1 /*-
2 * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved.
4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are met:
8 *
9 * a) Redistributions of source code must retain the above copyright notice,
10 * this list of conditions and the following disclaimer.
11 *
12 * b) Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the distribution.
15 *
16 * c) Neither the name of Cisco Systems, Inc. nor the names of its
17 * contributors may be used to endorse or promote products derived
18 * from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
30 * THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #ifdef __FreeBSD__
34 #include <sys/cdefs.h>
35 __FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 271230 2014-09-07 18:05:37Z tuexen $");
36 #endif
37
38 #include <netinet/sctp_os.h>
39 #include <netinet/sctp_var.h>
40 #include <netinet/sctp_sysctl.h>
41 #include <netinet/sctp_pcb.h>
42 #include <netinet/sctp_header.h>
43 #include <netinet/sctputil.h>
44 #include <netinet/sctp_output.h>
45 #include <netinet/sctp_input.h>
46 #include <netinet/sctp_auth.h>
47 #include <netinet/sctp_indata.h>
48 #include <netinet/sctp_asconf.h>
49 #include <netinet/sctp_bsd_addr.h>
50 #include <netinet/sctp_timer.h>
51 #include <netinet/sctp_crc32.h>
52 #if defined(INET) || defined(INET6)
53 #if !defined(__Userspace_os_Windows)
54 #include <netinet/udp.h>
55 #endif
56 #endif
57 #if defined(__FreeBSD__)
58 #include <sys/smp.h>
59 #endif
60
61 #if defined(__APPLE__)
62 #define APPLE_FILE_NO 2
63 #endif
64
65
66 static void
sctp_stop_all_cookie_timers(struct sctp_tcb * stcb)67 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb)
68 {
69 struct sctp_nets *net;
70
71 /* This now not only stops all cookie timers
72 * it also stops any INIT timers as well. This
73 * will make sure that the timers are stopped in
74 * all collision cases.
75 */
76 SCTP_TCB_LOCK_ASSERT(stcb);
77 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
78 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) {
79 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE,
80 stcb->sctp_ep,
81 stcb,
82 net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_1);
83 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) {
84 sctp_timer_stop(SCTP_TIMER_TYPE_INIT,
85 stcb->sctp_ep,
86 stcb,
87 net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_2);
88 }
89 }
90 }
91
92 /* INIT handler */
93 static void
sctp_handle_init(struct mbuf * m,int iphlen,int offset,struct sockaddr * src,struct sockaddr * dst,struct sctphdr * sh,struct sctp_init_chunk * cp,struct sctp_inpcb * inp,struct sctp_tcb * stcb,int * abort_no_unlock,uint8_t use_mflowid,uint32_t mflowid,uint32_t vrf_id,uint16_t port)94 sctp_handle_init(struct mbuf *m, int iphlen, int offset,
95 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
96 struct sctp_init_chunk *cp, struct sctp_inpcb *inp,
97 struct sctp_tcb *stcb, int *abort_no_unlock,
98 #if defined(__FreeBSD__)
99 uint8_t use_mflowid, uint32_t mflowid,
100 #endif
101 uint32_t vrf_id, uint16_t port)
102 {
103 struct sctp_init *init;
104 struct mbuf *op_err;
105
106 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_init: handling INIT tcb:%p\n",
107 (void *)stcb);
108 if (stcb == NULL) {
109 SCTP_INP_RLOCK(inp);
110 }
111 /* validate length */
112 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) {
113 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
114 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
115 #if defined(__FreeBSD__)
116 use_mflowid, mflowid,
117 #endif
118 vrf_id, port);
119 if (stcb)
120 *abort_no_unlock = 1;
121 goto outnow;
122 }
123 /* validate parameters */
124 init = &cp->init;
125 if (init->initiate_tag == 0) {
126 /* protocol error... send abort */
127 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
128 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
129 #if defined(__FreeBSD__)
130 use_mflowid, mflowid,
131 #endif
132 vrf_id, port);
133 if (stcb)
134 *abort_no_unlock = 1;
135 goto outnow;
136 }
137 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) {
138 /* invalid parameter... send abort */
139 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
140 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
141 #if defined(__FreeBSD__)
142 use_mflowid, mflowid,
143 #endif
144 vrf_id, port);
145 if (stcb)
146 *abort_no_unlock = 1;
147 goto outnow;
148 }
149 if (init->num_inbound_streams == 0) {
150 /* protocol error... send abort */
151 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
152 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
153 #if defined(__FreeBSD__)
154 use_mflowid, mflowid,
155 #endif
156 vrf_id, port);
157 if (stcb)
158 *abort_no_unlock = 1;
159 goto outnow;
160 }
161 if (init->num_outbound_streams == 0) {
162 /* protocol error... send abort */
163 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
164 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
165 #if defined(__FreeBSD__)
166 use_mflowid, mflowid,
167 #endif
168 vrf_id, port);
169 if (stcb)
170 *abort_no_unlock = 1;
171 goto outnow;
172 }
173 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp),
174 offset + ntohs(cp->ch.chunk_length))) {
175 /* auth parameter(s) error... send abort */
176 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
177 "Problem with AUTH parameters");
178 sctp_abort_association(inp, stcb, m, iphlen, src, dst, sh, op_err,
179 #if defined(__FreeBSD__)
180 use_mflowid, mflowid,
181 #endif
182 vrf_id, port);
183 if (stcb)
184 *abort_no_unlock = 1;
185 goto outnow;
186 }
187 /* We are only accepting if we have a socket with positive so_qlimit.*/
188 if ((stcb == NULL) &&
189 ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
190 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
191 (inp->sctp_socket == NULL) ||
192 (inp->sctp_socket->so_qlimit == 0))) {
193 /*
194 * FIX ME ?? What about TCP model and we have a
195 * match/restart case? Actually no fix is needed.
196 * the lookup will always find the existing assoc so stcb
197 * would not be NULL. It may be questionable to do this
198 * since we COULD just send back the INIT-ACK and hope that
199 * the app did accept()'s by the time the COOKIE was sent. But
200 * there is a price to pay for COOKIE generation and I don't
201 * want to pay it on the chance that the app will actually do
202 * some accepts(). The App just looses and should NOT be in
203 * this state :-)
204 */
205 if (SCTP_BASE_SYSCTL(sctp_blackhole) == 0) {
206 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
207 "No listener");
208 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err,
209 #if defined(__FreeBSD__)
210 use_mflowid, mflowid,
211 #endif
212 vrf_id, port);
213 }
214 goto outnow;
215 }
216 if ((stcb != NULL) &&
217 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT)) {
218 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending SHUTDOWN-ACK\n");
219 sctp_send_shutdown_ack(stcb, NULL);
220 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
221 } else {
222 SCTPDBG(SCTP_DEBUG_INPUT3, "sctp_handle_init: sending INIT-ACK\n");
223 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, src, dst,
224 sh, cp,
225 #if defined(__FreeBSD__)
226 use_mflowid, mflowid,
227 #endif
228 vrf_id, port,
229 ((stcb == NULL) ? SCTP_HOLDS_LOCK : SCTP_NOT_LOCKED));
230 }
231 outnow:
232 if (stcb == NULL) {
233 SCTP_INP_RUNLOCK(inp);
234 }
235 }
236
237 /*
238 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error
239 */
240
241 int
sctp_is_there_unsent_data(struct sctp_tcb * stcb,int so_locked SCTP_UNUSED)242 sctp_is_there_unsent_data(struct sctp_tcb *stcb, int so_locked
243 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
244 SCTP_UNUSED
245 #endif
246 )
247 {
248 int unsent_data = 0;
249 unsigned int i;
250 struct sctp_stream_queue_pending *sp;
251 struct sctp_association *asoc;
252
253 /* This function returns the number of streams that have
254 * true unsent data on them. Note that as it looks through
255 * it will clean up any places that have old data that
256 * has been sent but left at top of stream queue.
257 */
258 asoc = &stcb->asoc;
259 SCTP_TCB_SEND_LOCK(stcb);
260 if (!stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
261 /* Check to see if some data queued */
262 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
263 /*sa_ignore FREED_MEMORY*/
264 sp = TAILQ_FIRST(&stcb->asoc.strmout[i].outqueue);
265 if (sp == NULL) {
266 continue;
267 }
268 if ((sp->msg_is_complete) &&
269 (sp->length == 0) &&
270 (sp->sender_all_done)) {
271 /* We are doing differed cleanup. Last
272 * time through when we took all the data
273 * the sender_all_done was not set.
274 */
275 if (sp->put_last_out == 0) {
276 SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
277 SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d\n",
278 sp->sender_all_done,
279 sp->length,
280 sp->msg_is_complete,
281 sp->put_last_out);
282 }
283 atomic_subtract_int(&stcb->asoc.stream_queue_cnt, 1);
284 TAILQ_REMOVE(&stcb->asoc.strmout[i].outqueue, sp, next);
285 if (sp->net) {
286 sctp_free_remote_addr(sp->net);
287 sp->net = NULL;
288 }
289 if (sp->data) {
290 sctp_m_freem(sp->data);
291 sp->data = NULL;
292 }
293 sctp_free_a_strmoq(stcb, sp, so_locked);
294 } else {
295 unsent_data++;
296 break;
297 }
298 }
299 }
300 SCTP_TCB_SEND_UNLOCK(stcb);
301 return (unsent_data);
302 }
303
304 static int
sctp_process_init(struct sctp_init_chunk * cp,struct sctp_tcb * stcb)305 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb)
306 {
307 struct sctp_init *init;
308 struct sctp_association *asoc;
309 struct sctp_nets *lnet;
310 unsigned int i;
311
312 init = &cp->init;
313 asoc = &stcb->asoc;
314 /* save off parameters */
315 asoc->peer_vtag = ntohl(init->initiate_tag);
316 asoc->peers_rwnd = ntohl(init->a_rwnd);
317 /* init tsn's */
318 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1;
319
320 if (!TAILQ_EMPTY(&asoc->nets)) {
321 /* update any ssthresh's that may have a default */
322 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
323 lnet->ssthresh = asoc->peers_rwnd;
324 if (SCTP_BASE_SYSCTL(sctp_logging_level) & (SCTP_CWND_MONITOR_ENABLE|SCTP_CWND_LOGGING_ENABLE)) {
325 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION);
326 }
327
328 }
329 }
330 SCTP_TCB_SEND_LOCK(stcb);
331 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) {
332 unsigned int newcnt;
333 struct sctp_stream_out *outs;
334 struct sctp_stream_queue_pending *sp, *nsp;
335 struct sctp_tmit_chunk *chk, *nchk;
336
337 /* abandon the upper streams */
338 newcnt = ntohs(init->num_inbound_streams);
339 TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
340 if (chk->rec.data.stream_number >= newcnt) {
341 TAILQ_REMOVE(&asoc->send_queue, chk, sctp_next);
342 asoc->send_queue_cnt--;
343 if (asoc->strmout[chk->rec.data.stream_number].chunks_on_queues > 0) {
344 asoc->strmout[chk->rec.data.stream_number].chunks_on_queues--;
345 #ifdef INVARIANTS
346 } else {
347 panic("No chunks on the queues for sid %u.", chk->rec.data.stream_number);
348 #endif
349 }
350 if (chk->data != NULL) {
351 sctp_free_bufspace(stcb, asoc, chk, 1);
352 sctp_ulp_notify(SCTP_NOTIFY_UNSENT_DG_FAIL, stcb,
353 0, chk, SCTP_SO_NOT_LOCKED);
354 if (chk->data) {
355 sctp_m_freem(chk->data);
356 chk->data = NULL;
357 }
358 }
359 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
360 /*sa_ignore FREED_MEMORY*/
361 }
362 }
363 if (asoc->strmout) {
364 for (i = newcnt; i < asoc->pre_open_streams; i++) {
365 outs = &asoc->strmout[i];
366 TAILQ_FOREACH_SAFE(sp, &outs->outqueue, next, nsp) {
367 TAILQ_REMOVE(&outs->outqueue, sp, next);
368 asoc->stream_queue_cnt--;
369 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL,
370 stcb, 0, sp, SCTP_SO_NOT_LOCKED);
371 if (sp->data) {
372 sctp_m_freem(sp->data);
373 sp->data = NULL;
374 }
375 if (sp->net) {
376 sctp_free_remote_addr(sp->net);
377 sp->net = NULL;
378 }
379 /* Free the chunk */
380 sctp_free_a_strmoq(stcb, sp, SCTP_SO_NOT_LOCKED);
381 /*sa_ignore FREED_MEMORY*/
382 }
383 }
384 }
385 /* cut back the count */
386 asoc->pre_open_streams = newcnt;
387 }
388 SCTP_TCB_SEND_UNLOCK(stcb);
389 asoc->strm_realoutsize = asoc->streamoutcnt = asoc->pre_open_streams;
390
391 /* EY - nr_sack: initialize highest tsn in nr_mapping_array */
392 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
393 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
394 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
395 }
396 /* This is the next one we expect */
397 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1;
398
399 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn);
400 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->asconf_seq_in;
401
402 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
403 /* open the requested streams */
404
405 if (asoc->strmin != NULL) {
406 /* Free the old ones */
407 struct sctp_queued_to_read *ctl, *nctl;
408
409 for (i = 0; i < asoc->streamincnt; i++) {
410 TAILQ_FOREACH_SAFE(ctl, &asoc->strmin[i].inqueue, next, nctl) {
411 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next);
412 sctp_free_remote_addr(ctl->whoFrom);
413 ctl->whoFrom = NULL;
414 sctp_m_freem(ctl->data);
415 ctl->data = NULL;
416 sctp_free_a_readq(stcb, ctl);
417 }
418 }
419 SCTP_FREE(asoc->strmin, SCTP_M_STRMI);
420 }
421 if (asoc->max_inbound_streams > ntohs(init->num_outbound_streams)) {
422 asoc->streamincnt = ntohs(init->num_outbound_streams);
423 } else {
424 asoc->streamincnt = asoc->max_inbound_streams;
425 }
426 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt *
427 sizeof(struct sctp_stream_in), SCTP_M_STRMI);
428 if (asoc->strmin == NULL) {
429 /* we didn't get memory for the streams! */
430 SCTPDBG(SCTP_DEBUG_INPUT2, "process_init: couldn't get memory for the streams!\n");
431 return (-1);
432 }
433 for (i = 0; i < asoc->streamincnt; i++) {
434 asoc->strmin[i].stream_no = i;
435 asoc->strmin[i].last_sequence_delivered = 0xffff;
436 TAILQ_INIT(&asoc->strmin[i].inqueue);
437 asoc->strmin[i].delivery_started = 0;
438 }
439 /*
440 * load_address_from_init will put the addresses into the
441 * association when the COOKIE is processed or the INIT-ACK is
442 * processed. Both types of COOKIE's existing and new call this
443 * routine. It will remove addresses that are no longer in the
444 * association (for the restarting case where addresses are
445 * removed). Up front when the INIT arrives we will discard it if it
446 * is a restart and new addresses have been added.
447 */
448 /* sa_ignore MEMLEAK */
449 return (0);
450 }
451
452 /*
453 * INIT-ACK message processing/consumption returns value < 0 on error
454 */
455 static int
sctp_process_init_ack(struct mbuf * m,int iphlen,int offset,struct sockaddr * src,struct sockaddr * dst,struct sctphdr * sh,struct sctp_init_ack_chunk * cp,struct sctp_tcb * stcb,struct sctp_nets * net,int * abort_no_unlock,uint8_t use_mflowid,uint32_t mflowid,uint32_t vrf_id)456 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset,
457 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
458 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
459 struct sctp_nets *net, int *abort_no_unlock,
460 #if defined(__FreeBSD__)
461 uint8_t use_mflowid, uint32_t mflowid,
462 #endif
463 uint32_t vrf_id)
464 {
465 struct sctp_association *asoc;
466 struct mbuf *op_err;
467 int retval, abort_flag;
468 uint32_t initack_limit;
469 int nat_friendly = 0;
470
471 /* First verify that we have no illegal param's */
472 abort_flag = 0;
473
474 op_err = sctp_arethere_unrecognized_parameters(m,
475 (offset + sizeof(struct sctp_init_chunk)),
476 &abort_flag, (struct sctp_chunkhdr *)cp, &nat_friendly);
477 if (abort_flag) {
478 /* Send an abort and notify peer */
479 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED);
480 *abort_no_unlock = 1;
481 return (-1);
482 }
483 asoc = &stcb->asoc;
484 asoc->peer_supports_nat = (uint8_t)nat_friendly;
485 /* process the peer's parameters in the INIT-ACK */
486 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb);
487 if (retval < 0) {
488 return (retval);
489 }
490 initack_limit = offset + ntohs(cp->ch.chunk_length);
491 /* load all addresses */
492 if ((retval = sctp_load_addresses_from_init(stcb, m,
493 (offset + sizeof(struct sctp_init_chunk)), initack_limit,
494 src, dst, NULL))) {
495 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
496 "Problem with address parameters");
497 SCTPDBG(SCTP_DEBUG_INPUT1,
498 "Load addresses from INIT causes an abort %d\n",
499 retval);
500 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
501 src, dst, sh, op_err,
502 #if defined(__FreeBSD__)
503 use_mflowid, mflowid,
504 #endif
505 vrf_id, net->port);
506 *abort_no_unlock = 1;
507 return (-1);
508 }
509 /* if the peer doesn't support asconf, flush the asconf queue */
510 if (asoc->asconf_supported == 0) {
511 struct sctp_asconf_addr *param, *nparam;
512
513 TAILQ_FOREACH_SAFE(param, &asoc->asconf_queue, next, nparam) {
514 TAILQ_REMOVE(&asoc->asconf_queue, param, next);
515 SCTP_FREE(param, SCTP_M_ASC_ADDR);
516 }
517 }
518
519 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs,
520 stcb->asoc.local_hmacs);
521 if (op_err) {
522 sctp_queue_op_err(stcb, op_err);
523 /* queuing will steal away the mbuf chain to the out queue */
524 op_err = NULL;
525 }
526 /* extract the cookie and queue it to "echo" it back... */
527 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
528 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
529 stcb->asoc.overall_error_count,
530 0,
531 SCTP_FROM_SCTP_INPUT,
532 __LINE__);
533 }
534 stcb->asoc.overall_error_count = 0;
535 net->error_count = 0;
536
537 /*
538 * Cancel the INIT timer, We do this first before queueing the
539 * cookie. We always cancel at the primary to assue that we are
540 * canceling the timer started by the INIT which always goes to the
541 * primary.
542 */
543 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb,
544 asoc->primary_destination, SCTP_FROM_SCTP_INPUT+SCTP_LOC_4);
545
546 /* calculate the RTO */
547 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered, sctp_align_safe_nocopy,
548 SCTP_RTT_FROM_NON_DATA);
549
550 retval = sctp_send_cookie_echo(m, offset, stcb, net);
551 if (retval < 0) {
552 /*
553 * No cookie, we probably should send a op error. But in any
554 * case if there is no cookie in the INIT-ACK, we can
555 * abandon the peer, its broke.
556 */
557 if (retval == -3) {
558 /* We abort with an error of missing mandatory param */
559 op_err = sctp_generate_cause(SCTP_CAUSE_MISSING_PARAM, "");
560 if (op_err) {
561 /*
562 * Expand beyond to include the mandatory
563 * param cookie
564 */
565 struct sctp_inv_mandatory_param *mp;
566
567 SCTP_BUF_LEN(op_err) =
568 sizeof(struct sctp_inv_mandatory_param);
569 mp = mtod(op_err,
570 struct sctp_inv_mandatory_param *);
571 /* Subtract the reserved param */
572 mp->length =
573 htons(sizeof(struct sctp_inv_mandatory_param) - 2);
574 mp->num_param = htonl(1);
575 mp->param = htons(SCTP_STATE_COOKIE);
576 mp->resv = 0;
577 }
578 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
579 src, dst, sh, op_err,
580 #if defined(__FreeBSD__)
581 use_mflowid, mflowid,
582 #endif
583 vrf_id, net->port);
584 *abort_no_unlock = 1;
585 }
586 return (retval);
587 }
588
589 return (0);
590 }
591
592 static void
sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk * cp,struct sctp_tcb * stcb,struct sctp_nets * net)593 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp,
594 struct sctp_tcb *stcb, struct sctp_nets *net)
595 {
596 union sctp_sockstore store;
597 struct sctp_nets *r_net, *f_net;
598 struct timeval tv;
599 int req_prim = 0;
600 uint16_t old_error_counter;
601
602 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) {
603 /* Invalid length */
604 return;
605 }
606
607 memset(&store, 0, sizeof(store));
608 switch (cp->heartbeat.hb_info.addr_family) {
609 #ifdef INET
610 case AF_INET:
611 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) {
612 store.sin.sin_family = cp->heartbeat.hb_info.addr_family;
613 #ifdef HAVE_SIN_LEN
614 store.sin.sin_len = cp->heartbeat.hb_info.addr_len;
615 #endif
616 store.sin.sin_port = stcb->rport;
617 memcpy(&store.sin.sin_addr, cp->heartbeat.hb_info.address,
618 sizeof(store.sin.sin_addr));
619 } else {
620 return;
621 }
622 break;
623 #endif
624 #ifdef INET6
625 case AF_INET6:
626 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) {
627 store.sin6.sin6_family = cp->heartbeat.hb_info.addr_family;
628 #ifdef HAVE_SIN6_LEN
629 store.sin6.sin6_len = cp->heartbeat.hb_info.addr_len;
630 #endif
631 store.sin6.sin6_port = stcb->rport;
632 memcpy(&store.sin6.sin6_addr, cp->heartbeat.hb_info.address, sizeof(struct in6_addr));
633 } else {
634 return;
635 }
636 break;
637 #endif
638 #if defined(__Userspace__)
639 case AF_CONN:
640 if (cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_conn)) {
641 store.sconn.sconn_family = cp->heartbeat.hb_info.addr_family;
642 #ifdef HAVE_SCONN_LEN
643 store.sconn.sconn_len = cp->heartbeat.hb_info.addr_len;
644 #endif
645 store.sconn.sconn_port = stcb->rport;
646 memcpy(&store.sconn.sconn_addr, cp->heartbeat.hb_info.address, sizeof(void *));
647 } else {
648 return;
649 }
650 break;
651 #endif
652 default:
653 return;
654 }
655 r_net = sctp_findnet(stcb, &store.sa);
656 if (r_net == NULL) {
657 SCTPDBG(SCTP_DEBUG_INPUT1, "Huh? I can't find the address I sent it to, discard\n");
658 return;
659 }
660 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) &&
661 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) &&
662 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) {
663 /*
664 * If the its a HB and it's random value is correct when can
665 * confirm the destination.
666 */
667 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
668 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) {
669 stcb->asoc.primary_destination = r_net;
670 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY;
671 f_net = TAILQ_FIRST(&stcb->asoc.nets);
672 if (f_net != r_net) {
673 /* first one on the list is NOT the primary
674 * sctp_cmpaddr() is much more efficent if
675 * the primary is the first on the list, make it
676 * so.
677 */
678 TAILQ_REMOVE(&stcb->asoc.nets, r_net, sctp_next);
679 TAILQ_INSERT_HEAD(&stcb->asoc.nets, r_net, sctp_next);
680 }
681 req_prim = 1;
682 }
683 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
684 stcb, 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
685 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3);
686 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net);
687 }
688 old_error_counter = r_net->error_count;
689 r_net->error_count = 0;
690 r_net->hb_responded = 1;
691 tv.tv_sec = cp->heartbeat.hb_info.time_value_1;
692 tv.tv_usec = cp->heartbeat.hb_info.time_value_2;
693 /* Now lets do a RTO with this */
694 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv, sctp_align_safe_nocopy,
695 SCTP_RTT_FROM_NON_DATA);
696 if (!(r_net->dest_state & SCTP_ADDR_REACHABLE)) {
697 r_net->dest_state |= SCTP_ADDR_REACHABLE;
698 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb,
699 0, (void *)r_net, SCTP_SO_NOT_LOCKED);
700 }
701 if (r_net->dest_state & SCTP_ADDR_PF) {
702 r_net->dest_state &= ~SCTP_ADDR_PF;
703 stcb->asoc.cc_functions.sctp_cwnd_update_exit_pf(stcb, net);
704 }
705 if (old_error_counter > 0) {
706 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3);
707 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, r_net);
708 }
709 if (r_net == stcb->asoc.primary_destination) {
710 if (stcb->asoc.alternate) {
711 /* release the alternate, primary is good */
712 sctp_free_remote_addr(stcb->asoc.alternate);
713 stcb->asoc.alternate = NULL;
714 }
715 }
716 /* Mobility adaptation */
717 if (req_prim) {
718 if ((sctp_is_mobility_feature_on(stcb->sctp_ep,
719 SCTP_MOBILITY_BASE) ||
720 sctp_is_mobility_feature_on(stcb->sctp_ep,
721 SCTP_MOBILITY_FASTHANDOFF)) &&
722 sctp_is_mobility_feature_on(stcb->sctp_ep,
723 SCTP_MOBILITY_PRIM_DELETED)) {
724
725 sctp_timer_stop(SCTP_TIMER_TYPE_PRIM_DELETED, stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_TIMER+SCTP_LOC_7);
726 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
727 SCTP_MOBILITY_FASTHANDOFF)) {
728 sctp_assoc_immediate_retrans(stcb,
729 stcb->asoc.primary_destination);
730 }
731 if (sctp_is_mobility_feature_on(stcb->sctp_ep,
732 SCTP_MOBILITY_BASE)) {
733 sctp_move_chunks_from_net(stcb,
734 stcb->asoc.deleted_primary);
735 }
736 sctp_delete_prim_timer(stcb->sctp_ep, stcb,
737 stcb->asoc.deleted_primary);
738 }
739 }
740 }
741
742 static int
sctp_handle_nat_colliding_state(struct sctp_tcb * stcb)743 sctp_handle_nat_colliding_state(struct sctp_tcb *stcb)
744 {
745 /* return 0 means we want you to proceed with the abort
746 * non-zero means no abort processing
747 */
748 struct sctpasochead *head;
749
750 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_WAIT) {
751 /* generate a new vtag and send init */
752 LIST_REMOVE(stcb, sctp_asocs);
753 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
754 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
755 /* put it in the bucket in the vtag hash of assoc's for the system */
756 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
757 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
758 return (1);
759 }
760 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED) {
761 /* treat like a case where the cookie expired i.e.:
762 * - dump current cookie.
763 * - generate a new vtag.
764 * - resend init.
765 */
766 /* generate a new vtag and send init */
767 LIST_REMOVE(stcb, sctp_asocs);
768 stcb->asoc.state &= ~SCTP_STATE_COOKIE_ECHOED;
769 stcb->asoc.state |= SCTP_STATE_COOKIE_WAIT;
770 sctp_stop_all_cookie_timers(stcb);
771 sctp_toss_old_cookies(stcb, &stcb->asoc);
772 stcb->asoc.my_vtag = sctp_select_a_tag(stcb->sctp_ep, stcb->sctp_ep->sctp_lport, stcb->rport, 1);
773 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, SCTP_BASE_INFO(hashasocmark))];
774 /* put it in the bucket in the vtag hash of assoc's for the system */
775 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
776 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
777 return (1);
778 }
779 return (0);
780 }
781
782 static int
sctp_handle_nat_missing_state(struct sctp_tcb * stcb,struct sctp_nets * net)783 sctp_handle_nat_missing_state(struct sctp_tcb *stcb,
784 struct sctp_nets *net)
785 {
786 /* return 0 means we want you to proceed with the abort
787 * non-zero means no abort processing
788 */
789 if (stcb->asoc.auth_supported == 0) {
790 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_nat_missing_state: Peer does not support AUTH, cannot send an asconf\n");
791 return (0);
792 }
793 sctp_asconf_send_nat_state_update(stcb, net);
794 return (1);
795 }
796
797
798 static void
sctp_handle_abort(struct sctp_abort_chunk * abort,struct sctp_tcb * stcb,struct sctp_nets * net)799 sctp_handle_abort(struct sctp_abort_chunk *abort,
800 struct sctp_tcb *stcb, struct sctp_nets *net)
801 {
802 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
803 struct socket *so;
804 #endif
805 uint16_t len;
806 uint16_t error;
807
808 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: handling ABORT\n");
809 if (stcb == NULL)
810 return;
811
812 len = ntohs(abort->ch.chunk_length);
813 if (len > sizeof (struct sctp_chunkhdr)) {
814 /* Need to check the cause codes for our
815 * two magic nat aborts which don't kill the assoc
816 * necessarily.
817 */
818 struct sctp_missing_nat_state *natc;
819
820 natc = (struct sctp_missing_nat_state *)(abort + 1);
821 error = ntohs(natc->cause);
822 if (error == SCTP_CAUSE_NAT_COLLIDING_STATE) {
823 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
824 abort->ch.chunk_flags);
825 if (sctp_handle_nat_colliding_state(stcb)) {
826 return;
827 }
828 } else if (error == SCTP_CAUSE_NAT_MISSING_STATE) {
829 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
830 abort->ch.chunk_flags);
831 if (sctp_handle_nat_missing_state(stcb, net)) {
832 return;
833 }
834 }
835 } else {
836 error = 0;
837 }
838 /* stop any receive timers */
839 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_6);
840 /* notify user of the abort and clean up... */
841 sctp_abort_notification(stcb, 1, error, abort, SCTP_SO_NOT_LOCKED);
842 /* free the tcb */
843 SCTP_STAT_INCR_COUNTER32(sctps_aborted);
844 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) ||
845 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
846 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
847 }
848 #ifdef SCTP_ASOCLOG_OF_TSNS
849 sctp_print_out_track_log(stcb);
850 #endif
851 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
852 so = SCTP_INP_SO(stcb->sctp_ep);
853 atomic_add_int(&stcb->asoc.refcnt, 1);
854 SCTP_TCB_UNLOCK(stcb);
855 SCTP_SOCKET_LOCK(so, 1);
856 SCTP_TCB_LOCK(stcb);
857 atomic_subtract_int(&stcb->asoc.refcnt, 1);
858 #endif
859 stcb->asoc.state |= SCTP_STATE_WAS_ABORTED;
860 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
861 SCTP_FROM_SCTP_INPUT+SCTP_LOC_6);
862 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
863 SCTP_SOCKET_UNLOCK(so, 1);
864 #endif
865 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_handle_abort: finished\n");
866 }
867
868 static void
sctp_start_net_timers(struct sctp_tcb * stcb)869 sctp_start_net_timers(struct sctp_tcb *stcb)
870 {
871 uint32_t cnt_hb_sent;
872 struct sctp_nets *net;
873
874 cnt_hb_sent = 0;
875 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
876 /* For each network start:
877 * 1) A pmtu timer.
878 * 2) A HB timer
879 * 3) If the dest in unconfirmed send
880 * a hb as well if under max_hb_burst have
881 * been sent.
882 */
883 sctp_timer_start(SCTP_TIMER_TYPE_PATHMTURAISE, stcb->sctp_ep, stcb, net);
884 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net);
885 if ((net->dest_state & SCTP_ADDR_UNCONFIRMED) &&
886 (cnt_hb_sent < SCTP_BASE_SYSCTL(sctp_hb_maxburst))) {
887 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
888 cnt_hb_sent++;
889 }
890 }
891 if (cnt_hb_sent) {
892 sctp_chunk_output(stcb->sctp_ep, stcb,
893 SCTP_OUTPUT_FROM_COOKIE_ACK,
894 SCTP_SO_NOT_LOCKED);
895 }
896 }
897
898
899 static void
sctp_handle_shutdown(struct sctp_shutdown_chunk * cp,struct sctp_tcb * stcb,struct sctp_nets * net,int * abort_flag)900 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp,
901 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag)
902 {
903 struct sctp_association *asoc;
904 int some_on_streamwheel;
905 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
906 struct socket *so;
907 #endif
908
909 SCTPDBG(SCTP_DEBUG_INPUT2,
910 "sctp_handle_shutdown: handling SHUTDOWN\n");
911 if (stcb == NULL)
912 return;
913 asoc = &stcb->asoc;
914 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
915 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
916 return;
917 }
918 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) {
919 /* Shutdown NOT the expected size */
920 return;
921 } else {
922 sctp_update_acked(stcb, cp, abort_flag);
923 if (*abort_flag) {
924 return;
925 }
926 }
927 if (asoc->control_pdapi) {
928 /* With a normal shutdown
929 * we assume the end of last record.
930 */
931 SCTP_INP_READ_LOCK(stcb->sctp_ep);
932 asoc->control_pdapi->end_added = 1;
933 asoc->control_pdapi->pdapi_aborted = 1;
934 asoc->control_pdapi = NULL;
935 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
936 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
937 so = SCTP_INP_SO(stcb->sctp_ep);
938 atomic_add_int(&stcb->asoc.refcnt, 1);
939 SCTP_TCB_UNLOCK(stcb);
940 SCTP_SOCKET_LOCK(so, 1);
941 SCTP_TCB_LOCK(stcb);
942 atomic_subtract_int(&stcb->asoc.refcnt, 1);
943 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
944 /* assoc was freed while we were unlocked */
945 SCTP_SOCKET_UNLOCK(so, 1);
946 return;
947 }
948 #endif
949 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
950 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
951 SCTP_SOCKET_UNLOCK(so, 1);
952 #endif
953 }
954 /* goto SHUTDOWN_RECEIVED state to block new requests */
955 if (stcb->sctp_socket) {
956 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
957 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) &&
958 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
959 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_RECEIVED);
960 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
961 /* notify upper layer that peer has initiated a shutdown */
962 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
963
964 /* reset time */
965 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
966 }
967 }
968 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) {
969 /*
970 * stop the shutdown timer, since we WILL move to
971 * SHUTDOWN-ACK-SENT.
972 */
973 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_8);
974 }
975 /* Now is there unsent data on a stream somewhere? */
976 some_on_streamwheel = sctp_is_there_unsent_data(stcb, SCTP_SO_NOT_LOCKED);
977
978 if (!TAILQ_EMPTY(&asoc->send_queue) ||
979 !TAILQ_EMPTY(&asoc->sent_queue) ||
980 some_on_streamwheel) {
981 /* By returning we will push more data out */
982 return;
983 } else {
984 /* no outstanding data to send, so move on... */
985 /* send SHUTDOWN-ACK */
986 /* move to SHUTDOWN-ACK-SENT state */
987 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) ||
988 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) {
989 SCTP_STAT_DECR_GAUGE32(sctps_currestab);
990 }
991 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT);
992 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
993 sctp_stop_timers_for_shutdown(stcb);
994 sctp_send_shutdown_ack(stcb, net);
995 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep,
996 stcb, net);
997 }
998 }
999
1000 static void
sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk * cp SCTP_UNUSED,struct sctp_tcb * stcb,struct sctp_nets * net)1001 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp SCTP_UNUSED,
1002 struct sctp_tcb *stcb,
1003 struct sctp_nets *net)
1004 {
1005 struct sctp_association *asoc;
1006 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1007 struct socket *so;
1008
1009 so = SCTP_INP_SO(stcb->sctp_ep);
1010 #endif
1011 SCTPDBG(SCTP_DEBUG_INPUT2,
1012 "sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n");
1013 if (stcb == NULL)
1014 return;
1015
1016 asoc = &stcb->asoc;
1017 /* process according to association state */
1018 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
1019 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
1020 /* unexpected SHUTDOWN-ACK... do OOTB handling... */
1021 sctp_send_shutdown_complete(stcb, net, 1);
1022 SCTP_TCB_UNLOCK(stcb);
1023 return;
1024 }
1025 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
1026 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
1027 /* unexpected SHUTDOWN-ACK... so ignore... */
1028 SCTP_TCB_UNLOCK(stcb);
1029 return;
1030 }
1031 if (asoc->control_pdapi) {
1032 /* With a normal shutdown
1033 * we assume the end of last record.
1034 */
1035 SCTP_INP_READ_LOCK(stcb->sctp_ep);
1036 asoc->control_pdapi->end_added = 1;
1037 asoc->control_pdapi->pdapi_aborted = 1;
1038 asoc->control_pdapi = NULL;
1039 SCTP_INP_READ_UNLOCK(stcb->sctp_ep);
1040 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1041 atomic_add_int(&stcb->asoc.refcnt, 1);
1042 SCTP_TCB_UNLOCK(stcb);
1043 SCTP_SOCKET_LOCK(so, 1);
1044 SCTP_TCB_LOCK(stcb);
1045 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1046 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1047 /* assoc was freed while we were unlocked */
1048 SCTP_SOCKET_UNLOCK(so, 1);
1049 return;
1050 }
1051 #endif
1052 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket);
1053 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1054 SCTP_SOCKET_UNLOCK(so, 1);
1055 #endif
1056 }
1057 #ifdef INVARIANTS
1058 if (!TAILQ_EMPTY(&asoc->send_queue) ||
1059 !TAILQ_EMPTY(&asoc->sent_queue) ||
1060 !stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
1061 panic("Queues are not empty when handling SHUTDOWN-ACK");
1062 }
1063 #endif
1064 /* stop the timer */
1065 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_9);
1066 /* send SHUTDOWN-COMPLETE */
1067 sctp_send_shutdown_complete(stcb, net, 0);
1068 /* notify upper layer protocol */
1069 if (stcb->sctp_socket) {
1070 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1071 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
1072 stcb->sctp_socket->so_snd.sb_cc = 0;
1073 }
1074 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
1075 }
1076 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
1077 /* free the TCB but first save off the ep */
1078 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1079 atomic_add_int(&stcb->asoc.refcnt, 1);
1080 SCTP_TCB_UNLOCK(stcb);
1081 SCTP_SOCKET_LOCK(so, 1);
1082 SCTP_TCB_LOCK(stcb);
1083 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1084 #endif
1085 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
1086 SCTP_FROM_SCTP_INPUT+SCTP_LOC_10);
1087 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1088 SCTP_SOCKET_UNLOCK(so, 1);
1089 #endif
1090 }
1091
1092 /*
1093 * Skip past the param header and then we will find the chunk that caused the
1094 * problem. There are two possiblities ASCONF or FWD-TSN other than that and
1095 * our peer must be broken.
1096 */
1097 static void
sctp_process_unrecog_chunk(struct sctp_tcb * stcb,struct sctp_paramhdr * phdr,struct sctp_nets * net)1098 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr,
1099 struct sctp_nets *net)
1100 {
1101 struct sctp_chunkhdr *chk;
1102
1103 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr));
1104 switch (chk->chunk_type) {
1105 case SCTP_ASCONF_ACK:
1106 case SCTP_ASCONF:
1107 sctp_asconf_cleanup(stcb, net);
1108 break;
1109 case SCTP_FORWARD_CUM_TSN:
1110 stcb->asoc.prsctp_supported = 0;
1111 break;
1112 default:
1113 SCTPDBG(SCTP_DEBUG_INPUT2,
1114 "Peer does not support chunk type %d(%x)??\n",
1115 chk->chunk_type, (uint32_t) chk->chunk_type);
1116 break;
1117 }
1118 }
1119
1120 /*
1121 * Skip past the param header and then we will find the param that caused the
1122 * problem. There are a number of param's in a ASCONF OR the prsctp param
1123 * these will turn of specific features.
1124 * XXX: Is this the right thing to do?
1125 */
1126 static void
sctp_process_unrecog_param(struct sctp_tcb * stcb,struct sctp_paramhdr * phdr)1127 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr)
1128 {
1129 struct sctp_paramhdr *pbad;
1130
1131 pbad = phdr + 1;
1132 switch (ntohs(pbad->param_type)) {
1133 /* pr-sctp draft */
1134 case SCTP_PRSCTP_SUPPORTED:
1135 stcb->asoc.prsctp_supported = 0;
1136 break;
1137 case SCTP_SUPPORTED_CHUNK_EXT:
1138 break;
1139 /* draft-ietf-tsvwg-addip-sctp */
1140 case SCTP_HAS_NAT_SUPPORT:
1141 stcb->asoc.peer_supports_nat = 0;
1142 break;
1143 case SCTP_ADD_IP_ADDRESS:
1144 case SCTP_DEL_IP_ADDRESS:
1145 case SCTP_SET_PRIM_ADDR:
1146 stcb->asoc.asconf_supported = 0;
1147 break;
1148 case SCTP_SUCCESS_REPORT:
1149 case SCTP_ERROR_CAUSE_IND:
1150 SCTPDBG(SCTP_DEBUG_INPUT2, "Huh, the peer does not support success? or error cause?\n");
1151 SCTPDBG(SCTP_DEBUG_INPUT2,
1152 "Turning off ASCONF to this strange peer\n");
1153 stcb->asoc.asconf_supported = 0;
1154 break;
1155 default:
1156 SCTPDBG(SCTP_DEBUG_INPUT2,
1157 "Peer does not support param type %d(%x)??\n",
1158 pbad->param_type, (uint32_t) pbad->param_type);
1159 break;
1160 }
1161 }
1162
1163 static int
sctp_handle_error(struct sctp_chunkhdr * ch,struct sctp_tcb * stcb,struct sctp_nets * net)1164 sctp_handle_error(struct sctp_chunkhdr *ch,
1165 struct sctp_tcb *stcb, struct sctp_nets *net)
1166 {
1167 int chklen;
1168 struct sctp_paramhdr *phdr;
1169 uint16_t error, error_type;
1170 uint16_t error_len;
1171 struct sctp_association *asoc;
1172 int adjust;
1173 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1174 struct socket *so;
1175 #endif
1176
1177 /* parse through all of the errors and process */
1178 asoc = &stcb->asoc;
1179 phdr = (struct sctp_paramhdr *)((caddr_t)ch +
1180 sizeof(struct sctp_chunkhdr));
1181 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr);
1182 error = 0;
1183 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) {
1184 /* Process an Error Cause */
1185 error_type = ntohs(phdr->param_type);
1186 error_len = ntohs(phdr->param_length);
1187 if ((error_len > chklen) || (error_len == 0)) {
1188 /* invalid param length for this param */
1189 SCTPDBG(SCTP_DEBUG_INPUT1, "Bogus length in error param- chunk left:%d errorlen:%d\n",
1190 chklen, error_len);
1191 return (0);
1192 }
1193 if (error == 0) {
1194 /* report the first error cause */
1195 error = error_type;
1196 }
1197 switch (error_type) {
1198 case SCTP_CAUSE_INVALID_STREAM:
1199 case SCTP_CAUSE_MISSING_PARAM:
1200 case SCTP_CAUSE_INVALID_PARAM:
1201 case SCTP_CAUSE_NO_USER_DATA:
1202 SCTPDBG(SCTP_DEBUG_INPUT1, "Software error we got a %d back? We have a bug :/ (or do they?)\n",
1203 error_type);
1204 break;
1205 case SCTP_CAUSE_NAT_COLLIDING_STATE:
1206 SCTPDBG(SCTP_DEBUG_INPUT2, "Received Colliding state abort flags:%x\n",
1207 ch->chunk_flags);
1208 if (sctp_handle_nat_colliding_state(stcb)) {
1209 return (0);
1210 }
1211 break;
1212 case SCTP_CAUSE_NAT_MISSING_STATE:
1213 SCTPDBG(SCTP_DEBUG_INPUT2, "Received missing state abort flags:%x\n",
1214 ch->chunk_flags);
1215 if (sctp_handle_nat_missing_state(stcb, net)) {
1216 return (0);
1217 }
1218 break;
1219 case SCTP_CAUSE_STALE_COOKIE:
1220 /*
1221 * We only act if we have echoed a cookie and are
1222 * waiting.
1223 */
1224 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
1225 int *p;
1226
1227 p = (int *)((caddr_t)phdr + sizeof(*phdr));
1228 /* Save the time doubled */
1229 asoc->cookie_preserve_req = ntohl(*p) << 1;
1230 asoc->stale_cookie_count++;
1231 if (asoc->stale_cookie_count >
1232 asoc->max_init_times) {
1233 sctp_abort_notification(stcb, 0, 0, NULL, SCTP_SO_NOT_LOCKED);
1234 /* now free the asoc */
1235 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1236 so = SCTP_INP_SO(stcb->sctp_ep);
1237 atomic_add_int(&stcb->asoc.refcnt, 1);
1238 SCTP_TCB_UNLOCK(stcb);
1239 SCTP_SOCKET_LOCK(so, 1);
1240 SCTP_TCB_LOCK(stcb);
1241 atomic_subtract_int(&stcb->asoc.refcnt, 1);
1242 #endif
1243 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC,
1244 SCTP_FROM_SCTP_INPUT+SCTP_LOC_11);
1245 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1246 SCTP_SOCKET_UNLOCK(so, 1);
1247 #endif
1248 return (-1);
1249 }
1250 /* blast back to INIT state */
1251 sctp_toss_old_cookies(stcb, &stcb->asoc);
1252 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED;
1253 asoc->state |= SCTP_STATE_COOKIE_WAIT;
1254 sctp_stop_all_cookie_timers(stcb);
1255 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
1256 }
1257 break;
1258 case SCTP_CAUSE_UNRESOLVABLE_ADDR:
1259 /*
1260 * Nothing we can do here, we don't do hostname
1261 * addresses so if the peer does not like my IPv6
1262 * (or IPv4 for that matter) it does not matter. If
1263 * they don't support that type of address, they can
1264 * NOT possibly get that packet type... i.e. with no
1265 * IPv6 you can't recieve a IPv6 packet. so we can
1266 * safely ignore this one. If we ever added support
1267 * for HOSTNAME Addresses, then we would need to do
1268 * something here.
1269 */
1270 break;
1271 case SCTP_CAUSE_UNRECOG_CHUNK:
1272 sctp_process_unrecog_chunk(stcb, phdr, net);
1273 break;
1274 case SCTP_CAUSE_UNRECOG_PARAM:
1275 sctp_process_unrecog_param(stcb, phdr);
1276 break;
1277 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN:
1278 /*
1279 * We ignore this since the timer will drive out a
1280 * new cookie anyway and there timer will drive us
1281 * to send a SHUTDOWN_COMPLETE. We can't send one
1282 * here since we don't have their tag.
1283 */
1284 break;
1285 case SCTP_CAUSE_DELETING_LAST_ADDR:
1286 case SCTP_CAUSE_RESOURCE_SHORTAGE:
1287 case SCTP_CAUSE_DELETING_SRC_ADDR:
1288 /*
1289 * We should NOT get these here, but in a
1290 * ASCONF-ACK.
1291 */
1292 SCTPDBG(SCTP_DEBUG_INPUT2, "Peer sends ASCONF errors in a Operational Error?<%d>?\n",
1293 error_type);
1294 break;
1295 case SCTP_CAUSE_OUT_OF_RESC:
1296 /*
1297 * And what, pray tell do we do with the fact that
1298 * the peer is out of resources? Not really sure we
1299 * could do anything but abort. I suspect this
1300 * should have came WITH an abort instead of in a
1301 * OP-ERROR.
1302 */
1303 break;
1304 default:
1305 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_handle_error: unknown error type = 0x%xh\n",
1306 error_type);
1307 break;
1308 }
1309 adjust = SCTP_SIZE32(error_len);
1310 chklen -= adjust;
1311 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust);
1312 }
1313 sctp_ulp_notify(SCTP_NOTIFY_REMOTE_ERROR, stcb, error, ch, SCTP_SO_NOT_LOCKED);
1314 return (0);
1315 }
1316
1317 static int
sctp_handle_init_ack(struct mbuf * m,int iphlen,int offset,struct sockaddr * src,struct sockaddr * dst,struct sctphdr * sh,struct sctp_init_ack_chunk * cp,struct sctp_tcb * stcb,struct sctp_nets * net,int * abort_no_unlock,uint8_t use_mflowid,uint32_t mflowid,uint32_t vrf_id)1318 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset,
1319 struct sockaddr *src, struct sockaddr *dst, struct sctphdr *sh,
1320 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb,
1321 struct sctp_nets *net, int *abort_no_unlock,
1322 #if defined(__FreeBSD__)
1323 uint8_t use_mflowid, uint32_t mflowid,
1324 #endif
1325 uint32_t vrf_id)
1326 {
1327 struct sctp_init_ack *init_ack;
1328 struct mbuf *op_err;
1329
1330 SCTPDBG(SCTP_DEBUG_INPUT2,
1331 "sctp_handle_init_ack: handling INIT-ACK\n");
1332
1333 if (stcb == NULL) {
1334 SCTPDBG(SCTP_DEBUG_INPUT2,
1335 "sctp_handle_init_ack: TCB is null\n");
1336 return (-1);
1337 }
1338 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) {
1339 /* Invalid length */
1340 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1341 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1342 src, dst, sh, op_err,
1343 #if defined(__FreeBSD__)
1344 use_mflowid, mflowid,
1345 #endif
1346 vrf_id, net->port);
1347 *abort_no_unlock = 1;
1348 return (-1);
1349 }
1350 init_ack = &cp->init;
1351 /* validate parameters */
1352 if (init_ack->initiate_tag == 0) {
1353 /* protocol error... send an abort */
1354 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1355 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1356 src, dst, sh, op_err,
1357 #if defined(__FreeBSD__)
1358 use_mflowid, mflowid,
1359 #endif
1360 vrf_id, net->port);
1361 *abort_no_unlock = 1;
1362 return (-1);
1363 }
1364 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) {
1365 /* protocol error... send an abort */
1366 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1367 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1368 src, dst, sh, op_err,
1369 #if defined(__FreeBSD__)
1370 use_mflowid, mflowid,
1371 #endif
1372 vrf_id, net->port);
1373 *abort_no_unlock = 1;
1374 return (-1);
1375 }
1376 if (init_ack->num_inbound_streams == 0) {
1377 /* protocol error... send an abort */
1378 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1379 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1380 src, dst, sh, op_err,
1381 #if defined(__FreeBSD__)
1382 use_mflowid, mflowid,
1383 #endif
1384 vrf_id, net->port);
1385 *abort_no_unlock = 1;
1386 return (-1);
1387 }
1388 if (init_ack->num_outbound_streams == 0) {
1389 /* protocol error... send an abort */
1390 op_err = sctp_generate_cause(SCTP_CAUSE_INVALID_PARAM, "");
1391 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen,
1392 src, dst, sh, op_err,
1393 #if defined(__FreeBSD__)
1394 use_mflowid, mflowid,
1395 #endif
1396 vrf_id, net->port);
1397 *abort_no_unlock = 1;
1398 return (-1);
1399 }
1400 /* process according to association state... */
1401 switch (stcb->asoc.state & SCTP_STATE_MASK) {
1402 case SCTP_STATE_COOKIE_WAIT:
1403 /* this is the expected state for this chunk */
1404 /* process the INIT-ACK parameters */
1405 if (stcb->asoc.primary_destination->dest_state &
1406 SCTP_ADDR_UNCONFIRMED) {
1407 /*
1408 * The primary is where we sent the INIT, we can
1409 * always consider it confirmed when the INIT-ACK is
1410 * returned. Do this before we load addresses
1411 * though.
1412 */
1413 stcb->asoc.primary_destination->dest_state &=
1414 ~SCTP_ADDR_UNCONFIRMED;
1415 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
1416 stcb, 0, (void *)stcb->asoc.primary_destination, SCTP_SO_NOT_LOCKED);
1417 }
1418 if (sctp_process_init_ack(m, iphlen, offset, src, dst, sh, cp, stcb,
1419 net, abort_no_unlock,
1420 #if defined(__FreeBSD__)
1421 use_mflowid, mflowid,
1422 #endif
1423 vrf_id) < 0) {
1424 /* error in parsing parameters */
1425 return (-1);
1426 }
1427 /* update our state */
1428 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to COOKIE-ECHOED state\n");
1429 SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_ECHOED);
1430
1431 /* reset the RTO calc */
1432 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
1433 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
1434 stcb->asoc.overall_error_count,
1435 0,
1436 SCTP_FROM_SCTP_INPUT,
1437 __LINE__);
1438 }
1439 stcb->asoc.overall_error_count = 0;
1440 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
1441 /*
1442 * collapse the init timer back in case of a exponential
1443 * backoff
1444 */
1445 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep,
1446 stcb, net);
1447 /*
1448 * the send at the end of the inbound data processing will
1449 * cause the cookie to be sent
1450 */
1451 break;
1452 case SCTP_STATE_SHUTDOWN_SENT:
1453 /* incorrect state... discard */
1454 break;
1455 case SCTP_STATE_COOKIE_ECHOED:
1456 /* incorrect state... discard */
1457 break;
1458 case SCTP_STATE_OPEN:
1459 /* incorrect state... discard */
1460 break;
1461 case SCTP_STATE_EMPTY:
1462 case SCTP_STATE_INUSE:
1463 default:
1464 /* incorrect state... discard */
1465 return (-1);
1466 break;
1467 }
1468 SCTPDBG(SCTP_DEBUG_INPUT1, "Leaving handle-init-ack end\n");
1469 return (0);
1470 }
1471
1472 static struct sctp_tcb *
1473 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
1474 struct sockaddr *src, struct sockaddr *dst,
1475 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1476 struct sctp_inpcb *inp, struct sctp_nets **netp,
1477 struct sockaddr *init_src, int *notification,
1478 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1479 #if defined(__FreeBSD__)
1480 uint8_t use_mflowid, uint32_t mflowid,
1481 #endif
1482 uint32_t vrf_id, uint16_t port);
1483
1484
1485 /*
1486 * handle a state cookie for an existing association m: input packet mbuf
1487 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a
1488 * "split" mbuf and the cookie signature does not exist offset: offset into
1489 * mbuf to the cookie-echo chunk
1490 */
1491 static struct sctp_tcb *
sctp_process_cookie_existing(struct mbuf * m,int iphlen,int offset,struct sockaddr * src,struct sockaddr * dst,struct sctphdr * sh,struct sctp_state_cookie * cookie,int cookie_len,struct sctp_inpcb * inp,struct sctp_tcb * stcb,struct sctp_nets ** netp,struct sockaddr * init_src,int * notification,int auth_skipped,uint32_t auth_offset,uint32_t auth_len,uint8_t use_mflowid,uint32_t mflowid,uint32_t vrf_id,uint16_t port)1492 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
1493 struct sockaddr *src, struct sockaddr *dst,
1494 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
1495 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets **netp,
1496 struct sockaddr *init_src, int *notification,
1497 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
1498 #if defined(__FreeBSD__)
1499 uint8_t use_mflowid, uint32_t mflowid,
1500 #endif
1501 uint32_t vrf_id, uint16_t port)
1502 {
1503 struct sctp_association *asoc;
1504 struct sctp_init_chunk *init_cp, init_buf;
1505 struct sctp_init_ack_chunk *initack_cp, initack_buf;
1506 struct sctp_nets *net;
1507 struct mbuf *op_err;
1508 int init_offset, initack_offset, i;
1509 int retval;
1510 int spec_flag = 0;
1511 uint32_t how_indx;
1512 #if defined(SCTP_DETAILED_STR_STATS)
1513 int j;
1514 #endif
1515
1516 net = *netp;
1517 /* I know that the TCB is non-NULL from the caller */
1518 asoc = &stcb->asoc;
1519 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) {
1520 if (asoc->cookie_how[how_indx] == 0)
1521 break;
1522 }
1523 if (how_indx < sizeof(asoc->cookie_how)) {
1524 asoc->cookie_how[how_indx] = 1;
1525 }
1526 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
1527 /* SHUTDOWN came in after sending INIT-ACK */
1528 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination);
1529 op_err = sctp_generate_cause(SCTP_CAUSE_COOKIE_IN_SHUTDOWN, "");
1530 sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err,
1531 #if defined(__FreeBSD__)
1532 use_mflowid, mflowid,
1533 #endif
1534 vrf_id, net->port);
1535 if (how_indx < sizeof(asoc->cookie_how))
1536 asoc->cookie_how[how_indx] = 2;
1537 return (NULL);
1538 }
1539 /*
1540 * find and validate the INIT chunk in the cookie (peer's info) the
1541 * INIT should start after the cookie-echo header struct (chunk
1542 * header, state cookie header struct)
1543 */
1544 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk);
1545
1546 init_cp = (struct sctp_init_chunk *)
1547 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
1548 (uint8_t *) & init_buf);
1549 if (init_cp == NULL) {
1550 /* could not pull a INIT chunk in cookie */
1551 return (NULL);
1552 }
1553 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
1554 return (NULL);
1555 }
1556 /*
1557 * find and validate the INIT-ACK chunk in the cookie (my info) the
1558 * INIT-ACK follows the INIT chunk
1559 */
1560 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length));
1561 initack_cp = (struct sctp_init_ack_chunk *)
1562 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
1563 (uint8_t *) & initack_buf);
1564 if (initack_cp == NULL) {
1565 /* could not pull INIT-ACK chunk in cookie */
1566 return (NULL);
1567 }
1568 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
1569 return (NULL);
1570 }
1571 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1572 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) {
1573 /*
1574 * case D in Section 5.2.4 Table 2: MMAA process accordingly
1575 * to get into the OPEN state
1576 */
1577 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1578 /*-
1579 * Opps, this means that we somehow generated two vtag's
1580 * the same. I.e. we did:
1581 * Us Peer
1582 * <---INIT(tag=a)------
1583 * ----INIT-ACK(tag=t)-->
1584 * ----INIT(tag=t)------> *1
1585 * <---INIT-ACK(tag=a)---
1586 * <----CE(tag=t)------------- *2
1587 *
1588 * At point *1 we should be generating a different
1589 * tag t'. Which means we would throw away the CE and send
1590 * ours instead. Basically this is case C (throw away side).
1591 */
1592 if (how_indx < sizeof(asoc->cookie_how))
1593 asoc->cookie_how[how_indx] = 17;
1594 return (NULL);
1595
1596 }
1597 switch (SCTP_GET_STATE(asoc)) {
1598 case SCTP_STATE_COOKIE_WAIT:
1599 case SCTP_STATE_COOKIE_ECHOED:
1600 /*
1601 * INIT was sent but got a COOKIE_ECHO with the
1602 * correct tags... just accept it...but we must
1603 * process the init so that we can make sure we
1604 * have the right seq no's.
1605 */
1606 /* First we must process the INIT !! */
1607 retval = sctp_process_init(init_cp, stcb);
1608 if (retval < 0) {
1609 if (how_indx < sizeof(asoc->cookie_how))
1610 asoc->cookie_how[how_indx] = 3;
1611 return (NULL);
1612 }
1613 /* we have already processed the INIT so no problem */
1614 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb,
1615 net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_12);
1616 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_13);
1617 /* update current state */
1618 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
1619 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1620 else
1621 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1622
1623 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1624 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1625 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1626 stcb->sctp_ep, stcb, asoc->primary_destination);
1627 }
1628 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1629 sctp_stop_all_cookie_timers(stcb);
1630 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1631 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1632 (inp->sctp_socket->so_qlimit == 0)
1633 ) {
1634 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1635 struct socket *so;
1636 #endif
1637 /*
1638 * Here is where collision would go if we
1639 * did a connect() and instead got a
1640 * init/init-ack/cookie done before the
1641 * init-ack came back..
1642 */
1643 stcb->sctp_ep->sctp_flags |=
1644 SCTP_PCB_FLAGS_CONNECTED;
1645 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1646 so = SCTP_INP_SO(stcb->sctp_ep);
1647 atomic_add_int(&stcb->asoc.refcnt, 1);
1648 SCTP_TCB_UNLOCK(stcb);
1649 SCTP_SOCKET_LOCK(so, 1);
1650 SCTP_TCB_LOCK(stcb);
1651 atomic_add_int(&stcb->asoc.refcnt, -1);
1652 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1653 SCTP_SOCKET_UNLOCK(so, 1);
1654 return (NULL);
1655 }
1656 #endif
1657 soisconnected(stcb->sctp_socket);
1658 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1659 SCTP_SOCKET_UNLOCK(so, 1);
1660 #endif
1661 }
1662 /* notify upper layer */
1663 *notification = SCTP_NOTIFY_ASSOC_UP;
1664 /*
1665 * since we did not send a HB make sure we
1666 * don't double things
1667 */
1668 net->hb_responded = 1;
1669 net->RTO = sctp_calculate_rto(stcb, asoc, net,
1670 &cookie->time_entered,
1671 sctp_align_unsafe_makecopy,
1672 SCTP_RTT_FROM_NON_DATA);
1673
1674 if (stcb->asoc.sctp_autoclose_ticks &&
1675 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) {
1676 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
1677 inp, stcb, NULL);
1678 }
1679 break;
1680 default:
1681 /*
1682 * we're in the OPEN state (or beyond), so
1683 * peer must have simply lost the COOKIE-ACK
1684 */
1685 break;
1686 } /* end switch */
1687 sctp_stop_all_cookie_timers(stcb);
1688 /*
1689 * We ignore the return code here.. not sure if we should
1690 * somehow abort.. but we do have an existing asoc. This
1691 * really should not fail.
1692 */
1693 if (sctp_load_addresses_from_init(stcb, m,
1694 init_offset + sizeof(struct sctp_init_chunk),
1695 initack_offset, src, dst, init_src)) {
1696 if (how_indx < sizeof(asoc->cookie_how))
1697 asoc->cookie_how[how_indx] = 4;
1698 return (NULL);
1699 }
1700 /* respond with a COOKIE-ACK */
1701 sctp_toss_old_cookies(stcb, asoc);
1702 sctp_send_cookie_ack(stcb);
1703 if (how_indx < sizeof(asoc->cookie_how))
1704 asoc->cookie_how[how_indx] = 5;
1705 return (stcb);
1706 }
1707
1708 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1709 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag &&
1710 cookie->tie_tag_my_vtag == 0 &&
1711 cookie->tie_tag_peer_vtag == 0) {
1712 /*
1713 * case C in Section 5.2.4 Table 2: XMOO silently discard
1714 */
1715 if (how_indx < sizeof(asoc->cookie_how))
1716 asoc->cookie_how[how_indx] = 6;
1717 return (NULL);
1718 }
1719 /* If nat support, and the below and stcb is established,
1720 * send back a ABORT(colliding state) if we are established.
1721 */
1722 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) &&
1723 (asoc->peer_supports_nat) &&
1724 ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1725 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
1726 (asoc->peer_vtag == 0)))) {
1727 /* Special case - Peer's support nat. We may have
1728 * two init's that we gave out the same tag on since
1729 * one was not established.. i.e. we get INIT from host-1
1730 * behind the nat and we respond tag-a, we get a INIT from
1731 * host-2 behind the nat and we get tag-a again. Then we
1732 * bring up host-1 (or 2's) assoc, Then comes the cookie
1733 * from hsot-2 (or 1). Now we have colliding state. We must
1734 * send an abort here with colliding state indication.
1735 */
1736 op_err = sctp_generate_cause(SCTP_CAUSE_NAT_COLLIDING_STATE, "");
1737 sctp_send_abort(m, iphlen, src, dst, sh, 0, op_err,
1738 #if defined(__FreeBSD__)
1739 use_mflowid, mflowid,
1740 #endif
1741 vrf_id, port);
1742 return (NULL);
1743 }
1744 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) &&
1745 ((ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) ||
1746 (asoc->peer_vtag == 0))) {
1747 /*
1748 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info
1749 * should be ok, re-accept peer info
1750 */
1751 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) {
1752 /* Extension of case C.
1753 * If we hit this, then the random number
1754 * generator returned the same vtag when we
1755 * first sent our INIT-ACK and when we later sent
1756 * our INIT. The side with the seq numbers that are
1757 * different will be the one that normnally would
1758 * have hit case C. This in effect "extends" our vtags
1759 * in this collision case to be 64 bits. The same collision
1760 * could occur aka you get both vtag and seq number the
1761 * same twice in a row.. but is much less likely. If it
1762 * did happen then we would proceed through and bring
1763 * up the assoc.. we may end up with the wrong stream
1764 * setup however.. which would be bad.. but there is
1765 * no way to tell.. until we send on a stream that does
1766 * not exist :-)
1767 */
1768 if (how_indx < sizeof(asoc->cookie_how))
1769 asoc->cookie_how[how_indx] = 7;
1770
1771 return (NULL);
1772 }
1773 if (how_indx < sizeof(asoc->cookie_how))
1774 asoc->cookie_how[how_indx] = 8;
1775 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_14);
1776 sctp_stop_all_cookie_timers(stcb);
1777 /*
1778 * since we did not send a HB make sure we don't double
1779 * things
1780 */
1781 net->hb_responded = 1;
1782 if (stcb->asoc.sctp_autoclose_ticks &&
1783 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
1784 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb,
1785 NULL);
1786 }
1787 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1788 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
1789
1790 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
1791 /* Ok the peer probably discarded our
1792 * data (if we echoed a cookie+data). So anything
1793 * on the sent_queue should be marked for
1794 * retransmit, we may not get something to
1795 * kick us so it COULD still take a timeout
1796 * to move these.. but it can't hurt to mark them.
1797 */
1798 struct sctp_tmit_chunk *chk;
1799 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) {
1800 if (chk->sent < SCTP_DATAGRAM_RESEND) {
1801 chk->sent = SCTP_DATAGRAM_RESEND;
1802 sctp_flight_size_decrease(chk);
1803 sctp_total_flight_decrease(stcb, chk);
1804 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
1805 spec_flag++;
1806 }
1807 }
1808
1809 }
1810 /* process the INIT info (peer's info) */
1811 retval = sctp_process_init(init_cp, stcb);
1812 if (retval < 0) {
1813 if (how_indx < sizeof(asoc->cookie_how))
1814 asoc->cookie_how[how_indx] = 9;
1815 return (NULL);
1816 }
1817 if (sctp_load_addresses_from_init(stcb, m,
1818 init_offset + sizeof(struct sctp_init_chunk),
1819 initack_offset, src, dst, init_src)) {
1820 if (how_indx < sizeof(asoc->cookie_how))
1821 asoc->cookie_how[how_indx] = 10;
1822 return (NULL);
1823 }
1824 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) ||
1825 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) {
1826 *notification = SCTP_NOTIFY_ASSOC_UP;
1827
1828 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
1829 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
1830 (inp->sctp_socket->so_qlimit == 0)) {
1831 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1832 struct socket *so;
1833 #endif
1834 stcb->sctp_ep->sctp_flags |=
1835 SCTP_PCB_FLAGS_CONNECTED;
1836 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1837 so = SCTP_INP_SO(stcb->sctp_ep);
1838 atomic_add_int(&stcb->asoc.refcnt, 1);
1839 SCTP_TCB_UNLOCK(stcb);
1840 SCTP_SOCKET_LOCK(so, 1);
1841 SCTP_TCB_LOCK(stcb);
1842 atomic_add_int(&stcb->asoc.refcnt, -1);
1843 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
1844 SCTP_SOCKET_UNLOCK(so, 1);
1845 return (NULL);
1846 }
1847 #endif
1848 soisconnected(stcb->sctp_socket);
1849 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1850 SCTP_SOCKET_UNLOCK(so, 1);
1851 #endif
1852 }
1853 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)
1854 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
1855 else
1856 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1857 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1858 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
1859 SCTP_STAT_INCR_COUNTER32(sctps_restartestab);
1860 } else {
1861 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab);
1862 }
1863 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1864 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1865 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1866 stcb->sctp_ep, stcb, asoc->primary_destination);
1867 }
1868 sctp_stop_all_cookie_timers(stcb);
1869 sctp_toss_old_cookies(stcb, asoc);
1870 sctp_send_cookie_ack(stcb);
1871 if (spec_flag) {
1872 /* only if we have retrans set do we do this. What
1873 * this call does is get only the COOKIE-ACK out
1874 * and then when we return the normal call to
1875 * sctp_chunk_output will get the retrans out
1876 * behind this.
1877 */
1878 sctp_chunk_output(inp,stcb, SCTP_OUTPUT_FROM_COOKIE_ACK, SCTP_SO_NOT_LOCKED);
1879 }
1880 if (how_indx < sizeof(asoc->cookie_how))
1881 asoc->cookie_how[how_indx] = 11;
1882
1883 return (stcb);
1884 }
1885 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag &&
1886 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) &&
1887 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce &&
1888 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce &&
1889 cookie->tie_tag_peer_vtag != 0) {
1890 struct sctpasochead *head;
1891 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1892 struct socket *so;
1893 #endif
1894
1895 if (asoc->peer_supports_nat) {
1896 /* This is a gross gross hack.
1897 * Just call the cookie_new code since we
1898 * are allowing a duplicate association.
1899 * I hope this works...
1900 */
1901 return (sctp_process_cookie_new(m, iphlen, offset, src, dst,
1902 sh, cookie, cookie_len,
1903 inp, netp, init_src,notification,
1904 auth_skipped, auth_offset, auth_len,
1905 #if defined(__FreeBSD__)
1906 use_mflowid, mflowid,
1907 #endif
1908 vrf_id, port));
1909 }
1910 /*
1911 * case A in Section 5.2.4 Table 2: XXMM (peer restarted)
1912 */
1913 /* temp code */
1914 if (how_indx < sizeof(asoc->cookie_how))
1915 asoc->cookie_how[how_indx] = 12;
1916 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_15);
1917 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_16);
1918
1919 /* notify upper layer */
1920 *notification = SCTP_NOTIFY_ASSOC_RESTART;
1921 atomic_add_int(&stcb->asoc.refcnt, 1);
1922 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) &&
1923 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
1924 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) {
1925 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
1926 }
1927 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
1928 SCTP_STAT_INCR_GAUGE32(sctps_restartestab);
1929 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) {
1930 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab);
1931 }
1932 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
1933 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1934 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
1935 stcb->sctp_ep, stcb, asoc->primary_destination);
1936
1937 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) {
1938 /* move to OPEN state, if not in SHUTDOWN_SENT */
1939 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
1940 }
1941 asoc->pre_open_streams =
1942 ntohs(initack_cp->init.num_outbound_streams);
1943 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
1944 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
1945 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
1946
1947 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
1948
1949 asoc->str_reset_seq_in = asoc->init_seq_number;
1950
1951 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
1952 if (asoc->mapping_array) {
1953 memset(asoc->mapping_array, 0,
1954 asoc->mapping_array_size);
1955 }
1956 if (asoc->nr_mapping_array) {
1957 memset(asoc->nr_mapping_array, 0,
1958 asoc->mapping_array_size);
1959 }
1960 SCTP_TCB_UNLOCK(stcb);
1961 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
1962 so = SCTP_INP_SO(stcb->sctp_ep);
1963 SCTP_SOCKET_LOCK(so, 1);
1964 #endif
1965 SCTP_INP_INFO_WLOCK();
1966 SCTP_INP_WLOCK(stcb->sctp_ep);
1967 SCTP_TCB_LOCK(stcb);
1968 atomic_add_int(&stcb->asoc.refcnt, -1);
1969 /* send up all the data */
1970 SCTP_TCB_SEND_LOCK(stcb);
1971
1972 sctp_report_all_outbound(stcb, 0, 1, SCTP_SO_LOCKED);
1973 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
1974 stcb->asoc.strmout[i].chunks_on_queues = 0;
1975 #if defined(SCTP_DETAILED_STR_STATS)
1976 for (j = 0; j < SCTP_PR_SCTP_MAX + 1; j++) {
1977 asoc->strmout[i].abandoned_sent[j] = 0;
1978 asoc->strmout[i].abandoned_unsent[j] = 0;
1979 }
1980 #else
1981 asoc->strmout[i].abandoned_sent[0] = 0;
1982 asoc->strmout[i].abandoned_unsent[0] = 0;
1983 #endif
1984 stcb->asoc.strmout[i].stream_no = i;
1985 stcb->asoc.strmout[i].next_sequence_send = 0;
1986 stcb->asoc.strmout[i].last_msg_incomplete = 0;
1987 }
1988 /* process the INIT-ACK info (my info) */
1989 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
1990 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
1991
1992 /* pull from vtag hash */
1993 LIST_REMOVE(stcb, sctp_asocs);
1994 /* re-insert to new vtag position */
1995 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag,
1996 SCTP_BASE_INFO(hashasocmark))];
1997 /*
1998 * put it in the bucket in the vtag hash of assoc's for the
1999 * system
2000 */
2001 LIST_INSERT_HEAD(head, stcb, sctp_asocs);
2002
2003 SCTP_TCB_SEND_UNLOCK(stcb);
2004 SCTP_INP_WUNLOCK(stcb->sctp_ep);
2005 SCTP_INP_INFO_WUNLOCK();
2006 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2007 SCTP_SOCKET_UNLOCK(so, 1);
2008 #endif
2009 asoc->total_flight = 0;
2010 asoc->total_flight_count = 0;
2011 /* process the INIT info (peer's info) */
2012 retval = sctp_process_init(init_cp, stcb);
2013 if (retval < 0) {
2014 if (how_indx < sizeof(asoc->cookie_how))
2015 asoc->cookie_how[how_indx] = 13;
2016
2017 return (NULL);
2018 }
2019 /*
2020 * since we did not send a HB make sure we don't double
2021 * things
2022 */
2023 net->hb_responded = 1;
2024
2025 if (sctp_load_addresses_from_init(stcb, m,
2026 init_offset + sizeof(struct sctp_init_chunk),
2027 initack_offset, src, dst, init_src)) {
2028 if (how_indx < sizeof(asoc->cookie_how))
2029 asoc->cookie_how[how_indx] = 14;
2030
2031 return (NULL);
2032 }
2033 /* respond with a COOKIE-ACK */
2034 sctp_stop_all_cookie_timers(stcb);
2035 sctp_toss_old_cookies(stcb, asoc);
2036 sctp_send_cookie_ack(stcb);
2037 if (how_indx < sizeof(asoc->cookie_how))
2038 asoc->cookie_how[how_indx] = 15;
2039
2040 return (stcb);
2041 }
2042 if (how_indx < sizeof(asoc->cookie_how))
2043 asoc->cookie_how[how_indx] = 16;
2044 /* all other cases... */
2045 return (NULL);
2046 }
2047
2048
2049 /*
2050 * handle a state cookie for a new association m: input packet mbuf chain--
2051 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf
2052 * and the cookie signature does not exist offset: offset into mbuf to the
2053 * cookie-echo chunk length: length of the cookie chunk to: where the init
2054 * was from returns a new TCB
2055 */
2056 static struct sctp_tcb *
sctp_process_cookie_new(struct mbuf * m,int iphlen,int offset,struct sockaddr * src,struct sockaddr * dst,struct sctphdr * sh,struct sctp_state_cookie * cookie,int cookie_len,struct sctp_inpcb * inp,struct sctp_nets ** netp,struct sockaddr * init_src,int * notification,int auth_skipped,uint32_t auth_offset,uint32_t auth_len,uint8_t use_mflowid,uint32_t mflowid,uint32_t vrf_id,uint16_t port)2057 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
2058 struct sockaddr *src, struct sockaddr *dst,
2059 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len,
2060 struct sctp_inpcb *inp, struct sctp_nets **netp,
2061 struct sockaddr *init_src, int *notification,
2062 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
2063 #if defined(__FreeBSD__)
2064 uint8_t use_mflowid, uint32_t mflowid,
2065 #endif
2066 uint32_t vrf_id, uint16_t port)
2067 {
2068 struct sctp_tcb *stcb;
2069 struct sctp_init_chunk *init_cp, init_buf;
2070 struct sctp_init_ack_chunk *initack_cp, initack_buf;
2071 union sctp_sockstore store;
2072 struct sctp_association *asoc;
2073 int init_offset, initack_offset, initack_limit;
2074 int retval;
2075 int error = 0;
2076 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
2077 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2078 struct socket *so;
2079
2080 so = SCTP_INP_SO(inp);
2081 #endif
2082
2083 /*
2084 * find and validate the INIT chunk in the cookie (peer's info) the
2085 * INIT should start after the cookie-echo header struct (chunk
2086 * header, state cookie header struct)
2087 */
2088 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk);
2089 init_cp = (struct sctp_init_chunk *)
2090 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk),
2091 (uint8_t *) & init_buf);
2092 if (init_cp == NULL) {
2093 /* could not pull a INIT chunk in cookie */
2094 SCTPDBG(SCTP_DEBUG_INPUT1,
2095 "process_cookie_new: could not pull INIT chunk hdr\n");
2096 return (NULL);
2097 }
2098 if (init_cp->ch.chunk_type != SCTP_INITIATION) {
2099 SCTPDBG(SCTP_DEBUG_INPUT1, "HUH? process_cookie_new: could not find INIT chunk!\n");
2100 return (NULL);
2101 }
2102 initack_offset = init_offset + SCTP_SIZE32(ntohs(init_cp->ch.chunk_length));
2103 /*
2104 * find and validate the INIT-ACK chunk in the cookie (my info) the
2105 * INIT-ACK follows the INIT chunk
2106 */
2107 initack_cp = (struct sctp_init_ack_chunk *)
2108 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk),
2109 (uint8_t *) & initack_buf);
2110 if (initack_cp == NULL) {
2111 /* could not pull INIT-ACK chunk in cookie */
2112 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: could not pull INIT-ACK chunk hdr\n");
2113 return (NULL);
2114 }
2115 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) {
2116 return (NULL);
2117 }
2118 /*
2119 * NOTE: We can't use the INIT_ACK's chk_length to determine the
2120 * "initack_limit" value. This is because the chk_length field
2121 * includes the length of the cookie, but the cookie is omitted when
2122 * the INIT and INIT_ACK are tacked onto the cookie...
2123 */
2124 initack_limit = offset + cookie_len;
2125
2126 /*
2127 * now that we know the INIT/INIT-ACK are in place, create a new TCB
2128 * and popluate
2129 */
2130
2131 /*
2132 * Here we do a trick, we set in NULL for the proc/thread argument. We
2133 * do this since in effect we only use the p argument when
2134 * the socket is unbound and we must do an implicit bind.
2135 * Since we are getting a cookie, we cannot be unbound.
2136 */
2137 stcb = sctp_aloc_assoc(inp, init_src, &error,
2138 ntohl(initack_cp->init.initiate_tag), vrf_id,
2139 #if defined(__FreeBSD__) && __FreeBSD_version >= 500000
2140 (struct thread *)NULL
2141 #elif defined(__Windows__)
2142 (PKTHREAD)NULL
2143 #else
2144 (struct proc *)NULL
2145 #endif
2146 );
2147 if (stcb == NULL) {
2148 struct mbuf *op_err;
2149
2150 /* memory problem? */
2151 SCTPDBG(SCTP_DEBUG_INPUT1,
2152 "process_cookie_new: no room for another TCB!\n");
2153 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
2154 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
2155 src, dst, sh, op_err,
2156 #if defined(__FreeBSD__)
2157 use_mflowid, mflowid,
2158 #endif
2159 vrf_id, port);
2160 return (NULL);
2161 }
2162 /* get the correct sctp_nets */
2163 if (netp)
2164 *netp = sctp_findnet(stcb, init_src);
2165
2166 asoc = &stcb->asoc;
2167 /* get scope variables out of cookie */
2168 asoc->scope.ipv4_local_scope = cookie->ipv4_scope;
2169 asoc->scope.site_scope = cookie->site_scope;
2170 asoc->scope.local_scope = cookie->local_scope;
2171 asoc->scope.loopback_scope = cookie->loopback_scope;
2172
2173 #if defined(__Userspace__)
2174 if ((asoc->scope.ipv4_addr_legal != cookie->ipv4_addr_legal) ||
2175 (asoc->scope.ipv6_addr_legal != cookie->ipv6_addr_legal) ||
2176 (asoc->scope.conn_addr_legal != cookie->conn_addr_legal)) {
2177 #else
2178 if ((asoc->scope.ipv4_addr_legal != cookie->ipv4_addr_legal) ||
2179 (asoc->scope.ipv6_addr_legal != cookie->ipv6_addr_legal)) {
2180 #endif
2181 struct mbuf *op_err;
2182
2183 /*
2184 * Houston we have a problem. The EP changed while the
2185 * cookie was in flight. Only recourse is to abort the
2186 * association.
2187 */
2188 atomic_add_int(&stcb->asoc.refcnt, 1);
2189 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
2190 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen,
2191 src, dst, sh, op_err,
2192 #if defined(__FreeBSD__)
2193 use_mflowid, mflowid,
2194 #endif
2195 vrf_id, port);
2196 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2197 SCTP_TCB_UNLOCK(stcb);
2198 SCTP_SOCKET_LOCK(so, 1);
2199 SCTP_TCB_LOCK(stcb);
2200 #endif
2201 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC,
2202 SCTP_FROM_SCTP_INPUT+SCTP_LOC_16);
2203 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2204 SCTP_SOCKET_UNLOCK(so, 1);
2205 #endif
2206 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2207 return (NULL);
2208 }
2209 /* process the INIT-ACK info (my info) */
2210 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
2211 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
2212 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
2213 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
2214 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number;
2215 asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
2216 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1;
2217 asoc->str_reset_seq_in = asoc->init_seq_number;
2218
2219 asoc->advanced_peer_ack_point = asoc->last_acked_seq;
2220
2221 /* process the INIT info (peer's info) */
2222 if (netp)
2223 retval = sctp_process_init(init_cp, stcb);
2224 else
2225 retval = 0;
2226 if (retval < 0) {
2227 atomic_add_int(&stcb->asoc.refcnt, 1);
2228 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2229 SCTP_TCB_UNLOCK(stcb);
2230 SCTP_SOCKET_LOCK(so, 1);
2231 SCTP_TCB_LOCK(stcb);
2232 #endif
2233 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT+SCTP_LOC_16);
2234 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2235 SCTP_SOCKET_UNLOCK(so, 1);
2236 #endif
2237 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2238 return (NULL);
2239 }
2240 /* load all addresses */
2241 if (sctp_load_addresses_from_init(stcb, m,
2242 init_offset + sizeof(struct sctp_init_chunk), initack_offset,
2243 src, dst, init_src)) {
2244 atomic_add_int(&stcb->asoc.refcnt, 1);
2245 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2246 SCTP_TCB_UNLOCK(stcb);
2247 SCTP_SOCKET_LOCK(so, 1);
2248 SCTP_TCB_LOCK(stcb);
2249 #endif
2250 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT+SCTP_LOC_17);
2251 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2252 SCTP_SOCKET_UNLOCK(so, 1);
2253 #endif
2254 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2255 return (NULL);
2256 }
2257 /*
2258 * verify any preceding AUTH chunk that was skipped
2259 */
2260 /* pull the local authentication parameters from the cookie/init-ack */
2261 sctp_auth_get_cookie_params(stcb, m,
2262 initack_offset + sizeof(struct sctp_init_ack_chunk),
2263 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)));
2264 if (auth_skipped) {
2265 struct sctp_auth_chunk *auth;
2266
2267 auth = (struct sctp_auth_chunk *)
2268 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
2269 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
2270 /* auth HMAC failed, dump the assoc and packet */
2271 SCTPDBG(SCTP_DEBUG_AUTH1,
2272 "COOKIE-ECHO: AUTH failed\n");
2273 atomic_add_int(&stcb->asoc.refcnt, 1);
2274 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2275 SCTP_TCB_UNLOCK(stcb);
2276 SCTP_SOCKET_LOCK(so, 1);
2277 SCTP_TCB_LOCK(stcb);
2278 #endif
2279 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT+SCTP_LOC_18);
2280 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2281 SCTP_SOCKET_UNLOCK(so, 1);
2282 #endif
2283 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2284 return (NULL);
2285 } else {
2286 /* remaining chunks checked... good to go */
2287 stcb->asoc.authenticated = 1;
2288 }
2289 }
2290 /* update current state */
2291 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
2292 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
2293 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
2294 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
2295 stcb->sctp_ep, stcb, asoc->primary_destination);
2296 }
2297 sctp_stop_all_cookie_timers(stcb);
2298 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab);
2299 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
2300
2301 /*
2302 * if we're doing ASCONFs, check to see if we have any new local
2303 * addresses that need to get added to the peer (eg. addresses
2304 * changed while cookie echo in flight). This needs to be done
2305 * after we go to the OPEN state to do the correct asconf
2306 * processing. else, make sure we have the correct addresses in our
2307 * lists
2308 */
2309
2310 /* warning, we re-use sin, sin6, sa_store here! */
2311 /* pull in local_address (our "from" address) */
2312 switch (cookie->laddr_type) {
2313 #ifdef INET
2314 case SCTP_IPV4_ADDRESS:
2315 /* source addr is IPv4 */
2316 memset(&store.sin, 0, sizeof(struct sockaddr_in));
2317 store.sin.sin_family = AF_INET;
2318 #ifdef HAVE_SIN_LEN
2319 store.sin.sin_len = sizeof(struct sockaddr_in);
2320 #endif
2321 store.sin.sin_addr.s_addr = cookie->laddress[0];
2322 break;
2323 #endif
2324 #ifdef INET6
2325 case SCTP_IPV6_ADDRESS:
2326 /* source addr is IPv6 */
2327 memset(&store.sin6, 0, sizeof(struct sockaddr_in6));
2328 store.sin6.sin6_family = AF_INET6;
2329 #ifdef HAVE_SIN6_LEN
2330 store.sin6.sin6_len = sizeof(struct sockaddr_in6);
2331 #endif
2332 store.sin6.sin6_scope_id = cookie->scope_id;
2333 memcpy(&store.sin6.sin6_addr, cookie->laddress, sizeof(struct in6_addr));
2334 break;
2335 #endif
2336 #if defined(__Userspace__)
2337 case SCTP_CONN_ADDRESS:
2338 /* source addr is conn */
2339 memset(&store.sconn, 0, sizeof(struct sockaddr_conn));
2340 store.sconn.sconn_family = AF_CONN;
2341 #ifdef HAVE_SCONN_LEN
2342 store.sconn.sconn_len = sizeof(struct sockaddr_conn);
2343 #endif
2344 memcpy(&store.sconn.sconn_addr, cookie->laddress, sizeof(void *));
2345 break;
2346 #endif
2347 default:
2348 atomic_add_int(&stcb->asoc.refcnt, 1);
2349 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2350 SCTP_TCB_UNLOCK(stcb);
2351 SCTP_SOCKET_LOCK(so, 1);
2352 SCTP_TCB_LOCK(stcb);
2353 #endif
2354 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT+SCTP_LOC_19);
2355 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2356 SCTP_SOCKET_UNLOCK(so, 1);
2357 #endif
2358 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2359 return (NULL);
2360 }
2361
2362 /* set up to notify upper layer */
2363 *notification = SCTP_NOTIFY_ASSOC_UP;
2364 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
2365 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
2366 (inp->sctp_socket->so_qlimit == 0)) {
2367 /*
2368 * This is an endpoint that called connect() how it got a
2369 * cookie that is NEW is a bit of a mystery. It must be that
2370 * the INIT was sent, but before it got there.. a complete
2371 * INIT/INIT-ACK/COOKIE arrived. But of course then it
2372 * should have went to the other code.. not here.. oh well..
2373 * a bit of protection is worth having..
2374 */
2375 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
2376 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2377 atomic_add_int(&stcb->asoc.refcnt, 1);
2378 SCTP_TCB_UNLOCK(stcb);
2379 SCTP_SOCKET_LOCK(so, 1);
2380 SCTP_TCB_LOCK(stcb);
2381 atomic_subtract_int(&stcb->asoc.refcnt, 1);
2382 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
2383 SCTP_SOCKET_UNLOCK(so, 1);
2384 return (NULL);
2385 }
2386 #endif
2387 soisconnected(stcb->sctp_socket);
2388 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2389 SCTP_SOCKET_UNLOCK(so, 1);
2390 #endif
2391 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
2392 (inp->sctp_socket->so_qlimit)) {
2393 /*
2394 * We don't want to do anything with this one. Since it is
2395 * the listening guy. The timer will get started for
2396 * accepted connections in the caller.
2397 */
2398 ;
2399 }
2400 /* since we did not send a HB make sure we don't double things */
2401 if ((netp) && (*netp))
2402 (*netp)->hb_responded = 1;
2403
2404 if (stcb->asoc.sctp_autoclose_ticks &&
2405 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) {
2406 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL);
2407 }
2408 /* calculate the RTT */
2409 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered);
2410 if ((netp) && (*netp)) {
2411 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp,
2412 &cookie->time_entered, sctp_align_unsafe_makecopy,
2413 SCTP_RTT_FROM_NON_DATA);
2414 }
2415 /* respond with a COOKIE-ACK */
2416 sctp_send_cookie_ack(stcb);
2417
2418 /*
2419 * check the address lists for any ASCONFs that need to be sent
2420 * AFTER the cookie-ack is sent
2421 */
2422 sctp_check_address_list(stcb, m,
2423 initack_offset + sizeof(struct sctp_init_ack_chunk),
2424 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)),
2425 &store.sa, cookie->local_scope, cookie->site_scope,
2426 cookie->ipv4_scope, cookie->loopback_scope);
2427
2428
2429 return (stcb);
2430 }
2431
2432 /*
2433 * CODE LIKE THIS NEEDS TO RUN IF the peer supports the NAT extension, i.e
2434 * we NEED to make sure we are not already using the vtag. If so we
2435 * need to send back an ABORT-TRY-AGAIN-WITH-NEW-TAG No middle box bit!
2436 head = &SCTP_BASE_INFO(sctp_asochash)[SCTP_PCBHASH_ASOC(tag,
2437 SCTP_BASE_INFO(hashasocmark))];
2438 LIST_FOREACH(stcb, head, sctp_asocs) {
2439 if ((stcb->asoc.my_vtag == tag) && (stcb->rport == rport) && (inp == stcb->sctp_ep)) {
2440 -- SEND ABORT - TRY AGAIN --
2441 }
2442 }
2443 */
2444
2445 /*
2446 * handles a COOKIE-ECHO message stcb: modified to either a new or left as
2447 * existing (non-NULL) TCB
2448 */
2449 static struct mbuf *
2450 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
2451 struct sockaddr *src, struct sockaddr *dst,
2452 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp,
2453 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp,
2454 int auth_skipped, uint32_t auth_offset, uint32_t auth_len,
2455 struct sctp_tcb **locked_tcb,
2456 #if defined(__FreeBSD__)
2457 uint8_t use_mflowid, uint32_t mflowid,
2458 #endif
2459 uint32_t vrf_id, uint16_t port)
2460 {
2461 struct sctp_state_cookie *cookie;
2462 struct sctp_tcb *l_stcb = *stcb;
2463 struct sctp_inpcb *l_inp;
2464 struct sockaddr *to;
2465 struct sctp_pcb *ep;
2466 struct mbuf *m_sig;
2467 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE];
2468 uint8_t *sig;
2469 uint8_t cookie_ok = 0;
2470 unsigned int sig_offset, cookie_offset;
2471 unsigned int cookie_len;
2472 struct timeval now;
2473 struct timeval time_expires;
2474 int notification = 0;
2475 struct sctp_nets *netl;
2476 int had_a_existing_tcb = 0;
2477 int send_int_conf = 0;
2478 #ifdef INET
2479 struct sockaddr_in sin;
2480 #endif
2481 #ifdef INET6
2482 struct sockaddr_in6 sin6;
2483 #endif
2484 #if defined(__Userspace__)
2485 struct sockaddr_conn sconn;
2486 #endif
2487
2488 SCTPDBG(SCTP_DEBUG_INPUT2,
2489 "sctp_handle_cookie: handling COOKIE-ECHO\n");
2490
2491 if (inp_p == NULL) {
2492 return (NULL);
2493 }
2494 cookie = &cp->cookie;
2495 cookie_offset = offset + sizeof(struct sctp_chunkhdr);
2496 cookie_len = ntohs(cp->ch.chunk_length);
2497
2498 if ((cookie->peerport != sh->src_port) &&
2499 (cookie->myport != sh->dest_port) &&
2500 (cookie->my_vtag != sh->v_tag)) {
2501 /*
2502 * invalid ports or bad tag. Note that we always leave the
2503 * v_tag in the header in network order and when we stored
2504 * it in the my_vtag slot we also left it in network order.
2505 * This maintains the match even though it may be in the
2506 * opposite byte order of the machine :->
2507 */
2508 return (NULL);
2509 }
2510 if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
2511 sizeof(struct sctp_init_chunk) +
2512 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
2513 /* cookie too small */
2514 return (NULL);
2515 }
2516 /*
2517 * split off the signature into its own mbuf (since it should not be
2518 * calculated in the sctp_hmac_m() call).
2519 */
2520 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE;
2521 m_sig = m_split(m, sig_offset, M_NOWAIT);
2522 if (m_sig == NULL) {
2523 /* out of memory or ?? */
2524 return (NULL);
2525 }
2526 #ifdef SCTP_MBUF_LOGGING
2527 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
2528 struct mbuf *mat;
2529
2530 for (mat = m_sig; mat; mat = SCTP_BUF_NEXT(mat)) {
2531 if (SCTP_BUF_IS_EXTENDED(mat)) {
2532 sctp_log_mb(mat, SCTP_MBUF_SPLIT);
2533 }
2534 }
2535 }
2536 #endif
2537
2538 /*
2539 * compute the signature/digest for the cookie
2540 */
2541 ep = &(*inp_p)->sctp_ep;
2542 l_inp = *inp_p;
2543 if (l_stcb) {
2544 SCTP_TCB_UNLOCK(l_stcb);
2545 }
2546 SCTP_INP_RLOCK(l_inp);
2547 if (l_stcb) {
2548 SCTP_TCB_LOCK(l_stcb);
2549 }
2550 /* which cookie is it? */
2551 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) &&
2552 (ep->current_secret_number != ep->last_secret_number)) {
2553 /* it's the old cookie */
2554 (void)sctp_hmac_m(SCTP_HMAC,
2555 (uint8_t *)ep->secret_key[(int)ep->last_secret_number],
2556 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2557 } else {
2558 /* it's the current cookie */
2559 (void)sctp_hmac_m(SCTP_HMAC,
2560 (uint8_t *)ep->secret_key[(int)ep->current_secret_number],
2561 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2562 }
2563 /* get the signature */
2564 SCTP_INP_RUNLOCK(l_inp);
2565 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig);
2566 if (sig == NULL) {
2567 /* couldn't find signature */
2568 sctp_m_freem(m_sig);
2569 return (NULL);
2570 }
2571 /* compare the received digest with the computed digest */
2572 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) {
2573 /* try the old cookie? */
2574 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) &&
2575 (ep->current_secret_number != ep->last_secret_number)) {
2576 /* compute digest with old */
2577 (void)sctp_hmac_m(SCTP_HMAC,
2578 (uint8_t *)ep->secret_key[(int)ep->last_secret_number],
2579 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig, 0);
2580 /* compare */
2581 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0)
2582 cookie_ok = 1;
2583 }
2584 } else {
2585 cookie_ok = 1;
2586 }
2587
2588 /*
2589 * Now before we continue we must reconstruct our mbuf so that
2590 * normal processing of any other chunks will work.
2591 */
2592 {
2593 struct mbuf *m_at;
2594
2595 m_at = m;
2596 while (SCTP_BUF_NEXT(m_at) != NULL) {
2597 m_at = SCTP_BUF_NEXT(m_at);
2598 }
2599 SCTP_BUF_NEXT(m_at) = m_sig;
2600 }
2601
2602 if (cookie_ok == 0) {
2603 SCTPDBG(SCTP_DEBUG_INPUT2, "handle_cookie_echo: cookie signature validation failed!\n");
2604 SCTPDBG(SCTP_DEBUG_INPUT2,
2605 "offset = %u, cookie_offset = %u, sig_offset = %u\n",
2606 (uint32_t) offset, cookie_offset, sig_offset);
2607 return (NULL);
2608 }
2609
2610 /*
2611 * check the cookie timestamps to be sure it's not stale
2612 */
2613 (void)SCTP_GETTIME_TIMEVAL(&now);
2614 /* Expire time is in Ticks, so we convert to seconds */
2615 time_expires.tv_sec = cookie->time_entered.tv_sec + TICKS_TO_SEC(cookie->cookie_life);
2616 time_expires.tv_usec = cookie->time_entered.tv_usec;
2617 /* TODO sctp_constants.h needs alternative time macros when
2618 * _KERNEL is undefined.
2619 */
2620 #ifndef __FreeBSD__
2621 if (timercmp(&now, &time_expires, >))
2622 #else
2623 if (timevalcmp(&now, &time_expires, >))
2624 #endif
2625 {
2626 /* cookie is stale! */
2627 struct mbuf *op_err;
2628 struct sctp_stale_cookie_msg *scm;
2629 uint32_t tim;
2630 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg),
2631 0, M_NOWAIT, 1, MT_DATA);
2632 if (op_err == NULL) {
2633 /* FOOBAR */
2634 return (NULL);
2635 }
2636 /* Set the len */
2637 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg);
2638 scm = mtod(op_err, struct sctp_stale_cookie_msg *);
2639 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE);
2640 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) +
2641 (sizeof(uint32_t))));
2642 /* seconds to usec */
2643 tim = (now.tv_sec - time_expires.tv_sec) * 1000000;
2644 /* add in usec */
2645 if (tim == 0)
2646 tim = now.tv_usec - cookie->time_entered.tv_usec;
2647 scm->time_usec = htonl(tim);
2648 sctp_send_operr_to(src, dst, sh, cookie->peers_vtag, op_err,
2649 #if defined(__FreeBSD__)
2650 use_mflowid, mflowid,
2651 #endif
2652 vrf_id, port);
2653 return (NULL);
2654 }
2655 /*
2656 * Now we must see with the lookup address if we have an existing
2657 * asoc. This will only happen if we were in the COOKIE-WAIT state
2658 * and a INIT collided with us and somewhere the peer sent the
2659 * cookie on another address besides the single address our assoc
2660 * had for him. In this case we will have one of the tie-tags set at
2661 * least AND the address field in the cookie can be used to look it
2662 * up.
2663 */
2664 to = NULL;
2665 switch (cookie->addr_type) {
2666 #ifdef INET6
2667 case SCTP_IPV6_ADDRESS:
2668 memset(&sin6, 0, sizeof(sin6));
2669 sin6.sin6_family = AF_INET6;
2670 #ifdef HAVE_SIN6_LEN
2671 sin6.sin6_len = sizeof(sin6);
2672 #endif
2673 sin6.sin6_port = sh->src_port;
2674 sin6.sin6_scope_id = cookie->scope_id;
2675 memcpy(&sin6.sin6_addr.s6_addr, cookie->address,
2676 sizeof(sin6.sin6_addr.s6_addr));
2677 to = (struct sockaddr *)&sin6;
2678 break;
2679 #endif
2680 #ifdef INET
2681 case SCTP_IPV4_ADDRESS:
2682 memset(&sin, 0, sizeof(sin));
2683 sin.sin_family = AF_INET;
2684 #ifdef HAVE_SIN_LEN
2685 sin.sin_len = sizeof(sin);
2686 #endif
2687 sin.sin_port = sh->src_port;
2688 sin.sin_addr.s_addr = cookie->address[0];
2689 to = (struct sockaddr *)&sin;
2690 break;
2691 #endif
2692 #if defined(__Userspace__)
2693 case SCTP_CONN_ADDRESS:
2694 memset(&sconn, 0, sizeof(struct sockaddr_conn));
2695 sconn.sconn_family = AF_CONN;
2696 #ifdef HAVE_SCONN_LEN
2697 sconn.sconn_len = sizeof(struct sockaddr_conn);
2698 #endif
2699 sconn.sconn_port = sh->src_port;
2700 memcpy(&sconn.sconn_addr, cookie->address, sizeof(void *));
2701 to = (struct sockaddr *)&sconn;
2702 break;
2703 #endif
2704 default:
2705 /* This should not happen */
2706 return (NULL);
2707 }
2708 if ((*stcb == NULL) && to) {
2709 /* Yep, lets check */
2710 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, dst, NULL);
2711 if (*stcb == NULL) {
2712 /*
2713 * We should have only got back the same inp. If we
2714 * got back a different ep we have a problem. The
2715 * original findep got back l_inp and now
2716 */
2717 if (l_inp != *inp_p) {
2718 SCTP_PRINTF("Bad problem find_ep got a diff inp then special_locate?\n");
2719 }
2720 } else {
2721 if (*locked_tcb == NULL) {
2722 /* In this case we found the assoc only
2723 * after we locked the create lock. This means
2724 * we are in a colliding case and we must make
2725 * sure that we unlock the tcb if its one of the
2726 * cases where we throw away the incoming packets.
2727 */
2728 *locked_tcb = *stcb;
2729
2730 /* We must also increment the inp ref count
2731 * since the ref_count flags was set when we
2732 * did not find the TCB, now we found it which
2733 * reduces the refcount.. we must raise it back
2734 * out to balance it all :-)
2735 */
2736 SCTP_INP_INCR_REF((*stcb)->sctp_ep);
2737 if ((*stcb)->sctp_ep != l_inp) {
2738 SCTP_PRINTF("Huh? ep:%p diff then l_inp:%p?\n",
2739 (void *)(*stcb)->sctp_ep, (void *)l_inp);
2740 }
2741 }
2742 }
2743 }
2744 if (to == NULL) {
2745 return (NULL);
2746 }
2747
2748 cookie_len -= SCTP_SIGNATURE_SIZE;
2749 if (*stcb == NULL) {
2750 /* this is the "normal" case... get a new TCB */
2751 *stcb = sctp_process_cookie_new(m, iphlen, offset, src, dst, sh,
2752 cookie, cookie_len, *inp_p,
2753 netp, to, ¬ification,
2754 auth_skipped, auth_offset, auth_len,
2755 #if defined(__FreeBSD__)
2756 use_mflowid, mflowid,
2757 #endif
2758 vrf_id, port);
2759 } else {
2760 /* this is abnormal... cookie-echo on existing TCB */
2761 had_a_existing_tcb = 1;
2762 *stcb = sctp_process_cookie_existing(m, iphlen, offset,
2763 src, dst, sh,
2764 cookie, cookie_len, *inp_p, *stcb, netp, to,
2765 ¬ification, auth_skipped, auth_offset, auth_len,
2766 #if defined(__FreeBSD__)
2767 use_mflowid, mflowid,
2768 #endif
2769 vrf_id, port);
2770 }
2771
2772 if (*stcb == NULL) {
2773 /* still no TCB... must be bad cookie-echo */
2774 return (NULL);
2775 }
2776 #if defined(__FreeBSD__)
2777 if ((*netp != NULL) && (use_mflowid != 0)) {
2778 (*netp)->flowid = mflowid;
2779 #ifdef INVARIANTS
2780 (*netp)->flowidset = 1;
2781 #endif
2782 }
2783 #endif
2784 /*
2785 * Ok, we built an association so confirm the address we sent the
2786 * INIT-ACK to.
2787 */
2788 netl = sctp_findnet(*stcb, to);
2789 /*
2790 * This code should in theory NOT run but
2791 */
2792 if (netl == NULL) {
2793 /* TSNH! Huh, why do I need to add this address here? */
2794 if (sctp_add_remote_addr(*stcb, to, NULL, SCTP_DONOT_SETSCOPE, SCTP_IN_COOKIE_PROC)) {
2795 return (NULL);
2796 }
2797 netl = sctp_findnet(*stcb, to);
2798 }
2799 if (netl) {
2800 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) {
2801 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
2802 (void)sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL,
2803 netl);
2804 send_int_conf = 1;
2805 }
2806 }
2807 sctp_start_net_timers(*stcb);
2808 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) {
2809 if (!had_a_existing_tcb ||
2810 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) {
2811 /*
2812 * If we have a NEW cookie or the connect never
2813 * reached the connected state during collision we
2814 * must do the TCP accept thing.
2815 */
2816 struct socket *so, *oso;
2817 struct sctp_inpcb *inp;
2818
2819 if (notification == SCTP_NOTIFY_ASSOC_RESTART) {
2820 /*
2821 * For a restart we will keep the same
2822 * socket, no need to do anything. I THINK!!
2823 */
2824 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2825 if (send_int_conf) {
2826 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2827 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2828 }
2829 return (m);
2830 }
2831 oso = (*inp_p)->sctp_socket;
2832 #if (defined(__FreeBSD__) && __FreeBSD_version < 700000)
2833 /*
2834 * We do this to keep the sockets side happy during
2835 * the sonewcon ONLY.
2836 */
2837 NET_LOCK_GIANT();
2838 #endif
2839 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2840 SCTP_TCB_UNLOCK((*stcb));
2841 #if defined(__FreeBSD__) && __FreeBSD_version >= 801000
2842 CURVNET_SET(oso->so_vnet);
2843 #endif
2844 #if defined(__APPLE__)
2845 SCTP_SOCKET_LOCK(oso, 1);
2846 #endif
2847 so = sonewconn(oso, 0
2848 #if defined(__APPLE__)
2849 ,NULL
2850 #endif
2851 #ifdef __Panda__
2852 ,NULL , (*inp_p)->def_vrf_id
2853 #endif
2854 );
2855 #if (defined(__FreeBSD__) && __FreeBSD_version < 700000)
2856 NET_UNLOCK_GIANT();
2857 #endif
2858 #if defined(__APPLE__)
2859 SCTP_SOCKET_UNLOCK(oso, 1);
2860 #endif
2861 #if defined(__FreeBSD__) && __FreeBSD_version >= 801000
2862 CURVNET_RESTORE();
2863 #endif
2864 SCTP_TCB_LOCK((*stcb));
2865 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2866
2867 if (so == NULL) {
2868 struct mbuf *op_err;
2869 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2870 struct socket *pcb_so;
2871 #endif
2872 /* Too many sockets */
2873 SCTPDBG(SCTP_DEBUG_INPUT1, "process_cookie_new: no room for another socket!\n");
2874 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
2875 sctp_abort_association(*inp_p, NULL, m, iphlen,
2876 src, dst, sh, op_err,
2877 #if defined(__FreeBSD__)
2878 use_mflowid, mflowid,
2879 #endif
2880 vrf_id, port);
2881 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2882 pcb_so = SCTP_INP_SO(*inp_p);
2883 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2884 SCTP_TCB_UNLOCK((*stcb));
2885 SCTP_SOCKET_LOCK(pcb_so, 1);
2886 SCTP_TCB_LOCK((*stcb));
2887 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2888 #endif
2889 (void)sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT+SCTP_LOC_20);
2890 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2891 SCTP_SOCKET_UNLOCK(pcb_so, 1);
2892 #endif
2893 return (NULL);
2894 }
2895 inp = (struct sctp_inpcb *)so->so_pcb;
2896 SCTP_INP_INCR_REF(inp);
2897 /*
2898 * We add the unbound flag here so that
2899 * if we get an soabort() before we get the
2900 * move_pcb done, we will properly cleanup.
2901 */
2902 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE |
2903 SCTP_PCB_FLAGS_CONNECTED |
2904 SCTP_PCB_FLAGS_IN_TCPPOOL |
2905 SCTP_PCB_FLAGS_UNBOUND |
2906 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) |
2907 SCTP_PCB_FLAGS_DONT_WAKE);
2908 inp->sctp_features = (*inp_p)->sctp_features;
2909 inp->sctp_mobility_features = (*inp_p)->sctp_mobility_features;
2910 inp->sctp_socket = so;
2911 inp->sctp_frag_point = (*inp_p)->sctp_frag_point;
2912 inp->sctp_cmt_on_off = (*inp_p)->sctp_cmt_on_off;
2913 inp->ecn_supported = (*inp_p)->ecn_supported;
2914 inp->prsctp_supported = (*inp_p)->prsctp_supported;
2915 inp->auth_supported = (*inp_p)->auth_supported;
2916 inp->asconf_supported = (*inp_p)->asconf_supported;
2917 inp->reconfig_supported = (*inp_p)->reconfig_supported;
2918 inp->nrsack_supported = (*inp_p)->nrsack_supported;
2919 inp->pktdrop_supported = (*inp_p)->pktdrop_supported;
2920 inp->partial_delivery_point = (*inp_p)->partial_delivery_point;
2921 inp->sctp_context = (*inp_p)->sctp_context;
2922 inp->local_strreset_support = (*inp_p)->local_strreset_support;
2923 inp->inp_starting_point_for_iterator = NULL;
2924 #if defined(__Userspace__)
2925 inp->ulp_info = (*inp_p)->ulp_info;
2926 inp->recv_callback = (*inp_p)->recv_callback;
2927 inp->send_callback = (*inp_p)->send_callback;
2928 inp->send_sb_threshold = (*inp_p)->send_sb_threshold;
2929 #endif
2930 /*
2931 * copy in the authentication parameters from the
2932 * original endpoint
2933 */
2934 if (inp->sctp_ep.local_hmacs)
2935 sctp_free_hmaclist(inp->sctp_ep.local_hmacs);
2936 inp->sctp_ep.local_hmacs =
2937 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs);
2938 if (inp->sctp_ep.local_auth_chunks)
2939 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks);
2940 inp->sctp_ep.local_auth_chunks =
2941 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks);
2942
2943 /*
2944 * Now we must move it from one hash table to
2945 * another and get the tcb in the right place.
2946 */
2947
2948 /* This is where the one-2-one socket is put into
2949 * the accept state waiting for the accept!
2950 */
2951 if (*stcb) {
2952 (*stcb)->asoc.state |= SCTP_STATE_IN_ACCEPT_QUEUE;
2953 }
2954 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb);
2955
2956 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2957 SCTP_TCB_UNLOCK((*stcb));
2958
2959 #if defined(__FreeBSD__)
2960 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb,
2961 0);
2962 #else
2963 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb, M_NOWAIT);
2964 #endif
2965 SCTP_TCB_LOCK((*stcb));
2966 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
2967
2968
2969 /* now we must check to see if we were aborted while
2970 * the move was going on and the lock/unlock happened.
2971 */
2972 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
2973 /* yep it was, we leave the
2974 * assoc attached to the socket since
2975 * the sctp_inpcb_free() call will send
2976 * an abort for us.
2977 */
2978 SCTP_INP_DECR_REF(inp);
2979 return (NULL);
2980 }
2981 SCTP_INP_DECR_REF(inp);
2982 /* Switch over to the new guy */
2983 *inp_p = inp;
2984 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
2985 if (send_int_conf) {
2986 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
2987 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
2988 }
2989
2990 /* Pull it from the incomplete queue and wake the guy */
2991 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2992 atomic_add_int(&(*stcb)->asoc.refcnt, 1);
2993 SCTP_TCB_UNLOCK((*stcb));
2994 SCTP_SOCKET_LOCK(so, 1);
2995 #endif
2996 soisconnected(so);
2997 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
2998 SCTP_TCB_LOCK((*stcb));
2999 atomic_subtract_int(&(*stcb)->asoc.refcnt, 1);
3000 SCTP_SOCKET_UNLOCK(so, 1);
3001 #endif
3002 return (m);
3003 }
3004 }
3005 if (notification) {
3006 sctp_ulp_notify(notification, *stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
3007 }
3008 if (send_int_conf) {
3009 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED,
3010 (*stcb), 0, (void *)netl, SCTP_SO_NOT_LOCKED);
3011 }
3012 return (m);
3013 }
3014
3015 static void
3016 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp SCTP_UNUSED,
3017 struct sctp_tcb *stcb, struct sctp_nets *net)
3018 {
3019 /* cp must not be used, others call this without a c-ack :-) */
3020 struct sctp_association *asoc;
3021
3022 SCTPDBG(SCTP_DEBUG_INPUT2,
3023 "sctp_handle_cookie_ack: handling COOKIE-ACK\n");
3024 if ((stcb == NULL) || (net == NULL)) {
3025 return;
3026 }
3027
3028 asoc = &stcb->asoc;
3029
3030 sctp_stop_all_cookie_timers(stcb);
3031 /* process according to association state */
3032 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) {
3033 /* state change only needed when I am in right state */
3034 SCTPDBG(SCTP_DEBUG_INPUT2, "moving to OPEN state\n");
3035 SCTP_SET_STATE(asoc, SCTP_STATE_OPEN);
3036 sctp_start_net_timers(stcb);
3037 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) {
3038 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD,
3039 stcb->sctp_ep, stcb, asoc->primary_destination);
3040
3041 }
3042 /* update RTO */
3043 SCTP_STAT_INCR_COUNTER32(sctps_activeestab);
3044 SCTP_STAT_INCR_GAUGE32(sctps_currestab);
3045 if (asoc->overall_error_count == 0) {
3046 net->RTO = sctp_calculate_rto(stcb, asoc, net,
3047 &asoc->time_entered, sctp_align_safe_nocopy,
3048 SCTP_RTT_FROM_NON_DATA);
3049 }
3050 (void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
3051 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
3052 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
3053 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
3054 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3055 struct socket *so;
3056
3057 #endif
3058 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
3059 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3060 so = SCTP_INP_SO(stcb->sctp_ep);
3061 atomic_add_int(&stcb->asoc.refcnt, 1);
3062 SCTP_TCB_UNLOCK(stcb);
3063 SCTP_SOCKET_LOCK(so, 1);
3064 SCTP_TCB_LOCK(stcb);
3065 atomic_subtract_int(&stcb->asoc.refcnt, 1);
3066 #endif
3067 if ((stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) == 0) {
3068 soisconnected(stcb->sctp_socket);
3069 }
3070 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3071 SCTP_SOCKET_UNLOCK(so, 1);
3072 #endif
3073 }
3074 /*
3075 * since we did not send a HB make sure we don't double
3076 * things
3077 */
3078 net->hb_responded = 1;
3079
3080 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
3081 /* We don't need to do the asconf thing,
3082 * nor hb or autoclose if the socket is closed.
3083 */
3084 goto closed_socket;
3085 }
3086
3087 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
3088 stcb, net);
3089
3090
3091 if (stcb->asoc.sctp_autoclose_ticks &&
3092 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
3093 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
3094 stcb->sctp_ep, stcb, NULL);
3095 }
3096 /*
3097 * send ASCONF if parameters are pending and ASCONFs are
3098 * allowed (eg. addresses changed when init/cookie echo were
3099 * in flight)
3100 */
3101 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) &&
3102 (stcb->asoc.asconf_supported == 1) &&
3103 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) {
3104 #ifdef SCTP_TIMER_BASED_ASCONF
3105 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF,
3106 stcb->sctp_ep, stcb,
3107 stcb->asoc.primary_destination);
3108 #else
3109 sctp_send_asconf(stcb, stcb->asoc.primary_destination,
3110 SCTP_ADDR_NOT_LOCKED);
3111 #endif
3112 }
3113 }
3114 closed_socket:
3115 /* Toss the cookie if I can */
3116 sctp_toss_old_cookies(stcb, asoc);
3117 if (!TAILQ_EMPTY(&asoc->sent_queue)) {
3118 /* Restart the timer if we have pending data */
3119 struct sctp_tmit_chunk *chk;
3120
3121 chk = TAILQ_FIRST(&asoc->sent_queue);
3122 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo);
3123 }
3124 }
3125
3126 static void
3127 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp,
3128 struct sctp_tcb *stcb)
3129 {
3130 struct sctp_nets *net;
3131 struct sctp_tmit_chunk *lchk;
3132 struct sctp_ecne_chunk bkup;
3133 uint8_t override_bit;
3134 uint32_t tsn, window_data_tsn;
3135 int len;
3136 unsigned int pkt_cnt;
3137
3138 len = ntohs(cp->ch.chunk_length);
3139 if ((len != sizeof(struct sctp_ecne_chunk)) &&
3140 (len != sizeof(struct old_sctp_ecne_chunk))) {
3141 return;
3142 }
3143 if (len == sizeof(struct old_sctp_ecne_chunk)) {
3144 /* Its the old format */
3145 memcpy(&bkup, cp, sizeof(struct old_sctp_ecne_chunk));
3146 bkup.num_pkts_since_cwr = htonl(1);
3147 cp = &bkup;
3148 }
3149 SCTP_STAT_INCR(sctps_recvecne);
3150 tsn = ntohl(cp->tsn);
3151 pkt_cnt = ntohl(cp->num_pkts_since_cwr);
3152 lchk = TAILQ_LAST(&stcb->asoc.send_queue, sctpchunk_listhead);
3153 if (lchk == NULL) {
3154 window_data_tsn = stcb->asoc.sending_seq - 1;
3155 } else {
3156 window_data_tsn = lchk->rec.data.TSN_seq;
3157 }
3158
3159 /* Find where it was sent to if possible. */
3160 net = NULL;
3161 TAILQ_FOREACH(lchk, &stcb->asoc.sent_queue, sctp_next) {
3162 if (lchk->rec.data.TSN_seq == tsn) {
3163 net = lchk->whoTo;
3164 net->ecn_prev_cwnd = lchk->rec.data.cwnd_at_send;
3165 break;
3166 }
3167 if (SCTP_TSN_GT(lchk->rec.data.TSN_seq, tsn)) {
3168 break;
3169 }
3170 }
3171 if (net == NULL) {
3172 /*
3173 * What to do. A previous send of a
3174 * CWR was possibly lost. See how old it is, we
3175 * may have it marked on the actual net.
3176 */
3177 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
3178 if (tsn == net->last_cwr_tsn) {
3179 /* Found him, send it off */
3180 break;
3181 }
3182 }
3183 if (net == NULL) {
3184 /*
3185 * If we reach here, we need to send a special
3186 * CWR that says hey, we did this a long time
3187 * ago and you lost the response.
3188 */
3189 net = TAILQ_FIRST(&stcb->asoc.nets);
3190 if (net == NULL) {
3191 /* TSNH */
3192 return;
3193 }
3194 override_bit = SCTP_CWR_REDUCE_OVERRIDE;
3195 } else {
3196 override_bit = 0;
3197 }
3198 } else {
3199 override_bit = 0;
3200 }
3201 if (SCTP_TSN_GT(tsn, net->cwr_window_tsn) &&
3202 ((override_bit&SCTP_CWR_REDUCE_OVERRIDE) == 0)) {
3203 /* JRS - Use the congestion control given in the pluggable CC module */
3204 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 0, pkt_cnt);
3205 /*
3206 * We reduce once every RTT. So we will only lower cwnd at
3207 * the next sending seq i.e. the window_data_tsn
3208 */
3209 net->cwr_window_tsn = window_data_tsn;
3210 net->ecn_ce_pkt_cnt += pkt_cnt;
3211 net->lost_cnt = pkt_cnt;
3212 net->last_cwr_tsn = tsn;
3213 } else {
3214 override_bit |= SCTP_CWR_IN_SAME_WINDOW;
3215 if (SCTP_TSN_GT(tsn, net->last_cwr_tsn) &&
3216 ((override_bit&SCTP_CWR_REDUCE_OVERRIDE) == 0)) {
3217 /*
3218 * Another loss in the same window update how
3219 * many marks/packets lost we have had.
3220 */
3221 int cnt = 1;
3222 if (pkt_cnt > net->lost_cnt) {
3223 /* Should be the case */
3224 cnt = (pkt_cnt - net->lost_cnt);
3225 net->ecn_ce_pkt_cnt += cnt;
3226 }
3227 net->lost_cnt = pkt_cnt;
3228 net->last_cwr_tsn = tsn;
3229 /*
3230 * Most CC functions will ignore this call, since we are in-window
3231 * yet of the initial CE the peer saw.
3232 */
3233 stcb->asoc.cc_functions.sctp_cwnd_update_after_ecn_echo(stcb, net, 1, cnt);
3234 }
3235 }
3236 /*
3237 * We always send a CWR this way if our previous one was lost our
3238 * peer will get an update, or if it is not time again to reduce we
3239 * still get the cwr to the peer. Note we set the override when we
3240 * could not find the TSN on the chunk or the destination network.
3241 */
3242 sctp_send_cwr(stcb, net, net->last_cwr_tsn, override_bit);
3243 }
3244
3245 static void
3246 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb, struct sctp_nets *net)
3247 {
3248 /*
3249 * Here we get a CWR from the peer. We must look in the outqueue and
3250 * make sure that we have a covered ECNE in the control chunk part.
3251 * If so remove it.
3252 */
3253 struct sctp_tmit_chunk *chk;
3254 struct sctp_ecne_chunk *ecne;
3255 int override;
3256 uint32_t cwr_tsn;
3257 cwr_tsn = ntohl(cp->tsn);
3258
3259 override = cp->ch.chunk_flags & SCTP_CWR_REDUCE_OVERRIDE;
3260 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) {
3261 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) {
3262 continue;
3263 }
3264 if ((override == 0) && (chk->whoTo != net)) {
3265 /* Must be from the right src unless override is set */
3266 continue;
3267 }
3268 ecne = mtod(chk->data, struct sctp_ecne_chunk *);
3269 if (SCTP_TSN_GE(cwr_tsn, ntohl(ecne->tsn))) {
3270 /* this covers this ECNE, we can remove it */
3271 stcb->asoc.ecn_echo_cnt_onq--;
3272 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk,
3273 sctp_next);
3274 if (chk->data) {
3275 sctp_m_freem(chk->data);
3276 chk->data = NULL;
3277 }
3278 stcb->asoc.ctrl_queue_cnt--;
3279 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
3280 if (override == 0) {
3281 break;
3282 }
3283 }
3284 }
3285 }
3286
3287 static void
3288 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp SCTP_UNUSED,
3289 struct sctp_tcb *stcb, struct sctp_nets *net)
3290 {
3291 struct sctp_association *asoc;
3292 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3293 struct socket *so;
3294 #endif
3295
3296 SCTPDBG(SCTP_DEBUG_INPUT2,
3297 "sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n");
3298 if (stcb == NULL)
3299 return;
3300
3301 asoc = &stcb->asoc;
3302 /* process according to association state */
3303 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) {
3304 /* unexpected SHUTDOWN-COMPLETE... so ignore... */
3305 SCTPDBG(SCTP_DEBUG_INPUT2,
3306 "sctp_handle_shutdown_complete: not in SCTP_STATE_SHUTDOWN_ACK_SENT --- ignore\n");
3307 SCTP_TCB_UNLOCK(stcb);
3308 return;
3309 }
3310 /* notify upper layer protocol */
3311 if (stcb->sctp_socket) {
3312 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
3313 }
3314 #ifdef INVARIANTS
3315 if (!TAILQ_EMPTY(&asoc->send_queue) ||
3316 !TAILQ_EMPTY(&asoc->sent_queue) ||
3317 !stcb->asoc.ss_functions.sctp_ss_is_empty(stcb, asoc)) {
3318 panic("Queues are not empty when handling SHUTDOWN-COMPLETE");
3319 }
3320 #endif
3321 /* stop the timer */
3322 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_22);
3323 SCTP_STAT_INCR_COUNTER32(sctps_shutdown);
3324 /* free the TCB */
3325 SCTPDBG(SCTP_DEBUG_INPUT2,
3326 "sctp_handle_shutdown_complete: calls free-asoc\n");
3327 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3328 so = SCTP_INP_SO(stcb->sctp_ep);
3329 atomic_add_int(&stcb->asoc.refcnt, 1);
3330 SCTP_TCB_UNLOCK(stcb);
3331 SCTP_SOCKET_LOCK(so, 1);
3332 SCTP_TCB_LOCK(stcb);
3333 atomic_subtract_int(&stcb->asoc.refcnt, 1);
3334 #endif
3335 (void)sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT+SCTP_LOC_23);
3336 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3337 SCTP_SOCKET_UNLOCK(so, 1);
3338 #endif
3339 return;
3340 }
3341
3342 static int
3343 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc,
3344 struct sctp_nets *net, uint8_t flg)
3345 {
3346 switch (desc->chunk_type) {
3347 case SCTP_DATA:
3348 /* find the tsn to resend (possibly */
3349 {
3350 uint32_t tsn;
3351 struct sctp_tmit_chunk *tp1;
3352
3353 tsn = ntohl(desc->tsn_ifany);
3354 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3355 if (tp1->rec.data.TSN_seq == tsn) {
3356 /* found it */
3357 break;
3358 }
3359 if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, tsn)) {
3360 /* not found */
3361 tp1 = NULL;
3362 break;
3363 }
3364 }
3365 if (tp1 == NULL) {
3366 /*
3367 * Do it the other way , aka without paying
3368 * attention to queue seq order.
3369 */
3370 SCTP_STAT_INCR(sctps_pdrpdnfnd);
3371 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3372 if (tp1->rec.data.TSN_seq == tsn) {
3373 /* found it */
3374 break;
3375 }
3376 }
3377 }
3378 if (tp1 == NULL) {
3379 SCTP_STAT_INCR(sctps_pdrptsnnf);
3380 }
3381 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) {
3382 uint8_t *ddp;
3383
3384 if (((flg & SCTP_BADCRC) == 0) &&
3385 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
3386 return (0);
3387 }
3388 if ((stcb->asoc.peers_rwnd == 0) &&
3389 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) {
3390 SCTP_STAT_INCR(sctps_pdrpdiwnp);
3391 return (0);
3392 }
3393 if (stcb->asoc.peers_rwnd == 0 &&
3394 (flg & SCTP_FROM_MIDDLE_BOX)) {
3395 SCTP_STAT_INCR(sctps_pdrpdizrw);
3396 return (0);
3397 }
3398 ddp = (uint8_t *) (mtod(tp1->data, caddr_t) +
3399 sizeof(struct sctp_data_chunk));
3400 {
3401 unsigned int iii;
3402
3403 for (iii = 0; iii < sizeof(desc->data_bytes);
3404 iii++) {
3405 if (ddp[iii] != desc->data_bytes[iii]) {
3406 SCTP_STAT_INCR(sctps_pdrpbadd);
3407 return (-1);
3408 }
3409 }
3410 }
3411
3412 if (tp1->do_rtt) {
3413 /*
3414 * this guy had a RTO calculation
3415 * pending on it, cancel it
3416 */
3417 if (tp1->whoTo->rto_needed == 0) {
3418 tp1->whoTo->rto_needed = 1;
3419 }
3420 tp1->do_rtt = 0;
3421 }
3422 SCTP_STAT_INCR(sctps_pdrpmark);
3423 if (tp1->sent != SCTP_DATAGRAM_RESEND)
3424 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3425 /*
3426 * mark it as if we were doing a FR, since
3427 * we will be getting gap ack reports behind
3428 * the info from the router.
3429 */
3430 tp1->rec.data.doing_fast_retransmit = 1;
3431 /*
3432 * mark the tsn with what sequences can
3433 * cause a new FR.
3434 */
3435 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) {
3436 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq;
3437 } else {
3438 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq;
3439 }
3440
3441 /* restart the timer */
3442 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
3443 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT+SCTP_LOC_24);
3444 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep,
3445 stcb, tp1->whoTo);
3446
3447 /* fix counts and things */
3448 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
3449 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP,
3450 tp1->whoTo->flight_size,
3451 tp1->book_size,
3452 (uintptr_t)stcb,
3453 tp1->rec.data.TSN_seq);
3454 }
3455 if (tp1->sent < SCTP_DATAGRAM_RESEND) {
3456 sctp_flight_size_decrease(tp1);
3457 sctp_total_flight_decrease(stcb, tp1);
3458 }
3459 tp1->sent = SCTP_DATAGRAM_RESEND;
3460 } {
3461 /* audit code */
3462 unsigned int audit;
3463
3464 audit = 0;
3465 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) {
3466 if (tp1->sent == SCTP_DATAGRAM_RESEND)
3467 audit++;
3468 }
3469 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue,
3470 sctp_next) {
3471 if (tp1->sent == SCTP_DATAGRAM_RESEND)
3472 audit++;
3473 }
3474 if (audit != stcb->asoc.sent_queue_retran_cnt) {
3475 SCTP_PRINTF("**Local Audit finds cnt:%d asoc cnt:%d\n",
3476 audit, stcb->asoc.sent_queue_retran_cnt);
3477 #ifndef SCTP_AUDITING_ENABLED
3478 stcb->asoc.sent_queue_retran_cnt = audit;
3479 #endif
3480 }
3481 }
3482 }
3483 break;
3484 case SCTP_ASCONF:
3485 {
3486 struct sctp_tmit_chunk *asconf;
3487
3488 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue,
3489 sctp_next) {
3490 if (asconf->rec.chunk_id.id == SCTP_ASCONF) {
3491 break;
3492 }
3493 }
3494 if (asconf) {
3495 if (asconf->sent != SCTP_DATAGRAM_RESEND)
3496 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3497 asconf->sent = SCTP_DATAGRAM_RESEND;
3498 asconf->snd_count--;
3499 }
3500 }
3501 break;
3502 case SCTP_INITIATION:
3503 /* resend the INIT */
3504 stcb->asoc.dropped_special_cnt++;
3505 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) {
3506 /*
3507 * If we can get it in, in a few attempts we do
3508 * this, otherwise we let the timer fire.
3509 */
3510 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep,
3511 stcb, net, SCTP_FROM_SCTP_INPUT+SCTP_LOC_25);
3512 sctp_send_initiate(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED);
3513 }
3514 break;
3515 case SCTP_SELECTIVE_ACK:
3516 case SCTP_NR_SELECTIVE_ACK:
3517 /* resend the sack */
3518 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED);
3519 break;
3520 case SCTP_HEARTBEAT_REQUEST:
3521 /* resend a demand HB */
3522 if ((stcb->asoc.overall_error_count + 3) < stcb->asoc.max_send_times) {
3523 /* Only retransmit if we KNOW we wont destroy the tcb */
3524 sctp_send_hb(stcb, net, SCTP_SO_NOT_LOCKED);
3525 }
3526 break;
3527 case SCTP_SHUTDOWN:
3528 sctp_send_shutdown(stcb, net);
3529 break;
3530 case SCTP_SHUTDOWN_ACK:
3531 sctp_send_shutdown_ack(stcb, net);
3532 break;
3533 case SCTP_COOKIE_ECHO:
3534 {
3535 struct sctp_tmit_chunk *cookie;
3536
3537 cookie = NULL;
3538 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue,
3539 sctp_next) {
3540 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
3541 break;
3542 }
3543 }
3544 if (cookie) {
3545 if (cookie->sent != SCTP_DATAGRAM_RESEND)
3546 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt);
3547 cookie->sent = SCTP_DATAGRAM_RESEND;
3548 sctp_stop_all_cookie_timers(stcb);
3549 }
3550 }
3551 break;
3552 case SCTP_COOKIE_ACK:
3553 sctp_send_cookie_ack(stcb);
3554 break;
3555 case SCTP_ASCONF_ACK:
3556 /* resend last asconf ack */
3557 sctp_send_asconf_ack(stcb);
3558 break;
3559 case SCTP_FORWARD_CUM_TSN:
3560 send_forward_tsn(stcb, &stcb->asoc);
3561 break;
3562 /* can't do anything with these */
3563 case SCTP_PACKET_DROPPED:
3564 case SCTP_INITIATION_ACK: /* this should not happen */
3565 case SCTP_HEARTBEAT_ACK:
3566 case SCTP_ABORT_ASSOCIATION:
3567 case SCTP_OPERATION_ERROR:
3568 case SCTP_SHUTDOWN_COMPLETE:
3569 case SCTP_ECN_ECHO:
3570 case SCTP_ECN_CWR:
3571 default:
3572 break;
3573 }
3574 return (0);
3575 }
3576
3577 void
3578 sctp_reset_in_stream(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list)
3579 {
3580 uint32_t i;
3581 uint16_t temp;
3582
3583 /*
3584 * We set things to 0xffff since this is the last delivered sequence
3585 * and we will be sending in 0 after the reset.
3586 */
3587
3588 if (number_entries) {
3589 for (i = 0; i < number_entries; i++) {
3590 temp = ntohs(list[i]);
3591 if (temp >= stcb->asoc.streamincnt) {
3592 continue;
3593 }
3594 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff;
3595 }
3596 } else {
3597 list = NULL;
3598 for (i = 0; i < stcb->asoc.streamincnt; i++) {
3599 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff;
3600 }
3601 }
3602 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3603 }
3604
3605 static void
3606 sctp_reset_out_streams(struct sctp_tcb *stcb, uint32_t number_entries, uint16_t *list)
3607 {
3608 uint32_t i;
3609 uint16_t temp;
3610
3611 if (number_entries > 0) {
3612 for (i = 0; i < number_entries; i++) {
3613 temp = ntohs(list[i]);
3614 if (temp >= stcb->asoc.streamoutcnt) {
3615 /* no such stream */
3616 continue;
3617 }
3618 stcb->asoc.strmout[temp].next_sequence_send = 0;
3619 }
3620 } else {
3621 for (i = 0; i < stcb->asoc.streamoutcnt; i++) {
3622 stcb->asoc.strmout[i].next_sequence_send = 0;
3623 }
3624 }
3625 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list, SCTP_SO_NOT_LOCKED);
3626 }
3627
3628
3629 struct sctp_stream_reset_out_request *
3630 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk)
3631 {
3632 struct sctp_association *asoc;
3633 struct sctp_chunkhdr *ch;
3634 struct sctp_stream_reset_out_request *r;
3635 struct sctp_tmit_chunk *chk;
3636 int len, clen;
3637
3638 asoc = &stcb->asoc;
3639 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
3640 asoc->stream_reset_outstanding = 0;
3641 return (NULL);
3642 }
3643 if (stcb->asoc.str_reset == NULL) {
3644 asoc->stream_reset_outstanding = 0;
3645 return (NULL);
3646 }
3647 chk = stcb->asoc.str_reset;
3648 if (chk->data == NULL) {
3649 return (NULL);
3650 }
3651 if (bchk) {
3652 /* he wants a copy of the chk pointer */
3653 *bchk = chk;
3654 }
3655 clen = chk->send_size;
3656 ch = mtod(chk->data, struct sctp_chunkhdr *);
3657 r = (struct sctp_stream_reset_out_request *)(ch + 1);
3658 if (ntohl(r->request_seq) == seq) {
3659 /* found it */
3660 return (r);
3661 }
3662 len = SCTP_SIZE32(ntohs(r->ph.param_length));
3663 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) {
3664 /* move to the next one, there can only be a max of two */
3665 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len);
3666 if (ntohl(r->request_seq) == seq) {
3667 return (r);
3668 }
3669 }
3670 /* that seq is not here */
3671 return (NULL);
3672 }
3673
3674 static void
3675 sctp_clean_up_stream_reset(struct sctp_tcb *stcb)
3676 {
3677 struct sctp_association *asoc;
3678 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset;
3679
3680 if (stcb->asoc.str_reset == NULL) {
3681 return;
3682 }
3683 asoc = &stcb->asoc;
3684
3685 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT+SCTP_LOC_26);
3686 TAILQ_REMOVE(&asoc->control_send_queue,
3687 chk,
3688 sctp_next);
3689 if (chk->data) {
3690 sctp_m_freem(chk->data);
3691 chk->data = NULL;
3692 }
3693 asoc->ctrl_queue_cnt--;
3694 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
3695 /*sa_ignore NO_NULL_CHK*/
3696 stcb->asoc.str_reset = NULL;
3697 }
3698
3699
3700 static int
3701 sctp_handle_stream_reset_response(struct sctp_tcb *stcb,
3702 uint32_t seq, uint32_t action,
3703 struct sctp_stream_reset_response *respin)
3704 {
3705 uint16_t type;
3706 int lparm_len;
3707 struct sctp_association *asoc = &stcb->asoc;
3708 struct sctp_tmit_chunk *chk;
3709 struct sctp_stream_reset_out_request *srparam;
3710 uint32_t number_entries;
3711
3712 if (asoc->stream_reset_outstanding == 0) {
3713 /* duplicate */
3714 return (0);
3715 }
3716 if (seq == stcb->asoc.str_reset_seq_out) {
3717 srparam = sctp_find_stream_reset(stcb, seq, &chk);
3718 if (srparam) {
3719 stcb->asoc.str_reset_seq_out++;
3720 type = ntohs(srparam->ph.param_type);
3721 lparm_len = ntohs(srparam->ph.param_length);
3722 if (type == SCTP_STR_RESET_OUT_REQUEST) {
3723 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t);
3724 asoc->stream_reset_out_is_outstanding = 0;
3725 if (asoc->stream_reset_outstanding)
3726 asoc->stream_reset_outstanding--;
3727 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
3728 /* do it */
3729 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams);
3730 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3731 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
3732 } else {
3733 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
3734 }
3735 } else if (type == SCTP_STR_RESET_IN_REQUEST) {
3736 /* Answered my request */
3737 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t);
3738 if (asoc->stream_reset_outstanding)
3739 asoc->stream_reset_outstanding--;
3740 if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3741 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_IN, stcb,
3742 number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
3743 } else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) {
3744 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb,
3745 number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED);
3746 }
3747 } else if (type == SCTP_STR_RESET_ADD_OUT_STREAMS) {
3748 /* Ok we now may have more streams */
3749 int num_stream;
3750
3751 num_stream = stcb->asoc.strm_pending_add_size;
3752 if (num_stream > (stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt)) {
3753 /* TSNH */
3754 num_stream = stcb->asoc.strm_realoutsize - stcb->asoc.streamoutcnt;
3755 }
3756 stcb->asoc.strm_pending_add_size = 0;
3757 if (asoc->stream_reset_outstanding)
3758 asoc->stream_reset_outstanding--;
3759 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
3760 /* Put the new streams into effect */
3761 stcb->asoc.streamoutcnt += num_stream;
3762 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0);
3763 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3764 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3765 SCTP_STREAM_CHANGE_DENIED);
3766 } else {
3767 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3768 SCTP_STREAM_CHANGE_FAILED);
3769 }
3770 } else if (type == SCTP_STR_RESET_ADD_IN_STREAMS) {
3771 if (asoc->stream_reset_outstanding)
3772 asoc->stream_reset_outstanding--;
3773 if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3774 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3775 SCTP_STREAM_CHANGE_DENIED);
3776 } else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) {
3777 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt,
3778 SCTP_STREAM_CHANGE_FAILED);
3779 }
3780 } else if (type == SCTP_STR_RESET_TSN_REQUEST) {
3781 /**
3782 * a) Adopt the new in tsn.
3783 * b) reset the map
3784 * c) Adopt the new out-tsn
3785 */
3786 struct sctp_stream_reset_response_tsn *resp;
3787 struct sctp_forward_tsn_chunk fwdtsn;
3788 int abort_flag = 0;
3789 if (respin == NULL) {
3790 /* huh ? */
3791 return (0);
3792 }
3793 if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) {
3794 resp = (struct sctp_stream_reset_response_tsn *)respin;
3795 asoc->stream_reset_outstanding--;
3796 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3797 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3798 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1);
3799 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3800 if (abort_flag) {
3801 return (1);
3802 }
3803 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1);
3804 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
3805 sctp_log_map(0, 7, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
3806 }
3807
3808 stcb->asoc.tsn_last_delivered = stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map;
3809 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn);
3810 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size);
3811
3812 stcb->asoc.highest_tsn_inside_nr_map = stcb->asoc.highest_tsn_inside_map;
3813 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size);
3814
3815 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn);
3816 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn;
3817
3818 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
3819 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
3820 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1), 0);
3821 } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) {
3822 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1),
3823 SCTP_ASSOC_RESET_DENIED);
3824 } else {
3825 sctp_notify_stream_reset_tsn(stcb, stcb->asoc.sending_seq, (stcb->asoc.mapping_array_base_tsn + 1),
3826 SCTP_ASSOC_RESET_FAILED);
3827 }
3828 }
3829 /* get rid of the request and get the request flags */
3830 if (asoc->stream_reset_outstanding == 0) {
3831 sctp_clean_up_stream_reset(stcb);
3832 }
3833 }
3834 }
3835 return (0);
3836 }
3837
3838 static void
3839 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb,
3840 struct sctp_tmit_chunk *chk,
3841 struct sctp_stream_reset_in_request *req, int trunc)
3842 {
3843 uint32_t seq;
3844 int len, i;
3845 int number_entries;
3846 uint16_t temp;
3847
3848 /*
3849 * peer wants me to send a str-reset to him for my outgoing seq's if
3850 * seq_in is right.
3851 */
3852 struct sctp_association *asoc = &stcb->asoc;
3853
3854 seq = ntohl(req->request_seq);
3855 if (asoc->str_reset_seq_in == seq) {
3856 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3857 if (!(asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ)) {
3858 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3859 } else if (trunc) {
3860 /* Can't do it, since they exceeded our buffer size */
3861 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3862 } else if (stcb->asoc.stream_reset_out_is_outstanding == 0) {
3863 len = ntohs(req->ph.param_length);
3864 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t));
3865 for (i = 0; i < number_entries; i++) {
3866 temp = ntohs(req->list_of_streams[i]);
3867 req->list_of_streams[i] = temp;
3868 }
3869 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3870 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams,
3871 asoc->str_reset_seq_out,
3872 seq, (asoc->sending_seq - 1));
3873 asoc->stream_reset_out_is_outstanding = 1;
3874 asoc->str_reset = chk;
3875 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
3876 stcb->asoc.stream_reset_outstanding++;
3877 } else {
3878 /* Can't do it, since we have sent one out */
3879 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS;
3880 }
3881 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3882 asoc->str_reset_seq_in++;
3883 } else if (asoc->str_reset_seq_in - 1 == seq) {
3884 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
3885 } else if (asoc->str_reset_seq_in - 2 == seq) {
3886 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
3887 } else {
3888 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
3889 }
3890 }
3891
3892 static int
3893 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb,
3894 struct sctp_tmit_chunk *chk,
3895 struct sctp_stream_reset_tsn_request *req)
3896 {
3897 /* reset all in and out and update the tsn */
3898 /*
3899 * A) reset my str-seq's on in and out. B) Select a receive next,
3900 * and set cum-ack to it. Also process this selected number as a
3901 * fwd-tsn as well. C) set in the response my next sending seq.
3902 */
3903 struct sctp_forward_tsn_chunk fwdtsn;
3904 struct sctp_association *asoc = &stcb->asoc;
3905 int abort_flag = 0;
3906 uint32_t seq;
3907
3908 seq = ntohl(req->request_seq);
3909 if (asoc->str_reset_seq_in == seq) {
3910 asoc->last_reset_action[1] = stcb->asoc.last_reset_action[0];
3911 if (!(asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ)) {
3912 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3913 } else {
3914 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk));
3915 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN;
3916 fwdtsn.ch.chunk_flags = 0;
3917 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1);
3918 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag, NULL, 0);
3919 if (abort_flag) {
3920 return (1);
3921 }
3922 asoc->highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA;
3923 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) {
3924 sctp_log_map(0, 10, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT);
3925 }
3926 asoc->tsn_last_delivered = asoc->cumulative_tsn = asoc->highest_tsn_inside_map;
3927 asoc->mapping_array_base_tsn = asoc->highest_tsn_inside_map + 1;
3928 memset(asoc->mapping_array, 0, asoc->mapping_array_size);
3929 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map;
3930 memset(asoc->nr_mapping_array, 0, asoc->mapping_array_size);
3931 atomic_add_int(&asoc->sending_seq, 1);
3932 /* save off historical data for retrans */
3933 asoc->last_sending_seq[1] = asoc->last_sending_seq[0];
3934 asoc->last_sending_seq[0] = asoc->sending_seq;
3935 asoc->last_base_tsnsent[1] = asoc->last_base_tsnsent[0];
3936 asoc->last_base_tsnsent[0] = asoc->mapping_array_base_tsn;
3937 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL);
3938 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL);
3939 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3940 sctp_notify_stream_reset_tsn(stcb, asoc->sending_seq, (asoc->mapping_array_base_tsn + 1), 0);
3941 }
3942 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
3943 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]);
3944 asoc->str_reset_seq_in++;
3945 } else if (asoc->str_reset_seq_in - 1 == seq) {
3946 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0],
3947 asoc->last_sending_seq[0], asoc->last_base_tsnsent[0]);
3948 } else if (asoc->str_reset_seq_in - 2 == seq) {
3949 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1],
3950 asoc->last_sending_seq[1], asoc->last_base_tsnsent[1]);
3951 } else {
3952 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
3953 }
3954 return (0);
3955 }
3956
3957 static void
3958 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb,
3959 struct sctp_tmit_chunk *chk,
3960 struct sctp_stream_reset_out_request *req, int trunc)
3961 {
3962 uint32_t seq, tsn;
3963 int number_entries, len;
3964 struct sctp_association *asoc = &stcb->asoc;
3965
3966 seq = ntohl(req->request_seq);
3967
3968 /* now if its not a duplicate we process it */
3969 if (asoc->str_reset_seq_in == seq) {
3970 len = ntohs(req->ph.param_length);
3971 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t));
3972 /*
3973 * the sender is resetting, handle the list issue.. we must
3974 * a) verify if we can do the reset, if so no problem b) If
3975 * we can't do the reset we must copy the request. c) queue
3976 * it, and setup the data in processor to trigger it off
3977 * when needed and dequeue all the queued data.
3978 */
3979 tsn = ntohl(req->send_reset_at_tsn);
3980
3981 /* move the reset action back one */
3982 asoc->last_reset_action[1] = asoc->last_reset_action[0];
3983 if (!(asoc->local_strreset_support & SCTP_ENABLE_RESET_STREAM_REQ)) {
3984 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3985 } else if (trunc) {
3986 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
3987 } else if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) {
3988 /* we can do it now */
3989 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams);
3990 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
3991 } else {
3992 /*
3993 * we must queue it up and thus wait for the TSN's
3994 * to arrive that are at or before tsn
3995 */
3996 struct sctp_stream_reset_list *liste;
3997 int siz;
3998
3999 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t));
4000 SCTP_MALLOC(liste, struct sctp_stream_reset_list *,
4001 siz, SCTP_M_STRESET);
4002 if (liste == NULL) {
4003 /* gak out of memory */
4004 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4005 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
4006 return;
4007 }
4008 liste->tsn = tsn;
4009 liste->number_entries = number_entries;
4010 memcpy(&liste->list_of_streams, req->list_of_streams, number_entries * sizeof(uint16_t));
4011 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp);
4012 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
4013 }
4014 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
4015 asoc->str_reset_seq_in++;
4016 } else if ((asoc->str_reset_seq_in - 1) == seq) {
4017 /*
4018 * one seq back, just echo back last action since my
4019 * response was lost.
4020 */
4021 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
4022 } else if ((asoc->str_reset_seq_in - 2) == seq) {
4023 /*
4024 * two seq back, just echo back last action since my
4025 * response was lost.
4026 */
4027 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
4028 } else {
4029 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
4030 }
4031 }
4032
4033 static void
4034 sctp_handle_str_reset_add_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
4035 struct sctp_stream_reset_add_strm *str_add)
4036 {
4037 /*
4038 * Peer is requesting to add more streams.
4039 * If its within our max-streams we will
4040 * allow it.
4041 */
4042 uint32_t num_stream, i;
4043 uint32_t seq;
4044 struct sctp_association *asoc = &stcb->asoc;
4045 struct sctp_queued_to_read *ctl, *nctl;
4046
4047 /* Get the number. */
4048 seq = ntohl(str_add->request_seq);
4049 num_stream = ntohs(str_add->number_of_streams);
4050 /* Now what would be the new total? */
4051 if (asoc->str_reset_seq_in == seq) {
4052 num_stream += stcb->asoc.streamincnt;
4053 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
4054 if (!(asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ)) {
4055 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4056 } else if ((num_stream > stcb->asoc.max_inbound_streams) ||
4057 (num_stream > 0xffff)) {
4058 /* We must reject it they ask for to many */
4059 denied:
4060 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4061 } else {
4062 /* Ok, we can do that :-) */
4063 struct sctp_stream_in *oldstrm;
4064
4065 /* save off the old */
4066 oldstrm = stcb->asoc.strmin;
4067 SCTP_MALLOC(stcb->asoc.strmin, struct sctp_stream_in *,
4068 (num_stream * sizeof(struct sctp_stream_in)),
4069 SCTP_M_STRMI);
4070 if (stcb->asoc.strmin == NULL) {
4071 stcb->asoc.strmin = oldstrm;
4072 goto denied;
4073 }
4074 /* copy off the old data */
4075 for (i = 0; i < stcb->asoc.streamincnt; i++) {
4076 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue);
4077 stcb->asoc.strmin[i].stream_no = i;
4078 stcb->asoc.strmin[i].last_sequence_delivered = oldstrm[i].last_sequence_delivered;
4079 stcb->asoc.strmin[i].delivery_started = oldstrm[i].delivery_started;
4080 /* now anything on those queues? */
4081 TAILQ_FOREACH_SAFE(ctl, &oldstrm[i].inqueue, next, nctl) {
4082 TAILQ_REMOVE(&oldstrm[i].inqueue, ctl, next);
4083 TAILQ_INSERT_TAIL(&stcb->asoc.strmin[i].inqueue, ctl, next);
4084 }
4085 }
4086 /* Init the new streams */
4087 for (i = stcb->asoc.streamincnt; i < num_stream; i++) {
4088 TAILQ_INIT(&stcb->asoc.strmin[i].inqueue);
4089 stcb->asoc.strmin[i].stream_no = i;
4090 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff;
4091 stcb->asoc.strmin[i].delivery_started = 0;
4092 }
4093 SCTP_FREE(oldstrm, SCTP_M_STRMI);
4094 /* update the size */
4095 stcb->asoc.streamincnt = num_stream;
4096 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
4097 sctp_notify_stream_reset_add(stcb, stcb->asoc.streamincnt, stcb->asoc.streamoutcnt, 0);
4098 }
4099 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
4100 asoc->str_reset_seq_in++;
4101 } else if ((asoc->str_reset_seq_in - 1) == seq) {
4102 /*
4103 * one seq back, just echo back last action since my
4104 * response was lost.
4105 */
4106 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
4107 } else if ((asoc->str_reset_seq_in - 2) == seq) {
4108 /*
4109 * two seq back, just echo back last action since my
4110 * response was lost.
4111 */
4112 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
4113 } else {
4114 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
4115
4116 }
4117 }
4118
4119 static void
4120 sctp_handle_str_reset_add_out_strm(struct sctp_tcb *stcb, struct sctp_tmit_chunk *chk,
4121 struct sctp_stream_reset_add_strm *str_add)
4122 {
4123 /*
4124 * Peer is requesting to add more streams.
4125 * If its within our max-streams we will
4126 * allow it.
4127 */
4128 uint16_t num_stream;
4129 uint32_t seq;
4130 struct sctp_association *asoc = &stcb->asoc;
4131
4132 /* Get the number. */
4133 seq = ntohl(str_add->request_seq);
4134 num_stream = ntohs(str_add->number_of_streams);
4135 /* Now what would be the new total? */
4136 if (asoc->str_reset_seq_in == seq) {
4137 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0];
4138 if (!(asoc->local_strreset_support & SCTP_ENABLE_CHANGE_ASSOC_REQ)) {
4139 asoc->last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4140 } else if (stcb->asoc.stream_reset_outstanding) {
4141 /* We must reject it we have something pending */
4142 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_ERR_IN_PROGRESS;
4143 } else {
4144 /* Ok, we can do that :-) */
4145 int mychk;
4146 mychk = stcb->asoc.streamoutcnt;
4147 mychk += num_stream;
4148 if (mychk < 0x10000) {
4149 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_PERFORMED;
4150 if (sctp_send_str_reset_req(stcb, 0, NULL, 0, 0, 0, 1, num_stream, 0, 1)) {
4151 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4152 }
4153 } else {
4154 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_RESULT_DENIED;
4155 }
4156 }
4157 sctp_add_stream_reset_result(chk, seq, stcb->asoc.last_reset_action[0]);
4158 asoc->str_reset_seq_in++;
4159 } else if ((asoc->str_reset_seq_in - 1) == seq) {
4160 /*
4161 * one seq back, just echo back last action since my
4162 * response was lost.
4163 */
4164 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]);
4165 } else if ((asoc->str_reset_seq_in - 2) == seq) {
4166 /*
4167 * two seq back, just echo back last action since my
4168 * response was lost.
4169 */
4170 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]);
4171 } else {
4172 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_RESULT_ERR_BAD_SEQNO);
4173 }
4174 }
4175
4176 #if !defined(__Panda__)
4177 #ifdef __GNUC__
4178 __attribute__ ((noinline))
4179 #endif
4180 #endif
4181 static int
4182 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct mbuf *m, int offset,
4183 struct sctp_chunkhdr *ch_req)
4184 {
4185 int chk_length, param_len, ptype;
4186 struct sctp_paramhdr pstore;
4187 uint8_t cstore[SCTP_CHUNK_BUFFER_SIZE];
4188 uint32_t seq = 0;
4189 int num_req = 0;
4190 int trunc = 0;
4191 struct sctp_tmit_chunk *chk;
4192 struct sctp_chunkhdr *ch;
4193 struct sctp_paramhdr *ph;
4194 int ret_code = 0;
4195 int num_param = 0;
4196
4197 /* now it may be a reset or a reset-response */
4198 chk_length = ntohs(ch_req->chunk_length);
4199
4200 /* setup for adding the response */
4201 sctp_alloc_a_chunk(stcb, chk);
4202 if (chk == NULL) {
4203 return (ret_code);
4204 }
4205 chk->rec.chunk_id.id = SCTP_STREAM_RESET;
4206 chk->rec.chunk_id.can_take_data = 0;
4207 chk->asoc = &stcb->asoc;
4208 chk->no_fr_allowed = 0;
4209 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr);
4210 chk->book_size_scale = 0;
4211 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
4212 if (chk->data == NULL) {
4213 strres_nochunk:
4214 if (chk->data) {
4215 sctp_m_freem(chk->data);
4216 chk->data = NULL;
4217 }
4218 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED);
4219 return (ret_code);
4220 }
4221 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
4222
4223 /* setup chunk parameters */
4224 chk->sent = SCTP_DATAGRAM_UNSENT;
4225 chk->snd_count = 0;
4226 chk->whoTo = NULL;
4227
4228 ch = mtod(chk->data, struct sctp_chunkhdr *);
4229 ch->chunk_type = SCTP_STREAM_RESET;
4230 ch->chunk_flags = 0;
4231 ch->chunk_length = htons(chk->send_size);
4232 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
4233 offset += sizeof(struct sctp_chunkhdr);
4234 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) {
4235 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, sizeof(pstore), (uint8_t *)&pstore);
4236 if (ph == NULL)
4237 break;
4238 param_len = ntohs(ph->param_length);
4239 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) {
4240 /* bad param */
4241 break;
4242 }
4243 ph = (struct sctp_paramhdr *)sctp_m_getptr(m, offset, min(param_len, (int)sizeof(cstore)),
4244 (uint8_t *)&cstore);
4245 ptype = ntohs(ph->param_type);
4246 num_param++;
4247 if (param_len > (int)sizeof(cstore)) {
4248 trunc = 1;
4249 } else {
4250 trunc = 0;
4251 }
4252 if (num_param > SCTP_MAX_RESET_PARAMS) {
4253 /* hit the max of parameters already sorry.. */
4254 break;
4255 }
4256 if (ptype == SCTP_STR_RESET_OUT_REQUEST) {
4257 struct sctp_stream_reset_out_request *req_out;
4258 req_out = (struct sctp_stream_reset_out_request *)ph;
4259 num_req++;
4260 if (stcb->asoc.stream_reset_outstanding) {
4261 seq = ntohl(req_out->response_seq);
4262 if (seq == stcb->asoc.str_reset_seq_out) {
4263 /* implicit ack */
4264 (void)sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_RESULT_PERFORMED, NULL);
4265 }
4266 }
4267 sctp_handle_str_reset_request_out(stcb, chk, req_out, trunc);
4268 } else if (ptype == SCTP_STR_RESET_ADD_OUT_STREAMS) {
4269 struct sctp_stream_reset_add_strm *str_add;
4270 str_add = (struct sctp_stream_reset_add_strm *)ph;
4271 num_req++;
4272 sctp_handle_str_reset_add_strm(stcb, chk, str_add);
4273 } else if (ptype == SCTP_STR_RESET_ADD_IN_STREAMS) {
4274 struct sctp_stream_reset_add_strm *str_add;
4275 str_add = (struct sctp_stream_reset_add_strm *)ph;
4276 num_req++;
4277 sctp_handle_str_reset_add_out_strm(stcb, chk, str_add);
4278 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) {
4279 struct sctp_stream_reset_in_request *req_in;
4280 num_req++;
4281 req_in = (struct sctp_stream_reset_in_request *)ph;
4282 sctp_handle_str_reset_request_in(stcb, chk, req_in, trunc);
4283 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) {
4284 struct sctp_stream_reset_tsn_request *req_tsn;
4285 num_req++;
4286 req_tsn = (struct sctp_stream_reset_tsn_request *)ph;
4287 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) {
4288 ret_code = 1;
4289 goto strres_nochunk;
4290 }
4291 /* no more */
4292 break;
4293 } else if (ptype == SCTP_STR_RESET_RESPONSE) {
4294 struct sctp_stream_reset_response *resp;
4295 uint32_t result;
4296 resp = (struct sctp_stream_reset_response *)ph;
4297 seq = ntohl(resp->response_seq);
4298 result = ntohl(resp->result);
4299 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) {
4300 ret_code = 1;
4301 goto strres_nochunk;
4302 }
4303 } else {
4304 break;
4305 }
4306 offset += SCTP_SIZE32(param_len);
4307 chk_length -= SCTP_SIZE32(param_len);
4308 }
4309 if (num_req == 0) {
4310 /* we have no response free the stuff */
4311 goto strres_nochunk;
4312 }
4313 /* ok we have a chunk to link in */
4314 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue,
4315 chk,
4316 sctp_next);
4317 stcb->asoc.ctrl_queue_cnt++;
4318 return (ret_code);
4319 }
4320
4321 /*
4322 * Handle a router or endpoints report of a packet loss, there are two ways
4323 * to handle this, either we get the whole packet and must disect it
4324 * ourselves (possibly with truncation and or corruption) or it is a summary
4325 * from a middle box that did the disectting for us.
4326 */
4327 static void
4328 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp,
4329 struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t limit)
4330 {
4331 uint32_t bottle_bw, on_queue;
4332 uint16_t trunc_len;
4333 unsigned int chlen;
4334 unsigned int at;
4335 struct sctp_chunk_desc desc;
4336 struct sctp_chunkhdr *ch;
4337
4338 chlen = ntohs(cp->ch.chunk_length);
4339 chlen -= sizeof(struct sctp_pktdrop_chunk);
4340 /* XXX possible chlen underflow */
4341 if (chlen == 0) {
4342 ch = NULL;
4343 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)
4344 SCTP_STAT_INCR(sctps_pdrpbwrpt);
4345 } else {
4346 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr));
4347 chlen -= sizeof(struct sctphdr);
4348 /* XXX possible chlen underflow */
4349 memset(&desc, 0, sizeof(desc));
4350 }
4351 trunc_len = (uint16_t) ntohs(cp->trunc_len);
4352 if (trunc_len > limit) {
4353 trunc_len = limit;
4354 }
4355
4356 /* now the chunks themselves */
4357 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) {
4358 desc.chunk_type = ch->chunk_type;
4359 /* get amount we need to move */
4360 at = ntohs(ch->chunk_length);
4361 if (at < sizeof(struct sctp_chunkhdr)) {
4362 /* corrupt chunk, maybe at the end? */
4363 SCTP_STAT_INCR(sctps_pdrpcrupt);
4364 break;
4365 }
4366 if (trunc_len == 0) {
4367 /* we are supposed to have all of it */
4368 if (at > chlen) {
4369 /* corrupt skip it */
4370 SCTP_STAT_INCR(sctps_pdrpcrupt);
4371 break;
4372 }
4373 } else {
4374 /* is there enough of it left ? */
4375 if (desc.chunk_type == SCTP_DATA) {
4376 if (chlen < (sizeof(struct sctp_data_chunk) +
4377 sizeof(desc.data_bytes))) {
4378 break;
4379 }
4380 } else {
4381 if (chlen < sizeof(struct sctp_chunkhdr)) {
4382 break;
4383 }
4384 }
4385 }
4386 if (desc.chunk_type == SCTP_DATA) {
4387 /* can we get out the tsn? */
4388 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
4389 SCTP_STAT_INCR(sctps_pdrpmbda);
4390
4391 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) {
4392 /* yep */
4393 struct sctp_data_chunk *dcp;
4394 uint8_t *ddp;
4395 unsigned int iii;
4396
4397 dcp = (struct sctp_data_chunk *)ch;
4398 ddp = (uint8_t *) (dcp + 1);
4399 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) {
4400 desc.data_bytes[iii] = ddp[iii];
4401 }
4402 desc.tsn_ifany = dcp->dp.tsn;
4403 } else {
4404 /* nope we are done. */
4405 SCTP_STAT_INCR(sctps_pdrpnedat);
4406 break;
4407 }
4408 } else {
4409 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX))
4410 SCTP_STAT_INCR(sctps_pdrpmbct);
4411 }
4412
4413 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) {
4414 SCTP_STAT_INCR(sctps_pdrppdbrk);
4415 break;
4416 }
4417 if (SCTP_SIZE32(at) > chlen) {
4418 break;
4419 }
4420 chlen -= SCTP_SIZE32(at);
4421 if (chlen < sizeof(struct sctp_chunkhdr)) {
4422 /* done, none left */
4423 break;
4424 }
4425 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at));
4426 }
4427 /* Now update any rwnd --- possibly */
4428 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) {
4429 /* From a peer, we get a rwnd report */
4430 uint32_t a_rwnd;
4431
4432 SCTP_STAT_INCR(sctps_pdrpfehos);
4433
4434 bottle_bw = ntohl(cp->bottle_bw);
4435 on_queue = ntohl(cp->current_onq);
4436 if (bottle_bw && on_queue) {
4437 /* a rwnd report is in here */
4438 if (bottle_bw > on_queue)
4439 a_rwnd = bottle_bw - on_queue;
4440 else
4441 a_rwnd = 0;
4442
4443 if (a_rwnd == 0)
4444 stcb->asoc.peers_rwnd = 0;
4445 else {
4446 if (a_rwnd > stcb->asoc.total_flight) {
4447 stcb->asoc.peers_rwnd =
4448 a_rwnd - stcb->asoc.total_flight;
4449 } else {
4450 stcb->asoc.peers_rwnd = 0;
4451 }
4452 if (stcb->asoc.peers_rwnd <
4453 stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
4454 /* SWS sender side engages */
4455 stcb->asoc.peers_rwnd = 0;
4456 }
4457 }
4458 }
4459 } else {
4460 SCTP_STAT_INCR(sctps_pdrpfmbox);
4461 }
4462
4463 /* now middle boxes in sat networks get a cwnd bump */
4464 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) &&
4465 (stcb->asoc.sat_t3_loss_recovery == 0) &&
4466 (stcb->asoc.sat_network)) {
4467 /*
4468 * This is debateable but for sat networks it makes sense
4469 * Note if a T3 timer has went off, we will prohibit any
4470 * changes to cwnd until we exit the t3 loss recovery.
4471 */
4472 stcb->asoc.cc_functions.sctp_cwnd_update_after_packet_dropped(stcb,
4473 net, cp, &bottle_bw, &on_queue);
4474 }
4475 }
4476
4477 /*
4478 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to
4479 * still contain IP/SCTP header - stcb: is the tcb found for this packet -
4480 * offset: offset into the mbuf chain to first chunkhdr - length: is the
4481 * length of the complete packet outputs: - length: modified to remaining
4482 * length after control processing - netp: modified to new sctp_nets after
4483 * cookie-echo processing - return NULL to discard the packet (ie. no asoc,
4484 * bad packet,...) otherwise return the tcb for this packet
4485 */
4486 #if !defined(__Panda__)
4487 #ifdef __GNUC__
4488 __attribute__ ((noinline))
4489 #endif
4490 #endif
4491 static struct sctp_tcb *
4492 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
4493 struct sockaddr *src, struct sockaddr *dst,
4494 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp,
4495 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen,
4496 #if defined(__FreeBSD__)
4497 uint8_t use_mflowid, uint32_t mflowid,
4498 #endif
4499 uint32_t vrf_id, uint16_t port)
4500 {
4501 struct sctp_association *asoc;
4502 struct mbuf *op_err;
4503 char msg[SCTP_DIAG_INFO_LEN];
4504 uint32_t vtag_in;
4505 int num_chunks = 0; /* number of control chunks processed */
4506 uint32_t chk_length;
4507 int ret;
4508 int abort_no_unlock = 0;
4509 int ecne_seen = 0;
4510 /*
4511 * How big should this be, and should it be alloc'd? Lets try the
4512 * d-mtu-ceiling for now (2k) and that should hopefully work ...
4513 * until we get into jumbo grams and such..
4514 */
4515 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
4516 struct sctp_tcb *locked_tcb = stcb;
4517 int got_auth = 0;
4518 uint32_t auth_offset = 0, auth_len = 0;
4519 int auth_skipped = 0;
4520 int asconf_cnt = 0;
4521 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4522 struct socket *so;
4523 #endif
4524
4525 SCTPDBG(SCTP_DEBUG_INPUT1, "sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n",
4526 iphlen, *offset, length, (void *)stcb);
4527
4528 /* validate chunk header length... */
4529 if (ntohs(ch->chunk_length) < sizeof(*ch)) {
4530 SCTPDBG(SCTP_DEBUG_INPUT1, "Invalid header length %d\n",
4531 ntohs(ch->chunk_length));
4532 if (locked_tcb) {
4533 SCTP_TCB_UNLOCK(locked_tcb);
4534 }
4535 return (NULL);
4536 }
4537 /*
4538 * validate the verification tag
4539 */
4540 vtag_in = ntohl(sh->v_tag);
4541
4542 if (locked_tcb) {
4543 SCTP_TCB_LOCK_ASSERT(locked_tcb);
4544 }
4545 if (ch->chunk_type == SCTP_INITIATION) {
4546 SCTPDBG(SCTP_DEBUG_INPUT1, "Its an INIT of len:%d vtag:%x\n",
4547 ntohs(ch->chunk_length), vtag_in);
4548 if (vtag_in != 0) {
4549 /* protocol error- silently discard... */
4550 SCTP_STAT_INCR(sctps_badvtag);
4551 if (locked_tcb) {
4552 SCTP_TCB_UNLOCK(locked_tcb);
4553 }
4554 return (NULL);
4555 }
4556 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) {
4557 /*
4558 * If there is no stcb, skip the AUTH chunk and process
4559 * later after a stcb is found (to validate the lookup was
4560 * valid.
4561 */
4562 if ((ch->chunk_type == SCTP_AUTHENTICATION) &&
4563 (stcb == NULL) &&
4564 (inp->auth_supported == 1)) {
4565 /* save this chunk for later processing */
4566 auth_skipped = 1;
4567 auth_offset = *offset;
4568 auth_len = ntohs(ch->chunk_length);
4569
4570 /* (temporarily) move past this chunk */
4571 *offset += SCTP_SIZE32(auth_len);
4572 if (*offset >= length) {
4573 /* no more data left in the mbuf chain */
4574 *offset = length;
4575 if (locked_tcb) {
4576 SCTP_TCB_UNLOCK(locked_tcb);
4577 }
4578 return (NULL);
4579 }
4580 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4581 sizeof(struct sctp_chunkhdr), chunk_buf);
4582 }
4583 if (ch == NULL) {
4584 /* Help */
4585 *offset = length;
4586 if (locked_tcb) {
4587 SCTP_TCB_UNLOCK(locked_tcb);
4588 }
4589 return (NULL);
4590 }
4591 if (ch->chunk_type == SCTP_COOKIE_ECHO) {
4592 goto process_control_chunks;
4593 }
4594 /*
4595 * first check if it's an ASCONF with an unknown src addr we
4596 * need to look inside to find the association
4597 */
4598 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) {
4599 struct sctp_chunkhdr *asconf_ch = ch;
4600 uint32_t asconf_offset = 0, asconf_len = 0;
4601
4602 /* inp's refcount may be reduced */
4603 SCTP_INP_INCR_REF(inp);
4604
4605 asconf_offset = *offset;
4606 do {
4607 asconf_len = ntohs(asconf_ch->chunk_length);
4608 if (asconf_len < sizeof(struct sctp_asconf_paramhdr))
4609 break;
4610 stcb = sctp_findassociation_ep_asconf(m,
4611 *offset,
4612 dst,
4613 sh, &inp, netp, vrf_id);
4614 if (stcb != NULL)
4615 break;
4616 asconf_offset += SCTP_SIZE32(asconf_len);
4617 asconf_ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, asconf_offset,
4618 sizeof(struct sctp_chunkhdr), chunk_buf);
4619 } while (asconf_ch != NULL && asconf_ch->chunk_type == SCTP_ASCONF);
4620 if (stcb == NULL) {
4621 /*
4622 * reduce inp's refcount if not reduced in
4623 * sctp_findassociation_ep_asconf().
4624 */
4625 SCTP_INP_DECR_REF(inp);
4626 } else {
4627 locked_tcb = stcb;
4628 }
4629
4630 /* now go back and verify any auth chunk to be sure */
4631 if (auth_skipped && (stcb != NULL)) {
4632 struct sctp_auth_chunk *auth;
4633
4634 auth = (struct sctp_auth_chunk *)
4635 sctp_m_getptr(m, auth_offset,
4636 auth_len, chunk_buf);
4637 got_auth = 1;
4638 auth_skipped = 0;
4639 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
4640 auth_offset)) {
4641 /* auth HMAC failed so dump it */
4642 *offset = length;
4643 if (locked_tcb) {
4644 SCTP_TCB_UNLOCK(locked_tcb);
4645 }
4646 return (NULL);
4647 } else {
4648 /* remaining chunks are HMAC checked */
4649 stcb->asoc.authenticated = 1;
4650 }
4651 }
4652 }
4653 if (stcb == NULL) {
4654 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s\n", __FILE__, __LINE__, __FUNCTION__);
4655 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
4656 msg);
4657 /* no association, so it's out of the blue... */
4658 sctp_handle_ootb(m, iphlen, *offset, src, dst, sh, inp, op_err,
4659 #if defined(__FreeBSD__)
4660 use_mflowid, mflowid,
4661 #endif
4662 vrf_id, port);
4663 *offset = length;
4664 if (locked_tcb) {
4665 SCTP_TCB_UNLOCK(locked_tcb);
4666 }
4667 return (NULL);
4668 }
4669 asoc = &stcb->asoc;
4670 /* ABORT and SHUTDOWN can use either v_tag... */
4671 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) ||
4672 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) ||
4673 (ch->chunk_type == SCTP_PACKET_DROPPED)) {
4674 /* Take the T-bit always into account. */
4675 if ((((ch->chunk_flags & SCTP_HAD_NO_TCB) == 0) &&
4676 (vtag_in == asoc->my_vtag)) ||
4677 (((ch->chunk_flags & SCTP_HAD_NO_TCB) == SCTP_HAD_NO_TCB) &&
4678 (vtag_in == asoc->peer_vtag))) {
4679 /* this is valid */
4680 } else {
4681 /* drop this packet... */
4682 SCTP_STAT_INCR(sctps_badvtag);
4683 if (locked_tcb) {
4684 SCTP_TCB_UNLOCK(locked_tcb);
4685 }
4686 return (NULL);
4687 }
4688 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
4689 if (vtag_in != asoc->my_vtag) {
4690 /*
4691 * this could be a stale SHUTDOWN-ACK or the
4692 * peer never got the SHUTDOWN-COMPLETE and
4693 * is still hung; we have started a new asoc
4694 * but it won't complete until the shutdown
4695 * is completed
4696 */
4697 if (locked_tcb) {
4698 SCTP_TCB_UNLOCK(locked_tcb);
4699 }
4700 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s\n", __FILE__, __LINE__, __FUNCTION__);
4701 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
4702 msg);
4703 sctp_handle_ootb(m, iphlen, *offset, src, dst,
4704 sh, inp, op_err,
4705 #if defined(__FreeBSD__)
4706 use_mflowid, mflowid,
4707 #endif
4708 vrf_id, port);
4709 return (NULL);
4710 }
4711 } else {
4712 /* for all other chunks, vtag must match */
4713 if (vtag_in != asoc->my_vtag) {
4714 /* invalid vtag... */
4715 SCTPDBG(SCTP_DEBUG_INPUT3,
4716 "invalid vtag: %xh, expect %xh\n",
4717 vtag_in, asoc->my_vtag);
4718 SCTP_STAT_INCR(sctps_badvtag);
4719 if (locked_tcb) {
4720 SCTP_TCB_UNLOCK(locked_tcb);
4721 }
4722 *offset = length;
4723 return (NULL);
4724 }
4725 }
4726 } /* end if !SCTP_COOKIE_ECHO */
4727 /*
4728 * process all control chunks...
4729 */
4730 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) ||
4731 (ch->chunk_type == SCTP_NR_SELECTIVE_ACK) ||
4732 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) &&
4733 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) {
4734 /* implied cookie-ack.. we must have lost the ack */
4735 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
4736 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
4737 stcb->asoc.overall_error_count,
4738 0,
4739 SCTP_FROM_SCTP_INPUT,
4740 __LINE__);
4741 }
4742 stcb->asoc.overall_error_count = 0;
4743 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb,
4744 *netp);
4745 }
4746
4747 process_control_chunks:
4748 while (IS_SCTP_CONTROL(ch)) {
4749 /* validate chunk length */
4750 chk_length = ntohs(ch->chunk_length);
4751 SCTPDBG(SCTP_DEBUG_INPUT2, "sctp_process_control: processing a chunk type=%u, len=%u\n",
4752 ch->chunk_type, chk_length);
4753 SCTP_LTRACE_CHK(inp, stcb, ch->chunk_type, chk_length);
4754 if (chk_length < sizeof(*ch) ||
4755 (*offset + (int)chk_length) > length) {
4756 *offset = length;
4757 if (locked_tcb) {
4758 SCTP_TCB_UNLOCK(locked_tcb);
4759 }
4760 return (NULL);
4761 }
4762 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks);
4763 /*
4764 * INIT-ACK only gets the init ack "header" portion only
4765 * because we don't have to process the peer's COOKIE. All
4766 * others get a complete chunk.
4767 */
4768 if ((ch->chunk_type == SCTP_INITIATION_ACK) ||
4769 (ch->chunk_type == SCTP_INITIATION)) {
4770 /* get an init-ack chunk */
4771 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4772 sizeof(struct sctp_init_ack_chunk), chunk_buf);
4773 if (ch == NULL) {
4774 *offset = length;
4775 if (locked_tcb) {
4776 SCTP_TCB_UNLOCK(locked_tcb);
4777 }
4778 return (NULL);
4779 }
4780 } else {
4781 /* For cookies and all other chunks. */
4782 if (chk_length > sizeof(chunk_buf)) {
4783 /*
4784 * use just the size of the chunk buffer
4785 * so the front part of our chunks fit in
4786 * contiguous space up to the chunk buffer
4787 * size (508 bytes).
4788 * For chunks that need to get more than that
4789 * they must use the sctp_m_getptr() function
4790 * or other means (e.g. know how to parse mbuf
4791 * chains). Cookies do this already.
4792 */
4793 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4794 (sizeof(chunk_buf) - 4),
4795 chunk_buf);
4796 if (ch == NULL) {
4797 *offset = length;
4798 if (locked_tcb) {
4799 SCTP_TCB_UNLOCK(locked_tcb);
4800 }
4801 return (NULL);
4802 }
4803 } else {
4804 /* We can fit it all */
4805 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
4806 chk_length, chunk_buf);
4807 if (ch == NULL) {
4808 SCTP_PRINTF("sctp_process_control: Can't get the all data....\n");
4809 *offset = length;
4810 if (locked_tcb) {
4811 SCTP_TCB_UNLOCK(locked_tcb);
4812 }
4813 return (NULL);
4814 }
4815 }
4816 }
4817 num_chunks++;
4818 /* Save off the last place we got a control from */
4819 if (stcb != NULL) {
4820 if (((netp != NULL) && (*netp != NULL)) || (ch->chunk_type == SCTP_ASCONF)) {
4821 /*
4822 * allow last_control to be NULL if
4823 * ASCONF... ASCONF processing will find the
4824 * right net later
4825 */
4826 if ((netp != NULL) && (*netp != NULL))
4827 stcb->asoc.last_control_chunk_from = *netp;
4828 }
4829 }
4830 #ifdef SCTP_AUDITING_ENABLED
4831 sctp_audit_log(0xB0, ch->chunk_type);
4832 #endif
4833
4834 /* check to see if this chunk required auth, but isn't */
4835 if ((stcb != NULL) &&
4836 (stcb->asoc.auth_supported == 1) &&
4837 sctp_auth_is_required_chunk(ch->chunk_type, stcb->asoc.local_auth_chunks) &&
4838 !stcb->asoc.authenticated) {
4839 /* "silently" ignore */
4840 SCTP_STAT_INCR(sctps_recvauthmissing);
4841 goto next_chunk;
4842 }
4843 switch (ch->chunk_type) {
4844 case SCTP_INITIATION:
4845 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT\n");
4846 /* The INIT chunk must be the only chunk. */
4847 if ((num_chunks > 1) ||
4848 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
4849 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
4850 "INIT not the only chunk");
4851 sctp_abort_association(inp, stcb, m, iphlen,
4852 src, dst, sh, op_err,
4853 #if defined(__FreeBSD__)
4854 use_mflowid, mflowid,
4855 #endif
4856 vrf_id, port);
4857 *offset = length;
4858 return (NULL);
4859 }
4860 /* Honor our resource limit. */
4861 if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) {
4862 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
4863 sctp_abort_association(inp, stcb, m, iphlen,
4864 src, dst, sh, op_err,
4865 #if defined(__FreeBSD__)
4866 use_mflowid, mflowid,
4867 #endif
4868 vrf_id, port);
4869 *offset = length;
4870 return (NULL);
4871 }
4872 sctp_handle_init(m, iphlen, *offset, src, dst, sh,
4873 (struct sctp_init_chunk *)ch, inp,
4874 stcb, &abort_no_unlock,
4875 #if defined(__FreeBSD__)
4876 use_mflowid, mflowid,
4877 #endif
4878 vrf_id, port);
4879 *offset = length;
4880 if ((!abort_no_unlock) && (locked_tcb)) {
4881 SCTP_TCB_UNLOCK(locked_tcb);
4882 }
4883 return (NULL);
4884 break;
4885 case SCTP_PAD_CHUNK:
4886 break;
4887 case SCTP_INITIATION_ACK:
4888 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_INIT-ACK\n");
4889 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
4890 /* We are not interested anymore */
4891 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
4892 ;
4893 } else {
4894 if (locked_tcb != stcb) {
4895 /* Very unlikely */
4896 SCTP_TCB_UNLOCK(locked_tcb);
4897 }
4898 *offset = length;
4899 if (stcb) {
4900 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4901 so = SCTP_INP_SO(inp);
4902 atomic_add_int(&stcb->asoc.refcnt, 1);
4903 SCTP_TCB_UNLOCK(stcb);
4904 SCTP_SOCKET_LOCK(so, 1);
4905 SCTP_TCB_LOCK(stcb);
4906 atomic_subtract_int(&stcb->asoc.refcnt, 1);
4907 #endif
4908 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT+SCTP_LOC_27);
4909 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4910 SCTP_SOCKET_UNLOCK(so, 1);
4911 #endif
4912 }
4913 return (NULL);
4914 }
4915 }
4916 /* The INIT-ACK chunk must be the only chunk. */
4917 if ((num_chunks > 1) ||
4918 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
4919 *offset = length;
4920 if (locked_tcb) {
4921 SCTP_TCB_UNLOCK(locked_tcb);
4922 }
4923 return (NULL);
4924 }
4925 if ((netp) && (*netp)) {
4926 ret = sctp_handle_init_ack(m, iphlen, *offset,
4927 src, dst, sh,
4928 (struct sctp_init_ack_chunk *)ch,
4929 stcb, *netp,
4930 &abort_no_unlock,
4931 #if defined(__FreeBSD__)
4932 use_mflowid, mflowid,
4933 #endif
4934 vrf_id);
4935 } else {
4936 ret = -1;
4937 }
4938 *offset = length;
4939 if (abort_no_unlock) {
4940 return (NULL);
4941 }
4942 /*
4943 * Special case, I must call the output routine to
4944 * get the cookie echoed
4945 */
4946 if ((stcb != NULL) && (ret == 0)) {
4947 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
4948 }
4949 if (locked_tcb) {
4950 SCTP_TCB_UNLOCK(locked_tcb);
4951 }
4952 return (NULL);
4953 break;
4954 case SCTP_SELECTIVE_ACK:
4955 {
4956 struct sctp_sack_chunk *sack;
4957 int abort_now = 0;
4958 uint32_t a_rwnd, cum_ack;
4959 uint16_t num_seg, num_dup;
4960 uint8_t flags;
4961 int offset_seg, offset_dup;
4962
4963 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK\n");
4964 SCTP_STAT_INCR(sctps_recvsacks);
4965 if (stcb == NULL) {
4966 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing SACK chunk\n");
4967 break;
4968 }
4969 if (chk_length < sizeof(struct sctp_sack_chunk)) {
4970 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on SACK chunk, too small\n");
4971 break;
4972 }
4973 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
4974 /*-
4975 * If we have sent a shutdown-ack, we will pay no
4976 * attention to a sack sent in to us since
4977 * we don't care anymore.
4978 */
4979 break;
4980 }
4981 sack = (struct sctp_sack_chunk *)ch;
4982 flags = ch->chunk_flags;
4983 cum_ack = ntohl(sack->sack.cum_tsn_ack);
4984 num_seg = ntohs(sack->sack.num_gap_ack_blks);
4985 num_dup = ntohs(sack->sack.num_dup_tsns);
4986 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd);
4987 if (sizeof(struct sctp_sack_chunk) +
4988 num_seg * sizeof(struct sctp_gap_ack_block) +
4989 num_dup * sizeof(uint32_t) != chk_length) {
4990 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of SACK chunk\n");
4991 break;
4992 }
4993 offset_seg = *offset + sizeof(struct sctp_sack_chunk);
4994 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block);
4995 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
4996 cum_ack, num_seg, a_rwnd);
4997 stcb->asoc.seen_a_sack_this_pkt = 1;
4998 if ((stcb->asoc.pr_sctp_cnt == 0) &&
4999 (num_seg == 0) &&
5000 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) &&
5001 (stcb->asoc.saw_sack_with_frags == 0) &&
5002 (stcb->asoc.saw_sack_with_nr_frags == 0) &&
5003 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))
5004 ) {
5005 /* We have a SIMPLE sack having no prior segments and
5006 * data on sent queue to be acked.. Use the faster
5007 * path sack processing. We also allow window update
5008 * sacks with no missing segments to go this way too.
5009 */
5010 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, &abort_now, ecne_seen);
5011 } else {
5012 if (netp && *netp)
5013 sctp_handle_sack(m, offset_seg, offset_dup, stcb,
5014 num_seg, 0, num_dup, &abort_now, flags,
5015 cum_ack, a_rwnd, ecne_seen);
5016 }
5017 if (abort_now) {
5018 /* ABORT signal from sack processing */
5019 *offset = length;
5020 return (NULL);
5021 }
5022 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
5023 TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
5024 (stcb->asoc.stream_queue_cnt == 0)) {
5025 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
5026 }
5027 }
5028 break;
5029 /* EY - nr_sack: If the received chunk is an nr_sack chunk */
5030 case SCTP_NR_SELECTIVE_ACK:
5031 {
5032 struct sctp_nr_sack_chunk *nr_sack;
5033 int abort_now = 0;
5034 uint32_t a_rwnd, cum_ack;
5035 uint16_t num_seg, num_nr_seg, num_dup;
5036 uint8_t flags;
5037 int offset_seg, offset_dup;
5038
5039 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK\n");
5040 SCTP_STAT_INCR(sctps_recvsacks);
5041 if (stcb == NULL) {
5042 SCTPDBG(SCTP_DEBUG_INDATA1, "No stcb when processing NR-SACK chunk\n");
5043 break;
5044 }
5045 if (stcb->asoc.nrsack_supported == 0) {
5046 goto unknown_chunk;
5047 }
5048 if (chk_length < sizeof(struct sctp_nr_sack_chunk)) {
5049 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size on NR-SACK chunk, too small\n");
5050 break;
5051 }
5052 if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) {
5053 /*-
5054 * If we have sent a shutdown-ack, we will pay no
5055 * attention to a sack sent in to us since
5056 * we don't care anymore.
5057 */
5058 break;
5059 }
5060 nr_sack = (struct sctp_nr_sack_chunk *)ch;
5061 flags = ch->chunk_flags;
5062 cum_ack = ntohl(nr_sack->nr_sack.cum_tsn_ack);
5063 num_seg = ntohs(nr_sack->nr_sack.num_gap_ack_blks);
5064 num_nr_seg = ntohs(nr_sack->nr_sack.num_nr_gap_ack_blks);
5065 num_dup = ntohs(nr_sack->nr_sack.num_dup_tsns);
5066 a_rwnd = (uint32_t) ntohl(nr_sack->nr_sack.a_rwnd);
5067 if (sizeof(struct sctp_nr_sack_chunk) +
5068 (num_seg + num_nr_seg) * sizeof(struct sctp_gap_ack_block) +
5069 num_dup * sizeof(uint32_t) != chk_length) {
5070 SCTPDBG(SCTP_DEBUG_INDATA1, "Bad size of NR_SACK chunk\n");
5071 break;
5072 }
5073 offset_seg = *offset + sizeof(struct sctp_nr_sack_chunk);
5074 offset_dup = offset_seg + num_seg * sizeof(struct sctp_gap_ack_block);
5075 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_NR_SACK process cum_ack:%x num_seg:%d a_rwnd:%d\n",
5076 cum_ack, num_seg, a_rwnd);
5077 stcb->asoc.seen_a_sack_this_pkt = 1;
5078 if ((stcb->asoc.pr_sctp_cnt == 0) &&
5079 (num_seg == 0) && (num_nr_seg == 0) &&
5080 SCTP_TSN_GE(cum_ack, stcb->asoc.last_acked_seq) &&
5081 (stcb->asoc.saw_sack_with_frags == 0) &&
5082 (stcb->asoc.saw_sack_with_nr_frags == 0) &&
5083 (!TAILQ_EMPTY(&stcb->asoc.sent_queue))) {
5084 /*
5085 * We have a SIMPLE sack having no
5086 * prior segments and data on sent
5087 * queue to be acked. Use the
5088 * faster path sack processing. We
5089 * also allow window update sacks
5090 * with no missing segments to go
5091 * this way too.
5092 */
5093 sctp_express_handle_sack(stcb, cum_ack, a_rwnd,
5094 &abort_now, ecne_seen);
5095 } else {
5096 if (netp && *netp)
5097 sctp_handle_sack(m, offset_seg, offset_dup, stcb,
5098 num_seg, num_nr_seg, num_dup, &abort_now, flags,
5099 cum_ack, a_rwnd, ecne_seen);
5100 }
5101 if (abort_now) {
5102 /* ABORT signal from sack processing */
5103 *offset = length;
5104 return (NULL);
5105 }
5106 if (TAILQ_EMPTY(&stcb->asoc.send_queue) &&
5107 TAILQ_EMPTY(&stcb->asoc.sent_queue) &&
5108 (stcb->asoc.stream_queue_cnt == 0)) {
5109 sctp_ulp_notify(SCTP_NOTIFY_SENDER_DRY, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
5110 }
5111 }
5112 break;
5113
5114 case SCTP_HEARTBEAT_REQUEST:
5115 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT\n");
5116 if ((stcb) && netp && *netp) {
5117 SCTP_STAT_INCR(sctps_recvheartbeat);
5118 sctp_send_heartbeat_ack(stcb, m, *offset,
5119 chk_length, *netp);
5120
5121 /* He's alive so give him credit */
5122 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5123 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5124 stcb->asoc.overall_error_count,
5125 0,
5126 SCTP_FROM_SCTP_INPUT,
5127 __LINE__);
5128 }
5129 stcb->asoc.overall_error_count = 0;
5130 }
5131 break;
5132 case SCTP_HEARTBEAT_ACK:
5133 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_HEARTBEAT-ACK\n");
5134 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_heartbeat_chunk))) {
5135 /* Its not ours */
5136 *offset = length;
5137 if (locked_tcb) {
5138 SCTP_TCB_UNLOCK(locked_tcb);
5139 }
5140 return (NULL);
5141 }
5142 /* He's alive so give him credit */
5143 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5144 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5145 stcb->asoc.overall_error_count,
5146 0,
5147 SCTP_FROM_SCTP_INPUT,
5148 __LINE__);
5149 }
5150 stcb->asoc.overall_error_count = 0;
5151 SCTP_STAT_INCR(sctps_recvheartbeatack);
5152 if (netp && *netp)
5153 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch,
5154 stcb, *netp);
5155 break;
5156 case SCTP_ABORT_ASSOCIATION:
5157 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ABORT, stcb %p\n",
5158 (void *)stcb);
5159 if ((stcb) && netp && *netp)
5160 sctp_handle_abort((struct sctp_abort_chunk *)ch,
5161 stcb, *netp);
5162 *offset = length;
5163 return (NULL);
5164 break;
5165 case SCTP_SHUTDOWN:
5166 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN, stcb %p\n",
5167 (void *)stcb);
5168 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_shutdown_chunk))) {
5169 *offset = length;
5170 if (locked_tcb) {
5171 SCTP_TCB_UNLOCK(locked_tcb);
5172 }
5173 return (NULL);
5174 }
5175 if (netp && *netp) {
5176 int abort_flag = 0;
5177
5178 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch,
5179 stcb, *netp, &abort_flag);
5180 if (abort_flag) {
5181 *offset = length;
5182 return (NULL);
5183 }
5184 }
5185 break;
5186 case SCTP_SHUTDOWN_ACK:
5187 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-ACK, stcb %p\n", (void *)stcb);
5188 if ((stcb) && (netp) && (*netp))
5189 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp);
5190 *offset = length;
5191 return (NULL);
5192 break;
5193
5194 case SCTP_OPERATION_ERROR:
5195 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_OP-ERR\n");
5196 if ((stcb) && netp && *netp && sctp_handle_error(ch, stcb, *netp) < 0) {
5197 *offset = length;
5198 return (NULL);
5199 }
5200 break;
5201 case SCTP_COOKIE_ECHO:
5202 SCTPDBG(SCTP_DEBUG_INPUT3,
5203 "SCTP_COOKIE-ECHO, stcb %p\n", (void *)stcb);
5204 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
5205 ;
5206 } else {
5207 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5208 /* We are not interested anymore */
5209 abend:
5210 if (stcb) {
5211 SCTP_TCB_UNLOCK(stcb);
5212 }
5213 *offset = length;
5214 return (NULL);
5215 }
5216 }
5217 /*
5218 * First are we accepting? We do this again here
5219 * since it is possible that a previous endpoint WAS
5220 * listening responded to a INIT-ACK and then
5221 * closed. We opened and bound.. and are now no
5222 * longer listening.
5223 */
5224
5225 if ((stcb == NULL) && (inp->sctp_socket->so_qlen >= inp->sctp_socket->so_qlimit)) {
5226 if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
5227 (SCTP_BASE_SYSCTL(sctp_abort_if_one_2_one_hits_limit))) {
5228 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, "");
5229 sctp_abort_association(inp, stcb, m, iphlen,
5230 src, dst, sh, op_err,
5231 #if defined(__FreeBSD__)
5232 use_mflowid, mflowid,
5233 #endif
5234 vrf_id, port);
5235 }
5236 *offset = length;
5237 return (NULL);
5238 } else {
5239 struct mbuf *ret_buf;
5240 struct sctp_inpcb *linp;
5241 if (stcb) {
5242 linp = NULL;
5243 } else {
5244 linp = inp;
5245 }
5246
5247 if (linp) {
5248 SCTP_ASOC_CREATE_LOCK(linp);
5249 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
5250 (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
5251 SCTP_ASOC_CREATE_UNLOCK(linp);
5252 goto abend;
5253 }
5254 }
5255
5256 if (netp) {
5257 ret_buf =
5258 sctp_handle_cookie_echo(m, iphlen,
5259 *offset,
5260 src, dst,
5261 sh,
5262 (struct sctp_cookie_echo_chunk *)ch,
5263 &inp, &stcb, netp,
5264 auth_skipped,
5265 auth_offset,
5266 auth_len,
5267 &locked_tcb,
5268 #if defined(__FreeBSD__)
5269 use_mflowid,
5270 mflowid,
5271 #endif
5272 vrf_id,
5273 port);
5274 } else {
5275 ret_buf = NULL;
5276 }
5277 if (linp) {
5278 SCTP_ASOC_CREATE_UNLOCK(linp);
5279 }
5280 if (ret_buf == NULL) {
5281 if (locked_tcb) {
5282 SCTP_TCB_UNLOCK(locked_tcb);
5283 }
5284 SCTPDBG(SCTP_DEBUG_INPUT3,
5285 "GAK, null buffer\n");
5286 *offset = length;
5287 return (NULL);
5288 }
5289 /* if AUTH skipped, see if it verified... */
5290 if (auth_skipped) {
5291 got_auth = 1;
5292 auth_skipped = 0;
5293 }
5294 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) {
5295 /*
5296 * Restart the timer if we have
5297 * pending data
5298 */
5299 struct sctp_tmit_chunk *chk;
5300
5301 chk = TAILQ_FIRST(&stcb->asoc.sent_queue);
5302 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, chk->whoTo);
5303 }
5304 }
5305 break;
5306 case SCTP_COOKIE_ACK:
5307 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_COOKIE-ACK, stcb %p\n", (void *)stcb);
5308 if ((stcb == NULL) || chk_length != sizeof(struct sctp_cookie_ack_chunk)) {
5309 if (locked_tcb) {
5310 SCTP_TCB_UNLOCK(locked_tcb);
5311 }
5312 return (NULL);
5313 }
5314 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5315 /* We are not interested anymore */
5316 if ((stcb) && (stcb->asoc.total_output_queue_size)) {
5317 ;
5318 } else if (stcb) {
5319 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5320 so = SCTP_INP_SO(inp);
5321 atomic_add_int(&stcb->asoc.refcnt, 1);
5322 SCTP_TCB_UNLOCK(stcb);
5323 SCTP_SOCKET_LOCK(so, 1);
5324 SCTP_TCB_LOCK(stcb);
5325 atomic_subtract_int(&stcb->asoc.refcnt, 1);
5326 #endif
5327 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT+SCTP_LOC_27);
5328 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5329 SCTP_SOCKET_UNLOCK(so, 1);
5330 #endif
5331 *offset = length;
5332 return (NULL);
5333 }
5334 }
5335 /* He's alive so give him credit */
5336 if ((stcb) && netp && *netp) {
5337 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5338 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5339 stcb->asoc.overall_error_count,
5340 0,
5341 SCTP_FROM_SCTP_INPUT,
5342 __LINE__);
5343 }
5344 stcb->asoc.overall_error_count = 0;
5345 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch,stcb, *netp);
5346 }
5347 break;
5348 case SCTP_ECN_ECHO:
5349 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-ECHO\n");
5350 /* He's alive so give him credit */
5351 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_ecne_chunk))) {
5352 /* Its not ours */
5353 if (locked_tcb) {
5354 SCTP_TCB_UNLOCK(locked_tcb);
5355 }
5356 *offset = length;
5357 return (NULL);
5358 }
5359 if (stcb) {
5360 if (stcb->asoc.ecn_supported == 0) {
5361 goto unknown_chunk;
5362 }
5363 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5364 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5365 stcb->asoc.overall_error_count,
5366 0,
5367 SCTP_FROM_SCTP_INPUT,
5368 __LINE__);
5369 }
5370 stcb->asoc.overall_error_count = 0;
5371 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch,
5372 stcb);
5373 ecne_seen = 1;
5374 }
5375 break;
5376 case SCTP_ECN_CWR:
5377 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ECN-CWR\n");
5378 /* He's alive so give him credit */
5379 if ((stcb == NULL) || (chk_length != sizeof(struct sctp_cwr_chunk))) {
5380 /* Its not ours */
5381 if (locked_tcb) {
5382 SCTP_TCB_UNLOCK(locked_tcb);
5383 }
5384 *offset = length;
5385 return (NULL);
5386 }
5387 if (stcb) {
5388 if (stcb->asoc.ecn_supported == 0) {
5389 goto unknown_chunk;
5390 }
5391 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5392 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5393 stcb->asoc.overall_error_count,
5394 0,
5395 SCTP_FROM_SCTP_INPUT,
5396 __LINE__);
5397 }
5398 stcb->asoc.overall_error_count = 0;
5399 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb, *netp);
5400 }
5401 break;
5402 case SCTP_SHUTDOWN_COMPLETE:
5403 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_SHUTDOWN-COMPLETE, stcb %p\n", (void *)stcb);
5404 /* must be first and only chunk */
5405 if ((num_chunks > 1) ||
5406 (length - *offset > (int)SCTP_SIZE32(chk_length))) {
5407 *offset = length;
5408 if (locked_tcb) {
5409 SCTP_TCB_UNLOCK(locked_tcb);
5410 }
5411 return (NULL);
5412 }
5413 if ((stcb) && netp && *netp) {
5414 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch,
5415 stcb, *netp);
5416 }
5417 *offset = length;
5418 return (NULL);
5419 break;
5420 case SCTP_ASCONF:
5421 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF\n");
5422 /* He's alive so give him credit */
5423 if (stcb) {
5424 if (stcb->asoc.asconf_supported == 0) {
5425 goto unknown_chunk;
5426 }
5427 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5428 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5429 stcb->asoc.overall_error_count,
5430 0,
5431 SCTP_FROM_SCTP_INPUT,
5432 __LINE__);
5433 }
5434 stcb->asoc.overall_error_count = 0;
5435 sctp_handle_asconf(m, *offset, src,
5436 (struct sctp_asconf_chunk *)ch, stcb, asconf_cnt == 0);
5437 asconf_cnt++;
5438 }
5439 break;
5440 case SCTP_ASCONF_ACK:
5441 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_ASCONF-ACK\n");
5442 if (chk_length < sizeof(struct sctp_asconf_ack_chunk)) {
5443 /* Its not ours */
5444 if (locked_tcb) {
5445 SCTP_TCB_UNLOCK(locked_tcb);
5446 }
5447 *offset = length;
5448 return (NULL);
5449 }
5450 if ((stcb) && netp && *netp) {
5451 if (stcb->asoc.asconf_supported == 0) {
5452 goto unknown_chunk;
5453 }
5454 /* He's alive so give him credit */
5455 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5456 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5457 stcb->asoc.overall_error_count,
5458 0,
5459 SCTP_FROM_SCTP_INPUT,
5460 __LINE__);
5461 }
5462 stcb->asoc.overall_error_count = 0;
5463 sctp_handle_asconf_ack(m, *offset,
5464 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp, &abort_no_unlock);
5465 if (abort_no_unlock)
5466 return (NULL);
5467 }
5468 break;
5469 case SCTP_FORWARD_CUM_TSN:
5470 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_FWD-TSN\n");
5471 if (chk_length < sizeof(struct sctp_forward_tsn_chunk)) {
5472 /* Its not ours */
5473 if (locked_tcb) {
5474 SCTP_TCB_UNLOCK(locked_tcb);
5475 }
5476 *offset = length;
5477 return (NULL);
5478 }
5479
5480 /* He's alive so give him credit */
5481 if (stcb) {
5482 int abort_flag = 0;
5483
5484 if (stcb->asoc.prsctp_supported == 0) {
5485 goto unknown_chunk;
5486 }
5487 stcb->asoc.overall_error_count = 0;
5488 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5489 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5490 stcb->asoc.overall_error_count,
5491 0,
5492 SCTP_FROM_SCTP_INPUT,
5493 __LINE__);
5494 }
5495 *fwd_tsn_seen = 1;
5496 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) {
5497 /* We are not interested anymore */
5498 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5499 so = SCTP_INP_SO(inp);
5500 atomic_add_int(&stcb->asoc.refcnt, 1);
5501 SCTP_TCB_UNLOCK(stcb);
5502 SCTP_SOCKET_LOCK(so, 1);
5503 SCTP_TCB_LOCK(stcb);
5504 atomic_subtract_int(&stcb->asoc.refcnt, 1);
5505 #endif
5506 (void)sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT+SCTP_LOC_29);
5507 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
5508 SCTP_SOCKET_UNLOCK(so, 1);
5509 #endif
5510 *offset = length;
5511 return (NULL);
5512 }
5513 sctp_handle_forward_tsn(stcb,
5514 (struct sctp_forward_tsn_chunk *)ch, &abort_flag, m, *offset);
5515 if (abort_flag) {
5516 *offset = length;
5517 return (NULL);
5518 } else {
5519 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
5520 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
5521 stcb->asoc.overall_error_count,
5522 0,
5523 SCTP_FROM_SCTP_INPUT,
5524 __LINE__);
5525 }
5526 stcb->asoc.overall_error_count = 0;
5527 }
5528
5529 }
5530 break;
5531 case SCTP_STREAM_RESET:
5532 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_STREAM_RESET\n");
5533 if (((stcb == NULL) || (ch == NULL) || (chk_length < sizeof(struct sctp_stream_reset_tsn_req)))) {
5534 /* Its not ours */
5535 if (locked_tcb) {
5536 SCTP_TCB_UNLOCK(locked_tcb);
5537 }
5538 *offset = length;
5539 return (NULL);
5540 }
5541 if (stcb->asoc.reconfig_supported == 0) {
5542 goto unknown_chunk;
5543 }
5544 if (sctp_handle_stream_reset(stcb, m, *offset, ch)) {
5545 /* stop processing */
5546 *offset = length;
5547 return (NULL);
5548 }
5549 break;
5550 case SCTP_PACKET_DROPPED:
5551 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_PACKET_DROPPED\n");
5552 /* re-get it all please */
5553 if (chk_length < sizeof(struct sctp_pktdrop_chunk)) {
5554 /* Its not ours */
5555 if (locked_tcb) {
5556 SCTP_TCB_UNLOCK(locked_tcb);
5557 }
5558 *offset = length;
5559 return (NULL);
5560 }
5561
5562
5563 if (ch && (stcb) && netp && (*netp)) {
5564 if (stcb->asoc.pktdrop_supported == 0) {
5565 goto unknown_chunk;
5566 }
5567 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch,
5568 stcb, *netp,
5569 min(chk_length, (sizeof(chunk_buf) - 4)));
5570
5571 }
5572
5573 break;
5574 case SCTP_AUTHENTICATION:
5575 SCTPDBG(SCTP_DEBUG_INPUT3, "SCTP_AUTHENTICATION\n");
5576 if (stcb == NULL) {
5577 /* save the first AUTH for later processing */
5578 if (auth_skipped == 0) {
5579 auth_offset = *offset;
5580 auth_len = chk_length;
5581 auth_skipped = 1;
5582 }
5583 /* skip this chunk (temporarily) */
5584 goto next_chunk;
5585 }
5586 if (stcb->asoc.auth_supported == 0) {
5587 goto unknown_chunk;
5588 }
5589 if ((chk_length < (sizeof(struct sctp_auth_chunk))) ||
5590 (chk_length > (sizeof(struct sctp_auth_chunk) +
5591 SCTP_AUTH_DIGEST_LEN_MAX))) {
5592 /* Its not ours */
5593 if (locked_tcb) {
5594 SCTP_TCB_UNLOCK(locked_tcb);
5595 }
5596 *offset = length;
5597 return (NULL);
5598 }
5599 if (got_auth == 1) {
5600 /* skip this chunk... it's already auth'd */
5601 goto next_chunk;
5602 }
5603 got_auth = 1;
5604 if ((ch == NULL) || sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch,
5605 m, *offset)) {
5606 /* auth HMAC failed so dump the packet */
5607 *offset = length;
5608 return (stcb);
5609 } else {
5610 /* remaining chunks are HMAC checked */
5611 stcb->asoc.authenticated = 1;
5612 }
5613 break;
5614
5615 default:
5616 unknown_chunk:
5617 /* it's an unknown chunk! */
5618 if ((ch->chunk_type & 0x40) && (stcb != NULL)) {
5619 struct mbuf *mm;
5620 struct sctp_paramhdr *phd;
5621
5622 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr),
5623 0, M_NOWAIT, 1, MT_DATA);
5624 if (mm) {
5625 phd = mtod(mm, struct sctp_paramhdr *);
5626 /*
5627 * We cheat and use param type since
5628 * we did not bother to define a
5629 * error cause struct. They are the
5630 * same basic format with different
5631 * names.
5632 */
5633 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK);
5634 phd->param_length = htons(chk_length + sizeof(*phd));
5635 SCTP_BUF_LEN(mm) = sizeof(*phd);
5636 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, chk_length, M_NOWAIT);
5637 if (SCTP_BUF_NEXT(mm)) {
5638 if (sctp_pad_lastmbuf(SCTP_BUF_NEXT(mm), SCTP_SIZE32(chk_length) - chk_length, NULL) == NULL) {
5639 sctp_m_freem(mm);
5640 } else {
5641 #ifdef SCTP_MBUF_LOGGING
5642 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
5643 struct mbuf *mat;
5644
5645 for (mat = SCTP_BUF_NEXT(mm); mat; mat = SCTP_BUF_NEXT(mat)) {
5646 if (SCTP_BUF_IS_EXTENDED(mat)) {
5647 sctp_log_mb(mat, SCTP_MBUF_ICOPY);
5648 }
5649 }
5650 }
5651 #endif
5652 sctp_queue_op_err(stcb, mm);
5653 }
5654 } else {
5655 sctp_m_freem(mm);
5656 }
5657 }
5658 }
5659 if ((ch->chunk_type & 0x80) == 0) {
5660 /* discard this packet */
5661 *offset = length;
5662 return (stcb);
5663 } /* else skip this bad chunk and continue... */
5664 break;
5665 } /* switch (ch->chunk_type) */
5666
5667
5668 next_chunk:
5669 /* get the next chunk */
5670 *offset += SCTP_SIZE32(chk_length);
5671 if (*offset >= length) {
5672 /* no more data left in the mbuf chain */
5673 break;
5674 }
5675 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset,
5676 sizeof(struct sctp_chunkhdr), chunk_buf);
5677 if (ch == NULL) {
5678 if (locked_tcb) {
5679 SCTP_TCB_UNLOCK(locked_tcb);
5680 }
5681 *offset = length;
5682 return (NULL);
5683 }
5684 } /* while */
5685
5686 if (asconf_cnt > 0 && stcb != NULL) {
5687 sctp_send_asconf_ack(stcb);
5688 }
5689 return (stcb);
5690 }
5691
5692
5693 #ifdef INVARIANTS
5694 #ifdef __GNUC__
5695 __attribute__((noinline))
5696 #endif
5697 void
5698 sctp_validate_no_locks(struct sctp_inpcb *inp)
5699 {
5700 #ifndef __APPLE__
5701 struct sctp_tcb *lstcb;
5702
5703 LIST_FOREACH(lstcb, &inp->sctp_asoc_list, sctp_tcblist) {
5704 if (mtx_owned(&lstcb->tcb_mtx)) {
5705 panic("Own lock on stcb at return from input");
5706 }
5707 }
5708 if (mtx_owned(&inp->inp_create_mtx)) {
5709 panic("Own create lock on inp");
5710 }
5711 if (mtx_owned(&inp->inp_mtx)) {
5712 panic("Own inp lock on inp");
5713 }
5714 #endif
5715 }
5716 #endif
5717
5718 /*
5719 * common input chunk processing (v4 and v6)
5720 */
5721 void
5722 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, int length,
5723 struct sockaddr *src, struct sockaddr *dst,
5724 struct sctphdr *sh, struct sctp_chunkhdr *ch,
5725 #if !defined(SCTP_WITH_NO_CSUM)
5726 uint8_t compute_crc,
5727 #endif
5728 uint8_t ecn_bits,
5729 #if defined(__FreeBSD__)
5730 uint8_t use_mflowid, uint32_t mflowid,
5731 #endif
5732 uint32_t vrf_id, uint16_t port)
5733 {
5734 uint32_t high_tsn;
5735 int fwd_tsn_seen = 0, data_processed = 0;
5736 struct mbuf *m = *mm, *op_err;
5737 char msg[SCTP_DIAG_INFO_LEN];
5738 int un_sent;
5739 int cnt_ctrl_ready = 0;
5740 struct sctp_inpcb *inp = NULL, *inp_decr = NULL;
5741 struct sctp_tcb *stcb = NULL;
5742 struct sctp_nets *net = NULL;
5743
5744 SCTP_STAT_INCR(sctps_recvdatagrams);
5745 #ifdef SCTP_AUDITING_ENABLED
5746 sctp_audit_log(0xE0, 1);
5747 sctp_auditing(0, inp, stcb, net);
5748 #endif
5749 #if !defined(SCTP_WITH_NO_CSUM)
5750 if (compute_crc != 0) {
5751 uint32_t check, calc_check;
5752
5753 check = sh->checksum;
5754 sh->checksum = 0;
5755 calc_check = sctp_calculate_cksum(m, iphlen);
5756 sh->checksum = check;
5757 if (calc_check != check) {
5758 SCTPDBG(SCTP_DEBUG_INPUT1, "Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n",
5759 calc_check, check, (void *)m, length, iphlen);
5760 stcb = sctp_findassociation_addr(m, offset, src, dst,
5761 sh, ch, &inp, &net, vrf_id);
5762 #if defined(INET) || defined(INET6)
5763 if ((net != NULL) && (port != 0)) {
5764 if (net->port == 0) {
5765 sctp_pathmtu_adjustment(stcb, net->mtu - sizeof(struct udphdr));
5766 }
5767 net->port = port;
5768 }
5769 #endif
5770 #if defined(__FreeBSD__)
5771 if ((net != NULL) && (use_mflowid != 0)) {
5772 net->flowid = mflowid;
5773 #ifdef INVARIANTS
5774 net->flowidset = 1;
5775 #endif
5776 }
5777 #endif
5778 if ((inp != NULL) && (stcb != NULL)) {
5779 sctp_send_packet_dropped(stcb, net, m, length, iphlen, 1);
5780 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR, SCTP_SO_NOT_LOCKED);
5781 } else if ((inp != NULL) && (stcb == NULL)) {
5782 inp_decr = inp;
5783 }
5784 SCTP_STAT_INCR(sctps_badsum);
5785 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors);
5786 goto out;
5787 }
5788 }
5789 #endif
5790 /* Destination port of 0 is illegal, based on RFC4960. */
5791 if (sh->dest_port == 0) {
5792 SCTP_STAT_INCR(sctps_hdrops);
5793 goto out;
5794 }
5795 stcb = sctp_findassociation_addr(m, offset, src, dst,
5796 sh, ch, &inp, &net, vrf_id);
5797 #if defined(INET) || defined(INET6)
5798 if ((net != NULL) && (port != 0)) {
5799 if (net->port == 0) {
5800 sctp_pathmtu_adjustment(stcb, net->mtu - sizeof(struct udphdr));
5801 }
5802 net->port = port;
5803 }
5804 #endif
5805 #if defined(__FreeBSD__)
5806 if ((net != NULL) && (use_mflowid != 0)) {
5807 net->flowid = mflowid;
5808 #ifdef INVARIANTS
5809 net->flowidset = 1;
5810 #endif
5811 }
5812 #endif
5813 if (inp == NULL) {
5814 SCTP_STAT_INCR(sctps_noport);
5815 #if defined(__FreeBSD__) && (((__FreeBSD_version < 900000) && (__FreeBSD_version >= 804000)) || (__FreeBSD_version > 900000))
5816 if (badport_bandlim(BANDLIM_SCTP_OOTB) < 0) {
5817 goto out;
5818 }
5819 #endif
5820 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) {
5821 sctp_send_shutdown_complete2(src, dst, sh,
5822 #if defined(__FreeBSD__)
5823 use_mflowid, mflowid,
5824 #endif
5825 vrf_id, port);
5826 goto out;
5827 }
5828 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) {
5829 goto out;
5830 }
5831 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) {
5832 if ((SCTP_BASE_SYSCTL(sctp_blackhole) == 0) ||
5833 ((SCTP_BASE_SYSCTL(sctp_blackhole) == 1) &&
5834 (ch->chunk_type != SCTP_INIT))) {
5835 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5836 "Out of the blue");
5837 sctp_send_abort(m, iphlen, src, dst,
5838 sh, 0, op_err,
5839 #if defined(__FreeBSD__)
5840 use_mflowid, mflowid,
5841 #endif
5842 vrf_id, port);
5843 }
5844 }
5845 goto out;
5846 } else if (stcb == NULL) {
5847 inp_decr = inp;
5848 }
5849 #ifdef IPSEC
5850 /*-
5851 * I very much doubt any of the IPSEC stuff will work but I have no
5852 * idea, so I will leave it in place.
5853 */
5854 if (inp != NULL) {
5855 switch (dst->sa_family) {
5856 #ifdef INET
5857 case AF_INET:
5858 if (ipsec4_in_reject(m, &inp->ip_inp.inp)) {
5859 #if defined(__FreeBSD__) && (__FreeBSD_version > 1000036)
5860 IPSECSTAT_INC(ips_in_polvio);
5861 #else
5862 MODULE_GLOBAL(ipsec4stat).in_polvio++;
5863 #endif
5864 SCTP_STAT_INCR(sctps_hdrops);
5865 goto out;
5866 }
5867 break;
5868 #endif
5869 #ifdef INET6
5870 case AF_INET6:
5871 if (ipsec6_in_reject(m, &inp->ip_inp.inp)) {
5872 #if defined(__FreeBSD__) && (__FreeBSD_version > 1000036)
5873 IPSEC6STAT_INC(ips_in_polvio);
5874 #else
5875 MODULE_GLOBAL(ipsec6stat).in_polvio++;
5876 #endif
5877 SCTP_STAT_INCR(sctps_hdrops);
5878 goto out;
5879 }
5880 break;
5881 #endif
5882 default:
5883 break;
5884 }
5885 }
5886 #endif
5887 SCTPDBG(SCTP_DEBUG_INPUT1, "Ok, Common input processing called, m:%p iphlen:%d offset:%d length:%d stcb:%p\n",
5888 (void *)m, iphlen, offset, length, (void *)stcb);
5889 if (stcb) {
5890 /* always clear this before beginning a packet */
5891 stcb->asoc.authenticated = 0;
5892 stcb->asoc.seen_a_sack_this_pkt = 0;
5893 SCTPDBG(SCTP_DEBUG_INPUT1, "stcb:%p state:%x\n",
5894 (void *)stcb, stcb->asoc.state);
5895
5896 if ((stcb->asoc.state & SCTP_STATE_WAS_ABORTED) ||
5897 (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED)) {
5898 /*-
5899 * If we hit here, we had a ref count
5900 * up when the assoc was aborted and the
5901 * timer is clearing out the assoc, we should
5902 * NOT respond to any packet.. its OOTB.
5903 */
5904 SCTP_TCB_UNLOCK(stcb);
5905 stcb = NULL;
5906 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s\n", __FILE__, __LINE__, __FUNCTION__);
5907 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5908 msg);
5909 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
5910 #if defined(__FreeBSD__)
5911 use_mflowid, mflowid,
5912 #endif
5913 vrf_id, port);
5914 goto out;
5915 }
5916
5917 }
5918 if (IS_SCTP_CONTROL(ch)) {
5919 /* process the control portion of the SCTP packet */
5920 /* sa_ignore NO_NULL_CHK */
5921 stcb = sctp_process_control(m, iphlen, &offset, length,
5922 src, dst, sh, ch,
5923 inp, stcb, &net, &fwd_tsn_seen,
5924 #if defined(__FreeBSD__)
5925 use_mflowid, mflowid,
5926 #endif
5927 vrf_id, port);
5928 if (stcb) {
5929 /* This covers us if the cookie-echo was there
5930 * and it changes our INP.
5931 */
5932 inp = stcb->sctp_ep;
5933 #if defined(INET) || defined(INET6)
5934 if ((net) && (port)) {
5935 if (net->port == 0) {
5936 sctp_pathmtu_adjustment(stcb, net->mtu - sizeof(struct udphdr));
5937 }
5938 net->port = port;
5939 }
5940 #endif
5941 }
5942 } else {
5943 /*
5944 * no control chunks, so pre-process DATA chunks (these
5945 * checks are taken care of by control processing)
5946 */
5947
5948 /*
5949 * if DATA only packet, and auth is required, then punt...
5950 * can't have authenticated without any AUTH (control)
5951 * chunks
5952 */
5953 if ((stcb != NULL) &&
5954 (stcb->asoc.auth_supported == 1) &&
5955 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks)) {
5956 /* "silently" ignore */
5957 SCTP_STAT_INCR(sctps_recvauthmissing);
5958 goto out;
5959 }
5960 if (stcb == NULL) {
5961 /* out of the blue DATA chunk */
5962 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s\n", __FILE__, __LINE__, __FUNCTION__);
5963 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
5964 msg);
5965 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
5966 #if defined(__FreeBSD__)
5967 use_mflowid, mflowid,
5968 #endif
5969 vrf_id, port);
5970 goto out;
5971 }
5972 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) {
5973 /* v_tag mismatch! */
5974 SCTP_STAT_INCR(sctps_badvtag);
5975 goto out;
5976 }
5977 }
5978
5979 if (stcb == NULL) {
5980 /*
5981 * no valid TCB for this packet, or we found it's a bad
5982 * packet while processing control, or we're done with this
5983 * packet (done or skip rest of data), so we drop it...
5984 */
5985 goto out;
5986 }
5987
5988 /*
5989 * DATA chunk processing
5990 */
5991 /* plow through the data chunks while length > offset */
5992
5993 /*
5994 * Rest should be DATA only. Check authentication state if AUTH for
5995 * DATA is required.
5996 */
5997 if ((length > offset) &&
5998 (stcb != NULL) &&
5999 (stcb->asoc.auth_supported == 1) &&
6000 sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.local_auth_chunks) &&
6001 !stcb->asoc.authenticated) {
6002 /* "silently" ignore */
6003 SCTP_STAT_INCR(sctps_recvauthmissing);
6004 SCTPDBG(SCTP_DEBUG_AUTH1,
6005 "Data chunk requires AUTH, skipped\n");
6006 goto trigger_send;
6007 }
6008 if (length > offset) {
6009 int retval;
6010
6011 /*
6012 * First check to make sure our state is correct. We would
6013 * not get here unless we really did have a tag, so we don't
6014 * abort if this happens, just dump the chunk silently.
6015 */
6016 switch (SCTP_GET_STATE(&stcb->asoc)) {
6017 case SCTP_STATE_COOKIE_ECHOED:
6018 /*
6019 * we consider data with valid tags in this state
6020 * shows us the cookie-ack was lost. Imply it was
6021 * there.
6022 */
6023 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) {
6024 sctp_misc_ints(SCTP_THRESHOLD_CLEAR,
6025 stcb->asoc.overall_error_count,
6026 0,
6027 SCTP_FROM_SCTP_INPUT,
6028 __LINE__);
6029 }
6030 stcb->asoc.overall_error_count = 0;
6031 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net);
6032 break;
6033 case SCTP_STATE_COOKIE_WAIT:
6034 /*
6035 * We consider OOTB any data sent during asoc setup.
6036 */
6037 snprintf(msg, sizeof(msg), "OOTB, %s:%d at %s\n", __FILE__, __LINE__, __FUNCTION__);
6038 op_err = sctp_generate_cause(SCTP_BASE_SYSCTL(sctp_diag_info_code),
6039 msg);
6040 sctp_handle_ootb(m, iphlen, offset, src, dst, sh, inp, op_err,
6041 #if defined(__FreeBSD__)
6042 use_mflowid, mflowid,
6043 #endif
6044 vrf_id, port);
6045 goto out;
6046 /*sa_ignore NOTREACHED*/
6047 break;
6048 case SCTP_STATE_EMPTY: /* should not happen */
6049 case SCTP_STATE_INUSE: /* should not happen */
6050 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */
6051 case SCTP_STATE_SHUTDOWN_ACK_SENT:
6052 default:
6053 goto out;
6054 /*sa_ignore NOTREACHED*/
6055 break;
6056 case SCTP_STATE_OPEN:
6057 case SCTP_STATE_SHUTDOWN_SENT:
6058 break;
6059 }
6060 /* plow through the data chunks while length > offset */
6061 retval = sctp_process_data(mm, iphlen, &offset, length,
6062 src, dst, sh,
6063 inp, stcb, net, &high_tsn,
6064 #if defined(__FreeBSD__)
6065 use_mflowid, mflowid,
6066 #endif
6067 vrf_id, port);
6068 if (retval == 2) {
6069 /*
6070 * The association aborted, NO UNLOCK needed since
6071 * the association is destroyed.
6072 */
6073 stcb = NULL;
6074 goto out;
6075 }
6076 data_processed = 1;
6077 /*
6078 * Anything important needs to have been m_copy'ed in
6079 * process_data
6080 */
6081 }
6082
6083 /* take care of ecn */
6084 if ((data_processed == 1) &&
6085 (stcb->asoc.ecn_supported == 1) &&
6086 ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS)) {
6087 /* Yep, we need to add a ECNE */
6088 sctp_send_ecn_echo(stcb, net, high_tsn);
6089 }
6090
6091 if ((data_processed == 0) && (fwd_tsn_seen)) {
6092 int was_a_gap;
6093 uint32_t highest_tsn;
6094
6095 if (SCTP_TSN_GT(stcb->asoc.highest_tsn_inside_nr_map, stcb->asoc.highest_tsn_inside_map)) {
6096 highest_tsn = stcb->asoc.highest_tsn_inside_nr_map;
6097 } else {
6098 highest_tsn = stcb->asoc.highest_tsn_inside_map;
6099 }
6100 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn);
6101 stcb->asoc.send_sack = 1;
6102 sctp_sack_check(stcb, was_a_gap);
6103 } else if (fwd_tsn_seen) {
6104 stcb->asoc.send_sack = 1;
6105 }
6106 /* trigger send of any chunks in queue... */
6107 trigger_send:
6108 #ifdef SCTP_AUDITING_ENABLED
6109 sctp_audit_log(0xE0, 2);
6110 sctp_auditing(1, inp, stcb, net);
6111 #endif
6112 SCTPDBG(SCTP_DEBUG_INPUT1,
6113 "Check for chunk output prw:%d tqe:%d tf=%d\n",
6114 stcb->asoc.peers_rwnd,
6115 TAILQ_EMPTY(&stcb->asoc.control_send_queue),
6116 stcb->asoc.total_flight);
6117 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
6118 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
6119 cnt_ctrl_ready = stcb->asoc.ctrl_queue_cnt - stcb->asoc.ecn_echo_cnt_onq;
6120 }
6121 if (cnt_ctrl_ready ||
6122 ((un_sent) &&
6123 (stcb->asoc.peers_rwnd > 0 ||
6124 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) {
6125 SCTPDBG(SCTP_DEBUG_INPUT3, "Calling chunk OUTPUT\n");
6126 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC, SCTP_SO_NOT_LOCKED);
6127 SCTPDBG(SCTP_DEBUG_INPUT3, "chunk OUTPUT returns\n");
6128 }
6129 #ifdef SCTP_AUDITING_ENABLED
6130 sctp_audit_log(0xE0, 3);
6131 sctp_auditing(2, inp, stcb, net);
6132 #endif
6133 out:
6134 if (stcb != NULL) {
6135 SCTP_TCB_UNLOCK(stcb);
6136 }
6137 if (inp_decr != NULL) {
6138 /* reduce ref-count */
6139 SCTP_INP_WLOCK(inp_decr);
6140 SCTP_INP_DECR_REF(inp_decr);
6141 SCTP_INP_WUNLOCK(inp_decr);
6142 }
6143 #ifdef INVARIANTS
6144 if (inp != NULL) {
6145 sctp_validate_no_locks(inp);
6146 }
6147 #endif
6148 return;
6149 }
6150
6151 #if 0
6152 static void
6153 sctp_print_mbuf_chain(struct mbuf *m)
6154 {
6155 for (; m; m = SCTP_BUF_NEXT(m)) {
6156 SCTP_PRINTF("%p: m_len = %ld\n", (void *)m, SCTP_BUF_LEN(m));
6157 if (SCTP_BUF_IS_EXTENDED(m))
6158 SCTP_PRINTF("%p: extend_size = %d\n", (void *)m, SCTP_BUF_EXTEND_SIZE(m));
6159 }
6160 }
6161 #endif
6162
6163 #ifdef INET
6164 #if !defined(__Userspace__)
6165 #if defined(__FreeBSD__) || defined(__APPLE__) || defined(__Windows__)
6166 void
6167 sctp_input_with_port(struct mbuf *i_pak, int off, uint16_t port)
6168 #elif defined(__Panda__)
6169 void
6170 sctp_input(pakhandle_type i_pak)
6171 #else
6172 void
6173 #if __STDC__
6174 sctp_input(struct mbuf *i_pak,...)
6175 #else
6176 sctp_input(i_pak, va_alist)
6177 struct mbuf *i_pak;
6178 #endif
6179 #endif
6180 {
6181 struct mbuf *m;
6182 int iphlen;
6183 uint32_t vrf_id = 0;
6184 uint8_t ecn_bits;
6185 struct sockaddr_in src, dst;
6186 struct ip *ip;
6187 struct sctphdr *sh;
6188 struct sctp_chunkhdr *ch;
6189 int length, offset;
6190 #if !defined(SCTP_WITH_NO_CSUM)
6191 uint8_t compute_crc;
6192 #endif
6193 #if defined(__FreeBSD__)
6194 uint32_t mflowid;
6195 uint8_t use_mflowid;
6196 #endif
6197 #if !(defined(__FreeBSD__) || defined(__APPLE__) || defined(__Windows__))
6198 uint16_t port = 0;
6199 #endif
6200
6201 #if defined(__Panda__)
6202 /* This is Evil, but its the only way to make panda work right. */
6203 iphlen = sizeof(struct ip);
6204 #else
6205 iphlen = off;
6206 #endif
6207 if (SCTP_GET_PKT_VRFID(i_pak, vrf_id)) {
6208 SCTP_RELEASE_PKT(i_pak);
6209 return;
6210 }
6211 m = SCTP_HEADER_TO_CHAIN(i_pak);
6212 #ifdef __Panda__
6213 SCTP_DETACH_HEADER_FROM_CHAIN(i_pak);
6214 (void)SCTP_RELEASE_HEADER(i_pak);
6215 #endif
6216 #ifdef SCTP_MBUF_LOGGING
6217 /* Log in any input mbufs */
6218 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6219 struct mbuf *mat;
6220
6221 for (mat = m; mat; mat = SCTP_BUF_NEXT(mat)) {
6222 if (SCTP_BUF_IS_EXTENDED(mat)) {
6223 sctp_log_mb(mat, SCTP_MBUF_INPUT);
6224 }
6225 }
6226 }
6227 #endif
6228 #ifdef SCTP_PACKET_LOGGING
6229 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING) {
6230 sctp_packet_log(m);
6231 }
6232 #endif
6233 #if defined(__FreeBSD__)
6234 #if __FreeBSD_version > 1000049
6235 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
6236 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%b.\n",
6237 m->m_pkthdr.len,
6238 if_name(m->m_pkthdr.rcvif),
6239 (int)m->m_pkthdr.csum_flags, CSUM_BITS);
6240 #elif __FreeBSD_version >= 800000
6241 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
6242 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%x.\n",
6243 m->m_pkthdr.len,
6244 if_name(m->m_pkthdr.rcvif),
6245 m->m_pkthdr.csum_flags);
6246 #else
6247 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
6248 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%x.\n",
6249 m->m_pkthdr.len,
6250 m->m_pkthdr.rcvif->if_xname,
6251 m->m_pkthdr.csum_flags);
6252 #endif
6253 #endif
6254 #if defined(__APPLE__)
6255 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
6256 "sctp_input(): Packet of length %d received on %s%d with csum_flags 0x%x.\n",
6257 m->m_pkthdr.len,
6258 m->m_pkthdr.rcvif->if_name,
6259 m->m_pkthdr.rcvif->if_unit,
6260 m->m_pkthdr.csum_flags);
6261 #endif
6262 #if defined(__Windows__)
6263 SCTPDBG(SCTP_DEBUG_CRCOFFLOAD,
6264 "sctp_input(): Packet of length %d received on %s with csum_flags 0x%x.\n",
6265 m->m_pkthdr.len,
6266 m->m_pkthdr.rcvif->if_xname,
6267 m->m_pkthdr.csum_flags);
6268 #endif
6269 #if defined(__FreeBSD__)
6270 if (m->m_flags & M_FLOWID) {
6271 mflowid = m->m_pkthdr.flowid;
6272 use_mflowid = 1;
6273 } else {
6274 mflowid = 0;
6275 use_mflowid = 0;
6276 }
6277 #endif
6278 SCTP_STAT_INCR(sctps_recvpackets);
6279 SCTP_STAT_INCR_COUNTER64(sctps_inpackets);
6280 /* Get IP, SCTP, and first chunk header together in the first mbuf. */
6281 offset = iphlen + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
6282 if (SCTP_BUF_LEN(m) < offset) {
6283 if ((m = m_pullup(m, offset)) == NULL) {
6284 SCTP_STAT_INCR(sctps_hdrops);
6285 return;
6286 }
6287 }
6288 ip = mtod(m, struct ip *);
6289 sh = (struct sctphdr *)((caddr_t)ip + iphlen);
6290 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(struct sctphdr));
6291 offset -= sizeof(struct sctp_chunkhdr);
6292 memset(&src, 0, sizeof(struct sockaddr_in));
6293 src.sin_family = AF_INET;
6294 #ifdef HAVE_SIN_LEN
6295 src.sin_len = sizeof(struct sockaddr_in);
6296 #endif
6297 src.sin_port = sh->src_port;
6298 src.sin_addr = ip->ip_src;
6299 memset(&dst, 0, sizeof(struct sockaddr_in));
6300 dst.sin_family = AF_INET;
6301 #ifdef HAVE_SIN_LEN
6302 dst.sin_len = sizeof(struct sockaddr_in);
6303 #endif
6304 dst.sin_port = sh->dest_port;
6305 dst.sin_addr = ip->ip_dst;
6306 #if defined(__Windows__)
6307 NTOHS(ip->ip_len);
6308 #endif
6309 #if defined(__Userspace_os_Linux) || defined(__Userspace_os_Windows)
6310 ip->ip_len = ntohs(ip->ip_len);
6311 #endif
6312 #if defined(__FreeBSD__)
6313 #if __FreeBSD_version >= 1000000
6314 length = ntohs(ip->ip_len);
6315 #else
6316 length = ip->ip_len + iphlen;
6317 #endif
6318 #elif defined(__APPLE__)
6319 length = ip->ip_len + iphlen;
6320 #elif defined(__Userspace__)
6321 #if defined(__Userspace_os_Linux) || defined(__Userspace_os_Windows)
6322 length = ip->ip_len;
6323 #else
6324 length = ip->ip_len + iphlen;
6325 #endif
6326 #else
6327 length = ip->ip_len;
6328 #endif
6329 /* Validate mbuf chain length with IP payload length. */
6330 if (SCTP_HEADER_LEN(m) != length) {
6331 SCTPDBG(SCTP_DEBUG_INPUT1,
6332 "sctp_input() length:%d reported length:%d\n", length, SCTP_HEADER_LEN(m));
6333 SCTP_STAT_INCR(sctps_hdrops);
6334 goto out;
6335 }
6336 /* SCTP does not allow broadcasts or multicasts */
6337 if (IN_MULTICAST(ntohl(dst.sin_addr.s_addr))) {
6338 goto out;
6339 }
6340 if (SCTP_IS_IT_BROADCAST(dst.sin_addr, m)) {
6341 goto out;
6342 }
6343 ecn_bits = ip->ip_tos;
6344 #if defined(SCTP_WITH_NO_CSUM)
6345 SCTP_STAT_INCR(sctps_recvnocrc);
6346 #else
6347 #if defined(__FreeBSD__) && __FreeBSD_version >= 800000
6348 if (m->m_pkthdr.csum_flags & CSUM_SCTP_VALID) {
6349 SCTP_STAT_INCR(sctps_recvhwcrc);
6350 compute_crc = 0;
6351 } else {
6352 #else
6353 if (SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
6354 ((src.sin_addr.s_addr == dst.sin_addr.s_addr) ||
6355 (SCTP_IS_IT_LOOPBACK(m)))) {
6356 SCTP_STAT_INCR(sctps_recvnocrc);
6357 compute_crc = 0;
6358 } else {
6359 #endif
6360 SCTP_STAT_INCR(sctps_recvswcrc);
6361 compute_crc = 1;
6362 }
6363 #endif
6364 sctp_common_input_processing(&m, iphlen, offset, length,
6365 (struct sockaddr *)&src,
6366 (struct sockaddr *)&dst,
6367 sh, ch,
6368 #if !defined(SCTP_WITH_NO_CSUM)
6369 compute_crc,
6370 #endif
6371 ecn_bits,
6372 #if defined(__FreeBSD__)
6373 use_mflowid, mflowid,
6374 #endif
6375 vrf_id, port);
6376 out:
6377 if (m) {
6378 sctp_m_freem(m);
6379 }
6380 return;
6381 }
6382
6383 #if defined(__FreeBSD__) && defined(SCTP_MCORE_INPUT) && defined(SMP)
6384 extern int *sctp_cpuarry;
6385 #endif
6386
6387 #if defined(__FreeBSD__) && __FreeBSD_version >= 1100020
6388 int
6389 sctp_input(struct mbuf **mp, int *offp, int proto SCTP_UNUSED)
6390 {
6391 struct mbuf *m;
6392 int off;
6393
6394 m = *mp;
6395 off = *offp;
6396 #else
6397 void
6398 sctp_input(struct mbuf *m, int off)
6399 {
6400 #endif
6401 #if defined(__FreeBSD__) && defined(SCTP_MCORE_INPUT) && defined(SMP)
6402 if (mp_ncpus > 1) {
6403 struct ip *ip;
6404 struct sctphdr *sh;
6405 int offset;
6406 int cpu_to_use;
6407 uint32_t flowid, tag;
6408
6409 if (m->m_flags & M_FLOWID) {
6410 flowid = m->m_pkthdr.flowid;
6411 } else {
6412 /* No flow id built by lower layers
6413 * fix it so we create one.
6414 */
6415 offset = off + sizeof(struct sctphdr);
6416 if (SCTP_BUF_LEN(m) < offset) {
6417 if ((m = m_pullup(m, offset)) == NULL) {
6418 SCTP_STAT_INCR(sctps_hdrops);
6419 #if defined(__FreeBSD__) && __FreeBSD_version >= 1100020
6420 return (IPPROTO_DONE);
6421 #else
6422 return;
6423 #endif
6424 }
6425 }
6426 ip = mtod(m, struct ip *);
6427 sh = (struct sctphdr *)((caddr_t)ip + off);
6428 tag = htonl(sh->v_tag);
6429 flowid = tag ^ ntohs(sh->dest_port) ^ ntohs(sh->src_port);
6430 m->m_pkthdr.flowid = flowid;
6431 m->m_flags |= M_FLOWID;
6432 }
6433 cpu_to_use = sctp_cpuarry[flowid % mp_ncpus];
6434 sctp_queue_to_mcore(m, off, cpu_to_use);
6435 #if defined(__FreeBSD__) && __FreeBSD_version >= 1100020
6436 return (IPPROTO_DONE);
6437 #else
6438 return;
6439 #endif
6440 }
6441 #endif
6442 sctp_input_with_port(m, off, 0);
6443 #if defined(__FreeBSD__) && __FreeBSD_version >= 1100020
6444 return (IPPROTO_DONE);
6445 #endif
6446 }
6447 #endif
6448 #endif
6449