		/* 0x66 */
811 		{{1, 2},
812 		{5, 6},
813 		{0, 0},
814 		{0, 0}
815 		}
816 	},
817 	{1, 0, 2, 0,		/* 0x67 */
818 		{{0, 2},
819 		{5, 6},
820 		{0, 0},
821 		{0, 0}
822 		}
823 	},
824 	{0, 0, 2, 0,		/* 0x68 */
825 		{{3, 3},
826 		{5, 6},
827 		{0, 0},
828 		{0, 0}
829 		}
830 	},
831 	{1, 0, 3, 0,		/* 0x69 */
832 		{{0, 0},
833 		{3, 3},
834 		{5, 6},
835 		{0, 0}
836 		}
837 	},
838 	{0, 0, 3, 0,		/* 0x6a */
839 		{{1, 1},
840 		{3, 3},
841 		{5, 6},
842 		{0, 0}
843 		}
844 	},
845 	{1, 0, 3, 0,		/* 0x6b */
846 		{{0, 1},
847 		{3, 3},
848 		{5, 6},
849 		{0, 0}
850 		}
851 	},
852 	{0, 0, 2, 0,		/* 0x6c */
853 		{{2, 3},
854 		{5, 6},
855 		{0, 0},
856 		{0, 0}
857 		}
858 	},
859 	{1, 0, 3, 0,		/* 0x6d */
860 		{{0, 0},
861 		{2, 3},
862 		{5, 6},
863 		{0, 0}
864 		}
865 	},
866 	{0, 0, 2, 0,		/* 0x6e */
867 		{{1, 3},
868 		{5, 6},
869 		{0, 0},
870 		{0, 0}
871 		}
872 	},
873 	{1, 0, 2, 0,		/* 0x6f */
874 		{{0, 3},
875 		{5, 6},
876 		{0, 0},
877 		{0, 0}
878 		}
879 	},
880 	{0, 0, 1, 0,		/* 0x70 */
881 		{{4, 6},
882 		{0, 0},
883 		{0, 0},
884 		{0, 0}
885 		}
886 	},
887 	{1, 0, 2, 0,		/* 0x71 */
888 		{{0, 0},
889 		{4, 6},
890 		{0, 0},
891 		{0, 0}
892 		}
893 	},
894 	{0, 0, 2, 0,		/* 0x72 */
895 		{{1, 1},
896 		{4, 6},
897 		{0, 0},
898 		{0, 0}
899 		}
900 	},
901 	{1, 0, 2, 0,		/* 0x73 */
902 		{{0, 1},
903 		{4, 6},
904 		{0, 0},
905 		{0, 0}
906 		}
907 	},
908 	{0, 0, 2, 0,		/* 0x74 */
909 		{{2, 2},
910 		{4, 6},
911 		{0, 0},
912 		{0, 0}
913 		}
914 	},
915 	{1, 0, 3, 0,		/* 0x75 */
916 		{{0, 0},
917 		{2, 2},
918 		{4, 6},
919 		{0, 0}
920 		}
921 	},
922 	{0, 0, 2, 0,		/* 0x76 */
923 		{{1, 2},
924 		{4, 6},
925 		{0, 0},
926 		{0, 0}
927 		}
928 	},
929 	{1, 0, 2, 0,		/* 0x77 */
930 		{{0, 2},
931 		{4, 6},
932 		{0, 0},
933 		{0, 0}
934 		}
935 	},
936 	{0, 0, 1, 0,		/* 0x78 */
937 		{{3, 6},
938 		{0, 0},
939 		{0, 0},
940 		{0, 0}
941 		}
942 	},
943 	{1, 0, 2, 0,		/* 0x79 */
944 		{{0, 0},
945 		{3, 6},
946 		{0, 0},
947 		{0, 0}
948 		}
949 	},
950 	{0, 0, 2, 0,		/* 0x7a */
951 		{{1, 1},
952 		{3, 6},
953 		{0, 0},
954 		{0, 0}
955 		}
956 	},
957 	{1, 0, 2, 0,		/* 0x7b */
958 		{{0, 1},
959 		{3, 6},
960 		{0, 0},
961 		{0, 0}
962 		}
963 	},
964 	{0, 0, 1, 0,		/* 0x7c */
965 		{{2, 6},
966 		{0, 0},
967 		{0, 0},
968 		{0, 0}
969 		}
970 	},
971 	{1, 0, 2, 0,		/* 0x7d */
972 		{{0, 0},
973 		{2, 6},
974 		{0, 0},
975 		{0, 0}
976 		}
977 	},
978 	{0, 0, 1, 0,		/* 0x7e */
979 		{{1, 6},
980 		{0, 0},
981 		{0, 0},
982 		{0, 0}
983 		}
984 	},
985 	{1, 0, 1, 0,		/* 0x7f */
986 		{{0, 6},
987 		{0, 0},
988 		{0, 0},
989 		{0, 0}
990 		}
991 	},
992 	{0, 1, 1, 0,		/* 0x80 */
993 		{{7, 7},
994 		{0, 0},
995 		{0, 0},
996 		{0, 0}
997 		}
998 	},
999 	{1, 1, 2, 0,		/* 0x81 */
1000 		{{0, 0},
1001 		{7, 7},
1002 		{0, 0},
1003 		{0, 0}
1004 		}
1005 	},
1006 	{0, 1, 2, 0,		/* 0x82 */
1007 		{{1, 1},
1008 		{7, 7},
1009 		{0, 0},
1010 		{0, 0}
1011 		}
1012 	},
1013 	{1, 1, 2, 0,		/* 0x83 */
1014 		{{0, 1},
1015 		{7, 7},
1016 		{0, 0},
1017 		{0, 0}
1018 		}
1019 	},
1020 	{0, 1, 2, 0,		/* 0x84 */
1021 		{{2, 2},
1022 		{7, 7},
1023 		{0, 0},
1024 		{0, 0}
1025 		}
1026 	},
1027 	{1, 1, 3, 0,		/* 0x85 */
1028 		{{0, 0},
1029 		{2, 2},
1030 		{7, 7},
1031 		{0, 0}
1032 		}
1033 	},
1034 	{0, 1, 2, 0,		/* 0x86 */
1035 		{{1, 2},
1036 		{7, 7},
1037 		{0, 0},
1038 		{0, 0}
1039 		}
1040 	},
1041 	{1, 1, 2, 0,		/* 0x87 */
1042 		{{0, 2},
1043 		{7, 7},
1044 		{0, 0},
1045 		{0, 0}
1046 		}
1047 	},
1048 	{0, 1, 2, 0,		/* 0x88 */
1049 		{{3, 3},
1050 		{7, 7},
1051 		{0, 0},
1052 		{0, 0}
1053 		}
1054 	},
1055 	{1, 1, 3, 0,		/* 0x89 */
1056 		{{0, 0},
1057 		{3, 3},
1058 		{7, 7},
1059 		{0, 0}
1060 		}
1061 	},
1062 	{0, 1, 3, 0,		/* 0x8a */
1063 		{{1, 1},
1064 		{3, 3},
1065 		{7, 7},
1066 		{0, 0}
1067 		}
1068 	},
1069 	{1, 1, 3, 0,		/* 0x8b */
1070 		{{0, 1},
1071 		{3, 3},
1072 		{7, 7},
1073 		{0, 0}
1074 		}
1075 	},
1076 	{0, 1, 2, 0,		/* 0x8c */
1077 		{{2, 3},
1078 		{7, 7},
1079 		{0, 0},
1080 		{0, 0}
1081 		}
1082 	},
1083 	{1, 1, 3, 0,		/* 0x8d */
1084 		{{0, 0},
1085 		{2, 3},
1086 		{7, 7},
1087 		{0, 0}
1088 		}
1089 	},
1090 	{0, 1, 2, 0,		/* 0x8e */
1091 		{{1, 3},
1092 		{7, 7},
1093 		{0, 0},
1094 		{0, 0}
1095 		}
1096 	},
1097 	{1, 1, 2, 0,		/* 0x8f */
1098 		{{0, 3},
1099 		{7, 7},
1100 		{0, 0},
1101 		{0, 0}
1102 		}
1103 	},
1104 	{0, 1, 2, 0,		/* 0x90 */
1105 		{{4, 4},
1106 		{7, 7},
1107 		{0, 0},
1108 		{0, 0}
1109 		}
1110 	},
1111 	{1, 1, 3, 0,		/* 0x91 */
1112 		{{0, 0},
1113 		{4, 4},
1114 		{7, 7},
1115 		{0, 0}
1116 		}
1117 	},
1118 	{0, 1, 3, 0,		/* 0x92 */
1119 		{{1, 1},
1120 		{4, 4},
1121 		{7, 7},
1122 		{0, 0}
1123 		}
1124 	},
1125 	{1, 1, 3, 0,		/* 0x93 */
1126 		{{0, 1},
1127 		{4, 4},
1128 		{7, 7},
1129 		{0, 0}
1130 		}
1131 	},
1132 	{0, 1, 3, 0,		/* 0x94 */
1133 		{{2, 2},
1134 		{4, 4},
1135 		{7, 7},
1136 		{0, 0}
1137 		}
1138 	},
1139 	{1, 1, 4, 0,		/* 0x95 */
1140 		{{0, 0},
1141 		{2, 2},
1142 		{4, 4},
1143 		{7, 7}
1144 		}
1145 	},
1146 	{0, 1, 3, 0,		/* 0x96 */
1147 		{{1, 2},
1148 		{4, 4},
1149 		{7, 7},
1150 		{0, 0}
1151 		}
1152 	},
1153 	{1, 1, 3, 0,		/* 0x97 */
1154 		{{0, 2},
1155 		{4, 4},
1156 		{7, 7},
1157 		{0, 0}
1158 		}
1159 	},
1160 	{0, 1, 2, 0,		/* 0x98 */
1161 		{{3, 4},
1162 		{7, 7},
1163 		{0, 0},
1164 		{0, 0}
1165 		}
1166 	},
1167 	{1, 1, 3, 0,		/* 0x99 */
1168 		{{0, 0},
1169 		{3, 4},
1170 		{7, 7},
1171 		{0, 0}
1172 		}
1173 	},
1174 	{0, 1, 3, 0,		/* 0x9a */
1175 		{{1, 1},
1176 		{3, 4},
1177 		{7, 7},
1178 		{0, 0}
1179 		}
1180 	},
1181 	{1, 1, 3, 0,		/* 0x9b */
1182 		{{0, 1},
1183 		{3, 4},
1184 		{7, 7},
1185 		{0, 0}
1186 		}
1187 	},
1188 	{0, 1, 2, 0,		/* 0x9c */
1189 		{{2, 4},
1190 		{7, 7},
1191 		{0, 0},
1192 		{0, 0}
1193 		}
1194 	},
1195 	{1, 1, 3, 0,		/* 0x9d */
1196 		{{0, 0},
1197 		{2, 4},
1198 		{7, 7},
1199 		{0, 0}
1200 		}
1201 	},
1202 	{0, 1, 2, 0,		/* 0x9e */
1203 		{{1, 4},
1204 		{7, 7},
1205 		{0, 0},
1206 		{0, 0}
1207 		}
1208 	},
1209 	{1, 1, 2, 0,		/* 0x9f */
1210 		{{0, 4},
1211 		{7, 7},
1212 		{0, 0},
1213 		{0, 0}
1214 		}
1215 	},
1216 	{0, 1, 2, 0,		/* 0xa0 */
1217 		{{5, 5},
1218 		{7, 7},
1219 		{0, 0},
1220 		{0, 0}
1221 		}
1222 	},
1223 	{1, 1, 3, 0,		/* 0xa1 */
1224 		{{0, 0},
1225 		{5, 5},
1226 		{7, 7},
1227 		{0, 0}
1228 		}
1229 	},
1230 	{0, 1, 3, 0,		/* 0xa2 */
1231 		{{1, 1},
1232 		{5, 5},
1233 		{7, 7},
1234 		{0, 0}
1235 		}
1236 	},
1237 	{1, 1, 3, 0,		/* 0xa3 */
1238 		{{0, 1},
1239 		{5, 5},
1240 		{7, 7},
1241 		{0, 0}
1242 		}
1243 	},
1244 	{0, 1, 3, 0,		/* 0xa4 */
1245 		{{2, 2},
1246 		{5, 5},
1247 		{7, 7},
1248 		{0, 0}
1249 		}
1250 	},
1251 	{1, 1, 4, 0,		/* 0xa5 */
1252 		{{0, 0},
1253 		{2, 2},
1254 		{5, 5},
1255 		{7, 7}
1256 		}
1257 	},
1258 	{0, 1, 3, 0,		/* 0xa6 */
1259 		{{1, 2},
1260 		{5, 5},
1261 		{7, 7},
1262 		{0, 0}
1263 		}
1264 	},
1265 	{1, 1, 3, 0,		/* 0xa7 */
1266 		{{0, 2},
1267 		{5, 5},
1268 		{7, 7},
1269 		{0, 0}
1270 		}
1271 	},
1272 	{0, 1, 3, 0,		/* 0xa8 */
1273 		{{3, 3},
1274 		{5, 5},
1275 		{7, 7},
1276 		{0, 0}
1277 		}
1278 	},
1279 	{1, 1, 4, 0,		/* 0xa9 */
1280 		{{0, 0},
1281 		{3, 3},
1282 		{5, 5},
1283 		{7, 7}
1284 		}
1285 	},
1286 	{0, 1, 4, 0,		/* 0xaa */
1287 		{{1, 1},
1288 		{3, 3},
1289 		{5, 5},
1290 		{7, 7}
1291 		}
1292 	},
1293 	{1, 1, 4, 0,		/* 0xab */
1294 		{{0, 1},
1295 		{3, 3},
1296 		{5, 5},
1297 		{7, 7}
1298 		}
1299 	},
1300 	{0, 1, 3, 0,		/* 0xac */
1301 		{{2, 3},
1302 		{5, 5},
1303 		{7, 7},
1304 		{0, 0}
1305 		}
1306 	},
1307 	{1, 1, 4, 0,		/* 0xad */
1308 		{{0, 0},
1309 		{2, 3},
1310 		{5, 5},
1311 		{7, 7}
1312 		}
1313 	},
1314 	{0, 1, 3, 0,		/* 0xae */
1315 		{{1, 3},
1316 		{5, 5},
1317 		{7, 7},
1318 		{0, 0}
1319 		}
1320 	},
1321 	{1, 1, 3, 0,		/* 0xaf */
1322 		{{0, 3},
1323 		{5, 5},
1324 		{7, 7},
1325 		{0, 0}
1326 		}
1327 	},
1328 	{0, 1, 2, 0,		/* 0xb0 */
1329 		{{4, 5},
1330 		{7, 7},
1331 		{0, 0},
1332 		{0, 0}
1333 		}
1334 	},
1335 	{1, 1, 3, 0,		/* 0xb1 */
1336 		{{0, 0},
1337 		{4, 5},
1338 		{7, 7},
1339 		{0, 0}
1340 		}
1341 	},
1342 	{0, 1, 3, 0,		/* 0xb2 */
1343 		{{1, 1},
1344 		{4, 5},
1345 		{7, 7},
1346 		{0, 0}
1347 		}
1348 	},
1349 	{1, 1, 3, 0,		/* 0xb3 */
1350 		{{0, 1},
1351 		{4, 5},
1352 		{7, 7},
1353 		{0, 0}
1354 		}
1355 	},
1356 	{0, 1, 3, 0,		/* 0xb4 */
1357 		{{2, 2},
1358 		{4, 5},
1359 		{7, 7},
1360 		{0, 0}
1361 		}
1362 	},
1363 	{1, 1, 4, 0,		/* 0xb5 */
1364 		{{0, 0},
1365 		{2, 2},
1366 		{4, 5},
1367 		{7, 7}
1368 		}
1369 	},
1370 	{0, 1, 3, 0,		/* 0xb6 */
1371 		{{1, 2},
1372 		{4, 5},
1373 		{7, 7},
1374 		{0, 0}
1375 		}
1376 	},
1377 	{1, 1, 3, 0,		/* 0xb7 */
1378 		{{0, 2},
1379 		{4, 5},
1380 		{7, 7},
1381 		{0, 0}
1382 		}
1383 	},
1384 	{0, 1, 2, 0,		/* 0xb8 */
1385 		{{3, 5},
1386 		{7, 7},
1387 		{0, 0},
1388 		{0, 0}
1389 		}
1390 	},
1391 	{1, 1, 3, 0,		/* 0xb9 */
1392 		{{0, 0},
1393 		{3, 5},
1394 		{7, 7},
1395 		{0, 0}
1396 		}
1397 	},
1398 	{0, 1, 3, 0,		/* 0xba */
1399 		{{1, 1},
1400 		{3, 5},
1401 		{7, 7},
1402 		{0, 0}
1403 		}
1404 	},
1405 	{1, 1, 3, 0,		/* 0xbb */
1406 		{{0, 1},
1407 		{3, 5},
1408 		{7, 7},
1409 		{0, 0}
1410 		}
1411 	},
1412 	{0, 1, 2, 0,		/* 0xbc */
1413 		{{2, 5},
1414 		{7, 7},
1415 		{0, 0},
1416 		{0, 0}
1417 		}
1418 	},
1419 	{1, 1, 3, 0,		/* 0xbd */
1420 		{{0, 0},
1421 		{2, 5},
1422 		{7, 7},
1423 		{0, 0}
1424 		}
1425 	},
1426 	{0, 1, 2, 0,		/* 0xbe */
1427 		{{1, 5},
1428 		{7, 7},
1429 		{0, 0},
1430 		{0, 0}
1431 		}
1432 	},
1433 	{1, 1, 2, 0,		/* 0xbf */
1434 		{{0, 5},
1435 		{7, 7},
1436 		{0, 0},
1437 		{0, 0}
1438 		}
1439 	},
1440 	{0, 1, 1, 0,		/* 0xc0 */
1441 		{{6, 7},
1442 		{0, 0},
1443 		{0, 0},
1444 		{0, 0}
1445 		}
1446 	},
1447 	{1, 1, 2, 0,		/* 0xc1 */
1448 		{{0, 0},
1449 		{6, 7},
1450 		{0, 0},
1451 		{0, 0}
1452 		}
1453 	},
1454 	{0, 1, 2, 0,		/* 0xc2 */
1455 		{{1, 1},
1456 		{6, 7},
1457 		{0, 0},
1458 		{0, 0}
1459 		}
1460 	},
1461 	{1, 1, 2, 0,		/* 0xc3 */
1462 		{{0, 1},
1463 		{6, 7},
1464 		{0, 0},
1465 		{0, 0}
1466 		}
1467 	},
1468 	{0, 1, 2, 0,		/* 0xc4 */
1469 		{{2, 2},
1470 		{6, 7},
1471 		{0, 0},
1472 		{0, 0}
1473 		}
1474 	},
1475 	{1, 1, 3, 0,		/* 0xc5 */
1476 		{{0, 0},
1477 		{2, 2},
1478 		{6, 7},
1479 		{0, 0}
1480 		}
1481 	},
1482 	{0, 1, 2, 0,		/* 0xc6 */
1483 		{{1, 2},
1484 		{6, 7},
1485 		{0, 0},
1486 		{0, 0}
1487 		}
1488 	},
1489 	{1, 1, 2, 0,		/* 0xc7 */
1490 		{{0, 2},
1491 		{6, 7},
1492 		{0, 0},
1493 		{0, 0}
1494 		}
1495 	},
1496 	{0, 1, 2, 0,		/* 0xc8 */
1497 		{{3, 3},
1498 		{6, 7},
1499 		{0, 0},
1500 		{0, 0}
1501 		}
1502 	},
1503 	{1, 1, 3, 0,		/* 0xc9 */
1504 		{{0, 0},
1505 		{3, 3},
1506 		{6, 7},
1507 		{0, 0}
1508 		}
1509 	},
1510 	{0, 1, 3, 0,		/* 0xca */
1511 		{{1, 1},
1512 		{3, 3},
1513 		{6, 7},
1514 		{0, 0}
1515 		}
1516 	},
1517 	{1, 1, 3, 0,		/* 0xcb */
1518 		{{0, 1},
1519 		{3, 3},
1520 		{6, 7},
1521 		{0, 0}
1522 		}
1523 	},
1524 	{0, 1, 2, 0,		/* 0xcc */
1525 		{{2, 3},
1526 		{6, 7},
1527 		{0, 0},
1528 		{0, 0}
1529 		}
1530 	},
1531 	{1, 1, 3, 0,		/* 0xcd */
1532 		{{0, 0},
1533 		{2, 3},
1534 		{6, 7},
1535 		{0, 0}
1536 		}
1537 	},
1538 	{0, 1, 2, 0,		/* 0xce */
1539 		{{1, 3},
1540 		{6, 7},
1541 		{0, 0},
1542 		{0, 0}
1543 		}
1544 	},
1545 	{1, 1, 2, 0,		/* 0xcf */
1546 		{{0, 3},
1547 		{6, 7},
1548 		{0, 0},
1549 		{0, 0}
1550 		}
1551 	},
1552 	{0, 1, 2, 0,		/* 0xd0 */
1553 		{{4, 4},
1554 		{6, 7},
1555 		{0, 0},
1556 		{0, 0}
1557 		}
1558 	},
1559 	{1, 1, 3, 0,		/* 0xd1 */
1560 		{{0, 0},
1561 		{4, 4},
1562 		{6, 7},
1563 		{0, 0}
1564 		}
1565 	},
1566 	{0, 1, 3, 0,		/* 0xd2 */
1567 		{{1, 1},
1568 		{4, 4},
1569 		{6, 7},
1570 		{0, 0}
1571 		}
1572 	},
1573 	{1, 1, 3, 0,		/* 0xd3 */
1574 		{{0, 1},
1575 		{4, 4},
1576 		{6, 7},
1577 		{0, 0}
1578 		}
1579 	},
1580 	{0, 1, 3, 0,		/* 0xd4 */
1581 		{{2, 2},
1582 		{4, 4},
1583 		{6, 7},
1584 		{0, 0}
1585 		}
1586 	},
1587 	{1, 1, 4, 0,		/* 0xd5 */
1588 		{{0, 0},
1589 		{2, 2},
1590 		{4, 4},
1591 		{6, 7}
1592 		}
1593 	},
1594 	{0, 1, 3, 0,		/* 0xd6 */
1595 		{{1, 2},
1596 		{4, 4},
1597 		{6, 7},
1598 		{0, 0}
1599 		}
1600 	},
1601 	{1, 1, 3, 0,		/* 0xd7 */
1602 		{{0, 2},
1603 		{4, 4},
1604 		{6, 7},
1605 		{0, 0}
1606 		}
1607 	},
1608 	{0, 1, 2, 0,		/* 0xd8 */
1609 		{{3, 4},
1610 		{6, 7},
1611 		{0, 0},
1612 		{0, 0}
1613 		}
1614 	},
1615 	{1, 1, 3, 0,		/* 0xd9 */
1616 		{{0, 0},
1617 		{3, 4},
1618 		{6, 7},
1619 		{0, 0}
1620 		}
1621 	},
1622 	{0, 1, 3, 0,		/* 0xda */
1623 		{{1, 1},
1624 		{3, 4},
1625 		{6, 7},
1626 		{0, 0}
1627 		}
1628 	},
1629 	{1, 1, 3, 0,		/* 0xdb */
1630 		{{0, 1},
1631 		{3, 4},
1632 		{6, 7},
1633 		{0, 0}
1634 		}
1635 	},
1636 	{0, 1, 2, 0,		/* 0xdc */
1637 		{{2, 4},
1638 		{6, 7},
1639 		{0, 0},
1640 		{0, 0}
1641 		}
1642 	},
1643 	{1, 1, 3, 0,		/* 0xdd */
1644 		{{0, 0},
1645 		{2, 4},
1646 		{6, 7},
1647 		{0, 0}
1648 		}
1649 	},
1650 	{0, 1, 2, 0,		/* 0xde */
1651 		{{1, 4},
1652 		{6, 7},
1653 		{0, 0},
1654 		{0, 0}
1655 		}
1656 	},
1657 	{1, 1, 2, 0,		/* 0xdf */
1658 		{{0, 4},
1659 		{6, 7},
1660 		{0, 0},
1661 		{0, 0}
1662 		}
1663 	},
1664 	{0, 1, 1, 0,		/* 0xe0 */
1665 		{{5, 7},
1666 		{0, 0},
1667 		{0, 0},
1668 		{0, 0}
1669 		}
1670 	},
1671 	{1, 1, 2, 0,		/* 0xe1 */
1672 		{{0, 0},
1673 		{5, 7},
1674 		{0, 0},
1675 		{0, 0}
1676 		}
1677 	},
1678 	{0, 1, 2, 0,		/* 0xe2 */
1679 		{{1, 1},
1680 		{5, 7},
1681 		{0, 0},
1682 		{0, 0}
1683 		}
1684 	},
1685 	{1, 1, 2, 0,		/* 0xe3 */
1686 		{{0, 1},
1687 		{5, 7},
1688 		{0, 0},
1689 		{0, 0}
1690 		}
1691 	},
1692 	{0, 1, 2, 0,		/* 0xe4 */
1693 		{{2, 2},
1694 		{5, 7},
1695 		{0, 0},
1696 		{0, 0}
1697 		}
1698 	},
1699 	{1, 1, 3, 0,		/* 0xe5 */
1700 		{{0, 0},
1701 		{2, 2},
1702 		{5, 7},
1703 		{0, 0}
1704 		}
1705 	},
1706 	{0, 1, 2, 0,		/* 0xe6 */
1707 		{{1, 2},
1708 		{5, 7},
1709 		{0, 0},
1710 		{0, 0}
1711 		}
1712 	},
1713 	{1, 1, 2, 0,		/* 0xe7 */
1714 		{{0, 2},
1715 		{5, 7},
1716 		{0, 0},
1717 		{0, 0}
1718 		}
1719 	},
1720 	{0, 1, 2, 0,		/* 0xe8 */
1721 		{{3, 3},
1722 		{5, 7},
1723 		{0, 0},
1724 		{0, 0}
1725 		}
1726 	},
1727 	{1, 1, 3, 0,		/* 0xe9 */
1728 		{{0, 0},
1729 		{3, 3},
1730 		{5, 7},
1731 		{0, 0}
1732 		}
1733 	},
1734 	{0, 1, 3, 0,		/* 0xea */
1735 		{{1, 1},
1736 		{3, 3},
1737 		{5, 7},
1738 		{0, 0}
1739 		}
1740 	},
1741 	{1, 1, 3, 0,		/* 0xeb */
1742 		{{0, 1},
1743 		{3, 3},
1744 		{5, 7},
1745 		{0, 0}
1746 		}
1747 	},
1748 	{0, 1, 2, 0,		/* 0xec */
1749 		{{2, 3},
1750 		{5, 7},
1751 		{0, 0},
1752 		{0, 0}
1753 		}
1754 	},
1755 	{1, 1, 3, 0,		/* 0xed */
1756 		{{0, 0},
1757 		{2, 3},
1758 		{5, 7},
1759 		{0, 0}
1760 		}
1761 	},
1762 	{0, 1, 2, 0,		/* 0xee */
1763 		{{1, 3},
1764 		{5, 7},
1765 		{0, 0},
1766 		{0, 0}
1767 		}
1768 	},
1769 	{1, 1, 2, 0,		/* 0xef */
1770 		{{0, 3},
1771 		{5, 7},
1772 		{0, 0},
1773 		{0, 0}
1774 		}
1775 	},
1776 	{0, 1, 1, 0,		/* 0xf0 */
1777 		{{4, 7},
1778 		{0, 0},
1779 		{0, 0},
1780 		{0, 0}
1781 		}
1782 	},
1783 	{1, 1, 2, 0,		/* 0xf1 */
1784 		{{0, 0},
1785 		{4, 7},
1786 		{0, 0},
1787 		{0, 0}
1788 		}
1789 	},
1790 	{0, 1, 2, 0,		/* 0xf2 */
1791 		{{1, 1},
1792 		{4, 7},
1793 		{0, 0},
1794 		{0, 0}
1795 		}
1796 	},
1797 	{1, 1, 2, 0,		/* 0xf3 */
1798 		{{0, 1},
1799 		{4, 7},
1800 		{0, 0},
1801 		{0, 0}
1802 		}
1803 	},
1804 	{0, 1, 2, 0,		/* 0xf4 */
1805 		{{2, 2},
1806 		{4, 7},
1807 		{0, 0},
1808 		{0, 0}
1809 		}
1810 	},
1811 	{1, 1, 3, 0,		/* 0xf5 */
1812 		{{0, 0},
1813 		{2, 2},
1814 		{4, 7},
1815 		{0, 0}
1816 		}
1817 	},
1818 	{0, 1, 2, 0,		/* 0xf6 */
1819 		{{1, 2},
1820 		{4, 7},
1821 		{0, 0},
1822 		{0, 0}
1823 		}
1824 	},
1825 	{1, 1, 2, 0,		/* 0xf7 */
1826 		{{0, 2},
1827 		{4, 7},
1828 		{0, 0},
1829 		{0, 0}
1830 		}
1831 	},
1832 	{0, 1, 1, 0,		/* 0xf8 */
1833 		{{3, 7},
1834 		{0, 0},
1835 		{0, 0},
1836 		{0, 0}
1837 		}
1838 	},
1839 	{1, 1, 2, 0,		/* 0xf9 */
1840 		{{0, 0},
1841 		{3, 7},
1842 		{0, 0},
1843 		{0, 0}
1844 		}
1845 	},
1846 	{0, 1, 2, 0,		/* 0xfa */
1847 		{{1, 1},
1848 		{3, 7},
1849 		{0, 0},
1850 		{0, 0}
1851 		}
1852 	},
1853 	{1, 1, 2, 0,		/* 0xfb */
1854 		{{0, 1},
1855 		{3, 7},
1856 		{0, 0},
1857 		{0, 0}
1858 		}
1859 	},
1860 	{0, 1, 1, 0,		/* 0xfc */
1861 		{{2, 7},
1862 		{0, 0},
1863 		{0, 0},
1864 		{0, 0}
1865 		}
1866 	},
1867 	{1, 1, 2, 0,		/* 0xfd */
1868 		{{0, 0},
1869 		{2, 7},
1870 		{0, 0},
1871 		{0, 0}
1872 		}
1873 	},
1874 	{0, 1, 1, 0,		/* 0xfe */
1875 		{{1, 7},
1876 		{0, 0},
1877 		{0, 0},
1878 		{0, 0}
1879 		}
1880 	},
1881 	{1, 1, 1, 0,		/* 0xff */
1882 		{{0, 7},
1883 		{0, 0},
1884 		{0, 0},
1885 		{0, 0}
1886 		}
1887 	}
1888 };
1889 
1890 
/*
 * Decide whether the local address held by ifa may be used under the
 * restrictions recorded in scope.
 *
 * ifa       - interface address to test; its address family selects the rules.
 * scope     - scoping flags (loopback, IPv4/IPv6/conn legality, private and
 *             site-local allowances).
 * do_update - when non-zero, the IPv6 path refreshes the interface address
 *             flags with sctp_gather_internal_ifa_flags() before testing
 *             them (not compiled in for __Panda__).
 *
 * Returns 1 when the address is in scope and 0 when it must be skipped.
 * Unknown address families are always out of scope.
 *
 * NOTE(review): ifa and scope are dereferenced without a NULL check, so
 * callers must pass valid pointers.
 */
int
sctp_is_address_in_scope(struct sctp_ifa *ifa,
                         struct sctp_scoping *scope,
                         int do_update)
{
	/* Addresses on a loopback interface count only when loopback scope is on. */
	if ((scope->loopback_scope == 0) &&
	    (ifa->ifn_p) && SCTP_IFN_IS_IFT_LOOP(ifa->ifn_p)) {
		return (0);
	}
	switch (ifa->address.sa.sa_family) {
#ifdef INET
	case AF_INET:
	{
		struct sockaddr_in *sin4;

		if (!scope->ipv4_addr_legal) {
			return (0);
		}
		sin4 = (struct sockaddr_in *)&ifa->address.sin;
		/* The unspecified address (0.0.0.0) is never in scope. */
		if (sin4->sin_addr.s_addr == 0) {
			return (0);
		}
		/* Private addresses are rejected unless IPv4 local scope is set. */
		if ((scope->ipv4_local_scope == 0) &&
		    (IN4_ISPRIVATE_ADDRESS(&sin4->sin_addr))) {
			return (0);
		}
		break;
	}
#endif
#ifdef INET6
	case AF_INET6:
	{
		struct sockaddr_in6 *sin6;

		if (!scope->ipv6_addr_legal) {
			return (0);
		}
#if !defined(__Panda__)
		/*
		 * The flags have to be refreshed at this point, so any IFA
		 * locking the refresh needs has to be in effect here.
		 */
		if (do_update) {
			sctp_gather_internal_ifa_flags(ifa);
		}
#endif
		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
			return (0);
		}
		/* Open question kept from the original: ok to use deprecated addresses? */
		sin6 = (struct sockaddr_in6 *)&ifa->address.sin6;
		/*
		 * Unspecified and link-local addresses are rejected
		 * unconditionally; the link-local test does not consult a
		 * local_scope flag (that condition is disabled in the source).
		 */
		if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr) ||
		    IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
			return (0);
		}
		/* Site-local addresses are rejected unless site scope is set. */
		if ((scope->site_scope == 0) &&
		    (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr))) {
			return (0);
		}
		break;
	}
#endif
#if defined(__Userspace__)
	case AF_CONN:
		if (!scope->conn_addr_legal) {
			return (0);
		}
		break;
#endif
	default:
		/* Any other address family is out of scope. */
		return (0);
	}
	return (1);
}
1971 
/*
 * Append one IPv4 or IPv6 address parameter for ifa to an mbuf chain.
 *
 * m   - mbuf to append to; if it lacks trailing space, a new mbuf is
 *       allocated and linked after the last mbuf reachable from m.
 * ifa - local address to encode.
 * len - optional running length; advanced by the parameter size on success.
 *
 * Returns the mbuf that now holds the parameter (m, or the new mbuf).
 * Returns m untouched when the address family is not handled or when the
 * allocation fails, so a caller cannot tell "appended in place" from
 * "nothing appended" by the return value alone; *len only moves on success.
 *
 * NOTE(review): *len is a uint16_t and is advanced with no overflow check;
 * presumably callers bound the number of addresses - confirm.
 * NOTE(review): the in-place path tests M_TRAILINGSPACE(m) only, so it
 * assumes m is the mbuf currently being filled - confirm against callers.
 */
static struct mbuf *
sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len)
{
#if defined(INET) || defined(INET6)
	struct sctp_paramhdr *ph;
	struct mbuf *target;
	uint16_t param_len;
#endif

	/* Size the parameter from the family; anything else is a no-op. */
	switch (ifa->address.sa.sa_family) {
#ifdef INET
	case AF_INET:
		param_len = (uint16_t)sizeof(struct sctp_ipv4addr_param);
		break;
#endif
#ifdef INET6
	case AF_INET6:
		param_len = (uint16_t)sizeof(struct sctp_ipv6addr_param);
		break;
#endif
	default:
		return (m);
	}
#if defined(INET) || defined(INET6)
	target = m;
	if (M_TRAILINGSPACE(m) < param_len) {
		/* No room in m: walk to the tail and chain a fresh mbuf. */
		while (SCTP_BUF_NEXT(target) != NULL) {
			target = SCTP_BUF_NEXT(target);
		}
		SCTP_BUF_NEXT(target) = sctp_get_mbuf_for_msg(param_len, 0, M_NOWAIT, 1, MT_DATA);
		if (SCTP_BUF_NEXT(target) == NULL) {
			/* Allocation failed, no more addresses can be added. */
			return (m);
		}
		target = SCTP_BUF_NEXT(target);
		ph = mtod(target, struct sctp_paramhdr *);
	} else {
		/* Enough room: the parameter goes right after the current data. */
		ph = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m)));
	}
	/* Fill in the parameter header and the address itself. */
	switch (ifa->address.sa.sa_family) {
#ifdef INET
	case AF_INET:
	{
		struct sockaddr_in *src4 = (struct sockaddr_in *)&ifa->address.sin;
		struct sctp_ipv4addr_param *out4 = (struct sctp_ipv4addr_param *)ph;

		ph->param_type = htons(SCTP_IPV4_ADDRESS);
		ph->param_length = htons(param_len);
		out4->addr = src4->sin_addr.s_addr;
		SCTP_BUF_LEN(target) += param_len;
		break;
	}
#endif
#ifdef INET6
	case AF_INET6:
	{
		struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)&ifa->address.sin6;
		struct sctp_ipv6addr_param *out6 = (struct sctp_ipv6addr_param *)ph;

		ph->param_type = htons(SCTP_IPV6_ADDRESS);
		ph->param_length = htons(param_len);
		memcpy(out6->addr, &src6->sin6_addr,
		    sizeof(out6->addr));
#if defined(SCTP_EMBEDDED_V6_SCOPE)
		/* the embedded scope is cleared from the copy placed in the parameter */
		in6_clearscope((struct in6_addr *)out6->addr);
#endif
		SCTP_BUF_LEN(target) += param_len;
		break;
	}
#endif
	default:
		return (m);
	}
	if (len != NULL) {
		*len += param_len;
	}
	return (target);
#endif
}
2060 
2061 
/*
 * Append the endpoint's eligible local addresses, as address parameters,
 * to the mbuf chain ending at m_at (presumably the INIT / INIT-ACK being
 * built, going by the function name - confirm).
 *
 * inp          - endpoint whose addresses are listed.
 * stcb         - association used for the restricted-address check in the
 *                bound-all case; may be NULL (see sctp_is_addr_restricted()).
 * scope        - scoping rules applied to every candidate.
 * m_at         - mbuf to append to.
 * cnt_inits_to - starting value of the address count.
 * padding_len  - optional pending padding, zero-filled into m_at and
 *                cleared before the first address is appended.
 * chunk_len    - optional running chunk length, advanced for padding and
 *                for every address added.
 *
 * Returns the mbuf that received the last parameter, or m_at unchanged
 * when nothing was added. The address read lock is held for the whole walk
 * and dropped on every return path.
 *
 * Addresses are listed only when more than one is eligible; every
 * candidate is filtered through sctp_is_address_in_scope(), so
 * out-of-scope addresses are never listed.
 */
struct mbuf *
sctp_add_addresses_to_i_ia(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
                           struct sctp_scoping *scope,
			   struct mbuf *m_at, int cnt_inits_to,
			   uint16_t *padding_len, uint16_t *chunk_len)
{
	struct sctp_vrf *vrf;
	uint32_t vrf_id;
	int eligible;
	int capped = 0;

	vrf_id = inp->def_vrf_id;
	SCTP_IPI_ADDR_RLOCK();
	vrf = sctp_find_vrf(vrf_id);
	if (vrf == NULL) {
		SCTP_IPI_ADDR_RUNLOCK();
		return (m_at);
	}
	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
		struct sctp_ifn *ifn;
		struct sctp_ifa *ifa;

		/* Pass 1: count eligible addresses across all interfaces. */
		eligible = cnt_inits_to;
		if (vrf->total_ifa_count > SCTP_COUNT_LIMIT) {
			/* Too many to count; list under the caps below. */
			capped = 1;
			eligible = SCTP_ADDRESS_LIMIT;
		} else {
			LIST_FOREACH(ifn, &vrf->ifnlist, next_ifn) {
				if ((scope->loopback_scope == 0) &&
				    SCTP_IFN_IS_IFT_LOOP(ifn)) {
					/* loopback device while loopback is out of scope */
					continue;
				}
				LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
					if (sctp_is_addr_restricted(stcb, ifa)) {
						continue;
					}
#if defined(__Userspace__)
					if (ifa->address.sa.sa_family == AF_CONN) {
						continue;
					}
#endif
					if (sctp_is_address_in_scope(ifa, scope, 1) == 0) {
						continue;
					}
					eligible++;
					if (eligible > SCTP_ADDRESS_LIMIT) {
						break;
					}
				}
				if (eligible > SCTP_ADDRESS_LIMIT) {
					break;
				}
			}
		}
		/*
		 * Pass 2: emit the addresses.
		 * NOTE(review): the per-interface and total caps below apply
		 * only when `capped` is set; if pass 1 merely stopped at
		 * SCTP_ADDRESS_LIMIT, this pass lists every eligible address -
		 * confirm that is intended.
		 */
		if (eligible > 1) {
			int listed_total = 0;

			LIST_FOREACH(ifn, &vrf->ifnlist, next_ifn) {
				int per_ifn = 0;

				if ((scope->loopback_scope == 0) &&
				    SCTP_IFN_IS_IFT_LOOP(ifn)) {
					/* loopback device while loopback is out of scope */
					continue;
				}
				LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
					if (sctp_is_addr_restricted(stcb, ifa)) {
						continue;
					}
#if defined(__Userspace__)
					if (ifa->address.sa.sa_family == AF_CONN) {
						continue;
					}
#endif
					if (sctp_is_address_in_scope(ifa,
								     scope, 0) == 0) {
						continue;
					}
					/*
					 * Zero-fill pending padding before the
					 * first parameter.
					 * NOTE(review): this writes at offset
					 * *chunk_len in m_at with no
					 * trailing-space check; presumably the
					 * caller guarantees room - confirm.
					 */
					if ((chunk_len != NULL) &&
					    (padding_len != NULL) &&
					    (*padding_len > 0)) {
						memset(mtod(m_at, caddr_t) + *chunk_len, 0, *padding_len);
						SCTP_BUF_LEN(m_at) += *padding_len;
						*chunk_len += *padding_len;
						*padding_len = 0;
					}
					m_at = sctp_add_addr_to_mbuf(m_at, ifa, chunk_len);
					if (capped) {
						per_ifn++;
						listed_total++;
						/*
						 * At most two per interface;
						 * past the total limit this
						 * interface is abandoned too
						 * (the outer walk continues).
						 */
						if ((per_ifn >= 2) ||
						    (listed_total > SCTP_ADDRESS_LIMIT)) {
							break;
						}
					}
				}
			}
		}
	} else {
		struct sctp_laddr *entry;

		/* Pass 1: how many bound addresses are eligible? */
		eligible = cnt_inits_to;
		LIST_FOREACH(entry, &inp->sctp_addr_list, sctp_nxt_addr) {
			if (entry->ifa == NULL) {
				continue;
			}
			if (entry->ifa->localifa_flags & SCTP_BEING_DELETED) {
				/* being deleted by the system, don't list */
				continue;
			}
			if (entry->action == SCTP_DEL_IP_ADDRESS) {
				/* being deleted on this endpoint, don't list */
				continue;
			}
#if defined(__Userspace__)
			if (entry->ifa->address.sa.sa_family == AF_CONN) {
				continue;
			}
#endif
			if (sctp_is_address_in_scope(entry->ifa,
						     scope, 1) == 0) {
				continue;
			}
			eligible++;
		}
		/*
		 * To get through a NAT, addresses are listed only if there is
		 * more than one. With a single bound address the source of
		 * the init dictates our address.
		 */
		if (eligible > 1) {
			/*
			 * NOTE(review): unlike pass 1, this pass does not skip
			 * entries with action == SCTP_DEL_IP_ADDRESS, and
			 * neither pass consults sctp_is_addr_restricted() -
			 * confirm that is intended.
			 */
			eligible = cnt_inits_to;
			LIST_FOREACH(entry, &inp->sctp_addr_list, sctp_nxt_addr) {
				if (entry->ifa == NULL) {
					continue;
				}
				if (entry->ifa->localifa_flags & SCTP_BEING_DELETED) {
					continue;
				}
#if defined(__Userspace__)
				if (entry->ifa->address.sa.sa_family == AF_CONN) {
					continue;
				}
#endif
				if (sctp_is_address_in_scope(entry->ifa,
							     scope, 0) == 0) {
					continue;
				}
				/* Same pending-padding flush as in the bound-all case. */
				if ((chunk_len != NULL) &&
				    (padding_len != NULL) &&
				    (*padding_len > 0)) {
					memset(mtod(m_at, caddr_t) + *chunk_len, 0, *padding_len);
					SCTP_BUF_LEN(m_at) += *padding_len;
					*chunk_len += *padding_len;
					*padding_len = 0;
				}
				m_at = sctp_add_addr_to_mbuf(m_at, entry->ifa, chunk_len);
				eligible++;
				if (eligible >= SCTP_ADDRESS_LIMIT) {
					break;
				}
			}
		}
	}
	SCTP_IPI_ADDR_RUNLOCK();
	return (m_at);
}
2242 
/*
 * Test whether ifa is a "preferred" source for a destination of the given
 * class: same address family and a source scope matching the table below.
 *
 * ifa          - candidate source address.
 * dest_is_loop - non-zero when the destination is a loopback address.
 * dest_is_priv - non-zero when the destination is a private address.
 * fam          - address family of the destination.
 *
 * Returns ifa when preferred, NULL otherwise. No reference is taken.
 *
 * L = loopback, P = private, G = global
 *
 *    src | dest | result
 *   -----+------+----------------
 *     L  |  L   | yes
 *     P  |  L   | yes-v4 no-v6
 *     G  |  L   | yes-v4 no-v6
 *     L  |  P   | no
 *     P  |  P   | yes
 *     G  |  P   | no
 *     L  |  G   | no
 *     P  |  G   | no
 *     G  |  G   | yes
 */
static struct sctp_ifa *
sctp_is_ifa_addr_preferred(struct sctp_ifa *ifa,
			   uint8_t dest_is_loop,
			   uint8_t dest_is_priv,
			   sa_family_t fam)
{
	/* A destination that is neither private nor loopback counts as global. */
	uint8_t dst_global = ((dest_is_priv == 0) && (dest_is_loop == 0)) ? 1 : 0;

	if (ifa->address.sa.sa_family != fam) {
		/* family mismatch, not a candidate */
		return (NULL);
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Is destination preferred:");
	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ifa->address.sa);
#ifdef INET6
	if (fam == AF_INET6) {
		/* unusable (e.g. deprecated) IPv6 addresses are never preferred */
		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
			SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:1\n");
			return (NULL);
		}
		/* the two "no-v6" rows of the table: loopback destination */
		if (dest_is_loop) {
			if (ifa->src_is_priv && !ifa->src_is_loop) {
				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:2\n");
				return (NULL);
			}
			if (ifa->src_is_glob) {
				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:3\n");
				return (NULL);
			}
		}
	}
#endif
	/*
	 * Family-independent rows of the table, spelled out one by one so
	 * each rejection is easy to check against it.
	 */
	SCTPDBG(SCTP_DEBUG_OUTPUT3, "src_loop:%d src_priv:%d src_glob:%d\n",
		ifa->src_is_loop, ifa->src_is_priv, ifa->src_is_glob);
	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dest_loop:%d dest_priv:%d dest_glob:%d\n",
		dest_is_loop, dest_is_priv, dst_global);

	if (dest_is_priv && ifa->src_is_loop) {
		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:4\n");
		return (NULL);
	}
	if (dest_is_priv && ifa->src_is_glob) {
		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:5\n");
		return (NULL);
	}
	if (dst_global && ifa->src_is_loop) {
		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:6\n");
		return (NULL);
	}
	if (dst_global && ifa->src_is_priv) {
		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:7\n");
		return (NULL);
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT3, "YES\n");
	return (ifa);
}
2340 
/*
 * Test whether ifa is an "acceptable" source for a destination of the
 * given class. This is looser than the preferred test: to allow for NAT, a
 * private source towards a global destination is accepted.
 *
 * ifa          - candidate source address.
 * dest_is_loop - non-zero when the destination is a loopback address.
 * dest_is_priv - non-zero when the destination is a private address.
 * fam          - address family of the destination.
 *
 * Returns ifa when acceptable, NULL otherwise. No reference is taken.
 *
 * L = loopback, P = private, G = global
 *
 *    src | dest | result
 *   -----+------+--------------------
 *     L  |  L   | yes
 *     P  |  L   | yes-v4 no-v6
 *     G  |  L   | yes
 *     L  |  P   | no
 *     P  |  P   | yes
 *     G  |  P   | yes - May not work
 *     L  |  G   | no
 *     P  |  G   | yes - May not work
 *     G  |  G   | yes
 */
static struct sctp_ifa *
sctp_is_ifa_addr_acceptable(struct sctp_ifa *ifa,
			    uint8_t dest_is_loop,
			    uint8_t dest_is_priv,
			    sa_family_t fam)
{
	uint8_t dst_global;

	if (ifa->address.sa.sa_family != fam) {
		/* family mismatch, not a candidate */
		SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa_fam:%d fam:%d\n",
			ifa->address.sa.sa_family, fam);
		return (NULL);
	}
	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, &ifa->address.sa);
	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst_is_loop:%d dest_is_priv:%d\n",
		dest_is_loop, dest_is_priv);
	/* A destination that is neither loopback nor private counts as global. */
	dst_global = ((dest_is_loop == 0) && (dest_is_priv == 0)) ? 1 : 0;
#ifdef INET6
	if (fam == AF_INET6) {
		/* unusable (e.g. deprecated) IPv6 addresses are rejected */
		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
			return (NULL);
		}
		/* special case: link-local source towards a loopback destination */
		if (ifa->src_is_priv && dest_is_loop) {
			return (NULL);
		}
	}
#endif
	/*
	 * Remaining rows of the table: a loopback source is only good for a
	 * loopback destination.
	 */
	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_priv:%d\n",
		ifa->src_is_loop,
		dest_is_priv);
	if (dest_is_priv && (ifa->src_is_loop == 1)) {
		return (NULL);
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT3, "ifa->src_is_loop:%d dest_is_glob:%d\n",
		ifa->src_is_loop,
		dst_global);
	if (dst_global && (ifa->src_is_loop == 1)) {
		return (NULL);
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT3, "address is acceptable\n");
	return (ifa);
}
2426 
/*
 * Report whether ifa is on the association's restricted-address list.
 *
 * stcb - association to consult; NULL means there are no restrictions.
 * ifa  - address to look up (compared by pointer).
 *
 * Returns 1 when ifa is on stcb->asoc.sctp_restricted_addrs, 0 otherwise.
 * List entries with a NULL ifa are logged and skipped, so a NULL ifa
 * argument never matches.
 */
int
sctp_is_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
{
	struct sctp_laddr *entry;

	if (stcb != NULL) {
		LIST_FOREACH(entry, &stcb->asoc.sctp_restricted_addrs, sctp_nxt_addr) {
			if (entry->ifa == NULL) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
					__FUNCTION__);
				continue;
			}
			if (entry->ifa == ifa) {
				/* found on the restricted list */
				return (1);
			}
		}
	}
	/* no TCB, or not on its list: unrestricted */
	return (0);
}
2449 
2450 
/*
 * Report whether ifa is bound to the endpoint and has no action pending.
 *
 * inp - endpoint whose bound-address list is searched; dereferenced
 *       without a NULL check.
 * ifa - address to look up (compared by pointer); NULL yields 0.
 *
 * Returns 1 when an entry of inp->sctp_addr_list points at ifa and its
 * action field is 0, otherwise 0. Entries with a NULL ifa are logged and
 * skipped.
 */
int
sctp_is_addr_in_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa)
{
	struct sctp_laddr *entry;

	if (ifa == NULL) {
		return (0);
	}
	LIST_FOREACH(entry, &inp->sctp_addr_list, sctp_nxt_addr) {
		if (entry->ifa == NULL) {
			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
				__FUNCTION__);
			continue;
		}
		/* same pointer, and no add/delete action recorded on the entry */
		if ((entry->ifa == ifa) && entry->action == 0) {
			return (1);
		}
	}
	return (0);
}
2470 
2471 
2472 
/*
 * Choose a source address for a bound-specific endpoint when no
 * association is involved.
 *
 * inp              - endpoint whose bound addresses are the candidates.
 * ro               - route towards the destination; selects the emitting
 *                    interface.
 * vrf_id           - VRF to look up; NULL is returned if it does not exist.
 * non_asoc_addr_ok - when 0, addresses flagged SCTP_ADDR_DEFER_USE on the
 *                    emitting interface are skipped.
 * dest_is_priv     - non-zero when the destination is private.
 * dest_is_loop     - non-zero when the destination is loopback.
 * fam              - address family wanted.
 *
 * Search order: (1) a preferred address on the emitting interface that is
 * bound to inp, (2) any preferred bound address, (3) any acceptable bound
 * address. Steps 2 and 3 start at inp->next_addr_touse and wrap around the
 * list once.
 *
 * Returns the chosen address with its refcount incremented (the caller
 * owns that reference and must drop it), or NULL when no bound address can
 * serve as a source.
 *
 * Side effect: inp->next_addr_touse is rewritten during the scans; it is
 * not advanced to the address that is returned.
 * NOTE(review): no lock is taken here although address lists are walked
 * and inp state is modified; presumably the caller holds the required
 * locks - confirm.
 */
static struct sctp_ifa *
sctp_choose_boundspecific_inp(struct sctp_inpcb *inp,
			      sctp_route_t *ro,
			      uint32_t vrf_id,
			      int non_asoc_addr_ok,
			      uint8_t dest_is_priv,
			      uint8_t dest_is_loop,
			      sa_family_t fam)
{
	struct sctp_laddr *entry, *resume_from;
	struct sctp_ifn *out_ifn;
	struct sctp_ifa *cand, *pick;
	struct sctp_vrf *vrf;
	void *ifn;
	uint32_t ifn_index;
	int wrapped = 0;

	vrf = sctp_find_vrf(vrf_id);
	if (vrf == NULL)
		return (NULL);

	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
	out_ifn = sctp_find_ifn(ifn, ifn_index);
	/*
	 * Step 1: if the emitting interface is known, a preferred address
	 * on it that is also bound to the endpoint wins.
	 */
	if (out_ifn) {
		LIST_FOREACH(cand, &out_ifn->ifalist, next_ifa) {
			if ((non_asoc_addr_ok == 0) &&
			    (cand->localifa_flags & SCTP_ADDR_DEFER_USE))
				continue;
			pick = sctp_is_ifa_addr_preferred(cand,
							  dest_is_loop,
							  dest_is_priv, fam);
			if ((pick != NULL) && sctp_is_addr_in_ep(inp, pick)) {
				atomic_add_int(&pick->refcount, 1);
				return (pick);
			}
		}
	}
	/*
	 * Step 2: nothing on the emitting interface, so scan the bound list
	 * for a preferred address, starting at next_addr_touse and wrapping
	 * to the head once.
	 */
	resume_from = inp->next_addr_touse;
	for (;;) {
		if (inp->next_addr_touse == NULL) {
			inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
			wrapped = 1;
		}
		for (entry = inp->next_addr_touse; entry;
		     entry = LIST_NEXT(entry, sctp_nxt_addr)) {
			/* skip entries already removed or being deleted */
			if ((entry->ifa == NULL) ||
			    (entry->action == SCTP_DEL_IP_ADDRESS)) {
				continue;
			}
			pick = sctp_is_ifa_addr_preferred(entry->ifa, dest_is_loop,
							  dest_is_priv, fam);
			if (pick == NULL)
				continue;
			atomic_add_int(&pick->refcount, 1);
			return (pick);
		}
		if (wrapped != 0) {
			break;
		}
		/* ran off the tail without having started at the head */
		inp->next_addr_touse = NULL;
	}

	/* Step 3: same scan from the same starting point, acceptable addresses. */
	inp->next_addr_touse = resume_from;
	wrapped = 0;
	for (;;) {
		if (inp->next_addr_touse == NULL) {
			inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
			wrapped = 1;
		}
		for (entry = inp->next_addr_touse; entry;
		     entry = LIST_NEXT(entry, sctp_nxt_addr)) {
			/* skip entries already removed or being deleted */
			if ((entry->ifa == NULL) ||
			    (entry->action == SCTP_DEL_IP_ADDRESS)) {
				continue;
			}
			pick = sctp_is_ifa_addr_acceptable(entry->ifa, dest_is_loop,
							   dest_is_priv, fam);
			if (pick == NULL)
				continue;
			atomic_add_int(&pick->refcount, 1);
			return (pick);
		}
		if (wrapped != 0) {
			break;
		}
		inp->next_addr_touse = NULL;
	}

	/* no bound address can be a source for this destination */
	return (NULL);
}
2590 
2591 
2592 
/*
 * Choose a source address for an association on a bound-specific endpoint.
 *
 * inp              - endpoint whose bound addresses are the candidates.
 * stcb             - association; its restricted/pending lists are
 *                    consulted and asoc.last_used_address is read and
 *                    written. Dereferenced without a NULL check.
 * ro               - route towards the destination; selects the emitting
 *                    interface.
 * vrf_id           - VRF to look up; NULL is returned if it does not exist.
 * dest_is_priv     - non-zero when the destination is private.
 * dest_is_loop     - non-zero when the destination is loopback.
 * non_asoc_addr_ok - when 0, deferred-use and restricted addresses are
 *                    rejected; when non-zero, a restricted address is
 *                    tolerated only if it is also pending.
 * fam              - address family wanted.
 *
 * Search order: preferred, then acceptable, addresses on the emitting
 * interface that are bound to inp; then preferred, then acceptable,
 * addresses anywhere on the bound list, starting at last_used_address and
 * wrapping once.
 *
 * Returns the chosen address with its refcount incremented (the caller
 * owns that reference and must drop it), or NULL when nothing qualifies.
 *
 * NOTE(review): no lock is taken here although address lists are walked
 * and association state is modified; presumably the caller holds the
 * required locks - confirm.
 */
static struct sctp_ifa *
sctp_choose_boundspecific_stcb(struct sctp_inpcb *inp,
			       struct sctp_tcb *stcb,
			       sctp_route_t *ro,
			       uint32_t vrf_id,
			       uint8_t dest_is_priv,
			       uint8_t dest_is_loop,
			       int non_asoc_addr_ok,
			       sa_family_t fam)
{
	struct sctp_laddr *entry, *resume_from;
	struct sctp_ifn *out_ifn;
	struct sctp_ifa *cand, *pick;
	struct sctp_vrf *vrf;
	void *ifn;
	uint32_t ifn_index;
	uint8_t wrapped = 0;

	vrf = sctp_find_vrf(vrf_id);
	if (vrf == NULL)
		return (NULL);

	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
	out_ifn = sctp_find_ifn( ifn, ifn_index);

	/*
	 * If the emitting interface is known, look there first: a preferred
	 * address, then an acceptable one, that is bound to the endpoint.
	 */
	if (out_ifn) {
		/* preferred address on the emitting interface */
		LIST_FOREACH(cand, &out_ifn->ifalist, next_ifa) {
			if ((non_asoc_addr_ok == 0) &&
			    (cand->localifa_flags & SCTP_ADDR_DEFER_USE))
				continue;
			if (!sctp_is_addr_in_ep(inp, cand))
				continue;
			pick = sctp_is_ifa_addr_preferred(cand, dest_is_loop, dest_is_priv, fam);
			if (pick == NULL)
				continue;
			/*
			 * Restricted addresses are off limits, unless
			 * non-association addresses are allowed and this one
			 * is pending.
			 */
			if (sctp_is_addr_restricted(stcb, pick) &&
			    ((non_asoc_addr_ok == 0) ||
			     (!sctp_is_addr_pending(stcb, pick)))) {
				continue;
			}
			atomic_add_int(&pick->refcount, 1);
			return (pick);
		}
		/* acceptable address on the emitting interface */
		LIST_FOREACH(cand, &out_ifn->ifalist, next_ifa) {
			if ((non_asoc_addr_ok == 0) &&
			    (cand->localifa_flags & SCTP_ADDR_DEFER_USE))
				continue;
			if (!sctp_is_addr_in_ep(inp, cand))
				continue;
			pick = sctp_is_ifa_addr_acceptable(cand, dest_is_loop, dest_is_priv,fam);
			if (pick == NULL)
				continue;
			if (sctp_is_addr_restricted(stcb, pick) &&
			    ((non_asoc_addr_ok == 0) ||
			     (!sctp_is_addr_pending(stcb, pick)))) {
				/* restricted and not usable */
				continue;
			}
			atomic_add_int(&pick->refcount, 1);
			return (pick);
		}
	}
	/*
	 * Nothing on the emitting interface: scan every bound address for a
	 * preferred one, starting at the last used address and wrapping to
	 * the head of the list once.
	 */
	resume_from = stcb->asoc.last_used_address;
	for (;;) {
		if (stcb->asoc.last_used_address == NULL) {
			wrapped = 1;
			stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
		}
		for (entry = stcb->asoc.last_used_address; entry;
		     entry = LIST_NEXT(entry, sctp_nxt_addr)) {
			/* skip entries already removed or being deleted */
			if ((entry->ifa == NULL) ||
			    (entry->action == SCTP_DEL_IP_ADDRESS)) {
				continue;
			}
			pick = sctp_is_ifa_addr_preferred(entry->ifa, dest_is_loop, dest_is_priv, fam);
			if (pick == NULL)
				continue;
			if (sctp_is_addr_restricted(stcb, pick) &&
			    ((non_asoc_addr_ok == 0) ||
			     (!sctp_is_addr_pending(stcb, pick)))) {
				/* restricted and not usable */
				continue;
			}
			/* remember where the next search should start */
			stcb->asoc.last_used_address = entry;
			atomic_add_int(&pick->refcount, 1);
			return (pick);
		}
		if (wrapped != 0) {
			break;
		}
		/* ran off the tail without having started at the head */
		stcb->asoc.last_used_address = NULL;
	}
	/* Last resort: the same scan, settling for an acceptable address. */
	stcb->asoc.last_used_address = resume_from;
	wrapped = 0;
	for (;;) {
		if (stcb->asoc.last_used_address == NULL) {
			wrapped = 1;
			stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
		}
		for (entry = stcb->asoc.last_used_address; entry;
		     entry = LIST_NEXT(entry, sctp_nxt_addr)) {
			/* skip entries already removed or being deleted */
			if ((entry->ifa == NULL) ||
			    (entry->action == SCTP_DEL_IP_ADDRESS)) {
				continue;
			}
			pick = sctp_is_ifa_addr_acceptable(entry->ifa, dest_is_loop,
							   dest_is_priv, fam);
			if (pick == NULL)
				continue;
			if (sctp_is_addr_restricted(stcb, pick) &&
			    ((non_asoc_addr_ok == 0) ||
			     (!sctp_is_addr_pending(stcb, pick)))) {
				/* restricted and not usable */
				continue;
			}
			stcb->asoc.last_used_address = entry;
			atomic_add_int(&pick->refcount, 1);
			return (pick);
		}
		if (wrapped != 0) {
			break;
		}
		stcb->asoc.last_used_address = NULL;
	}
	return (NULL);
}
2753 
/*
 * Return the addr_wanted-th (0-based) eligible preferred address on ifn.
 *
 * ifn              - interface whose address list is walked.
 * stcb             - association, or NULL; when set, the association's
 *                    scope and restricted/pending lists are enforced.
 * non_asoc_addr_ok - when 0, deferred-use and restricted addresses are
 *                    rejected; when non-zero, a restricted address is
 *                    tolerated only if it is also pending.
 * dest_is_loop     - non-zero when the destination is loopback.
 * dest_is_priv     - non-zero when the destination is private.
 * addr_wanted      - number of eligible addresses to pass over first.
 * fam              - address family wanted.
 * ro               - route to the destination (read for the IPv6 scope
 *                    comparison and the mobility next-hop checks).
 *
 * Returns the selected address, or NULL when fewer eligible addresses
 * exist. No reference is taken here, unlike the bound-specific choosers in
 * this file; presumably the caller takes one - confirm.
 */
static struct sctp_ifa *
sctp_select_nth_preferred_addr_from_ifn_boundall(struct sctp_ifn *ifn,
						 struct sctp_tcb *stcb,
						 int non_asoc_addr_ok,
						 uint8_t dest_is_loop,
						 uint8_t dest_is_priv,
						 int addr_wanted,
						 sa_family_t fam,
						 sctp_route_t *ro
						 )
{
	struct sctp_ifa *cand, *pick;
	int eligible_seen = 0;
#ifdef INET6
#ifdef SCTP_EMBEDDED_V6_SCOPE
	struct sockaddr_in6 dst6, src6;

	/* Recover the destination's scope id once, for the comparison below. */
	if (fam == AF_INET6) {
		memcpy(&dst6, &ro->ro_dst, sizeof(struct sockaddr_in6));
#ifdef SCTP_KAME
		(void)sa6_recoverscope(&dst6);
#else
		(void)in6_recoverscope(&dst6, &dst6.sin6_addr, NULL);
#endif  /* SCTP_KAME */
	}
#endif  /* SCTP_EMBEDDED_V6_SCOPE */
#endif	/* INET6 */
	LIST_FOREACH(cand, &ifn->ifalist, next_ifa) {
		if ((non_asoc_addr_ok == 0) &&
		    (cand->localifa_flags & SCTP_ADDR_DEFER_USE))
			continue;
		pick = sctp_is_ifa_addr_preferred(cand, dest_is_loop,
						  dest_is_priv, fam);
		if (pick == NULL)
			continue;
#ifdef INET6
		if (fam == AF_INET6 &&
		    dest_is_loop &&
		    pick->src_is_loop && pick->src_is_priv) {
			/*
			 * fe80::1 must not be the source towards ::1: it is
			 * not listed to the peer, so the result would be an
			 * abort.
			 */
			continue;
		}
#ifdef SCTP_EMBEDDED_V6_SCOPE
		if (fam == AF_INET6 &&
		    IN6_IS_ADDR_LINKLOCAL(&pick->address.sin6.sin6_addr) &&
		    IN6_IS_ADDR_LINKLOCAL(&dst6.sin6_addr)) {
			/* link-local <-> link-local must be in the same scope */
			memcpy(&src6, &pick->address.sin6, sizeof(struct sockaddr_in6));
#ifdef SCTP_KAME
			(void)sa6_recoverscope(&src6);
#else
			(void)in6_recoverscope(&src6, &src6.sin6_addr, NULL);
#endif  /* SCTP_KAME */
			if (dst6.sin6_scope_id != src6.sin6_scope_id) {
				continue;
			}
		}
#endif  /* SCTP_EMBEDDED_V6_SCOPE */
#endif	/* INET6 */

#if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Userspace__)
		/*
		 * Mobility: an old IPv6 address may linger on the interface
		 * next to the new one, so only the address matching the
		 * next-hop is used. (by micchie)
		 */
#ifdef INET6
		if (stcb && fam == AF_INET6 &&
		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE) &&
		    (sctp_v6src_match_nexthop(&pick->address.sin6, ro) == 0)) {
			continue;
		}
#endif
#ifdef INET
		/* likewise, avoid a topologically incorrect IPv4 address */
		if (stcb && fam == AF_INET &&
		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE) &&
		    (sctp_v4src_match_nexthop(pick, ro) == 0)) {
			continue;
		}
#endif
#endif
		if (stcb) {
			if (sctp_is_address_in_scope(cand, &stcb->asoc.scope, 0) == 0) {
				continue;
			}
			/*
			 * Restricted for some reason (probably not yet
			 * added); usable only when non-association addresses
			 * are allowed and this one is pending.
			 */
			if (sctp_is_addr_restricted(stcb, pick) &&
			    ((non_asoc_addr_ok == 0) ||
			     (!sctp_is_addr_pending(stcb, pick)))) {
				continue;
			}
		}
		/* eligible: hand it back once enough earlier ones were passed over */
		if (eligible_seen >= addr_wanted) {
			return (pick);
		}
		eligible_seen++;
	}
	return (NULL);
}
2865 
2866 
/*
 * Count the preferred addresses on ifn that could serve as a source.
 *
 * ifn              - interface whose address list is walked.
 * stcb             - association, or NULL; when set, the association's
 *                    scope and restricted/pending lists are enforced.
 * non_asoc_addr_ok - when 0, deferred-use and restricted addresses are
 *                    rejected; when non-zero, a restricted address is
 *                    tolerated only if it is also pending.
 * dest_is_loop     - non-zero when the destination is loopback.
 * dest_is_priv     - non-zero when the destination is private.
 * fam              - address family wanted.
 *
 * Returns the number of eligible addresses.
 *
 * NOTE(review): sctp_select_nth_preferred_addr_from_ifn_boundall() applies
 * extra IPv6 scope and mobility next-hop filters that are not applied
 * here, so this count can exceed what that function is able to return -
 * confirm callers cope with a NULL result.
 */
static int
sctp_count_num_preferred_boundall(struct sctp_ifn *ifn,
				  struct sctp_tcb *stcb,
				  int non_asoc_addr_ok,
				  uint8_t dest_is_loop,
				  uint8_t dest_is_priv,
				  sa_family_t fam)
{
	struct sctp_ifa *cand, *pick;
	int eligible = 0;

	LIST_FOREACH(cand, &ifn->ifalist, next_ifa) {
		if ((non_asoc_addr_ok == 0) &&
		    (cand->localifa_flags & SCTP_ADDR_DEFER_USE)) {
			continue;
		}
		pick = sctp_is_ifa_addr_preferred(cand, dest_is_loop,
						  dest_is_priv, fam);
		if (pick == NULL) {
			continue;
		}
		if (stcb) {
			if (sctp_is_address_in_scope(cand, &stcb->asoc.scope, 0) == 0) {
				continue;
			}
			/*
			 * Restricted for some reason (probably not yet
			 * added); counted only when non-association addresses
			 * are allowed and this one is pending.
			 */
			if (sctp_is_addr_restricted(stcb, pick) &&
			    ((non_asoc_addr_ok == 0) ||
			     (!sctp_is_addr_pending(stcb, pick)))) {
				continue;
			}
		}
		eligible++;
	}
	return (eligible);
}
2908 
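/*
 * Choose a source address for an endpoint that is bound to all local
 * addresses.
 *
 * The search proceeds in stages:
 *  - Plan A: the nth preferred address on the interface the route emits on,
 *            where n rotates through net->indx_of_eligible_next_to_use.
 *  - Plan B: a preferred address on any other interface of the VRF.
 *  - Plan C: an acceptable (not necessarily preferred) address on the emit
 *            interface.
 *  - Plan D: an acceptable address on any interface.
 *  - With INET and an association present, Plans C and D are retried once
 *    with IPv4 private addresses temporarily allowed in the association
 *    scope.
 *
 * stcb and net may be NULL; every use of stcb must therefore be guarded.
 *
 * Returns the chosen address or NULL if none was found (or the VRF is
 * unknown).
 *
 * NOTE(review): reference counting is not uniform across the exit paths as
 * written here. Plans A and B take one reference before returning. Plan C
 * takes one reference and then jumps to "out", where (with INET defined)
 * another one is taken; Plan D takes none itself and relies on "out", which
 * only increments when INET is defined. Confirm against the release side
 * before relying on the count.
 */
static struct sctp_ifa *
sctp_choose_boundall(struct sctp_tcb *stcb,
		     struct sctp_nets *net,
		     sctp_route_t *ro,
		     uint32_t vrf_id,
		     uint8_t dest_is_priv,
		     uint8_t dest_is_loop,
		     int non_asoc_addr_ok,
		     sa_family_t fam)
{
	int cur_addr_num = 0, num_preferred = 0;
	void *ifn;
	struct sctp_ifn *sctp_ifn, *looked_at = NULL, *emit_ifn;
	struct sctp_ifa *sctp_ifa, *sifa;
	uint32_t ifn_index;
	struct sctp_vrf *vrf;
#ifdef INET
	int retried = 0;
#endif

	/*-
	 * For boundall we can use any address in the association.
	 * If non_asoc_addr_ok is set we can use any address (at least in
	 * theory). So we look for preferred addresses first. If we find one,
	 * we use it. Otherwise we next try to get an address on the
	 * interface, which we should be able to do (unless non_asoc_addr_ok
	 * is false and we are routed out that way). In these cases where we
	 * can't use the address of the interface we go through all the
	 * ifn's looking for an address we can use and fill that in. Punting
	 * means we send back address 0, which will probably cause problems
	 * since IP will then fill in the address of the route ifn, which
	 * means we probably already rejected it, i.e. an abort is likely to
	 * follow.
	 */
	vrf = sctp_find_vrf(vrf_id);
	if (vrf == NULL)
		return (NULL);

	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
	SCTPDBG(SCTP_DEBUG_OUTPUT2,"ifn from route:%p ifn_index:%d\n", ifn, ifn_index);
	/* Remember the emit interface so Plan B can skip it and Plan C can use it. */
	emit_ifn = looked_at = sctp_ifn = sctp_find_ifn(ifn, ifn_index);
	if (sctp_ifn == NULL) {
		/* The route's interface is not known to us. */
		SCTPDBG(SCTP_DEBUG_OUTPUT2,"No ifn emit interface?\n");
		goto bound_all_plan_b;
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT2,"ifn_index:%d name:%s is emit interface\n",
		ifn_index, sctp_ifn->ifn_name);

	if (net) {
		cur_addr_num = net->indx_of_eligible_next_to_use;
	}
	num_preferred = sctp_count_num_preferred_boundall(sctp_ifn,
							  stcb,
							  non_asoc_addr_ok,
							  dest_is_loop,
							  dest_is_priv, fam);
	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Found %d preferred source addresses for intf:%s\n",
		num_preferred, sctp_ifn->ifn_name);
	if (num_preferred == 0) {
		/*
		 * no eligible addresses, we must use some other interface
		 * address if we can find one.
		 */
		goto bound_all_plan_b;
	}
	/*
	 * num_preferred now holds how many addresses we can use; this may
	 * vary from call to call due to addresses being deprecated etc.
	 * Wrap the rotation index if it ran past the end.
	 */
	if (cur_addr_num >= num_preferred) {
		cur_addr_num = 0;
	}
	/*
	 * select the nth address from the list (where cur_addr_num is the
	 * nth) and 0 is the first one, 1 is the second one etc...
	 */
	SCTPDBG(SCTP_DEBUG_OUTPUT2, "cur_addr_num:%d\n", cur_addr_num);

	sctp_ifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, stcb, non_asoc_addr_ok, dest_is_loop,
								    dest_is_priv, cur_addr_num, fam, ro);

	/* if sctp_ifa is NULL something changed??, fall to plan b. */
	if (sctp_ifa) {
		atomic_add_int(&sctp_ifa->refcount, 1);
		if (net) {
			/* save off where the next one we will want */
			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
		}
		return (sctp_ifa);
	}
	/*
	 * plan_b: Look at all interfaces and find a preferred address. If
	 * no preferred fall through to plan_c.
	 */
 bound_all_plan_b:
	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan B\n");
	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Examine interface %s\n",
			sctp_ifn->ifn_name);
		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
			/* wrong base scope */
			SCTPDBG(SCTP_DEBUG_OUTPUT2, "skip\n");
			continue;
		}
		if ((sctp_ifn == looked_at) && looked_at) {
			/* already examined as the emit interface in Plan A */
			SCTPDBG(SCTP_DEBUG_OUTPUT2, "already seen\n");
			continue;
		}
		num_preferred = sctp_count_num_preferred_boundall(sctp_ifn, stcb, non_asoc_addr_ok,
								  dest_is_loop, dest_is_priv, fam);
		SCTPDBG(SCTP_DEBUG_OUTPUT2,
			"Found ifn:%p %d preferred source addresses\n",
			ifn, num_preferred);
		if (num_preferred == 0) {
			/* None on this interface. */
			SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefered -- skipping to next\n");
			continue;
		}
		SCTPDBG(SCTP_DEBUG_OUTPUT2,
			"num preferred:%d on interface:%p cur_addr_num:%d\n",
			num_preferred, (void *)sctp_ifn, cur_addr_num);

		/*
		 * num_preferred holds how many addresses we can use on this
		 * interface; this may vary from call to call due to
		 * addresses being deprecated etc.
		 */
		if (cur_addr_num >= num_preferred) {
			cur_addr_num = 0;
		}
		sifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, stcb, non_asoc_addr_ok, dest_is_loop,
									dest_is_priv, cur_addr_num, fam, ro);
		if (sifa == NULL)
			continue;
		if (net) {
			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
			SCTPDBG(SCTP_DEBUG_OUTPUT2, "we selected %d\n",
				cur_addr_num);
			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Source:");
			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Dest:");
			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &net->ro._l_addr.sa);
		}
		atomic_add_int(&sifa->refcount, 1);
		return (sifa);
	}
#ifdef INET
again_with_private_addresses_allowed:
#endif
	/* plan_c: do we have an acceptable address on the emit interface */
	sifa = NULL;
	SCTPDBG(SCTP_DEBUG_OUTPUT2,"Trying Plan C: find acceptable on interface\n");
	if (emit_ifn == NULL) {
		SCTPDBG(SCTP_DEBUG_OUTPUT2,"Jump to Plan D - no emit_ifn\n");
		goto plan_d;
	}
	LIST_FOREACH(sctp_ifa, &emit_ifn->ifalist, next_ifa) {
		SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifa:%p\n", (void *)sctp_ifa);
		if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
		    (non_asoc_addr_ok == 0)) {
			SCTPDBG(SCTP_DEBUG_OUTPUT2,"Defer\n");
			continue;
		}
		sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop,
						   dest_is_priv, fam);
		if (sifa == NULL) {
			SCTPDBG(SCTP_DEBUG_OUTPUT2, "IFA not acceptable\n");
			continue;
		}
		if (stcb) {
			if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
				SCTPDBG(SCTP_DEBUG_OUTPUT2, "NOT in scope\n");
				/* reset so a rejected candidate never reaches "out" */
				sifa = NULL;
				continue;
			}
			if (((non_asoc_addr_ok == 0) &&
			     (sctp_is_addr_restricted(stcb, sifa))) ||
			    (non_asoc_addr_ok &&
			     (sctp_is_addr_restricted(stcb, sifa)) &&
			     (!sctp_is_addr_pending(stcb, sifa)))) {
				/*
				 * It is restricted for some
				 * reason.. probably not yet added.
				 */
				SCTPDBG(SCTP_DEBUG_OUTPUT2, "Its resticted\n");
				sifa = NULL;
				continue;
			}
		} else {
			SCTP_PRINTF("Stcb is null - no print\n");
		}
		/* NOTE(review): "out" increments again when INET is defined. */
		atomic_add_int(&sifa->refcount, 1);
		goto out;
	}
 plan_d:
	/*
	 * plan_d: We are in trouble. No preferred address on the emit
	 * interface. And not even a preferred address on all interfaces.
	 * Go out and see if we can find an acceptable address somewhere
	 * amongst all interfaces.
	 */
	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan D looked_at is %p\n", (void *)looked_at);
	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
			/* wrong base scope */
			continue;
		}
		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
			    (non_asoc_addr_ok == 0))
				continue;
			sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
							   dest_is_loop,
							   dest_is_priv, fam);
			if (sifa == NULL)
				continue;
			if (stcb) {
				if (sctp_is_address_in_scope(sifa, &stcb->asoc.scope, 0) == 0) {
					sifa = NULL;
					continue;
				}
				if (((non_asoc_addr_ok == 0) &&
				     (sctp_is_addr_restricted(stcb, sifa))) ||
				    (non_asoc_addr_ok &&
				     (sctp_is_addr_restricted(stcb, sifa)) &&
				     (!sctp_is_addr_pending(stcb, sifa)))) {
					/*
					 * It is restricted for some
					 * reason.. probably not yet added.
					 */
					sifa = NULL;
					continue;
				}
			}
			goto out;
		}
	}
#ifdef INET
	/*
	 * Nothing acceptable was found. If an association exists and its
	 * scope excludes IPv4 private addresses, allow them temporarily and
	 * retry Plans C and D once; restore the scope after the retry.
	 *
	 * stcb may be NULL here (every other use in this function is
	 * guarded), so the scope must not be touched without checking it.
	 * Without an association there is no scope to widen and no retry.
	 */
	if (stcb != NULL) {
		if ((retried == 0) && (stcb->asoc.scope.ipv4_local_scope == 0)) {
			stcb->asoc.scope.ipv4_local_scope = 1;
			retried = 1;
			goto again_with_private_addresses_allowed;
		} else if (retried == 1) {
			stcb->asoc.scope.ipv4_local_scope = 0;
		}
	}
#endif
out:
#ifdef INET
	if (sifa) {
		if (retried == 1) {
			/*
			 * The address was only found with private addresses
			 * allowed. retried is set only when stcb is non-NULL.
			 * Walk every other candidate address and add the
			 * IPv4 private ones to the association's restricted
			 * list.
			 */
			LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
				if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
					/* wrong base scope */
					continue;
				}
				LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
					struct sctp_ifa *tmp_sifa;

					if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
					    (non_asoc_addr_ok == 0))
						continue;
					tmp_sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
					                                       dest_is_loop,
					                                       dest_is_priv, fam);
					if (tmp_sifa == NULL) {
						continue;
					}
					if (tmp_sifa == sifa) {
						/* the address we are about to return */
						continue;
					}
					if (stcb) {
						if (sctp_is_address_in_scope(tmp_sifa,
						                             &stcb->asoc.scope, 0) == 0) {
							continue;
						}
						if (((non_asoc_addr_ok == 0) &&
						     (sctp_is_addr_restricted(stcb, tmp_sifa))) ||
						    (non_asoc_addr_ok &&
						     (sctp_is_addr_restricted(stcb, tmp_sifa)) &&
						     (!sctp_is_addr_pending(stcb, tmp_sifa)))) {
							/*
							 * It is restricted for some
							 * reason.. probably not yet added.
							 */
							continue;
						}
					}
					if ((tmp_sifa->address.sin.sin_family == AF_INET) &&
					    (IN4_ISPRIVATE_ADDRESS(&(tmp_sifa->address.sin.sin_addr)))) {
						sctp_add_local_addr_restricted(stcb, tmp_sifa);
					}
				}
			}
		}
		atomic_add_int(&sifa->refcount, 1);
	}
#endif
	return (sifa);
}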
3212 
3213 
3214 
/*
 * Select the local source address to use towards the destination held in
 * ro->ro_dst.
 *
 * stcb may be NULL; it is passed on unchanged to sctp_choose_boundall(), so
 * that function has to cope with a NULL association. net may be NULL too.
 * A route is allocated into ro if none is cached yet. Returns NULL when no
 * route can be obtained, otherwise whatever the bound-all or bound-specific
 * chooser returns (which may also be NULL).
 */
struct sctp_ifa *
sctp_source_address_selection(struct sctp_inpcb *inp,
			      struct sctp_tcb *stcb,
			      sctp_route_t *ro,
			      struct sctp_nets *net,
			      int non_asoc_addr_ok, uint32_t vrf_id)
{
	struct sctp_ifa *chosen;
	uint8_t dest_is_priv = 0, dest_is_loop = 0;
	sa_family_t fam;
#ifdef INET
	struct sockaddr_in *dst4 = (struct sockaddr_in *)&ro->ro_dst;
#endif
#ifdef INET6
	struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)&ro->ro_dst;
#endif

	/**
	 * Rules:
	 * - Find the route if needed and cache it when possible.
	 * - Look at the interface address in the route. If it is in the
	 *   bound list we have the best source.
	 * - If not, rotate amongst the addresses.
	 *
	 * Caveats and issues
	 *
	 * Scope matters: both the address we source from and the one we send
	 * to can be private or global. Drawn out:
	 *
	 * For V4
	 * ------------------------------------------
	 *      source     *      dest  *  result
	 * ------------------------------------------
	 * <a>  Private    *    Global  *  NAT
	 * <b>  Private    *    Private *  No problem
	 * <c>  Global     *    Private *  Unclear how this can work
	 * <d>  Global     *    Global  *  No problem
	 * ------------------------------------------
	 *
	 * For V6
	 * ------------------------------------------
	 *      source     *      dest  *  result
	 * ------------------------------------------
	 * <a>  Linklocal  *    Global  *
	 * <b>  Linklocal  * Linklocal  *  No problem
	 * <c>  Global     * Linklocal  *  Unclear how this can work
	 * <d>  Global     *    Global  *  No problem
	 * ------------------------------------------
	 *
	 * On top of that, an interface can carry several addresses (the ifa
	 * entries of an ifn form a linked list). If it has both a private and
	 * a global address, do we use the destination's context to decide
	 * which is best? And with NATs, sending P->G may get a NAT
	 * translation; should the G on the interface be preferred instead?
	 *
	 * Decisions:
	 *
	 * - Count the number of addresses on the interface.
	 * - If it is one, no problem except case <c>.
	 *   For <a> we will assume a NAT out there.
	 * - If there is more than one, scope (P or G) matters. Prefer
	 *   G -> G and P -> P if possible, then fall back to mixed types,
	 *   with G -> P as the last-ditch choice.
	 * - All of the above works for bound-all. For bound-specific the
	 *   same concept applies, but only the bound addresses are
	 *   considered. If the bound set is NOT assigned to the interface,
	 *   rotate amongst the bound addresses.
	 */
	if (ro->ro_rt == NULL) {
		/* No cached route yet: try to get one to cache. */
		SCTP_RTALLOC(ro, vrf_id);
		if (ro->ro_rt == NULL) {
			return (NULL);
		}
	}
	fam = ro->ro_dst.sa_family;
	/* Classify the destination: loopback, private/link-local, or neither. */
	switch (fam) {
#ifdef INET
	case AF_INET:
		if (IN4_ISLOOPBACK_ADDRESS(&dst4->sin_addr)) {
			dest_is_loop = 1;
			if (net != NULL) {
				/* mark it as local */
				net->addr_is_local = 1;
			}
		} else if ((IN4_ISPRIVATE_ADDRESS(&dst4->sin_addr))) {
			dest_is_priv = 1;
		}
		break;
#endif
#ifdef INET6
	case AF_INET6:
#if defined(__Userspace_os_Windows)
		if (IN6_IS_ADDR_LOOPBACK(&dst6->sin6_addr)) {
#else
		if (IN6_IS_ADDR_LOOPBACK(&dst6->sin6_addr) ||
		    SCTP_ROUTE_IS_REAL_LOOP(ro)) {
#endif
			/*
			 * A loopback address ("::1" or "fe80::1%lo0") puts
			 * us in loopback scope. dest_is_priv (link-local
			 * addresses) is not used in that case.
			 */
			dest_is_loop = 1;
			if (net != NULL) {
				/* mark it as local */
				net->addr_is_local = 1;
			}
		} else if (IN6_IS_ADDR_LINKLOCAL(&dst6->sin6_addr)) {
			dest_is_priv = 1;
		}
		break;
#endif
	default:
		break;
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Select source addr for:");
	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&ro->ro_dst);

	/* The address read lock is held across whichever chooser runs. */
	SCTP_IPI_ADDR_RLOCK();
	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
		/* Bound all case */
		chosen = sctp_choose_boundall(stcb, net, ro, vrf_id,
					      dest_is_priv, dest_is_loop,
					      non_asoc_addr_ok, fam);
	} else if (stcb) {
		/* Subset bound case, with an association */
		chosen = sctp_choose_boundspecific_stcb(inp, stcb, ro,
							vrf_id,	dest_is_priv,
							dest_is_loop,
							non_asoc_addr_ok, fam);
	} else {
		/* Subset bound case, endpoint only */
		chosen = sctp_choose_boundspecific_inp(inp, ro, vrf_id,
						       non_asoc_addr_ok,
						       dest_is_priv,
						       dest_is_loop, fam);
	}
	SCTP_IPI_ADDR_RUNLOCK();
	return (chosen);
}
3378 
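/*
 * Search the ancillary data in control for an IPPROTO_SCTP control message
 * of type c_type and copy its payload into data.
 *
 * - For an exact type match, cpsize bytes are copied to data and 1 is
 *   returned; a payload shorter than cpsize ends the search.
 * - For c_type == SCTP_SNDRCV, SCTP_SNDINFO, SCTP_PRINFO and SCTP_AUTHINFO
 *   messages are additionally folded into the struct sctp_sndrcvinfo that
 *   data points to (cpsize must be at least that large); the search
 *   continues so that several of them can be merged.
 *
 * Every header and payload length is checked against the remaining length
 * of control before it is used; a malformed message ends the search.
 * Returns 1 if something was found and copied, 0 otherwise.
 */
static int
sctp_find_cmsg(int c_type, void *data, struct mbuf *control, size_t cpsize)
{
#if defined(__Userspace_os_Windows)
	WSACMSGHDR cmh;
#else
	struct cmsghdr cmh;
#endif
	int tlen, at, found;
	struct sctp_sndinfo sndinfo;
	struct sctp_prinfo prinfo;
	struct sctp_authinfo authinfo;

	tlen = SCTP_BUF_LEN(control);
	at = 0;
	found = 0;
	/*
	 * Independent of how many mbufs, find the c_type inside the control
	 * structure and copy out the data.
	 */
	while (at < tlen) {
		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
			/* There is not enough room for one more. */
			return (found);
		}
		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
			/* We don't have a complete CMSG header. */
			return (found);
		}
		/*
		 * cmsg_len is read from the control data and must not be
		 * trusted. Compare it unsigned against the bytes left
		 * (tlen - at is positive here): casting it to int first
		 * would truncate a length that does not fit, let it slip
		 * past this bound and reach the copies below.
		 */
		if ((size_t)cmh.cmsg_len > (size_t)(tlen - at)) {
			/* We don't have the complete CMSG. */
			return (found);
		}
		if ((cmh.cmsg_level == IPPROTO_SCTP) &&
		    ((c_type == cmh.cmsg_type) ||
		     ((c_type == SCTP_SNDRCV) &&
		      ((cmh.cmsg_type == SCTP_SNDINFO) ||
		       (cmh.cmsg_type == SCTP_PRINFO) ||
		       (cmh.cmsg_type == SCTP_AUTHINFO))))) {
			if (c_type == cmh.cmsg_type) {
				/* The payload must hold at least cpsize bytes. */
				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < cpsize) {
					return (found);
				}
				/* It is exactly what we want. Copy it out. */
				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), cpsize, (caddr_t)data);
				return (1);
			} else {
				struct sctp_sndrcvinfo *sndrcvinfo;

				sndrcvinfo = (struct sctp_sndrcvinfo *)data;
				if (found == 0) {
					/*
					 * First piece: make sure the output
					 * is big enough, then start from a
					 * zeroed structure.
					 */
					if (cpsize < sizeof(struct sctp_sndrcvinfo)) {
						return (found);
					}
					memset(sndrcvinfo, 0, sizeof(struct sctp_sndrcvinfo));
				}
				switch (cmh.cmsg_type) {
				case SCTP_SNDINFO:
					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_sndinfo)) {
						return (found);
					}
					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_sndinfo), (caddr_t)&sndinfo);
					sndrcvinfo->sinfo_stream = sndinfo.snd_sid;
					sndrcvinfo->sinfo_flags = sndinfo.snd_flags;
					sndrcvinfo->sinfo_ppid = sndinfo.snd_ppid;
					sndrcvinfo->sinfo_context = sndinfo.snd_context;
					sndrcvinfo->sinfo_assoc_id = sndinfo.snd_assoc_id;
					break;
				case SCTP_PRINFO:
					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_prinfo)) {
						return (found);
					}
					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_prinfo), (caddr_t)&prinfo);
					if (prinfo.pr_policy != SCTP_PR_SCTP_NONE) {
						sndrcvinfo->sinfo_timetolive = prinfo.pr_value;
					} else {
						sndrcvinfo->sinfo_timetolive = 0;
					}
					/* the policy is OR-ed into the flags */
					sndrcvinfo->sinfo_flags |= prinfo.pr_policy;
					break;
				case SCTP_AUTHINFO:
					if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_authinfo)) {
						return (found);
					}
					m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_authinfo), (caddr_t)&authinfo);
					sndrcvinfo->sinfo_keynumber_valid = 1;
					sndrcvinfo->sinfo_keynumber = authinfo.auth_keynumber;
					break;
				default:
					return (found);
				}
				found = 1;
			}
		}
		/* Advance to the next (aligned) control message. */
		at += CMSG_ALIGN(cmh.cmsg_len);
	}
	return (found);
}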
3478 
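/*
 * Apply the IPPROTO_SCTP control messages found in control to an
 * association that is being set up.
 *
 * Handled types:
 *  - SCTP_INIT: non-zero fields of struct sctp_initmsg override the
 *    association's init parameters; the outgoing stream array is
 *    reallocated when more streams are requested than currently exist.
 *  - SCTP_DSTADDRV4 / SCTP_DSTADDRV6: the address is validated (no
 *    unspecified, broadcast or multicast address) and added as a confirmed
 *    remote address using stcb->rport.
 * Other types are ignored.
 *
 * Every header and payload length is checked against the remaining length
 * of control before it is used.
 *
 * Returns 0 on success. On failure returns 1 and sets *error (EINVAL for
 * malformed or invalid data, ENOBUFS when an address cannot be added).
 */
static int
sctp_process_cmsgs_for_init(struct sctp_tcb *stcb, struct mbuf *control, int *error)
{
#if defined(__Userspace_os_Windows)
	WSACMSGHDR cmh;
#else
	struct cmsghdr cmh;
#endif
	int tlen, at;
	struct sctp_initmsg initmsg;
#ifdef INET
	struct sockaddr_in sin;
#endif
#ifdef INET6
	struct sockaddr_in6 sin6;
#endif

	tlen = SCTP_BUF_LEN(control);
	at = 0;
	while (at < tlen) {
		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
			/* There is not enough room for one more. */
			*error = EINVAL;
			return (1);
		}
		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
			/* We don't have a complete CMSG header. */
			*error = EINVAL;
			return (1);
		}
		/*
		 * cmsg_len is read from the control data and must not be
		 * trusted. Compare it unsigned against the bytes left
		 * (tlen - at is positive here): casting it to int first
		 * would truncate a length that does not fit, let it slip
		 * past this bound and reach the copies below.
		 */
		if ((size_t)cmh.cmsg_len > (size_t)(tlen - at)) {
			/* We don't have the complete CMSG. */
			*error = EINVAL;
			return (1);
		}
		if (cmh.cmsg_level == IPPROTO_SCTP) {
			switch (cmh.cmsg_type) {
			case SCTP_INIT:
				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct sctp_initmsg)) {
					*error = EINVAL;
					return (1);
				}
				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct sctp_initmsg), (caddr_t)&initmsg);
				/* A zero field means "keep the current value". */
				if (initmsg.sinit_max_attempts)
					stcb->asoc.max_init_times = initmsg.sinit_max_attempts;
				if (initmsg.sinit_num_ostreams)
					stcb->asoc.pre_open_streams = initmsg.sinit_num_ostreams;
				if (initmsg.sinit_max_instreams)
					stcb->asoc.max_inbound_streams = initmsg.sinit_max_instreams;
				if (initmsg.sinit_max_init_timeo)
					stcb->asoc.initial_init_rto_max = initmsg.sinit_max_init_timeo;
				if (stcb->asoc.streamoutcnt < stcb->asoc.pre_open_streams) {
					struct sctp_stream_out *tmp_str;
					unsigned int i;

					/* Default is NOT correct */
					SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, default:%d pre_open:%d\n",
						stcb->asoc.streamoutcnt, stcb->asoc.pre_open_streams);
					/*
					 * NOTE(review): the TCB lock is dropped
					 * around the allocation, so association
					 * state read before the unlock may be
					 * stale afterwards. Confirm that nothing
					 * else can use this stcb at this point.
					 */
					SCTP_TCB_UNLOCK(stcb);
					SCTP_MALLOC(tmp_str,
					            struct sctp_stream_out *,
					            (stcb->asoc.pre_open_streams * sizeof(struct sctp_stream_out)),
					            SCTP_M_STRMO);
					SCTP_TCB_LOCK(stcb);
					if (tmp_str != NULL) {
						SCTP_FREE(stcb->asoc.strmout, SCTP_M_STRMO);
						stcb->asoc.strmout = tmp_str;
						stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt = stcb->asoc.pre_open_streams;
					} else {
						/* Allocation failed: keep the old array and count. */
						stcb->asoc.pre_open_streams = stcb->asoc.streamoutcnt;
					}
					/* (Re)initialize every outgoing stream. */
					for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
						TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
						stcb->asoc.strmout[i].chunks_on_queues = 0;
						stcb->asoc.strmout[i].next_sequence_send = 0;
						stcb->asoc.strmout[i].stream_no = i;
						stcb->asoc.strmout[i].last_msg_incomplete = 0;
						stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], NULL);
					}
				}
				break;
#ifdef INET
			case SCTP_DSTADDRV4:
				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in_addr)) {
					*error = EINVAL;
					return (1);
				}
				memset(&sin, 0, sizeof(struct sockaddr_in));
				sin.sin_family = AF_INET;
#ifdef HAVE_SIN_LEN
				sin.sin_len = sizeof(struct sockaddr_in);
#endif
				sin.sin_port = stcb->rport;
				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
				/* Reject addresses that cannot be a unicast peer. */
				if ((sin.sin_addr.s_addr == INADDR_ANY) ||
				    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
				    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
					*error = EINVAL;
					return (1);
				}
				if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL,
				                         SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
					*error = ENOBUFS;
					return (1);
				}
				break;
#endif
#ifdef INET6
			case SCTP_DSTADDRV6:
				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in6_addr)) {
					*error = EINVAL;
					return (1);
				}
				memset(&sin6, 0, sizeof(struct sockaddr_in6));
				sin6.sin6_family = AF_INET6;
#ifdef HAVE_SIN6_LEN
				sin6.sin6_len = sizeof(struct sockaddr_in6);
#endif
				sin6.sin6_port = stcb->rport;
				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
				if (IN6_IS_ADDR_UNSPECIFIED(&sin6.sin6_addr) ||
				    IN6_IS_ADDR_MULTICAST(&sin6.sin6_addr)) {
					*error = EINVAL;
					return (1);
				}
#ifdef INET
				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
					/*
					 * A v4-mapped address is converted and
					 * held to the same rules as a native
					 * IPv4 destination.
					 */
					in6_sin6_2_sin(&sin, &sin6);
					if ((sin.sin_addr.s_addr == INADDR_ANY) ||
					    (sin.sin_addr.s_addr == INADDR_BROADCAST) ||
					    IN_MULTICAST(ntohl(sin.sin_addr.s_addr))) {
						*error = EINVAL;
						return (1);
					}
					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin, NULL,
					                         SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
						*error = ENOBUFS;
						return (1);
					}
				} else
#endif
					if (sctp_add_remote_addr(stcb, (struct sockaddr *)&sin6, NULL,
					                         SCTP_DONOT_SETSCOPE, SCTP_ADDR_IS_CONFIRMED)) {
						*error = ENOBUFS;
						return (1);
					}
				break;
#endif
			default:
				break;
			}
		}
		/* Advance to the next (aligned) control message. */
		at += CMSG_ALIGN(cmh.cmsg_len);
	}
	return (0);
}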
3636 
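/*
 * Look for an existing association that matches one of the destination
 * addresses given as SCTP_DSTADDRV4 / SCTP_DSTADDRV6 control messages.
 *
 * Each such address is combined with port and looked up through
 * sctp_findassociation_ep_addr(); the first match is returned, with *inp_p
 * and *net_p filled in by that lookup. Other control message types are
 * skipped.
 *
 * Every header and payload length is checked against the remaining length
 * of control before it is used.
 *
 * Returns the matching association, or NULL if none matched. When the
 * control data is malformed, NULL is returned and *error is set to EINVAL.
 */
static struct sctp_tcb *
sctp_findassociation_cmsgs(struct sctp_inpcb **inp_p,
                           uint16_t port,
                           struct mbuf *control,
                           struct sctp_nets **net_p,
                           int *error)
{
#if defined(__Userspace_os_Windows)
	WSACMSGHDR cmh;
#else
	struct cmsghdr cmh;
#endif
	int tlen, at;
	struct sctp_tcb *stcb;
	struct sockaddr *addr;
#ifdef INET
	struct sockaddr_in sin;
#endif
#ifdef INET6
	struct sockaddr_in6 sin6;
#endif

	tlen = SCTP_BUF_LEN(control);
	at = 0;
	while (at < tlen) {
		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
			/* There is not enough room for one more. */
			*error = EINVAL;
			return (NULL);
		}
		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
		if (cmh.cmsg_len < CMSG_ALIGN(sizeof(cmh))) {
			/* We don't have a complete CMSG header. */
			*error = EINVAL;
			return (NULL);
		}
		/*
		 * cmsg_len is read from the control data and must not be
		 * trusted. Compare it unsigned against the bytes left
		 * (tlen - at is positive here): casting it to int first
		 * would truncate a length that does not fit, let it slip
		 * past this bound and reach the copies below.
		 */
		if ((size_t)cmh.cmsg_len > (size_t)(tlen - at)) {
			/* We don't have the complete CMSG. */
			*error = EINVAL;
			return (NULL);
		}
		if (cmh.cmsg_level == IPPROTO_SCTP) {
			switch (cmh.cmsg_type) {
#ifdef INET
			case SCTP_DSTADDRV4:
				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in_addr)) {
					*error = EINVAL;
					return (NULL);
				}
				memset(&sin, 0, sizeof(struct sockaddr_in));
				sin.sin_family = AF_INET;
#ifdef HAVE_SIN_LEN
				sin.sin_len = sizeof(struct sockaddr_in);
#endif
				sin.sin_port = port;
				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in_addr), (caddr_t)&sin.sin_addr);
				addr = (struct sockaddr *)&sin;
				break;
#endif
#ifdef INET6
			case SCTP_DSTADDRV6:
				if ((size_t)(cmh.cmsg_len - CMSG_ALIGN(sizeof(cmh))) < sizeof(struct in6_addr)) {
					*error = EINVAL;
					return (NULL);
				}
				memset(&sin6, 0, sizeof(struct sockaddr_in6));
				sin6.sin6_family = AF_INET6;
#ifdef HAVE_SIN6_LEN
				sin6.sin6_len = sizeof(struct sockaddr_in6);
#endif
				sin6.sin6_port = port;
				m_copydata(control, at + CMSG_ALIGN(sizeof(cmh)), sizeof(struct in6_addr), (caddr_t)&sin6.sin6_addr);
#ifdef INET
				if (IN6_IS_ADDR_V4MAPPED(&sin6.sin6_addr)) {
					/* look up v4-mapped addresses as IPv4 */
					in6_sin6_2_sin(&sin, &sin6);
					addr = (struct sockaddr *)&sin;
				} else
#endif
					addr = (struct sockaddr *)&sin6;
				break;
#endif
			default:
				/* not a destination address: nothing to look up */
				addr = NULL;
				break;
			}
			if (addr) {
				stcb = sctp_findassociation_ep_addr(inp_p, addr, net_p, NULL, NULL);
				if (stcb != NULL) {
					return (stcb);
				}
			}
		}
		/* Advance to the next (aligned) control message. */
		at += CMSG_ALIGN(cmh.cmsg_len);
	}
	return (NULL);
}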
3733 
/*
 * Build the STATE-COOKIE parameter as an mbuf chain:
 *
 *   [param header + state cookie] -> [copy of INIT] -> [copy of INIT-ACK]
 *   -> [zeroed signature area]
 *
 * init/initack are copied starting at init_offset/initack_offset. *stc_in
 * is copied into the cookie. On success *signature points at the zeroed
 * signature bytes inside the last mbuf, so the caller can fill them in, and
 * the head of the chain is returned with param_length set to the total
 * size. Returns NULL if any allocation fails; everything allocated so far
 * is freed in that case.
 */
static struct mbuf *
sctp_add_cookie(struct mbuf *init, int init_offset,
    struct mbuf *initack, int initack_offset, struct sctp_state_cookie *stc_in, uint8_t **signature)
{
	struct mbuf *copy_init, *copy_initack, *tail, *sig, *mret;
	struct sctp_state_cookie *stc;
	struct sctp_paramhdr *ph;
	uint8_t *sig_bytes;
	uint16_t cookie_sz;

	mret = sctp_get_mbuf_for_msg((sizeof(struct sctp_state_cookie) +
				      sizeof(struct sctp_paramhdr)), 0,
				     M_NOWAIT, 1, MT_DATA);
	if (mret == NULL) {
		return (NULL);
	}
	copy_init = SCTP_M_COPYM(init, init_offset, M_COPYALL, M_NOWAIT);
	if (copy_init == NULL) {
		sctp_m_freem(mret);
		return (NULL);
	}
#ifdef SCTP_MBUF_LOGGING
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
		struct mbuf *m;

		for (m = copy_init; m; m = SCTP_BUF_NEXT(m)) {
			if (SCTP_BUF_IS_EXTENDED(m)) {
				sctp_log_mb(m, SCTP_MBUF_ICOPY);
			}
		}
	}
#endif
	copy_initack = SCTP_M_COPYM(initack, initack_offset, M_COPYALL,
	    M_NOWAIT);
	if (copy_initack == NULL) {
		sctp_m_freem(mret);
		sctp_m_freem(copy_init);
		return (NULL);
	}
#ifdef SCTP_MBUF_LOGGING
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
		struct mbuf *m;

		for (m = copy_initack; m; m = SCTP_BUF_NEXT(m)) {
			if (SCTP_BUF_IS_EXTENDED(m)) {
				sctp_log_mb(m, SCTP_MBUF_ICOPY);
			}
		}
	}
#endif
	/* The head mbuf holds the parameter header followed by the cookie. */
	ph = mtod(mret, struct sctp_paramhdr *);
	SCTP_BUF_LEN(mret) = sizeof(struct sctp_state_cookie) +
	    sizeof(struct sctp_paramhdr);
	stc = (struct sctp_state_cookie *)((caddr_t)ph +
	    sizeof(struct sctp_paramhdr));
	ph->param_type = htons(SCTP_STATE_COOKIE);
	ph->param_length = 0;	/* set once the total size is known */
	memcpy(stc, stc_in, sizeof(struct sctp_state_cookie));

	/*
	 * Walk each piece to its last mbuf, summing the lengths, and hang
	 * the next piece off that tail: head, then INIT, then INIT-ACK.
	 *
	 * NOTE(review): cookie_sz is 16 bits wide, matching param_length;
	 * presumably the pieces are bounded so the sum cannot wrap. Verify
	 * against the callers.
	 */
	cookie_sz = 0;
	tail = mret;
	for (;;) {
		cookie_sz += SCTP_BUF_LEN(tail);
		if (SCTP_BUF_NEXT(tail) == NULL) {
			break;
		}
		tail = SCTP_BUF_NEXT(tail);
	}
	SCTP_BUF_NEXT(tail) = copy_init;

	tail = copy_init;
	for (;;) {
		cookie_sz += SCTP_BUF_LEN(tail);
		if (SCTP_BUF_NEXT(tail) == NULL) {
			break;
		}
		tail = SCTP_BUF_NEXT(tail);
	}
	SCTP_BUF_NEXT(tail) = copy_initack;

	tail = copy_initack;
	for (;;) {
		cookie_sz += SCTP_BUF_LEN(tail);
		if (SCTP_BUF_NEXT(tail) == NULL) {
			break;
		}
		tail = SCTP_BUF_NEXT(tail);
	}

	/*
	 * NOTE(review): the mbuf is requested for SCTP_SECRET_SIZE bytes
	 * while SCTP_SIGNATURE_SIZE bytes are zeroed below; this assumes
	 * the signature fits in the space obtained. Confirm the two
	 * constants.
	 */
	sig = sctp_get_mbuf_for_msg(SCTP_SECRET_SIZE, 0, M_NOWAIT, 1, MT_DATA);
	if (sig == NULL) {
		/* no space: the pieces are linked, so this frees them all */
		sctp_m_freem(mret);
		return (NULL);
	}
	SCTP_BUF_NEXT(tail) = sig;
	/* The signature sits at the very start of its mbuf, zeroed for now. */
	sig_bytes = (uint8_t *)mtod(sig, caddr_t);
	memset(sig_bytes, 0, SCTP_SIGNATURE_SIZE);
	*signature = sig_bytes;
	SCTP_BUF_LEN(sig) = SCTP_SIGNATURE_SIZE;
	cookie_sz += SCTP_SIGNATURE_SIZE;
	ph->param_length = htons(cookie_sz);
	return (mret);
}
3835 
3836 
/*
 * Return the ECN bits for an outgoing packet: SCTP_ECT0_BIT when an
 * association is supplied and its asoc.ecn_allowed field equals 1,
 * otherwise 0.  A NULL stcb yields 0.
 */
static uint8_t
sctp_get_ect(struct sctp_tcb *stcb)
{
	uint8_t ect_bits = 0;

	if (stcb == NULL) {
		return (ect_bits);
	}
	if (stcb->asoc.ecn_allowed == 1) {
		ect_bits = SCTP_ECT0_BIT;
	}
	return (ect_bits);
}
3846 
3847 #if defined(INET) || defined(INET6)
/*
 * Bookkeeping for a send attempt that was dropped for lack of a usable
 * source address.
 *
 * Always emits a debug line.  When a destination (net) is supplied:
 *  - if it is confirmed and marked reachable and an association exists, the
 *    ULP is notified with SCTP_NOTIFY_INTERFACE_DOWN and the
 *    SCTP_ADDR_REACHABLE and SCTP_ADDR_PF bits are cleared;
 *  - if it is the association's primary destination,
 *    sctp_find_alternate_net() is asked for a replacement; when a different
 *    net comes back it is installed as asoc.alternate with an extra
 *    reference, and the failed destination's cached source address is
 *    released.
 *
 * Both stcb and net may be NULL; with net == NULL nothing beyond the first
 * debug line happens.
 */
static void
sctp_handle_no_route(struct sctp_tcb *stcb,
                     struct sctp_nets *net,
                     int so_locked)
{
	struct sctp_nets *replacement;

	SCTPDBG(SCTP_DEBUG_OUTPUT1, "dropped packet - no valid source addr\n");

	if (net == NULL) {
		return;
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Destination was ");
	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT1, &net->ro._l_addr.sa);

	if ((stcb != NULL) &&
	    (net->dest_state & SCTP_ADDR_CONFIRMED) &&
	    (net->dest_state & SCTP_ADDR_REACHABLE)) {
		SCTPDBG(SCTP_DEBUG_OUTPUT1, "no route takes interface %p down\n", (void *)net);
		sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_DOWN,
		                stcb, 0,
		                (void *)net,
		                so_locked);
		net->dest_state &= ~(SCTP_ADDR_REACHABLE | SCTP_ADDR_PF);
	}

	/* Only a failed primary triggers the search for an alternate. */
	if ((stcb == NULL) || (net != stcb->asoc.primary_destination)) {
		return;
	}
	replacement = sctp_find_alternate_net(stcb, net, 0);
	if (replacement == net) {
		/* Nothing better available; keep the current state. */
		return;
	}
	/*
	 * NOTE(review): the result is dereferenced below without a NULL
	 * check; confirm sctp_find_alternate_net() cannot return NULL when
	 * net is the current primary.
	 */
	if (stcb->asoc.alternate != NULL) {
		/* Drop the reference held on the previous alternate. */
		sctp_free_remote_addr(stcb->asoc.alternate);
	}
	stcb->asoc.alternate = replacement;
	atomic_add_int(&stcb->asoc.alternate->ref_count, 1);

	/* Forget the cached source address so it is selected again later. */
	if (net->ro._s_addr != NULL) {
		sctp_free_ifa(net->ro._s_addr);
		net->ro._s_addr = NULL;
	}
	net->src_addr_selected = 0;
}
3891 #endif
3892 
3893 static int
3894 sctp_lowlevel_chunk_output(struct sctp_inpcb *inp,
3895     struct sctp_tcb *stcb,	/* may be NULL */
3896     struct sctp_nets *net,
3897     struct sockaddr *to,
3898     struct mbuf *m,
3899     uint32_t auth_offset,
3900     struct sctp_auth_chunk *auth,
3901     uint16_t auth_keyid,
3902     int nofragment_flag,
3903     int ecn_ok,
3904     int out_of_asoc_ok,
3905     uint16_t src_port,
3906     uint16_t dest_port,
3907     uint32_t v_tag,
3908     uint16_t port,
3909     union sctp_sockstore *over_addr,
3910 #if defined(__FreeBSD__)
3911     uint8_t use_mflowid, uint32_t mflowid,
3912 #endif
3913 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3914     int so_locked SCTP_UNUSED
3915 #else
3916     int so_locked
3917 #endif
3918     )
3919 /* nofragment_flag to tell if IP_DF should be set (IPv4 only) */
3920 {
3921 	/**
3922 	 * Given a mbuf chain (via SCTP_BUF_NEXT()) that holds a packet header
3923 	 * WITH an SCTPHDR but no IP header, endpoint inp and sa structure:
3924 	 * - fill in the HMAC digest of any AUTH chunk in the packet.
3925 	 * - calculate and fill in the SCTP checksum.
3926 	 * - prepend an IP address header.
3927 	 * - if boundall use INADDR_ANY.
3928 	 * - if boundspecific do source address selection.
3929 	 * - set fragmentation option for ipV4.
3930 	 * - On return from IP output, check/adjust mtu size of output
3931 	 *   interface and smallest_mtu size as well.
3932 	 */
3933 	/* Will need ifdefs around this */
3934 #ifdef __Panda__
3935 	pakhandle_type o_pak;
3936 #endif
3937 	struct mbuf *newm;
3938 	struct sctphdr *sctphdr;
3939 	int packet_length;
3940 	int ret;
3941 #if defined(INET) || defined(INET6)
3942 	uint32_t vrf_id;
3943 #endif
3944 #if defined(INET) || defined(INET6)
3945 #if !defined(__Panda__)
3946 	struct mbuf *o_pak;
3947 #endif
3948 	sctp_route_t *ro = NULL;
3949 	struct udphdr *udp = NULL;
3950 #endif
3951 	uint8_t tos_value;
3952 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3953 	struct socket *so = NULL;
3954 #endif
3955 
3956 #if defined(__APPLE__)
3957 	if (so_locked) {
3958 		sctp_lock_assert(SCTP_INP_SO(inp));
3959 		SCTP_TCB_LOCK_ASSERT(stcb);
3960 	} else {
3961 		sctp_unlock_assert(SCTP_INP_SO(inp));
3962 	}
3963 #endif
3964 	if ((net) && (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)) {
3965 		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
3966 		sctp_m_freem(m);
3967 		return (EFAULT);
3968 	}
3969 #if defined(INET) || defined(INET6)
3970 	if (stcb) {
3971 		vrf_id = stcb->asoc.vrf_id;
3972 	} else {
3973 		vrf_id = inp->def_vrf_id;
3974 	}
3975 #endif
3976 	/* fill in the HMAC digest for any AUTH chunk in the packet */
3977 	if ((auth != NULL) && (stcb != NULL)) {
3978 		sctp_fill_hmac_digest_m(m, auth_offset, auth, stcb, auth_keyid);
3979 	}
3980 
3981 	if (net) {
3982 		tos_value = net->dscp;
3983 	} else if (stcb) {
3984 		tos_value = stcb->asoc.default_dscp;
3985 	} else {
3986 		tos_value = inp->sctp_ep.default_dscp;
3987 	}
3988 
3989 	switch (to->sa_family) {
3990 #ifdef INET
3991 	case AF_INET:
3992 	{
3993 		struct ip *ip = NULL;
3994 		sctp_route_t iproute;
3995 		int len;
3996 
3997 		len = sizeof(struct ip) + sizeof(struct sctphdr);
3998 		if (port) {
3999 			len += sizeof(struct udphdr);
4000 		}
4001 		newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4002 		if (newm == NULL) {
4003 			sctp_m_freem(m);
4004 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4005 			return (ENOMEM);
4006 		}
4007 		SCTP_ALIGN_TO_END(newm, len);
4008 		SCTP_BUF_LEN(newm) = len;
4009 		SCTP_BUF_NEXT(newm) = m;
4010 		m = newm;
4011 #if defined(__FreeBSD__)
4012 		if (net != NULL) {
4013 #ifdef INVARIANTS
4014 			if (net->flowidset == 0) {
4015 				panic("Flow ID not set");
4016 			}
4017 #endif
4018 			m->m_pkthdr.flowid = net->flowid;
4019 			m->m_flags |= M_FLOWID;
4020 		} else {
4021 			if (use_mflowid != 0) {
4022 				m->m_pkthdr.flowid = mflowid;
4023 				m->m_flags |= M_FLOWID;
4024 			}
4025 		}
4026 #endif
4027 		packet_length = sctp_calculate_len(m);
4028 		ip = mtod(m, struct ip *);
4029 		ip->ip_v = IPVERSION;
4030 		ip->ip_hl = (sizeof(struct ip) >> 2);
4031 		if (tos_value == 0) {
4032 			/*
4033 			 * This means especially, that it is not set at the
4034 			 * SCTP layer. So use the value from the IP layer.
4035 			 */
4036 #if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Panda__) || defined(__Windows__) || defined(__Userspace__)
4037 			tos_value = inp->ip_inp.inp.inp_ip_tos;
4038 #else
4039 			tos_value = inp->inp_ip_tos;
4040 #endif
4041 		}
4042 		tos_value &= 0xfc;
4043 		if (ecn_ok) {
4044 			tos_value |= sctp_get_ect(stcb);
4045 		}
4046                 if ((nofragment_flag) && (port == 0)) {
4047 #if defined(__FreeBSD__)
4048 #if __FreeBSD_version >= 1000000
4049 			ip->ip_off = htons(IP_DF);
4050 #else
4051 			ip->ip_off = IP_DF;
4052 #endif
4053 #elif defined(WITH_CONVERT_IP_OFF) || defined(__APPLE__) || defined(__Userspace__)
4054 			ip->ip_off = IP_DF;
4055 #else
4056 			ip->ip_off = htons(IP_DF);
4057 #endif
4058 		} else {
4059 #if defined(__FreeBSD__) && __FreeBSD_version >= 1000000
4060 			ip->ip_off = htons(0);
4061 #else
4062 			ip->ip_off = 0;
4063 #endif
4064 		}
4065 #if defined(__FreeBSD__)
4066 		/* FreeBSD has a function for ip_id's */
4067 		ip->ip_id = ip_newid();
4068 #elif defined(RANDOM_IP_ID)
4069 		/* Apple has RANDOM_IP_ID switch */
4070 		ip->ip_id = htons(ip_randomid());
4071 #elif defined(__Userspace__)
4072                 ip->ip_id = htons(SCTP_IP_ID(inp)++);
4073 #else
4074 		ip->ip_id = SCTP_IP_ID(inp)++;
4075 #endif
4076 
4077 #if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Panda__) || defined(__Windows__) || defined(__Userspace__)
4078 		ip->ip_ttl = inp->ip_inp.inp.inp_ip_ttl;
4079 #else
4080 		ip->ip_ttl = inp->inp_ip_ttl;
4081 #endif
4082 #if defined(__FreeBSD__) && __FreeBSD_version >= 1000000
4083 		ip->ip_len = htons(packet_length);
4084 #else
4085 		ip->ip_len = packet_length;
4086 #endif
4087 		ip->ip_tos = tos_value;
4088 		if (port) {
4089 			ip->ip_p = IPPROTO_UDP;
4090 		} else {
4091 			ip->ip_p = IPPROTO_SCTP;
4092 		}
4093 		ip->ip_sum = 0;
4094 		if (net == NULL) {
4095 			ro = &iproute;
4096 			memset(&iproute, 0, sizeof(iproute));
4097 #ifdef HAVE_SA_LEN
4098 			memcpy(&ro->ro_dst, to, to->sa_len);
4099 #else
4100 			memcpy(&ro->ro_dst, to, sizeof(struct sockaddr_in));
4101 #endif
4102 		} else {
4103 			ro = (sctp_route_t *)&net->ro;
4104 		}
4105 		/* Now the address selection part */
4106 		ip->ip_dst.s_addr = ((struct sockaddr_in *)to)->sin_addr.s_addr;
4107 
4108 		/* call the routine to select the src address */
4109 		if (net && out_of_asoc_ok == 0) {
4110 			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED|SCTP_ADDR_IFA_UNUSEABLE))) {
4111 				sctp_free_ifa(net->ro._s_addr);
4112 				net->ro._s_addr = NULL;
4113 				net->src_addr_selected = 0;
4114 				if (ro->ro_rt) {
4115 					RTFREE(ro->ro_rt);
4116 					ro->ro_rt = NULL;
4117 				}
4118 			}
4119 			if (net->src_addr_selected == 0) {
4120 				/* Cache the source address */
4121 				net->ro._s_addr = sctp_source_address_selection(inp,stcb,
4122 										ro, net, 0,
4123 										vrf_id);
4124 				net->src_addr_selected = 1;
4125 			}
4126 			if (net->ro._s_addr == NULL) {
4127 				/* No route to host */
4128 				net->src_addr_selected = 0;
4129 				sctp_handle_no_route(stcb, net, so_locked);
4130 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4131 				sctp_m_freem(m);
4132 				return (EHOSTUNREACH);
4133 			}
4134 			ip->ip_src = net->ro._s_addr->address.sin.sin_addr;
4135 		} else {
4136 			if (over_addr == NULL) {
4137 				struct sctp_ifa *_lsrc;
4138 
4139 				_lsrc = sctp_source_address_selection(inp, stcb, ro,
4140 				                                      net,
4141 				                                      out_of_asoc_ok,
4142 				                                      vrf_id);
4143 				if (_lsrc == NULL) {
4144 					sctp_handle_no_route(stcb, net, so_locked);
4145 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4146 					sctp_m_freem(m);
4147 					return (EHOSTUNREACH);
4148 				}
4149 				ip->ip_src = _lsrc->address.sin.sin_addr;
4150 				sctp_free_ifa(_lsrc);
4151 			} else {
4152 				ip->ip_src = over_addr->sin.sin_addr;
4153 				SCTP_RTALLOC(ro, vrf_id);
4154 			}
4155 		}
4156 		if (port) {
4157 			if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4158 				sctp_handle_no_route(stcb, net, so_locked);
4159 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4160 				sctp_m_freem(m);
4161 				return (EHOSTUNREACH);
4162 			}
4163 			udp = (struct udphdr *)((caddr_t)ip + sizeof(struct ip));
4164 			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4165 			udp->uh_dport = port;
4166 			udp->uh_ulen = htons(packet_length - sizeof(struct ip));
4167 #if !defined(__Windows__) && !defined(__Userspace__)
4168 #if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
4169 			if (V_udp_cksum) {
4170 				udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
4171 			} else {
4172 				udp->uh_sum = 0;
4173 			}
4174 #else
4175 			udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
4176 #endif
4177 #else
4178 			udp->uh_sum = 0;
4179 #endif
4180 			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4181 		} else {
4182 			sctphdr = (struct sctphdr *)((caddr_t)ip + sizeof(struct ip));
4183 		}
4184 
4185 		sctphdr->src_port = src_port;
4186 		sctphdr->dest_port = dest_port;
4187 		sctphdr->v_tag = v_tag;
4188 		sctphdr->checksum = 0;
4189 
4190 		/*
4191 		 * If source address selection fails and we find no route
4192 		 * then the ip_output should fail as well with a
4193 		 * NO_ROUTE_TO_HOST type error. We probably should catch
4194 		 * that somewhere and abort the association right away
4195 		 * (assuming this is an INIT being sent).
4196 		 */
4197 		if (ro->ro_rt == NULL) {
4198 			/*
4199 			 * src addr selection failed to find a route (or
4200 			 * valid source addr), so we can't get there from
4201 			 * here (yet)!
4202 			 */
4203 			sctp_handle_no_route(stcb, net, so_locked);
4204 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4205 			sctp_m_freem(m);
4206 			return (EHOSTUNREACH);
4207 		}
4208 		if (ro != &iproute) {
4209 			memcpy(&iproute, ro, sizeof(*ro));
4210 		}
4211 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv4 output routine from low level src addr:%x\n",
4212 			(uint32_t) (ntohl(ip->ip_src.s_addr)));
4213 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Destination is %x\n",
4214 			(uint32_t)(ntohl(ip->ip_dst.s_addr)));
4215 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "RTP route is %p through\n",
4216 			(void *)ro->ro_rt);
4217 
4218 		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4219 			/* failed to prepend data, give up */
4220 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4221 			sctp_m_freem(m);
4222 			return (ENOMEM);
4223 		}
4224 		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4225 		if (port) {
4226 #if defined(SCTP_WITH_NO_CSUM)
4227 			SCTP_STAT_INCR(sctps_sendnocrc);
4228 #else
4229 			sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip) + sizeof(struct udphdr));
4230 			SCTP_STAT_INCR(sctps_sendswcrc);
4231 #endif
4232 #if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
4233 			if (V_udp_cksum) {
4234 				SCTP_ENABLE_UDP_CSUM(o_pak);
4235 			}
4236 #else
4237 			SCTP_ENABLE_UDP_CSUM(o_pak);
4238 #endif
4239 		} else {
4240 #if defined(SCTP_WITH_NO_CSUM)
4241 			SCTP_STAT_INCR(sctps_sendnocrc);
4242 #else
4243 #if defined(__FreeBSD__) && __FreeBSD_version >= 800000
4244 			m->m_pkthdr.csum_flags = CSUM_SCTP;
4245 			m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4246 			SCTP_STAT_INCR(sctps_sendhwcrc);
4247 #else
4248 			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
4249 			      (stcb) && (stcb->asoc.scope.loopback_scope))) {
4250 				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip));
4251 				SCTP_STAT_INCR(sctps_sendswcrc);
4252 			} else {
4253 				SCTP_STAT_INCR(sctps_sendnocrc);
4254 			}
4255 #endif
4256 #endif
4257 		}
4258 #ifdef SCTP_PACKET_LOGGING
4259 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4260 			sctp_packet_log(o_pak);
4261 #endif
4262 		/* send it out.  table id is taken from stcb */
4263 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4264 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4265 			so = SCTP_INP_SO(inp);
4266 			SCTP_SOCKET_UNLOCK(so, 0);
4267 		}
4268 #endif
4269 		SCTP_IP_OUTPUT(ret, o_pak, ro, stcb, vrf_id);
4270 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4271 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4272 			atomic_add_int(&stcb->asoc.refcnt, 1);
4273 			SCTP_TCB_UNLOCK(stcb);
4274 			SCTP_SOCKET_LOCK(so, 0);
4275 			SCTP_TCB_LOCK(stcb);
4276 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
4277 		}
4278 #endif
4279 		SCTP_STAT_INCR(sctps_sendpackets);
4280 		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4281 		if (ret)
4282 			SCTP_STAT_INCR(sctps_senderrors);
4283 
4284 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "IP output returns %d\n", ret);
4285 		if (net == NULL) {
4286 			/* free tempy routes */
4287 #if defined(__FreeBSD__) && __FreeBSD_version > 901000
4288 			RO_RTFREE(ro);
4289 #else
4290 			if (ro->ro_rt) {
4291 				RTFREE(ro->ro_rt);
4292 				ro->ro_rt = NULL;
4293 			}
4294 #endif
4295 		} else {
4296 			/* PMTU check versus smallest asoc MTU goes here */
4297 			if ((ro->ro_rt != NULL) &&
4298 			    (net->ro._s_addr)) {
4299 				uint32_t mtu;
4300 				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4301 				if (net->port) {
4302 					mtu -= sizeof(struct udphdr);
4303 				}
4304 				if (mtu && (stcb->asoc.smallest_mtu > mtu)) {
4305 					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4306 					net->mtu = mtu;
4307 				}
4308 			} else if (ro->ro_rt == NULL) {
4309 				/* route was freed */
4310 				if (net->ro._s_addr &&
4311 				    net->src_addr_selected) {
4312 					sctp_free_ifa(net->ro._s_addr);
4313 					net->ro._s_addr = NULL;
4314 				}
4315 				net->src_addr_selected = 0;
4316 			}
4317 		}
4318 		return (ret);
4319 	}
4320 #endif
4321 #ifdef INET6
4322 	case AF_INET6:
4323 	{
4324 		uint32_t flowlabel, flowinfo;
4325 		struct ip6_hdr *ip6h;
4326 		struct route_in6 ip6route;
4327 #if !(defined(__Panda__) || defined(__Userspace__))
4328 		struct ifnet *ifp;
4329 #endif
4330 		struct sockaddr_in6 *sin6, tmp, *lsa6, lsa6_tmp;
4331 		int prev_scope = 0;
4332 #ifdef SCTP_EMBEDDED_V6_SCOPE
4333 		struct sockaddr_in6 lsa6_storage;
4334 		int error;
4335 #endif
4336 		u_short prev_port = 0;
4337 		int len;
4338 
4339 		if (net) {
4340 			flowlabel = net->flowlabel;
4341 		} else if (stcb) {
4342 			flowlabel = stcb->asoc.default_flowlabel;
4343 		} else {
4344 			flowlabel = inp->sctp_ep.default_flowlabel;
4345 		}
4346 		if (flowlabel == 0) {
4347 			/*
4348 			 * This means especially, that it is not set at the
4349 			 * SCTP layer. So use the value from the IP layer.
4350 			 */
4351 #if defined(__APPLE__) && (!defined(APPLE_LEOPARD) && !defined(APPLE_SNOWLEOPARD) && !defined(APPLE_LION) && !defined(APPLE_MOUNTAINLION))
4352 			flowlabel = ntohl(inp->ip_inp.inp.inp_flow);
4353 #else
4354 			flowlabel = ntohl(((struct in6pcb *)inp)->in6p_flowinfo);
4355 #endif
4356 		}
4357 		flowlabel &= 0x000fffff;
4358 		len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr);
4359 		if (port) {
4360 			len += sizeof(struct udphdr);
4361 		}
4362 		newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4363 		if (newm == NULL) {
4364 			sctp_m_freem(m);
4365 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4366 			return (ENOMEM);
4367 		}
4368 		SCTP_ALIGN_TO_END(newm, len);
4369 		SCTP_BUF_LEN(newm) = len;
4370 		SCTP_BUF_NEXT(newm) = m;
4371 		m = newm;
4372 #if defined(__FreeBSD__)
4373 		if (net != NULL) {
4374 #ifdef INVARIANTS
4375 			if (net->flowidset == 0) {
4376 				panic("Flow ID not set");
4377 			}
4378 #endif
4379 			m->m_pkthdr.flowid = net->flowid;
4380 			m->m_flags |= M_FLOWID;
4381 		} else {
4382 			if (use_mflowid != 0) {
4383 				m->m_pkthdr.flowid = mflowid;
4384 				m->m_flags |= M_FLOWID;
4385 			}
4386 		}
4387 #endif
4388 		packet_length = sctp_calculate_len(m);
4389 
4390 		ip6h = mtod(m, struct ip6_hdr *);
4391 		/* protect *sin6 from overwrite */
4392 		sin6 = (struct sockaddr_in6 *)to;
4393 		tmp = *sin6;
4394 		sin6 = &tmp;
4395 
4396 #ifdef SCTP_EMBEDDED_V6_SCOPE
4397 		/* KAME hack: embed scopeid */
4398 #if defined(__APPLE__)
4399 #if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4400 		if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL) != 0)
4401 #else
4402 		if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL, NULL) != 0)
4403 #endif
4404 #elif defined(SCTP_KAME)
4405 		if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0)
4406 #else
4407 		if (in6_embedscope(&sin6->sin6_addr, sin6) != 0)
4408 #endif
4409 		{
4410 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4411 			return (EINVAL);
4412 		}
4413 #endif /* SCTP_EMBEDDED_V6_SCOPE */
4414 		if (net == NULL) {
4415 			memset(&ip6route, 0, sizeof(ip6route));
4416 			ro = (sctp_route_t *)&ip6route;
4417 #ifdef HAVE_SIN6_LEN
4418 			memcpy(&ro->ro_dst, sin6, sin6->sin6_len);
4419 #else
4420 			memcpy(&ro->ro_dst, sin6, sizeof(struct sockaddr_in6));
4421 #endif
4422 		} else {
4423 			ro = (sctp_route_t *)&net->ro;
4424 		}
4425 		/*
4426 		 * We assume here that inp_flow is in host byte order within
4427 		 * the TCB!
4428 		 */
4429 		if (tos_value == 0) {
4430 			/*
4431 			 * This means especially, that it is not set at the
4432 			 * SCTP layer. So use the value from the IP layer.
4433 			 */
4434 #if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Panda__) || defined(__Windows__) || defined(__Userspace__)
4435 #if defined(__APPLE__) && (!defined(APPLE_LEOPARD) && !defined(APPLE_SNOWLEOPARD) && !defined(APPLE_LION) && !defined(APPLE_MOUNTAINLION))
4436 			tos_value = (ntohl(inp->ip_inp.inp.inp_flow) >> 20) & 0xff;
4437 #else
4438 			tos_value = (ntohl(((struct in6pcb *)inp)->in6p_flowinfo) >> 20) & 0xff;
4439 #endif
4440 #endif
4441 		}
4442 		tos_value &= 0xfc;
4443 		if (ecn_ok) {
4444 			tos_value |= sctp_get_ect(stcb);
4445 		}
4446 		flowinfo = 0x06;
4447 		flowinfo <<= 8;
4448 		flowinfo |= tos_value;
4449 		flowinfo <<= 20;
4450 		flowinfo |= flowlabel;
4451 		ip6h->ip6_flow = htonl(flowinfo);
4452 		if (port) {
4453 			ip6h->ip6_nxt = IPPROTO_UDP;
4454 		} else {
4455 			ip6h->ip6_nxt = IPPROTO_SCTP;
4456 		}
4457 		ip6h->ip6_plen = (packet_length - sizeof(struct ip6_hdr));
4458 		ip6h->ip6_dst = sin6->sin6_addr;
4459 
4460 		/*
4461 		 * Add SRC address selection here: we can only reuse to a
4462 		 * limited degree the kame src-addr-sel, since we can try
4463 		 * their selection but it may not be bound.
4464 		 */
4465 		bzero(&lsa6_tmp, sizeof(lsa6_tmp));
4466 		lsa6_tmp.sin6_family = AF_INET6;
4467 #ifdef HAVE_SIN6_LEN
4468 		lsa6_tmp.sin6_len = sizeof(lsa6_tmp);
4469 #endif
4470 		lsa6 = &lsa6_tmp;
4471 		if (net && out_of_asoc_ok == 0) {
4472 			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED|SCTP_ADDR_IFA_UNUSEABLE))) {
4473 				sctp_free_ifa(net->ro._s_addr);
4474 				net->ro._s_addr = NULL;
4475 				net->src_addr_selected = 0;
4476 				if (ro->ro_rt) {
4477 					RTFREE(ro->ro_rt);
4478 					ro->ro_rt = NULL;
4479 				}
4480 			}
4481 			if (net->src_addr_selected == 0) {
4482 #ifdef SCTP_EMBEDDED_V6_SCOPE
4483 				sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4484 				/* KAME hack: embed scopeid */
4485 #if defined(__APPLE__)
4486 #if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4487 				if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL) != 0)
4488 #else
4489 				if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL, NULL) != 0)
4490 #endif
4491 #elif defined(SCTP_KAME)
4492 				if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0)
4493 #else
4494 				if (in6_embedscope(&sin6->sin6_addr, sin6) != 0)
4495 #endif
4496 				{
4497 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4498 					return (EINVAL);
4499 				}
4500 #endif /* SCTP_EMBEDDED_V6_SCOPE */
4501 				/* Cache the source address */
4502 				net->ro._s_addr = sctp_source_address_selection(inp,
4503 										stcb,
4504 										ro,
4505 										net,
4506 										0,
4507 										vrf_id);
4508 #ifdef SCTP_EMBEDDED_V6_SCOPE
4509 #ifdef SCTP_KAME
4510 				(void)sa6_recoverscope(sin6);
4511 #else
4512 				(void)in6_recoverscope(sin6, &sin6->sin6_addr, NULL);
4513 #endif	/* SCTP_KAME */
4514 #endif	/* SCTP_EMBEDDED_V6_SCOPE */
4515 				net->src_addr_selected = 1;
4516 			}
4517 			if (net->ro._s_addr == NULL) {
4518 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "V6:No route to host\n");
4519 				net->src_addr_selected = 0;
4520 				sctp_handle_no_route(stcb, net, so_locked);
4521 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4522 				sctp_m_freem(m);
4523 				return (EHOSTUNREACH);
4524 			}
4525 			lsa6->sin6_addr = net->ro._s_addr->address.sin6.sin6_addr;
4526 		} else {
4527 #ifdef SCTP_EMBEDDED_V6_SCOPE
4528 			sin6 = (struct sockaddr_in6 *)&ro->ro_dst;
4529 			/* KAME hack: embed scopeid */
4530 #if defined(__APPLE__)
4531 #if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
4532 			if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL) != 0)
4533 #else
4534 			if (in6_embedscope(&sin6->sin6_addr, sin6, NULL, NULL, NULL) != 0)
4535 #endif
4536 #elif defined(SCTP_KAME)
4537 			if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0)
4538 #else
4539 			if (in6_embedscope(&sin6->sin6_addr, sin6) != 0)
4540 #endif
4541 			  {
4542 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
4543 				return (EINVAL);
4544 			  }
4545 #endif /* SCTP_EMBEDDED_V6_SCOPE */
4546 			if (over_addr == NULL) {
4547 				struct sctp_ifa *_lsrc;
4548 
4549 				_lsrc = sctp_source_address_selection(inp, stcb, ro,
4550 				                                      net,
4551 				                                      out_of_asoc_ok,
4552 				                                      vrf_id);
4553 				if (_lsrc == NULL) {
4554 					sctp_handle_no_route(stcb, net, so_locked);
4555 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4556 					sctp_m_freem(m);
4557 					return (EHOSTUNREACH);
4558 				}
4559 				lsa6->sin6_addr = _lsrc->address.sin6.sin6_addr;
4560 				sctp_free_ifa(_lsrc);
4561 			} else {
4562 				lsa6->sin6_addr = over_addr->sin6.sin6_addr;
4563 				SCTP_RTALLOC(ro, vrf_id);
4564 			}
4565 #ifdef SCTP_EMBEDDED_V6_SCOPE
4566 #ifdef SCTP_KAME
4567 			(void)sa6_recoverscope(sin6);
4568 #else
4569 			(void)in6_recoverscope(sin6, &sin6->sin6_addr, NULL);
4570 #endif	/* SCTP_KAME */
4571 #endif	/* SCTP_EMBEDDED_V6_SCOPE */
4572 		}
4573 		lsa6->sin6_port = inp->sctp_lport;
4574 
4575 		if (ro->ro_rt == NULL) {
4576 			/*
4577 			 * src addr selection failed to find a route (or
4578 			 * valid source addr), so we can't get there from
4579 			 * here!
4580 			 */
4581 			sctp_handle_no_route(stcb, net, so_locked);
4582 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4583 			sctp_m_freem(m);
4584 			return (EHOSTUNREACH);
4585 		}
4586 #ifndef SCOPEDROUTING
4587 #ifdef SCTP_EMBEDDED_V6_SCOPE
4588 		/*
4589 		 * XXX: sa6 may not have a valid sin6_scope_id in the
4590 		 * non-SCOPEDROUTING case.
4591 		 */
4592 		bzero(&lsa6_storage, sizeof(lsa6_storage));
4593 		lsa6_storage.sin6_family = AF_INET6;
4594 #ifdef HAVE_SIN6_LEN
4595 		lsa6_storage.sin6_len = sizeof(lsa6_storage);
4596 #endif
4597 #ifdef SCTP_KAME
4598 		lsa6_storage.sin6_addr = lsa6->sin6_addr;
4599 		if ((error = sa6_recoverscope(&lsa6_storage)) != 0) {
4600 #else
4601 		if ((error = in6_recoverscope(&lsa6_storage, &lsa6->sin6_addr,
4602 		    NULL)) != 0) {
4603 #endif				/* SCTP_KAME */
4604 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "recover scope fails error %d\n", error);
4605 			sctp_m_freem(m);
4606 			return (error);
4607 		}
4608 		/* XXX */
4609 		lsa6_storage.sin6_addr = lsa6->sin6_addr;
4610 		lsa6_storage.sin6_port = inp->sctp_lport;
4611 		lsa6 = &lsa6_storage;
4612 #endif /* SCTP_EMBEDDED_V6_SCOPE */
4613 #endif /* SCOPEDROUTING */
4614 		ip6h->ip6_src = lsa6->sin6_addr;
4615 
4616 		if (port) {
4617 			if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
4618 				sctp_handle_no_route(stcb, net, so_locked);
4619 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
4620 				sctp_m_freem(m);
4621 				return (EHOSTUNREACH);
4622 			}
4623 			udp = (struct udphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4624 			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4625 			udp->uh_dport = port;
4626 			udp->uh_ulen = htons(packet_length - sizeof(struct ip6_hdr));
4627 			udp->uh_sum = 0;
4628 			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4629 		} else {
4630 			sctphdr = (struct sctphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4631 		}
4632 
4633 		sctphdr->src_port = src_port;
4634 		sctphdr->dest_port = dest_port;
4635 		sctphdr->v_tag = v_tag;
4636 		sctphdr->checksum = 0;
4637 
4638 		/*
4639 		 * We set the hop limit now since there is a good chance
4640 		 * that our ro pointer is now filled
4641 		 */
4642 		ip6h->ip6_hlim = SCTP_GET_HLIM(inp, ro);
4643 #if !(defined(__Panda__) || defined(__Userspace__))
4644 		ifp = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
4645 #endif
4646 
4647 #ifdef SCTP_DEBUG
4648 		/* Copy to be sure something bad is not happening */
4649 		sin6->sin6_addr = ip6h->ip6_dst;
4650 		lsa6->sin6_addr = ip6h->ip6_src;
4651 #endif
4652 
4653 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv6 output routine from low level\n");
4654 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "src: ");
4655 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)lsa6);
4656 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst: ");
4657 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)sin6);
4658 		if (net) {
4659 			sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4660 			/* preserve the port and scope for link local send */
4661 			prev_scope = sin6->sin6_scope_id;
4662 			prev_port = sin6->sin6_port;
4663 		}
4664 
4665 		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4666 			/* failed to prepend data, give up */
4667 			sctp_m_freem(m);
4668 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4669 			return (ENOMEM);
4670 		}
4671 		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4672 		if (port) {
4673 #if defined(SCTP_WITH_NO_CSUM)
4674 			SCTP_STAT_INCR(sctps_sendnocrc);
4675 #else
4676 			sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
4677 			SCTP_STAT_INCR(sctps_sendswcrc);
4678 #endif
4679 #if defined(__Windows__)
4680 			udp->uh_sum = 0;
4681 #elif !defined(__Userspace__)
4682 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), packet_length - sizeof(struct ip6_hdr))) == 0) {
4683 				udp->uh_sum = 0xffff;
4684 			}
4685 #endif
4686 		} else {
4687 #if defined(SCTP_WITH_NO_CSUM)
4688 			SCTP_STAT_INCR(sctps_sendnocrc);
4689 #else
4690 #if defined(__FreeBSD__) && __FreeBSD_version >= 800000
4691 #if __FreeBSD_version < 900000
4692 			sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr));
4693 			SCTP_STAT_INCR(sctps_sendswcrc);
4694 #else
4695 #if __FreeBSD_version > 901000
4696 			m->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
4697 #else
4698 			m->m_pkthdr.csum_flags = CSUM_SCTP;
4699 #endif
4700 			m->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
4701 			SCTP_STAT_INCR(sctps_sendhwcrc);
4702 #endif
4703 #else
4704 			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
4705 			      (stcb) && (stcb->asoc.scope.loopback_scope))) {
4706 				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr));
4707 				SCTP_STAT_INCR(sctps_sendswcrc);
4708 			} else {
4709 				SCTP_STAT_INCR(sctps_sendnocrc);
4710 			}
4711 #endif
4712 #endif
4713 		}
4714 		/* send it out. table id is taken from stcb */
4715 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4716 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4717 			so = SCTP_INP_SO(inp);
4718 			SCTP_SOCKET_UNLOCK(so, 0);
4719 		}
4720 #endif
4721 #ifdef SCTP_PACKET_LOGGING
4722 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4723 			sctp_packet_log(o_pak);
4724 #endif
4725 #if !(defined(__Panda__) || defined(__Userspace__))
4726 		SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, &ifp, stcb, vrf_id);
4727 #else
4728 		SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, NULL, stcb, vrf_id);
4729 #endif
4730 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4731 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4732 			atomic_add_int(&stcb->asoc.refcnt, 1);
4733 			SCTP_TCB_UNLOCK(stcb);
4734 			SCTP_SOCKET_LOCK(so, 0);
4735 			SCTP_TCB_LOCK(stcb);
4736 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
4737 		}
4738 #endif
4739 		if (net) {
4740 			/* for link local this must be done */
4741 			sin6->sin6_scope_id = prev_scope;
4742 			sin6->sin6_port = prev_port;
4743 		}
4744 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
4745 		SCTP_STAT_INCR(sctps_sendpackets);
4746 		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4747 		if (ret) {
4748 			SCTP_STAT_INCR(sctps_senderrors);
4749 		}
4750 		if (net == NULL) {
4751 			/* Now if we had a temp route free it */
4752 #if defined(__FreeBSD__) && __FreeBSD_version > 901000
4753 			RO_RTFREE(ro);
4754 #else
4755 			if (ro->ro_rt) {
4756 				RTFREE(ro->ro_rt);
4757 				ro->ro_rt = NULL;
4758 			}
4759 #endif
4760 		} else {
4761 			/* PMTU check versus smallest asoc MTU goes here */
4762 			if (ro->ro_rt == NULL) {
4763 				/* Route was freed */
4764 				if (net->ro._s_addr &&
4765 				    net->src_addr_selected) {
4766 					sctp_free_ifa(net->ro._s_addr);
4767 					net->ro._s_addr = NULL;
4768 				}
4769 				net->src_addr_selected = 0;
4770 			}
4771 			if ((ro->ro_rt != NULL) &&
4772 			    (net->ro._s_addr)) {
4773 				uint32_t mtu;
4774 				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4775 				if (mtu &&
4776 				    (stcb->asoc.smallest_mtu > mtu)) {
4777 					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4778 					net->mtu = mtu;
4779 					if (net->port) {
4780 						net->mtu -= sizeof(struct udphdr);
4781 					}
4782 				}
4783 			}
4784 #if !defined(__Panda__) && !defined(__Userspace__)
4785 			else if (ifp) {
4786 #if defined(__Windows__)
4787 #define ND_IFINFO(ifp)	(ifp)
4788 #define linkmtu		if_mtu
4789 #endif
4790 				if (ND_IFINFO(ifp)->linkmtu &&
4791 				    (stcb->asoc.smallest_mtu > ND_IFINFO(ifp)->linkmtu)) {
4792 					sctp_mtu_size_reset(inp,
4793 					    &stcb->asoc,
4794 					    ND_IFINFO(ifp)->linkmtu);
4795 				}
4796 			}
4797 #endif
4798 		}
4799 		return (ret);
4800 	}
4801 #endif
4802 #if defined(__Userspace__)
4803 	case AF_CONN:
4804 	{
4805 		char *buffer;
4806 		struct sockaddr_conn *sconn;
4807 		int len;
4808 
4809 		sconn = (struct sockaddr_conn *)to;
4810 		len = sizeof(struct sctphdr);
4811 		newm = sctp_get_mbuf_for_msg(len, 1, M_NOWAIT, 1, MT_DATA);
4812 		if (newm == NULL) {
4813 			sctp_m_freem(m);
4814 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4815 			return (ENOMEM);
4816 		}
4817 		SCTP_ALIGN_TO_END(newm, len);
4818 		SCTP_BUF_LEN(newm) = len;
4819 		SCTP_BUF_NEXT(newm) = m;
4820 		m = newm;
4821 		packet_length = sctp_calculate_len(m);
4822 		sctphdr = mtod(m, struct sctphdr *);
4823 		sctphdr->src_port = src_port;
4824 		sctphdr->dest_port = dest_port;
4825 		sctphdr->v_tag = v_tag;
4826 		sctphdr->checksum = 0;
4827 #if defined(SCTP_WITH_NO_CSUM)
4828 		SCTP_STAT_INCR(sctps_sendnocrc);
4829 #else
4830 		sctphdr->checksum = sctp_calculate_cksum(m, 0);
4831 		SCTP_STAT_INCR(sctps_sendswcrc);
4832 #endif
4833 		if (tos_value == 0) {
4834 			tos_value = inp->ip_inp.inp.inp_ip_tos;
4835 		}
4836 		tos_value &= 0xfc;
4837 		if (ecn_ok) {
4838 			tos_value |= sctp_get_ect(stcb);
4839 		}
4840 		/* Don't alloc/free for each packet */
4841 		if ((buffer = malloc(packet_length)) != NULL) {
4842 			m_copydata(m, 0, packet_length, buffer);
4843 			ret = SCTP_BASE_VAR(conn_output)(sconn->sconn_addr, buffer, packet_length, tos_value, nofragment_flag);
4844 			free(buffer);
4845 		} else {
4846 			ret = ENOMEM;
4847 		}
4848 		sctp_m_freem(m);
4849 		return (ret);
4850 	}
4851 #endif
4852 	default:
4853 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
4854 		        ((struct sockaddr *)to)->sa_family);
4855 		sctp_m_freem(m);
4856 		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4857 		return (EFAULT);
4858 	}
4859 }
4860 
4861 
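/*
 * Zero-fill the padding owed after the parameter written last and add it to
 * the running chunk length. Does nothing when no padding is pending.
 */
static void
sctp_init_flush_padding(struct mbuf *m, uint16_t *chunk_len, uint16_t *padding_len)
{
	if (*padding_len > 0) {
		memset(mtod(m, caddr_t) + *chunk_len, 0, *padding_len);
		*chunk_len += *padding_len;
		*padding_len = 0;
	}
}

/*
 * Build an INIT chunk for the association and hand it to
 * sctp_lowlevel_chunk_output().
 *
 * The INIT goes to the primary destination, or to the first entry of the
 * association's net list when no primary is set (that entry is then made
 * primary). The chosen address is marked confirmed and the INIT timer is
 * started before the chunk is assembled, so the early returns on mbuf
 * shortage leave the retransmission to that timer.
 *
 * The fixed part and the optional parameters are written back to back into
 * one mbuf obtained with MCLBYTES; chunk_len is the write offset and
 * padding_len the padding still owed after the last parameter. The padding
 * is only emitted when another parameter follows, or at the very end via
 * sctp_add_pad_tombuf(), because chunk_length must not count the padding of
 * the final parameter.
 *
 * NOTE(review): nothing in this function compares chunk_len with the space
 * available in the mbuf. The variable-length parameters (RANDOM, HMAC list,
 * chunk list) are sized from local association state, so this presumably
 * relies on those staying far below MCLBYTES -- confirm where random_len,
 * num_algo and the chunk list size are bounded.
 *
 * inp        endpoint the association belongs to.
 * stcb       association to initiate.
 * so_locked  passed through to sctp_lowlevel_chunk_output(); only inspected
 *            here for the lock assertion on __APPLE__.
 */
void
sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked
#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
    SCTP_UNUSED
#endif
    )
{
	struct mbuf *m;
	struct sctp_nets *net;
	struct sctp_init_chunk *init;
	struct sctp_supported_addr_param *sup_addr;
	struct sctp_adaptation_layer_indication *ali;
	struct sctp_supported_chunk_types_param *pr_supported;
	struct sctp_paramhdr *ph;
	int cnt_inits_to = 0;
	int ret;
	uint16_t num_ext, chunk_len, padding_len, parameter_len;

#if defined(__APPLE__)
	if (so_locked) {
		sctp_lock_assert(SCTP_INP_SO(inp));
	} else {
		sctp_unlock_assert(SCTP_INP_SO(inp));
	}
#endif
	/* INIT's always go to the primary (and usually ONLY address) */
	net = stcb->asoc.primary_destination;
	if (net == NULL) {
		net = TAILQ_FIRST(&stcb->asoc.nets);
		if (net == NULL) {
			/* TSNH */
			return;
		}
		/* we confirm any address we send an INIT to */
		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
		(void)sctp_set_primary_addr(stcb, NULL, net);
	} else {
		/* we confirm any address we send an INIT to */
		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT\n");
#ifdef INET6
	if (net->ro._l_addr.sa.sa_family == AF_INET6) {
		/*
		 * special hook, if we are sending to link local it will not
		 * show up in our private address count.
		 */
		if (IN6_IS_ADDR_LINKLOCAL(&net->ro._l_addr.sin6.sin6_addr))
			cnt_inits_to = 1;
	}
#endif
	if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
		/* This case should not happen */
		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - failed timer?\n");
		return;
	}
	/* start the INIT timer */
	sctp_timer_start(SCTP_TIMER_TYPE_INIT, inp, stcb, net);

	m = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_NOWAIT, 1, MT_DATA);
	if (m == NULL) {
		/* No memory, INIT timer will re-attempt. */
		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - mbuf?\n");
		return;
	}
	chunk_len = (uint16_t)sizeof(struct sctp_init_chunk);
	padding_len = 0;
	/*
	 * assume peer supports asconf in order to be able to queue
	 * local address changes while an INIT is in flight and before
	 * the assoc is established.
	 */
	stcb->asoc.peer_supports_asconf = 1;
	/* Now lets put the chunk header in place */
	init = mtod(m, struct sctp_init_chunk *);
	init->ch.chunk_type = SCTP_INITIATION;
	init->ch.chunk_flags = 0;
	/* fill in later from mbuf we build */
	init->ch.chunk_length = 0;
	/* place in my tag */
	init->init.initiate_tag = htonl(stcb->asoc.my_vtag);
	/* set up some of the credits. */
	init->init.a_rwnd = htonl(max(inp->sctp_socket?SCTP_SB_LIMIT_RCV(inp->sctp_socket):0,
	                              SCTP_MINIMAL_RWND));
	init->init.num_outbound_streams = htons(stcb->asoc.pre_open_streams);
	init->init.num_inbound_streams = htons(stcb->asoc.max_inbound_streams);
	init->init.initial_tsn = htonl(stcb->asoc.init_seq_number);

	/* Supported address types parameter */
	if (stcb->asoc.scope.ipv4_addr_legal || stcb->asoc.scope.ipv6_addr_legal) {
		uint8_t i;

		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
		if (stcb->asoc.scope.ipv4_addr_legal) {
			parameter_len += (uint16_t)sizeof(uint16_t);
		}
		if (stcb->asoc.scope.ipv6_addr_legal) {
			parameter_len += (uint16_t)sizeof(uint16_t);
		}
		sup_addr = (struct sctp_supported_addr_param *)(mtod(m, caddr_t) + chunk_len);
		sup_addr->ph.param_type = htons(SCTP_SUPPORTED_ADDRTYPE);
		sup_addr->ph.param_length = htons(parameter_len);
		i = 0;
		if (stcb->asoc.scope.ipv4_addr_legal) {
			sup_addr->addr_type[i++] = htons(SCTP_IPV4_ADDRESS);
		}
		if (stcb->asoc.scope.ipv6_addr_legal) {
			sup_addr->addr_type[i++] = htons(SCTP_IPV6_ADDRESS);
		}
		/* one 16-bit entry leaves two bytes of padding, two leave none */
		padding_len = 4 - 2 * i;
		chunk_len += parameter_len;
	}

	/* Adaptation layer indication parameter */
	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
		sctp_init_flush_padding(m, &chunk_len, &padding_len);
		parameter_len = (uint16_t)sizeof(struct sctp_adaptation_layer_indication);
		ali = (struct sctp_adaptation_layer_indication *)(mtod(m, caddr_t) + chunk_len);
		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
		ali->ph.param_length = htons(parameter_len);
		/*
		 * Host to network order: htonl() states the direction; the
		 * original used ntohl(), which performs the same byte swap.
		 */
		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
		chunk_len += parameter_len;
	}

	if (SCTP_BASE_SYSCTL(sctp_inits_include_nat_friendly)) {
		/* Add NAT friendly parameter. */
		sctp_init_flush_padding(m, &chunk_len, &padding_len);
		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
		ph->param_length = htons(parameter_len);
		chunk_len += parameter_len;
	}

	/* now any cookie time extensions */
	if (stcb->asoc.cookie_preserve_req) {
		struct sctp_cookie_perserve_param *cookie_preserve;

		sctp_init_flush_padding(m, &chunk_len, &padding_len);
		parameter_len = (uint16_t)sizeof(struct sctp_cookie_perserve_param);
		cookie_preserve = (struct sctp_cookie_perserve_param *)(mtod(m, caddr_t) + chunk_len);
		cookie_preserve->ph.param_type = htons(SCTP_COOKIE_PRESERVE);
		cookie_preserve->ph.param_length = htons(parameter_len);
		cookie_preserve->time = htonl(stcb->asoc.cookie_preserve_req);
		/* the request is consumed by this INIT */
		stcb->asoc.cookie_preserve_req = 0;
		chunk_len += parameter_len;
	}

	/* ECN parameter */
	if (stcb->asoc.ecn_allowed == 1) {
		sctp_init_flush_padding(m, &chunk_len, &padding_len);
		parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
		ph->param_type = htons(SCTP_ECN_CAPABLE);
		ph->param_length = htons(parameter_len);
		chunk_len += parameter_len;
	}

	/* And now tell the peer we do support PR-SCTP. */
	sctp_init_flush_padding(m, &chunk_len, &padding_len);
	parameter_len = (uint16_t)sizeof(struct sctp_paramhdr);
	ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + chunk_len);
	ph->param_type = htons(SCTP_PRSCTP_SUPPORTED);
	ph->param_length = htons(parameter_len);
	chunk_len += parameter_len;

	/* And now tell the peer we do all the extensions */
	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t) + chunk_len);
	pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
	num_ext = 0;
	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
	pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
	pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
	pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
	if (!SCTP_BASE_SYSCTL(sctp_auth_disable)) {
		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
	}
	if (stcb->asoc.sctp_nr_sack_on_off == 1) {
		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
	}
	parameter_len = (uint16_t)sizeof(struct sctp_supported_chunk_types_param) + num_ext;
	pr_supported->ph.param_length = htons(parameter_len);
	padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
	chunk_len += parameter_len;

	/* add authentication parameters */
	if (!SCTP_BASE_SYSCTL(sctp_auth_disable)) {
		/* attach RANDOM parameter, if available */
		if (stcb->asoc.authinfo.random != NULL) {
			struct sctp_auth_random *randp;

			sctp_init_flush_padding(m, &chunk_len, &padding_len);
			randp = (struct sctp_auth_random *)(mtod(m, caddr_t) + chunk_len);
			parameter_len = (uint16_t)sizeof(struct sctp_auth_random) + stcb->asoc.authinfo.random_len;
			/* random key already contains the header */
			memcpy(randp, stcb->asoc.authinfo.random->key, parameter_len);
			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
			chunk_len += parameter_len;
		}
		/* add HMAC_ALGO parameter */
		if ((stcb->asoc.local_hmacs != NULL) &&
		    (stcb->asoc.local_hmacs->num_algo > 0)) {
			struct sctp_auth_hmac_algo *hmacs;

			sctp_init_flush_padding(m, &chunk_len, &padding_len);
			hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t) + chunk_len);
			parameter_len = (uint16_t)(sizeof(struct sctp_auth_hmac_algo) +
			                           stcb->asoc.local_hmacs->num_algo * sizeof(uint16_t));
			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
			hmacs->ph.param_length = htons(parameter_len);
			sctp_serialize_hmaclist(stcb->asoc.local_hmacs, (uint8_t *)hmacs->hmac_ids);
			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
			chunk_len += parameter_len;
		}
		/* add CHUNKS parameter */
		if (sctp_auth_get_chklist_size(stcb->asoc.local_auth_chunks) > 0) {
			struct sctp_auth_chunk_list *chunks;

			sctp_init_flush_padding(m, &chunk_len, &padding_len);
			chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t) + chunk_len);
			parameter_len = (uint16_t)(sizeof(struct sctp_auth_chunk_list) +
			                           sctp_auth_get_chklist_size(stcb->asoc.local_auth_chunks));
			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
			chunks->ph.param_length = htons(parameter_len);
			sctp_serialize_auth_chunks(stcb->asoc.local_auth_chunks, chunks->chunk_types);
			padding_len = SCTP_SIZE32(parameter_len) - parameter_len;
			chunk_len += parameter_len;
		}
	}
	SCTP_BUF_LEN(m) = chunk_len;

	/* now the addresses */
	/*
	 * To optimize this we could put the scoping stuff into a structure
	 * and remove the individual uint8's from the assoc structure. Then
	 * we could just sifa in the address within the stcb. But for now
	 * this is a quick hack to get the address stuff teased apart.
	 */
	sctp_add_addresses_to_i_ia(inp, stcb, &stcb->asoc.scope, m, cnt_inits_to, &padding_len, &chunk_len);

	/* chunk_length excludes whatever padding is still pending */
	init->ch.chunk_length = htons(chunk_len);
	if (padding_len > 0) {
		struct mbuf *m_at, *mp_last;

		/* the final padding goes onto the last mbuf of the chain */
		mp_last = NULL;
		for (m_at = m; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
			if (SCTP_BUF_NEXT(m_at) == NULL)
				mp_last = m_at;
		}
		if ((mp_last == NULL) || sctp_add_pad_tombuf(mp_last, padding_len)) {
			sctp_m_freem(m);
			return;
		}
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - calls lowlevel_output\n");
	ret = sctp_lowlevel_chunk_output(inp, stcb, net,
	                                 (struct sockaddr *)&net->ro._l_addr,
	                                 m, 0, NULL, 0, 0, 0, 0,
	                                 inp->sctp_lport, stcb->rport, htonl(0),
	                                 net->port, NULL,
#if defined(__FreeBSD__)
	                                 0, 0,
#endif
	                                 so_locked);
	SCTPDBG(SCTP_DEBUG_OUTPUT4, "lowlevel_output - %d\n", ret);
	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
	(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
}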
5163 
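/*
 * Allocate the mbuf that collects error causes and pre-reserve space for
 * the IP header, the SCTP common header and a chunk header. payload_len is
 * the number of cause bytes the caller is about to append. Returns NULL
 * when no mbuf could be obtained.
 */
static struct mbuf *
sctp_init_op_err_alloc(int payload_len)
{
	struct mbuf *op_err;
	int l_len;

#ifdef INET6
	l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
#else
	l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
#endif
	l_len += payload_len;
	op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
	if (op_err) {
		SCTP_BUF_LEN(op_err) = 0;
#ifdef INET6
		SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
#else
		SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
#endif
		SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
		SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
	}
	return (op_err);
}

/*
 * Append an error cause header to op_err at *err_at, first zero-padding
 * *err_at up to a multiple of four. The header carries the given code and
 * a length of header plus payload_len; *err_at is advanced past the header
 * so the caller can copy the payload there.
 */
static void
sctp_init_op_err_add_hdr(struct mbuf *op_err, int *err_at, uint16_t code, uint16_t payload_len)
{
	struct sctp_paramhdr s;

	if (*err_at % 4) {
		uint32_t cpthis = 0;
		int pad_needed;

		pad_needed = 4 - (*err_at % 4);
		m_copyback(op_err, *err_at, pad_needed, (caddr_t)&cpthis);
		*err_at += pad_needed;
	}
	s.param_type = htons(code);
	s.param_length = htons(sizeof(s) + payload_len);
	m_copyback(op_err, *err_at, sizeof(s), (caddr_t)&s);
	*err_at += sizeof(s);
}

/*
 * Walk the parameters of an INIT or INIT-ACK and verify that every one is
 * known and has an acceptable length. Parameter types and lengths are read
 * from the packet, so every length is checked before it is used.
 *
 * in_initpkt        mbuf chain containing the chunk.
 * param_offset      offset in in_initpkt where the parameters begin, i.e.
 *                   (iphlen + sizeof(struct sctp_init_msg)).
 * abort_processing  set to 0 on entry; set to 1 when a parameter has an
 *                   invalid size or a hostname address parameter is found.
 * cp                chunk header; chunk_length minus the fixed INIT part is
 *                   the number of parameter bytes that may be walked.
 * nat_friendly      set to 1 when SCTP_HAS_NAT_SUPPORT is seen; never
 *                   cleared here.
 *
 * Returns an mbuf holding the error causes built along the way
 * (UNRECOGNIZED_PARAMETER for unknown types with the report bit 0x4000,
 * UNRESOLVABLE_ADDR for a hostname parameter, PROTOCOL_VIOLATION for a bad
 * size), or NULL when nothing was reported or no mbuf was available. An
 * unknown type without the 0x8000 bit ends the walk.
 *
 * Changes against the previous version:
 *  - the hostname case copied plen bytes from a buffer for which at most
 *    sizeof(tempbuf) bytes had been requested; the copy is now bounded;
 *  - the unknown-parameter case advanced by the length it had clamped for
 *    the copy, so an oversized parameter desynchronised the walk; it now
 *    advances by the real padded size like every other case;
 *  - the cause length now matches the number of bytes actually copied;
 *  - err_at restarts at 0 when a partially built report is discarded.
 */
struct mbuf *
sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
	int param_offset, int *abort_processing, struct sctp_chunkhdr *cp, int *nat_friendly)
{
	struct sctp_paramhdr *phdr, params;
	struct mbuf *mat, *op_err;
	char tempbuf[SCTP_PARAM_BUFFER_SIZE];
	int at, limit;
	uint16_t ptype, plen, padded_size, copy_len;
	int err_at;

	*abort_processing = 0;
	mat = in_initpkt;
	err_at = 0;
	limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
	at = param_offset;
	op_err = NULL;
	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
	phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
	/*
	 * NOTE(review): the cast makes a negative limit look large, so the
	 * loop is entered once more and the next header is then rejected by
	 * the (plen > limit) test below. That fails closed; it is kept as is
	 * because callers may depend on it -- confirm before tightening.
	 */
	while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
		ptype = ntohs(phdr->param_type);
		plen = ntohs(phdr->param_length);
		if ((plen > limit) || (plen < sizeof(struct sctp_paramhdr))) {
			/* wacked parameter */
			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error %d\n", plen);
			goto invalid_size;
		}
		limit -= SCTP_SIZE32(plen);
		/*-
		 * All parameters for all chunks that we know/understand are
		 * listed here. We process them other places and make
		 * appropriate stop actions per the upper bits. However this
		 * is the generic routine processor's can call to get back
		 * an operr.. to either incorporate (init-ack) or send.
		 */
		padded_size = SCTP_SIZE32(plen);
		switch (ptype) {
			/* Param's with variable size */
		case SCTP_HEARTBEAT_INFO:
		case SCTP_STATE_COOKIE:
		case SCTP_UNRECOG_PARAM:
		case SCTP_ERROR_CAUSE_IND:
			/* ok skip fwd */
			at += padded_size;
			break;
			/* Param's with variable size within a range */
		case SCTP_CHUNK_LIST:
		case SCTP_SUPPORTED_CHUNK_EXT:
			if (padded_size > (sizeof(struct sctp_supported_chunk_types_param) + (sizeof(uint8_t) * SCTP_MAX_SUPPORTED_EXT))) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error chklist %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_SUPPORTED_ADDRTYPE:
			if (padded_size > SCTP_MAX_ADDR_PARAMS_SIZE) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error supaddrtype %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_RANDOM:
			if (padded_size > (sizeof(struct sctp_auth_random) + SCTP_RANDOM_MAX_SIZE)) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error random %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_SET_PRIM_ADDR:
		case SCTP_DEL_IP_ADDRESS:
		case SCTP_ADD_IP_ADDRESS:
			if ((padded_size != sizeof(struct sctp_asconf_addrv4_param)) &&
			    (padded_size != sizeof(struct sctp_asconf_addr_param))) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error setprim %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
			/* Param's with a fixed size */
		case SCTP_IPV4_ADDRESS:
			if (padded_size != sizeof(struct sctp_ipv4addr_param)) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv4 addr %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_IPV6_ADDRESS:
			if (padded_size != sizeof(struct sctp_ipv6addr_param)) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv6 addr %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_COOKIE_PRESERVE:
			if (padded_size != sizeof(struct sctp_cookie_perserve_param)) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error cookie-preserve %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_HAS_NAT_SUPPORT:
			/* recorded before the size check that follows */
			*nat_friendly = 1;
			/* fall through */
		case SCTP_PRSCTP_SUPPORTED:
			if (padded_size != sizeof(struct sctp_paramhdr)) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error prsctp/nat support %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_ECN_CAPABLE:
			if (padded_size != sizeof(struct sctp_ecn_supported_param)) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ecn %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_ULP_ADAPTATION:
			if (padded_size != sizeof(struct sctp_adaptation_layer_indication)) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error adapatation %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_SUCCESS_REPORT:
			if (padded_size != sizeof(struct sctp_asconf_paramhdr)) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error success %d\n", plen);
				goto invalid_size;
			}
			at += padded_size;
			break;
		case SCTP_HOSTNAME_ADDRESS:
			/* We can NOT handle HOST NAME addresses!! */
			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
			*abort_processing = 1;
			if (op_err == NULL) {
				/* Ok need to try to get a mbuf */
				op_err = sctp_init_op_err_alloc((int)(plen + sizeof(struct sctp_paramhdr)));
			}
			if (op_err) {
				/*
				 * Only copy_len bytes are requested from
				 * sctp_get_next_param(), so only that many may
				 * be read through the pointer it returns.
				 */
				copy_len = (uint16_t)min(sizeof(tempbuf), plen);
				sctp_init_op_err_add_hdr(op_err, &err_at, SCTP_CAUSE_UNRESOLVABLE_ADDR, copy_len);
				phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, copy_len);
				if (phdr == NULL) {
					/*
					 * The parameter bytes could not be
					 * fetched; drop the half-built report.
					 */
					sctp_m_freem(op_err);
					return (NULL);
				}
				m_copyback(op_err, err_at, copy_len, (caddr_t)phdr);
			}
			return (op_err);
		default:
			/*
			 * we do not recognize the parameter figure out what
			 * we do.
			 */
			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Hit default param %x\n", ptype);
			if ((ptype & 0x4000) == 0x4000) {
				/* Report bit is set?? */
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "report op err\n");
				if (op_err == NULL) {
					/* Ok need to try to get an mbuf */
					op_err = sctp_init_op_err_alloc((int)(plen + sizeof(struct sctp_paramhdr)));
				}
				if (op_err) {
					/*
					 * At most sizeof(tempbuf) bytes of the
					 * parameter are echoed back. plen itself
					 * is left alone: it is still needed to
					 * step over the whole parameter below.
					 */
					copy_len = (uint16_t)min(sizeof(tempbuf), plen);
					sctp_init_op_err_add_hdr(op_err, &err_at, SCTP_UNRECOG_PARAM, copy_len);
					phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, copy_len);
					if (phdr == NULL) {
						/*
						 * The parameter bytes could not
						 * be fetched. Discard the report,
						 * but still decide below whether
						 * to continue the walk.
						 */
						sctp_m_freem(op_err);
						op_err = NULL;
						/* a later report starts in a fresh mbuf */
						err_at = 0;
						goto more_processing;
					}
					m_copyback(op_err, err_at, copy_len, (caddr_t)phdr);
					err_at += copy_len;
				}
			}
		more_processing:
			if ((ptype & 0x8000) == 0x0000) {
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "stop proc\n");
				return (op_err);
			} else {
				/* skip this chunk and continue processing */
				SCTPDBG(SCTP_DEBUG_OUTPUT1, "move on\n");
				at += padded_size;
			}
			break;

		}
		phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
	}
	return (op_err);
 invalid_size:
	SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
	*abort_processing = 1;
	if ((op_err == NULL) && phdr) {
		op_err = sctp_init_op_err_alloc((int)(2 * sizeof(struct sctp_paramhdr)));
	}
	if ((op_err) && phdr) {
		sctp_init_op_err_add_hdr(op_err, &err_at, SCTP_CAUSE_PROTOCOL_VIOLATION,
		    (uint16_t)sizeof(struct sctp_paramhdr));
		/* Only copy back the p-hdr that caused the issue */
		m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)phdr);
	}
	return (op_err);
}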
5497 
5498 static int
5499 sctp_are_there_new_addresses(struct sctp_association *asoc,
5500     struct mbuf *in_initpkt, int offset, struct sockaddr *src)
5501 {
5502 	/*
5503 	 * Given a INIT packet, look through the packet to verify that there
5504 	 * are NO new addresses. As we go through the parameters add reports
5505 	 * of any un-understood parameters that require an error.  Also we
5506 	 * must return (1) to drop the packet if we see a un-understood
5507 	 * parameter that tells us to drop the chunk.
5508 	 */
5509 	struct sockaddr *sa_touse;
5510 	struct sockaddr *sa;
5511 	struct sctp_paramhdr *phdr, params;
5512 	uint16_t ptype, plen;
5513 	uint8_t fnd;
5514 	struct sctp_nets *net;
5515 #ifdef INET
5516 	struct sockaddr_in sin4, *sa4;
5517 #endif
5518 #ifdef INET6
5519 	struct sockaddr_in6 sin6, *sa6;
5520 #endif
5521 
5522 #ifdef INET
5523 	memset(&sin4, 0, sizeof(sin4));
5524 	sin4.sin_family = AF_INET;
5525 #ifdef HAVE_SIN_LEN
5526 	sin4.sin_len = sizeof(sin4);
5527 #endif
5528 #endif
5529 #ifdef INET6
5530 	memset(&sin6, 0, sizeof(sin6));
5531 	sin6.sin6_family = AF_INET6;
5532 #ifdef HAVE_SIN6_LEN
5533 	sin6.sin6_len = sizeof(sin6);
5534 #endif
5535 #endif
5536 	/* First what about the src address of the pkt ? */
5537 	fnd = 0;
5538 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5539 		sa = (struct sockaddr *)&net->ro._l_addr;
5540 		if (sa->sa_family == src->sa_family) {
5541 #ifdef INET
5542 			if (sa->sa_family == AF_INET) {
5543 				struct sockaddr_in *src4;
5544 
5545 				sa4 = (struct sockaddr_in *)sa;
5546 				src4 = (struct sockaddr_in *)src;
5547 				if (sa4->sin_addr.s_addr == src4->sin_addr.s_addr) {
5548 					fnd = 1;
5549 					break;
5550 				}
5551 			}
5552 #endif
5553 #ifdef INET6
5554 			if (sa->sa_family == AF_INET6) {
5555 				struct sockaddr_in6 *src6;
5556 
5557 				sa6 = (struct sockaddr_in6 *)sa;
5558 				src6 = (struct sockaddr_in6 *)src;
5559 				if (SCTP6_ARE_ADDR_EQUAL(sa6, src6)) {
5560 					fnd = 1;
5561 					break;
5562 				}
5563 			}
5564 #endif
5565 		}
5566 	}
5567 	if (fnd == 0) {
5568 		/* New address added! no need to look futher. */
5569 		return (1);
5570 	}
5571 	/* Ok so far lets munge through the rest of the packet */
5572 	offset += sizeof(struct sctp_init_chunk);
5573 	phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5574 	while (phdr) {
5575 		sa_touse = NULL;
5576 		ptype = ntohs(phdr->param_type);
5577 		plen = ntohs(phdr->param_length);
5578 		switch (ptype) {
5579 #ifdef INET
5580 		case SCTP_IPV4_ADDRESS:
5581 		{
5582 			struct sctp_ipv4addr_param *p4, p4_buf;
5583 
5584 			phdr = sctp_get_next_param(in_initpkt, offset,
5585 			    (struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf));
5586 			if (plen != sizeof(struct sctp_ipv4addr_param) ||
5587 			    phdr == NULL) {
5588 				return (1);
5589 			}
5590 			p4 = (struct sctp_ipv4addr_param *)phdr;
5591 			sin4.sin_addr.s_addr = p4->addr;
5592 			sa_touse = (struct sockaddr *)&sin4;
5593 			break;
5594 		}
5595 #endif
5596 #ifdef INET6
5597 		case SCTP_IPV6_ADDRESS:
5598 		{
5599 			struct sctp_ipv6addr_param *p6, p6_buf;
5600 
5601 			phdr = sctp_get_next_param(in_initpkt, offset,
5602 			    (struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf));
5603 			if (plen != sizeof(struct sctp_ipv6addr_param) ||
5604 			    phdr == NULL) {
5605 				return (1);
5606 			}
5607 			p6 = (struct sctp_ipv6addr_param *)phdr;
5608 			memcpy((caddr_t)&sin6.sin6_addr, p6->addr,
5609 			    sizeof(p6->addr));
5610 			sa_touse = (struct sockaddr *)&sin6;
5611 			break;
5612 		}
5613 #endif
5614 		default:
5615 			sa_touse = NULL;
5616 			break;
5617 		}
5618 		if (sa_touse) {
5619 			/* ok, sa_touse points to one to check */
5620 			fnd = 0;
5621 			TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
5622 				sa = (struct sockaddr *)&net->ro._l_addr;
5623 				if (sa->sa_family != sa_touse->sa_family) {
5624 					continue;
5625 				}
5626 #ifdef INET
5627 				if (sa->sa_family == AF_INET) {
5628 					sa4 = (struct sockaddr_in *)sa;
5629 					if (sa4->sin_addr.s_addr ==
5630 					    sin4.sin_addr.s_addr) {
5631 						fnd = 1;
5632 						break;
5633 					}
5634 				}
5635 #endif
5636 #ifdef INET6
5637 				if (sa->sa_family == AF_INET6) {
5638 					sa6 = (struct sockaddr_in6 *)sa;
5639 					if (SCTP6_ARE_ADDR_EQUAL(
5640 					    sa6, &sin6)) {
5641 						fnd = 1;
5642 						break;
5643 					}
5644 				}
5645 #endif
5646 			}
5647 			if (!fnd) {
5648 				/* New addr added! no need to look further */
5649 				return (1);
5650 			}
5651 		}
5652 		offset += SCTP_SIZE32(plen);
5653 		phdr = sctp_get_next_param(in_initpkt, offset, &params, sizeof(params));
5654 	}
5655 	return (0);
5656 }
5657 
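/*
 * Given an mbuf chain that was sent to us containing an INIT, build an
 * INIT-ACK carrying a signed state cookie and send it back. We assume that
 * in_initpkt has been pulled up to include the IPv6/4 header, the SCTP header
 * and the initial part of the INIT message (i.e. the struct sctp_init_msg).
 *
 * inp            endpoint the INIT arrived on
 * stcb           existing association for this peer, or NULL
 * init_pkt       mbuf chain holding the received packet
 * iphlen         passed through to sctp_send_abort()
 * offset         offset of the INIT chunk inside init_pkt
 * src, dst       source and destination address of the received packet
 * sh             SCTP common header of the received packet
 * init_chk       the received INIT chunk
 * vrf_id, port   passed through to the address/abort/output helpers
 * hold_inp_lock  when non-zero, a reference is taken on inp and its read
 *                lock is dropped while the verification tag and initial TSN
 *                are selected, then re-taken
 *
 * The INIT is peer-controlled input. Everything derived from it is recorded
 * in the local state cookie (stc), which is zeroed before use and signed
 * with the endpoint's current secret key before the INIT-ACK is sent.
 *
 * Error paths: an ABORT is sent when an existing association (not in
 * COOKIE_WAIT) sees new addresses, when the parameter check sets abort_flag,
 * or when the destination address family is not handled. On every other
 * failure the function returns silently; each such return releases the
 * INIT-ACK mbuf (m) and any operational-error chain (op_err) that has not
 * yet been linked onto m, so a failing handshake does not leak mbufs.
 */
void
sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
                       struct mbuf *init_pkt, int iphlen, int offset,
                       struct sockaddr *src, struct sockaddr *dst,
                       struct sctphdr *sh, struct sctp_init_chunk *init_chk,
#if defined(__FreeBSD__)
		       uint8_t use_mflowid, uint32_t mflowid,
#endif
                       uint32_t vrf_id, uint16_t port, int hold_inp_lock)
{
	struct sctp_association *asoc;
	struct mbuf *m, *m_at, *m_tmp, *m_cookie, *op_err, *mp_last;
	struct sctp_init_ack_chunk *initack;
	struct sctp_adaptation_layer_indication *ali;
	struct sctp_ecn_supported_param *ecn;
	struct sctp_prsctp_supported_param *prsctp;
	struct sctp_supported_chunk_types_param *pr_supported;
	union sctp_sockstore *over_addr;
#ifdef INET
	struct sockaddr_in *dst4 = (struct sockaddr_in *)dst;
	struct sockaddr_in *src4 = (struct sockaddr_in *)src;
	struct sockaddr_in *sin;
#endif
#ifdef INET6
	struct sockaddr_in6 *dst6 = (struct sockaddr_in6 *)dst;
	struct sockaddr_in6 *src6 = (struct sockaddr_in6 *)src;
	struct sockaddr_in6 *sin6;
#endif
#if defined(__Userspace__)
	struct sockaddr_conn *dstconn = (struct sockaddr_conn *)dst;
	struct sockaddr_conn *srcconn = (struct sockaddr_conn *)src;
	struct sockaddr_conn *sconn;
#endif
	struct sockaddr *to;
	struct sctp_state_cookie stc;
	struct sctp_nets *net = NULL;
	uint8_t *signature = NULL;
	int cnt_inits_to = 0;
	uint16_t his_limit, i_want;
	int abort_flag, padval;
	int num_ext;
	int p_len;
	int nat_friendly = 0;
	struct socket *so;

	if (stcb) {
		asoc = &stcb->asoc;
	} else {
		asoc = NULL;
	}
	mp_last = NULL;
	if ((asoc != NULL) &&
	    (SCTP_GET_STATE(asoc) != SCTP_STATE_COOKIE_WAIT) &&
	    (sctp_are_there_new_addresses(asoc, init_pkt, offset, src))) {
		/* new addresses, out of here in non-cookie-wait states */
		/*
		 * Send a ABORT, we don't add the new address error clause
		 * though we even set the T bit and copy in the 0 tag.. this
		 * looks no different than if no listener was present.
		 */
		op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
		                             "Address added");
		sctp_send_abort(init_pkt, iphlen, src, dst, sh, 0, op_err,
#if defined(__FreeBSD__)
		                use_mflowid, mflowid,
#endif
		                vrf_id, port);
		return;
	}
	abort_flag = 0;
	/*
	 * Walk the INIT's optional parameters. A non-NULL op_err is an error
	 * chain owned by this function from here on; abort_flag tells us the
	 * INIT must be answered with an ABORT instead of an INIT-ACK.
	 */
	op_err = sctp_arethere_unrecognized_parameters(init_pkt,
						       (offset + sizeof(struct sctp_init_chunk)),
						       &abort_flag, (struct sctp_chunkhdr *)init_chk, &nat_friendly);
	if (abort_flag) {
	do_a_abort:
		/*
		 * Also reached by goto from the address-family switch below;
		 * that site frees m before jumping because nothing here
		 * references it.
		 */
		if (op_err == NULL) {
			char msg[SCTP_DIAG_INFO_LEN];

			snprintf(msg, sizeof(msg), "%s:%d at %s\n", __FILE__, __LINE__, __FUNCTION__);
			op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
			                             msg);
		}
		sctp_send_abort(init_pkt, iphlen, src, dst, sh,
				init_chk->init.initiate_tag, op_err,
#if defined(__FreeBSD__)
		                use_mflowid, mflowid,
#endif
		                vrf_id, port);
		return;
	}
	m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
	if (m == NULL) {
		/* No memory, INIT timer will re-attempt. */
		if (op_err)
			sctp_m_freem(op_err);
		return;
	}
	SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);

	/*
	 * We might not overwrite the identification[] completely and on
	 * some platforms time_entered will contain some padding.
	 * Therefore zero out the cookie to avoid putting
	 * uninitialized memory on the wire.
	 */
	memset(&stc, 0, sizeof(struct sctp_state_cookie));

	/* the time I built cookie */
	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);

	/* populate any tie tags */
	if (asoc != NULL) {
		/* take tie-tags, cookie life and primary path from the assoc */
		stc.tie_tag_my_vtag = asoc->my_vtag_nonce;
		stc.tie_tag_peer_vtag = asoc->peer_vtag_nonce;
		stc.cookie_life = asoc->cookie_life;
		net = asoc->primary_destination;
	} else {
		stc.tie_tag_my_vtag = 0;
		stc.tie_tag_peer_vtag = 0;
		/* life I will award this cookie */
		stc.cookie_life = inp->sctp_ep.def_cookie_life;
	}

	/* copy in the ports for later check */
	stc.myport = sh->dest_port;
	stc.peerport = sh->src_port;

	/*
	 * If we wanted to honor cookie life extensions, we would add to
	 * stc.cookie_life. For now we should NOT honor any extension
	 */
	stc.site_scope = stc.local_scope = stc.loopback_scope = 0;
	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
		stc.ipv6_addr_legal = 1;
		if (SCTP_IPV6_V6ONLY(inp)) {
			stc.ipv4_addr_legal = 0;
		} else {
			stc.ipv4_addr_legal = 1;
		}
#if defined(__Userspace__)
		stc.conn_addr_legal = 0;
#endif
	} else {
		stc.ipv6_addr_legal = 0;
#if defined(__Userspace__)
		if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_CONN) {
			stc.conn_addr_legal = 1;
			stc.ipv4_addr_legal = 0;
		} else {
			stc.conn_addr_legal = 0;
			stc.ipv4_addr_legal = 1;
		}
#else
		stc.ipv4_addr_legal = 1;
#endif
	}
#ifdef SCTP_DONT_DO_PRIVADDR_SCOPE
	stc.ipv4_scope = 1;
#else
	stc.ipv4_scope = 0;
#endif
	if (net == NULL) {
		/*
		 * No existing path: the cookie's peer and local addresses
		 * come straight from the received packet (src and dst).
		 */
		to = src;
		switch (dst->sa_family) {
#ifdef INET
		case AF_INET:
		{
			/* lookup address */
			stc.address[0] = src4->sin_addr.s_addr;
			stc.address[1] = 0;
			stc.address[2] = 0;
			stc.address[3] = 0;
			stc.addr_type = SCTP_IPV4_ADDRESS;
			/* local from address */
			stc.laddress[0] = dst4->sin_addr.s_addr;
			stc.laddress[1] = 0;
			stc.laddress[2] = 0;
			stc.laddress[3] = 0;
			stc.laddr_type = SCTP_IPV4_ADDRESS;
			/* scope_id is only for v6 */
			stc.scope_id = 0;
#ifndef SCTP_DONT_DO_PRIVADDR_SCOPE
			if (IN4_ISPRIVATE_ADDRESS(&src4->sin_addr)) {
				stc.ipv4_scope = 1;
			}
#else
			stc.ipv4_scope = 1;
#endif				/* SCTP_DONT_DO_PRIVADDR_SCOPE */
			/* Must use the address in this case */
			if (sctp_is_address_on_local_host(src, vrf_id)) {
				stc.loopback_scope = 1;
				stc.ipv4_scope = 1;
				stc.site_scope = 1;
				stc.local_scope = 0;
			}
			break;
		}
#endif
#ifdef INET6
		case AF_INET6:
		{
			stc.addr_type = SCTP_IPV6_ADDRESS;
			memcpy(&stc.address, &src6->sin6_addr, sizeof(struct in6_addr));
#if defined(__FreeBSD__) && (((__FreeBSD_version < 900000) && (__FreeBSD_version >= 804000)) || (__FreeBSD_version > 900000))
			stc.scope_id = in6_getscope(&src6->sin6_addr);
#else
			stc.scope_id = 0;
#endif
			if (sctp_is_address_on_local_host(src, vrf_id)) {
				stc.loopback_scope = 1;
				stc.local_scope = 0;
				stc.site_scope = 1;
				stc.ipv4_scope = 1;
			} else if (IN6_IS_ADDR_LINKLOCAL(&src6->sin6_addr)) {
				/*
				 * If the new destination is a LINK_LOCAL we
				 * must have common both site and local
				 * scope. Don't set local scope though since
				 * we must depend on the source to be added
				 * implicitly. We cannot assure just because
				 * we share one link that all links are
				 * common.
				 */
#if defined(__APPLE__)
				/* Mac OS X currently doesn't have in6_getscope() */
				stc.scope_id = src6->sin6_addr.s6_addr16[1];
#endif
				stc.local_scope = 0;
				stc.site_scope = 1;
				stc.ipv4_scope = 1;
				/*
				 * we start counting for the private address
				 * stuff at 1. since the link local we
				 * source from won't show up in our scoped
				 * count.
				 */
				cnt_inits_to = 1;
				/* pull out the scope_id from incoming pkt */
			} else if (IN6_IS_ADDR_SITELOCAL(&src6->sin6_addr)) {
				/*
				 * If the new destination is SITE_LOCAL then
				 * we must have site scope in common.
				 */
				stc.site_scope = 1;
			}
			memcpy(&stc.laddress, &dst6->sin6_addr, sizeof(struct in6_addr));
			stc.laddr_type = SCTP_IPV6_ADDRESS;
			break;
		}
#endif
#if defined(__Userspace__)
		case AF_CONN:
		{
			/* lookup address */
			stc.address[0] = 0;
			stc.address[1] = 0;
			stc.address[2] = 0;
			stc.address[3] = 0;
			memcpy(&stc.address, &srcconn->sconn_addr, sizeof(void *));
			stc.addr_type = SCTP_CONN_ADDRESS;
			/* local from address */
			stc.laddress[0] = 0;
			stc.laddress[1] = 0;
			stc.laddress[2] = 0;
			stc.laddress[3] = 0;
			memcpy(&stc.laddress, &dstconn->sconn_addr, sizeof(void *));
			stc.laddr_type = SCTP_CONN_ADDRESS;
			/* scope_id is only for v6 */
			stc.scope_id = 0;
			break;
		}
#endif
		default:
			/* TSNH */
			/*
			 * The abort path returns without touching m, so
			 * release the INIT-ACK buffer here or it is leaked.
			 */
			sctp_m_freem(m);
			goto do_a_abort;
			break;
		}
	} else {
		/* set the scope per the existing tcb */

#ifdef INET6
		struct sctp_nets *lnet;
#endif

		stc.loopback_scope = asoc->scope.loopback_scope;
		stc.ipv4_scope = asoc->scope.ipv4_local_scope;
		stc.site_scope = asoc->scope.site_scope;
		stc.local_scope = asoc->scope.local_scope;
#ifdef INET6
		/* Why do we not consider IPv4 LL addresses? */
		TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
			if (lnet->ro._l_addr.sin6.sin6_family == AF_INET6) {
				if (IN6_IS_ADDR_LINKLOCAL(&lnet->ro._l_addr.sin6.sin6_addr)) {
					/*
					 * if we have a LL address, start
					 * counting at 1.
					 */
					cnt_inits_to = 1;
				}
			}
		}
#endif
		/* use the net pointer */
		to = (struct sockaddr *)&net->ro._l_addr;
		switch (to->sa_family) {
#ifdef INET
		case AF_INET:
			sin = (struct sockaddr_in *)to;
			stc.address[0] = sin->sin_addr.s_addr;
			stc.address[1] = 0;
			stc.address[2] = 0;
			stc.address[3] = 0;
			stc.addr_type = SCTP_IPV4_ADDRESS;
			if (net->src_addr_selected == 0) {
				/*
				 * strange case here, the INIT should have
				 * done the selection.
				 */
				net->ro._s_addr = sctp_source_address_selection(inp,
										stcb, (sctp_route_t *)&net->ro,
										net, 0, vrf_id);
				if (net->ro._s_addr == NULL) {
					/*
					 * No usable source address: give up,
					 * but release the buffers we own.
					 */
					if (op_err)
						sctp_m_freem(op_err);
					sctp_m_freem(m);
					return;
				}

				net->src_addr_selected = 1;

			}
			stc.laddress[0] = net->ro._s_addr->address.sin.sin_addr.s_addr;
			stc.laddress[1] = 0;
			stc.laddress[2] = 0;
			stc.laddress[3] = 0;
			stc.laddr_type = SCTP_IPV4_ADDRESS;
			/* scope_id is only for v6 */
			stc.scope_id = 0;
			break;
#endif
#ifdef INET6
		case AF_INET6:
			sin6 = (struct sockaddr_in6 *)to;
			memcpy(&stc.address, &sin6->sin6_addr,
			       sizeof(struct in6_addr));
			stc.addr_type = SCTP_IPV6_ADDRESS;
			stc.scope_id = sin6->sin6_scope_id;
			if (net->src_addr_selected == 0) {
				/*
				 * strange case here, the INIT should have
				 * done the selection.
				 */
				net->ro._s_addr = sctp_source_address_selection(inp,
										stcb, (sctp_route_t *)&net->ro,
										net, 0, vrf_id);
				if (net->ro._s_addr == NULL) {
					/*
					 * No usable source address: give up,
					 * but release the buffers we own.
					 */
					if (op_err)
						sctp_m_freem(op_err);
					sctp_m_freem(m);
					return;
				}

				net->src_addr_selected = 1;
			}
			memcpy(&stc.laddress, &net->ro._s_addr->address.sin6.sin6_addr,
			       sizeof(struct in6_addr));
			stc.laddr_type = SCTP_IPV6_ADDRESS;
			break;
#endif
#if defined(__Userspace__)
		case AF_CONN:
			sconn = (struct sockaddr_conn *)to;
			stc.address[0] = 0;
			stc.address[1] = 0;
			stc.address[2] = 0;
			stc.address[3] = 0;
			memcpy(&stc.address, &sconn->sconn_addr, sizeof(void *));
			stc.addr_type = SCTP_CONN_ADDRESS;
			stc.laddress[0] = 0;
			stc.laddress[1] = 0;
			stc.laddress[2] = 0;
			stc.laddress[3] = 0;
			memcpy(&stc.laddress, &sconn->sconn_addr, sizeof(void *));
			stc.laddr_type = SCTP_CONN_ADDRESS;
			stc.scope_id = 0;
			break;
#endif
		}
	}
	/* Now lets put the SCTP header in place */
	initack = mtod(m, struct sctp_init_ack_chunk *);
	/* Save it off for quick ref */
	stc.peers_vtag = init_chk->init.initiate_tag;
	/* who are we */
	memcpy(stc.identification, SCTP_VERSION_STRING,
	       min(strlen(SCTP_VERSION_STRING), sizeof(stc.identification)));
	memset(stc.reserved, 0, SCTP_RESERVE_SPACE);
	/* now the chunk header */
	initack->ch.chunk_type = SCTP_INITIATION_ACK;
	initack->ch.chunk_flags = 0;
	/* fill in later from mbuf we build */
	initack->ch.chunk_length = 0;
	/* place in my tag */
	if ((asoc != NULL) &&
	    ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
	     (SCTP_GET_STATE(asoc) == SCTP_STATE_INUSE) ||
	     (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED))) {
		/* re-use the v-tags and init-seq here */
		initack->init.initiate_tag = htonl(asoc->my_vtag);
		initack->init.initial_tsn = htonl(asoc->init_seq_number);
	} else {
		uint32_t vtag, itsn;

		/*
		 * Tag selection runs without the inp read lock and without
		 * the TCB lock; the reference counts taken first keep inp
		 * and the association from going away meanwhile.
		 */
		if (hold_inp_lock) {
			SCTP_INP_INCR_REF(inp);
			SCTP_INP_RUNLOCK(inp);
		}
		if (asoc) {
			atomic_add_int(&asoc->refcnt, 1);
			SCTP_TCB_UNLOCK(stcb);
		new_tag:
			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
			if ((asoc->peer_supports_nat)  && (vtag == asoc->my_vtag)) {
				/* Got a duplicate vtag on some guy behind a nat
				 * make sure we don't use it.
				 */
				goto new_tag;
			}
			initack->init.initiate_tag = htonl(vtag);
			/* get a TSN to use too */
			itsn = sctp_select_initial_TSN(&inp->sctp_ep);
			initack->init.initial_tsn = htonl(itsn);
			SCTP_TCB_LOCK(stcb);
			atomic_add_int(&asoc->refcnt, -1);
		} else {
			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
			initack->init.initiate_tag = htonl(vtag);
			/* get a TSN to use too */
			initack->init.initial_tsn = htonl(sctp_select_initial_TSN(&inp->sctp_ep));
		}
		if (hold_inp_lock) {
			SCTP_INP_RLOCK(inp);
			SCTP_INP_DECR_REF(inp);
		}
	}
	/* save away my tag too (kept in network byte order) */
	stc.my_vtag = initack->init.initiate_tag;

	/* set up some of the credits. */
	so = inp->sctp_socket;
	if (so == NULL) {
		/*
		 * memory problem; op_err has not been linked onto m yet, so
		 * it has to be released separately.
		 */
		if (op_err)
			sctp_m_freem(op_err);
		sctp_m_freem(m);
		return;
	} else {
		initack->init.a_rwnd = htonl(max(SCTP_SB_LIMIT_RCV(so), SCTP_MINIMAL_RWND));
	}
	/* set what I want */
	his_limit = ntohs(init_chk->init.num_inbound_streams);
	/* choose what I want */
	if (asoc != NULL) {
		if (asoc->streamoutcnt > inp->sctp_ep.pre_open_stream_count) {
			i_want = asoc->streamoutcnt;
		} else {
			i_want = inp->sctp_ep.pre_open_stream_count;
		}
	} else {
		i_want = inp->sctp_ep.pre_open_stream_count;
	}
	if (his_limit < i_want) {
		/* I Want more :< (the peer's value is already in network order) */
		initack->init.num_outbound_streams = init_chk->init.num_inbound_streams;
	} else {
		/* I can have what I want :> */
		initack->init.num_outbound_streams = htons(i_want);
	}
	/* tell him his limit. */
	initack->init.num_inbound_streams =
		htons(inp->sctp_ep.max_open_streams_intome);

	/*
	 * From here on optional parameters are appended to the first mbuf
	 * and SCTP_BUF_LEN(m) is advanced after each one.
	 * NOTE(review): nothing below compares the running length with the
	 * MCLBYTES buffer requested above; this relies on the locally
	 * configured HMAC and auth-chunk lists being small -- confirm.
	 */

	/* adaptation layer indication parameter */
	if (inp->sctp_ep.adaptation_layer_indicator_provided) {
		ali = (struct sctp_adaptation_layer_indication *)((caddr_t)initack + sizeof(*initack));
		ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
		ali->ph.param_length = htons(sizeof(*ali));
		/* host-to-network conversion of a locally configured value */
		ali->indication = htonl(inp->sctp_ep.adaptation_layer_indicator);
		SCTP_BUF_LEN(m) += sizeof(*ali);
		ecn = (struct sctp_ecn_supported_param *)((caddr_t)ali + sizeof(*ali));
	} else {
		ecn = (struct sctp_ecn_supported_param *)((caddr_t)initack + sizeof(*initack));
	}

	/* ECN parameter */
	if (((asoc != NULL) && (asoc->ecn_allowed == 1)) ||
	    (inp->sctp_ecn_enable == 1)) {
		ecn->ph.param_type = htons(SCTP_ECN_CAPABLE);
		ecn->ph.param_length = htons(sizeof(*ecn));
		SCTP_BUF_LEN(m) += sizeof(*ecn);

		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn +
								sizeof(*ecn));
	} else {
		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn);
	}
	/* And now tell the peer we do  pr-sctp */
	prsctp->ph.param_type = htons(SCTP_PRSCTP_SUPPORTED);
	prsctp->ph.param_length = htons(sizeof(*prsctp));
	SCTP_BUF_LEN(m) += sizeof(*prsctp);
	if (nat_friendly) {
		/* Add NAT friendly parameter */
		struct sctp_paramhdr *ph;

		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t) + SCTP_BUF_LEN(m));
		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
		ph->param_length = htons(sizeof(struct sctp_paramhdr));
		SCTP_BUF_LEN(m) += sizeof(struct sctp_paramhdr);
	}
	/* And now tell the peer we do all the extensions */
	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t) + SCTP_BUF_LEN(m));
	pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
	num_ext = 0;
	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
	pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
	pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
	pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
	if (!SCTP_BASE_SYSCTL(sctp_auth_disable))
		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
	if (SCTP_BASE_SYSCTL(sctp_nr_sack_on_off))
		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
	p_len = sizeof(*pr_supported) + num_ext;
	pr_supported->ph.param_length = htons(p_len);
	/* zero the pad bytes so no stale buffer contents go on the wire */
	bzero((caddr_t)pr_supported + p_len, SCTP_SIZE32(p_len) - p_len);
	SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);

	/* add authentication parameters */
	if (!SCTP_BASE_SYSCTL(sctp_auth_disable)) {
		struct sctp_auth_random *randp;
		struct sctp_auth_hmac_algo *hmacs;
		struct sctp_auth_chunk_list *chunks;
		uint16_t random_len;

		/* generate and add RANDOM parameter */
		random_len = SCTP_AUTH_RANDOM_SIZE_DEFAULT;
		randp = (struct sctp_auth_random *)(mtod(m, caddr_t) + SCTP_BUF_LEN(m));
		randp->ph.param_type = htons(SCTP_RANDOM);
		p_len = sizeof(*randp) + random_len;
		randp->ph.param_length = htons(p_len);
		SCTP_READ_RANDOM(randp->random_data, random_len);
		/* zero out any padding required */
		bzero((caddr_t)randp + p_len, SCTP_SIZE32(p_len) - p_len);
		SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);

		/* add HMAC_ALGO parameter */
		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t) + SCTP_BUF_LEN(m));
		p_len = sctp_serialize_hmaclist(inp->sctp_ep.local_hmacs,
						(uint8_t *) hmacs->hmac_ids);
		if (p_len > 0) {
			p_len += sizeof(*hmacs);
			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
			hmacs->ph.param_length = htons(p_len);
			/* zero out any padding required */
			bzero((caddr_t)hmacs + p_len, SCTP_SIZE32(p_len) - p_len);
			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
		}
		/* add CHUNKS parameter */
		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t) + SCTP_BUF_LEN(m));
		p_len = sctp_serialize_auth_chunks(inp->sctp_ep.local_auth_chunks,
						   chunks->chunk_types);
		if (p_len > 0) {
			p_len += sizeof(*chunks);
			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
			chunks->ph.param_length = htons(p_len);
			/* zero out any padding required */
			bzero((caddr_t)chunks + p_len, SCTP_SIZE32(p_len) - p_len);
			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
		}
	}
	m_at = m;
	/* now the addresses */
	{
		struct sctp_scoping scp;
		/* To optimize this we could put the scoping stuff
		 * into a structure and remove the individual uint8's from
		 * the stc structure. Then we could just pass in the
		 * address within the stc.. but for now this is a quick
		 * hack to get the address stuff teased apart.
		 */
		scp.ipv4_addr_legal = stc.ipv4_addr_legal;
		scp.ipv6_addr_legal = stc.ipv6_addr_legal;
#if defined(__Userspace__)
		scp.conn_addr_legal = stc.conn_addr_legal;
#endif
		scp.loopback_scope = stc.loopback_scope;
		scp.ipv4_local_scope = stc.ipv4_scope;
		scp.local_scope = stc.local_scope;
		scp.site_scope = stc.site_scope;
		m_at = sctp_add_addresses_to_i_ia(inp, stcb, &scp, m_at, cnt_inits_to, NULL, NULL);
	}

	/* tack on the operational error if present */
	if (op_err) {
		struct mbuf *ol;
		int llen;
		llen = 0;
		ol = op_err;

		while (ol) {
			llen += SCTP_BUF_LEN(ol);
			ol = SCTP_BUF_NEXT(ol);
		}
		if (llen % 4) {
			/* must add a pad to the param */
			uint32_t cpthis = 0;
			int padlen;

			padlen = 4 - (llen % 4);
			m_copyback(op_err, llen, padlen, (caddr_t)&cpthis);
		}
		while (SCTP_BUF_NEXT(m_at) != NULL) {
			m_at = SCTP_BUF_NEXT(m_at);
		}
		/* op_err now belongs to the chain rooted at m */
		SCTP_BUF_NEXT(m_at) = op_err;
		while (SCTP_BUF_NEXT(m_at) != NULL) {
			m_at = SCTP_BUF_NEXT(m_at);
		}
	}
	/* pre-calculate the size and update pkt header and chunk header */
	p_len = 0;
	for (m_tmp = m; m_tmp; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
		p_len += SCTP_BUF_LEN(m_tmp);
		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
			/* m_tmp should now point to last one */
			break;
		}
	}

	/* Now we must build a cookie */
	m_cookie = sctp_add_cookie(init_pkt, offset, m, 0, &stc, &signature);
	if (m_cookie == NULL) {
		/* memory problem */
		sctp_m_freem(m);
		return;
	}
	/* Now append the cookie to the end and update the space/size */
	SCTP_BUF_NEXT(m_tmp) = m_cookie;

	for (m_tmp = m_cookie; m_tmp; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
		p_len += SCTP_BUF_LEN(m_tmp);
		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
			/* m_tmp should now point to last one */
			mp_last = m_tmp;
			break;
		}
	}
	/* Place in the size, but we don't include
	 * the last pad (if any) in the INIT-ACK.
	 */
	initack->ch.chunk_length = htons(p_len);

	/* Time to sign the cookie, we don't sign over the cookie
	 * signature though thus we set trailer.
	 * NOTE(review): the return value of sctp_hmac_m() is discarded;
	 * confirm a failure there cannot leave the signature bytes unset.
	 */
	(void)sctp_hmac_m(SCTP_HMAC,
			  (uint8_t *)inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
			  SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
			  (uint8_t *)signature, SCTP_SIGNATURE_SIZE);
	/*
	 * We pass 0 here to NOT set IP_DF if its IPv4, we ignore the return
	 * here since the timer will drive a retransmission.
	 */
	padval = p_len % 4;
	if ((padval) && (mp_last)) {
		/* pad the last cookie mbuf (mp_last) to a 4-byte boundary */
		if (sctp_add_pad_tombuf(mp_last, (4 - padval))) {
			/* Houston we have a problem, no space */
			sctp_m_freem(m);
			return;
		}
	}
	if (stc.loopback_scope) {
		over_addr = (union sctp_sockstore *)dst;
	} else {
		over_addr = NULL;
	}

	(void)sctp_lowlevel_chunk_output(inp, NULL, NULL, to, m, 0, NULL, 0, 0,
	                                 0, 0,
	                                 inp->sctp_lport, sh->src_port, init_chk->init.initiate_tag,
	                                 port, over_addr,
#if defined(__FreeBSD__)
	                                 use_mflowid, mflowid,
#endif
	                                 SCTP_SO_NOT_LOCKED);
	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
}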
6352 
6353 
/*
 * Try to reclaim at least 'dataout' bytes of buffer space by releasing
 * PR-SCTP chunks that use the buffer-limited policy.
 *
 * The sent queue is scanned first, then the send queue. A chunk is released
 * when its policy is buffer-limited, its stored priority value
 * (timetodrop.tv_sec; lower numbers mean higher priority) is greater than or
 * equal to that of the message being sent (srcv->sinfo_timetolive), and it
 * still holds data. Scanning stops as soon as the space handed back by
 * sctp_release_pr_sctp_chunk() reaches 'dataout'.
 *
 * Nothing is done unless the peer supports PR-SCTP and the association has
 * removable chunks on its sent queue. The TCB lock must be held.
 */
static void
sctp_prune_prsctp(struct sctp_tcb *stcb,
    struct sctp_association *asoc,
    struct sctp_sndrcvinfo *srcv,
    int dataout)
{
	struct sctp_tmit_chunk *chk, *nchk;
	int reclaimed = 0;
	int got;

	SCTP_TCB_LOCK_ASSERT(stcb);
	if (!(asoc->peer_supports_prsctp) ||
	    !(asoc->sent_queue_cnt_removeable > 0)) {
		/* PR-SCTP not in use, or nothing removable */
		return;
	}

	/* Pass 1: chunks on the sent queue. */
	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
		uint8_t sent;

		if (!(PR_SCTP_BUF_ENABLED(chk->flags))) {
			/* not a buffer-limited PR-SCTP chunk */
			continue;
		}
		if (!(chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive)) {
			/* higher priority than the new message: keep it */
			continue;
		}
		if (!chk->data) {
			/* no mbuf attached, so no book_size to release */
			continue;
		}
		/* tell the release routine whether the chunk has left UNSENT */
		sent = (chk->sent > SCTP_DATAGRAM_UNSENT) ? 1 : 0;
		got = sctp_release_pr_sctp_chunk(stcb, chk, sent,
		    SCTP_SO_LOCKED);
		reclaimed += got;
		if (reclaimed >= dataout) {
			return;
		}
	}

	/*
	 * Pass 2: chunks still on the send queue. Released chunks get moved
	 * to the sent queue and marked, hence the _SAFE iteration.
	 */
	TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
		if (!(PR_SCTP_BUF_ENABLED(chk->flags))) {
			continue;
		}
		if (!(chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive)) {
			continue;
		}
		if (!chk->data) {
			continue;
		}
		got = sctp_release_pr_sctp_chunk(stcb, chk, 0,
		    SCTP_SO_LOCKED);
		reclaimed += got;
		if (reclaimed >= dataout) {
			return;
		}
	}
}
6434 
/*
 * Compute the fragmentation point for an association: the largest DATA
 * payload size, rounded down to a multiple of four, that fits once the
 * per-packet overhead has been taken off.
 *
 * The starting size is the smaller of the association's configured
 * sctp_frag_point and its smallest path MTU. When DATA chunks must be
 * authenticated towards this peer, the length of the AUTH chunk is
 * subtracted as well. A clamp to MCLBYTES - sizeof(struct sctp_data_chunk)
 * exists only as commented-out code in the original and is not applied.
 */
int
sctp_get_frag_point(struct sctp_tcb *stcb,
    struct sctp_association *asoc)
{
	int ovh;
	int siz;

	/*
	 * Endpoints bound to v6 may carry both v6 and v4 addresses, so room
	 * is reserved for the IPv6 header; v4-only endpoints get the
	 * smaller overhead and therefore a larger frag point.
	 */
	ovh = (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) ?
	    SCTP_MED_OVERHEAD : SCTP_MED_V4_OVERHEAD;

	if (stcb->asoc.sctp_frag_point > asoc->smallest_mtu) {
		/* the path MTU is the tighter limit */
		siz = asoc->smallest_mtu - ovh;
	} else {
		siz = (stcb->asoc.sctp_frag_point - ovh);
	}

	/* leave room for an AUTH chunk if DATA requires auth */
	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
		siz -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
	}

	/* trim to a word boundary; subtracts zero when already aligned */
	siz -= (siz % 4);
	return (siz);
}
6473 
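/*
 * Record the PR-SCTP policy of a pending message in sp->act_flags and
 * prepare sp->ts for that policy.
 *
 * If the sender set no PR-SCTP policy but gave a positive lifetime, the TTL
 * policy is assumed and set in sp->sinfo_flags. With no policy and no
 * positive lifetime the message is left untouched.
 *
 * sp->ts afterwards holds, depending on the policy:
 *   BUF  the priority (sp->timetolive) in tv_sec
 *   TTL  the current time plus sp->timetolive, which the conversion below
 *        treats as milliseconds
 *   RTX  the number of retransmissions (sp->timetolive) in tv_sec
 * Any other policy value is only reported through SCTPDBG.
 */
static void
sctp_set_prsctp_policy(struct sctp_stream_queue_pending *sp)
{
	/*
	 * We assume that the user wants PR_SCTP_TTL if the user
	 * provides a positive lifetime but does not specify any
	 * PR_SCTP policy.
	 */
	if (PR_SCTP_ENABLED(sp->sinfo_flags)) {
		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
	} else if (sp->timetolive > 0) {
		sp->sinfo_flags |= SCTP_PR_SCTP_TTL;
		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
	} else {
		return;
	}
	switch (PR_SCTP_POLICY(sp->sinfo_flags)) {
	case CHUNK_FLAGS_PR_SCTP_BUF:
		/*
		 * Time to live is a priority stored in tv_sec when
		 * doing the buffer drop thing.
		 */
		sp->ts.tv_sec = sp->timetolive;
		sp->ts.tv_usec = 0;
		break;
	case CHUNK_FLAGS_PR_SCTP_TTL:
	{
		struct timeval tv;

		(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
		tv.tv_sec = sp->timetolive / 1000;
		/*
		 * Take the sub-second remainder before scaling to
		 * microseconds. Scaling first (timetolive * 1000) can wrap
		 * for large lifetimes if timetolive is a 32-bit type, and
		 * the wrapped product gives a wrong tv_usec; for values
		 * that do not wrap both forms give the same result.
		 */
		tv.tv_usec = (sp->timetolive % 1000) * 1000;
		/* TODO sctp_constants.h needs alternative time macros when
		 *  _KERNEL is undefined.
		 */
#ifndef __FreeBSD__
		timeradd(&sp->ts, &tv, &sp->ts);
#else
		timevaladd(&sp->ts, &tv);
#endif
		break;
	}
	case CHUNK_FLAGS_PR_SCTP_RTX:
		/*
		 * Time to live is the number of retransmissions
		 * stored in tv_sec.
		 */
		sp->ts.tv_sec = sp->timetolive;
		sp->ts.tv_usec = 0;
		break;
	default:
		SCTPDBG(SCTP_DEBUG_USRREQ1,
			"Unknown PR_SCTP policy %u.\n",
			PR_SCTP_POLICY(sp->sinfo_flags));
		break;
	}
}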
6530 
/*
 * Queue a complete message, given as an mbuf chain, on one outgoing stream
 * of the association and register it with the stream scheduler.
 *
 * stcb            association the message is sent on.
 * net             destination recorded (with a reference) when
 *                 SCTP_ADDR_OVER is set in srcv->sinfo_flags; ignored
 *                 otherwise.
 * m               message data. Ownership always passes to this function:
 *                 on success the chain is attached to the queue entry, on
 *                 any error it is freed here.
 * srcv            send parameters (stream, flags, lifetime, ppid, context,
 *                 optional key number).
 * hold_stcb_lock  when zero the TCB send lock is taken around the queue
 *                 insertion; presumably non-zero means the caller already
 *                 holds it -- confirm against callers.
 *
 * Returns 0 on success, EINVAL for an out-of-range stream or a stream other
 * than the one the association is locked on, ECONNRESET when the
 * association is shutting down, and ENOMEM when no queue entry could be
 * allocated.
 *
 * NOTE(review): a caller-supplied sinfo_keynumber is used as the auth key id
 * without a check in this function; validation presumably happens in the
 * caller or in sctp_auth_key_acquire() -- confirm.
 */
static int
sctp_msg_append(struct sctp_tcb *stcb,
		struct sctp_nets *net,
		struct mbuf *m,
		struct sctp_sndrcvinfo *srcv, int hold_stcb_lock)
{
	struct sctp_stream_queue_pending *sp = NULL;
	struct sctp_stream_out *strm;
	struct mbuf *cur;
	int error = 0;

	/* The stream number indexes strmout[] below, so bound it first. */
	if (srcv->sinfo_stream >= stcb->asoc.streamoutcnt) {
		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
		error = EINVAL;
		goto out_now;
	}
	/* While locked on a stream, only that stream may be written. */
	if ((stcb->asoc.stream_locked) &&
	    (stcb->asoc.stream_locked_on != srcv->sinfo_stream)) {
		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
		error = EINVAL;
		goto out_now;
	}
	strm = &stcb->asoc.strmout[srcv->sinfo_stream];

	/* No new data is accepted once shutdown has begun. */
	if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
	    (stcb->asoc.state & SCTP_STATE_SHUTDOWN_PENDING)) {
		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
		error = ECONNRESET;
		goto out_now;
	}

	sctp_alloc_a_strmoq(stcb, sp);
	if (sp == NULL) {
		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		error = ENOMEM;
		goto out_now;
	}

	/* Copy the per-message send parameters. */
	sp->sinfo_flags = srcv->sinfo_flags;
	sp->timetolive = srcv->sinfo_timetolive;
	sp->ppid = srcv->sinfo_ppid;
	sp->context = srcv->sinfo_context;

	/* Pin the destination only when the caller overrides the address. */
	sp->net = NULL;
	if (sp->sinfo_flags & SCTP_ADDR_OVER) {
		sp->net = net;
		atomic_add_int(&sp->net->ref_count, 1);
	}
	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
	sp->stream = srcv->sinfo_stream;
	sp->msg_is_complete = 1;
	sp->sender_all_done = 1;
	sp->some_taken = 0;
	sp->data = m;
	sp->tail_mbuf = NULL;
	sctp_set_prsctp_policy(sp);

	/*
	 * Walk the chain once to total the length and remember the last
	 * mbuf. Even if a caller could pass the length in (sendall), the
	 * walk would still be needed to find the tail.
	 */
	sp->length = 0;
	for (cur = m; cur != NULL; cur = SCTP_BUF_NEXT(cur)) {
		sp->length += SCTP_BUF_LEN(cur);
		if (SCTP_BUF_NEXT(cur) == NULL) {
			sp->tail_mbuf = cur;
		}
	}

	/* Use the caller's key number if given, else the active key. */
	sp->auth_keyid = srcv->sinfo_keynumber_valid ?
	    srcv->sinfo_keynumber : stcb->asoc.authinfo.active_keyid;
	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
		sctp_auth_key_acquire(stcb, sp->auth_keyid);
		sp->holds_key_ref = 1;
	}

	if (!hold_stcb_lock) {
		SCTP_TCB_SEND_LOCK(stcb);
	}
	sctp_snd_sb_alloc(stcb, sp->length);
	atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
	TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
	stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, &stcb->asoc, strm, sp, 1);
	/* The queue entry owns the chain now; do not free it below. */
	m = NULL;
	if (!hold_stcb_lock) {
		SCTP_TCB_SEND_UNLOCK(stcb);
	}
out_now:
	if (m != NULL) {
		sctp_m_freem(m);
	}
	return (error);
}
6629 
6630 
/*
 * Append the contents of clonechain to outchain and return the head of the
 * resulting chain, or NULL on failure.
 *
 * clonechain     data to append.
 * outchain       chain being built; may be NULL, in which case a new chain
 *                is started.
 * endofchain     in/out pointer to the last mbuf of outchain; updated to the
 *                new last mbuf. Must not be NULL.
 * can_take_mbuf  non-zero: link clonechain itself onto outchain (no copy).
 * sizeofcpy      number of bytes of clonechain to copy in the byte-copy case.
 * copy_by_ref    non-zero: never byte-copy, always use SCTP_M_COPYM.
 *
 * When clonechain may not be taken, small payloads (not copy_by_ref and
 * sizeofcpy no larger than the sysctl-derived threshold) are byte-copied
 * into the trailing space of the last mbuf, spilling into one freshly
 * allocated mbuf if needed; everything else is duplicated with
 * SCTP_M_COPYM. On __Panda__ the byte-copy case is compiled out.
 *
 * On every failure path outchain is freed and NULL is returned; clonechain
 * is not freed by this function.
 */
static struct mbuf *
sctp_copy_mbufchain(struct mbuf *clonechain,
		    struct mbuf *outchain,
		    struct mbuf **endofchain,
		    int can_take_mbuf,
		    int sizeofcpy,
		    uint8_t copy_by_ref)
{
	struct mbuf *m;
	struct mbuf *appendchain;
	caddr_t cp;
	int len;

	if (endofchain == NULL) {
		/* error */
		/* error_out is also the jump target for allocation failures below */
	error_out:
		if (outchain)
			sctp_m_freem(outchain);
		return (NULL);
	}
	if (can_take_mbuf) {
		appendchain = clonechain;
	} else {
		if (!copy_by_ref &&
#if defined(__Panda__)
		    0
#else
		    (sizeofcpy <= (int)((((SCTP_BASE_SYSCTL(sctp_mbuf_threshold_count) - 1) * MLEN) + MHLEN)))
#endif
		    ) {
			/* Its not in a cluster */
			if (*endofchain == NULL) {
				/* lets get a mbuf cluster */
				if (outchain == NULL) {
					/* This is the general case */
				new_mbuf:
					outchain = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
					if (outchain == NULL) {
						goto error_out;
					}
					SCTP_BUF_LEN(outchain) = 0;
					*endofchain = outchain;
					/* get the prepend space */
					SCTP_BUF_RESV_UF(outchain, (SCTP_FIRST_MBUF_RESV+4));
				} else {
					/* We really should not get a NULL in endofchain */
					/* find end */
					m = outchain;
					while (m) {
						if (SCTP_BUF_NEXT(m) == NULL) {
							*endofchain = m;
							break;
						}
						m = SCTP_BUF_NEXT(m);
					}
					/* sanity */
					if (*endofchain == NULL) {
						/* huh, TSNH XXX maybe we should panic */
						sctp_m_freem(outchain);
						goto new_mbuf;
					}
				}
				/* get the new end of length */
				len = M_TRAILINGSPACE(*endofchain);
			} else {
				/* how much is left at the end? */
				len = M_TRAILINGSPACE(*endofchain);
			}
			/* Find the end of the data, for appending */
			cp = (mtod((*endofchain), caddr_t) + SCTP_BUF_LEN((*endofchain)));

			/* Now lets copy it out */
			if (len >= sizeofcpy) {
				/* It all fits, copy it in */
				m_copydata(clonechain, 0, sizeofcpy, cp);
				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
			} else {
				/* fill up the end of the chain */
				if (len > 0) {
					m_copydata(clonechain, 0, len, cp);
					SCTP_BUF_LEN((*endofchain)) += len;
					/* now we need another one */
					sizeofcpy -= len;
				}
				m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_HEADER);
				if (m == NULL) {
					/* We failed */
					goto error_out;
				}
				SCTP_BUF_NEXT((*endofchain)) = m;
				*endofchain = m;
				cp = mtod((*endofchain), caddr_t);
				/*
				 * NOTE(review): the remainder is copied into the
				 * fresh mbuf without comparing sizeofcpy against its
				 * trailing space. This stays in bounds only while the
				 * threshold derived from the sctp_mbuf_threshold_count
				 * sysctl is no larger than what the new mbuf holds --
				 * confirm the sysctl's upper bound. The offset `len`
				 * is also used when len <= 0; presumably
				 * M_TRAILINGSPACE never goes negative -- confirm.
				 */
				m_copydata(clonechain, len, sizeofcpy, cp);
				/*
				 * NOTE(review): unlike the new_mbuf path, the length
				 * of this mbuf is not zeroed before the increment;
				 * presumably sctp_get_mbuf_for_msg() returns it with
				 * length 0 -- confirm.
				 */
				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
			}
			return (outchain);
		} else {
			/* copy the old fashion way */
			appendchain = SCTP_M_COPYM(clonechain, 0, M_COPYALL, M_NOWAIT);
#ifdef SCTP_MBUF_LOGGING
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
				struct mbuf *mat;

				for (mat = appendchain; mat; mat = SCTP_BUF_NEXT(mat)) {
					if (SCTP_BUF_IS_EXTENDED(mat)) {
						sctp_log_mb(mat, SCTP_MBUF_ICOPY);
					}
				}
			}
#endif
		}
	}
	/* appendchain is NULL if the copy failed or clonechain itself was NULL */
	if (appendchain == NULL) {
		/* error */
		if (outchain)
			sctp_m_freem(outchain);
		return (NULL);
	}
	if (outchain) {
		/* tack on to the end */
		if (*endofchain != NULL) {
			SCTP_BUF_NEXT(((*endofchain))) = appendchain;
		} else {
			/* caller did not track the tail: walk outchain to find it */
			m = outchain;
			while (m) {
				if (SCTP_BUF_NEXT(m) == NULL) {
					SCTP_BUF_NEXT(m) = appendchain;
					break;
				}
				m = SCTP_BUF_NEXT(m);
			}
		}
		/*
		 * save off the end and update the end-chain
		 * position
		 */
		m = appendchain;
		while (m) {
			if (SCTP_BUF_NEXT(m) == NULL) {
				*endofchain = m;
				break;
			}
			m = SCTP_BUF_NEXT(m);
		}
		return (outchain);
	} else {
		/* save off the end and update the end-chain position */
		m = appendchain;
		while (m) {
			if (SCTP_BUF_NEXT(m) == NULL) {
				*endofchain = m;
				break;
			}
			m = SCTP_BUF_NEXT(m);
		}
		return (appendchain);
	}
}
6789 
/*
 * Forward declaration: sctp_sendall_iterator() below calls this function
 * before its definition has been seen. so_locked is marked SCTP_UNUSED
 * except on __APPLE__ or when SCTP_SO_LOCK_TESTING is defined.
 */
static int
sctp_med_chunk_output(struct sctp_inpcb *inp,
		      struct sctp_tcb *stcb,
		      struct sctp_association *asoc,
		      int *num_out,
		      int *reason_code,
		      int control_only, int from_where,
		      struct timeval *now, int *now_filled, int frag_point, int so_locked
#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
		      SCTP_UNUSED
#endif
                      );
6802 
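/*
 * Per-association callback of the SCTP_SENDALL iterator.
 *
 * ptr is the struct sctp_copy_all prepared by sctp_sendall(). For each
 * association of the endpoint the shared message (ca->m) is duplicated and
 * then, depending on ca->sndrcv.sinfo_flags:
 *   - SCTP_ABORT: the association is aborted, with the copied data sent as
 *     the user-initiated abort cause;
 *   - otherwise the copy is queued with sctp_msg_append(), and with
 *     SCTP_EOF a shutdown is started (or SHUTDOWN-PENDING is set while data
 *     is still queued).
 * Finally chunk output is kicked, and ca->cnt_sent or ca->cnt_failed is
 * incremented.
 *
 * The TCB lock is asserted to be held on entry.
 */
static void
sctp_sendall_iterator(struct sctp_inpcb *inp, struct sctp_tcb *stcb, void *ptr,
    uint32_t val SCTP_UNUSED)
{
	struct sctp_copy_all *ca;
	struct mbuf *m;
	int ret = 0;
	int added_control = 0;
	int un_sent, do_chunk_output = 1;
	struct sctp_association *asoc;
	struct sctp_nets *net;

	ca = (struct sctp_copy_all *)ptr;
	if (ca->m == NULL) {
		return;
	}
	if (ca->inp != inp) {
		/* TSNH */
		return;
	}
	if (ca->sndlen > 0) {
		/* Every association gets its own copy of the message. */
		m = SCTP_M_COPYM(ca->m, 0, M_COPYALL, M_NOWAIT);
		if (m == NULL) {
			/* can't copy so we are done */
			ca->cnt_failed++;
			return;
		}
#ifdef SCTP_MBUF_LOGGING
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
			struct mbuf *mat;

			for (mat = m; mat; mat = SCTP_BUF_NEXT(mat)) {
				if (SCTP_BUF_IS_EXTENDED(mat)) {
					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
				}
			}
		}
#endif
	} else {
		m = NULL;
	}
	SCTP_TCB_LOCK_ASSERT(stcb);
	if (stcb->asoc.alternate) {
		net = stcb->asoc.alternate;
	} else {
		net = stcb->asoc.primary_destination;
	}
	if (ca->sndrcv.sinfo_flags & SCTP_ABORT) {
		/* Abort this assoc with m as the user defined reason */
		if (m != NULL) {
			SCTP_BUF_PREPEND(m, sizeof(struct sctp_paramhdr), M_NOWAIT);
		} else {
			m = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
			                          0, M_NOWAIT, 1, MT_DATA);
			/*
			 * The allocation is M_NOWAIT and may fail; only touch
			 * the mbuf when we actually got one. On failure the
			 * abort below is sent without a cause.
			 */
			if (m != NULL) {
				SCTP_BUF_LEN(m) = sizeof(struct sctp_paramhdr);
			}
		}
		if (m != NULL) {
			struct sctp_paramhdr *ph;

			ph = mtod(m, struct sctp_paramhdr *);
			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
			/*
			 * NOTE(review): param_length is a 16-bit field; a
			 * sndlen that does not fit is silently truncated by
			 * htons(). Presumably the send length is bounded
			 * before we get here -- confirm.
			 */
			ph->param_length = htons(sizeof(struct sctp_paramhdr) + ca->sndlen);
		}
		/* We add one here to keep the assoc from
		 * dis-appearing on us.
		 */
		atomic_add_int(&stcb->asoc.refcnt, 1);
		sctp_abort_an_association(inp, stcb, m, SCTP_SO_NOT_LOCKED);
		/* sctp_abort_an_association calls sctp_free_asoc()
		 * free association will NOT free it since we
		 * incremented the refcnt .. we do this to prevent
		 * it being freed and things getting tricky since
		 * we could end up (from free_asoc) calling inpcb_free
		 * which would get a recursive lock call to the
		 * iterator lock.. But as a consequence of that the
		 * stcb will return to us un-locked.. since free_asoc
		 * returns with either no TCB or the TCB unlocked, we
		 * must relock.. to unlock in the iterator timer :-0
		 */
		SCTP_TCB_LOCK(stcb);
		atomic_add_int(&stcb->asoc.refcnt, -1);
		goto no_chunk_output;
	} else {
		if (m) {
			/* sctp_msg_append() consumes m on success and on failure. */
			ret = sctp_msg_append(stcb, net, m,
					      &ca->sndrcv, 1);
		}
		asoc = &stcb->asoc;
		if (ca->sndrcv.sinfo_flags & SCTP_EOF) {
			/* shutdown this assoc */
			int cnt;
			cnt = sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED);

			if (TAILQ_EMPTY(&asoc->send_queue) &&
			    TAILQ_EMPTY(&asoc->sent_queue) &&
			    (cnt == 0)) {
				if (asoc->locked_on_sending) {
					goto abort_anyway;
				}
				/* there is nothing queued to send, so I'm done... */
				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
					/* only send SHUTDOWN the first time through */
					if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
						SCTP_STAT_DECR_GAUGE32(sctps_currestab);
					}
					SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
					SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
					sctp_stop_timers_for_shutdown(stcb);
					sctp_send_shutdown(stcb, net);
					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
							 net);
					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
							 asoc->primary_destination);
					added_control = 1;
					do_chunk_output = 0;
				}
			} else {
				/*
				 * we still got (or just got) data to send, so set
				 * SHUTDOWN_PENDING
				 */
				/*
				 * XXX sockets draft says that SCTP_EOF should be
				 * sent with no data.  currently, we will allow user
				 * data to be sent first and move to
				 * SHUTDOWN-PENDING
				 */
				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
					if (asoc->locked_on_sending) {
						/* Locked to send out the data */
						struct sctp_stream_queue_pending *sp;
						sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
						if (sp) {
							if ((sp->length == 0) && (sp->msg_is_complete == 0))
								asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
						}
					}
					asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
					if (TAILQ_EMPTY(&asoc->send_queue) &&
					    TAILQ_EMPTY(&asoc->sent_queue) &&
					    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
					abort_anyway:
						/*
						 * NOTE(review): the SCTP_ABORT path
						 * above re-takes the TCB lock after
						 * sctp_abort_an_association() because
						 * the stcb comes back unlocked; this
						 * path does not. Confirm whether a
						 * relock is needed here as well.
						 */
						atomic_add_int(&stcb->asoc.refcnt, 1);
						sctp_abort_an_association(stcb->sctp_ep, stcb,
									  NULL, SCTP_SO_NOT_LOCKED);
						atomic_add_int(&stcb->asoc.refcnt, -1);
						goto no_chunk_output;
					}
					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
							 asoc->primary_destination);
				}
			}

		}
	}
	/* Bytes queued but not yet in flight, plus one DATA header per queued message. */
	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
		   (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));

	/*
	 * With NODELAY off, hold back while data is in flight and less than
	 * a full packet is waiting.
	 */
	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
	    (stcb->asoc.total_flight > 0) &&
	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
		do_chunk_output = 0;
	}
	if (do_chunk_output)
		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_NOT_LOCKED);
	else if (added_control) {
		/* Only control chunks (the SHUTDOWN) need to go out. */
		int num_out = 0, reason = 0, now_filled = 0;
		struct timeval now;
		int frag_point;
		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
				      &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_NOT_LOCKED);
	}
 no_chunk_output:
	if (ret) {
		ca->cnt_failed++;
	} else {
		ca->cnt_sent++;
	}
}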
6987 
/*
 * Completion callback of the SCTP_SENDALL iterator: releases the shared
 * message and the sctp_copy_all bookkeeping structure passed as ptr.
 *
 * No notification is raised for failed sends. The only failures are memory
 * related, and if no mbuf could be obtained to send the data, one could
 * hardly be obtained to notify the user either.
 */
static void
sctp_sendall_completes(void *ptr, uint32_t val SCTP_UNUSED)
{
	struct sctp_copy_all *ca = ptr;

	/* Free the master copy first, then the structure that owns it. */
	sctp_m_freem(ca->m);
	SCTP_FREE(ca, SCTP_M_COPYAL);
}
7007 
7008 
/*
 * Reserve leading space in mbuf `m` via SCTP_BUF_RESV_UF: the amount is
 * MCLBYTES minus `len`, rounded down to a multiple of sizeof(long).
 * Presumably this places an object of `len` bytes at the end of a cluster,
 * long-aligned -- confirm against SCTP_BUF_RESV_UF.
 *
 * NOTE(review): `m` is not parenthesized in the expansion and `len` is not
 * checked against MCLBYTES; pass a plain mbuf pointer and a length no
 * larger than a cluster.
 */
#define	MC_ALIGN(m, len) do {						\
	SCTP_BUF_RESV_UF(m, ((MCLBYTES - (len)) & ~(sizeof(long) - 1));	\
} while (0)
7012 
7013 
7014 
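/*
 * Copy `len` bytes from the user I/O vector `uio` into a newly allocated
 * mbuf chain and return its head, or NULL on failure.
 *
 * The first mbuf is requested with MCLBYTES of space; each following mbuf
 * is requested for the number of bytes still outstanding. Each mbuf is
 * filled up to its trailing space. A `len` of zero or less yields a single
 * empty mbuf.
 *
 * On any failure the whole chain built so far is released.
 *
 * NOTE(review): `len` is not bounded in this function and the allocations
 * use M_WAITOK, so the caller controls how much mbuf memory is requested;
 * presumably the caller limits the send size -- confirm.
 */
static struct mbuf *
sctp_copy_out_all(struct uio *uio, int len)
{
	struct mbuf *ret, *at;
	int left, willcpy, cancpy, error;

	ret = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_WAITOK, 1, MT_DATA);
	if (ret == NULL) {
		/* TSNH */
		return (NULL);
	}
	left = len;
	SCTP_BUF_LEN(ret) = 0;
	/* how much fits into this mbuf? */
	cancpy = M_TRAILINGSPACE(ret);
	willcpy = min(cancpy, left);
	at = ret;
	while (left > 0) {
		/* Fill the current mbuf from user space. */
		error = uiomove(mtod(at, caddr_t), willcpy, uio);
		if (error) {
			goto err_out_now;
		}
		SCTP_BUF_LEN(at) = willcpy;
		SCTP_BUF_NEXT_PKT(at) = SCTP_BUF_NEXT(at) = 0;
		left -= willcpy;
		if (left > 0) {
			SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg(left, 0, M_WAITOK, 1, MT_DATA);
			if (SCTP_BUF_NEXT(at) == NULL) {
				goto err_out_now;
			}
			at = SCTP_BUF_NEXT(at);
			SCTP_BUF_LEN(at) = 0;
			cancpy = M_TRAILINGSPACE(at);
			willcpy = min(cancpy, left);
		}
	}
	return (ret);

err_out_now:
	/*
	 * Free from the head of the chain. Freeing only from `at` would leak
	 * every mbuf filled before it and leave the previous mbuf pointing
	 * at freed memory.
	 */
	sctp_m_freem(ret);
	return (NULL);
}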
7056 
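/*
 * Start an SCTP_SENDALL operation: send one message to every association
 * of the endpoint `inp`.
 *
 * The message comes either from `uio` (copied into a private mbuf chain
 * stored in ca->m) or from the mbuf chain `m`. The send parameters are
 * copied from `srcv` with the SCTP_SENDALL flag cleared, and an iterator is
 * started that calls sctp_sendall_iterator() per association and
 * sctp_sendall_completes() at the end, which frees the bookkeeping
 * structure and ca->m.
 *
 * Returns 0 when the iterator was started, ENOMEM when the bookkeeping
 * structure or the copy of the user data could not be allocated, and EFAULT
 * when the iterator could not be started.
 *
 * NOTE(review): in the mbuf (non-uio) case only the length is gathered;
 * ca->m is never set to `m`, so sctp_sendall_iterator() returns immediately
 * for every association and `m` is neither sent nor freed. Confirm whether
 * this path is used.
 * NOTE(review): `m` is freed on the first error path only. Ownership of `m`
 * on the other error paths depends on the caller -- confirm.
 * NOTE(review): the uio residual is passed on as an int length with no
 * upper bound visible here; presumably the caller limits the send size --
 * confirm.
 */
static int
sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, struct mbuf *m,
    struct sctp_sndrcvinfo *srcv)
{
	int ret;
	struct sctp_copy_all *ca;

	SCTP_MALLOC(ca, struct sctp_copy_all *, sizeof(struct sctp_copy_all),
		    SCTP_M_COPYAL);
	if (ca == NULL) {
		sctp_m_freem(m);
		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		return (ENOMEM);
	}
	memset(ca, 0, sizeof(struct sctp_copy_all));

	ca->inp = inp;
	if (srcv) {
		/* Only the non-padded leading part of the structure is copied. */
		memcpy(&ca->sndrcv, srcv, sizeof(struct sctp_nonpad_sndrcvinfo));
	}
	/*
	 * take off the sendall flag, it would be bad if we failed to do
	 * this :-0
	 */
	ca->sndrcv.sinfo_flags &= ~SCTP_SENDALL;
	/* get length and mbuf chain */
	if (uio) {
#if defined(__APPLE__)
#if defined(APPLE_LEOPARD)
		ca->sndlen = uio->uio_resid;
#else
		ca->sndlen = uio_resid(uio);
#endif
#else
		ca->sndlen = uio->uio_resid;
#endif
		/* On Apple the socket lock is dropped while copying user data. */
#if defined(__APPLE__)
		SCTP_SOCKET_UNLOCK(SCTP_INP_SO(inp), 0);
#endif
		ca->m = sctp_copy_out_all(uio, ca->sndlen);
#if defined(__APPLE__)
		SCTP_SOCKET_LOCK(SCTP_INP_SO(inp), 0);
#endif
		if (ca->m == NULL) {
			SCTP_FREE(ca, SCTP_M_COPYAL);
			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
			return (ENOMEM);
		}
	} else {
		/* Gather the length of the send */
		struct mbuf *mat;

		ca->sndlen = 0;
		for (mat = m; mat; mat = SCTP_BUF_NEXT(mat)) {
			ca->sndlen += SCTP_BUF_LEN(mat);
		}
	}
	ret = sctp_initiate_iterator(NULL, sctp_sendall_iterator, NULL,
				     SCTP_PCB_ANY_FLAGS, SCTP_PCB_ANY_FEATURES,
				     SCTP_ASOC_ANY_STATE,
				     (void *)ca, 0,
				     sctp_sendall_completes, inp, 1);
	if (ret) {
		SCTP_PRINTF("Failed to initiate iterator for sendall\n");
		/*
		 * ca is released right here, so the completion callback will
		 * not free ca->m for us; release the copied user data before
		 * the only pointer to it goes away.
		 */
		if (ca->m != NULL) {
			sctp_m_freem(ca->m);
			ca->m = NULL;
		}
		SCTP_FREE(ca, SCTP_M_COPYAL);
		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
		return (EFAULT);
	}
	return (0);
}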
7127 
7128 
/*
 * Drop every COOKIE-ECHO chunk from the association's control send queue,
 * releasing its data and the chunk itself and keeping ctrl_queue_cnt in
 * step.
 */
void
sctp_toss_old_cookies(struct sctp_tcb *stcb, struct sctp_association *asoc)
{
	struct sctp_tmit_chunk *cur, *following;

	TAILQ_FOREACH_SAFE(cur, &asoc->control_send_queue, sctp_next, following) {
		if (cur->rec.chunk_id.id != SCTP_COOKIE_ECHO) {
			continue;
		}
		TAILQ_REMOVE(&asoc->control_send_queue, cur, sctp_next);
		if (cur->data != NULL) {
			sctp_m_freem(cur->data);
			/* clear the pointer so the chunk cannot reach freed data */
			cur->data = NULL;
		}
		asoc->ctrl_queue_cnt--;
		sctp_free_a_chunk(stcb, cur, SCTP_SO_NOT_LOCKED);
	}
}
7146 
/*
 * Remove acknowledged ASCONF chunks from the association's ASCONF send
 * queue.
 *
 * The queue is scanned from the front; the scan stops at the first ASCONF
 * chunk whose serial number is newer than asconf_seq_out_acked, since it
 * has not been acknowledged yet. ASCONF chunks without data are removed as
 * well.
 *
 * NOTE(review): the serial number is read through mtod() on chk->data,
 * which assumes the ASCONF header lies in the first mbuf -- confirm.
 */
void
sctp_toss_old_asconf(struct sctp_tcb *stcb)
{
	struct sctp_association *asoc = &stcb->asoc;
	struct sctp_tmit_chunk *cur, *following;
	struct sctp_asconf_chunk *hdr;

	TAILQ_FOREACH_SAFE(cur, &asoc->asconf_send_queue, sctp_next, following) {
		/* only SCTP_ASCONF chunks are of interest */
		if (cur->rec.chunk_id.id != SCTP_ASCONF) {
			continue;
		}
		if (cur->data != NULL) {
			hdr = mtod(cur->data, struct sctp_asconf_chunk *);
			if (SCTP_TSN_GT(ntohl(hdr->serial_number), asoc->asconf_seq_out_acked)) {
				/* Not Acked yet */
				break;
			}
		}
		TAILQ_REMOVE(&asoc->asconf_send_queue, cur, sctp_next);
		if (cur->data != NULL) {
			sctp_m_freem(cur->data);
			cur->data = NULL;
		}
		asoc->ctrl_queue_cnt--;
		sctp_free_a_chunk(stcb, cur, SCTP_SO_NOT_LOCKED);
	}
}
7175 
7176 
/*
 * Book-keeping after a bundle of DATA chunks has been handed to the
 * network: move each of the first `bundle_at` entries of `data_list` from
 * the send queue to the sent queue and update the flight and window
 * accounting.
 *
 * For every chunk this
 *   - clears do_rtt on all but the first chunk of the bundle,
 *   - records the send time and the cwnd of `net`,
 *   - binds the chunk to `net` (taking a reference) if it has no
 *     destination yet,
 *   - inserts it into the sent queue in TSN order,
 *   - marks it sent, raises flight size and total flight, and
 *   - reduces the peer's receive window, forcing it to zero once it drops
 *     below the sender-side SWS threshold.
 * Afterwards the congestion-control module is told that a packet was
 * transmitted, if it provides such a hook.
 */
static void
sctp_clean_up_datalist(struct sctp_tcb *stcb,
    struct sctp_association *asoc,
    struct sctp_tmit_chunk **data_list,
    int bundle_at,
    struct sctp_nets *net)
{
	struct sctp_tmit_chunk *chk, *pos, *prev;
	int idx;

	for (idx = 0; idx < bundle_at; idx++) {
		chk = data_list[idx];

		/* off of the send queue */
		TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next);
		asoc->send_queue_cnt--;
		if (idx != 0) {
			/*
			 * Only the first chunk of a bundle may carry an RTT
			 * measurement; its flag was set or cleared by the
			 * sender depending on whether one is needed.
			 */
			chk->do_rtt = 0;
		}
		/* record time */
		chk->sent_rcv_time = net->last_sent_time;
		chk->rec.data.cwnd_at_send = net->cwnd;
		chk->rec.data.fast_retran_tsn = chk->rec.data.TSN_seq;
		if (chk->whoTo == NULL) {
			chk->whoTo = net;
			atomic_add_int(&net->ref_count, 1);
		}

		/* on to the sent queue, keeping it ordered by TSN */
		pos = TAILQ_LAST(&asoc->sent_queue, sctpchunk_listhead);
		if ((pos == NULL) ||
		    !SCTP_TSN_GT(pos->rec.data.TSN_seq, chk->rec.data.TSN_seq)) {
			TAILQ_INSERT_TAIL(&asoc->sent_queue, chk, sctp_next);
		} else {
			/* walk backwards until an entry with a TSN not greater than ours */
			for (;;) {
				prev = TAILQ_PREV(pos, sctpchunk_listhead, sctp_next);
				if (prev == NULL) {
					/* reached the head: we are the new first entry */
					TAILQ_INSERT_BEFORE(pos, chk, sctp_next);
					break;
				}
				pos = prev;
				if (!SCTP_TSN_GT(pos->rec.data.TSN_seq, chk->rec.data.TSN_seq)) {
					TAILQ_INSERT_AFTER(&asoc->sent_queue, pos, chk, sctp_next);
					break;
				}
			}
		}

		/* This does not lower until the cum-ack passes it */
		asoc->sent_queue_cnt++;
		if ((asoc->peers_rwnd <= 0) &&
		    (asoc->total_flight == 0) &&
		    (bundle_at == 1)) {
			/* A lone chunk into a closed window is a window probe */
			SCTP_STAT_INCR(sctps_windowprobed);
		}
#ifdef SCTP_AUDITING_ENABLED
		sctp_audit_log(0xC2, 3);
#endif
		chk->sent = SCTP_DATAGRAM_SENT;
		chk->snd_count = 1;
		chk->rec.data.chunk_was_revoked = 0;
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
			sctp_misc_ints(SCTP_FLIGHT_LOG_UP,
				       chk->whoTo->flight_size,
				       chk->book_size,
				       (uintptr_t)chk->whoTo,
				       chk->rec.data.TSN_seq);
		}
		sctp_flight_size_increase(chk);
		sctp_total_flight_increase(stcb, chk);
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
			sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
			      asoc->peers_rwnd, chk->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
		}
		asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
						    (uint32_t) (chk->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
		if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
			/* SWS sender side engages */
			asoc->peers_rwnd = 0;
		}
	}
	if (asoc->cc_functions.sctp_cwnd_update_packet_transmitted) {
		(*asoc->cc_functions.sctp_cwnd_update_packet_transmitted)(stcb, net);
	}
}
7268 
/*
 * Purge stray control chunks from the association's control send queue.
 *
 * Chunks of the listed types (SACK, NR-SACK, HEARTBEAT request/ack,
 * FORWARD-TSN, SHUTDOWN, SHUTDOWN-ACK, OPERATION-ERROR, PACKET-DROPPED,
 * COOKIE-ACK, ECN-CWR, ASCONF-ACK) are always removed. A STREAM-RESET chunk
 * is removed unless it is the one tracked in asoc->str_reset. All other
 * chunk types stay queued.
 *
 * For each removed chunk the data is freed, ctrl_queue_cnt is decremented
 * (and fwd_tsn_cnt for FORWARD-TSN), and the chunk is released.
 */
static void
sctp_clean_up_ctl(struct sctp_tcb *stcb, struct sctp_association *asoc, int so_locked
#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
	SCTP_UNUSED
#endif
)
{
	struct sctp_tmit_chunk *cur, *following;

	TAILQ_FOREACH_SAFE(cur, &asoc->control_send_queue, sctp_next, following) {
		switch (cur->rec.chunk_id.id) {
		case SCTP_SELECTIVE_ACK:
		case SCTP_NR_SELECTIVE_ACK:	/* EY */
		case SCTP_HEARTBEAT_REQUEST:
		case SCTP_HEARTBEAT_ACK:
		case SCTP_FORWARD_CUM_TSN:
		case SCTP_SHUTDOWN:
		case SCTP_SHUTDOWN_ACK:
		case SCTP_OPERATION_ERROR:
		case SCTP_PACKET_DROPPED:
		case SCTP_COOKIE_ACK:
		case SCTP_ECN_CWR:
		case SCTP_ASCONF_ACK:
			/* Stray chunks must be cleaned up */
			break;
		case SCTP_STREAM_RESET:
			/* keep only the stream reset request still being tracked */
			if (cur == asoc->str_reset) {
				continue;
			}
			break;
		default:
			continue;
		}
		TAILQ_REMOVE(&asoc->control_send_queue, cur, sctp_next);
		if (cur->data != NULL) {
			sctp_m_freem(cur->data);
			cur->data = NULL;
		}
		asoc->ctrl_queue_cnt--;
		if (cur->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
			asoc->fwd_tsn_cnt--;
		}
		sctp_free_a_chunk(stcb, cur, so_locked);
	}
}
7310 
7311 
/*
 * Decide whether, and at what size, an incomplete message should be split
 * so that part of it can be sent now.
 *
 * length      bytes currently available in the message.
 * goal_mtu    space left in the packet being built.
 * frag_point  fragmentation point of the association.
 * eeor_on     non-zero when explicit EOR mode is in use.
 *
 * Returns the number of bytes to move, or 0 when the message should not be
 * split at this time.
 */
static int
sctp_can_we_split_this(struct sctp_tcb *stcb,
                       uint32_t length,
                       uint32_t goal_mtu, uint32_t frag_point, int eeor_on)
{
	if (eeor_on) {
		/*
		 * In EEOR mode what is queued may be all the sender will
		 * give us for now.
		 */
		if (goal_mtu < length) {
			/* You can fill the rest */
			return (goal_mtu);
		}
		/*
		 * Everything fits. Send it only if nothing is in flight;
		 * with data outstanding the arriving SACK gives another
		 * chance to transmit, so wait for more data.
		 */
		return ((stcb->asoc.total_flight == 0) ? length : 0);
	}
	/*
	 * A send buffer smaller than the fragmentation point can never hold
	 * a full message, so splitting must be allowed.
	 */
	if (SCTP_SB_LIMIT_SND(stcb->sctp_socket) < frag_point) {
		return (length);
	}

	/* It fits as it is: no split in non-EEOR mode. */
	if (length <= goal_mtu) {
		return (0);
	}
	/*
	 * length > goal_mtu from here on, so the unsigned subtraction cannot
	 * wrap. A residual below the configured minimum is not worth a split.
	 */
	if ((length - goal_mtu) < SCTP_BASE_SYSCTL(sctp_min_residual)) {
		return (0);
	}
	/* Split only if the available space reaches the minimum split point. */
	if (goal_mtu < min(SCTP_BASE_SYSCTL(sctp_min_split_point), frag_point)) {
		/* Nope, can't split */
		return (0);
	}
	/* Its ok to split it */
	return (min(goal_mtu, frag_point));
}
7371 
7372 static uint32_t
7373 sctp_move_to_outqueue(struct sctp_tcb *stcb,
7374                       struct sctp_stream_out *strq,
7375                       uint32_t goal_mtu,
7376                       uint32_t frag_point,
7377                       int *locked,
7378                       int *giveup,
7379                       int eeor_mode,
7380                       int *bail,
7381                       int so_locked
7382 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
7383                       SCTP_UNUSED
7384 #endif
7385 	)
7386 {
7387 	/* Move from the stream to the send_queue keeping track of the total */
7388 	struct sctp_association *asoc;
7389 	struct sctp_stream_queue_pending *sp;
7390 	struct sctp_tmit_chunk *chk;
7391 	struct sctp_data_chunk *dchkh;
7392 	uint32_t to_move, length;
7393 	uint8_t rcv_flags = 0;
7394 	uint8_t some_taken;
7395 	uint8_t send_lock_up = 0;
7396 
7397 	SCTP_TCB_LOCK_ASSERT(stcb);
7398 	asoc = &stcb->asoc;
7399 one_more_time:
7400 	/*sa_ignore FREED_MEMORY*/
7401 	sp = TAILQ_FIRST(&strq->outqueue);
7402 	if (sp == NULL) {
7403 		*locked = 0;
7404 		if (send_lock_up == 0) {
7405 			SCTP_TCB_SEND_LOCK(stcb);
7406 			send_lock_up = 1;
7407 		}
7408 		sp = TAILQ_FIRST(&strq->outqueue);
7409 		if (sp) {
7410 			goto one_more_time;
7411 		}
7412 		if (strq->last_msg_incomplete) {
7413 			SCTP_PRINTF("Huh? Stream:%d lm_in_c=%d but queue is NULL\n",
7414 			            strq->stream_no,
7415 			            strq->last_msg_incomplete);
7416 			strq->last_msg_incomplete = 0;
7417 		}
7418 		to_move = 0;
7419 		if (send_lock_up) {
7420 			SCTP_TCB_SEND_UNLOCK(stcb);
7421 			send_lock_up = 0;
7422 		}
7423 		goto out_of;
7424 	}
7425 	if ((sp->msg_is_complete) && (sp->length == 0)) {
7426 		if (sp->sender_all_done) {
7427 			/* We are doing differed cleanup. Last
7428 			 * time through when we took all the data
7429 			 * the sender_all_done was not set.
7430 			 */
7431 			if ((sp->put_last_out == 0) && (sp->discard_rest == 0)) {
7432 				SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
7433 				SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
7434 				            sp->sender_all_done,
7435 				            sp->length,
7436 				            sp->msg_is_complete,
7437 				            sp->put_last_out,
7438 				            send_lock_up);
7439 			}
7440 			if ((TAILQ_NEXT(sp, next) == NULL) && (send_lock_up  == 0)) {
7441 				SCTP_TCB_SEND_LOCK(stcb);
7442 				send_lock_up = 1;
7443 			}
7444 			atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7445 			TAILQ_REMOVE(&strq->outqueue, sp, next);
7446 			stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp, send_lock_up);
7447 			if (sp->net) {
7448 				sctp_free_remote_addr(sp->net);
7449 				sp->net = NULL;
7450 			}
7451 			if (sp->data) {
7452 				sctp_m_freem(sp->data);
7453 				sp->data = NULL;
7454 			}
7455 			sctp_free_a_strmoq(stcb, sp, so_locked);
7456 			/* we can't be locked to it */
7457 			*locked = 0;
7458 			stcb->asoc.locked_on_sending = NULL;
7459 			if (send_lock_up) {
7460 				SCTP_TCB_SEND_UNLOCK(stcb);
7461 				send_lock_up = 0;
7462 			}
7463 			/* back to get the next msg */
7464 			goto one_more_time;
7465 		} else {
7466 			/* sender just finished this but
7467 			 * still holds a reference
7468 			 */
7469 			*locked = 1;
7470 			*giveup = 1;
7471 			to_move = 0;
7472 			goto out_of;
7473 		}
7474 	} else {
7475 		/* is there some to get */
7476 		if (sp->length == 0) {
7477 			/* no */
7478 			*locked = 1;
7479 			*giveup = 1;
7480 			to_move = 0;
7481 			goto out_of;
7482 		} else if (sp->discard_rest) {
7483 			if (send_lock_up == 0) {
7484 				SCTP_TCB_SEND_LOCK(stcb);
7485 				send_lock_up = 1;
7486 			}
7487 			/* Whack down the size */
7488 			atomic_subtract_int(&stcb->asoc.total_output_queue_size, sp->length);
7489 			if ((stcb->sctp_socket != NULL) &&	     \
7490 			    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
7491 			     (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL))) {
7492 				atomic_subtract_int(&stcb->sctp_socket->so_snd.sb_cc, sp->length);
7493 			}
7494 			if (sp->data) {
7495 				sctp_m_freem(sp->data);
7496 				sp->data = NULL;
7497 				sp->tail_mbuf = NULL;
7498 			}
7499 			sp->length = 0;
7500 			sp->some_taken = 1;
7501 			*locked = 1;
7502 			*giveup = 1;
7503 			to_move = 0;
7504 			goto out_of;
7505 		}
7506 	}
7507 	some_taken = sp->some_taken;
7508 	if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
7509 		sp->msg_is_complete = 1;
7510 	}
7511 re_look:
7512 	length = sp->length;
7513 	if (sp->msg_is_complete) {
7514 		/* The message is complete */
7515 		to_move = min(length, frag_point);
7516 		if (to_move == length) {
7517 			/* All of it fits in the MTU */
7518 			if (sp->some_taken) {
7519 				rcv_flags |= SCTP_DATA_LAST_FRAG;
7520 				sp->put_last_out = 1;
7521 			} else {
7522 				rcv_flags |= SCTP_DATA_NOT_FRAG;
7523 				sp->put_last_out = 1;
7524 			}
7525 		} else {
7526 			/* Not all of it fits, we fragment */
7527 			if (sp->some_taken == 0) {
7528 				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7529 			}
7530 			sp->some_taken = 1;
7531 		}
7532 	} else {
7533 		to_move = sctp_can_we_split_this(stcb, length, goal_mtu, frag_point, eeor_mode);
7534 		if (to_move) {
7535 			/*-
7536 			 * We use a snapshot of length in case it
7537 			 * is expanding during the compare.
7538 			 */
7539 			uint32_t llen;
7540 
7541 			llen = length;
7542 			if (to_move >= llen) {
7543 				to_move = llen;
7544 				if (send_lock_up == 0) {
7545 					/*-
7546 					 * We are taking all of an incomplete msg
7547 					 * thus we need a send lock.
7548 					 */
7549 					SCTP_TCB_SEND_LOCK(stcb);
7550 					send_lock_up = 1;
7551 					if (sp->msg_is_complete) {
7552 						/* the sender finished the msg */
7553 						goto re_look;
7554 					}
7555 				}
7556 			}
7557 			if (sp->some_taken == 0) {
7558 				rcv_flags |= SCTP_DATA_FIRST_FRAG;
7559 				sp->some_taken = 1;
7560 			}
7561 		} else {
7562 			/* Nothing to take. */
7563 			if (sp->some_taken) {
7564 				*locked = 1;
7565 			}
7566 			*giveup = 1;
7567 			to_move = 0;
7568 			goto out_of;
7569 		}
7570 	}
7571 
7572 	/* If we reach here, we can copy out a chunk */
7573 	sctp_alloc_a_chunk(stcb, chk);
7574 	if (chk == NULL) {
7575 		/* No chunk memory */
7576 		*giveup = 1;
7577 		to_move = 0;
7578 		goto out_of;
7579 	}
7580 	/* Setup for unordered if needed by looking
7581 	 * at the user sent info flags.
7582 	 */
7583 	if (sp->sinfo_flags & SCTP_UNORDERED) {
7584 		rcv_flags |= SCTP_DATA_UNORDERED;
7585 	}
7586 	if ((SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) && ((sp->sinfo_flags & SCTP_EOF) == SCTP_EOF)) ||
7587 	    ((sp->sinfo_flags & SCTP_SACK_IMMEDIATELY) == SCTP_SACK_IMMEDIATELY)) {
7588 		rcv_flags |= SCTP_DATA_SACK_IMMEDIATELY;
7589 	}
7590 	/* clear out the chunk before setting up */
7591 	memset(chk, 0, sizeof(*chk));
7592 	chk->rec.data.rcv_flags = rcv_flags;
7593 
7594 	if (to_move >= length) {
7595 		/* we think we can steal the whole thing */
7596 		if ((sp->sender_all_done == 0) && (send_lock_up == 0)) {
7597 			SCTP_TCB_SEND_LOCK(stcb);
7598 			send_lock_up = 1;
7599 		}
7600 		if (to_move < sp->length) {
7601 			/* bail, it changed */
7602 			goto dont_do_it;
7603 		}
7604 		chk->data = sp->data;
7605 		chk->last_mbuf = sp->tail_mbuf;
7606 		/* register the stealing */
7607 		sp->data = sp->tail_mbuf = NULL;
7608 	} else {
7609 		struct mbuf *m;
7610 	dont_do_it:
7611 		chk->data = SCTP_M_COPYM(sp->data, 0, to_move, M_NOWAIT);
7612 		chk->last_mbuf = NULL;
7613 		if (chk->data == NULL) {
7614 			sp->some_taken = some_taken;
7615 			sctp_free_a_chunk(stcb, chk, so_locked);
7616 			*bail = 1;
7617 			to_move = 0;
7618 			goto out_of;
7619 		}
7620 #ifdef SCTP_MBUF_LOGGING
7621 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
7622 			struct mbuf *mat;
7623 
7624 			for (mat = chk->data; mat; mat = SCTP_BUF_NEXT(mat)) {
7625 				if (SCTP_BUF_IS_EXTENDED(mat)) {
7626 					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
7627 				}
7628 			}
7629 		}
7630 #endif
7631 		/* Pull off the data */
7632 		m_adj(sp->data, to_move);
7633 		/* Now lets work our way down and compact it */
7634 		m = sp->data;
7635 		while (m && (SCTP_BUF_LEN(m) == 0)) {
7636 			sp->data  = SCTP_BUF_NEXT(m);
7637 			SCTP_BUF_NEXT(m) = NULL;
7638 			if (sp->tail_mbuf == m) {
7639 				/*-
7640 				 * Freeing tail? TSNH since
7641 				 * we supposedly were taking less
7642 				 * than the sp->length.
7643 				 */
7644 #ifdef INVARIANTS
7645 				panic("Huh, freing tail? - TSNH");
7646 #else
7647 				SCTP_PRINTF("Huh, freeing tail? - TSNH\n");
7648 				sp->tail_mbuf = sp->data = NULL;
7649 				sp->length = 0;
7650 #endif
7651 
7652 			}
7653 			sctp_m_free(m);
7654 			m = sp->data;
7655 		}
7656 	}
7657 	if (SCTP_BUF_IS_EXTENDED(chk->data)) {
7658 		chk->copy_by_ref = 1;
7659 	} else {
7660 		chk->copy_by_ref = 0;
7661 	}
7662 	/* get last_mbuf and counts of mb useage
7663 	 * This is ugly but hopefully its only one mbuf.
7664 	 */
7665 	if (chk->last_mbuf == NULL) {
7666 		chk->last_mbuf = chk->data;
7667 		while (SCTP_BUF_NEXT(chk->last_mbuf) != NULL) {
7668 			chk->last_mbuf = SCTP_BUF_NEXT(chk->last_mbuf);
7669 		}
7670 	}
7671 
7672 	if (to_move > length) {
7673 		/*- This should not happen either
7674 		 * since we always lower to_move to the size
7675 		 * of sp->length if its larger.
7676 		 */
7677 #ifdef INVARIANTS
7678 		panic("Huh, how can to_move be larger?");
7679 #else
7680 		SCTP_PRINTF("Huh, how can to_move be larger?\n");
7681 		sp->length = 0;
7682 #endif
7683 	} else {
7684 		atomic_subtract_int(&sp->length, to_move);
7685 	}
7686 	if (M_LEADINGSPACE(chk->data) < (int)sizeof(struct sctp_data_chunk)) {
7687 		/* Not enough room for a chunk header, get some */
7688 		struct mbuf *m;
7689 		m = sctp_get_mbuf_for_msg(1, 0, M_NOWAIT, 0, MT_DATA);
7690 		if (m == NULL) {
7691 			/*
7692 			 * we're in trouble here. _PREPEND below will free
7693 			 * all the data if there is no leading space, so we
7694 			 * must put the data back and restore.
7695 			 */
7696 			if (send_lock_up == 0) {
7697 				SCTP_TCB_SEND_LOCK(stcb);
7698 				send_lock_up = 1;
7699 			}
7700 			if (chk->data == NULL) {
7701 				/* unsteal the data */
7702 				sp->data = chk->data;
7703 				sp->tail_mbuf = chk->last_mbuf;
7704 			} else {
7705 				struct mbuf *m_tmp;
7706 				/* reassemble the data */
7707 				m_tmp = sp->data;
7708 				sp->data = chk->data;
7709 				SCTP_BUF_NEXT(chk->last_mbuf) = m_tmp;
7710 			}
7711 			sp->some_taken = some_taken;
7712 			atomic_add_int(&sp->length, to_move);
7713 			chk->data = NULL;
7714 			*bail = 1;
7715 			sctp_free_a_chunk(stcb, chk, so_locked);
7716 			to_move = 0;
7717 			goto out_of;
7718 		} else {
7719 			SCTP_BUF_LEN(m) = 0;
7720 			SCTP_BUF_NEXT(m) = chk->data;
7721 			chk->data = m;
7722 			M_ALIGN(chk->data, 4);
7723 		}
7724 	}
7725 	SCTP_BUF_PREPEND(chk->data, sizeof(struct sctp_data_chunk), M_NOWAIT);
7726 	if (chk->data == NULL) {
7727 		/* HELP, TSNH since we assured it would not above? */
7728 #ifdef INVARIANTS
7729 		panic("prepend failes HELP?");
7730 #else
7731 		SCTP_PRINTF("prepend fails HELP?\n");
7732 		sctp_free_a_chunk(stcb, chk, so_locked);
7733 #endif
7734 		*bail = 1;
7735 		to_move = 0;
7736 		goto out_of;
7737 	}
7738 	sctp_snd_sb_alloc(stcb, sizeof(struct sctp_data_chunk));
7739 	chk->book_size = chk->send_size = (to_move + sizeof(struct sctp_data_chunk));
7740 	chk->book_size_scale = 0;
7741 	chk->sent = SCTP_DATAGRAM_UNSENT;
7742 
7743 	chk->flags = 0;
7744 	chk->asoc = &stcb->asoc;
7745 	chk->pad_inplace = 0;
7746 	chk->no_fr_allowed = 0;
7747 	chk->rec.data.stream_seq = strq->next_sequence_send;
7748 	if ((rcv_flags & SCTP_DATA_LAST_FRAG) &&
7749 	    !(rcv_flags & SCTP_DATA_UNORDERED)) {
7750 		strq->next_sequence_send++;
7751 	}
7752 	chk->rec.data.stream_number = sp->stream;
7753 	chk->rec.data.payloadtype = sp->ppid;
7754 	chk->rec.data.context = sp->context;
7755 	chk->rec.data.doing_fast_retransmit = 0;
7756 
7757 	chk->rec.data.timetodrop = sp->ts;
7758 	chk->flags = sp->act_flags;
7759 
7760 	if (sp->net) {
7761 		chk->whoTo = sp->net;
7762 		atomic_add_int(&chk->whoTo->ref_count, 1);
7763 	} else
7764 		chk->whoTo = NULL;
7765 
7766 	if (sp->holds_key_ref) {
7767 		chk->auth_keyid = sp->auth_keyid;
7768 		sctp_auth_key_acquire(stcb, chk->auth_keyid);
7769 		chk->holds_key_ref = 1;
7770 	}
7771 
7772 #if defined(__FreeBSD__) || defined(__Panda__)
7773 	chk->rec.data.TSN_seq = atomic_fetchadd_int(&asoc->sending_seq, 1);
7774 #else
7775 	chk->rec.data.TSN_seq = asoc->sending_seq++;
7776 #endif
7777 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_AT_SEND_2_OUTQ) {
7778 		sctp_misc_ints(SCTP_STRMOUT_LOG_SEND,
7779 		               (uintptr_t)stcb, sp->length,
7780 		               (uint32_t)((chk->rec.data.stream_number << 16) | chk->rec.data.stream_seq),
7781 		               chk->rec.data.TSN_seq);
7782 	}
7783 	dchkh = mtod(chk->data, struct sctp_data_chunk *);
7784 	/*
7785 	 * Put the rest of the things in place now. Size was done
7786 	 * earlier in previous loop prior to padding.
7787 	 */
7788 
7789 #ifdef SCTP_ASOCLOG_OF_TSNS
7790 	SCTP_TCB_LOCK_ASSERT(stcb);
7791 	if (asoc->tsn_out_at >= SCTP_TSN_LOG_SIZE) {
7792 		asoc->tsn_out_at = 0;
7793 		asoc->tsn_out_wrapped = 1;
7794 	}
7795 	asoc->out_tsnlog[asoc->tsn_out_at].tsn = chk->rec.data.TSN_seq;
7796 	asoc->out_tsnlog[asoc->tsn_out_at].strm = chk->rec.data.stream_number;
7797 	asoc->out_tsnlog[asoc->tsn_out_at].seq = chk->rec.data.stream_seq;
7798 	asoc->out_tsnlog[asoc->tsn_out_at].sz = chk->send_size;
7799 	asoc->out_tsnlog[asoc->tsn_out_at].flgs = chk->rec.data.rcv_flags;
7800 	asoc->out_tsnlog[asoc->tsn_out_at].stcb = (void *)stcb;
7801 	asoc->out_tsnlog[asoc->tsn_out_at].in_pos = asoc->tsn_out_at;
7802 	asoc->out_tsnlog[asoc->tsn_out_at].in_out = 2;
7803 	asoc->tsn_out_at++;
7804 #endif
7805 
7806 	dchkh->ch.chunk_type = SCTP_DATA;
7807 	dchkh->ch.chunk_flags = chk->rec.data.rcv_flags;
7808 	dchkh->dp.tsn = htonl(chk->rec.data.TSN_seq);
7809 	dchkh->dp.stream_id = htons(strq->stream_no);
7810 	dchkh->dp.stream_sequence = htons(chk->rec.data.stream_seq);
7811 	dchkh->dp.protocol_id = chk->rec.data.payloadtype;
7812 	dchkh->ch.chunk_length = htons(chk->send_size);
7813 	/* Now advance the chk->send_size by the actual pad needed. */
7814 	if (chk->send_size < SCTP_SIZE32(chk->book_size)) {
7815 		/* need a pad */
7816 		struct mbuf *lm;
7817 		int pads;
7818 
7819 		pads = SCTP_SIZE32(chk->book_size) - chk->send_size;
7820 		if (sctp_pad_lastmbuf(chk->data, pads, chk->last_mbuf) == 0) {
7821 			chk->pad_inplace = 1;
7822 		}
7823 		if ((lm = SCTP_BUF_NEXT(chk->last_mbuf)) != NULL) {
7824 			/* pad added an mbuf */
7825 			chk->last_mbuf = lm;
7826 		}
7827 		chk->send_size += pads;
7828 	}
7829 	if (PR_SCTP_ENABLED(chk->flags)) {
7830 		asoc->pr_sctp_cnt++;
7831 	}
7832 	if (sp->msg_is_complete && (sp->length == 0) && (sp->sender_all_done)) {
7833 		/* All done pull and kill the message */
7834 		atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7835 		if (sp->put_last_out == 0) {
7836 			SCTP_PRINTF("Gak, put out entire msg with NO end!-2\n");
7837 			SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
7838 			            sp->sender_all_done,
7839 			            sp->length,
7840 			            sp->msg_is_complete,
7841 			            sp->put_last_out,
7842 			            send_lock_up);
7843 		}
7844 		if ((send_lock_up == 0) && (TAILQ_NEXT(sp, next) == NULL)) {
7845 			SCTP_TCB_SEND_LOCK(stcb);
7846 			send_lock_up = 1;
7847 		}
7848 		TAILQ_REMOVE(&strq->outqueue, sp, next);
7849 		stcb->asoc.ss_functions.sctp_ss_remove_from_stream(stcb, asoc, strq, sp, send_lock_up);
7850 		if (sp->net) {
7851 			sctp_free_remote_addr(sp->net);
7852 			sp->net = NULL;
7853 		}
7854 		if (sp->data) {
7855 			sctp_m_freem(sp->data);
7856 			sp->data = NULL;
7857 		}
7858 		sctp_free_a_strmoq(stcb, sp, so_locked);
7859 
7860 		/* we can't be locked to it */
7861 		*locked = 0;
7862 		stcb->asoc.locked_on_sending = NULL;
7863 	} else {
7864 		/* more to go, we are locked */
7865 		*locked = 1;
7866 	}
7867 	asoc->chunks_on_out_queue++;
7868 	strq->chunks_on_queues++;
7869 	TAILQ_INSERT_TAIL(&asoc->send_queue, chk, sctp_next);
7870 	asoc->send_queue_cnt++;
7871 out_of:
7872 	if (send_lock_up) {
7873 		SCTP_TCB_SEND_UNLOCK(stcb);
7874 	}
7875 	return (to_move);
7876 }
7877 
7878 
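/*
 * Pull user data for one destination out of the per-stream output queues
 * and onto the association's send queue, up to about one MTU's worth.
 *
 * stcb       - association control block; the caller must hold the TCB
 *              lock (checked by SCTP_TCB_LOCK_ASSERT).
 * net        - destination whose MTU and address family set the budget.
 * frag_point - handed unchanged to sctp_move_to_outqueue().
 * eeor_mode  - handed unchanged to sctp_move_to_outqueue().
 * quit_now   - set to 1 when the last sctp_move_to_outqueue() call
 *              reported "bail" (it does so when an mbuf copy or
 *              allocation fails); left untouched otherwise.
 * so_locked  - handed unchanged to sctp_move_to_outqueue().
 *
 * Bumps sctps_primary_randry or sctps_cmt_randry when no bytes at all
 * could be moved.
 */
static void
sctp_fill_outqueue(struct sctp_tcb *stcb,
    struct sctp_nets *net, int frag_point, int eeor_mode, int *quit_now, int so_locked
#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
	SCTP_UNUSED
#endif
)
{
	struct sctp_association *asoc;
	struct sctp_stream_out *strq;
	int goal_mtu, moved_how_much, total_moved = 0, bail = 0;
	int locked, giveup;

	SCTP_TCB_LOCK_ASSERT(stcb);
	asoc = &stcb->asoc;
	/*
	 * Start from the path MTU minus the per-family packet overhead.
	 * NOTE(review): goal_mtu is a signed int while net->mtu's type is
	 * not visible here; an MTU below the overhead is expected to end up
	 * non-positive and skip the loop below - confirm.
	 */
	switch (net->ro._l_addr.sa.sa_family) {
#ifdef INET
	case AF_INET:
		goal_mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
		break;
#endif
#ifdef INET6
	case AF_INET6:
		goal_mtu = net->mtu - SCTP_MIN_OVERHEAD;
		break;
#endif
#if defined(__Userspace__)
	case AF_CONN:
		goal_mtu = net->mtu - sizeof(struct sctphdr);
		break;
#endif
	default:
		/* TSNH */
		goal_mtu = net->mtu;
		break;
	}
	/* Need an allowance for the data chunk header too */
	goal_mtu -= sizeof(struct sctp_data_chunk);

	/* must make even word boundary (round down to a multiple of 4) */
	goal_mtu &= 0xfffffffc;
	if (asoc->locked_on_sending) {
		/* We are stuck on one stream until the message completes. */
		strq = asoc->locked_on_sending;
		locked = 1;
	} else {
		strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
		locked = 0;
	}
	while ((goal_mtu > 0) && strq) {
		giveup = 0;
		bail = 0;
		moved_how_much = sctp_move_to_outqueue(stcb, strq, goal_mtu, frag_point, &locked,
						       &giveup, eeor_mode, &bail, so_locked);
		if (moved_how_much)
			stcb->asoc.ss_functions.sctp_ss_scheduled(stcb, net, asoc, strq, moved_how_much);

		/*
		 * Account for the bytes before any break below. Previously a
		 * successful move followed by the scheduler returning no
		 * further stream left total_moved at 0, so the "ran dry"
		 * statistic was bumped although data had been queued.
		 */
		total_moved += moved_how_much;

		if (locked) {
			asoc->locked_on_sending = strq;
			if ((moved_how_much == 0) || (giveup) || bail)
				/* no more to move for now */
				break;
		} else {
			asoc->locked_on_sending = NULL;
			if ((giveup) || bail) {
				break;
			}
			strq = stcb->asoc.ss_functions.sctp_ss_select_stream(stcb, net, asoc);
			if (strq == NULL) {
				break;
			}
		}
		/* Charge the payload plus one data chunk header to the budget. */
		goal_mtu -= (moved_how_much + sizeof(struct sctp_data_chunk));
		goal_mtu &= 0xfffffffc;
	}
	if (bail)
		*quit_now = 1;

	stcb->asoc.ss_functions.sctp_ss_packet_done(stcb, net, asoc);

	if (total_moved == 0) {
		if ((stcb->asoc.sctp_cmt_on_off == 0) &&
		    (net == stcb->asoc.primary_destination)) {
			/* ran dry for primary network net */
			SCTP_STAT_INCR(sctps_primary_randry);
		} else if (stcb->asoc.sctp_cmt_on_off > 0) {
			/* ran dry with CMT on */
			SCTP_STAT_INCR(sctps_cmt_randry);
		}
	}
}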
7971 
/*
 * Walk the association's control send queue and flag every ECN-ECHO
 * chunk found there as SCTP_DATAGRAM_UNSENT. Other control chunks are
 * left as they are.
 */
void
sctp_fix_ecn_echo(struct sctp_association *asoc)
{
	struct sctp_tmit_chunk *ctl;

	TAILQ_FOREACH(ctl, &asoc->control_send_queue, sctp_next) {
		if (ctl->rec.chunk_id.id != SCTP_ECN_ECHO) {
			/* not an ECN-ECHO, nothing to reset */
			continue;
		}
		ctl->sent = SCTP_DATAGRAM_UNSENT;
	}
}
7983 
/*
 * Detach a destination from everything still waiting to go out on this
 * association: pending messages on each outgoing stream queue and chunks
 * on the send queue. Each entry that pointed at 'net' has its reference
 * released through sctp_free_remote_addr() and its pointer cleared, so
 * no queued item keeps pointing at that destination afterwards.
 *
 * A NULL 'net' is a no-op.
 */
void
sctp_move_chunks_from_net(struct sctp_tcb *stcb, struct sctp_nets *net)
{
	struct sctp_association *asoc;
	struct sctp_stream_queue_pending *pending;
	struct sctp_tmit_chunk *queued;
	unsigned int strm;

	if (net == NULL) {
		return;
	}
	asoc = &stcb->asoc;

	/* First the not-yet-chunked messages on every outgoing stream. */
	for (strm = 0; strm < asoc->streamoutcnt; strm++) {
		TAILQ_FOREACH(pending, &asoc->strmout[strm].outqueue, next) {
			if (pending->net != net) {
				continue;
			}
			sctp_free_remote_addr(pending->net);
			pending->net = NULL;
		}
	}

	/* Then the chunks already sitting on the send queue. */
	TAILQ_FOREACH(queued, &asoc->send_queue, sctp_next) {
		if (queued->whoTo != net) {
			continue;
		}
		sctp_free_remote_addr(queued->whoTo);
		queued->whoTo = NULL;
	}
}
8011 
8012 int
8013 sctp_med_chunk_output(struct sctp_inpcb *inp,
8014 		      struct sctp_tcb *stcb,
8015 		      struct sctp_association *asoc,
8016 		      int *num_out,
8017 		      int *reason_code,
8018 		      int control_only, int from_where,
8019 		      struct timeval *now, int *now_filled, int frag_point, int so_locked
8020 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
8021 		      SCTP_UNUSED
8022 #endif
8023 	)
8024 {
8025 	/**
8026 	 * Ok this is the generic chunk service queue. we must do the
8027 	 * following: - Service the stream queue that is next, moving any
8028 	 * message (note I must get a complete message i.e. FIRST/MIDDLE and
8029 	 * LAST to the out queue in one pass) and assigning TSN's - Check to
8030 	 * see if the cwnd/rwnd allows any output, if so we go ahead and
8031 	 * fomulate and send the low level chunks. Making sure to combine
8032 	 * any control in the control chunk queue also.
8033 	 */
8034 	struct sctp_nets *net, *start_at, *sack_goes_to = NULL, *old_start_at = NULL;
8035 	struct mbuf *outchain, *endoutchain;
8036 	struct sctp_tmit_chunk *chk, *nchk;
8037 
8038 	/* temp arrays for unlinking */
8039 	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
8040 	int no_fragmentflg, error;
8041 	unsigned int max_rwnd_per_dest, max_send_per_dest;
8042 	int one_chunk, hbflag, skip_data_for_this_net;
8043 	int asconf, cookie, no_out_cnt;
8044 	int bundle_at, ctl_cnt, no_data_chunks, eeor_mode;
8045 	unsigned int mtu, r_mtu, omtu, mx_mtu, to_out;
8046 	int tsns_sent = 0;
8047 	uint32_t auth_offset = 0;
8048 	struct sctp_auth_chunk *auth = NULL;
8049 	uint16_t auth_keyid;
8050 	int override_ok = 1;
8051 	int skip_fill_up = 0;
8052 	int data_auth_reqd = 0;
8053 	/* JRS 5/14/07 - Add flag for whether a heartbeat is sent to
8054 	   the destination. */
8055 	int quit_now = 0;
8056 
8057 #if defined(__APPLE__)
8058 	if (so_locked) {
8059 		sctp_lock_assert(SCTP_INP_SO(inp));
8060 	} else {
8061 		sctp_unlock_assert(SCTP_INP_SO(inp));
8062 	}
8063 #endif
8064 	*num_out = 0;
8065 	auth_keyid = stcb->asoc.authinfo.active_keyid;
8066 
8067 	if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
8068 	    (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED) ||
8069 	    (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
8070 		eeor_mode = 1;
8071 	} else {
8072 		eeor_mode = 0;
8073 	}
8074 	ctl_cnt = no_out_cnt = asconf = cookie = 0;
8075 	/*
8076 	 * First lets prime the pump. For each destination, if there is room
8077 	 * in the flight size, attempt to pull an MTU's worth out of the
8078 	 * stream queues into the general send_queue
8079 	 */
8080 #ifdef SCTP_AUDITING_ENABLED
8081 	sctp_audit_log(0xC2, 2);
8082 #endif
8083 	SCTP_TCB_LOCK_ASSERT(stcb);
8084 	hbflag = 0;
8085 	if ((control_only) || (asoc->stream_reset_outstanding))
8086 		no_data_chunks = 1;
8087 	else
8088 		no_data_chunks = 0;
8089 
8090 	/* Nothing to possible to send? */
8091 	if ((TAILQ_EMPTY(&asoc->control_send_queue) ||
8092 	     (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) &&
8093 	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
8094 	    TAILQ_EMPTY(&asoc->send_queue) &&
8095 	    stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
8096 	nothing_to_send:
8097 		*reason_code = 9;
8098 		return (0);
8099 	}
8100 	if (asoc->peers_rwnd == 0) {
8101 		/* No room in peers rwnd */
8102 		*reason_code = 1;
8103 		if (asoc->total_flight > 0) {
8104 			/* we are allowed one chunk in flight */
8105 			no_data_chunks = 1;
8106 		}
8107 	}
8108 	if (stcb->asoc.ecn_echo_cnt_onq) {
8109 		/* Record where a sack goes, if any */
8110 		if (no_data_chunks &&
8111 		    (asoc->ctrl_queue_cnt == stcb->asoc.ecn_echo_cnt_onq)) {
8112 			/* Nothing but ECNe to send - we don't do that */
8113 			goto nothing_to_send;
8114 		}
8115 		TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
8116 			if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8117 			    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
8118 				sack_goes_to = chk->whoTo;
8119 				break;
8120 			}
8121 		}
8122 	}
8123 	max_rwnd_per_dest = ((asoc->peers_rwnd + asoc->total_flight) / asoc->numnets);
8124 	if (stcb->sctp_socket)
8125 		max_send_per_dest = SCTP_SB_LIMIT_SND(stcb->sctp_socket) / asoc->numnets;
8126 	else
8127 		max_send_per_dest = 0;
8128 	if (no_data_chunks == 0) {
8129 		/* How many non-directed chunks are there? */
8130 		TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
8131 			if (chk->whoTo == NULL) {
8132 				/* We already have non-directed
8133 				 * chunks on the queue, no need
8134 				 * to do a fill-up.
8135 				 */
8136 				skip_fill_up = 1;
8137 				break;
8138 			}
8139 		}
8140 
8141 	}
8142 	if ((no_data_chunks == 0) &&
8143 	    (skip_fill_up == 0) &&
8144 	    (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc))) {
8145 		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
8146 			/*
8147 			 * This for loop we are in takes in
8148 			 * each net, if its's got space in cwnd and
8149 			 * has data sent to it (when CMT is off) then it
8150 			 * calls sctp_fill_outqueue for the net. This gets
8151 			 * data on the send queue for that network.
8152 			 *
8153 			 * In sctp_fill_outqueue TSN's are assigned and
8154 			 * data is copied out of the stream buffers. Note
8155 			 * mostly copy by reference (we hope).
8156 			 */
8157 			net->window_probe = 0;
8158 			if ((net != stcb->asoc.alternate) &&
8159 			    ((net->dest_state & SCTP_ADDR_PF) ||
8160 			     (!(net->dest_state & SCTP_ADDR_REACHABLE)) ||
8161 			     (net->dest_state & SCTP_ADDR_UNCONFIRMED))) {
8162 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8163 					sctp_log_cwnd(stcb, net, 1,
8164 						      SCTP_CWND_LOG_FILL_OUTQ_CALLED);
8165 				}
8166 			        continue;
8167 			}
8168 			if ((stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins) &&
8169 			    (net->flight_size == 0)) {
8170 				(*stcb->asoc.cc_functions.sctp_cwnd_new_transmission_begins)(stcb, net);
8171 			}
8172 			if (net->flight_size >= net->cwnd) {
8173 				/* skip this network, no room - can't fill */
8174 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8175 					sctp_log_cwnd(stcb, net, 3,
8176 						      SCTP_CWND_LOG_FILL_OUTQ_CALLED);
8177 				}
8178 				continue;
8179 			}
8180 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8181 				sctp_log_cwnd(stcb, net, 4, SCTP_CWND_LOG_FILL_OUTQ_CALLED);
8182 			}
8183 			sctp_fill_outqueue(stcb, net, frag_point, eeor_mode, &quit_now, so_locked);
8184 			if (quit_now) {
8185 				/* memory alloc failure */
8186 				no_data_chunks = 1;
8187 				break;
8188 			}
8189 		}
8190 	}
8191 	/* now service each destination and send out what we can for it */
8192 	/* Nothing to send? */
8193 	if (TAILQ_EMPTY(&asoc->control_send_queue) &&
8194 	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
8195 	    TAILQ_EMPTY(&asoc->send_queue)) {
8196 		*reason_code = 8;
8197 		return (0);
8198 	}
8199 
8200 	if (asoc->sctp_cmt_on_off > 0) {
8201 		/* get the last start point */
8202 		start_at = asoc->last_net_cmt_send_started;
8203 		if (start_at == NULL) {
8204 			/* null so to beginning */
8205 			start_at = TAILQ_FIRST(&asoc->nets);
8206 		} else {
8207 			start_at = TAILQ_NEXT(asoc->last_net_cmt_send_started, sctp_next);
8208 			if (start_at == NULL) {
8209 				start_at = TAILQ_FIRST(&asoc->nets);
8210 			}
8211 		}
8212 		asoc->last_net_cmt_send_started = start_at;
8213 	} else {
8214 		start_at = TAILQ_FIRST(&asoc->nets);
8215 	}
8216 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
8217 		if (chk->whoTo == NULL) {
8218 			if (asoc->alternate) {
8219 				chk->whoTo = asoc->alternate;
8220 			} else {
8221 				chk->whoTo = asoc->primary_destination;
8222 			}
8223 			atomic_add_int(&chk->whoTo->ref_count, 1);
8224 		}
8225 	}
8226 	old_start_at = NULL;
8227 again_one_more_time:
8228 	for (net = start_at ; net != NULL; net = TAILQ_NEXT(net, sctp_next)) {
8229 		/* how much can we send? */
8230 		/* SCTPDBG("Examine for sending net:%x\n", (uint32_t)net); */
8231 		if (old_start_at && (old_start_at == net)) {
8232 			/* through list ocmpletely. */
8233 			break;
8234 		}
8235 		tsns_sent = 0xa;
8236 		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
8237 		    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
8238 		    (net->flight_size >= net->cwnd)) {
8239 			/* Nothing on control or asconf and flight is full, we can skip
8240 			 * even in the CMT case.
8241 			 */
8242 			continue;
8243 		}
8244 		bundle_at = 0;
8245 		endoutchain = outchain = NULL;
8246 		no_fragmentflg = 1;
8247 		one_chunk = 0;
8248 		if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
8249 			skip_data_for_this_net = 1;
8250 		} else {
8251 			skip_data_for_this_net = 0;
8252 		}
8253 #if !(defined(__Panda__) || defined(__Windows__) || defined(__Userspace__) || defined(__APPLE__))
8254 		if ((net->ro.ro_rt) && (net->ro.ro_rt->rt_ifp)) {
8255 			/*
8256 			 * if we have a route and an ifp check to see if we
8257 			 * have room to send to this guy
8258 			 */
8259 			struct ifnet *ifp;
8260 
8261 			ifp = net->ro.ro_rt->rt_ifp;
8262 			if ((ifp->if_snd.ifq_len + 2) >= ifp->if_snd.ifq_maxlen) {
8263 				SCTP_STAT_INCR(sctps_ifnomemqueued);
8264 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
8265 					sctp_log_maxburst(stcb, net, ifp->if_snd.ifq_len, ifp->if_snd.ifq_maxlen, SCTP_MAX_IFP_APPLIED);
8266 				}
8267 				continue;
8268 			}
8269 		}
8270 #endif
8271 		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
8272 #ifdef INET
8273 		case AF_INET:
8274 			mtu = net->mtu - (sizeof(struct ip) + sizeof(struct sctphdr));
8275 			break;
8276 #endif
8277 #ifdef INET6
8278 		case AF_INET6:
8279 			mtu = net->mtu - (sizeof(struct ip6_hdr) + sizeof(struct sctphdr));
8280 			break;
8281 #endif
8282 #if defined(__Userspace__)
8283 		case AF_CONN:
8284 			mtu = net->mtu - sizeof(struct sctphdr);
8285 			break;
8286 #endif
8287 		default:
8288 			/* TSNH */
8289 			mtu = net->mtu;
8290 			break;
8291 		}
8292 		mx_mtu = mtu;
8293 		to_out = 0;
8294 		if (mtu > asoc->peers_rwnd) {
8295 			if (asoc->total_flight > 0) {
8296 				/* We have a packet in flight somewhere */
8297 				r_mtu = asoc->peers_rwnd;
8298 			} else {
8299 				/* We are always allowed to send one MTU out */
8300 				one_chunk = 1;
8301 				r_mtu = mtu;
8302 			}
8303 		} else {
8304 			r_mtu = mtu;
8305 		}
8306 		/************************/
8307 		/* ASCONF transmission */
8308 		/************************/
8309 		/* Now first lets go through the asconf queue */
8310 		TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
8311 			if (chk->rec.chunk_id.id != SCTP_ASCONF) {
8312 				continue;
8313 			}
8314 			if (chk->whoTo == NULL) {
8315 				if (asoc->alternate == NULL) {
8316 					if (asoc->primary_destination != net) {
8317 						break;
8318 					}
8319 				} else {
8320 					if (asoc->alternate != net) {
8321 						break;
8322 					}
8323 				}
8324 			} else {
8325 				if (chk->whoTo != net) {
8326 					break;
8327 				}
8328 			}
8329 			if (chk->data == NULL) {
8330 				break;
8331 			}
8332 			if (chk->sent != SCTP_DATAGRAM_UNSENT &&
8333 			    chk->sent != SCTP_DATAGRAM_RESEND) {
8334 				break;
8335 			}
8336 			/*
8337 			 * if no AUTH is yet included and this chunk
8338 			 * requires it, make sure to account for it.  We
8339 			 * don't apply the size until the AUTH chunk is
8340 			 * actually added below in case there is no room for
8341 			 * this chunk. NOTE: we overload the use of "omtu"
8342 			 * here
8343 			 */
8344 			if ((auth == NULL) &&
8345 			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8346 							stcb->asoc.peer_auth_chunks)) {
8347 				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8348 			} else
8349 				omtu = 0;
8350 			/* Here we do NOT factor the r_mtu */
8351 			if ((chk->send_size < (int)(mtu - omtu)) ||
8352 			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8353 				/*
8354 				 * We probably should glom the mbuf chain
8355 				 * from the chk->data for control but the
8356 				 * problem is it becomes yet one more level
8357 				 * of tracking to do if for some reason
8358 				 * output fails. Then I have got to
8359 				 * reconstruct the merged control chain.. el
8360 				 * yucko.. for now we take the easy way and
8361 				 * do the copy
8362 				 */
8363 				/*
8364 				 * Add an AUTH chunk, if chunk requires it
8365 				 * save the offset into the chain for AUTH
8366 				 */
8367 				if ((auth == NULL) &&
8368 				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8369 								 stcb->asoc.peer_auth_chunks))) {
8370 					outchain = sctp_add_auth_chunk(outchain,
8371 								       &endoutchain,
8372 								       &auth,
8373 								       &auth_offset,
8374 								       stcb,
8375 								       chk->rec.chunk_id.id);
8376 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8377 				}
8378 				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8379 							       (int)chk->rec.chunk_id.can_take_data,
8380 							       chk->send_size, chk->copy_by_ref);
8381 				if (outchain == NULL) {
8382 					*reason_code = 8;
8383 					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8384 					return (ENOMEM);
8385 				}
8386 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8387 				/* update our MTU size */
8388 				if (mtu > (chk->send_size + omtu))
8389 					mtu -= (chk->send_size + omtu);
8390 				else
8391 					mtu = 0;
8392 				to_out += (chk->send_size + omtu);
8393 				/* Do clear IP_DF ? */
8394 				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8395 					no_fragmentflg = 0;
8396 				}
8397 				if (chk->rec.chunk_id.can_take_data)
8398 					chk->data = NULL;
8399 				/*
8400 				 * set hb flag since we can
8401 				 * use these for RTO
8402 				 */
8403 				hbflag = 1;
8404 				asconf = 1;
8405 				/*
8406 				 * should sysctl this: don't
8407 				 * bundle data with ASCONF
8408 				 * since it requires AUTH
8409 				 */
8410 				no_data_chunks = 1;
8411 				chk->sent = SCTP_DATAGRAM_SENT;
8412 				if (chk->whoTo == NULL) {
8413 					chk->whoTo = net;
8414 					atomic_add_int(&net->ref_count, 1);
8415 				}
8416 				chk->snd_count++;
8417 				if (mtu == 0) {
8418 					/*
8419 					 * Ok we are out of room but we can
8420 					 * output without effecting the
8421 					 * flight size since this little guy
8422 					 * is a control only packet.
8423 					 */
8424 					sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8425 					/*
8426 					 * do NOT clear the asconf
8427 					 * flag as it is used to do
8428 					 * appropriate source address
8429 					 * selection.
8430 					 */
8431 					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8432 					                                        (struct sockaddr *)&net->ro._l_addr,
8433 					                                        outchain, auth_offset, auth,
8434 					                                        stcb->asoc.authinfo.active_keyid,
8435 					                                        no_fragmentflg, 0, asconf,
8436 					                                        inp->sctp_lport, stcb->rport,
8437 					                                        htonl(stcb->asoc.peer_vtag),
8438 					                                        net->port, NULL,
8439 #if defined(__FreeBSD__)
8440 					                                        0, 0,
8441 #endif
8442 					                                        so_locked))) {
8443 						if (error == ENOBUFS) {
8444 							asoc->ifp_had_enobuf = 1;
8445 							SCTP_STAT_INCR(sctps_lowlevelerr);
8446 						}
8447 						if (from_where == 0) {
8448 							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8449 						}
8450 						if (*now_filled == 0) {
8451 							(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8452 							*now_filled = 1;
8453 							*now = net->last_sent_time;
8454 						} else {
8455 							net->last_sent_time = *now;
8456 						}
8457 						hbflag = 0;
8458 						/* error, could not output */
8459 						if (error == EHOSTUNREACH) {
8460 							/*
8461 							 * Destination went
8462 							 * unreachable
8463 							 * during this send
8464 							 */
8465 							sctp_move_chunks_from_net(stcb, net);
8466 						}
8467 						*reason_code = 7;
8468 						continue;
8469 					} else
8470 						asoc->ifp_had_enobuf = 0;
8471 					if (*now_filled == 0) {
8472 						(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8473 						*now_filled = 1;
8474 						*now = net->last_sent_time;
8475 					} else {
8476 						net->last_sent_time = *now;
8477 					}
8478 					hbflag = 0;
8479 					/*
8480 					 * increase the number we sent, if a
8481 					 * cookie is sent we don't tell them
8482 					 * any was sent out.
8483 					 */
8484 					outchain = endoutchain = NULL;
8485 					auth = NULL;
8486 					auth_offset = 0;
8487 					if (!no_out_cnt)
8488 						*num_out += ctl_cnt;
8489 					/* recalc a clean slate and setup */
8490 					switch (net->ro._l_addr.sa.sa_family) {
8491 #ifdef INET
8492 						case AF_INET:
8493 							mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8494 							break;
8495 #endif
8496 #ifdef INET6
8497 						case AF_INET6:
8498 							mtu = net->mtu - SCTP_MIN_OVERHEAD;
8499 							break;
8500 #endif
8501 #if defined(__Userspace__)
8502 						case AF_CONN:
8503 							mtu = net->mtu - sizeof(struct sctphdr);
8504 							break;
8505 #endif
8506 						default:
8507 							/* TSNH */
8508 							mtu = net->mtu;
8509 							break;
8510 					}
8511 					to_out = 0;
8512 					no_fragmentflg = 1;
8513 				}
8514 			}
8515 		}
8516 		/************************/
8517 		/* Control transmission */
8518 		/************************/
8519 		/* Now first lets go through the control queue */
8520 		TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
8521 			if ((sack_goes_to) &&
8522 			    (chk->rec.chunk_id.id == SCTP_ECN_ECHO) &&
8523 			    (chk->whoTo != sack_goes_to)) {
8524 				/*
8525 				 * if we have a sack in queue, and we are looking at an
8526 				 * ecn echo that is NOT queued to where the sack is going..
8527 				 */
8528 				if (chk->whoTo == net) {
8529 					/* Don't transmit it to where its going (current net) */
8530 					continue;
8531 				} else if (sack_goes_to == net) {
8532 					/* But do transmit it to this address */
8533 					goto skip_net_check;
8534 				}
8535 			}
8536 			if (chk->whoTo == NULL) {
8537 				if (asoc->alternate == NULL) {
8538 					if (asoc->primary_destination != net) {
8539 						continue;
8540 					}
8541 				} else {
8542 					if (asoc->alternate != net) {
8543 						continue;
8544 					}
8545 				}
8546 			} else {
8547 				if (chk->whoTo != net) {
8548 					continue;
8549 				}
8550 			}
8551 		skip_net_check:
8552 			if (chk->data == NULL) {
8553 				continue;
8554 			}
8555 			if (chk->sent != SCTP_DATAGRAM_UNSENT) {
8556 				/*
8557 				 * It must be unsent. Cookies and ASCONF's
8558 				 * hang around but there timers will force
8559 				 * when marked for resend.
8560 				 */
8561 				continue;
8562 			}
8563 			/*
8564 			 * if no AUTH is yet included and this chunk
8565 			 * requires it, make sure to account for it.  We
8566 			 * don't apply the size until the AUTH chunk is
8567 			 * actually added below in case there is no room for
8568 			 * this chunk. NOTE: we overload the use of "omtu"
8569 			 * here
8570 			 */
8571 			if ((auth == NULL) &&
8572 			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8573 							stcb->asoc.peer_auth_chunks)) {
8574 				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8575 			} else
8576 				omtu = 0;
8577 			/* Here we do NOT factor the r_mtu */
8578 			if ((chk->send_size <= (int)(mtu - omtu)) ||
8579 			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
8580 				/*
8581 				 * We probably should glom the mbuf chain
8582 				 * from the chk->data for control but the
8583 				 * problem is it becomes yet one more level
8584 				 * of tracking to do if for some reason
8585 				 * output fails. Then I have got to
8586 				 * reconstruct the merged control chain.. el
8587 				 * yucko.. for now we take the easy way and
8588 				 * do the copy
8589 				 */
8590 				/*
8591 				 * Add an AUTH chunk, if chunk requires it
8592 				 * save the offset into the chain for AUTH
8593 				 */
8594 				if ((auth == NULL) &&
8595 				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8596 								 stcb->asoc.peer_auth_chunks))) {
8597 					outchain = sctp_add_auth_chunk(outchain,
8598 								       &endoutchain,
8599 								       &auth,
8600 								       &auth_offset,
8601 								       stcb,
8602 								       chk->rec.chunk_id.id);
8603 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8604 				}
8605 				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
8606 							       (int)chk->rec.chunk_id.can_take_data,
8607 							       chk->send_size, chk->copy_by_ref);
8608 				if (outchain == NULL) {
8609 					*reason_code = 8;
8610 					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8611 					return (ENOMEM);
8612 				}
8613 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8614 				/* update our MTU size */
8615 				if (mtu > (chk->send_size + omtu))
8616 					mtu -= (chk->send_size + omtu);
8617 				else
8618 					mtu = 0;
8619 				to_out += (chk->send_size + omtu);
8620 				/* Do clear IP_DF ? */
8621 				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8622 					no_fragmentflg = 0;
8623 				}
8624 				if (chk->rec.chunk_id.can_take_data)
8625 					chk->data = NULL;
8626 				/* Mark things to be removed, if needed */
8627 				if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8628 				    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) || /* EY */
8629 				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
8630 				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
8631 				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
8632 				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
8633 				    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
8634 				    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
8635 				    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
8636 				    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
8637 				    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
8638 					if (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) {
8639 						hbflag = 1;
8640 					}
8641 					/* remove these chunks at the end */
8642 					if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
8643 					    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
8644 						/* turn off the timer */
8645 						if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
8646 							sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
8647 									inp, stcb, net, SCTP_FROM_SCTP_OUTPUT+SCTP_LOC_1);
8648 						}
8649 					}
8650 					ctl_cnt++;
8651 				} else {
8652 					/*
8653 					 * Other chunks, since they have
8654 					 * timers running (i.e. COOKIE)
8655 					 * we just "trust" that it
8656 					 * gets sent or retransmitted.
8657 					 */
8658 					ctl_cnt++;
8659 					if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
8660 						cookie = 1;
8661 						no_out_cnt = 1;
8662 					} else if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
8663 						/*
8664 						 * Increment ecne send count here
8665 						 * this means we may be over-zealous in
8666 						 * our counting if the send fails, but its
8667 						 * the best place to do it (we used to do
8668 						 * it in the queue of the chunk, but that did
8669 						 * not tell how many times it was sent.
8670 						 */
8671 						SCTP_STAT_INCR(sctps_sendecne);
8672 					}
8673 					chk->sent = SCTP_DATAGRAM_SENT;
8674 					if (chk->whoTo == NULL) {
8675 						chk->whoTo = net;
8676 						atomic_add_int(&net->ref_count, 1);
8677 					}
8678 					chk->snd_count++;
8679 				}
8680 				if (mtu == 0) {
8681 					/*
8682 					 * Ok we are out of room but we can
8683 					 * output without effecting the
8684 					 * flight size since this little guy
8685 					 * is a control only packet.
8686 					 */
8687 					if (asconf) {
8688 						sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
8689 						/*
8690 						 * do NOT clear the asconf
8691 						 * flag as it is used to do
8692 						 * appropriate source address
8693 						 * selection.
8694 						 */
8695 					}
8696 					if (cookie) {
8697 						sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8698 						cookie = 0;
8699 					}
8700 					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
8701 					                                        (struct sockaddr *)&net->ro._l_addr,
8702 					                                        outchain,
8703 					                                        auth_offset, auth,
8704 					                                        stcb->asoc.authinfo.active_keyid,
8705 					                                        no_fragmentflg, 0, asconf,
8706 					                                        inp->sctp_lport, stcb->rport,
8707 					                                        htonl(stcb->asoc.peer_vtag),
8708 					                                        net->port, NULL,
8709 #if defined(__FreeBSD__)
8710 					                                        0, 0,
8711 #endif
8712 					                                        so_locked))) {
8713 						if (error == ENOBUFS) {
8714 							asoc->ifp_had_enobuf = 1;
8715 							SCTP_STAT_INCR(sctps_lowlevelerr);
8716 						}
8717 						if (from_where == 0) {
8718 							SCTP_STAT_INCR(sctps_lowlevelerrusr);
8719 						}
8720 						/* error, could not output */
8721 						if (hbflag) {
8722 							if (*now_filled == 0) {
8723 								(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8724 								*now_filled = 1;
8725 								*now = net->last_sent_time;
8726 							} else {
8727 								net->last_sent_time = *now;
8728 							}
8729 							hbflag = 0;
8730 						}
8731 						if (error == EHOSTUNREACH) {
8732 							/*
8733 							 * Destination went
8734 							 * unreachable
8735 							 * during this send
8736 							 */
8737 							sctp_move_chunks_from_net(stcb, net);
8738 						}
8739 						*reason_code = 7;
8740 						continue;
8741 					} else
8742 						asoc->ifp_had_enobuf = 0;
8743 					/* Only HB or ASCONF advances time */
8744 					if (hbflag) {
8745 						if (*now_filled == 0) {
8746 							(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8747 							*now_filled = 1;
8748 							*now = net->last_sent_time;
8749 						} else {
8750 							net->last_sent_time = *now;
8751 						}
8752 						hbflag = 0;
8753 					}
8754 					/*
8755 					 * increase the number we sent, if a
8756 					 * cookie is sent we don't tell them
8757 					 * any was sent out.
8758 					 */
8759 					outchain = endoutchain = NULL;
8760 					auth = NULL;
8761 					auth_offset = 0;
8762 					if (!no_out_cnt)
8763 						*num_out += ctl_cnt;
8764 					/* recalc a clean slate and setup */
8765 					switch (net->ro._l_addr.sa.sa_family) {
8766 #ifdef INET
8767 						case AF_INET:
8768 							mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
8769 							break;
8770 #endif
8771 #ifdef INET6
8772 						case AF_INET6:
8773 							mtu = net->mtu - SCTP_MIN_OVERHEAD;
8774 							break;
8775 #endif
8776 #if defined(__Userspace__)
8777 						case AF_CONN:
8778 							mtu = net->mtu - sizeof(struct sctphdr);
8779 							break;
8780 #endif
8781 						default:
8782 							/* TSNH */
8783 							mtu = net->mtu;
8784 							break;
8785 					}
8786 					to_out = 0;
8787 					no_fragmentflg = 1;
8788 				}
8789 			}
8790 		}
8791 		/* JRI: if dest is in PF state, do not send data to it */
8792 		if ((asoc->sctp_cmt_on_off > 0) &&
8793 		    (net != stcb->asoc.alternate) &&
8794 		    (net->dest_state & SCTP_ADDR_PF)) {
8795 			goto no_data_fill;
8796 		}
8797 		if (net->flight_size >= net->cwnd) {
8798 			goto no_data_fill;
8799 		}
8800 		if ((asoc->sctp_cmt_on_off > 0) &&
8801 		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_RECV_BUFFER_SPLITTING) &&
8802 		    (net->flight_size > max_rwnd_per_dest)) {
8803 			goto no_data_fill;
8804 		}
8805 		/*
8806 		 * We need a specific accounting for the usage of the
8807 		 * send buffer. We also need to check the number of messages
8808 		 * per net. For now, this is better than nothing and it
8809 		 * disabled by default...
8810 		 */
8811 		if ((asoc->sctp_cmt_on_off > 0) &&
8812 		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_SEND_BUFFER_SPLITTING) &&
8813 		    (max_send_per_dest > 0) &&
8814 		    (net->flight_size > max_send_per_dest)) {
8815 			goto no_data_fill;
8816 		}
8817 		/*********************/
8818 		/* Data transmission */
8819 		/*********************/
8820 		/*
8821 		 * if AUTH for DATA is required and no AUTH has been added
8822 		 * yet, account for this in the mtu now... if no data can be
8823 		 * bundled, this adjustment won't matter anyways since the
8824 		 * packet will be going out...
8825 		 */
8826 		data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA,
8827 							     stcb->asoc.peer_auth_chunks);
8828 		if (data_auth_reqd && (auth == NULL)) {
8829 			mtu -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8830 		}
8831 		/* now lets add any data within the MTU constraints */
8832 		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
8833 #ifdef INET
8834 		case AF_INET:
8835 			if (net->mtu > (sizeof(struct ip) + sizeof(struct sctphdr)))
8836 				omtu = net->mtu - (sizeof(struct ip) + sizeof(struct sctphdr));
8837 			else
8838 				omtu = 0;
8839 			break;
8840 #endif
8841 #ifdef INET6
8842 		case AF_INET6:
8843 			if (net->mtu > (sizeof(struct ip6_hdr) + sizeof(struct sctphdr)))
8844 				omtu = net->mtu - (sizeof(struct ip6_hdr) + sizeof(struct sctphdr));
8845 			else
8846 				omtu = 0;
8847 			break;
8848 #endif
8849 #if defined(__Userspace__)
8850 		case AF_CONN:
8851 			if (net->mtu > sizeof(struct sctphdr)) {
8852 				omtu = net->mtu - sizeof(struct sctphdr);
8853 			} else {
8854 				omtu = 0;
8855 			}
8856 			break;
8857 #endif
8858 		default:
8859 			/* TSNH */
8860 			omtu = 0;
8861 			break;
8862 		}
8863 		if ((((asoc->state & SCTP_STATE_OPEN) == SCTP_STATE_OPEN) &&
8864 		     (skip_data_for_this_net == 0)) ||
8865 		    (cookie)) {
8866 			TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
8867 				if (no_data_chunks) {
8868 					/* let only control go out */
8869 					*reason_code = 1;
8870 					break;
8871 				}
8872 				if (net->flight_size >= net->cwnd) {
8873 					/* skip this net, no room for data */
8874 					*reason_code = 2;
8875 					break;
8876 				}
8877 				if ((chk->whoTo != NULL) &&
8878 				    (chk->whoTo != net)) {
8879 					/* Don't send the chunk on this net */
8880 					continue;
8881 				}
8882 
8883 				if (asoc->sctp_cmt_on_off == 0) {
8884 					if ((asoc->alternate) &&
8885 					    (asoc->alternate != net) &&
8886 					    (chk->whoTo == NULL)) {
8887 						continue;
8888 					} else if ((net != asoc->primary_destination) &&
8889 						   (asoc->alternate == NULL) &&
8890 						   (chk->whoTo == NULL)) {
8891 						continue;
8892 					}
8893 				}
8894 				if ((chk->send_size > omtu) && ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) == 0)) {
8895 					/*-
8896 					 * strange, we have a chunk that is
8897 					 * to big for its destination and
8898 					 * yet no fragment ok flag.
8899 					 * Something went wrong when the
8900 					 * PMTU changed...we did not mark
8901 					 * this chunk for some reason?? I
8902 					 * will fix it here by letting IP
8903 					 * fragment it for now and printing
8904 					 * a warning. This really should not
8905 					 * happen ...
8906 					 */
8907 					SCTP_PRINTF("Warning chunk of %d bytes > mtu:%d and yet PMTU disc missed\n",
8908 						    chk->send_size, mtu);
8909 					chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;
8910 				}
8911 				if (SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) &&
8912 				    ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) == SCTP_STATE_SHUTDOWN_PENDING)) {
8913 					struct sctp_data_chunk *dchkh;
8914 
8915 					dchkh = mtod(chk->data, struct sctp_data_chunk *);
8916 					dchkh->ch.chunk_flags |= SCTP_DATA_SACK_IMMEDIATELY;
8917 				}
8918 				if (((chk->send_size <= mtu) && (chk->send_size <= r_mtu)) ||
8919 				    ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) && (chk->send_size <= asoc->peers_rwnd))) {
8920 					/* ok we will add this one */
8921 
8922 					/*
8923 					 * Add an AUTH chunk, if chunk
8924 					 * requires it, save the offset into
8925 					 * the chain for AUTH
8926 					 */
8927 					if (data_auth_reqd) {
8928 						if (auth == NULL) {
8929 							outchain = sctp_add_auth_chunk(outchain,
8930 										       &endoutchain,
8931 										       &auth,
8932 										       &auth_offset,
8933 										       stcb,
8934 										       SCTP_DATA);
8935 							auth_keyid = chk->auth_keyid;
8936 							override_ok = 0;
8937 							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8938 						} else if (override_ok) {
8939 							/* use this data's keyid */
8940 							auth_keyid = chk->auth_keyid;
8941 							override_ok = 0;
8942 						} else if (auth_keyid != chk->auth_keyid) {
8943 							/* different keyid, so done bundling */
8944 							break;
8945 						}
8946 					}
8947 					outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain, 0,
8948 								       chk->send_size, chk->copy_by_ref);
8949 					if (outchain == NULL) {
8950 						SCTPDBG(SCTP_DEBUG_OUTPUT3, "No memory?\n");
8951 						if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
8952 							sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8953 						}
8954 						*reason_code = 3;
8955 						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8956 						return (ENOMEM);
8957 					}
8958 					/* upate our MTU size */
8959 					/* Do clear IP_DF ? */
8960 					if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8961 						no_fragmentflg = 0;
8962 					}
8963 					/* unsigned subtraction of mtu */
8964 					if (mtu > chk->send_size)
8965 						mtu -= chk->send_size;
8966 					else
8967 						mtu = 0;
8968 					/* unsigned subtraction of r_mtu */
8969 					if (r_mtu > chk->send_size)
8970 						r_mtu -= chk->send_size;
8971 					else
8972 						r_mtu = 0;
8973 
8974 					to_out += chk->send_size;
8975 					if ((to_out > mx_mtu) && no_fragmentflg) {
8976 #ifdef INVARIANTS
8977 						panic("Exceeding mtu of %d out size is %d", mx_mtu, to_out);
8978 #else
8979 						SCTP_PRINTF("Exceeding mtu of %d out size is %d\n",
8980 							    mx_mtu, to_out);
8981 #endif
8982 					}
8983 					chk->window_probe = 0;
8984 					data_list[bundle_at++] = chk;
8985 					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
8986 						break;
8987 					}
8988 					if (chk->sent == SCTP_DATAGRAM_UNSENT) {
8989 						if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0) {
8990 							SCTP_STAT_INCR_COUNTER64(sctps_outorderchunks);
8991 						} else {
8992 							SCTP_STAT_INCR_COUNTER64(sctps_outunorderchunks);
8993 						}
8994 						if (((chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) == SCTP_DATA_LAST_FRAG) &&
8995 						    ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0))
8996 							/* Count number of user msg's that were fragmented
8997 							 * we do this by counting when we see a LAST fragment
8998 							 * only.
8999 							 */
9000 							SCTP_STAT_INCR_COUNTER64(sctps_fragusrmsgs);
9001 					}
9002 					if ((mtu == 0) || (r_mtu == 0) || (one_chunk)) {
9003 						if ((one_chunk) && (stcb->asoc.total_flight == 0)) {
9004 							data_list[0]->window_probe = 1;
9005 							net->window_probe = 1;
9006 						}
9007 						break;
9008 					}
9009 				} else {
9010 					/*
9011 					 * Must be sent in order of the
9012 					 * TSN's (on a network)
9013 					 */
9014 					break;
9015 				}
9016 			}	/* for (chunk gather loop for this net) */
9017 		}		/* if asoc.state OPEN */
9018 	no_data_fill:
9019 		/* Is there something to send for this destination? */
9020 		if (outchain) {
9021 			/* We may need to start a control timer or two */
9022 			if (asconf) {
9023 				sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp,
9024 						 stcb, net);
9025 				/*
9026 				 * do NOT clear the asconf flag as it is used
9027 				 * to do appropriate source address selection.
9028 				 */
9029 			}
9030 			if (cookie) {
9031 				sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
9032 				cookie = 0;
9033 			}
9034 			/* must start a send timer if data is being sent */
9035 			if (bundle_at && (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer))) {
9036 				/*
9037 				 * no timer running on this destination
9038 				 * restart it.
9039 				 */
9040 				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9041 			}
9042 			/* Now send it, if there is anything to send :> */
9043 			if ((error = sctp_lowlevel_chunk_output(inp,
9044 			                                        stcb,
9045 			                                        net,
9046 			                                        (struct sockaddr *)&net->ro._l_addr,
9047 			                                        outchain,
9048 			                                        auth_offset,
9049 			                                        auth,
9050 			                                        auth_keyid,
9051 			                                        no_fragmentflg,
9052 			                                        bundle_at,
9053 			                                        asconf,
9054 			                                        inp->sctp_lport, stcb->rport,
9055 			                                        htonl(stcb->asoc.peer_vtag),
9056 			                                        net->port, NULL,
9057 #if defined(__FreeBSD__)
9058 			                                        0, 0,
9059 #endif
9060 			                                        so_locked))) {
9061 				/* error, we could not output */
9062 				if (error == ENOBUFS) {
9063 					SCTP_STAT_INCR(sctps_lowlevelerr);
9064 					asoc->ifp_had_enobuf = 1;
9065 				}
9066 				if (from_where == 0) {
9067 					SCTP_STAT_INCR(sctps_lowlevelerrusr);
9068 				}
9069 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
9070 				if (hbflag) {
9071 					if (*now_filled == 0) {
9072 						(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
9073 						*now_filled = 1;
9074 						*now = net->last_sent_time;
9075 					} else {
9076 						net->last_sent_time = *now;
9077 					}
9078 					hbflag = 0;
9079 				}
9080 				if (error == EHOSTUNREACH) {
9081 					/*
9082 					 * Destination went unreachable
9083 					 * during this send
9084 					 */
9085 					sctp_move_chunks_from_net(stcb, net);
9086 				}
9087 				*reason_code = 6;
9088 				/*-
9089 				 * I add this line to be paranoid. As far as
9090 				 * I can tell the continue, takes us back to
9091 				 * the top of the for, but just to make sure
9092 				 * I will reset these again here.
9093 				 */
9094 				ctl_cnt = bundle_at = 0;
9095 				continue; /* This takes us back to the for() for the nets. */
9096 			} else {
9097 				asoc->ifp_had_enobuf = 0;
9098 			}
9099 			endoutchain = NULL;
9100 			auth = NULL;
9101 			auth_offset = 0;
9102 			if (bundle_at || hbflag) {
9103 				/* For data/asconf and hb set time */
9104 				if (*now_filled == 0) {
9105 					(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
9106 					*now_filled = 1;
9107 					*now = net->last_sent_time;
9108 				} else {
9109 					net->last_sent_time = *now;
9110 				}
9111 			}
9112 			if (!no_out_cnt) {
9113 				*num_out += (ctl_cnt + bundle_at);
9114 			}
9115 			if (bundle_at) {
9116 				/* setup for a RTO measurement */
9117 				tsns_sent = data_list[0]->rec.data.TSN_seq;
9118 				/* fill time if not already filled */
9119 				if (*now_filled == 0) {
9120 					(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
9121 					*now_filled = 1;
9122 					*now = asoc->time_last_sent;
9123 				} else {
9124 					asoc->time_last_sent = *now;
9125 				}
9126 				if (net->rto_needed) {
9127 					data_list[0]->do_rtt = 1;
9128 					net->rto_needed = 0;
9129 				}
9130 				SCTP_STAT_INCR_BY(sctps_senddata, bundle_at);
9131 				sctp_clean_up_datalist(stcb, asoc, data_list, bundle_at, net);
9132 			}
9133 			if (one_chunk) {
9134 				break;
9135 			}
9136 		}
9137 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9138 			sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_SEND);
9139 		}
9140 	}
9141 	if (old_start_at == NULL) {
9142 		old_start_at = start_at;
9143 		start_at = TAILQ_FIRST(&asoc->nets);
9144 		if (old_start_at)
9145 			goto again_one_more_time;
9146 	}
9147 
9148 	/*
9149 	 * At the end there should be no NON timed chunks hanging on this
9150 	 * queue.
9151 	 */
9152 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9153 		sctp_log_cwnd(stcb, net, *num_out, SCTP_CWND_LOG_FROM_SEND);
9154 	}
9155 	if ((*num_out == 0) && (*reason_code == 0)) {
9156 		*reason_code = 4;
9157 	} else {
9158 		*reason_code = 5;
9159 	}
9160 	sctp_clean_up_ctl(stcb, asoc, so_locked);
9161 	return (0);
9162 }
9163 
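void
sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *op_err)
{
	/*-
	 * Prepend an OPERATION-ERROR chunk header to op_err and put the
	 * result on the end of the control chunk queue, with no destination
	 * chosen yet (whoTo == NULL).
	 *
	 * op_err is consumed: it is either queued or released here (after a
	 * failed prepend it is already NULL). Every failure is silent; the
	 * error report is simply not sent.
	 */
	struct sctp_chunkhdr *hdr;
	struct sctp_tmit_chunk *chk;
	struct mbuf *mat;
	uint32_t chunk_length;

	SCTP_TCB_LOCK_ASSERT(stcb);
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		/* no memory */
		sctp_m_freem(op_err);
		return;
	}
	chk->copy_by_ref = 0;
	SCTP_BUF_PREPEND(op_err, sizeof(struct sctp_chunkhdr), M_NOWAIT);
	if (op_err == NULL) {
		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
		return;
	}
	/* Total length of the chain, header included. */
	chunk_length = 0;
	for (mat = op_err; mat != NULL; mat = SCTP_BUF_NEXT(mat)) {
		chunk_length += SCTP_BUF_LEN(mat);
	}
	if (chunk_length > 0xffff) {
		/*
		 * chunk_length goes on the wire through htons(), i.e. as 16
		 * bits. A longer chain would be announced with a truncated
		 * length that no longer matches the bytes queued, so drop
		 * the report instead of emitting a malformed chunk.
		 */
		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
		sctp_m_freem(op_err);
		return;
	}
	chk->send_size = chunk_length;
	chk->rec.chunk_id.id = SCTP_OPERATION_ERROR;
	chk->rec.chunk_id.can_take_data = 1;
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	chk->flags = 0;
	chk->asoc = &stcb->asoc;
	chk->data = op_err;
	chk->whoTo = NULL;
	hdr = mtod(op_err, struct sctp_chunkhdr *);
	hdr->chunk_type = SCTP_OPERATION_ERROR;
	hdr->chunk_flags = 0;
	hdr->chunk_length = htons(chk->send_size);
	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue,
	    chk,
	    sctp_next);
	chk->asoc->ctrl_queue_cnt++;
}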
9211 
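int
sctp_send_cookie_echo(struct mbuf *m,
    int offset,
    struct sctp_tcb *stcb,
    struct sctp_nets *net)
{
	/*-
	 * Pull the STATE-COOKIE parameter out of the chunk found at "offset"
	 * in m, rewrite it into a COOKIE-ECHO chunk and put it at the front
	 * of the control chunk queue, addressed to "net".
	 *
	 * Returns 0 on success, -3 when no usable cookie parameter is found
	 * (list exhausted or a malformed parameter length), -2 when the
	 * cookie cannot be copied and -5 when no chunk can be allocated.
	 */
	int at;
	int pad;
	struct mbuf *cookie;
	struct sctp_paramhdr parm, *phdr;
	struct sctp_chunkhdr *hdr;
	struct sctp_tmit_chunk *chk;
	uint16_t ptype, plen;

	SCTP_TCB_LOCK_ASSERT(stcb);

	/* First find the cookie in the param area */
	at = offset + sizeof(struct sctp_init_chunk);
	for (;;) {
		phdr = sctp_get_next_param(m, at, &parm, sizeof(parm));
		if (phdr == NULL) {
			/* Did not find the cookie */
			return (-3);
		}
		ptype = ntohs(phdr->param_type);
		plen = ntohs(phdr->param_length);
		if (plen < sizeof(struct sctp_paramhdr)) {
			/*
			 * The length is read off the wire. A value smaller
			 * than the parameter header is malformed: zero would
			 * leave "at" where it is and re-read this parameter
			 * forever, and a short cookie would be copied with
			 * less than the header that is rewritten below.
			 */
			return (-3);
		}
		if (ptype == SCTP_STATE_COOKIE) {
			break;
		}
		at += SCTP_SIZE32(plen);
	}

	/* found the cookie, round its length up to a multiple of 4 */
	pad = plen % 4;
	if (pad != 0) {
		if (plen > 0xffff - (4 - pad)) {
			/* padding would wrap the 16-bit length to a tiny value */
			return (-3);
		}
		plen += 4 - pad;
	}
	/*
	 * NOTE(review): the copy takes plen bytes starting at "at" without a
	 * packet length to compare against, and the padding bytes are
	 * whatever follows the parameter in m. This relies on the caller
	 * having validated the parameter list against the received length -
	 * confirm.
	 */
	cookie = SCTP_M_COPYM(m, at, plen, M_NOWAIT);
	if (cookie == NULL) {
		/* No memory */
		return (-2);
	}
#ifdef SCTP_MBUF_LOGGING
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
		struct mbuf *mat;

		for (mat = cookie; mat; mat = SCTP_BUF_NEXT(mat)) {
			if (SCTP_BUF_IS_EXTENDED(mat)) {
				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
			}
		}
	}
#endif
	/* ok, we got the cookie lets change it into a cookie echo chunk */

	/*
	 * first the change from param to cookie: only type and flags are
	 * rewritten, the length field is left as received
	 */
	hdr = mtod(cookie, struct sctp_chunkhdr *);
	hdr->chunk_type = SCTP_COOKIE_ECHO;
	hdr->chunk_flags = 0;
	/* get the chunk stuff now and place it in the FRONT of the queue */
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		/* no memory */
		sctp_m_freem(cookie);
		return (-5);
	}
	chk->copy_by_ref = 0;
	chk->send_size = plen;
	chk->rec.chunk_id.id = SCTP_COOKIE_ECHO;
	chk->rec.chunk_id.can_take_data = 0;
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
	chk->asoc = &stcb->asoc;
	chk->data = cookie;
	chk->whoTo = net;
	/* the queued chunk holds a reference on its destination */
	atomic_add_int(&chk->whoTo->ref_count, 1);
	TAILQ_INSERT_HEAD(&chk->asoc->control_send_queue, chk, sctp_next);
	chk->asoc->ctrl_queue_cnt++;
	return (0);
}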
9300 
void
sctp_send_heartbeat_ack(struct sctp_tcb *stcb,
    struct mbuf *m,
    int offset,
    int chk_length,
    struct sctp_nets *net)
{
	/*
	 * Copy the HB request found at "offset" in m, relabel the copy as a
	 * HB ack and queue it on the control chunk queue towards "net".
	 * Nothing is queued when net is NULL or memory runs out.
	 *
	 * NOTE(review): offset and chk_length are used as given; the caller
	 * is presumed to have checked them against the received packet -
	 * confirm.
	 */
	struct sctp_tmit_chunk *chk;
	struct sctp_chunkhdr *ack_hdr;
	struct mbuf *ack;
	int rem;

	if (net == NULL) {
		/* must have a net pointer */
		return;
	}
	ack = SCTP_M_COPYM(m, offset, chk_length, M_NOWAIT);
	if (ack == NULL) {
		/* gak out of memory */
		return;
	}
#ifdef SCTP_MBUF_LOGGING
	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
		struct mbuf *seg = ack;

		while (seg) {
			if (SCTP_BUF_IS_EXTENDED(seg)) {
				sctp_log_mb(seg, SCTP_MBUF_ICOPY);
			}
			seg = SCTP_BUF_NEXT(seg);
		}
	}
#endif
	/* the request becomes the ack: new type, cleared flags */
	ack_hdr = mtod(ack, struct sctp_chunkhdr *);
	ack_hdr->chunk_type = SCTP_HEARTBEAT_ACK;
	ack_hdr->chunk_flags = 0;

	rem = chk_length % 4;
	if (rem != 0) {
		/* need pad: zero bytes written right behind the chunk */
		uint32_t zeros = 0;

		m_copyback(ack, chk_length, 4 - rem, (caddr_t)&zeros);
	}
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		/* no memory */
		sctp_m_freem(ack);
		return;
	}
	chk->asoc = &stcb->asoc;
	chk->data = ack;
	chk->copy_by_ref = 0;
	/* send_size is the unpadded chunk length */
	chk->send_size = chk_length;
	chk->rec.chunk_id.id = SCTP_HEARTBEAT_ACK;
	chk->rec.chunk_id.can_take_data = 1;
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	chk->flags = 0;
	chk->whoTo = net;
	/* the queued chunk holds a reference on its destination */
	atomic_add_int(&chk->whoTo->ref_count, 1);
	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
	chk->asoc->ctrl_queue_cnt++;
}
9367 
void
sctp_send_cookie_ack(struct sctp_tcb *stcb)
{
	/*
	 * Build a COOKIE-ACK, which consists of a chunk header only, and
	 * append it to the control send queue of the association.
	 *
	 * The destination is the address the last control chunk came from;
	 * when the association has none recorded the chunk is queued with
	 * whoTo set to NULL.  On mbuf or chunk allocation failure nothing is
	 * queued and no error is reported.  The TCB lock must be held.
	 */
	struct sctp_tmit_chunk *tp;
	struct sctp_chunkhdr *ch;
	struct mbuf *ack_m;

	SCTP_TCB_LOCK_ASSERT(stcb);

	ack_m = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
	if (ack_m == NULL) {
		/* no mbuf available */
		return;
	}
	SCTP_BUF_RESV_UF(ack_m, SCTP_MIN_OVERHEAD);

	sctp_alloc_a_chunk(stcb, tp);
	if (tp == NULL) {
		/* no chunk descriptor, give the mbuf back */
		sctp_m_freem(ack_m);
		return;
	}

	/* descriptor */
	tp->data = ack_m;
	tp->send_size = sizeof(struct sctp_chunkhdr);
	tp->copy_by_ref = 0;
	tp->rec.chunk_id.id = SCTP_COOKIE_ACK;
	tp->rec.chunk_id.can_take_data = 1;
	tp->sent = SCTP_DATAGRAM_UNSENT;
	tp->snd_count = 0;
	tp->flags = 0;
	tp->asoc = &stcb->asoc;

	/* reply to where the last control chunk came from, if known */
	tp->whoTo = stcb->asoc.last_control_chunk_from;
	if (tp->whoTo != NULL) {
		atomic_add_int(&tp->whoTo->ref_count, 1);
	}

	/* wire format */
	ch = mtod(ack_m, struct sctp_chunkhdr *);
	ch->chunk_type = SCTP_COOKIE_ACK;
	ch->chunk_flags = 0;
	ch->chunk_length = htons(tp->send_size);
	SCTP_BUF_LEN(ack_m) = tp->send_size;

	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, tp, sctp_next);
	stcb->asoc.ctrl_queue_cnt++;
}
9414 
9415 
void
sctp_send_shutdown_ack(struct sctp_tcb *stcb, struct sctp_nets *net)
{
	/*
	 * Build a SHUTDOWN-ACK and append it to the control send queue of
	 * the association, addressed to net.  net may be NULL, in which case
	 * no destination reference is taken.  On mbuf or chunk allocation
	 * failure nothing is queued and no error is reported.
	 *
	 * The mbuf is requested for sizeof(struct sctp_shutdown_ack_chunk)
	 * while the length that is sent is sizeof(struct sctp_chunkhdr);
	 * presumably the two are equal -- confirm against the struct.
	 */
	struct sctp_shutdown_ack_chunk *wire;
	struct sctp_tmit_chunk *tp;
	struct mbuf *ack_m;

	ack_m = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_ack_chunk), 0, M_NOWAIT, 1, MT_HEADER);
	if (ack_m == NULL) {
		/* no mbuf available */
		return;
	}
	SCTP_BUF_RESV_UF(ack_m, SCTP_MIN_OVERHEAD);

	sctp_alloc_a_chunk(stcb, tp);
	if (tp == NULL) {
		/* no chunk descriptor, give the mbuf back */
		sctp_m_freem(ack_m);
		return;
	}

	/* descriptor */
	tp->data = ack_m;
	tp->send_size = sizeof(struct sctp_chunkhdr);
	tp->copy_by_ref = 0;
	tp->rec.chunk_id.id = SCTP_SHUTDOWN_ACK;
	tp->rec.chunk_id.can_take_data = 1;
	tp->sent = SCTP_DATAGRAM_UNSENT;
	tp->snd_count = 0;
	tp->flags = 0;
	tp->asoc = &stcb->asoc;
	tp->whoTo = net;
	if (net != NULL) {
		/* the queued chunk holds a reference on its destination */
		atomic_add_int(&net->ref_count, 1);
	}

	/* wire format */
	wire = mtod(ack_m, struct sctp_shutdown_ack_chunk *);
	wire->ch.chunk_type = SCTP_SHUTDOWN_ACK;
	wire->ch.chunk_flags = 0;
	wire->ch.chunk_length = htons(tp->send_size);
	SCTP_BUF_LEN(ack_m) = tp->send_size;

	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, tp, sctp_next);
	stcb->asoc.ctrl_queue_cnt++;
}
9458 
void
sctp_send_shutdown(struct sctp_tcb *stcb, struct sctp_nets *net)
{
	/*
	 * Build a SHUTDOWN carrying the association's cumulative TSN and
	 * append it to the control send queue, addressed to net.  net may be
	 * NULL, in which case no destination reference is taken.  On mbuf or
	 * chunk allocation failure nothing is queued and no error is
	 * reported.
	 */
	struct sctp_shutdown_chunk *wire;
	struct sctp_tmit_chunk *tp;
	struct mbuf *sd_m;

	sd_m = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_chunk), 0, M_NOWAIT, 1, MT_HEADER);
	if (sd_m == NULL) {
		/* no mbuf available */
		return;
	}
	SCTP_BUF_RESV_UF(sd_m, SCTP_MIN_OVERHEAD);

	sctp_alloc_a_chunk(stcb, tp);
	if (tp == NULL) {
		/* no chunk descriptor, give the mbuf back */
		sctp_m_freem(sd_m);
		return;
	}

	/* descriptor */
	tp->data = sd_m;
	tp->send_size = sizeof(struct sctp_shutdown_chunk);
	tp->copy_by_ref = 0;
	tp->rec.chunk_id.id = SCTP_SHUTDOWN;
	tp->rec.chunk_id.can_take_data = 1;
	tp->sent = SCTP_DATAGRAM_UNSENT;
	tp->snd_count = 0;
	tp->flags = 0;
	tp->asoc = &stcb->asoc;
	tp->whoTo = net;
	if (net != NULL) {
		/* the queued chunk holds a reference on its destination */
		atomic_add_int(&net->ref_count, 1);
	}

	/* wire format, multi-byte fields in network byte order */
	wire = mtod(sd_m, struct sctp_shutdown_chunk *);
	wire->ch.chunk_type = SCTP_SHUTDOWN;
	wire->ch.chunk_flags = 0;
	wire->ch.chunk_length = htons(tp->send_size);
	wire->cumulative_tsn_ack = htonl(stcb->asoc.cumulative_tsn);
	SCTP_BUF_LEN(sd_m) = tp->send_size;

	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, tp, sctp_next);
	stcb->asoc.ctrl_queue_cnt++;
}
9502 
void
sctp_send_asconf(struct sctp_tcb *stcb, struct sctp_nets *net, int addr_locked)
{
	/*
	 * Compose an ASCONF with sctp_compose_asconf() and append it to the
	 * ASCONF send queue of the association, addressed to net (which may
	 * be NULL).  addr_locked is handed through to sctp_compose_asconf()
	 * unchanged.
	 *
	 * Nothing is queued when an ASCONF is already queued and the endpoint
	 * does not have SCTP_PCB_FLAGS_MULTIPLE_ASCONFS on, when no ASCONF
	 * could be composed, or when no chunk descriptor is available.
	 * The TCB lock must be held.
	 */
	struct sctp_tmit_chunk *tp;
	struct mbuf *asconf_m;
	int asconf_len;

	SCTP_TCB_LOCK_ASSERT(stcb);

	if (!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue)) {
		if (!sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_MULTIPLE_ASCONFS)) {
			/* one is in flight already and only one is allowed */
			return;
		}
	}

	/* compose an ASCONF chunk, maximum length is PMTU */
	asconf_m = sctp_compose_asconf(stcb, &asconf_len, addr_locked);
	if (asconf_m == NULL) {
		return;
	}

	sctp_alloc_a_chunk(stcb, tp);
	if (tp == NULL) {
		/* no chunk descriptor, drop the composed ASCONF */
		sctp_m_freem(asconf_m);
		return;
	}

	tp->data = asconf_m;
	tp->send_size = asconf_len;
	tp->copy_by_ref = 0;
	tp->rec.chunk_id.id = SCTP_ASCONF;
	tp->rec.chunk_id.can_take_data = 0;
	tp->sent = SCTP_DATAGRAM_UNSENT;
	tp->snd_count = 0;
	tp->flags = CHUNK_FLAGS_FRAGMENT_OK;
	tp->asoc = &stcb->asoc;
	tp->whoTo = net;
	if (net != NULL) {
		/* the queued chunk holds a reference on its destination */
		atomic_add_int(&net->ref_count, 1);
	}

	/* queued on the ASCONF queue, counted in the control queue counter */
	TAILQ_INSERT_TAIL(&stcb->asoc.asconf_send_queue, tp, sctp_next);
	stcb->asoc.ctrl_queue_cnt++;
}
9552 
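void
sctp_send_asconf_ack(struct sctp_tcb *stcb)
{
	/*
	 * Queue a copy of every stored ASCONF-ACK (the entries of
	 * stcb->asoc.asconf_ack_sent that still have data) on the control
	 * send queue of the association.
	 *
	 * Destination: normally the address the last control chunk came
	 * from.  If the newest stored ASCONF-ACK was already sent to that
	 * address this is treated as a retransmission and
	 * sctp_find_alternate_net() is asked for another address first.
	 * Without a recorded source the association's alternate, then its
	 * primary destination, is used.  The chosen destination is recorded
	 * in the newest entry's last_sent_to.
	 *
	 * Nothing is reported to the caller.  If a copy or a chunk
	 * allocation fails the function returns at once; chunks queued by
	 * earlier iterations stay queued.  The TCB lock must be held.
	 */
	struct sctp_tmit_chunk *chk;
	struct sctp_asconf_ack *ack, *latest_ack;
	struct mbuf *m_ack;
	struct sctp_nets *net = NULL;
	struct sctp_nets *from;

	SCTP_TCB_LOCK_ASSERT(stcb);
	/* Get the latest ASCONF-ACK */
	latest_ack = TAILQ_LAST(&stcb->asoc.asconf_ack_sent, sctp_asconf_ackhead);
	if (latest_ack == NULL) {
		return;
	}
	from = stcb->asoc.last_control_chunk_from;
	if ((latest_ack->last_sent_to != NULL) &&
	    (latest_ack->last_sent_to == from)) {
		/* we're doing a retransmission, try another address first */
		net = sctp_find_alternate_net(stcb, from, 0);
	}
	if (net == NULL) {
		/* normal case, or no alternate was found */
		if (from != NULL) {
			net = from;
		} else if (stcb->asoc.alternate) {
			net = stcb->asoc.alternate;
		} else {
			net = stcb->asoc.primary_destination;
		}
	}
	latest_ack->last_sent_to = net;

	TAILQ_FOREACH(ack, &stcb->asoc.asconf_ack_sent, next) {
		if (ack->data == NULL) {
			continue;
		}

		/* copy the asconf_ack, the stored one stays on the list */
		m_ack = SCTP_M_COPYM(ack->data, 0, M_COPYALL, M_NOWAIT);
		if (m_ack == NULL) {
			/* couldn't copy it */
			return;
		}
#ifdef SCTP_MBUF_LOGGING
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
			struct mbuf *mat;

			for (mat = m_ack; mat; mat = SCTP_BUF_NEXT(mat)) {
				if (SCTP_BUF_IS_EXTENDED(mat)) {
					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
				}
			}
		}
#endif

		sctp_alloc_a_chunk(stcb, chk);
		if (chk == NULL) {
			/* no memory; m_ack is known to be non-NULL here */
			sctp_m_freem(m_ack);
			return;
		}
		chk->copy_by_ref = 0;

		chk->whoTo = net;
		if (chk->whoTo) {
			/* the queued chunk holds a reference on its destination */
			atomic_add_int(&chk->whoTo->ref_count, 1);
		}
		chk->data = m_ack;
		chk->send_size = ack->len;
		chk->rec.chunk_id.id = SCTP_ASCONF_ACK;
		chk->rec.chunk_id.can_take_data = 1;
		chk->sent = SCTP_DATAGRAM_UNSENT;
		chk->snd_count = 0;
		/*
		 * Assign the flags outright, as every other sender in this
		 * file does.  OR-ing into the field read whatever value the
		 * freshly allocated descriptor happened to hold, so a reused
		 * descriptor could have carried stale flag bits along.
		 */
		chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
		chk->asoc = &stcb->asoc;

		TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
		chk->asoc->ctrl_queue_cnt++;
	}
	return;
}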
9653 
9654 
static int
sctp_chunk_retransmission(struct sctp_inpcb *inp,
    struct sctp_tcb *stcb,
    struct sctp_association *asoc,
    int *cnt_out, struct timeval *now, int *now_filled, int *fr_done, int so_locked
#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
    SCTP_UNUSED
#endif
    )
{
	/*-
	 * send out one MTU of retransmission. If fast_retransmit is
	 * happening we ignore the cwnd. Otherwise we obey the cwnd and
	 * rwnd. For a Cookie or Asconf in the control chunk queue we
	 * retransmit them by themselves.
	 *
	 * For data chunks we will pick out the lowest TSN's in the sent_queue
	 * marked for resend and bundle them all together (up to a MTU of
	 * destination). The address to send to should have been
	 * selected/changed where the retransmission was marked (i.e. in FR
	 * or t3-timeout routines).
	 *
	 * Outputs: *cnt_out is set to the number of chunks handed to the
	 * lower layer, *fr_done is set to 1 when a chunk doing fast
	 * retransmit was picked, and *now / *now_filled cache the send time
	 * between calls.
	 *
	 * Return values as produced below:
	 *   0                  both queues were empty, a control chunk was
	 *                      sent, or the data loop finished
	 *   1                  association not open yet, no room in the
	 *                      peer's rwnd, or nothing fitted
	 *   SCTP_RETRAN_DONE   sent_queue is empty
	 *   SCTP_RETRAN_EXIT   the association was aborted because a chunk
	 *                      reached sctp_max_retran_chunk sends
	 *   ENOMEM             a chunk could not be copied into the packet
	 *   other non-zero     error from sctp_lowlevel_chunk_output()
	 */
	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
	struct sctp_tmit_chunk *chk, *fwd;
	struct mbuf *m, *endofchain;
	struct sctp_nets *net = NULL;
	uint32_t tsns_sent = 0;
	int no_fragmentflg, bundle_at, cnt_thru;
	unsigned int mtu;
	int error, i, one_chunk, fwd_tsn, ctl_cnt, tmr_started;
	struct sctp_auth_chunk *auth = NULL;
	uint32_t auth_offset = 0;
	uint16_t auth_keyid;
	int override_ok = 1;
	int data_auth_reqd = 0;
	uint32_t dmtu = 0;

#if defined(__APPLE__)
	if (so_locked) {
		sctp_lock_assert(SCTP_INP_SO(inp));
	} else {
		sctp_unlock_assert(SCTP_INP_SO(inp));
	}
#endif
	SCTP_TCB_LOCK_ASSERT(stcb);
	tmr_started = ctl_cnt = bundle_at = error = 0;
	no_fragmentflg = 1;
	fwd_tsn = 0;
	*cnt_out = 0;
	fwd = NULL;
	endofchain = m = NULL;
	auth_keyid = stcb->asoc.authinfo.active_keyid;
#ifdef SCTP_AUDITING_ENABLED
	sctp_audit_log(0xC3, 1);
#endif
	if ((TAILQ_EMPTY(&asoc->sent_queue)) &&
	    (TAILQ_EMPTY(&asoc->control_send_queue))) {
		SCTPDBG(SCTP_DEBUG_OUTPUT1,"SCTP hits empty queue with cnt set to %d?\n",
			asoc->sent_queue_retran_cnt);
		asoc->sent_queue_cnt = 0;
		asoc->sent_queue_cnt_removeable = 0;
		/* send back 0/0 so we enter normal transmission */
		*cnt_out = 0;
		return (0);
	}
	/*
	 * Look for the first COOKIE-ECHO, STREAM-RESET or FORWARD-TSN on the
	 * control queue that is marked for resend.  The loop stops at the
	 * first match, so at most one control chunk is put into the packet.
	 */
	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
		if ((chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) ||
		    (chk->rec.chunk_id.id == SCTP_STREAM_RESET) ||
		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)) {
			if (chk->sent != SCTP_DATAGRAM_RESEND) {
				continue;
			}
			if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
				if (chk != asoc->str_reset) {
					/*
					 * not eligible for retran if its
					 * not ours
					 */
					continue;
				}
			}
			ctl_cnt++;
			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
				fwd_tsn = 1;
			}
			/*
			 * Add an AUTH chunk, if chunk requires it save the
			 * offset into the chain for AUTH
			 */
			if ((auth == NULL) &&
			    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
							 stcb->asoc.peer_auth_chunks))) {
				m = sctp_add_auth_chunk(m, &endofchain,
							&auth, &auth_offset,
							stcb,
							chk->rec.chunk_id.id);
				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
			}
			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
			break;
		}
	}
	one_chunk = 0;
	cnt_thru = 0;
	/* do we have control chunks to retransmit? */
	if (m != NULL) {
		/*
		 * m is only ever set on the iteration that left the loop
		 * above through break, so chk still points at the selected
		 * control chunk here and is not the end-of-list NULL.
		 */
		/* Start a timer no matter if we succeed or fail */
		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
			sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, chk->whoTo);
		} else if (chk->rec.chunk_id.id == SCTP_ASCONF)
			/*
			 * NOTE(review): the loop above never selects an
			 * SCTP_ASCONF chunk, so this branch looks unreachable
			 * from here.
			 */
			sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, chk->whoTo);
		chk->snd_count++;	/* update our count */
		/*
		 * NOTE(review): chk->whoTo is dereferenced without a NULL
		 * check; presumably the three chunk types selected above are
		 * always queued with a destination -- confirm.
		 */
		if ((error = sctp_lowlevel_chunk_output(inp, stcb, chk->whoTo,
		                                        (struct sockaddr *)&chk->whoTo->ro._l_addr, m,
		                                        auth_offset, auth, stcb->asoc.authinfo.active_keyid,
		                                        no_fragmentflg, 0, 0,
		                                        inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
		                                        chk->whoTo->port, NULL,
#if defined(__FreeBSD__)
		                                        0, 0,
#endif
		                                        so_locked))) {
			SCTP_STAT_INCR(sctps_lowlevelerr);
			return (error);
		}
		endofchain = NULL;
		auth = NULL;
		auth_offset = 0;
		/*
		 * We don't want to mark the net->sent time here since this
		 * we use this for HB and retrans cannot measure RTT
		 */
		/* (void)SCTP_GETTIME_TIMEVAL(&chk->whoTo->last_sent_time); */
		*cnt_out += 1;
		chk->sent = SCTP_DATAGRAM_SENT;
		sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
		if (fwd_tsn == 0) {
			return (0);
		} else {
			/* Clean up the fwd-tsn list */
			sctp_clean_up_ctl(stcb, asoc, so_locked);
			return (0);
		}
	}
	/*
	 * Ok, it is just data retransmission we need to do or that and a
	 * fwd-tsn with it all.
	 */
	if (TAILQ_EMPTY(&asoc->sent_queue)) {
		return (SCTP_RETRAN_DONE);
	}
	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) ||
	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT)) {
		/* not yet open, resend the cookie and that is it */
		return (1);
	}
#ifdef SCTP_AUDITING_ENABLED
	sctp_auditing(20, inp, stcb, NULL);
#endif
	/* whether the peer asked for DATA chunks to be authenticated */
	data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks);
	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
		if (chk->sent != SCTP_DATAGRAM_RESEND) {
			/* No, not sent to this net or not ready for rtx */
			continue;
		}
		if (chk->data == NULL) {
			SCTP_PRINTF("TSN:%x chk->snd_count:%d chk->sent:%d can't retran - no data\n",
			            chk->rec.data.TSN_seq, chk->snd_count, chk->sent);
			continue;
		}
		/*
		 * A sctp_max_retran_chunk of 0 disables this limit.  When it
		 * is set, a chunk that has already been sent that many times
		 * aborts the association instead of being sent again.
		 */
		if ((SCTP_BASE_SYSCTL(sctp_max_retran_chunk)) &&
		    (chk->snd_count >= SCTP_BASE_SYSCTL(sctp_max_retran_chunk))) {
			/* Gak, we have exceeded max unlucky retran, abort! */
			SCTP_PRINTF("Gak, chk->snd_count:%d >= max:%d - send abort\n",
				    chk->snd_count,
				    SCTP_BASE_SYSCTL(sctp_max_retran_chunk));
			/*
			 * NOTE(review): the refcnt is raised around the abort
			 * and the TCB lock is taken again afterwards;
			 * presumably the abort path drops the lock and the
			 * reference keeps the association alive until then
			 * -- confirm against sctp_abort_an_association().
			 */
			atomic_add_int(&stcb->asoc.refcnt, 1);
			sctp_abort_an_association(stcb->sctp_ep, stcb, NULL, so_locked);
			SCTP_TCB_LOCK(stcb);
			atomic_subtract_int(&stcb->asoc.refcnt, 1);
			return (SCTP_RETRAN_EXIT);
		}
		/* pick up the net */
		/*
		 * NOTE(review): net is dereferenced right away; assumes every
		 * chunk on the sent_queue has a destination -- confirm.
		 */
		net = chk->whoTo;
		/*
		 * Payload room for this destination: path MTU minus the
		 * per-family overhead.  mtu is unsigned, so this assumes
		 * net->mtu is never smaller than the overhead subtracted --
		 * TODO confirm where net->mtu is set.
		 */
		switch (net->ro._l_addr.sa.sa_family) {
#ifdef INET
			case AF_INET:
				mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
				break;
#endif
#ifdef INET6
			case AF_INET6:
				mtu = net->mtu - SCTP_MIN_OVERHEAD;
				break;
#endif
#if defined(__Userspace__)
			case AF_CONN:
				mtu = net->mtu - sizeof(struct sctphdr);
				break;
#endif
			default:
				/* TSNH */
				mtu = net->mtu;
				break;
		}

		if ((asoc->peers_rwnd < mtu) && (asoc->total_flight > 0)) {
			/* No room in peers rwnd */
			uint32_t tsn;

			tsn = asoc->last_acked_seq + 1;
			if (tsn == chk->rec.data.TSN_seq) {
				/*
				 * we make a special exception for this
				 * case. The peer has no rwnd but is missing
				 * the lowest chunk.. which is probably what
				 * is holding up the rwnd.
				 */
				goto one_chunk_around;
			}
			return (1);
		}
	one_chunk_around:
		if (asoc->peers_rwnd < mtu) {
			/* send this chunk alone, nothing is bundled after it */
			one_chunk = 1;
			if ((asoc->peers_rwnd == 0) &&
			    (asoc->total_flight == 0)) {
				chk->window_probe = 1;
				chk->whoTo->window_probe = 1;
			}
		}
#ifdef SCTP_AUDITING_ENABLED
		sctp_audit_log(0xC3, 2);
#endif
		/* start a fresh bundle for this destination */
		bundle_at = 0;
		m = NULL;
		net->fast_retran_ip = 0;
		if (chk->rec.data.doing_fast_retransmit == 0) {
			/*
			 * if no FR in progress skip destination that have
			 * flight_size > cwnd.
			 */
			if (net->flight_size >= net->cwnd) {
				continue;
			}
		} else {
			/*
			 * Mark the destination net to have FR recovery
			 * limits put on it.
			 */
			*fr_done = 1;
			net->fast_retran_ip = 1;
		}

		/*
		 * if no AUTH is yet included and this chunk requires it,
		 * make sure to account for it.  We don't apply the size
		 * until the AUTH chunk is actually added below in case
		 * there is no room for this chunk.
		 */
		if (data_auth_reqd && (auth == NULL)) {
			dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
		} else
			dmtu = 0;

		/*
		 * NOTE(review): mtu - dmtu is an unsigned subtraction; if
		 * dmtu were larger than mtu it would wrap and the size test
		 * would pass -- TODO confirm mtu always exceeds the AUTH
		 * chunk length here.
		 */
		if ((chk->send_size <= (mtu - dmtu)) ||
		    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
			/* ok we will add this one */
			if (data_auth_reqd) {
				if (auth == NULL) {
					m = sctp_add_auth_chunk(m,
								&endofchain,
								&auth,
								&auth_offset,
								stcb,
								SCTP_DATA);
					auth_keyid = chk->auth_keyid;
					override_ok = 0;
					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
				} else if (override_ok) {
					auth_keyid = chk->auth_keyid;
					override_ok = 0;
				} else if (chk->auth_keyid != auth_keyid) {
					/* different keyid, so done bundling */
					break;
				}
			}
			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
			if (m == NULL) {
				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
				return (ENOMEM);
			}
			/* Do clear IP_DF ? */
			if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
				no_fragmentflg = 0;
			}
			/* update our MTU size, clamping at 0 instead of wrapping */
			if (mtu > (chk->send_size + dmtu))
				mtu -= (chk->send_size + dmtu);
			else
				mtu = 0;
			/*
			 * bundle_at was reset to 0 above, so this store goes
			 * to data_list[0].
			 */
			data_list[bundle_at++] = chk;
			if (one_chunk && (asoc->total_flight <= 0)) {
				SCTP_STAT_INCR(sctps_windowprobed);
			}
		}
		if (one_chunk == 0) {
			/*
			 * now are there anymore forward from chk to pick
			 * up?
			 */
			for (fwd = TAILQ_NEXT(chk, sctp_next); fwd != NULL; fwd = TAILQ_NEXT(fwd, sctp_next)) {
				if (fwd->sent != SCTP_DATAGRAM_RESEND) {
					/* Nope, not for retran */
					continue;
				}
				if (fwd->whoTo != net) {
					/* Nope, not the net in question */
					continue;
				}
				if (data_auth_reqd && (auth == NULL)) {
					dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
				} else
					dmtu = 0;
				/*
				 * NOTE(review): same unsigned mtu - dmtu as
				 * above; mtu may already have been reduced by
				 * the first chunk at this point.
				 */
				if (fwd->send_size <= (mtu - dmtu)) {
					if (data_auth_reqd) {
						if (auth == NULL) {
							m = sctp_add_auth_chunk(m,
										&endofchain,
										&auth,
										&auth_offset,
										stcb,
										SCTP_DATA);
							auth_keyid = fwd->auth_keyid;
							override_ok = 0;
							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
						} else if (override_ok) {
							auth_keyid = fwd->auth_keyid;
							override_ok = 0;
						} else if (fwd->auth_keyid != auth_keyid) {
							/* different keyid, so done bundling */
							break;
						}
					}
					m = sctp_copy_mbufchain(fwd->data, m, &endofchain, 0, fwd->send_size, fwd->copy_by_ref);
					if (m == NULL) {
						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
						return (ENOMEM);
					}
					/* Do clear IP_DF ? */
					if (fwd->flags & CHUNK_FLAGS_FRAGMENT_OK) {
						no_fragmentflg = 0;
					}
					/* update our MTU size, clamping at 0 instead of wrapping */
					if (mtu > (fwd->send_size + dmtu))
						mtu -= (fwd->send_size + dmtu);
					else
						mtu = 0;
					/*
					 * The bound is tested after the store,
					 * so data_list stays in bounds as long
					 * as SCTP_MAX_DATA_BUNDLING is at
					 * least 2 (slot 0 may already be taken
					 * by chk).
					 */
					data_list[bundle_at++] = fwd;
					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
						break;
					}
				} else {
					/* can't fit so we are done */
					break;
				}
			}
		}
		/* Is there something to send for this destination? */
		if (m) {
			/*
			 * No matter if we fail/or succeed we should start a
			 * timer. A failure is like a lost IP packet :-)
			 */
			if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
				/*
				 * no timer running on this destination
				 * restart it.
				 */
				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
				tmr_started = 1;
			}
			/* Now lets send it, if there is anything to send :> */
			if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
			                                        (struct sockaddr *)&net->ro._l_addr, m,
			                                        auth_offset, auth, auth_keyid,
			                                        no_fragmentflg, 0, 0,
			                                        inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
			                                        net->port, NULL,
#if defined(__FreeBSD__)
			                                        0, 0,
#endif
			                                        so_locked))) {
				/* error, we could not output */
				SCTP_STAT_INCR(sctps_lowlevelerr);
				return (error);
			}
			endofchain = NULL;
			auth = NULL;
			auth_offset = 0;
			/* For HB's */
			/*
			 * We don't want to mark the net->sent time here
			 * since this we use this for HB and retrans cannot
			 * measure RTT
			 */
			/* (void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time); */

			/* For auto-close */
			cnt_thru++;
			/* read the clock once and share it through *now */
			if (*now_filled == 0) {
				(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
				*now = asoc->time_last_sent;
				*now_filled = 1;
			} else {
				asoc->time_last_sent = *now;
			}
			*cnt_out += bundle_at;
#ifdef SCTP_AUDITING_ENABLED
			sctp_audit_log(0xC4, bundle_at);
#endif
			if (bundle_at) {
				tsns_sent = data_list[0]->rec.data.TSN_seq;
			}
			/* book-keeping for every chunk that went into the packet */
			for (i = 0; i < bundle_at; i++) {
				SCTP_STAT_INCR(sctps_sendretransdata);
				data_list[i]->sent = SCTP_DATAGRAM_SENT;
				/*
				 * When we have a revoked data, and we
				 * retransmit it, then we clear the revoked
				 * flag since this flag dictates if we
				 * subtracted from the fs
				 */
				if (data_list[i]->rec.data.chunk_was_revoked) {
					/* Deflate the cwnd */
					data_list[i]->whoTo->cwnd -= data_list[i]->book_size;
					data_list[i]->rec.data.chunk_was_revoked = 0;
				}
				data_list[i]->snd_count++;
				sctp_ucount_decr(asoc->sent_queue_retran_cnt);
				/* record the time */
				data_list[i]->sent_rcv_time = asoc->time_last_sent;
				if (data_list[i]->book_size_scale) {
					/*
					 * need to double the book size on
					 * this one
					 */
					data_list[i]->book_size_scale = 0;
					/* Since we double the booksize, we must
					 * also double the output queue size, since this
					 * get shrunk when we free by this amount.
					 */
					atomic_add_int(&((asoc)->total_output_queue_size),data_list[i]->book_size);
					data_list[i]->book_size *= 2;


				} else {
					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
						sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
						      asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
					}
					asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
									    (uint32_t) (data_list[i]->send_size +
											SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
				}
				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
					sctp_misc_ints(SCTP_FLIGHT_LOG_UP_RSND,
						       data_list[i]->whoTo->flight_size,
						       data_list[i]->book_size,
						       (uintptr_t)data_list[i]->whoTo,
						       data_list[i]->rec.data.TSN_seq);
				}
				sctp_flight_size_increase(data_list[i]);
				sctp_total_flight_increase(stcb, data_list[i]);
				if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
					/* SWS sender side engages */
					asoc->peers_rwnd = 0;
				}
				if ((i == 0) &&
				    (data_list[i]->rec.data.doing_fast_retransmit)) {
					SCTP_STAT_INCR(sctps_sendfastretrans);
					if ((data_list[i] == TAILQ_FIRST(&asoc->sent_queue)) &&
					    (tmr_started == 0)) {
						/*-
						 * ok we just fast-retrans'd
						 * the lowest TSN, i.e the
						 * first on the list. In
						 * this case we want to give
						 * some more time to get a
						 * SACK back without a
						 * t3-expiring.
						 */
						sctp_timer_stop(SCTP_TIMER_TYPE_SEND, inp, stcb, net,
								SCTP_FROM_SCTP_OUTPUT+SCTP_LOC_4);
						sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
					}
				}
			}
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
				sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_RESEND);
			}
#ifdef SCTP_AUDITING_ENABLED
			sctp_auditing(21, inp, stcb, NULL);
#endif
		} else {
			/* None will fit */
			return (1);
		}
		if (asoc->sent_queue_retran_cnt <= 0) {
			/* all done we have no more to retran */
			asoc->sent_queue_retran_cnt = 0;
			break;
		}
		if (one_chunk) {
			/* No more room in rwnd */
			return (1);
		}
		/* stop the for loop here. we sent out a packet */
		break;
	}
	return (0);
}
10177 
static void
sctp_timer_validation(struct sctp_inpcb *inp,
    struct sctp_tcb *stcb,
    struct sctp_association *asoc)
{
	/*
	 * Make sure a retransmission timer is pending on at least one
	 * destination of the association.  If none is, a SEND timer is
	 * started on the alternate destination when one is set, otherwise on
	 * the primary destination.
	 */
	struct sctp_nets *dest;
	struct sctp_nets *fallback;

	TAILQ_FOREACH(dest, &asoc->nets, sctp_next) {
		if (SCTP_OS_TIMER_PENDING(&dest->rxt_timer.timer)) {
			/* a timer is pending, nothing to repair */
			return;
		}
	}
	SCTP_TCB_LOCK_ASSERT(stcb);
	/* no destination had a timer pending */
	SCTPDBG(SCTP_DEBUG_OUTPUT3, "Deadlock avoided starting timer on a dest at retran\n");
	fallback = asoc->alternate ? asoc->alternate : asoc->primary_destination;
	sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, fallback);
}
10202 
10203 void
10204 sctp_chunk_output (struct sctp_inpcb *inp,
10205     struct sctp_tcb *stcb,
10206     int from_where,
10207     int so_locked
10208 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
10209     SCTP_UNUSED
10210 #endif
10211     )
10212 {
10213 	/*-
10214 	 * Ok this is the generic chunk service queue. we must do the
10215 	 * following:
10216 	 * - See if there are retransmits pending, if so we must
10217 	 *   do these first.
10218 	 * - Service the stream queue that is next, moving any
10219 	 *   message (note I must get a complete message i.e.
10220 	 *   FIRST/MIDDLE and LAST to the out queue in one pass) and assigning
10221 	 *   TSN's
10222 	 * - Check to see if the cwnd/rwnd allows any output, if so we
10223 	 *   go ahead and fomulate and send the low level chunks. Making sure
10224 	 *   to combine any control in the control chunk queue also.
10225 	 */
10226 	struct sctp_association *asoc;
10227 	struct sctp_nets *net;
10228 	int error = 0, num_out = 0, tot_out = 0, ret = 0, reason_code = 0;
10229 	unsigned int burst_cnt = 0;
10230 	struct timeval now;
10231 	int now_filled = 0;
10232 	int nagle_on;
10233 	int frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
10234 	int un_sent = 0;
10235 	int fr_done;
10236 	unsigned int tot_frs = 0;
10237 
10238 #if defined(__APPLE__)
10239 	if (so_locked) {
10240 		sctp_lock_assert(SCTP_INP_SO(inp));
10241 	} else {
10242 		sctp_unlock_assert(SCTP_INP_SO(inp));
10243 	}
10244 #endif
10245 	asoc = &stcb->asoc;
10246 	/* The Nagle algorithm is only applied when handling a send call. */
10247 	if (from_where == SCTP_OUTPUT_FROM_USR_SEND) {
10248 		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NODELAY)) {
10249 			nagle_on = 0;
10250 		} else {
10251 			nagle_on = 1;
10252 		}
10253 	} else {
10254 		nagle_on = 0;
10255 	}
10256 	SCTP_TCB_LOCK_ASSERT(stcb);
10257 
10258 	un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
10259 
10260 	if ((un_sent <= 0) &&
10261 	    (TAILQ_EMPTY(&asoc->control_send_queue)) &&
10262 	    (TAILQ_EMPTY(&asoc->asconf_send_queue)) &&
10263 	    (asoc->sent_queue_retran_cnt == 0)) {
10264 		/* Nothing to do unless there is something to be sent left */
10265 		return;
10266 	}
10267 	/* Do we have something to send, data or control AND
10268 	 * a sack timer running, if so piggy-back the sack.
10269 	 */
10270  	if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
10271 		sctp_send_sack(stcb, so_locked);
10272 		(void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer);
10273 	}
10274 	while (asoc->sent_queue_retran_cnt) {
10275 		/*-
10276 		 * Ok, it is retransmission time only, we send out only ONE
10277 		 * packet with a single call off to the retran code.
10278 		 */
10279 		if (from_where == SCTP_OUTPUT_FROM_COOKIE_ACK) {
10280 			/*-
10281 			 * Special hook for handling cookiess discarded
10282 			 * by peer that carried data. Send cookie-ack only
10283 			 * and then the next call with get the retran's.
10284 			 */
10285  			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
10286 						    from_where,
10287 						    &now, &now_filled, frag_point, so_locked);
10288 			return;
10289 		} else if (from_where != SCTP_OUTPUT_FROM_HB_TMR) {
10290 			/* if its not from a HB then do it */
10291 			fr_done = 0;
10292 			ret = sctp_chunk_retransmission(inp, stcb, asoc, &num_out, &now, &now_filled, &fr_done, so_locked);
10293 			if (fr_done) {
10294 				tot_frs++;
10295 			}
10296 		} else {
10297 			/*
10298 			 * its from any other place, we don't allow retran
10299 			 * output (only control)
10300 			 */
10301 			ret = 1;
10302 		}
10303 		if (ret > 0) {
10304 			/* Can't send anymore */
10305 			/*-
10306 			 * now lets push out control by calling med-level
10307 			 * output once. this assures that we WILL send HB's
10308 			 * if queued too.
10309 			 */
10310 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
10311 						    from_where,
10312 						    &now, &now_filled, frag_point, so_locked);
10313 #ifdef SCTP_AUDITING_ENABLED
10314 			sctp_auditing(8, inp, stcb, NULL);
10315 #endif
10316 			sctp_timer_validation(inp, stcb, asoc);
10317 			return;
10318 		}
10319 		if (ret < 0) {
10320 			/*-
10321 			 * The count was off.. retran is not happening so do
10322 			 * the normal retransmission.
10323 			 */
10324 #ifdef SCTP_AUDITING_ENABLED
10325 			sctp_auditing(9, inp, stcb, NULL);
10326 #endif
10327 			if (ret == SCTP_RETRAN_EXIT) {
10328 				return;
10329 			}
10330 			break;
10331 		}
10332 		if (from_where == SCTP_OUTPUT_FROM_T3) {
10333 			/* Only one transmission allowed out of a timeout */
10334 #ifdef SCTP_AUDITING_ENABLED
10335 			sctp_auditing(10, inp, stcb, NULL);
10336 #endif
10337 			/* Push out any control */
10338 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1, from_where,
10339 						    &now, &now_filled, frag_point, so_locked);
10340 			return;
10341 		}
10342 		if ((asoc->fr_max_burst > 0) && (tot_frs >= asoc->fr_max_burst)) {
10343 			/* Hit FR burst limit */
10344 			return;
10345 		}
10346 		if ((num_out == 0) && (ret == 0)) {
10347 			/* No more retrans to send */
10348 			break;
10349 		}
10350 	}
10351 #ifdef SCTP_AUDITING_ENABLED
10352 	sctp_auditing(12, inp, stcb, NULL);
10353 #endif
10354 	/* Check for bad destinations, if they exist move chunks around. */
10355 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
10356 		if (!(net->dest_state & SCTP_ADDR_REACHABLE)) {
10357 			/*-
10358 			 * if possible move things off of this address we
10359 			 * still may send below due to the dormant state but
10360 			 * we try to find an alternate address to send to
10361 			 * and if we have one we move all queued data on the
10362 			 * out wheel to this alternate address.
10363 			 */
10364 			if (net->ref_count > 1)
10365 				sctp_move_chunks_from_net(stcb, net);
10366 		} else {
10367 			/*-
10368 			 * if ((asoc->sat_network) || (net->addr_is_local))
10369 			 * { burst_limit = asoc->max_burst *
10370 			 * SCTP_SAT_NETWORK_BURST_INCR; }
10371 			 */
10372 			if (asoc->max_burst > 0) {
10373 				if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst)) {
10374 					if ((net->flight_size + (asoc->max_burst * net->mtu)) < net->cwnd) {
10375 						/* JRS - Use the congestion control given in the congestion control module */
10376 						asoc->cc_functions.sctp_cwnd_update_after_output(stcb, net, asoc->max_burst);
10377 						if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10378 							sctp_log_maxburst(stcb, net, 0, asoc->max_burst, SCTP_MAX_BURST_APPLIED);
10379 						}
10380 						SCTP_STAT_INCR(sctps_maxburstqueued);
10381 					}
10382 					net->fast_retran_ip = 0;
10383 				} else {
10384 					if (net->flight_size == 0) {
10385 						/* Should be decaying the cwnd here */
10386 						;
10387 					}
10388 				}
10389 			}
10390 		}
10391 
10392 	}
10393 	burst_cnt = 0;
10394 	do {
10395 		error = sctp_med_chunk_output(inp, stcb, asoc, &num_out,
10396 					      &reason_code, 0, from_where,
10397 					      &now, &now_filled, frag_point, so_locked);
10398 		if (error) {
10399 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Error %d was returned from med-c-op\n", error);
10400 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10401 				sctp_log_maxburst(stcb, asoc->primary_destination, error, burst_cnt, SCTP_MAX_BURST_ERROR_STOP);
10402 			}
10403 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10404 				sctp_log_cwnd(stcb, NULL, error, SCTP_SEND_NOW_COMPLETES);
10405 				sctp_log_cwnd(stcb, NULL, 0xdeadbeef, SCTP_SEND_NOW_COMPLETES);
10406 			}
10407 			break;
10408 		}
10409 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "m-c-o put out %d\n", num_out);
10410 
10411 		tot_out += num_out;
10412 		burst_cnt++;
10413 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10414 			sctp_log_cwnd(stcb, NULL, num_out, SCTP_SEND_NOW_COMPLETES);
10415 			if (num_out == 0) {
10416 				sctp_log_cwnd(stcb, NULL, reason_code, SCTP_SEND_NOW_COMPLETES);
10417 			}
10418 		}
10419 		if (nagle_on) {
10420 			/*
10421 			 * When the Nagle algorithm is used, look at how much
10422 			 * is unsent, then if its smaller than an MTU and we
10423 			 * have data in flight we stop, except if we are
10424 			 * handling a fragmented user message.
10425 			 */
10426 			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
10427 			           (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
10428 			if ((un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD)) &&
10429 			    (stcb->asoc.total_flight > 0) &&
10430 			    ((stcb->asoc.locked_on_sending == NULL) ||
10431 			     sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
10432 				break;
10433 			}
10434 		}
10435 		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
10436 		    TAILQ_EMPTY(&asoc->send_queue) &&
10437 		    stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
10438 			/* Nothing left to send */
10439 			break;
10440 		}
10441 		if ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) <= 0) {
10442 			/* Nothing left to send */
10443 			break;
10444 		}
10445 	} while (num_out &&
10446 	         ((asoc->max_burst == 0) ||
10447 		  SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) ||
10448 		  (burst_cnt < asoc->max_burst)));
10449 
10450 	if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) == 0) {
10451 		if ((asoc->max_burst > 0) && (burst_cnt >= asoc->max_burst)) {
10452 			SCTP_STAT_INCR(sctps_maxburstqueued);
10453 			asoc->burst_limit_applied = 1;
10454 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
10455 				sctp_log_maxburst(stcb, asoc->primary_destination, 0, burst_cnt, SCTP_MAX_BURST_APPLIED);
10456 			}
10457 		} else {
10458 			asoc->burst_limit_applied = 0;
10459 		}
10460 	}
10461 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
10462 		sctp_log_cwnd(stcb, NULL, tot_out, SCTP_SEND_NOW_COMPLETES);
10463 	}
10464 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, we have put out %d chunks\n",
10465 		tot_out);
10466 
10467 	/*-
10468 	 * Now we need to clean up the control chunk chain if a ECNE is on
10469 	 * it. It must be marked as UNSENT again so next call will continue
10470 	 * to send it until such time that we get a CWR, to remove it.
10471 	 */
10472 	if (stcb->asoc.ecn_echo_cnt_onq)
10473 		sctp_fix_ecn_echo(asoc);
10474 	return;
10475 }
10476 
10477 
/*
 * Send entry point: validate the endpoint and pass the data, destination
 * address and control information on to sctp_sosend().
 *
 * Returns EINVAL (after tracing the error) when inp is NULL or has no
 * socket attached; otherwise returns whatever sctp_sosend() returns.
 * No uio is supplied; the payload is handed over as m.
 */
int
sctp_output(
	struct sctp_inpcb *inp,
#if defined(__Panda__)
	pakhandle_type m,
#else
	struct mbuf *m,
#endif
	struct sockaddr *addr,
#if defined(__Panda__)
	pakhandle_type control,
#else
	struct mbuf *control,
#endif
#if defined(__FreeBSD__) && __FreeBSD_version >= 500000
	struct thread *p,
#elif defined(__Windows__)
	PKTHREAD p,
#else
#if defined(__APPLE__)
	struct proc *p SCTP_UNUSED,
#else
	struct proc *p,
#endif
#endif
	int flags)
{
	/* A missing endpoint and a missing socket are reported identically. */
	if ((inp == NULL) || (inp->sctp_socket == NULL)) {
		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
		return (EINVAL);
	}
	/* The Apple and Panda variants of sctp_sosend() take no process argument. */
#if defined(__APPLE__) || defined(__Panda__)
	return (sctp_sosend(inp->sctp_socket, addr, (struct uio *)NULL,
			    m, control, flags));
#else
	return (sctp_sosend(inp->sctp_socket, addr, (struct uio *)NULL,
			    m, control, flags, p));
#endif
}
10526 
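/*
 * Queue a FORWARD-TSN chunk on the association's control send queue.
 *
 * If a FORWARD-TSN chunk is already on the queue it is reset to unsent and
 * rebuilt in place; otherwise a new chunk is allocated (mbuf requested with
 * MCLBYTES) and appended. The chunk carries the new cumulative TSN followed
 * by one stream/sequence pair per skipped ordered chunk at the head of the
 * sent queue. When the pairs do not fit in the usable space (capped at
 * smallest_mtu minus SCTP_MIN_OVERHEAD or SCTP_MIN_V4_OVERHEAD), fewer
 * pairs are reported and the advertised TSN is taken from the last chunk
 * that can be covered.
 *
 * Returns without queueing anything if the chunk or its mbuf cannot be
 * allocated. The caller must hold the TCB lock (asserted below).
 */
void
send_forward_tsn(struct sctp_tcb *stcb,
		 struct sctp_association *asoc)
{
	struct sctp_tmit_chunk *chk;
	struct sctp_forward_tsn_chunk *fwdtsn;
	uint32_t advance_peer_ack_point;

	SCTP_TCB_LOCK_ASSERT(stcb);
	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
		if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
			/* mark it to unsent */
			chk->sent = SCTP_DATAGRAM_UNSENT;
			chk->snd_count = 0;
			/* Drop the old destination so it is chosen again on output. */
			if (chk->whoTo) {
				sctp_free_remote_addr(chk->whoTo);
				chk->whoTo = NULL;
			}
			/* Reuse the queued chunk and its existing mbuf. */
			goto sctp_fill_in_rest;
		}
	}
	/* Ok if we reach here we must build one */
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		return;
	}
	asoc->fwd_tsn_cnt++;
	chk->copy_by_ref = 0;
	chk->rec.chunk_id.id = SCTP_FORWARD_CUM_TSN;
	chk->rec.chunk_id.can_take_data = 0;
	chk->asoc = asoc;
	chk->whoTo = NULL;
	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
	if (chk->data == NULL) {
		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
		return;
	}
	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
	asoc->ctrl_queue_cnt++;
sctp_fill_in_rest:
	/*-
	 * Here we go through and fill out the part that deals with
	 * stream/seq of the ones we skip.
	 */
	SCTP_BUF_LEN(chk->data) = 0;
	{
		struct sctp_tmit_chunk *at, *tp1, *last;
		struct sctp_strseq *strseq;
		unsigned int cnt_of_space, i, ovh;
		unsigned int space_needed;
		unsigned int cnt_of_skipped = 0;

		/*
		 * Count the ordered chunks in the leading run of skipped or
		 * NR-acked chunks on the sent queue.
		 */
		TAILQ_FOREACH(at, &asoc->sent_queue, sctp_next) {
			if ((at->sent != SCTP_FORWARD_TSN_SKIP) &&
			    (at->sent != SCTP_DATAGRAM_NR_ACKED)) {
				/* no more to look at */
				break;
			}
			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
				/* We don't report these */
				continue;
			}
			cnt_of_skipped++;
		}
		space_needed = (sizeof(struct sctp_forward_tsn_chunk) +
		    (cnt_of_skipped * sizeof(struct sctp_strseq)));

		cnt_of_space = M_TRAILINGSPACE(chk->data);

		if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
			ovh = SCTP_MIN_OVERHEAD;
		} else {
			ovh = SCTP_MIN_V4_OVERHEAD;
		}
		if (cnt_of_space > (asoc->smallest_mtu - ovh)) {
			/* trim to a mtu size */
			cnt_of_space = asoc->smallest_mtu - ovh;
		}
		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
				       0xff, 0, cnt_of_skipped,
				       asoc->advanced_peer_ack_point);

		}
		advance_peer_ack_point = asoc->advanced_peer_ack_point;
		if (cnt_of_space < space_needed) {
			/*-
			 * ok we must trim down the chunk by lowering the
			 * advance peer ack point.
			 */
			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
					       0xff, 0xff, cnt_of_space,
					       space_needed);
			}
			/*
			 * NOTE(review): unsigned arithmetic; if cnt_of_space
			 * were ever smaller than the chunk header this would
			 * wrap to a very large count. Presumably the mbuf and
			 * MTU always leave room for the header -- confirm.
			 */
			cnt_of_skipped = cnt_of_space - sizeof(struct sctp_forward_tsn_chunk);
			cnt_of_skipped /= sizeof(struct sctp_strseq);
			/*-
			 * Go through and find the TSN that will be the one
			 * we report.
			 */
			at = TAILQ_FIRST(&asoc->sent_queue);
			if (at != NULL) {
				for (i = 0; i < cnt_of_skipped; i++) {
					tp1 = TAILQ_NEXT(at, sctp_next);
					if (tp1 == NULL) {
						break;
					}
					at = tp1;
				}
			}
			if (at && SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
					       0xff, cnt_of_skipped, at->rec.data.TSN_seq,
					       asoc->advanced_peer_ack_point);
			}
			last = at;
			/*-
			 * last now points to last one I can report, update
			 * peer ack point
			 */
			if (last)
				advance_peer_ack_point = last->rec.data.TSN_seq;
			space_needed = sizeof(struct sctp_forward_tsn_chunk) +
			               cnt_of_skipped * sizeof(struct sctp_strseq);
		}
		chk->send_size = space_needed;
		/* Setup the chunk */
		fwdtsn = mtod(chk->data, struct sctp_forward_tsn_chunk *);
		fwdtsn->ch.chunk_length = htons(chk->send_size);
		fwdtsn->ch.chunk_flags = 0;
		fwdtsn->ch.chunk_type = SCTP_FORWARD_CUM_TSN;
		fwdtsn->new_cumulative_tsn = htonl(advance_peer_ack_point);
		SCTP_BUF_LEN(chk->data) = chk->send_size;
		fwdtsn++;
		/*-
		 * Move pointer to after the fwdtsn and transfer to the
		 * strseq pointer.
		 */
		strseq = (struct sctp_strseq *)fwdtsn;
		/*-
		 * Now populate the strseq list. This is done blindly
		 * without pulling out duplicate stream info. This is
		 * inefficient but won't harm the process since the peer will
		 * look at these in sequence and will thus release anything.
		 * It could mean we exceed the PMTU and chop off some that
		 * we could have included.. but this is unlikely (aka 1432/4
		 * would mean 300+ stream seq's would have to be reported in
		 * one FWD-TSN. With a bit of work we can later FIX this to
		 * optimize and pull out duplicates.. but it does add more
		 * overhead. So for now... not!
		 *
		 * NOTE(review): the loop stops as soon as `at` has no
		 * successor, before writing an entry for `at` itself, while
		 * chunk_length and the mbuf length above already cover
		 * cnt_of_skipped entries. If the last reportable chunk can be
		 * the tail of the sent queue, its slot would go out unwritten
		 * with whatever the mbuf held -- confirm against the callers.
		 */
		at = TAILQ_FIRST(&asoc->sent_queue);
		for (i = 0; i < cnt_of_skipped; i++) {
			tp1 = TAILQ_NEXT(at, sctp_next);
			if (tp1 == NULL)
				break;
			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
				/*
				 * We don't report these. i is unsigned, so the
				 * decrement at i == 0 wraps and the loop
				 * increment brings it back to 0.
				 */
				i--;
				at = tp1;
				continue;
			}
			if (at->rec.data.TSN_seq == advance_peer_ack_point) {
				at->rec.data.fwd_tsn_cnt = 0;
			}
			/*
			 * These fields go onto the wire, so use the
			 * host-to-network conversion (same byte swap as
			 * ntohs, but states the intended direction).
			 */
			strseq->stream = htons(at->rec.data.stream_number);
			strseq->sequence = htons(at->rec.data.stream_seq);
			strseq++;
			at = tp1;
		}
	}
	return;
}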
10705 
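/*
 * Queue up a SACK or NR-SACK in the control queue.
 *
 * The chunk type is NR-SACK when both sides have it enabled, otherwise
 * SACK. If a chunk of that type is already on the control queue it is
 * removed and reused (its old mbuf and destination reference are released).
 * The chunk is then filled with the cumulative TSN, receiver window, gap
 * ack blocks derived from the mapping arrays and any recorded duplicate
 * TSNs, and appended to the control send queue.
 *
 * Nothing is queued if no data chunk has been received yet. If the chunk
 * or mbuf cannot be allocated (or no destination is available), the SACK
 * is deferred: the receive timer is restarted when delayed ack is enabled,
 * otherwise asoc.send_sack is set.
 *
 * so_locked is only passed through to sctp_free_a_chunk(). The caller must
 * hold the TCB lock (asserted below).
 */
void
sctp_send_sack(struct sctp_tcb *stcb, int so_locked
#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
	SCTP_UNUSED
#endif
)
{
	struct sctp_association *asoc;
	struct sctp_tmit_chunk *chk, *a_chk;
	struct sctp_sack_chunk *sack;
	struct sctp_nr_sack_chunk *nr_sack;
	struct sctp_gap_ack_block *gap_descriptor;
	struct sack_track *selector;
	int mergeable = 0;
	int offset;
	caddr_t limit;
	uint32_t *dup;
	int limit_reached = 0;
	unsigned int i, siz, j;
	unsigned int num_gap_blocks = 0, num_nr_gap_blocks = 0, space;
	int num_dups = 0;
	int space_req;
	uint32_t highest_tsn;
	uint8_t flags;
	uint8_t type;
	uint8_t tsn_map;

	if ((stcb->asoc.sctp_nr_sack_on_off == 1) &&
	    (stcb->asoc.peer_supports_nr_sack == 1)) {
		type = SCTP_NR_SELECTIVE_ACK;
	} else {
		type = SCTP_SELECTIVE_ACK;
	}
	a_chk = NULL;
	asoc = &stcb->asoc;
	SCTP_TCB_LOCK_ASSERT(stcb);
	if (asoc->last_data_chunk_from == NULL) {
		/* Hmm we never received anything */
		return;
	}
	sctp_slide_mapping_arrays(stcb);
	sctp_set_rwnd(stcb, asoc);
	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
		if (chk->rec.chunk_id.id == type) {
			/* Hmm, found a sack already on queue, remove it */
			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
			asoc->ctrl_queue_cnt--;
			a_chk = chk;
			if (a_chk->data) {
				sctp_m_freem(a_chk->data);
				a_chk->data = NULL;
			}
			if (a_chk->whoTo) {
				sctp_free_remote_addr(a_chk->whoTo);
				a_chk->whoTo = NULL;
			}
			break;
		}
	}
	if (a_chk == NULL) {
		sctp_alloc_a_chunk(stcb, a_chk);
		if (a_chk == NULL) {
			/* No memory so we drop the idea, and set a timer */
			if (stcb->asoc.delayed_ack) {
				sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
				    stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_5);
				sctp_timer_start(SCTP_TIMER_TYPE_RECV,
				    stcb->sctp_ep, stcb, NULL);
			} else {
				stcb->asoc.send_sack = 1;
			}
			return;
		}
		a_chk->copy_by_ref = 0;
		a_chk->rec.chunk_id.id = type;
		a_chk->rec.chunk_id.can_take_data = 1;
	}
	/* Clear our pkt counts */
	asoc->data_pkts_seen = 0;

	a_chk->asoc = asoc;
	a_chk->snd_count = 0;
	a_chk->send_size = 0;	/* fill in later */
	a_chk->sent = SCTP_DATAGRAM_UNSENT;
	a_chk->whoTo = NULL;

	if ((asoc->numduptsns) ||
	    (!(asoc->last_data_chunk_from->dest_state & SCTP_ADDR_REACHABLE))) {
		/*-
		 * Ok, we have some duplicates or the destination for the
		 * sack is unreachable, lets see if we can select an
		 * alternate than asoc->last_data_chunk_from
		 */
		if ((asoc->last_data_chunk_from->dest_state & SCTP_ADDR_REACHABLE) &&
		    (asoc->used_alt_onsack > asoc->numnets)) {
			/* We used an alt last time, don't this time */
			a_chk->whoTo = NULL;
		} else {
			asoc->used_alt_onsack++;
			a_chk->whoTo = sctp_find_alternate_net(stcb, asoc->last_data_chunk_from, 0);
		}
		if (a_chk->whoTo == NULL) {
			/* Nope, no alternate */
			a_chk->whoTo = asoc->last_data_chunk_from;
			asoc->used_alt_onsack = 0;
		}
	} else {
		/*
		 * No duplicates so we use the last place we received data
		 * from.
		 */
		asoc->used_alt_onsack = 0;
		a_chk->whoTo = asoc->last_data_chunk_from;
	}
	if (a_chk->whoTo) {
		/* The queued chunk holds its own reference on the destination. */
		atomic_add_int(&a_chk->whoTo->ref_count, 1);
	}
	if (SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->highest_tsn_inside_nr_map)) {
		highest_tsn = asoc->highest_tsn_inside_map;
	} else {
		highest_tsn = asoc->highest_tsn_inside_nr_map;
	}
	if (highest_tsn == asoc->cumulative_tsn) {
		/* no gaps */
		if (type == SCTP_SELECTIVE_ACK) {
			space_req = sizeof(struct sctp_sack_chunk);
		} else {
			space_req = sizeof(struct sctp_nr_sack_chunk);
		}
	} else {
		/* gaps get a cluster */
		space_req = MCLBYTES;
	}
	/* Ok now lets formulate a MBUF with our sack */
	a_chk->data = sctp_get_mbuf_for_msg(space_req, 0, M_NOWAIT, 1, MT_DATA);
	if ((a_chk->data == NULL) ||
	    (a_chk->whoTo == NULL)) {
		/* rats, no mbuf memory */
		if (a_chk->data) {
			/* was a problem with the destination */
			sctp_m_freem(a_chk->data);
			a_chk->data = NULL;
		}
		sctp_free_a_chunk(stcb, a_chk, so_locked);
		/* sa_ignore NO_NULL_CHK */
		if (stcb->asoc.delayed_ack) {
			sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
			    stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_6);
			sctp_timer_start(SCTP_TIMER_TYPE_RECV,
			    stcb->sctp_ep, stcb, NULL);
		} else {
			stcb->asoc.send_sack = 1;
		}
		return;
	}
	/* ok, lets go through and fill it in */
	SCTP_BUF_RESV_UF(a_chk->data, SCTP_MIN_OVERHEAD);
	space = M_TRAILINGSPACE(a_chk->data);
	if (space > (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD)) {
		space = (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD);
	}
	/*
	 * limit is one past the last byte the chunk may occupy; every
	 * variable-length entry written below is checked against it.
	 */
	limit = mtod(a_chk->data, caddr_t);
	limit += space;

	flags = 0;

	if ((asoc->sctp_cmt_on_off > 0) &&
	    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
		/*-
		 * CMT DAC algorithm: the received-packet count is placed in
		 * the top two flag bits (a count of 2 sets the high bit),
		 * then the counter is reset.
		 */
		flags |= (asoc->cmt_dac_pkts_rcvd << 6);
		asoc->cmt_dac_pkts_rcvd = 0;
	}
#ifdef SCTP_ASOCLOG_OF_TSNS
	stcb->asoc.cumack_logsnt[stcb->asoc.cumack_log_atsnt] = asoc->cumulative_tsn;
	stcb->asoc.cumack_log_atsnt++;
	if (stcb->asoc.cumack_log_atsnt >= SCTP_TSN_LOG_SIZE) {
		stcb->asoc.cumack_log_atsnt = 0;
	}
#endif
	/* reset the readers interpretation */
	stcb->freed_by_sorcv_sincelast = 0;

	/*
	 * siz is the number of mapping-array bytes to scan for gaps; the
	 * else branches handle a highest TSN that has wrapped below the
	 * array base.
	 */
	if (type == SCTP_SELECTIVE_ACK) {
		sack = mtod(a_chk->data, struct sctp_sack_chunk *);
		nr_sack = NULL;
		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)sack + sizeof(struct sctp_sack_chunk));
		if (highest_tsn > asoc->mapping_array_base_tsn) {
			siz = (((highest_tsn - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
		} else {
			/*
			 * NOTE(review): this subtracts highest_tsn, whereas
			 * both NR-SACK computations below subtract
			 * mapping_array_base_tsn in the same position.
			 * Confirm which is intended; left as written.
			 */
			siz = (((MAX_TSN - highest_tsn) + 1) + highest_tsn + 7) / 8;
		}
	} else {
		sack = NULL;
		nr_sack = mtod(a_chk->data, struct sctp_nr_sack_chunk *);
		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)nr_sack + sizeof(struct sctp_nr_sack_chunk));
		if (asoc->highest_tsn_inside_map > asoc->mapping_array_base_tsn) {
			siz = (((asoc->highest_tsn_inside_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
		} else {
			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_map + 7) / 8;
		}
	}

	if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
		offset = 1;
	} else {
		offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
	}
	if (((type == SCTP_SELECTIVE_ACK) &&
	     SCTP_TSN_GT(highest_tsn, asoc->cumulative_tsn)) ||
	    ((type == SCTP_NR_SELECTIVE_ACK) &&
	     SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->cumulative_tsn))) {
		/* we have a gap .. maybe */
		for (i = 0; i < siz; i++) {
			tsn_map = asoc->mapping_array[i];
			if (type == SCTP_SELECTIVE_ACK) {
				/* A plain SACK reports renegable and non-renegable TSNs together. */
				tsn_map |= asoc->nr_mapping_array[i];
			}
			if (i == 0) {
				/*
				 * Clear all bits corresponding to TSNs
				 * smaller or equal to the cumulative TSN.
				 * The mask is built from an unsigned constant
				 * because left-shifting a negative int is
				 * undefined behaviour.
				 */
				tsn_map &= (~0U << (1 - offset));
			}
			/* sack_array is indexed by the 8-bit map value. */
			selector = &sack_array[tsn_map];
			if (mergeable && selector->right_edge) {
				/*
				 * Backup, left and right edges were ok to
				 * merge.
				 */
				num_gap_blocks--;
				gap_descriptor--;
			}
			if (selector->num_entries == 0)
				mergeable = 0;
			else {
				for (j = 0; j < selector->num_entries; j++) {
					if (mergeable && selector->right_edge) {
						/*
						 * do a merge by NOT setting
						 * the left side
						 */
						mergeable = 0;
					} else {
						/*
						 * no merge, set the left
						 * side
						 */
						mergeable = 0;
						gap_descriptor->start = htons((selector->gaps[j].start + offset));
					}
					gap_descriptor->end = htons((selector->gaps[j].end + offset));
					num_gap_blocks++;
					gap_descriptor++;
					/*
					 * The bound is checked after the
					 * write, i.e. it guards the next
					 * block; the first block relies on
					 * the cluster requested above.
					 */
					if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
						/* no more room */
						limit_reached = 1;
						break;
					}
				}
				if (selector->left_edge) {
					mergeable = 1;
				}
			}
			if (limit_reached) {
				/* Reached the limit stop */
				break;
			}
			offset += 8;
		}
	}
	if ((type == SCTP_NR_SELECTIVE_ACK) &&
	    (limit_reached == 0)) {

		/* Second pass for NR-SACK: non-renegable gap blocks. */
		mergeable = 0;

		if (asoc->highest_tsn_inside_nr_map > asoc->mapping_array_base_tsn) {
			siz = (((asoc->highest_tsn_inside_nr_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
		} else {
			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_nr_map + 7) / 8;
		}

		if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
			offset = 1;
		} else {
			offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
		}
		if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->cumulative_tsn)) {
			/* we have a gap .. maybe */
			for (i = 0; i < siz; i++) {
				tsn_map = asoc->nr_mapping_array[i];
				if (i == 0) {
					/*
					 * Clear all bits corresponding to TSNs
					 * smaller or equal to the cumulative TSN.
					 * Unsigned constant: shifting a
					 * negative int left is undefined.
					 */
					tsn_map &= (~0U << (1 - offset));
				}
				selector = &sack_array[tsn_map];
				if (mergeable && selector->right_edge) {
					/*
					 * Backup, left and right edges were ok to
					 * merge.
					 */
					num_nr_gap_blocks--;
					gap_descriptor--;
				}
				if (selector->num_entries == 0)
					mergeable = 0;
				else {
					for (j = 0; j < selector->num_entries; j++) {
						if (mergeable && selector->right_edge) {
							/*
							 * do a merge by NOT setting
							 * the left side
							 */
							mergeable = 0;
						} else {
							/*
							 * no merge, set the left
							 * side
							 */
							mergeable = 0;
							gap_descriptor->start = htons((selector->gaps[j].start + offset));
						}
						gap_descriptor->end = htons((selector->gaps[j].end + offset));
						num_nr_gap_blocks++;
						gap_descriptor++;
						if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
							/* no more room */
							limit_reached = 1;
							break;
						}
					}
					if (selector->left_edge) {
						mergeable = 1;
					}
				}
				if (limit_reached) {
					/* Reached the limit stop */
					break;
				}
				offset += 8;
			}
		}
	}
	/* now we must add any dups we are going to report. */
	if ((limit_reached == 0) && (asoc->numduptsns)) {
		dup = (uint32_t *) gap_descriptor;
		for (i = 0; i < asoc->numduptsns; i++) {
			/*
			 * Check for room before each store, so that the
			 * first duplicate TSN is bounded by limit as well
			 * (the no-gap case only requested a header-sized
			 * mbuf).
			 */
			if (((caddr_t)dup + sizeof(uint32_t)) > limit) {
				/* no more room */
				break;
			}
			*dup = htonl(asoc->dup_tsns[i]);
			dup++;
			num_dups++;
		}
		/* Duplicates that did not fit are dropped, not carried over. */
		asoc->numduptsns = 0;
	}
	/*
	 * now that the chunk is prepared queue it to the control chunk
	 * queue.
	 */
	if (type == SCTP_SELECTIVE_ACK) {
		a_chk->send_size = sizeof(struct sctp_sack_chunk) +
		                   (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
		                   num_dups * sizeof(int32_t);
		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
		sack->sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
		sack->sack.a_rwnd = htonl(asoc->my_rwnd);
		sack->sack.num_gap_ack_blks = htons(num_gap_blocks);
		sack->sack.num_dup_tsns = htons(num_dups);
		sack->ch.chunk_type = type;
		sack->ch.chunk_flags = flags;
		sack->ch.chunk_length = htons(a_chk->send_size);
	} else {
		a_chk->send_size = sizeof(struct sctp_nr_sack_chunk) +
		                   (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
		                   num_dups * sizeof(int32_t);
		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
		nr_sack->nr_sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
		nr_sack->nr_sack.a_rwnd = htonl(asoc->my_rwnd);
		nr_sack->nr_sack.num_gap_ack_blks = htons(num_gap_blocks);
		nr_sack->nr_sack.num_nr_gap_ack_blks = htons(num_nr_gap_blocks);
		nr_sack->nr_sack.num_dup_tsns = htons(num_dups);
		nr_sack->nr_sack.reserved = 0;
		nr_sack->ch.chunk_type = type;
		nr_sack->ch.chunk_flags = flags;
		nr_sack->ch.chunk_length = htons(a_chk->send_size);
	}
	TAILQ_INSERT_TAIL(&asoc->control_send_queue, a_chk, sctp_next);
	asoc->my_last_reported_rwnd = asoc->my_rwnd;
	asoc->ctrl_queue_cnt++;
	asoc->send_sack = 0;
	SCTP_STAT_INCR(sctps_sendsacks);
	return;
}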
11114 
/*
 * Build an ABORT chunk for the association and send it immediately.
 *
 * operr, if non-NULL, is an mbuf chain of error causes that is linked in
 * behind the ABORT header. This function takes ownership of it: it is freed
 * here on allocation or padding failure and otherwise handed to
 * sctp_lowlevel_chunk_output() as part of the outgoing chain. When the peer
 * requires ABORT to be authenticated, an AUTH chunk is placed in front.
 *
 * The packet goes to asoc.alternate when set, else to the primary
 * destination. The result of the low-level output call is ignored.
 * The caller must hold the TCB lock (asserted below).
 */
void
sctp_send_abort_tcb(struct sctp_tcb *stcb, struct mbuf *operr, int so_locked
#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
    SCTP_UNUSED
#endif
    )
{
	struct mbuf *abort_mbuf, *cur, *tail = NULL;
	struct mbuf *chain = NULL, *auth_tail = NULL;
	struct sctp_abort_chunk *abort_hdr;
	struct sctp_auth_chunk *auth = NULL;
	struct sctp_nets *dest;
	uint32_t vtag;
	uint32_t auth_offset = 0;
	uint16_t cause_bytes = 0, chunk_bytes, pad_bytes;

#if defined(__APPLE__)
	if (so_locked) {
		sctp_lock_assert(SCTP_INP_SO(stcb->sctp_ep));
	} else {
		sctp_unlock_assert(SCTP_INP_SO(stcb->sctp_ep));
	}
#endif
	SCTP_TCB_LOCK_ASSERT(stcb);
	/*-
	 * Prepend an AUTH chunk when the peer asked for ABORT to be
	 * authenticated, remembering its offset into the chain.
	 */
	if (sctp_auth_is_required_chunk(SCTP_ABORT_ASSOCIATION,
	                                stcb->asoc.peer_auth_chunks)) {
		chain = sctp_add_auth_chunk(NULL, &auth_tail, &auth, &auth_offset,
					    stcb, SCTP_ABORT_ASSOCIATION);
		SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
	}
	abort_mbuf = sctp_get_mbuf_for_msg(sizeof(struct sctp_abort_chunk), 0, M_NOWAIT, 1, MT_HEADER);
	if (abort_mbuf == NULL) {
		/* Nothing was linked yet, so both pieces are released separately. */
		if (chain) {
			sctp_m_freem(chain);
		}
		if (operr) {
			sctp_m_freem(operr);
		}
		return;
	}
	/* Hang the error causes behind the header and total their length. */
	SCTP_BUF_NEXT(abort_mbuf) = operr;
	cur = operr;
	while (cur != NULL) {
		cause_bytes += (uint16_t)SCTP_BUF_LEN(cur);
		/* After the walk, tail is the final mbuf (NULL if no causes). */
		tail = cur;
		cur = SCTP_BUF_NEXT(cur);
	}
	SCTP_BUF_LEN(abort_mbuf) = sizeof(struct sctp_abort_chunk);
	chunk_bytes = (uint16_t)sizeof(struct sctp_abort_chunk) + cause_bytes;
	pad_bytes = SCTP_SIZE32(chunk_bytes) - chunk_bytes;
	if (chain != NULL) {
		/* AUTH chunk leads the chain; ABORT follows it. */
		SCTP_BUF_NEXT(auth_tail) = abort_mbuf;
	} else {
		/* No AUTH chunk in front, so leave header room in this mbuf. */
		SCTP_BUF_RESV_UF(abort_mbuf, SCTP_MIN_OVERHEAD);
		chain = abort_mbuf;
	}
	dest = (stcb->asoc.alternate != NULL) ?
	    stcb->asoc.alternate : stcb->asoc.primary_destination;
	/* Fill in the ABORT chunk header. */
	abort_hdr = mtod(abort_mbuf, struct sctp_abort_chunk *);
	abort_hdr->ch.chunk_type = SCTP_ABORT_ASSOCIATION;
	if (stcb->asoc.peer_vtag != 0) {
		vtag = stcb->asoc.peer_vtag;
		abort_hdr->ch.chunk_flags = 0;
	} else {
		/* This happens iff the assoc is in COOKIE-WAIT state. */
		vtag = stcb->asoc.my_vtag;
		abort_hdr->ch.chunk_flags = SCTP_HAD_NO_TCB;
	}
	/* The length field excludes padding. */
	abort_hdr->ch.chunk_length = htons(chunk_bytes);
	/* Pad the last cause mbuf up to a 4-byte boundary when required. */
	if ((pad_bytes > 0) &&
	    ((tail == NULL) || sctp_add_pad_tombuf(tail, pad_bytes))) {
		/* operr is part of the chain by now and is freed with it. */
		sctp_m_freem(chain);
		return;
	}
	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, dest,
	                                 (struct sockaddr *)&dest->ro._l_addr,
	                                 chain, auth_offset, auth, stcb->asoc.authinfo.active_keyid, 1, 0, 0,
	                                 stcb->sctp_ep->sctp_lport, stcb->rport, htonl(vtag),
	                                 stcb->asoc.primary_destination->port, NULL,
#if defined(__FreeBSD__)
	                                 0, 0,
#endif
	                                 so_locked);
	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
}
11217 
/*
 * Build a SHUTDOWN-COMPLETE chunk and hand it directly to
 * sctp_lowlevel_chunk_output() for the destination `net`.
 *
 * reflect_vtag != 0: the packet carries our own verification tag and the
 * chunk is flagged SCTP_HAD_NO_TCB.
 * reflect_vtag == 0: the peer's verification tag is used and no flag is set.
 *
 * If no mbuf can be obtained the chunk is silently not sent.  The result of
 * the low-level output call is deliberately ignored.
 */
void
sctp_send_shutdown_complete(struct sctp_tcb *stcb,
                            struct sctp_nets *net,
                            int reflect_vtag)
{
	struct sctp_shutdown_complete_chunk *sc;
	struct mbuf *m;
	uint32_t tag;
	uint8_t chunk_flags;

	m = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_NOWAIT, 1, MT_HEADER);
	if (m == NULL) {
		/* out of mbufs: nothing to send */
		return;
	}

	/* Pick the verification tag and the matching T-bit style flag together. */
	tag = reflect_vtag ? stcb->asoc.my_vtag : stcb->asoc.peer_vtag;
	chunk_flags = reflect_vtag ? SCTP_HAD_NO_TCB : 0;

	SCTP_BUF_LEN(m) = sizeof(struct sctp_shutdown_complete_chunk);
	sc = mtod(m, struct sctp_shutdown_complete_chunk *);
	sc->ch.chunk_type = SCTP_SHUTDOWN_COMPLETE;
	sc->ch.chunk_flags = chunk_flags;
	sc->ch.chunk_length = htons(sizeof(struct sctp_shutdown_complete_chunk));

	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
	                                 (struct sockaddr *)&net->ro._l_addr,
	                                 m, 0, NULL, 0, 1, 0, 0,
	                                 stcb->sctp_ep->sctp_lport, stcb->rport,
	                                 htonl(tag),
	                                 net->port, NULL,
#if defined(__FreeBSD__)
	                                 0, 0,
#endif
	                                 SCTP_SO_NOT_LOCKED);
	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
}
11259 
/*
 * Build and transmit a stand-alone reply packet holding a single chunk of
 * the given `type`, optionally followed by the `cause` mbuf chain.
 *
 * src/dst are the addresses of the packet being answered and sh is its SCTP
 * common header: the reply swaps them (IP source = dst, IP destination = src,
 * SCTP ports reversed).  A non-zero vtag is placed in the reply with chunk
 * flags 0; with vtag == 0 the received sh->v_tag is reflected and the chunk
 * is flagged SCTP_HAD_NO_TCB.  A non-zero port selects UDP encapsulation,
 * with `port` as the UDP destination port.
 *
 * `cause` is consumed: it is freed on the early-error paths and chained
 * behind the header mbuf otherwise.  Nothing is returned; on any failure
 * the packet is simply not sent.
 */
11260 #if defined(__FreeBSD__)
11261 static void
11262 sctp_send_resp_msg(struct sockaddr *src, struct sockaddr *dst,
11263                    struct sctphdr *sh, uint32_t vtag,
11264                    uint8_t type, struct mbuf *cause,
11265                    uint8_t use_mflowid, uint32_t mflowid,
11266                    uint32_t vrf_id, uint16_t port)
11267 #else
11268 static void
11269 sctp_send_resp_msg(struct sockaddr *src, struct sockaddr *dst,
11270                    struct sctphdr *sh, uint32_t vtag,
11271                    uint8_t type, struct mbuf *cause,
11272                    uint32_t vrf_id SCTP_UNUSED, uint16_t port)
11273 #endif
11274 {
11275 #ifdef __Panda__
11276 	pakhandle_type o_pak;
11277 #else
11278 	struct mbuf *o_pak;
11279 #endif
11280 	struct mbuf *mout;
11281 	struct sctphdr *shout;
11282 	struct sctp_chunkhdr *ch;
11283 	struct udphdr *udp;
11284 	int len, cause_len, padding_len;
11285 #if defined(INET) || defined(INET6)
11286 	int ret;
11287 #endif
11288 #ifdef INET
11289 #if defined(__APPLE__) || defined(__Panda__)
11290 	sctp_route_t ro;
11291 #endif
11292 	struct sockaddr_in *src_sin, *dst_sin;
11293 	struct ip *ip;
11294 #endif
11295 #ifdef INET6
11296 	struct sockaddr_in6 *src_sin6, *dst_sin6;
11297 	struct ip6_hdr *ip6;
11298 #endif
11299 
11300 	/* Compute the length of the cause and add final padding. */
11301 	cause_len = 0;
11302 	if (cause != NULL) {
11303 		struct mbuf *m_at, *m_last = NULL;
11304 
11305 		for (m_at = cause; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
11306 			if (SCTP_BUF_NEXT(m_at) == NULL)
11307 				m_last = m_at;
11308 			cause_len += SCTP_BUF_LEN(m_at);
11309 		}
		/* Pad the cause up to the next multiple of 4 bytes. */
11310 		padding_len = cause_len % 4;
11311 		if (padding_len != 0) {
11312 			padding_len = 4 - padding_len;
11313 		}
11314 		if (padding_len != 0) {
11315 			if (sctp_add_pad_tombuf(m_last, padding_len)) {
11316 				sctp_m_freem(cause);
11317 				return;
11318 			}
11319 		}
11320 	} else {
11321 		padding_len = 0;
11322 	}
11323 	/* Get an mbuf for the header. */
11324 	len = sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
11325 	switch (dst->sa_family) {
11326 #ifdef INET
11327 	case AF_INET:
11328 		len += sizeof(struct ip);
11329 		break;
11330 #endif
11331 #ifdef INET6
11332 	case AF_INET6:
11333 		len += sizeof(struct ip6_hdr);
11334 		break;
11335 #endif
11336 	default:
11337 		break;
11338 	}
11339 	if (port) {
11340 		len += sizeof(struct udphdr);
11341 	}
11342 #if defined(__APPLE__)
11343 #if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
11344 	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_NOWAIT, 1, MT_DATA);
11345 #else
11346 	mout = sctp_get_mbuf_for_msg(len + SCTP_MAX_LINKHDR, 1, M_NOWAIT, 1, MT_DATA);
11347 #endif
11348 #else
11349 	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_NOWAIT, 1, MT_DATA);
11350 #endif
11351 	if (mout == NULL) {
11352 		if (cause) {
11353 			sctp_m_freem(cause);
11354 		}
11355 		return;
11356 	}
11357 #if defined(__APPLE__)
11358 #if defined(APPLE_LEOPARD) || defined(APPLE_SNOWLEOPARD)
11359 	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11360 #else
11361 	SCTP_BUF_RESV_UF(mout, SCTP_MAX_LINKHDR);
11362 #endif
11363 #else
11364 	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11365 #endif
11366 	SCTP_BUF_LEN(mout) = len;
	/* From here on cause hangs off mout, so the error paths below free only mout. */
11367 	SCTP_BUF_NEXT(mout) = cause;
11368 #if defined(__FreeBSD__)
11369 	if (use_mflowid != 0) {
11370 		mout->m_pkthdr.flowid = mflowid;
11371 		mout->m_flags |= M_FLOWID;
11372 	}
11373 #endif
11374 #ifdef INET
11375 	ip = NULL;
11376 #endif
11377 #ifdef INET6
11378 	ip6 = NULL;
11379 #endif
	/* len is reused below: it now counts the bytes actually written, header by header. */
11380 	switch (dst->sa_family) {
11381 #ifdef INET
11382 	case AF_INET:
11383 		src_sin = (struct sockaddr_in *)src;
11384 		dst_sin = (struct sockaddr_in *)dst;
11385 		ip = mtod(mout, struct ip *);
11386 		ip->ip_v = IPVERSION;
11387 		ip->ip_hl = (sizeof(struct ip) >> 2);
11388 		ip->ip_tos = 0;
11389 #if defined(__FreeBSD__)
11390 		ip->ip_id = ip_newid();
11391 #elif defined(__APPLE__)
11392 #if RANDOM_IP_ID
11393 		ip->ip_id = ip_randomid();
11394 #else
11395 		ip->ip_id = htons(ip_id++);
11396 #endif
11397 #else
11398                 ip->ip_id = htons(ip_id++);
11399 #endif
11400 		ip->ip_off = 0;
11401 		ip->ip_ttl = MODULE_GLOBAL(ip_defttl);
11402 		if (port) {
11403 			ip->ip_p = IPPROTO_UDP;
11404 		} else {
11405 			ip->ip_p = IPPROTO_SCTP;
11406 		}
		/* Reply travels back the way the packet came: addresses are swapped. */
11407 		ip->ip_src.s_addr = dst_sin->sin_addr.s_addr;
11408 		ip->ip_dst.s_addr = src_sin->sin_addr.s_addr;
11409 		ip->ip_sum = 0;
11410 		len = sizeof(struct ip);
11411 		shout = (struct sctphdr *)((caddr_t)ip + len);
11412 		break;
11413 #endif
11414 #ifdef INET6
11415 	case AF_INET6:
11416 		src_sin6 = (struct sockaddr_in6 *)src;
11417 		dst_sin6 = (struct sockaddr_in6 *)dst;
11418 		ip6 = mtod(mout, struct ip6_hdr *);
11419 		ip6->ip6_flow = htonl(0x60000000);
11420 #if defined(__FreeBSD__)
11421 		if (V_ip6_auto_flowlabel) {
11422 			ip6->ip6_flow |= (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
11423 		}
11424 #endif
11425 #if defined(__Userspace__)
11426 		ip6->ip6_hlim = IPv6_HOP_LIMIT;
11427 #else
11428 		ip6->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
11429 #endif
11430 		if (port) {
11431 			ip6->ip6_nxt = IPPROTO_UDP;
11432 		} else {
11433 			ip6->ip6_nxt = IPPROTO_SCTP;
11434 		}
		/* Same address swap as in the IPv4 case. */
11435 		ip6->ip6_src = dst_sin6->sin6_addr;
11436 		ip6->ip6_dst = src_sin6->sin6_addr;
11437 		len = sizeof(struct ip6_hdr);
11438 		shout = (struct sctphdr *)((caddr_t)ip6 + len);
11439 		break;
11440 #endif
11441 	default:
11442 		len = 0;
11443 		shout = mtod(mout, struct sctphdr *);
11444 		break;
11445 	}
11446 	if (port) {
		/* UDP encapsulation was requested but no local tunneling port is configured: drop the reply. */
11447 		if (htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port)) == 0) {
11448 			sctp_m_freem(mout);
11449 			return;
11450 		}
11451 		udp = (struct udphdr *)shout;
11452 		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
11453 		udp->uh_dport = port;
11454 		udp->uh_sum = 0;
11455 		udp->uh_ulen = htons(sizeof(struct udphdr) +
11456 		                     sizeof(struct sctphdr) +
11457 		                     sizeof(struct sctp_chunkhdr) +
11458 		                     cause_len + padding_len);
11459 		len += sizeof(struct udphdr);
11460 		shout = (struct sctphdr *)((caddr_t)shout + sizeof(struct udphdr));
11461 	} else {
11462 		udp = NULL;
11463 	}
11464 	shout->src_port = sh->dest_port;
11465 	shout->dest_port = sh->src_port;
11466 	shout->checksum = 0;
	/* No tag supplied by the caller: reflect the tag of the received packet. */
11467 	if (vtag) {
11468 		shout->v_tag = htonl(vtag);
11469 	} else {
11470 		shout->v_tag = sh->v_tag;
11471 	}
11472 	len += sizeof(struct sctphdr);
11473 	ch = (struct sctp_chunkhdr *)((caddr_t)shout + sizeof(struct sctphdr));
11474 	ch->chunk_type = type;
	/* A reflected tag is announced to the receiver through SCTP_HAD_NO_TCB. */
11475 	if (vtag) {
11476 		ch->chunk_flags = 0;
11477 	} else {
11478 		ch->chunk_flags = SCTP_HAD_NO_TCB;
11479 	}
	/*
	 * The chunk length excludes the trailing padding.
	 * NOTE(review): cause_len is an int folded into a 16-bit field; nothing
	 * in this function bounds it, so callers presumably keep the cause
	 * small -- confirm.
	 */
11480 	ch->chunk_length = htons(sizeof(struct sctp_chunkhdr) + cause_len);
11481 	len += sizeof(struct sctp_chunkhdr);
11482 	len += cause_len + padding_len;
11483 
11484 	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
11485 		sctp_m_freem(mout);
11486 		return;
11487 	}
11488 	SCTP_ATTACH_CHAIN(o_pak, mout, len);
11489 	switch (dst->sa_family) {
11490 #ifdef INET
11491 	case AF_INET:
11492 #if defined(__APPLE__) || defined(__Panda__)
11493 		/* zap the stack pointer to the route */
11494 		bzero(&ro, sizeof(sctp_route_t));
11495 #if defined(__Panda__)
11496 		ro._l_addr.sa.sa_family = AF_INET;
11497 #endif
11498 #endif
11499 		if (port) {
11500 #if !defined(__Windows__) && !defined(__Userspace__)
11501 #if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
11502 			if (V_udp_cksum) {
11503 				udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11504 			} else {
11505 				udp->uh_sum = 0;
11506 			}
11507 #else
11508 			udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11509 #endif
11510 #else
11511 			udp->uh_sum = 0;
11512 #endif
11513 		}
		/* Whether ip_len is stored in network or host byte order depends on the platform/version. */
11514 #if defined(__FreeBSD__)
11515 #if __FreeBSD_version >= 1000000
11516 		ip->ip_len = htons(len);
11517 #else
11518 		ip->ip_len = len;
11519 #endif
11520 #elif defined(__APPLE__) || defined(__Userspace__)
11521 		ip->ip_len = len;
11522 #else
11523 		ip->ip_len = htons(len);
11524 #endif
11525 		if (port) {
11526 #if defined(SCTP_WITH_NO_CSUM)
11527 			SCTP_STAT_INCR(sctps_sendnocrc);
11528 #else
11529 			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip) + sizeof(struct udphdr));
11530 			SCTP_STAT_INCR(sctps_sendswcrc);
11531 #endif
11532 #if defined(__FreeBSD__) && ((__FreeBSD_version > 803000 && __FreeBSD_version < 900000) || __FreeBSD_version > 900000)
11533 			if (V_udp_cksum) {
11534 				SCTP_ENABLE_UDP_CSUM(o_pak);
11535 			}
11536 #else
11537 			SCTP_ENABLE_UDP_CSUM(o_pak);
11538 #endif
11539 		} else {
11540 #if defined(SCTP_WITH_NO_CSUM)
11541 			SCTP_STAT_INCR(sctps_sendnocrc);
11542 #else
11543 #if defined(__FreeBSD__) && __FreeBSD_version >= 800000
11544 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11545 			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11546 			SCTP_STAT_INCR(sctps_sendhwcrc);
11547 #else
11548 			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip));
11549 			SCTP_STAT_INCR(sctps_sendswcrc);
11550 #endif
11551 #endif
11552 		}
11553 #ifdef SCTP_PACKET_LOGGING
11554 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11555 			sctp_packet_log(o_pak);
11556 		}
11557 #endif
11558 #if defined(__APPLE__) || defined(__Panda__)
11559 		SCTP_IP_OUTPUT(ret, o_pak, &ro, NULL, vrf_id);
11560 		/* Free the route if we got one back */
11561 		if (ro.ro_rt) {
11562 			RTFREE(ro.ro_rt);
11563 			ro.ro_rt = NULL;
11564 		}
11565 #else
11566 		SCTP_IP_OUTPUT(ret, o_pak, NULL, NULL, vrf_id);
11567 #endif
11568 		break;
11569 #endif
11570 #ifdef INET6
11571 	case AF_INET6:
11572 		ip6->ip6_plen = len - sizeof(struct ip6_hdr);
11573 		if (port) {
11574 #if defined(SCTP_WITH_NO_CSUM)
11575 			SCTP_STAT_INCR(sctps_sendnocrc);
11576 #else
11577 			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
11578 			SCTP_STAT_INCR(sctps_sendswcrc);
11579 #endif
11580 #if defined(__Windows__)
11581 			udp->uh_sum = 0;
11582 #elif !defined(__Userspace__)
			/* A computed UDP checksum of 0 is sent as 0xffff. */
11583 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), len - sizeof(struct ip6_hdr))) == 0) {
11584 				udp->uh_sum = 0xffff;
11585 			}
11586 #endif
11587 		} else {
11588 #if defined(SCTP_WITH_NO_CSUM)
11589 			SCTP_STAT_INCR(sctps_sendnocrc);
11590 #else
11591 #if defined(__FreeBSD__) && __FreeBSD_version >= 900000
11592 #if __FreeBSD_version > 901000
11593 			mout->m_pkthdr.csum_flags = CSUM_SCTP_IPV6;
11594 #else
11595 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11596 #endif
11597 			mout->m_pkthdr.csum_data = offsetof(struct sctphdr, checksum);
11598 			SCTP_STAT_INCR(sctps_sendhwcrc);
11599 #else
11600 			shout->checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr));
11601 			SCTP_STAT_INCR(sctps_sendswcrc);
11602 #endif
11603 #endif
11604 		}
11605 #ifdef SCTP_PACKET_LOGGING
11606 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11607 			sctp_packet_log(o_pak);
11608 		}
11609 #endif
11610 		SCTP_IP6_OUTPUT(ret, o_pak, NULL, NULL, NULL, vrf_id);
11611 		break;
11612 #endif
11613 #if defined(__Userspace__)
11614 	case AF_CONN:
11615 	{
11616 		char *buffer;
11617 		struct sockaddr_conn *sconn;
11618 
11619 		sconn = (struct sockaddr_conn *)src;
11620 #if defined(SCTP_WITH_NO_CSUM)
11621 		SCTP_STAT_INCR(sctps_sendnocrc);
11622 #else
11623 		shout->checksum = sctp_calculate_cksum(mout, 0);
11624 		SCTP_STAT_INCR(sctps_sendswcrc);
11625 #endif
11626 #ifdef SCTP_PACKET_LOGGING
11627 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
11628 			sctp_packet_log(mout);
11629 		}
11630 #endif
11631 		/* Don't alloc/free for each packet */
		/* The chain is flattened into a temporary buffer for the conn_output callback; an allocation failure drops the packet silently. */
11632 		if ((buffer = malloc(len)) != NULL) {
11633 			m_copydata(mout, 0, len, buffer);
11634 			SCTP_BASE_VAR(conn_output)(sconn->sconn_addr, buffer, len, 0, 0);
11635 			free(buffer);
11636 		}
11637 		sctp_m_freem(mout);
11638 		break;
11639 	}
11640 #endif
11641 	default:
11642 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
11643 		        dst->sa_family);
		/*
		 * NOTE(review): mout is handed to SCTP_LTRACE_ERR_RET_PKT after it
		 * has been freed -- confirm the macro never dereferences it, or
		 * trace before freeing.
		 */
11644 		sctp_m_freem(mout);
11645 		SCTP_LTRACE_ERR_RET_PKT(mout, NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
11646 		return;
11647 	}
11648 	SCTP_STAT_INCR(sctps_sendpackets);
11649 	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
11650 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11651 	return;
11652 }
11653 
/*
 * Send a SHUTDOWN-COMPLETE in reply to the packet described by src/dst/sh.
 *
 * This is a thin wrapper around sctp_send_resp_msg(): it passes a
 * verification tag of 0 and no error cause, and forwards every other
 * argument unchanged.
 */
void
sctp_send_shutdown_complete2(struct sockaddr *src, struct sockaddr *dst,
                             struct sctphdr *sh,
#ifdef __FreeBSD__
                             uint8_t use_mflowid, uint32_t mflowid,
#endif
                             uint32_t vrf_id, uint16_t port)
{
#ifdef __FreeBSD__
	sctp_send_resp_msg(src, dst, sh, 0, SCTP_SHUTDOWN_COMPLETE, NULL,
	                   use_mflowid, mflowid,
	                   vrf_id, port);
#else
	sctp_send_resp_msg(src, dst, sh, 0, SCTP_SHUTDOWN_COMPLETE, NULL,
	                   vrf_id, port);
#endif
}
11668 
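/*
 * Build a HEARTBEAT request for the destination `net` and append it to the
 * association's control send queue.
 *
 * The heartbeat info parameter records the send time, the address family,
 * length and raw address of `net`, and two random values.  The random values
 * are non-zero candidates only while the address is still unconfirmed; the
 * same values are stored in `net` (heartbeat_random1/2).
 *
 * Nothing is queued when net is NULL, the address family is not one this
 * build handles, or a chunk/mbuf cannot be allocated.  The TCB lock must be
 * held (asserted below).
 */
void
sctp_send_hb(struct sctp_tcb *stcb, struct sctp_nets *net,int so_locked
#if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
	SCTP_UNUSED
#endif
)
{
	struct sctp_tmit_chunk *chk;
	struct sctp_heartbeat_chunk *hb;
	struct timeval now;

	SCTP_TCB_LOCK_ASSERT(stcb);
	if (net == NULL) {
		return;
	}
	(void)SCTP_GETTIME_TIMEVAL(&now);
	/* Reject unsupported address families before anything is allocated. */
	switch (net->ro._l_addr.sa.sa_family) {
#ifdef INET
	case AF_INET:
		break;
#endif
#ifdef INET6
	case AF_INET6:
		break;
#endif
#if defined(__Userspace__)
	case AF_CONN:
		break;
#endif
	default:
		return;
	}
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak, can't get a chunk for hb\n");
		return;
	}

	chk->copy_by_ref = 0;
	chk->rec.chunk_id.id = SCTP_HEARTBEAT_REQUEST;
	chk->rec.chunk_id.can_take_data = 1;
	chk->asoc = &stcb->asoc;
	chk->send_size = sizeof(struct sctp_heartbeat_chunk);

	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
	if (chk->data == NULL) {
		sctp_free_a_chunk(stcb, chk, so_locked);
		return;
	}
	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
	SCTP_BUF_LEN(chk->data) = chk->send_size;
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	chk->whoTo = net;
	/* The queued chunk holds its own reference on the destination. */
	atomic_add_int(&chk->whoTo->ref_count, 1);
	/* Now we have a mbuf that we can fill in with the details */
	hb = mtod(chk->data, struct sctp_heartbeat_chunk *);
	/* Zero first so no stale mbuf bytes end up on the wire. */
	memset(hb, 0, sizeof(struct sctp_heartbeat_chunk));
	/* fill out chunk header */
	hb->ch.chunk_type = SCTP_HEARTBEAT_REQUEST;
	hb->ch.chunk_flags = 0;
	hb->ch.chunk_length = htons(chk->send_size);
	/* Fill out hb parameter */
	hb->heartbeat.hb_info.ph.param_type = htons(SCTP_HEARTBEAT_INFO);
	hb->heartbeat.hb_info.ph.param_length = htons(sizeof(struct sctp_heartbeat_info_param));
	hb->heartbeat.hb_info.time_value_1 = now.tv_sec;
	hb->heartbeat.hb_info.time_value_2 = now.tv_usec;
	/* Record which address this heartbeat is probing. */
	hb->heartbeat.hb_info.addr_family = net->ro._l_addr.sa.sa_family;
#ifdef HAVE_SA_LEN
	hb->heartbeat.hb_info.addr_len = net->ro._l_addr.sa.sa_len;
#else
	switch (net->ro._l_addr.sa.sa_family) {
#ifdef INET
	case AF_INET:
		hb->heartbeat.hb_info.addr_len = sizeof(struct sockaddr_in);
		break;
#endif
#ifdef INET6
	case AF_INET6:
		hb->heartbeat.hb_info.addr_len = sizeof(struct sockaddr_in6);
		break;
#endif
#if defined(__Userspace__)
	case AF_CONN:
		hb->heartbeat.hb_info.addr_len = sizeof(struct sockaddr_conn);
		break;
#endif
	default:
		hb->heartbeat.hb_info.addr_len = 0;
		break;
	}
#endif
	if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
		/*
		 * we only take from the entropy pool if the address is not
		 * confirmed.
		 */
		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
	} else {
		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = 0;
		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = 0;
	}
	switch (net->ro._l_addr.sa.sa_family) {
#ifdef INET
	case AF_INET:
		memcpy(hb->heartbeat.hb_info.address,
		       &net->ro._l_addr.sin.sin_addr,
		       sizeof(net->ro._l_addr.sin.sin_addr));
		break;
#endif
#ifdef INET6
	case AF_INET6:
		memcpy(hb->heartbeat.hb_info.address,
		       &net->ro._l_addr.sin6.sin6_addr,
		       sizeof(net->ro._l_addr.sin6.sin6_addr));
		break;
#endif
#if defined(__Userspace__)
	case AF_CONN:
		memcpy(hb->heartbeat.hb_info.address,
		       &net->ro._l_addr.sconn.sconn_addr,
		       sizeof(net->ro._l_addr.sconn.sconn_addr));
		break;
#endif
	default:
		/*
		 * The first switch should make this unreachable, but if it is
		 * ever hit, release the mbuf and the chunk instead of leaking
		 * them.  The reference taken on chk->whoTo above is presumed to
		 * be dropped by sctp_free_a_chunk() -- confirm against its
		 * definition.
		 */
		if (chk->data) {
			sctp_m_freem(chk->data);
			chk->data = NULL;
		}
		sctp_free_a_chunk(stcb, chk, so_locked);
		return;
	}
	net->hb_responded = 0;
	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
	stcb->asoc.ctrl_queue_cnt++;
	SCTP_STAT_INCR(sctps_sendheartbeat);
	return;
}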
11805 
/*
 * Queue (or refresh) an ECN-ECHO chunk for the destination `net`.
 *
 * If an ECN-ECHO for the same destination is already on the control send
 * queue it is updated in place: its TSN is raised to high_tsn when high_tsn
 * is newer, and its packet counter is incremented.  Otherwise a new chunk
 * with a counter of 1 is built and put at the head of the queue.
 *
 * Does nothing when net is NULL or when a chunk/mbuf cannot be allocated.
 */
void
sctp_send_ecn_echo(struct sctp_tcb *stcb, struct sctp_nets *net,
		   uint32_t high_tsn)
{
	struct sctp_association *asoc;
	struct sctp_tmit_chunk *chk;
	struct sctp_ecne_chunk *ecne;

	if (net == NULL) {
		return;
	}
	asoc = &stcb->asoc;
	SCTP_TCB_LOCK_ASSERT(stcb);

	/* First try to fold this report into an ECN-ECHO that is still queued. */
	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
		uint32_t queued_tsn, pkt_cnt;

		if ((chk->rec.chunk_id.id != SCTP_ECN_ECHO) || (chk->whoTo != net)) {
			continue;
		}
		ecne = mtod(chk->data, struct sctp_ecne_chunk *);
		queued_tsn = ntohl(ecne->tsn);
		if (SCTP_TSN_GT(high_tsn, queued_tsn)) {
			ecne->tsn = htonl(high_tsn);
			SCTP_STAT_INCR(sctps_queue_upd_ecne);
		}
		pkt_cnt = ntohl(ecne->num_pkts_since_cwr) + 1;
		ecne->num_pkts_since_cwr = htonl(pkt_cnt);
		return;
	}

	/* Nothing queued for this destination: build a fresh chunk. */
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		return;
	}
	chk->copy_by_ref = 0;
	SCTP_STAT_INCR(sctps_queue_upd_ecne);
	chk->rec.chunk_id.id = SCTP_ECN_ECHO;
	chk->rec.chunk_id.can_take_data = 0;
	chk->asoc = asoc;
	chk->send_size = sizeof(struct sctp_ecne_chunk);
	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
	if (chk->data == NULL) {
		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
		return;
	}
	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
	SCTP_BUF_LEN(chk->data) = chk->send_size;
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	chk->whoTo = net;
	/* The queued chunk keeps its own reference on the destination. */
	atomic_add_int(&chk->whoTo->ref_count, 1);

	asoc->ecn_echo_cnt_onq++;
	ecne = mtod(chk->data, struct sctp_ecne_chunk *);
	ecne->ch.chunk_type = SCTP_ECN_ECHO;
	ecne->ch.chunk_flags = 0;
	ecne->ch.chunk_length = htons(sizeof(struct sctp_ecne_chunk));
	ecne->tsn = htonl(high_tsn);
	ecne->num_pkts_since_cwr = htonl(1);
	TAILQ_INSERT_HEAD(&asoc->control_send_queue, chk, sctp_next);
	asoc->ctrl_queue_cnt++;
}
11868 
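/*
 * Queue a PKT-DROP chunk that echoes (part of) a received packet back to the
 * peer.
 *
 * m, len and iphlen describe the received packet: the (len - iphlen) bytes
 * that start iphlen bytes into m are copied into the report, truncated so the
 * report fits into one smallest-MTU packet (and one mbuf cluster).  bad_crc
 * adds the SCTP_BADCRC flag.
 *
 * Nothing is queued when stcb is NULL, the peer has not announced PKT-DROP
 * support, the socket is gone, len is smaller than iphlen, the packet holds
 * an ABORT, PKT-DROP or INIT-ACK chunk, or an allocation fails.
 */
void
sctp_send_packet_dropped(struct sctp_tcb *stcb, struct sctp_nets *net,
    struct mbuf *m, int len, int iphlen, int bad_crc)
{
	struct sctp_association *asoc;
	struct sctp_pktdrop_chunk *drp;
	struct sctp_tmit_chunk *chk;
	uint8_t *datap;
	int was_trunc = 0;
	int fullsz = 0;
	long spc;
	int offset;
	struct sctp_chunkhdr *ch, chunk_buf;
	unsigned int chk_length;

	if (!stcb) {
		return;
	}
	asoc = &stcb->asoc;
	SCTP_TCB_LOCK_ASSERT(stcb);
	if (asoc->peer_supports_pktdrop == 0) {
		/*-
		 * peer must declare support before I send one.
		 */
		return;
	}
	if (stcb->sctp_socket == NULL) {
		return;
	}
	/*
	 * Only the part behind the IP header is reported.  len later sizes the
	 * chunk and the m_copydata() below, so a negative value coming from
	 * inconsistent caller-supplied lengths must not get that far.
	 */
	len -= iphlen;
	if (len < 0) {
		return;
	}
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		return;
	}
	chk->copy_by_ref = 0;
	chk->send_size = len;
	/* Validate that we do not have an ABORT in here. */
	offset = iphlen + sizeof(struct sctphdr);
	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
						   sizeof(*ch), (uint8_t *) & chunk_buf);
	while (ch != NULL) {
		chk_length = ntohs(ch->chunk_length);
		if (chk_length < sizeof(*ch)) {
			/* Malformed length: stop walking, the report is still sent. */
			break;
		}
		switch (ch->chunk_type) {
		case SCTP_PACKET_DROPPED:
		case SCTP_ABORT_ASSOCIATION:
		case SCTP_INITIATION_ACK:
			/*
			 * We don't respond with an PKT-DROP to an ABORT
			 * or PKT-DROP. We also do not respond to an
			 * INIT-ACK, because we can't know if the initiation
			 * tag is correct or not.
			 */
			sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
			return;
		default:
			break;
		}
		offset += SCTP_SIZE32(chk_length);
		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
		    sizeof(*ch), (uint8_t *) & chunk_buf);
	}

	if ((len + SCTP_MAX_OVERHEAD + sizeof(struct sctp_pktdrop_chunk)) >
	    min(stcb->asoc.smallest_mtu, MCLBYTES)) {
		/* only send 1 mtu worth, trim off the
		 * excess on the end.
		 */
		fullsz = len;
		len = min(stcb->asoc.smallest_mtu, MCLBYTES) - SCTP_MAX_OVERHEAD;
		was_trunc = 1;
	}
	chk->asoc = &stcb->asoc;
	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
	if (chk->data == NULL) {
		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
		return;
	}
	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
	drp = mtod(chk->data, struct sctp_pktdrop_chunk *);
	if (drp == NULL) {
		sctp_m_freem(chk->data);
		chk->data = NULL;
		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
		return;
	}
	/*
	 * NOTE(review): book_size is derived from send_size before the
	 * truncation branch below shrinks it -- confirm that is intended.
	 */
	chk->book_size = SCTP_SIZE32((chk->send_size + sizeof(struct sctp_pktdrop_chunk) +
	    sizeof(struct sctphdr) + SCTP_MED_OVERHEAD));
	chk->book_size_scale = 0;
	if (was_trunc) {
		drp->ch.chunk_flags = SCTP_PACKET_TRUNCATED;
		drp->trunc_len = htons(fullsz);
		/* Len is already adjusted to size minus overhead above
		 * take out the pkt_drop chunk itself from it.
		 * NOTE(review): this assumes smallest_mtu leaves room for the
		 * overhead plus the chunk header; nothing here checks it.
		 */
		chk->send_size = len - sizeof(struct sctp_pktdrop_chunk);
		len = chk->send_size;
	} else {
		/* no truncation needed */
		drp->ch.chunk_flags = 0;
		drp->trunc_len = htons(0);
	}
	if (bad_crc) {
		drp->ch.chunk_flags |= SCTP_BADCRC;
	}
	chk->send_size += sizeof(struct sctp_pktdrop_chunk);
	SCTP_BUF_LEN(chk->data) = chk->send_size;
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	if (net) {
		/* we should hit here */
		chk->whoTo = net;
		atomic_add_int(&chk->whoTo->ref_count, 1);
	} else {
		chk->whoTo = NULL;
	}
	chk->rec.chunk_id.id = SCTP_PACKET_DROPPED;
	chk->rec.chunk_id.can_take_data = 1;
	drp->ch.chunk_type = SCTP_PACKET_DROPPED;
	drp->ch.chunk_length = htons(chk->send_size);
	/* Report the receive buffer limit, clamped at zero. */
	spc = SCTP_SB_LIMIT_RCV(stcb->sctp_socket);
	if (spc < 0) {
		spc = 0;
	}
	drp->bottle_bw = htonl(spc);
	if (asoc->my_rwnd) {
		drp->current_onq = htonl(asoc->size_on_reasm_queue +
		    asoc->size_on_all_streams +
		    asoc->my_rwnd_control_len +
		    stcb->sctp_socket->so_rcv.sb_cc);
	} else {
		/*-
		 * If my rwnd is 0, possibly from mbuf depletion as well as
		 * space used, tell the peer there is NO space aka onq == bw
		 */
		drp->current_onq = htonl(spc);
	}
	drp->reserved = 0;
	datap = drp->data;
	/* Echo the (possibly truncated) packet right behind the chunk header. */
	m_copydata(m, iphlen, len, (caddr_t)datap);
	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
	asoc->ctrl_queue_cnt++;
}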
12015 
/*
 * Queue (or refresh) a CWR chunk for the destination `net`.
 *
 * If a CWR for the same destination is already on the control send queue it
 * is updated in place: its TSN is raised to high_tsn when high_tsn is newer,
 * and SCTP_CWR_REDUCE_OVERRIDE is OR-ed into its flags when `override`
 * carries that bit.  Otherwise a new chunk with flags == override is built
 * and appended to the queue.
 *
 * Does nothing when net is NULL or when a chunk/mbuf cannot be allocated.
 */
void
sctp_send_cwr(struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t high_tsn, uint8_t override)
{
	struct sctp_association *asoc;
	struct sctp_tmit_chunk *chk;
	struct sctp_cwr_chunk *cwr;

	SCTP_TCB_LOCK_ASSERT(stcb);
	if (net == NULL) {
		return;
	}
	asoc = &stcb->asoc;

	/* Reuse a CWR that is still waiting for the same destination. */
	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
		uint32_t queued_tsn;

		if ((chk->rec.chunk_id.id != SCTP_ECN_CWR) || (chk->whoTo != net)) {
			continue;
		}
		cwr = mtod(chk->data, struct sctp_cwr_chunk *);
		queued_tsn = ntohl(cwr->tsn);
		if (SCTP_TSN_GT(high_tsn, queued_tsn)) {
			cwr->tsn = htonl(high_tsn);
		}
		if (override & SCTP_CWR_REDUCE_OVERRIDE) {
			/* Make sure override is carried */
			cwr->ch.chunk_flags |= SCTP_CWR_REDUCE_OVERRIDE;
		}
		return;
	}

	/* None queued: allocate and fill in a new one. */
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		return;
	}
	chk->copy_by_ref = 0;
	chk->rec.chunk_id.id = SCTP_ECN_CWR;
	chk->rec.chunk_id.can_take_data = 1;
	chk->asoc = asoc;
	chk->send_size = sizeof(struct sctp_cwr_chunk);
	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_NOWAIT, 1, MT_HEADER);
	if (chk->data == NULL) {
		sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
		return;
	}
	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
	SCTP_BUF_LEN(chk->data) = chk->send_size;
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	chk->whoTo = net;
	/* The queued chunk keeps its own reference on the destination. */
	atomic_add_int(&chk->whoTo->ref_count, 1);

	cwr = mtod(chk->data, struct sctp_cwr_chunk *);
	cwr->ch.chunk_type = SCTP_ECN_CWR;
	cwr->ch.chunk_flags = override;
	cwr->ch.chunk_length = htons(sizeof(struct sctp_cwr_chunk));
	cwr->tsn = htonl(high_tsn);
	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
	asoc->ctrl_queue_cnt++;
}
12072 
/*
 * Append an Outgoing SSN Reset Request parameter to the chunk held in
 * chk->data and update the chunk's length bookkeeping.
 *
 * The parameter is written at the 4-byte padded end of the existing chunk
 * and carries seq, resp_seq, last_sent and the number_entries stream ids
 * from `list`, all converted to network byte order.
 *
 * No capacity check is done here: the caller has to guarantee that chk->data
 * has room for the parameter plus its pad.  Lengths are kept in 16-bit
 * variables, so number_entries must be small enough for the sums to fit.
 */
void
sctp_add_stream_reset_out(struct sctp_tmit_chunk *chk,
                          int number_entries, uint16_t * list,
                          uint32_t seq, uint32_t resp_seq, uint32_t last_sent)
{
	struct sctp_stream_reset_out_request *req_out;
	struct sctp_chunkhdr *ch;
	uint16_t param_len, prev_len, idx;

	ch = mtod(chk->data, struct sctp_chunkhdr *);
	/* The new parameter starts where the padded chunk currently ends. */
	prev_len = SCTP_SIZE32(ntohs(ch->chunk_length));
	req_out = (struct sctp_stream_reset_out_request *)((caddr_t)ch + prev_len);

	/* Fixed part plus one 16-bit slot per listed stream. */
	param_len = (sizeof(struct sctp_stream_reset_out_request) + (sizeof(uint16_t) * number_entries));
	req_out->ph.param_type = htons(SCTP_STR_RESET_OUT_REQUEST);
	req_out->ph.param_length = htons(param_len);
	req_out->request_seq = htonl(seq);
	req_out->response_seq = htonl(resp_seq);
	req_out->send_reset_at_tsn = htonl(last_sent);
	for (idx = 0; idx < number_entries; idx++) {
		req_out->list_of_streams[idx] = htons(list[idx]);
	}
	if (SCTP_SIZE32(param_len) > param_len) {
		/*-
		 * The parameter is either 4-byte aligned or 2 bytes short of
		 * it, so zeroing one extra 16-bit slot supplies the pad.
		 */
		req_out->list_of_streams[number_entries] = 0;
	}

	/* The chunk length is unpadded; send_size is rounded up to 4 bytes. */
	ch->chunk_length = htons(param_len + prev_len);
	chk->book_size = param_len + prev_len;
	chk->book_size_scale = 0;
	chk->send_size = SCTP_SIZE32(chk->book_size);
	SCTP_BUF_LEN(chk->data) = chk->send_size;
}
12115 
/*
 * Append an Incoming SSN Reset Request parameter to the chunk held in
 * chk->data and update the chunk's length bookkeeping.
 *
 * The parameter is written at the 4-byte padded end of the existing chunk
 * and carries seq and the number_entries stream ids from `list`, converted
 * to network byte order.
 *
 * No capacity check is done here: the caller has to guarantee that chk->data
 * has room for the parameter plus its pad.  Lengths are kept in 16-bit
 * variables, so number_entries must be small enough for the sums to fit.
 */
static void
sctp_add_stream_reset_in(struct sctp_tmit_chunk *chk,
                         int number_entries, uint16_t *list,
                         uint32_t seq)
{
	struct sctp_stream_reset_in_request *req_in;
	struct sctp_chunkhdr *ch;
	uint16_t param_len, prev_len, idx;

	ch = mtod(chk->data, struct sctp_chunkhdr *);
	/* The new parameter starts where the padded chunk currently ends. */
	prev_len = SCTP_SIZE32(ntohs(ch->chunk_length));
	req_in = (struct sctp_stream_reset_in_request *)((caddr_t)ch + prev_len);

	/* Fixed part plus one 16-bit slot per listed stream. */
	param_len = (sizeof(struct sctp_stream_reset_in_request) + (sizeof(uint16_t) * number_entries));
	req_in->ph.param_type = htons(SCTP_STR_RESET_IN_REQUEST);
	req_in->ph.param_length = htons(param_len);
	req_in->request_seq = htonl(seq);
	for (idx = 0; idx < number_entries; idx++) {
		req_in->list_of_streams[idx] = htons(list[idx]);
	}
	if (SCTP_SIZE32(param_len) > param_len) {
		/*-
		 * The parameter is either 4-byte aligned or 2 bytes short of
		 * it, so zeroing one extra 16-bit slot supplies the pad.
		 */
		req_in->list_of_streams[number_entries] = 0;
	}

	/* The chunk length is unpadded; send_size is rounded up to 4 bytes. */
	ch->chunk_length = htons(param_len + prev_len);
	chk->book_size = param_len + prev_len;
	chk->book_size_scale = 0;
	chk->send_size = SCTP_SIZE32(chk->book_size);
	SCTP_BUF_LEN(chk->data) = chk->send_size;
}
12156 
/*
 * Append an SCTP_STR_RESET_TSN_REQUEST parameter to the stream reset chunk
 * held in chk->data.
 *
 *   chk  chunk whose mbuf starts with a struct sctp_chunkhdr
 *   seq  value for the request_seq field
 *
 * Unlike the list-carrying helpers, send_size receives the unpadded length
 * here and book_size the padded one; the two only agree while the total is
 * a multiple of four. No check is made for room in the buffer.
 */
static void
sctp_add_stream_reset_tsn(struct sctp_tmit_chunk *chk,
                          uint32_t seq)
{
	struct sctp_chunkhdr *hdr;
	struct sctp_stream_reset_tsn_request *param;
	uint16_t chunk_len, param_len;

	hdr = mtod(chk->data, struct sctp_chunkhdr *);
	/* The new parameter starts at the padded end of what is already there. */
	chunk_len = SCTP_SIZE32(ntohs(hdr->chunk_length));
	param = (struct sctp_stream_reset_tsn_request *)((caddr_t)hdr + chunk_len);

	/* Fixed-size parameter. */
	param_len = sizeof(struct sctp_stream_reset_tsn_request);
	param->ph.param_type = htons(SCTP_STR_RESET_TSN_REQUEST);
	param->ph.param_length = htons(param_len);
	param->request_seq = htonl(seq);

	/* Grow the chunk and the mbuf to cover the new parameter. */
	hdr->chunk_length = htons(param_len + chunk_len);
	chk->send_size = param_len + chunk_len;
	chk->book_size = SCTP_SIZE32(chk->send_size);
	chk->book_size_scale = 0;
	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
}
12184 
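/*
 * Append an SCTP_STR_RESET_RESPONSE parameter to the stream reset chunk
 * held in chk->data and update the chunk's length bookkeeping.
 *
 *   chk       chunk whose mbuf starts with a struct sctp_chunkhdr
 *   resp_seq  value for the response_seq field
 *   result    result code, in host byte order
 *
 * No check is made that the buffer behind chk->data has room for the
 * parameter; the caller is responsible for that.
 */
void
sctp_add_stream_reset_result(struct sctp_tmit_chunk *chk,
                             uint32_t resp_seq, uint32_t result)
{
	uint16_t len, old_len;
	struct sctp_stream_reset_response *resp;
	struct sctp_chunkhdr *ch;

	ch = mtod(chk->data, struct sctp_chunkhdr *);
	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));

	/* get to new offset for the param. */
	resp = (struct sctp_stream_reset_response *)((caddr_t)ch + len);
	/* now how long will this param be? */
	len = sizeof(struct sctp_stream_reset_response);
	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
	resp->ph.param_length = htons(len);
	resp->response_seq = htonl(resp_seq);
	/*
	 * Host to network order, like every other field written here and
	 * like sctp_add_stream_reset_result_tsn(); this used to be spelled
	 * ntohl(), which names the opposite direction.
	 */
	resp->result = htonl(result);

	/* now fix the chunk length */
	ch->chunk_length = htons(len + old_len);
	chk->book_size = len + old_len;
	chk->book_size_scale = 0;
	chk->send_size = SCTP_SIZE32(chk->book_size);
	SCTP_BUF_LEN(chk->data) = chk->send_size;
	return;
}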
12213 
/*
 * Append an SCTP_STR_RESET_RESPONSE parameter in its longer form, which
 * also carries two TSN values, to the stream reset chunk in chk->data.
 *
 *   chk        chunk whose mbuf starts with a struct sctp_chunkhdr
 *   resp_seq   value for the response_seq field
 *   result     result code, in host byte order
 *   send_una   value for the senders_next_tsn field
 *   recv_next  value for the receivers_next_tsn field
 *
 * No check is made that the buffer behind chk->data has room for the
 * parameter; the caller is responsible for that.
 */
void
sctp_add_stream_reset_result_tsn(struct sctp_tmit_chunk *chk,
                                 uint32_t resp_seq, uint32_t result,
                                 uint32_t send_una, uint32_t recv_next)
{
	struct sctp_chunkhdr *hdr;
	struct sctp_stream_reset_response_tsn *param;
	uint16_t chunk_len, param_len;

	hdr = mtod(chk->data, struct sctp_chunkhdr *);
	/* The new parameter starts at the padded end of what is already there. */
	chunk_len = SCTP_SIZE32(ntohs(hdr->chunk_length));
	param = (struct sctp_stream_reset_response_tsn *)((caddr_t)hdr + chunk_len);

	/* Fixed-size parameter; every field goes out in network byte order. */
	param_len = sizeof(struct sctp_stream_reset_response_tsn);
	param->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
	param->ph.param_length = htons(param_len);
	param->response_seq = htonl(resp_seq);
	param->result = htonl(result);
	param->senders_next_tsn = htonl(send_una);
	param->receivers_next_tsn = htonl(recv_next);

	/* The chunk length is unpadded; the mbuf length is padded. */
	hdr->chunk_length = htons(param_len + chunk_len);
	chk->book_size = param_len + chunk_len;
	chk->book_size_scale = 0;
	chk->send_size = SCTP_SIZE32(chk->book_size);
	SCTP_BUF_LEN(chk->data) = chk->send_size;
}
12245 
/*
 * Append an SCTP_STR_RESET_ADD_OUT_STREAMS parameter to the stream reset
 * chunk held in chk->data.
 *
 *   chk     chunk whose mbuf starts with a struct sctp_chunkhdr
 *   seq     value for the request_seq field
 *   adding  number of streams requested, in host byte order
 *
 * send_size receives the unpadded length and book_size the padded one. No
 * check is made for room in the buffer behind chk->data.
 */
static void
sctp_add_an_out_stream(struct sctp_tmit_chunk *chk,
		       uint32_t seq,
		       uint16_t adding)
{
	struct sctp_chunkhdr *hdr;
	struct sctp_stream_reset_add_strm *param;
	uint16_t chunk_len, param_len;

	hdr = mtod(chk->data, struct sctp_chunkhdr *);
	/* The new parameter starts at the padded end of what is already there. */
	chunk_len = SCTP_SIZE32(ntohs(hdr->chunk_length));
	param = (struct sctp_stream_reset_add_strm *)((caddr_t)hdr + chunk_len);

	/* Fixed-size parameter; the reserved field is cleared explicitly. */
	param_len = sizeof(struct sctp_stream_reset_add_strm);
	param->ph.param_type = htons(SCTP_STR_RESET_ADD_OUT_STREAMS);
	param->ph.param_length = htons(param_len);
	param->request_seq = htonl(seq);
	param->number_of_streams = htons(adding);
	param->reserved = 0;

	/* Grow the chunk and the mbuf to cover the new parameter. */
	hdr->chunk_length = htons(param_len + chunk_len);
	chk->send_size = param_len + chunk_len;
	chk->book_size = SCTP_SIZE32(chk->send_size);
	chk->book_size_scale = 0;
	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
}
12278 
/*
 * Append an SCTP_STR_RESET_ADD_IN_STREAMS parameter to the stream reset
 * chunk held in chk->data.
 *
 *   chk     chunk whose mbuf starts with a struct sctp_chunkhdr
 *   seq     value for the request_seq field
 *   adding  number of streams requested, in host byte order
 *
 * send_size receives the unpadded length and book_size the padded one. No
 * check is made for room in the buffer behind chk->data.
 */
static void
sctp_add_an_in_stream(struct sctp_tmit_chunk *chk,
                      uint32_t seq,
                      uint16_t adding)
{
	struct sctp_chunkhdr *hdr;
	struct sctp_stream_reset_add_strm *param;
	uint16_t chunk_len, param_len;

	hdr = mtod(chk->data, struct sctp_chunkhdr *);
	/* The new parameter starts at the padded end of what is already there. */
	chunk_len = SCTP_SIZE32(ntohs(hdr->chunk_length));
	param = (struct sctp_stream_reset_add_strm *)((caddr_t)hdr + chunk_len);

	/* Fixed-size parameter; the reserved field is cleared explicitly. */
	param_len = sizeof(struct sctp_stream_reset_add_strm);
	param->ph.param_type = htons(SCTP_STR_RESET_ADD_IN_STREAMS);
	param->ph.param_length = htons(param_len);
	param->request_seq = htonl(seq);
	param->number_of_streams = htons(adding);
	param->reserved = 0;

	/* Grow the chunk and the mbuf to cover the new parameter. */
	hdr->chunk_length = htons(param_len + chunk_len);
	chk->send_size = param_len + chunk_len;
	chk->book_size = SCTP_SIZE32(chk->send_size);
	chk->book_size_scale = 0;
	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
}
12310 
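/*
 * Build one SCTP_STREAM_RESET chunk holding the requested parameters, put
 * it on the association's control send queue and start the stream reset
 * timer.
 *
 *   stcb            association control block
 *   number_entries  number of stream ids in list (used by the out and in
 *                   requests only)
 *   list            stream ids in host byte order
 *   send_out_req    non-zero to add an outgoing reset request
 *   send_in_req     non-zero to add an incoming reset request
 *   send_tsn_req    non-zero to add a TSN reset request; cannot be
 *                   combined with the out or in request
 *   add_stream      bit 0: ask for adding_o more outgoing streams,
 *                   bit 1: ask for adding_i more incoming streams
 *   peer_asked      stored in asoc->peer_req_out when outgoing streams
 *                   are added
 *
 * Returns 0 on success, EBUSY when a reset is already outstanding, EINVAL
 * for an unusable combination of arguments or a request that does not fit
 * into one chunk, and ENOMEM when the chunk or its buffer cannot be
 * allocated.
 */
int
sctp_send_str_reset_req(struct sctp_tcb *stcb,
                        int number_entries, uint16_t *list,
                        uint8_t send_out_req,
                        uint8_t send_in_req,
                        uint8_t send_tsn_req,
                        uint8_t add_stream,
                        uint16_t adding_o,
                        uint16_t adding_i, uint8_t peer_asked)
{

	struct sctp_association *asoc;
	struct sctp_tmit_chunk *chk;
	struct sctp_chunkhdr *ch;
	size_t capacity, needed;
	uint32_t seq;

	asoc = &stcb->asoc;
	if (asoc->stream_reset_outstanding) {
		/*-
		 * Already one pending, must get ACK back to clear the flag.
		 */
		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EBUSY);
		return (EBUSY);
	}
	if ((send_out_req == 0) && (send_in_req == 0) && (send_tsn_req == 0) &&
	    (add_stream == 0)) {
		/* nothing to do */
		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
		return (EINVAL);
	}
	if (send_tsn_req && (send_out_req || send_in_req)) {
		/* error, can't do that */
		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
		return (EINVAL);
	}
	/*
	 * The whole chunk is built in one buffer requested with MCLBYTES
	 * bytes, of which SCTP_MIN_OVERHEAD are reserved in front, and the
	 * sctp_add_*() helpers append to it without checking for room.
	 * Work out the encoded size up front and refuse a request that
	 * would run past the buffer or past the 16-bit length fields. This
	 * assumes sctp_get_mbuf_for_msg() hands back at least the size it
	 * was asked for.
	 */
	capacity = MCLBYTES - SCTP_MIN_OVERHEAD;
	needed = sizeof(struct sctp_chunkhdr);
	if (send_out_req || send_in_req) {
		size_t list_bytes;

		/* Bound the count first so the size arithmetic cannot wrap. */
		if ((number_entries < 0) ||
		    ((size_t)number_entries > (capacity / sizeof(uint16_t)))) {
			SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
			return (EINVAL);
		}
		list_bytes = sizeof(uint16_t) * (size_t)number_entries;
		if (send_out_req) {
			needed += SCTP_SIZE32(sizeof(struct sctp_stream_reset_out_request) + list_bytes);
		}
		if (send_in_req) {
			needed += SCTP_SIZE32(sizeof(struct sctp_stream_reset_in_request) + list_bytes);
		}
	}
	if ((add_stream & 1) && (adding_o > 0)) {
		needed += sizeof(struct sctp_stream_reset_add_strm);
	}
	if ((add_stream & 2) && (adding_i > 0)) {
		needed += sizeof(struct sctp_stream_reset_add_strm);
	}
	if (send_tsn_req) {
		needed += sizeof(struct sctp_stream_reset_tsn_request);
	}
	if ((needed > capacity) || (needed > 0xffff)) {
		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
		return (EINVAL);
	}
	sctp_alloc_a_chunk(stcb, chk);
	if (chk == NULL) {
		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		return (ENOMEM);
	}
	chk->copy_by_ref = 0;
	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
	chk->rec.chunk_id.can_take_data = 0;
	chk->asoc = &stcb->asoc;
	chk->book_size = sizeof(struct sctp_chunkhdr);
	chk->send_size = SCTP_SIZE32(chk->book_size);
	chk->book_size_scale = 0;

	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
	if (chk->data == NULL) {
		sctp_free_a_chunk(stcb, chk, SCTP_SO_LOCKED);
		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		return (ENOMEM);
	}
	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);

	/* setup chunk parameters */
	chk->sent = SCTP_DATAGRAM_UNSENT;
	chk->snd_count = 0;
	if (stcb->asoc.alternate) {
		chk->whoTo = stcb->asoc.alternate;
	} else {
		chk->whoTo = stcb->asoc.primary_destination;
	}
	/* The queued chunk holds a reference on its destination. */
	atomic_add_int(&chk->whoTo->ref_count, 1);
	ch = mtod(chk->data, struct sctp_chunkhdr *);
	ch->chunk_type = SCTP_STREAM_RESET;
	ch->chunk_flags = 0;
	ch->chunk_length = htons(chk->book_size);
	SCTP_BUF_LEN(chk->data) = chk->send_size;

	/* Each parameter added below takes the next request sequence number. */
	seq = stcb->asoc.str_reset_seq_out;
	if (send_out_req) {
		sctp_add_stream_reset_out(chk, number_entries, list,
					  seq, (stcb->asoc.str_reset_seq_in - 1), (stcb->asoc.sending_seq - 1));
		asoc->stream_reset_out_is_outstanding = 1;
		seq++;
		asoc->stream_reset_outstanding++;
	}
	if ((add_stream & 1) &&
	    ((stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt) < adding_o)) {
		/* Need to allocate more */
		struct sctp_stream_out *oldstream;
		struct sctp_stream_queue_pending *sp, *nsp;
		int i;

		oldstream = stcb->asoc.strmout;
		/* get some more */
		SCTP_MALLOC(stcb->asoc.strmout, struct sctp_stream_out *,
			    ((stcb->asoc.streamoutcnt+adding_o) * sizeof(struct sctp_stream_out)),
			    SCTP_M_STRMO);
		if (stcb->asoc.strmout == NULL) {
			/* Keep the old array and drop the request to add outgoing streams. */
			stcb->asoc.strmout = oldstream;
			/* Turn off the bit */
			add_stream &= 0xfe;
			goto skip_stuff;
		}
		/* Ok now we proceed with copying the old out stuff and
		 * initializing the new stuff.
		 */
		SCTP_TCB_SEND_LOCK(stcb);
		stcb->asoc.ss_functions.sctp_ss_clear(stcb, &stcb->asoc, 0, 1);
		for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
			stcb->asoc.strmout[i].chunks_on_queues = oldstream[i].chunks_on_queues;
			stcb->asoc.strmout[i].next_sequence_send = oldstream[i].next_sequence_send;
			stcb->asoc.strmout[i].last_msg_incomplete = oldstream[i].last_msg_incomplete;
			stcb->asoc.strmout[i].stream_no = i;
			stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], &oldstream[i]);
			/* now anything on those queues? */
			TAILQ_FOREACH_SAFE(sp, &oldstream[i].outqueue, next, nsp) {
				TAILQ_REMOVE(&oldstream[i].outqueue, sp, next);
				TAILQ_INSERT_TAIL(&stcb->asoc.strmout[i].outqueue, sp, next);
			}
			/*
			 * Now move assoc pointers too, so nothing keeps
			 * pointing into the array that is freed below.
			 */
			if (stcb->asoc.last_out_stream == &oldstream[i]) {
				stcb->asoc.last_out_stream = &stcb->asoc.strmout[i];
			}
			if (stcb->asoc.locked_on_sending == &oldstream[i]) {
				stcb->asoc.locked_on_sending = &stcb->asoc.strmout[i];
			}
		}
		/* now the new streams */
		stcb->asoc.ss_functions.sctp_ss_init(stcb, &stcb->asoc, 1);
		for (i = stcb->asoc.streamoutcnt; i < (stcb->asoc.streamoutcnt + adding_o); i++) {
			TAILQ_INIT(&stcb->asoc.strmout[i].outqueue);
			stcb->asoc.strmout[i].chunks_on_queues = 0;
			stcb->asoc.strmout[i].next_sequence_send = 0x0;
			stcb->asoc.strmout[i].stream_no = i;
			stcb->asoc.strmout[i].last_msg_incomplete = 0;
			stcb->asoc.ss_functions.sctp_ss_init_stream(&stcb->asoc.strmout[i], NULL);
		}
		stcb->asoc.strm_realoutsize = stcb->asoc.streamoutcnt + adding_o;
		SCTP_FREE(oldstream, SCTP_M_STRMO);
		SCTP_TCB_SEND_UNLOCK(stcb);
	}
skip_stuff:
	if ((add_stream & 1) && (adding_o > 0)) {
		asoc->strm_pending_add_size = adding_o;
		asoc->peer_req_out = peer_asked;
		sctp_add_an_out_stream(chk, seq, adding_o);
		seq++;
		asoc->stream_reset_outstanding++;
	}
	if ((add_stream & 2) && (adding_i > 0)) {
		sctp_add_an_in_stream(chk, seq, adding_i);
		seq++;
		asoc->stream_reset_outstanding++;
	}
	if (send_in_req) {
		sctp_add_stream_reset_in(chk, number_entries, list, seq);
		seq++;
		asoc->stream_reset_outstanding++;
	}
	if (send_tsn_req) {
		sctp_add_stream_reset_tsn(chk, seq);
		asoc->stream_reset_outstanding++;
	}
	/*
	 * NOTE(review): when the only request was to add outgoing streams
	 * and the allocation above failed, no parameter has been added and
	 * stream_reset_outstanding is still 0, yet the header-only chunk is
	 * queued, the timer is started and 0 is returned. Confirm whether
	 * that path should release the chunk and report ENOMEM instead.
	 */
	asoc->str_reset = chk;
	/* insert the chunk for sending */
	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
			  chk,
			  sctp_next);
	asoc->ctrl_queue_cnt++;
	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
	return (0);
}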
12480 
/*
 * Answer the packet in m with an ABORT chunk, unless that packet itself
 * carries an ABORT.
 *
 *   m, iphlen  received packet and the length of its IP header
 *   src, dst   addresses handed on to sctp_send_resp_msg()
 *   sh         SCTP common header handed on to sctp_send_resp_msg()
 *   vtag       verification tag; passed by address to the ABORT scan, so
 *              the value sent may be one the scan stored there
 *   cause      optional error cause chain; freed here when no reply is
 *              sent, otherwise handed to sctp_send_resp_msg()
 */
void
sctp_send_abort(struct mbuf *m, int iphlen, struct sockaddr *src, struct sockaddr *dst,
                struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
#if defined(__FreeBSD__)
                uint8_t use_mflowid, uint32_t mflowid,
#endif
                uint32_t vrf_id, uint16_t port)
{
	if (!sctp_is_there_an_abort_here(m, iphlen, &vtag)) {
		sctp_send_resp_msg(src, dst, sh, vtag, SCTP_ABORT_ASSOCIATION, cause,
#if defined(__FreeBSD__)
		                   use_mflowid, mflowid,
#endif
		                   vrf_id, port);
		return;
	}
	/*
	 * Never answer an ABORT with an ABORT. The cause chain is not going
	 * anywhere, so release it here.
	 */
	if (cause != NULL) {
		sctp_m_freem(cause);
	}
}
12502 
/*
 * Send an OPERATION ERROR chunk carrying cause in reply to a packet.
 *
 * This is a thin wrapper: every argument is forwarded unchanged to
 * sctp_send_resp_msg() with the chunk type SCTP_OPERATION_ERROR. The cause
 * chain is handed on as is; what happens to it afterwards is decided by
 * sctp_send_resp_msg().
 */
void
sctp_send_operr_to(struct sockaddr *src, struct sockaddr *dst,
                   struct sctphdr *sh, uint32_t vtag, struct mbuf *cause,
#if defined(__FreeBSD__)
                   uint8_t use_mflowid, uint32_t mflowid,
#endif
                   uint32_t vrf_id, uint16_t port)
{
	sctp_send_resp_msg(src, dst, sh, vtag, SCTP_OPERATION_ERROR, cause,
#if defined(__FreeBSD__)
	                   use_mflowid, mflowid,
#endif
	                   vrf_id, port);
}
12518 
/*
 * Copy up to max_send_len further bytes of user data from uio into a
 * freshly allocated mbuf chain.
 *
 *   uio             source of the user data
 *   max_send_len    upper bound on the number of bytes to take
 *   user_marks_eor  (only present on FreeBSD newer than 602000) selects
 *                   M_EOR for m_uiotombuf()
 *   error           receives an errno value on failure
 *   sndout          byte count: assigned in the m_uiotombuf() builds,
 *                   added to in the generic build
 *   new_tail        receives the last mbuf of the chain
 *
 * Returns the head of the chain, or NULL on failure. In the generic build
 * a failure while filling the first mbuf reports the uiomove() error as it
 * is, while a failure on a later mbuf reports EFAULT and clears *new_tail.
 *
 * NOTE(review): the __Panda__ branch reads user_marks_eor, but the
 * parameter is only declared for FreeBSD newer than 602000; confirm how
 * the Panda build gets that name.
 */
static struct mbuf *
sctp_copy_resume(struct uio *uio,
		 int max_send_len,
#if defined(__FreeBSD__) && __FreeBSD_version > 602000
		 int user_marks_eor,
#endif
		 int *error,
		 uint32_t *sndout,
		 struct mbuf **new_tail)
{
#if defined(__Panda__)
	struct mbuf *m;

	m = m_uiotombuf(uio, M_WAITOK, max_send_len, 0,
			(user_marks_eor ? M_EOR : 0));
	if (m == NULL) {
		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		*error = ENOMEM;
		return (NULL);
	}
	*sndout = m_length(m, NULL);
	*new_tail = m_last(m);
	return (m);
#elif defined(__FreeBSD__) && __FreeBSD_version > 602000
	struct mbuf *m;

	m = m_uiotombuf(uio, M_WAITOK, max_send_len, 0,
		(M_PKTHDR | (user_marks_eor ? M_EOR : 0)));
	if (m == NULL) {
		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		*error = ENOMEM;
		return (NULL);
	}
	*sndout = m_length(m, NULL);
	*new_tail = m_last(m);
	return (m);
#else
	int remaining, room, chunk;
	struct mbuf *cur, *head, *next;

	/* Never take more than the caller allows, whatever uio still holds. */
#if defined(__APPLE__) && !defined(APPLE_LEOPARD)
	remaining = min(uio_resid(uio), max_send_len);
#else
	remaining = min(uio->uio_resid, max_send_len);
#endif
	/* Always get a header just in case */
	head = sctp_get_mbuf_for_msg(remaining, 0, M_WAITOK, 0, MT_DATA);
	if (head == NULL) {
		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		*error = ENOMEM;
		return (NULL);
	}
	/* Each copy is limited to the free space of the mbuf being filled. */
	room = M_TRAILINGSPACE(head);
	chunk = min(room, remaining);
	*error = uiomove(mtod(head, caddr_t), chunk, uio);
	if (*error) {
		sctp_m_freem(head);
		return (NULL);
	}
	*sndout += chunk;
	remaining -= chunk;
	SCTP_BUF_LEN(head) = chunk;
	cur = head;
	*new_tail = head;
	while (remaining > 0) {
		/* Link a further mbuf and move the next piece of user data in. */
		next = sctp_get_mbuf_for_msg(remaining, 0, M_WAITOK, 0, MT_DATA);
		SCTP_BUF_NEXT(cur) = next;
		if (next == NULL) {
			sctp_m_freem(head);
			*new_tail = NULL;
			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
			*error = ENOMEM;
			return (NULL);
		}
		cur = next;
		room = M_TRAILINGSPACE(cur);
		chunk = min(room, remaining);
		*error = uiomove(mtod(cur, caddr_t), chunk, uio);
		if (*error) {
			/* The whole chain is dropped; nothing partial is returned. */
			sctp_m_freem(head);
			*new_tail = NULL;
			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
			*error = EFAULT;
			return (NULL);
		}
		SCTP_BUF_LEN(cur) = chunk;
		remaining -= chunk;
		*sndout += chunk;
		*new_tail = cur;
		if (remaining == 0) {
			SCTP_BUF_NEXT(cur) = NULL;
		}
	}
	return (head);
#endif
}
12619 
/*
 * Copy sp->length bytes of user data from uio into a new mbuf chain and
 * attach it to sp.
 *
 *   sp            pending message; length is read, data and tail_mbuf
 *                 are written
 *   uio           source of the user data
 *   resv_upfront  bytes of leading space to leave in the first mbuf
 *
 * Returns 0 on success or an errno value. On failure the partly built
 * chain is freed here and sp->data is not changed by the generic build.
 * The generic build also rewrites sp->length with the byte count actually
 * copied; the m_uiotombuf() builds leave it alone.
 */
static int
sctp_copy_one(struct sctp_stream_queue_pending *sp,
	      struct uio *uio,
	      int resv_upfront)
{
	int left;
#if defined(__Panda__) || (defined(__FreeBSD__) && __FreeBSD_version > 602000)
	left = sp->length;
	sp->data = m_uiotombuf(uio, M_WAITOK, sp->length,
			       resv_upfront, 0);
	if (sp->data == NULL) {
		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		return (ENOMEM);
	}

	sp->tail_mbuf = m_last(sp->data);
	return (0);
#else
	int room, chunk, rc;
	struct mbuf *cur, *head, *next;
	int copied = 0;

	/* The first mbuf also has to hold the reserved leading space. */
	left = sp->length;
	head = cur = sctp_get_mbuf_for_msg((left + resv_upfront), 0, M_WAITOK, 0, MT_DATA);
	if (cur == NULL) {
		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		return (ENOMEM);
	}
	/*
	 * Reserve the leading space before asking how much room is left,
	 * so the first copy is sized for what really remains in the mbuf.
	 */
	SCTP_BUF_RESV_UF(cur, resv_upfront);
	room = M_TRAILINGSPACE(cur);
	chunk = min(room, left);
	while (left > 0) {
		/* Move the next piece of user data in. */
		rc = uiomove(mtod(cur, caddr_t), chunk, uio);
		if (rc) {
			sctp_m_freem(head);
			return (rc);
		}
		SCTP_BUF_LEN(cur) = chunk;
		left -= chunk;
		copied += chunk;
		if (left > 0) {
			next = sctp_get_mbuf_for_msg(left, 0, M_WAITOK, 0, MT_DATA);
			SCTP_BUF_NEXT(cur) = next;
			if (next == NULL) {
				/*
				 * The chain built so far is freed here; the
				 * caller gets nothing back to release.
				 */
				sctp_m_freem(head);
				SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
				return (ENOMEM);
			}
			cur = next;
			room = M_TRAILINGSPACE(cur);
			chunk = min(room, left);
		} else {
			/* Last mbuf: record it as the tail and end the chain. */
			sp->tail_mbuf = cur;
			SCTP_BUF_NEXT(cur) = NULL;
		}
	}
	sp->data = head;
	sp->length = copied;
	return (0);
#endif
}
12702 
12703 
12704 
/*
 * Allocate a pending-message entry, fill it from the send information in
 * srcv and copy up to max_send_len bytes of user data from uio into it.
 *
 *   stcb, asoc      association the message belongs to
 *   srcv            per-message send information (flags, stream, ppid,
 *                   context, lifetime, key number)
 *   uio             source of the user data
 *   net             destination stored in the entry when SCTP_ADDR_OVER
 *                   is set in the flags; a reference is taken on it
 *   max_send_len    upper bound on the number of bytes to take
 *   user_marks_eor  non-zero when the application marks record ends
 *   error           always written: 0 on success, else an errno value
 *
 * Returns the new entry, or NULL with *error set.
 *
 * Protocol processing keeps running while this executes, so changes that
 * affect the stcb or asoc need care; the original author notes that the
 * socket buffer is locked. On Apple builds the socket lock is dropped for
 * the duration of the user copy.
 *
 * The stream number and the other srcv fields are stored as given; no
 * range check is made here, so presumably the caller has validated them.
 */
static struct sctp_stream_queue_pending *
sctp_copy_it_in(struct sctp_tcb *stcb,
    struct sctp_association *asoc,
    struct sctp_sndrcvinfo *srcv,
    struct uio *uio,
    struct sctp_nets *net,
    int max_send_len,
    int user_marks_eor,
    int *error)

{
	struct sctp_stream_queue_pending *sp = NULL;
	int hdr_room;

	*error = 0;
	/* No new data is accepted once shutdown has begun. */
	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
		*error = ECONNRESET;
		return (NULL);
	}
	sctp_alloc_a_strmoq(stcb, sp);
	if (sp == NULL) {
		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
		*error = ENOMEM;
		return (NULL);
	}
	/* Start from a clean entry, then take over the caller's send info. */
	sp->act_flags = 0;
	sp->sender_all_done = 0;
	sp->some_taken = 0;
	sp->put_last_out = 0;
	sp->data = sp->tail_mbuf = NULL;
	sp->sinfo_flags = srcv->sinfo_flags;
	sp->timetolive = srcv->sinfo_timetolive;
	sp->ppid = srcv->sinfo_ppid;
	sp->context = srcv->sinfo_context;
	sp->stream = srcv->sinfo_stream;
	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);

	/* Take what is left in uio, but never more than max_send_len. */
#if defined(__APPLE__) && !defined(APPLE_LEOPARD)
	sp->length = min(uio_resid(uio), max_send_len);
#else
	sp->length = min(uio->uio_resid, max_send_len);
#endif
	/*
	 * The message is complete only when everything left in uio fits
	 * this entry and the application is not going to add to it later.
	 */
#if defined(__APPLE__) && !defined(APPLE_LEOPARD)
	if ((sp->length == (uint32_t)uio_resid(uio)) &&
#else
	if ((sp->length == (uint32_t)uio->uio_resid) &&
#endif
	    ((user_marks_eor == 0) ||
	     (srcv->sinfo_flags & SCTP_EOF) ||
	     (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
		sp->msg_is_complete = 1;
	} else {
		sp->msg_is_complete = 0;
	}
	hdr_room = sizeof(struct sctp_data_chunk);
	if (sp->length != 0) {
		/* Use the caller's key number when it says it supplied one. */
		if (srcv->sinfo_keynumber_valid) {
			sp->auth_keyid = srcv->sinfo_keynumber;
		} else {
			sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
		}
		if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
			/* Flag the key reference so it can be dropped with the entry. */
			sctp_auth_key_acquire(stcb, sp->auth_keyid);
			sp->holds_key_ref = 1;
		}
#if defined(__APPLE__)
		SCTP_SOCKET_UNLOCK(SCTP_INP_SO(stcb->sctp_ep), 0);
#endif
		*error = sctp_copy_one(sp, uio, hdr_room);
#if defined(__APPLE__)
		SCTP_SOCKET_LOCK(SCTP_INP_SO(stcb->sctp_ep), 0);
#endif
	}
	if (*error) {
		sctp_free_a_strmoq(stcb, sp, SCTP_SO_LOCKED);
		return (NULL);
	}
	if (sp->sinfo_flags & SCTP_ADDR_OVER) {
		/* The entry keeps a counted reference on the chosen destination. */
		sp->net = net;
		atomic_add_int(&sp->net->ref_count, 1);
	} else {
		sp->net = NULL;
	}
	sctp_set_prsctp_policy(sp);
	return (sp);
}
12818 
12819 
/*
 * Socket-layer send entry point: pull an SCTP_SNDRCV control message out
 * of the ancillary data if one is present, turn an IPv4-mapped IPv6
 * destination into a plain IPv4 one, and hand the rest of the work to
 * sctp_lower_sosend().
 *
 * Returns whatever sctp_lower_sosend() returns.
 *
 * Both the control data and the destination address are caller-supplied.
 * The address is read as a struct sockaddr_in6 on the strength of
 * sa_family alone; its length is not checked in this function, so the
 * caller is presumably expected to pass a buffer of at least that size.
 */
int
sctp_sosend(struct socket *so,
            struct sockaddr *addr,
            struct uio *uio,
#ifdef __Panda__
            pakhandle_type top,
            pakhandle_type icontrol,
#else
            struct mbuf *top,
            struct mbuf *control,
#endif
#if defined(__APPLE__) || defined(__Panda__)
            int flags
#else
            int flags,
#if defined(__FreeBSD__) && __FreeBSD_version >= 500000
            struct thread *p
#elif defined(__Windows__)
            PKTHREAD p
#else
#if defined(__Userspace__)
            /*
	     * proc is a dummy in __Userspace__ and will not be passed
	     * to sctp_lower_sosend
	     */
#endif
            struct proc *p
#endif
#endif
)
{
#ifdef __Panda__
	struct mbuf *control = NULL;
#endif
#if defined(__APPLE__)
	struct proc *p = current_proc();
#endif
	int rc, have_sinfo = 0;
	struct sctp_sndrcvinfo sinfo;
	struct sockaddr *dest;
#if defined(INET) && defined(INET6)
	struct sockaddr_in mapped_v4;
#endif

#if defined(__APPLE__)
	SCTP_SOCKET_LOCK(so, 1);
#endif
#ifdef __Panda__
	control = SCTP_HEADER_TO_CHAIN(icontrol);
#endif
	/* Look for snd/rcv info in the control data (it may name an assoc-id). */
	if ((control != NULL) &&
	    sctp_find_cmsg(SCTP_SNDRCV, (void *)&sinfo, control,
	    sizeof(sinfo))) {
		have_sinfo = 1;
	}
	dest = addr;
#if defined(INET) && defined(INET6)
	if ((addr != NULL) && (addr->sa_family == AF_INET6)) {
		struct sockaddr_in6 *sin6;

		sin6 = (struct sockaddr_in6 *)addr;
		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
			/* The converted address lives on this stack frame for the call below. */
			in6_sin6_2_sin(&mapped_v4, sin6);
			dest = (struct sockaddr *)&mapped_v4;
		}
	}
#endif
	/* Send info is passed on only when the control data really held it. */
	rc = sctp_lower_sosend(so, dest, uio, top,
#ifdef __Panda__
				  icontrol,
#else
				  control,
#endif
				  flags,
				  have_sinfo ? &sinfo : NULL
#if !(defined(__Panda__) || defined(__Userspace__))
				  , p
#endif
		);
#if defined(__APPLE__)
	SCTP_SOCKET_UNLOCK(so, 1);
#endif
	return (rc);
}
12907 
12908 
12909 int
12910 sctp_lower_sosend(struct socket *so,
12911                   struct sockaddr *addr,
12912                   struct uio *uio,
12913 #ifdef __Panda__
12914                   pakhandle_type i_pak,
12915                   pakhandle_type i_control,
12916 #else
12917                   struct mbuf *i_pak,
12918                   struct mbuf *control,
12919 #endif
12920                   int flags,
12921                   struct sctp_sndrcvinfo *srcv
12922 #if !(defined( __Panda__) || defined(__Userspace__))
12923                   ,
12924 #if defined(__FreeBSD__) && __FreeBSD_version >= 500000
12925                   struct thread *p
12926 #elif defined(__Windows__)
12927                   PKTHREAD p
12928 #else
12929                   struct proc *p
12930 #endif
12931 #endif
12932 	)
12933 {
12934 	unsigned int sndlen = 0, max_len;
12935 	int error, len;
12936 	struct mbuf *top = NULL;
12937 #ifdef __Panda__
12938 	struct mbuf *control = NULL;
12939 #endif
12940 	int queue_only = 0, queue_only_for_init = 0;
12941 	int free_cnt_applied = 0;
12942 	int un_sent;
12943 	int now_filled = 0;
12944 	unsigned int inqueue_bytes = 0;
12945 	struct sctp_block_entry be;
12946 	struct sctp_inpcb *inp;
12947 	struct sctp_tcb *stcb = NULL;
12948 	struct timeval now;
12949 	struct sctp_nets *net;
12950 	struct sctp_association *asoc;
12951 	struct sctp_inpcb *t_inp;
12952 	int user_marks_eor;
12953 	int create_lock_applied = 0;
12954 	int nagle_applies = 0;
12955 	int some_on_control = 0;
12956 	int got_all_of_the_send = 0;
12957 	int hold_tcblock = 0;
12958 	int non_blocking = 0;
12959 	uint32_t local_add_more, local_soresv = 0;
12960 	uint16_t port;
12961 	uint16_t sinfo_flags;
12962 	sctp_assoc_t sinfo_assoc_id;
12963 
12964 	error = 0;
12965 	net = NULL;
12966 	stcb = NULL;
12967 	asoc = NULL;
12968 
12969 #if defined(__APPLE__)
12970 	sctp_lock_assert(so);
12971 #endif
12972 	t_inp = inp = (struct sctp_inpcb *)so->so_pcb;
12973 	if (inp == NULL) {
12974 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12975 		error = EINVAL;
12976 		if (i_pak) {
12977 			SCTP_RELEASE_PKT(i_pak);
12978 		}
12979 		return (error);
12980 	}
12981 	if ((uio == NULL) && (i_pak == NULL)) {
12982 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12983 		return (EINVAL);
12984 	}
12985 	user_marks_eor = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
12986 	atomic_add_int(&inp->total_sends, 1);
12987 	if (uio) {
12988 #if defined(__APPLE__)
12989 #if defined(APPLE_LEOPARD)
12990 		if (uio->uio_resid < 0) {
12991 #else
12992 		if (uio_resid(uio) < 0) {
12993 #endif
12994 #else
12995 		if (uio->uio_resid < 0) {
12996 #endif
12997 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12998 			return (EINVAL);
12999 		}
13000 #if defined(__APPLE__)
13001 #if defined(APPLE_LEOPARD)
13002 		sndlen = uio->uio_resid;
13003 #else
13004 		sndlen = uio_resid(uio);
13005 #endif
13006 #else
13007 		sndlen = uio->uio_resid;
13008 #endif
13009 	} else {
13010 		top = SCTP_HEADER_TO_CHAIN(i_pak);
13011 #ifdef __Panda__
13012 		/*-
13013 		 * app len indicates the datalen, dgsize for cases
13014 		 * of SCTP_EOF/ABORT will not have the right len
13015 		 */
13016 		sndlen = SCTP_APP_DATA_LEN(i_pak);
13017 		/*-
13018 		 * Set the particle len also to zero to match
13019 		 * up with app len. We only have one particle
13020 		 * if app len is zero for Panda. This is ensured
13021 		 * in the socket lib
13022 		 */
13023 		if (sndlen == 0) {
13024 			SCTP_BUF_LEN(top)  = 0;
13025 		}
13026 		/*-
13027 		 * We delink the chain from header, but keep
13028 		 * the header around as we will need it in
13029 		 * EAGAIN case
13030 		 */
13031 		SCTP_DETACH_HEADER_FROM_CHAIN(i_pak);
13032 #else
13033 		sndlen = SCTP_HEADER_LEN(i_pak);
13034 #endif
13035 	}
13036 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %d\n",
13037 		(void *)addr,
13038 	        sndlen);
13039 #ifdef __Panda__
13040 	if (i_control) {
13041 		control = SCTP_HEADER_TO_CHAIN(i_control);
13042 	}
13043 #endif
13044 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
13045 	    (inp->sctp_socket->so_qlimit)) {
13046 		/* The listener can NOT send */
13047 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
13048 		error = ENOTCONN;
13049 		goto out_unlocked;
13050 	}
13051 	/**
13052 	 * Pre-screen address, if one is given the sin-len
13053 	 * must be set correctly!
13054 	 */
13055 	if (addr) {
13056 		union sctp_sockstore *raddr = (union sctp_sockstore *)addr;
13057 		switch (raddr->sa.sa_family) {
13058 #ifdef INET
13059 		case AF_INET:
13060 #ifdef HAVE_SIN_LEN
13061 			if (raddr->sin.sin_len != sizeof(struct sockaddr_in)) {
13062 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13063 				error = EINVAL;
13064 				goto out_unlocked;
13065 			}
13066 #endif
13067 			port = raddr->sin.sin_port;
13068 			break;
13069 #endif
13070 #ifdef INET6
13071 		case AF_INET6:
13072 #ifdef HAVE_SIN6_LEN
13073 			if (raddr->sin6.sin6_len != sizeof(struct sockaddr_in6)) {
13074 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13075 				error = EINVAL;
13076 				goto out_unlocked;
13077 			}
13078 #endif
13079 			port = raddr->sin6.sin6_port;
13080 			break;
13081 #endif
13082 #if defined(__Userspace__)
13083 		case AF_CONN:
13084 #ifdef HAVE_SCONN_LEN
13085 			if (raddr->sconn.sconn_len != sizeof(struct sockaddr_conn)) {
13086 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13087 				error = EINVAL;
13088 				goto out_unlocked;
13089 			}
13090 #endif
13091 			port = raddr->sconn.sconn_port;
13092 			break;
13093 #endif
13094 		default:
13095 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAFNOSUPPORT);
13096 			error = EAFNOSUPPORT;
13097 			goto out_unlocked;
13098 		}
13099 	} else
13100 		port = 0;
13101 
13102 	if (srcv) {
13103 		sinfo_flags = srcv->sinfo_flags;
13104 		sinfo_assoc_id = srcv->sinfo_assoc_id;
13105 		if (INVALID_SINFO_FLAG(sinfo_flags) ||
13106 		    PR_SCTP_INVALID_POLICY(sinfo_flags)) {
13107 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13108 			error = EINVAL;
13109 			goto out_unlocked;
13110 		}
13111 		if (srcv->sinfo_flags)
13112 			SCTP_STAT_INCR(sctps_sends_with_flags);
13113 	} else {
13114 		sinfo_flags = inp->def_send.sinfo_flags;
13115 		sinfo_assoc_id = inp->def_send.sinfo_assoc_id;
13116 	}
13117 	if (sinfo_flags & SCTP_SENDALL) {
13118 		/* its a sendall */
13119 		error = sctp_sendall(inp, uio, top, srcv);
13120 		top = NULL;
13121 		goto out_unlocked;
13122 	}
13123 	if ((sinfo_flags & SCTP_ADDR_OVER) && (addr == NULL)) {
13124 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13125 		error = EINVAL;
13126 		goto out_unlocked;
13127 	}
13128 	/* now we must find the assoc */
13129 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) ||
13130 	    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
13131 		SCTP_INP_RLOCK(inp);
13132 		stcb = LIST_FIRST(&inp->sctp_asoc_list);
13133 		if (stcb) {
13134 			SCTP_TCB_LOCK(stcb);
13135 			hold_tcblock = 1;
13136 		}
13137 		SCTP_INP_RUNLOCK(inp);
13138 	} else if (sinfo_assoc_id) {
13139 		stcb = sctp_findassociation_ep_asocid(inp, sinfo_assoc_id, 0);
13140 	} else if (addr) {
13141 		/*-
13142 		 * Since we did not use findep we must
13143 		 * increment it, and if we don't find a tcb
13144 		 * decrement it.
13145 		 */
13146 		SCTP_INP_WLOCK(inp);
13147 		SCTP_INP_INCR_REF(inp);
13148 		SCTP_INP_WUNLOCK(inp);
13149 		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
13150 		if (stcb == NULL) {
13151 			SCTP_INP_WLOCK(inp);
13152 			SCTP_INP_DECR_REF(inp);
13153 			SCTP_INP_WUNLOCK(inp);
13154 		} else {
13155 			hold_tcblock = 1;
13156 		}
13157 	}
13158 	if ((stcb == NULL) && (addr)) {
13159 		/* Possible implicit send? */
13160 		SCTP_ASOC_CREATE_LOCK(inp);
13161 		create_lock_applied = 1;
13162 		if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
13163 		    (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
13164 			/* Should I really unlock ? */
13165 			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13166 			error = EINVAL;
13167 			goto out_unlocked;
13168 
13169 		}
13170 		if (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0) &&
13171 		    (addr->sa_family == AF_INET6)) {
13172 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13173 			error = EINVAL;
13174 			goto out_unlocked;
13175 		}
13176 		SCTP_INP_WLOCK(inp);
13177 		SCTP_INP_INCR_REF(inp);
13178 		SCTP_INP_WUNLOCK(inp);
13179 		/* With the lock applied look again */
13180 		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
13181 		if ((stcb == NULL) && (control != NULL) && (port > 0)) {
13182 			stcb = sctp_findassociation_cmsgs(&t_inp, port, control, &net, &error);
13183 		}
13184 		if (stcb == NULL) {
13185 			SCTP_INP_WLOCK(inp);
13186 			SCTP_INP_DECR_REF(inp);
13187 			SCTP_INP_WUNLOCK(inp);
13188 		} else {
13189 			hold_tcblock = 1;
13190 		}
13191 		if (error) {
13192 			goto out_unlocked;
13193 		}
13194 		if (t_inp != inp) {
13195 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
13196 			error = ENOTCONN;
13197 			goto out_unlocked;
13198 		}
13199 	}
13200 	if (stcb == NULL) {
13201 		if (addr == NULL) {
13202 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
13203 			error = ENOENT;
13204 			goto out_unlocked;
13205 		} else {
13206 			/* We must go ahead and start the INIT process */
13207 			uint32_t vrf_id;
13208 
13209 			if ((sinfo_flags & SCTP_ABORT) ||
13210 			    ((sinfo_flags & SCTP_EOF) && (sndlen == 0))) {
13211 				/*-
13212 				 * User asks to abort a non-existant assoc,
13213 				 * or EOF a non-existant assoc with no data
13214 				 */
13215 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
13216 				error = ENOENT;
13217 				goto out_unlocked;
13218 			}
13219 			/* get an asoc/stcb struct */
13220 			vrf_id = inp->def_vrf_id;
13221 #ifdef INVARIANTS
13222 			if (create_lock_applied == 0) {
13223 				panic("Error, should hold create lock and I don't?");
13224 			}
13225 #endif
13226 			stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id,
13227 #if !(defined( __Panda__) || defined(__Userspace__))
13228 					       p
13229 #else
13230 					       (struct proc *)NULL
13231 #endif
13232 				);
13233 			if (stcb == NULL) {
13234 				/* Error is setup for us in the call */
13235 				goto out_unlocked;
13236 			}
13237 			if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
13238 				stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
13239 				/* Set the connected flag so we can queue data */
13240 				soisconnecting(so);
13241 			}
13242 			hold_tcblock = 1;
13243 			if (create_lock_applied) {
13244 				SCTP_ASOC_CREATE_UNLOCK(inp);
13245 				create_lock_applied = 0;
13246 			} else {
13247 				SCTP_PRINTF("Huh-3? create lock should have been on??\n");
13248 			}
13249 			/* Turn on queue only flag to prevent data from being sent */
13250 			queue_only = 1;
13251 			asoc = &stcb->asoc;
13252 			SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
13253 			(void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
13254 
13255 			/* initialize authentication params for the assoc */
13256 			sctp_initialize_auth_params(inp, stcb);
13257 
13258 			if (control) {
13259 				if (sctp_process_cmsgs_for_init(stcb, control, &error)) {
13260 					sctp_free_assoc(inp, stcb, SCTP_PCBFREE_FORCE, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_7);
13261 					hold_tcblock = 0;
13262 					stcb = NULL;
13263 					goto out_unlocked;
13264 				}
13265 			}
13266 			/* out with the INIT */
13267 			queue_only_for_init = 1;
13268 			/*-
13269 			 * we may want to dig in after this call and adjust the MTU
13270 			 * value. It defaulted to 1500 (constant) but the ro
13271 			 * structure may now have an update and thus we may need to
13272 			 * change it BEFORE we append the message.
13273 			 */
13274 		}
13275 	} else
13276 		asoc = &stcb->asoc;
13277 	if (srcv == NULL)
13278 		srcv = (struct sctp_sndrcvinfo *)&asoc->def_send;
13279 	if (srcv->sinfo_flags & SCTP_ADDR_OVER) {
13280 		if (addr)
13281 			net = sctp_findnet(stcb, addr);
13282 		else
13283 			net = NULL;
13284 		if ((net == NULL) ||
13285 		    ((port != 0) && (port != stcb->rport))) {
13286 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13287 			error = EINVAL;
13288 			goto out_unlocked;
13289 		}
13290 	} else {
13291 		if (stcb->asoc.alternate) {
13292 			net = stcb->asoc.alternate;
13293 		} else {
13294 			net = stcb->asoc.primary_destination;
13295 		}
13296 	}
13297 	atomic_add_int(&stcb->total_sends, 1);
13298 	/* Keep the stcb from being freed under our feet */
13299 	atomic_add_int(&asoc->refcnt, 1);
13300 	free_cnt_applied = 1;
13301 
13302 	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NO_FRAGMENT)) {
13303 		if (sndlen > asoc->smallest_mtu) {
13304 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
13305 			error = EMSGSIZE;
13306 			goto out_unlocked;
13307 		}
13308 	}
13309 #if defined(__Userspace__)
13310 	if (inp->recv_callback) {
13311 		non_blocking = 1;
13312 	}
13313 #else
13314 	if (SCTP_SO_IS_NBIO(so)
13315 #if defined(__FreeBSD__) && __FreeBSD_version >= 500000
13316 	     || (flags & MSG_NBIO)
13317 #endif
13318 	    ) {
13319 		non_blocking = 1;
13320 	}
13321 #endif
13322 	/* would we block? */
13323 	if (non_blocking) {
13324 		if (hold_tcblock == 0) {
13325 			SCTP_TCB_LOCK(stcb);
13326 			hold_tcblock = 1;
13327 		}
13328 		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13329 		if ((SCTP_SB_LIMIT_SND(so) <  (sndlen + inqueue_bytes + stcb->asoc.sb_send_resv)) ||
13330 		    (stcb->asoc.chunks_on_out_queue >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13331 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EWOULDBLOCK);
13332 			if (sndlen > SCTP_SB_LIMIT_SND(so))
13333 				error = EMSGSIZE;
13334 			else
13335 				error = EWOULDBLOCK;
13336 			goto out_unlocked;
13337 		}
13338 		stcb->asoc.sb_send_resv += sndlen;
13339 		SCTP_TCB_UNLOCK(stcb);
13340 		hold_tcblock = 0;
13341 	} else {
13342 		atomic_add_int(&stcb->asoc.sb_send_resv, sndlen);
13343 	}
13344 	local_soresv = sndlen;
13345 	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13346 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
13347 		error = ECONNRESET;
13348 		goto out_unlocked;
13349 	}
13350 	if (create_lock_applied) {
13351 		SCTP_ASOC_CREATE_UNLOCK(inp);
13352 		create_lock_applied = 0;
13353 	}
13354 	if (asoc->stream_reset_outstanding) {
13355 		/*
13356 		 * Can't queue any data while stream reset is underway.
13357 		 */
13358 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAGAIN);
13359 		error = EAGAIN;
13360 		goto out_unlocked;
13361 	}
13362 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
13363 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
13364 		queue_only = 1;
13365 	}
13366 	/* we are now done with all control */
13367 	if (control) {
13368 		sctp_m_freem(control);
13369 		control = NULL;
13370 	}
13371 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
13372 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
13373 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
13374 	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
13375 		if (srcv->sinfo_flags & SCTP_ABORT) {
13376 			;
13377 		} else {
13378 			SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
13379 			error = ECONNRESET;
13380 			goto out_unlocked;
13381 		}
13382 	}
13383 	/* Ok, we will attempt a msgsnd :> */
13384 #if !(defined(__Panda__) || defined(__Windows__) || defined(__Userspace__))
13385 	if (p) {
13386 #if defined(__FreeBSD__) && __FreeBSD_version >= 603000
13387 		p->td_ru.ru_msgsnd++;
13388 #elif defined(__FreeBSD__) && __FreeBSD_version >= 500000
13389 		p->td_proc->p_stats->p_ru.ru_msgsnd++;
13390 #else
13391 		p->p_stats->p_ru.ru_msgsnd++;
13392 #endif
13393 	}
13394 #endif
13395 	/* Are we aborting? */
13396 	if (srcv->sinfo_flags & SCTP_ABORT) {
13397 		struct mbuf *mm;
13398 		int tot_demand, tot_out = 0, max_out;
13399 
13400 		SCTP_STAT_INCR(sctps_sends_with_abort);
13401 		if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
13402 		    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
13403 			/* It has to be up before we abort */
13404 			/* how big is the user initiated abort? */
13405 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13406 			error = EINVAL;
13407 			goto out;
13408 		}
13409 		if (hold_tcblock) {
13410 			SCTP_TCB_UNLOCK(stcb);
13411 			hold_tcblock = 0;
13412 		}
13413 		if (top) {
13414 			struct mbuf *cntm = NULL;
13415 
13416 			mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_WAITOK, 1, MT_DATA);
13417 			if (sndlen != 0) {
13418 				for (cntm = top; cntm; cntm = SCTP_BUF_NEXT(cntm)) {
13419 					tot_out += SCTP_BUF_LEN(cntm);
13420 				}
13421 			}
13422 		} else {
13423 			/* Must fit in a MTU */
13424 			tot_out = sndlen;
13425 			tot_demand = (tot_out + sizeof(struct sctp_paramhdr));
13426 			if (tot_demand > SCTP_DEFAULT_ADD_MORE) {
13427 				/* To big */
13428 				SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
13429 				error = EMSGSIZE;
13430 				goto out;
13431 			}
13432 			mm = sctp_get_mbuf_for_msg(tot_demand, 0, M_WAITOK, 1, MT_DATA);
13433 		}
13434 		if (mm == NULL) {
13435 			SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
13436 			error = ENOMEM;
13437 			goto out;
13438 		}
13439 		max_out = asoc->smallest_mtu - sizeof(struct sctp_paramhdr);
13440 		max_out -= sizeof(struct sctp_abort_msg);
13441 		if (tot_out > max_out) {
13442 			tot_out = max_out;
13443 		}
13444 		if (mm) {
13445 			struct sctp_paramhdr *ph;
13446 
13447 			/* now move forward the data pointer */
13448 			ph = mtod(mm, struct sctp_paramhdr *);
13449 			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
13450 			ph->param_length = htons(sizeof(struct sctp_paramhdr) + tot_out);
13451 			ph++;
13452 			SCTP_BUF_LEN(mm) = tot_out + sizeof(struct sctp_paramhdr);
13453 			if (top == NULL) {
13454 #if defined(__APPLE__)
13455 				SCTP_SOCKET_UNLOCK(so, 0);
13456 #endif
13457 				error = uiomove((caddr_t)ph, (int)tot_out, uio);
13458 #if defined(__APPLE__)
13459 				SCTP_SOCKET_LOCK(so, 0);
13460 #endif
13461 				if (error) {
13462 					/*-
13463 					 * Here if we can't get his data we
13464 					 * still abort we just don't get to
13465 					 * send the users note :-0
13466 					 */
13467 					sctp_m_freem(mm);
13468 					mm = NULL;
13469 				}
13470 			} else {
13471 				if (sndlen != 0) {
13472 					SCTP_BUF_NEXT(mm) = top;
13473 				}
13474 			}
13475 		}
13476 		if (hold_tcblock == 0) {
13477 			SCTP_TCB_LOCK(stcb);
13478 		}
13479 		atomic_add_int(&stcb->asoc.refcnt, -1);
13480 		free_cnt_applied = 0;
13481 		/* release this lock, otherwise we hang on ourselves */
13482 		sctp_abort_an_association(stcb->sctp_ep, stcb, mm, SCTP_SO_LOCKED);
13483 		/* now relock the stcb so everything is sane */
13484 		hold_tcblock = 0;
13485 		stcb = NULL;
13486 		/* In this case top is already chained to mm
13487 		 * avoid double free, since we free it below if
13488 		 * top != NULL and driver would free it after sending
13489 		 * the packet out
13490 		 */
13491 		if (sndlen != 0) {
13492 			top = NULL;
13493 		}
13494 		goto out_unlocked;
13495 	}
13496 	/* Calculate the maximum we can send */
13497 	inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13498 	if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13499 		if (non_blocking) {
13500 			/* we already checked for non-blocking above. */
13501 			max_len = sndlen;
13502 		} else {
13503 			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13504 		}
13505 	} else {
13506 		max_len = 0;
13507 	}
13508 	if (hold_tcblock) {
13509 		SCTP_TCB_UNLOCK(stcb);
13510 		hold_tcblock = 0;
13511 	}
13512 	/* Is the stream no. valid? */
13513 	if (srcv->sinfo_stream >= asoc->streamoutcnt) {
13514 		/* Invalid stream number */
13515 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13516 		error = EINVAL;
13517 		goto out_unlocked;
13518 	}
13519 	if (asoc->strmout == NULL) {
13520 		/* huh? software error */
13521 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
13522 		error = EFAULT;
13523 		goto out_unlocked;
13524 	}
13525 
13526 	/* Unless E_EOR mode is on, we must make a send FIT in one call. */
13527 	if ((user_marks_eor == 0) &&
13528 	    (sndlen > SCTP_SB_LIMIT_SND(stcb->sctp_socket))) {
13529 		/* It will NEVER fit */
13530 		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
13531 		error = EMSGSIZE;
13532 		goto out_unlocked;
13533 	}
13534 	if ((uio == NULL) && user_marks_eor) {
13535 		/*-
13536 		 * We do not support eeor mode for
13537 		 * sending with mbuf chains (like sendfile).
13538 		 */
13539 		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13540 		error = EINVAL;
13541 		goto out_unlocked;
13542 	}
13543 
13544 	if (user_marks_eor) {
13545 		local_add_more = min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold));
13546 	} else {
13547 		/*-
13548 		 * For non-eeor the whole message must fit in
13549 		 * the socket send buffer.
13550 		 */
13551 		local_add_more = sndlen;
13552 	}
13553 	len = 0;
13554 	if (non_blocking) {
13555 		goto skip_preblock;
13556 	}
13557 	if (((max_len <= local_add_more) &&
13558 	     (SCTP_SB_LIMIT_SND(so) >= local_add_more)) ||
13559 	    (max_len == 0) ||
13560 	    ((stcb->asoc.chunks_on_out_queue+stcb->asoc.stream_queue_cnt) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13561 		/* No room right now ! */
13562 		SOCKBUF_LOCK(&so->so_snd);
13563 		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13564 		while ((SCTP_SB_LIMIT_SND(so) < (inqueue_bytes + local_add_more)) ||
13565 		       ((stcb->asoc.stream_queue_cnt+stcb->asoc.chunks_on_out_queue) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
13566 			SCTPDBG(SCTP_DEBUG_OUTPUT1,"pre_block limit:%u <(inq:%d + %d) || (%d+%d > %d)\n",
13567 			        (unsigned int)SCTP_SB_LIMIT_SND(so),
13568 			        inqueue_bytes,
13569 			        local_add_more,
13570 			        stcb->asoc.stream_queue_cnt,
13571 			        stcb->asoc.chunks_on_out_queue,
13572 			        SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue));
13573 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13574 				sctp_log_block(SCTP_BLOCK_LOG_INTO_BLKA, asoc, sndlen);
13575 			}
13576 			be.error = 0;
13577 #if !defined(__Panda__) && !defined(__Windows__)
13578 			stcb->block_entry = &be;
13579 #endif
13580 			error = sbwait(&so->so_snd);
13581 			stcb->block_entry = NULL;
13582 			if (error || so->so_error || be.error) {
13583 				if (error == 0) {
13584 					if (so->so_error)
13585 						error = so->so_error;
13586 					if (be.error) {
13587 						error = be.error;
13588 					}
13589 				}
13590 				SOCKBUF_UNLOCK(&so->so_snd);
13591 				goto out_unlocked;
13592 			}
13593 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13594 				sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13595 				               asoc, stcb->asoc.total_output_queue_size);
13596 			}
13597 			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13598 				goto out_unlocked;
13599 			}
13600 			inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13601 		}
13602 		if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
13603 			max_len = SCTP_SB_LIMIT_SND(so) -  inqueue_bytes;
13604 		} else {
13605 			max_len = 0;
13606 		}
13607 		SOCKBUF_UNLOCK(&so->so_snd);
13608 	}
13609 
13610 skip_preblock:
13611 	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13612 		goto out_unlocked;
13613 	}
13614 #if defined(__APPLE__)
13615 	error = sblock(&so->so_snd, SBLOCKWAIT(flags));
13616 #endif
13617 	/* sndlen covers for mbuf case
13618 	 * uio_resid covers for the non-mbuf case
13619 	 * NOTE: uio will be null when top/mbuf is passed
13620 	 */
13621 	if (sndlen == 0) {
13622 		if (srcv->sinfo_flags & SCTP_EOF) {
13623 			got_all_of_the_send = 1;
13624 			goto dataless_eof;
13625 		} else {
13626 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13627 			error = EINVAL;
13628 			goto out;
13629 		}
13630 	}
13631 	if (top == NULL) {
13632 		struct sctp_stream_queue_pending *sp;
13633 		struct sctp_stream_out *strm;
13634 		uint32_t sndout;
13635 
13636 		SCTP_TCB_SEND_LOCK(stcb);
13637 		if ((asoc->stream_locked) &&
13638 		    (asoc->stream_locked_on  != srcv->sinfo_stream)) {
13639 			SCTP_TCB_SEND_UNLOCK(stcb);
13640 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
13641 			error = EINVAL;
13642 			goto out;
13643 		}
13644 		SCTP_TCB_SEND_UNLOCK(stcb);
13645 
13646 		strm = &stcb->asoc.strmout[srcv->sinfo_stream];
13647 		if (strm->last_msg_incomplete == 0) {
13648 		do_a_copy_in:
13649 			sp = sctp_copy_it_in(stcb, asoc, srcv, uio, net, max_len, user_marks_eor, &error);
13650 			if ((sp == NULL) || (error)) {
13651 				goto out;
13652 			}
13653 			SCTP_TCB_SEND_LOCK(stcb);
13654 			if (sp->msg_is_complete) {
13655 				strm->last_msg_incomplete = 0;
13656 				asoc->stream_locked = 0;
13657 			} else {
13658 				/* Just got locked to this guy in
13659 				 * case of an interrupt.
13660 				 */
13661 				strm->last_msg_incomplete = 1;
13662 				asoc->stream_locked = 1;
13663 				asoc->stream_locked_on  = srcv->sinfo_stream;
13664 				sp->sender_all_done = 0;
13665 			}
13666 			sctp_snd_sb_alloc(stcb, sp->length);
13667 			atomic_add_int(&asoc->stream_queue_cnt, 1);
13668 			if (srcv->sinfo_flags & SCTP_UNORDERED) {
13669 				SCTP_STAT_INCR(sctps_sends_with_unord);
13670 			}
13671 			TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
13672 			stcb->asoc.ss_functions.sctp_ss_add_to_stream(stcb, asoc, strm, sp, 1);
13673 			SCTP_TCB_SEND_UNLOCK(stcb);
13674 		} else {
13675 			SCTP_TCB_SEND_LOCK(stcb);
13676 			sp = TAILQ_LAST(&strm->outqueue, sctp_streamhead);
13677 			SCTP_TCB_SEND_UNLOCK(stcb);
13678 			if (sp == NULL) {
13679 				/* ???? Huh ??? last msg is gone */
13680 #ifdef INVARIANTS
13681 				panic("Warning: Last msg marked incomplete, yet nothing left?");
13682 #else
13683 				SCTP_PRINTF("Warning: Last msg marked incomplete, yet nothing left?\n");
13684 				strm->last_msg_incomplete = 0;
13685 #endif
13686 				goto do_a_copy_in;
13687 
13688 			}
13689 		}
13690 #if defined(__APPLE__)
13691 #if defined(APPLE_LEOPARD)
13692 		while (uio->uio_resid > 0) {
13693 #else
13694 		while (uio_resid(uio) > 0) {
13695 #endif
13696 #else
13697 		while (uio->uio_resid > 0) {
13698 #endif
13699 			/* How much room do we have? */
13700 			struct mbuf *new_tail, *mm;
13701 
13702 			if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
13703 				max_len = SCTP_SB_LIMIT_SND(so) - stcb->asoc.total_output_queue_size;
13704 			else
13705 				max_len = 0;
13706 
13707 			if ((max_len > SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
13708 			    (max_len && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) ||
13709 #if defined(__APPLE__)
13710 #if defined(APPLE_LEOPARD)
13711 			    (uio->uio_resid && (uio->uio_resid <= (int)max_len))) {
13712 #else
13713 			    (uio_resid(uio) && (uio_resid(uio) <= (int)max_len))) {
13714 #endif
13715 #else
13716 			    (uio->uio_resid && (uio->uio_resid <= (int)max_len))) {
13717 #endif
13718 				sndout = 0;
13719 				new_tail = NULL;
13720 				if (hold_tcblock) {
13721 					SCTP_TCB_UNLOCK(stcb);
13722 					hold_tcblock = 0;
13723 				}
13724 #if defined(__APPLE__)
13725 				SCTP_SOCKET_UNLOCK(so, 0);
13726 #endif
13727 #if defined(__FreeBSD__) && __FreeBSD_version > 602000
13728 				    mm = sctp_copy_resume(uio, max_len, user_marks_eor, &error, &sndout, &new_tail);
13729 #else
13730 				    mm = sctp_copy_resume(uio, max_len, &error, &sndout, &new_tail);
13731 #endif
13732 #if defined(__APPLE__)
13733 				SCTP_SOCKET_LOCK(so, 0);
13734 #endif
13735 				if ((mm == NULL) || error) {
13736 					if (mm) {
13737 						sctp_m_freem(mm);
13738 					}
13739 					goto out;
13740 				}
13741 				/* Update the mbuf and count */
13742 				SCTP_TCB_SEND_LOCK(stcb);
13743 				if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13744 					/* we need to get out.
13745 					 * Peer probably aborted.
13746 					 */
13747 					sctp_m_freem(mm);
13748 					if (stcb->asoc.state & SCTP_PCB_FLAGS_WAS_ABORTED) {
13749 						SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
13750 						error = ECONNRESET;
13751 					}
13752 					SCTP_TCB_SEND_UNLOCK(stcb);
13753 					goto out;
13754 				}
13755 				if (sp->tail_mbuf) {
13756 					/* tack it to the end */
13757 					SCTP_BUF_NEXT(sp->tail_mbuf) = mm;
13758 					sp->tail_mbuf = new_tail;
13759 				} else {
13760 					/* A stolen mbuf */
13761 					sp->data = mm;
13762 					sp->tail_mbuf = new_tail;
13763 				}
13764 				sctp_snd_sb_alloc(stcb, sndout);
13765 				atomic_add_int(&sp->length,sndout);
13766 				len += sndout;
13767 
13768 				/* Did we reach EOR? */
13769 #if defined(__APPLE__)
13770 #if defined(APPLE_LEOPARD)
13771 				if ((uio->uio_resid == 0) &&
13772 #else
13773 				if ((uio_resid(uio) == 0) &&
13774 #endif
13775 #else
13776 				if ((uio->uio_resid == 0) &&
13777 #endif
13778 				    ((user_marks_eor == 0) ||
13779 				     (srcv->sinfo_flags & SCTP_EOF) ||
13780 				     (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
13781 					sp->msg_is_complete = 1;
13782 				} else {
13783 					sp->msg_is_complete = 0;
13784 				}
13785 				SCTP_TCB_SEND_UNLOCK(stcb);
13786 			}
13787 #if defined(__APPLE__)
13788 #if defined(APPLE_LEOPARD)
13789 			if (uio->uio_resid == 0) {
13790 #else
13791 			if (uio_resid(uio) == 0) {
13792 #endif
13793 #else
13794 			if (uio->uio_resid == 0) {
13795 #endif
13796 				/* got it all? */
13797 				continue;
13798 			}
13799 			/* PR-SCTP? */
13800 			if ((asoc->peer_supports_prsctp) && (asoc->sent_queue_cnt_removeable > 0)) {
13801 				/* This is ugly but we must assure locking order */
13802 				if (hold_tcblock == 0) {
13803 					SCTP_TCB_LOCK(stcb);
13804 					hold_tcblock = 1;
13805 				}
13806 				sctp_prune_prsctp(stcb, asoc, srcv, sndlen);
13807 				inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
13808 				if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
13809 					max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
13810 				else
13811 					max_len = 0;
13812 				if (max_len > 0) {
13813 					continue;
13814 				}
13815 				SCTP_TCB_UNLOCK(stcb);
13816 				hold_tcblock = 0;
13817 			}
13818 			/* wait for space now */
13819 			if (non_blocking) {
13820 				/* Non-blocking io in place out */
13821 				goto skip_out_eof;
13822 			}
13823 			/* What about the INIT, send it maybe */
13824 			if (queue_only_for_init) {
13825 				if (hold_tcblock == 0) {
13826 					SCTP_TCB_LOCK(stcb);
13827 					hold_tcblock = 1;
13828 				}
13829 				if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
13830 					/* a collision took us forward? */
13831 					queue_only = 0;
13832 				} else {
13833 					sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
13834 					SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
13835 					queue_only = 1;
13836 				}
13837 			}
13838 			if ((net->flight_size > net->cwnd) &&
13839 			    (asoc->sctp_cmt_on_off == 0)) {
13840 				SCTP_STAT_INCR(sctps_send_cwnd_avoid);
13841 				queue_only = 1;
13842 			} else if (asoc->ifp_had_enobuf) {
13843 				SCTP_STAT_INCR(sctps_ifnomemqueued);
13844 				if (net->flight_size > (2 * net->mtu)) {
13845 					queue_only = 1;
13846 				}
13847 				asoc->ifp_had_enobuf = 0;
13848 			}
13849 			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
13850 			           (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
13851 			if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
13852 			    (stcb->asoc.total_flight > 0) &&
13853 			    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
13854 			    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
13855 
13856 				/*-
13857 				 * Ok, Nagle is set on and we have data outstanding.
13858 				 * Don't send anything and let SACKs drive out the
13859 				 * data unless wen have a "full" segment to send.
13860 				 */
13861 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13862 					sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13863 				}
13864 				SCTP_STAT_INCR(sctps_naglequeued);
13865 				nagle_applies = 1;
13866 			} else {
13867 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13868 					if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13869 						sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13870 				}
13871 				SCTP_STAT_INCR(sctps_naglesent);
13872 				nagle_applies = 0;
13873 			}
13874 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13875 
13876 				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13877 					       nagle_applies, un_sent);
13878 				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
13879 					       stcb->asoc.total_flight,
13880 					       stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
13881 			}
13882 			if (queue_only_for_init)
13883 				queue_only_for_init = 0;
13884 			if ((queue_only == 0) && (nagle_applies == 0)) {
13885 				/*-
13886 				 * need to start chunk output
13887 				 * before blocking.. note that if
13888 				 * a lock is already applied, then
13889 				 * the input via the net is happening
13890 				 * and I don't need to start output :-D
13891 				 */
13892 				if (hold_tcblock == 0) {
13893 					if (SCTP_TCB_TRYLOCK(stcb)) {
13894 						hold_tcblock = 1;
13895 						sctp_chunk_output(inp,
13896 								  stcb,
13897 								  SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13898 					}
13899 				} else {
13900 					sctp_chunk_output(inp,
13901 							  stcb,
13902 							  SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13903 				}
13904 				if (hold_tcblock == 1) {
13905 					SCTP_TCB_UNLOCK(stcb);
13906 					hold_tcblock = 0;
13907 				}
13908 			}
13909 			SOCKBUF_LOCK(&so->so_snd);
13910 			/*-
13911 			 * This is a bit strange, but I think it will
13912 			 * work. The total_output_queue_size is locked and
13913 			 * protected by the TCB_LOCK, which we just released.
13914 			 * There is a race that can occur between releasing it
13915 			 * above, and me getting the socket lock, where sacks
13916 			 * come in but we have not put the SB_WAIT on the
13917 			 * so_snd buffer to get the wakeup. After the LOCK
13918 			 * is applied the sack_processing will also need to
13919 			 * LOCK the so->so_snd to do the actual sowwakeup(). So
13920 			 * once we have the socket buffer lock if we recheck the
13921 			 * size we KNOW we will get to sleep safely with the
13922 			 * wakeup flag in place.
13923 			 */
13924 			if (SCTP_SB_LIMIT_SND(so) <= (stcb->asoc.total_output_queue_size +
13925 						      min(SCTP_BASE_SYSCTL(sctp_add_more_threshold), SCTP_SB_LIMIT_SND(so)))) {
13926 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13927 #if defined(__APPLE__)
13928 #if defined(APPLE_LEOPARD)
13929 					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
13930 						       asoc, uio->uio_resid);
13931 #else
13932 					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
13933 						       asoc, uio_resid(uio));
13934 #endif
13935 #else
13936 					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
13937 						       asoc, uio->uio_resid);
13938 #endif
13939 				}
13940 				be.error = 0;
13941 #if !defined(__Panda__) && !defined(__Windows__)
13942 				stcb->block_entry = &be;
13943 #endif
13944 #if defined(__APPLE__)
13945 				sbunlock(&so->so_snd, 1);
13946 #endif
13947 				error = sbwait(&so->so_snd);
13948 				stcb->block_entry = NULL;
13949 
13950 				if (error || so->so_error || be.error) {
13951 					if (error == 0) {
13952 						if (so->so_error)
13953 							error = so->so_error;
13954 						if (be.error) {
13955 							error = be.error;
13956 						}
13957 					}
13958 					SOCKBUF_UNLOCK(&so->so_snd);
13959 					goto out_unlocked;
13960 				}
13961 
13962 #if defined(__APPLE__)
13963 				error = sblock(&so->so_snd, SBLOCKWAIT(flags));
13964 #endif
13965 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13966 					sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13967 						       asoc, stcb->asoc.total_output_queue_size);
13968 				}
13969 			}
13970 			SOCKBUF_UNLOCK(&so->so_snd);
13971 			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13972 				goto out_unlocked;
13973 			}
13974 		}
13975 		SCTP_TCB_SEND_LOCK(stcb);
13976 		if (sp) {
13977 			if (sp->msg_is_complete == 0) {
13978 				strm->last_msg_incomplete = 1;
13979 				asoc->stream_locked = 1;
13980 				asoc->stream_locked_on  = srcv->sinfo_stream;
13981 			} else {
13982 				sp->sender_all_done = 1;
13983 				strm->last_msg_incomplete = 0;
13984 				asoc->stream_locked = 0;
13985 			}
13986 		} else {
13987 			SCTP_PRINTF("Huh no sp TSNH?\n");
13988 			strm->last_msg_incomplete = 0;
13989 			asoc->stream_locked = 0;
13990 		}
13991 		SCTP_TCB_SEND_UNLOCK(stcb);
13992 #if defined(__APPLE__)
13993 #if defined(APPLE_LEOPARD)
13994 		if (uio->uio_resid == 0) {
13995 #else
13996 		if (uio_resid(uio) == 0) {
13997 #endif
13998 #else
13999 		if (uio->uio_resid == 0) {
14000 #endif
14001 			got_all_of_the_send = 1;
14002 		}
14003 	} else {
14004 		/* We send in a 0, since we do NOT have any locks */
14005 		error = sctp_msg_append(stcb, net, top, srcv, 0);
14006 		top = NULL;
14007 		if (srcv->sinfo_flags & SCTP_EOF) {
14008 			/*
14009 			 * This should only happen for Panda for the mbuf
14010 			 * send case, which does NOT yet support EEOR mode.
14011 			 * Thus, we can just set this flag to do the proper
14012 			 * EOF handling.
14013 			 */
14014 			got_all_of_the_send = 1;
14015 		}
14016 	}
14017 	if (error) {
14018 		goto out;
14019 	}
14020 dataless_eof:
14021 	/* EOF thing ? */
14022 	if ((srcv->sinfo_flags & SCTP_EOF) &&
14023 	    (got_all_of_the_send == 1)) {
14024 		int cnt;
14025 		SCTP_STAT_INCR(sctps_sends_with_eof);
14026 		error = 0;
14027 		if (hold_tcblock == 0) {
14028 			SCTP_TCB_LOCK(stcb);
14029 			hold_tcblock = 1;
14030 		}
14031 		cnt = sctp_is_there_unsent_data(stcb, SCTP_SO_LOCKED);
14032 		if (TAILQ_EMPTY(&asoc->send_queue) &&
14033 		    TAILQ_EMPTY(&asoc->sent_queue) &&
14034 		    (cnt == 0)) {
14035 			if (asoc->locked_on_sending) {
14036 				goto abort_anyway;
14037 			}
14038 			/* there is nothing queued to send, so I'm done... */
14039 			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
14040 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
14041 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
14042 				struct sctp_nets *netp;
14043 
14044 				/* only send SHUTDOWN the first time through */
14045 				if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
14046 					SCTP_STAT_DECR_GAUGE32(sctps_currestab);
14047 				}
14048 				SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
14049 				SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
14050 				sctp_stop_timers_for_shutdown(stcb);
14051 				if (stcb->asoc.alternate) {
14052 					netp = stcb->asoc.alternate;
14053 				} else {
14054 					netp = stcb->asoc.primary_destination;
14055 				}
14056 				sctp_send_shutdown(stcb, netp);
14057 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
14058 				                 netp);
14059 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
14060 				                 asoc->primary_destination);
14061 			}
14062 		} else {
14063 			/*-
14064 			 * we still got (or just got) data to send, so set
14065 			 * SHUTDOWN_PENDING
14066 			 */
14067 			/*-
14068 			 * XXX sockets draft says that SCTP_EOF should be
14069 			 * sent with no data.  currently, we will allow user
14070 			 * data to be sent first and move to
14071 			 * SHUTDOWN-PENDING
14072 			 */
14073 			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
14074 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
14075 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
14076 				if (hold_tcblock == 0) {
14077 					SCTP_TCB_LOCK(stcb);
14078 					hold_tcblock = 1;
14079 				}
14080 				if (asoc->locked_on_sending) {
14081 					/* Locked to send out the data */
14082 					struct sctp_stream_queue_pending *sp;
14083 					sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
14084 					if (sp) {
14085 						if ((sp->length == 0) && (sp->msg_is_complete == 0))
14086 							asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
14087 					}
14088 				}
14089 				asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
14090 				if (TAILQ_EMPTY(&asoc->send_queue) &&
14091 				    TAILQ_EMPTY(&asoc->sent_queue) &&
14092 				    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
14093 				abort_anyway:
14094 					if (free_cnt_applied) {
14095 						atomic_add_int(&stcb->asoc.refcnt, -1);
14096 						free_cnt_applied = 0;
14097 					}
14098 					sctp_abort_an_association(stcb->sctp_ep, stcb,
14099 					                          NULL, SCTP_SO_LOCKED);
14100 					/* now relock the stcb so everything is sane */
14101 					hold_tcblock = 0;
14102 					stcb = NULL;
14103 					goto out;
14104 				}
14105 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
14106 				                 asoc->primary_destination);
14107 				sctp_feature_off(inp, SCTP_PCB_FLAGS_NODELAY);
14108 			}
14109 		}
14110 	}
14111 skip_out_eof:
14112 	if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
14113 		some_on_control = 1;
14114 	}
14115 	if (queue_only_for_init) {
14116 		if (hold_tcblock == 0) {
14117 			SCTP_TCB_LOCK(stcb);
14118 			hold_tcblock = 1;
14119 		}
14120 		if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
14121 			/* a collision took us forward? */
14122 			queue_only = 0;
14123 		} else {
14124 			sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
14125 			SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_WAIT);
14126 			queue_only = 1;
14127 		}
14128 	}
14129 	if ((net->flight_size > net->cwnd) &&
14130 	    (stcb->asoc.sctp_cmt_on_off == 0)) {
14131 		SCTP_STAT_INCR(sctps_send_cwnd_avoid);
14132 		queue_only = 1;
14133 	} else if (asoc->ifp_had_enobuf) {
14134 		SCTP_STAT_INCR(sctps_ifnomemqueued);
14135 		if (net->flight_size > (2 * net->mtu)) {
14136 			queue_only = 1;
14137 		}
14138 		asoc->ifp_had_enobuf = 0;
14139 	}
14140 	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
14141 	           (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
14142 	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
14143 	    (stcb->asoc.total_flight > 0) &&
14144 	    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
14145 	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
14146 		/*-
14147 		 * Ok, Nagle is set on and we have data outstanding.
14148 		 * Don't send anything and let SACKs drive out the
14149 		 * data unless wen have a "full" segment to send.
14150 		 */
14151 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
14152 			sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
14153 		}
14154 		SCTP_STAT_INCR(sctps_naglequeued);
14155 		nagle_applies = 1;
14156 	} else {
14157 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
14158 			if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
14159 				sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
14160 		}
14161 		SCTP_STAT_INCR(sctps_naglesent);
14162 		nagle_applies = 0;
14163 	}
14164 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
14165 		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
14166 		               nagle_applies, un_sent);
14167 		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
14168 		               stcb->asoc.total_flight,
14169 		               stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
14170 	}
14171 	if ((queue_only == 0) && (nagle_applies == 0) && (stcb->asoc.peers_rwnd && un_sent)) {
14172 		/* we can attempt to send too. */
14173 		if (hold_tcblock == 0) {
14174 			/* If there is activity recv'ing sacks no need to send */
14175 			if (SCTP_TCB_TRYLOCK(stcb)) {
14176 				sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
14177 				hold_tcblock = 1;
14178 			}
14179 		} else {
14180 			sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
14181 		}
14182 	} else if ((queue_only == 0) &&
14183 	           (stcb->asoc.peers_rwnd == 0) &&
14184 	           (stcb->asoc.total_flight == 0)) {
14185 		/* We get to have a probe outstanding */
14186 		if (hold_tcblock == 0) {
14187 			hold_tcblock = 1;
14188 			SCTP_TCB_LOCK(stcb);
14189 		}
14190 		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
14191 	} else if (some_on_control) {
14192 		int num_out, reason, frag_point;
14193 
14194 		/* Here we do control only */
14195 		if (hold_tcblock == 0) {
14196 			hold_tcblock = 1;
14197 			SCTP_TCB_LOCK(stcb);
14198 		}
14199 		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
14200 		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
14201 		                            &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_LOCKED);
14202 	}
14203 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "USR Send complete qo:%d prw:%d unsent:%d tf:%d cooq:%d toqs:%d err:%d\n",
14204 	        queue_only, stcb->asoc.peers_rwnd, un_sent,
14205 		stcb->asoc.total_flight, stcb->asoc.chunks_on_out_queue,
14206 	        stcb->asoc.total_output_queue_size, error);
14207 
14208 out:
14209 #if defined(__APPLE__)
14210 	sbunlock(&so->so_snd, 1);
14211 #endif
14212 out_unlocked:
14213 
14214 	if (local_soresv && stcb) {
14215 		atomic_subtract_int(&stcb->asoc.sb_send_resv, sndlen);
14216 	}
14217 	if (create_lock_applied) {
14218 		SCTP_ASOC_CREATE_UNLOCK(inp);
14219 	}
14220 	if ((stcb) && hold_tcblock) {
14221 		SCTP_TCB_UNLOCK(stcb);
14222 	}
14223 	if (stcb && free_cnt_applied) {
14224 		atomic_add_int(&stcb->asoc.refcnt, -1);
14225 	}
14226 #ifdef INVARIANTS
14227 #if !defined(__APPLE__)
14228 	if (stcb) {
14229 		if (mtx_owned(&stcb->tcb_mtx)) {
14230 			panic("Leaving with tcb mtx owned?");
14231 		}
14232 		if (mtx_owned(&stcb->tcb_send_mtx)) {
14233 			panic("Leaving with tcb send mtx owned?");
14234 		}
14235 	}
14236 #endif
14237 #endif
14238 #ifdef __Panda__
14239 	/*
14240 	 * Handle the EAGAIN/ENOMEM cases to reattach the pak header
14241 	 * to particle when pak is passed in, so that caller
14242 	 * can try again with this pak
14243 	 *
14244 	 * NOTE: For other cases, including success case,
14245 	 * we simply want to return the header back to free
14246 	 * pool
14247 	 */
14248 	if (top) {
14249 		if ((error == EAGAIN) || (error == ENOMEM)) {
14250 			SCTP_ATTACH_CHAIN(i_pak, top, sndlen);
14251 			top = NULL;
14252 		} else {
14253 			(void)SCTP_RELEASE_HEADER(i_pak);
14254 		}
14255 	} else {
14256 		/* This is to handle cases when top has
14257 		 * been reset to NULL but pak might not
14258 		 * be freed
14259 		 */
14260 		if (i_pak) {
14261 			(void)SCTP_RELEASE_HEADER(i_pak);
14262 		}
14263 	}
14264 #endif
14265 #ifdef INVARIANTS
14266 	if (inp) {
14267 		sctp_validate_no_locks(inp);
14268 	} else {
14269 		SCTP_PRINTF("Warning - inp is NULL so cant validate locks\n");
14270 	}
14271 #endif
14272 	if (top) {
14273 		sctp_m_freem(top);
14274 	}
14275 	if (control) {
14276 		sctp_m_freem(control);
14277 	}
14278 	return (error);
14279 }
14280 
14281 
/*
 * Generate an AUTHentication chunk, if required, and link it into the
 * outgoing mbuf chain.
 *
 * m        - current head of the outgoing chain (may be NULL).
 * m_end    - passed through to sctp_copy_mbufchain() as the end-of-chain
 *            pointer.
 * auth_ret - receives a pointer to the new AUTH chunk header.
 * offset   - receives the summed buffer lengths of the existing chain m,
 *            recorded as the place where the AUTH chunk was inserted.
 * stcb     - association whose peer AUTH parameters are consulted.
 * chunk    - chunk type about to be sent.
 *
 * Returns the chain head. On every "no AUTH added" path (bad argument,
 * sysctl disabled, peer without AUTH support, chunk type not listed by the
 * peer, mbuf allocation failure) the original m is returned and neither
 * *auth_ret nor *offset is written, so the chunk goes out unauthenticated
 * and a caller can only notice that if it pre-initialised *auth_ret.
 */
struct mbuf *
sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
    struct sctp_auth_chunk **auth_ret, uint32_t * offset,
    struct sctp_tcb *stcb, uint8_t chunk)
{
	struct mbuf *auth_mbuf;
	struct mbuf *walk;
	struct sctp_auth_chunk *hdr;
	int total_len;

	/* all out-parameters and the association are mandatory */
	if ((m_end == NULL) || (auth_ret == NULL) || (offset == NULL) ||
	    (stcb == NULL)) {
		return (m);
	}
	/*
	 * Nothing to add when AUTH is switched off by sysctl, the peer does
	 * not do AUTH, or the peer did not ask for this chunk type to be
	 * authenticated (checked in that order).
	 */
	if ((SCTP_BASE_SYSCTL(sctp_auth_disable)) ||
	    (!stcb->asoc.peer_supports_auth) ||
	    (!sctp_auth_is_required_chunk(chunk, stcb->asoc.peer_auth_chunks))) {
		return (m);
	}
	/*
	 * NOTE(review): the mbuf is requested for sizeof(*hdr) only, while
	 * its length is later set to header plus digest length; presumably
	 * the allocator hands back enough room - confirm.
	 */
	auth_mbuf = sctp_get_mbuf_for_msg(sizeof(*hdr), 0, M_NOWAIT, 1, MT_HEADER);
	if (auth_mbuf == NULL) {
		/* out of mbufs: fall back to sending without AUTH */
		return (m);
	}
	if (m == NULL) {
		/* first mbuf of the packet: leave headroom in front of it */
		SCTP_BUF_RESV_UF(auth_mbuf, SCTP_MIN_OVERHEAD);
	}
	/* build the fixed part of the AUTH chunk */
	hdr = mtod(auth_mbuf, struct sctp_auth_chunk *);
	bzero(hdr, sizeof(*hdr));
	hdr->ch.chunk_type = SCTP_AUTHENTICATION;
	hdr->ch.chunk_flags = 0;
	total_len = sizeof(*hdr) +
	    sctp_get_hmac_digest_len(stcb->asoc.peer_hmac_id);
	hdr->ch.chunk_length = htons(total_len);
	hdr->hmac_id = htons(stcb->asoc.peer_hmac_id);
	/* the key id and the HMAC digest are filled in at send time */

	/* record how many bytes the existing chain already holds */
	*offset = 0;
	walk = m;
	while (walk) {
		*offset += SCTP_BUF_LEN(walk);
		walk = SCTP_BUF_NEXT(walk);
	}

	/*
	 * Set the mbuf length and link it into the chain.
	 * NOTE(review): the result of sctp_copy_mbufchain() is not checked
	 * before hdr is handed back; confirm it cannot fail or release
	 * auth_mbuf on this call path.
	 */
	SCTP_BUF_LEN(auth_mbuf) = total_len;
	m = sctp_copy_mbufchain(auth_mbuf, m, m_end, 1, total_len, 0);
	/* auth_ret was already rejected above if NULL */
	*auth_ret = hdr;

	return (m);
}
14344 
14345 #if defined(__FreeBSD__)  || defined(__APPLE__)
14346 #ifdef INET6
/*
 * Check whether the gateway installed in route ro is one of the routers
 * attached to the on-link prefix that covers the IPv6 source address src6.
 *
 * Returns 1 when a router listed for the matching prefix compares equal
 * (per sctp_cmpaddr()) to ro->ro_rt->rt_gateway, 0 otherwise, including
 * when ro or its route entry is NULL, src6 is not AF_INET6, or no
 * non-detached prefix matches.
 *
 * NOTE(review): src6 is dereferenced without a NULL check, and the global
 * prefix list is walked without this function taking any lock; confirm
 * the callers guarantee both.
 */
int
sctp_v6src_match_nexthop(struct sockaddr_in6 *src6, sctp_route_t *ro)
{
	struct sockaddr_in6 router_sa;
	struct nd_prefix *prefix = NULL;
	struct nd_pfxrouter *adv = NULL;

	if ((ro == NULL) || (ro->ro_rt == NULL)) {
		return (0);
	}
	if (src6->sin6_family != AF_INET6) {
		return (0);
	}

	/* find the first non-detached prefix that covers the source address */
	LIST_FOREACH(prefix, &MODULE_GLOBAL(nd_prefix), ndpr_entry) {
		if (((prefix->ndpr_stateflags & NDPRF_DETACHED) == 0) &&
		    (IN6_ARE_MASKED_ADDR_EQUAL(&prefix->ndpr_prefix.sin6_addr,
		    &src6->sin6_addr, &prefix->ndpr_mask))) {
			break;
		}
	}
	if (prefix == NULL) {
		/* the source address is not covered by any listed prefix */
		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefix entry for ");
		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
		return (0);
	}

	/* note: the address logged here is src6, not the matched prefix */
	SCTPDBG(SCTP_DEBUG_OUTPUT2, "v6src_match_nexthop(), Prefix entry is ");
	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);

	/* compare each router of that prefix against the route's gateway */
	LIST_FOREACH(adv, &prefix->ndpr_advrtrs, pfr_entry) {
		/* wrap the router address in a sockaddr for sctp_cmpaddr() */
		memset(&router_sa, 0, sizeof(router_sa));
		router_sa.sin6_family = AF_INET6;
#ifdef HAVE_SIN6_LEN
		router_sa.sin6_len = sizeof(router_sa);
#endif
		memcpy(&router_sa.sin6_addr, &adv->router->rtaddr,
		    sizeof(router_sa.sin6_addr));
		SCTPDBG(SCTP_DEBUG_OUTPUT2, "prefix router is ");
		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&router_sa);
		SCTPDBG(SCTP_DEBUG_OUTPUT2, "installed router is ");
		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
		if (sctp_cmpaddr((struct sockaddr *)&router_sa,
		    ro->ro_rt->rt_gateway)) {
			SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is installed\n");
			return (1);
		}
	}
	SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is not installed\n");
	return (0);
}
14397 #endif
14398 
/*
 * Check whether the IPv4 source address sifa and the gateway of route ro
 * fall into the same network, using the netmask of sifa's interface
 * address for both.
 *
 * Returns 1 when the two masked addresses are equal; 0 otherwise, when
 * ro or its route entry is NULL, when sifa is not AF_INET, or when the
 * file is built without INET.
 *
 * NOTE(review): sifa->ifa and its ifa_netmask are dereferenced without a
 * NULL check, and rt_gateway is cast to sockaddr_in without checking its
 * address family; confirm the callers guarantee these.
 */
int
sctp_v4src_match_nexthop(struct sctp_ifa *sifa, sctp_route_t *ro)
{
#ifdef INET
	struct sockaddr_in *src_sin, *gw_sin, *netmask;
	struct ifaddr *ifa;
	struct in_addr src_net, gw_net;

	if ((ro == NULL) || (ro->ro_rt == NULL)) {
		return (0);
	}
	if (sifa->address.sa.sa_family != AF_INET) {
		return (0);
	}
	ifa = (struct ifaddr *)sifa->ifa;
	netmask = (struct sockaddr_in *)(ifa->ifa_netmask);

	/* network part of the source address */
	src_sin = (struct sockaddr_in *)&sifa->address.sin;
	src_net.s_addr = (src_sin->sin_addr.s_addr & netmask->sin_addr.s_addr);
	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: src address is ");
	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", src_net.s_addr);

	/* network part of the next hop, under the same mask */
	gw_sin = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
	gw_net.s_addr = (gw_sin->sin_addr.s_addr & netmask->sin_addr.s_addr);
	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: nexthop is ");
	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", gw_net.s_addr);

	return ((src_net.s_addr == gw_net.s_addr) ? 1 : 0);
#else
	return (0);
#endif
}
14430 #elif defined(__Userspace__)
14431 /* TODO __Userspace__ versions of sctp_vXsrc_match_nexthop(). */
/*
 * __Userspace__ placeholder: no next-hop comparison is done, so every
 * IPv6 source address is reported as not matching the route's next hop.
 */
int
sctp_v6src_match_nexthop(struct sockaddr_in6 *src6, sctp_route_t *ro)
{
    /* neither argument is examined in this build */
    (void)src6;
    (void)ro;

    return (0);
}
/*
 * __Userspace__ placeholder: no next-hop comparison is done, so every
 * IPv4 source address is reported as not matching the route's next hop.
 */
int
sctp_v4src_match_nexthop(struct sctp_ifa *sifa, sctp_route_t *ro)
{
    /* neither argument is examined in this build */
    (void)sifa;
    (void)ro;

    return (0);
}
14442 
14443 #endif
14444