1 /*- 2 * Copyright (c) 2001-2006, Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 36 #include "opt_ipsec.h" 37 #include "opt_compat.h" 38 #include "opt_inet6.h" 39 #include "opt_inet.h" 40 #include "opt_sctp.h" 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/malloc.h> 45 #include <sys/mbuf.h> 46 #include <sys/socket.h> 47 #include <sys/socketvar.h> 48 #include <sys/sysctl.h> 49 #include <sys/domain.h> 50 #include <sys/protosw.h> 51 #include <sys/kernel.h> 52 #include <sys/errno.h> 53 #include <sys/syslog.h> 54 55 #include <sys/limits.h> 56 #include <machine/cpu.h> 57 58 #include <net/if.h> 59 #include <net/route.h> 60 #include <net/if_types.h> 61 62 #include <netinet/in.h> 63 #include <netinet/in_systm.h> 64 #include <netinet/ip.h> 65 #include <netinet/in_pcb.h> 66 #include <netinet/in_var.h> 67 #include <netinet/ip_var.h> 68 69 #ifdef INET6 70 #include <netinet/ip6.h> 71 #include <netinet6/ip6_var.h> 72 #endif /* INET6 */ 73 74 #include <netinet/ip_icmp.h> 75 #include <netinet/icmp_var.h> 76 77 #include <netinet/sctp_os.h> 78 #include <netinet/sctp_var.h> 79 #include <netinet/sctp_pcb.h> 80 #include <netinet/sctp_header.h> 81 #include <netinet/sctputil.h> 82 #include <netinet/sctp_output.h> 83 #include <netinet/sctp_input.h> 84 #include <netinet/sctp_auth.h> 85 #include <netinet/sctp_indata.h> 86 #include <netinet/sctp_asconf.h> 87 88 #include <netinet/ip_options.h> 89 90 91 #ifdef IPSEC 92 #include <netinet6/ipsec.h> 93 #include <netkey/key.h> 94 #endif /* IPSEC */ 95 96 97 #ifdef SCTP_DEBUG 98 extern uint32_t sctp_debug_on; 99 100 #endif 101 102 103 104 105 struct sctp_foo_stuff sctp_logoff[30000]; 106 int sctp_logoff_stuff = 0; 107 108 109 static void 110 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 111 { 112 struct sctp_nets *net; 113 114 /* 115 * This now not only stops all cookie timers it also stops any INIT 116 * timers as well. This will make sure that the timers are stopped 117 * in all collision cases. 118 */ 119 SCTP_TCB_LOCK_ASSERT(stcb); 120 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 121 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 122 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 123 stcb->sctp_ep, 124 stcb, 125 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 126 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 127 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 128 stcb->sctp_ep, 129 stcb, 130 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 131 } 132 } 133 } 134 135 /* INIT handler */ 136 static void 137 sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 138 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 139 struct sctp_nets *net) 140 { 141 struct sctp_init *init; 142 struct mbuf *op_err; 143 uint32_t init_limit; 144 145 #ifdef SCTP_DEBUG 146 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 147 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 148 } 149 #endif 150 op_err = NULL; 151 init = &cp->init; 152 /* First are we accepting? */ 153 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 154 #ifdef SCTP_DEBUG 155 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 156 printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit); 157 } 158 #endif 159 /* 160 * FIX ME ?? What about TCP model and we have a 161 * match/restart case? 162 */ 163 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 164 return; 165 } 166 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 167 /* Invalid length */ 168 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 169 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 170 return; 171 } 172 /* validate parameters */ 173 if (init->initiate_tag == 0) { 174 /* protocol error... send abort */ 175 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 176 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 177 return; 178 } 179 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 180 /* invalid parameter... send abort */ 181 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 182 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 183 return; 184 } 185 if (init->num_inbound_streams == 0) { 186 /* protocol error... send abort */ 187 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 188 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 189 return; 190 } 191 if (init->num_outbound_streams == 0) { 192 /* protocol error... send abort */ 193 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 194 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 195 return; 196 } 197 init_limit = offset + ntohs(cp->ch.chunk_length); 198 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 199 init_limit)) { 200 /* auth parameter(s) error... send abort */ 201 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL); 202 return; 203 } 204 /* send an INIT-ACK w/cookie */ 205 #ifdef SCTP_DEBUG 206 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 207 printf("sctp_handle_init: sending INIT-ACK\n"); 208 } 209 #endif 210 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 211 } 212 213 /* 214 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 215 */ 216 static int 217 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 218 struct sctp_nets *net) 219 { 220 struct sctp_init *init; 221 struct sctp_association *asoc; 222 struct sctp_nets *lnet; 223 unsigned int i; 224 225 init = &cp->init; 226 asoc = &stcb->asoc; 227 /* save off parameters */ 228 asoc->peer_vtag = ntohl(init->initiate_tag); 229 asoc->peers_rwnd = ntohl(init->a_rwnd); 230 if (TAILQ_FIRST(&asoc->nets)) { 231 /* update any ssthresh's that may have a default */ 232 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 233 lnet->ssthresh = asoc->peers_rwnd; 234 235 #if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 236 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 237 #endif 238 239 } 240 } 241 SCTP_TCB_SEND_LOCK(stcb); 242 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 243 unsigned int newcnt; 244 struct sctp_stream_out *outs; 245 struct sctp_stream_queue_pending *sp; 246 247 /* cut back on number of streams */ 248 newcnt = ntohs(init->num_inbound_streams); 249 /* This if is probably not needed but I am cautious */ 250 if (asoc->strmout) { 251 /* First make sure no data chunks are trapped */ 252 for (i = newcnt; i < asoc->pre_open_streams; i++) { 253 outs = &asoc->strmout[i]; 254 sp = TAILQ_FIRST(&outs->outqueue); 255 while (sp) { 256 TAILQ_REMOVE(&outs->outqueue, sp, 257 next); 258 asoc->stream_queue_cnt--; 259 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 260 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 261 sp); 262 if (sp->data) { 263 sctp_m_freem(sp->data); 264 sp->data = NULL; 265 } 266 sctp_free_remote_addr(sp->net); 267 sp->net = NULL; 268 /* Free the chunk */ 269 printf("sp:%p tcb:%p weird free case\n", 270 sp, stcb); 271 272 sctp_free_a_strmoq(stcb, sp); 273 sp = TAILQ_FIRST(&outs->outqueue); 274 } 275 } 276 } 277 /* cut back the count and abandon the upper streams */ 278 asoc->pre_open_streams = newcnt; 279 } 280 SCTP_TCB_SEND_UNLOCK(stcb); 281 asoc->streamoutcnt = asoc->pre_open_streams; 282 /* init tsn's */ 283 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 284 #ifdef SCTP_MAP_LOGGING 285 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 286 #endif 287 /* This is the next one we expect */ 288 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 289 290 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 291 asoc->cumulative_tsn = asoc->asconf_seq_in; 292 asoc->last_echo_tsn = asoc->asconf_seq_in; 293 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 294 /* open the requested streams */ 295 if (asoc->strmin != NULL) { 296 /* Free the old ones */ 297 struct sctp_queued_to_read *ctl; 298 299 for (i = 0; i < asoc->streamincnt; i++) { 300 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 301 while (ctl) { 302 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 303 sctp_free_remote_addr(ctl->whoFrom); 304 sctp_m_freem(ctl->data); 305 ctl->data = NULL; 306 sctp_free_a_readq(stcb, ctl); 307 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 308 } 309 } 310 SCTP_FREE(asoc->strmin); 311 } 312 asoc->streamincnt = ntohs(init->num_outbound_streams); 313 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 314 asoc->streamincnt = MAX_SCTP_STREAMS; 315 } 316 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 317 sizeof(struct sctp_stream_in), "StreamsIn"); 318 if (asoc->strmin == NULL) { 319 /* we didn't get memory for the streams! */ 320 #ifdef SCTP_DEBUG 321 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 322 printf("process_init: couldn't get memory for the streams!\n"); 323 } 324 #endif 325 return (-1); 326 } 327 for (i = 0; i < asoc->streamincnt; i++) { 328 asoc->strmin[i].stream_no = i; 329 asoc->strmin[i].last_sequence_delivered = 0xffff; 330 /* 331 * U-stream ranges will be set when the cookie is unpacked. 332 * Or for the INIT sender they are un set (if pr-sctp not 333 * supported) when the INIT-ACK arrives. 334 */ 335 TAILQ_INIT(&asoc->strmin[i].inqueue); 336 /* 337 * we are not on any wheel, pr-sctp streams will go on the 338 * wheel when they have data waiting for reorder. 339 */ 340 asoc->strmin[i].next_spoke.tqe_next = 0; 341 asoc->strmin[i].next_spoke.tqe_prev = 0; 342 } 343 344 /* 345 * load_address_from_init will put the addresses into the 346 * association when the COOKIE is processed or the INIT-ACK is 347 * processed. Both types of COOKIE's existing and new call this 348 * routine. It will remove addresses that are no longer in the 349 * association (for the restarting case where addresses are 350 * removed). Up front when the INIT arrives we will discard it if it 351 * is a restart and new addresses have been added. 352 */ 353 return (0); 354 } 355 356 /* 357 * INIT-ACK message processing/consumption returns value < 0 on error 358 */ 359 static int 360 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 361 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 362 struct sctp_nets *net) 363 { 364 struct sctp_association *asoc; 365 struct mbuf *op_err; 366 int retval, abort_flag; 367 uint32_t initack_limit; 368 369 /* First verify that we have no illegal param's */ 370 abort_flag = 0; 371 op_err = NULL; 372 373 op_err = sctp_arethere_unrecognized_parameters(m, 374 (offset + sizeof(struct sctp_init_chunk)), 375 &abort_flag, (struct sctp_chunkhdr *)cp); 376 if (abort_flag) { 377 /* Send an abort and notify peer */ 378 if (op_err != NULL) { 379 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 380 } else { 381 /* 382 * Just notify (abort_assoc does this if we send an 383 * abort). 384 */ 385 sctp_abort_notification(stcb, 0); 386 /* 387 * No sense in further INIT's since we will get the 388 * same param back 389 */ 390 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3); 391 } 392 return (-1); 393 } 394 asoc = &stcb->asoc; 395 /* process the peer's parameters in the INIT-ACK */ 396 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 397 if (retval < 0) { 398 return (retval); 399 } 400 initack_limit = offset + ntohs(cp->ch.chunk_length); 401 /* load all addresses */ 402 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 403 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 404 NULL))) { 405 /* Huh, we should abort */ 406 #ifdef SCTP_DEBUG 407 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 408 printf("Load addresses from INIT causes an abort %d\n", retval); 409 } 410 #endif 411 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 412 NULL); 413 return (-1); 414 } 415 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 416 stcb->asoc.local_hmacs); 417 if (op_err) { 418 sctp_queue_op_err(stcb, op_err); 419 /* queuing will steal away the mbuf chain to the out queue */ 420 op_err = NULL; 421 } 422 /* extract the cookie and queue it to "echo" it back... */ 423 stcb->asoc.overall_error_count = 0; 424 net->error_count = 0; 425 426 /* 427 * Cancel the INIT timer, We do this first before queueing the 428 * cookie. We always cancel at the primary to assue that we are 429 * canceling the timer started by the INIT which always goes to the 430 * primary. 431 */ 432 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 433 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 434 435 /* calculate the RTO */ 436 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 437 438 retval = sctp_send_cookie_echo(m, offset, stcb, net); 439 if (retval < 0) { 440 /* 441 * No cookie, we probably should send a op error. But in any 442 * case if there is no cookie in the INIT-ACK, we can 443 * abandon the peer, its broke. 444 */ 445 if (retval == -3) { 446 /* We abort with an error of missing mandatory param */ 447 struct mbuf *op_err; 448 449 op_err = 450 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 451 if (op_err) { 452 /* 453 * Expand beyond to include the mandatory 454 * param cookie 455 */ 456 struct sctp_inv_mandatory_param *mp; 457 458 op_err->m_len = 459 sizeof(struct sctp_inv_mandatory_param); 460 mp = mtod(op_err, 461 struct sctp_inv_mandatory_param *); 462 /* Subtract the reserved param */ 463 mp->length = 464 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 465 mp->num_param = htonl(1); 466 mp->param = htons(SCTP_STATE_COOKIE); 467 mp->resv = 0; 468 } 469 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 470 sh, op_err); 471 } 472 return (retval); 473 } 474 return (0); 475 } 476 477 static void 478 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 479 struct sctp_tcb *stcb, struct sctp_nets *net) 480 { 481 struct sockaddr_storage store; 482 struct sockaddr_in *sin; 483 struct sockaddr_in6 *sin6; 484 struct sctp_nets *r_net; 485 struct timeval tv; 486 487 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 488 /* Invalid length */ 489 return; 490 } 491 sin = (struct sockaddr_in *)&store; 492 sin6 = (struct sockaddr_in6 *)&store; 493 494 memset(&store, 0, sizeof(store)); 495 if (cp->heartbeat.hb_info.addr_family == AF_INET && 496 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 497 sin->sin_family = cp->heartbeat.hb_info.addr_family; 498 sin->sin_len = cp->heartbeat.hb_info.addr_len; 499 sin->sin_port = stcb->rport; 500 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 501 sizeof(sin->sin_addr)); 502 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 503 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 504 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 505 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 506 sin6->sin6_port = stcb->rport; 507 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 508 sizeof(sin6->sin6_addr)); 509 } else { 510 return; 511 } 512 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 513 if (r_net == NULL) { 514 #ifdef SCTP_DEBUG 515 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 516 printf("Huh? I can't find the address I sent it to, discard\n"); 517 } 518 #endif 519 return; 520 } 521 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 522 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 523 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 524 /* 525 * If the its a HB and it's random value is correct when can 526 * confirm the destination. 527 */ 528 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 529 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 530 stcb, 0, (void *)r_net); 531 } 532 r_net->error_count = 0; 533 r_net->hb_responded = 1; 534 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 535 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 536 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 537 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 538 r_net->dest_state |= SCTP_ADDR_REACHABLE; 539 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 540 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 541 /* now was it the primary? if so restore */ 542 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 543 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 544 } 545 } 546 /* Now lets do a RTO with this */ 547 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 548 } 549 550 static void 551 sctp_handle_abort(struct sctp_abort_chunk *cp, 552 struct sctp_tcb *stcb, struct sctp_nets *net) 553 { 554 555 #ifdef SCTP_DEBUG 556 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 557 printf("sctp_handle_abort: handling ABORT\n"); 558 } 559 #endif 560 if (stcb == NULL) 561 return; 562 /* verify that the destination addr is in the association */ 563 /* ignore abort for addresses being deleted */ 564 565 /* stop any receive timers */ 566 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 567 /* notify user of the abort and clean up... */ 568 sctp_abort_notification(stcb, 0); 569 /* free the tcb */ 570 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 571 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 572 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 573 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 574 } 575 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 576 #ifdef SCTP_DEBUG 577 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 578 printf("sctp_handle_abort: finished\n"); 579 } 580 #endif 581 } 582 583 static void 584 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 585 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 586 { 587 struct sctp_association *asoc; 588 int some_on_streamwheel; 589 590 #ifdef SCTP_DEBUG 591 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 592 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 593 } 594 #endif 595 if (stcb == NULL) 596 return; 597 asoc = &stcb->asoc; 598 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 599 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 600 return; 601 } 602 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 603 /* Shutdown NOT the expected size */ 604 return; 605 } else { 606 sctp_update_acked(stcb, cp, net, abort_flag); 607 } 608 if (asoc->control_pdapi) { 609 /* 610 * With a normal shutdown we assume the end of last record. 611 */ 612 SCTP_INP_READ_LOCK(stcb->sctp_ep); 613 asoc->control_pdapi->end_added = 1; 614 asoc->control_pdapi->pdapi_aborted = 1; 615 if (asoc->control_pdapi->tail_mbuf) { 616 asoc->control_pdapi->tail_mbuf->m_flags |= M_EOR; 617 } 618 asoc->control_pdapi = NULL; 619 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 620 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 621 } 622 /* goto SHUTDOWN_RECEIVED state to block new requests */ 623 if (stcb->sctp_socket) { 624 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 625 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 626 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 627 /* 628 * notify upper layer that peer has initiated a 629 * shutdown 630 */ 631 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 632 633 /* reset time */ 634 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 635 } 636 } 637 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 638 /* 639 * stop the shutdown timer, since we WILL move to 640 * SHUTDOWN-ACK-SENT. 641 */ 642 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 643 } 644 /* Now are we there yet? */ 645 some_on_streamwheel = 0; 646 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 647 /* Check to see if some data queued */ 648 struct sctp_stream_out *outs; 649 650 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 651 if (!TAILQ_EMPTY(&outs->outqueue)) { 652 some_on_streamwheel = 1; 653 break; 654 } 655 } 656 } 657 if (!TAILQ_EMPTY(&asoc->send_queue) || 658 !TAILQ_EMPTY(&asoc->sent_queue) || 659 some_on_streamwheel) { 660 /* By returning we will push more data out */ 661 return; 662 } else { 663 /* no outstanding data to send, so move on... */ 664 /* send SHUTDOWN-ACK */ 665 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 666 /* move to SHUTDOWN-ACK-SENT state */ 667 if (asoc->state == SCTP_STATE_SHUTDOWN_RECEIVED) { 668 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 669 } 670 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 671 672 /* start SHUTDOWN timer */ 673 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 674 stcb, net); 675 } 676 } 677 678 static void 679 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 680 struct sctp_tcb *stcb, struct sctp_nets *net) 681 { 682 struct sctp_association *asoc; 683 684 #ifdef SCTP_DEBUG 685 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 686 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 687 } 688 #endif 689 if (stcb == NULL) 690 return; 691 692 asoc = &stcb->asoc; 693 /* process according to association state */ 694 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 695 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 696 /* unexpected SHUTDOWN-ACK... so ignore... */ 697 SCTP_TCB_UNLOCK(stcb); 698 return; 699 } 700 if (asoc->control_pdapi) { 701 /* 702 * With a normal shutdown we assume the end of last record. 703 */ 704 SCTP_INP_READ_LOCK(stcb->sctp_ep); 705 asoc->control_pdapi->end_added = 1; 706 asoc->control_pdapi->pdapi_aborted = 1; 707 if (asoc->control_pdapi->tail_mbuf) { 708 asoc->control_pdapi->tail_mbuf->m_flags |= M_EOR; 709 } 710 asoc->control_pdapi = NULL; 711 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 712 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 713 } 714 /* are the queues empty? */ 715 if (!TAILQ_EMPTY(&asoc->send_queue) || 716 !TAILQ_EMPTY(&asoc->sent_queue) || 717 !TAILQ_EMPTY(&asoc->out_wheel)) { 718 sctp_report_all_outbound(stcb, 0); 719 } 720 /* stop the timer */ 721 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 722 /* send SHUTDOWN-COMPLETE */ 723 sctp_send_shutdown_complete(stcb, net); 724 /* notify upper layer protocol */ 725 if (stcb->sctp_socket) { 726 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 727 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 728 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 729 /* Set the connected flag to disconnected */ 730 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 731 } 732 } 733 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 734 /* free the TCB but first save off the ep */ 735 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 736 SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 737 } 738 739 /* 740 * Skip past the param header and then we will find the chunk that caused the 741 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 742 * our peer must be broken. 743 */ 744 static void 745 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 746 struct sctp_nets *net) 747 { 748 struct sctp_chunkhdr *chk; 749 750 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 751 switch (chk->chunk_type) { 752 case SCTP_ASCONF_ACK: 753 case SCTP_ASCONF: 754 sctp_asconf_cleanup(stcb, net); 755 break; 756 case SCTP_FORWARD_CUM_TSN: 757 stcb->asoc.peer_supports_prsctp = 0; 758 break; 759 default: 760 #ifdef SCTP_DEBUG 761 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 762 printf("Peer does not support chunk type %d(%x)??\n", 763 chk->chunk_type, (uint32_t) chk->chunk_type); 764 } 765 #endif 766 break; 767 } 768 } 769 770 /* 771 * Skip past the param header and then we will find the param that caused the 772 * problem. There are a number of param's in a ASCONF OR the prsctp param 773 * these will turn of specific features. 774 */ 775 static void 776 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 777 { 778 struct sctp_paramhdr *pbad; 779 780 pbad = phdr + 1; 781 switch (ntohs(pbad->param_type)) { 782 /* pr-sctp draft */ 783 case SCTP_PRSCTP_SUPPORTED: 784 stcb->asoc.peer_supports_prsctp = 0; 785 break; 786 case SCTP_SUPPORTED_CHUNK_EXT: 787 break; 788 /* draft-ietf-tsvwg-addip-sctp */ 789 case SCTP_ECN_NONCE_SUPPORTED: 790 stcb->asoc.peer_supports_ecn_nonce = 0; 791 stcb->asoc.ecn_nonce_allowed = 0; 792 stcb->asoc.ecn_allowed = 0; 793 break; 794 case SCTP_ADD_IP_ADDRESS: 795 case SCTP_DEL_IP_ADDRESS: 796 case SCTP_SET_PRIM_ADDR: 797 stcb->asoc.peer_supports_asconf = 0; 798 break; 799 case SCTP_SUCCESS_REPORT: 800 case SCTP_ERROR_CAUSE_IND: 801 #ifdef SCTP_DEBUG 802 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 803 printf("Huh, the peer does not support success? or error cause?\n"); 804 printf("Turning off ASCONF to this strange peer\n"); 805 } 806 #endif 807 stcb->asoc.peer_supports_asconf = 0; 808 break; 809 default: 810 #ifdef SCTP_DEBUG 811 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 812 printf("Peer does not support param type %d(%x)??\n", 813 pbad->param_type, (uint32_t) pbad->param_type); 814 } 815 #endif 816 break; 817 } 818 } 819 820 static int 821 sctp_handle_error(struct sctp_chunkhdr *ch, 822 struct sctp_tcb *stcb, struct sctp_nets *net) 823 { 824 int chklen; 825 struct sctp_paramhdr *phdr; 826 uint16_t error_type; 827 uint16_t error_len; 828 struct sctp_association *asoc; 829 830 int adjust; 831 832 /* parse through all of the errors and process */ 833 asoc = &stcb->asoc; 834 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 835 sizeof(struct sctp_chunkhdr)); 836 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 837 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 838 /* Process an Error Cause */ 839 error_type = ntohs(phdr->param_type); 840 error_len = ntohs(phdr->param_length); 841 if ((error_len > chklen) || (error_len == 0)) { 842 /* invalid param length for this param */ 843 #ifdef SCTP_DEBUG 844 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 845 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 846 chklen, error_len); 847 } 848 #endif /* SCTP_DEBUG */ 849 return (0); 850 } 851 switch (error_type) { 852 case SCTP_CAUSE_INVALID_STREAM: 853 case SCTP_CAUSE_MISSING_PARAM: 854 case SCTP_CAUSE_INVALID_PARAM: 855 case SCTP_CAUSE_NO_USER_DATA: 856 #ifdef SCTP_DEBUG 857 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 858 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 859 error_type); 860 } 861 #endif 862 break; 863 case SCTP_CAUSE_STALE_COOKIE: 864 /* 865 * We only act if we have echoed a cookie and are 866 * waiting. 867 */ 868 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 869 int *p; 870 871 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 872 /* Save the time doubled */ 873 asoc->cookie_preserve_req = ntohl(*p) << 1; 874 asoc->stale_cookie_count++; 875 if (asoc->stale_cookie_count > 876 asoc->max_init_times) { 877 sctp_abort_notification(stcb, 0); 878 /* now free the asoc */ 879 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 880 return (-1); 881 } 882 /* blast back to INIT state */ 883 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 884 asoc->state |= SCTP_STATE_COOKIE_WAIT; 885 886 sctp_stop_all_cookie_timers(stcb); 887 sctp_send_initiate(stcb->sctp_ep, stcb); 888 } 889 break; 890 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 891 /* 892 * Nothing we can do here, we don't do hostname 893 * addresses so if the peer does not like my IPv6 894 * (or IPv4 for that matter) it does not matter. If 895 * they don't support that type of address, they can 896 * NOT possibly get that packet type... i.e. with no 897 * IPv6 you can't recieve a IPv6 packet. so we can 898 * safely ignore this one. If we ever added support 899 * for HOSTNAME Addresses, then we would need to do 900 * something here. 901 */ 902 break; 903 case SCTP_CAUSE_UNRECOG_CHUNK: 904 sctp_process_unrecog_chunk(stcb, phdr, net); 905 break; 906 case SCTP_CAUSE_UNRECOG_PARAM: 907 sctp_process_unrecog_param(stcb, phdr); 908 break; 909 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 910 /* 911 * We ignore this since the timer will drive out a 912 * new cookie anyway and there timer will drive us 913 * to send a SHUTDOWN_COMPLETE. We can't send one 914 * here since we don't have their tag. 915 */ 916 break; 917 case SCTP_CAUSE_DELETING_LAST_ADDR: 918 case SCTP_CAUSE_RESOURCE_SHORTAGE: 919 case SCTP_CAUSE_DELETING_SRC_ADDR: 920 /* 921 * We should NOT get these here, but in a 922 * ASCONF-ACK. n 923 */ 924 #ifdef SCTP_DEBUG 925 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 926 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 927 error_type); 928 } 929 #endif 930 break; 931 case SCTP_CAUSE_OUT_OF_RESC: 932 /* 933 * And what, pray tell do we do with the fact that 934 * the peer is out of resources? Not really sure we 935 * could do anything but abort. I suspect this n * 936 * should have came WITH an abort instead of in a 937 * OP-ERROR. 938 */ 939 break; 940 default: 941 #ifdef SCTP_DEBUG 942 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 943 /* don't know what this error cause is... */ 944 printf("sctp_handle_error: unknown error type = 0x%xh\n", 945 error_type); 946 } 947 #endif /* SCTP_DEBUG */ 948 break; 949 } 950 adjust = SCTP_SIZE32(error_len); 951 chklen -= adjust; 952 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 953 } 954 return (0); 955 } 956 957 static int 958 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 959 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 960 struct sctp_nets *net) 961 { 962 struct sctp_init_ack *init_ack; 963 int *state; 964 struct mbuf *op_err; 965 966 #ifdef SCTP_DEBUG 967 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 968 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 969 } 970 #endif 971 if (stcb == NULL) { 972 #ifdef SCTP_DEBUG 973 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 974 printf("sctp_handle_init_ack: TCB is null\n"); 975 } 976 #endif 977 return (-1); 978 } 979 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 980 /* Invalid length */ 981 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 982 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 983 op_err); 984 return (-1); 985 } 986 init_ack = &cp->init; 987 /* validate parameters */ 988 if (init_ack->initiate_tag == 0) { 989 /* protocol error... send an abort */ 990 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 991 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 992 op_err); 993 return (-1); 994 } 995 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 996 /* protocol error... send an abort */ 997 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 998 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 999 op_err); 1000 return (-1); 1001 } 1002 if (init_ack->num_inbound_streams == 0) { 1003 /* protocol error... send an abort */ 1004 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1005 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1006 op_err); 1007 return (-1); 1008 } 1009 if (init_ack->num_outbound_streams == 0) { 1010 /* protocol error... send an abort */ 1011 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 1012 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 1013 op_err); 1014 return (-1); 1015 } 1016 /* process according to association state... */ 1017 state = &stcb->asoc.state; 1018 switch (*state & SCTP_STATE_MASK) { 1019 case SCTP_STATE_COOKIE_WAIT: 1020 /* this is the expected state for this chunk */ 1021 /* process the INIT-ACK parameters */ 1022 if (stcb->asoc.primary_destination->dest_state & 1023 SCTP_ADDR_UNCONFIRMED) { 1024 /* 1025 * The primary is where we sent the INIT, we can 1026 * always consider it confirmed when the INIT-ACK is 1027 * returned. Do this before we load addresses 1028 * though. 1029 */ 1030 stcb->asoc.primary_destination->dest_state &= 1031 ~SCTP_ADDR_UNCONFIRMED; 1032 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1033 stcb, 0, (void *)stcb->asoc.primary_destination); 1034 } 1035 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net 1036 ) < 0) { 1037 /* error in parsing parameters */ 1038 return (-1); 1039 } 1040 /* update our state */ 1041 #ifdef SCTP_DEBUG 1042 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1043 printf("moving to COOKIE-ECHOED state\n"); 1044 } 1045 #endif 1046 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 1047 *state = SCTP_STATE_COOKIE_ECHOED | 1048 SCTP_STATE_SHUTDOWN_PENDING; 1049 } else { 1050 *state = SCTP_STATE_COOKIE_ECHOED; 1051 } 1052 1053 /* reset the RTO calc */ 1054 stcb->asoc.overall_error_count = 0; 1055 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1056 /* 1057 * collapse the init timer back in case of a exponential 1058 * backoff 1059 */ 1060 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1061 stcb, net); 1062 /* 1063 * the send at the end of the inbound data processing will 1064 * cause the cookie to be sent 1065 */ 1066 break; 1067 case SCTP_STATE_SHUTDOWN_SENT: 1068 /* incorrect state... discard */ 1069 break; 1070 case SCTP_STATE_COOKIE_ECHOED: 1071 /* incorrect state... discard */ 1072 break; 1073 case SCTP_STATE_OPEN: 1074 /* incorrect state... discard */ 1075 break; 1076 case SCTP_STATE_EMPTY: 1077 case SCTP_STATE_INUSE: 1078 default: 1079 /* incorrect state... discard */ 1080 return (-1); 1081 break; 1082 } /* end switch asoc state */ 1083 #ifdef SCTP_DEBUG 1084 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1085 printf("Leaving handle-init-ack end\n"); 1086 } 1087 #endif 1088 return (0); 1089 } 1090 1091 1092 /* 1093 * handle a state cookie for an existing association m: input packet mbuf 1094 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1095 * "split" mbuf and the cookie signature does not exist offset: offset into 1096 * mbuf to the cookie-echo chunk 1097 */ 1098 static struct sctp_tcb * 1099 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1100 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1101 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1102 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id) 1103 { 1104 struct sctp_association *asoc; 1105 struct sctp_init_chunk *init_cp, init_buf; 1106 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1107 int chk_length; 1108 int init_offset, initack_offset, i; 1109 int retval; 1110 int spec_flag = 0; 1111 1112 /* I know that the TCB is non-NULL from the caller */ 1113 asoc = &stcb->asoc; 1114 1115 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1116 /* SHUTDOWN came in after sending INIT-ACK */ 1117 struct mbuf *op_err; 1118 struct sctp_paramhdr *ph; 1119 1120 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1121 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1122 1, M_DONTWAIT, 1, MT_DATA); 1123 if (op_err == NULL) { 1124 /* FOOBAR */ 1125 return (NULL); 1126 } 1127 /* pre-reserve some space */ 1128 op_err->m_data += sizeof(struct ip6_hdr); 1129 op_err->m_data += sizeof(struct sctphdr); 1130 op_err->m_data += sizeof(struct sctp_chunkhdr); 1131 /* Set the len */ 1132 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_paramhdr); 1133 ph = mtod(op_err, struct sctp_paramhdr *); 1134 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1135 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1136 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1137 return (NULL); 1138 } 1139 /* 1140 * find and validate the INIT chunk in the cookie (peer's info) the 1141 * INIT should start after the cookie-echo header struct (chunk 1142 * header, state cookie header struct) 1143 */ 1144 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1145 1146 init_cp = (struct sctp_init_chunk *) 1147 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1148 (uint8_t *) & init_buf); 1149 if (init_cp == NULL) { 1150 /* could not pull a INIT chunk in cookie */ 1151 return (NULL); 1152 } 1153 chk_length = ntohs(init_cp->ch.chunk_length); 1154 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1155 return (NULL); 1156 } 1157 /* 1158 * find and validate the INIT-ACK chunk in the cookie (my info) the 1159 * INIT-ACK follows the INIT chunk 1160 */ 1161 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1162 initack_cp = (struct sctp_init_ack_chunk *) 1163 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1164 (uint8_t *) & initack_buf); 1165 if (initack_cp == NULL) { 1166 /* could not pull INIT-ACK chunk in cookie */ 1167 return (NULL); 1168 } 1169 chk_length = ntohs(initack_cp->ch.chunk_length); 1170 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1171 return (NULL); 1172 } 1173 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1174 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1175 /* 1176 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1177 * to get into the OPEN state 1178 */ 1179 switch SCTP_GET_STATE 1180 (asoc) { 1181 case SCTP_STATE_COOKIE_WAIT: 1182 /* 1183 * INIT was sent, but got got a COOKIE_ECHO with the 1184 * correct tags... just accept it... 1185 */ 1186 /* First we must process the INIT !! */ 1187 retval = sctp_process_init(init_cp, stcb, net); 1188 if (retval < 0) { 1189 return (NULL); 1190 } 1191 /* intentional fall through to below... */ 1192 1193 case SCTP_STATE_COOKIE_ECHOED: 1194 /* Duplicate INIT case */ 1195 /* we have already processed the INIT so no problem */ 1196 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1197 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1198 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1199 /* update current state */ 1200 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1201 asoc->state = SCTP_STATE_OPEN | 1202 SCTP_STATE_SHUTDOWN_PENDING; 1203 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1204 stcb->sctp_ep, stcb, asoc->primary_destination); 1205 1206 } else if ((asoc->state & SCTP_STATE_SHUTDOWN_SENT) == 0) { 1207 /* if ok, move to OPEN state */ 1208 asoc->state = SCTP_STATE_OPEN; 1209 } 1210 sctp_stop_all_cookie_timers(stcb); 1211 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1212 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1213 (inp->sctp_socket->so_qlimit == 0) 1214 ) { 1215 /* 1216 * Here is where collision would go if we 1217 * did a connect() and instead got a 1218 * init/init-ack/cookie done before the 1219 * init-ack came back.. 1220 */ 1221 stcb->sctp_ep->sctp_flags |= 1222 SCTP_PCB_FLAGS_CONNECTED; 1223 soisconnected(stcb->sctp_ep->sctp_socket); 1224 } 1225 /* notify upper layer */ 1226 *notification = SCTP_NOTIFY_ASSOC_UP; 1227 /* 1228 * since we did not send a HB make sure we don't 1229 * double things 1230 */ 1231 net->hb_responded = 1; 1232 1233 if (stcb->asoc.sctp_autoclose_ticks && 1234 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1235 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1236 inp, stcb, NULL); 1237 } 1238 break; 1239 default: 1240 /* 1241 * we're in the OPEN state (or beyond), so peer must 1242 * have simply lost the COOKIE-ACK 1243 */ 1244 break; 1245 } /* end switch */ 1246 sctp_stop_all_cookie_timers(stcb); 1247 /* 1248 * We ignore the return code here.. not sure if we should 1249 * somehow abort.. but we do have an existing asoc. This 1250 * really should not fail. 1251 */ 1252 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1253 init_offset + sizeof(struct sctp_init_chunk), 1254 initack_offset, sh, init_src)) { 1255 return (NULL); 1256 } 1257 /* respond with a COOKIE-ACK */ 1258 sctp_toss_old_cookies(stcb, asoc); 1259 sctp_send_cookie_ack(stcb); 1260 return (stcb); 1261 } /* end if */ 1262 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1263 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1264 cookie->tie_tag_my_vtag == 0 && 1265 cookie->tie_tag_peer_vtag == 0) { 1266 /* 1267 * case C in Section 5.2.4 Table 2: XMOO silently discard 1268 */ 1269 return (NULL); 1270 } 1271 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1272 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1273 init_cp->init.initiate_tag == 0)) { 1274 /* 1275 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1276 * should be ok, re-accept peer info 1277 */ 1278 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1279 sctp_stop_all_cookie_timers(stcb); 1280 /* 1281 * since we did not send a HB make sure we don't double 1282 * things 1283 */ 1284 net->hb_responded = 1; 1285 if (stcb->asoc.sctp_autoclose_ticks && 1286 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1287 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1288 NULL); 1289 } 1290 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1291 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1292 1293 /* Note last_cwr_tsn? where is this used? */ 1294 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1295 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1296 /* 1297 * Ok the peer probably discarded our data (if we 1298 * echoed a cookie+data). So anything on the 1299 * sent_queue should be marked for retransmit, we 1300 * may not get something to kick us so it COULD 1301 * still take a timeout to move these.. but it can't 1302 * hurt to mark them. 1303 */ 1304 struct sctp_tmit_chunk *chk; 1305 1306 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1307 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1308 chk->sent = SCTP_DATAGRAM_RESEND; 1309 stcb->asoc.sent_queue_retran_cnt++; 1310 spec_flag++; 1311 } 1312 } 1313 1314 } 1315 /* process the INIT info (peer's info) */ 1316 retval = sctp_process_init(init_cp, stcb, net); 1317 if (retval < 0) { 1318 return (NULL); 1319 } 1320 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1321 init_offset + sizeof(struct sctp_init_chunk), 1322 initack_offset, sh, init_src)) { 1323 return (NULL); 1324 } 1325 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1326 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1327 *notification = SCTP_NOTIFY_ASSOC_UP; 1328 1329 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1330 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1331 (inp->sctp_socket->so_qlimit == 0)) { 1332 stcb->sctp_ep->sctp_flags |= 1333 SCTP_PCB_FLAGS_CONNECTED; 1334 soisconnected(stcb->sctp_ep->sctp_socket); 1335 } 1336 } 1337 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1338 asoc->state = SCTP_STATE_OPEN | 1339 SCTP_STATE_SHUTDOWN_PENDING; 1340 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1341 stcb->sctp_ep, stcb, asoc->primary_destination); 1342 1343 } else { 1344 asoc->state = SCTP_STATE_OPEN; 1345 } 1346 sctp_stop_all_cookie_timers(stcb); 1347 sctp_toss_old_cookies(stcb, asoc); 1348 sctp_send_cookie_ack(stcb); 1349 if (spec_flag) { 1350 /* 1351 * only if we have retrans set do we do this. What 1352 * this call does is get only the COOKIE-ACK out and 1353 * then when we return the normal call to 1354 * sctp_chunk_output will get the retrans out behind 1355 * this. 1356 */ 1357 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK); 1358 } 1359 return (stcb); 1360 } 1361 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1362 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1363 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1364 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1365 cookie->tie_tag_peer_vtag != 0) { 1366 struct sctpasochead *head; 1367 1368 /* 1369 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1370 */ 1371 /* temp code */ 1372 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1373 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1374 *sac_assoc_id = sctp_get_associd(stcb); 1375 /* notify upper layer */ 1376 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1377 atomic_add_int(&stcb->asoc.refcnt, 1); 1378 SCTP_TCB_UNLOCK(stcb); 1379 SCTP_INP_INFO_WLOCK(); 1380 SCTP_INP_WLOCK(stcb->sctp_ep); 1381 SCTP_TCB_LOCK(stcb); 1382 atomic_add_int(&stcb->asoc.refcnt, -1); 1383 /* send up all the data */ 1384 SCTP_TCB_SEND_LOCK(stcb); 1385 1386 sctp_report_all_outbound(stcb, 1); 1387 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1388 stcb->asoc.strmout[i].stream_no = i; 1389 stcb->asoc.strmout[i].next_sequence_sent = 0; 1390 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1391 } 1392 /* process the INIT-ACK info (my info) */ 1393 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1394 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1395 1396 /* pull from vtag hash */ 1397 LIST_REMOVE(stcb, sctp_asocs); 1398 /* re-insert to new vtag position */ 1399 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1400 sctppcbinfo.hashasocmark)]; 1401 /* 1402 * put it in the bucket in the vtag hash of assoc's for the 1403 * system 1404 */ 1405 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1406 1407 /* Is this the first restart? */ 1408 if (stcb->asoc.in_restart_hash == 0) { 1409 /* Ok add it to assoc_id vtag hash */ 1410 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1411 sctppcbinfo.hashrestartmark)]; 1412 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1413 stcb->asoc.in_restart_hash = 1; 1414 } 1415 asoc->pre_open_streams = 1416 ntohs(initack_cp->init.num_outbound_streams); 1417 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1418 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1419 1420 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1421 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1422 1423 asoc->str_reset_seq_in = asoc->init_seq_number; 1424 1425 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1426 if (asoc->mapping_array) 1427 memset(asoc->mapping_array, 0, 1428 asoc->mapping_array_size); 1429 /* process the INIT info (peer's info) */ 1430 SCTP_TCB_SEND_UNLOCK(stcb); 1431 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1432 SCTP_INP_INFO_WUNLOCK(); 1433 1434 retval = sctp_process_init(init_cp, stcb, net); 1435 if (retval < 0) { 1436 return (NULL); 1437 } 1438 /* 1439 * since we did not send a HB make sure we don't double 1440 * things 1441 */ 1442 net->hb_responded = 1; 1443 1444 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1445 init_offset + sizeof(struct sctp_init_chunk), 1446 initack_offset, sh, init_src)) { 1447 return (NULL); 1448 } 1449 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1450 asoc->state = SCTP_STATE_OPEN | 1451 SCTP_STATE_SHUTDOWN_PENDING; 1452 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1453 stcb->sctp_ep, stcb, asoc->primary_destination); 1454 1455 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1456 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1457 asoc->state = SCTP_STATE_OPEN; 1458 } 1459 /* respond with a COOKIE-ACK */ 1460 sctp_stop_all_cookie_timers(stcb); 1461 sctp_toss_old_cookies(stcb, asoc); 1462 sctp_send_cookie_ack(stcb); 1463 1464 return (stcb); 1465 } 1466 /* if we are not a restart we need the assoc_id field pop'd */ 1467 asoc->assoc_id = ntohl(initack_cp->init.initiate_tag); 1468 1469 /* all other cases... */ 1470 return (NULL); 1471 } 1472 1473 /* 1474 * handle a state cookie for a new association m: input packet mbuf chain-- 1475 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1476 * and the cookie signature does not exist offset: offset into mbuf to the 1477 * cookie-echo chunk length: length of the cookie chunk to: where the init 1478 * was from returns a new TCB 1479 */ 1480 static struct sctp_tcb * 1481 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1482 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1483 struct sctp_inpcb *inp, struct sctp_nets **netp, 1484 struct sockaddr *init_src, int *notification, 1485 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1486 { 1487 struct sctp_tcb *stcb; 1488 struct sctp_init_chunk *init_cp, init_buf; 1489 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1490 struct sockaddr_storage sa_store; 1491 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1492 struct sockaddr_in *sin; 1493 struct sockaddr_in6 *sin6; 1494 struct sctp_association *asoc; 1495 int chk_length; 1496 int init_offset, initack_offset, initack_limit; 1497 int retval; 1498 int error = 0; 1499 uint32_t old_tag; 1500 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 1501 1502 /* 1503 * find and validate the INIT chunk in the cookie (peer's info) the 1504 * INIT should start after the cookie-echo header struct (chunk 1505 * header, state cookie header struct) 1506 */ 1507 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1508 init_cp = (struct sctp_init_chunk *) 1509 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1510 (uint8_t *) & init_buf); 1511 if (init_cp == NULL) { 1512 /* could not pull a INIT chunk in cookie */ 1513 #ifdef SCTP_DEBUG 1514 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1515 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1516 } 1517 #endif /* SCTP_DEBUG */ 1518 return (NULL); 1519 } 1520 chk_length = ntohs(init_cp->ch.chunk_length); 1521 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1522 #ifdef SCTP_DEBUG 1523 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1524 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1525 } 1526 #endif /* SCTP_DEBUG */ 1527 return (NULL); 1528 } 1529 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1530 /* 1531 * find and validate the INIT-ACK chunk in the cookie (my info) the 1532 * INIT-ACK follows the INIT chunk 1533 */ 1534 initack_cp = (struct sctp_init_ack_chunk *) 1535 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1536 (uint8_t *) & initack_buf); 1537 if (initack_cp == NULL) { 1538 /* could not pull INIT-ACK chunk in cookie */ 1539 #ifdef SCTP_DEBUG 1540 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1541 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1542 } 1543 #endif /* SCTP_DEBUG */ 1544 return (NULL); 1545 } 1546 chk_length = ntohs(initack_cp->ch.chunk_length); 1547 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1548 return (NULL); 1549 } 1550 /* 1551 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1552 * "initack_limit" value. This is because the chk_length field 1553 * includes the length of the cookie, but the cookie is omitted when 1554 * the INIT and INIT_ACK are tacked onto the cookie... 1555 */ 1556 initack_limit = offset + cookie_len; 1557 1558 /* 1559 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1560 * and popluate 1561 */ 1562 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1563 ntohl(initack_cp->init.initiate_tag)); 1564 if (stcb == NULL) { 1565 struct mbuf *op_err; 1566 1567 /* memory problem? */ 1568 #ifdef SCTP_DEBUG 1569 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1570 printf("process_cookie_new: no room for another TCB!\n"); 1571 } 1572 #endif /* SCTP_DEBUG */ 1573 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1574 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1575 sh, op_err); 1576 return (NULL); 1577 } 1578 /* get the correct sctp_nets */ 1579 *netp = sctp_findnet(stcb, init_src); 1580 asoc = &stcb->asoc; 1581 /* get scope variables out of cookie */ 1582 asoc->ipv4_local_scope = cookie->ipv4_scope; 1583 asoc->site_scope = cookie->site_scope; 1584 asoc->local_scope = cookie->local_scope; 1585 asoc->loopback_scope = cookie->loopback_scope; 1586 1587 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1588 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1589 struct mbuf *op_err; 1590 1591 /* 1592 * Houston we have a problem. The EP changed while the 1593 * cookie was in flight. Only recourse is to abort the 1594 * association. 1595 */ 1596 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1597 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1598 sh, op_err); 1599 return (NULL); 1600 } 1601 /* process the INIT-ACK info (my info) */ 1602 old_tag = asoc->my_vtag; 1603 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1604 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1605 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1606 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1607 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1608 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1609 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1610 asoc->str_reset_seq_in = asoc->init_seq_number; 1611 1612 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1613 1614 /* process the INIT info (peer's info) */ 1615 retval = sctp_process_init(init_cp, stcb, *netp); 1616 if (retval < 0) { 1617 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1618 return (NULL); 1619 } 1620 /* load all addresses */ 1621 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1622 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1623 init_src)) { 1624 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 1625 return (NULL); 1626 } 1627 /* 1628 * verify any preceding AUTH chunk that was skipped 1629 */ 1630 /* pull the local authentication parameters from the cookie/init-ack */ 1631 sctp_auth_get_cookie_params(stcb, m, 1632 initack_offset + sizeof(struct sctp_init_ack_chunk), 1633 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1634 if (auth_skipped) { 1635 struct sctp_auth_chunk *auth; 1636 1637 auth = (struct sctp_auth_chunk *) 1638 sctp_m_getptr(m, auth_offset, auth_len, chunk_buf); 1639 if (sctp_handle_auth(stcb, auth, m, auth_offset)) { 1640 /* auth HMAC failed, dump the assoc and packet */ 1641 #ifdef SCTP_DEBUG 1642 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 1643 printf("COOKIE-ECHO: AUTH failed\n"); 1644 #endif /* SCTP_DEBUG */ 1645 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 1646 return (NULL); 1647 } else { 1648 /* remaining chunks checked... good to go */ 1649 stcb->asoc.authenticated = 1; 1650 } 1651 } 1652 /* update current state */ 1653 #ifdef SCTP_DEBUG 1654 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1655 printf("moving to OPEN state\n"); 1656 } 1657 #endif 1658 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1659 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1660 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1661 stcb->sctp_ep, stcb, asoc->primary_destination); 1662 } else { 1663 asoc->state = SCTP_STATE_OPEN; 1664 } 1665 sctp_stop_all_cookie_timers(stcb); 1666 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1667 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1668 1669 /* 1670 * if we're doing ASCONFs, check to see if we have any new local 1671 * addresses that need to get added to the peer (eg. addresses 1672 * changed while cookie echo in flight). This needs to be done 1673 * after we go to the OPEN state to do the correct asconf 1674 * processing. else, make sure we have the correct addresses in our 1675 * lists 1676 */ 1677 1678 /* warning, we re-use sin, sin6, sa_store here! */ 1679 /* pull in local_address (our "from" address) */ 1680 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1681 /* source addr is IPv4 */ 1682 sin = (struct sockaddr_in *)initack_src; 1683 memset(sin, 0, sizeof(*sin)); 1684 sin->sin_family = AF_INET; 1685 sin->sin_len = sizeof(struct sockaddr_in); 1686 sin->sin_addr.s_addr = cookie->laddress[0]; 1687 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1688 /* source addr is IPv6 */ 1689 sin6 = (struct sockaddr_in6 *)initack_src; 1690 memset(sin6, 0, sizeof(*sin6)); 1691 sin6->sin6_family = AF_INET6; 1692 sin6->sin6_len = sizeof(struct sockaddr_in6); 1693 sin6->sin6_scope_id = cookie->scope_id; 1694 memcpy(&sin6->sin6_addr, cookie->laddress, 1695 sizeof(sin6->sin6_addr)); 1696 } else { 1697 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 1698 return (NULL); 1699 } 1700 1701 sctp_check_address_list(stcb, m, 1702 initack_offset + sizeof(struct sctp_init_ack_chunk), 1703 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1704 initack_src, cookie->local_scope, cookie->site_scope, 1705 cookie->ipv4_scope, cookie->loopback_scope); 1706 1707 1708 /* set up to notify upper layer */ 1709 *notification = SCTP_NOTIFY_ASSOC_UP; 1710 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1711 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1712 (inp->sctp_socket->so_qlimit == 0)) { 1713 /* 1714 * This is an endpoint that called connect() how it got a 1715 * cookie that is NEW is a bit of a mystery. It must be that 1716 * the INIT was sent, but before it got there.. a complete 1717 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1718 * should have went to the other code.. not here.. oh well.. 1719 * a bit of protection is worth having.. 1720 */ 1721 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1722 soisconnected(stcb->sctp_ep->sctp_socket); 1723 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1724 (inp->sctp_socket->so_qlimit)) { 1725 /* 1726 * We don't want to do anything with this one. Since it is 1727 * the listening guy. The timer will get started for 1728 * accepted connections in the caller. 1729 */ 1730 ; 1731 } 1732 /* since we did not send a HB make sure we don't double things */ 1733 (*netp)->hb_responded = 1; 1734 1735 if (stcb->asoc.sctp_autoclose_ticks && 1736 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1737 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1738 } 1739 /* respond with a COOKIE-ACK */ 1740 /* calculate the RTT */ 1741 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1742 &cookie->time_entered); 1743 sctp_send_cookie_ack(stcb); 1744 return (stcb); 1745 } 1746 1747 1748 /* 1749 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1750 * existing (non-NULL) TCB 1751 */ 1752 static struct mbuf * 1753 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1754 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1755 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1756 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, struct sctp_tcb **locked_tcb) 1757 { 1758 struct sctp_state_cookie *cookie; 1759 struct sockaddr_in6 sin6; 1760 struct sockaddr_in sin; 1761 struct sctp_tcb *l_stcb = *stcb; 1762 struct sctp_inpcb *l_inp; 1763 struct sockaddr *to; 1764 sctp_assoc_t sac_restart_id; 1765 struct sctp_pcb *ep; 1766 struct mbuf *m_sig; 1767 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1768 uint8_t *sig; 1769 uint8_t cookie_ok = 0; 1770 unsigned int size_of_pkt, sig_offset, cookie_offset; 1771 unsigned int cookie_len; 1772 struct timeval now; 1773 struct timeval time_expires; 1774 struct sockaddr_storage dest_store; 1775 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1776 struct ip *iph; 1777 int notification = 0; 1778 struct sctp_nets *netl; 1779 int had_a_existing_tcb = 0; 1780 1781 #ifdef SCTP_DEBUG 1782 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1783 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1784 } 1785 #endif 1786 1787 if (inp_p == NULL) { 1788 return (NULL); 1789 } 1790 /* First get the destination address setup too. */ 1791 iph = mtod(m, struct ip *); 1792 if (iph->ip_v == IPVERSION) { 1793 /* its IPv4 */ 1794 struct sockaddr_in *sin; 1795 1796 sin = (struct sockaddr_in *)(localep_sa); 1797 memset(sin, 0, sizeof(*sin)); 1798 sin->sin_family = AF_INET; 1799 sin->sin_len = sizeof(*sin); 1800 sin->sin_port = sh->dest_port; 1801 sin->sin_addr.s_addr = iph->ip_dst.s_addr; 1802 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1803 /* its IPv6 */ 1804 struct ip6_hdr *ip6; 1805 struct sockaddr_in6 *sin6; 1806 1807 sin6 = (struct sockaddr_in6 *)(localep_sa); 1808 memset(sin6, 0, sizeof(*sin6)); 1809 sin6->sin6_family = AF_INET6; 1810 sin6->sin6_len = sizeof(struct sockaddr_in6); 1811 ip6 = mtod(m, struct ip6_hdr *); 1812 sin6->sin6_port = sh->dest_port; 1813 sin6->sin6_addr = ip6->ip6_dst; 1814 } else { 1815 return (NULL); 1816 } 1817 1818 cookie = &cp->cookie; 1819 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1820 cookie_len = ntohs(cp->ch.chunk_length); 1821 1822 if ((cookie->peerport != sh->src_port) && 1823 (cookie->myport != sh->dest_port) && 1824 (cookie->my_vtag != sh->v_tag)) { 1825 /* 1826 * invalid ports or bad tag. Note that we always leave the 1827 * v_tag in the header in network order and when we stored 1828 * it in the my_vtag slot we also left it in network order. 1829 * This maintians the match even though it may be in the 1830 * opposite byte order of the machine :-> 1831 */ 1832 return (NULL); 1833 } 1834 /* compute size of packet */ 1835 if (m->m_flags & M_PKTHDR) { 1836 size_of_pkt = m->m_pkthdr.len; 1837 } else { 1838 /* Should have a pkt hdr really */ 1839 struct mbuf *mat; 1840 1841 mat = m; 1842 size_of_pkt = 0; 1843 while (mat != NULL) { 1844 size_of_pkt += mat->m_len; 1845 mat = mat->m_next; 1846 } 1847 } 1848 if (cookie_len > size_of_pkt || 1849 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1850 sizeof(struct sctp_init_chunk) + 1851 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1852 /* cookie too long! or too small */ 1853 return (NULL); 1854 } 1855 /* 1856 * split off the signature into its own mbuf (since it should not be 1857 * calculated in the sctp_hmac_m() call). 1858 */ 1859 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1860 if (sig_offset > size_of_pkt) { 1861 /* packet not correct size! */ 1862 /* XXX this may already be accounted for earlier... */ 1863 return (NULL); 1864 } 1865 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1866 if (m_sig == NULL) { 1867 /* out of memory or ?? */ 1868 return (NULL); 1869 } 1870 /* 1871 * compute the signature/digest for the cookie 1872 */ 1873 ep = &(*inp_p)->sctp_ep; 1874 l_inp = *inp_p; 1875 if (l_stcb) { 1876 SCTP_TCB_UNLOCK(l_stcb); 1877 } 1878 SCTP_INP_RLOCK(l_inp); 1879 if (l_stcb) { 1880 SCTP_TCB_LOCK(l_stcb); 1881 } 1882 /* which cookie is it? */ 1883 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1884 (ep->current_secret_number != ep->last_secret_number)) { 1885 /* it's the old cookie */ 1886 sctp_hmac_m(SCTP_HMAC, 1887 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1888 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1889 } else { 1890 /* it's the current cookie */ 1891 sctp_hmac_m(SCTP_HMAC, 1892 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1893 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1894 } 1895 /* get the signature */ 1896 SCTP_INP_RUNLOCK(l_inp); 1897 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1898 if (sig == NULL) { 1899 /* couldn't find signature */ 1900 sctp_m_freem(m_sig); 1901 return (NULL); 1902 } 1903 /* compare the received digest with the computed digest */ 1904 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1905 /* try the old cookie? */ 1906 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1907 (ep->current_secret_number != ep->last_secret_number)) { 1908 /* compute digest with old */ 1909 sctp_hmac_m(SCTP_HMAC, 1910 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1911 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1912 /* compare */ 1913 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1914 cookie_ok = 1; 1915 } 1916 } else { 1917 cookie_ok = 1; 1918 } 1919 1920 /* 1921 * Now before we continue we must reconstruct our mbuf so that 1922 * normal processing of any other chunks will work. 1923 */ 1924 { 1925 struct mbuf *m_at; 1926 1927 m_at = m; 1928 while (m_at->m_next != NULL) { 1929 m_at = m_at->m_next; 1930 } 1931 m_at->m_next = m_sig; 1932 if (m->m_flags & M_PKTHDR) { 1933 /* 1934 * We should only do this if and only if the front 1935 * mbuf has a m_pkthdr... it should in theory. 1936 */ 1937 if (m_sig->m_flags & M_PKTHDR) { 1938 /* Add back to the pkt hdr of main m chain */ 1939 m->m_pkthdr.len += m_sig->m_pkthdr.len; 1940 } else { 1941 /* 1942 * Got a problem, no pkthdr in split chain. 1943 * TSNH but we will handle it just in case 1944 */ 1945 int mmlen = 0; 1946 struct mbuf *lat; 1947 1948 printf("Warning: Hitting m_split join TSNH code - fixed\n"); 1949 lat = m_sig; 1950 while (lat) { 1951 mmlen += lat->m_len; 1952 lat = lat->m_next; 1953 } 1954 m->m_pkthdr.len += mmlen; 1955 } 1956 } 1957 } 1958 1959 if (cookie_ok == 0) { 1960 #ifdef SCTP_DEBUG 1961 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1962 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1963 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1964 (uint32_t) offset, cookie_offset, sig_offset); 1965 } 1966 #endif 1967 return (NULL); 1968 } 1969 /* 1970 * check the cookie timestamps to be sure it's not stale 1971 */ 1972 SCTP_GETTIME_TIMEVAL(&now); 1973 /* Expire time is in Ticks, so we convert to seconds */ 1974 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 1975 time_expires.tv_usec = cookie->time_entered.tv_usec; 1976 if (timevalcmp(&now, &time_expires, >)) { 1977 /* cookie is stale! */ 1978 struct mbuf *op_err; 1979 struct sctp_stale_cookie_msg *scm; 1980 uint32_t tim; 1981 1982 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 1983 1, M_DONTWAIT, 1, MT_DATA); 1984 if (op_err == NULL) { 1985 /* FOOBAR */ 1986 return (NULL); 1987 } 1988 /* pre-reserve some space */ 1989 op_err->m_data += sizeof(struct ip6_hdr); 1990 op_err->m_data += sizeof(struct sctphdr); 1991 op_err->m_data += sizeof(struct sctp_chunkhdr); 1992 1993 /* Set the len */ 1994 op_err->m_len = op_err->m_pkthdr.len = sizeof(struct sctp_stale_cookie_msg); 1995 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 1996 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 1997 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 1998 (sizeof(uint32_t)))); 1999 /* seconds to usec */ 2000 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2001 /* add in usec */ 2002 if (tim == 0) 2003 tim = now.tv_usec - cookie->time_entered.tv_usec; 2004 scm->time_usec = htonl(tim); 2005 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 2006 return (NULL); 2007 } 2008 /* 2009 * Now we must see with the lookup address if we have an existing 2010 * asoc. This will only happen if we were in the COOKIE-WAIT state 2011 * and a INIT collided with us and somewhere the peer sent the 2012 * cookie on another address besides the single address our assoc 2013 * had for him. In this case we will have one of the tie-tags set at 2014 * least AND the address field in the cookie can be used to look it 2015 * up. 2016 */ 2017 to = NULL; 2018 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 2019 memset(&sin6, 0, sizeof(sin6)); 2020 sin6.sin6_family = AF_INET6; 2021 sin6.sin6_len = sizeof(sin6); 2022 sin6.sin6_port = sh->src_port; 2023 sin6.sin6_scope_id = cookie->scope_id; 2024 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2025 sizeof(sin6.sin6_addr.s6_addr)); 2026 to = (struct sockaddr *)&sin6; 2027 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2028 memset(&sin, 0, sizeof(sin)); 2029 sin.sin_family = AF_INET; 2030 sin.sin_len = sizeof(sin); 2031 sin.sin_port = sh->src_port; 2032 sin.sin_addr.s_addr = cookie->address[0]; 2033 to = (struct sockaddr *)&sin; 2034 } 2035 if ((*stcb == NULL) && to) { 2036 /* Yep, lets check */ 2037 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2038 if (*stcb == NULL) { 2039 /* 2040 * We should have only got back the same inp. If we 2041 * got back a different ep we have a problem. The 2042 * original findep got back l_inp and now 2043 */ 2044 if (l_inp != *inp_p) { 2045 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 2046 } 2047 } else { 2048 if (*locked_tcb == NULL) { 2049 /* 2050 * In this case we found the assoc only 2051 * after we locked the create lock. This 2052 * means we are in a colliding case and we 2053 * must make sure that we unlock the tcb if 2054 * its one of the cases where we throw away 2055 * the incoming packets. 2056 */ 2057 *locked_tcb = *stcb; 2058 2059 /* 2060 * We must also increment the inp ref count 2061 * since the ref_count flags was set when we 2062 * did not find the TCB, now we found it 2063 * which reduces the refcount.. we must 2064 * raise it back out to balance it all :-) 2065 */ 2066 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2067 if ((*stcb)->sctp_ep != l_inp) { 2068 printf("Huh? ep:%p diff then l_inp:%p?\n", 2069 (*stcb)->sctp_ep, l_inp); 2070 } 2071 } 2072 } 2073 } 2074 cookie_len -= SCTP_SIGNATURE_SIZE; 2075 if (*stcb == NULL) { 2076 /* this is the "normal" case... get a new TCB */ 2077 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2078 cookie_len, *inp_p, netp, to, ¬ification, 2079 auth_skipped, auth_offset, auth_len); 2080 } else { 2081 /* this is abnormal... cookie-echo on existing TCB */ 2082 had_a_existing_tcb = 1; 2083 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2084 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, 2085 &sac_restart_id); 2086 } 2087 2088 if (*stcb == NULL) { 2089 /* still no TCB... must be bad cookie-echo */ 2090 return (NULL); 2091 } 2092 /* 2093 * Ok, we built an association so confirm the address we sent the 2094 * INIT-ACK to. 2095 */ 2096 netl = sctp_findnet(*stcb, to); 2097 /* 2098 * This code should in theory NOT run but 2099 */ 2100 if (netl == NULL) { 2101 /* TSNH! Huh, why do I need to add this address here? */ 2102 int ret; 2103 2104 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2105 SCTP_IN_COOKIE_PROC); 2106 netl = sctp_findnet(*stcb, to); 2107 } 2108 if (netl) { 2109 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2110 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2111 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2112 netl); 2113 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2114 (*stcb), 0, (void *)netl); 2115 } 2116 } 2117 if (*stcb) { 2118 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2119 *stcb, NULL); 2120 } 2121 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2122 if (!had_a_existing_tcb || 2123 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2124 /* 2125 * If we have a NEW cookie or the connect never 2126 * reached the connected state during collision we 2127 * must do the TCP accept thing. 2128 */ 2129 struct socket *so, *oso; 2130 struct sctp_inpcb *inp; 2131 2132 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2133 /* 2134 * For a restart we will keep the same 2135 * socket, no need to do anything. I THINK!! 2136 */ 2137 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2138 return (m); 2139 } 2140 oso = (*inp_p)->sctp_socket; 2141 /* 2142 * We do this to keep the sockets side happy durin 2143 * the sonewcon ONLY. 2144 */ 2145 NET_LOCK_GIANT(); 2146 SCTP_TCB_UNLOCK((*stcb)); 2147 so = sonewconn(oso, SS_ISCONNECTED 2148 ); 2149 NET_UNLOCK_GIANT(); 2150 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2151 SCTP_TCB_LOCK((*stcb)); 2152 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2153 if (so == NULL) { 2154 struct mbuf *op_err; 2155 2156 /* Too many sockets */ 2157 #ifdef SCTP_DEBUG 2158 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2159 printf("process_cookie_new: no room for another socket!\n"); 2160 } 2161 #endif /* SCTP_DEBUG */ 2162 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2163 sctp_abort_association(*inp_p, NULL, m, iphlen, 2164 sh, op_err); 2165 sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2166 return (NULL); 2167 } 2168 inp = (struct sctp_inpcb *)so->so_pcb; 2169 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2170 SCTP_PCB_FLAGS_CONNECTED | 2171 SCTP_PCB_FLAGS_IN_TCPPOOL | 2172 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2173 SCTP_PCB_FLAGS_DONT_WAKE); 2174 inp->sctp_features = (*inp_p)->sctp_features; 2175 inp->sctp_socket = so; 2176 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2177 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2178 inp->sctp_context = (*inp_p)->sctp_context; 2179 inp->inp_starting_point_for_iterator = NULL; 2180 /* 2181 * copy in the authentication parameters from the 2182 * original endpoint 2183 */ 2184 if (inp->sctp_ep.local_hmacs) 2185 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2186 inp->sctp_ep.local_hmacs = 2187 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2188 if (inp->sctp_ep.local_auth_chunks) 2189 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2190 inp->sctp_ep.local_auth_chunks = 2191 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2192 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2193 &inp->sctp_ep.shared_keys); 2194 2195 /* 2196 * Now we must move it from one hash table to 2197 * another and get the tcb in the right place. 2198 */ 2199 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2200 2201 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb); 2202 2203 /* Switch over to the new guy */ 2204 *inp_p = inp; 2205 2206 sctp_ulp_notify(notification, *stcb, 0, NULL); 2207 return (m); 2208 } 2209 } 2210 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2211 sctp_ulp_notify(notification, *stcb, 0, NULL); 2212 } 2213 return (m); 2214 } 2215 2216 static void 2217 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2218 struct sctp_tcb *stcb, struct sctp_nets *net) 2219 { 2220 /* cp must not be used, others call this without a c-ack :-) */ 2221 struct sctp_association *asoc; 2222 2223 #ifdef SCTP_DEBUG 2224 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2225 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2226 } 2227 #endif 2228 if (stcb == NULL) 2229 return; 2230 2231 asoc = &stcb->asoc; 2232 2233 sctp_stop_all_cookie_timers(stcb); 2234 /* process according to association state */ 2235 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2236 /* state change only needed when I am in right state */ 2237 #ifdef SCTP_DEBUG 2238 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2239 printf("moving to OPEN state\n"); 2240 } 2241 #endif 2242 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2243 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2244 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2245 stcb->sctp_ep, stcb, asoc->primary_destination); 2246 2247 } else { 2248 asoc->state = SCTP_STATE_OPEN; 2249 } 2250 /* update RTO */ 2251 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2252 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2253 if (asoc->overall_error_count == 0) { 2254 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2255 &asoc->time_entered); 2256 } 2257 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2258 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2259 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2260 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2261 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2262 soisconnected(stcb->sctp_ep->sctp_socket); 2263 } 2264 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2265 stcb, net); 2266 /* 2267 * since we did not send a HB make sure we don't double 2268 * things 2269 */ 2270 net->hb_responded = 1; 2271 2272 if (stcb->asoc.sctp_autoclose_ticks && 2273 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2274 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2275 stcb->sctp_ep, stcb, NULL); 2276 } 2277 /* 2278 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2279 * addresses changed when init/cookie echo in flight) 2280 */ 2281 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2282 (stcb->asoc.peer_supports_asconf) && 2283 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2284 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2285 stcb->sctp_ep, stcb, 2286 stcb->asoc.primary_destination); 2287 } 2288 } 2289 /* Toss the cookie if I can */ 2290 sctp_toss_old_cookies(stcb, asoc); 2291 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2292 /* Restart the timer if we have pending data */ 2293 struct sctp_tmit_chunk *chk; 2294 2295 chk = TAILQ_FIRST(&asoc->sent_queue); 2296 if (chk) { 2297 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2298 stcb, chk->whoTo); 2299 } 2300 } 2301 } 2302 2303 static void 2304 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2305 struct sctp_tcb *stcb) 2306 { 2307 struct sctp_nets *net; 2308 struct sctp_tmit_chunk *lchk; 2309 uint32_t tsn; 2310 2311 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2312 return; 2313 } 2314 SCTP_STAT_INCR(sctps_recvecne); 2315 tsn = ntohl(cp->tsn); 2316 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2317 /* Also we make sure we disable the nonce_wait */ 2318 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2319 if (lchk == NULL) { 2320 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2321 } else { 2322 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2323 } 2324 stcb->asoc.nonce_wait_for_ecne = 0; 2325 stcb->asoc.nonce_sum_check = 0; 2326 2327 /* Find where it was sent, if possible */ 2328 net = NULL; 2329 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2330 while (lchk) { 2331 if (lchk->rec.data.TSN_seq == tsn) { 2332 net = lchk->whoTo; 2333 break; 2334 } 2335 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2336 break; 2337 lchk = TAILQ_NEXT(lchk, sctp_next); 2338 } 2339 if (net == NULL) 2340 /* default is we use the primary */ 2341 net = stcb->asoc.primary_destination; 2342 2343 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2344 #ifdef SCTP_CWND_MONITOR 2345 int old_cwnd; 2346 2347 old_cwnd = net->cwnd; 2348 #endif 2349 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2350 net->ssthresh = net->cwnd / 2; 2351 if (net->ssthresh < net->mtu) { 2352 net->ssthresh = net->mtu; 2353 /* here back off the timer as well, to slow us down */ 2354 net->RTO <<= 2; 2355 } 2356 net->cwnd = net->ssthresh; 2357 #ifdef SCTP_CWND_MONITOR 2358 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2359 #endif 2360 /* 2361 * we reduce once every RTT. So we will only lower cwnd at 2362 * the next sending seq i.e. the resync_tsn. 2363 */ 2364 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2365 } 2366 /* 2367 * We always send a CWR this way if our previous one was lost our 2368 * peer will get an update, or if it is not time again to reduce we 2369 * still get the cwr to the peer. 2370 */ 2371 sctp_send_cwr(stcb, net, tsn); 2372 } 2373 2374 static void 2375 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2376 { 2377 /* 2378 * Here we get a CWR from the peer. We must look in the outqueue and 2379 * make sure that we have a covered ECNE in teh control chunk part. 2380 * If so remove it. 2381 */ 2382 struct sctp_tmit_chunk *chk; 2383 struct sctp_ecne_chunk *ecne; 2384 2385 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2386 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2387 continue; 2388 } 2389 /* 2390 * Look for and remove if it is the right TSN. Since there 2391 * is only ONE ECNE on the control queue at any one time we 2392 * don't need to worry about more than one! 2393 */ 2394 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2395 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2396 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2397 /* this covers this ECNE, we can remove it */ 2398 stcb->asoc.ecn_echo_cnt_onq--; 2399 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2400 sctp_next); 2401 if (chk->data) { 2402 sctp_m_freem(chk->data); 2403 chk->data = NULL; 2404 } 2405 stcb->asoc.ctrl_queue_cnt--; 2406 sctp_free_remote_addr(chk->whoTo); 2407 sctp_free_a_chunk(stcb, chk); 2408 break; 2409 } 2410 } 2411 } 2412 2413 static void 2414 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2415 struct sctp_tcb *stcb, struct sctp_nets *net) 2416 { 2417 struct sctp_association *asoc; 2418 2419 #ifdef SCTP_DEBUG 2420 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2421 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2422 } 2423 #endif 2424 if (stcb == NULL) 2425 return; 2426 2427 asoc = &stcb->asoc; 2428 /* process according to association state */ 2429 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2430 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2431 SCTP_TCB_UNLOCK(stcb); 2432 return; 2433 } 2434 /* notify upper layer protocol */ 2435 if (stcb->sctp_socket) { 2436 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2437 /* are the queues empty? they should be */ 2438 if (!TAILQ_EMPTY(&asoc->send_queue) || 2439 !TAILQ_EMPTY(&asoc->sent_queue) || 2440 !TAILQ_EMPTY(&asoc->out_wheel)) { 2441 sctp_report_all_outbound(stcb, 0); 2442 } 2443 } 2444 /* stop the timer */ 2445 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_21); 2446 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2447 /* free the TCB */ 2448 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2449 return; 2450 } 2451 2452 static int 2453 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2454 struct sctp_nets *net, uint8_t flg) 2455 { 2456 switch (desc->chunk_type) { 2457 case SCTP_DATA: 2458 /* find the tsn to resend (possibly */ 2459 { 2460 uint32_t tsn; 2461 struct sctp_tmit_chunk *tp1; 2462 2463 tsn = ntohl(desc->tsn_ifany); 2464 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2465 while (tp1) { 2466 if (tp1->rec.data.TSN_seq == tsn) { 2467 /* found it */ 2468 break; 2469 } 2470 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2471 MAX_TSN)) { 2472 /* not found */ 2473 tp1 = NULL; 2474 break; 2475 } 2476 tp1 = TAILQ_NEXT(tp1, sctp_next); 2477 } 2478 if (tp1 == NULL) { 2479 /* 2480 * Do it the other way , aka without paying 2481 * attention to queue seq order. 2482 */ 2483 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2484 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2485 while (tp1) { 2486 if (tp1->rec.data.TSN_seq == tsn) { 2487 /* found it */ 2488 break; 2489 } 2490 tp1 = TAILQ_NEXT(tp1, sctp_next); 2491 } 2492 } 2493 if (tp1 == NULL) { 2494 SCTP_STAT_INCR(sctps_pdrptsnnf); 2495 } 2496 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2497 uint8_t *ddp; 2498 2499 if ((stcb->asoc.peers_rwnd == 0) && 2500 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2501 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2502 return (0); 2503 } 2504 if (stcb->asoc.peers_rwnd == 0 && 2505 (flg & SCTP_FROM_MIDDLE_BOX)) { 2506 SCTP_STAT_INCR(sctps_pdrpdizrw); 2507 return (0); 2508 } 2509 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2510 sizeof(struct sctp_data_chunk)); 2511 { 2512 unsigned int iii; 2513 2514 for (iii = 0; iii < sizeof(desc->data_bytes); 2515 iii++) { 2516 if (ddp[iii] != desc->data_bytes[iii]) { 2517 SCTP_STAT_INCR(sctps_pdrpbadd); 2518 return (-1); 2519 } 2520 } 2521 } 2522 /* 2523 * We zero out the nonce so resync not 2524 * needed 2525 */ 2526 tp1->rec.data.ect_nonce = 0; 2527 2528 if (tp1->do_rtt) { 2529 /* 2530 * this guy had a RTO calculation 2531 * pending on it, cancel it 2532 */ 2533 tp1->whoTo->rto_pending = 0; 2534 tp1->do_rtt = 0; 2535 } 2536 SCTP_STAT_INCR(sctps_pdrpmark); 2537 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2538 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2539 tp1->sent = SCTP_DATAGRAM_RESEND; 2540 /* 2541 * mark it as if we were doing a FR, since 2542 * we will be getting gap ack reports behind 2543 * the info from the router. 2544 */ 2545 tp1->rec.data.doing_fast_retransmit = 1; 2546 /* 2547 * mark the tsn with what sequences can 2548 * cause a new FR. 2549 */ 2550 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2551 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2552 } else { 2553 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2554 } 2555 2556 /* restart the timer */ 2557 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2558 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2559 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2560 stcb, tp1->whoTo); 2561 2562 /* fix counts and things */ 2563 #ifdef SCTP_FLIGHT_LOGGING 2564 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN, 2565 tp1->whoTo->flight_size, 2566 tp1->book_size, 2567 (uintptr_t) stcb, 2568 tp1->rec.data.TSN_seq); 2569 #endif 2570 if (tp1->whoTo->flight_size >= tp1->book_size) 2571 tp1->whoTo->flight_size -= tp1->book_size; 2572 else 2573 tp1->whoTo->flight_size = 0; 2574 2575 if (stcb->asoc.total_flight >= tp1->book_size) { 2576 stcb->asoc.total_flight -= tp1->book_size; 2577 if (stcb->asoc.total_flight_count > 0) 2578 stcb->asoc.total_flight_count--; 2579 } else { 2580 stcb->asoc.total_flight = 0; 2581 stcb->asoc.total_flight_count = 0; 2582 } 2583 tp1->snd_count--; 2584 } { 2585 /* audit code */ 2586 unsigned int audit; 2587 2588 audit = 0; 2589 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2590 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2591 audit++; 2592 } 2593 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2594 sctp_next) { 2595 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2596 audit++; 2597 } 2598 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2599 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2600 audit, stcb->asoc.sent_queue_retran_cnt); 2601 #ifndef SCTP_AUDITING_ENABLED 2602 stcb->asoc.sent_queue_retran_cnt = audit; 2603 #endif 2604 } 2605 } 2606 } 2607 break; 2608 case SCTP_ASCONF: 2609 { 2610 struct sctp_tmit_chunk *asconf; 2611 2612 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2613 sctp_next) { 2614 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2615 break; 2616 } 2617 } 2618 if (asconf) { 2619 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2620 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2621 asconf->sent = SCTP_DATAGRAM_RESEND; 2622 asconf->snd_count--; 2623 } 2624 } 2625 break; 2626 case SCTP_INITIATION: 2627 /* resend the INIT */ 2628 stcb->asoc.dropped_special_cnt++; 2629 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2630 /* 2631 * If we can get it in, in a few attempts we do 2632 * this, otherwise we let the timer fire. 2633 */ 2634 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2635 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 2636 sctp_send_initiate(stcb->sctp_ep, stcb); 2637 } 2638 break; 2639 case SCTP_SELECTIVE_ACK: 2640 /* resend the sack */ 2641 sctp_send_sack(stcb); 2642 break; 2643 case SCTP_HEARTBEAT_REQUEST: 2644 /* resend a demand HB */ 2645 sctp_send_hb(stcb, 1, net); 2646 break; 2647 case SCTP_SHUTDOWN: 2648 sctp_send_shutdown(stcb, net); 2649 break; 2650 case SCTP_SHUTDOWN_ACK: 2651 sctp_send_shutdown_ack(stcb, net); 2652 break; 2653 case SCTP_COOKIE_ECHO: 2654 { 2655 struct sctp_tmit_chunk *cookie; 2656 2657 cookie = NULL; 2658 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2659 sctp_next) { 2660 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2661 break; 2662 } 2663 } 2664 if (cookie) { 2665 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2666 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2667 cookie->sent = SCTP_DATAGRAM_RESEND; 2668 sctp_stop_all_cookie_timers(stcb); 2669 } 2670 } 2671 break; 2672 case SCTP_COOKIE_ACK: 2673 sctp_send_cookie_ack(stcb); 2674 break; 2675 case SCTP_ASCONF_ACK: 2676 /* resend last asconf ack */ 2677 sctp_send_asconf_ack(stcb, 1); 2678 break; 2679 case SCTP_FORWARD_CUM_TSN: 2680 send_forward_tsn(stcb, &stcb->asoc); 2681 break; 2682 /* can't do anything with these */ 2683 case SCTP_PACKET_DROPPED: 2684 case SCTP_INITIATION_ACK: /* this should not happen */ 2685 case SCTP_HEARTBEAT_ACK: 2686 case SCTP_ABORT_ASSOCIATION: 2687 case SCTP_OPERATION_ERROR: 2688 case SCTP_SHUTDOWN_COMPLETE: 2689 case SCTP_ECN_ECHO: 2690 case SCTP_ECN_CWR: 2691 default: 2692 break; 2693 } 2694 return (0); 2695 } 2696 2697 void 2698 sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2699 { 2700 int i; 2701 uint16_t temp; 2702 2703 /* 2704 * We set things to 0xffff since this is the last delivered sequence 2705 * and we will be sending in 0 after the reset. 2706 */ 2707 2708 if (number_entries) { 2709 for (i = 0; i < number_entries; i++) { 2710 temp = ntohs(list[i]); 2711 if (temp >= stcb->asoc.streamincnt) { 2712 continue; 2713 } 2714 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2715 } 2716 } else { 2717 list = NULL; 2718 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2719 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2720 } 2721 } 2722 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2723 } 2724 2725 static void 2726 sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2727 { 2728 int i; 2729 2730 if (number_entries == 0) { 2731 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2732 stcb->asoc.strmout[i].next_sequence_sent = 0; 2733 } 2734 } else if (number_entries) { 2735 for (i = 0; i < number_entries; i++) { 2736 uint16_t temp; 2737 2738 temp = ntohs(list[i]); 2739 if (temp >= stcb->asoc.streamoutcnt) { 2740 /* no such stream */ 2741 continue; 2742 } 2743 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2744 } 2745 } 2746 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2747 } 2748 2749 2750 struct sctp_stream_reset_out_request * 2751 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2752 { 2753 struct sctp_association *asoc; 2754 struct sctp_stream_reset_out_req *req; 2755 struct sctp_stream_reset_out_request *r; 2756 struct sctp_tmit_chunk *chk; 2757 int len, clen; 2758 2759 asoc = &stcb->asoc; 2760 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2761 return (NULL); 2762 } 2763 if (stcb->asoc.str_reset == NULL) { 2764 return (NULL); 2765 } 2766 chk = stcb->asoc.str_reset; 2767 if (chk->data == NULL) { 2768 return (NULL); 2769 } 2770 if (bchk) { 2771 /* he wants a copy of the chk pointer */ 2772 *bchk = chk; 2773 } 2774 clen = chk->send_size; 2775 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2776 r = &req->sr_req; 2777 if (ntohl(r->request_seq) == seq) { 2778 /* found it */ 2779 return (r); 2780 } 2781 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2782 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2783 /* move to the next one, there can only be a max of two */ 2784 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2785 if (ntohl(r->request_seq) == seq) { 2786 return (r); 2787 } 2788 } 2789 /* that seq is not here */ 2790 return (NULL); 2791 } 2792 2793 static void 2794 sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2795 { 2796 struct sctp_association *asoc; 2797 2798 asoc = &stcb->asoc; 2799 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2800 2801 if (stcb->asoc.str_reset == NULL) { 2802 return; 2803 } 2804 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 2805 TAILQ_REMOVE(&asoc->control_send_queue, 2806 chk, 2807 sctp_next); 2808 if (chk->data) { 2809 sctp_m_freem(chk->data); 2810 chk->data = NULL; 2811 } 2812 asoc->ctrl_queue_cnt--; 2813 sctp_free_remote_addr(chk->whoTo); 2814 2815 sctp_free_a_chunk(stcb, chk); 2816 stcb->asoc.str_reset = NULL; 2817 } 2818 2819 2820 static int 2821 sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2822 uint32_t seq, uint32_t action, 2823 struct sctp_stream_reset_response *respin) 2824 { 2825 uint16_t type; 2826 int lparm_len; 2827 struct sctp_association *asoc = &stcb->asoc; 2828 struct sctp_tmit_chunk *chk; 2829 struct sctp_stream_reset_out_request *srparam; 2830 int number_entries; 2831 2832 if (asoc->stream_reset_outstanding == 0) { 2833 /* duplicate */ 2834 return (0); 2835 } 2836 if (seq == stcb->asoc.str_reset_seq_out) { 2837 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2838 if (srparam) { 2839 stcb->asoc.str_reset_seq_out++; 2840 type = ntohs(srparam->ph.param_type); 2841 lparm_len = ntohs(srparam->ph.param_length); 2842 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2843 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2844 asoc->stream_reset_out_is_outstanding = 0; 2845 if (asoc->stream_reset_outstanding) 2846 asoc->stream_reset_outstanding--; 2847 if (action == SCTP_STREAM_RESET_PERFORMED) { 2848 /* do it */ 2849 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2850 } else { 2851 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2852 } 2853 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2854 /* Answered my request */ 2855 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 2856 if (asoc->stream_reset_outstanding) 2857 asoc->stream_reset_outstanding--; 2858 if (action != SCTP_STREAM_RESET_PERFORMED) { 2859 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2860 } 2861 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2862 /** 2863 * a) Adopt the new in tsn. 2864 * b) reset the map 2865 * c) Adopt the new out-tsn 2866 */ 2867 struct sctp_stream_reset_response_tsn *resp; 2868 struct sctp_forward_tsn_chunk fwdtsn; 2869 int abort_flag = 0; 2870 2871 if (respin == NULL) { 2872 /* huh ? */ 2873 return (0); 2874 } 2875 if (action == SCTP_STREAM_RESET_PERFORMED) { 2876 resp = (struct sctp_stream_reset_response_tsn *)respin; 2877 asoc->stream_reset_outstanding--; 2878 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2879 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2880 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2881 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2882 if (abort_flag) { 2883 return (1); 2884 } 2885 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2886 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2887 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2888 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2889 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2890 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2891 2892 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2893 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2894 2895 } 2896 } 2897 /* get rid of the request and get the request flags */ 2898 if (asoc->stream_reset_outstanding == 0) { 2899 sctp_clean_up_stream_reset(stcb); 2900 } 2901 } 2902 } 2903 return (0); 2904 } 2905 2906 static void 2907 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2908 struct sctp_tmit_chunk *chk, 2909 struct sctp_stream_reset_in_request *req) 2910 { 2911 uint32_t seq; 2912 int len, i; 2913 int number_entries; 2914 uint16_t temp; 2915 2916 /* 2917 * peer wants me to send a str-reset to him for my outgoing seq's if 2918 * seq_in is right. 2919 */ 2920 struct sctp_association *asoc = &stcb->asoc; 2921 2922 seq = ntohl(req->request_seq); 2923 if (asoc->str_reset_seq_in == seq) { 2924 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2925 len = ntohs(req->ph.param_length); 2926 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2927 for (i = 0; i < number_entries; i++) { 2928 temp = ntohs(req->list_of_streams[i]); 2929 req->list_of_streams[i] = temp; 2930 } 2931 /* move the reset action back one */ 2932 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2933 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2934 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2935 asoc->str_reset_seq_out, 2936 seq, (asoc->sending_seq - 1)); 2937 asoc->stream_reset_out_is_outstanding = 1; 2938 asoc->str_reset = chk; 2939 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2940 stcb->asoc.stream_reset_outstanding++; 2941 } else { 2942 /* Can't do it, since we have sent one out */ 2943 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2944 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 2945 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2946 } 2947 asoc->str_reset_seq_in++; 2948 } else if (asoc->str_reset_seq_in - 1 == seq) { 2949 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2950 } else if (asoc->str_reset_seq_in - 2 == seq) { 2951 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2952 } else { 2953 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2954 } 2955 } 2956 2957 static int 2958 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 2959 struct sctp_tmit_chunk *chk, 2960 struct sctp_stream_reset_tsn_request *req) 2961 { 2962 /* reset all in and out and update the tsn */ 2963 /* 2964 * A) reset my str-seq's on in and out. B) Select a receive next, 2965 * and set cum-ack to it. Also process this selected number as a 2966 * fwd-tsn as well. C) set in the response my next sending seq. 2967 */ 2968 struct sctp_forward_tsn_chunk fwdtsn; 2969 struct sctp_association *asoc = &stcb->asoc; 2970 int abort_flag = 0; 2971 uint32_t seq; 2972 2973 seq = ntohl(req->request_seq); 2974 if (asoc->str_reset_seq_in == seq) { 2975 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2976 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2977 fwdtsn.ch.chunk_flags = 0; 2978 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 2979 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2980 if (abort_flag) { 2981 return (1); 2982 } 2983 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 2984 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2985 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 2986 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2987 atomic_add_int(&stcb->asoc.sending_seq, 1); 2988 /* save off historical data for retrans */ 2989 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 2990 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 2991 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 2992 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 2993 2994 sctp_add_stream_reset_result_tsn(chk, 2995 ntohl(req->request_seq), 2996 SCTP_STREAM_RESET_PERFORMED, 2997 stcb->asoc.sending_seq, 2998 stcb->asoc.mapping_array_base_tsn); 2999 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3000 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3001 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3002 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3003 3004 asoc->str_reset_seq_in++; 3005 } else if (asoc->str_reset_seq_in - 1 == seq) { 3006 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3007 stcb->asoc.last_sending_seq[0], 3008 stcb->asoc.last_base_tsnsent[0] 3009 ); 3010 } else if (asoc->str_reset_seq_in - 2 == seq) { 3011 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3012 stcb->asoc.last_sending_seq[1], 3013 stcb->asoc.last_base_tsnsent[1] 3014 ); 3015 } else { 3016 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3017 } 3018 return (0); 3019 } 3020 3021 static void 3022 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3023 struct sctp_tmit_chunk *chk, 3024 struct sctp_stream_reset_out_request *req) 3025 { 3026 uint32_t seq, tsn; 3027 int number_entries, len; 3028 struct sctp_association *asoc = &stcb->asoc; 3029 3030 seq = ntohl(req->request_seq); 3031 3032 /* now if its not a duplicate we process it */ 3033 if (asoc->str_reset_seq_in == seq) { 3034 len = ntohs(req->ph.param_length); 3035 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3036 /* 3037 * the sender is resetting, handle the list issue.. we must 3038 * a) verify if we can do the reset, if so no problem b) If 3039 * we can't do the reset we must copy the request. c) queue 3040 * it, and setup the data in processor to trigger it off 3041 * when needed and dequeue all the queued data. 3042 */ 3043 tsn = ntohl(req->send_reset_at_tsn); 3044 3045 /* move the reset action back one */ 3046 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3047 if ((tsn == asoc->cumulative_tsn) || 3048 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3049 /* we can do it now */ 3050 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3051 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3052 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3053 } else { 3054 /* 3055 * we must queue it up and thus wait for the TSN's 3056 * to arrive that are at or before tsn 3057 */ 3058 struct sctp_stream_reset_list *liste; 3059 int siz; 3060 3061 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3062 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3063 siz, "StrRstList"); 3064 if (liste == NULL) { 3065 /* gak out of memory */ 3066 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3067 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3068 return; 3069 } 3070 liste->tsn = tsn; 3071 liste->number_entries = number_entries; 3072 memcpy(&liste->req, req, 3073 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3074 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3075 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3076 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3077 } 3078 asoc->str_reset_seq_in++; 3079 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3080 /* 3081 * one seq back, just echo back last action since my 3082 * response was lost. 3083 */ 3084 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3085 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3086 /* 3087 * two seq back, just echo back last action since my 3088 * response was lost. 3089 */ 3090 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3091 } else { 3092 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3093 } 3094 } 3095 3096 static int 3097 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 3098 { 3099 int chk_length, param_len, ptype; 3100 uint32_t seq; 3101 int num_req = 0; 3102 struct sctp_tmit_chunk *chk; 3103 struct sctp_chunkhdr *ch; 3104 struct sctp_paramhdr *ph; 3105 3106 /* now it may be a reset or a reset-response */ 3107 chk_length = ntohs(sr_req->ch.chunk_length); 3108 int ret_code = 0; 3109 int num_param = 0; 3110 3111 /* setup for adding the response */ 3112 sctp_alloc_a_chunk(stcb, chk); 3113 if (chk == NULL) { 3114 return (ret_code); 3115 } 3116 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3117 chk->asoc = &stcb->asoc; 3118 chk->no_fr_allowed = 0; 3119 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3120 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_DONTWAIT, 1, MT_DATA); 3121 if (chk->data == NULL) { 3122 strres_nochunk: 3123 if (chk->data) { 3124 sctp_m_freem(chk->data); 3125 chk->data = NULL; 3126 } 3127 sctp_free_a_chunk(stcb, chk); 3128 return (ret_code); 3129 } 3130 chk->data->m_data += SCTP_MIN_OVERHEAD; 3131 3132 /* setup chunk parameters */ 3133 chk->sent = SCTP_DATAGRAM_UNSENT; 3134 chk->snd_count = 0; 3135 chk->whoTo = stcb->asoc.primary_destination; 3136 atomic_add_int(&chk->whoTo->ref_count, 1); 3137 3138 ch = mtod(chk->data, struct sctp_chunkhdr *); 3139 ch->chunk_type = SCTP_STREAM_RESET; 3140 ch->chunk_flags = 0; 3141 ch->chunk_length = htons(chk->send_size); 3142 chk->data->m_pkthdr.len = chk->data->m_len = SCTP_SIZE32(chk->send_size); 3143 3144 3145 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3146 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3147 param_len = ntohs(ph->param_length); 3148 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3149 /* bad param */ 3150 break; 3151 } 3152 ptype = ntohs(ph->param_type); 3153 num_param++; 3154 if (num_param > SCTP_MAX_RESET_PARAMS) { 3155 /* hit the max of parameters already sorry.. */ 3156 break; 3157 } 3158 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3159 struct sctp_stream_reset_out_request *req_out; 3160 3161 req_out = (struct sctp_stream_reset_out_request *)ph; 3162 num_req++; 3163 if (stcb->asoc.stream_reset_outstanding) { 3164 seq = ntohl(req_out->response_seq); 3165 if (seq == stcb->asoc.str_reset_seq_out) { 3166 /* implicit ack */ 3167 sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3168 } 3169 } 3170 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3171 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3172 struct sctp_stream_reset_in_request *req_in; 3173 3174 num_req++; 3175 req_in = (struct sctp_stream_reset_in_request *)ph; 3176 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3177 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3178 struct sctp_stream_reset_tsn_request *req_tsn; 3179 3180 num_req++; 3181 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3182 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3183 ret_code = 1; 3184 goto strres_nochunk; 3185 } 3186 /* no more */ 3187 break; 3188 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3189 struct sctp_stream_reset_response *resp; 3190 uint32_t result; 3191 3192 resp = (struct sctp_stream_reset_response *)ph; 3193 seq = ntohl(resp->response_seq); 3194 result = ntohl(resp->result); 3195 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3196 ret_code = 1; 3197 goto strres_nochunk; 3198 } 3199 } else { 3200 break; 3201 } 3202 3203 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3204 chk_length -= SCTP_SIZE32(param_len); 3205 } 3206 if (num_req == 0) { 3207 /* we have no response free the stuff */ 3208 goto strres_nochunk; 3209 } 3210 /* ok we have a chunk to link in */ 3211 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3212 chk, 3213 sctp_next); 3214 stcb->asoc.ctrl_queue_cnt++; 3215 return (ret_code); 3216 } 3217 3218 /* 3219 * Handle a router or endpoints report of a packet loss, there are two ways 3220 * to handle this, either we get the whole packet and must disect it 3221 * ourselves (possibly with truncation and or corruption) or it is a summary 3222 * from a middle box that did the disectting for us. 3223 */ 3224 static void 3225 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3226 struct sctp_tcb *stcb, struct sctp_nets *net) 3227 { 3228 uint32_t bottle_bw, on_queue; 3229 uint16_t trunc_len; 3230 unsigned int chlen; 3231 unsigned int at; 3232 struct sctp_chunk_desc desc; 3233 struct sctp_chunkhdr *ch; 3234 3235 chlen = ntohs(cp->ch.chunk_length); 3236 chlen -= sizeof(struct sctp_pktdrop_chunk); 3237 /* XXX possible chlen underflow */ 3238 if (chlen == 0) { 3239 ch = NULL; 3240 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3241 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3242 } else { 3243 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3244 chlen -= sizeof(struct sctphdr); 3245 /* XXX possible chlen underflow */ 3246 memset(&desc, 0, sizeof(desc)); 3247 } 3248 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3249 /* now the chunks themselves */ 3250 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3251 desc.chunk_type = ch->chunk_type; 3252 /* get amount we need to move */ 3253 at = ntohs(ch->chunk_length); 3254 if (at < sizeof(struct sctp_chunkhdr)) { 3255 /* corrupt chunk, maybe at the end? */ 3256 SCTP_STAT_INCR(sctps_pdrpcrupt); 3257 break; 3258 } 3259 if (trunc_len == 0) { 3260 /* we are supposed to have all of it */ 3261 if (at > chlen) { 3262 /* corrupt skip it */ 3263 SCTP_STAT_INCR(sctps_pdrpcrupt); 3264 break; 3265 } 3266 } else { 3267 /* is there enough of it left ? */ 3268 if (desc.chunk_type == SCTP_DATA) { 3269 if (chlen < (sizeof(struct sctp_data_chunk) + 3270 sizeof(desc.data_bytes))) { 3271 break; 3272 } 3273 } else { 3274 if (chlen < sizeof(struct sctp_chunkhdr)) { 3275 break; 3276 } 3277 } 3278 } 3279 if (desc.chunk_type == SCTP_DATA) { 3280 /* can we get out the tsn? */ 3281 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3282 SCTP_STAT_INCR(sctps_pdrpmbda); 3283 3284 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3285 /* yep */ 3286 struct sctp_data_chunk *dcp; 3287 uint8_t *ddp; 3288 unsigned int iii; 3289 3290 dcp = (struct sctp_data_chunk *)ch; 3291 ddp = (uint8_t *) (dcp + 1); 3292 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3293 desc.data_bytes[iii] = ddp[iii]; 3294 } 3295 desc.tsn_ifany = dcp->dp.tsn; 3296 } else { 3297 /* nope we are done. */ 3298 SCTP_STAT_INCR(sctps_pdrpnedat); 3299 break; 3300 } 3301 } else { 3302 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3303 SCTP_STAT_INCR(sctps_pdrpmbct); 3304 } 3305 3306 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3307 SCTP_STAT_INCR(sctps_pdrppdbrk); 3308 break; 3309 } 3310 if (SCTP_SIZE32(at) > chlen) { 3311 break; 3312 } 3313 chlen -= SCTP_SIZE32(at); 3314 if (chlen < sizeof(struct sctp_chunkhdr)) { 3315 /* done, none left */ 3316 break; 3317 } 3318 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3319 } 3320 /* Now update any rwnd --- possibly */ 3321 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3322 /* From a peer, we get a rwnd report */ 3323 uint32_t a_rwnd; 3324 3325 SCTP_STAT_INCR(sctps_pdrpfehos); 3326 3327 bottle_bw = ntohl(cp->bottle_bw); 3328 on_queue = ntohl(cp->current_onq); 3329 if (bottle_bw && on_queue) { 3330 /* a rwnd report is in here */ 3331 if (bottle_bw > on_queue) 3332 a_rwnd = bottle_bw - on_queue; 3333 else 3334 a_rwnd = 0; 3335 3336 if (a_rwnd == 0) 3337 stcb->asoc.peers_rwnd = 0; 3338 else { 3339 if (a_rwnd > stcb->asoc.total_flight) { 3340 stcb->asoc.peers_rwnd = 3341 a_rwnd - stcb->asoc.total_flight; 3342 } else { 3343 stcb->asoc.peers_rwnd = 0; 3344 } 3345 if (stcb->asoc.peers_rwnd < 3346 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3347 /* SWS sender side engages */ 3348 stcb->asoc.peers_rwnd = 0; 3349 } 3350 } 3351 } 3352 } else { 3353 SCTP_STAT_INCR(sctps_pdrpfmbox); 3354 } 3355 3356 /* now middle boxes in sat networks get a cwnd bump */ 3357 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3358 (stcb->asoc.sat_t3_loss_recovery == 0) && 3359 (stcb->asoc.sat_network)) { 3360 /* 3361 * This is debateable but for sat networks it makes sense 3362 * Note if a T3 timer has went off, we will prohibit any 3363 * changes to cwnd until we exit the t3 loss recovery. 3364 */ 3365 uint32_t bw_avail; 3366 int rtt, incr; 3367 3368 #ifdef SCTP_CWND_MONITOR 3369 int old_cwnd = net->cwnd; 3370 3371 #endif 3372 /* need real RTT for this calc */ 3373 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3374 /* get bottle neck bw */ 3375 bottle_bw = ntohl(cp->bottle_bw); 3376 /* and whats on queue */ 3377 on_queue = ntohl(cp->current_onq); 3378 /* 3379 * adjust the on-queue if our flight is more it could be 3380 * that the router has not yet gotten data "in-flight" to it 3381 */ 3382 if (on_queue < net->flight_size) 3383 on_queue = net->flight_size; 3384 3385 /* calculate the available space */ 3386 bw_avail = (bottle_bw * rtt) / 1000; 3387 if (bw_avail > bottle_bw) { 3388 /* 3389 * Cap the growth to no more than the bottle neck. 3390 * This can happen as RTT slides up due to queues. 3391 * It also means if you have more than a 1 second 3392 * RTT with a empty queue you will be limited to the 3393 * bottle_bw per second no matter if other points 3394 * have 1/2 the RTT and you could get more out... 3395 */ 3396 bw_avail = bottle_bw; 3397 } 3398 if (on_queue > bw_avail) { 3399 /* 3400 * No room for anything else don't allow anything 3401 * else to be "added to the fire". 3402 */ 3403 int seg_inflight, seg_onqueue, my_portion; 3404 3405 net->partial_bytes_acked = 0; 3406 3407 /* how much are we over queue size? */ 3408 incr = on_queue - bw_avail; 3409 if (stcb->asoc.seen_a_sack_this_pkt) { 3410 /* 3411 * undo any cwnd adjustment that the sack 3412 * might have made 3413 */ 3414 net->cwnd = net->prev_cwnd; 3415 } 3416 /* Now how much of that is mine? */ 3417 seg_inflight = net->flight_size / net->mtu; 3418 seg_onqueue = on_queue / net->mtu; 3419 my_portion = (incr * seg_inflight) / seg_onqueue; 3420 3421 /* Have I made an adjustment already */ 3422 if (net->cwnd > net->flight_size) { 3423 /* 3424 * for this flight I made an adjustment we 3425 * need to decrease the portion by a share 3426 * our previous adjustment. 3427 */ 3428 int diff_adj; 3429 3430 diff_adj = net->cwnd - net->flight_size; 3431 if (diff_adj > my_portion) 3432 my_portion = 0; 3433 else 3434 my_portion -= diff_adj; 3435 } 3436 /* 3437 * back down to the previous cwnd (assume we have 3438 * had a sack before this packet). minus what ever 3439 * portion of the overage is my fault. 3440 */ 3441 net->cwnd -= my_portion; 3442 3443 /* we will NOT back down more than 1 MTU */ 3444 if (net->cwnd <= net->mtu) { 3445 net->cwnd = net->mtu; 3446 } 3447 /* force into CA */ 3448 net->ssthresh = net->cwnd - 1; 3449 } else { 3450 /* 3451 * Take 1/4 of the space left or max burst up .. 3452 * whichever is less. 3453 */ 3454 incr = min((bw_avail - on_queue) >> 2, 3455 (int)stcb->asoc.max_burst * (int)net->mtu); 3456 net->cwnd += incr; 3457 } 3458 if (net->cwnd > bw_avail) { 3459 /* We can't exceed the pipe size */ 3460 net->cwnd = bw_avail; 3461 } 3462 if (net->cwnd < net->mtu) { 3463 /* We always have 1 MTU */ 3464 net->cwnd = net->mtu; 3465 } 3466 #ifdef SCTP_CWND_MONITOR 3467 if (net->cwnd - old_cwnd != 0) { 3468 /* log only changes */ 3469 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3470 SCTP_CWND_LOG_FROM_SAT); 3471 } 3472 #endif 3473 } 3474 } 3475 3476 extern int sctp_strict_init; 3477 extern int sctp_abort_if_one_2_one_hits_limit; 3478 3479 /* 3480 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3481 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3482 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3483 * length of the complete packet outputs: - length: modified to remaining 3484 * length after control processing - netp: modified to new sctp_nets after 3485 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3486 * bad packet,...) otherwise return the tcb for this packet 3487 */ 3488 static struct sctp_tcb * 3489 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3490 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3491 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3492 { 3493 struct sctp_association *asoc; 3494 uint32_t vtag_in; 3495 int num_chunks = 0; /* number of control chunks processed */ 3496 int chk_length; 3497 int ret; 3498 3499 /* 3500 * How big should this be, and should it be alloc'd? Lets try the 3501 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3502 * until we get into jumbo grams and such.. 3503 */ 3504 uint8_t chunk_buf[DEFAULT_CHUNK_BUFFER]; 3505 struct sctp_tcb *locked_tcb = stcb; 3506 int got_auth = 0; 3507 uint32_t auth_offset = 0, auth_len = 0; 3508 int auth_skipped = 0; 3509 3510 #ifdef SCTP_DEBUG 3511 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3512 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3513 iphlen, *offset, length, stcb); 3514 } 3515 #endif /* SCTP_DEBUG */ 3516 3517 /* validate chunk header length... */ 3518 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3519 return (NULL); 3520 } 3521 /* 3522 * validate the verification tag 3523 */ 3524 vtag_in = ntohl(sh->v_tag); 3525 3526 if (locked_tcb) { 3527 SCTP_TCB_LOCK_ASSERT(locked_tcb); 3528 } 3529 if (ch->chunk_type == SCTP_INITIATION) { 3530 if (vtag_in != 0) { 3531 /* protocol error- silently discard... */ 3532 SCTP_STAT_INCR(sctps_badvtag); 3533 if (locked_tcb) 3534 SCTP_TCB_UNLOCK(locked_tcb); 3535 return (NULL); 3536 } 3537 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3538 /* 3539 * If there is no stcb, skip the AUTH chunk and process 3540 * later after a stcb is found (to validate the lookup was 3541 * valid. 3542 */ 3543 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3544 (stcb == NULL) && !sctp_auth_disable) { 3545 /* save this chunk for later processing */ 3546 auth_skipped = 1; 3547 auth_offset = *offset; 3548 auth_len = ntohs(ch->chunk_length); 3549 3550 /* (temporarily) move past this chunk */ 3551 *offset += SCTP_SIZE32(auth_len); 3552 if (*offset >= length) { 3553 /* no more data left in the mbuf chain */ 3554 *offset = length; 3555 return (NULL); 3556 } 3557 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3558 sizeof(struct sctp_chunkhdr), chunk_buf); 3559 } 3560 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3561 goto process_control_chunks; 3562 } 3563 /* 3564 * first check if it's an ASCONF with an unknown src addr we 3565 * need to look inside to find the association 3566 */ 3567 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3568 /* inp's refcount may be reduced */ 3569 SCTP_INP_INCR_REF(inp); 3570 3571 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3572 *offset, sh, &inp, netp); 3573 if (stcb == NULL) { 3574 /* 3575 * reduce inp's refcount if not reduced in 3576 * sctp_findassociation_ep_asconf(). 3577 */ 3578 SCTP_INP_DECR_REF(inp); 3579 } 3580 /* now go back and verify any auth chunk to be sure */ 3581 if (auth_skipped && (stcb != NULL)) { 3582 struct sctp_auth_chunk *auth; 3583 3584 auth = (struct sctp_auth_chunk *) 3585 sctp_m_getptr(m, auth_offset, 3586 auth_len, chunk_buf); 3587 got_auth = 1; 3588 auth_skipped = 0; 3589 if (sctp_handle_auth(stcb, auth, m, 3590 auth_offset)) { 3591 /* auth HMAC failed so dump it */ 3592 *offset = length; 3593 return (NULL); 3594 } else { 3595 /* remaining chunks are HMAC checked */ 3596 stcb->asoc.authenticated = 1; 3597 } 3598 } 3599 } 3600 if (stcb == NULL) { 3601 /* no association, so it's out of the blue... */ 3602 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3603 *offset = length; 3604 if (locked_tcb) 3605 SCTP_TCB_UNLOCK(locked_tcb); 3606 return (NULL); 3607 } 3608 asoc = &stcb->asoc; 3609 /* ABORT and SHUTDOWN can use either v_tag... */ 3610 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3611 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3612 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3613 if ((vtag_in == asoc->my_vtag) || 3614 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3615 (vtag_in == asoc->peer_vtag))) { 3616 /* this is valid */ 3617 } else { 3618 /* drop this packet... */ 3619 SCTP_STAT_INCR(sctps_badvtag); 3620 if (locked_tcb) 3621 SCTP_TCB_UNLOCK(locked_tcb); 3622 return (NULL); 3623 } 3624 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3625 if (vtag_in != asoc->my_vtag) { 3626 /* 3627 * this could be a stale SHUTDOWN-ACK or the 3628 * peer never got the SHUTDOWN-COMPLETE and 3629 * is still hung; we have started a new asoc 3630 * but it won't complete until the shutdown 3631 * is completed 3632 */ 3633 if (locked_tcb) 3634 SCTP_TCB_UNLOCK(locked_tcb); 3635 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3636 NULL); 3637 return (NULL); 3638 } 3639 } else { 3640 /* for all other chunks, vtag must match */ 3641 if (vtag_in != asoc->my_vtag) { 3642 /* invalid vtag... */ 3643 #ifdef SCTP_DEBUG 3644 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3645 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3646 } 3647 #endif /* SCTP_DEBUG */ 3648 SCTP_STAT_INCR(sctps_badvtag); 3649 if (locked_tcb) 3650 SCTP_TCB_UNLOCK(locked_tcb); 3651 *offset = length; 3652 return (NULL); 3653 } 3654 } 3655 } /* end if !SCTP_COOKIE_ECHO */ 3656 /* 3657 * process all control chunks... 3658 */ 3659 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3660 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3661 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3662 /* implied cookie-ack.. we must have lost the ack */ 3663 stcb->asoc.overall_error_count = 0; 3664 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3665 *netp); 3666 } 3667 process_control_chunks: 3668 3669 while (IS_SCTP_CONTROL(ch)) { 3670 /* validate chunk length */ 3671 chk_length = ntohs(ch->chunk_length); 3672 #ifdef SCTP_DEBUG 3673 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3674 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", 3675 ch->chunk_type, chk_length); 3676 } 3677 #endif /* SCTP_DEBUG */ 3678 if ((size_t)chk_length < sizeof(*ch) || 3679 (*offset + chk_length) > length) { 3680 *offset = length; 3681 if (locked_tcb) 3682 SCTP_TCB_UNLOCK(locked_tcb); 3683 return (NULL); 3684 } 3685 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3686 /* 3687 * INIT-ACK only gets the init ack "header" portion only 3688 * because we don't have to process the peer's COOKIE. All 3689 * others get a complete chunk. 3690 */ 3691 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3692 /* get an init-ack chunk */ 3693 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3694 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3695 if (ch == NULL) { 3696 *offset = length; 3697 if (locked_tcb) 3698 SCTP_TCB_UNLOCK(locked_tcb); 3699 return (NULL); 3700 } 3701 } else { 3702 /* get a complete chunk... */ 3703 if ((size_t)chk_length > sizeof(chunk_buf)) { 3704 struct mbuf *oper; 3705 struct sctp_paramhdr *phdr; 3706 3707 oper = NULL; 3708 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3709 1, M_DONTWAIT, 1, MT_DATA); 3710 if (oper) { 3711 /* pre-reserve some space */ 3712 oper->m_data += sizeof(struct sctp_chunkhdr); 3713 oper->m_len = sizeof(struct sctp_paramhdr); 3714 oper->m_pkthdr.len = oper->m_len; 3715 phdr = mtod(oper, struct sctp_paramhdr *); 3716 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); 3717 phdr->param_length = htons(sizeof(struct sctp_paramhdr)); 3718 sctp_queue_op_err(stcb, oper); 3719 } 3720 if (locked_tcb) 3721 SCTP_TCB_UNLOCK(locked_tcb); 3722 return (NULL); 3723 } 3724 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3725 chk_length, chunk_buf); 3726 if (ch == NULL) { 3727 printf("sctp_process_control: Can't get the all data....\n"); 3728 *offset = length; 3729 if (locked_tcb) 3730 SCTP_TCB_UNLOCK(locked_tcb); 3731 return (NULL); 3732 } 3733 } 3734 num_chunks++; 3735 /* Save off the last place we got a control from */ 3736 if (stcb != NULL) { 3737 if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) { 3738 /* 3739 * allow last_control to be NULL if 3740 * ASCONF... ASCONF processing will find the 3741 * right net later 3742 */ 3743 stcb->asoc.last_control_chunk_from = *netp; 3744 } 3745 } 3746 #ifdef SCTP_AUDITING_ENABLED 3747 sctp_audit_log(0xB0, ch->chunk_type); 3748 #endif 3749 3750 /* check to see if this chunk required auth, but isn't */ 3751 if ((stcb != NULL) && !sctp_auth_disable && 3752 sctp_auth_is_required_chunk(ch->chunk_type, 3753 stcb->asoc.local_auth_chunks) && 3754 !stcb->asoc.authenticated) { 3755 /* "silently" ignore */ 3756 SCTP_STAT_INCR(sctps_recvauthmissing); 3757 goto next_chunk; 3758 } 3759 switch (ch->chunk_type) { 3760 case SCTP_INITIATION: 3761 /* must be first and only chunk */ 3762 #ifdef SCTP_DEBUG 3763 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3764 printf("SCTP_INIT\n"); 3765 } 3766 #endif /* SCTP_DEBUG */ 3767 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3768 /* We are not interested anymore? */ 3769 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3770 /* 3771 * collision case where we are 3772 * sending to them too 3773 */ 3774 ; 3775 } else { 3776 if (locked_tcb) 3777 SCTP_TCB_UNLOCK(locked_tcb); 3778 *offset = length; 3779 return (NULL); 3780 } 3781 } 3782 if ((num_chunks > 1) || 3783 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3784 *offset = length; 3785 if (locked_tcb) 3786 SCTP_TCB_UNLOCK(locked_tcb); 3787 return (NULL); 3788 } 3789 if ((stcb != NULL) && 3790 (SCTP_GET_STATE(&stcb->asoc) == 3791 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3792 sctp_send_shutdown_ack(stcb, 3793 stcb->asoc.primary_destination); 3794 *offset = length; 3795 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3796 if (locked_tcb) 3797 SCTP_TCB_UNLOCK(locked_tcb); 3798 return (NULL); 3799 } 3800 sctp_handle_init(m, iphlen, *offset, sh, 3801 (struct sctp_init_chunk *)ch, inp, stcb, *netp); 3802 *offset = length; 3803 if (locked_tcb) 3804 SCTP_TCB_UNLOCK(locked_tcb); 3805 return (NULL); 3806 break; 3807 case SCTP_INITIATION_ACK: 3808 /* must be first and only chunk */ 3809 #ifdef SCTP_DEBUG 3810 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3811 printf("SCTP_INIT-ACK\n"); 3812 } 3813 #endif /* SCTP_DEBUG */ 3814 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3815 /* We are not interested anymore */ 3816 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3817 ; 3818 } else { 3819 if (locked_tcb) 3820 SCTP_TCB_UNLOCK(locked_tcb); 3821 *offset = length; 3822 if (stcb) { 3823 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3824 } 3825 return (NULL); 3826 } 3827 } 3828 if ((num_chunks > 1) || 3829 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3830 *offset = length; 3831 if (locked_tcb) 3832 SCTP_TCB_UNLOCK(locked_tcb); 3833 return (NULL); 3834 } 3835 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3836 (struct sctp_init_ack_chunk *)ch, stcb, *netp); 3837 /* 3838 * Special case, I must call the output routine to 3839 * get the cookie echoed 3840 */ 3841 if ((stcb) && ret == 0) 3842 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3843 *offset = length; 3844 if (locked_tcb) 3845 SCTP_TCB_UNLOCK(locked_tcb); 3846 return (NULL); 3847 break; 3848 case SCTP_SELECTIVE_ACK: 3849 #ifdef SCTP_DEBUG 3850 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3851 printf("SCTP_SACK\n"); 3852 } 3853 #endif /* SCTP_DEBUG */ 3854 SCTP_STAT_INCR(sctps_recvsacks); 3855 { 3856 struct sctp_sack_chunk *sack; 3857 int abort_now = 0; 3858 uint32_t a_rwnd, cum_ack; 3859 uint16_t num_seg; 3860 int nonce_sum_flag; 3861 3862 sack = (struct sctp_sack_chunk *)ch; 3863 3864 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3865 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3866 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3867 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3868 stcb->asoc.seen_a_sack_this_pkt = 1; 3869 if ((stcb->asoc.pr_sctp_cnt == 0) && 3870 (num_seg == 0) && 3871 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3872 (cum_ack == stcb->asoc.last_acked_seq)) && 3873 (stcb->asoc.saw_sack_with_frags == 0) && 3874 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3875 ) { 3876 /* 3877 * We have a SIMPLE sack having no 3878 * prior segments and data on sent 3879 * queue to be acked.. Use the 3880 * faster path sack processing. We 3881 * also allow window update sacks 3882 * with no missing segments to go 3883 * this way too. 3884 */ 3885 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, &abort_now); 3886 } else { 3887 sctp_handle_sack(sack, stcb, *netp, &abort_now); 3888 } 3889 if (abort_now) { 3890 /* ABORT signal from sack processing */ 3891 *offset = length; 3892 return (NULL); 3893 } 3894 } 3895 break; 3896 case SCTP_HEARTBEAT_REQUEST: 3897 #ifdef SCTP_DEBUG 3898 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3899 printf("SCTP_HEARTBEAT\n"); 3900 } 3901 #endif /* SCTP_DEBUG */ 3902 SCTP_STAT_INCR(sctps_recvheartbeat); 3903 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3904 *netp); 3905 3906 /* He's alive so give him credit */ 3907 stcb->asoc.overall_error_count = 0; 3908 break; 3909 case SCTP_HEARTBEAT_ACK: 3910 #ifdef SCTP_DEBUG 3911 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3912 printf("SCTP_HEARTBEAT-ACK\n"); 3913 } 3914 #endif /* SCTP_DEBUG */ 3915 3916 /* He's alive so give him credit */ 3917 stcb->asoc.overall_error_count = 0; 3918 SCTP_STAT_INCR(sctps_recvheartbeatack); 3919 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3920 stcb, *netp); 3921 break; 3922 case SCTP_ABORT_ASSOCIATION: 3923 #ifdef SCTP_DEBUG 3924 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3925 printf("SCTP_ABORT\n"); 3926 } 3927 #endif /* SCTP_DEBUG */ 3928 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3929 stcb, *netp); 3930 *offset = length; 3931 return (NULL); 3932 break; 3933 case SCTP_SHUTDOWN: 3934 #ifdef SCTP_DEBUG 3935 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3936 printf("SCTP_SHUTDOWN\n"); 3937 } 3938 #endif /* SCTP_DEBUG */ 3939 { 3940 int abort_flag = 0; 3941 3942 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3943 stcb, *netp, &abort_flag); 3944 if (abort_flag) { 3945 *offset = length; 3946 return (NULL); 3947 } 3948 } 3949 break; 3950 case SCTP_SHUTDOWN_ACK: 3951 #ifdef SCTP_DEBUG 3952 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3953 printf("SCTP_SHUTDOWN-ACK\n"); 3954 } 3955 #endif /* SCTP_DEBUG */ 3956 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 3957 *offset = length; 3958 return (NULL); 3959 break; 3960 case SCTP_OPERATION_ERROR: 3961 #ifdef SCTP_DEBUG 3962 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3963 printf("SCTP_OP-ERR\n"); 3964 } 3965 #endif /* SCTP_DEBUG */ 3966 if (sctp_handle_error(ch, stcb, *netp) < 0) { 3967 *offset = length; 3968 return (NULL); 3969 } 3970 break; 3971 case SCTP_COOKIE_ECHO: 3972 #ifdef SCTP_DEBUG 3973 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3974 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 3975 } 3976 #endif /* SCTP_DEBUG */ 3977 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3978 ; 3979 } else { 3980 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) && 3981 (stcb == NULL)) { 3982 /* We are not interested anymore */ 3983 *offset = length; 3984 return (NULL); 3985 } 3986 } 3987 /* 3988 * First are we accepting? We do this again here 3989 * since it is possible that a previous endpoint WAS 3990 * listening responded to a INIT-ACK and then 3991 * closed. We opened and bound.. and are now no 3992 * longer listening. 3993 */ 3994 if (inp->sctp_socket->so_qlimit == 0) { 3995 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 3996 /* 3997 * special case, is this a retran'd 3998 * COOKIE-ECHO or a restarting assoc 3999 * that is a peeled off or 4000 * one-to-one style socket. 4001 */ 4002 goto process_cookie_anyway; 4003 } 4004 sctp_abort_association(inp, stcb, m, iphlen, sh, 4005 NULL); 4006 *offset = length; 4007 return (NULL); 4008 } else if (inp->sctp_socket->so_qlimit) { 4009 /* we are accepting so check limits like TCP */ 4010 if (inp->sctp_socket->so_qlen > 4011 inp->sctp_socket->so_qlimit) { 4012 /* no space */ 4013 struct mbuf *oper; 4014 struct sctp_paramhdr *phdr; 4015 4016 if (sctp_abort_if_one_2_one_hits_limit) { 4017 oper = NULL; 4018 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4019 1, M_DONTWAIT, 1, MT_DATA); 4020 if (oper) { 4021 oper->m_len = 4022 oper->m_pkthdr.len = 4023 sizeof(struct sctp_paramhdr); 4024 phdr = mtod(oper, 4025 struct sctp_paramhdr *); 4026 phdr->param_type = 4027 htons(SCTP_CAUSE_OUT_OF_RESC); 4028 phdr->param_length = 4029 htons(sizeof(struct sctp_paramhdr)); 4030 } 4031 sctp_abort_association(inp, stcb, m, 4032 iphlen, sh, oper); 4033 } 4034 *offset = length; 4035 return (NULL); 4036 } 4037 } 4038 process_cookie_anyway: 4039 { 4040 struct mbuf *ret_buf; 4041 struct sctp_inpcb *linp; 4042 4043 if (stcb) 4044 linp = NULL; 4045 else 4046 linp = inp; 4047 4048 if (linp) 4049 SCTP_ASOC_CREATE_LOCK(linp); 4050 ret_buf = 4051 sctp_handle_cookie_echo(m, iphlen, 4052 *offset, sh, 4053 (struct sctp_cookie_echo_chunk *)ch, 4054 &inp, &stcb, netp, 4055 auth_skipped, 4056 auth_offset, 4057 auth_len, 4058 &locked_tcb); 4059 if (linp) 4060 SCTP_ASOC_CREATE_UNLOCK(linp); 4061 if (ret_buf == NULL) { 4062 if (locked_tcb) { 4063 SCTP_TCB_UNLOCK(locked_tcb); 4064 } 4065 #ifdef SCTP_DEBUG 4066 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4067 printf("GAK, null buffer\n"); 4068 } 4069 #endif /* SCTP_DEBUG */ 4070 auth_skipped = 0; 4071 *offset = length; 4072 return (NULL); 4073 } 4074 /* if AUTH skipped, see if it verified... */ 4075 if (auth_skipped) { 4076 got_auth = 1; 4077 auth_skipped = 0; 4078 } 4079 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4080 /* 4081 * Restart the timer if we have 4082 * pending data 4083 */ 4084 struct sctp_tmit_chunk *chk; 4085 4086 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4087 if (chk) { 4088 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4089 stcb->sctp_ep, stcb, 4090 chk->whoTo); 4091 } 4092 } 4093 } 4094 break; 4095 case SCTP_COOKIE_ACK: 4096 #ifdef SCTP_DEBUG 4097 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4098 printf("SCTP_COOKIE-ACK\n"); 4099 } 4100 #endif /* SCTP_DEBUG */ 4101 4102 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4103 /* We are not interested anymore */ 4104 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4105 ; 4106 } else { 4107 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4108 *offset = length; 4109 return (NULL); 4110 } 4111 } 4112 /* He's alive so give him credit */ 4113 stcb->asoc.overall_error_count = 0; 4114 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4115 break; 4116 case SCTP_ECN_ECHO: 4117 #ifdef SCTP_DEBUG 4118 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4119 printf("SCTP_ECN-ECHO\n"); 4120 } 4121 #endif /* SCTP_DEBUG */ 4122 /* He's alive so give him credit */ 4123 stcb->asoc.overall_error_count = 0; 4124 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4125 stcb); 4126 break; 4127 case SCTP_ECN_CWR: 4128 #ifdef SCTP_DEBUG 4129 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4130 printf("SCTP_ECN-CWR\n"); 4131 } 4132 #endif /* SCTP_DEBUG */ 4133 /* He's alive so give him credit */ 4134 stcb->asoc.overall_error_count = 0; 4135 4136 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4137 break; 4138 case SCTP_SHUTDOWN_COMPLETE: 4139 #ifdef SCTP_DEBUG 4140 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4141 printf("SCTP_SHUTDOWN-COMPLETE\n"); 4142 } 4143 #endif /* SCTP_DEBUG */ 4144 /* must be first and only chunk */ 4145 if ((num_chunks > 1) || 4146 (length - *offset > SCTP_SIZE32(chk_length))) { 4147 *offset = length; 4148 if (locked_tcb) 4149 SCTP_TCB_UNLOCK(locked_tcb); 4150 4151 return (NULL); 4152 } 4153 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4154 stcb, *netp); 4155 *offset = length; 4156 return (NULL); 4157 break; 4158 case SCTP_ASCONF: 4159 #ifdef SCTP_DEBUG 4160 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4161 printf("SCTP_ASCONF\n"); 4162 } 4163 #endif /* SCTP_DEBUG */ 4164 /* He's alive so give him credit */ 4165 stcb->asoc.overall_error_count = 0; 4166 4167 sctp_handle_asconf(m, *offset, 4168 (struct sctp_asconf_chunk *)ch, stcb); 4169 break; 4170 case SCTP_ASCONF_ACK: 4171 #ifdef SCTP_DEBUG 4172 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4173 printf("SCTP_ASCONF-ACK\n"); 4174 } 4175 #endif /* SCTP_DEBUG */ 4176 /* He's alive so give him credit */ 4177 stcb->asoc.overall_error_count = 0; 4178 4179 sctp_handle_asconf_ack(m, *offset, 4180 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4181 break; 4182 case SCTP_FORWARD_CUM_TSN: 4183 #ifdef SCTP_DEBUG 4184 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4185 printf("SCTP_FWD-TSN\n"); 4186 } 4187 #endif /* SCTP_DEBUG */ 4188 /* He's alive so give him credit */ 4189 { 4190 int abort_flag = 0; 4191 4192 stcb->asoc.overall_error_count = 0; 4193 *fwd_tsn_seen = 1; 4194 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4195 /* We are not interested anymore */ 4196 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28); 4197 *offset = length; 4198 return (NULL); 4199 } 4200 sctp_handle_forward_tsn(stcb, 4201 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4202 if (abort_flag) { 4203 *offset = length; 4204 return (NULL); 4205 } else { 4206 stcb->asoc.overall_error_count = 0; 4207 } 4208 4209 } 4210 break; 4211 case SCTP_STREAM_RESET: 4212 #ifdef SCTP_DEBUG 4213 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4214 printf("SCTP_STREAM_RESET\n"); 4215 } 4216 #endif /* SCTP_DEBUG */ 4217 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4218 chk_length, chunk_buf); 4219 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4220 /* We are not interested anymore */ 4221 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4222 *offset = length; 4223 return (NULL); 4224 } 4225 if (stcb->asoc.peer_supports_strreset == 0) { 4226 /* 4227 * hmm, peer should have announced this, but 4228 * we will turn it on since he is sending us 4229 * a stream reset. 4230 */ 4231 stcb->asoc.peer_supports_strreset = 1; 4232 } 4233 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4234 /* stop processing */ 4235 *offset = length; 4236 return (NULL); 4237 } 4238 break; 4239 case SCTP_PACKET_DROPPED: 4240 #ifdef SCTP_DEBUG 4241 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4242 printf("SCTP_PACKET_DROPPED\n"); 4243 } 4244 #endif /* SCTP_DEBUG */ 4245 /* re-get it all please */ 4246 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4247 chk_length, chunk_buf); 4248 4249 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4250 stcb, *netp); 4251 4252 break; 4253 4254 case SCTP_AUTHENTICATION: 4255 #ifdef SCTP_DEBUG 4256 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4257 printf("SCTP_AUTHENTICATION\n"); 4258 } 4259 #endif /* SCTP_DEBUG */ 4260 if (sctp_auth_disable) 4261 goto unknown_chunk; 4262 4263 if (stcb == NULL) { 4264 /* save the first AUTH for later processing */ 4265 if (auth_skipped == 0) { 4266 auth_offset = *offset; 4267 auth_len = chk_length; 4268 auth_skipped = 1; 4269 } 4270 /* skip this chunk (temporarily) */ 4271 goto next_chunk; 4272 } 4273 if (got_auth == 1) { 4274 /* skip this chunk... it's already auth'd */ 4275 goto next_chunk; 4276 } 4277 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4278 chk_length, chunk_buf); 4279 got_auth = 1; 4280 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4281 m, *offset)) { 4282 /* auth HMAC failed so dump the packet */ 4283 *offset = length; 4284 return (stcb); 4285 } else { 4286 /* remaining chunks are HMAC checked */ 4287 stcb->asoc.authenticated = 1; 4288 } 4289 break; 4290 4291 default: 4292 unknown_chunk: 4293 /* it's an unknown chunk! */ 4294 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4295 struct mbuf *mm; 4296 struct sctp_paramhdr *phd; 4297 4298 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4299 1, M_DONTWAIT, 1, MT_DATA); 4300 if (mm) { 4301 phd = mtod(mm, struct sctp_paramhdr *); 4302 /* 4303 * We cheat and use param type since 4304 * we did not bother to define a 4305 * error cause struct. They are the 4306 * same basic format with different 4307 * names. 4308 */ 4309 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4310 phd->param_length = htons(chk_length + sizeof(*phd)); 4311 mm->m_len = sizeof(*phd); 4312 mm->m_next = sctp_m_copym(m, *offset, SCTP_SIZE32(chk_length), 4313 M_DONTWAIT); 4314 if (mm->m_next) { 4315 mm->m_pkthdr.len = SCTP_SIZE32(chk_length) + sizeof(*phd); 4316 sctp_queue_op_err(stcb, mm); 4317 } else { 4318 sctp_m_freem(mm); 4319 } 4320 } 4321 } 4322 if ((ch->chunk_type & 0x80) == 0) { 4323 /* discard this packet */ 4324 *offset = length; 4325 return (stcb); 4326 } /* else skip this bad chunk and continue... */ 4327 break; 4328 } /* switch (ch->chunk_type) */ 4329 4330 4331 next_chunk: 4332 /* get the next chunk */ 4333 *offset += SCTP_SIZE32(chk_length); 4334 if (*offset >= length) { 4335 /* no more data left in the mbuf chain */ 4336 break; 4337 } 4338 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4339 sizeof(struct sctp_chunkhdr), chunk_buf); 4340 if (ch == NULL) { 4341 if (locked_tcb) 4342 SCTP_TCB_UNLOCK(locked_tcb); 4343 *offset = length; 4344 return (NULL); 4345 } 4346 } /* while */ 4347 return (stcb); 4348 } 4349 4350 4351 /* 4352 * Process the ECN bits we have something set so we must look to see if it is 4353 * ECN(0) or ECN(1) or CE 4354 */ 4355 static __inline void 4356 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4357 uint8_t ecn_bits) 4358 { 4359 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4360 ; 4361 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4362 /* 4363 * we only add to the nonce sum for ECT1, ECT0 does not 4364 * change the NS bit (that we have yet to find a way to send 4365 * it yet). 4366 */ 4367 4368 /* ECN Nonce stuff */ 4369 stcb->asoc.receiver_nonce_sum++; 4370 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4371 4372 /* 4373 * Drag up the last_echo point if cumack is larger since we 4374 * don't want the point falling way behind by more than 4375 * 2^^31 and then having it be incorrect. 4376 */ 4377 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4378 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4379 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4380 } 4381 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4382 /* 4383 * Drag up the last_echo point if cumack is larger since we 4384 * don't want the point falling way behind by more than 4385 * 2^^31 and then having it be incorrect. 4386 */ 4387 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4388 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4389 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4390 } 4391 } 4392 } 4393 4394 static __inline void 4395 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4396 uint32_t high_tsn, uint8_t ecn_bits) 4397 { 4398 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4399 /* 4400 * we possibly must notify the sender that a congestion 4401 * window reduction is in order. We do this by adding a ECNE 4402 * chunk to the output chunk queue. The incoming CWR will 4403 * remove this chunk. 4404 */ 4405 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4406 MAX_TSN)) { 4407 /* Yep, we need to add a ECNE */ 4408 sctp_send_ecn_echo(stcb, net, high_tsn); 4409 stcb->asoc.last_echo_tsn = high_tsn; 4410 } 4411 } 4412 } 4413 4414 /* 4415 * common input chunk processing (v4 and v6) 4416 */ 4417 int 4418 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4419 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4420 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4421 uint8_t ecn_bits) 4422 { 4423 /* 4424 * Control chunk processing 4425 */ 4426 uint32_t high_tsn; 4427 int fwd_tsn_seen = 0, data_processed = 0; 4428 struct mbuf *m = *mm; 4429 int abort_flag = 0; 4430 int un_sent; 4431 4432 SCTP_STAT_INCR(sctps_recvdatagrams); 4433 #ifdef SCTP_AUDITING_ENABLED 4434 sctp_audit_log(0xE0, 1); 4435 sctp_auditing(0, inp, stcb, net); 4436 #endif 4437 4438 #ifdef SCTP_DEBUG 4439 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4440 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 4441 m, iphlen, offset); 4442 } 4443 #endif /* SCTP_DEBUG */ 4444 4445 if (stcb) { 4446 /* always clear this before beginning a packet */ 4447 stcb->asoc.authenticated = 0; 4448 stcb->asoc.seen_a_sack_this_pkt = 0; 4449 } 4450 if (IS_SCTP_CONTROL(ch)) { 4451 /* process the control portion of the SCTP packet */ 4452 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4453 inp, stcb, &net, &fwd_tsn_seen); 4454 if (stcb) { 4455 /* 4456 * This covers us if the cookie-echo was there and 4457 * it changes our INP. 4458 */ 4459 inp = stcb->sctp_ep; 4460 } 4461 } else { 4462 /* 4463 * no control chunks, so pre-process DATA chunks (these 4464 * checks are taken care of by control processing) 4465 */ 4466 4467 /* 4468 * if DATA only packet, and auth is required, then punt... 4469 * can't have authenticated without any AUTH (control) 4470 * chunks 4471 */ 4472 if ((stcb != NULL) && !sctp_auth_disable && 4473 sctp_auth_is_required_chunk(SCTP_DATA, 4474 stcb->asoc.local_auth_chunks)) { 4475 /* "silently" ignore */ 4476 SCTP_STAT_INCR(sctps_recvauthmissing); 4477 SCTP_TCB_UNLOCK(stcb); 4478 return (1); 4479 } 4480 if (stcb == NULL) { 4481 /* out of the blue DATA chunk */ 4482 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4483 return (1); 4484 } 4485 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4486 /* v_tag mismatch! */ 4487 SCTP_STAT_INCR(sctps_badvtag); 4488 SCTP_TCB_UNLOCK(stcb); 4489 return (1); 4490 } 4491 } 4492 4493 if (stcb == NULL) { 4494 /* 4495 * no valid TCB for this packet, or we found it's a bad 4496 * packet while processing control, or we're done with this 4497 * packet (done or skip rest of data), so we drop it... 4498 */ 4499 return (1); 4500 } 4501 /* 4502 * DATA chunk processing 4503 */ 4504 /* plow through the data chunks while length > offset */ 4505 4506 /* 4507 * Rest should be DATA only. Check authentication state if AUTH for 4508 * DATA is required. 4509 */ 4510 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable && 4511 sctp_auth_is_required_chunk(SCTP_DATA, 4512 stcb->asoc.local_auth_chunks) && 4513 !stcb->asoc.authenticated) { 4514 /* "silently" ignore */ 4515 SCTP_STAT_INCR(sctps_recvauthmissing); 4516 #ifdef SCTP_DEBUG 4517 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 4518 printf("Data chunk requires AUTH, skipped\n"); 4519 #endif 4520 goto trigger_send; 4521 } 4522 if (length > offset) { 4523 int retval; 4524 4525 /* 4526 * First check to make sure our state is correct. We would 4527 * not get here unless we really did have a tag, so we don't 4528 * abort if this happens, just dump the chunk silently. 4529 */ 4530 switch (SCTP_GET_STATE(&stcb->asoc)) { 4531 case SCTP_STATE_COOKIE_ECHOED: 4532 /* 4533 * we consider data with valid tags in this state 4534 * shows us the cookie-ack was lost. Imply it was 4535 * there. 4536 */ 4537 stcb->asoc.overall_error_count = 0; 4538 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4539 break; 4540 case SCTP_STATE_COOKIE_WAIT: 4541 /* 4542 * We consider OOTB any data sent during asoc setup. 4543 */ 4544 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4545 SCTP_TCB_UNLOCK(stcb); 4546 return (1); 4547 break; 4548 case SCTP_STATE_EMPTY: /* should not happen */ 4549 case SCTP_STATE_INUSE: /* should not happen */ 4550 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4551 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4552 default: 4553 SCTP_TCB_UNLOCK(stcb); 4554 return (1); 4555 break; 4556 case SCTP_STATE_OPEN: 4557 case SCTP_STATE_SHUTDOWN_SENT: 4558 break; 4559 } 4560 /* take care of ECN, part 1. */ 4561 if (stcb->asoc.ecn_allowed && 4562 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4563 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4564 } 4565 /* plow through the data chunks while length > offset */ 4566 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4567 inp, stcb, net, &high_tsn); 4568 if (retval == 2) { 4569 /* 4570 * The association aborted, NO UNLOCK needed since 4571 * the association is destroyed. 4572 */ 4573 return (0); 4574 } 4575 data_processed = 1; 4576 if (retval == 0) { 4577 /* take care of ecn part 2. */ 4578 if (stcb->asoc.ecn_allowed && 4579 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4580 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4581 ecn_bits); 4582 } 4583 } 4584 /* 4585 * Anything important needs to have been m_copy'ed in 4586 * process_data 4587 */ 4588 } 4589 if ((data_processed == 0) && (fwd_tsn_seen)) { 4590 int was_a_gap = 0; 4591 4592 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4593 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4594 /* there was a gap before this data was processed */ 4595 was_a_gap = 1; 4596 } 4597 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4598 if (abort_flag) { 4599 /* Again, we aborted so NO UNLOCK needed */ 4600 return (0); 4601 } 4602 } 4603 /* trigger send of any chunks in queue... */ 4604 trigger_send: 4605 #ifdef SCTP_AUDITING_ENABLED 4606 sctp_audit_log(0xE0, 2); 4607 sctp_auditing(1, inp, stcb, net); 4608 #endif 4609 #ifdef SCTP_DEBUG 4610 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4611 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4612 stcb->asoc.peers_rwnd, 4613 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4614 stcb->asoc.total_flight); 4615 } 4616 #endif 4617 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4618 4619 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4620 ((un_sent) && 4621 (stcb->asoc.peers_rwnd > 0 || 4622 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4623 #ifdef SCTP_DEBUG 4624 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4625 printf("Calling chunk OUTPUT\n"); 4626 } 4627 #endif 4628 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4629 #ifdef SCTP_DEBUG 4630 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4631 printf("chunk OUTPUT returns\n"); 4632 } 4633 #endif 4634 } 4635 #ifdef SCTP_AUDITING_ENABLED 4636 sctp_audit_log(0xE0, 3); 4637 sctp_auditing(2, inp, stcb, net); 4638 #endif 4639 SCTP_TCB_UNLOCK(stcb); 4640 return (0); 4641 } 4642 4643 extern int sctp_no_csum_on_loopback; 4644 4645 4646 int sctp_buf_index = 0; 4647 uint8_t sctp_list_of_chunks[30000]; 4648 4649 4650 void 4651 sctp_input(m, off) 4652 struct mbuf *m; 4653 int off; 4654 4655 { 4656 #ifdef SCTP_MBUF_LOGGING 4657 struct mbuf *mat; 4658 4659 #endif 4660 int iphlen; 4661 int s; 4662 uint8_t ecn_bits; 4663 struct ip *ip; 4664 struct sctphdr *sh; 4665 struct sctp_inpcb *inp = NULL; 4666 4667 uint32_t check, calc_check; 4668 struct sctp_nets *net; 4669 struct sctp_tcb *stcb = NULL; 4670 struct sctp_chunkhdr *ch; 4671 int refcount_up = 0; 4672 int length, mlen, offset; 4673 4674 4675 iphlen = off; 4676 net = NULL; 4677 SCTP_STAT_INCR(sctps_recvpackets); 4678 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4679 4680 /* 4681 * Strip IP options, we don't allow any in or out. 4682 */ 4683 #ifdef SCTP_MBUF_LOGGING 4684 /* Log in any input mbufs */ 4685 mat = m; 4686 while (mat) { 4687 if (mat->m_flags & M_EXT) { 4688 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4689 } 4690 mat = mat->m_next; 4691 } 4692 #endif 4693 if ((size_t)iphlen > sizeof(struct ip)) { 4694 ip_stripoptions(m, (struct mbuf *)0); 4695 iphlen = sizeof(struct ip); 4696 } 4697 /* 4698 * Get IP, SCTP, and first chunk header together in first mbuf. 4699 */ 4700 ip = mtod(m, struct ip *); 4701 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4702 if (m->m_len < offset) { 4703 if ((m = m_pullup(m, offset)) == 0) { 4704 SCTP_STAT_INCR(sctps_hdrops); 4705 return; 4706 } 4707 ip = mtod(m, struct ip *); 4708 } 4709 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4710 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4711 4712 /* SCTP does not allow broadcasts or multicasts */ 4713 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4714 goto bad; 4715 } 4716 if (((ch->chunk_type == SCTP_INITIATION) || 4717 (ch->chunk_type == SCTP_INITIATION_ACK) || 4718 (ch->chunk_type == SCTP_COOKIE_ECHO)) && 4719 (in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))) { 4720 /* 4721 * We only look at broadcast if its a front state, All 4722 * others we will not have a tcb for anyway. 4723 */ 4724 goto bad; 4725 } 4726 /* destination port of 0 is illegal, based on RFC2960. */ 4727 if (sh->dest_port == 0) { 4728 SCTP_STAT_INCR(sctps_hdrops); 4729 goto bad; 4730 } 4731 /* validate SCTP checksum */ 4732 if ((sctp_no_csum_on_loopback == 0) || 4733 (m->m_pkthdr.rcvif == NULL) || 4734 (m->m_pkthdr.rcvif->if_type != IFT_LOOP)) { 4735 /* 4736 * we do NOT validate things from the loopback if the sysctl 4737 * is set to 1. 4738 */ 4739 check = sh->checksum; /* save incoming checksum */ 4740 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4741 /* 4742 * special hook for where we got a local address 4743 * somehow routed across a non IFT_LOOP type 4744 * interface 4745 */ 4746 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4747 goto sctp_skip_csum_4; 4748 } 4749 sh->checksum = 0; /* prepare for calc */ 4750 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4751 if (calc_check != check) { 4752 #ifdef SCTP_DEBUG 4753 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4754 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4755 calc_check, check, m, mlen, iphlen); 4756 } 4757 #endif 4758 4759 stcb = sctp_findassociation_addr(m, iphlen, 4760 offset - sizeof(*ch), 4761 sh, ch, &inp, &net); 4762 if ((inp) && (stcb)) { 4763 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4764 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4765 } else if ((inp != NULL) && (stcb == NULL)) { 4766 refcount_up = 1; 4767 } 4768 SCTP_STAT_INCR(sctps_badsum); 4769 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4770 goto bad; 4771 } 4772 sh->checksum = calc_check; 4773 } else { 4774 sctp_skip_csum_4: 4775 mlen = m->m_pkthdr.len; 4776 } 4777 /* validate mbuf chain length with IP payload length */ 4778 if (mlen < (ip->ip_len - iphlen)) { 4779 SCTP_STAT_INCR(sctps_hdrops); 4780 goto bad; 4781 } { 4782 /* TEMP log the first chunk */ 4783 int x; 4784 4785 x = atomic_fetchadd_int(&sctp_buf_index, 1); 4786 if (x > 30000) { 4787 sctp_buf_index = 1; 4788 x = 0;; 4789 } 4790 sctp_list_of_chunks[x] = ch->chunk_type; 4791 } 4792 /* 4793 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4794 * IP/SCTP/first chunk header... 4795 */ 4796 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4797 sh, ch, &inp, &net); 4798 /* inp's ref-count increased && stcb locked */ 4799 if (inp == NULL) { 4800 struct sctp_init_chunk *init_chk, chunk_buf; 4801 4802 SCTP_STAT_INCR(sctps_noport); 4803 #ifdef ICMP_BANDLIM 4804 /* 4805 * we use the bandwidth limiting to protect against sending 4806 * too many ABORTS all at once. In this case these count the 4807 * same as an ICMP message. 4808 */ 4809 if (badport_bandlim(0) < 0) 4810 goto bad; 4811 #endif /* ICMP_BANDLIM */ 4812 #ifdef SCTP_DEBUG 4813 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4814 printf("Sending a ABORT from packet entry!\n"); 4815 } 4816 #endif 4817 if (ch->chunk_type == SCTP_INITIATION) { 4818 /* 4819 * we do a trick here to get the INIT tag, dig in 4820 * and get the tag from the INIT and put it in the 4821 * common header. 4822 */ 4823 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4824 iphlen + sizeof(*sh), sizeof(*init_chk), 4825 (uint8_t *) & chunk_buf); 4826 if (init_chk != NULL) 4827 sh->v_tag = init_chk->init.initiate_tag; 4828 } 4829 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4830 sctp_send_shutdown_complete2(m, iphlen, sh); 4831 goto bad; 4832 } 4833 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 4834 goto bad; 4835 } 4836 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 4837 sctp_send_abort(m, iphlen, sh, 0, NULL); 4838 goto bad; 4839 } else if (stcb == NULL) { 4840 refcount_up = 1; 4841 } 4842 #ifdef IPSEC 4843 /* 4844 * I very much doubt any of the IPSEC stuff will work but I have no 4845 * idea, so I will leave it in place. 4846 */ 4847 4848 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 4849 ipsecstat.in_polvio++; 4850 SCTP_STAT_INCR(sctps_hdrops); 4851 goto bad; 4852 } 4853 #endif /* IPSEC */ 4854 4855 4856 4857 /* 4858 * common chunk processing 4859 */ 4860 length = ip->ip_len + iphlen; 4861 offset -= sizeof(struct sctp_chunkhdr); 4862 4863 ecn_bits = ip->ip_tos; 4864 s = splnet(); 4865 4866 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4867 inp, stcb, net, ecn_bits); 4868 /* inp's ref-count reduced && stcb unlocked */ 4869 splx(s); 4870 if (m) { 4871 sctp_m_freem(m); 4872 } 4873 if ((inp) && (refcount_up)) { 4874 /* reduce ref-count */ 4875 SCTP_INP_WLOCK(inp); 4876 SCTP_INP_DECR_REF(inp); 4877 SCTP_INP_WUNLOCK(inp); 4878 } 4879 return; 4880 bad: 4881 if (stcb) 4882 SCTP_TCB_UNLOCK(stcb); 4883 4884 if ((inp) && (refcount_up)) { 4885 /* reduce ref-count */ 4886 SCTP_INP_WLOCK(inp); 4887 SCTP_INP_DECR_REF(inp); 4888 SCTP_INP_WUNLOCK(inp); 4889 } 4890 if (m) { 4891 sctp_m_freem(m); 4892 } 4893 return; 4894 } 4895