1 /*- 2 * Copyright (c) 2001-2007, by Cisco Systems, Inc. All rights reserved. 3 * Copyright (c) 2008-2012, by Randall Stewart. All rights reserved. 4 * Copyright (c) 2008-2012, by Michael Tuexen. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions are met: 8 * 9 * a) Redistributions of source code must retain the above copyright notice, 10 * this list of conditions and the following disclaimer. 11 * 12 * b) Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in 14 * the documentation and/or other materials provided with the distribution. 15 * 16 * c) Neither the name of Cisco Systems, Inc. nor the names of its 17 * contributors may be used to endorse or promote products derived 18 * from this software without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 22 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 30 * THE POSSIBILITY OF SUCH DAMAGE. 31 */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 36 #include <netinet/sctp_os.h> 37 #include <sys/proc.h> 38 #include <netinet/sctp_var.h> 39 #include <netinet/sctp_sysctl.h> 40 #include <netinet/sctp_header.h> 41 #include <netinet/sctp_pcb.h> 42 #include <netinet/sctputil.h> 43 #include <netinet/sctp_output.h> 44 #include <netinet/sctp_uio.h> 45 #include <netinet/sctp_auth.h> 46 #include <netinet/sctp_timer.h> 47 #include <netinet/sctp_asconf.h> 48 #include <netinet/sctp_indata.h> 49 #include <netinet/sctp_bsd_addr.h> 50 #include <netinet/sctp_input.h> 51 #include <netinet/sctp_crc32.h> 52 #include <netinet/sctp_lock_bsd.h> 53 /* 54 * NOTES: On the outbound side of things I need to check the sack timer to 55 * see if I should generate a sack into the chunk queue (if I have data to 56 * send that is and will be sending it .. for bundling. 57 * 58 * The callback in sctp_usrreq.c will get called when the socket is read from. 59 * This will cause sctp_service_queues() to get called on the top entry in 60 * the list. 61 */ 62 static uint32_t 63 sctp_add_chk_to_control(struct sctp_queued_to_read *control, 64 struct sctp_stream_in *strm, 65 struct sctp_tcb *stcb, 66 struct sctp_association *asoc, 67 struct sctp_tmit_chunk *chk, int lock_held); 68 69 70 void 71 sctp_set_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc) 72 { 73 asoc->my_rwnd = sctp_calc_rwnd(stcb, asoc); 74 } 75 76 /* Calculate what the rwnd would be */ 77 uint32_t 78 sctp_calc_rwnd(struct sctp_tcb *stcb, struct sctp_association *asoc) 79 { 80 uint32_t calc = 0; 81 82 /* 83 * This is really set wrong with respect to a 1-2-m socket. Since 84 * the sb_cc is the count that everyone as put up. When we re-write 85 * sctp_soreceive then we will fix this so that ONLY this 86 * associations data is taken into account. 87 */ 88 if (stcb->sctp_socket == NULL) { 89 return (calc); 90 } 91 if (stcb->asoc.sb_cc == 0 && 92 asoc->size_on_reasm_queue == 0 && 93 asoc->size_on_all_streams == 0) { 94 /* Full rwnd granted */ 95 KASSERT(asoc->cnt_on_reasm_queue == 0, ("cnt_on_reasm_queue is %u", asoc->cnt_on_reasm_queue)); 96 KASSERT(asoc->cnt_on_all_streams == 0, ("cnt_on_all_streams is %u", asoc->cnt_on_all_streams)); 97 calc = max(SCTP_SB_LIMIT_RCV(stcb->sctp_socket), SCTP_MINIMAL_RWND); 98 return (calc); 99 } 100 /* get actual space */ 101 calc = (uint32_t)sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv); 102 /* 103 * take out what has NOT been put on socket queue and we yet hold 104 * for putting up. 105 */ 106 calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_reasm_queue + 107 asoc->cnt_on_reasm_queue * MSIZE)); 108 calc = sctp_sbspace_sub(calc, (uint32_t)(asoc->size_on_all_streams + 109 asoc->cnt_on_all_streams * MSIZE)); 110 if (calc == 0) { 111 /* out of space */ 112 return (calc); 113 } 114 /* what is the overhead of all these rwnd's */ 115 calc = sctp_sbspace_sub(calc, stcb->asoc.my_rwnd_control_len); 116 /* 117 * If the window gets too small due to ctrl-stuff, reduce it to 1, 118 * even it is 0. SWS engaged 119 */ 120 if (calc < stcb->asoc.my_rwnd_control_len) { 121 calc = 1; 122 } 123 return (calc); 124 } 125 126 127 128 /* 129 * Build out our readq entry based on the incoming packet. 130 */ 131 struct sctp_queued_to_read * 132 sctp_build_readq_entry(struct sctp_tcb *stcb, 133 struct sctp_nets *net, 134 uint32_t tsn, uint32_t ppid, 135 uint32_t context, uint16_t sid, 136 uint32_t mid, uint8_t flags, 137 struct mbuf *dm) 138 { 139 struct sctp_queued_to_read *read_queue_e = NULL; 140 141 sctp_alloc_a_readq(stcb, read_queue_e); 142 if (read_queue_e == NULL) { 143 goto failed_build; 144 } 145 memset(read_queue_e, 0, sizeof(struct sctp_queued_to_read)); 146 read_queue_e->sinfo_stream = sid; 147 read_queue_e->sinfo_flags = (flags << 8); 148 read_queue_e->sinfo_ppid = ppid; 149 read_queue_e->sinfo_context = context; 150 read_queue_e->sinfo_tsn = tsn; 151 read_queue_e->sinfo_cumtsn = tsn; 152 read_queue_e->sinfo_assoc_id = sctp_get_associd(stcb); 153 read_queue_e->mid = mid; 154 read_queue_e->top_fsn = read_queue_e->fsn_included = 0xffffffff; 155 TAILQ_INIT(&read_queue_e->reasm); 156 read_queue_e->whoFrom = net; 157 atomic_add_int(&net->ref_count, 1); 158 read_queue_e->data = dm; 159 read_queue_e->stcb = stcb; 160 read_queue_e->port_from = stcb->rport; 161 failed_build: 162 return (read_queue_e); 163 } 164 165 struct mbuf * 166 sctp_build_ctl_nchunk(struct sctp_inpcb *inp, struct sctp_sndrcvinfo *sinfo) 167 { 168 struct sctp_extrcvinfo *seinfo; 169 struct sctp_sndrcvinfo *outinfo; 170 struct sctp_rcvinfo *rcvinfo; 171 struct sctp_nxtinfo *nxtinfo; 172 struct cmsghdr *cmh; 173 struct mbuf *ret; 174 int len; 175 int use_extended; 176 int provide_nxt; 177 178 if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT) && 179 sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVRCVINFO) && 180 sctp_is_feature_off(inp, SCTP_PCB_FLAGS_RECVNXTINFO)) { 181 /* user does not want any ancillary data */ 182 return (NULL); 183 } 184 len = 0; 185 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { 186 len += CMSG_SPACE(sizeof(struct sctp_rcvinfo)); 187 } 188 seinfo = (struct sctp_extrcvinfo *)sinfo; 189 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVNXTINFO) && 190 (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_AVAIL)) { 191 provide_nxt = 1; 192 len += CMSG_SPACE(sizeof(struct sctp_nxtinfo)); 193 } else { 194 provide_nxt = 0; 195 } 196 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) { 197 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXT_RCVINFO)) { 198 use_extended = 1; 199 len += CMSG_SPACE(sizeof(struct sctp_extrcvinfo)); 200 } else { 201 use_extended = 0; 202 len += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo)); 203 } 204 } else { 205 use_extended = 0; 206 } 207 208 ret = sctp_get_mbuf_for_msg(len, 0, M_NOWAIT, 1, MT_DATA); 209 if (ret == NULL) { 210 /* No space */ 211 return (ret); 212 } 213 SCTP_BUF_LEN(ret) = 0; 214 215 /* We need a CMSG header followed by the struct */ 216 cmh = mtod(ret, struct cmsghdr *); 217 /* 218 * Make sure that there is no un-initialized padding between the 219 * cmsg header and cmsg data and after the cmsg data. 220 */ 221 memset(cmh, 0, len); 222 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVRCVINFO)) { 223 cmh->cmsg_level = IPPROTO_SCTP; 224 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_rcvinfo)); 225 cmh->cmsg_type = SCTP_RCVINFO; 226 rcvinfo = (struct sctp_rcvinfo *)CMSG_DATA(cmh); 227 rcvinfo->rcv_sid = sinfo->sinfo_stream; 228 rcvinfo->rcv_ssn = sinfo->sinfo_ssn; 229 rcvinfo->rcv_flags = sinfo->sinfo_flags; 230 rcvinfo->rcv_ppid = sinfo->sinfo_ppid; 231 rcvinfo->rcv_tsn = sinfo->sinfo_tsn; 232 rcvinfo->rcv_cumtsn = sinfo->sinfo_cumtsn; 233 rcvinfo->rcv_context = sinfo->sinfo_context; 234 rcvinfo->rcv_assoc_id = sinfo->sinfo_assoc_id; 235 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_rcvinfo))); 236 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_rcvinfo)); 237 } 238 if (provide_nxt) { 239 cmh->cmsg_level = IPPROTO_SCTP; 240 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_nxtinfo)); 241 cmh->cmsg_type = SCTP_NXTINFO; 242 nxtinfo = (struct sctp_nxtinfo *)CMSG_DATA(cmh); 243 nxtinfo->nxt_sid = seinfo->serinfo_next_stream; 244 nxtinfo->nxt_flags = 0; 245 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_UNORDERED) { 246 nxtinfo->nxt_flags |= SCTP_UNORDERED; 247 } 248 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_IS_NOTIFICATION) { 249 nxtinfo->nxt_flags |= SCTP_NOTIFICATION; 250 } 251 if (seinfo->serinfo_next_flags & SCTP_NEXT_MSG_ISCOMPLETE) { 252 nxtinfo->nxt_flags |= SCTP_COMPLETE; 253 } 254 nxtinfo->nxt_ppid = seinfo->serinfo_next_ppid; 255 nxtinfo->nxt_length = seinfo->serinfo_next_length; 256 nxtinfo->nxt_assoc_id = seinfo->serinfo_next_aid; 257 cmh = (struct cmsghdr *)((caddr_t)cmh + CMSG_SPACE(sizeof(struct sctp_nxtinfo))); 258 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_nxtinfo)); 259 } 260 if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_RECVDATAIOEVNT)) { 261 cmh->cmsg_level = IPPROTO_SCTP; 262 outinfo = (struct sctp_sndrcvinfo *)CMSG_DATA(cmh); 263 if (use_extended) { 264 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_extrcvinfo)); 265 cmh->cmsg_type = SCTP_EXTRCV; 266 memcpy(outinfo, sinfo, sizeof(struct sctp_extrcvinfo)); 267 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_extrcvinfo)); 268 } else { 269 cmh->cmsg_len = CMSG_LEN(sizeof(struct sctp_sndrcvinfo)); 270 cmh->cmsg_type = SCTP_SNDRCV; 271 *outinfo = *sinfo; 272 SCTP_BUF_LEN(ret) += CMSG_SPACE(sizeof(struct sctp_sndrcvinfo)); 273 } 274 } 275 return (ret); 276 } 277 278 279 static void 280 sctp_mark_non_revokable(struct sctp_association *asoc, uint32_t tsn) 281 { 282 uint32_t gap, i, cumackp1; 283 int fnd = 0; 284 int in_r = 0, in_nr = 0; 285 286 if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) { 287 return; 288 } 289 cumackp1 = asoc->cumulative_tsn + 1; 290 if (SCTP_TSN_GT(cumackp1, tsn)) { 291 /* 292 * this tsn is behind the cum ack and thus we don't need to 293 * worry about it being moved from one to the other. 294 */ 295 return; 296 } 297 SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn); 298 in_r = SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap); 299 in_nr = SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap); 300 if ((in_r == 0) && (in_nr == 0)) { 301 #ifdef INVARIANTS 302 panic("Things are really messed up now"); 303 #else 304 SCTP_PRINTF("gap:%x tsn:%x\n", gap, tsn); 305 sctp_print_mapping_array(asoc); 306 #endif 307 } 308 if (in_nr == 0) 309 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap); 310 if (in_r) 311 SCTP_UNSET_TSN_PRESENT(asoc->mapping_array, gap); 312 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 313 asoc->highest_tsn_inside_nr_map = tsn; 314 } 315 if (tsn == asoc->highest_tsn_inside_map) { 316 /* We must back down to see what the new highest is */ 317 for (i = tsn - 1; SCTP_TSN_GE(i, asoc->mapping_array_base_tsn); i--) { 318 SCTP_CALC_TSN_TO_GAP(gap, i, asoc->mapping_array_base_tsn); 319 if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap)) { 320 asoc->highest_tsn_inside_map = i; 321 fnd = 1; 322 break; 323 } 324 } 325 if (!fnd) { 326 asoc->highest_tsn_inside_map = asoc->mapping_array_base_tsn - 1; 327 } 328 } 329 } 330 331 static int 332 sctp_place_control_in_stream(struct sctp_stream_in *strm, 333 struct sctp_association *asoc, 334 struct sctp_queued_to_read *control) 335 { 336 struct sctp_queued_to_read *at; 337 struct sctp_readhead *q; 338 uint8_t flags, unordered; 339 340 flags = (control->sinfo_flags >> 8); 341 unordered = flags & SCTP_DATA_UNORDERED; 342 if (unordered) { 343 q = &strm->uno_inqueue; 344 if (asoc->idata_supported == 0) { 345 if (!TAILQ_EMPTY(q)) { 346 /* 347 * Only one stream can be here in old style 348 * -- abort 349 */ 350 return (-1); 351 } 352 TAILQ_INSERT_TAIL(q, control, next_instrm); 353 control->on_strm_q = SCTP_ON_UNORDERED; 354 return (0); 355 } 356 } else { 357 q = &strm->inqueue; 358 } 359 if ((flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 360 control->end_added = 1; 361 control->first_frag_seen = 1; 362 control->last_frag_seen = 1; 363 } 364 if (TAILQ_EMPTY(q)) { 365 /* Empty queue */ 366 TAILQ_INSERT_HEAD(q, control, next_instrm); 367 if (unordered) { 368 control->on_strm_q = SCTP_ON_UNORDERED; 369 } else { 370 control->on_strm_q = SCTP_ON_ORDERED; 371 } 372 return (0); 373 } else { 374 TAILQ_FOREACH(at, q, next_instrm) { 375 if (SCTP_MID_GT(asoc->idata_supported, at->mid, control->mid)) { 376 /* 377 * one in queue is bigger than the new one, 378 * insert before this one 379 */ 380 TAILQ_INSERT_BEFORE(at, control, next_instrm); 381 if (unordered) { 382 control->on_strm_q = SCTP_ON_UNORDERED; 383 } else { 384 control->on_strm_q = SCTP_ON_ORDERED; 385 } 386 break; 387 } else if (SCTP_MID_EQ(asoc->idata_supported, at->mid, control->mid)) { 388 /* 389 * Gak, He sent me a duplicate msg id 390 * number?? return -1 to abort. 391 */ 392 return (-1); 393 } else { 394 if (TAILQ_NEXT(at, next_instrm) == NULL) { 395 /* 396 * We are at the end, insert it 397 * after this one 398 */ 399 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 400 sctp_log_strm_del(control, at, 401 SCTP_STR_LOG_FROM_INSERT_TL); 402 } 403 TAILQ_INSERT_AFTER(q, at, control, next_instrm); 404 if (unordered) { 405 control->on_strm_q = SCTP_ON_UNORDERED; 406 } else { 407 control->on_strm_q = SCTP_ON_ORDERED; 408 } 409 break; 410 } 411 } 412 } 413 } 414 return (0); 415 } 416 417 static void 418 sctp_abort_in_reasm(struct sctp_tcb *stcb, 419 struct sctp_queued_to_read *control, 420 struct sctp_tmit_chunk *chk, 421 int *abort_flag, int opspot) 422 { 423 char msg[SCTP_DIAG_INFO_LEN]; 424 struct mbuf *oper; 425 426 if (stcb->asoc.idata_supported) { 427 snprintf(msg, sizeof(msg), 428 "Reass %x,CF:%x,TSN=%8.8x,SID=%4.4x,FSN=%8.8x,MID:%8.8x", 429 opspot, 430 control->fsn_included, 431 chk->rec.data.tsn, 432 chk->rec.data.sid, 433 chk->rec.data.fsn, chk->rec.data.mid); 434 } else { 435 snprintf(msg, sizeof(msg), 436 "Reass %x,CI:%x,TSN=%8.8x,SID=%4.4x,FSN=%4.4x,SSN:%4.4x", 437 opspot, 438 control->fsn_included, 439 chk->rec.data.tsn, 440 chk->rec.data.sid, 441 chk->rec.data.fsn, 442 (uint16_t)chk->rec.data.mid); 443 } 444 oper = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 445 sctp_m_freem(chk->data); 446 chk->data = NULL; 447 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 448 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_1; 449 sctp_abort_an_association(stcb->sctp_ep, stcb, oper, SCTP_SO_NOT_LOCKED); 450 *abort_flag = 1; 451 } 452 453 static void 454 sctp_clean_up_control(struct sctp_tcb *stcb, struct sctp_queued_to_read *control) 455 { 456 /* 457 * The control could not be placed and must be cleaned. 458 */ 459 struct sctp_tmit_chunk *chk, *nchk; 460 461 TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) { 462 TAILQ_REMOVE(&control->reasm, chk, sctp_next); 463 if (chk->data) 464 sctp_m_freem(chk->data); 465 chk->data = NULL; 466 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 467 } 468 sctp_free_a_readq(stcb, control); 469 } 470 471 /* 472 * Queue the chunk either right into the socket buffer if it is the next one 473 * to go OR put it in the correct place in the delivery queue. If we do 474 * append to the so_buf, keep doing so until we are out of order as 475 * long as the control's entered are non-fragmented. 476 */ 477 static void 478 sctp_queue_data_to_stream(struct sctp_tcb *stcb, 479 struct sctp_association *asoc, 480 struct sctp_queued_to_read *control, int *abort_flag, int *need_reasm) 481 { 482 /* 483 * FIX-ME maybe? What happens when the ssn wraps? If we are getting 484 * all the data in one stream this could happen quite rapidly. One 485 * could use the TSN to keep track of things, but this scheme breaks 486 * down in the other type of stream usage that could occur. Send a 487 * single msg to stream 0, send 4Billion messages to stream 1, now 488 * send a message to stream 0. You have a situation where the TSN 489 * has wrapped but not in the stream. Is this worth worrying about 490 * or should we just change our queue sort at the bottom to be by 491 * TSN. 492 * 493 * Could it also be legal for a peer to send ssn 1 with TSN 2 and 494 * ssn 2 with TSN 1? If the peer is doing some sort of funky TSN/SSN 495 * assignment this could happen... and I don't see how this would be 496 * a violation. So for now I am undecided an will leave the sort by 497 * SSN alone. Maybe a hybred approach is the answer 498 * 499 */ 500 struct sctp_queued_to_read *at; 501 int queue_needed; 502 uint32_t nxt_todel; 503 struct mbuf *op_err; 504 struct sctp_stream_in *strm; 505 char msg[SCTP_DIAG_INFO_LEN]; 506 507 strm = &asoc->strmin[control->sinfo_stream]; 508 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 509 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_INTO_STRD); 510 } 511 if (SCTP_MID_GT((asoc->idata_supported), strm->last_mid_delivered, control->mid)) { 512 /* The incoming sseq is behind where we last delivered? */ 513 SCTPDBG(SCTP_DEBUG_INDATA1, "Duplicate S-SEQ: %u delivered: %u from peer, Abort association\n", 514 strm->last_mid_delivered, control->mid); 515 /* 516 * throw it in the stream so it gets cleaned up in 517 * association destruction 518 */ 519 TAILQ_INSERT_HEAD(&strm->inqueue, control, next_instrm); 520 if (asoc->idata_supported) { 521 snprintf(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x", 522 strm->last_mid_delivered, control->sinfo_tsn, 523 control->sinfo_stream, control->mid); 524 } else { 525 snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x", 526 (uint16_t)strm->last_mid_delivered, 527 control->sinfo_tsn, 528 control->sinfo_stream, 529 (uint16_t)control->mid); 530 } 531 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 532 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_2; 533 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 534 *abort_flag = 1; 535 return; 536 537 } 538 queue_needed = 1; 539 asoc->size_on_all_streams += control->length; 540 sctp_ucount_incr(asoc->cnt_on_all_streams); 541 nxt_todel = strm->last_mid_delivered + 1; 542 if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) { 543 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 544 struct socket *so; 545 546 so = SCTP_INP_SO(stcb->sctp_ep); 547 atomic_add_int(&stcb->asoc.refcnt, 1); 548 SCTP_TCB_UNLOCK(stcb); 549 SCTP_SOCKET_LOCK(so, 1); 550 SCTP_TCB_LOCK(stcb); 551 atomic_subtract_int(&stcb->asoc.refcnt, 1); 552 if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 553 SCTP_SOCKET_UNLOCK(so, 1); 554 return; 555 } 556 #endif 557 /* can be delivered right away? */ 558 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 559 sctp_log_strm_del(control, NULL, SCTP_STR_LOG_FROM_IMMED_DEL); 560 } 561 /* EY it wont be queued if it could be delivered directly */ 562 queue_needed = 0; 563 if (asoc->size_on_all_streams >= control->length) { 564 asoc->size_on_all_streams -= control->length; 565 } else { 566 #ifdef INVARIANTS 567 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 568 #else 569 asoc->size_on_all_streams = 0; 570 #endif 571 } 572 sctp_ucount_decr(asoc->cnt_on_all_streams); 573 strm->last_mid_delivered++; 574 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 575 sctp_add_to_readq(stcb->sctp_ep, stcb, 576 control, 577 &stcb->sctp_socket->so_rcv, 1, 578 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_LOCKED); 579 TAILQ_FOREACH_SAFE(control, &strm->inqueue, next_instrm, at) { 580 /* all delivered */ 581 nxt_todel = strm->last_mid_delivered + 1; 582 if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid) && 583 (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG)) { 584 if (control->on_strm_q == SCTP_ON_ORDERED) { 585 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 586 if (asoc->size_on_all_streams >= control->length) { 587 asoc->size_on_all_streams -= control->length; 588 } else { 589 #ifdef INVARIANTS 590 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 591 #else 592 asoc->size_on_all_streams = 0; 593 #endif 594 } 595 sctp_ucount_decr(asoc->cnt_on_all_streams); 596 #ifdef INVARIANTS 597 } else { 598 panic("Huh control: %p is on_strm_q: %d", 599 control, control->on_strm_q); 600 #endif 601 } 602 control->on_strm_q = 0; 603 strm->last_mid_delivered++; 604 /* 605 * We ignore the return of deliver_data here 606 * since we always can hold the chunk on the 607 * d-queue. And we have a finite number that 608 * can be delivered from the strq. 609 */ 610 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 611 sctp_log_strm_del(control, NULL, 612 SCTP_STR_LOG_FROM_IMMED_DEL); 613 } 614 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 615 sctp_add_to_readq(stcb->sctp_ep, stcb, 616 control, 617 &stcb->sctp_socket->so_rcv, 1, 618 SCTP_READ_LOCK_NOT_HELD, 619 SCTP_SO_LOCKED); 620 continue; 621 } else if (SCTP_MID_EQ(asoc->idata_supported, nxt_todel, control->mid)) { 622 *need_reasm = 1; 623 } 624 break; 625 } 626 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 627 SCTP_SOCKET_UNLOCK(so, 1); 628 #endif 629 } 630 if (queue_needed) { 631 /* 632 * Ok, we did not deliver this guy, find the correct place 633 * to put it on the queue. 634 */ 635 if (sctp_place_control_in_stream(strm, asoc, control)) { 636 snprintf(msg, sizeof(msg), 637 "Queue to str MID: %u duplicate", 638 control->mid); 639 sctp_clean_up_control(stcb, control); 640 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 641 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_3; 642 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 643 *abort_flag = 1; 644 } 645 } 646 } 647 648 649 static void 650 sctp_setup_tail_pointer(struct sctp_queued_to_read *control) 651 { 652 struct mbuf *m, *prev = NULL; 653 struct sctp_tcb *stcb; 654 655 stcb = control->stcb; 656 control->held_length = 0; 657 control->length = 0; 658 m = control->data; 659 while (m) { 660 if (SCTP_BUF_LEN(m) == 0) { 661 /* Skip mbufs with NO length */ 662 if (prev == NULL) { 663 /* First one */ 664 control->data = sctp_m_free(m); 665 m = control->data; 666 } else { 667 SCTP_BUF_NEXT(prev) = sctp_m_free(m); 668 m = SCTP_BUF_NEXT(prev); 669 } 670 if (m == NULL) { 671 control->tail_mbuf = prev; 672 } 673 continue; 674 } 675 prev = m; 676 atomic_add_int(&control->length, SCTP_BUF_LEN(m)); 677 if (control->on_read_q) { 678 /* 679 * On read queue so we must increment the SB stuff, 680 * we assume caller has done any locks of SB. 681 */ 682 sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m); 683 } 684 m = SCTP_BUF_NEXT(m); 685 } 686 if (prev) { 687 control->tail_mbuf = prev; 688 } 689 } 690 691 static void 692 sctp_add_to_tail_pointer(struct sctp_queued_to_read *control, struct mbuf *m, uint32_t *added) 693 { 694 struct mbuf *prev = NULL; 695 struct sctp_tcb *stcb; 696 697 stcb = control->stcb; 698 if (stcb == NULL) { 699 #ifdef INVARIANTS 700 panic("Control broken"); 701 #else 702 return; 703 #endif 704 } 705 if (control->tail_mbuf == NULL) { 706 /* TSNH */ 707 control->data = m; 708 sctp_setup_tail_pointer(control); 709 return; 710 } 711 control->tail_mbuf->m_next = m; 712 while (m) { 713 if (SCTP_BUF_LEN(m) == 0) { 714 /* Skip mbufs with NO length */ 715 if (prev == NULL) { 716 /* First one */ 717 control->tail_mbuf->m_next = sctp_m_free(m); 718 m = control->tail_mbuf->m_next; 719 } else { 720 SCTP_BUF_NEXT(prev) = sctp_m_free(m); 721 m = SCTP_BUF_NEXT(prev); 722 } 723 if (m == NULL) { 724 control->tail_mbuf = prev; 725 } 726 continue; 727 } 728 prev = m; 729 if (control->on_read_q) { 730 /* 731 * On read queue so we must increment the SB stuff, 732 * we assume caller has done any locks of SB. 733 */ 734 sctp_sballoc(stcb, &stcb->sctp_socket->so_rcv, m); 735 } 736 *added += SCTP_BUF_LEN(m); 737 atomic_add_int(&control->length, SCTP_BUF_LEN(m)); 738 m = SCTP_BUF_NEXT(m); 739 } 740 if (prev) { 741 control->tail_mbuf = prev; 742 } 743 } 744 745 static void 746 sctp_build_readq_entry_from_ctl(struct sctp_queued_to_read *nc, struct sctp_queued_to_read *control) 747 { 748 memset(nc, 0, sizeof(struct sctp_queued_to_read)); 749 nc->sinfo_stream = control->sinfo_stream; 750 nc->mid = control->mid; 751 TAILQ_INIT(&nc->reasm); 752 nc->top_fsn = control->top_fsn; 753 nc->mid = control->mid; 754 nc->sinfo_flags = control->sinfo_flags; 755 nc->sinfo_ppid = control->sinfo_ppid; 756 nc->sinfo_context = control->sinfo_context; 757 nc->fsn_included = 0xffffffff; 758 nc->sinfo_tsn = control->sinfo_tsn; 759 nc->sinfo_cumtsn = control->sinfo_cumtsn; 760 nc->sinfo_assoc_id = control->sinfo_assoc_id; 761 nc->whoFrom = control->whoFrom; 762 atomic_add_int(&nc->whoFrom->ref_count, 1); 763 nc->stcb = control->stcb; 764 nc->port_from = control->port_from; 765 } 766 767 static void 768 sctp_reset_a_control(struct sctp_queued_to_read *control, 769 struct sctp_inpcb *inp, uint32_t tsn) 770 { 771 control->fsn_included = tsn; 772 if (control->on_read_q) { 773 /* 774 * We have to purge it from there, hopefully this will work 775 * :-) 776 */ 777 TAILQ_REMOVE(&inp->read_queue, control, next); 778 control->on_read_q = 0; 779 } 780 } 781 782 static int 783 sctp_handle_old_unordered_data(struct sctp_tcb *stcb, 784 struct sctp_association *asoc, 785 struct sctp_stream_in *strm, 786 struct sctp_queued_to_read *control, 787 uint32_t pd_point, 788 int inp_read_lock_held) 789 { 790 /* 791 * Special handling for the old un-ordered data chunk. All the 792 * chunks/TSN's go to mid 0. So we have to do the old style watching 793 * to see if we have it all. If you return one, no other control 794 * entries on the un-ordered queue will be looked at. In theory 795 * there should be no others entries in reality, unless the guy is 796 * sending both unordered NDATA and unordered DATA... 797 */ 798 struct sctp_tmit_chunk *chk, *lchk, *tchk; 799 uint32_t fsn; 800 struct sctp_queued_to_read *nc; 801 int cnt_added; 802 803 if (control->first_frag_seen == 0) { 804 /* Nothing we can do, we have not seen the first piece yet */ 805 return (1); 806 } 807 /* Collapse any we can */ 808 cnt_added = 0; 809 restart: 810 fsn = control->fsn_included + 1; 811 /* Now what can we add? */ 812 TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, lchk) { 813 if (chk->rec.data.fsn == fsn) { 814 /* Ok lets add it */ 815 sctp_alloc_a_readq(stcb, nc); 816 if (nc == NULL) { 817 break; 818 } 819 memset(nc, 0, sizeof(struct sctp_queued_to_read)); 820 TAILQ_REMOVE(&control->reasm, chk, sctp_next); 821 sctp_add_chk_to_control(control, strm, stcb, asoc, chk, SCTP_READ_LOCK_NOT_HELD); 822 fsn++; 823 cnt_added++; 824 chk = NULL; 825 if (control->end_added) { 826 /* We are done */ 827 if (!TAILQ_EMPTY(&control->reasm)) { 828 /* 829 * Ok we have to move anything left 830 * on the control queue to a new 831 * control. 832 */ 833 sctp_build_readq_entry_from_ctl(nc, control); 834 tchk = TAILQ_FIRST(&control->reasm); 835 if (tchk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 836 TAILQ_REMOVE(&control->reasm, tchk, sctp_next); 837 if (asoc->size_on_reasm_queue >= tchk->send_size) { 838 asoc->size_on_reasm_queue -= tchk->send_size; 839 } else { 840 #ifdef INVARIANTS 841 panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, tchk->send_size); 842 #else 843 asoc->size_on_reasm_queue = 0; 844 #endif 845 } 846 sctp_ucount_decr(asoc->cnt_on_reasm_queue); 847 nc->first_frag_seen = 1; 848 nc->fsn_included = tchk->rec.data.fsn; 849 nc->data = tchk->data; 850 nc->sinfo_ppid = tchk->rec.data.ppid; 851 nc->sinfo_tsn = tchk->rec.data.tsn; 852 sctp_mark_non_revokable(asoc, tchk->rec.data.tsn); 853 tchk->data = NULL; 854 sctp_free_a_chunk(stcb, tchk, SCTP_SO_NOT_LOCKED); 855 sctp_setup_tail_pointer(nc); 856 tchk = TAILQ_FIRST(&control->reasm); 857 } 858 /* Spin the rest onto the queue */ 859 while (tchk) { 860 TAILQ_REMOVE(&control->reasm, tchk, sctp_next); 861 TAILQ_INSERT_TAIL(&nc->reasm, tchk, sctp_next); 862 tchk = TAILQ_FIRST(&control->reasm); 863 } 864 /* 865 * Now lets add it to the queue 866 * after removing control 867 */ 868 TAILQ_INSERT_TAIL(&strm->uno_inqueue, nc, next_instrm); 869 nc->on_strm_q = SCTP_ON_UNORDERED; 870 if (control->on_strm_q) { 871 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 872 control->on_strm_q = 0; 873 } 874 } 875 if (control->pdapi_started) { 876 strm->pd_api_started = 0; 877 control->pdapi_started = 0; 878 } 879 if (control->on_strm_q) { 880 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 881 control->on_strm_q = 0; 882 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); 883 } 884 if (control->on_read_q == 0) { 885 sctp_add_to_readq(stcb->sctp_ep, stcb, control, 886 &stcb->sctp_socket->so_rcv, control->end_added, 887 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 888 } 889 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 890 if ((nc->first_frag_seen) && !TAILQ_EMPTY(&nc->reasm)) { 891 /* 892 * Switch to the new guy and 893 * continue 894 */ 895 control = nc; 896 goto restart; 897 } else { 898 if (nc->on_strm_q == 0) { 899 sctp_free_a_readq(stcb, nc); 900 } 901 } 902 return (1); 903 } else { 904 sctp_free_a_readq(stcb, nc); 905 } 906 } else { 907 /* Can't add more */ 908 break; 909 } 910 } 911 if ((control->length > pd_point) && (strm->pd_api_started == 0)) { 912 strm->pd_api_started = 1; 913 control->pdapi_started = 1; 914 sctp_add_to_readq(stcb->sctp_ep, stcb, control, 915 &stcb->sctp_socket->so_rcv, control->end_added, 916 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 917 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 918 return (0); 919 } else { 920 return (1); 921 } 922 } 923 924 static void 925 sctp_inject_old_unordered_data(struct sctp_tcb *stcb, 926 struct sctp_association *asoc, 927 struct sctp_queued_to_read *control, 928 struct sctp_tmit_chunk *chk, 929 int *abort_flag) 930 { 931 struct sctp_tmit_chunk *at; 932 int inserted; 933 934 /* 935 * Here we need to place the chunk into the control structure sorted 936 * in the correct order. 937 */ 938 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 939 /* Its the very first one. */ 940 SCTPDBG(SCTP_DEBUG_XXX, 941 "chunk is a first fsn: %u becomes fsn_included\n", 942 chk->rec.data.fsn); 943 if (control->first_frag_seen) { 944 /* 945 * In old un-ordered we can reassembly on one 946 * control multiple messages. As long as the next 947 * FIRST is greater then the old first (TSN i.e. FSN 948 * wise) 949 */ 950 struct mbuf *tdata; 951 uint32_t tmp; 952 953 if (SCTP_TSN_GT(chk->rec.data.fsn, control->fsn_included)) { 954 /* 955 * Easy way the start of a new guy beyond 956 * the lowest 957 */ 958 goto place_chunk; 959 } 960 if ((chk->rec.data.fsn == control->fsn_included) || 961 (control->pdapi_started)) { 962 /* 963 * Ok this should not happen, if it does we 964 * started the pd-api on the higher TSN 965 * (since the equals part is a TSN failure 966 * it must be that). 967 * 968 * We are completly hosed in that case since 969 * I have no way to recover. This really 970 * will only happen if we can get more TSN's 971 * higher before the pd-api-point. 972 */ 973 sctp_abort_in_reasm(stcb, control, chk, 974 abort_flag, 975 SCTP_FROM_SCTP_INDATA + SCTP_LOC_4); 976 977 return; 978 } 979 /* 980 * Ok we have two firsts and the one we just got is 981 * smaller than the one we previously placed.. yuck! 982 * We must swap them out. 983 */ 984 /* swap the mbufs */ 985 tdata = control->data; 986 control->data = chk->data; 987 chk->data = tdata; 988 /* Save the lengths */ 989 chk->send_size = control->length; 990 /* Recompute length of control and tail pointer */ 991 sctp_setup_tail_pointer(control); 992 /* Fix the FSN included */ 993 tmp = control->fsn_included; 994 control->fsn_included = chk->rec.data.fsn; 995 chk->rec.data.fsn = tmp; 996 /* Fix the TSN included */ 997 tmp = control->sinfo_tsn; 998 control->sinfo_tsn = chk->rec.data.tsn; 999 chk->rec.data.tsn = tmp; 1000 /* Fix the PPID included */ 1001 tmp = control->sinfo_ppid; 1002 control->sinfo_ppid = chk->rec.data.ppid; 1003 chk->rec.data.ppid = tmp; 1004 /* Fix tail pointer */ 1005 goto place_chunk; 1006 } 1007 control->first_frag_seen = 1; 1008 control->fsn_included = chk->rec.data.fsn; 1009 control->top_fsn = chk->rec.data.fsn; 1010 control->sinfo_tsn = chk->rec.data.tsn; 1011 control->sinfo_ppid = chk->rec.data.ppid; 1012 control->data = chk->data; 1013 sctp_mark_non_revokable(asoc, chk->rec.data.tsn); 1014 chk->data = NULL; 1015 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 1016 sctp_setup_tail_pointer(control); 1017 return; 1018 } 1019 place_chunk: 1020 inserted = 0; 1021 TAILQ_FOREACH(at, &control->reasm, sctp_next) { 1022 if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) { 1023 /* 1024 * This one in queue is bigger than the new one, 1025 * insert the new one before at. 1026 */ 1027 asoc->size_on_reasm_queue += chk->send_size; 1028 sctp_ucount_incr(asoc->cnt_on_reasm_queue); 1029 inserted = 1; 1030 TAILQ_INSERT_BEFORE(at, chk, sctp_next); 1031 break; 1032 } else if (at->rec.data.fsn == chk->rec.data.fsn) { 1033 /* 1034 * They sent a duplicate fsn number. This really 1035 * should not happen since the FSN is a TSN and it 1036 * should have been dropped earlier. 1037 */ 1038 sctp_abort_in_reasm(stcb, control, chk, 1039 abort_flag, 1040 SCTP_FROM_SCTP_INDATA + SCTP_LOC_5); 1041 return; 1042 } 1043 } 1044 if (inserted == 0) { 1045 /* Its at the end */ 1046 asoc->size_on_reasm_queue += chk->send_size; 1047 sctp_ucount_incr(asoc->cnt_on_reasm_queue); 1048 control->top_fsn = chk->rec.data.fsn; 1049 TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next); 1050 } 1051 } 1052 1053 static int 1054 sctp_deliver_reasm_check(struct sctp_tcb *stcb, struct sctp_association *asoc, 1055 struct sctp_stream_in *strm, int inp_read_lock_held) 1056 { 1057 /* 1058 * Given a stream, strm, see if any of the SSN's on it that are 1059 * fragmented are ready to deliver. If so go ahead and place them on 1060 * the read queue. In so placing if we have hit the end, then we 1061 * need to remove them from the stream's queue. 1062 */ 1063 struct sctp_queued_to_read *control, *nctl = NULL; 1064 uint32_t next_to_del; 1065 uint32_t pd_point; 1066 int ret = 0; 1067 1068 if (stcb->sctp_socket) { 1069 pd_point = min(SCTP_SB_LIMIT_RCV(stcb->sctp_socket) >> SCTP_PARTIAL_DELIVERY_SHIFT, 1070 stcb->sctp_ep->partial_delivery_point); 1071 } else { 1072 pd_point = stcb->sctp_ep->partial_delivery_point; 1073 } 1074 control = TAILQ_FIRST(&strm->uno_inqueue); 1075 1076 if ((control != NULL) && 1077 (asoc->idata_supported == 0)) { 1078 /* Special handling needed for "old" data format */ 1079 if (sctp_handle_old_unordered_data(stcb, asoc, strm, control, pd_point, inp_read_lock_held)) { 1080 goto done_un; 1081 } 1082 } 1083 if (strm->pd_api_started) { 1084 /* Can't add more */ 1085 return (0); 1086 } 1087 while (control) { 1088 SCTPDBG(SCTP_DEBUG_XXX, "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u -uo\n", 1089 control, control->end_added, control->mid, control->top_fsn, control->fsn_included); 1090 nctl = TAILQ_NEXT(control, next_instrm); 1091 if (control->end_added) { 1092 /* We just put the last bit on */ 1093 if (control->on_strm_q) { 1094 #ifdef INVARIANTS 1095 if (control->on_strm_q != SCTP_ON_UNORDERED) { 1096 panic("Huh control: %p on_q: %d -- not unordered?", 1097 control, control->on_strm_q); 1098 } 1099 #endif 1100 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); 1101 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 1102 control->on_strm_q = 0; 1103 } 1104 if (control->on_read_q == 0) { 1105 sctp_add_to_readq(stcb->sctp_ep, stcb, 1106 control, 1107 &stcb->sctp_socket->so_rcv, control->end_added, 1108 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 1109 } 1110 } else { 1111 /* Can we do a PD-API for this un-ordered guy? */ 1112 if ((control->length >= pd_point) && (strm->pd_api_started == 0)) { 1113 strm->pd_api_started = 1; 1114 control->pdapi_started = 1; 1115 sctp_add_to_readq(stcb->sctp_ep, stcb, 1116 control, 1117 &stcb->sctp_socket->so_rcv, control->end_added, 1118 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 1119 1120 break; 1121 } 1122 } 1123 control = nctl; 1124 } 1125 done_un: 1126 control = TAILQ_FIRST(&strm->inqueue); 1127 if (strm->pd_api_started) { 1128 /* Can't add more */ 1129 return (0); 1130 } 1131 if (control == NULL) { 1132 return (ret); 1133 } 1134 if (SCTP_MID_EQ(asoc->idata_supported, strm->last_mid_delivered, control->mid)) { 1135 /* 1136 * Ok the guy at the top was being partially delivered 1137 * completed, so we remove it. Note the pd_api flag was 1138 * taken off when the chunk was merged on in 1139 * sctp_queue_data_for_reasm below. 1140 */ 1141 nctl = TAILQ_NEXT(control, next_instrm); 1142 SCTPDBG(SCTP_DEBUG_XXX, 1143 "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (lastdel: %u)- o\n", 1144 control, control->end_added, control->mid, 1145 control->top_fsn, control->fsn_included, 1146 strm->last_mid_delivered); 1147 if (control->end_added) { 1148 if (control->on_strm_q) { 1149 #ifdef INVARIANTS 1150 if (control->on_strm_q != SCTP_ON_ORDERED) { 1151 panic("Huh control: %p on_q: %d -- not ordered?", 1152 control, control->on_strm_q); 1153 } 1154 #endif 1155 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); 1156 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 1157 if (asoc->size_on_all_streams >= control->length) { 1158 asoc->size_on_all_streams -= control->length; 1159 } else { 1160 #ifdef INVARIANTS 1161 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 1162 #else 1163 asoc->size_on_all_streams = 0; 1164 #endif 1165 } 1166 sctp_ucount_decr(asoc->cnt_on_all_streams); 1167 control->on_strm_q = 0; 1168 } 1169 if (strm->pd_api_started && control->pdapi_started) { 1170 control->pdapi_started = 0; 1171 strm->pd_api_started = 0; 1172 } 1173 if (control->on_read_q == 0) { 1174 sctp_add_to_readq(stcb->sctp_ep, stcb, 1175 control, 1176 &stcb->sctp_socket->so_rcv, control->end_added, 1177 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 1178 } 1179 control = nctl; 1180 } 1181 } 1182 if (strm->pd_api_started) { 1183 /* 1184 * Can't add more must have gotten an un-ordered above being 1185 * partially delivered. 1186 */ 1187 return (0); 1188 } 1189 deliver_more: 1190 next_to_del = strm->last_mid_delivered + 1; 1191 if (control) { 1192 SCTPDBG(SCTP_DEBUG_XXX, 1193 "Looking at control: %p e(%d) ssn: %u top_fsn: %u inc_fsn: %u (nxtdel: %u)- o\n", 1194 control, control->end_added, control->mid, control->top_fsn, control->fsn_included, 1195 next_to_del); 1196 nctl = TAILQ_NEXT(control, next_instrm); 1197 if (SCTP_MID_EQ(asoc->idata_supported, control->mid, next_to_del) && 1198 (control->first_frag_seen)) { 1199 int done; 1200 1201 /* Ok we can deliver it onto the stream. */ 1202 if (control->end_added) { 1203 /* We are done with it afterwards */ 1204 if (control->on_strm_q) { 1205 #ifdef INVARIANTS 1206 if (control->on_strm_q != SCTP_ON_ORDERED) { 1207 panic("Huh control: %p on_q: %d -- not ordered?", 1208 control, control->on_strm_q); 1209 } 1210 #endif 1211 SCTP_STAT_INCR_COUNTER64(sctps_reasmusrmsgs); 1212 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 1213 if (asoc->size_on_all_streams >= control->length) { 1214 asoc->size_on_all_streams -= control->length; 1215 } else { 1216 #ifdef INVARIANTS 1217 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 1218 #else 1219 asoc->size_on_all_streams = 0; 1220 #endif 1221 } 1222 sctp_ucount_decr(asoc->cnt_on_all_streams); 1223 control->on_strm_q = 0; 1224 } 1225 ret++; 1226 } 1227 if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 1228 /* 1229 * A singleton now slipping through - mark 1230 * it non-revokable too 1231 */ 1232 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 1233 } else if (control->end_added == 0) { 1234 /* 1235 * Check if we can defer adding until its 1236 * all there 1237 */ 1238 if ((control->length < pd_point) || (strm->pd_api_started)) { 1239 /* 1240 * Don't need it or cannot add more 1241 * (one being delivered that way) 1242 */ 1243 goto out; 1244 } 1245 } 1246 done = (control->end_added) && (control->last_frag_seen); 1247 if (control->on_read_q == 0) { 1248 sctp_add_to_readq(stcb->sctp_ep, stcb, 1249 control, 1250 &stcb->sctp_socket->so_rcv, control->end_added, 1251 inp_read_lock_held, SCTP_SO_NOT_LOCKED); 1252 } 1253 strm->last_mid_delivered = next_to_del; 1254 if (done) { 1255 control = nctl; 1256 goto deliver_more; 1257 } else { 1258 /* We are now doing PD API */ 1259 strm->pd_api_started = 1; 1260 control->pdapi_started = 1; 1261 } 1262 } 1263 } 1264 out: 1265 return (ret); 1266 } 1267 1268 1269 uint32_t 1270 sctp_add_chk_to_control(struct sctp_queued_to_read *control, 1271 struct sctp_stream_in *strm, 1272 struct sctp_tcb *stcb, struct sctp_association *asoc, 1273 struct sctp_tmit_chunk *chk, int hold_rlock) 1274 { 1275 /* 1276 * Given a control and a chunk, merge the data from the chk onto the 1277 * control and free up the chunk resources. 1278 */ 1279 uint32_t added = 0; 1280 int i_locked = 0; 1281 1282 if (control->on_read_q && (hold_rlock == 0)) { 1283 /* 1284 * Its being pd-api'd so we must do some locks. 1285 */ 1286 SCTP_INP_READ_LOCK(stcb->sctp_ep); 1287 i_locked = 1; 1288 } 1289 if (control->data == NULL) { 1290 control->data = chk->data; 1291 sctp_setup_tail_pointer(control); 1292 } else { 1293 sctp_add_to_tail_pointer(control, chk->data, &added); 1294 } 1295 control->fsn_included = chk->rec.data.fsn; 1296 asoc->size_on_reasm_queue -= chk->send_size; 1297 sctp_ucount_decr(asoc->cnt_on_reasm_queue); 1298 sctp_mark_non_revokable(asoc, chk->rec.data.tsn); 1299 chk->data = NULL; 1300 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 1301 control->first_frag_seen = 1; 1302 control->sinfo_tsn = chk->rec.data.tsn; 1303 control->sinfo_ppid = chk->rec.data.ppid; 1304 } 1305 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) { 1306 /* Its complete */ 1307 if ((control->on_strm_q) && (control->on_read_q)) { 1308 if (control->pdapi_started) { 1309 control->pdapi_started = 0; 1310 strm->pd_api_started = 0; 1311 } 1312 if (control->on_strm_q == SCTP_ON_UNORDERED) { 1313 /* Unordered */ 1314 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 1315 control->on_strm_q = 0; 1316 } else if (control->on_strm_q == SCTP_ON_ORDERED) { 1317 /* Ordered */ 1318 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 1319 if (asoc->size_on_all_streams >= control->length) { 1320 asoc->size_on_all_streams -= control->length; 1321 } else { 1322 #ifdef INVARIANTS 1323 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 1324 #else 1325 asoc->size_on_all_streams = 0; 1326 #endif 1327 } 1328 sctp_ucount_decr(asoc->cnt_on_all_streams); 1329 control->on_strm_q = 0; 1330 #ifdef INVARIANTS 1331 } else if (control->on_strm_q) { 1332 panic("Unknown state on ctrl: %p on_strm_q: %d", control, 1333 control->on_strm_q); 1334 #endif 1335 } 1336 } 1337 control->end_added = 1; 1338 control->last_frag_seen = 1; 1339 } 1340 if (i_locked) { 1341 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 1342 } 1343 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 1344 return (added); 1345 } 1346 1347 /* 1348 * Dump onto the re-assembly queue, in its proper place. After dumping on the 1349 * queue, see if anthing can be delivered. If so pull it off (or as much as 1350 * we can. If we run out of space then we must dump what we can and set the 1351 * appropriate flag to say we queued what we could. 1352 */ 1353 static void 1354 sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struct sctp_association *asoc, 1355 struct sctp_queued_to_read *control, 1356 struct sctp_tmit_chunk *chk, 1357 int created_control, 1358 int *abort_flag, uint32_t tsn) 1359 { 1360 uint32_t next_fsn; 1361 struct sctp_tmit_chunk *at, *nat; 1362 struct sctp_stream_in *strm; 1363 int do_wakeup, unordered; 1364 uint32_t lenadded; 1365 1366 strm = &asoc->strmin[control->sinfo_stream]; 1367 /* 1368 * For old un-ordered data chunks. 1369 */ 1370 if ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) { 1371 unordered = 1; 1372 } else { 1373 unordered = 0; 1374 } 1375 /* Must be added to the stream-in queue */ 1376 if (created_control) { 1377 if (unordered == 0) { 1378 sctp_ucount_incr(asoc->cnt_on_all_streams); 1379 } 1380 if (sctp_place_control_in_stream(strm, asoc, control)) { 1381 /* Duplicate SSN? */ 1382 sctp_abort_in_reasm(stcb, control, chk, 1383 abort_flag, 1384 SCTP_FROM_SCTP_INDATA + SCTP_LOC_6); 1385 sctp_clean_up_control(stcb, control); 1386 return; 1387 } 1388 if ((tsn == (asoc->cumulative_tsn + 1) && (asoc->idata_supported == 0))) { 1389 /* 1390 * Ok we created this control and now lets validate 1391 * that its legal i.e. there is a B bit set, if not 1392 * and we have up to the cum-ack then its invalid. 1393 */ 1394 if ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0) { 1395 sctp_abort_in_reasm(stcb, control, chk, 1396 abort_flag, 1397 SCTP_FROM_SCTP_INDATA + SCTP_LOC_7); 1398 return; 1399 } 1400 } 1401 } 1402 if ((asoc->idata_supported == 0) && (unordered == 1)) { 1403 sctp_inject_old_unordered_data(stcb, asoc, control, chk, abort_flag); 1404 return; 1405 } 1406 /* 1407 * Ok we must queue the chunk into the reasembly portion: o if its 1408 * the first it goes to the control mbuf. o if its not first but the 1409 * next in sequence it goes to the control, and each succeeding one 1410 * in order also goes. o if its not in order we place it on the list 1411 * in its place. 1412 */ 1413 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 1414 /* Its the very first one. */ 1415 SCTPDBG(SCTP_DEBUG_XXX, 1416 "chunk is a first fsn: %u becomes fsn_included\n", 1417 chk->rec.data.fsn); 1418 if (control->first_frag_seen) { 1419 /* 1420 * Error on senders part, they either sent us two 1421 * data chunks with FIRST, or they sent two 1422 * un-ordered chunks that were fragmented at the 1423 * same time in the same stream. 1424 */ 1425 sctp_abort_in_reasm(stcb, control, chk, 1426 abort_flag, 1427 SCTP_FROM_SCTP_INDATA + SCTP_LOC_8); 1428 return; 1429 } 1430 control->first_frag_seen = 1; 1431 control->sinfo_ppid = chk->rec.data.ppid; 1432 control->sinfo_tsn = chk->rec.data.tsn; 1433 control->fsn_included = chk->rec.data.fsn; 1434 control->data = chk->data; 1435 sctp_mark_non_revokable(asoc, chk->rec.data.tsn); 1436 chk->data = NULL; 1437 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 1438 sctp_setup_tail_pointer(control); 1439 asoc->size_on_all_streams += control->length; 1440 } else { 1441 /* Place the chunk in our list */ 1442 int inserted = 0; 1443 1444 if (control->last_frag_seen == 0) { 1445 /* Still willing to raise highest FSN seen */ 1446 if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) { 1447 SCTPDBG(SCTP_DEBUG_XXX, 1448 "We have a new top_fsn: %u\n", 1449 chk->rec.data.fsn); 1450 control->top_fsn = chk->rec.data.fsn; 1451 } 1452 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) { 1453 SCTPDBG(SCTP_DEBUG_XXX, 1454 "The last fsn is now in place fsn: %u\n", 1455 chk->rec.data.fsn); 1456 control->last_frag_seen = 1; 1457 } 1458 if (asoc->idata_supported || control->first_frag_seen) { 1459 /* 1460 * For IDATA we always check since we know 1461 * that the first fragment is 0. For old 1462 * DATA we have to receive the first before 1463 * we know the first FSN (which is the TSN). 1464 */ 1465 if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) { 1466 /* 1467 * We have already delivered up to 1468 * this so its a dup 1469 */ 1470 sctp_abort_in_reasm(stcb, control, chk, 1471 abort_flag, 1472 SCTP_FROM_SCTP_INDATA + SCTP_LOC_9); 1473 return; 1474 } 1475 } 1476 } else { 1477 if (chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) { 1478 /* Second last? huh? */ 1479 SCTPDBG(SCTP_DEBUG_XXX, 1480 "Duplicate last fsn: %u (top: %u) -- abort\n", 1481 chk->rec.data.fsn, control->top_fsn); 1482 sctp_abort_in_reasm(stcb, control, 1483 chk, abort_flag, 1484 SCTP_FROM_SCTP_INDATA + SCTP_LOC_10); 1485 return; 1486 } 1487 if (asoc->idata_supported || control->first_frag_seen) { 1488 /* 1489 * For IDATA we always check since we know 1490 * that the first fragment is 0. For old 1491 * DATA we have to receive the first before 1492 * we know the first FSN (which is the TSN). 1493 */ 1494 1495 if (SCTP_TSN_GE(control->fsn_included, chk->rec.data.fsn)) { 1496 /* 1497 * We have already delivered up to 1498 * this so its a dup 1499 */ 1500 SCTPDBG(SCTP_DEBUG_XXX, 1501 "New fsn: %u is already seen in included_fsn: %u -- abort\n", 1502 chk->rec.data.fsn, control->fsn_included); 1503 sctp_abort_in_reasm(stcb, control, chk, 1504 abort_flag, 1505 SCTP_FROM_SCTP_INDATA + SCTP_LOC_11); 1506 return; 1507 } 1508 } 1509 /* 1510 * validate not beyond top FSN if we have seen last 1511 * one 1512 */ 1513 if (SCTP_TSN_GT(chk->rec.data.fsn, control->top_fsn)) { 1514 SCTPDBG(SCTP_DEBUG_XXX, 1515 "New fsn: %u is beyond or at top_fsn: %u -- abort\n", 1516 chk->rec.data.fsn, 1517 control->top_fsn); 1518 sctp_abort_in_reasm(stcb, control, chk, 1519 abort_flag, 1520 SCTP_FROM_SCTP_INDATA + SCTP_LOC_12); 1521 return; 1522 } 1523 } 1524 /* 1525 * If we reach here, we need to place the new chunk in the 1526 * reassembly for this control. 1527 */ 1528 SCTPDBG(SCTP_DEBUG_XXX, 1529 "chunk is a not first fsn: %u needs to be inserted\n", 1530 chk->rec.data.fsn); 1531 TAILQ_FOREACH(at, &control->reasm, sctp_next) { 1532 if (SCTP_TSN_GT(at->rec.data.fsn, chk->rec.data.fsn)) { 1533 /* 1534 * This one in queue is bigger than the new 1535 * one, insert the new one before at. 1536 */ 1537 SCTPDBG(SCTP_DEBUG_XXX, 1538 "Insert it before fsn: %u\n", 1539 at->rec.data.fsn); 1540 asoc->size_on_reasm_queue += chk->send_size; 1541 sctp_ucount_incr(asoc->cnt_on_reasm_queue); 1542 TAILQ_INSERT_BEFORE(at, chk, sctp_next); 1543 inserted = 1; 1544 break; 1545 } else if (at->rec.data.fsn == chk->rec.data.fsn) { 1546 /* 1547 * Gak, He sent me a duplicate str seq 1548 * number 1549 */ 1550 /* 1551 * foo bar, I guess I will just free this 1552 * new guy, should we abort too? FIX ME 1553 * MAYBE? Or it COULD be that the SSN's have 1554 * wrapped. Maybe I should compare to TSN 1555 * somehow... sigh for now just blow away 1556 * the chunk! 1557 */ 1558 SCTPDBG(SCTP_DEBUG_XXX, 1559 "Duplicate to fsn: %u -- abort\n", 1560 at->rec.data.fsn); 1561 sctp_abort_in_reasm(stcb, control, 1562 chk, abort_flag, 1563 SCTP_FROM_SCTP_INDATA + SCTP_LOC_13); 1564 return; 1565 } 1566 } 1567 if (inserted == 0) { 1568 /* Goes on the end */ 1569 SCTPDBG(SCTP_DEBUG_XXX, "Inserting at tail of list fsn: %u\n", 1570 chk->rec.data.fsn); 1571 asoc->size_on_reasm_queue += chk->send_size; 1572 sctp_ucount_incr(asoc->cnt_on_reasm_queue); 1573 TAILQ_INSERT_TAIL(&control->reasm, chk, sctp_next); 1574 } 1575 } 1576 /* 1577 * Ok lets see if we can suck any up into the control structure that 1578 * are in seq if it makes sense. 1579 */ 1580 do_wakeup = 0; 1581 /* 1582 * If the first fragment has not been seen there is no sense in 1583 * looking. 1584 */ 1585 if (control->first_frag_seen) { 1586 next_fsn = control->fsn_included + 1; 1587 TAILQ_FOREACH_SAFE(at, &control->reasm, sctp_next, nat) { 1588 if (at->rec.data.fsn == next_fsn) { 1589 /* We can add this one now to the control */ 1590 SCTPDBG(SCTP_DEBUG_XXX, 1591 "Adding more to control: %p at: %p fsn: %u next_fsn: %u included: %u\n", 1592 control, at, 1593 at->rec.data.fsn, 1594 next_fsn, control->fsn_included); 1595 TAILQ_REMOVE(&control->reasm, at, sctp_next); 1596 lenadded = sctp_add_chk_to_control(control, strm, stcb, asoc, at, SCTP_READ_LOCK_NOT_HELD); 1597 if (control->on_read_q) { 1598 do_wakeup = 1; 1599 } else { 1600 /* 1601 * We only add to the 1602 * size-on-all-streams if its not on 1603 * the read q. The read q flag will 1604 * cause a sballoc so its accounted 1605 * for there. 1606 */ 1607 asoc->size_on_all_streams += lenadded; 1608 } 1609 next_fsn++; 1610 if (control->end_added && control->pdapi_started) { 1611 if (strm->pd_api_started) { 1612 strm->pd_api_started = 0; 1613 control->pdapi_started = 0; 1614 } 1615 if (control->on_read_q == 0) { 1616 sctp_add_to_readq(stcb->sctp_ep, stcb, 1617 control, 1618 &stcb->sctp_socket->so_rcv, control->end_added, 1619 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED); 1620 } 1621 break; 1622 } 1623 } else { 1624 break; 1625 } 1626 } 1627 } 1628 if (do_wakeup) { 1629 /* Need to wakeup the reader */ 1630 sctp_wakeup_the_read_socket(stcb->sctp_ep, stcb, SCTP_SO_NOT_LOCKED); 1631 } 1632 } 1633 1634 static struct sctp_queued_to_read * 1635 sctp_find_reasm_entry(struct sctp_stream_in *strm, uint32_t mid, int ordered, int idata_supported) 1636 { 1637 struct sctp_queued_to_read *control; 1638 1639 if (ordered) { 1640 TAILQ_FOREACH(control, &strm->inqueue, next_instrm) { 1641 if (SCTP_MID_EQ(idata_supported, control->mid, mid)) { 1642 break; 1643 } 1644 } 1645 } else { 1646 if (idata_supported) { 1647 TAILQ_FOREACH(control, &strm->uno_inqueue, next_instrm) { 1648 if (SCTP_MID_EQ(idata_supported, control->mid, mid)) { 1649 break; 1650 } 1651 } 1652 } else { 1653 control = TAILQ_FIRST(&strm->uno_inqueue); 1654 } 1655 } 1656 return (control); 1657 } 1658 1659 static int 1660 sctp_process_a_data_chunk(struct sctp_tcb *stcb, struct sctp_association *asoc, 1661 struct mbuf **m, int offset, int chk_length, 1662 struct sctp_nets *net, uint32_t *high_tsn, int *abort_flag, 1663 int *break_flag, int last_chunk, uint8_t chk_type) 1664 { 1665 /* Process a data chunk */ 1666 /* struct sctp_tmit_chunk *chk; */ 1667 struct sctp_tmit_chunk *chk; 1668 uint32_t tsn, fsn, gap, mid; 1669 struct mbuf *dmbuf; 1670 int the_len; 1671 int need_reasm_check = 0; 1672 uint16_t sid; 1673 struct mbuf *op_err; 1674 char msg[SCTP_DIAG_INFO_LEN]; 1675 struct sctp_queued_to_read *control, *ncontrol; 1676 uint32_t ppid; 1677 uint8_t chk_flags; 1678 struct sctp_stream_reset_list *liste; 1679 int ordered; 1680 size_t clen; 1681 int created_control = 0; 1682 1683 if (chk_type == SCTP_IDATA) { 1684 struct sctp_idata_chunk *chunk, chunk_buf; 1685 1686 chunk = (struct sctp_idata_chunk *)sctp_m_getptr(*m, offset, 1687 sizeof(struct sctp_idata_chunk), (uint8_t *)&chunk_buf); 1688 chk_flags = chunk->ch.chunk_flags; 1689 clen = sizeof(struct sctp_idata_chunk); 1690 tsn = ntohl(chunk->dp.tsn); 1691 sid = ntohs(chunk->dp.sid); 1692 mid = ntohl(chunk->dp.mid); 1693 if (chk_flags & SCTP_DATA_FIRST_FRAG) { 1694 fsn = 0; 1695 ppid = chunk->dp.ppid_fsn.ppid; 1696 } else { 1697 fsn = ntohl(chunk->dp.ppid_fsn.fsn); 1698 ppid = 0xffffffff; /* Use as an invalid value. */ 1699 } 1700 } else { 1701 struct sctp_data_chunk *chunk, chunk_buf; 1702 1703 chunk = (struct sctp_data_chunk *)sctp_m_getptr(*m, offset, 1704 sizeof(struct sctp_data_chunk), (uint8_t *)&chunk_buf); 1705 chk_flags = chunk->ch.chunk_flags; 1706 clen = sizeof(struct sctp_data_chunk); 1707 tsn = ntohl(chunk->dp.tsn); 1708 sid = ntohs(chunk->dp.sid); 1709 mid = (uint32_t)(ntohs(chunk->dp.ssn)); 1710 fsn = tsn; 1711 ppid = chunk->dp.ppid; 1712 } 1713 if ((size_t)chk_length == clen) { 1714 /* 1715 * Need to send an abort since we had a empty data chunk. 1716 */ 1717 op_err = sctp_generate_no_user_data_cause(tsn); 1718 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_14; 1719 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 1720 *abort_flag = 1; 1721 return (0); 1722 } 1723 if ((chk_flags & SCTP_DATA_SACK_IMMEDIATELY) == SCTP_DATA_SACK_IMMEDIATELY) { 1724 asoc->send_sack = 1; 1725 } 1726 ordered = ((chk_flags & SCTP_DATA_UNORDERED) == 0); 1727 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 1728 sctp_log_map(tsn, asoc->cumulative_tsn, asoc->highest_tsn_inside_map, SCTP_MAP_TSN_ENTERS); 1729 } 1730 if (stcb == NULL) { 1731 return (0); 1732 } 1733 SCTP_LTRACE_CHK(stcb->sctp_ep, stcb, chk_type, tsn); 1734 if (SCTP_TSN_GE(asoc->cumulative_tsn, tsn)) { 1735 /* It is a duplicate */ 1736 SCTP_STAT_INCR(sctps_recvdupdata); 1737 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) { 1738 /* Record a dup for the next outbound sack */ 1739 asoc->dup_tsns[asoc->numduptsns] = tsn; 1740 asoc->numduptsns++; 1741 } 1742 asoc->send_sack = 1; 1743 return (0); 1744 } 1745 /* Calculate the number of TSN's between the base and this TSN */ 1746 SCTP_CALC_TSN_TO_GAP(gap, tsn, asoc->mapping_array_base_tsn); 1747 if (gap >= (SCTP_MAPPING_ARRAY << 3)) { 1748 /* Can't hold the bit in the mapping at max array, toss it */ 1749 return (0); 1750 } 1751 if (gap >= (uint32_t)(asoc->mapping_array_size << 3)) { 1752 SCTP_TCB_LOCK_ASSERT(stcb); 1753 if (sctp_expand_mapping_array(asoc, gap)) { 1754 /* Can't expand, drop it */ 1755 return (0); 1756 } 1757 } 1758 if (SCTP_TSN_GT(tsn, *high_tsn)) { 1759 *high_tsn = tsn; 1760 } 1761 /* See if we have received this one already */ 1762 if (SCTP_IS_TSN_PRESENT(asoc->mapping_array, gap) || 1763 SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, gap)) { 1764 SCTP_STAT_INCR(sctps_recvdupdata); 1765 if (asoc->numduptsns < SCTP_MAX_DUP_TSNS) { 1766 /* Record a dup for the next outbound sack */ 1767 asoc->dup_tsns[asoc->numduptsns] = tsn; 1768 asoc->numduptsns++; 1769 } 1770 asoc->send_sack = 1; 1771 return (0); 1772 } 1773 /* 1774 * Check to see about the GONE flag, duplicates would cause a sack 1775 * to be sent up above 1776 */ 1777 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || 1778 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) || 1779 (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET))) { 1780 /* 1781 * wait a minute, this guy is gone, there is no longer a 1782 * receiver. Send peer an ABORT! 1783 */ 1784 op_err = sctp_generate_cause(SCTP_CAUSE_OUT_OF_RESC, ""); 1785 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 1786 *abort_flag = 1; 1787 return (0); 1788 } 1789 /* 1790 * Now before going further we see if there is room. If NOT then we 1791 * MAY let one through only IF this TSN is the one we are waiting 1792 * for on a partial delivery API. 1793 */ 1794 1795 /* Is the stream valid? */ 1796 if (sid >= asoc->streamincnt) { 1797 struct sctp_error_invalid_stream *cause; 1798 1799 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_error_invalid_stream), 1800 0, M_NOWAIT, 1, MT_DATA); 1801 if (op_err != NULL) { 1802 /* add some space up front so prepend will work well */ 1803 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1804 cause = mtod(op_err, struct sctp_error_invalid_stream *); 1805 /* 1806 * Error causes are just param's and this one has 1807 * two back to back phdr, one with the error type 1808 * and size, the other with the streamid and a rsvd 1809 */ 1810 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_error_invalid_stream); 1811 cause->cause.code = htons(SCTP_CAUSE_INVALID_STREAM); 1812 cause->cause.length = htons(sizeof(struct sctp_error_invalid_stream)); 1813 cause->stream_id = htons(sid); 1814 cause->reserved = htons(0); 1815 sctp_queue_op_err(stcb, op_err); 1816 } 1817 SCTP_STAT_INCR(sctps_badsid); 1818 SCTP_TCB_LOCK_ASSERT(stcb); 1819 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap); 1820 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 1821 asoc->highest_tsn_inside_nr_map = tsn; 1822 } 1823 if (tsn == (asoc->cumulative_tsn + 1)) { 1824 /* Update cum-ack */ 1825 asoc->cumulative_tsn = tsn; 1826 } 1827 return (0); 1828 } 1829 /* 1830 * If its a fragmented message, lets see if we can find the control 1831 * on the reassembly queues. 1832 */ 1833 if ((chk_type == SCTP_IDATA) && 1834 ((chk_flags & SCTP_DATA_FIRST_FRAG) == 0) && 1835 (fsn == 0)) { 1836 /* 1837 * The first *must* be fsn 0, and other (middle/end) pieces 1838 * can *not* be fsn 0. XXX: This can happen in case of a 1839 * wrap around. Ignore is for now. 1840 */ 1841 snprintf(msg, sizeof(msg), "FSN zero for MID=%8.8x, but flags=%2.2x", 1842 mid, chk_flags); 1843 goto err_out; 1844 } 1845 control = sctp_find_reasm_entry(&asoc->strmin[sid], mid, ordered, asoc->idata_supported); 1846 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags:0x%x look for control on queues %p\n", 1847 chk_flags, control); 1848 if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) { 1849 /* See if we can find the re-assembly entity */ 1850 if (control != NULL) { 1851 /* We found something, does it belong? */ 1852 if (ordered && (mid != control->mid)) { 1853 snprintf(msg, sizeof(msg), "Reassembly problem (MID=%8.8x)", mid); 1854 err_out: 1855 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 1856 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_15; 1857 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 1858 *abort_flag = 1; 1859 return (0); 1860 } 1861 if (ordered && ((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED)) { 1862 /* 1863 * We can't have a switched order with an 1864 * unordered chunk 1865 */ 1866 snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)", 1867 tsn); 1868 goto err_out; 1869 } 1870 if (!ordered && (((control->sinfo_flags >> 8) & SCTP_DATA_UNORDERED) == 0)) { 1871 /* 1872 * We can't have a switched unordered with a 1873 * ordered chunk 1874 */ 1875 snprintf(msg, sizeof(msg), "All fragments of a user message must be ordered or unordered (TSN=%8.8x)", 1876 tsn); 1877 goto err_out; 1878 } 1879 } 1880 } else { 1881 /* 1882 * Its a complete segment. Lets validate we don't have a 1883 * re-assembly going on with the same Stream/Seq (for 1884 * ordered) or in the same Stream for unordered. 1885 */ 1886 if (control != NULL) { 1887 if (ordered || asoc->idata_supported) { 1888 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x dup detected on MID: %u\n", 1889 chk_flags, mid); 1890 snprintf(msg, sizeof(msg), "Duplicate MID=%8.8x detected.", mid); 1891 goto err_out; 1892 } else { 1893 if ((tsn == control->fsn_included + 1) && 1894 (control->end_added == 0)) { 1895 snprintf(msg, sizeof(msg), "Illegal message sequence, missing end for MID: %8.8x", control->fsn_included); 1896 goto err_out; 1897 } else { 1898 control = NULL; 1899 } 1900 } 1901 } 1902 } 1903 /* now do the tests */ 1904 if (((asoc->cnt_on_all_streams + 1905 asoc->cnt_on_reasm_queue + 1906 asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) || 1907 (((int)asoc->my_rwnd) <= 0)) { 1908 /* 1909 * When we have NO room in the rwnd we check to make sure 1910 * the reader is doing its job... 1911 */ 1912 if (stcb->sctp_socket->so_rcv.sb_cc) { 1913 /* some to read, wake-up */ 1914 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1915 struct socket *so; 1916 1917 so = SCTP_INP_SO(stcb->sctp_ep); 1918 atomic_add_int(&stcb->asoc.refcnt, 1); 1919 SCTP_TCB_UNLOCK(stcb); 1920 SCTP_SOCKET_LOCK(so, 1); 1921 SCTP_TCB_LOCK(stcb); 1922 atomic_subtract_int(&stcb->asoc.refcnt, 1); 1923 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 1924 /* assoc was freed while we were unlocked */ 1925 SCTP_SOCKET_UNLOCK(so, 1); 1926 return (0); 1927 } 1928 #endif 1929 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 1930 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 1931 SCTP_SOCKET_UNLOCK(so, 1); 1932 #endif 1933 } 1934 /* now is it in the mapping array of what we have accepted? */ 1935 if (chk_type == SCTP_DATA) { 1936 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map) && 1937 SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 1938 /* Nope not in the valid range dump it */ 1939 dump_packet: 1940 sctp_set_rwnd(stcb, asoc); 1941 if ((asoc->cnt_on_all_streams + 1942 asoc->cnt_on_reasm_queue + 1943 asoc->cnt_msg_on_sb) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue)) { 1944 SCTP_STAT_INCR(sctps_datadropchklmt); 1945 } else { 1946 SCTP_STAT_INCR(sctps_datadroprwnd); 1947 } 1948 *break_flag = 1; 1949 return (0); 1950 } 1951 } else { 1952 if (control == NULL) { 1953 goto dump_packet; 1954 } 1955 if (SCTP_TSN_GT(fsn, control->top_fsn)) { 1956 goto dump_packet; 1957 } 1958 } 1959 } 1960 #ifdef SCTP_ASOCLOG_OF_TSNS 1961 SCTP_TCB_LOCK_ASSERT(stcb); 1962 if (asoc->tsn_in_at >= SCTP_TSN_LOG_SIZE) { 1963 asoc->tsn_in_at = 0; 1964 asoc->tsn_in_wrapped = 1; 1965 } 1966 asoc->in_tsnlog[asoc->tsn_in_at].tsn = tsn; 1967 asoc->in_tsnlog[asoc->tsn_in_at].strm = sid; 1968 asoc->in_tsnlog[asoc->tsn_in_at].seq = mid; 1969 asoc->in_tsnlog[asoc->tsn_in_at].sz = chk_length; 1970 asoc->in_tsnlog[asoc->tsn_in_at].flgs = chunk_flags; 1971 asoc->in_tsnlog[asoc->tsn_in_at].stcb = (void *)stcb; 1972 asoc->in_tsnlog[asoc->tsn_in_at].in_pos = asoc->tsn_in_at; 1973 asoc->in_tsnlog[asoc->tsn_in_at].in_out = 1; 1974 asoc->tsn_in_at++; 1975 #endif 1976 /* 1977 * Before we continue lets validate that we are not being fooled by 1978 * an evil attacker. We can only have Nk chunks based on our TSN 1979 * spread allowed by the mapping array N * 8 bits, so there is no 1980 * way our stream sequence numbers could have wrapped. We of course 1981 * only validate the FIRST fragment so the bit must be set. 1982 */ 1983 if ((chk_flags & SCTP_DATA_FIRST_FRAG) && 1984 (TAILQ_EMPTY(&asoc->resetHead)) && 1985 (chk_flags & SCTP_DATA_UNORDERED) == 0 && 1986 SCTP_MID_GE(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered, mid)) { 1987 /* The incoming sseq is behind where we last delivered? */ 1988 SCTPDBG(SCTP_DEBUG_INDATA1, "EVIL/Broken-Dup S-SEQ: %u delivered: %u from peer, Abort!\n", 1989 mid, asoc->strmin[sid].last_mid_delivered); 1990 1991 if (asoc->idata_supported) { 1992 snprintf(msg, sizeof(msg), "Delivered MID=%8.8x, got TSN=%8.8x, SID=%4.4x, MID=%8.8x", 1993 asoc->strmin[sid].last_mid_delivered, 1994 tsn, 1995 sid, 1996 mid); 1997 } else { 1998 snprintf(msg, sizeof(msg), "Delivered SSN=%4.4x, got TSN=%8.8x, SID=%4.4x, SSN=%4.4x", 1999 (uint16_t)asoc->strmin[sid].last_mid_delivered, 2000 tsn, 2001 sid, 2002 (uint16_t)mid); 2003 } 2004 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2005 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_16; 2006 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 2007 *abort_flag = 1; 2008 return (0); 2009 } 2010 if (chk_type == SCTP_IDATA) { 2011 the_len = (chk_length - sizeof(struct sctp_idata_chunk)); 2012 } else { 2013 the_len = (chk_length - sizeof(struct sctp_data_chunk)); 2014 } 2015 if (last_chunk == 0) { 2016 if (chk_type == SCTP_IDATA) { 2017 dmbuf = SCTP_M_COPYM(*m, 2018 (offset + sizeof(struct sctp_idata_chunk)), 2019 the_len, M_NOWAIT); 2020 } else { 2021 dmbuf = SCTP_M_COPYM(*m, 2022 (offset + sizeof(struct sctp_data_chunk)), 2023 the_len, M_NOWAIT); 2024 } 2025 #ifdef SCTP_MBUF_LOGGING 2026 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { 2027 sctp_log_mbc(dmbuf, SCTP_MBUF_ICOPY); 2028 } 2029 #endif 2030 } else { 2031 /* We can steal the last chunk */ 2032 int l_len; 2033 2034 dmbuf = *m; 2035 /* lop off the top part */ 2036 if (chk_type == SCTP_IDATA) { 2037 m_adj(dmbuf, (offset + sizeof(struct sctp_idata_chunk))); 2038 } else { 2039 m_adj(dmbuf, (offset + sizeof(struct sctp_data_chunk))); 2040 } 2041 if (SCTP_BUF_NEXT(dmbuf) == NULL) { 2042 l_len = SCTP_BUF_LEN(dmbuf); 2043 } else { 2044 /* 2045 * need to count up the size hopefully does not hit 2046 * this to often :-0 2047 */ 2048 struct mbuf *lat; 2049 2050 l_len = 0; 2051 for (lat = dmbuf; lat; lat = SCTP_BUF_NEXT(lat)) { 2052 l_len += SCTP_BUF_LEN(lat); 2053 } 2054 } 2055 if (l_len > the_len) { 2056 /* Trim the end round bytes off too */ 2057 m_adj(dmbuf, -(l_len - the_len)); 2058 } 2059 } 2060 if (dmbuf == NULL) { 2061 SCTP_STAT_INCR(sctps_nomem); 2062 return (0); 2063 } 2064 /* 2065 * Now no matter what, we need a control, get one if we don't have 2066 * one (we may have gotten it above when we found the message was 2067 * fragmented 2068 */ 2069 if (control == NULL) { 2070 sctp_alloc_a_readq(stcb, control); 2071 sctp_build_readq_entry_mac(control, stcb, asoc->context, net, tsn, 2072 ppid, 2073 sid, 2074 chk_flags, 2075 NULL, fsn, mid); 2076 if (control == NULL) { 2077 SCTP_STAT_INCR(sctps_nomem); 2078 return (0); 2079 } 2080 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 2081 struct mbuf *mm; 2082 2083 control->data = dmbuf; 2084 for (mm = control->data; mm; mm = mm->m_next) { 2085 control->length += SCTP_BUF_LEN(mm); 2086 } 2087 control->tail_mbuf = NULL; 2088 control->end_added = 1; 2089 control->last_frag_seen = 1; 2090 control->first_frag_seen = 1; 2091 control->fsn_included = fsn; 2092 control->top_fsn = fsn; 2093 } 2094 created_control = 1; 2095 } 2096 SCTPDBG(SCTP_DEBUG_XXX, "chunk_flags: 0x%x ordered: %d MID: %u control: %p\n", 2097 chk_flags, ordered, mid, control); 2098 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG && 2099 TAILQ_EMPTY(&asoc->resetHead) && 2100 ((ordered == 0) || 2101 (SCTP_MID_EQ(asoc->idata_supported, asoc->strmin[sid].last_mid_delivered + 1, mid) && 2102 TAILQ_EMPTY(&asoc->strmin[sid].inqueue)))) { 2103 /* Candidate for express delivery */ 2104 /* 2105 * Its not fragmented, No PD-API is up, Nothing in the 2106 * delivery queue, Its un-ordered OR ordered and the next to 2107 * deliver AND nothing else is stuck on the stream queue, 2108 * And there is room for it in the socket buffer. Lets just 2109 * stuff it up the buffer.... 2110 */ 2111 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap); 2112 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 2113 asoc->highest_tsn_inside_nr_map = tsn; 2114 } 2115 SCTPDBG(SCTP_DEBUG_XXX, "Injecting control: %p to be read (MID: %u)\n", 2116 control, mid); 2117 2118 sctp_add_to_readq(stcb->sctp_ep, stcb, 2119 control, &stcb->sctp_socket->so_rcv, 2120 1, SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED); 2121 2122 if ((chk_flags & SCTP_DATA_UNORDERED) == 0) { 2123 /* for ordered, bump what we delivered */ 2124 asoc->strmin[sid].last_mid_delivered++; 2125 } 2126 SCTP_STAT_INCR(sctps_recvexpress); 2127 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 2128 sctp_log_strm_del_alt(stcb, tsn, mid, sid, 2129 SCTP_STR_LOG_FROM_EXPRS_DEL); 2130 } 2131 control = NULL; 2132 goto finish_express_del; 2133 } 2134 /* Now will we need a chunk too? */ 2135 if ((chk_flags & SCTP_DATA_NOT_FRAG) != SCTP_DATA_NOT_FRAG) { 2136 sctp_alloc_a_chunk(stcb, chk); 2137 if (chk == NULL) { 2138 /* No memory so we drop the chunk */ 2139 SCTP_STAT_INCR(sctps_nomem); 2140 if (last_chunk == 0) { 2141 /* we copied it, free the copy */ 2142 sctp_m_freem(dmbuf); 2143 } 2144 return (0); 2145 } 2146 chk->rec.data.tsn = tsn; 2147 chk->no_fr_allowed = 0; 2148 chk->rec.data.fsn = fsn; 2149 chk->rec.data.mid = mid; 2150 chk->rec.data.sid = sid; 2151 chk->rec.data.ppid = ppid; 2152 chk->rec.data.context = stcb->asoc.context; 2153 chk->rec.data.doing_fast_retransmit = 0; 2154 chk->rec.data.rcv_flags = chk_flags; 2155 chk->asoc = asoc; 2156 chk->send_size = the_len; 2157 chk->whoTo = net; 2158 SCTPDBG(SCTP_DEBUG_XXX, "Building ck: %p for control: %p to be read (MID: %u)\n", 2159 chk, 2160 control, mid); 2161 atomic_add_int(&net->ref_count, 1); 2162 chk->data = dmbuf; 2163 } 2164 /* Set the appropriate TSN mark */ 2165 if (SCTP_BASE_SYSCTL(sctp_do_drain) == 0) { 2166 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, gap); 2167 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_nr_map)) { 2168 asoc->highest_tsn_inside_nr_map = tsn; 2169 } 2170 } else { 2171 SCTP_SET_TSN_PRESENT(asoc->mapping_array, gap); 2172 if (SCTP_TSN_GT(tsn, asoc->highest_tsn_inside_map)) { 2173 asoc->highest_tsn_inside_map = tsn; 2174 } 2175 } 2176 /* Now is it complete (i.e. not fragmented)? */ 2177 if ((chk_flags & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 2178 /* 2179 * Special check for when streams are resetting. We could be 2180 * more smart about this and check the actual stream to see 2181 * if it is not being reset.. that way we would not create a 2182 * HOLB when amongst streams being reset and those not being 2183 * reset. 2184 * 2185 */ 2186 if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) && 2187 SCTP_TSN_GT(tsn, liste->tsn)) { 2188 /* 2189 * yep its past where we need to reset... go ahead 2190 * and queue it. 2191 */ 2192 if (TAILQ_EMPTY(&asoc->pending_reply_queue)) { 2193 /* first one on */ 2194 TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next); 2195 } else { 2196 struct sctp_queued_to_read *lcontrol, *nlcontrol; 2197 unsigned char inserted = 0; 2198 2199 TAILQ_FOREACH_SAFE(lcontrol, &asoc->pending_reply_queue, next, nlcontrol) { 2200 if (SCTP_TSN_GT(control->sinfo_tsn, lcontrol->sinfo_tsn)) { 2201 2202 continue; 2203 } else { 2204 /* found it */ 2205 TAILQ_INSERT_BEFORE(lcontrol, control, next); 2206 inserted = 1; 2207 break; 2208 } 2209 } 2210 if (inserted == 0) { 2211 /* 2212 * must be put at end, use prevP 2213 * (all setup from loop) to setup 2214 * nextP. 2215 */ 2216 TAILQ_INSERT_TAIL(&asoc->pending_reply_queue, control, next); 2217 } 2218 } 2219 goto finish_express_del; 2220 } 2221 if (chk_flags & SCTP_DATA_UNORDERED) { 2222 /* queue directly into socket buffer */ 2223 SCTPDBG(SCTP_DEBUG_XXX, "Unordered data to be read control: %p MID: %u\n", 2224 control, mid); 2225 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 2226 sctp_add_to_readq(stcb->sctp_ep, stcb, 2227 control, 2228 &stcb->sctp_socket->so_rcv, 1, 2229 SCTP_READ_LOCK_NOT_HELD, SCTP_SO_NOT_LOCKED); 2230 2231 } else { 2232 SCTPDBG(SCTP_DEBUG_XXX, "Queue control: %p for reordering MID: %u\n", control, 2233 mid); 2234 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check); 2235 if (*abort_flag) { 2236 if (last_chunk) { 2237 *m = NULL; 2238 } 2239 return (0); 2240 } 2241 } 2242 goto finish_express_del; 2243 } 2244 /* If we reach here its a reassembly */ 2245 need_reasm_check = 1; 2246 SCTPDBG(SCTP_DEBUG_XXX, 2247 "Queue data to stream for reasm control: %p MID: %u\n", 2248 control, mid); 2249 sctp_queue_data_for_reasm(stcb, asoc, control, chk, created_control, abort_flag, tsn); 2250 if (*abort_flag) { 2251 /* 2252 * the assoc is now gone and chk was put onto the reasm 2253 * queue, which has all been freed. 2254 */ 2255 if (last_chunk) { 2256 *m = NULL; 2257 } 2258 return (0); 2259 } 2260 finish_express_del: 2261 /* Here we tidy up things */ 2262 if (tsn == (asoc->cumulative_tsn + 1)) { 2263 /* Update cum-ack */ 2264 asoc->cumulative_tsn = tsn; 2265 } 2266 if (last_chunk) { 2267 *m = NULL; 2268 } 2269 if (ordered) { 2270 SCTP_STAT_INCR_COUNTER64(sctps_inorderchunks); 2271 } else { 2272 SCTP_STAT_INCR_COUNTER64(sctps_inunorderchunks); 2273 } 2274 SCTP_STAT_INCR(sctps_recvdata); 2275 /* Set it present please */ 2276 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_STR_LOGGING_ENABLE) { 2277 sctp_log_strm_del_alt(stcb, tsn, mid, sid, SCTP_STR_LOG_FROM_MARK_TSN); 2278 } 2279 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2280 sctp_log_map(asoc->mapping_array_base_tsn, asoc->cumulative_tsn, 2281 asoc->highest_tsn_inside_map, SCTP_MAP_PREPARE_SLIDE); 2282 } 2283 if (need_reasm_check) { 2284 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[sid], SCTP_READ_LOCK_NOT_HELD); 2285 need_reasm_check = 0; 2286 } 2287 /* check the special flag for stream resets */ 2288 if (((liste = TAILQ_FIRST(&asoc->resetHead)) != NULL) && 2289 SCTP_TSN_GE(asoc->cumulative_tsn, liste->tsn)) { 2290 /* 2291 * we have finished working through the backlogged TSN's now 2292 * time to reset streams. 1: call reset function. 2: free 2293 * pending_reply space 3: distribute any chunks in 2294 * pending_reply_queue. 2295 */ 2296 sctp_reset_in_stream(stcb, liste->number_entries, liste->list_of_streams); 2297 TAILQ_REMOVE(&asoc->resetHead, liste, next_resp); 2298 sctp_send_deferred_reset_response(stcb, liste, SCTP_STREAM_RESET_RESULT_PERFORMED); 2299 SCTP_FREE(liste, SCTP_M_STRESET); 2300 /* sa_ignore FREED_MEMORY */ 2301 liste = TAILQ_FIRST(&asoc->resetHead); 2302 if (TAILQ_EMPTY(&asoc->resetHead)) { 2303 /* All can be removed */ 2304 TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) { 2305 TAILQ_REMOVE(&asoc->pending_reply_queue, control, next); 2306 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check); 2307 if (*abort_flag) { 2308 return (0); 2309 } 2310 if (need_reasm_check) { 2311 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD); 2312 need_reasm_check = 0; 2313 } 2314 } 2315 } else { 2316 TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) { 2317 if (SCTP_TSN_GT(control->sinfo_tsn, liste->tsn)) { 2318 break; 2319 } 2320 /* 2321 * if control->sinfo_tsn is <= liste->tsn we 2322 * can process it which is the NOT of 2323 * control->sinfo_tsn > liste->tsn 2324 */ 2325 TAILQ_REMOVE(&asoc->pending_reply_queue, control, next); 2326 sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check); 2327 if (*abort_flag) { 2328 return (0); 2329 } 2330 if (need_reasm_check) { 2331 (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD); 2332 need_reasm_check = 0; 2333 } 2334 } 2335 } 2336 } 2337 return (1); 2338 } 2339 2340 static const int8_t sctp_map_lookup_tab[256] = { 2341 0, 1, 0, 2, 0, 1, 0, 3, 2342 0, 1, 0, 2, 0, 1, 0, 4, 2343 0, 1, 0, 2, 0, 1, 0, 3, 2344 0, 1, 0, 2, 0, 1, 0, 5, 2345 0, 1, 0, 2, 0, 1, 0, 3, 2346 0, 1, 0, 2, 0, 1, 0, 4, 2347 0, 1, 0, 2, 0, 1, 0, 3, 2348 0, 1, 0, 2, 0, 1, 0, 6, 2349 0, 1, 0, 2, 0, 1, 0, 3, 2350 0, 1, 0, 2, 0, 1, 0, 4, 2351 0, 1, 0, 2, 0, 1, 0, 3, 2352 0, 1, 0, 2, 0, 1, 0, 5, 2353 0, 1, 0, 2, 0, 1, 0, 3, 2354 0, 1, 0, 2, 0, 1, 0, 4, 2355 0, 1, 0, 2, 0, 1, 0, 3, 2356 0, 1, 0, 2, 0, 1, 0, 7, 2357 0, 1, 0, 2, 0, 1, 0, 3, 2358 0, 1, 0, 2, 0, 1, 0, 4, 2359 0, 1, 0, 2, 0, 1, 0, 3, 2360 0, 1, 0, 2, 0, 1, 0, 5, 2361 0, 1, 0, 2, 0, 1, 0, 3, 2362 0, 1, 0, 2, 0, 1, 0, 4, 2363 0, 1, 0, 2, 0, 1, 0, 3, 2364 0, 1, 0, 2, 0, 1, 0, 6, 2365 0, 1, 0, 2, 0, 1, 0, 3, 2366 0, 1, 0, 2, 0, 1, 0, 4, 2367 0, 1, 0, 2, 0, 1, 0, 3, 2368 0, 1, 0, 2, 0, 1, 0, 5, 2369 0, 1, 0, 2, 0, 1, 0, 3, 2370 0, 1, 0, 2, 0, 1, 0, 4, 2371 0, 1, 0, 2, 0, 1, 0, 3, 2372 0, 1, 0, 2, 0, 1, 0, 8 2373 }; 2374 2375 2376 void 2377 sctp_slide_mapping_arrays(struct sctp_tcb *stcb) 2378 { 2379 /* 2380 * Now we also need to check the mapping array in a couple of ways. 2381 * 1) Did we move the cum-ack point? 2382 * 2383 * When you first glance at this you might think that all entries 2384 * that make up the position of the cum-ack would be in the 2385 * nr-mapping array only.. i.e. things up to the cum-ack are always 2386 * deliverable. Thats true with one exception, when its a fragmented 2387 * message we may not deliver the data until some threshold (or all 2388 * of it) is in place. So we must OR the nr_mapping_array and 2389 * mapping_array to get a true picture of the cum-ack. 2390 */ 2391 struct sctp_association *asoc; 2392 int at; 2393 uint8_t val; 2394 int slide_from, slide_end, lgap, distance; 2395 uint32_t old_cumack, old_base, old_highest, highest_tsn; 2396 2397 asoc = &stcb->asoc; 2398 2399 old_cumack = asoc->cumulative_tsn; 2400 old_base = asoc->mapping_array_base_tsn; 2401 old_highest = asoc->highest_tsn_inside_map; 2402 /* 2403 * We could probably improve this a small bit by calculating the 2404 * offset of the current cum-ack as the starting point. 2405 */ 2406 at = 0; 2407 for (slide_from = 0; slide_from < stcb->asoc.mapping_array_size; slide_from++) { 2408 val = asoc->nr_mapping_array[slide_from] | asoc->mapping_array[slide_from]; 2409 if (val == 0xff) { 2410 at += 8; 2411 } else { 2412 /* there is a 0 bit */ 2413 at += sctp_map_lookup_tab[val]; 2414 break; 2415 } 2416 } 2417 asoc->cumulative_tsn = asoc->mapping_array_base_tsn + (at - 1); 2418 2419 if (SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_map) && 2420 SCTP_TSN_GT(asoc->cumulative_tsn, asoc->highest_tsn_inside_nr_map)) { 2421 #ifdef INVARIANTS 2422 panic("huh, cumack 0x%x greater than high-tsn 0x%x in map", 2423 asoc->cumulative_tsn, asoc->highest_tsn_inside_map); 2424 #else 2425 SCTP_PRINTF("huh, cumack 0x%x greater than high-tsn 0x%x in map - should panic?\n", 2426 asoc->cumulative_tsn, asoc->highest_tsn_inside_map); 2427 sctp_print_mapping_array(asoc); 2428 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2429 sctp_log_map(0, 6, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 2430 } 2431 asoc->highest_tsn_inside_map = asoc->cumulative_tsn; 2432 asoc->highest_tsn_inside_nr_map = asoc->cumulative_tsn; 2433 #endif 2434 } 2435 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) { 2436 highest_tsn = asoc->highest_tsn_inside_nr_map; 2437 } else { 2438 highest_tsn = asoc->highest_tsn_inside_map; 2439 } 2440 if ((asoc->cumulative_tsn == highest_tsn) && (at >= 8)) { 2441 /* The complete array was completed by a single FR */ 2442 /* highest becomes the cum-ack */ 2443 int clr; 2444 #ifdef INVARIANTS 2445 unsigned int i; 2446 #endif 2447 2448 /* clear the array */ 2449 clr = ((at + 7) >> 3); 2450 if (clr > asoc->mapping_array_size) { 2451 clr = asoc->mapping_array_size; 2452 } 2453 memset(asoc->mapping_array, 0, clr); 2454 memset(asoc->nr_mapping_array, 0, clr); 2455 #ifdef INVARIANTS 2456 for (i = 0; i < asoc->mapping_array_size; i++) { 2457 if ((asoc->mapping_array[i]) || (asoc->nr_mapping_array[i])) { 2458 SCTP_PRINTF("Error Mapping array's not clean at clear\n"); 2459 sctp_print_mapping_array(asoc); 2460 } 2461 } 2462 #endif 2463 asoc->mapping_array_base_tsn = asoc->cumulative_tsn + 1; 2464 asoc->highest_tsn_inside_nr_map = asoc->highest_tsn_inside_map = asoc->cumulative_tsn; 2465 } else if (at >= 8) { 2466 /* we can slide the mapping array down */ 2467 /* slide_from holds where we hit the first NON 0xff byte */ 2468 2469 /* 2470 * now calculate the ceiling of the move using our highest 2471 * TSN value 2472 */ 2473 SCTP_CALC_TSN_TO_GAP(lgap, highest_tsn, asoc->mapping_array_base_tsn); 2474 slide_end = (lgap >> 3); 2475 if (slide_end < slide_from) { 2476 sctp_print_mapping_array(asoc); 2477 #ifdef INVARIANTS 2478 panic("impossible slide"); 2479 #else 2480 SCTP_PRINTF("impossible slide lgap: %x slide_end: %x slide_from: %x? at: %d\n", 2481 lgap, slide_end, slide_from, at); 2482 return; 2483 #endif 2484 } 2485 if (slide_end > asoc->mapping_array_size) { 2486 #ifdef INVARIANTS 2487 panic("would overrun buffer"); 2488 #else 2489 SCTP_PRINTF("Gak, would have overrun map end: %d slide_end: %d\n", 2490 asoc->mapping_array_size, slide_end); 2491 slide_end = asoc->mapping_array_size; 2492 #endif 2493 } 2494 distance = (slide_end - slide_from) + 1; 2495 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2496 sctp_log_map(old_base, old_cumack, old_highest, 2497 SCTP_MAP_PREPARE_SLIDE); 2498 sctp_log_map((uint32_t)slide_from, (uint32_t)slide_end, 2499 (uint32_t)lgap, SCTP_MAP_SLIDE_FROM); 2500 } 2501 if (distance + slide_from > asoc->mapping_array_size || 2502 distance < 0) { 2503 /* 2504 * Here we do NOT slide forward the array so that 2505 * hopefully when more data comes in to fill it up 2506 * we will be able to slide it forward. Really I 2507 * don't think this should happen :-0 2508 */ 2509 2510 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2511 sctp_log_map((uint32_t)distance, (uint32_t)slide_from, 2512 (uint32_t)asoc->mapping_array_size, 2513 SCTP_MAP_SLIDE_NONE); 2514 } 2515 } else { 2516 int ii; 2517 2518 for (ii = 0; ii < distance; ii++) { 2519 asoc->mapping_array[ii] = asoc->mapping_array[slide_from + ii]; 2520 asoc->nr_mapping_array[ii] = asoc->nr_mapping_array[slide_from + ii]; 2521 2522 } 2523 for (ii = distance; ii < asoc->mapping_array_size; ii++) { 2524 asoc->mapping_array[ii] = 0; 2525 asoc->nr_mapping_array[ii] = 0; 2526 } 2527 if (asoc->highest_tsn_inside_map + 1 == asoc->mapping_array_base_tsn) { 2528 asoc->highest_tsn_inside_map += (slide_from << 3); 2529 } 2530 if (asoc->highest_tsn_inside_nr_map + 1 == asoc->mapping_array_base_tsn) { 2531 asoc->highest_tsn_inside_nr_map += (slide_from << 3); 2532 } 2533 asoc->mapping_array_base_tsn += (slide_from << 3); 2534 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 2535 sctp_log_map(asoc->mapping_array_base_tsn, 2536 asoc->cumulative_tsn, asoc->highest_tsn_inside_map, 2537 SCTP_MAP_SLIDE_RESULT); 2538 } 2539 } 2540 } 2541 } 2542 2543 void 2544 sctp_sack_check(struct sctp_tcb *stcb, int was_a_gap) 2545 { 2546 struct sctp_association *asoc; 2547 uint32_t highest_tsn; 2548 int is_a_gap; 2549 2550 sctp_slide_mapping_arrays(stcb); 2551 asoc = &stcb->asoc; 2552 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) { 2553 highest_tsn = asoc->highest_tsn_inside_nr_map; 2554 } else { 2555 highest_tsn = asoc->highest_tsn_inside_map; 2556 } 2557 /* Is there a gap now? */ 2558 is_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn); 2559 2560 /* 2561 * Now we need to see if we need to queue a sack or just start the 2562 * timer (if allowed). 2563 */ 2564 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 2565 /* 2566 * Ok special case, in SHUTDOWN-SENT case. here we maker 2567 * sure SACK timer is off and instead send a SHUTDOWN and a 2568 * SACK 2569 */ 2570 if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) { 2571 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, 2572 stcb->sctp_ep, stcb, NULL, 2573 SCTP_FROM_SCTP_INDATA + SCTP_LOC_17); 2574 } 2575 sctp_send_shutdown(stcb, 2576 ((stcb->asoc.alternate) ? stcb->asoc.alternate : stcb->asoc.primary_destination)); 2577 if (is_a_gap) { 2578 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED); 2579 } 2580 } else { 2581 /* 2582 * CMT DAC algorithm: increase number of packets received 2583 * since last ack 2584 */ 2585 stcb->asoc.cmt_dac_pkts_rcvd++; 2586 2587 if ((stcb->asoc.send_sack == 1) || /* We need to send a 2588 * SACK */ 2589 ((was_a_gap) && (is_a_gap == 0)) || /* was a gap, but no 2590 * longer is one */ 2591 (stcb->asoc.numduptsns) || /* we have dup's */ 2592 (is_a_gap) || /* is still a gap */ 2593 (stcb->asoc.delayed_ack == 0) || /* Delayed sack disabled */ 2594 (stcb->asoc.data_pkts_seen >= stcb->asoc.sack_freq) /* hit limit of pkts */ 2595 ) { 2596 2597 if ((stcb->asoc.sctp_cmt_on_off > 0) && 2598 (SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) && 2599 (stcb->asoc.send_sack == 0) && 2600 (stcb->asoc.numduptsns == 0) && 2601 (stcb->asoc.delayed_ack) && 2602 (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer))) { 2603 2604 /* 2605 * CMT DAC algorithm: With CMT, delay acks 2606 * even in the face of 2607 * 2608 * reordering. Therefore, if acks that do 2609 * not have to be sent because of the above 2610 * reasons, will be delayed. That is, acks 2611 * that would have been sent due to gap 2612 * reports will be delayed with DAC. Start 2613 * the delayed ack timer. 2614 */ 2615 sctp_timer_start(SCTP_TIMER_TYPE_RECV, 2616 stcb->sctp_ep, stcb, NULL); 2617 } else { 2618 /* 2619 * Ok we must build a SACK since the timer 2620 * is pending, we got our first packet OR 2621 * there are gaps or duplicates. 2622 */ 2623 (void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer); 2624 sctp_send_sack(stcb, SCTP_SO_NOT_LOCKED); 2625 } 2626 } else { 2627 if (!SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) { 2628 sctp_timer_start(SCTP_TIMER_TYPE_RECV, 2629 stcb->sctp_ep, stcb, NULL); 2630 } 2631 } 2632 } 2633 } 2634 2635 int 2636 sctp_process_data(struct mbuf **mm, int iphlen, int *offset, int length, 2637 struct sctp_inpcb *inp, struct sctp_tcb *stcb, 2638 struct sctp_nets *net, uint32_t *high_tsn) 2639 { 2640 struct sctp_chunkhdr *ch, chunk_buf; 2641 struct sctp_association *asoc; 2642 int num_chunks = 0; /* number of control chunks processed */ 2643 int stop_proc = 0; 2644 int chk_length, break_flag, last_chunk; 2645 int abort_flag = 0, was_a_gap; 2646 struct mbuf *m; 2647 uint32_t highest_tsn; 2648 2649 /* set the rwnd */ 2650 sctp_set_rwnd(stcb, &stcb->asoc); 2651 2652 m = *mm; 2653 SCTP_TCB_LOCK_ASSERT(stcb); 2654 asoc = &stcb->asoc; 2655 if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->highest_tsn_inside_map)) { 2656 highest_tsn = asoc->highest_tsn_inside_nr_map; 2657 } else { 2658 highest_tsn = asoc->highest_tsn_inside_map; 2659 } 2660 was_a_gap = SCTP_TSN_GT(highest_tsn, stcb->asoc.cumulative_tsn); 2661 /* 2662 * setup where we got the last DATA packet from for any SACK that 2663 * may need to go out. Don't bump the net. This is done ONLY when a 2664 * chunk is assigned. 2665 */ 2666 asoc->last_data_chunk_from = net; 2667 2668 /*- 2669 * Now before we proceed we must figure out if this is a wasted 2670 * cluster... i.e. it is a small packet sent in and yet the driver 2671 * underneath allocated a full cluster for it. If so we must copy it 2672 * to a smaller mbuf and free up the cluster mbuf. This will help 2673 * with cluster starvation. Note for __Panda__ we don't do this 2674 * since it has clusters all the way down to 64 bytes. 2675 */ 2676 if (SCTP_BUF_LEN(m) < (long)MLEN && SCTP_BUF_NEXT(m) == NULL) { 2677 /* we only handle mbufs that are singletons.. not chains */ 2678 m = sctp_get_mbuf_for_msg(SCTP_BUF_LEN(m), 0, M_NOWAIT, 1, MT_DATA); 2679 if (m) { 2680 /* ok lets see if we can copy the data up */ 2681 caddr_t *from, *to; 2682 2683 /* get the pointers and copy */ 2684 to = mtod(m, caddr_t *); 2685 from = mtod((*mm), caddr_t *); 2686 memcpy(to, from, SCTP_BUF_LEN((*mm))); 2687 /* copy the length and free up the old */ 2688 SCTP_BUF_LEN(m) = SCTP_BUF_LEN((*mm)); 2689 sctp_m_freem(*mm); 2690 /* success, back copy */ 2691 *mm = m; 2692 } else { 2693 /* We are in trouble in the mbuf world .. yikes */ 2694 m = *mm; 2695 } 2696 } 2697 /* get pointer to the first chunk header */ 2698 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 2699 sizeof(struct sctp_chunkhdr), (uint8_t *)&chunk_buf); 2700 if (ch == NULL) { 2701 return (1); 2702 } 2703 /* 2704 * process all DATA chunks... 2705 */ 2706 *high_tsn = asoc->cumulative_tsn; 2707 break_flag = 0; 2708 asoc->data_pkts_seen++; 2709 while (stop_proc == 0) { 2710 /* validate chunk length */ 2711 chk_length = ntohs(ch->chunk_length); 2712 if (length - *offset < chk_length) { 2713 /* all done, mutulated chunk */ 2714 stop_proc = 1; 2715 continue; 2716 } 2717 if ((asoc->idata_supported == 1) && 2718 (ch->chunk_type == SCTP_DATA)) { 2719 struct mbuf *op_err; 2720 char msg[SCTP_DIAG_INFO_LEN]; 2721 2722 snprintf(msg, sizeof(msg), "%s", "I-DATA chunk received when DATA was negotiated"); 2723 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2724 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_18; 2725 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); 2726 return (2); 2727 } 2728 if ((asoc->idata_supported == 0) && 2729 (ch->chunk_type == SCTP_IDATA)) { 2730 struct mbuf *op_err; 2731 char msg[SCTP_DIAG_INFO_LEN]; 2732 2733 snprintf(msg, sizeof(msg), "%s", "DATA chunk received when I-DATA was negotiated"); 2734 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2735 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_19; 2736 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); 2737 return (2); 2738 } 2739 if ((ch->chunk_type == SCTP_DATA) || 2740 (ch->chunk_type == SCTP_IDATA)) { 2741 int clen; 2742 2743 if (ch->chunk_type == SCTP_DATA) { 2744 clen = sizeof(struct sctp_data_chunk); 2745 } else { 2746 clen = sizeof(struct sctp_idata_chunk); 2747 } 2748 if (chk_length < clen) { 2749 /* 2750 * Need to send an abort since we had a 2751 * invalid data chunk. 2752 */ 2753 struct mbuf *op_err; 2754 char msg[SCTP_DIAG_INFO_LEN]; 2755 2756 snprintf(msg, sizeof(msg), "DATA chunk of length %d", 2757 chk_length); 2758 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2759 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_20; 2760 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); 2761 return (2); 2762 } 2763 #ifdef SCTP_AUDITING_ENABLED 2764 sctp_audit_log(0xB1, 0); 2765 #endif 2766 if (SCTP_SIZE32(chk_length) == (length - *offset)) { 2767 last_chunk = 1; 2768 } else { 2769 last_chunk = 0; 2770 } 2771 if (sctp_process_a_data_chunk(stcb, asoc, mm, *offset, 2772 chk_length, net, high_tsn, &abort_flag, &break_flag, 2773 last_chunk, ch->chunk_type)) { 2774 num_chunks++; 2775 } 2776 if (abort_flag) 2777 return (2); 2778 2779 if (break_flag) { 2780 /* 2781 * Set because of out of rwnd space and no 2782 * drop rep space left. 2783 */ 2784 stop_proc = 1; 2785 continue; 2786 } 2787 } else { 2788 /* not a data chunk in the data region */ 2789 switch (ch->chunk_type) { 2790 case SCTP_INITIATION: 2791 case SCTP_INITIATION_ACK: 2792 case SCTP_SELECTIVE_ACK: 2793 case SCTP_NR_SELECTIVE_ACK: 2794 case SCTP_HEARTBEAT_REQUEST: 2795 case SCTP_HEARTBEAT_ACK: 2796 case SCTP_ABORT_ASSOCIATION: 2797 case SCTP_SHUTDOWN: 2798 case SCTP_SHUTDOWN_ACK: 2799 case SCTP_OPERATION_ERROR: 2800 case SCTP_COOKIE_ECHO: 2801 case SCTP_COOKIE_ACK: 2802 case SCTP_ECN_ECHO: 2803 case SCTP_ECN_CWR: 2804 case SCTP_SHUTDOWN_COMPLETE: 2805 case SCTP_AUTHENTICATION: 2806 case SCTP_ASCONF_ACK: 2807 case SCTP_PACKET_DROPPED: 2808 case SCTP_STREAM_RESET: 2809 case SCTP_FORWARD_CUM_TSN: 2810 case SCTP_ASCONF: 2811 { 2812 /* 2813 * Now, what do we do with KNOWN 2814 * chunks that are NOT in the right 2815 * place? 2816 * 2817 * For now, I do nothing but ignore 2818 * them. We may later want to add 2819 * sysctl stuff to switch out and do 2820 * either an ABORT() or possibly 2821 * process them. 2822 */ 2823 struct mbuf *op_err; 2824 char msg[SCTP_DIAG_INFO_LEN]; 2825 2826 snprintf(msg, sizeof(msg), "DATA chunk followed by chunk of type %2.2x", 2827 ch->chunk_type); 2828 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 2829 sctp_abort_an_association(inp, stcb, op_err, SCTP_SO_NOT_LOCKED); 2830 return (2); 2831 } 2832 default: 2833 /* unknown chunk type, use bit rules */ 2834 if (ch->chunk_type & 0x40) { 2835 /* Add a error report to the queue */ 2836 struct mbuf *op_err; 2837 struct sctp_gen_error_cause *cause; 2838 2839 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_gen_error_cause), 2840 0, M_NOWAIT, 1, MT_DATA); 2841 if (op_err != NULL) { 2842 cause = mtod(op_err, struct sctp_gen_error_cause *); 2843 cause->code = htons(SCTP_CAUSE_UNRECOG_CHUNK); 2844 cause->length = htons((uint16_t)(chk_length + sizeof(struct sctp_gen_error_cause))); 2845 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause); 2846 SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(m, *offset, chk_length, M_NOWAIT); 2847 if (SCTP_BUF_NEXT(op_err) != NULL) { 2848 sctp_queue_op_err(stcb, op_err); 2849 } else { 2850 sctp_m_freem(op_err); 2851 } 2852 } 2853 } 2854 if ((ch->chunk_type & 0x80) == 0) { 2855 /* discard the rest of this packet */ 2856 stop_proc = 1; 2857 } /* else skip this bad chunk and 2858 * continue... */ 2859 break; 2860 } /* switch of chunk type */ 2861 } 2862 *offset += SCTP_SIZE32(chk_length); 2863 if ((*offset >= length) || stop_proc) { 2864 /* no more data left in the mbuf chain */ 2865 stop_proc = 1; 2866 continue; 2867 } 2868 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 2869 sizeof(struct sctp_chunkhdr), (uint8_t *)&chunk_buf); 2870 if (ch == NULL) { 2871 *offset = length; 2872 stop_proc = 1; 2873 continue; 2874 } 2875 } 2876 if (break_flag) { 2877 /* 2878 * we need to report rwnd overrun drops. 2879 */ 2880 sctp_send_packet_dropped(stcb, net, *mm, length, iphlen, 0); 2881 } 2882 if (num_chunks) { 2883 /* 2884 * Did we get data, if so update the time for auto-close and 2885 * give peer credit for being alive. 2886 */ 2887 SCTP_STAT_INCR(sctps_recvpktwithdata); 2888 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 2889 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 2890 stcb->asoc.overall_error_count, 2891 0, 2892 SCTP_FROM_SCTP_INDATA, 2893 __LINE__); 2894 } 2895 stcb->asoc.overall_error_count = 0; 2896 (void)SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_last_rcvd); 2897 } 2898 /* now service all of the reassm queue if needed */ 2899 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 2900 /* Assure that we ack right away */ 2901 stcb->asoc.send_sack = 1; 2902 } 2903 /* Start a sack timer or QUEUE a SACK for sending */ 2904 sctp_sack_check(stcb, was_a_gap); 2905 return (0); 2906 } 2907 2908 static int 2909 sctp_process_segment_range(struct sctp_tcb *stcb, struct sctp_tmit_chunk **p_tp1, uint32_t last_tsn, 2910 uint16_t frag_strt, uint16_t frag_end, int nr_sacking, 2911 int *num_frs, 2912 uint32_t *biggest_newly_acked_tsn, 2913 uint32_t *this_sack_lowest_newack, 2914 int *rto_ok) 2915 { 2916 struct sctp_tmit_chunk *tp1; 2917 unsigned int theTSN; 2918 int j, wake_him = 0, circled = 0; 2919 2920 /* Recover the tp1 we last saw */ 2921 tp1 = *p_tp1; 2922 if (tp1 == NULL) { 2923 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2924 } 2925 for (j = frag_strt; j <= frag_end; j++) { 2926 theTSN = j + last_tsn; 2927 while (tp1) { 2928 if (tp1->rec.data.doing_fast_retransmit) 2929 (*num_frs) += 1; 2930 2931 /*- 2932 * CMT: CUCv2 algorithm. For each TSN being 2933 * processed from the sent queue, track the 2934 * next expected pseudo-cumack, or 2935 * rtx_pseudo_cumack, if required. Separate 2936 * cumack trackers for first transmissions, 2937 * and retransmissions. 2938 */ 2939 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && 2940 (tp1->whoTo->find_pseudo_cumack == 1) && 2941 (tp1->snd_count == 1)) { 2942 tp1->whoTo->pseudo_cumack = tp1->rec.data.tsn; 2943 tp1->whoTo->find_pseudo_cumack = 0; 2944 } 2945 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && 2946 (tp1->whoTo->find_rtx_pseudo_cumack == 1) && 2947 (tp1->snd_count > 1)) { 2948 tp1->whoTo->rtx_pseudo_cumack = tp1->rec.data.tsn; 2949 tp1->whoTo->find_rtx_pseudo_cumack = 0; 2950 } 2951 if (tp1->rec.data.tsn == theTSN) { 2952 if (tp1->sent != SCTP_DATAGRAM_UNSENT) { 2953 /*- 2954 * must be held until 2955 * cum-ack passes 2956 */ 2957 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 2958 /*- 2959 * If it is less than RESEND, it is 2960 * now no-longer in flight. 2961 * Higher values may already be set 2962 * via previous Gap Ack Blocks... 2963 * i.e. ACKED or RESEND. 2964 */ 2965 if (SCTP_TSN_GT(tp1->rec.data.tsn, 2966 *biggest_newly_acked_tsn)) { 2967 *biggest_newly_acked_tsn = tp1->rec.data.tsn; 2968 } 2969 /*- 2970 * CMT: SFR algo (and HTNA) - set 2971 * saw_newack to 1 for dest being 2972 * newly acked. update 2973 * this_sack_highest_newack if 2974 * appropriate. 2975 */ 2976 if (tp1->rec.data.chunk_was_revoked == 0) 2977 tp1->whoTo->saw_newack = 1; 2978 2979 if (SCTP_TSN_GT(tp1->rec.data.tsn, 2980 tp1->whoTo->this_sack_highest_newack)) { 2981 tp1->whoTo->this_sack_highest_newack = 2982 tp1->rec.data.tsn; 2983 } 2984 /*- 2985 * CMT DAC algo: also update 2986 * this_sack_lowest_newack 2987 */ 2988 if (*this_sack_lowest_newack == 0) { 2989 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 2990 sctp_log_sack(*this_sack_lowest_newack, 2991 last_tsn, 2992 tp1->rec.data.tsn, 2993 0, 2994 0, 2995 SCTP_LOG_TSN_ACKED); 2996 } 2997 *this_sack_lowest_newack = tp1->rec.data.tsn; 2998 } 2999 /*- 3000 * CMT: CUCv2 algorithm. If (rtx-)pseudo-cumack for corresp 3001 * dest is being acked, then we have a new (rtx-)pseudo-cumack. Set 3002 * new_(rtx_)pseudo_cumack to TRUE so that the cwnd for this dest can be 3003 * updated. Also trigger search for the next expected (rtx-)pseudo-cumack. 3004 * Separate pseudo_cumack trackers for first transmissions and 3005 * retransmissions. 3006 */ 3007 if (tp1->rec.data.tsn == tp1->whoTo->pseudo_cumack) { 3008 if (tp1->rec.data.chunk_was_revoked == 0) { 3009 tp1->whoTo->new_pseudo_cumack = 1; 3010 } 3011 tp1->whoTo->find_pseudo_cumack = 1; 3012 } 3013 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) { 3014 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK); 3015 } 3016 if (tp1->rec.data.tsn == tp1->whoTo->rtx_pseudo_cumack) { 3017 if (tp1->rec.data.chunk_was_revoked == 0) { 3018 tp1->whoTo->new_pseudo_cumack = 1; 3019 } 3020 tp1->whoTo->find_rtx_pseudo_cumack = 1; 3021 } 3022 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 3023 sctp_log_sack(*biggest_newly_acked_tsn, 3024 last_tsn, 3025 tp1->rec.data.tsn, 3026 frag_strt, 3027 frag_end, 3028 SCTP_LOG_TSN_ACKED); 3029 } 3030 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3031 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_GAP, 3032 tp1->whoTo->flight_size, 3033 tp1->book_size, 3034 (uint32_t)(uintptr_t)tp1->whoTo, 3035 tp1->rec.data.tsn); 3036 } 3037 sctp_flight_size_decrease(tp1); 3038 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 3039 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 3040 tp1); 3041 } 3042 sctp_total_flight_decrease(stcb, tp1); 3043 3044 tp1->whoTo->net_ack += tp1->send_size; 3045 if (tp1->snd_count < 2) { 3046 /*- 3047 * True non-retransmited chunk 3048 */ 3049 tp1->whoTo->net_ack2 += tp1->send_size; 3050 3051 /*- 3052 * update RTO too ? 3053 */ 3054 if (tp1->do_rtt) { 3055 if (*rto_ok) { 3056 tp1->whoTo->RTO = 3057 sctp_calculate_rto(stcb, 3058 &stcb->asoc, 3059 tp1->whoTo, 3060 &tp1->sent_rcv_time, 3061 sctp_align_safe_nocopy, 3062 SCTP_RTT_FROM_DATA); 3063 *rto_ok = 0; 3064 } 3065 if (tp1->whoTo->rto_needed == 0) { 3066 tp1->whoTo->rto_needed = 1; 3067 } 3068 tp1->do_rtt = 0; 3069 } 3070 } 3071 } 3072 if (tp1->sent <= SCTP_DATAGRAM_RESEND) { 3073 if (SCTP_TSN_GT(tp1->rec.data.tsn, 3074 stcb->asoc.this_sack_highest_gap)) { 3075 stcb->asoc.this_sack_highest_gap = 3076 tp1->rec.data.tsn; 3077 } 3078 if (tp1->sent == SCTP_DATAGRAM_RESEND) { 3079 sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt); 3080 #ifdef SCTP_AUDITING_ENABLED 3081 sctp_audit_log(0xB2, 3082 (stcb->asoc.sent_queue_retran_cnt & 0x000000ff)); 3083 #endif 3084 } 3085 } 3086 /*- 3087 * All chunks NOT UNSENT fall through here and are marked 3088 * (leave PR-SCTP ones that are to skip alone though) 3089 */ 3090 if ((tp1->sent != SCTP_FORWARD_TSN_SKIP) && 3091 (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) { 3092 tp1->sent = SCTP_DATAGRAM_MARKED; 3093 } 3094 if (tp1->rec.data.chunk_was_revoked) { 3095 /* deflate the cwnd */ 3096 tp1->whoTo->cwnd -= tp1->book_size; 3097 tp1->rec.data.chunk_was_revoked = 0; 3098 } 3099 /* NR Sack code here */ 3100 if (nr_sacking && 3101 (tp1->sent != SCTP_DATAGRAM_NR_ACKED)) { 3102 if (stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues > 0) { 3103 stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues--; 3104 #ifdef INVARIANTS 3105 } else { 3106 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid); 3107 #endif 3108 } 3109 if ((stcb->asoc.strmout[tp1->rec.data.sid].chunks_on_queues == 0) && 3110 (stcb->asoc.strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) && 3111 TAILQ_EMPTY(&stcb->asoc.strmout[tp1->rec.data.sid].outqueue)) { 3112 stcb->asoc.trigger_reset = 1; 3113 } 3114 tp1->sent = SCTP_DATAGRAM_NR_ACKED; 3115 if (tp1->data) { 3116 /* 3117 * sa_ignore 3118 * NO_NULL_CHK 3119 */ 3120 sctp_free_bufspace(stcb, &stcb->asoc, tp1, 1); 3121 sctp_m_freem(tp1->data); 3122 tp1->data = NULL; 3123 } 3124 wake_him++; 3125 } 3126 } 3127 break; 3128 } /* if (tp1->tsn == theTSN) */ 3129 if (SCTP_TSN_GT(tp1->rec.data.tsn, theTSN)) { 3130 break; 3131 } 3132 tp1 = TAILQ_NEXT(tp1, sctp_next); 3133 if ((tp1 == NULL) && (circled == 0)) { 3134 circled++; 3135 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 3136 } 3137 } /* end while (tp1) */ 3138 if (tp1 == NULL) { 3139 circled = 0; 3140 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 3141 } 3142 /* In case the fragments were not in order we must reset */ 3143 } /* end for (j = fragStart */ 3144 *p_tp1 = tp1; 3145 return (wake_him); /* Return value only used for nr-sack */ 3146 } 3147 3148 3149 static int 3150 sctp_handle_segments(struct mbuf *m, int *offset, struct sctp_tcb *stcb, struct sctp_association *asoc, 3151 uint32_t last_tsn, uint32_t *biggest_tsn_acked, 3152 uint32_t *biggest_newly_acked_tsn, uint32_t *this_sack_lowest_newack, 3153 int num_seg, int num_nr_seg, int *rto_ok) 3154 { 3155 struct sctp_gap_ack_block *frag, block; 3156 struct sctp_tmit_chunk *tp1; 3157 int i; 3158 int num_frs = 0; 3159 int chunk_freed; 3160 int non_revocable; 3161 uint16_t frag_strt, frag_end, prev_frag_end; 3162 3163 tp1 = TAILQ_FIRST(&asoc->sent_queue); 3164 prev_frag_end = 0; 3165 chunk_freed = 0; 3166 3167 for (i = 0; i < (num_seg + num_nr_seg); i++) { 3168 if (i == num_seg) { 3169 prev_frag_end = 0; 3170 tp1 = TAILQ_FIRST(&asoc->sent_queue); 3171 } 3172 frag = (struct sctp_gap_ack_block *)sctp_m_getptr(m, *offset, 3173 sizeof(struct sctp_gap_ack_block), (uint8_t *)&block); 3174 *offset += sizeof(block); 3175 if (frag == NULL) { 3176 return (chunk_freed); 3177 } 3178 frag_strt = ntohs(frag->start); 3179 frag_end = ntohs(frag->end); 3180 3181 if (frag_strt > frag_end) { 3182 /* This gap report is malformed, skip it. */ 3183 continue; 3184 } 3185 if (frag_strt <= prev_frag_end) { 3186 /* This gap report is not in order, so restart. */ 3187 tp1 = TAILQ_FIRST(&asoc->sent_queue); 3188 } 3189 if (SCTP_TSN_GT((last_tsn + frag_end), *biggest_tsn_acked)) { 3190 *biggest_tsn_acked = last_tsn + frag_end; 3191 } 3192 if (i < num_seg) { 3193 non_revocable = 0; 3194 } else { 3195 non_revocable = 1; 3196 } 3197 if (sctp_process_segment_range(stcb, &tp1, last_tsn, frag_strt, frag_end, 3198 non_revocable, &num_frs, biggest_newly_acked_tsn, 3199 this_sack_lowest_newack, rto_ok)) { 3200 chunk_freed = 1; 3201 } 3202 prev_frag_end = frag_end; 3203 } 3204 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3205 if (num_frs) 3206 sctp_log_fr(*biggest_tsn_acked, 3207 *biggest_newly_acked_tsn, 3208 last_tsn, SCTP_FR_LOG_BIGGEST_TSNS); 3209 } 3210 return (chunk_freed); 3211 } 3212 3213 static void 3214 sctp_check_for_revoked(struct sctp_tcb *stcb, 3215 struct sctp_association *asoc, uint32_t cumack, 3216 uint32_t biggest_tsn_acked) 3217 { 3218 struct sctp_tmit_chunk *tp1; 3219 3220 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 3221 if (SCTP_TSN_GT(tp1->rec.data.tsn, cumack)) { 3222 /* 3223 * ok this guy is either ACK or MARKED. If it is 3224 * ACKED it has been previously acked but not this 3225 * time i.e. revoked. If it is MARKED it was ACK'ed 3226 * again. 3227 */ 3228 if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked)) { 3229 break; 3230 } 3231 if (tp1->sent == SCTP_DATAGRAM_ACKED) { 3232 /* it has been revoked */ 3233 tp1->sent = SCTP_DATAGRAM_SENT; 3234 tp1->rec.data.chunk_was_revoked = 1; 3235 /* 3236 * We must add this stuff back in to assure 3237 * timers and such get started. 3238 */ 3239 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3240 sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE, 3241 tp1->whoTo->flight_size, 3242 tp1->book_size, 3243 (uint32_t)(uintptr_t)tp1->whoTo, 3244 tp1->rec.data.tsn); 3245 } 3246 sctp_flight_size_increase(tp1); 3247 sctp_total_flight_increase(stcb, tp1); 3248 /* 3249 * We inflate the cwnd to compensate for our 3250 * artificial inflation of the flight_size. 3251 */ 3252 tp1->whoTo->cwnd += tp1->book_size; 3253 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 3254 sctp_log_sack(asoc->last_acked_seq, 3255 cumack, 3256 tp1->rec.data.tsn, 3257 0, 3258 0, 3259 SCTP_LOG_TSN_REVOKED); 3260 } 3261 } else if (tp1->sent == SCTP_DATAGRAM_MARKED) { 3262 /* it has been re-acked in this SACK */ 3263 tp1->sent = SCTP_DATAGRAM_ACKED; 3264 } 3265 } 3266 if (tp1->sent == SCTP_DATAGRAM_UNSENT) 3267 break; 3268 } 3269 } 3270 3271 3272 static void 3273 sctp_strike_gap_ack_chunks(struct sctp_tcb *stcb, struct sctp_association *asoc, 3274 uint32_t biggest_tsn_acked, uint32_t biggest_tsn_newly_acked, uint32_t this_sack_lowest_newack, int accum_moved) 3275 { 3276 struct sctp_tmit_chunk *tp1; 3277 int strike_flag = 0; 3278 struct timeval now; 3279 int tot_retrans = 0; 3280 uint32_t sending_seq; 3281 struct sctp_nets *net; 3282 int num_dests_sacked = 0; 3283 3284 /* 3285 * select the sending_seq, this is either the next thing ready to be 3286 * sent but not transmitted, OR, the next seq we assign. 3287 */ 3288 tp1 = TAILQ_FIRST(&stcb->asoc.send_queue); 3289 if (tp1 == NULL) { 3290 sending_seq = asoc->sending_seq; 3291 } else { 3292 sending_seq = tp1->rec.data.tsn; 3293 } 3294 3295 /* CMT DAC algo: finding out if SACK is a mixed SACK */ 3296 if ((asoc->sctp_cmt_on_off > 0) && 3297 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) { 3298 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 3299 if (net->saw_newack) 3300 num_dests_sacked++; 3301 } 3302 } 3303 if (stcb->asoc.prsctp_supported) { 3304 (void)SCTP_GETTIME_TIMEVAL(&now); 3305 } 3306 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 3307 strike_flag = 0; 3308 if (tp1->no_fr_allowed) { 3309 /* this one had a timeout or something */ 3310 continue; 3311 } 3312 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3313 if (tp1->sent < SCTP_DATAGRAM_RESEND) 3314 sctp_log_fr(biggest_tsn_newly_acked, 3315 tp1->rec.data.tsn, 3316 tp1->sent, 3317 SCTP_FR_LOG_CHECK_STRIKE); 3318 } 3319 if (SCTP_TSN_GT(tp1->rec.data.tsn, biggest_tsn_acked) || 3320 tp1->sent == SCTP_DATAGRAM_UNSENT) { 3321 /* done */ 3322 break; 3323 } 3324 if (stcb->asoc.prsctp_supported) { 3325 if ((PR_SCTP_TTL_ENABLED(tp1->flags)) && tp1->sent < SCTP_DATAGRAM_ACKED) { 3326 /* Is it expired? */ 3327 if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) { 3328 /* Yes so drop it */ 3329 if (tp1->data != NULL) { 3330 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1, 3331 SCTP_SO_NOT_LOCKED); 3332 } 3333 continue; 3334 } 3335 } 3336 } 3337 if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->this_sack_highest_gap)) { 3338 /* we are beyond the tsn in the sack */ 3339 break; 3340 } 3341 if (tp1->sent >= SCTP_DATAGRAM_RESEND) { 3342 /* either a RESEND, ACKED, or MARKED */ 3343 /* skip */ 3344 if (tp1->sent == SCTP_FORWARD_TSN_SKIP) { 3345 /* Continue strikin FWD-TSN chunks */ 3346 tp1->rec.data.fwd_tsn_cnt++; 3347 } 3348 continue; 3349 } 3350 /* 3351 * CMT : SFR algo (covers part of DAC and HTNA as well) 3352 */ 3353 if (tp1->whoTo && tp1->whoTo->saw_newack == 0) { 3354 /* 3355 * No new acks were receieved for data sent to this 3356 * dest. Therefore, according to the SFR algo for 3357 * CMT, no data sent to this dest can be marked for 3358 * FR using this SACK. 3359 */ 3360 continue; 3361 } else if (tp1->whoTo && SCTP_TSN_GT(tp1->rec.data.tsn, 3362 tp1->whoTo->this_sack_highest_newack)) { 3363 /* 3364 * CMT: New acks were receieved for data sent to 3365 * this dest. But no new acks were seen for data 3366 * sent after tp1. Therefore, according to the SFR 3367 * algo for CMT, tp1 cannot be marked for FR using 3368 * this SACK. This step covers part of the DAC algo 3369 * and the HTNA algo as well. 3370 */ 3371 continue; 3372 } 3373 /* 3374 * Here we check to see if we were have already done a FR 3375 * and if so we see if the biggest TSN we saw in the sack is 3376 * smaller than the recovery point. If so we don't strike 3377 * the tsn... otherwise we CAN strike the TSN. 3378 */ 3379 /* 3380 * @@@ JRI: Check for CMT if (accum_moved && 3381 * asoc->fast_retran_loss_recovery && (sctp_cmt_on_off == 3382 * 0)) { 3383 */ 3384 if (accum_moved && asoc->fast_retran_loss_recovery) { 3385 /* 3386 * Strike the TSN if in fast-recovery and cum-ack 3387 * moved. 3388 */ 3389 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3390 sctp_log_fr(biggest_tsn_newly_acked, 3391 tp1->rec.data.tsn, 3392 tp1->sent, 3393 SCTP_FR_LOG_STRIKE_CHUNK); 3394 } 3395 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3396 tp1->sent++; 3397 } 3398 if ((asoc->sctp_cmt_on_off > 0) && 3399 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) { 3400 /* 3401 * CMT DAC algorithm: If SACK flag is set to 3402 * 0, then lowest_newack test will not pass 3403 * because it would have been set to the 3404 * cumack earlier. If not already to be 3405 * rtx'd, If not a mixed sack and if tp1 is 3406 * not between two sacked TSNs, then mark by 3407 * one more. NOTE that we are marking by one 3408 * additional time since the SACK DAC flag 3409 * indicates that two packets have been 3410 * received after this missing TSN. 3411 */ 3412 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) && 3413 SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) { 3414 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3415 sctp_log_fr(16 + num_dests_sacked, 3416 tp1->rec.data.tsn, 3417 tp1->sent, 3418 SCTP_FR_LOG_STRIKE_CHUNK); 3419 } 3420 tp1->sent++; 3421 } 3422 } 3423 } else if ((tp1->rec.data.doing_fast_retransmit) && 3424 (asoc->sctp_cmt_on_off == 0)) { 3425 /* 3426 * For those that have done a FR we must take 3427 * special consideration if we strike. I.e the 3428 * biggest_newly_acked must be higher than the 3429 * sending_seq at the time we did the FR. 3430 */ 3431 if ( 3432 #ifdef SCTP_FR_TO_ALTERNATE 3433 /* 3434 * If FR's go to new networks, then we must only do 3435 * this for singly homed asoc's. However if the FR's 3436 * go to the same network (Armando's work) then its 3437 * ok to FR multiple times. 3438 */ 3439 (asoc->numnets < 2) 3440 #else 3441 (1) 3442 #endif 3443 ) { 3444 3445 if (SCTP_TSN_GE(biggest_tsn_newly_acked, 3446 tp1->rec.data.fast_retran_tsn)) { 3447 /* 3448 * Strike the TSN, since this ack is 3449 * beyond where things were when we 3450 * did a FR. 3451 */ 3452 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3453 sctp_log_fr(biggest_tsn_newly_acked, 3454 tp1->rec.data.tsn, 3455 tp1->sent, 3456 SCTP_FR_LOG_STRIKE_CHUNK); 3457 } 3458 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3459 tp1->sent++; 3460 } 3461 strike_flag = 1; 3462 if ((asoc->sctp_cmt_on_off > 0) && 3463 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) { 3464 /* 3465 * CMT DAC algorithm: If 3466 * SACK flag is set to 0, 3467 * then lowest_newack test 3468 * will not pass because it 3469 * would have been set to 3470 * the cumack earlier. If 3471 * not already to be rtx'd, 3472 * If not a mixed sack and 3473 * if tp1 is not between two 3474 * sacked TSNs, then mark by 3475 * one more. NOTE that we 3476 * are marking by one 3477 * additional time since the 3478 * SACK DAC flag indicates 3479 * that two packets have 3480 * been received after this 3481 * missing TSN. 3482 */ 3483 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && 3484 (num_dests_sacked == 1) && 3485 SCTP_TSN_GT(this_sack_lowest_newack, 3486 tp1->rec.data.tsn)) { 3487 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3488 sctp_log_fr(32 + num_dests_sacked, 3489 tp1->rec.data.tsn, 3490 tp1->sent, 3491 SCTP_FR_LOG_STRIKE_CHUNK); 3492 } 3493 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3494 tp1->sent++; 3495 } 3496 } 3497 } 3498 } 3499 } 3500 /* 3501 * JRI: TODO: remove code for HTNA algo. CMT's SFR 3502 * algo covers HTNA. 3503 */ 3504 } else if (SCTP_TSN_GT(tp1->rec.data.tsn, 3505 biggest_tsn_newly_acked)) { 3506 /* 3507 * We don't strike these: This is the HTNA 3508 * algorithm i.e. we don't strike If our TSN is 3509 * larger than the Highest TSN Newly Acked. 3510 */ 3511 ; 3512 } else { 3513 /* Strike the TSN */ 3514 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3515 sctp_log_fr(biggest_tsn_newly_acked, 3516 tp1->rec.data.tsn, 3517 tp1->sent, 3518 SCTP_FR_LOG_STRIKE_CHUNK); 3519 } 3520 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3521 tp1->sent++; 3522 } 3523 if ((asoc->sctp_cmt_on_off > 0) && 3524 SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) { 3525 /* 3526 * CMT DAC algorithm: If SACK flag is set to 3527 * 0, then lowest_newack test will not pass 3528 * because it would have been set to the 3529 * cumack earlier. If not already to be 3530 * rtx'd, If not a mixed sack and if tp1 is 3531 * not between two sacked TSNs, then mark by 3532 * one more. NOTE that we are marking by one 3533 * additional time since the SACK DAC flag 3534 * indicates that two packets have been 3535 * received after this missing TSN. 3536 */ 3537 if ((tp1->sent < SCTP_DATAGRAM_RESEND) && (num_dests_sacked == 1) && 3538 SCTP_TSN_GT(this_sack_lowest_newack, tp1->rec.data.tsn)) { 3539 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3540 sctp_log_fr(48 + num_dests_sacked, 3541 tp1->rec.data.tsn, 3542 tp1->sent, 3543 SCTP_FR_LOG_STRIKE_CHUNK); 3544 } 3545 tp1->sent++; 3546 } 3547 } 3548 } 3549 if (tp1->sent == SCTP_DATAGRAM_RESEND) { 3550 struct sctp_nets *alt; 3551 3552 /* fix counts and things */ 3553 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3554 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_RSND, 3555 (tp1->whoTo ? (tp1->whoTo->flight_size) : 0), 3556 tp1->book_size, 3557 (uint32_t)(uintptr_t)tp1->whoTo, 3558 tp1->rec.data.tsn); 3559 } 3560 if (tp1->whoTo) { 3561 tp1->whoTo->net_ack++; 3562 sctp_flight_size_decrease(tp1); 3563 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 3564 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 3565 tp1); 3566 } 3567 } 3568 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) { 3569 sctp_log_rwnd(SCTP_INCREASE_PEER_RWND, 3570 asoc->peers_rwnd, tp1->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)); 3571 } 3572 /* add back to the rwnd */ 3573 asoc->peers_rwnd += (tp1->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)); 3574 3575 /* remove from the total flight */ 3576 sctp_total_flight_decrease(stcb, tp1); 3577 3578 if ((stcb->asoc.prsctp_supported) && 3579 (PR_SCTP_RTX_ENABLED(tp1->flags))) { 3580 /* 3581 * Has it been retransmitted tv_sec times? - 3582 * we store the retran count there. 3583 */ 3584 if (tp1->snd_count > tp1->rec.data.timetodrop.tv_sec) { 3585 /* Yes, so drop it */ 3586 if (tp1->data != NULL) { 3587 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 1, 3588 SCTP_SO_NOT_LOCKED); 3589 } 3590 /* Make sure to flag we had a FR */ 3591 tp1->whoTo->net_ack++; 3592 continue; 3593 } 3594 } 3595 /* 3596 * SCTP_PRINTF("OK, we are now ready to FR this 3597 * guy\n"); 3598 */ 3599 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE) { 3600 sctp_log_fr(tp1->rec.data.tsn, tp1->snd_count, 3601 0, SCTP_FR_MARKED); 3602 } 3603 if (strike_flag) { 3604 /* This is a subsequent FR */ 3605 SCTP_STAT_INCR(sctps_sendmultfastretrans); 3606 } 3607 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 3608 if (asoc->sctp_cmt_on_off > 0) { 3609 /* 3610 * CMT: Using RTX_SSTHRESH policy for CMT. 3611 * If CMT is being used, then pick dest with 3612 * largest ssthresh for any retransmission. 3613 */ 3614 tp1->no_fr_allowed = 1; 3615 alt = tp1->whoTo; 3616 /* sa_ignore NO_NULL_CHK */ 3617 if (asoc->sctp_cmt_pf > 0) { 3618 /* 3619 * JRS 5/18/07 - If CMT PF is on, 3620 * use the PF version of 3621 * find_alt_net() 3622 */ 3623 alt = sctp_find_alternate_net(stcb, alt, 2); 3624 } else { 3625 /* 3626 * JRS 5/18/07 - If only CMT is on, 3627 * use the CMT version of 3628 * find_alt_net() 3629 */ 3630 /* sa_ignore NO_NULL_CHK */ 3631 alt = sctp_find_alternate_net(stcb, alt, 1); 3632 } 3633 if (alt == NULL) { 3634 alt = tp1->whoTo; 3635 } 3636 /* 3637 * CUCv2: If a different dest is picked for 3638 * the retransmission, then new 3639 * (rtx-)pseudo_cumack needs to be tracked 3640 * for orig dest. Let CUCv2 track new (rtx-) 3641 * pseudo-cumack always. 3642 */ 3643 if (tp1->whoTo) { 3644 tp1->whoTo->find_pseudo_cumack = 1; 3645 tp1->whoTo->find_rtx_pseudo_cumack = 1; 3646 } 3647 } else {/* CMT is OFF */ 3648 3649 #ifdef SCTP_FR_TO_ALTERNATE 3650 /* Can we find an alternate? */ 3651 alt = sctp_find_alternate_net(stcb, tp1->whoTo, 0); 3652 #else 3653 /* 3654 * default behavior is to NOT retransmit 3655 * FR's to an alternate. Armando Caro's 3656 * paper details why. 3657 */ 3658 alt = tp1->whoTo; 3659 #endif 3660 } 3661 3662 tp1->rec.data.doing_fast_retransmit = 1; 3663 tot_retrans++; 3664 /* mark the sending seq for possible subsequent FR's */ 3665 /* 3666 * SCTP_PRINTF("Marking TSN for FR new value %x\n", 3667 * (uint32_t)tpi->rec.data.tsn); 3668 */ 3669 if (TAILQ_EMPTY(&asoc->send_queue)) { 3670 /* 3671 * If the queue of send is empty then its 3672 * the next sequence number that will be 3673 * assigned so we subtract one from this to 3674 * get the one we last sent. 3675 */ 3676 tp1->rec.data.fast_retran_tsn = sending_seq; 3677 } else { 3678 /* 3679 * If there are chunks on the send queue 3680 * (unsent data that has made it from the 3681 * stream queues but not out the door, we 3682 * take the first one (which will have the 3683 * lowest TSN) and subtract one to get the 3684 * one we last sent. 3685 */ 3686 struct sctp_tmit_chunk *ttt; 3687 3688 ttt = TAILQ_FIRST(&asoc->send_queue); 3689 tp1->rec.data.fast_retran_tsn = 3690 ttt->rec.data.tsn; 3691 } 3692 3693 if (tp1->do_rtt) { 3694 /* 3695 * this guy had a RTO calculation pending on 3696 * it, cancel it 3697 */ 3698 if ((tp1->whoTo != NULL) && 3699 (tp1->whoTo->rto_needed == 0)) { 3700 tp1->whoTo->rto_needed = 1; 3701 } 3702 tp1->do_rtt = 0; 3703 } 3704 if (alt != tp1->whoTo) { 3705 /* yes, there is an alternate. */ 3706 sctp_free_remote_addr(tp1->whoTo); 3707 /* sa_ignore FREED_MEMORY */ 3708 tp1->whoTo = alt; 3709 atomic_add_int(&alt->ref_count, 1); 3710 } 3711 } 3712 } 3713 } 3714 3715 struct sctp_tmit_chunk * 3716 sctp_try_advance_peer_ack_point(struct sctp_tcb *stcb, 3717 struct sctp_association *asoc) 3718 { 3719 struct sctp_tmit_chunk *tp1, *tp2, *a_adv = NULL; 3720 struct timeval now; 3721 int now_filled = 0; 3722 3723 if (asoc->prsctp_supported == 0) { 3724 return (NULL); 3725 } 3726 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) { 3727 if (tp1->sent != SCTP_FORWARD_TSN_SKIP && 3728 tp1->sent != SCTP_DATAGRAM_RESEND && 3729 tp1->sent != SCTP_DATAGRAM_NR_ACKED) { 3730 /* no chance to advance, out of here */ 3731 break; 3732 } 3733 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) { 3734 if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) || 3735 (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) { 3736 sctp_misc_ints(SCTP_FWD_TSN_CHECK, 3737 asoc->advanced_peer_ack_point, 3738 tp1->rec.data.tsn, 0, 0); 3739 } 3740 } 3741 if (!PR_SCTP_ENABLED(tp1->flags)) { 3742 /* 3743 * We can't fwd-tsn past any that are reliable aka 3744 * retransmitted until the asoc fails. 3745 */ 3746 break; 3747 } 3748 if (!now_filled) { 3749 (void)SCTP_GETTIME_TIMEVAL(&now); 3750 now_filled = 1; 3751 } 3752 /* 3753 * now we got a chunk which is marked for another 3754 * retransmission to a PR-stream but has run out its chances 3755 * already maybe OR has been marked to skip now. Can we skip 3756 * it if its a resend? 3757 */ 3758 if (tp1->sent == SCTP_DATAGRAM_RESEND && 3759 (PR_SCTP_TTL_ENABLED(tp1->flags))) { 3760 /* 3761 * Now is this one marked for resend and its time is 3762 * now up? 3763 */ 3764 if (timevalcmp(&now, &tp1->rec.data.timetodrop, >)) { 3765 /* Yes so drop it */ 3766 if (tp1->data) { 3767 (void)sctp_release_pr_sctp_chunk(stcb, tp1, 3768 1, SCTP_SO_NOT_LOCKED); 3769 } 3770 } else { 3771 /* 3772 * No, we are done when hit one for resend 3773 * whos time as not expired. 3774 */ 3775 break; 3776 } 3777 } 3778 /* 3779 * Ok now if this chunk is marked to drop it we can clean up 3780 * the chunk, advance our peer ack point and we can check 3781 * the next chunk. 3782 */ 3783 if ((tp1->sent == SCTP_FORWARD_TSN_SKIP) || 3784 (tp1->sent == SCTP_DATAGRAM_NR_ACKED)) { 3785 /* advance PeerAckPoint goes forward */ 3786 if (SCTP_TSN_GT(tp1->rec.data.tsn, asoc->advanced_peer_ack_point)) { 3787 asoc->advanced_peer_ack_point = tp1->rec.data.tsn; 3788 a_adv = tp1; 3789 } else if (tp1->rec.data.tsn == asoc->advanced_peer_ack_point) { 3790 /* No update but we do save the chk */ 3791 a_adv = tp1; 3792 } 3793 } else { 3794 /* 3795 * If it is still in RESEND we can advance no 3796 * further 3797 */ 3798 break; 3799 } 3800 } 3801 return (a_adv); 3802 } 3803 3804 static int 3805 sctp_fs_audit(struct sctp_association *asoc) 3806 { 3807 struct sctp_tmit_chunk *chk; 3808 int inflight = 0, resend = 0, inbetween = 0, acked = 0, above = 0; 3809 int ret; 3810 #ifndef INVARIANTS 3811 int entry_flight, entry_cnt; 3812 #endif 3813 3814 ret = 0; 3815 #ifndef INVARIANTS 3816 entry_flight = asoc->total_flight; 3817 entry_cnt = asoc->total_flight_count; 3818 #endif 3819 if (asoc->pr_sctp_cnt >= asoc->sent_queue_cnt) 3820 return (0); 3821 3822 TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) { 3823 if (chk->sent < SCTP_DATAGRAM_RESEND) { 3824 SCTP_PRINTF("Chk TSN: %u size: %d inflight cnt: %d\n", 3825 chk->rec.data.tsn, 3826 chk->send_size, 3827 chk->snd_count); 3828 inflight++; 3829 } else if (chk->sent == SCTP_DATAGRAM_RESEND) { 3830 resend++; 3831 } else if (chk->sent < SCTP_DATAGRAM_ACKED) { 3832 inbetween++; 3833 } else if (chk->sent > SCTP_DATAGRAM_ACKED) { 3834 above++; 3835 } else { 3836 acked++; 3837 } 3838 } 3839 3840 if ((inflight > 0) || (inbetween > 0)) { 3841 #ifdef INVARIANTS 3842 panic("Flight size-express incorrect? \n"); 3843 #else 3844 SCTP_PRINTF("asoc->total_flight: %d cnt: %d\n", 3845 entry_flight, entry_cnt); 3846 3847 SCTP_PRINTF("Flight size-express incorrect F: %d I: %d R: %d Ab: %d ACK: %d\n", 3848 inflight, inbetween, resend, above, acked); 3849 ret = 1; 3850 #endif 3851 } 3852 return (ret); 3853 } 3854 3855 3856 static void 3857 sctp_window_probe_recovery(struct sctp_tcb *stcb, 3858 struct sctp_association *asoc, 3859 struct sctp_tmit_chunk *tp1) 3860 { 3861 tp1->window_probe = 0; 3862 if ((tp1->sent >= SCTP_DATAGRAM_ACKED) || (tp1->data == NULL)) { 3863 /* TSN's skipped we do NOT move back. */ 3864 sctp_misc_ints(SCTP_FLIGHT_LOG_DWN_WP_FWD, 3865 tp1->whoTo ? tp1->whoTo->flight_size : 0, 3866 tp1->book_size, 3867 (uint32_t)(uintptr_t)tp1->whoTo, 3868 tp1->rec.data.tsn); 3869 return; 3870 } 3871 /* First setup this by shrinking flight */ 3872 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 3873 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 3874 tp1); 3875 } 3876 sctp_flight_size_decrease(tp1); 3877 sctp_total_flight_decrease(stcb, tp1); 3878 /* Now mark for resend */ 3879 tp1->sent = SCTP_DATAGRAM_RESEND; 3880 sctp_ucount_incr(asoc->sent_queue_retran_cnt); 3881 3882 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3883 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_WP, 3884 tp1->whoTo->flight_size, 3885 tp1->book_size, 3886 (uint32_t)(uintptr_t)tp1->whoTo, 3887 tp1->rec.data.tsn); 3888 } 3889 } 3890 3891 void 3892 sctp_express_handle_sack(struct sctp_tcb *stcb, uint32_t cumack, 3893 uint32_t rwnd, int *abort_now, int ecne_seen) 3894 { 3895 struct sctp_nets *net; 3896 struct sctp_association *asoc; 3897 struct sctp_tmit_chunk *tp1, *tp2; 3898 uint32_t old_rwnd; 3899 int win_probe_recovery = 0; 3900 int win_probe_recovered = 0; 3901 int j, done_once = 0; 3902 int rto_ok = 1; 3903 uint32_t send_s; 3904 3905 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) { 3906 sctp_misc_ints(SCTP_SACK_LOG_EXPRESS, cumack, 3907 rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd); 3908 } 3909 SCTP_TCB_LOCK_ASSERT(stcb); 3910 #ifdef SCTP_ASOCLOG_OF_TSNS 3911 stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cumack; 3912 stcb->asoc.cumack_log_at++; 3913 if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) { 3914 stcb->asoc.cumack_log_at = 0; 3915 } 3916 #endif 3917 asoc = &stcb->asoc; 3918 old_rwnd = asoc->peers_rwnd; 3919 if (SCTP_TSN_GT(asoc->last_acked_seq, cumack)) { 3920 /* old ack */ 3921 return; 3922 } else if (asoc->last_acked_seq == cumack) { 3923 /* Window update sack */ 3924 asoc->peers_rwnd = sctp_sbspace_sub(rwnd, 3925 (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)))); 3926 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3927 /* SWS sender side engages */ 3928 asoc->peers_rwnd = 0; 3929 } 3930 if (asoc->peers_rwnd > old_rwnd) { 3931 goto again; 3932 } 3933 return; 3934 } 3935 /* First setup for CC stuff */ 3936 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 3937 if (SCTP_TSN_GT(cumack, net->cwr_window_tsn)) { 3938 /* Drag along the window_tsn for cwr's */ 3939 net->cwr_window_tsn = cumack; 3940 } 3941 net->prev_cwnd = net->cwnd; 3942 net->net_ack = 0; 3943 net->net_ack2 = 0; 3944 3945 /* 3946 * CMT: Reset CUC and Fast recovery algo variables before 3947 * SACK processing 3948 */ 3949 net->new_pseudo_cumack = 0; 3950 net->will_exit_fast_recovery = 0; 3951 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) { 3952 (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) (stcb, net); 3953 } 3954 } 3955 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 3956 tp1 = TAILQ_LAST(&asoc->sent_queue, 3957 sctpchunk_listhead); 3958 send_s = tp1->rec.data.tsn + 1; 3959 } else { 3960 send_s = asoc->sending_seq; 3961 } 3962 if (SCTP_TSN_GE(cumack, send_s)) { 3963 struct mbuf *op_err; 3964 char msg[SCTP_DIAG_INFO_LEN]; 3965 3966 *abort_now = 1; 3967 /* XXX */ 3968 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal than TSN %8.8x", 3969 cumack, send_s); 3970 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 3971 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_21; 3972 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 3973 return; 3974 } 3975 asoc->this_sack_highest_gap = cumack; 3976 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 3977 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 3978 stcb->asoc.overall_error_count, 3979 0, 3980 SCTP_FROM_SCTP_INDATA, 3981 __LINE__); 3982 } 3983 stcb->asoc.overall_error_count = 0; 3984 if (SCTP_TSN_GT(cumack, asoc->last_acked_seq)) { 3985 /* process the new consecutive TSN first */ 3986 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) { 3987 if (SCTP_TSN_GE(cumack, tp1->rec.data.tsn)) { 3988 if (tp1->sent == SCTP_DATAGRAM_UNSENT) { 3989 SCTP_PRINTF("Warning, an unsent is now acked?\n"); 3990 } 3991 if (tp1->sent < SCTP_DATAGRAM_ACKED) { 3992 /* 3993 * If it is less than ACKED, it is 3994 * now no-longer in flight. Higher 3995 * values may occur during marking 3996 */ 3997 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 3998 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 3999 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA, 4000 tp1->whoTo->flight_size, 4001 tp1->book_size, 4002 (uint32_t)(uintptr_t)tp1->whoTo, 4003 tp1->rec.data.tsn); 4004 } 4005 sctp_flight_size_decrease(tp1); 4006 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 4007 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 4008 tp1); 4009 } 4010 /* sa_ignore NO_NULL_CHK */ 4011 sctp_total_flight_decrease(stcb, tp1); 4012 } 4013 tp1->whoTo->net_ack += tp1->send_size; 4014 if (tp1->snd_count < 2) { 4015 /* 4016 * True non-retransmited 4017 * chunk 4018 */ 4019 tp1->whoTo->net_ack2 += 4020 tp1->send_size; 4021 4022 /* update RTO too? */ 4023 if (tp1->do_rtt) { 4024 if (rto_ok) { 4025 tp1->whoTo->RTO = 4026 /* 4027 * sa_ignore 4028 * NO_NULL_CHK 4029 */ 4030 sctp_calculate_rto(stcb, 4031 asoc, tp1->whoTo, 4032 &tp1->sent_rcv_time, 4033 sctp_align_safe_nocopy, 4034 SCTP_RTT_FROM_DATA); 4035 rto_ok = 0; 4036 } 4037 if (tp1->whoTo->rto_needed == 0) { 4038 tp1->whoTo->rto_needed = 1; 4039 } 4040 tp1->do_rtt = 0; 4041 } 4042 } 4043 /* 4044 * CMT: CUCv2 algorithm. From the 4045 * cumack'd TSNs, for each TSN being 4046 * acked for the first time, set the 4047 * following variables for the 4048 * corresp destination. 4049 * new_pseudo_cumack will trigger a 4050 * cwnd update. 4051 * find_(rtx_)pseudo_cumack will 4052 * trigger search for the next 4053 * expected (rtx-)pseudo-cumack. 4054 */ 4055 tp1->whoTo->new_pseudo_cumack = 1; 4056 tp1->whoTo->find_pseudo_cumack = 1; 4057 tp1->whoTo->find_rtx_pseudo_cumack = 1; 4058 4059 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) { 4060 /* sa_ignore NO_NULL_CHK */ 4061 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK); 4062 } 4063 } 4064 if (tp1->sent == SCTP_DATAGRAM_RESEND) { 4065 sctp_ucount_decr(asoc->sent_queue_retran_cnt); 4066 } 4067 if (tp1->rec.data.chunk_was_revoked) { 4068 /* deflate the cwnd */ 4069 tp1->whoTo->cwnd -= tp1->book_size; 4070 tp1->rec.data.chunk_was_revoked = 0; 4071 } 4072 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) { 4073 if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) { 4074 asoc->strmout[tp1->rec.data.sid].chunks_on_queues--; 4075 #ifdef INVARIANTS 4076 } else { 4077 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid); 4078 #endif 4079 } 4080 } 4081 if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) && 4082 (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) && 4083 TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) { 4084 asoc->trigger_reset = 1; 4085 } 4086 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next); 4087 if (tp1->data) { 4088 /* sa_ignore NO_NULL_CHK */ 4089 sctp_free_bufspace(stcb, asoc, tp1, 1); 4090 sctp_m_freem(tp1->data); 4091 tp1->data = NULL; 4092 } 4093 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 4094 sctp_log_sack(asoc->last_acked_seq, 4095 cumack, 4096 tp1->rec.data.tsn, 4097 0, 4098 0, 4099 SCTP_LOG_FREE_SENT); 4100 } 4101 asoc->sent_queue_cnt--; 4102 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED); 4103 } else { 4104 break; 4105 } 4106 } 4107 4108 } 4109 /* sa_ignore NO_NULL_CHK */ 4110 if (stcb->sctp_socket) { 4111 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4112 struct socket *so; 4113 4114 #endif 4115 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd); 4116 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) { 4117 /* sa_ignore NO_NULL_CHK */ 4118 sctp_wakeup_log(stcb, 1, SCTP_WAKESND_FROM_SACK); 4119 } 4120 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4121 so = SCTP_INP_SO(stcb->sctp_ep); 4122 atomic_add_int(&stcb->asoc.refcnt, 1); 4123 SCTP_TCB_UNLOCK(stcb); 4124 SCTP_SOCKET_LOCK(so, 1); 4125 SCTP_TCB_LOCK(stcb); 4126 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4127 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 4128 /* assoc was freed while we were unlocked */ 4129 SCTP_SOCKET_UNLOCK(so, 1); 4130 return; 4131 } 4132 #endif 4133 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket); 4134 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4135 SCTP_SOCKET_UNLOCK(so, 1); 4136 #endif 4137 } else { 4138 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) { 4139 sctp_wakeup_log(stcb, 1, SCTP_NOWAKE_FROM_SACK); 4140 } 4141 } 4142 4143 /* JRS - Use the congestion control given in the CC module */ 4144 if ((asoc->last_acked_seq != cumack) && (ecne_seen == 0)) { 4145 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4146 if (net->net_ack2 > 0) { 4147 /* 4148 * Karn's rule applies to clearing error 4149 * count, this is optional. 4150 */ 4151 net->error_count = 0; 4152 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) { 4153 /* addr came good */ 4154 net->dest_state |= SCTP_ADDR_REACHABLE; 4155 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 4156 0, (void *)net, SCTP_SO_NOT_LOCKED); 4157 } 4158 if (net == stcb->asoc.primary_destination) { 4159 if (stcb->asoc.alternate) { 4160 /* 4161 * release the alternate, 4162 * primary is good 4163 */ 4164 sctp_free_remote_addr(stcb->asoc.alternate); 4165 stcb->asoc.alternate = NULL; 4166 } 4167 } 4168 if (net->dest_state & SCTP_ADDR_PF) { 4169 net->dest_state &= ~SCTP_ADDR_PF; 4170 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, 4171 stcb->sctp_ep, stcb, net, 4172 SCTP_FROM_SCTP_INDATA + SCTP_LOC_22); 4173 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net); 4174 asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net); 4175 /* Done with this net */ 4176 net->net_ack = 0; 4177 } 4178 /* restore any doubled timers */ 4179 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv; 4180 if (net->RTO < stcb->asoc.minrto) { 4181 net->RTO = stcb->asoc.minrto; 4182 } 4183 if (net->RTO > stcb->asoc.maxrto) { 4184 net->RTO = stcb->asoc.maxrto; 4185 } 4186 } 4187 } 4188 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, 1, 0, 0); 4189 } 4190 asoc->last_acked_seq = cumack; 4191 4192 if (TAILQ_EMPTY(&asoc->sent_queue)) { 4193 /* nothing left in-flight */ 4194 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4195 net->flight_size = 0; 4196 net->partial_bytes_acked = 0; 4197 } 4198 asoc->total_flight = 0; 4199 asoc->total_flight_count = 0; 4200 } 4201 /* RWND update */ 4202 asoc->peers_rwnd = sctp_sbspace_sub(rwnd, 4203 (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)))); 4204 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4205 /* SWS sender side engages */ 4206 asoc->peers_rwnd = 0; 4207 } 4208 if (asoc->peers_rwnd > old_rwnd) { 4209 win_probe_recovery = 1; 4210 } 4211 /* Now assure a timer where data is queued at */ 4212 again: 4213 j = 0; 4214 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4215 if (win_probe_recovery && (net->window_probe)) { 4216 win_probe_recovered = 1; 4217 /* 4218 * Find first chunk that was used with window probe 4219 * and clear the sent 4220 */ 4221 /* sa_ignore FREED_MEMORY */ 4222 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 4223 if (tp1->window_probe) { 4224 /* move back to data send queue */ 4225 sctp_window_probe_recovery(stcb, asoc, tp1); 4226 break; 4227 } 4228 } 4229 } 4230 if (net->flight_size) { 4231 j++; 4232 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net); 4233 if (net->window_probe) { 4234 net->window_probe = 0; 4235 } 4236 } else { 4237 if (net->window_probe) { 4238 /* 4239 * In window probes we must assure a timer 4240 * is still running there 4241 */ 4242 net->window_probe = 0; 4243 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 4244 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, stcb, net); 4245 } 4246 } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 4247 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 4248 stcb, net, 4249 SCTP_FROM_SCTP_INDATA + SCTP_LOC_23); 4250 } 4251 } 4252 } 4253 if ((j == 0) && 4254 (!TAILQ_EMPTY(&asoc->sent_queue)) && 4255 (asoc->sent_queue_retran_cnt == 0) && 4256 (win_probe_recovered == 0) && 4257 (done_once == 0)) { 4258 /* 4259 * huh, this should not happen unless all packets are 4260 * PR-SCTP and marked to skip of course. 4261 */ 4262 if (sctp_fs_audit(asoc)) { 4263 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4264 net->flight_size = 0; 4265 } 4266 asoc->total_flight = 0; 4267 asoc->total_flight_count = 0; 4268 asoc->sent_queue_retran_cnt = 0; 4269 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 4270 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 4271 sctp_flight_size_increase(tp1); 4272 sctp_total_flight_increase(stcb, tp1); 4273 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) { 4274 sctp_ucount_incr(asoc->sent_queue_retran_cnt); 4275 } 4276 } 4277 } 4278 done_once = 1; 4279 goto again; 4280 } 4281 /**********************************/ 4282 /* Now what about shutdown issues */ 4283 /**********************************/ 4284 if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) { 4285 /* nothing left on sendqueue.. consider done */ 4286 /* clean up */ 4287 if ((asoc->stream_queue_cnt == 1) && 4288 ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) || 4289 (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED)) && 4290 ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc))) { 4291 asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT; 4292 } 4293 if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) || 4294 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) && 4295 (asoc->stream_queue_cnt == 1) && 4296 (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) { 4297 struct mbuf *op_err; 4298 4299 *abort_now = 1; 4300 /* XXX */ 4301 op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, ""); 4302 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_24; 4303 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 4304 return; 4305 } 4306 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) && 4307 (asoc->stream_queue_cnt == 0)) { 4308 struct sctp_nets *netp; 4309 4310 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 4311 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 4312 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 4313 } 4314 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT); 4315 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 4316 sctp_stop_timers_for_shutdown(stcb); 4317 if (asoc->alternate) { 4318 netp = asoc->alternate; 4319 } else { 4320 netp = asoc->primary_destination; 4321 } 4322 sctp_send_shutdown(stcb, netp); 4323 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, 4324 stcb->sctp_ep, stcb, netp); 4325 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 4326 stcb->sctp_ep, stcb, netp); 4327 } else if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) && 4328 (asoc->stream_queue_cnt == 0)) { 4329 struct sctp_nets *netp; 4330 4331 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 4332 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT); 4333 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 4334 sctp_stop_timers_for_shutdown(stcb); 4335 if (asoc->alternate) { 4336 netp = asoc->alternate; 4337 } else { 4338 netp = asoc->primary_destination; 4339 } 4340 sctp_send_shutdown_ack(stcb, netp); 4341 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, 4342 stcb->sctp_ep, stcb, netp); 4343 } 4344 } 4345 /*********************************************/ 4346 /* Here we perform PR-SCTP procedures */ 4347 /* (section 4.2) */ 4348 /*********************************************/ 4349 /* C1. update advancedPeerAckPoint */ 4350 if (SCTP_TSN_GT(cumack, asoc->advanced_peer_ack_point)) { 4351 asoc->advanced_peer_ack_point = cumack; 4352 } 4353 /* PR-Sctp issues need to be addressed too */ 4354 if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) { 4355 struct sctp_tmit_chunk *lchk; 4356 uint32_t old_adv_peer_ack_point; 4357 4358 old_adv_peer_ack_point = asoc->advanced_peer_ack_point; 4359 lchk = sctp_try_advance_peer_ack_point(stcb, asoc); 4360 /* C3. See if we need to send a Fwd-TSN */ 4361 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cumack)) { 4362 /* 4363 * ISSUE with ECN, see FWD-TSN processing. 4364 */ 4365 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) { 4366 send_forward_tsn(stcb, asoc); 4367 } else if (lchk) { 4368 /* try to FR fwd-tsn's that get lost too */ 4369 if (lchk->rec.data.fwd_tsn_cnt >= 3) { 4370 send_forward_tsn(stcb, asoc); 4371 } 4372 } 4373 } 4374 if (lchk) { 4375 /* Assure a timer is up */ 4376 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4377 stcb->sctp_ep, stcb, lchk->whoTo); 4378 } 4379 } 4380 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) { 4381 sctp_misc_ints(SCTP_SACK_RWND_UPDATE, 4382 rwnd, 4383 stcb->asoc.peers_rwnd, 4384 stcb->asoc.total_flight, 4385 stcb->asoc.total_output_queue_size); 4386 } 4387 } 4388 4389 void 4390 sctp_handle_sack(struct mbuf *m, int offset_seg, int offset_dup, 4391 struct sctp_tcb *stcb, 4392 uint16_t num_seg, uint16_t num_nr_seg, uint16_t num_dup, 4393 int *abort_now, uint8_t flags, 4394 uint32_t cum_ack, uint32_t rwnd, int ecne_seen) 4395 { 4396 struct sctp_association *asoc; 4397 struct sctp_tmit_chunk *tp1, *tp2; 4398 uint32_t last_tsn, biggest_tsn_acked, biggest_tsn_newly_acked, this_sack_lowest_newack; 4399 uint16_t wake_him = 0; 4400 uint32_t send_s = 0; 4401 long j; 4402 int accum_moved = 0; 4403 int will_exit_fast_recovery = 0; 4404 uint32_t a_rwnd, old_rwnd; 4405 int win_probe_recovery = 0; 4406 int win_probe_recovered = 0; 4407 struct sctp_nets *net = NULL; 4408 int done_once; 4409 int rto_ok = 1; 4410 uint8_t reneged_all = 0; 4411 uint8_t cmt_dac_flag; 4412 4413 /* 4414 * we take any chance we can to service our queues since we cannot 4415 * get awoken when the socket is read from :< 4416 */ 4417 /* 4418 * Now perform the actual SACK handling: 1) Verify that it is not an 4419 * old sack, if so discard. 2) If there is nothing left in the send 4420 * queue (cum-ack is equal to last acked) then you have a duplicate 4421 * too, update any rwnd change and verify no timers are running. 4422 * then return. 3) Process any new consequtive data i.e. cum-ack 4423 * moved process these first and note that it moved. 4) Process any 4424 * sack blocks. 5) Drop any acked from the queue. 6) Check for any 4425 * revoked blocks and mark. 7) Update the cwnd. 8) Nothing left, 4426 * sync up flightsizes and things, stop all timers and also check 4427 * for shutdown_pending state. If so then go ahead and send off the 4428 * shutdown. If in shutdown recv, send off the shutdown-ack and 4429 * start that timer, Ret. 9) Strike any non-acked things and do FR 4430 * procedure if needed being sure to set the FR flag. 10) Do pr-sctp 4431 * procedures. 11) Apply any FR penalties. 12) Assure we will SACK 4432 * if in shutdown_recv state. 4433 */ 4434 SCTP_TCB_LOCK_ASSERT(stcb); 4435 /* CMT DAC algo */ 4436 this_sack_lowest_newack = 0; 4437 SCTP_STAT_INCR(sctps_slowpath_sack); 4438 last_tsn = cum_ack; 4439 cmt_dac_flag = flags & SCTP_SACK_CMT_DAC; 4440 #ifdef SCTP_ASOCLOG_OF_TSNS 4441 stcb->asoc.cumack_log[stcb->asoc.cumack_log_at] = cum_ack; 4442 stcb->asoc.cumack_log_at++; 4443 if (stcb->asoc.cumack_log_at > SCTP_TSN_LOG_SIZE) { 4444 stcb->asoc.cumack_log_at = 0; 4445 } 4446 #endif 4447 a_rwnd = rwnd; 4448 4449 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_SACK_ARRIVALS_ENABLE) { 4450 sctp_misc_ints(SCTP_SACK_LOG_NORMAL, cum_ack, 4451 rwnd, stcb->asoc.last_acked_seq, stcb->asoc.peers_rwnd); 4452 } 4453 old_rwnd = stcb->asoc.peers_rwnd; 4454 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_THRESHOLD_LOGGING) { 4455 sctp_misc_ints(SCTP_THRESHOLD_CLEAR, 4456 stcb->asoc.overall_error_count, 4457 0, 4458 SCTP_FROM_SCTP_INDATA, 4459 __LINE__); 4460 } 4461 stcb->asoc.overall_error_count = 0; 4462 asoc = &stcb->asoc; 4463 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 4464 sctp_log_sack(asoc->last_acked_seq, 4465 cum_ack, 4466 0, 4467 num_seg, 4468 num_dup, 4469 SCTP_LOG_NEW_SACK); 4470 } 4471 if ((num_dup) && (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FR_LOGGING_ENABLE)) { 4472 uint16_t i; 4473 uint32_t *dupdata, dblock; 4474 4475 for (i = 0; i < num_dup; i++) { 4476 dupdata = (uint32_t *)sctp_m_getptr(m, offset_dup + i * sizeof(uint32_t), 4477 sizeof(uint32_t), (uint8_t *)&dblock); 4478 if (dupdata == NULL) { 4479 break; 4480 } 4481 sctp_log_fr(*dupdata, 0, 0, SCTP_FR_DUPED); 4482 } 4483 } 4484 /* reality check */ 4485 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 4486 tp1 = TAILQ_LAST(&asoc->sent_queue, 4487 sctpchunk_listhead); 4488 send_s = tp1->rec.data.tsn + 1; 4489 } else { 4490 tp1 = NULL; 4491 send_s = asoc->sending_seq; 4492 } 4493 if (SCTP_TSN_GE(cum_ack, send_s)) { 4494 struct mbuf *op_err; 4495 char msg[SCTP_DIAG_INFO_LEN]; 4496 4497 /* 4498 * no way, we have not even sent this TSN out yet. Peer is 4499 * hopelessly messed up with us. 4500 */ 4501 SCTP_PRINTF("NEW cum_ack:%x send_s:%x is smaller or equal\n", 4502 cum_ack, send_s); 4503 if (tp1) { 4504 SCTP_PRINTF("Got send_s from tsn:%x + 1 of tp1: %p\n", 4505 tp1->rec.data.tsn, (void *)tp1); 4506 } 4507 hopeless_peer: 4508 *abort_now = 1; 4509 /* XXX */ 4510 snprintf(msg, sizeof(msg), "Cum ack %8.8x greater or equal than TSN %8.8x", 4511 cum_ack, send_s); 4512 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 4513 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_25; 4514 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 4515 return; 4516 } 4517 /**********************/ 4518 /* 1) check the range */ 4519 /**********************/ 4520 if (SCTP_TSN_GT(asoc->last_acked_seq, last_tsn)) { 4521 /* acking something behind */ 4522 return; 4523 } 4524 /* update the Rwnd of the peer */ 4525 if (TAILQ_EMPTY(&asoc->sent_queue) && 4526 TAILQ_EMPTY(&asoc->send_queue) && 4527 (asoc->stream_queue_cnt == 0)) { 4528 /* nothing left on send/sent and strmq */ 4529 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) { 4530 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK, 4531 asoc->peers_rwnd, 0, 0, a_rwnd); 4532 } 4533 asoc->peers_rwnd = a_rwnd; 4534 if (asoc->sent_queue_retran_cnt) { 4535 asoc->sent_queue_retran_cnt = 0; 4536 } 4537 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4538 /* SWS sender side engages */ 4539 asoc->peers_rwnd = 0; 4540 } 4541 /* stop any timers */ 4542 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4543 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 4544 stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_26); 4545 net->partial_bytes_acked = 0; 4546 net->flight_size = 0; 4547 } 4548 asoc->total_flight = 0; 4549 asoc->total_flight_count = 0; 4550 return; 4551 } 4552 /* 4553 * We init netAckSz and netAckSz2 to 0. These are used to track 2 4554 * things. The total byte count acked is tracked in netAckSz AND 4555 * netAck2 is used to track the total bytes acked that are un- 4556 * amibguious and were never retransmitted. We track these on a per 4557 * destination address basis. 4558 */ 4559 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4560 if (SCTP_TSN_GT(cum_ack, net->cwr_window_tsn)) { 4561 /* Drag along the window_tsn for cwr's */ 4562 net->cwr_window_tsn = cum_ack; 4563 } 4564 net->prev_cwnd = net->cwnd; 4565 net->net_ack = 0; 4566 net->net_ack2 = 0; 4567 4568 /* 4569 * CMT: Reset CUC and Fast recovery algo variables before 4570 * SACK processing 4571 */ 4572 net->new_pseudo_cumack = 0; 4573 net->will_exit_fast_recovery = 0; 4574 if (stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) { 4575 (*stcb->asoc.cc_functions.sctp_cwnd_prepare_net_for_sack) (stcb, net); 4576 } 4577 } 4578 /* process the new consecutive TSN first */ 4579 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 4580 if (SCTP_TSN_GE(last_tsn, tp1->rec.data.tsn)) { 4581 if (tp1->sent != SCTP_DATAGRAM_UNSENT) { 4582 accum_moved = 1; 4583 if (tp1->sent < SCTP_DATAGRAM_ACKED) { 4584 /* 4585 * If it is less than ACKED, it is 4586 * now no-longer in flight. Higher 4587 * values may occur during marking 4588 */ 4589 if ((tp1->whoTo->dest_state & 4590 SCTP_ADDR_UNCONFIRMED) && 4591 (tp1->snd_count < 2)) { 4592 /* 4593 * If there was no retran 4594 * and the address is 4595 * un-confirmed and we sent 4596 * there and are now 4597 * sacked.. its confirmed, 4598 * mark it so. 4599 */ 4600 tp1->whoTo->dest_state &= 4601 ~SCTP_ADDR_UNCONFIRMED; 4602 } 4603 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 4604 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 4605 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_CA, 4606 tp1->whoTo->flight_size, 4607 tp1->book_size, 4608 (uint32_t)(uintptr_t)tp1->whoTo, 4609 tp1->rec.data.tsn); 4610 } 4611 sctp_flight_size_decrease(tp1); 4612 sctp_total_flight_decrease(stcb, tp1); 4613 if (stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) { 4614 (*stcb->asoc.cc_functions.sctp_cwnd_update_tsn_acknowledged) (tp1->whoTo, 4615 tp1); 4616 } 4617 } 4618 tp1->whoTo->net_ack += tp1->send_size; 4619 4620 /* CMT SFR and DAC algos */ 4621 this_sack_lowest_newack = tp1->rec.data.tsn; 4622 tp1->whoTo->saw_newack = 1; 4623 4624 if (tp1->snd_count < 2) { 4625 /* 4626 * True non-retransmited 4627 * chunk 4628 */ 4629 tp1->whoTo->net_ack2 += 4630 tp1->send_size; 4631 4632 /* update RTO too? */ 4633 if (tp1->do_rtt) { 4634 if (rto_ok) { 4635 tp1->whoTo->RTO = 4636 sctp_calculate_rto(stcb, 4637 asoc, tp1->whoTo, 4638 &tp1->sent_rcv_time, 4639 sctp_align_safe_nocopy, 4640 SCTP_RTT_FROM_DATA); 4641 rto_ok = 0; 4642 } 4643 if (tp1->whoTo->rto_needed == 0) { 4644 tp1->whoTo->rto_needed = 1; 4645 } 4646 tp1->do_rtt = 0; 4647 } 4648 } 4649 /* 4650 * CMT: CUCv2 algorithm. From the 4651 * cumack'd TSNs, for each TSN being 4652 * acked for the first time, set the 4653 * following variables for the 4654 * corresp destination. 4655 * new_pseudo_cumack will trigger a 4656 * cwnd update. 4657 * find_(rtx_)pseudo_cumack will 4658 * trigger search for the next 4659 * expected (rtx-)pseudo-cumack. 4660 */ 4661 tp1->whoTo->new_pseudo_cumack = 1; 4662 tp1->whoTo->find_pseudo_cumack = 1; 4663 tp1->whoTo->find_rtx_pseudo_cumack = 1; 4664 4665 4666 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 4667 sctp_log_sack(asoc->last_acked_seq, 4668 cum_ack, 4669 tp1->rec.data.tsn, 4670 0, 4671 0, 4672 SCTP_LOG_TSN_ACKED); 4673 } 4674 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) { 4675 sctp_log_cwnd(stcb, tp1->whoTo, tp1->rec.data.tsn, SCTP_CWND_LOG_FROM_SACK); 4676 } 4677 } 4678 if (tp1->sent == SCTP_DATAGRAM_RESEND) { 4679 sctp_ucount_decr(asoc->sent_queue_retran_cnt); 4680 #ifdef SCTP_AUDITING_ENABLED 4681 sctp_audit_log(0xB3, 4682 (asoc->sent_queue_retran_cnt & 0x000000ff)); 4683 #endif 4684 } 4685 if (tp1->rec.data.chunk_was_revoked) { 4686 /* deflate the cwnd */ 4687 tp1->whoTo->cwnd -= tp1->book_size; 4688 tp1->rec.data.chunk_was_revoked = 0; 4689 } 4690 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) { 4691 tp1->sent = SCTP_DATAGRAM_ACKED; 4692 } 4693 } 4694 } else { 4695 break; 4696 } 4697 } 4698 biggest_tsn_newly_acked = biggest_tsn_acked = last_tsn; 4699 /* always set this up to cum-ack */ 4700 asoc->this_sack_highest_gap = last_tsn; 4701 4702 if ((num_seg > 0) || (num_nr_seg > 0)) { 4703 4704 /* 4705 * CMT: SFR algo (and HTNA) - this_sack_highest_newack has 4706 * to be greater than the cumack. Also reset saw_newack to 0 4707 * for all dests. 4708 */ 4709 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4710 net->saw_newack = 0; 4711 net->this_sack_highest_newack = last_tsn; 4712 } 4713 4714 /* 4715 * thisSackHighestGap will increase while handling NEW 4716 * segments this_sack_highest_newack will increase while 4717 * handling NEWLY ACKED chunks. this_sack_lowest_newack is 4718 * used for CMT DAC algo. saw_newack will also change. 4719 */ 4720 if (sctp_handle_segments(m, &offset_seg, stcb, asoc, last_tsn, &biggest_tsn_acked, 4721 &biggest_tsn_newly_acked, &this_sack_lowest_newack, 4722 num_seg, num_nr_seg, &rto_ok)) { 4723 wake_him++; 4724 } 4725 /* 4726 * validate the biggest_tsn_acked in the gap acks if strict 4727 * adherence is wanted. 4728 */ 4729 if (SCTP_TSN_GE(biggest_tsn_acked, send_s)) { 4730 /* 4731 * peer is either confused or we are under attack. 4732 * We must abort. 4733 */ 4734 SCTP_PRINTF("Hopeless peer! biggest_tsn_acked:%x largest seq:%x\n", 4735 biggest_tsn_acked, send_s); 4736 goto hopeless_peer; 4737 } 4738 } 4739 /*******************************************/ 4740 /* cancel ALL T3-send timer if accum moved */ 4741 /*******************************************/ 4742 if (asoc->sctp_cmt_on_off > 0) { 4743 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4744 if (net->new_pseudo_cumack) 4745 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 4746 stcb, net, 4747 SCTP_FROM_SCTP_INDATA + SCTP_LOC_27); 4748 4749 } 4750 } else { 4751 if (accum_moved) { 4752 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4753 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 4754 stcb, net, SCTP_FROM_SCTP_INDATA + SCTP_LOC_28); 4755 } 4756 } 4757 } 4758 /********************************************/ 4759 /* drop the acked chunks from the sentqueue */ 4760 /********************************************/ 4761 asoc->last_acked_seq = cum_ack; 4762 4763 TAILQ_FOREACH_SAFE(tp1, &asoc->sent_queue, sctp_next, tp2) { 4764 if (SCTP_TSN_GT(tp1->rec.data.tsn, cum_ack)) { 4765 break; 4766 } 4767 if (tp1->sent != SCTP_DATAGRAM_NR_ACKED) { 4768 if (asoc->strmout[tp1->rec.data.sid].chunks_on_queues > 0) { 4769 asoc->strmout[tp1->rec.data.sid].chunks_on_queues--; 4770 #ifdef INVARIANTS 4771 } else { 4772 panic("No chunks on the queues for sid %u.", tp1->rec.data.sid); 4773 #endif 4774 } 4775 } 4776 if ((asoc->strmout[tp1->rec.data.sid].chunks_on_queues == 0) && 4777 (asoc->strmout[tp1->rec.data.sid].state == SCTP_STREAM_RESET_PENDING) && 4778 TAILQ_EMPTY(&asoc->strmout[tp1->rec.data.sid].outqueue)) { 4779 asoc->trigger_reset = 1; 4780 } 4781 TAILQ_REMOVE(&asoc->sent_queue, tp1, sctp_next); 4782 if (PR_SCTP_ENABLED(tp1->flags)) { 4783 if (asoc->pr_sctp_cnt != 0) 4784 asoc->pr_sctp_cnt--; 4785 } 4786 asoc->sent_queue_cnt--; 4787 if (tp1->data) { 4788 /* sa_ignore NO_NULL_CHK */ 4789 sctp_free_bufspace(stcb, asoc, tp1, 1); 4790 sctp_m_freem(tp1->data); 4791 tp1->data = NULL; 4792 if (asoc->prsctp_supported && PR_SCTP_BUF_ENABLED(tp1->flags)) { 4793 asoc->sent_queue_cnt_removeable--; 4794 } 4795 } 4796 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_LOGGING_ENABLE) { 4797 sctp_log_sack(asoc->last_acked_seq, 4798 cum_ack, 4799 tp1->rec.data.tsn, 4800 0, 4801 0, 4802 SCTP_LOG_FREE_SENT); 4803 } 4804 sctp_free_a_chunk(stcb, tp1, SCTP_SO_NOT_LOCKED); 4805 wake_him++; 4806 } 4807 if (TAILQ_EMPTY(&asoc->sent_queue) && (asoc->total_flight > 0)) { 4808 #ifdef INVARIANTS 4809 panic("Warning flight size is positive and should be 0"); 4810 #else 4811 SCTP_PRINTF("Warning flight size incorrect should be 0 is %d\n", 4812 asoc->total_flight); 4813 #endif 4814 asoc->total_flight = 0; 4815 } 4816 /* sa_ignore NO_NULL_CHK */ 4817 if ((wake_him) && (stcb->sctp_socket)) { 4818 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4819 struct socket *so; 4820 4821 #endif 4822 SOCKBUF_LOCK(&stcb->sctp_socket->so_snd); 4823 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) { 4824 sctp_wakeup_log(stcb, wake_him, SCTP_WAKESND_FROM_SACK); 4825 } 4826 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4827 so = SCTP_INP_SO(stcb->sctp_ep); 4828 atomic_add_int(&stcb->asoc.refcnt, 1); 4829 SCTP_TCB_UNLOCK(stcb); 4830 SCTP_SOCKET_LOCK(so, 1); 4831 SCTP_TCB_LOCK(stcb); 4832 atomic_subtract_int(&stcb->asoc.refcnt, 1); 4833 if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) { 4834 /* assoc was freed while we were unlocked */ 4835 SCTP_SOCKET_UNLOCK(so, 1); 4836 return; 4837 } 4838 #endif 4839 sctp_sowwakeup_locked(stcb->sctp_ep, stcb->sctp_socket); 4840 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) 4841 SCTP_SOCKET_UNLOCK(so, 1); 4842 #endif 4843 } else { 4844 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_WAKE_LOGGING_ENABLE) { 4845 sctp_wakeup_log(stcb, wake_him, SCTP_NOWAKE_FROM_SACK); 4846 } 4847 } 4848 4849 if (asoc->fast_retran_loss_recovery && accum_moved) { 4850 if (SCTP_TSN_GE(asoc->last_acked_seq, asoc->fast_recovery_tsn)) { 4851 /* Setup so we will exit RFC2582 fast recovery */ 4852 will_exit_fast_recovery = 1; 4853 } 4854 } 4855 /* 4856 * Check for revoked fragments: 4857 * 4858 * if Previous sack - Had no frags then we can't have any revoked if 4859 * Previous sack - Had frag's then - If we now have frags aka 4860 * num_seg > 0 call sctp_check_for_revoked() to tell if peer revoked 4861 * some of them. else - The peer revoked all ACKED fragments, since 4862 * we had some before and now we have NONE. 4863 */ 4864 4865 if (num_seg) { 4866 sctp_check_for_revoked(stcb, asoc, cum_ack, biggest_tsn_acked); 4867 asoc->saw_sack_with_frags = 1; 4868 } else if (asoc->saw_sack_with_frags) { 4869 int cnt_revoked = 0; 4870 4871 /* Peer revoked all dg's marked or acked */ 4872 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 4873 if (tp1->sent == SCTP_DATAGRAM_ACKED) { 4874 tp1->sent = SCTP_DATAGRAM_SENT; 4875 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) { 4876 sctp_misc_ints(SCTP_FLIGHT_LOG_UP_REVOKE, 4877 tp1->whoTo->flight_size, 4878 tp1->book_size, 4879 (uint32_t)(uintptr_t)tp1->whoTo, 4880 tp1->rec.data.tsn); 4881 } 4882 sctp_flight_size_increase(tp1); 4883 sctp_total_flight_increase(stcb, tp1); 4884 tp1->rec.data.chunk_was_revoked = 1; 4885 /* 4886 * To ensure that this increase in 4887 * flightsize, which is artificial, does not 4888 * throttle the sender, we also increase the 4889 * cwnd artificially. 4890 */ 4891 tp1->whoTo->cwnd += tp1->book_size; 4892 cnt_revoked++; 4893 } 4894 } 4895 if (cnt_revoked) { 4896 reneged_all = 1; 4897 } 4898 asoc->saw_sack_with_frags = 0; 4899 } 4900 if (num_nr_seg > 0) 4901 asoc->saw_sack_with_nr_frags = 1; 4902 else 4903 asoc->saw_sack_with_nr_frags = 0; 4904 4905 /* JRS - Use the congestion control given in the CC module */ 4906 if (ecne_seen == 0) { 4907 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4908 if (net->net_ack2 > 0) { 4909 /* 4910 * Karn's rule applies to clearing error 4911 * count, this is optional. 4912 */ 4913 net->error_count = 0; 4914 if (!(net->dest_state & SCTP_ADDR_REACHABLE)) { 4915 /* addr came good */ 4916 net->dest_state |= SCTP_ADDR_REACHABLE; 4917 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 4918 0, (void *)net, SCTP_SO_NOT_LOCKED); 4919 } 4920 if (net == stcb->asoc.primary_destination) { 4921 if (stcb->asoc.alternate) { 4922 /* 4923 * release the alternate, 4924 * primary is good 4925 */ 4926 sctp_free_remote_addr(stcb->asoc.alternate); 4927 stcb->asoc.alternate = NULL; 4928 } 4929 } 4930 if (net->dest_state & SCTP_ADDR_PF) { 4931 net->dest_state &= ~SCTP_ADDR_PF; 4932 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, 4933 stcb->sctp_ep, stcb, net, 4934 SCTP_FROM_SCTP_INDATA + SCTP_LOC_29); 4935 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, stcb, net); 4936 asoc->cc_functions.sctp_cwnd_update_exit_pf(stcb, net); 4937 /* Done with this net */ 4938 net->net_ack = 0; 4939 } 4940 /* restore any doubled timers */ 4941 net->RTO = (net->lastsa >> SCTP_RTT_SHIFT) + net->lastsv; 4942 if (net->RTO < stcb->asoc.minrto) { 4943 net->RTO = stcb->asoc.minrto; 4944 } 4945 if (net->RTO > stcb->asoc.maxrto) { 4946 net->RTO = stcb->asoc.maxrto; 4947 } 4948 } 4949 } 4950 asoc->cc_functions.sctp_cwnd_update_after_sack(stcb, asoc, accum_moved, reneged_all, will_exit_fast_recovery); 4951 } 4952 if (TAILQ_EMPTY(&asoc->sent_queue)) { 4953 /* nothing left in-flight */ 4954 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 4955 /* stop all timers */ 4956 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 4957 stcb, net, 4958 SCTP_FROM_SCTP_INDATA + SCTP_LOC_30); 4959 net->flight_size = 0; 4960 net->partial_bytes_acked = 0; 4961 } 4962 asoc->total_flight = 0; 4963 asoc->total_flight_count = 0; 4964 } 4965 /**********************************/ 4966 /* Now what about shutdown issues */ 4967 /**********************************/ 4968 if (TAILQ_EMPTY(&asoc->send_queue) && TAILQ_EMPTY(&asoc->sent_queue)) { 4969 /* nothing left on sendqueue.. consider done */ 4970 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) { 4971 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK, 4972 asoc->peers_rwnd, 0, 0, a_rwnd); 4973 } 4974 asoc->peers_rwnd = a_rwnd; 4975 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 4976 /* SWS sender side engages */ 4977 asoc->peers_rwnd = 0; 4978 } 4979 /* clean up */ 4980 if ((asoc->stream_queue_cnt == 1) && 4981 ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) || 4982 (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED)) && 4983 ((*asoc->ss_functions.sctp_ss_is_user_msgs_incomplete) (stcb, asoc))) { 4984 asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT; 4985 } 4986 if (((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) || 4987 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) && 4988 (asoc->stream_queue_cnt == 1) && 4989 (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) { 4990 struct mbuf *op_err; 4991 4992 *abort_now = 1; 4993 /* XXX */ 4994 op_err = sctp_generate_cause(SCTP_CAUSE_USER_INITIATED_ABT, ""); 4995 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_24; 4996 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 4997 return; 4998 } 4999 if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) && 5000 (asoc->stream_queue_cnt == 0)) { 5001 struct sctp_nets *netp; 5002 5003 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 5004 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 5005 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 5006 } 5007 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT); 5008 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 5009 sctp_stop_timers_for_shutdown(stcb); 5010 if (asoc->alternate) { 5011 netp = asoc->alternate; 5012 } else { 5013 netp = asoc->primary_destination; 5014 } 5015 sctp_send_shutdown(stcb, netp); 5016 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, 5017 stcb->sctp_ep, stcb, netp); 5018 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 5019 stcb->sctp_ep, stcb, netp); 5020 return; 5021 } else if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) && 5022 (asoc->stream_queue_cnt == 0)) { 5023 struct sctp_nets *netp; 5024 5025 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 5026 SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_ACK_SENT); 5027 SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING); 5028 sctp_stop_timers_for_shutdown(stcb); 5029 if (asoc->alternate) { 5030 netp = asoc->alternate; 5031 } else { 5032 netp = asoc->primary_destination; 5033 } 5034 sctp_send_shutdown_ack(stcb, netp); 5035 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, 5036 stcb->sctp_ep, stcb, netp); 5037 return; 5038 } 5039 } 5040 /* 5041 * Now here we are going to recycle net_ack for a different use... 5042 * HEADS UP. 5043 */ 5044 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 5045 net->net_ack = 0; 5046 } 5047 5048 /* 5049 * CMT DAC algorithm: If SACK DAC flag was 0, then no extra marking 5050 * to be done. Setting this_sack_lowest_newack to the cum_ack will 5051 * automatically ensure that. 5052 */ 5053 if ((asoc->sctp_cmt_on_off > 0) && 5054 SCTP_BASE_SYSCTL(sctp_cmt_use_dac) && 5055 (cmt_dac_flag == 0)) { 5056 this_sack_lowest_newack = cum_ack; 5057 } 5058 if ((num_seg > 0) || (num_nr_seg > 0)) { 5059 sctp_strike_gap_ack_chunks(stcb, asoc, biggest_tsn_acked, 5060 biggest_tsn_newly_acked, this_sack_lowest_newack, accum_moved); 5061 } 5062 /* JRS - Use the congestion control given in the CC module */ 5063 asoc->cc_functions.sctp_cwnd_update_after_fr(stcb, asoc); 5064 5065 /* Now are we exiting loss recovery ? */ 5066 if (will_exit_fast_recovery) { 5067 /* Ok, we must exit fast recovery */ 5068 asoc->fast_retran_loss_recovery = 0; 5069 } 5070 if ((asoc->sat_t3_loss_recovery) && 5071 SCTP_TSN_GE(asoc->last_acked_seq, asoc->sat_t3_recovery_tsn)) { 5072 /* end satellite t3 loss recovery */ 5073 asoc->sat_t3_loss_recovery = 0; 5074 } 5075 /* 5076 * CMT Fast recovery 5077 */ 5078 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 5079 if (net->will_exit_fast_recovery) { 5080 /* Ok, we must exit fast recovery */ 5081 net->fast_retran_loss_recovery = 0; 5082 } 5083 } 5084 5085 /* Adjust and set the new rwnd value */ 5086 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) { 5087 sctp_log_rwnd_set(SCTP_SET_PEER_RWND_VIA_SACK, 5088 asoc->peers_rwnd, asoc->total_flight, (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)), a_rwnd); 5089 } 5090 asoc->peers_rwnd = sctp_sbspace_sub(a_rwnd, 5091 (uint32_t)(asoc->total_flight + (asoc->total_flight_count * SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)))); 5092 if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 5093 /* SWS sender side engages */ 5094 asoc->peers_rwnd = 0; 5095 } 5096 if (asoc->peers_rwnd > old_rwnd) { 5097 win_probe_recovery = 1; 5098 } 5099 /* 5100 * Now we must setup so we have a timer up for anyone with 5101 * outstanding data. 5102 */ 5103 done_once = 0; 5104 again: 5105 j = 0; 5106 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 5107 if (win_probe_recovery && (net->window_probe)) { 5108 win_probe_recovered = 1; 5109 /*- 5110 * Find first chunk that was used with 5111 * window probe and clear the event. Put 5112 * it back into the send queue as if has 5113 * not been sent. 5114 */ 5115 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 5116 if (tp1->window_probe) { 5117 sctp_window_probe_recovery(stcb, asoc, tp1); 5118 break; 5119 } 5120 } 5121 } 5122 if (net->flight_size) { 5123 j++; 5124 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 5125 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 5126 stcb->sctp_ep, stcb, net); 5127 } 5128 if (net->window_probe) { 5129 net->window_probe = 0; 5130 } 5131 } else { 5132 if (net->window_probe) { 5133 /* 5134 * In window probes we must assure a timer 5135 * is still running there 5136 */ 5137 if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 5138 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 5139 stcb->sctp_ep, stcb, net); 5140 5141 } 5142 } else if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) { 5143 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 5144 stcb, net, 5145 SCTP_FROM_SCTP_INDATA + SCTP_LOC_32); 5146 } 5147 } 5148 } 5149 if ((j == 0) && 5150 (!TAILQ_EMPTY(&asoc->sent_queue)) && 5151 (asoc->sent_queue_retran_cnt == 0) && 5152 (win_probe_recovered == 0) && 5153 (done_once == 0)) { 5154 /* 5155 * huh, this should not happen unless all packets are 5156 * PR-SCTP and marked to skip of course. 5157 */ 5158 if (sctp_fs_audit(asoc)) { 5159 TAILQ_FOREACH(net, &asoc->nets, sctp_next) { 5160 net->flight_size = 0; 5161 } 5162 asoc->total_flight = 0; 5163 asoc->total_flight_count = 0; 5164 asoc->sent_queue_retran_cnt = 0; 5165 TAILQ_FOREACH(tp1, &asoc->sent_queue, sctp_next) { 5166 if (tp1->sent < SCTP_DATAGRAM_RESEND) { 5167 sctp_flight_size_increase(tp1); 5168 sctp_total_flight_increase(stcb, tp1); 5169 } else if (tp1->sent == SCTP_DATAGRAM_RESEND) { 5170 sctp_ucount_incr(asoc->sent_queue_retran_cnt); 5171 } 5172 } 5173 } 5174 done_once = 1; 5175 goto again; 5176 } 5177 /*********************************************/ 5178 /* Here we perform PR-SCTP procedures */ 5179 /* (section 4.2) */ 5180 /*********************************************/ 5181 /* C1. update advancedPeerAckPoint */ 5182 if (SCTP_TSN_GT(cum_ack, asoc->advanced_peer_ack_point)) { 5183 asoc->advanced_peer_ack_point = cum_ack; 5184 } 5185 /* C2. try to further move advancedPeerAckPoint ahead */ 5186 if ((asoc->prsctp_supported) && (asoc->pr_sctp_cnt > 0)) { 5187 struct sctp_tmit_chunk *lchk; 5188 uint32_t old_adv_peer_ack_point; 5189 5190 old_adv_peer_ack_point = asoc->advanced_peer_ack_point; 5191 lchk = sctp_try_advance_peer_ack_point(stcb, asoc); 5192 /* C3. See if we need to send a Fwd-TSN */ 5193 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, cum_ack)) { 5194 /* 5195 * ISSUE with ECN, see FWD-TSN processing. 5196 */ 5197 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) { 5198 sctp_misc_ints(SCTP_FWD_TSN_CHECK, 5199 0xee, cum_ack, asoc->advanced_peer_ack_point, 5200 old_adv_peer_ack_point); 5201 } 5202 if (SCTP_TSN_GT(asoc->advanced_peer_ack_point, old_adv_peer_ack_point)) { 5203 send_forward_tsn(stcb, asoc); 5204 } else if (lchk) { 5205 /* try to FR fwd-tsn's that get lost too */ 5206 if (lchk->rec.data.fwd_tsn_cnt >= 3) { 5207 send_forward_tsn(stcb, asoc); 5208 } 5209 } 5210 } 5211 if (lchk) { 5212 /* Assure a timer is up */ 5213 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 5214 stcb->sctp_ep, stcb, lchk->whoTo); 5215 } 5216 } 5217 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_SACK_RWND_LOGGING_ENABLE) { 5218 sctp_misc_ints(SCTP_SACK_RWND_UPDATE, 5219 a_rwnd, 5220 stcb->asoc.peers_rwnd, 5221 stcb->asoc.total_flight, 5222 stcb->asoc.total_output_queue_size); 5223 } 5224 } 5225 5226 void 5227 sctp_update_acked(struct sctp_tcb *stcb, struct sctp_shutdown_chunk *cp, int *abort_flag) 5228 { 5229 /* Copy cum-ack */ 5230 uint32_t cum_ack, a_rwnd; 5231 5232 cum_ack = ntohl(cp->cumulative_tsn_ack); 5233 /* Arrange so a_rwnd does NOT change */ 5234 a_rwnd = stcb->asoc.peers_rwnd + stcb->asoc.total_flight; 5235 5236 /* Now call the express sack handling */ 5237 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, abort_flag, 0); 5238 } 5239 5240 static void 5241 sctp_kick_prsctp_reorder_queue(struct sctp_tcb *stcb, 5242 struct sctp_stream_in *strmin) 5243 { 5244 struct sctp_queued_to_read *control, *ncontrol; 5245 struct sctp_association *asoc; 5246 uint32_t mid; 5247 int need_reasm_check = 0; 5248 5249 asoc = &stcb->asoc; 5250 mid = strmin->last_mid_delivered; 5251 /* 5252 * First deliver anything prior to and including the stream no that 5253 * came in. 5254 */ 5255 TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) { 5256 if (SCTP_MID_GE(asoc->idata_supported, mid, control->mid)) { 5257 /* this is deliverable now */ 5258 if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 5259 if (control->on_strm_q) { 5260 if (control->on_strm_q == SCTP_ON_ORDERED) { 5261 TAILQ_REMOVE(&strmin->inqueue, control, next_instrm); 5262 } else if (control->on_strm_q == SCTP_ON_UNORDERED) { 5263 TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm); 5264 #ifdef INVARIANTS 5265 } else { 5266 panic("strmin: %p ctl: %p unknown %d", 5267 strmin, control, control->on_strm_q); 5268 #endif 5269 } 5270 control->on_strm_q = 0; 5271 } 5272 /* subtract pending on streams */ 5273 if (asoc->size_on_all_streams >= control->length) { 5274 asoc->size_on_all_streams -= control->length; 5275 } else { 5276 #ifdef INVARIANTS 5277 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 5278 #else 5279 asoc->size_on_all_streams = 0; 5280 #endif 5281 } 5282 sctp_ucount_decr(asoc->cnt_on_all_streams); 5283 /* deliver it to at least the delivery-q */ 5284 if (stcb->sctp_socket) { 5285 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 5286 sctp_add_to_readq(stcb->sctp_ep, stcb, 5287 control, 5288 &stcb->sctp_socket->so_rcv, 5289 1, SCTP_READ_LOCK_HELD, 5290 SCTP_SO_NOT_LOCKED); 5291 } 5292 } else { 5293 /* Its a fragmented message */ 5294 if (control->first_frag_seen) { 5295 /* 5296 * Make it so this is next to 5297 * deliver, we restore later 5298 */ 5299 strmin->last_mid_delivered = control->mid - 1; 5300 need_reasm_check = 1; 5301 break; 5302 } 5303 } 5304 } else { 5305 /* no more delivery now. */ 5306 break; 5307 } 5308 } 5309 if (need_reasm_check) { 5310 int ret; 5311 5312 ret = sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD); 5313 if (SCTP_MID_GT(asoc->idata_supported, mid, strmin->last_mid_delivered)) { 5314 /* Restore the next to deliver unless we are ahead */ 5315 strmin->last_mid_delivered = mid; 5316 } 5317 if (ret == 0) { 5318 /* Left the front Partial one on */ 5319 return; 5320 } 5321 need_reasm_check = 0; 5322 } 5323 /* 5324 * now we must deliver things in queue the normal way if any are 5325 * now ready. 5326 */ 5327 mid = strmin->last_mid_delivered + 1; 5328 TAILQ_FOREACH_SAFE(control, &strmin->inqueue, next_instrm, ncontrol) { 5329 if (SCTP_MID_EQ(asoc->idata_supported, mid, control->mid)) { 5330 if (((control->sinfo_flags >> 8) & SCTP_DATA_NOT_FRAG) == SCTP_DATA_NOT_FRAG) { 5331 /* this is deliverable now */ 5332 if (control->on_strm_q) { 5333 if (control->on_strm_q == SCTP_ON_ORDERED) { 5334 TAILQ_REMOVE(&strmin->inqueue, control, next_instrm); 5335 } else if (control->on_strm_q == SCTP_ON_UNORDERED) { 5336 TAILQ_REMOVE(&strmin->uno_inqueue, control, next_instrm); 5337 #ifdef INVARIANTS 5338 } else { 5339 panic("strmin: %p ctl: %p unknown %d", 5340 strmin, control, control->on_strm_q); 5341 #endif 5342 } 5343 control->on_strm_q = 0; 5344 } 5345 /* subtract pending on streams */ 5346 if (asoc->size_on_all_streams >= control->length) { 5347 asoc->size_on_all_streams -= control->length; 5348 } else { 5349 #ifdef INVARIANTS 5350 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 5351 #else 5352 asoc->size_on_all_streams = 0; 5353 #endif 5354 } 5355 sctp_ucount_decr(asoc->cnt_on_all_streams); 5356 /* deliver it to at least the delivery-q */ 5357 strmin->last_mid_delivered = control->mid; 5358 if (stcb->sctp_socket) { 5359 sctp_mark_non_revokable(asoc, control->sinfo_tsn); 5360 sctp_add_to_readq(stcb->sctp_ep, stcb, 5361 control, 5362 &stcb->sctp_socket->so_rcv, 1, 5363 SCTP_READ_LOCK_HELD, SCTP_SO_NOT_LOCKED); 5364 5365 } 5366 mid = strmin->last_mid_delivered + 1; 5367 } else { 5368 /* Its a fragmented message */ 5369 if (control->first_frag_seen) { 5370 /* 5371 * Make it so this is next to 5372 * deliver 5373 */ 5374 strmin->last_mid_delivered = control->mid - 1; 5375 need_reasm_check = 1; 5376 break; 5377 } 5378 } 5379 } else { 5380 break; 5381 } 5382 } 5383 if (need_reasm_check) { 5384 (void)sctp_deliver_reasm_check(stcb, &stcb->asoc, strmin, SCTP_READ_LOCK_HELD); 5385 } 5386 } 5387 5388 5389 5390 static void 5391 sctp_flush_reassm_for_str_seq(struct sctp_tcb *stcb, 5392 struct sctp_association *asoc, 5393 uint16_t stream, uint32_t mid, int ordered, uint32_t cumtsn) 5394 { 5395 struct sctp_queued_to_read *control; 5396 struct sctp_stream_in *strm; 5397 struct sctp_tmit_chunk *chk, *nchk; 5398 int cnt_removed = 0; 5399 5400 /* 5401 * For now large messages held on the stream reasm that are complete 5402 * will be tossed too. We could in theory do more work to spin 5403 * through and stop after dumping one msg aka seeing the start of a 5404 * new msg at the head, and call the delivery function... to see if 5405 * it can be delivered... But for now we just dump everything on the 5406 * queue. 5407 */ 5408 strm = &asoc->strmin[stream]; 5409 control = sctp_find_reasm_entry(strm, mid, ordered, asoc->idata_supported); 5410 if (control == NULL) { 5411 /* Not found */ 5412 return; 5413 } 5414 if (!asoc->idata_supported && !ordered && SCTP_TSN_GT(control->fsn_included, cumtsn)) { 5415 return; 5416 } 5417 TAILQ_FOREACH_SAFE(chk, &control->reasm, sctp_next, nchk) { 5418 /* Purge hanging chunks */ 5419 if (!asoc->idata_supported && (ordered == 0)) { 5420 if (SCTP_TSN_GT(chk->rec.data.tsn, cumtsn)) { 5421 break; 5422 } 5423 } 5424 cnt_removed++; 5425 TAILQ_REMOVE(&control->reasm, chk, sctp_next); 5426 if (asoc->size_on_reasm_queue >= chk->send_size) { 5427 asoc->size_on_reasm_queue -= chk->send_size; 5428 } else { 5429 #ifdef INVARIANTS 5430 panic("size_on_reasm_queue = %u smaller than chunk length %u", asoc->size_on_reasm_queue, chk->send_size); 5431 #else 5432 asoc->size_on_reasm_queue = 0; 5433 #endif 5434 } 5435 sctp_ucount_decr(asoc->cnt_on_reasm_queue); 5436 if (chk->data) { 5437 sctp_m_freem(chk->data); 5438 chk->data = NULL; 5439 } 5440 sctp_free_a_chunk(stcb, chk, SCTP_SO_NOT_LOCKED); 5441 } 5442 if (!TAILQ_EMPTY(&control->reasm)) { 5443 /* This has to be old data, unordered */ 5444 if (control->data) { 5445 sctp_m_freem(control->data); 5446 control->data = NULL; 5447 } 5448 sctp_reset_a_control(control, stcb->sctp_ep, cumtsn); 5449 chk = TAILQ_FIRST(&control->reasm); 5450 if (chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) { 5451 TAILQ_REMOVE(&control->reasm, chk, sctp_next); 5452 sctp_add_chk_to_control(control, strm, stcb, asoc, 5453 chk, SCTP_READ_LOCK_HELD); 5454 } 5455 sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_HELD); 5456 return; 5457 } 5458 if (control->on_strm_q == SCTP_ON_ORDERED) { 5459 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 5460 if (asoc->size_on_all_streams >= control->length) { 5461 asoc->size_on_all_streams -= control->length; 5462 } else { 5463 #ifdef INVARIANTS 5464 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 5465 #else 5466 asoc->size_on_all_streams = 0; 5467 #endif 5468 } 5469 sctp_ucount_decr(asoc->cnt_on_all_streams); 5470 control->on_strm_q = 0; 5471 } else if (control->on_strm_q == SCTP_ON_UNORDERED) { 5472 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 5473 control->on_strm_q = 0; 5474 #ifdef INVARIANTS 5475 } else if (control->on_strm_q) { 5476 panic("strm: %p ctl: %p unknown %d", 5477 strm, control, control->on_strm_q); 5478 #endif 5479 } 5480 control->on_strm_q = 0; 5481 if (control->on_read_q == 0) { 5482 sctp_free_remote_addr(control->whoFrom); 5483 if (control->data) { 5484 sctp_m_freem(control->data); 5485 control->data = NULL; 5486 } 5487 sctp_free_a_readq(stcb, control); 5488 } 5489 } 5490 5491 void 5492 sctp_handle_forward_tsn(struct sctp_tcb *stcb, 5493 struct sctp_forward_tsn_chunk *fwd, 5494 int *abort_flag, struct mbuf *m, int offset) 5495 { 5496 /* The pr-sctp fwd tsn */ 5497 /* 5498 * here we will perform all the data receiver side steps for 5499 * processing FwdTSN, as required in by pr-sctp draft: 5500 * 5501 * Assume we get FwdTSN(x): 5502 * 5503 * 1) update local cumTSN to x 2) try to further advance cumTSN to x 5504 * + others we have 3) examine and update re-ordering queue on 5505 * pr-in-streams 4) clean up re-assembly queue 5) Send a sack to 5506 * report where we are. 5507 */ 5508 struct sctp_association *asoc; 5509 uint32_t new_cum_tsn, gap; 5510 unsigned int i, fwd_sz, m_size; 5511 uint32_t str_seq; 5512 struct sctp_stream_in *strm; 5513 struct sctp_queued_to_read *control, *sv; 5514 5515 asoc = &stcb->asoc; 5516 if ((fwd_sz = ntohs(fwd->ch.chunk_length)) < sizeof(struct sctp_forward_tsn_chunk)) { 5517 SCTPDBG(SCTP_DEBUG_INDATA1, 5518 "Bad size too small/big fwd-tsn\n"); 5519 return; 5520 } 5521 m_size = (stcb->asoc.mapping_array_size << 3); 5522 /*************************************************************/ 5523 /* 1. Here we update local cumTSN and shift the bitmap array */ 5524 /*************************************************************/ 5525 new_cum_tsn = ntohl(fwd->new_cumulative_tsn); 5526 5527 if (SCTP_TSN_GE(asoc->cumulative_tsn, new_cum_tsn)) { 5528 /* Already got there ... */ 5529 return; 5530 } 5531 /* 5532 * now we know the new TSN is more advanced, let's find the actual 5533 * gap 5534 */ 5535 SCTP_CALC_TSN_TO_GAP(gap, new_cum_tsn, asoc->mapping_array_base_tsn); 5536 asoc->cumulative_tsn = new_cum_tsn; 5537 if (gap >= m_size) { 5538 if ((long)gap > sctp_sbspace(&stcb->asoc, &stcb->sctp_socket->so_rcv)) { 5539 struct mbuf *op_err; 5540 char msg[SCTP_DIAG_INFO_LEN]; 5541 5542 /* 5543 * out of range (of single byte chunks in the rwnd I 5544 * give out). This must be an attacker. 5545 */ 5546 *abort_flag = 1; 5547 snprintf(msg, sizeof(msg), 5548 "New cum ack %8.8x too high, highest TSN %8.8x", 5549 new_cum_tsn, asoc->highest_tsn_inside_map); 5550 op_err = sctp_generate_cause(SCTP_CAUSE_PROTOCOL_VIOLATION, msg); 5551 stcb->sctp_ep->last_abort_code = SCTP_FROM_SCTP_INDATA + SCTP_LOC_33; 5552 sctp_abort_an_association(stcb->sctp_ep, stcb, op_err, SCTP_SO_NOT_LOCKED); 5553 return; 5554 } 5555 SCTP_STAT_INCR(sctps_fwdtsn_map_over); 5556 5557 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 5558 asoc->mapping_array_base_tsn = new_cum_tsn + 1; 5559 asoc->highest_tsn_inside_map = new_cum_tsn; 5560 5561 memset(stcb->asoc.nr_mapping_array, 0, stcb->asoc.mapping_array_size); 5562 asoc->highest_tsn_inside_nr_map = new_cum_tsn; 5563 5564 if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MAP_LOGGING_ENABLE) { 5565 sctp_log_map(0, 3, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 5566 } 5567 } else { 5568 SCTP_TCB_LOCK_ASSERT(stcb); 5569 for (i = 0; i <= gap; i++) { 5570 if (!SCTP_IS_TSN_PRESENT(asoc->mapping_array, i) && 5571 !SCTP_IS_TSN_PRESENT(asoc->nr_mapping_array, i)) { 5572 SCTP_SET_TSN_PRESENT(asoc->nr_mapping_array, i); 5573 if (SCTP_TSN_GT(asoc->mapping_array_base_tsn + i, asoc->highest_tsn_inside_nr_map)) { 5574 asoc->highest_tsn_inside_nr_map = asoc->mapping_array_base_tsn + i; 5575 } 5576 } 5577 } 5578 } 5579 /*************************************************************/ 5580 /* 2. Clear up re-assembly queue */ 5581 /*************************************************************/ 5582 5583 /* This is now done as part of clearing up the stream/seq */ 5584 if (asoc->idata_supported == 0) { 5585 uint16_t sid; 5586 5587 /* Flush all the un-ordered data based on cum-tsn */ 5588 SCTP_INP_READ_LOCK(stcb->sctp_ep); 5589 for (sid = 0; sid < asoc->streamincnt; sid++) { 5590 sctp_flush_reassm_for_str_seq(stcb, asoc, sid, 0, 0, new_cum_tsn); 5591 } 5592 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 5593 } 5594 /*******************************************************/ 5595 /* 3. Update the PR-stream re-ordering queues and fix */ 5596 /* delivery issues as needed. */ 5597 /*******************************************************/ 5598 fwd_sz -= sizeof(*fwd); 5599 if (m && fwd_sz) { 5600 /* New method. */ 5601 unsigned int num_str; 5602 uint32_t mid, cur_mid; 5603 uint16_t sid; 5604 uint16_t ordered, flags; 5605 struct sctp_strseq *stseq, strseqbuf; 5606 struct sctp_strseq_mid *stseq_m, strseqbuf_m; 5607 5608 offset += sizeof(*fwd); 5609 5610 SCTP_INP_READ_LOCK(stcb->sctp_ep); 5611 if (asoc->idata_supported) { 5612 num_str = fwd_sz / sizeof(struct sctp_strseq_mid); 5613 } else { 5614 num_str = fwd_sz / sizeof(struct sctp_strseq); 5615 } 5616 for (i = 0; i < num_str; i++) { 5617 if (asoc->idata_supported) { 5618 stseq_m = (struct sctp_strseq_mid *)sctp_m_getptr(m, offset, 5619 sizeof(struct sctp_strseq_mid), 5620 (uint8_t *)&strseqbuf_m); 5621 offset += sizeof(struct sctp_strseq_mid); 5622 if (stseq_m == NULL) { 5623 break; 5624 } 5625 sid = ntohs(stseq_m->sid); 5626 mid = ntohl(stseq_m->mid); 5627 flags = ntohs(stseq_m->flags); 5628 if (flags & PR_SCTP_UNORDERED_FLAG) { 5629 ordered = 0; 5630 } else { 5631 ordered = 1; 5632 } 5633 } else { 5634 stseq = (struct sctp_strseq *)sctp_m_getptr(m, offset, 5635 sizeof(struct sctp_strseq), 5636 (uint8_t *)&strseqbuf); 5637 offset += sizeof(struct sctp_strseq); 5638 if (stseq == NULL) { 5639 break; 5640 } 5641 sid = ntohs(stseq->sid); 5642 mid = (uint32_t)ntohs(stseq->ssn); 5643 ordered = 1; 5644 } 5645 /* Convert */ 5646 5647 /* now process */ 5648 5649 /* 5650 * Ok we now look for the stream/seq on the read 5651 * queue where its not all delivered. If we find it 5652 * we transmute the read entry into a PDI_ABORTED. 5653 */ 5654 if (sid >= asoc->streamincnt) { 5655 /* screwed up streams, stop! */ 5656 break; 5657 } 5658 if ((asoc->str_of_pdapi == sid) && 5659 (asoc->ssn_of_pdapi == mid)) { 5660 /* 5661 * If this is the one we were partially 5662 * delivering now then we no longer are. 5663 * Note this will change with the reassembly 5664 * re-write. 5665 */ 5666 asoc->fragmented_delivery_inprogress = 0; 5667 } 5668 strm = &asoc->strmin[sid]; 5669 for (cur_mid = strm->last_mid_delivered; SCTP_MID_GE(asoc->idata_supported, mid, cur_mid); cur_mid++) { 5670 sctp_flush_reassm_for_str_seq(stcb, asoc, sid, cur_mid, ordered, new_cum_tsn); 5671 } 5672 TAILQ_FOREACH(control, &stcb->sctp_ep->read_queue, next) { 5673 if ((control->sinfo_stream == sid) && 5674 (SCTP_MID_EQ(asoc->idata_supported, control->mid, mid))) { 5675 str_seq = (sid << 16) | (0x0000ffff & mid); 5676 control->pdapi_aborted = 1; 5677 sv = stcb->asoc.control_pdapi; 5678 control->end_added = 1; 5679 if (control->on_strm_q == SCTP_ON_ORDERED) { 5680 TAILQ_REMOVE(&strm->inqueue, control, next_instrm); 5681 if (asoc->size_on_all_streams >= control->length) { 5682 asoc->size_on_all_streams -= control->length; 5683 } else { 5684 #ifdef INVARIANTS 5685 panic("size_on_all_streams = %u smaller than control length %u", asoc->size_on_all_streams, control->length); 5686 #else 5687 asoc->size_on_all_streams = 0; 5688 #endif 5689 } 5690 sctp_ucount_decr(asoc->cnt_on_all_streams); 5691 } else if (control->on_strm_q == SCTP_ON_UNORDERED) { 5692 TAILQ_REMOVE(&strm->uno_inqueue, control, next_instrm); 5693 #ifdef INVARIANTS 5694 } else if (control->on_strm_q) { 5695 panic("strm: %p ctl: %p unknown %d", 5696 strm, control, control->on_strm_q); 5697 #endif 5698 } 5699 control->on_strm_q = 0; 5700 stcb->asoc.control_pdapi = control; 5701 sctp_ulp_notify(SCTP_NOTIFY_PARTIAL_DELVIERY_INDICATION, 5702 stcb, 5703 SCTP_PARTIAL_DELIVERY_ABORTED, 5704 (void *)&str_seq, 5705 SCTP_SO_NOT_LOCKED); 5706 stcb->asoc.control_pdapi = sv; 5707 break; 5708 } else if ((control->sinfo_stream == sid) && 5709 SCTP_MID_GT(asoc->idata_supported, control->mid, mid)) { 5710 /* We are past our victim SSN */ 5711 break; 5712 } 5713 } 5714 if (SCTP_MID_GT(asoc->idata_supported, mid, strm->last_mid_delivered)) { 5715 /* Update the sequence number */ 5716 strm->last_mid_delivered = mid; 5717 } 5718 /* now kick the stream the new way */ 5719 /* sa_ignore NO_NULL_CHK */ 5720 sctp_kick_prsctp_reorder_queue(stcb, strm); 5721 } 5722 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 5723 } 5724 /* 5725 * Now slide thing forward. 5726 */ 5727 sctp_slide_mapping_arrays(stcb); 5728 } 5729