1 /*-
2 * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved.
3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * a) Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 *
12 * b) Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the distribution.
15 *
16 * c) Neither the name of Cisco Systems, Inc. nor the names of its
17 * contributors may be used to endorse or promote products derived
18 * from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30 * THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #ifdef __FreeBSD__
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD: head/sys/netinet/sctp_indata.c 269448 2014-08-02 21:36:40Z tuexen $");
36 #endif
37
38 #include <netinet/sctp_os.h>
39 #include <netinet/sctp_var.h>
40 #include <netinet/sctp_sysctl.h>
41 #include <netinet/sctp_pcb.h>
42 #include <netinet/sctp_header.h>
43 #include <netinet/sctputil.h>
44 #include <netinet/sctp_output.h>
45 #include <netinet/sctp_input.h>
46 #include <netinet/sctp_indata.h>
47 #include <netinet/sctp_uio.h>
48 #include <netinet/sctp_timer.h>
49
50
51 /*
52 * NOTES: On the outbound side of things I need to check the sack timer to
53 * see if I should generate a sack into the chunk queue (if I have data to
54 * send that is and will be sending it .. for bundling.
55 *
56 * The callback in sctp_usrreq.c will get called when the socket is read from.
57 * This will cause sctp_service_queues() to get called on the top entry in
58 * the list.
59 */
60
61 void
sctp_set_rwnd(struct sctp_tcb * stcb,struct sctp_association * asoc)62 sctp_set_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc)
63 {
64 asoc->my_rwnd = sctp_calc_rwnd(stcb, asoc);
65 }
66
67 /* Calculate what the rwnd would be */
68 uint32_t
sctp_calc_rwnd(struct sctp_tcb * stcb,struct sctp_association * asoc)69 sctp_calc_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc)
70 {
71 uint32_t calc = 0;
72
73 /*
74 * This is really set wrong with respect to a 1-2-m socket. Since
75 * the sb_cc is the count that everyone as put up. When we re-write
76 * sctp_soreceive then we will fix this so that ONLY this
77 * associations data is taken into account.
78 */
79 if (stcb->sctp_socket == NULL)
80 return (calc);
81
82 if (stcb->asoc.sb_cc == 0 &&
83 asoc->size_on_reasm_queue == 0 &&
84 asoc->size_on_all_streams == 0) {
85 /* Full rwnd granted */
86 calc = max(SCTP_SB_LIMIT_RCV(stcb->sctp_socket), SCTP_MINIMAL_RWND);
87 return (calc);
88 }
89 /* get actual space */
90 calc = (uint32_t) sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv);
91
92 /*
93 * take out what has NOT been put on socket queue and we yet hold
94 * for putting up.
95 */
96 calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_reasm_queue +
97 asoc->cnt_on_reasm_queue * MSIZE));
98 calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_all_streams +
99 asoc->cnt_on_all_streams * MSIZE));
100
101 if (calc == 0) {
102 /* out of space */
103 return (calc);
104 }
105
106 /* what is the overhead of all these rwnd's */
107 calc = sctp_sbspace_sub(calc, stcb->asoc.my_rwnd_control_len);
108 /* If the window gets too small due to ctrl-stuff, reduce it
109 * to 1, even it is 0. SWS engaged
110 */
111 if (calc < stcb->asoc.my_rwnd_control_len) {
112 calc = 1;
113 }
114 return (calc);
115 }
116
117
118
119 /*
120 * Build out our readq entry based on the incoming packet.
121 */
122 struct sctp_queued_to_read *
sctp_build_readq_entry(struct sctp_tcb * stcb,struct sctp_nets * net,uint32_t tsn,uint32_t ppid,uint32_t context,uint16_t stream_no,uint16_t stream_seq,uint8_t flags,struct mbuf * dm)123 sctp_build_readq_entry(struct sctp_tcb *stcb,
124 struct sctp_nets *net,
125 uint32_t tsn, uint32_t ppid,
126 uint32_t context, uint16_t stream_no,
127 uint16_t stream_seq, uint8_t flags,
128 struct mbuf *dm)
129 {
130 struct sctp_queued_to_read *read_queue_e = NULL;
131
132 sctp_alloc_a_readq(stcb, read_queue_e);
133 if (read_queue_e == NULL) {
134 goto failed_build;
135 }
136 read_queue_e->sinfo_stream = stream_no;
137 read_queue_e->sinfo_ssn = stream_seq;
138 read_queue_e->sinfo_flags = (flags << 8);
139 read_queue_e->sinfo_ppid = ppid;
140 read_queue_e->sinfo_context = context;
141 read_queue_e->sinfo_timetolive = 0;
142 read_queue_e->sinfo_tsn = tsn;
143 read_queue_e->sinfo_cumtsn = tsn;
144 read_queue_e->sinfo_assoc_id = sctp_get_associd(stcb);
145 read_queue_e->whoFrom = net;
146 read_queue_e->length = 0;
147 atomic_add_int(&net->ref_count, 1);
148 read_queue_e->data = dm;
149 read_queue_e->spec_flags = 0;
150 read_queue_e->tail_mbuf = NULL;
151 read_queue_e->aux_data = NULL;
152 read_queue_e->stcb = stcb;
153 read_queue_e->port_from = stcb->rport;
154 read_queue_e->do_not_ref_stcb = 0;
155 read_queue_e->end_added = 0;
156 read_queue_e->some_taken = 0;
157 read_queue_e->pdapi_aborted = 0;
158 failed_build:
159 return (read_queue_e);
160 }
161
162
163 /*
164 * Build out our readq entry based on the incoming packet.
165 */
166 static struct sctp_queued_to_read *
sctp_build_readq_entry_chk(struct sctp_tcb * stcb,struct sctp_tmit_chunk * chk)167 sctp_build_readq_entry_chk(struct sctp_tcb *stcb,
168 struct sctp_tmit_chunk *chk)
169 {
170 struct sctp_queued_to_read *read_queue_e = NULL;
171
172 sctp_alloc_a_readq(stcb, read_queue_e);
173 if (read_queue_e == NULL) {
174 goto failed_build;
175 }
176 read_queue_e->sinfo_stream = chk->rec.data.stream_number;
177 read_queue_e->sinfo_ssn = chk->rec.data.stream_seq;
178 read_queue_e->sinfo_flags = (chk->rec.data.rcv_flags << 8);
179 read_queue_e->sinfo_ppid = chk->rec.data.payloadtype;
180 read_queue_e->sinfo_context = stcb->asoc.context;
181 read_queue_e->sinfo_timetolive = 0;
182 read_queue_e->sinfo_tsn = chk->rec.data.TSN_seq;
183 read_queue_e->sinfo_cumtsn = chk->rec.data.TSN_seq;
184 read_queue_e->sinfo_assoc_id = sctp_get_associd(stcb);
185 read_queue_e->whoFrom = chk->whoTo;
186 read_queue_e->aux_data = NULL;
187 read_queue_e->length = 0;
188 atomic_add_int(&chk->whoTo->ref_count, 1);
189 read_queue_e->data = chk->data;
190 read_queue_e->tail_mbuf = NULL;
191 read_queue_e->stcb = stcb;
192 read_queue_e->port_from = stcb->rport;
193 read_queue_e->spec_flags = 0;
194 read_queue_e->do_not_ref_stcb = 0;
195 read_queue_e->end_added = 0;
196 read_queue_e->some_taken = 0;
197 read_queue_e->pdapi_aborted = 0;
198 failed_build:
199 return (read_queue_e);
200 }
201
202
203 struct mbuf *
sctp_build_ctl_nchunk(struct sctp_inpcb * inp,struct sctp_sndrcvinfo * sinfo)204 sctp_build_ctl_nchunk(struct sctp_inpcb *inp, struct sctp_sndrcvinfo *sinfo)
205 {
206 struct sctp_extrcvinfo *seinfo;
207 struct sctp_sndrcvinfo *outinfo;
208 struct sctp_rcvinfo *rcvinfo;
209 struct sctp_nxtinfo *nxtinfo;
210 #if defined(__Userspace_os_Windows)
211 WSACMSGHDR *cmh;
212 #else
213 struct cmsghdr *cmh;
214 #endif
215 struct mbuf *ret;
216 int len;
217 int use_extended;
218 int provide_nxt;
219
220 if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT) &&
221 sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVRCVINFO) &&
222 sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVNXTINFO)) {
223 /* user does not want any ancillary data */
224 return (NULL);
225 }
226
227 len = 0;
228 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
229 len += CMSG_SPACE(sizeof(struct sctp_rcvinfo));
230 }
231 seinfo = (struct sctp_extrcvinfo *)sinfo;
232 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO) &&
233 (seinfo->sreinfo_next_flags & SCTP_NEXT_MSG_AVAIL)) {
234 provide_nxt = 1;
235 len += CMSG_SPACE(sizeof(struct sctp_rcvinfo));
236 } else {
237 provide_nxt = 0;
238 }
239 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) {
240 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXT_RCVINFO)) {
241 use_extended = 1;
242 len += CMSG_SPACE(sizeof(struct sctp_extrcvinfo));
243 } else {
244 use_extended = 0;
245 len += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo));
246 }
247 } else {
248 use_extended = 0;
249 }
250
251 ret = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA);
252 if (ret == NULL) {
253 /* No space */
254 return (ret);
255 }
256 SCTP_BUF_LEN(ret) = 0;
257
258 /* We need a CMSG header followed by the struct */
259 #if defined(__Userspace_os_Windows)
260 cmh = mtod(ret, WSACMSGHDR *);
261 #else
262 cmh = mtod(ret, struct cmsghdr *);
263 #endif
264 /*
265 * Make sure that there is no un-initialized padding between
266 * the cmsg header and cmsg data and after the cmsg data.
267 */
268 memset(cmh, 0, len);
269 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) {
270 cmh->cmsg_level = IPPROTO_SCTP;
271 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo));
272 cmh->cmsg_type = SCTP_RCVINFO;
273 rcvinfo = (struct sctp_rcvinfo *)CMSG_DATA(cmh);
274 rcvinfo->rcv_sid = sinfo->sinfo_stream;
275 rcvinfo->rcv_ssn = sinfo->sinfo_ssn;
276 rcvinfo->rcv_flags = sinfo->sinfo_flags;
277 rcvinfo->rcv_ppid = sinfo->sinfo_ppid;
278 rcvinfo->rcv_tsn = sinfo->sinfo_tsn;
279 rcvinfo->rcv_cumtsn = sinfo->sinfo_cumtsn;
280 rcvinfo->rcv_context = sinfo->sinfo_context;
281 rcvinfo->rcv_assoc_id = sinfo->sinfo_assoc_id;
282 #if defined(__Userspace_os_Windows)
283 cmh = (WSACMSGHDR *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_rcvinfo)));
284 #else
285 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_rcvinfo)));
286 #endif
287 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_rcvinfo));
288 }
289 if (provide_nxt) {
290 cmh->cmsg_level = IPPROTO_SCTP;
291 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_nxtinfo));
292 cmh->cmsg_type = SCTP_NXTINFO;
293 nxtinfo = (struct sctp_nxtinfo *)CMSG_DATA(cmh);
294 nxtinfo->nxt_sid = seinfo->sreinfo_next_stream;
295 nxtinfo->nxt_flags = 0;
296 if (seinfo->sreinfo_next_flags & SCTP_NEXT_MSG_IS_UNORDERED) {
297 nxtinfo->nxt_flags |= SCTP_UNORDERED;
298 }
299 if (seinfo->sreinfo_next_flags & SCTP_NEXT_MSG_IS_NOTIFICATION) {
300 nxtinfo->nxt_flags |= SCTP_NOTIFICATION;
301 }
302 if (seinfo->sreinfo_next_flags & SCTP_NEXT_MSG_ISCOMPLETE) {
303 nxtinfo->nxt_flags |= SCTP_COMPLETE;
304 }
305 nxtinfo->nxt_ppid = seinfo->sreinfo_next_ppid;
306 nxtinfo->nxt_length = seinfo->sreinfo_next_length;
307 nxtinfo->nxt_assoc_id = seinfo->sreinfo_next_aid;
308 #if defined(__Userspace_os_Windows)
309 cmh = (WSACMSGHDR *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_nxtinfo)));
310 #else
311 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_nxtinfo)));
312 #endif
313 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_nxtinfo));
314 }
315 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) {
316 cmh->cmsg_level = IPPROTO_SCTP;
317 outinfo = (struct sctp_sndrcvinfo *)CMSG_DATA(cmh);
318 if (use_extended) {
319 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_extrcvinfo));
320 cmh->cmsg_type = SCTP_EXTRCV;
321 memcpy(outinfo, sinfo, sizeof(struct sctp_extrcvinfo));
322 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_extrcvinfo));
323 } else {
324 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo));
325 cmh->cmsg_type = SCTP_SNDRCV;
326 *outinfo = *sinfo;
327 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo));
328 }
329 }
330 return (ret);
331 }
332
333
334 static void
sctp_mark_non_revokable(struct sctp_association * asoc,uint32_t tsn)335 sctp_mark_non_revokable(struct sctp_association *asoc, uint32_t tsn)
336 {
337 uint32_t gap, i, cumackp1;
338 int fnd = 0;
339
340 if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
341 return;
342 }
343 cumackp1 = asoc->cumulative_tsn + 1;
344 if (SCTP_TSN_GT(cumackp1, tsn)) {
345 /* this tsn is behind the cum ack and thus we don't
346 * need to worry about it being moved from one to the other.
347 */
348 return;
349 }
350 SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn);
351 if (!SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap)) {
352 SCTP_PRINTF("gap:%x tsn:%x\n", gap, tsn);
353 sctp_print_mapping_array(asoc);
354 #ifdef INVARIANTS
355 panic("Things are really messed up now!!");
356 #endif
357 }
358 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
359 SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap);
360 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
361 asoc->highest_tsn_inside_nr_map = tsn;
362 }
363 if (tsn == asoc->highest_tsn_inside_map) {
364 /* We must back down to see what the new highest is */
365 for (i = tsn - 1; SCTP_TSN_GE(i, asoc->mapping_array_base_tsn); i--) {
366 SCTP_CALC_TSN_TO_GAP(gap, i, asoc->mapping_array_base_tsn);
367 if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap)) {
368 asoc->highest_tsn_inside_map = i;
369 fnd = 1;
370 break;
371 }
372 }
373 if (!fnd) {
374 asoc->highest_tsn_inside_map = asoc->mapping_array_base_tsn - 1;
375 }
376 }
377 }
378
379
380 /*
381 * We are delivering currently from the reassembly queue. We must continue to
382 * deliver until we either: 1) run out of space. 2) run out of sequential
383 * TSN's 3) hit the SCTP_DATA_LAST_FRAG flag.
384 */
385 static void
sctp_service_reassembly(struct sctp_tcb * stcb,struct sctp_association * asoc)386 sctp_service_reassembly(struct sctp_tcb *stcb, struct sctp_association *asoc)
387 {
388 struct sctp_tmit_chunk *chk, *nchk;
389 uint16_t nxt_todel;
390 uint16_t stream_no;
391 int end = 0;
392 int cntDel;
393 struct sctp_queued_to_read *control, *ctl, *nctl;
394
395 if (stcb == NULL)
396 return;
397
398 cntDel = stream_no = 0;
399 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
400 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) ||
401 (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
402 /* socket above is long gone or going.. */
403 abandon:
404 asoc->fragmented_delivery_inprogress = 0;
405 TAILQ_FOREACH_SAFE(chk, &asoc->reasmqueue, sctp_next, nchk) {
406 TAILQ_REMOVE(&asoc->reasmqueue, chk, sctp_next);
407 asoc->size_on_reasm_queue -= chk->send_size;
408 sctp_ucount_decr(asoc->cnt_on_reasm_queue);
409 /*
410 * Lose the data pointer, since its in the socket
411 * buffer
412 */
413 if (chk->data) {
414 sctp_m_freem(chk->data);
415 chk->data = NULL;
416 }
417 /* Now free the address and data */
418 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
419 /*sa_ignore FREED_MEMORY*/
420 }
421 return;
422 }
423 SCTP_TCB_LOCK_ASSERT(stcb);
424 TAILQ_FOREACH_SAFE(chk, &asoc->reasmqueue, sctp_next, nchk) {
425 if (chk->rec.data.TSN_seq != (asoc->tsn_last_delivered + 1)) {
426 /* Can't deliver more :< */
427 return;
428 }
429 stream_no = chk->rec.data.stream_number;
430 nxt_todel = asoc->strmin[stream_no].last_sequence_delivered + 1;
431 if (nxt_todel != chk->rec.data.stream_seq &&
432 (chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0) {
433 /*
434 * Not the next sequence to deliver in its stream OR
435 * unordered
436 */
437 return;
438 }
439 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
440
441 control = sctp_build_readq_entry_chk(stcb, chk);
442 if (control == NULL) {
443 /* out of memory? */
444 return;
445 }
446 /* save it off for our future deliveries */
447 stcb->asoc.control_pdapi = control;
448 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG)
449 end = 1;
450 else
451 end = 0;
452 sctp_mark_non_revokable(asoc, chk->rec.data.TSN_seq);
453 sctp_add_to_readq(stcb->sctp_ep,
454 stcb, control, &stcb->sctp_socket->so_rcv, end,
455 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
456 cntDel++;
457 } else {
458 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG)
459 end = 1;
460 else
461 end = 0;
462 sctp_mark_non_revokable(asoc, chk->rec.data.TSN_seq);
463 if (sctp_append_to_readq(stcb->sctp_ep, stcb,
464 stcb->asoc.control_pdapi,
465 chk->data, end, chk->rec.data.TSN_seq,
466 &stcb->sctp_socket->so_rcv)) {
467 /*
468 * something is very wrong, either
469 * control_pdapi is NULL, or the tail_mbuf
470 * is corrupt, or there is a EOM already on
471 * the mbuf chain.
472 */
473 if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
474 goto abandon;
475 } else {
476 #ifdef INVARIANTS
477 if ((stcb->asoc.control_pdapi == NULL) || (stcb->asoc.control_pdapi->tail_mbuf == NULL)) {
478 panic("This should not happen control_pdapi NULL?");
479 }
480 /* if we did not panic, it was a EOM */
481 panic("Bad chunking ??");
482 #else
483 if ((stcb->asoc.control_pdapi == NULL) || (stcb->asoc.control_pdapi->tail_mbuf == NULL)) {
484 SCTP_PRINTF("This should not happen control_pdapi NULL?\n");
485 }
486 SCTP_PRINTF("Bad chunking ??\n");
487 SCTP_PRINTF("Dumping re-assembly queue this will probably hose the association\n");
488
489 #endif
490 goto abandon;
491 }
492 }
493 cntDel++;
494 }
495 /* pull it we did it */
496 TAILQ_REMOVE(&asoc->reasmqueue, chk, sctp_next);
497 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
498 asoc->fragmented_delivery_inprogress = 0;
499 if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0) {
500 asoc->strmin[stream_no].last_sequence_delivered++;
501 }
502 if ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0) {
503 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs);
504 }
505 } else if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
506 /*
507 * turn the flag back on since we just delivered
508 * yet another one.
509 */
510 asoc->fragmented_delivery_inprogress = 1;
511 }
512 asoc->tsn_of_pdapi_last_delivered = chk->rec.data.TSN_seq;
513 asoc->last_flags_delivered = chk->rec.data.rcv_flags;
514 asoc->last_strm_seq_delivered = chk->rec.data.stream_seq;
515 asoc->last_strm_no_delivered = chk->rec.data.stream_number;
516
517 asoc->tsn_last_delivered = chk->rec.data.TSN_seq;
518 asoc->size_on_reasm_queue -= chk->send_size;
519 sctp_ucount_decr(asoc->cnt_on_reasm_queue);
520 /* free up the chk */
521 chk->data = NULL;
522 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
523
524 if (asoc->fragmented_delivery_inprogress == 0) {
525 /*
526 * Now lets see if we can deliver the next one on
527 * the stream
528 */
529 struct sctp_stream_in *strm;
530
531 strm = &asoc->strmin[stream_no];
532 nxt_todel = strm->last_sequence_delivered + 1;
533 TAILQ_FOREACH_SAFE(ctl, &strm->inqueue, next, nctl) {
534 /* Deliver more if we can. */
535 if (nxt_todel == ctl->sinfo_ssn) {
536 TAILQ_REMOVE(&strm->inqueue, ctl, next);
537 asoc->size_on_all_streams -= ctl->length;
538 sctp_ucount_decr(asoc->cnt_on_all_streams);
539 strm->last_sequence_delivered++;
540 sctp_mark_non_revokable(asoc, ctl->sinfo_tsn);
541 sctp_add_to_readq(stcb->sctp_ep, stcb,
542 ctl,
543 &stcb->sctp_socket->so_rcv, 1,
544 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
545 } else {
546 break;
547 }
548 nxt_todel = strm->last_sequence_delivered + 1;
549 }
550 break;
551 }
552 }
553 }
554
555 /*
556 * Queue the chunk either right into the socket buffer if it is the next one
557 * to go OR put it in the correct place in the delivery queue. If we do
558 * append to the so_buf, keep doing so until we are out of order. One big
559 * question still remains, what to do when the socket buffer is FULL??
560 */
561 static void
sctp_queue_data_to_stream(struct sctp_tcb * stcb,struct sctp_association * asoc,struct sctp_queued_to_read * control,int * abort_flag)562 sctp_queue_data_to_stream(struct sctp_tcb *stcb, struct sctp_association *asoc,
563 struct sctp_queued_to_read *control, int *abort_flag)
564 {
565 /*
566 * FIX-ME maybe? What happens when the ssn wraps? If we are getting
567 * all the data in one stream this could happen quite rapidly. One
568 * could use the TSN to keep track of things, but this scheme breaks
569 * down in the other type of stream useage that could occur. Send a
570 * single msg to stream 0, send 4Billion messages to stream 1, now
571 * send a message to stream 0. You have a situation where the TSN
572 * has wrapped but not in the stream. Is this worth worrying about
573 * or should we just change our queue sort at the bottom to be by
574 * TSN.
575 *
576 * Could it also be legal for a peer to send ssn 1 with TSN 2 and ssn 2
577 * with TSN 1? If the peer is doing some sort of funky TSN/SSN
578 * assignment this could happen... and I don't see how this would be
579 * a violation. So for now I am undecided an will leave the sort by
580 * SSN alone. Maybe a hybred approach is the answer
581 *
582 */
583 struct sctp_stream_in *strm;
584 struct sctp_queued_to_read *at;
585 int queue_needed;
586 uint16_t nxt_todel;
587 struct mbuf *op_err;
588 char msg[SCTP_DIAG_INFO_LEN];
589
590 queue_needed = 1;
591 asoc->size_on_all_streams += control->length;
592 sctp_ucount_incr(asoc->cnt_on_all_streams);
593 strm = &asoc->strmin[control->sinfo_stream];
594 nxt_todel = strm->last_sequence_delivered + 1;
595 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
596 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_INTO_STRD);
597 }
598 SCTPDBG(SCTP_DEBUG_INDATA1,
599 "queue to stream called for ssn:%u lastdel:%u nxt:%u\n",
600 (uint32_t) control->sinfo_stream,
601 (uint32_t) strm->last_sequence_delivered,
602 (uint32_t) nxt_todel);
603 if (SCTP_SSN_GE(strm->last_sequence_delivered, control->sinfo_ssn)) {
604 /* The incoming sseq is behind where we last delivered? */
605 SCTPDBG(SCTP_DEBUG_INDATA1, "Duplicate S-SEQ:%d delivered:%d from peer, Abort association\n",
606 control->sinfo_ssn, strm->last_sequence_delivered);
607 protocol_error:
608 /*
609 * throw it in the stream so it gets cleaned up in
610 * association destruction
611 */
612 TAILQ_INSERT_HEAD(&strm->inqueue, control, next);
613 snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
614 strm->last_sequence_delivered, control->sinfo_tsn,
615 control->sinfo_stream, control->sinfo_ssn);
616 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
617 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_1;
618 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
619 *abort_flag = 1;
620 return;
621
622 }
623 if (nxt_todel == control->sinfo_ssn) {
624 /* can be delivered right away? */
625 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
626 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_IMMED_DEL);
627 }
628 /* EY it wont be queued if it could be delivered directly*/
629 queue_needed = 0;
630 asoc->size_on_all_streams -= control->length;
631 sctp_ucount_decr(asoc->cnt_on_all_streams);
632 strm->last_sequence_delivered++;
633
634 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
635 sctp_add_to_readq(stcb->sctp_ep, stcb,
636 control,
637 &stcb->sctp_socket->so_rcv, 1,
638 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
639 TAILQ_FOREACH_SAFE(control, &strm->inqueue, next, at) {
640 /* all delivered */
641 nxt_todel = strm->last_sequence_delivered + 1;
642 if (nxt_todel == control->sinfo_ssn) {
643 TAILQ_REMOVE(&strm->inqueue, control, next);
644 asoc->size_on_all_streams -= control->length;
645 sctp_ucount_decr(asoc->cnt_on_all_streams);
646 strm->last_sequence_delivered++;
647 /*
648 * We ignore the return of deliver_data here
649 * since we always can hold the chunk on the
650 * d-queue. And we have a finite number that
651 * can be delivered from the strq.
652 */
653 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
654 sctp_log_strm_del(control, NULL,
655 SCTP_STR_LOG_FROM_IMMED_DEL);
656 }
657 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
658 sctp_add_to_readq(stcb->sctp_ep, stcb,
659 control,
660 &stcb->sctp_socket->so_rcv, 1,
661 SCTP_READ_LOCK_NOT_HELD,
662 SCTP_SO_NOT_LOCKED);
663 continue;
664 }
665 break;
666 }
667 }
668 if (queue_needed) {
669 /*
670 * Ok, we did not deliver this guy, find the correct place
671 * to put it on the queue.
672 */
673 if (SCTP_TSN_GE(asoc->cumulative_tsn, control->sinfo_tsn)) {
674 goto protocol_error;
675 }
676 if (TAILQ_EMPTY(&strm->inqueue)) {
677 /* Empty queue */
678 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
679 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_INSERT_HD);
680 }
681 TAILQ_INSERT_HEAD(&strm->inqueue, control, next);
682 } else {
683 TAILQ_FOREACH(at, &strm->inqueue, next) {
684 if (SCTP_SSN_GT(at->sinfo_ssn, control->sinfo_ssn)) {
685 /*
686 * one in queue is bigger than the
687 * new one, insert before this one
688 */
689 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
690 sctp_log_strm_del(control, at,
691 SCTP_STR_LOG_FROM_INSERT_MD);
692 }
693 TAILQ_INSERT_BEFORE(at, control, next);
694 break;
695 } else if (at->sinfo_ssn == control->sinfo_ssn) {
696 /*
697 * Gak, He sent me a duplicate str
698 * seq number
699 */
700 /*
701 * foo bar, I guess I will just free
702 * this new guy, should we abort
703 * too? FIX ME MAYBE? Or it COULD be
704 * that the SSN's have wrapped.
705 * Maybe I should compare to TSN
706 * somehow... sigh for now just blow
707 * away the chunk!
708 */
709
710 if (control->data)
711 sctp_m_freem(control->data);
712 control->data = NULL;
713 asoc->size_on_all_streams -= control->length;
714 sctp_ucount_decr(asoc->cnt_on_all_streams);
715 if (control->whoFrom) {
716 sctp_free_remote_addr(control->whoFrom);
717 control->whoFrom = NULL;
718 }
719 sctp_free_a_readq(stcb, control);
720 return;
721 } else {
722 if (TAILQ_NEXT(at, next) == NULL) {
723 /*
724 * We are at the end, insert
725 * it after this one
726 */
727 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
728 sctp_log_strm_del(control, at,
729 SCTP_STR_LOG_FROM_INSERT_TL);
730 }
731 TAILQ_INSERT_AFTER(&strm->inqueue,
732 at, control, next);
733 break;
734 }
735 }
736 }
737 }
738 }
739 }
740
741 /*
742 * Returns two things: You get the total size of the deliverable parts of the
743 * first fragmented message on the reassembly queue. And you get a 1 back if
744 * all of the message is ready or a 0 back if the message is still incomplete
745 */
746 static int
sctp_is_all_msg_on_reasm(struct sctp_association * asoc,uint32_t * t_size)747 sctp_is_all_msg_on_reasm(struct sctp_association *asoc, uint32_t *t_size)
748 {
749 struct sctp_tmit_chunk *chk;
750 uint32_t tsn;
751
752 *t_size = 0;
753 chk = TAILQ_FIRST(&asoc->reasmqueue);
754 if (chk == NULL) {
755 /* nothing on the queue */
756 return (0);
757 }
758 if ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0) {
759 /* Not a first on the queue */
760 return (0);
761 }
762 tsn = chk->rec.data.TSN_seq;
763 TAILQ_FOREACH(chk, &asoc->reasmqueue, sctp_next) {
764 if (tsn != chk->rec.data.TSN_seq) {
765 return (0);
766 }
767 *t_size += chk->send_size;
768 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) {
769 return (1);
770 }
771 tsn++;
772 }
773 return (0);
774 }
775
776 static void
sctp_deliver_reasm_check(struct sctp_tcb * stcb,struct sctp_association * asoc)777 sctp_deliver_reasm_check(struct sctp_tcb *stcb, struct sctp_association *asoc)
778 {
779 struct sctp_tmit_chunk *chk;
780 uint16_t nxt_todel;
781 uint32_t tsize, pd_point;
782
783 doit_again:
784 chk = TAILQ_FIRST(&asoc->reasmqueue);
785 if (chk == NULL) {
786 /* Huh? */
787 asoc->size_on_reasm_queue = 0;
788 asoc->cnt_on_reasm_queue = 0;
789 return;
790 }
791 if (asoc->fragmented_delivery_inprogress == 0) {
792 nxt_todel =
793 asoc->strmin[chk->rec.data.stream_number].last_sequence_delivered + 1;
794 if ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) &&
795 (nxt_todel == chk->rec.data.stream_seq ||
796 (chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED))) {
797 /*
798 * Yep the first one is here and its ok to deliver
799 * but should we?
800 */
801 if (stcb->sctp_socket) {
802 pd_point = min(SCTP_SB_LIMIT_RCV(stcb->sctp_socket) >> SCTP_PARTIAL_DELIVERY_SHIFT,
803 stcb->sctp_ep->partial_delivery_point);
804 } else {
805 pd_point = stcb->sctp_ep->partial_delivery_point;
806 }
807 if (sctp_is_all_msg_on_reasm(asoc, &tsize) || (tsize >= pd_point)) {
808 /*
809 * Yes, we setup to start reception, by
810 * backing down the TSN just in case we
811 * can't deliver. If we
812 */
813 asoc->fragmented_delivery_inprogress = 1;
814 asoc->tsn_last_delivered =
815 chk->rec.data.TSN_seq - 1;
816 asoc->str_of_pdapi =
817 chk->rec.data.stream_number;
818 asoc->ssn_of_pdapi = chk->rec.data.stream_seq;
819 asoc->pdapi_ppid = chk->rec.data.payloadtype;
820 asoc->fragment_flags = chk->rec.data.rcv_flags;
821 sctp_service_reassembly(stcb, asoc);
822 }
823 }
824 } else {
825 /* Service re-assembly will deliver stream data queued
826 * at the end of fragmented delivery.. but it wont know
827 * to go back and call itself again... we do that here
828 * with the got doit_again
829 */
830 sctp_service_reassembly(stcb, asoc);
831 if (asoc->fragmented_delivery_inprogress == 0) {
832 /* finished our Fragmented delivery, could be
833 * more waiting?
834 */
835 goto doit_again;
836 }
837 }
838 }
839
840 /*
841 * Dump onto the re-assembly queue, in its proper place. After dumping on the
842 * queue, see if anthing can be delivered. If so pull it off (or as much as
843 * we can. If we run out of space then we must dump what we can and set the
844 * appropriate flag to say we queued what we could.
845 */
846 static void
sctp_queue_data_for_reasm(struct sctp_tcb * stcb,struct sctp_association * asoc,struct sctp_tmit_chunk * chk,int * abort_flag)847 sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc,
848 struct sctp_tmit_chunk *chk, int *abort_flag)
849 {
850 struct mbuf *op_err;
851 char msg[SCTP_DIAG_INFO_LEN];
852 uint32_t cum_ackp1, prev_tsn, post_tsn;
853 struct sctp_tmit_chunk *at, *prev, *next;
854
855 prev = next = NULL;
856 cum_ackp1 = asoc->tsn_last_delivered + 1;
857 if (TAILQ_EMPTY(&asoc->reasmqueue)) {
858 /* This is the first one on the queue */
859 TAILQ_INSERT_HEAD(&asoc->reasmqueue, chk, sctp_next);
860 /*
861 * we do not check for delivery of anything when only one
862 * fragment is here
863 */
864 asoc->size_on_reasm_queue = chk->send_size;
865 sctp_ucount_incr(asoc->cnt_on_reasm_queue);
866 if (chk->rec.data.TSN_seq == cum_ackp1) {
867 if (asoc->fragmented_delivery_inprogress == 0 &&
868 (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) !=
869 SCTP_DATA_FIRST_FRAG) {
870 /*
871 * An empty queue, no delivery inprogress,
872 * we hit the next one and it does NOT have
873 * a FIRST fragment mark.
874 */
875 SCTPDBG(SCTP_DEBUG_INDATA1, "Gak, Evil plot, its not first, no fragmented delivery in progress\n");
876 snprintf(msg, sizeof(msg),
877 "Expected B-bit for TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
878 chk->rec.data.TSN_seq,
879 chk->rec.data.stream_number,
880 chk->rec.data.stream_seq);
881 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
882 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_2;
883 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
884 *abort_flag = 1;
885 } else if (asoc->fragmented_delivery_inprogress &&
886 (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == SCTP_DATA_FIRST_FRAG) {
887 /*
888 * We are doing a partial delivery and the
889 * NEXT chunk MUST be either the LAST or
890 * MIDDLE fragment NOT a FIRST
891 */
892 SCTPDBG(SCTP_DEBUG_INDATA1, "Gak, Evil plot, it IS a first and fragmented delivery in progress\n");
893 snprintf(msg, sizeof(msg),
894 "Didn't expect B-bit for TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
895 chk->rec.data.TSN_seq,
896 chk->rec.data.stream_number,
897 chk->rec.data.stream_seq);
898 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
899 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_3;
900 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
901 *abort_flag = 1;
902 } else if (asoc->fragmented_delivery_inprogress) {
903 /*
904 * Here we are ok with a MIDDLE or LAST
905 * piece
906 */
907 if (chk->rec.data.stream_number !=
908 asoc->str_of_pdapi) {
909 /* Got to be the right STR No */
910 SCTPDBG(SCTP_DEBUG_INDATA1, "Gak, Evil plot, it IS not same stream number %d vs %d\n",
911 chk->rec.data.stream_number,
912 asoc->str_of_pdapi);
913 snprintf(msg, sizeof(msg),
914 "Expected SID=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
915 asoc->str_of_pdapi,
916 chk->rec.data.TSN_seq,
917 chk->rec.data.stream_number,
918 chk->rec.data.stream_seq);
919 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
920 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_4;
921 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
922 *abort_flag = 1;
923 } else if ((asoc->fragment_flags & SCTP_DATA_UNORDERED) !=
924 SCTP_DATA_UNORDERED &&
925 chk->rec.data.stream_seq != asoc->ssn_of_pdapi) {
926 /* Got to be the right STR Seq */
927 SCTPDBG(SCTP_DEBUG_INDATA1, "Gak, Evil plot, it IS not same stream seq %d vs %d\n",
928 chk->rec.data.stream_seq,
929 asoc->ssn_of_pdapi);
930 snprintf(msg, sizeof(msg),
931 "Expected SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
932 asoc->ssn_of_pdapi,
933 chk->rec.data.TSN_seq,
934 chk->rec.data.stream_number,
935 chk->rec.data.stream_seq);
936 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
937 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_5;
938 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
939 *abort_flag = 1;
940 }
941 }
942 }
943 return;
944 }
945 /* Find its place */
946 TAILQ_FOREACH(at, &asoc->reasmqueue, sctp_next) {
947 if (SCTP_TSN_GT(at->rec.data.TSN_seq, chk->rec.data.TSN_seq)) {
948 /*
949 * one in queue is bigger than the new one, insert
950 * before this one
951 */
952 /* A check */
953 asoc->size_on_reasm_queue += chk->send_size;
954 sctp_ucount_incr(asoc->cnt_on_reasm_queue);
955 next = at;
956 TAILQ_INSERT_BEFORE(at, chk, sctp_next);
957 break;
958 } else if (at->rec.data.TSN_seq == chk->rec.data.TSN_seq) {
959 /* Gak, He sent me a duplicate str seq number */
960 /*
961 * foo bar, I guess I will just free this new guy,
962 * should we abort too? FIX ME MAYBE? Or it COULD be
963 * that the SSN's have wrapped. Maybe I should
964 * compare to TSN somehow... sigh for now just blow
965 * away the chunk!
966 */
967 if (chk->data) {
968 sctp_m_freem(chk->data);
969 chk->data = NULL;
970 }
971 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
972 return;
973 } else {
974 prev = at;
975 if (TAILQ_NEXT(at, sctp_next) == NULL) {
976 /*
977 * We are at the end, insert it after this
978 * one
979 */
980 /* check it first */
981 asoc->size_on_reasm_queue += chk->send_size;
982 sctp_ucount_incr(asoc->cnt_on_reasm_queue);
983 TAILQ_INSERT_AFTER(&asoc->reasmqueue, at, chk, sctp_next);
984 break;
985 }
986 }
987 }
988 /* Now the audits */
989 if (prev) {
990 prev_tsn = chk->rec.data.TSN_seq - 1;
991 if (prev_tsn == prev->rec.data.TSN_seq) {
992 /*
993 * Ok the one I am dropping onto the end is the
994 * NEXT. A bit of valdiation here.
995 */
996 if ((prev->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) ==
997 SCTP_DATA_FIRST_FRAG ||
998 (prev->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) ==
999 SCTP_DATA_MIDDLE_FRAG) {
1000 /*
1001 * Insert chk MUST be a MIDDLE or LAST
1002 * fragment
1003 */
1004 if ((chk->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) ==
1005 SCTP_DATA_FIRST_FRAG) {
1006 SCTPDBG(SCTP_DEBUG_INDATA1, "Prev check - It can be a midlle or last but not a first\n");
1007 SCTPDBG(SCTP_DEBUG_INDATA1, "Gak, Evil plot, it's a FIRST!\n");
1008 snprintf(msg, sizeof(msg),
1009 "Can't handle B-bit, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1010 chk->rec.data.TSN_seq,
1011 chk->rec.data.stream_number,
1012 chk->rec.data.stream_seq);
1013 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1014 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_6;
1015 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1016 *abort_flag = 1;
1017 return;
1018 }
1019 if (chk->rec.data.stream_number !=
1020 prev->rec.data.stream_number) {
1021 /*
1022 * Huh, need the correct STR here,
1023 * they must be the same.
1024 */
1025 SCTPDBG(SCTP_DEBUG_INDATA1, "Prev check - Gak, Evil plot, sid:%d not the same as at:%d\n",
1026 chk->rec.data.stream_number,
1027 prev->rec.data.stream_number);
1028 snprintf(msg, sizeof(msg),
1029 "Expect SID=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1030 prev->rec.data.stream_number,
1031 chk->rec.data.TSN_seq,
1032 chk->rec.data.stream_number,
1033 chk->rec.data.stream_seq);
1034 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1035 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_7;
1036 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1037 *abort_flag = 1;
1038 return;
1039 }
1040 if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) !=
1041 (prev->rec.data.rcv_flags & SCTP_DATA_UNORDERED)) {
1042 /*
1043 * Huh, need the same ordering here,
1044 * they must be the same.
1045 */
1046 SCTPDBG(SCTP_DEBUG_INDATA1, "Prev check - Gak, Evil plot, U-bit not constant\n");
1047 snprintf(msg, sizeof(msg),
1048 "Expect U-bit=%d for TSN=%8.8x, got U-bit=%d",
1049 (prev->rec.data.rcv_flags & SCTP_DATA_UNORDERED) ? 1 : 0,
1050 chk->rec.data.TSN_seq,
1051 (chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) ? 1 : 0);
1052 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1053 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_7;
1054 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1055 *abort_flag = 1;
1056 return;
1057 }
1058 if ((prev->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0 &&
1059 chk->rec.data.stream_seq !=
1060 prev->rec.data.stream_seq) {
1061 /*
1062 * Huh, need the correct STR here,
1063 * they must be the same.
1064 */
1065 SCTPDBG(SCTP_DEBUG_INDATA1, "Prev check - Gak, Evil plot, sseq:%d not the same as at:%d\n",
1066 chk->rec.data.stream_seq,
1067 prev->rec.data.stream_seq);
1068 snprintf(msg, sizeof(msg),
1069 "Expect SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1070 prev->rec.data.stream_seq,
1071 chk->rec.data.TSN_seq,
1072 chk->rec.data.stream_number,
1073 chk->rec.data.stream_seq);
1074 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1075 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_8;
1076 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1077 *abort_flag = 1;
1078 return;
1079 }
1080 } else if ((prev->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) ==
1081 SCTP_DATA_LAST_FRAG) {
1082 /* Insert chk MUST be a FIRST */
1083 if ((chk->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) !=
1084 SCTP_DATA_FIRST_FRAG) {
1085 SCTPDBG(SCTP_DEBUG_INDATA1, "Prev check - Gak, evil plot, its not FIRST and it must be!\n");
1086 snprintf(msg, sizeof(msg),
1087 "Expect B-bit, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1088 chk->rec.data.TSN_seq,
1089 chk->rec.data.stream_number,
1090 chk->rec.data.stream_seq);
1091 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1092 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_9;
1093 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1094 *abort_flag = 1;
1095 return;
1096 }
1097 }
1098 }
1099 }
1100 if (next) {
1101 post_tsn = chk->rec.data.TSN_seq + 1;
1102 if (post_tsn == next->rec.data.TSN_seq) {
1103 /*
1104 * Ok the one I am inserting ahead of is my NEXT
1105 * one. A bit of valdiation here.
1106 */
1107 if (next->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) {
1108 /* Insert chk MUST be a last fragment */
1109 if ((chk->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK)
1110 != SCTP_DATA_LAST_FRAG) {
1111 SCTPDBG(SCTP_DEBUG_INDATA1, "Next chk - Next is FIRST, we must be LAST\n");
1112 SCTPDBG(SCTP_DEBUG_INDATA1, "Gak, Evil plot, its not a last!\n");
1113 snprintf(msg, sizeof(msg),
1114 "Expect only E-bit, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1115 chk->rec.data.TSN_seq,
1116 chk->rec.data.stream_number,
1117 chk->rec.data.stream_seq);
1118 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1119 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_10;
1120 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1121 *abort_flag = 1;
1122 return;
1123 }
1124 } else if ((next->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) ==
1125 SCTP_DATA_MIDDLE_FRAG ||
1126 (next->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) ==
1127 SCTP_DATA_LAST_FRAG) {
1128 /*
1129 * Insert chk CAN be MIDDLE or FIRST NOT
1130 * LAST
1131 */
1132 if ((chk->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) ==
1133 SCTP_DATA_LAST_FRAG) {
1134 SCTPDBG(SCTP_DEBUG_INDATA1, "Next chk - Next is a MIDDLE/LAST\n");
1135 SCTPDBG(SCTP_DEBUG_INDATA1, "Gak, Evil plot, new prev chunk is a LAST\n");
1136 snprintf(msg, sizeof(msg),
1137 "Didn't expect E-bit, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1138 chk->rec.data.TSN_seq,
1139 chk->rec.data.stream_number,
1140 chk->rec.data.stream_seq);
1141 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1142 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_11;
1143 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1144 *abort_flag = 1;
1145 return;
1146 }
1147 if (chk->rec.data.stream_number !=
1148 next->rec.data.stream_number) {
1149 /*
1150 * Huh, need the correct STR here,
1151 * they must be the same.
1152 */
1153 SCTPDBG(SCTP_DEBUG_INDATA1, "Next chk - Gak, Evil plot, ssn:%d not the same as at:%d\n",
1154 chk->rec.data.stream_number,
1155 next->rec.data.stream_number);
1156 snprintf(msg, sizeof(msg),
1157 "Required SID %4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1158 next->rec.data.stream_number,
1159 chk->rec.data.TSN_seq,
1160 chk->rec.data.stream_number,
1161 chk->rec.data.stream_seq);
1162 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1163 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_12;
1164 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1165 *abort_flag = 1;
1166 return;
1167 }
1168 if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) !=
1169 (next->rec.data.rcv_flags & SCTP_DATA_UNORDERED)) {
1170 /*
1171 * Huh, need the same ordering here,
1172 * they must be the same.
1173 */
1174 SCTPDBG(SCTP_DEBUG_INDATA1, "Next check - Gak, Evil plot, U-bit not constant\n");
1175 snprintf(msg, sizeof(msg),
1176 "Expect U-bit=%d for TSN=%8.8x, got U-bit=%d",
1177 (next->rec.data.rcv_flags & SCTP_DATA_UNORDERED) ? 1 : 0,
1178 chk->rec.data.TSN_seq,
1179 (chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) ? 1 : 0);
1180 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1181 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_12;
1182 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1183 *abort_flag = 1;
1184 return;
1185 }
1186 if ((next->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0 &&
1187 chk->rec.data.stream_seq !=
1188 next->rec.data.stream_seq) {
1189 /*
1190 * Huh, need the correct STR here,
1191 * they must be the same.
1192 */
1193 SCTPDBG(SCTP_DEBUG_INDATA1, "Next chk - Gak, Evil plot, sseq:%d not the same as at:%d\n",
1194 chk->rec.data.stream_seq,
1195 next->rec.data.stream_seq);
1196 snprintf(msg, sizeof(msg),
1197 "Required SSN %4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1198 next->rec.data.stream_seq,
1199 chk->rec.data.TSN_seq,
1200 chk->rec.data.stream_number,
1201 chk->rec.data.stream_seq);
1202 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1203 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_13;
1204 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1205 *abort_flag = 1;
1206 return;
1207 }
1208 }
1209 }
1210 }
1211 /* Do we need to do some delivery? check */
1212 sctp_deliver_reasm_check(stcb, asoc);
1213 }
1214
1215 /*
1216 * This is an unfortunate routine. It checks to make sure a evil guy is not
1217 * stuffing us full of bad packet fragments. A broken peer could also do this
1218 * but this is doubtful. It is to bad I must worry about evil crackers sigh
1219 * :< more cycles.
1220 */
1221 static int
sctp_does_tsn_belong_to_reasm(struct sctp_association * asoc,uint32_t TSN_seq)1222 sctp_does_tsn_belong_to_reasm(struct sctp_association *asoc,
1223 uint32_t TSN_seq)
1224 {
1225 struct sctp_tmit_chunk *at;
1226 uint32_t tsn_est;
1227
1228 TAILQ_FOREACH(at, &asoc->reasmqueue, sctp_next) {
1229 if (SCTP_TSN_GT(TSN_seq, at->rec.data.TSN_seq)) {
1230 /* is it one bigger? */
1231 tsn_est = at->rec.data.TSN_seq + 1;
1232 if (tsn_est == TSN_seq) {
1233 /* yep. It better be a last then */
1234 if ((at->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) !=
1235 SCTP_DATA_LAST_FRAG) {
1236 /*
1237 * Ok this guy belongs next to a guy
1238 * that is NOT last, it should be a
1239 * middle/last, not a complete
1240 * chunk.
1241 */
1242 return (1);
1243 } else {
1244 /*
1245 * This guy is ok since its a LAST
1246 * and the new chunk is a fully
1247 * self- contained one.
1248 */
1249 return (0);
1250 }
1251 }
1252 } else if (TSN_seq == at->rec.data.TSN_seq) {
1253 /* Software error since I have a dup? */
1254 return (1);
1255 } else {
1256 /*
1257 * Ok, 'at' is larger than new chunk but does it
1258 * need to be right before it.
1259 */
1260 tsn_est = TSN_seq + 1;
1261 if (tsn_est == at->rec.data.TSN_seq) {
1262 /* Yep, It better be a first */
1263 if ((at->rec.data.rcv_flags & SCTP_DATA_FRAG_MASK) !=
1264 SCTP_DATA_FIRST_FRAG) {
1265 return (1);
1266 } else {
1267 return (0);
1268 }
1269 }
1270 }
1271 }
1272 return (0);
1273 }
1274
1275 static int
sctp_process_a_data_chunk(struct sctp_tcb * stcb,struct sctp_association * asoc,struct mbuf ** m,int offset,struct sctp_data_chunk * ch,int chk_length,struct sctp_nets * net,uint32_t * high_tsn,int * abort_flag,int * break_flag,int last_chunk)1276 sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc,
1277 struct mbuf **m, int offset, struct sctp_data_chunk *ch, int chk_length,
1278 struct sctp_nets *net, uint32_t *high_tsn, int *abort_flag,
1279 int *break_flag, int last_chunk)
1280 {
1281 /* Process a data chunk */
1282 /* struct sctp_tmit_chunk *chk; */
1283 struct sctp_tmit_chunk *chk;
1284 uint32_t tsn, gap;
1285 struct mbuf *dmbuf;
1286 int the_len;
1287 int need_reasm_check = 0;
1288 uint16_t strmno, strmseq;
1289 struct mbuf *op_err;
1290 char msg[SCTP_DIAG_INFO_LEN];
1291 struct sctp_queued_to_read *control;
1292 int ordered;
1293 uint32_t protocol_id;
1294 uint8_t chunk_flags;
1295 struct sctp_stream_reset_list *liste;
1296
1297 chk = NULL;
1298 tsn = ntohl(ch->dp.tsn);
1299 chunk_flags = ch->ch.chunk_flags;
1300 if ((chunk_flags & SCTP_DATA_SACK_IMMEDIATELY) == SCTP_DATA_SACK_IMMEDIATELY) {
1301 asoc->send_sack = 1;
1302 }
1303 protocol_id = ch->dp.protocol_id;
1304 ordered = ((chunk_flags & SCTP_DATA_UNORDERED) == 0);
1305 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
1306 sctp_log_map(tsn, asoc->cumulative_tsn, asoc->highest_tsn_inside_map, SCTP_MAP_TSN_ENTERS);
1307 }
1308 if (stcb == NULL) {
1309 return (0);
1310 }
1311 SCTP_LTRACE_CHK(stcb->sctp_ep, stcb, ch->ch.chunk_type, tsn);
1312 if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) {
1313 /* It is a duplicate */
1314 SCTP_STAT_INCR(sctps_recvdupdata);
1315 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) {
1316 /* Record a dup for the next outbound sack */
1317 asoc->dup_tsns[asoc->numduptsns] = tsn;
1318 asoc->numduptsns++;
1319 }
1320 asoc->send_sack = 1;
1321 return (0);
1322 }
1323 /* Calculate the number of TSN's between the base and this TSN */
1324 SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn);
1325 if (gap >= (SCTP_MAPPING_ARRAY << 3)) {
1326 /* Can't hold the bit in the mapping at max array, toss it */
1327 return (0);
1328 }
1329 if (gap >= (uint32_t) (asoc->mapping_array_size << 3)) {
1330 SCTP_TCB_LOCK_ASSERT(stcb);
1331 if (sctp_expand_mapping_array(asoc, gap)) {
1332 /* Can't expand, drop it */
1333 return (0);
1334 }
1335 }
1336 if (SCTP_TSN_GT(tsn, *high_tsn)) {
1337 *high_tsn = tsn;
1338 }
1339 /* See if we have received this one already */
1340 if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap) ||
1341 SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap)) {
1342 SCTP_STAT_INCR(sctps_recvdupdata);
1343 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) {
1344 /* Record a dup for the next outbound sack */
1345 asoc->dup_tsns[asoc->numduptsns] = tsn;
1346 asoc->numduptsns++;
1347 }
1348 asoc->send_sack = 1;
1349 return (0);
1350 }
1351 /*
1352 * Check to see about the GONE flag, duplicates would cause a sack
1353 * to be sent up above
1354 */
1355 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
1356 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
1357 (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET))) {
1358 /*
1359 * wait a minute, this guy is gone, there is no longer a
1360 * receiver. Send peer an ABORT!
1361 */
1362 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
1363 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1364 *abort_flag = 1;
1365 return (0);
1366 }
1367 /*
1368 * Now before going further we see if there is room. If NOT then we
1369 * MAY let one through only IF this TSN is the one we are waiting
1370 * for on a partial delivery API.
1371 */
1372
1373 /* now do the tests */
1374 if (((asoc->cnt_on_all_streams +
1375 asoc->cnt_on_reasm_queue +
1376 asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) ||
1377 (((int)asoc->my_rwnd) <= 0)) {
1378 /*
1379 * When we have NO room in the rwnd we check to make sure
1380 * the reader is doing its job...
1381 */
1382 if (stcb->sctp_socket->so_rcv.sb_cc) {
1383 /* some to read, wake-up */
1384 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1385 struct socket *so;
1386
1387 so = SCTP_INP_SO(stcb->sctp_ep);
1388 atomic_add_int(&stcb->asoc.refcnt, 1);
1389 SCTP_TCB_UNLOCK(stcb);
1390 SCTP_SOCKET_LOCK(so, 1);
1391 SCTP_TCB_LOCK(stcb);
1392 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1393 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1394 /* assoc was freed while we were unlocked */
1395 SCTP_SOCKET_UNLOCK(so, 1);
1396 return (0);
1397 }
1398 #endif
1399 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
1400 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1401 SCTP_SOCKET_UNLOCK(so, 1);
1402 #endif
1403 }
1404 /* now is it in the mapping array of what we have accepted? */
1405 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map) &&
1406 SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
1407 /* Nope not in the valid range dump it */
1408 sctp_set_rwnd(stcb, asoc);
1409 if ((asoc->cnt_on_all_streams +
1410 asoc->cnt_on_reasm_queue +
1411 asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) {
1412 SCTP_STAT_INCR(sctps_datadropchklmt);
1413 } else {
1414 SCTP_STAT_INCR(sctps_datadroprwnd);
1415 }
1416 *break_flag = 1;
1417 return (0);
1418 }
1419 }
1420 strmno = ntohs(ch->dp.stream_id);
1421 if (strmno >= asoc->streamincnt) {
1422 struct sctp_paramhdr *phdr;
1423 struct mbuf *mb;
1424
1425 mb = sctp_get_mbuf_for_msg((sizeof(struct sctp_paramhdr) * 2),
1426 0, M_NOWAIT, 1, MT_DATA);
1427 if (mb != NULL) {
1428 /* add some space up front so prepend will work well */
1429 SCTP_BUF_RESV_UF(mb, sizeof(struct sctp_chunkhdr));
1430 phdr = mtod(mb, struct sctp_paramhdr *);
1431 /*
1432 * Error causes are just param's and this one has
1433 * two back to back phdr, one with the error type
1434 * and size, the other with the streamid and a rsvd
1435 */
1436 SCTP_BUF_LEN(mb) = (sizeof(struct sctp_paramhdr) * 2);
1437 phdr->param_type = htons(SCTP_CAUSE_INVALID_STREAM);
1438 phdr->param_length =
1439 htons(sizeof(struct sctp_paramhdr) * 2);
1440 phdr++;
1441 /* We insert the stream in the type field */
1442 phdr->param_type = ch->dp.stream_id;
1443 /* And set the length to 0 for the rsvd field */
1444 phdr->param_length = 0;
1445 sctp_queue_op_err(stcb, mb);
1446 }
1447 SCTP_STAT_INCR(sctps_badsid);
1448 SCTP_TCB_LOCK_ASSERT(stcb);
1449 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
1450 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
1451 asoc->highest_tsn_inside_nr_map = tsn;
1452 }
1453 if (tsn == (asoc->cumulative_tsn + 1)) {
1454 /* Update cum-ack */
1455 asoc->cumulative_tsn = tsn;
1456 }
1457 return (0);
1458 }
1459 /*
1460 * Before we continue lets validate that we are not being fooled by
1461 * an evil attacker. We can only have 4k chunks based on our TSN
1462 * spread allowed by the mapping array 512 * 8 bits, so there is no
1463 * way our stream sequence numbers could have wrapped. We of course
1464 * only validate the FIRST fragment so the bit must be set.
1465 */
1466 strmseq = ntohs(ch->dp.stream_sequence);
1467 #ifdef SCTP_ASOCLOG_OF_TSNS
1468 SCTP_TCB_LOCK_ASSERT(stcb);
1469 if (asoc->tsn_in_at >= SCTP_TSN_LOG_SIZE) {
1470 asoc->tsn_in_at = 0;
1471 asoc->tsn_in_wrapped = 1;
1472 }
1473 asoc->in_tsnlog[asoc->tsn_in_at].tsn = tsn;
1474 asoc->in_tsnlog[asoc->tsn_in_at].strm = strmno;
1475 asoc->in_tsnlog[asoc->tsn_in_at].seq = strmseq;
1476 asoc->in_tsnlog[asoc->tsn_in_at].sz = chk_length;
1477 asoc->in_tsnlog[asoc->tsn_in_at].flgs = chunk_flags;
1478 asoc->in_tsnlog[asoc->tsn_in_at].stcb = (void *)stcb;
1479 asoc->in_tsnlog[asoc->tsn_in_at].in_pos = asoc->tsn_in_at;
1480 asoc->in_tsnlog[asoc->tsn_in_at].in_out = 1;
1481 asoc->tsn_in_at++;
1482 #endif
1483 if ((chunk_flags & SCTP_DATA_FIRST_FRAG) &&
1484 (TAILQ_EMPTY(&asoc->resetHead)) &&
1485 (chunk_flags & SCTP_DATA_UNORDERED) == 0 &&
1486 SCTP_SSN_GE(asoc->strmin[strmno].last_sequence_delivered, strmseq)) {
1487 /* The incoming sseq is behind where we last delivered? */
1488 SCTPDBG(SCTP_DEBUG_INDATA1, "EVIL/Broken-Dup S-SEQ:%d delivered:%d from peer, Abort!\n",
1489 strmseq, asoc->strmin[strmno].last_sequence_delivered);
1490
1491 snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1492 asoc->strmin[strmno].last_sequence_delivered,
1493 tsn, strmno, strmseq);
1494 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1495 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_14;
1496 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1497 *abort_flag = 1;
1498 return (0);
1499 }
1500 /************************************
1501 * From here down we may find ch-> invalid
1502 * so its a good idea NOT to use it.
1503 *************************************/
1504
1505 the_len = (chk_length - sizeof(struct sctp_data_chunk));
1506 if (last_chunk == 0) {
1507 dmbuf = SCTP_M_COPYM(*m,
1508 (offset + sizeof(struct sctp_data_chunk)),
1509 the_len, M_NOWAIT);
1510 #ifdef SCTP_MBUF_LOGGING
1511 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
1512 struct mbuf *mat;
1513
1514 for (mat = dmbuf; mat; mat = SCTP_BUF_NEXT(mat)) {
1515 if (SCTP_BUF_IS_EXTENDED(mat)) {
1516 sctp_log_mb(mat, SCTP_MBUF_ICOPY);
1517 }
1518 }
1519 }
1520 #endif
1521 } else {
1522 /* We can steal the last chunk */
1523 int l_len;
1524 dmbuf = *m;
1525 /* lop off the top part */
1526 m_adj(dmbuf, (offset + sizeof(struct sctp_data_chunk)));
1527 if (SCTP_BUF_NEXT(dmbuf) == NULL) {
1528 l_len = SCTP_BUF_LEN(dmbuf);
1529 } else {
1530 /* need to count up the size hopefully
1531 * does not hit this to often :-0
1532 */
1533 struct mbuf *lat;
1534
1535 l_len = 0;
1536 for (lat = dmbuf; lat; lat = SCTP_BUF_NEXT(lat)) {
1537 l_len += SCTP_BUF_LEN(lat);
1538 }
1539 }
1540 if (l_len > the_len) {
1541 /* Trim the end round bytes off too */
1542 m_adj(dmbuf, -(l_len - the_len));
1543 }
1544 }
1545 if (dmbuf == NULL) {
1546 SCTP_STAT_INCR(sctps_nomem);
1547 return (0);
1548 }
1549 if ((chunk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG &&
1550 asoc->fragmented_delivery_inprogress == 0 &&
1551 TAILQ_EMPTY(&asoc->resetHead) &&
1552 ((ordered == 0) ||
1553 ((uint16_t)(asoc->strmin[strmno].last_sequence_delivered + 1) == strmseq &&
1554 TAILQ_EMPTY(&asoc->strmin[strmno].inqueue)))) {
1555 /* Candidate for express delivery */
1556 /*
1557 * Its not fragmented, No PD-API is up, Nothing in the
1558 * delivery queue, Its un-ordered OR ordered and the next to
1559 * deliver AND nothing else is stuck on the stream queue,
1560 * And there is room for it in the socket buffer. Lets just
1561 * stuff it up the buffer....
1562 */
1563
1564 /* It would be nice to avoid this copy if we could :< */
1565 sctp_alloc_a_readq(stcb, control);
1566 sctp_build_readq_entry_mac(control, stcb, asoc->context, net, tsn,
1567 protocol_id,
1568 strmno, strmseq,
1569 chunk_flags,
1570 dmbuf);
1571 if (control == NULL) {
1572 goto failed_express_del;
1573 }
1574 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
1575 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
1576 asoc->highest_tsn_inside_nr_map = tsn;
1577 }
1578 sctp_add_to_readq(stcb->sctp_ep, stcb,
1579 control, &stcb->sctp_socket->so_rcv,
1580 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
1581
1582 if ((chunk_flags & SCTP_DATA_UNORDERED) == 0) {
1583 /* for ordered, bump what we delivered */
1584 asoc->strmin[strmno].last_sequence_delivered++;
1585 }
1586 SCTP_STAT_INCR(sctps_recvexpress);
1587 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
1588 sctp_log_strm_del_alt(stcb, tsn, strmseq, strmno,
1589 SCTP_STR_LOG_FROM_EXPRS_DEL);
1590 }
1591 control = NULL;
1592
1593 goto finish_express_del;
1594 }
1595 failed_express_del:
1596 /* If we reach here this is a new chunk */
1597 chk = NULL;
1598 control = NULL;
1599 /* Express for fragmented delivery? */
1600 if ((asoc->fragmented_delivery_inprogress) &&
1601 (stcb->asoc.control_pdapi) &&
1602 (asoc->str_of_pdapi == strmno) &&
1603 (asoc->ssn_of_pdapi == strmseq)
1604 ) {
1605 control = stcb->asoc.control_pdapi;
1606 if ((chunk_flags & SCTP_DATA_FIRST_FRAG) == SCTP_DATA_FIRST_FRAG) {
1607 /* Can't be another first? */
1608 goto failed_pdapi_express_del;
1609 }
1610 if (tsn == (control->sinfo_tsn + 1)) {
1611 /* Yep, we can add it on */
1612 int end = 0;
1613
1614 if (chunk_flags & SCTP_DATA_LAST_FRAG) {
1615 end = 1;
1616 }
1617 if (sctp_append_to_readq(stcb->sctp_ep, stcb, control, dmbuf, end,
1618 tsn,
1619 &stcb->sctp_socket->so_rcv)) {
1620 SCTP_PRINTF("Append fails end:%d\n", end);
1621 goto failed_pdapi_express_del;
1622 }
1623
1624 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
1625 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
1626 asoc->highest_tsn_inside_nr_map = tsn;
1627 }
1628 SCTP_STAT_INCR(sctps_recvexpressm);
1629 asoc->tsn_last_delivered = tsn;
1630 asoc->fragment_flags = chunk_flags;
1631 asoc->tsn_of_pdapi_last_delivered = tsn;
1632 asoc->last_flags_delivered = chunk_flags;
1633 asoc->last_strm_seq_delivered = strmseq;
1634 asoc->last_strm_no_delivered = strmno;
1635 if (end) {
1636 /* clean up the flags and such */
1637 asoc->fragmented_delivery_inprogress = 0;
1638 if ((chunk_flags & SCTP_DATA_UNORDERED) == 0) {
1639 asoc->strmin[strmno].last_sequence_delivered++;
1640 }
1641 stcb->asoc.control_pdapi = NULL;
1642 if (TAILQ_EMPTY(&asoc->reasmqueue) == 0) {
1643 /* There could be another message ready */
1644 need_reasm_check = 1;
1645 }
1646 }
1647 control = NULL;
1648 goto finish_express_del;
1649 }
1650 }
1651 failed_pdapi_express_del:
1652 control = NULL;
1653 if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) {
1654 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap);
1655 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) {
1656 asoc->highest_tsn_inside_nr_map = tsn;
1657 }
1658 } else {
1659 SCTP_SET_TSN_PRESENT(asoc->mapping_array, gap);
1660 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map)) {
1661 asoc->highest_tsn_inside_map = tsn;
1662 }
1663 }
1664 if ((chunk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) {
1665 sctp_alloc_a_chunk(stcb, chk);
1666 if (chk == NULL) {
1667 /* No memory so we drop the chunk */
1668 SCTP_STAT_INCR(sctps_nomem);
1669 if (last_chunk == 0) {
1670 /* we copied it, free the copy */
1671 sctp_m_freem(dmbuf);
1672 }
1673 return (0);
1674 }
1675 chk->rec.data.TSN_seq = tsn;
1676 chk->no_fr_allowed = 0;
1677 chk->rec.data.stream_seq = strmseq;
1678 chk->rec.data.stream_number = strmno;
1679 chk->rec.data.payloadtype = protocol_id;
1680 chk->rec.data.context = stcb->asoc.context;
1681 chk->rec.data.doing_fast_retransmit = 0;
1682 chk->rec.data.rcv_flags = chunk_flags;
1683 chk->asoc = asoc;
1684 chk->send_size = the_len;
1685 chk->whoTo = net;
1686 atomic_add_int(&net->ref_count, 1);
1687 chk->data = dmbuf;
1688 } else {
1689 sctp_alloc_a_readq(stcb, control);
1690 sctp_build_readq_entry_mac(control, stcb, asoc->context, net, tsn,
1691 protocol_id,
1692 strmno, strmseq,
1693 chunk_flags,
1694 dmbuf);
1695 if (control == NULL) {
1696 /* No memory so we drop the chunk */
1697 SCTP_STAT_INCR(sctps_nomem);
1698 if (last_chunk == 0) {
1699 /* we copied it, free the copy */
1700 sctp_m_freem(dmbuf);
1701 }
1702 return (0);
1703 }
1704 control->length = the_len;
1705 }
1706
1707 /* Mark it as received */
1708 /* Now queue it where it belongs */
1709 if (control != NULL) {
1710 /* First a sanity check */
1711 if (asoc->fragmented_delivery_inprogress) {
1712 /*
1713 * Ok, we have a fragmented delivery in progress if
1714 * this chunk is next to deliver OR belongs in our
1715 * view to the reassembly, the peer is evil or
1716 * broken.
1717 */
1718 uint32_t estimate_tsn;
1719
1720 estimate_tsn = asoc->tsn_last_delivered + 1;
1721 if (TAILQ_EMPTY(&asoc->reasmqueue) &&
1722 (estimate_tsn == control->sinfo_tsn)) {
1723 /* Evil/Broke peer */
1724 sctp_m_freem(control->data);
1725 control->data = NULL;
1726 if (control->whoFrom) {
1727 sctp_free_remote_addr(control->whoFrom);
1728 control->whoFrom = NULL;
1729 }
1730 sctp_free_a_readq(stcb, control);
1731 snprintf(msg, sizeof(msg), "Reas. queue emtpy, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1732 tsn, strmno, strmseq);
1733 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1734 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_15;
1735 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1736 *abort_flag = 1;
1737 if (last_chunk) {
1738 *m = NULL;
1739 }
1740 return (0);
1741 } else {
1742 if (sctp_does_tsn_belong_to_reasm(asoc, control->sinfo_tsn)) {
1743 sctp_m_freem(control->data);
1744 control->data = NULL;
1745 if (control->whoFrom) {
1746 sctp_free_remote_addr(control->whoFrom);
1747 control->whoFrom = NULL;
1748 }
1749 sctp_free_a_readq(stcb, control);
1750 snprintf(msg, sizeof(msg), "PD ongoing, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1751 tsn, strmno, strmseq);
1752 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1753 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_16;
1754 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1755 *abort_flag = 1;
1756 if (last_chunk) {
1757 *m = NULL;
1758 }
1759 return (0);
1760 }
1761 }
1762 } else {
1763 /* No PDAPI running */
1764 if (!TAILQ_EMPTY(&asoc->reasmqueue)) {
1765 /*
1766 * Reassembly queue is NOT empty validate
1767 * that this tsn does not need to be in
1768 * reasembly queue. If it does then our peer
1769 * is broken or evil.
1770 */
1771 if (sctp_does_tsn_belong_to_reasm(asoc, control->sinfo_tsn)) {
1772 sctp_m_freem(control->data);
1773 control->data = NULL;
1774 if (control->whoFrom) {
1775 sctp_free_remote_addr(control->whoFrom);
1776 control->whoFrom = NULL;
1777 }
1778 sctp_free_a_readq(stcb, control);
1779 snprintf(msg, sizeof(msg), "No PD ongoing, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x",
1780 tsn, strmno, strmseq);
1781 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
1782 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_17;
1783 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
1784 *abort_flag = 1;
1785 if (last_chunk) {
1786 *m = NULL;
1787 }
1788 return (0);
1789 }
1790 }
1791 }
1792 /* ok, if we reach here we have passed the sanity checks */
1793 if (chunk_flags & SCTP_DATA_UNORDERED) {
1794 /* queue directly into socket buffer */
1795 sctp_mark_non_revokable(asoc, control->sinfo_tsn);
1796 sctp_add_to_readq(stcb->sctp_ep, stcb,
1797 control,
1798 &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED);
1799 } else {
1800 /*
1801 * Special check for when streams are resetting. We
1802 * could be more smart about this and check the
1803 * actual stream to see if it is not being reset..
1804 * that way we would not create a HOLB when amongst
1805 * streams being reset and those not being reset.
1806 *
1807 * We take complete messages that have a stream reset
1808 * intervening (aka the TSN is after where our
1809 * cum-ack needs to be) off and put them on a
1810 * pending_reply_queue. The reassembly ones we do
1811 * not have to worry about since they are all sorted
1812 * and proceessed by TSN order. It is only the
1813 * singletons I must worry about.
1814 */
1815 if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) &&
1816 SCTP_TSN_GT(tsn, liste->tsn)) {
1817 /*
1818 * yep its past where we need to reset... go
1819 * ahead and queue it.
1820 */
1821 if (TAILQ_EMPTY(&asoc->pending_reply_queue)) {
1822 /* first one on */
1823 TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next);
1824 } else {
1825 struct sctp_queued_to_read *ctlOn, *nctlOn;
1826 unsigned char inserted = 0;
1827
1828 TAILQ_FOREACH_SAFE(ctlOn, &asoc->pending_reply_queue, next, nctlOn) {
1829 if (SCTP_TSN_GT(control->sinfo_tsn, ctlOn->sinfo_tsn)) {
1830 continue;
1831 } else {
1832 /* found it */
1833 TAILQ_INSERT_BEFORE(ctlOn, control, next);
1834 inserted = 1;
1835 break;
1836 }
1837 }
1838 if (inserted == 0) {
1839 /*
1840 * must be put at end, use
1841 * prevP (all setup from
1842 * loop) to setup nextP.
1843 */
1844 TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next);
1845 }
1846 }
1847 } else {
1848 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag);
1849 if (*abort_flag) {
1850 if (last_chunk) {
1851 *m = NULL;
1852 }
1853 return (0);
1854 }
1855 }
1856 }
1857 } else {
1858 /* Into the re-assembly queue */
1859 sctp_queue_data_for_reasm(stcb, asoc, chk, abort_flag);
1860 if (*abort_flag) {
1861 /*
1862 * the assoc is now gone and chk was put onto the
1863 * reasm queue, which has all been freed.
1864 */
1865 if (last_chunk) {
1866 *m = NULL;
1867 }
1868 return (0);
1869 }
1870 }
1871 finish_express_del:
1872 if (tsn == (asoc->cumulative_tsn + 1)) {
1873 /* Update cum-ack */
1874 asoc->cumulative_tsn = tsn;
1875 }
1876 if (last_chunk) {
1877 *m = NULL;
1878 }
1879 if (ordered) {
1880 SCTP_STAT_INCR_COUNTER64(sctps_inorderchunks);
1881 } else {
1882 SCTP_STAT_INCR_COUNTER64(sctps_inunorderchunks);
1883 }
1884 SCTP_STAT_INCR(sctps_recvdata);
1885 /* Set it present please */
1886 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) {
1887 sctp_log_strm_del_alt(stcb, tsn, strmseq, strmno, SCTP_STR_LOG_FROM_MARK_TSN);
1888 }
1889 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
1890 sctp_log_map(asoc->mapping_array_base_tsn, asoc->cumulative_tsn,
1891 asoc->highest_tsn_inside_map, SCTP_MAP_PREPARE_SLIDE);
1892 }
1893 /* check the special flag for stream resets */
1894 if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) &&
1895 SCTP_TSN_GE(asoc->cumulative_tsn, liste->tsn)) {
1896 /*
1897 * we have finished working through the backlogged TSN's now
1898 * time to reset streams. 1: call reset function. 2: free
1899 * pending_reply space 3: distribute any chunks in
1900 * pending_reply_queue.
1901 */
1902 struct sctp_queued_to_read *ctl, *nctl;
1903
1904 sctp_reset_in_stream(stcb, liste->number_entries, liste->list_of_streams);
1905 TAILQ_REMOVE(&asoc->resetHead, liste, next_resp);
1906 SCTP_FREE(liste, SCTP_M_STRESET);
1907 /*sa_ignore FREED_MEMORY*/
1908 liste = TAILQ_FIRST(&asoc->resetHead);
1909 if (TAILQ_EMPTY(&asoc->resetHead)) {
1910 /* All can be removed */
1911 TAILQ_FOREACH_SAFE(ctl, &asoc->pending_reply_queue, next, nctl) {
1912 TAILQ_REMOVE(&asoc->pending_reply_queue, ctl, next);
1913 sctp_queue_data_to_stream(stcb, asoc, ctl, abort_flag);
1914 if (*abort_flag) {
1915 return (0);
1916 }
1917 }
1918 } else {
1919 TAILQ_FOREACH_SAFE(ctl, &asoc->pending_reply_queue, next, nctl) {
1920 if (SCTP_TSN_GT(ctl->sinfo_tsn, liste->tsn)) {
1921 break;
1922 }
1923 /*
1924 * if ctl->sinfo_tsn is <= liste->tsn we can
1925 * process it which is the NOT of
1926 * ctl->sinfo_tsn > liste->tsn
1927 */
1928 TAILQ_REMOVE(&asoc->pending_reply_queue, ctl, next);
1929 sctp_queue_data_to_stream(stcb, asoc, ctl, abort_flag);
1930 if (*abort_flag) {
1931 return (0);
1932 }
1933 }
1934 }
1935 /*
1936 * Now service re-assembly to pick up anything that has been
1937 * held on reassembly queue?
1938 */
1939 sctp_deliver_reasm_check(stcb, asoc);
1940 need_reasm_check = 0;
1941 }
1942
1943 if (need_reasm_check) {
1944 /* Another one waits ? */
1945 sctp_deliver_reasm_check(stcb, asoc);
1946 }
1947 return (1);
1948 }
1949
1950 int8_t sctp_map_lookup_tab[256] = {
1951 0, 1, 0, 2, 0, 1, 0, 3,
1952 0, 1, 0, 2, 0, 1, 0, 4,
1953 0, 1, 0, 2, 0, 1, 0, 3,
1954 0, 1, 0, 2, 0, 1, 0, 5,
1955 0, 1, 0, 2, 0, 1, 0, 3,
1956 0, 1, 0, 2, 0, 1, 0, 4,
1957 0, 1, 0, 2, 0, 1, 0, 3,
1958 0, 1, 0, 2, 0, 1, 0, 6,
1959 0, 1, 0, 2, 0, 1, 0, 3,
1960 0, 1, 0, 2, 0, 1, 0, 4,
1961 0, 1, 0, 2, 0, 1, 0, 3,
1962 0, 1, 0, 2, 0, 1, 0, 5,
1963 0, 1, 0, 2, 0, 1, 0, 3,
1964 0, 1, 0, 2, 0, 1, 0, 4,
1965 0, 1, 0, 2, 0, 1, 0, 3,
1966 0, 1, 0, 2, 0, 1, 0, 7,
1967 0, 1, 0, 2, 0, 1, 0, 3,
1968 0, 1, 0, 2, 0, 1, 0, 4,
1969 0, 1, 0, 2, 0, 1, 0, 3,
1970 0, 1, 0, 2, 0, 1, 0, 5,
1971 0, 1, 0, 2, 0, 1, 0, 3,
1972 0, 1, 0, 2, 0, 1, 0, 4,
1973 0, 1, 0, 2, 0, 1, 0, 3,
1974 0, 1, 0, 2, 0, 1, 0, 6,
1975 0, 1, 0, 2, 0, 1, 0, 3,
1976 0, 1, 0, 2, 0, 1, 0, 4,
1977 0, 1, 0, 2, 0, 1, 0, 3,
1978 0, 1, 0, 2, 0, 1, 0, 5,
1979 0, 1, 0, 2, 0, 1, 0, 3,
1980 0, 1, 0, 2, 0, 1, 0, 4,
1981 0, 1, 0, 2, 0, 1, 0, 3,
1982 0, 1, 0, 2, 0, 1, 0, 8
1983 };
1984
1985
1986 void
sctp_slide_mapping_arrays(struct sctp_tcb * stcb)1987 sctp_slide_mapping_arrays(struct sctp_tcb *stcb)
1988 {
1989 /*
1990 * Now we also need to check the mapping array in a couple of ways.
1991 * 1) Did we move the cum-ack point?
1992 *
1993 * When you first glance at this you might think
1994 * that all entries that make up the postion
1995 * of the cum-ack would be in the nr-mapping array
1996 * only.. i.e. things up to the cum-ack are always
1997 * deliverable. Thats true with one exception, when
1998 * its a fragmented message we may not deliver the data
1999 * until some threshold (or all of it) is in place. So
2000 * we must OR the nr_mapping_array and mapping_array to
2001 * get a true picture of the cum-ack.
2002 */
2003 struct sctp_association *asoc;
2004 int at;
2005 uint8_t val;
2006 int slide_from, slide_end, lgap, distance;
2007 uint32_t old_cumack, old_base, old_highest, highest_tsn;
2008
2009 asoc = &stcb->asoc;
2010
2011 old_cumack = asoc->cumulative_tsn;
2012 old_base = asoc->mapping_array_base_tsn;
2013 old_highest = asoc->highest_tsn_inside_map;
2014 /*
2015 * We could probably improve this a small bit by calculating the
2016 * offset of the current cum-ack as the starting point.
2017 */
2018 at = 0;
2019 for (slide_from = 0; slide_from < stcb->asoc.mapping_array_size; slide_from++) {
2020 val = asoc->nr_mapping_array[slide_from] | asoc->mapping_array[slide_from];
2021 if (val == 0xff) {
2022 at += 8;
2023 } else {
2024 /* there is a 0 bit */
2025 at += sctp_map_lookup_tab[val];
2026 break;
2027 }
2028 }
2029 asoc->cumulative_tsn = asoc->mapping_array_base_tsn + (at-1);
2030
2031 if (SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_map) &&
2032 SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_nr_map)) {
2033 #ifdef INVARIANTS
2034 panic("huh, cumack 0x%x greater than high-tsn 0x%x in map",
2035 asoc->cumulative_tsn, asoc->highest_tsn_inside_map);
2036 #else
2037 SCTP_PRINTF("huh, cumack 0x%x greater than high-tsn 0x%x in map - should panic?\n",
2038 asoc->cumulative_tsn, asoc->highest_tsn_inside_map);
2039 sctp_print_mapping_array(asoc);
2040 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2041 sctp_log_map(0, 6, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
2042 }
2043 asoc->highest_tsn_inside_map = asoc->cumulative_tsn;
2044 asoc->highest_tsn_inside_nr_map = asoc->cumulative_tsn;
2045 #endif
2046 }
2047 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
2048 highest_tsn = asoc->highest_tsn_inside_nr_map;
2049 } else {
2050 highest_tsn = asoc->highest_tsn_inside_map;
2051 }
2052 if ((asoc->cumulative_tsn == highest_tsn) && (at >= 8)) {
2053 /* The complete array was completed by a single FR */
2054 /* highest becomes the cum-ack */
2055 int clr;
2056 #ifdef INVARIANTS
2057 unsigned int i;
2058 #endif
2059
2060 /* clear the array */
2061 clr = ((at+7) >> 3);
2062 if (clr > asoc->mapping_array_size) {
2063 clr = asoc->mapping_array_size;
2064 }
2065 memset(asoc->mapping_array, 0, clr);
2066 memset(asoc->nr_mapping_array, 0, clr);
2067 #ifdef INVARIANTS
2068 for (i = 0; i < asoc->mapping_array_size; i++) {
2069 if ((asoc->mapping_array[i]) || (asoc->nr_mapping_array[i])) {
2070 SCTP_PRINTF("Error Mapping array's not clean at clear\n");
2071 sctp_print_mapping_array(asoc);
2072 }
2073 }
2074 #endif
2075 asoc->mapping_array_base_tsn = asoc->cumulative_tsn + 1;
2076 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map = asoc->cumulative_tsn;
2077 } else if (at >= 8) {
2078 /* we can slide the mapping array down */
2079 /* slide_from holds where we hit the first NON 0xff byte */
2080
2081 /*
2082 * now calculate the ceiling of the move using our highest
2083 * TSN value
2084 */
2085 SCTP_CALC_TSN_TO_GAP(lgap, highest_tsn, asoc->mapping_array_base_tsn);
2086 slide_end = (lgap >> 3);
2087 if (slide_end < slide_from) {
2088 sctp_print_mapping_array(asoc);
2089 #ifdef INVARIANTS
2090 panic("impossible slide");
2091 #else
2092 SCTP_PRINTF("impossible slide lgap:%x slide_end:%x slide_from:%x? at:%d\n",
2093 lgap, slide_end, slide_from, at);
2094 return;
2095 #endif
2096 }
2097 if (slide_end > asoc->mapping_array_size) {
2098 #ifdef INVARIANTS
2099 panic("would overrun buffer");
2100 #else
2101 SCTP_PRINTF("Gak, would have overrun map end:%d slide_end:%d\n",
2102 asoc->mapping_array_size, slide_end);
2103 slide_end = asoc->mapping_array_size;
2104 #endif
2105 }
2106 distance = (slide_end - slide_from) + 1;
2107 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2108 sctp_log_map(old_base, old_cumack, old_highest,
2109 SCTP_MAP_PREPARE_SLIDE);
2110 sctp_log_map((uint32_t) slide_from, (uint32_t) slide_end,
2111 (uint32_t) lgap, SCTP_MAP_SLIDE_FROM);
2112 }
2113 if (distance + slide_from > asoc->mapping_array_size ||
2114 distance < 0) {
2115 /*
2116 * Here we do NOT slide forward the array so that
2117 * hopefully when more data comes in to fill it up
2118 * we will be able to slide it forward. Really I
2119 * don't think this should happen :-0
2120 */
2121
2122 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2123 sctp_log_map((uint32_t) distance, (uint32_t) slide_from,
2124 (uint32_t) asoc->mapping_array_size,
2125 SCTP_MAP_SLIDE_NONE);
2126 }
2127 } else {
2128 int ii;
2129
2130 for (ii = 0; ii < distance; ii++) {
2131 asoc->mapping_array[ii] = asoc->mapping_array[slide_from + ii];
2132 asoc->nr_mapping_array[ii] = asoc->nr_mapping_array[slide_from + ii];
2133
2134 }
2135 for (ii = distance; ii < asoc->mapping_array_size; ii++) {
2136 asoc->mapping_array[ii] = 0;
2137 asoc->nr_mapping_array[ii] = 0;
2138 }
2139 if (asoc->highest_tsn_inside_map + 1 == asoc->mapping_array_base_tsn) {
2140 asoc->highest_tsn_inside_map += (slide_from << 3);
2141 }
2142 if (asoc->highest_tsn_inside_nr_map + 1 == asoc->mapping_array_base_tsn) {
2143 asoc->highest_tsn_inside_nr_map += (slide_from << 3);
2144 }
2145 asoc->mapping_array_base_tsn += (slide_from << 3);
2146 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
2147 sctp_log_map(asoc->mapping_array_base_tsn,
2148 asoc->cumulative_tsn, asoc->highest_tsn_inside_map,
2149 SCTP_MAP_SLIDE_RESULT);
2150 }
2151 }
2152 }
2153 }
2154
2155 void
sctp_sack_check(struct sctp_tcb * stcb,int was_a_gap)2156 sctp_sack_check(struct sctp_tcb *stcb, int was_a_gap)
2157 {
2158 struct sctp_association *asoc;
2159 uint32_t highest_tsn;
2160
2161 asoc = &stcb->asoc;
2162 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
2163 highest_tsn = asoc->highest_tsn_inside_nr_map;
2164 } else {
2165 highest_tsn = asoc->highest_tsn_inside_map;
2166 }
2167
2168 /*
2169 * Now we need to see if we need to queue a sack or just start the
2170 * timer (if allowed).
2171 */
2172 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
2173 /*
2174 * Ok special case, in SHUTDOWN-SENT case. here we
2175 * maker sure SACK timer is off and instead send a
2176 * SHUTDOWN and a SACK
2177 */
2178 if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
2179 sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
2180 stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_INDATA+SCTP_LOC_18);
2181 }
2182 sctp_send_shutdown(stcb,
2183 ((stcb->asoc.alternate) ? stcb->asoc.alternate : stcb->asoc.primary_destination));
2184 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
2185 } else {
2186 int is_a_gap;
2187
2188 /* is there a gap now ? */
2189 is_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
2190
2191 /*
2192 * CMT DAC algorithm: increase number of packets
2193 * received since last ack
2194 */
2195 stcb->asoc.cmt_dac_pkts_rcvd++;
2196
2197 if ((stcb->asoc.send_sack == 1) || /* We need to send a SACK */
2198 ((was_a_gap) && (is_a_gap == 0)) || /* was a gap, but no
2199 * longer is one */
2200 (stcb->asoc.numduptsns) || /* we have dup's */
2201 (is_a_gap) || /* is still a gap */
2202 (stcb->asoc.delayed_ack == 0) || /* Delayed sack disabled */
2203 (stcb->asoc.data_pkts_seen >= stcb->asoc.sack_freq) /* hit limit of pkts */
2204 ) {
2205
2206 if ((stcb->asoc.sctp_cmt_on_off > 0) &&
2207 (SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) &&
2208 (stcb->asoc.send_sack == 0) &&
2209 (stcb->asoc.numduptsns == 0) &&
2210 (stcb->asoc.delayed_ack) &&
2211 (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer))) {
2212
2213 /*
2214 * CMT DAC algorithm: With CMT,
2215 * delay acks even in the face of
2216
2217 * reordering. Therefore, if acks
2218 * that do not have to be sent
2219 * because of the above reasons,
2220 * will be delayed. That is, acks
2221 * that would have been sent due to
2222 * gap reports will be delayed with
2223 * DAC. Start the delayed ack timer.
2224 */
2225 sctp_timer_start(SCTP_TIMER_TYPE_RECV,
2226 stcb->sctp_ep, stcb, NULL);
2227 } else {
2228 /*
2229 * Ok we must build a SACK since the
2230 * timer is pending, we got our
2231 * first packet OR there are gaps or
2232 * duplicates.
2233 */
2234 (void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer);
2235 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
2236 }
2237 } else {
2238 if (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
2239 sctp_timer_start(SCTP_TIMER_TYPE_RECV,
2240 stcb->sctp_ep, stcb, NULL);
2241 }
2242 }
2243 }
2244 }
2245
2246 void
sctp_service_queues(struct sctp_tcb * stcb,struct sctp_association * asoc)2247 sctp_service_queues(struct sctp_tcb *stcb, struct sctp_association *asoc)
2248 {
2249 struct sctp_tmit_chunk *chk;
2250 uint32_t tsize, pd_point;
2251 uint16_t nxt_todel;
2252
2253 if (asoc->fragmented_delivery_inprogress) {
2254 sctp_service_reassembly(stcb, asoc);
2255 }
2256 /* Can we proceed further, i.e. the PD-API is complete */
2257 if (asoc->fragmented_delivery_inprogress) {
2258 /* no */
2259 return;
2260 }
2261 /*
2262 * Now is there some other chunk I can deliver from the reassembly
2263 * queue.
2264 */
2265 doit_again:
2266 chk = TAILQ_FIRST(&asoc->reasmqueue);
2267 if (chk == NULL) {
2268 asoc->size_on_reasm_queue = 0;
2269 asoc->cnt_on_reasm_queue = 0;
2270 return;
2271 }
2272 nxt_todel = asoc->strmin[chk->rec.data.stream_number].last_sequence_delivered + 1;
2273 if ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) &&
2274 ((nxt_todel == chk->rec.data.stream_seq) ||
2275 (chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED))) {
2276 /*
2277 * Yep the first one is here. We setup to start reception,
2278 * by backing down the TSN just in case we can't deliver.
2279 */
2280
2281 /*
2282 * Before we start though either all of the message should
2283 * be here or the socket buffer max or nothing on the
2284 * delivery queue and something can be delivered.
2285 */
2286 if (stcb->sctp_socket) {
2287 pd_point = min(SCTP_SB_LIMIT_RCV(stcb->sctp_socket) >> SCTP_PARTIAL_DELIVERY_SHIFT,
2288 stcb->sctp_ep->partial_delivery_point);
2289 } else {
2290 pd_point = stcb->sctp_ep->partial_delivery_point;
2291 }
2292 if (sctp_is_all_msg_on_reasm(asoc, &tsize) || (tsize >= pd_point)) {
2293 asoc->fragmented_delivery_inprogress = 1;
2294 asoc->tsn_last_delivered = chk->rec.data.TSN_seq - 1;
2295 asoc->str_of_pdapi = chk->rec.data.stream_number;
2296 asoc->ssn_of_pdapi = chk->rec.data.stream_seq;
2297 asoc->pdapi_ppid = chk->rec.data.payloadtype;
2298 asoc->fragment_flags = chk->rec.data.rcv_flags;
2299 sctp_service_reassembly(stcb, asoc);
2300 if (asoc->fragmented_delivery_inprogress == 0) {
2301 goto doit_again;
2302 }
2303 }
2304 }
2305 }
2306
2307 int
sctp_process_data(struct mbuf ** mm,int iphlen,int * offset,int length,struct sockaddr * src,struct sockaddr * dst,struct sctphdr * sh,struct sctp_inpcb * inp,struct sctp_tcb * stcb,struct sctp_nets * net,uint32_t * high_tsn,uint8_t use_mflowid,uint32_t mflowid,uint32_t vrf_id,uint16_t port)2308 sctp_process_data(struct mbuf **mm, int iphlen, int *offset, int length,
2309 struct sockaddr *src, struct sockaddr *dst,
2310 struct sctphdr *sh, struct sctp_inpcb *inp,
2311 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t *high_tsn,
2312 #if defined(__FreeBSD__)
2313 uint8_t use_mflowid, uint32_t mflowid,
2314 #endif
2315 uint32_t vrf_id, uint16_t port)
2316 {
2317 struct sctp_data_chunk *ch, chunk_buf;
2318 struct sctp_association *asoc;
2319 int num_chunks = 0; /* number of control chunks processed */
2320 int stop_proc = 0;
2321 int chk_length, break_flag, last_chunk;
2322 int abort_flag = 0, was_a_gap;
2323 struct mbuf *m;
2324 uint32_t highest_tsn;
2325
2326 /* set the rwnd */
2327 sctp_set_rwnd(stcb, &stcb->asoc);
2328
2329 m = *mm;
2330 SCTP_TCB_LOCK_ASSERT(stcb);
2331 asoc = &stcb->asoc;
2332 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) {
2333 highest_tsn = asoc->highest_tsn_inside_nr_map;
2334 } else {
2335 highest_tsn = asoc->highest_tsn_inside_map;
2336 }
2337 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
2338 /*
2339 * setup where we got the last DATA packet from for any SACK that
2340 * may need to go out. Don't bump the net. This is done ONLY when a
2341 * chunk is assigned.
2342 */
2343 asoc->last_data_chunk_from = net;
2344
2345 #ifndef __Panda__
2346 /*-
2347 * Now before we proceed we must figure out if this is a wasted
2348 * cluster... i.e. it is a small packet sent in and yet the driver
2349 * underneath allocated a full cluster for it. If so we must copy it
2350 * to a smaller mbuf and free up the cluster mbuf. This will help
2351 * with cluster starvation. Note for __Panda__ we don't do this
2352 * since it has clusters all the way down to 64 bytes.
2353 */
2354 if (SCTP_BUF_LEN(m) < (long)MLEN && SCTP_BUF_NEXT(m) == NULL) {
2355 /* we only handle mbufs that are singletons.. not chains */
2356 m = sctp_get_mbuf_for_msg(SCTP_BUF_LEN(m), 0, M_NOWAIT, 1, MT_DATA);
2357 if (m) {
2358 /* ok lets see if we can copy the data up */
2359 caddr_t *from, *to;
2360 /* get the pointers and copy */
2361 to = mtod(m, caddr_t *);
2362 from = mtod((*mm), caddr_t *);
2363 memcpy(to, from, SCTP_BUF_LEN((*mm)));
2364 /* copy the length and free up the old */
2365 SCTP_BUF_LEN(m) = SCTP_BUF_LEN((*mm));
2366 sctp_m_freem(*mm);
2367 /* sucess, back copy */
2368 *mm = m;
2369 } else {
2370 /* We are in trouble in the mbuf world .. yikes */
2371 m = *mm;
2372 }
2373 }
2374 #endif
2375 /* get pointer to the first chunk header */
2376 ch = (struct sctp_data_chunk *)sctp_m_getptr(m, *offset,
2377 sizeof(struct sctp_data_chunk), (uint8_t *) & chunk_buf);
2378 if (ch == NULL) {
2379 return (1);
2380 }
2381 /*
2382 * process all DATA chunks...
2383 */
2384 *high_tsn = asoc->cumulative_tsn;
2385 break_flag = 0;
2386 asoc->data_pkts_seen++;
2387 while (stop_proc == 0) {
2388 /* validate chunk length */
2389 chk_length = ntohs(ch->ch.chunk_length);
2390 if (length - *offset < chk_length) {
2391 /* all done, mutulated chunk */
2392 stop_proc = 1;
2393 continue;
2394 }
2395 if (ch->ch.chunk_type == SCTP_DATA) {
2396 if ((size_t)chk_length < sizeof(struct sctp_data_chunk)) {
2397 /*
2398 * Need to send an abort since we had a
2399 * invalid data chunk.
2400 */
2401 struct mbuf *op_err;
2402 char msg[SCTP_DIAG_INFO_LEN];
2403
2404 snprintf(msg, sizeof(msg), "DATA chunk of length %d",
2405 chk_length);
2406 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
2407 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_19;
2408 sctp_abort_association(inp, stcb, m, iphlen,
2409 src, dst, sh, op_err,
2410 #if defined(__FreeBSD__)
2411 use_mflowid, mflowid,
2412 #endif
2413 vrf_id, port);
2414 return (2);
2415 }
2416 if ((size_t)chk_length == sizeof(struct sctp_data_chunk)) {
2417 /*
2418 * Need to send an abort since we had an
2419 * empty data chunk.
2420 */
2421 struct mbuf *op_err;
2422
2423 op_err = sctp_generate_no_user_data_cause(ch->dp.tsn);
2424 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_19;
2425 sctp_abort_association(inp, stcb, m, iphlen,
2426 src, dst, sh, op_err,
2427 #if defined(__FreeBSD__)
2428 use_mflowid, mflowid,
2429 #endif
2430 vrf_id, port);
2431 return (2);
2432 }
2433 #ifdef SCTP_AUDITING_ENABLED
2434 sctp_audit_log(0xB1, 0);
2435 #endif
2436 if (SCTP_SIZE32(chk_length) == (length - *offset)) {
2437 last_chunk = 1;
2438 } else {
2439 last_chunk = 0;
2440 }
2441 if (sctp_process_a_data_chunk(stcb, asoc, mm, *offset, ch,
2442 chk_length, net, high_tsn, &abort_flag, &break_flag,
2443 last_chunk)) {
2444 num_chunks++;
2445 }
2446 if (abort_flag)
2447 return (2);
2448
2449 if (break_flag) {
2450 /*
2451 * Set because of out of rwnd space and no
2452 * drop rep space left.
2453 */
2454 stop_proc = 1;
2455 continue;
2456 }
2457 } else {
2458 /* not a data chunk in the data region */
2459 switch (ch->ch.chunk_type) {
2460 case SCTP_INITIATION:
2461 case SCTP_INITIATION_ACK:
2462 case SCTP_SELECTIVE_ACK:
2463 case SCTP_NR_SELECTIVE_ACK:
2464 case SCTP_HEARTBEAT_REQUEST:
2465 case SCTP_HEARTBEAT_ACK:
2466 case SCTP_ABORT_ASSOCIATION:
2467 case SCTP_SHUTDOWN:
2468 case SCTP_SHUTDOWN_ACK:
2469 case SCTP_OPERATION_ERROR:
2470 case SCTP_COOKIE_ECHO:
2471 case SCTP_COOKIE_ACK:
2472 case SCTP_ECN_ECHO:
2473 case SCTP_ECN_CWR:
2474 case SCTP_SHUTDOWN_COMPLETE:
2475 case SCTP_AUTHENTICATION:
2476 case SCTP_ASCONF_ACK:
2477 case SCTP_PACKET_DROPPED:
2478 case SCTP_STREAM_RESET:
2479 case SCTP_FORWARD_CUM_TSN:
2480 case SCTP_ASCONF:
2481 /*
2482 * Now, what do we do with KNOWN chunks that
2483 * are NOT in the right place?
2484 *
2485 * For now, I do nothing but ignore them. We
2486 * may later want to add sysctl stuff to
2487 * switch out and do either an ABORT() or
2488 * possibly process them.
2489 */
2490 if (SCTP_BASE_SYSCTL(sctp_strict_data_order)) {
2491 struct mbuf *op_err;
2492
2493 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, "");
2494 sctp_abort_association(inp, stcb,
2495 m, iphlen,
2496 src, dst,
2497 sh, op_err,
2498 #if defined(__FreeBSD__)
2499 use_mflowid, mflowid,
2500 #endif
2501 vrf_id, port);
2502 return (2);
2503 }
2504 break;
2505 default:
2506 /* unknown chunk type, use bit rules */
2507 if (ch->ch.chunk_type & 0x40) {
2508 /* Add a error report to the queue */
2509 struct mbuf *merr;
2510 struct sctp_paramhdr *phd;
2511
2512 merr = sctp_get_mbuf_for_msg(sizeof(*phd), 0, M_NOWAIT, 1, MT_DATA);
2513 if (merr) {
2514 phd = mtod(merr, struct sctp_paramhdr *);
2515 /*
2516 * We cheat and use param
2517 * type since we did not
2518 * bother to define a error
2519 * cause struct. They are
2520 * the same basic format
2521 * with different names.
2522 */
2523 phd->param_type =
2524 htons(SCTP_CAUSE_UNRECOG_CHUNK);
2525 phd->param_length =
2526 htons(chk_length + sizeof(*phd));
2527 SCTP_BUF_LEN(merr) = sizeof(*phd);
2528 SCTP_BUF_NEXT(merr) = SCTP_M_COPYM(m, *offset, chk_length, M_NOWAIT);
2529 if (SCTP_BUF_NEXT(merr)) {
2530 if (sctp_pad_lastmbuf(SCTP_BUF_NEXT(merr), SCTP_SIZE32(chk_length) - chk_length, NULL) == NULL) {
2531 sctp_m_freem(merr);
2532 } else {
2533 sctp_queue_op_err(stcb, merr);
2534 }
2535 } else {
2536 sctp_m_freem(merr);
2537 }
2538 }
2539 }
2540 if ((ch->ch.chunk_type & 0x80) == 0) {
2541 /* discard the rest of this packet */
2542 stop_proc = 1;
2543 } /* else skip this bad chunk and
2544 * continue... */
2545 break;
2546 } /* switch of chunk type */
2547 }
2548 *offset += SCTP_SIZE32(chk_length);
2549 if ((*offset >= length) || stop_proc) {
2550 /* no more data left in the mbuf chain */
2551 stop_proc = 1;
2552 continue;
2553 }
2554 ch = (struct sctp_data_chunk *)sctp_m_getptr(m, *offset,
2555 sizeof(struct sctp_data_chunk), (uint8_t *) & chunk_buf);
2556 if (ch == NULL) {
2557 *offset = length;
2558 stop_proc = 1;
2559 continue;
2560 }
2561 }
2562 if (break_flag) {
2563 /*
2564 * we need to report rwnd overrun drops.
2565 */
2566 sctp_send_packet_dropped(stcb, net, *mm, length, iphlen, 0);
2567 }
2568 if (num_chunks) {
2569 /*
2570 * Did we get data, if so update the time for auto-close and
2571 * give peer credit for being alive.
2572 */
2573 SCTP_STAT_INCR(sctps_recvpktwithdata);
2574 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
2575 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
2576 stcb->asoc.overall_error_count,
2577 0,
2578 SCTP_FROM_SCTP_INDATA,
2579 __LINE__);
2580 }
2581 stcb->asoc.overall_error_count = 0;
2582 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_last_rcvd);
2583 }
2584 /* now service all of the reassm queue if needed */
2585 if (!(TAILQ_EMPTY(&asoc->reasmqueue)))
2586 sctp_service_queues(stcb, asoc);
2587
2588 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
2589 /* Assure that we ack right away */
2590 stcb->asoc.send_sack = 1;
2591 }
2592 /* Start a sack timer or QUEUE a SACK for sending */
2593 sctp_sack_check(stcb, was_a_gap);
2594 return (0);
2595 }
2596
2597 static int
sctp_process_segment_range(struct sctp_tcb * stcb,struct sctp_tmit_chunk ** p_tp1,uint32_t last_tsn,uint16_t frag_strt,uint16_t frag_end,int nr_sacking,int * num_frs,uint32_t * biggest_newly_acked_tsn,uint32_t * this_sack_lowest_newack,int * rto_ok)2598 sctp_process_segment_range(struct sctp_tcb *stcb, struct sctp_tmit_chunk **p_tp1, uint32_t last_tsn,
2599 uint16_t frag_strt, uint16_t frag_end, int nr_sacking,
2600 int *num_frs,
2601 uint32_t *biggest_newly_acked_tsn,
2602 uint32_t *this_sack_lowest_newack,
2603 int *rto_ok)
2604 {
2605 struct sctp_tmit_chunk *tp1;
2606 unsigned int theTSN;
2607 int j, wake_him = 0, circled = 0;
2608
2609 /* Recover the tp1 we last saw */
2610 tp1 = *p_tp1;
2611 if (tp1 == NULL) {
2612 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2613 }
2614 for (j = frag_strt; j <= frag_end; j++) {
2615 theTSN = j + last_tsn;
2616 while (tp1) {
2617 if (tp1->rec.data.doing_fast_retransmit)
2618 (*num_frs) += 1;
2619
2620 /*-
2621 * CMT: CUCv2 algorithm. For each TSN being
2622 * processed from the sent queue, track the
2623 * next expected pseudo-cumack, or
2624 * rtx_pseudo_cumack, if required. Separate
2625 * cumack trackers for first transmissions,
2626 * and retransmissions.
2627 */
2628 if ((tp1->whoTo->find_pseudo_cumack == 1) && (tp1->sent < SCTP_DATAGRAM_RESEND) &&
2629 (tp1->snd_count == 1)) {
2630 tp1->whoTo->pseudo_cumack = tp1->rec.data.TSN_seq;
2631 tp1->whoTo->find_pseudo_cumack = 0;
2632 }
2633 if ((tp1->whoTo->find_rtx_pseudo_cumack == 1) && (tp1->sent < SCTP_DATAGRAM_RESEND) &&
2634 (tp1->snd_count > 1)) {
2635 tp1->whoTo->rtx_pseudo_cumack = tp1->rec.data.TSN_seq;
2636 tp1->whoTo->find_rtx_pseudo_cumack = 0;
2637 }
2638 if (tp1->rec.data.TSN_seq == theTSN) {
2639 if (tp1->sent != SCTP_DATAGRAM_UNSENT) {
2640 /*-
2641 * must be held until
2642 * cum-ack passes
2643 */
2644 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
2645 /*-
2646 * If it is less than RESEND, it is
2647 * now no-longer in flight.
2648 * Higher values may already be set
2649 * via previous Gap Ack Blocks...
2650 * i.e. ACKED or RESEND.
2651 */
2652 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq,
2653 *biggest_newly_acked_tsn)) {
2654 *biggest_newly_acked_tsn = tp1->rec.data.TSN_seq;
2655 }
2656 /*-
2657 * CMT: SFR algo (and HTNA) - set
2658 * saw_newack to 1 for dest being
2659 * newly acked. update
2660 * this_sack_highest_newack if
2661 * appropriate.
2662 */
2663 if (tp1->rec.data.chunk_was_revoked == 0)
2664 tp1->whoTo->saw_newack = 1;
2665
2666 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq,
2667 tp1->whoTo->this_sack_highest_newack)) {
2668 tp1->whoTo->this_sack_highest_newack =
2669 tp1->rec.data.TSN_seq;
2670 }
2671 /*-
2672 * CMT DAC algo: also update
2673 * this_sack_lowest_newack
2674 */
2675 if (*this_sack_lowest_newack == 0) {
2676 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
2677 sctp_log_sack(*this_sack_lowest_newack,
2678 last_tsn,
2679 tp1->rec.data.TSN_seq,
2680 0,
2681 0,
2682 SCTP_LOG_TSN_ACKED);
2683 }
2684 *this_sack_lowest_newack = tp1->rec.data.TSN_seq;
2685 }
2686 /*-
2687 * CMT: CUCv2 algorithm. If (rtx-)pseudo-cumack for corresp
2688 * dest is being acked, then we have a new (rtx-)pseudo-cumack. Set
2689 * new_(rtx_)pseudo_cumack to TRUE so that the cwnd for this dest can be
2690 * updated. Also trigger search for the next expected (rtx-)pseudo-cumack.
2691 * Separate pseudo_cumack trackers for first transmissions and
2692 * retransmissions.
2693 */
2694 if (tp1->rec.data.TSN_seq == tp1->whoTo->pseudo_cumack) {
2695 if (tp1->rec.data.chunk_was_revoked == 0) {
2696 tp1->whoTo->new_pseudo_cumack = 1;
2697 }
2698 tp1->whoTo->find_pseudo_cumack = 1;
2699 }
2700 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
2701 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.TSN_seq, SCTP_CWND_LOG_FROM_SACK);
2702 }
2703 if (tp1->rec.data.TSN_seq == tp1->whoTo->rtx_pseudo_cumack) {
2704 if (tp1->rec.data.chunk_was_revoked == 0) {
2705 tp1->whoTo->new_pseudo_cumack = 1;
2706 }
2707 tp1->whoTo->find_rtx_pseudo_cumack = 1;
2708 }
2709 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
2710 sctp_log_sack(*biggest_newly_acked_tsn,
2711 last_tsn,
2712 tp1->rec.data.TSN_seq,
2713 frag_strt,
2714 frag_end,
2715 SCTP_LOG_TSN_ACKED);
2716 }
2717 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
2718 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_GAP,
2719 tp1->whoTo->flight_size,
2720 tp1->book_size,
2721 (uintptr_t)tp1->whoTo,
2722 tp1->rec.data.TSN_seq);
2723 }
2724 sctp_flight_size_decrease(tp1);
2725 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
2726 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
2727 tp1);
2728 }
2729 sctp_total_flight_decrease(stcb, tp1);
2730
2731 tp1->whoTo->net_ack += tp1->send_size;
2732 if (tp1->snd_count < 2) {
2733 /*-
2734 * True non-retransmited chunk
2735 */
2736 tp1->whoTo->net_ack2 += tp1->send_size;
2737
2738 /*-
2739 * update RTO too ?
2740 */
2741 if (tp1->do_rtt) {
2742 if (*rto_ok) {
2743 tp1->whoTo->RTO =
2744 sctp_calculate_rto(stcb,
2745 &stcb->asoc,
2746 tp1->whoTo,
2747 &tp1->sent_rcv_time,
2748 sctp_align_safe_nocopy,
2749 SCTP_RTT_FROM_DATA);
2750 *rto_ok = 0;
2751 }
2752 if (tp1->whoTo->rto_needed == 0) {
2753 tp1->whoTo->rto_needed = 1;
2754 }
2755 tp1->do_rtt = 0;
2756 }
2757 }
2758
2759 }
2760 if (tp1->sent <= SCTP_DATAGRAM_RESEND) {
2761 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq,
2762 stcb->asoc.this_sack_highest_gap)) {
2763 stcb->asoc.this_sack_highest_gap =
2764 tp1->rec.data.TSN_seq;
2765 }
2766 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
2767 sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
2768 #ifdef SCTP_AUDITING_ENABLED
2769 sctp_audit_log(0xB2,
2770 (stcb->asoc.sent_queue_retran_cnt & 0x000000ff));
2771 #endif
2772 }
2773 }
2774 /*-
2775 * All chunks NOT UNSENT fall through here and are marked
2776 * (leave PR-SCTP ones that are to skip alone though)
2777 */
2778 if ((tp1->sent != SCTP_FORWARD_TSN_SKIP) &&
2779 (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) {
2780 tp1->sent = SCTP_DATAGRAM_MARKED;
2781 }
2782 if (tp1->rec.data.chunk_was_revoked) {
2783 /* deflate the cwnd */
2784 tp1->whoTo->cwnd -= tp1->book_size;
2785 tp1->rec.data.chunk_was_revoked = 0;
2786 }
2787 /* NR Sack code here */
2788 if (nr_sacking &&
2789 (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) {
2790 if (stcb->asoc.strmout[tp1->rec.data.stream_number].chunks_on_queues > 0) {
2791 stcb->asoc.strmout[tp1->rec.data.stream_number].chunks_on_queues--;
2792 #ifdef INVARIANTS
2793 } else {
2794 panic("No chunks on the queues for sid %u.", tp1->rec.data.stream_number);
2795 #endif
2796 }
2797 tp1->sent = SCTP_DATAGRAM_NR_ACKED;
2798 if (tp1->data) {
2799 /* sa_ignore NO_NULL_CHK */
2800 sctp_free_bufspace(stcb, &stcb->asoc, tp1, 1);
2801 sctp_m_freem(tp1->data);
2802 tp1->data = NULL;
2803 }
2804 wake_him++;
2805 }
2806 }
2807 break;
2808 } /* if (tp1->TSN_seq == theTSN) */
2809 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, theTSN)) {
2810 break;
2811 }
2812 tp1 = TAILQ_NEXT(tp1, sctp_next);
2813 if ((tp1 == NULL) && (circled == 0)) {
2814 circled++;
2815 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2816 }
2817 } /* end while (tp1) */
2818 if (tp1 == NULL) {
2819 circled = 0;
2820 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue);
2821 }
2822 /* In case the fragments were not in order we must reset */
2823 } /* end for (j = fragStart */
2824 *p_tp1 = tp1;
2825 return (wake_him); /* Return value only used for nr-sack */
2826 }
2827
2828
2829 static int
sctp_handle_segments(struct mbuf * m,int * offset,struct sctp_tcb * stcb,struct sctp_association * asoc,uint32_t last_tsn,uint32_t * biggest_tsn_acked,uint32_t * biggest_newly_acked_tsn,uint32_t * this_sack_lowest_newack,int num_seg,int num_nr_seg,int * rto_ok)2830 sctp_handle_segments(struct mbuf *m, int *offset, struct sctp_tcb *stcb, struct sctp_association *asoc,
2831 uint32_t last_tsn, uint32_t *biggest_tsn_acked,
2832 uint32_t *biggest_newly_acked_tsn, uint32_t *this_sack_lowest_newack,
2833 int num_seg, int num_nr_seg, int *rto_ok)
2834 {
2835 struct sctp_gap_ack_block *frag, block;
2836 struct sctp_tmit_chunk *tp1;
2837 int i;
2838 int num_frs = 0;
2839 int chunk_freed;
2840 int non_revocable;
2841 uint16_t frag_strt, frag_end, prev_frag_end;
2842
2843 tp1 = TAILQ_FIRST(&asoc->sent_queue);
2844 prev_frag_end = 0;
2845 chunk_freed = 0;
2846
2847 for (i = 0; i < (num_seg + num_nr_seg); i++) {
2848 if (i == num_seg) {
2849 prev_frag_end = 0;
2850 tp1 = TAILQ_FIRST(&asoc->sent_queue);
2851 }
2852 frag = (struct sctp_gap_ack_block *)sctp_m_getptr(m, *offset,
2853 sizeof(struct sctp_gap_ack_block), (uint8_t *) &block);
2854 *offset += sizeof(block);
2855 if (frag == NULL) {
2856 return (chunk_freed);
2857 }
2858 frag_strt = ntohs(frag->start);
2859 frag_end = ntohs(frag->end);
2860
2861 if (frag_strt > frag_end) {
2862 /* This gap report is malformed, skip it. */
2863 continue;
2864 }
2865 if (frag_strt <= prev_frag_end) {
2866 /* This gap report is not in order, so restart. */
2867 tp1 = TAILQ_FIRST(&asoc->sent_queue);
2868 }
2869 if (SCTP_TSN_GT((last_tsn + frag_end), *biggest_tsn_acked)) {
2870 *biggest_tsn_acked = last_tsn + frag_end;
2871 }
2872 if (i < num_seg) {
2873 non_revocable = 0;
2874 } else {
2875 non_revocable = 1;
2876 }
2877 if (sctp_process_segment_range(stcb, &tp1, last_tsn, frag_strt, frag_end,
2878 non_revocable, &num_frs, biggest_newly_acked_tsn,
2879 this_sack_lowest_newack, rto_ok)) {
2880 chunk_freed = 1;
2881 }
2882 prev_frag_end = frag_end;
2883 }
2884 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
2885 if (num_frs)
2886 sctp_log_fr(*biggest_tsn_acked,
2887 *biggest_newly_acked_tsn,
2888 last_tsn, SCTP_FR_LOG_BIGGEST_TSNS);
2889 }
2890 return (chunk_freed);
2891 }
2892
2893 static void
sctp_check_for_revoked(struct sctp_tcb * stcb,struct sctp_association * asoc,uint32_t cumack,uint32_t biggest_tsn_acked)2894 sctp_check_for_revoked(struct sctp_tcb *stcb,
2895 struct sctp_association *asoc, uint32_t cumack,
2896 uint32_t biggest_tsn_acked)
2897 {
2898 struct sctp_tmit_chunk *tp1;
2899
2900 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
2901 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, cumack)) {
2902 /*
2903 * ok this guy is either ACK or MARKED. If it is
2904 * ACKED it has been previously acked but not this
2905 * time i.e. revoked. If it is MARKED it was ACK'ed
2906 * again.
2907 */
2908 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, biggest_tsn_acked)) {
2909 break;
2910 }
2911 if (tp1->sent == SCTP_DATAGRAM_ACKED) {
2912 /* it has been revoked */
2913 tp1->sent = SCTP_DATAGRAM_SENT;
2914 tp1->rec.data.chunk_was_revoked = 1;
2915 /* We must add this stuff back in to
2916 * assure timers and such get started.
2917 */
2918 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
2919 sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE,
2920 tp1->whoTo->flight_size,
2921 tp1->book_size,
2922 (uintptr_t)tp1->whoTo,
2923 tp1->rec.data.TSN_seq);
2924 }
2925 sctp_flight_size_increase(tp1);
2926 sctp_total_flight_increase(stcb, tp1);
2927 /* We inflate the cwnd to compensate for our
2928 * artificial inflation of the flight_size.
2929 */
2930 tp1->whoTo->cwnd += tp1->book_size;
2931 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
2932 sctp_log_sack(asoc->last_acked_seq,
2933 cumack,
2934 tp1->rec.data.TSN_seq,
2935 0,
2936 0,
2937 SCTP_LOG_TSN_REVOKED);
2938 }
2939 } else if (tp1->sent == SCTP_DATAGRAM_MARKED) {
2940 /* it has been re-acked in this SACK */
2941 tp1->sent = SCTP_DATAGRAM_ACKED;
2942 }
2943 }
2944 if (tp1->sent == SCTP_DATAGRAM_UNSENT)
2945 break;
2946 }
2947 }
2948
2949
2950 static void
sctp_strike_gap_ack_chunks(struct sctp_tcb * stcb,struct sctp_association * asoc,uint32_t biggest_tsn_acked,uint32_t biggest_tsn_newly_acked,uint32_t this_sack_lowest_newack,int accum_moved)2951 sctp_strike_gap_ack_chunks(struct sctp_tcb *stcb, struct sctp_association *asoc,
2952 uint32_t biggest_tsn_acked, uint32_t biggest_tsn_newly_acked, uint32_t this_sack_lowest_newack, int accum_moved)
2953 {
2954 struct sctp_tmit_chunk *tp1;
2955 int strike_flag = 0;
2956 struct timeval now;
2957 int tot_retrans = 0;
2958 uint32_t sending_seq;
2959 struct sctp_nets *net;
2960 int num_dests_sacked = 0;
2961
2962 /*
2963 * select the sending_seq, this is either the next thing ready to be
2964 * sent but not transmitted, OR, the next seq we assign.
2965 */
2966 tp1 = TAILQ_FIRST(&stcb->asoc.send_queue);
2967 if (tp1 == NULL) {
2968 sending_seq = asoc->sending_seq;
2969 } else {
2970 sending_seq = tp1->rec.data.TSN_seq;
2971 }
2972
2973 /* CMT DAC algo: finding out if SACK is a mixed SACK */
2974 if ((asoc->sctp_cmt_on_off > 0) &&
2975 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
2976 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
2977 if (net->saw_newack)
2978 num_dests_sacked++;
2979 }
2980 }
2981 if (stcb->asoc.prsctp_supported) {
2982 (void)SCTP_GETTIME_TIMEVAL(&now);
2983 }
2984 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
2985 strike_flag = 0;
2986 if (tp1->no_fr_allowed) {
2987 /* this one had a timeout or something */
2988 continue;
2989 }
2990 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
2991 if (tp1->sent < SCTP_DATAGRAM_RESEND)
2992 sctp_log_fr(biggest_tsn_newly_acked,
2993 tp1->rec.data.TSN_seq,
2994 tp1->sent,
2995 SCTP_FR_LOG_CHECK_STRIKE);
2996 }
2997 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, biggest_tsn_acked) ||
2998 tp1->sent == SCTP_DATAGRAM_UNSENT) {
2999 /* done */
3000 break;
3001 }
3002 if (stcb->asoc.prsctp_supported) {
3003 if ((PR_SCTP_TTL_ENABLED(tp1->flags)) && tp1->sent < SCTP_DATAGRAM_ACKED) {
3004 /* Is it expired? */
3005 #ifndef __FreeBSD__
3006 if (timercmp(&now, &tp1->rec.data.timetodrop, >)) {
3007 #else
3008 if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) {
3009 #endif
3010 /* Yes so drop it */
3011 if (tp1->data != NULL) {
3012 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1,
3013 SCTP_SO_NOT_LOCKED);
3014 }
3015 continue;
3016 }
3017 }
3018
3019 }
3020 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, asoc->this_sack_highest_gap)) {
3021 /* we are beyond the tsn in the sack */
3022 break;
3023 }
3024 if (tp1->sent >= SCTP_DATAGRAM_RESEND) {
3025 /* either a RESEND, ACKED, or MARKED */
3026 /* skip */
3027 if (tp1->sent == SCTP_FORWARD_TSN_SKIP) {
3028 /* Continue strikin FWD-TSN chunks */
3029 tp1->rec.data.fwd_tsn_cnt++;
3030 }
3031 continue;
3032 }
3033 /*
3034 * CMT : SFR algo (covers part of DAC and HTNA as well)
3035 */
3036 if (tp1->whoTo && tp1->whoTo->saw_newack == 0) {
3037 /*
3038 * No new acks were receieved for data sent to this
3039 * dest. Therefore, according to the SFR algo for
3040 * CMT, no data sent to this dest can be marked for
3041 * FR using this SACK.
3042 */
3043 continue;
3044 } else if (tp1->whoTo && SCTP_TSN_GT(tp1->rec.data.TSN_seq,
3045 tp1->whoTo->this_sack_highest_newack)) {
3046 /*
3047 * CMT: New acks were receieved for data sent to
3048 * this dest. But no new acks were seen for data
3049 * sent after tp1. Therefore, according to the SFR
3050 * algo for CMT, tp1 cannot be marked for FR using
3051 * this SACK. This step covers part of the DAC algo
3052 * and the HTNA algo as well.
3053 */
3054 continue;
3055 }
3056 /*
3057 * Here we check to see if we were have already done a FR
3058 * and if so we see if the biggest TSN we saw in the sack is
3059 * smaller than the recovery point. If so we don't strike
3060 * the tsn... otherwise we CAN strike the TSN.
3061 */
3062 /*
3063 * @@@ JRI: Check for CMT
3064 * if (accum_moved && asoc->fast_retran_loss_recovery && (sctp_cmt_on_off == 0)) {
3065 */
3066 if (accum_moved && asoc->fast_retran_loss_recovery) {
3067 /*
3068 * Strike the TSN if in fast-recovery and cum-ack
3069 * moved.
3070 */
3071 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3072 sctp_log_fr(biggest_tsn_newly_acked,
3073 tp1->rec.data.TSN_seq,
3074 tp1->sent,
3075 SCTP_FR_LOG_STRIKE_CHUNK);
3076 }
3077 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3078 tp1->sent++;
3079 }
3080 if ((asoc->sctp_cmt_on_off > 0) &&
3081 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3082 /*
3083 * CMT DAC algorithm: If SACK flag is set to
3084 * 0, then lowest_newack test will not pass
3085 * because it would have been set to the
3086 * cumack earlier. If not already to be
3087 * rtx'd, If not a mixed sack and if tp1 is
3088 * not between two sacked TSNs, then mark by
3089 * one more.
3090 * NOTE that we are marking by one additional time since the SACK DAC flag indicates that
3091 * two packets have been received after this missing TSN.
3092 */
3093 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) &&
3094 SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.TSN_seq)) {
3095 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3096 sctp_log_fr(16 + num_dests_sacked,
3097 tp1->rec.data.TSN_seq,
3098 tp1->sent,
3099 SCTP_FR_LOG_STRIKE_CHUNK);
3100 }
3101 tp1->sent++;
3102 }
3103 }
3104 } else if ((tp1->rec.data.doing_fast_retransmit) &&
3105 (asoc->sctp_cmt_on_off == 0)) {
3106 /*
3107 * For those that have done a FR we must take
3108 * special consideration if we strike. I.e the
3109 * biggest_newly_acked must be higher than the
3110 * sending_seq at the time we did the FR.
3111 */
3112 if (
3113 #ifdef SCTP_FR_TO_ALTERNATE
3114 /*
3115 * If FR's go to new networks, then we must only do
3116 * this for singly homed asoc's. However if the FR's
3117 * go to the same network (Armando's work) then its
3118 * ok to FR multiple times.
3119 */
3120 (asoc->numnets < 2)
3121 #else
3122 (1)
3123 #endif
3124 ) {
3125
3126 if (SCTP_TSN_GE(biggest_tsn_newly_acked,
3127 tp1->rec.data.fast_retran_tsn)) {
3128 /*
3129 * Strike the TSN, since this ack is
3130 * beyond where things were when we
3131 * did a FR.
3132 */
3133 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3134 sctp_log_fr(biggest_tsn_newly_acked,
3135 tp1->rec.data.TSN_seq,
3136 tp1->sent,
3137 SCTP_FR_LOG_STRIKE_CHUNK);
3138 }
3139 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3140 tp1->sent++;
3141 }
3142 strike_flag = 1;
3143 if ((asoc->sctp_cmt_on_off > 0) &&
3144 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3145 /*
3146 * CMT DAC algorithm: If
3147 * SACK flag is set to 0,
3148 * then lowest_newack test
3149 * will not pass because it
3150 * would have been set to
3151 * the cumack earlier. If
3152 * not already to be rtx'd,
3153 * If not a mixed sack and
3154 * if tp1 is not between two
3155 * sacked TSNs, then mark by
3156 * one more.
3157 * NOTE that we are marking by one additional time since the SACK DAC flag indicates that
3158 * two packets have been received after this missing TSN.
3159 */
3160 if ((tp1->sent < SCTP_DATAGRAM_RESEND) &&
3161 (num_dests_sacked == 1) &&
3162 SCTP_TSN_GT(this_sack_lowest_newack,
3163 tp1->rec.data.TSN_seq)) {
3164 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3165 sctp_log_fr(32 + num_dests_sacked,
3166 tp1->rec.data.TSN_seq,
3167 tp1->sent,
3168 SCTP_FR_LOG_STRIKE_CHUNK);
3169 }
3170 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3171 tp1->sent++;
3172 }
3173 }
3174 }
3175 }
3176 }
3177 /*
3178 * JRI: TODO: remove code for HTNA algo. CMT's
3179 * SFR algo covers HTNA.
3180 */
3181 } else if (SCTP_TSN_GT(tp1->rec.data.TSN_seq,
3182 biggest_tsn_newly_acked)) {
3183 /*
3184 * We don't strike these: This is the HTNA
3185 * algorithm i.e. we don't strike If our TSN is
3186 * larger than the Highest TSN Newly Acked.
3187 */
3188 ;
3189 } else {
3190 /* Strike the TSN */
3191 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3192 sctp_log_fr(biggest_tsn_newly_acked,
3193 tp1->rec.data.TSN_seq,
3194 tp1->sent,
3195 SCTP_FR_LOG_STRIKE_CHUNK);
3196 }
3197 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3198 tp1->sent++;
3199 }
3200 if ((asoc->sctp_cmt_on_off > 0) &&
3201 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
3202 /*
3203 * CMT DAC algorithm: If SACK flag is set to
3204 * 0, then lowest_newack test will not pass
3205 * because it would have been set to the
3206 * cumack earlier. If not already to be
3207 * rtx'd, If not a mixed sack and if tp1 is
3208 * not between two sacked TSNs, then mark by
3209 * one more.
3210 * NOTE that we are marking by one additional time since the SACK DAC flag indicates that
3211 * two packets have been received after this missing TSN.
3212 */
3213 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) &&
3214 SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.TSN_seq)) {
3215 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3216 sctp_log_fr(48 + num_dests_sacked,
3217 tp1->rec.data.TSN_seq,
3218 tp1->sent,
3219 SCTP_FR_LOG_STRIKE_CHUNK);
3220 }
3221 tp1->sent++;
3222 }
3223 }
3224 }
3225 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
3226 struct sctp_nets *alt;
3227
3228 /* fix counts and things */
3229 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3230 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_RSND,
3231 (tp1->whoTo ? (tp1->whoTo->flight_size) : 0),
3232 tp1->book_size,
3233 (uintptr_t)tp1->whoTo,
3234 tp1->rec.data.TSN_seq);
3235 }
3236 if (tp1->whoTo) {
3237 tp1->whoTo->net_ack++;
3238 sctp_flight_size_decrease(tp1);
3239 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
3240 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
3241 tp1);
3242 }
3243 }
3244
3245 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
3246 sctp_log_rwnd(SCTP_INCREASE_PEER_RWND,
3247 asoc->peers_rwnd, tp1->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
3248 }
3249 /* add back to the rwnd */
3250 asoc->peers_rwnd += (tp1->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
3251
3252 /* remove from the total flight */
3253 sctp_total_flight_decrease(stcb, tp1);
3254
3255 if ((stcb->asoc.prsctp_supported) &&
3256 (PR_SCTP_RTX_ENABLED(tp1->flags))) {
3257 /* Has it been retransmitted tv_sec times? - we store the retran count there. */
3258 if (tp1->snd_count > tp1->rec.data.timetodrop.tv_sec) {
3259 /* Yes, so drop it */
3260 if (tp1->data != NULL) {
3261 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1,
3262 SCTP_SO_NOT_LOCKED);
3263 }
3264 /* Make sure to flag we had a FR */
3265 tp1->whoTo->net_ack++;
3266 continue;
3267 }
3268 }
3269 /* SCTP_PRINTF("OK, we are now ready to FR this guy\n"); */
3270 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) {
3271 sctp_log_fr(tp1->rec.data.TSN_seq, tp1->snd_count,
3272 0, SCTP_FR_MARKED);
3273 }
3274 if (strike_flag) {
3275 /* This is a subsequent FR */
3276 SCTP_STAT_INCR(sctps_sendmultfastretrans);
3277 }
3278 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3279 if (asoc->sctp_cmt_on_off > 0) {
3280 /*
3281 * CMT: Using RTX_SSTHRESH policy for CMT.
3282 * If CMT is being used, then pick dest with
3283 * largest ssthresh for any retransmission.
3284 */
3285 tp1->no_fr_allowed = 1;
3286 alt = tp1->whoTo;
3287 /*sa_ignore NO_NULL_CHK*/
3288 if (asoc->sctp_cmt_pf > 0) {
3289 /* JRS 5/18/07 - If CMT PF is on, use the PF version of find_alt_net() */
3290 alt = sctp_find_alternate_net(stcb, alt, 2);
3291 } else {
3292 /* JRS 5/18/07 - If only CMT is on, use the CMT version of find_alt_net() */
3293 /*sa_ignore NO_NULL_CHK*/
3294 alt = sctp_find_alternate_net(stcb, alt, 1);
3295 }
3296 if (alt == NULL) {
3297 alt = tp1->whoTo;
3298 }
3299 /*
3300 * CUCv2: If a different dest is picked for
3301 * the retransmission, then new
3302 * (rtx-)pseudo_cumack needs to be tracked
3303 * for orig dest. Let CUCv2 track new (rtx-)
3304 * pseudo-cumack always.
3305 */
3306 if (tp1->whoTo) {
3307 tp1->whoTo->find_pseudo_cumack = 1;
3308 tp1->whoTo->find_rtx_pseudo_cumack = 1;
3309 }
3310
3311 } else {/* CMT is OFF */
3312
3313 #ifdef SCTP_FR_TO_ALTERNATE
3314 /* Can we find an alternate? */
3315 alt = sctp_find_alternate_net(stcb, tp1->whoTo, 0);
3316 #else
3317 /*
3318 * default behavior is to NOT retransmit
3319 * FR's to an alternate. Armando Caro's
3320 * paper details why.
3321 */
3322 alt = tp1->whoTo;
3323 #endif
3324 }
3325
3326 tp1->rec.data.doing_fast_retransmit = 1;
3327 tot_retrans++;
3328 /* mark the sending seq for possible subsequent FR's */
3329 /*
3330 * SCTP_PRINTF("Marking TSN for FR new value %x\n",
3331 * (uint32_t)tpi->rec.data.TSN_seq);
3332 */
3333 if (TAILQ_EMPTY(&asoc->send_queue)) {
3334 /*
3335 * If the queue of send is empty then its
3336 * the next sequence number that will be
3337 * assigned so we subtract one from this to
3338 * get the one we last sent.
3339 */
3340 tp1->rec.data.fast_retran_tsn = sending_seq;
3341 } else {
3342 /*
3343 * If there are chunks on the send queue
3344 * (unsent data that has made it from the
3345 * stream queues but not out the door, we
3346 * take the first one (which will have the
3347 * lowest TSN) and subtract one to get the
3348 * one we last sent.
3349 */
3350 struct sctp_tmit_chunk *ttt;
3351
3352 ttt = TAILQ_FIRST(&asoc->send_queue);
3353 tp1->rec.data.fast_retran_tsn =
3354 ttt->rec.data.TSN_seq;
3355 }
3356
3357 if (tp1->do_rtt) {
3358 /*
3359 * this guy had a RTO calculation pending on
3360 * it, cancel it
3361 */
3362 if ((tp1->whoTo != NULL) &&
3363 (tp1->whoTo->rto_needed == 0)) {
3364 tp1->whoTo->rto_needed = 1;
3365 }
3366 tp1->do_rtt = 0;
3367 }
3368 if (alt != tp1->whoTo) {
3369 /* yes, there is an alternate. */
3370 sctp_free_remote_addr(tp1->whoTo);
3371 /*sa_ignore FREED_MEMORY*/
3372 tp1->whoTo = alt;
3373 atomic_add_int(&alt->ref_count, 1);
3374 }
3375 }
3376 }
3377 }
3378
3379 struct sctp_tmit_chunk *
3380 sctp_try_advance_peer_ack_point(struct sctp_tcb *stcb,
3381 struct sctp_association *asoc)
3382 {
3383 struct sctp_tmit_chunk *tp1, *tp2, *a_adv = NULL;
3384 struct timeval now;
3385 int now_filled = 0;
3386
3387 if (asoc->prsctp_supported == 0) {
3388 return (NULL);
3389 }
3390 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
3391 if (tp1->sent != SCTP_FORWARD_TSN_SKIP &&
3392 tp1->sent != SCTP_DATAGRAM_RESEND &&
3393 tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
3394 /* no chance to advance, out of here */
3395 break;
3396 }
3397 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
3398 if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) ||
3399 (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) {
3400 sctp_misc_ints(SCTP_FWD_TSN_CHECK,
3401 asoc->advanced_peer_ack_point,
3402 tp1->rec.data.TSN_seq, 0, 0);
3403 }
3404 }
3405 if (!PR_SCTP_ENABLED(tp1->flags)) {
3406 /*
3407 * We can't fwd-tsn past any that are reliable aka
3408 * retransmitted until the asoc fails.
3409 */
3410 break;
3411 }
3412 if (!now_filled) {
3413 (void)SCTP_GETTIME_TIMEVAL(&now);
3414 now_filled = 1;
3415 }
3416 /*
3417 * now we got a chunk which is marked for another
3418 * retransmission to a PR-stream but has run out its chances
3419 * already maybe OR has been marked to skip now. Can we skip
3420 * it if its a resend?
3421 */
3422 if (tp1->sent == SCTP_DATAGRAM_RESEND &&
3423 (PR_SCTP_TTL_ENABLED(tp1->flags))) {
3424 /*
3425 * Now is this one marked for resend and its time is
3426 * now up?
3427 */
3428 #ifndef __FreeBSD__
3429 if (timercmp(&now, &tp1->rec.data.timetodrop, >)) {
3430 #else
3431 if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) {
3432 #endif
3433 /* Yes so drop it */
3434 if (tp1->data) {
3435 (void)sctp_release_pr_sctp_chunk(stcb, tp1,
3436 1, SCTP_SO_NOT_LOCKED);
3437 }
3438 } else {
3439 /*
3440 * No, we are done when hit one for resend
3441 * whos time as not expired.
3442 */
3443 break;
3444 }
3445 }
3446 /*
3447 * Ok now if this chunk is marked to drop it we can clean up
3448 * the chunk, advance our peer ack point and we can check
3449 * the next chunk.
3450 */
3451 if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) ||
3452 (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) {
3453 /* advance PeerAckPoint goes forward */
3454 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, asoc->advanced_peer_ack_point)) {
3455 asoc->advanced_peer_ack_point = tp1->rec.data.TSN_seq;
3456 a_adv = tp1;
3457 } else if (tp1->rec.data.TSN_seq == asoc->advanced_peer_ack_point) {
3458 /* No update but we do save the chk */
3459 a_adv = tp1;
3460 }
3461 } else {
3462 /*
3463 * If it is still in RESEND we can advance no
3464 * further
3465 */
3466 break;
3467 }
3468 }
3469 return (a_adv);
3470 }
3471
3472 static int
3473 sctp_fs_audit(struct sctp_association *asoc)
3474 {
3475 struct sctp_tmit_chunk *chk;
3476 int inflight = 0, resend = 0, inbetween = 0, acked = 0, above = 0;
3477 int entry_flight, entry_cnt, ret;
3478
3479 entry_flight = asoc->total_flight;
3480 entry_cnt = asoc->total_flight_count;
3481 ret = 0;
3482
3483 if (asoc->pr_sctp_cnt >= asoc->sent_queue_cnt)
3484 return (0);
3485
3486 TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
3487 if (chk->sent < SCTP_DATAGRAM_RESEND) {
3488 SCTP_PRINTF("Chk TSN:%u size:%d inflight cnt:%d\n",
3489 chk->rec.data.TSN_seq,
3490 chk->send_size,
3491 chk->snd_count);
3492 inflight++;
3493 } else if (chk->sent == SCTP_DATAGRAM_RESEND) {
3494 resend++;
3495 } else if (chk->sent < SCTP_DATAGRAM_ACKED) {
3496 inbetween++;
3497 } else if (chk->sent > SCTP_DATAGRAM_ACKED) {
3498 above++;
3499 } else {
3500 acked++;
3501 }
3502 }
3503
3504 if ((inflight > 0) || (inbetween > 0)) {
3505 #ifdef INVARIANTS
3506 panic("Flight size-express incorrect? \n");
3507 #else
3508 SCTP_PRINTF("asoc->total_flight:%d cnt:%d\n",
3509 entry_flight, entry_cnt);
3510
3511 SCTP_PRINTF("Flight size-express incorrect F:%d I:%d R:%d Ab:%d ACK:%d\n",
3512 inflight, inbetween, resend, above, acked);
3513 ret = 1;
3514 #endif
3515 }
3516 return (ret);
3517 }
3518
3519
3520 static void
3521 sctp_window_probe_recovery(struct sctp_tcb *stcb,
3522 struct sctp_association *asoc,
3523 struct sctp_tmit_chunk *tp1)
3524 {
3525 tp1->window_probe = 0;
3526 if ((tp1->sent >= SCTP_DATAGRAM_ACKED) || (tp1->data == NULL)) {
3527 /* TSN's skipped we do NOT move back. */
3528 sctp_misc_ints(SCTP_FLIGHT_LOG_DWN_WP_FWD,
3529 tp1->whoTo->flight_size,
3530 tp1->book_size,
3531 (uintptr_t)tp1->whoTo,
3532 tp1->rec.data.TSN_seq);
3533 return;
3534 }
3535 /* First setup this by shrinking flight */
3536 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
3537 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
3538 tp1);
3539 }
3540 sctp_flight_size_decrease(tp1);
3541 sctp_total_flight_decrease(stcb, tp1);
3542 /* Now mark for resend */
3543 tp1->sent = SCTP_DATAGRAM_RESEND;
3544 sctp_ucount_incr(asoc->sent_queue_retran_cnt);
3545
3546 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3547 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_WP,
3548 tp1->whoTo->flight_size,
3549 tp1->book_size,
3550 (uintptr_t)tp1->whoTo,
3551 tp1->rec.data.TSN_seq);
3552 }
3553 }
3554
3555 void
3556 sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack,
3557 uint32_t rwnd, int *abort_now, int ecne_seen)
3558 {
3559 struct sctp_nets *net;
3560 struct sctp_association *asoc;
3561 struct sctp_tmit_chunk *tp1, *tp2;
3562 uint32_t old_rwnd;
3563 int win_probe_recovery = 0;
3564 int win_probe_recovered = 0;
3565 int j, done_once = 0;
3566 int rto_ok = 1;
3567
3568 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) {
3569 sctp_misc_ints(SCTP_SACK_LOG_EXPRESS, cumack,
3570 rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd);
3571 }
3572 SCTP_TCB_LOCK_ASSERT(stcb);
3573 #ifdef SCTP_ASOCLOG_OF_TSNS
3574 stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cumack;
3575 stcb->asoc.cumack_log_at++;
3576 if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) {
3577 stcb->asoc.cumack_log_at = 0;
3578 }
3579 #endif
3580 asoc = &stcb->asoc;
3581 old_rwnd = asoc->peers_rwnd;
3582 if (SCTP_TSN_GT(asoc->last_acked_seq, cumack)) {
3583 /* old ack */
3584 return;
3585 } else if (asoc->last_acked_seq == cumack) {
3586 /* Window update sack */
3587 asoc->peers_rwnd = sctp_sbspace_sub(rwnd,
3588 (uint32_t) (asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
3589 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
3590 /* SWS sender side engages */
3591 asoc->peers_rwnd = 0;
3592 }
3593 if (asoc->peers_rwnd > old_rwnd) {
3594 goto again;
3595 }
3596 return;
3597 }
3598
3599 /* First setup for CC stuff */
3600 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
3601 if (SCTP_TSN_GT(cumack, net->cwr_window_tsn)) {
3602 /* Drag along the window_tsn for cwr's */
3603 net->cwr_window_tsn = cumack;
3604 }
3605 net->prev_cwnd = net->cwnd;
3606 net->net_ack = 0;
3607 net->net_ack2 = 0;
3608
3609 /*
3610 * CMT: Reset CUC and Fast recovery algo variables before
3611 * SACK processing
3612 */
3613 net->new_pseudo_cumack = 0;
3614 net->will_exit_fast_recovery = 0;
3615 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) {
3616 (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack)(stcb, net);
3617 }
3618 }
3619 if (SCTP_BASE_SYSCTL(sctp_strict_sacks)) {
3620 uint32_t send_s;
3621
3622 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
3623 tp1 = TAILQ_LAST(&asoc->sent_queue,
3624 sctpchunk_listhead);
3625 send_s = tp1->rec.data.TSN_seq + 1;
3626 } else {
3627 send_s = asoc->sending_seq;
3628 }
3629 if (SCTP_TSN_GE(cumack, send_s)) {
3630 #ifndef INVARIANTS
3631 struct mbuf *op_err;
3632 char msg[SCTP_DIAG_INFO_LEN];
3633
3634 #endif
3635 #ifdef INVARIANTS
3636 panic("Impossible sack 1");
3637 #else
3638
3639 *abort_now = 1;
3640 /* XXX */
3641 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal then TSN %8.8x",
3642 cumack, send_s);
3643 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
3644 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_25;
3645 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
3646 return;
3647 #endif
3648 }
3649 }
3650 asoc->this_sack_highest_gap = cumack;
3651 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
3652 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
3653 stcb->asoc.overall_error_count,
3654 0,
3655 SCTP_FROM_SCTP_INDATA,
3656 __LINE__);
3657 }
3658 stcb->asoc.overall_error_count = 0;
3659 if (SCTP_TSN_GT(cumack, asoc->last_acked_seq)) {
3660 /* process the new consecutive TSN first */
3661 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
3662 if (SCTP_TSN_GE(cumack, tp1->rec.data.TSN_seq)) {
3663 if (tp1->sent == SCTP_DATAGRAM_UNSENT) {
3664 SCTP_PRINTF("Warning, an unsent is now acked?\n");
3665 }
3666 if (tp1->sent < SCTP_DATAGRAM_ACKED) {
3667 /*
3668 * If it is less than ACKED, it is
3669 * now no-longer in flight. Higher
3670 * values may occur during marking
3671 */
3672 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3673 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3674 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA,
3675 tp1->whoTo->flight_size,
3676 tp1->book_size,
3677 (uintptr_t)tp1->whoTo,
3678 tp1->rec.data.TSN_seq);
3679 }
3680 sctp_flight_size_decrease(tp1);
3681 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
3682 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
3683 tp1);
3684 }
3685 /* sa_ignore NO_NULL_CHK */
3686 sctp_total_flight_decrease(stcb, tp1);
3687 }
3688 tp1->whoTo->net_ack += tp1->send_size;
3689 if (tp1->snd_count < 2) {
3690 /*
3691 * True non-retransmited
3692 * chunk
3693 */
3694 tp1->whoTo->net_ack2 +=
3695 tp1->send_size;
3696
3697 /* update RTO too? */
3698 if (tp1->do_rtt) {
3699 if (rto_ok) {
3700 tp1->whoTo->RTO =
3701 /*
3702 * sa_ignore
3703 * NO_NULL_CHK
3704 */
3705 sctp_calculate_rto(stcb,
3706 asoc, tp1->whoTo,
3707 &tp1->sent_rcv_time,
3708 sctp_align_safe_nocopy,
3709 SCTP_RTT_FROM_DATA);
3710 rto_ok = 0;
3711 }
3712 if (tp1->whoTo->rto_needed == 0) {
3713 tp1->whoTo->rto_needed = 1;
3714 }
3715 tp1->do_rtt = 0;
3716 }
3717 }
3718 /*
3719 * CMT: CUCv2 algorithm. From the
3720 * cumack'd TSNs, for each TSN being
3721 * acked for the first time, set the
3722 * following variables for the
3723 * corresp destination.
3724 * new_pseudo_cumack will trigger a
3725 * cwnd update.
3726 * find_(rtx_)pseudo_cumack will
3727 * trigger search for the next
3728 * expected (rtx-)pseudo-cumack.
3729 */
3730 tp1->whoTo->new_pseudo_cumack = 1;
3731 tp1->whoTo->find_pseudo_cumack = 1;
3732 tp1->whoTo->find_rtx_pseudo_cumack = 1;
3733
3734 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
3735 /* sa_ignore NO_NULL_CHK */
3736 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.TSN_seq, SCTP_CWND_LOG_FROM_SACK);
3737 }
3738 }
3739 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
3740 sctp_ucount_decr(asoc->sent_queue_retran_cnt);
3741 }
3742 if (tp1->rec.data.chunk_was_revoked) {
3743 /* deflate the cwnd */
3744 tp1->whoTo->cwnd -= tp1->book_size;
3745 tp1->rec.data.chunk_was_revoked = 0;
3746 }
3747 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
3748 if (asoc->strmout[tp1->rec.data.stream_number].chunks_on_queues > 0) {
3749 asoc->strmout[tp1->rec.data.stream_number].chunks_on_queues--;
3750 #ifdef INVARIANTS
3751 } else {
3752 panic("No chunks on the queues for sid %u.", tp1->rec.data.stream_number);
3753 #endif
3754 }
3755 }
3756 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next);
3757 if (tp1->data) {
3758 /* sa_ignore NO_NULL_CHK */
3759 sctp_free_bufspace(stcb, asoc, tp1, 1);
3760 sctp_m_freem(tp1->data);
3761 tp1->data = NULL;
3762 }
3763 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
3764 sctp_log_sack(asoc->last_acked_seq,
3765 cumack,
3766 tp1->rec.data.TSN_seq,
3767 0,
3768 0,
3769 SCTP_LOG_FREE_SENT);
3770 }
3771 asoc->sent_queue_cnt--;
3772 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED);
3773 } else {
3774 break;
3775 }
3776 }
3777
3778 }
3779 #if defined(__Userspace__)
3780 if (stcb->sctp_ep->recv_callback) {
3781 if (stcb->sctp_socket) {
3782 uint32_t inqueue_bytes, sb_free_now;
3783 struct sctp_inpcb *inp;
3784
3785 inp = stcb->sctp_ep;
3786 inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
3787 sb_free_now = SCTP_SB_LIMIT_SND(stcb->sctp_socket) - (inqueue_bytes + stcb->asoc.sb_send_resv);
3788
3789 /* check if the amount free in the send socket buffer crossed the threshold */
3790 if (inp->send_callback &&
3791 (((inp->send_sb_threshold > 0) &&
3792 (sb_free_now >= inp->send_sb_threshold) &&
3793 (stcb->asoc.chunks_on_out_queue <= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) ||
3794 (inp->send_sb_threshold == 0))) {
3795 atomic_add_int(&stcb->asoc.refcnt, 1);
3796 SCTP_TCB_UNLOCK(stcb);
3797 inp->send_callback(stcb->sctp_socket, sb_free_now);
3798 SCTP_TCB_LOCK(stcb);
3799 atomic_subtract_int(&stcb->asoc.refcnt, 1);
3800 }
3801 }
3802 } else if (stcb->sctp_socket) {
3803 #else
3804 /* sa_ignore NO_NULL_CHK */
3805 if (stcb->sctp_socket) {
3806 #endif
3807 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3808 struct socket *so;
3809
3810 #endif
3811 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd);
3812 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
3813 /* sa_ignore NO_NULL_CHK */
3814 sctp_wakeup_log(stcb, 1, SCTP_WAKESND_FROM_SACK);
3815 }
3816 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3817 so = SCTP_INP_SO(stcb->sctp_ep);
3818 atomic_add_int(&stcb->asoc.refcnt, 1);
3819 SCTP_TCB_UNLOCK(stcb);
3820 SCTP_SOCKET_LOCK(so, 1);
3821 SCTP_TCB_LOCK(stcb);
3822 atomic_subtract_int(&stcb->asoc.refcnt, 1);
3823 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
3824 /* assoc was freed while we were unlocked */
3825 SCTP_SOCKET_UNLOCK(so, 1);
3826 return;
3827 }
3828 #endif
3829 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket);
3830 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3831 SCTP_SOCKET_UNLOCK(so, 1);
3832 #endif
3833 } else {
3834 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
3835 sctp_wakeup_log(stcb, 1, SCTP_NOWAKE_FROM_SACK);
3836 }
3837 }
3838
3839 /* JRS - Use the congestion control given in the CC module */
3840 if ((asoc->last_acked_seq != cumack) && (ecne_seen == 0)) {
3841 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
3842 if (net->net_ack2 > 0) {
3843 /*
3844 * Karn's rule applies to clearing error count, this
3845 * is optional.
3846 */
3847 net->error_count = 0;
3848 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) {
3849 /* addr came good */
3850 net->dest_state |= SCTP_ADDR_REACHABLE;
3851 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
3852 0, (void *)net, SCTP_SO_NOT_LOCKED);
3853 }
3854 if (net == stcb->asoc.primary_destination) {
3855 if (stcb->asoc.alternate) {
3856 /* release the alternate, primary is good */
3857 sctp_free_remote_addr(stcb->asoc.alternate);
3858 stcb->asoc.alternate = NULL;
3859 }
3860 }
3861 if (net->dest_state & SCTP_ADDR_PF) {
3862 net->dest_state &= ~SCTP_ADDR_PF;
3863 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3);
3864 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
3865 asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
3866 /* Done with this net */
3867 net->net_ack = 0;
3868 }
3869 /* restore any doubled timers */
3870 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv;
3871 if (net->RTO < stcb->asoc.minrto) {
3872 net->RTO = stcb->asoc.minrto;
3873 }
3874 if (net->RTO > stcb->asoc.maxrto) {
3875 net->RTO = stcb->asoc.maxrto;
3876 }
3877 }
3878 }
3879 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, 1, 0, 0);
3880 }
3881 asoc->last_acked_seq = cumack;
3882
3883 if (TAILQ_EMPTY(&asoc->sent_queue)) {
3884 /* nothing left in-flight */
3885 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
3886 net->flight_size = 0;
3887 net->partial_bytes_acked = 0;
3888 }
3889 asoc->total_flight = 0;
3890 asoc->total_flight_count = 0;
3891 }
3892
3893 /* RWND update */
3894 asoc->peers_rwnd = sctp_sbspace_sub(rwnd,
3895 (uint32_t) (asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
3896 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
3897 /* SWS sender side engages */
3898 asoc->peers_rwnd = 0;
3899 }
3900 if (asoc->peers_rwnd > old_rwnd) {
3901 win_probe_recovery = 1;
3902 }
3903 /* Now assure a timer where data is queued at */
3904 again:
3905 j = 0;
3906 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
3907 int to_ticks;
3908 if (win_probe_recovery && (net->window_probe)) {
3909 win_probe_recovered = 1;
3910 /*
3911 * Find first chunk that was used with window probe
3912 * and clear the sent
3913 */
3914 /* sa_ignore FREED_MEMORY */
3915 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
3916 if (tp1->window_probe) {
3917 /* move back to data send queue */
3918 sctp_window_probe_recovery(stcb, asoc, tp1);
3919 break;
3920 }
3921 }
3922 }
3923 if (net->RTO == 0) {
3924 to_ticks = MSEC_TO_TICKS(stcb->asoc.initial_rto);
3925 } else {
3926 to_ticks = MSEC_TO_TICKS(net->RTO);
3927 }
3928 if (net->flight_size) {
3929 j++;
3930 (void)SCTP_OS_TIMER_START(&net->rxt_timer.timer, to_ticks,
3931 sctp_timeout_handler, &net->rxt_timer);
3932 if (net->window_probe) {
3933 net->window_probe = 0;
3934 }
3935 } else {
3936 if (net->window_probe) {
3937 /* In window probes we must assure a timer is still running there */
3938 net->window_probe = 0;
3939 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
3940 SCTP_OS_TIMER_START(&net->rxt_timer.timer, to_ticks,
3941 sctp_timeout_handler, &net->rxt_timer);
3942 }
3943 } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
3944 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
3945 stcb, net,
3946 SCTP_FROM_SCTP_INDATA + SCTP_LOC_22);
3947 }
3948 }
3949 }
3950 if ((j == 0) &&
3951 (!TAILQ_EMPTY(&asoc->sent_queue)) &&
3952 (asoc->sent_queue_retran_cnt == 0) &&
3953 (win_probe_recovered == 0) &&
3954 (done_once == 0)) {
3955 /* huh, this should not happen unless all packets
3956 * are PR-SCTP and marked to skip of course.
3957 */
3958 if (sctp_fs_audit(asoc)) {
3959 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
3960 net->flight_size = 0;
3961 }
3962 asoc->total_flight = 0;
3963 asoc->total_flight_count = 0;
3964 asoc->sent_queue_retran_cnt = 0;
3965 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
3966 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3967 sctp_flight_size_increase(tp1);
3968 sctp_total_flight_increase(stcb, tp1);
3969 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) {
3970 sctp_ucount_incr(asoc->sent_queue_retran_cnt);
3971 }
3972 }
3973 }
3974 done_once = 1;
3975 goto again;
3976 }
3977 /**********************************/
3978 /* Now what about shutdown issues */
3979 /**********************************/
3980 if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) {
3981 /* nothing left on sendqueue.. consider done */
3982 /* clean up */
3983 if ((asoc->stream_queue_cnt == 1) &&
3984 ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
3985 (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED)) &&
3986 (asoc->locked_on_sending)
3987 ) {
3988 struct sctp_stream_queue_pending *sp;
3989 /* I may be in a state where we got
3990 * all across.. but cannot write more due
3991 * to a shutdown... we abort since the
3992 * user did not indicate EOR in this case. The
3993 * sp will be cleaned during free of the asoc.
3994 */
3995 sp = TAILQ_LAST(&((asoc->locked_on_sending)->outqueue),
3996 sctp_streamhead);
3997 if ((sp) && (sp->length == 0)) {
3998 /* Let cleanup code purge it */
3999 if (sp->msg_is_complete) {
4000 asoc->stream_queue_cnt--;
4001 } else {
4002 asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
4003 asoc->locked_on_sending = NULL;
4004 asoc->stream_queue_cnt--;
4005 }
4006 }
4007 }
4008 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) &&
4009 (asoc->stream_queue_cnt == 0)) {
4010 if (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT) {
4011 /* Need to abort here */
4012 struct mbuf *op_err;
4013
4014 abort_out_now:
4015 *abort_now = 1;
4016 /* XXX */
4017 op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
4018 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_24;
4019 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
4020 } else {
4021 struct sctp_nets *netp;
4022
4023 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
4024 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
4025 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4026 }
4027 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
4028 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
4029 sctp_stop_timers_for_shutdown(stcb);
4030 if (asoc->alternate) {
4031 netp = asoc->alternate;
4032 } else {
4033 netp = asoc->primary_destination;
4034 }
4035 sctp_send_shutdown(stcb, netp);
4036 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN,
4037 stcb->sctp_ep, stcb, netp);
4038 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
4039 stcb->sctp_ep, stcb, netp);
4040 }
4041 } else if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) &&
4042 (asoc->stream_queue_cnt == 0)) {
4043 struct sctp_nets *netp;
4044
4045 if (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT) {
4046 goto abort_out_now;
4047 }
4048 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4049 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
4050 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
4051 sctp_stop_timers_for_shutdown(stcb);
4052 if (asoc->alternate) {
4053 netp = asoc->alternate;
4054 } else {
4055 netp = asoc->primary_destination;
4056 }
4057 sctp_send_shutdown_ack(stcb, netp);
4058 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
4059 stcb->sctp_ep, stcb, netp);
4060 }
4061 }
4062 /*********************************************/
4063 /* Here we perform PR-SCTP procedures */
4064 /* (section 4.2) */
4065 /*********************************************/
4066 /* C1. update advancedPeerAckPoint */
4067 if (SCTP_TSN_GT(cumack, asoc->advanced_peer_ack_point)) {
4068 asoc->advanced_peer_ack_point = cumack;
4069 }
4070 /* PR-Sctp issues need to be addressed too */
4071 if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) {
4072 struct sctp_tmit_chunk *lchk;
4073 uint32_t old_adv_peer_ack_point;
4074
4075 old_adv_peer_ack_point = asoc->advanced_peer_ack_point;
4076 lchk = sctp_try_advance_peer_ack_point(stcb, asoc);
4077 /* C3. See if we need to send a Fwd-TSN */
4078 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cumack)) {
4079 /*
4080 * ISSUE with ECN, see FWD-TSN processing.
4081 */
4082 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) {
4083 send_forward_tsn(stcb, asoc);
4084 } else if (lchk) {
4085 /* try to FR fwd-tsn's that get lost too */
4086 if (lchk->rec.data.fwd_tsn_cnt >= 3) {
4087 send_forward_tsn(stcb, asoc);
4088 }
4089 }
4090 }
4091 if (lchk) {
4092 /* Assure a timer is up */
4093 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
4094 stcb->sctp_ep, stcb, lchk->whoTo);
4095 }
4096 }
4097 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) {
4098 sctp_misc_ints(SCTP_SACK_RWND_UPDATE,
4099 rwnd,
4100 stcb->asoc.peers_rwnd,
4101 stcb->asoc.total_flight,
4102 stcb->asoc.total_output_queue_size);
4103 }
4104 }
4105
4106 void
4107 sctp_handle_sack(struct mbuf *m, int offset_seg, int offset_dup,
4108 struct sctp_tcb *stcb,
4109 uint16_t num_seg, uint16_t num_nr_seg, uint16_t num_dup,
4110 int *abort_now, uint8_t flags,
4111 uint32_t cum_ack, uint32_t rwnd, int ecne_seen)
4112 {
4113 struct sctp_association *asoc;
4114 struct sctp_tmit_chunk *tp1, *tp2;
4115 uint32_t last_tsn, biggest_tsn_acked, biggest_tsn_newly_acked, this_sack_lowest_newack;
4116 uint16_t wake_him = 0;
4117 uint32_t send_s = 0;
4118 long j;
4119 int accum_moved = 0;
4120 int will_exit_fast_recovery = 0;
4121 uint32_t a_rwnd, old_rwnd;
4122 int win_probe_recovery = 0;
4123 int win_probe_recovered = 0;
4124 struct sctp_nets *net = NULL;
4125 int done_once;
4126 int rto_ok = 1;
4127 uint8_t reneged_all = 0;
4128 uint8_t cmt_dac_flag;
4129 /*
4130 * we take any chance we can to service our queues since we cannot
4131 * get awoken when the socket is read from :<
4132 */
4133 /*
4134 * Now perform the actual SACK handling: 1) Verify that it is not an
4135 * old sack, if so discard. 2) If there is nothing left in the send
4136 * queue (cum-ack is equal to last acked) then you have a duplicate
4137 * too, update any rwnd change and verify no timers are running.
4138 * then return. 3) Process any new consequtive data i.e. cum-ack
4139 * moved process these first and note that it moved. 4) Process any
4140 * sack blocks. 5) Drop any acked from the queue. 6) Check for any
4141 * revoked blocks and mark. 7) Update the cwnd. 8) Nothing left,
4142 * sync up flightsizes and things, stop all timers and also check
4143 * for shutdown_pending state. If so then go ahead and send off the
4144 * shutdown. If in shutdown recv, send off the shutdown-ack and
4145 * start that timer, Ret. 9) Strike any non-acked things and do FR
4146 * procedure if needed being sure to set the FR flag. 10) Do pr-sctp
4147 * procedures. 11) Apply any FR penalties. 12) Assure we will SACK
4148 * if in shutdown_recv state.
4149 */
4150 SCTP_TCB_LOCK_ASSERT(stcb);
4151 /* CMT DAC algo */
4152 this_sack_lowest_newack = 0;
4153 SCTP_STAT_INCR(sctps_slowpath_sack);
4154 last_tsn = cum_ack;
4155 cmt_dac_flag = flags & SCTP_SACK_CMT_DAC;
4156 #ifdef SCTP_ASOCLOG_OF_TSNS
4157 stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cum_ack;
4158 stcb->asoc.cumack_log_at++;
4159 if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) {
4160 stcb->asoc.cumack_log_at = 0;
4161 }
4162 #endif
4163 a_rwnd = rwnd;
4164
4165 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) {
4166 sctp_misc_ints(SCTP_SACK_LOG_NORMAL, cum_ack,
4167 rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd);
4168 }
4169
4170 old_rwnd = stcb->asoc.peers_rwnd;
4171 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4172 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4173 stcb->asoc.overall_error_count,
4174 0,
4175 SCTP_FROM_SCTP_INDATA,
4176 __LINE__);
4177 }
4178 stcb->asoc.overall_error_count = 0;
4179 asoc = &stcb->asoc;
4180 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4181 sctp_log_sack(asoc->last_acked_seq,
4182 cum_ack,
4183 0,
4184 num_seg,
4185 num_dup,
4186 SCTP_LOG_NEW_SACK);
4187 }
4188 if ((num_dup) && (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE)) {
4189 uint16_t i;
4190 uint32_t *dupdata, dblock;
4191
4192 for (i = 0; i < num_dup; i++) {
4193 dupdata = (uint32_t *)sctp_m_getptr(m, offset_dup + i * sizeof(uint32_t),
4194 sizeof(uint32_t), (uint8_t *)&dblock);
4195 if (dupdata == NULL) {
4196 break;
4197 }
4198 sctp_log_fr(*dupdata, 0, 0, SCTP_FR_DUPED);
4199 }
4200 }
4201 if (SCTP_BASE_SYSCTL(sctp_strict_sacks)) {
4202 /* reality check */
4203 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
4204 tp1 = TAILQ_LAST(&asoc->sent_queue,
4205 sctpchunk_listhead);
4206 send_s = tp1->rec.data.TSN_seq + 1;
4207 } else {
4208 tp1 = NULL;
4209 send_s = asoc->sending_seq;
4210 }
4211 if (SCTP_TSN_GE(cum_ack, send_s)) {
4212 struct mbuf *op_err;
4213 char msg[SCTP_DIAG_INFO_LEN];
4214
4215 /*
4216 * no way, we have not even sent this TSN out yet.
4217 * Peer is hopelessly messed up with us.
4218 */
4219 SCTP_PRINTF("NEW cum_ack:%x send_s:%x is smaller or equal\n",
4220 cum_ack, send_s);
4221 if (tp1) {
4222 SCTP_PRINTF("Got send_s from tsn:%x + 1 of tp1:%p\n",
4223 tp1->rec.data.TSN_seq, (void *)tp1);
4224 }
4225 hopeless_peer:
4226 *abort_now = 1;
4227 /* XXX */
4228 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal then TSN %8.8x",
4229 cum_ack, send_s);
4230 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
4231 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_25;
4232 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
4233 return;
4234 }
4235 }
4236 /**********************/
4237 /* 1) check the range */
4238 /**********************/
4239 if (SCTP_TSN_GT(asoc->last_acked_seq, last_tsn)) {
4240 /* acking something behind */
4241 return;
4242 }
4243
4244 /* update the Rwnd of the peer */
4245 if (TAILQ_EMPTY(&asoc->sent_queue) &&
4246 TAILQ_EMPTY(&asoc->send_queue) &&
4247 (asoc->stream_queue_cnt == 0)) {
4248 /* nothing left on send/sent and strmq */
4249 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
4250 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
4251 asoc->peers_rwnd, 0, 0, a_rwnd);
4252 }
4253 asoc->peers_rwnd = a_rwnd;
4254 if (asoc->sent_queue_retran_cnt) {
4255 asoc->sent_queue_retran_cnt = 0;
4256 }
4257 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4258 /* SWS sender side engages */
4259 asoc->peers_rwnd = 0;
4260 }
4261 /* stop any timers */
4262 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4263 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4264 stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_26);
4265 net->partial_bytes_acked = 0;
4266 net->flight_size = 0;
4267 }
4268 asoc->total_flight = 0;
4269 asoc->total_flight_count = 0;
4270 return;
4271 }
4272 /*
4273 * We init netAckSz and netAckSz2 to 0. These are used to track 2
4274 * things. The total byte count acked is tracked in netAckSz AND
4275 * netAck2 is used to track the total bytes acked that are un-
4276 * amibguious and were never retransmitted. We track these on a per
4277 * destination address basis.
4278 */
4279 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4280 if (SCTP_TSN_GT(cum_ack, net->cwr_window_tsn)) {
4281 /* Drag along the window_tsn for cwr's */
4282 net->cwr_window_tsn = cum_ack;
4283 }
4284 net->prev_cwnd = net->cwnd;
4285 net->net_ack = 0;
4286 net->net_ack2 = 0;
4287
4288 /*
4289 * CMT: Reset CUC and Fast recovery algo variables before
4290 * SACK processing
4291 */
4292 net->new_pseudo_cumack = 0;
4293 net->will_exit_fast_recovery = 0;
4294 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) {
4295 (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack)(stcb, net);
4296 }
4297 }
4298 /* process the new consecutive TSN first */
4299 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4300 if (SCTP_TSN_GE(last_tsn, tp1->rec.data.TSN_seq)) {
4301 if (tp1->sent != SCTP_DATAGRAM_UNSENT) {
4302 accum_moved = 1;
4303 if (tp1->sent < SCTP_DATAGRAM_ACKED) {
4304 /*
4305 * If it is less than ACKED, it is
4306 * now no-longer in flight. Higher
4307 * values may occur during marking
4308 */
4309 if ((tp1->whoTo->dest_state &
4310 SCTP_ADDR_UNCONFIRMED) &&
4311 (tp1->snd_count < 2)) {
4312 /*
4313 * If there was no retran
4314 * and the address is
4315 * un-confirmed and we sent
4316 * there and are now
4317 * sacked.. its confirmed,
4318 * mark it so.
4319 */
4320 tp1->whoTo->dest_state &=
4321 ~SCTP_ADDR_UNCONFIRMED;
4322 }
4323 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
4324 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
4325 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA,
4326 tp1->whoTo->flight_size,
4327 tp1->book_size,
4328 (uintptr_t)tp1->whoTo,
4329 tp1->rec.data.TSN_seq);
4330 }
4331 sctp_flight_size_decrease(tp1);
4332 sctp_total_flight_decrease(stcb, tp1);
4333 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) {
4334 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged)(tp1->whoTo,
4335 tp1);
4336 }
4337 }
4338 tp1->whoTo->net_ack += tp1->send_size;
4339
4340 /* CMT SFR and DAC algos */
4341 this_sack_lowest_newack = tp1->rec.data.TSN_seq;
4342 tp1->whoTo->saw_newack = 1;
4343
4344 if (tp1->snd_count < 2) {
4345 /*
4346 * True non-retransmited
4347 * chunk
4348 */
4349 tp1->whoTo->net_ack2 +=
4350 tp1->send_size;
4351
4352 /* update RTO too? */
4353 if (tp1->do_rtt) {
4354 if (rto_ok) {
4355 tp1->whoTo->RTO =
4356 sctp_calculate_rto(stcb,
4357 asoc, tp1->whoTo,
4358 &tp1->sent_rcv_time,
4359 sctp_align_safe_nocopy,
4360 SCTP_RTT_FROM_DATA);
4361 rto_ok = 0;
4362 }
4363 if (tp1->whoTo->rto_needed == 0) {
4364 tp1->whoTo->rto_needed = 1;
4365 }
4366 tp1->do_rtt = 0;
4367 }
4368 }
4369 /*
4370 * CMT: CUCv2 algorithm. From the
4371 * cumack'd TSNs, for each TSN being
4372 * acked for the first time, set the
4373 * following variables for the
4374 * corresp destination.
4375 * new_pseudo_cumack will trigger a
4376 * cwnd update.
4377 * find_(rtx_)pseudo_cumack will
4378 * trigger search for the next
4379 * expected (rtx-)pseudo-cumack.
4380 */
4381 tp1->whoTo->new_pseudo_cumack = 1;
4382 tp1->whoTo->find_pseudo_cumack = 1;
4383 tp1->whoTo->find_rtx_pseudo_cumack = 1;
4384
4385
4386 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4387 sctp_log_sack(asoc->last_acked_seq,
4388 cum_ack,
4389 tp1->rec.data.TSN_seq,
4390 0,
4391 0,
4392 SCTP_LOG_TSN_ACKED);
4393 }
4394 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
4395 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.TSN_seq, SCTP_CWND_LOG_FROM_SACK);
4396 }
4397 }
4398 if (tp1->sent == SCTP_DATAGRAM_RESEND) {
4399 sctp_ucount_decr(asoc->sent_queue_retran_cnt);
4400 #ifdef SCTP_AUDITING_ENABLED
4401 sctp_audit_log(0xB3,
4402 (asoc->sent_queue_retran_cnt & 0x000000ff));
4403 #endif
4404 }
4405 if (tp1->rec.data.chunk_was_revoked) {
4406 /* deflate the cwnd */
4407 tp1->whoTo->cwnd -= tp1->book_size;
4408 tp1->rec.data.chunk_was_revoked = 0;
4409 }
4410 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
4411 tp1->sent = SCTP_DATAGRAM_ACKED;
4412 }
4413 }
4414 } else {
4415 break;
4416 }
4417 }
4418 biggest_tsn_newly_acked = biggest_tsn_acked = last_tsn;
4419 /* always set this up to cum-ack */
4420 asoc->this_sack_highest_gap = last_tsn;
4421
4422 if ((num_seg > 0) || (num_nr_seg > 0)) {
4423
4424 /*
4425 * CMT: SFR algo (and HTNA) - this_sack_highest_newack has
4426 * to be greater than the cumack. Also reset saw_newack to 0
4427 * for all dests.
4428 */
4429 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4430 net->saw_newack = 0;
4431 net->this_sack_highest_newack = last_tsn;
4432 }
4433
4434 /*
4435 * thisSackHighestGap will increase while handling NEW
4436 * segments this_sack_highest_newack will increase while
4437 * handling NEWLY ACKED chunks. this_sack_lowest_newack is
4438 * used for CMT DAC algo. saw_newack will also change.
4439 */
4440 if (sctp_handle_segments(m, &offset_seg, stcb, asoc, last_tsn, &biggest_tsn_acked,
4441 &biggest_tsn_newly_acked, &this_sack_lowest_newack,
4442 num_seg, num_nr_seg, &rto_ok)) {
4443 wake_him++;
4444 }
4445 if (SCTP_BASE_SYSCTL(sctp_strict_sacks)) {
4446 /*
4447 * validate the biggest_tsn_acked in the gap acks if
4448 * strict adherence is wanted.
4449 */
4450 if (SCTP_TSN_GE(biggest_tsn_acked, send_s)) {
4451 /*
4452 * peer is either confused or we are under
4453 * attack. We must abort.
4454 */
4455 SCTP_PRINTF("Hopeless peer! biggest_tsn_acked:%x largest seq:%x\n",
4456 biggest_tsn_acked, send_s);
4457 goto hopeless_peer;
4458 }
4459 }
4460 }
4461 /*******************************************/
4462 /* cancel ALL T3-send timer if accum moved */
4463 /*******************************************/
4464 if (asoc->sctp_cmt_on_off > 0) {
4465 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4466 if (net->new_pseudo_cumack)
4467 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4468 stcb, net,
4469 SCTP_FROM_SCTP_INDATA + SCTP_LOC_27);
4470
4471 }
4472 } else {
4473 if (accum_moved) {
4474 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4475 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4476 stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_28);
4477 }
4478 }
4479 }
4480 /********************************************/
4481 /* drop the acked chunks from the sentqueue */
4482 /********************************************/
4483 asoc->last_acked_seq = cum_ack;
4484
4485 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) {
4486 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, cum_ack)) {
4487 break;
4488 }
4489 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) {
4490 if (asoc->strmout[tp1->rec.data.stream_number].chunks_on_queues > 0) {
4491 asoc->strmout[tp1->rec.data.stream_number].chunks_on_queues--;
4492 #ifdef INVARIANTS
4493 } else {
4494 panic("No chunks on the queues for sid %u.", tp1->rec.data.stream_number);
4495 #endif
4496 }
4497 }
4498 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next);
4499 if (PR_SCTP_ENABLED(tp1->flags)) {
4500 if (asoc->pr_sctp_cnt != 0)
4501 asoc->pr_sctp_cnt--;
4502 }
4503 asoc->sent_queue_cnt--;
4504 if (tp1->data) {
4505 /* sa_ignore NO_NULL_CHK */
4506 sctp_free_bufspace(stcb, asoc, tp1, 1);
4507 sctp_m_freem(tp1->data);
4508 tp1->data = NULL;
4509 if (asoc->prsctp_supported && PR_SCTP_BUF_ENABLED(tp1->flags)) {
4510 asoc->sent_queue_cnt_removeable--;
4511 }
4512 }
4513 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) {
4514 sctp_log_sack(asoc->last_acked_seq,
4515 cum_ack,
4516 tp1->rec.data.TSN_seq,
4517 0,
4518 0,
4519 SCTP_LOG_FREE_SENT);
4520 }
4521 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED);
4522 wake_him++;
4523 }
4524 if (TAILQ_EMPTY(&asoc->sent_queue) && (asoc->total_flight > 0)) {
4525 #ifdef INVARIANTS
4526 panic("Warning flight size is postive and should be 0");
4527 #else
4528 SCTP_PRINTF("Warning flight size incorrect should be 0 is %d\n",
4529 asoc->total_flight);
4530 #endif
4531 asoc->total_flight = 0;
4532 }
4533
4534 #if defined(__Userspace__)
4535 if (stcb->sctp_ep->recv_callback) {
4536 if (stcb->sctp_socket) {
4537 uint32_t inqueue_bytes, sb_free_now;
4538 struct sctp_inpcb *inp;
4539
4540 inp = stcb->sctp_ep;
4541 inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
4542 sb_free_now = SCTP_SB_LIMIT_SND(stcb->sctp_socket) - (inqueue_bytes + stcb->asoc.sb_send_resv);
4543
4544 /* check if the amount free in the send socket buffer crossed the threshold */
4545 if (inp->send_callback &&
4546 (((inp->send_sb_threshold > 0) && (sb_free_now >= inp->send_sb_threshold)) ||
4547 (inp->send_sb_threshold == 0))) {
4548 atomic_add_int(&stcb->asoc.refcnt, 1);
4549 SCTP_TCB_UNLOCK(stcb);
4550 inp->send_callback(stcb->sctp_socket, sb_free_now);
4551 SCTP_TCB_LOCK(stcb);
4552 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4553 }
4554 }
4555 } else if ((wake_him) && (stcb->sctp_socket)) {
4556 #else
4557 /* sa_ignore NO_NULL_CHK */
4558 if ((wake_him) && (stcb->sctp_socket)) {
4559 #endif
4560 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4561 struct socket *so;
4562
4563 #endif
4564 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd);
4565 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4566 sctp_wakeup_log(stcb, wake_him, SCTP_WAKESND_FROM_SACK);
4567 }
4568 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4569 so = SCTP_INP_SO(stcb->sctp_ep);
4570 atomic_add_int(&stcb->asoc.refcnt, 1);
4571 SCTP_TCB_UNLOCK(stcb);
4572 SCTP_SOCKET_LOCK(so, 1);
4573 SCTP_TCB_LOCK(stcb);
4574 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4575 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
4576 /* assoc was freed while we were unlocked */
4577 SCTP_SOCKET_UNLOCK(so, 1);
4578 return;
4579 }
4580 #endif
4581 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket);
4582 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4583 SCTP_SOCKET_UNLOCK(so, 1);
4584 #endif
4585 } else {
4586 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) {
4587 sctp_wakeup_log(stcb, wake_him, SCTP_NOWAKE_FROM_SACK);
4588 }
4589 }
4590
4591 if (asoc->fast_retran_loss_recovery && accum_moved) {
4592 if (SCTP_TSN_GE(asoc->last_acked_seq, asoc->fast_recovery_tsn)) {
4593 /* Setup so we will exit RFC2582 fast recovery */
4594 will_exit_fast_recovery = 1;
4595 }
4596 }
4597 /*
4598 * Check for revoked fragments:
4599 *
4600 * if Previous sack - Had no frags then we can't have any revoked if
4601 * Previous sack - Had frag's then - If we now have frags aka
4602 * num_seg > 0 call sctp_check_for_revoked() to tell if peer revoked
4603 * some of them. else - The peer revoked all ACKED fragments, since
4604 * we had some before and now we have NONE.
4605 */
4606
4607 if (num_seg) {
4608 sctp_check_for_revoked(stcb, asoc, cum_ack, biggest_tsn_acked);
4609 asoc->saw_sack_with_frags = 1;
4610 } else if (asoc->saw_sack_with_frags) {
4611 int cnt_revoked = 0;
4612
4613 /* Peer revoked all dg's marked or acked */
4614 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4615 if (tp1->sent == SCTP_DATAGRAM_ACKED) {
4616 tp1->sent = SCTP_DATAGRAM_SENT;
4617 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
4618 sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE,
4619 tp1->whoTo->flight_size,
4620 tp1->book_size,
4621 (uintptr_t)tp1->whoTo,
4622 tp1->rec.data.TSN_seq);
4623 }
4624 sctp_flight_size_increase(tp1);
4625 sctp_total_flight_increase(stcb, tp1);
4626 tp1->rec.data.chunk_was_revoked = 1;
4627 /*
4628 * To ensure that this increase in
4629 * flightsize, which is artificial,
4630 * does not throttle the sender, we
4631 * also increase the cwnd
4632 * artificially.
4633 */
4634 tp1->whoTo->cwnd += tp1->book_size;
4635 cnt_revoked++;
4636 }
4637 }
4638 if (cnt_revoked) {
4639 reneged_all = 1;
4640 }
4641 asoc->saw_sack_with_frags = 0;
4642 }
4643 if (num_nr_seg > 0)
4644 asoc->saw_sack_with_nr_frags = 1;
4645 else
4646 asoc->saw_sack_with_nr_frags = 0;
4647
4648 /* JRS - Use the congestion control given in the CC module */
4649 if (ecne_seen == 0) {
4650 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4651 if (net->net_ack2 > 0) {
4652 /*
4653 * Karn's rule applies to clearing error count, this
4654 * is optional.
4655 */
4656 net->error_count = 0;
4657 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) {
4658 /* addr came good */
4659 net->dest_state |= SCTP_ADDR_REACHABLE;
4660 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
4661 0, (void *)net, SCTP_SO_NOT_LOCKED);
4662 }
4663
4664 if (net == stcb->asoc.primary_destination) {
4665 if (stcb->asoc.alternate) {
4666 /* release the alternate, primary is good */
4667 sctp_free_remote_addr(stcb->asoc.alternate);
4668 stcb->asoc.alternate = NULL;
4669 }
4670 }
4671
4672 if (net->dest_state & SCTP_ADDR_PF) {
4673 net->dest_state &= ~SCTP_ADDR_PF;
4674 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3);
4675 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
4676 asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
4677 /* Done with this net */
4678 net->net_ack = 0;
4679 }
4680 /* restore any doubled timers */
4681 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv;
4682 if (net->RTO < stcb->asoc.minrto) {
4683 net->RTO = stcb->asoc.minrto;
4684 }
4685 if (net->RTO > stcb->asoc.maxrto) {
4686 net->RTO = stcb->asoc.maxrto;
4687 }
4688 }
4689 }
4690 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, accum_moved, reneged_all, will_exit_fast_recovery);
4691 }
4692
4693 if (TAILQ_EMPTY(&asoc->sent_queue)) {
4694 /* nothing left in-flight */
4695 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4696 /* stop all timers */
4697 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4698 stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_30);
4699 net->flight_size = 0;
4700 net->partial_bytes_acked = 0;
4701 }
4702 asoc->total_flight = 0;
4703 asoc->total_flight_count = 0;
4704 }
4705
4706 /**********************************/
4707 /* Now what about shutdown issues */
4708 /**********************************/
4709 if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) {
4710 /* nothing left on sendqueue.. consider done */
4711 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
4712 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
4713 asoc->peers_rwnd, 0, 0, a_rwnd);
4714 }
4715 asoc->peers_rwnd = a_rwnd;
4716 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4717 /* SWS sender side engages */
4718 asoc->peers_rwnd = 0;
4719 }
4720 /* clean up */
4721 if ((asoc->stream_queue_cnt == 1) &&
4722 ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
4723 (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED)) &&
4724 (asoc->locked_on_sending)
4725 ) {
4726 struct sctp_stream_queue_pending *sp;
4727 /* I may be in a state where we got
4728 * all across.. but cannot write more due
4729 * to a shutdown... we abort since the
4730 * user did not indicate EOR in this case.
4731 */
4732 sp = TAILQ_LAST(&((asoc->locked_on_sending)->outqueue),
4733 sctp_streamhead);
4734 if ((sp) && (sp->length == 0)) {
4735 asoc->locked_on_sending = NULL;
4736 if (sp->msg_is_complete) {
4737 asoc->stream_queue_cnt--;
4738 } else {
4739 asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
4740 asoc->stream_queue_cnt--;
4741 }
4742 }
4743 }
4744 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) &&
4745 (asoc->stream_queue_cnt == 0)) {
4746 if (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT) {
4747 /* Need to abort here */
4748 struct mbuf *op_err;
4749
4750 abort_out_now:
4751 *abort_now = 1;
4752 /* XXX */
4753 op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, "");
4754 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_31;
4755 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
4756 return;
4757 } else {
4758 struct sctp_nets *netp;
4759
4760 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
4761 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
4762 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4763 }
4764 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
4765 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
4766 sctp_stop_timers_for_shutdown(stcb);
4767 if (asoc->alternate) {
4768 netp = asoc->alternate;
4769 } else {
4770 netp = asoc->primary_destination;
4771 }
4772 sctp_send_shutdown(stcb, netp);
4773 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN,
4774 stcb->sctp_ep, stcb, netp);
4775 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
4776 stcb->sctp_ep, stcb, netp);
4777 }
4778 return;
4779 } else if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) &&
4780 (asoc->stream_queue_cnt == 0)) {
4781 struct sctp_nets *netp;
4782
4783 if (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT) {
4784 goto abort_out_now;
4785 }
4786 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
4787 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
4788 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
4789 sctp_stop_timers_for_shutdown(stcb);
4790 if (asoc->alternate) {
4791 netp = asoc->alternate;
4792 } else {
4793 netp = asoc->primary_destination;
4794 }
4795 sctp_send_shutdown_ack(stcb, netp);
4796 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK,
4797 stcb->sctp_ep, stcb, netp);
4798 return;
4799 }
4800 }
4801 /*
4802 * Now here we are going to recycle net_ack for a different use...
4803 * HEADS UP.
4804 */
4805 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4806 net->net_ack = 0;
4807 }
4808
4809 /*
4810 * CMT DAC algorithm: If SACK DAC flag was 0, then no extra marking
4811 * to be done. Setting this_sack_lowest_newack to the cum_ack will
4812 * automatically ensure that.
4813 */
4814 if ((asoc->sctp_cmt_on_off > 0) &&
4815 SCTP_BASE_SYSCTL(sctp_cmt_use_dac) &&
4816 (cmt_dac_flag == 0)) {
4817 this_sack_lowest_newack = cum_ack;
4818 }
4819 if ((num_seg > 0) || (num_nr_seg > 0)) {
4820 sctp_strike_gap_ack_chunks(stcb, asoc, biggest_tsn_acked,
4821 biggest_tsn_newly_acked, this_sack_lowest_newack, accum_moved);
4822 }
4823 /* JRS - Use the congestion control given in the CC module */
4824 asoc->cc_functions.sctp_cwnd_update_after_fr(stcb, asoc);
4825
4826 /* Now are we exiting loss recovery ? */
4827 if (will_exit_fast_recovery) {
4828 /* Ok, we must exit fast recovery */
4829 asoc->fast_retran_loss_recovery = 0;
4830 }
4831 if ((asoc->sat_t3_loss_recovery) &&
4832 SCTP_TSN_GE(asoc->last_acked_seq, asoc->sat_t3_recovery_tsn)) {
4833 /* end satellite t3 loss recovery */
4834 asoc->sat_t3_loss_recovery = 0;
4835 }
4836 /*
4837 * CMT Fast recovery
4838 */
4839 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4840 if (net->will_exit_fast_recovery) {
4841 /* Ok, we must exit fast recovery */
4842 net->fast_retran_loss_recovery = 0;
4843 }
4844 }
4845
4846 /* Adjust and set the new rwnd value */
4847 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
4848 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK,
4849 asoc->peers_rwnd, asoc->total_flight, (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)), a_rwnd);
4850 }
4851 asoc->peers_rwnd = sctp_sbspace_sub(a_rwnd,
4852 (uint32_t) (asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh))));
4853 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4854 /* SWS sender side engages */
4855 asoc->peers_rwnd = 0;
4856 }
4857 if (asoc->peers_rwnd > old_rwnd) {
4858 win_probe_recovery = 1;
4859 }
4860
4861 /*
4862 * Now we must setup so we have a timer up for anyone with
4863 * outstanding data.
4864 */
4865 done_once = 0;
4866 again:
4867 j = 0;
4868 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4869 if (win_probe_recovery && (net->window_probe)) {
4870 win_probe_recovered = 1;
4871 /*-
4872 * Find first chunk that was used with
4873 * window probe and clear the event. Put
4874 * it back into the send queue as if has
4875 * not been sent.
4876 */
4877 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4878 if (tp1->window_probe) {
4879 sctp_window_probe_recovery(stcb, asoc, tp1);
4880 break;
4881 }
4882 }
4883 }
4884 if (net->flight_size) {
4885 j++;
4886 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4887 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
4888 stcb->sctp_ep, stcb, net);
4889 }
4890 if (net->window_probe) {
4891 net->window_probe = 0;
4892 }
4893 } else {
4894 if (net->window_probe) {
4895 /* In window probes we must assure a timer is still running there */
4896 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4897 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
4898 stcb->sctp_ep, stcb, net);
4899
4900 }
4901 } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4902 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
4903 stcb, net,
4904 SCTP_FROM_SCTP_INDATA + SCTP_LOC_22);
4905 }
4906 }
4907 }
4908 if ((j == 0) &&
4909 (!TAILQ_EMPTY(&asoc->sent_queue)) &&
4910 (asoc->sent_queue_retran_cnt == 0) &&
4911 (win_probe_recovered == 0) &&
4912 (done_once == 0)) {
4913 /* huh, this should not happen unless all packets
4914 * are PR-SCTP and marked to skip of course.
4915 */
4916 if (sctp_fs_audit(asoc)) {
4917 TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4918 net->flight_size = 0;
4919 }
4920 asoc->total_flight = 0;
4921 asoc->total_flight_count = 0;
4922 asoc->sent_queue_retran_cnt = 0;
4923 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) {
4924 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
4925 sctp_flight_size_increase(tp1);
4926 sctp_total_flight_increase(stcb, tp1);
4927 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) {
4928 sctp_ucount_incr(asoc->sent_queue_retran_cnt);
4929 }
4930 }
4931 }
4932 done_once = 1;
4933 goto again;
4934 }
4935 /*********************************************/
4936 /* Here we perform PR-SCTP procedures */
4937 /* (section 4.2) */
4938 /*********************************************/
4939 /* C1. update advancedPeerAckPoint */
4940 if (SCTP_TSN_GT(cum_ack, asoc->advanced_peer_ack_point)) {
4941 asoc->advanced_peer_ack_point = cum_ack;
4942 }
4943 /* C2. try to further move advancedPeerAckPoint ahead */
4944 if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) {
4945 struct sctp_tmit_chunk *lchk;
4946 uint32_t old_adv_peer_ack_point;
4947
4948 old_adv_peer_ack_point = asoc->advanced_peer_ack_point;
4949 lchk = sctp_try_advance_peer_ack_point(stcb, asoc);
4950 /* C3. See if we need to send a Fwd-TSN */
4951 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cum_ack)) {
4952 /*
4953 * ISSUE with ECN, see FWD-TSN processing.
4954 */
4955 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
4956 sctp_misc_ints(SCTP_FWD_TSN_CHECK,
4957 0xee, cum_ack, asoc->advanced_peer_ack_point,
4958 old_adv_peer_ack_point);
4959 }
4960 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) {
4961 send_forward_tsn(stcb, asoc);
4962 } else if (lchk) {
4963 /* try to FR fwd-tsn's that get lost too */
4964 if (lchk->rec.data.fwd_tsn_cnt >= 3) {
4965 send_forward_tsn(stcb, asoc);
4966 }
4967 }
4968 }
4969 if (lchk) {
4970 /* Assure a timer is up */
4971 sctp_timer_start(SCTP_TIMER_TYPE_SEND,
4972 stcb->sctp_ep, stcb, lchk->whoTo);
4973 }
4974 }
4975 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) {
4976 sctp_misc_ints(SCTP_SACK_RWND_UPDATE,
4977 a_rwnd,
4978 stcb->asoc.peers_rwnd,
4979 stcb->asoc.total_flight,
4980 stcb->asoc.total_output_queue_size);
4981 }
4982 }
4983
4984 void
4985 sctp_update_acked(struct sctp_tcb *stcb, struct sctp_shutdown_chunk *cp, int *abort_flag)
4986 {
4987 /* Copy cum-ack */
4988 uint32_t cum_ack, a_rwnd;
4989
4990 cum_ack = ntohl(cp->cumulative_tsn_ack);
4991 /* Arrange so a_rwnd does NOT change */
4992 a_rwnd = stcb->asoc.peers_rwnd + stcb->asoc.total_flight;
4993
4994 /* Now call the express sack handling */
4995 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, abort_flag, 0);
4996 }
4997
4998 static void
4999 sctp_kick_prsctp_reorder_queue(struct sctp_tcb *stcb,
5000 struct sctp_stream_in *strmin)
5001 {
5002 struct sctp_queued_to_read *ctl, *nctl;
5003 struct sctp_association *asoc;
5004 uint16_t tt;
5005
5006 asoc = &stcb->asoc;
5007 tt = strmin->last_sequence_delivered;
5008 /*
5009 * First deliver anything prior to and including the stream no that
5010 * came in
5011 */
5012 TAILQ_FOREACH_SAFE(ctl, &strmin->inqueue, next, nctl) {
5013 if (SCTP_SSN_GE(tt, ctl->sinfo_ssn)) {
5014 /* this is deliverable now */
5015 TAILQ_REMOVE(&strmin->inqueue, ctl, next);
5016 /* subtract pending on streams */
5017 asoc->size_on_all_streams -= ctl->length;
5018 sctp_ucount_decr(asoc->cnt_on_all_streams);
5019 /* deliver it to at least the delivery-q */
5020 if (stcb->sctp_socket) {
5021 sctp_mark_non_revokable(asoc, ctl->sinfo_tsn);
5022 sctp_add_to_readq(stcb->sctp_ep, stcb,
5023 ctl,
5024 &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_HELD, SCTP_SO_NOT_LOCKED);
5025 }
5026 } else {
5027 /* no more delivery now. */
5028 break;
5029 }
5030 }
5031 /*
5032 * now we must deliver things in queue the normal way if any are
5033 * now ready.
5034 */
5035 tt = strmin->last_sequence_delivered + 1;
5036 TAILQ_FOREACH_SAFE(ctl, &strmin->inqueue, next, nctl) {
5037 if (tt == ctl->sinfo_ssn) {
5038 /* this is deliverable now */
5039 TAILQ_REMOVE(&strmin->inqueue, ctl, next);
5040 /* subtract pending on streams */
5041 asoc->size_on_all_streams -= ctl->length;
5042 sctp_ucount_decr(asoc->cnt_on_all_streams);
5043 /* deliver it to at least the delivery-q */
5044 strmin->last_sequence_delivered = ctl->sinfo_ssn;
5045 if (stcb->sctp_socket) {
5046 sctp_mark_non_revokable(asoc, ctl->sinfo_tsn);
5047 sctp_add_to_readq(stcb->sctp_ep, stcb,
5048 ctl,
5049 &stcb->sctp_socket->so_rcv, 1, SCTP_READ_LOCK_HELD, SCTP_SO_NOT_LOCKED);
5050
5051 }
5052 tt = strmin->last_sequence_delivered + 1;
5053 } else {
5054 break;
5055 }
5056 }
5057 }
5058
5059 static void
5060 sctp_flush_reassm_for_str_seq(struct sctp_tcb *stcb,
5061 struct sctp_association *asoc,
5062 uint16_t stream, uint16_t seq)
5063 {
5064 struct sctp_tmit_chunk *chk, *nchk;
5065
5066 /* For each one on here see if we need to toss it */
5067 /*
5068 * For now large messages held on the reasmqueue that are
5069 * complete will be tossed too. We could in theory do more
5070 * work to spin through and stop after dumping one msg aka
5071 * seeing the start of a new msg at the head, and call the
5072 * delivery function... to see if it can be delivered... But
5073 * for now we just dump everything on the queue.
5074 */
5075 TAILQ_FOREACH_SAFE(chk, &asoc->reasmqueue, sctp_next, nchk) {
5076 /* Do not toss it if on a different stream or
5077 * marked for unordered delivery in which case
5078 * the stream sequence number has no meaning.
5079 */
5080 if ((chk->rec.data.stream_number != stream) ||
5081 ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == SCTP_DATA_UNORDERED)) {
5082 continue;
5083 }
5084 if (chk->rec.data.stream_seq == seq) {
5085 /* It needs to be tossed */
5086 TAILQ_REMOVE(&asoc->reasmqueue, chk, sctp_next);
5087 if (SCTP_TSN_GT(chk->rec.data.TSN_seq, asoc->tsn_last_delivered)) {
5088 asoc->tsn_last_delivered = chk->rec.data.TSN_seq;
5089 asoc->str_of_pdapi = chk->rec.data.stream_number;
5090 asoc->ssn_of_pdapi = chk->rec.data.stream_seq;
5091 asoc->fragment_flags = chk->rec.data.rcv_flags;
5092 }
5093 asoc->size_on_reasm_queue -= chk->send_size;
5094 sctp_ucount_decr(asoc->cnt_on_reasm_queue);
5095
5096 /* Clear up any stream problem */
5097 if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) != SCTP_DATA_UNORDERED &&
5098 SCTP_SSN_GT(chk->rec.data.stream_seq, asoc->strmin[chk->rec.data.stream_number].last_sequence_delivered)) {
5099 /*
5100 * We must dump forward this streams
5101 * sequence number if the chunk is
5102 * not unordered that is being
5103 * skipped. There is a chance that
5104 * if the peer does not include the
5105 * last fragment in its FWD-TSN we
5106 * WILL have a problem here since
5107 * you would have a partial chunk in
5108 * queue that may not be
5109 * deliverable. Also if a Partial
5110 * delivery API as started the user
5111 * may get a partial chunk. The next
5112 * read returning a new chunk...
5113 * really ugly but I see no way
5114 * around it! Maybe a notify??
5115 */
5116 asoc->strmin[chk->rec.data.stream_number].last_sequence_delivered = chk->rec.data.stream_seq;
5117 }
5118 if (chk->data) {
5119 sctp_m_freem(chk->data);
5120 chk->data = NULL;
5121 }
5122 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
5123 } else if (SCTP_SSN_GT(chk->rec.data.stream_seq, seq)) {
5124 /* If the stream_seq is > than the purging one, we are done */
5125 break;
5126 }
5127 }
5128 }
5129
5130
5131 void
5132 sctp_handle_forward_tsn(struct sctp_tcb *stcb,
5133 struct sctp_forward_tsn_chunk *fwd,
5134 int *abort_flag, struct mbuf *m ,int offset)
5135 {
5136 /* The pr-sctp fwd tsn */
5137 /*
5138 * here we will perform all the data receiver side steps for
5139 * processing FwdTSN, as required in by pr-sctp draft:
5140 *
5141 * Assume we get FwdTSN(x):
5142 *
5143 * 1) update local cumTSN to x 2) try to further advance cumTSN to x +
5144 * others we have 3) examine and update re-ordering queue on
5145 * pr-in-streams 4) clean up re-assembly queue 5) Send a sack to
5146 * report where we are.
5147 */
5148 struct sctp_association *asoc;
5149 uint32_t new_cum_tsn, gap;
5150 unsigned int i, fwd_sz, m_size;
5151 uint32_t str_seq;
5152 struct sctp_stream_in *strm;
5153 struct sctp_tmit_chunk *chk, *nchk;
5154 struct sctp_queued_to_read *ctl, *sv;
5155
5156 asoc = &stcb->asoc;
5157 if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct sctp_forward_tsn_chunk)) {
5158 SCTPDBG(SCTP_DEBUG_INDATA1,
5159 "Bad size too small/big fwd-tsn\n");
5160 return;
5161 }
5162 m_size = (stcb->asoc.mapping_array_size << 3);
5163 /*************************************************************/
5164 /* 1. Here we update local cumTSN and shift the bitmap array */
5165 /*************************************************************/
5166 new_cum_tsn = ntohl(fwd->new_cumulative_tsn);
5167
5168 if (SCTP_TSN_GE(asoc->cumulative_tsn, new_cum_tsn)) {
5169 /* Already got there ... */
5170 return;
5171 }
5172 /*
5173 * now we know the new TSN is more advanced, let's find the actual
5174 * gap
5175 */
5176 SCTP_CALC_TSN_TO_GAP(gap, new_cum_tsn, asoc->mapping_array_base_tsn);
5177 asoc->cumulative_tsn = new_cum_tsn;
5178 if (gap >= m_size) {
5179 if ((long)gap > sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv)) {
5180 struct mbuf *op_err;
5181 char msg[SCTP_DIAG_INFO_LEN];
5182
5183 /*
5184 * out of range (of single byte chunks in the rwnd I
5185 * give out). This must be an attacker.
5186 */
5187 *abort_flag = 1;
5188 snprintf(msg, sizeof(msg),
5189 "New cum ack %8.8x too high, highest TSN %8.8x",
5190 new_cum_tsn, asoc->highest_tsn_inside_map);
5191 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg);
5192 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA+SCTP_LOC_33;
5193 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
5194 return;
5195 }
5196 SCTP_STAT_INCR(sctps_fwdtsn_map_over);
5197
5198 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
5199 asoc->mapping_array_base_tsn = new_cum_tsn + 1;
5200 asoc->highest_tsn_inside_map = new_cum_tsn;
5201
5202 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size);
5203 asoc->highest_tsn_inside_nr_map = new_cum_tsn;
5204
5205 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
5206 sctp_log_map(0, 3, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
5207 }
5208 } else {
5209 SCTP_TCB_LOCK_ASSERT(stcb);
5210 for (i = 0; i <= gap; i++) {
5211 if (!SCTP_IS_TSN_PRESENT(asoc->mapping_array, i) &&
5212 !SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, i)) {
5213 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, i);
5214 if (SCTP_TSN_GT(asoc->mapping_array_base_tsn + i, asoc->highest_tsn_inside_nr_map)) {
5215 asoc->highest_tsn_inside_nr_map = asoc->mapping_array_base_tsn + i;
5216 }
5217 }
5218 }
5219 }
5220 /*************************************************************/
5221 /* 2. Clear up re-assembly queue */
5222 /*************************************************************/
5223 /*
5224 * First service it if pd-api is up, just in case we can progress it
5225 * forward
5226 */
5227 if (asoc->fragmented_delivery_inprogress) {
5228 sctp_service_reassembly(stcb, asoc);
5229 }
5230 /* For each one on here see if we need to toss it */
5231 /*
5232 * For now large messages held on the reasmqueue that are
5233 * complete will be tossed too. We could in theory do more
5234 * work to spin through and stop after dumping one msg aka
5235 * seeing the start of a new msg at the head, and call the
5236 * delivery function... to see if it can be delivered... But
5237 * for now we just dump everything on the queue.
5238 */
5239 TAILQ_FOREACH_SAFE(chk, &asoc->reasmqueue, sctp_next, nchk) {
5240 if (SCTP_TSN_GE(new_cum_tsn, chk->rec.data.TSN_seq)) {
5241 /* It needs to be tossed */
5242 TAILQ_REMOVE(&asoc->reasmqueue, chk, sctp_next);
5243 if (SCTP_TSN_GT(chk->rec.data.TSN_seq, asoc->tsn_last_delivered)) {
5244 asoc->tsn_last_delivered = chk->rec.data.TSN_seq;
5245 asoc->str_of_pdapi = chk->rec.data.stream_number;
5246 asoc->ssn_of_pdapi = chk->rec.data.stream_seq;
5247 asoc->fragment_flags = chk->rec.data.rcv_flags;
5248 }
5249 asoc->size_on_reasm_queue -= chk->send_size;
5250 sctp_ucount_decr(asoc->cnt_on_reasm_queue);
5251
5252 /* Clear up any stream problem */
5253 if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) != SCTP_DATA_UNORDERED &&
5254 SCTP_SSN_GT(chk->rec.data.stream_seq, asoc->strmin[chk->rec.data.stream_number].last_sequence_delivered)) {
5255 /*
5256 * We must dump forward this streams
5257 * sequence number if the chunk is
5258 * not unordered that is being
5259 * skipped. There is a chance that
5260 * if the peer does not include the
5261 * last fragment in its FWD-TSN we
5262 * WILL have a problem here since
5263 * you would have a partial chunk in
5264 * queue that may not be
5265 * deliverable. Also if a Partial
5266 * delivery API as started the user
5267 * may get a partial chunk. The next
5268 * read returning a new chunk...
5269 * really ugly but I see no way
5270 * around it! Maybe a notify??
5271 */
5272 asoc->strmin[chk->rec.data.stream_number].last_sequence_delivered = chk->rec.data.stream_seq;
5273 }
5274 if (chk->data) {
5275 sctp_m_freem(chk->data);
5276 chk->data = NULL;
5277 }
5278 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
5279 } else {
5280 /*
5281 * Ok we have gone beyond the end of the
5282 * fwd-tsn's mark.
5283 */
5284 break;
5285 }
5286 }
5287 /*******************************************************/
5288 /* 3. Update the PR-stream re-ordering queues and fix */
5289 /* delivery issues as needed. */
5290 /*******************************************************/
5291 fwd_sz -= sizeof(*fwd);
5292 if (m && fwd_sz) {
5293 /* New method. */
5294 unsigned int num_str;
5295 struct sctp_strseq *stseq, strseqbuf;
5296 offset += sizeof(*fwd);
5297
5298 SCTP_INP_READ_LOCK(stcb->sctp_ep);
5299 num_str = fwd_sz / sizeof(struct sctp_strseq);
5300 for (i = 0; i < num_str; i++) {
5301 uint16_t st;
5302 stseq = (struct sctp_strseq *)sctp_m_getptr(m, offset,
5303 sizeof(struct sctp_strseq),
5304 (uint8_t *)&strseqbuf);
5305 offset += sizeof(struct sctp_strseq);
5306 if (stseq == NULL) {
5307 break;
5308 }
5309 /* Convert */
5310 st = ntohs(stseq->stream);
5311 stseq->stream = st;
5312 st = ntohs(stseq->sequence);
5313 stseq->sequence = st;
5314
5315 /* now process */
5316
5317 /*
5318 * Ok we now look for the stream/seq on the read queue
5319 * where its not all delivered. If we find it we transmute the
5320 * read entry into a PDI_ABORTED.
5321 */
5322 if (stseq->stream >= asoc->streamincnt) {
5323 /* screwed up streams, stop! */
5324 break;
5325 }
5326 if ((asoc->str_of_pdapi == stseq->stream) &&
5327 (asoc->ssn_of_pdapi == stseq->sequence)) {
5328 /* If this is the one we were partially delivering
5329 * now then we no longer are. Note this will change
5330 * with the reassembly re-write.
5331 */
5332 asoc->fragmented_delivery_inprogress = 0;
5333 }
5334 sctp_flush_reassm_for_str_seq(stcb, asoc, stseq->stream, stseq->sequence);
5335 TAILQ_FOREACH(ctl, &stcb->sctp_ep->read_queue, next) {
5336 if ((ctl->sinfo_stream == stseq->stream) &&
5337 (ctl->sinfo_ssn == stseq->sequence)) {
5338 str_seq = (stseq->stream << 16) | stseq->sequence;
5339 ctl->end_added = 1;
5340 ctl->pdapi_aborted = 1;
5341 sv = stcb->asoc.control_pdapi;
5342 stcb->asoc.control_pdapi = ctl;
5343 sctp_ulp_notify(SCTP_NOTIFY_PARTIAL_DELVIERY_INDICATION,
5344 stcb,
5345 SCTP_PARTIAL_DELIVERY_ABORTED,
5346 (void *)&str_seq,
5347 SCTP_SO_NOT_LOCKED);
5348 stcb->asoc.control_pdapi = sv;
5349 break;
5350 } else if ((ctl->sinfo_stream == stseq->stream) &&
5351 SCTP_SSN_GT(ctl->sinfo_ssn, stseq->sequence)) {
5352 /* We are past our victim SSN */
5353 break;
5354 }
5355 }
5356 strm = &asoc->strmin[stseq->stream];
5357 if (SCTP_SSN_GT(stseq->sequence, strm->last_sequence_delivered)) {
5358 /* Update the sequence number */
5359 strm->last_sequence_delivered = stseq->sequence;
5360 }
5361 /* now kick the stream the new way */
5362 /*sa_ignore NO_NULL_CHK*/
5363 sctp_kick_prsctp_reorder_queue(stcb, strm);
5364 }
5365 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
5366 }
5367 /*
5368 * Now slide thing forward.
5369 */
5370 sctp_slide_mapping_arrays(stcb);
5371
5372 if (!TAILQ_EMPTY(&asoc->reasmqueue)) {
5373 /* now lets kick out and check for more fragmented delivery */
5374 /*sa_ignore NO_NULL_CHK*/
5375 sctp_deliver_reasm_check(stcb, &stcb->asoc);
5376 }
5377 }
5378