1 /*- 2 * Copyright (c) 2001-2007, Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 36 #include <netinet/sctp_os.h> 37 #include <netinet/sctp_var.h> 38 #include <netinet/sctp_sysctl.h> 39 #include <netinet/sctp_pcb.h> 40 #include <netinet/sctp_header.h> 41 #include <netinet/sctputil.h> 42 #include <netinet/sctp_output.h> 43 #include <netinet/sctp_input.h> 44 #include <netinet/sctp_auth.h> 45 #include <netinet/sctp_indata.h> 46 #include <netinet/sctp_asconf.h> 47 48 49 50 51 static void 52 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 53 { 54 struct sctp_nets *net; 55 56 /* 57 * This now not only stops all cookie timers it also stops any INIT 58 * timers as well. This will make sure that the timers are stopped 59 * in all collision cases. 60 */ 61 SCTP_TCB_LOCK_ASSERT(stcb); 62 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 63 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 64 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 65 stcb->sctp_ep, 66 stcb, 67 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 68 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 69 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 70 stcb->sctp_ep, 71 stcb, 72 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 73 } 74 } 75 } 76 77 /* INIT handler */ 78 static void 79 sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 80 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 81 struct sctp_nets *net, int *abort_no_unlock) 82 { 83 struct sctp_init *init; 84 struct mbuf *op_err; 85 uint32_t init_limit; 86 87 #ifdef SCTP_DEBUG 88 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 89 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 90 } 91 #endif 92 op_err = NULL; 93 init = &cp->init; 94 /* First are we accepting? */ 95 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 96 #ifdef SCTP_DEBUG 97 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 98 printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit); 99 } 100 #endif 101 /* 102 * FIX ME ?? What about TCP model and we have a 103 * match/restart case? 104 */ 105 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 106 if (stcb) 107 *abort_no_unlock = 1; 108 return; 109 } 110 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 111 /* Invalid length */ 112 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 113 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 114 if (stcb) 115 *abort_no_unlock = 1; 116 return; 117 } 118 /* validate parameters */ 119 if (init->initiate_tag == 0) { 120 /* protocol error... send abort */ 121 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 122 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 123 if (stcb) 124 *abort_no_unlock = 1; 125 return; 126 } 127 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 128 /* invalid parameter... send abort */ 129 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 130 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 131 return; 132 } 133 if (init->num_inbound_streams == 0) { 134 /* protocol error... send abort */ 135 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 136 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 137 if (stcb) 138 *abort_no_unlock = 1; 139 return; 140 } 141 if (init->num_outbound_streams == 0) { 142 /* protocol error... send abort */ 143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 145 if (stcb) 146 *abort_no_unlock = 1; 147 return; 148 } 149 init_limit = offset + ntohs(cp->ch.chunk_length); 150 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 151 init_limit)) { 152 /* auth parameter(s) error... send abort */ 153 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL); 154 if (stcb) 155 *abort_no_unlock = 1; 156 return; 157 } 158 /* send an INIT-ACK w/cookie */ 159 #ifdef SCTP_DEBUG 160 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 161 printf("sctp_handle_init: sending INIT-ACK\n"); 162 } 163 #endif 164 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 165 } 166 167 /* 168 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 169 */ 170 static int 171 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 172 struct sctp_nets *net) 173 { 174 struct sctp_init *init; 175 struct sctp_association *asoc; 176 struct sctp_nets *lnet; 177 unsigned int i; 178 179 init = &cp->init; 180 asoc = &stcb->asoc; 181 /* save off parameters */ 182 asoc->peer_vtag = ntohl(init->initiate_tag); 183 asoc->peers_rwnd = ntohl(init->a_rwnd); 184 if (TAILQ_FIRST(&asoc->nets)) { 185 /* update any ssthresh's that may have a default */ 186 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 187 lnet->ssthresh = asoc->peers_rwnd; 188 189 #if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 190 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 191 #endif 192 193 } 194 } 195 SCTP_TCB_SEND_LOCK(stcb); 196 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 197 unsigned int newcnt; 198 struct sctp_stream_out *outs; 199 struct sctp_stream_queue_pending *sp; 200 201 /* cut back on number of streams */ 202 newcnt = ntohs(init->num_inbound_streams); 203 /* This if is probably not needed but I am cautious */ 204 if (asoc->strmout) { 205 /* First make sure no data chunks are trapped */ 206 for (i = newcnt; i < asoc->pre_open_streams; i++) { 207 outs = &asoc->strmout[i]; 208 sp = TAILQ_FIRST(&outs->outqueue); 209 while (sp) { 210 TAILQ_REMOVE(&outs->outqueue, sp, 211 next); 212 asoc->stream_queue_cnt--; 213 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 214 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 215 sp); 216 if (sp->data) { 217 sctp_m_freem(sp->data); 218 sp->data = NULL; 219 } 220 sctp_free_remote_addr(sp->net); 221 sp->net = NULL; 222 /* Free the chunk */ 223 printf("sp:%p tcb:%p weird free case\n", 224 sp, stcb); 225 226 sctp_free_a_strmoq(stcb, sp); 227 sp = TAILQ_FIRST(&outs->outqueue); 228 } 229 } 230 } 231 /* cut back the count and abandon the upper streams */ 232 asoc->pre_open_streams = newcnt; 233 } 234 SCTP_TCB_SEND_UNLOCK(stcb); 235 asoc->streamoutcnt = asoc->pre_open_streams; 236 /* init tsn's */ 237 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 238 #ifdef SCTP_MAP_LOGGING 239 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 240 #endif 241 /* This is the next one we expect */ 242 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 243 244 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 245 asoc->cumulative_tsn = asoc->asconf_seq_in; 246 asoc->last_echo_tsn = asoc->asconf_seq_in; 247 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 248 /* open the requested streams */ 249 if (asoc->strmin != NULL) { 250 /* Free the old ones */ 251 struct sctp_queued_to_read *ctl; 252 253 for (i = 0; i < asoc->streamincnt; i++) { 254 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 255 while (ctl) { 256 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 257 sctp_free_remote_addr(ctl->whoFrom); 258 sctp_m_freem(ctl->data); 259 ctl->data = NULL; 260 sctp_free_a_readq(stcb, ctl); 261 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 262 } 263 } 264 SCTP_FREE(asoc->strmin); 265 } 266 asoc->streamincnt = ntohs(init->num_outbound_streams); 267 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 268 asoc->streamincnt = MAX_SCTP_STREAMS; 269 } 270 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 271 sizeof(struct sctp_stream_in), "StreamsIn"); 272 if (asoc->strmin == NULL) { 273 /* we didn't get memory for the streams! */ 274 #ifdef SCTP_DEBUG 275 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 276 printf("process_init: couldn't get memory for the streams!\n"); 277 } 278 #endif 279 return (-1); 280 } 281 for (i = 0; i < asoc->streamincnt; i++) { 282 asoc->strmin[i].stream_no = i; 283 asoc->strmin[i].last_sequence_delivered = 0xffff; 284 /* 285 * U-stream ranges will be set when the cookie is unpacked. 286 * Or for the INIT sender they are un set (if pr-sctp not 287 * supported) when the INIT-ACK arrives. 288 */ 289 TAILQ_INIT(&asoc->strmin[i].inqueue); 290 asoc->strmin[i].delivery_started = 0; 291 } 292 /* 293 * load_address_from_init will put the addresses into the 294 * association when the COOKIE is processed or the INIT-ACK is 295 * processed. Both types of COOKIE's existing and new call this 296 * routine. It will remove addresses that are no longer in the 297 * association (for the restarting case where addresses are 298 * removed). Up front when the INIT arrives we will discard it if it 299 * is a restart and new addresses have been added. 300 */ 301 return (0); 302 } 303 304 /* 305 * INIT-ACK message processing/consumption returns value < 0 on error 306 */ 307 static int 308 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 309 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 310 struct sctp_nets *net, int *abort_no_unlock) 311 { 312 struct sctp_association *asoc; 313 struct mbuf *op_err; 314 int retval, abort_flag; 315 uint32_t initack_limit; 316 317 /* First verify that we have no illegal param's */ 318 abort_flag = 0; 319 op_err = NULL; 320 321 op_err = sctp_arethere_unrecognized_parameters(m, 322 (offset + sizeof(struct sctp_init_chunk)), 323 &abort_flag, (struct sctp_chunkhdr *)cp); 324 if (abort_flag) { 325 /* Send an abort and notify peer */ 326 if (op_err != NULL) { 327 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 328 } else { 329 /* 330 * Just notify (abort_assoc does this if we send an 331 * abort). 332 */ 333 sctp_abort_notification(stcb, 0); 334 /* 335 * No sense in further INIT's since we will get the 336 * same param back 337 */ 338 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3); 339 *abort_no_unlock = 1; 340 } 341 return (-1); 342 } 343 asoc = &stcb->asoc; 344 /* process the peer's parameters in the INIT-ACK */ 345 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 346 if (retval < 0) { 347 return (retval); 348 } 349 initack_limit = offset + ntohs(cp->ch.chunk_length); 350 /* load all addresses */ 351 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 352 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 353 NULL))) { 354 /* Huh, we should abort */ 355 #ifdef SCTP_DEBUG 356 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 357 printf("Load addresses from INIT causes an abort %d\n", retval); 358 } 359 #endif 360 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 361 NULL); 362 *abort_no_unlock = 1; 363 return (-1); 364 } 365 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 366 stcb->asoc.local_hmacs); 367 if (op_err) { 368 sctp_queue_op_err(stcb, op_err); 369 /* queuing will steal away the mbuf chain to the out queue */ 370 op_err = NULL; 371 } 372 /* extract the cookie and queue it to "echo" it back... */ 373 stcb->asoc.overall_error_count = 0; 374 net->error_count = 0; 375 376 /* 377 * Cancel the INIT timer, We do this first before queueing the 378 * cookie. We always cancel at the primary to assue that we are 379 * canceling the timer started by the INIT which always goes to the 380 * primary. 381 */ 382 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 383 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 384 385 /* calculate the RTO */ 386 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 387 388 retval = sctp_send_cookie_echo(m, offset, stcb, net); 389 if (retval < 0) { 390 /* 391 * No cookie, we probably should send a op error. But in any 392 * case if there is no cookie in the INIT-ACK, we can 393 * abandon the peer, its broke. 394 */ 395 if (retval == -3) { 396 /* We abort with an error of missing mandatory param */ 397 struct mbuf *op_err; 398 399 op_err = 400 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 401 if (op_err) { 402 /* 403 * Expand beyond to include the mandatory 404 * param cookie 405 */ 406 struct sctp_inv_mandatory_param *mp; 407 408 SCTP_BUF_LEN(op_err) = 409 sizeof(struct sctp_inv_mandatory_param); 410 mp = mtod(op_err, 411 struct sctp_inv_mandatory_param *); 412 /* Subtract the reserved param */ 413 mp->length = 414 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 415 mp->num_param = htonl(1); 416 mp->param = htons(SCTP_STATE_COOKIE); 417 mp->resv = 0; 418 } 419 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 420 sh, op_err); 421 *abort_no_unlock = 1; 422 } 423 return (retval); 424 } 425 return (0); 426 } 427 428 static void 429 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 430 struct sctp_tcb *stcb, struct sctp_nets *net) 431 { 432 struct sockaddr_storage store; 433 struct sockaddr_in *sin; 434 struct sockaddr_in6 *sin6; 435 struct sctp_nets *r_net; 436 struct timeval tv; 437 438 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 439 /* Invalid length */ 440 return; 441 } 442 sin = (struct sockaddr_in *)&store; 443 sin6 = (struct sockaddr_in6 *)&store; 444 445 memset(&store, 0, sizeof(store)); 446 if (cp->heartbeat.hb_info.addr_family == AF_INET && 447 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 448 sin->sin_family = cp->heartbeat.hb_info.addr_family; 449 sin->sin_len = cp->heartbeat.hb_info.addr_len; 450 sin->sin_port = stcb->rport; 451 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 452 sizeof(sin->sin_addr)); 453 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 454 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 455 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 456 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 457 sin6->sin6_port = stcb->rport; 458 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 459 sizeof(sin6->sin6_addr)); 460 } else { 461 return; 462 } 463 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 464 if (r_net == NULL) { 465 #ifdef SCTP_DEBUG 466 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 467 printf("Huh? I can't find the address I sent it to, discard\n"); 468 } 469 #endif 470 return; 471 } 472 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 473 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 474 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 475 /* 476 * If the its a HB and it's random value is correct when can 477 * confirm the destination. 478 */ 479 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 480 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 481 stcb->asoc.primary_destination = r_net; 482 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY; 483 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 484 r_net = TAILQ_FIRST(&stcb->asoc.nets); 485 if (r_net != stcb->asoc.primary_destination) { 486 /* 487 * first one on the list is NOT the primary 488 * sctp_cmpaddr() is much more efficent if 489 * the primary is the first on the list, 490 * make it so. 491 */ 492 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 493 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 494 } 495 } 496 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 497 stcb, 0, (void *)r_net); 498 } 499 r_net->error_count = 0; 500 r_net->hb_responded = 1; 501 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 502 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 503 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 504 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 505 r_net->dest_state |= SCTP_ADDR_REACHABLE; 506 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 507 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 508 /* now was it the primary? if so restore */ 509 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 510 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 511 } 512 } 513 /* Now lets do a RTO with this */ 514 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 515 } 516 517 static void 518 sctp_handle_abort(struct sctp_abort_chunk *cp, 519 struct sctp_tcb *stcb, struct sctp_nets *net) 520 { 521 522 #ifdef SCTP_DEBUG 523 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 524 printf("sctp_handle_abort: handling ABORT\n"); 525 } 526 #endif 527 if (stcb == NULL) 528 return; 529 /* verify that the destination addr is in the association */ 530 /* ignore abort for addresses being deleted */ 531 532 /* stop any receive timers */ 533 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 534 /* notify user of the abort and clean up... */ 535 sctp_abort_notification(stcb, 0); 536 /* free the tcb */ 537 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 538 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 539 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 540 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 541 } 542 #ifdef SCTP_ASOCLOG_OF_TSNS 543 sctp_print_out_track_log(stcb); 544 #endif 545 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 546 #ifdef SCTP_DEBUG 547 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 548 printf("sctp_handle_abort: finished\n"); 549 } 550 #endif 551 } 552 553 static void 554 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 555 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 556 { 557 struct sctp_association *asoc; 558 int some_on_streamwheel; 559 560 #ifdef SCTP_DEBUG 561 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 562 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 563 } 564 #endif 565 if (stcb == NULL) 566 return; 567 asoc = &stcb->asoc; 568 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 569 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 570 return; 571 } 572 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 573 /* Shutdown NOT the expected size */ 574 return; 575 } else { 576 sctp_update_acked(stcb, cp, net, abort_flag); 577 } 578 if (asoc->control_pdapi) { 579 /* 580 * With a normal shutdown we assume the end of last record. 581 */ 582 SCTP_INP_READ_LOCK(stcb->sctp_ep); 583 asoc->control_pdapi->end_added = 1; 584 asoc->control_pdapi->pdapi_aborted = 1; 585 asoc->control_pdapi = NULL; 586 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 587 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 588 } 589 /* goto SHUTDOWN_RECEIVED state to block new requests */ 590 if (stcb->sctp_socket) { 591 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 592 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 593 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 594 /* 595 * notify upper layer that peer has initiated a 596 * shutdown 597 */ 598 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 599 600 /* reset time */ 601 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 602 } 603 } 604 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 605 /* 606 * stop the shutdown timer, since we WILL move to 607 * SHUTDOWN-ACK-SENT. 608 */ 609 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 610 } 611 /* Now are we there yet? */ 612 some_on_streamwheel = 0; 613 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 614 /* Check to see if some data queued */ 615 struct sctp_stream_out *outs; 616 617 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 618 if (!TAILQ_EMPTY(&outs->outqueue)) { 619 some_on_streamwheel = 1; 620 break; 621 } 622 } 623 } 624 if (!TAILQ_EMPTY(&asoc->send_queue) || 625 !TAILQ_EMPTY(&asoc->sent_queue) || 626 some_on_streamwheel) { 627 /* By returning we will push more data out */ 628 return; 629 } else { 630 /* no outstanding data to send, so move on... */ 631 /* send SHUTDOWN-ACK */ 632 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 633 /* move to SHUTDOWN-ACK-SENT state */ 634 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 635 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 636 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 637 } 638 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 639 640 /* start SHUTDOWN timer */ 641 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 642 stcb, net); 643 } 644 } 645 646 static void 647 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 648 struct sctp_tcb *stcb, struct sctp_nets *net) 649 { 650 struct sctp_association *asoc; 651 652 #ifdef SCTP_DEBUG 653 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 654 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 655 } 656 #endif 657 if (stcb == NULL) 658 return; 659 660 asoc = &stcb->asoc; 661 /* process according to association state */ 662 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 663 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 664 /* unexpected SHUTDOWN-ACK... so ignore... */ 665 SCTP_TCB_UNLOCK(stcb); 666 return; 667 } 668 if (asoc->control_pdapi) { 669 /* 670 * With a normal shutdown we assume the end of last record. 671 */ 672 SCTP_INP_READ_LOCK(stcb->sctp_ep); 673 asoc->control_pdapi->end_added = 1; 674 asoc->control_pdapi->pdapi_aborted = 1; 675 asoc->control_pdapi = NULL; 676 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 677 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 678 } 679 /* are the queues empty? */ 680 if (!TAILQ_EMPTY(&asoc->send_queue) || 681 !TAILQ_EMPTY(&asoc->sent_queue) || 682 !TAILQ_EMPTY(&asoc->out_wheel)) { 683 sctp_report_all_outbound(stcb, 0); 684 } 685 /* stop the timer */ 686 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 687 /* send SHUTDOWN-COMPLETE */ 688 sctp_send_shutdown_complete(stcb, net); 689 /* notify upper layer protocol */ 690 if (stcb->sctp_socket) { 691 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 692 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 693 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 694 /* Set the connected flag to disconnected */ 695 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 696 } 697 } 698 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 699 /* free the TCB but first save off the ep */ 700 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 701 SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 702 } 703 704 /* 705 * Skip past the param header and then we will find the chunk that caused the 706 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 707 * our peer must be broken. 708 */ 709 static void 710 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 711 struct sctp_nets *net) 712 { 713 struct sctp_chunkhdr *chk; 714 715 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 716 switch (chk->chunk_type) { 717 case SCTP_ASCONF_ACK: 718 case SCTP_ASCONF: 719 sctp_asconf_cleanup(stcb, net); 720 break; 721 case SCTP_FORWARD_CUM_TSN: 722 stcb->asoc.peer_supports_prsctp = 0; 723 break; 724 default: 725 #ifdef SCTP_DEBUG 726 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 727 printf("Peer does not support chunk type %d(%x)??\n", 728 chk->chunk_type, (uint32_t) chk->chunk_type); 729 } 730 #endif 731 break; 732 } 733 } 734 735 /* 736 * Skip past the param header and then we will find the param that caused the 737 * problem. There are a number of param's in a ASCONF OR the prsctp param 738 * these will turn of specific features. 739 */ 740 static void 741 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 742 { 743 struct sctp_paramhdr *pbad; 744 745 pbad = phdr + 1; 746 switch (ntohs(pbad->param_type)) { 747 /* pr-sctp draft */ 748 case SCTP_PRSCTP_SUPPORTED: 749 stcb->asoc.peer_supports_prsctp = 0; 750 break; 751 case SCTP_SUPPORTED_CHUNK_EXT: 752 break; 753 /* draft-ietf-tsvwg-addip-sctp */ 754 case SCTP_ECN_NONCE_SUPPORTED: 755 stcb->asoc.peer_supports_ecn_nonce = 0; 756 stcb->asoc.ecn_nonce_allowed = 0; 757 stcb->asoc.ecn_allowed = 0; 758 break; 759 case SCTP_ADD_IP_ADDRESS: 760 case SCTP_DEL_IP_ADDRESS: 761 case SCTP_SET_PRIM_ADDR: 762 stcb->asoc.peer_supports_asconf = 0; 763 break; 764 case SCTP_SUCCESS_REPORT: 765 case SCTP_ERROR_CAUSE_IND: 766 #ifdef SCTP_DEBUG 767 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 768 printf("Huh, the peer does not support success? or error cause?\n"); 769 printf("Turning off ASCONF to this strange peer\n"); 770 } 771 #endif 772 stcb->asoc.peer_supports_asconf = 0; 773 break; 774 default: 775 #ifdef SCTP_DEBUG 776 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 777 printf("Peer does not support param type %d(%x)??\n", 778 pbad->param_type, (uint32_t) pbad->param_type); 779 } 780 #endif 781 break; 782 } 783 } 784 785 static int 786 sctp_handle_error(struct sctp_chunkhdr *ch, 787 struct sctp_tcb *stcb, struct sctp_nets *net) 788 { 789 int chklen; 790 struct sctp_paramhdr *phdr; 791 uint16_t error_type; 792 uint16_t error_len; 793 struct sctp_association *asoc; 794 795 int adjust; 796 797 /* parse through all of the errors and process */ 798 asoc = &stcb->asoc; 799 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 800 sizeof(struct sctp_chunkhdr)); 801 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 802 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 803 /* Process an Error Cause */ 804 error_type = ntohs(phdr->param_type); 805 error_len = ntohs(phdr->param_length); 806 if ((error_len > chklen) || (error_len == 0)) { 807 /* invalid param length for this param */ 808 #ifdef SCTP_DEBUG 809 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 810 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 811 chklen, error_len); 812 } 813 #endif /* SCTP_DEBUG */ 814 return (0); 815 } 816 switch (error_type) { 817 case SCTP_CAUSE_INVALID_STREAM: 818 case SCTP_CAUSE_MISSING_PARAM: 819 case SCTP_CAUSE_INVALID_PARAM: 820 case SCTP_CAUSE_NO_USER_DATA: 821 #ifdef SCTP_DEBUG 822 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 823 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 824 error_type); 825 } 826 #endif 827 break; 828 case SCTP_CAUSE_STALE_COOKIE: 829 /* 830 * We only act if we have echoed a cookie and are 831 * waiting. 832 */ 833 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 834 int *p; 835 836 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 837 /* Save the time doubled */ 838 asoc->cookie_preserve_req = ntohl(*p) << 1; 839 asoc->stale_cookie_count++; 840 if (asoc->stale_cookie_count > 841 asoc->max_init_times) { 842 sctp_abort_notification(stcb, 0); 843 /* now free the asoc */ 844 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 845 return (-1); 846 } 847 /* blast back to INIT state */ 848 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 849 asoc->state |= SCTP_STATE_COOKIE_WAIT; 850 851 sctp_stop_all_cookie_timers(stcb); 852 sctp_send_initiate(stcb->sctp_ep, stcb); 853 } 854 break; 855 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 856 /* 857 * Nothing we can do here, we don't do hostname 858 * addresses so if the peer does not like my IPv6 859 * (or IPv4 for that matter) it does not matter. If 860 * they don't support that type of address, they can 861 * NOT possibly get that packet type... i.e. with no 862 * IPv6 you can't recieve a IPv6 packet. so we can 863 * safely ignore this one. If we ever added support 864 * for HOSTNAME Addresses, then we would need to do 865 * something here. 866 */ 867 break; 868 case SCTP_CAUSE_UNRECOG_CHUNK: 869 sctp_process_unrecog_chunk(stcb, phdr, net); 870 break; 871 case SCTP_CAUSE_UNRECOG_PARAM: 872 sctp_process_unrecog_param(stcb, phdr); 873 break; 874 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 875 /* 876 * We ignore this since the timer will drive out a 877 * new cookie anyway and there timer will drive us 878 * to send a SHUTDOWN_COMPLETE. We can't send one 879 * here since we don't have their tag. 880 */ 881 break; 882 case SCTP_CAUSE_DELETING_LAST_ADDR: 883 case SCTP_CAUSE_RESOURCE_SHORTAGE: 884 case SCTP_CAUSE_DELETING_SRC_ADDR: 885 /* 886 * We should NOT get these here, but in a 887 * ASCONF-ACK. 888 */ 889 #ifdef SCTP_DEBUG 890 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 891 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 892 error_type); 893 } 894 #endif 895 break; 896 case SCTP_CAUSE_OUT_OF_RESC: 897 /* 898 * And what, pray tell do we do with the fact that 899 * the peer is out of resources? Not really sure we 900 * could do anything but abort. I suspect this 901 * should have came WITH an abort instead of in a 902 * OP-ERROR. 903 */ 904 break; 905 default: 906 #ifdef SCTP_DEBUG 907 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 908 /* don't know what this error cause is... */ 909 printf("sctp_handle_error: unknown error type = 0x%xh\n", 910 error_type); 911 } 912 #endif /* SCTP_DEBUG */ 913 break; 914 } 915 adjust = SCTP_SIZE32(error_len); 916 chklen -= adjust; 917 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 918 } 919 return (0); 920 } 921 922 static int 923 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 924 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 925 struct sctp_nets *net, int *abort_no_unlock) 926 { 927 struct sctp_init_ack *init_ack; 928 int *state; 929 struct mbuf *op_err; 930 931 #ifdef SCTP_DEBUG 932 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 933 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 934 } 935 #endif 936 if (stcb == NULL) { 937 #ifdef SCTP_DEBUG 938 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 939 printf("sctp_handle_init_ack: TCB is null\n"); 940 } 941 #endif 942 return (-1); 943 } 944 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 945 /* Invalid length */ 946 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 947 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 948 op_err); 949 *abort_no_unlock = 1; 950 return (-1); 951 } 952 init_ack = &cp->init; 953 /* validate parameters */ 954 if (init_ack->initiate_tag == 0) { 955 /* protocol error... send an abort */ 956 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 957 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 958 op_err); 959 *abort_no_unlock = 1; 960 return (-1); 961 } 962 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 963 /* protocol error... send an abort */ 964 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 965 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 966 op_err); 967 *abort_no_unlock = 1; 968 return (-1); 969 } 970 if (init_ack->num_inbound_streams == 0) { 971 /* protocol error... send an abort */ 972 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 973 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 974 op_err); 975 *abort_no_unlock = 1; 976 return (-1); 977 } 978 if (init_ack->num_outbound_streams == 0) { 979 /* protocol error... send an abort */ 980 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 981 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 982 op_err); 983 *abort_no_unlock = 1; 984 return (-1); 985 } 986 /* process according to association state... */ 987 state = &stcb->asoc.state; 988 switch (*state & SCTP_STATE_MASK) { 989 case SCTP_STATE_COOKIE_WAIT: 990 /* this is the expected state for this chunk */ 991 /* process the INIT-ACK parameters */ 992 if (stcb->asoc.primary_destination->dest_state & 993 SCTP_ADDR_UNCONFIRMED) { 994 /* 995 * The primary is where we sent the INIT, we can 996 * always consider it confirmed when the INIT-ACK is 997 * returned. Do this before we load addresses 998 * though. 999 */ 1000 stcb->asoc.primary_destination->dest_state &= 1001 ~SCTP_ADDR_UNCONFIRMED; 1002 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1003 stcb, 0, (void *)stcb->asoc.primary_destination); 1004 } 1005 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net, 1006 abort_no_unlock) < 0) { 1007 /* error in parsing parameters */ 1008 return (-1); 1009 } 1010 /* update our state */ 1011 #ifdef SCTP_DEBUG 1012 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1013 printf("moving to COOKIE-ECHOED state\n"); 1014 } 1015 #endif 1016 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 1017 *state = SCTP_STATE_COOKIE_ECHOED | 1018 SCTP_STATE_SHUTDOWN_PENDING; 1019 } else { 1020 *state = SCTP_STATE_COOKIE_ECHOED; 1021 } 1022 1023 /* reset the RTO calc */ 1024 stcb->asoc.overall_error_count = 0; 1025 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1026 /* 1027 * collapse the init timer back in case of a exponential 1028 * backoff 1029 */ 1030 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1031 stcb, net); 1032 /* 1033 * the send at the end of the inbound data processing will 1034 * cause the cookie to be sent 1035 */ 1036 break; 1037 case SCTP_STATE_SHUTDOWN_SENT: 1038 /* incorrect state... discard */ 1039 break; 1040 case SCTP_STATE_COOKIE_ECHOED: 1041 /* incorrect state... discard */ 1042 break; 1043 case SCTP_STATE_OPEN: 1044 /* incorrect state... discard */ 1045 break; 1046 case SCTP_STATE_EMPTY: 1047 case SCTP_STATE_INUSE: 1048 default: 1049 /* incorrect state... discard */ 1050 return (-1); 1051 break; 1052 } /* end switch asoc state */ 1053 #ifdef SCTP_DEBUG 1054 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1055 printf("Leaving handle-init-ack end\n"); 1056 } 1057 #endif 1058 return (0); 1059 } 1060 1061 1062 /* 1063 * handle a state cookie for an existing association m: input packet mbuf 1064 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1065 * "split" mbuf and the cookie signature does not exist offset: offset into 1066 * mbuf to the cookie-echo chunk 1067 */ 1068 static struct sctp_tcb * 1069 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1070 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1071 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1072 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id) 1073 { 1074 struct sctp_association *asoc; 1075 struct sctp_init_chunk *init_cp, init_buf; 1076 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1077 int chk_length; 1078 int init_offset, initack_offset, i; 1079 int retval; 1080 int spec_flag = 0; 1081 int how_indx; 1082 1083 /* I know that the TCB is non-NULL from the caller */ 1084 asoc = &stcb->asoc; 1085 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1086 if (asoc->cookie_how[how_indx] == 0) 1087 break; 1088 } 1089 if (how_indx < sizeof(asoc->cookie_how)) { 1090 asoc->cookie_how[how_indx] = 1; 1091 } 1092 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1093 /* SHUTDOWN came in after sending INIT-ACK */ 1094 struct mbuf *op_err; 1095 struct sctp_paramhdr *ph; 1096 1097 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1098 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1099 0, M_DONTWAIT, 1, MT_DATA); 1100 if (op_err == NULL) { 1101 /* FOOBAR */ 1102 return (NULL); 1103 } 1104 /* pre-reserve some space */ 1105 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1106 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1107 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1108 /* Set the len */ 1109 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1110 ph = mtod(op_err, struct sctp_paramhdr *); 1111 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1112 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1113 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1114 if (how_indx < sizeof(asoc->cookie_how)) 1115 asoc->cookie_how[how_indx] = 2; 1116 return (NULL); 1117 } 1118 /* 1119 * find and validate the INIT chunk in the cookie (peer's info) the 1120 * INIT should start after the cookie-echo header struct (chunk 1121 * header, state cookie header struct) 1122 */ 1123 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1124 1125 init_cp = (struct sctp_init_chunk *) 1126 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1127 (uint8_t *) & init_buf); 1128 if (init_cp == NULL) { 1129 /* could not pull a INIT chunk in cookie */ 1130 return (NULL); 1131 } 1132 chk_length = ntohs(init_cp->ch.chunk_length); 1133 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1134 return (NULL); 1135 } 1136 /* 1137 * find and validate the INIT-ACK chunk in the cookie (my info) the 1138 * INIT-ACK follows the INIT chunk 1139 */ 1140 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1141 initack_cp = (struct sctp_init_ack_chunk *) 1142 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1143 (uint8_t *) & initack_buf); 1144 if (initack_cp == NULL) { 1145 /* could not pull INIT-ACK chunk in cookie */ 1146 return (NULL); 1147 } 1148 chk_length = ntohs(initack_cp->ch.chunk_length); 1149 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1150 return (NULL); 1151 } 1152 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1153 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1154 /* 1155 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1156 * to get into the OPEN state 1157 */ 1158 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1159 #ifdef INVARIANTS 1160 panic("Case D and non-match seq?"); 1161 #else 1162 printf("Case D, seq non-match %x vs %x?\n", 1163 ntohl(initack_cp->init.initial_tsn), asoc->init_seq_number); 1164 #endif 1165 } 1166 switch SCTP_GET_STATE 1167 (asoc) { 1168 case SCTP_STATE_COOKIE_WAIT: 1169 case SCTP_STATE_COOKIE_ECHOED: 1170 /* 1171 * INIT was sent, but got got a COOKIE_ECHO with the 1172 * correct tags... just accept it...but we must 1173 * process the init so that we can make sure we have 1174 * the right seq no's. 1175 */ 1176 /* First we must process the INIT !! */ 1177 retval = sctp_process_init(init_cp, stcb, net); 1178 if (retval < 0) { 1179 if (how_indx < sizeof(asoc->cookie_how)) 1180 asoc->cookie_how[how_indx] = 3; 1181 return (NULL); 1182 } 1183 /* we have already processed the INIT so no problem */ 1184 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1185 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1186 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1187 /* update current state */ 1188 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1189 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1190 else 1191 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1192 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1193 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1194 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1195 stcb->sctp_ep, stcb, asoc->primary_destination); 1196 1197 } else { 1198 /* if ok, move to OPEN state */ 1199 asoc->state = SCTP_STATE_OPEN; 1200 } 1201 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1202 sctp_stop_all_cookie_timers(stcb); 1203 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1204 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1205 (inp->sctp_socket->so_qlimit == 0) 1206 ) { 1207 /* 1208 * Here is where collision would go if we 1209 * did a connect() and instead got a 1210 * init/init-ack/cookie done before the 1211 * init-ack came back.. 1212 */ 1213 stcb->sctp_ep->sctp_flags |= 1214 SCTP_PCB_FLAGS_CONNECTED; 1215 soisconnected(stcb->sctp_ep->sctp_socket); 1216 } 1217 /* notify upper layer */ 1218 *notification = SCTP_NOTIFY_ASSOC_UP; 1219 /* 1220 * since we did not send a HB make sure we don't 1221 * double things 1222 */ 1223 net->hb_responded = 1; 1224 1225 if (stcb->asoc.sctp_autoclose_ticks && 1226 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1227 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1228 inp, stcb, NULL); 1229 } 1230 break; 1231 default: 1232 /* 1233 * we're in the OPEN state (or beyond), so peer must 1234 * have simply lost the COOKIE-ACK 1235 */ 1236 1237 break; 1238 } /* end switch */ 1239 sctp_stop_all_cookie_timers(stcb); 1240 /* 1241 * We ignore the return code here.. not sure if we should 1242 * somehow abort.. but we do have an existing asoc. This 1243 * really should not fail. 1244 */ 1245 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1246 init_offset + sizeof(struct sctp_init_chunk), 1247 initack_offset, sh, init_src)) { 1248 if (how_indx < sizeof(asoc->cookie_how)) 1249 asoc->cookie_how[how_indx] = 4; 1250 return (NULL); 1251 } 1252 /* respond with a COOKIE-ACK */ 1253 sctp_toss_old_cookies(stcb, asoc); 1254 sctp_send_cookie_ack(stcb); 1255 if (how_indx < sizeof(asoc->cookie_how)) 1256 asoc->cookie_how[how_indx] = 5; 1257 return (stcb); 1258 } /* end if */ 1259 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1260 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1261 cookie->tie_tag_my_vtag == 0 && 1262 cookie->tie_tag_peer_vtag == 0) { 1263 /* 1264 * case C in Section 5.2.4 Table 2: XMOO silently discard 1265 */ 1266 if (how_indx < sizeof(asoc->cookie_how)) 1267 asoc->cookie_how[how_indx] = 6; 1268 return (NULL); 1269 } 1270 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1271 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1272 init_cp->init.initiate_tag == 0)) { 1273 /* 1274 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1275 * should be ok, re-accept peer info 1276 */ 1277 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1278 /* 1279 * Extension of case C. If we hit this, then the 1280 * random number generator returned the same vtag 1281 * when we first sent our INIT-ACK and when we later 1282 * sent our INIT. The side with the seq numbers that 1283 * are different will be the one that normnally 1284 * would have hit case C. This in effect "extends" 1285 * our vtags in this collision case to be 64 bits. 1286 * The same collision could occur aka you get both 1287 * vtag and seq number the same twice in a row.. but 1288 * is much less likely. If it did happen then we 1289 * would proceed through and bring up the assoc.. we 1290 * may end up with the wrong stream setup however.. 1291 * which would be bad.. but there is no way to 1292 * tell.. until we send on a stream that does not 1293 * exist :-) 1294 */ 1295 if (how_indx < sizeof(asoc->cookie_how)) 1296 asoc->cookie_how[how_indx] = 7; 1297 1298 return (NULL); 1299 } 1300 if (how_indx < sizeof(asoc->cookie_how)) 1301 asoc->cookie_how[how_indx] = 8; 1302 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1303 sctp_stop_all_cookie_timers(stcb); 1304 /* 1305 * since we did not send a HB make sure we don't double 1306 * things 1307 */ 1308 net->hb_responded = 1; 1309 if (stcb->asoc.sctp_autoclose_ticks && 1310 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1311 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1312 NULL); 1313 } 1314 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1315 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1316 1317 /* Note last_cwr_tsn? where is this used? */ 1318 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1319 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1320 /* 1321 * Ok the peer probably discarded our data (if we 1322 * echoed a cookie+data). So anything on the 1323 * sent_queue should be marked for retransmit, we 1324 * may not get something to kick us so it COULD 1325 * still take a timeout to move these.. but it can't 1326 * hurt to mark them. 1327 */ 1328 struct sctp_tmit_chunk *chk; 1329 1330 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1331 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1332 chk->sent = SCTP_DATAGRAM_RESEND; 1333 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1334 spec_flag++; 1335 } 1336 } 1337 1338 } 1339 /* process the INIT info (peer's info) */ 1340 retval = sctp_process_init(init_cp, stcb, net); 1341 if (retval < 0) { 1342 if (how_indx < sizeof(asoc->cookie_how)) 1343 asoc->cookie_how[how_indx] = 9; 1344 return (NULL); 1345 } 1346 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1347 init_offset + sizeof(struct sctp_init_chunk), 1348 initack_offset, sh, init_src)) { 1349 if (how_indx < sizeof(asoc->cookie_how)) 1350 asoc->cookie_how[how_indx] = 10; 1351 return (NULL); 1352 } 1353 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1354 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1355 *notification = SCTP_NOTIFY_ASSOC_UP; 1356 1357 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1358 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1359 (inp->sctp_socket->so_qlimit == 0)) { 1360 stcb->sctp_ep->sctp_flags |= 1361 SCTP_PCB_FLAGS_CONNECTED; 1362 soisconnected(stcb->sctp_ep->sctp_socket); 1363 } 1364 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1365 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1366 else 1367 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1368 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1369 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1370 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1371 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1372 } else { 1373 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1374 } 1375 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1376 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1377 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1378 stcb->sctp_ep, stcb, asoc->primary_destination); 1379 1380 } else { 1381 asoc->state = SCTP_STATE_OPEN; 1382 } 1383 sctp_stop_all_cookie_timers(stcb); 1384 sctp_toss_old_cookies(stcb, asoc); 1385 sctp_send_cookie_ack(stcb); 1386 if (spec_flag) { 1387 /* 1388 * only if we have retrans set do we do this. What 1389 * this call does is get only the COOKIE-ACK out and 1390 * then when we return the normal call to 1391 * sctp_chunk_output will get the retrans out behind 1392 * this. 1393 */ 1394 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK); 1395 } 1396 if (how_indx < sizeof(asoc->cookie_how)) 1397 asoc->cookie_how[how_indx] = 11; 1398 1399 return (stcb); 1400 } 1401 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1402 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1403 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1404 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1405 cookie->tie_tag_peer_vtag != 0) { 1406 struct sctpasochead *head; 1407 1408 /* 1409 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1410 */ 1411 /* temp code */ 1412 if (how_indx < sizeof(asoc->cookie_how)) 1413 asoc->cookie_how[how_indx] = 12; 1414 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1415 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1416 1417 *sac_assoc_id = sctp_get_associd(stcb); 1418 /* notify upper layer */ 1419 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1420 atomic_add_int(&stcb->asoc.refcnt, 1); 1421 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1422 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1423 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1424 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1425 } 1426 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1427 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1428 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1429 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1430 } 1431 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1432 asoc->state = SCTP_STATE_OPEN | 1433 SCTP_STATE_SHUTDOWN_PENDING; 1434 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1435 stcb->sctp_ep, stcb, asoc->primary_destination); 1436 1437 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1438 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1439 asoc->state = SCTP_STATE_OPEN; 1440 } 1441 asoc->pre_open_streams = 1442 ntohs(initack_cp->init.num_outbound_streams); 1443 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1444 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1445 1446 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1447 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1448 1449 asoc->str_reset_seq_in = asoc->init_seq_number; 1450 1451 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1452 if (asoc->mapping_array) 1453 memset(asoc->mapping_array, 0, 1454 asoc->mapping_array_size); 1455 SCTP_TCB_UNLOCK(stcb); 1456 SCTP_INP_INFO_WLOCK(); 1457 SCTP_INP_WLOCK(stcb->sctp_ep); 1458 SCTP_TCB_LOCK(stcb); 1459 atomic_add_int(&stcb->asoc.refcnt, -1); 1460 /* send up all the data */ 1461 SCTP_TCB_SEND_LOCK(stcb); 1462 1463 sctp_report_all_outbound(stcb, 1); 1464 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1465 stcb->asoc.strmout[i].stream_no = i; 1466 stcb->asoc.strmout[i].next_sequence_sent = 0; 1467 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1468 } 1469 /* process the INIT-ACK info (my info) */ 1470 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1471 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1472 1473 /* pull from vtag hash */ 1474 LIST_REMOVE(stcb, sctp_asocs); 1475 /* re-insert to new vtag position */ 1476 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1477 sctppcbinfo.hashasocmark)]; 1478 /* 1479 * put it in the bucket in the vtag hash of assoc's for the 1480 * system 1481 */ 1482 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1483 1484 /* Is this the first restart? */ 1485 if (stcb->asoc.in_restart_hash == 0) { 1486 /* Ok add it to assoc_id vtag hash */ 1487 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1488 sctppcbinfo.hashrestartmark)]; 1489 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1490 stcb->asoc.in_restart_hash = 1; 1491 } 1492 /* process the INIT info (peer's info) */ 1493 SCTP_TCB_SEND_UNLOCK(stcb); 1494 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1495 SCTP_INP_INFO_WUNLOCK(); 1496 1497 retval = sctp_process_init(init_cp, stcb, net); 1498 if (retval < 0) { 1499 if (how_indx < sizeof(asoc->cookie_how)) 1500 asoc->cookie_how[how_indx] = 13; 1501 1502 return (NULL); 1503 } 1504 /* 1505 * since we did not send a HB make sure we don't double 1506 * things 1507 */ 1508 net->hb_responded = 1; 1509 1510 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1511 init_offset + sizeof(struct sctp_init_chunk), 1512 initack_offset, sh, init_src)) { 1513 if (how_indx < sizeof(asoc->cookie_how)) 1514 asoc->cookie_how[how_indx] = 14; 1515 1516 return (NULL); 1517 } 1518 /* respond with a COOKIE-ACK */ 1519 sctp_stop_all_cookie_timers(stcb); 1520 sctp_toss_old_cookies(stcb, asoc); 1521 sctp_send_cookie_ack(stcb); 1522 if (how_indx < sizeof(asoc->cookie_how)) 1523 asoc->cookie_how[how_indx] = 15; 1524 1525 return (stcb); 1526 } 1527 if (how_indx < sizeof(asoc->cookie_how)) 1528 asoc->cookie_how[how_indx] = 16; 1529 /* all other cases... */ 1530 return (NULL); 1531 } 1532 1533 1534 /* 1535 * handle a state cookie for a new association m: input packet mbuf chain-- 1536 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1537 * and the cookie signature does not exist offset: offset into mbuf to the 1538 * cookie-echo chunk length: length of the cookie chunk to: where the init 1539 * was from returns a new TCB 1540 */ 1541 static struct sctp_tcb * 1542 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1543 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1544 struct sctp_inpcb *inp, struct sctp_nets **netp, 1545 struct sockaddr *init_src, int *notification, 1546 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1547 { 1548 struct sctp_tcb *stcb; 1549 struct sctp_init_chunk *init_cp, init_buf; 1550 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1551 struct sockaddr_storage sa_store; 1552 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1553 struct sockaddr_in *sin; 1554 struct sockaddr_in6 *sin6; 1555 struct sctp_association *asoc; 1556 uint32_t vrf_id; 1557 int chk_length; 1558 int init_offset, initack_offset, initack_limit; 1559 int retval; 1560 int error = 0; 1561 uint32_t old_tag; 1562 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1563 1564 vrf_id = inp->def_vrf_id; 1565 1566 /* 1567 * find and validate the INIT chunk in the cookie (peer's info) the 1568 * INIT should start after the cookie-echo header struct (chunk 1569 * header, state cookie header struct) 1570 */ 1571 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1572 init_cp = (struct sctp_init_chunk *) 1573 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1574 (uint8_t *) & init_buf); 1575 if (init_cp == NULL) { 1576 /* could not pull a INIT chunk in cookie */ 1577 #ifdef SCTP_DEBUG 1578 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1579 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1580 } 1581 #endif /* SCTP_DEBUG */ 1582 return (NULL); 1583 } 1584 chk_length = ntohs(init_cp->ch.chunk_length); 1585 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1586 #ifdef SCTP_DEBUG 1587 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1588 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1589 } 1590 #endif /* SCTP_DEBUG */ 1591 return (NULL); 1592 } 1593 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1594 /* 1595 * find and validate the INIT-ACK chunk in the cookie (my info) the 1596 * INIT-ACK follows the INIT chunk 1597 */ 1598 initack_cp = (struct sctp_init_ack_chunk *) 1599 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1600 (uint8_t *) & initack_buf); 1601 if (initack_cp == NULL) { 1602 /* could not pull INIT-ACK chunk in cookie */ 1603 #ifdef SCTP_DEBUG 1604 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1605 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1606 } 1607 #endif /* SCTP_DEBUG */ 1608 return (NULL); 1609 } 1610 chk_length = ntohs(initack_cp->ch.chunk_length); 1611 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1612 return (NULL); 1613 } 1614 /* 1615 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1616 * "initack_limit" value. This is because the chk_length field 1617 * includes the length of the cookie, but the cookie is omitted when 1618 * the INIT and INIT_ACK are tacked onto the cookie... 1619 */ 1620 initack_limit = offset + cookie_len; 1621 1622 /* 1623 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1624 * and popluate 1625 */ 1626 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1627 ntohl(initack_cp->init.initiate_tag), vrf_id); 1628 if (stcb == NULL) { 1629 struct mbuf *op_err; 1630 1631 /* memory problem? */ 1632 #ifdef SCTP_DEBUG 1633 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1634 printf("process_cookie_new: no room for another TCB!\n"); 1635 } 1636 #endif /* SCTP_DEBUG */ 1637 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1638 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1639 sh, op_err); 1640 return (NULL); 1641 } 1642 /* get the correct sctp_nets */ 1643 *netp = sctp_findnet(stcb, init_src); 1644 asoc = &stcb->asoc; 1645 /* get scope variables out of cookie */ 1646 asoc->ipv4_local_scope = cookie->ipv4_scope; 1647 asoc->site_scope = cookie->site_scope; 1648 asoc->local_scope = cookie->local_scope; 1649 asoc->loopback_scope = cookie->loopback_scope; 1650 1651 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1652 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1653 struct mbuf *op_err; 1654 1655 /* 1656 * Houston we have a problem. The EP changed while the 1657 * cookie was in flight. Only recourse is to abort the 1658 * association. 1659 */ 1660 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1661 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1662 sh, op_err); 1663 return (NULL); 1664 } 1665 /* process the INIT-ACK info (my info) */ 1666 old_tag = asoc->my_vtag; 1667 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1668 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1669 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1670 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1671 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1672 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1673 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1674 asoc->str_reset_seq_in = asoc->init_seq_number; 1675 1676 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1677 1678 /* process the INIT info (peer's info) */ 1679 retval = sctp_process_init(init_cp, stcb, *netp); 1680 if (retval < 0) { 1681 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1682 return (NULL); 1683 } 1684 /* load all addresses */ 1685 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1686 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1687 init_src)) { 1688 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 1689 return (NULL); 1690 } 1691 /* 1692 * verify any preceding AUTH chunk that was skipped 1693 */ 1694 /* pull the local authentication parameters from the cookie/init-ack */ 1695 sctp_auth_get_cookie_params(stcb, m, 1696 initack_offset + sizeof(struct sctp_init_ack_chunk), 1697 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1698 if (auth_skipped) { 1699 struct sctp_auth_chunk *auth; 1700 1701 auth = (struct sctp_auth_chunk *) 1702 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 1703 if (sctp_handle_auth(stcb, auth, m, auth_offset)) { 1704 /* auth HMAC failed, dump the assoc and packet */ 1705 #ifdef SCTP_DEBUG 1706 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 1707 printf("COOKIE-ECHO: AUTH failed\n"); 1708 #endif /* SCTP_DEBUG */ 1709 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 1710 return (NULL); 1711 } else { 1712 /* remaining chunks checked... good to go */ 1713 stcb->asoc.authenticated = 1; 1714 } 1715 } 1716 /* update current state */ 1717 #ifdef SCTP_DEBUG 1718 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1719 printf("moving to OPEN state\n"); 1720 } 1721 #endif 1722 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1723 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1724 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1725 stcb->sctp_ep, stcb, asoc->primary_destination); 1726 } else { 1727 asoc->state = SCTP_STATE_OPEN; 1728 } 1729 sctp_stop_all_cookie_timers(stcb); 1730 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1731 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1732 1733 /* 1734 * if we're doing ASCONFs, check to see if we have any new local 1735 * addresses that need to get added to the peer (eg. addresses 1736 * changed while cookie echo in flight). This needs to be done 1737 * after we go to the OPEN state to do the correct asconf 1738 * processing. else, make sure we have the correct addresses in our 1739 * lists 1740 */ 1741 1742 /* warning, we re-use sin, sin6, sa_store here! */ 1743 /* pull in local_address (our "from" address) */ 1744 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1745 /* source addr is IPv4 */ 1746 sin = (struct sockaddr_in *)initack_src; 1747 memset(sin, 0, sizeof(*sin)); 1748 sin->sin_family = AF_INET; 1749 sin->sin_len = sizeof(struct sockaddr_in); 1750 sin->sin_addr.s_addr = cookie->laddress[0]; 1751 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1752 /* source addr is IPv6 */ 1753 sin6 = (struct sockaddr_in6 *)initack_src; 1754 memset(sin6, 0, sizeof(*sin6)); 1755 sin6->sin6_family = AF_INET6; 1756 sin6->sin6_len = sizeof(struct sockaddr_in6); 1757 sin6->sin6_scope_id = cookie->scope_id; 1758 memcpy(&sin6->sin6_addr, cookie->laddress, 1759 sizeof(sin6->sin6_addr)); 1760 } else { 1761 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 1762 return (NULL); 1763 } 1764 1765 sctp_check_address_list(stcb, m, 1766 initack_offset + sizeof(struct sctp_init_ack_chunk), 1767 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1768 initack_src, cookie->local_scope, cookie->site_scope, 1769 cookie->ipv4_scope, cookie->loopback_scope); 1770 1771 1772 /* set up to notify upper layer */ 1773 *notification = SCTP_NOTIFY_ASSOC_UP; 1774 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1775 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1776 (inp->sctp_socket->so_qlimit == 0)) { 1777 /* 1778 * This is an endpoint that called connect() how it got a 1779 * cookie that is NEW is a bit of a mystery. It must be that 1780 * the INIT was sent, but before it got there.. a complete 1781 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1782 * should have went to the other code.. not here.. oh well.. 1783 * a bit of protection is worth having.. 1784 */ 1785 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1786 soisconnected(stcb->sctp_ep->sctp_socket); 1787 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1788 (inp->sctp_socket->so_qlimit)) { 1789 /* 1790 * We don't want to do anything with this one. Since it is 1791 * the listening guy. The timer will get started for 1792 * accepted connections in the caller. 1793 */ 1794 ; 1795 } 1796 /* since we did not send a HB make sure we don't double things */ 1797 (*netp)->hb_responded = 1; 1798 1799 if (stcb->asoc.sctp_autoclose_ticks && 1800 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1801 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1802 } 1803 /* respond with a COOKIE-ACK */ 1804 /* calculate the RTT */ 1805 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1806 &cookie->time_entered); 1807 sctp_send_cookie_ack(stcb); 1808 return (stcb); 1809 } 1810 1811 1812 /* 1813 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1814 * existing (non-NULL) TCB 1815 */ 1816 static struct mbuf * 1817 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1818 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1819 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1820 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, struct sctp_tcb **locked_tcb) 1821 { 1822 struct sctp_state_cookie *cookie; 1823 struct sockaddr_in6 sin6; 1824 struct sockaddr_in sin; 1825 struct sctp_tcb *l_stcb = *stcb; 1826 struct sctp_inpcb *l_inp; 1827 struct sockaddr *to; 1828 sctp_assoc_t sac_restart_id; 1829 struct sctp_pcb *ep; 1830 struct mbuf *m_sig; 1831 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1832 uint8_t *sig; 1833 uint8_t cookie_ok = 0; 1834 unsigned int size_of_pkt, sig_offset, cookie_offset; 1835 unsigned int cookie_len; 1836 struct timeval now; 1837 struct timeval time_expires; 1838 struct sockaddr_storage dest_store; 1839 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1840 struct ip *iph; 1841 int notification = 0; 1842 struct sctp_nets *netl; 1843 int had_a_existing_tcb = 0; 1844 1845 #ifdef SCTP_DEBUG 1846 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1847 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1848 } 1849 #endif 1850 1851 if (inp_p == NULL) { 1852 return (NULL); 1853 } 1854 /* First get the destination address setup too. */ 1855 iph = mtod(m, struct ip *); 1856 if (iph->ip_v == IPVERSION) { 1857 /* its IPv4 */ 1858 struct sockaddr_in *sin; 1859 1860 sin = (struct sockaddr_in *)(localep_sa); 1861 memset(sin, 0, sizeof(*sin)); 1862 sin->sin_family = AF_INET; 1863 sin->sin_len = sizeof(*sin); 1864 sin->sin_port = sh->dest_port; 1865 sin->sin_addr.s_addr = iph->ip_dst.s_addr; 1866 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 1867 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1868 /* its IPv6 */ 1869 struct ip6_hdr *ip6; 1870 struct sockaddr_in6 *sin6; 1871 1872 sin6 = (struct sockaddr_in6 *)(localep_sa); 1873 memset(sin6, 0, sizeof(*sin6)); 1874 sin6->sin6_family = AF_INET6; 1875 sin6->sin6_len = sizeof(struct sockaddr_in6); 1876 ip6 = mtod(m, struct ip6_hdr *); 1877 sin6->sin6_port = sh->dest_port; 1878 sin6->sin6_addr = ip6->ip6_dst; 1879 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 1880 } else { 1881 return (NULL); 1882 } 1883 1884 cookie = &cp->cookie; 1885 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1886 cookie_len = ntohs(cp->ch.chunk_length); 1887 1888 if ((cookie->peerport != sh->src_port) && 1889 (cookie->myport != sh->dest_port) && 1890 (cookie->my_vtag != sh->v_tag)) { 1891 /* 1892 * invalid ports or bad tag. Note that we always leave the 1893 * v_tag in the header in network order and when we stored 1894 * it in the my_vtag slot we also left it in network order. 1895 * This maintians the match even though it may be in the 1896 * opposite byte order of the machine :-> 1897 */ 1898 return (NULL); 1899 } 1900 if (cookie_len > size_of_pkt || 1901 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1902 sizeof(struct sctp_init_chunk) + 1903 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1904 /* cookie too long! or too small */ 1905 return (NULL); 1906 } 1907 /* 1908 * split off the signature into its own mbuf (since it should not be 1909 * calculated in the sctp_hmac_m() call). 1910 */ 1911 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1912 if (sig_offset > size_of_pkt) { 1913 /* packet not correct size! */ 1914 /* XXX this may already be accounted for earlier... */ 1915 return (NULL); 1916 } 1917 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1918 if (m_sig == NULL) { 1919 /* out of memory or ?? */ 1920 return (NULL); 1921 } 1922 /* 1923 * compute the signature/digest for the cookie 1924 */ 1925 ep = &(*inp_p)->sctp_ep; 1926 l_inp = *inp_p; 1927 if (l_stcb) { 1928 SCTP_TCB_UNLOCK(l_stcb); 1929 } 1930 SCTP_INP_RLOCK(l_inp); 1931 if (l_stcb) { 1932 SCTP_TCB_LOCK(l_stcb); 1933 } 1934 /* which cookie is it? */ 1935 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1936 (ep->current_secret_number != ep->last_secret_number)) { 1937 /* it's the old cookie */ 1938 sctp_hmac_m(SCTP_HMAC, 1939 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1940 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1941 } else { 1942 /* it's the current cookie */ 1943 sctp_hmac_m(SCTP_HMAC, 1944 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1945 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1946 } 1947 /* get the signature */ 1948 SCTP_INP_RUNLOCK(l_inp); 1949 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1950 if (sig == NULL) { 1951 /* couldn't find signature */ 1952 sctp_m_freem(m_sig); 1953 return (NULL); 1954 } 1955 /* compare the received digest with the computed digest */ 1956 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1957 /* try the old cookie? */ 1958 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1959 (ep->current_secret_number != ep->last_secret_number)) { 1960 /* compute digest with old */ 1961 sctp_hmac_m(SCTP_HMAC, 1962 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1963 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1964 /* compare */ 1965 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1966 cookie_ok = 1; 1967 } 1968 } else { 1969 cookie_ok = 1; 1970 } 1971 1972 /* 1973 * Now before we continue we must reconstruct our mbuf so that 1974 * normal processing of any other chunks will work. 1975 */ 1976 { 1977 struct mbuf *m_at; 1978 1979 m_at = m; 1980 while (SCTP_BUF_NEXT(m_at) != NULL) { 1981 m_at = SCTP_BUF_NEXT(m_at); 1982 } 1983 SCTP_BUF_NEXT(m_at) = m_sig; 1984 } 1985 1986 if (cookie_ok == 0) { 1987 #ifdef SCTP_DEBUG 1988 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1989 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1990 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1991 (uint32_t) offset, cookie_offset, sig_offset); 1992 } 1993 #endif 1994 return (NULL); 1995 } 1996 /* 1997 * check the cookie timestamps to be sure it's not stale 1998 */ 1999 SCTP_GETTIME_TIMEVAL(&now); 2000 /* Expire time is in Ticks, so we convert to seconds */ 2001 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 2002 time_expires.tv_usec = cookie->time_entered.tv_usec; 2003 if (timevalcmp(&now, &time_expires, >)) { 2004 /* cookie is stale! */ 2005 struct mbuf *op_err; 2006 struct sctp_stale_cookie_msg *scm; 2007 uint32_t tim; 2008 2009 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 2010 0, M_DONTWAIT, 1, MT_DATA); 2011 if (op_err == NULL) { 2012 /* FOOBAR */ 2013 return (NULL); 2014 } 2015 /* pre-reserve some space */ 2016 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 2017 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 2018 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 2019 2020 /* Set the len */ 2021 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 2022 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 2023 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 2024 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 2025 (sizeof(uint32_t)))); 2026 /* seconds to usec */ 2027 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2028 /* add in usec */ 2029 if (tim == 0) 2030 tim = now.tv_usec - cookie->time_entered.tv_usec; 2031 scm->time_usec = htonl(tim); 2032 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 2033 return (NULL); 2034 } 2035 /* 2036 * Now we must see with the lookup address if we have an existing 2037 * asoc. This will only happen if we were in the COOKIE-WAIT state 2038 * and a INIT collided with us and somewhere the peer sent the 2039 * cookie on another address besides the single address our assoc 2040 * had for him. In this case we will have one of the tie-tags set at 2041 * least AND the address field in the cookie can be used to look it 2042 * up. 2043 */ 2044 to = NULL; 2045 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 2046 memset(&sin6, 0, sizeof(sin6)); 2047 sin6.sin6_family = AF_INET6; 2048 sin6.sin6_len = sizeof(sin6); 2049 sin6.sin6_port = sh->src_port; 2050 sin6.sin6_scope_id = cookie->scope_id; 2051 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2052 sizeof(sin6.sin6_addr.s6_addr)); 2053 to = (struct sockaddr *)&sin6; 2054 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2055 memset(&sin, 0, sizeof(sin)); 2056 sin.sin_family = AF_INET; 2057 sin.sin_len = sizeof(sin); 2058 sin.sin_port = sh->src_port; 2059 sin.sin_addr.s_addr = cookie->address[0]; 2060 to = (struct sockaddr *)&sin; 2061 } 2062 if ((*stcb == NULL) && to) { 2063 /* Yep, lets check */ 2064 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2065 if (*stcb == NULL) { 2066 /* 2067 * We should have only got back the same inp. If we 2068 * got back a different ep we have a problem. The 2069 * original findep got back l_inp and now 2070 */ 2071 if (l_inp != *inp_p) { 2072 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 2073 } 2074 } else { 2075 if (*locked_tcb == NULL) { 2076 /* 2077 * In this case we found the assoc only 2078 * after we locked the create lock. This 2079 * means we are in a colliding case and we 2080 * must make sure that we unlock the tcb if 2081 * its one of the cases where we throw away 2082 * the incoming packets. 2083 */ 2084 *locked_tcb = *stcb; 2085 2086 /* 2087 * We must also increment the inp ref count 2088 * since the ref_count flags was set when we 2089 * did not find the TCB, now we found it 2090 * which reduces the refcount.. we must 2091 * raise it back out to balance it all :-) 2092 */ 2093 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2094 if ((*stcb)->sctp_ep != l_inp) { 2095 printf("Huh? ep:%p diff then l_inp:%p?\n", 2096 (*stcb)->sctp_ep, l_inp); 2097 } 2098 } 2099 } 2100 } 2101 cookie_len -= SCTP_SIGNATURE_SIZE; 2102 if (*stcb == NULL) { 2103 /* this is the "normal" case... get a new TCB */ 2104 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2105 cookie_len, *inp_p, netp, to, ¬ification, 2106 auth_skipped, auth_offset, auth_len); 2107 } else { 2108 /* this is abnormal... cookie-echo on existing TCB */ 2109 had_a_existing_tcb = 1; 2110 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2111 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, 2112 &sac_restart_id); 2113 } 2114 2115 if (*stcb == NULL) { 2116 /* still no TCB... must be bad cookie-echo */ 2117 return (NULL); 2118 } 2119 /* 2120 * Ok, we built an association so confirm the address we sent the 2121 * INIT-ACK to. 2122 */ 2123 netl = sctp_findnet(*stcb, to); 2124 /* 2125 * This code should in theory NOT run but 2126 */ 2127 if (netl == NULL) { 2128 /* TSNH! Huh, why do I need to add this address here? */ 2129 int ret; 2130 2131 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2132 SCTP_IN_COOKIE_PROC); 2133 netl = sctp_findnet(*stcb, to); 2134 } 2135 if (netl) { 2136 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2137 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2138 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2139 netl); 2140 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2141 (*stcb), 0, (void *)netl); 2142 } 2143 } 2144 if (*stcb) { 2145 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2146 *stcb, NULL); 2147 } 2148 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2149 if (!had_a_existing_tcb || 2150 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2151 /* 2152 * If we have a NEW cookie or the connect never 2153 * reached the connected state during collision we 2154 * must do the TCP accept thing. 2155 */ 2156 struct socket *so, *oso; 2157 struct sctp_inpcb *inp; 2158 2159 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2160 /* 2161 * For a restart we will keep the same 2162 * socket, no need to do anything. I THINK!! 2163 */ 2164 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2165 return (m); 2166 } 2167 oso = (*inp_p)->sctp_socket; 2168 /* 2169 * We do this to keep the sockets side happy durin 2170 * the sonewcon ONLY. 2171 */ 2172 NET_LOCK_GIANT(); 2173 SCTP_TCB_UNLOCK((*stcb)); 2174 so = sonewconn(oso, 0 2175 ); 2176 NET_UNLOCK_GIANT(); 2177 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2178 SCTP_TCB_LOCK((*stcb)); 2179 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2180 if (so == NULL) { 2181 struct mbuf *op_err; 2182 2183 /* Too many sockets */ 2184 #ifdef SCTP_DEBUG 2185 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2186 printf("process_cookie_new: no room for another socket!\n"); 2187 } 2188 #endif /* SCTP_DEBUG */ 2189 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2190 sctp_abort_association(*inp_p, NULL, m, iphlen, 2191 sh, op_err); 2192 sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2193 return (NULL); 2194 } 2195 inp = (struct sctp_inpcb *)so->so_pcb; 2196 SCTP_INP_INCR_REF(inp); 2197 /* 2198 * We add the unbound flag here so that if we get an 2199 * soabort() before we get the move_pcb done, we 2200 * will properly cleanup. 2201 */ 2202 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2203 SCTP_PCB_FLAGS_CONNECTED | 2204 SCTP_PCB_FLAGS_IN_TCPPOOL | 2205 SCTP_PCB_FLAGS_UNBOUND | 2206 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2207 SCTP_PCB_FLAGS_DONT_WAKE); 2208 inp->sctp_features = (*inp_p)->sctp_features; 2209 inp->sctp_socket = so; 2210 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2211 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2212 inp->sctp_context = (*inp_p)->sctp_context; 2213 inp->inp_starting_point_for_iterator = NULL; 2214 /* 2215 * copy in the authentication parameters from the 2216 * original endpoint 2217 */ 2218 if (inp->sctp_ep.local_hmacs) 2219 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2220 inp->sctp_ep.local_hmacs = 2221 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2222 if (inp->sctp_ep.local_auth_chunks) 2223 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2224 inp->sctp_ep.local_auth_chunks = 2225 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2226 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2227 &inp->sctp_ep.shared_keys); 2228 2229 /* 2230 * Now we must move it from one hash table to 2231 * another and get the tcb in the right place. 2232 */ 2233 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2234 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb); 2235 2236 /* 2237 * now we must check to see if we were aborted while 2238 * the move was going on and the lock/unlock 2239 * happened. 2240 */ 2241 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2242 /* 2243 * yep it was, we leave the assoc attached 2244 * to the socket since the sctp_inpcb_free() 2245 * call will send an abort for us. 2246 */ 2247 SCTP_INP_DECR_REF(inp); 2248 return (NULL); 2249 } 2250 SCTP_INP_DECR_REF(inp); 2251 /* Switch over to the new guy */ 2252 *inp_p = inp; 2253 sctp_ulp_notify(notification, *stcb, 0, NULL); 2254 2255 /* 2256 * Pull it from the incomplete queue and wake the 2257 * guy 2258 */ 2259 soisconnected(so); 2260 return (m); 2261 } 2262 } 2263 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2264 sctp_ulp_notify(notification, *stcb, 0, NULL); 2265 } 2266 return (m); 2267 } 2268 2269 static void 2270 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2271 struct sctp_tcb *stcb, struct sctp_nets *net) 2272 { 2273 /* cp must not be used, others call this without a c-ack :-) */ 2274 struct sctp_association *asoc; 2275 2276 #ifdef SCTP_DEBUG 2277 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2278 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2279 } 2280 #endif 2281 if (stcb == NULL) 2282 return; 2283 2284 asoc = &stcb->asoc; 2285 2286 sctp_stop_all_cookie_timers(stcb); 2287 /* process according to association state */ 2288 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2289 /* state change only needed when I am in right state */ 2290 #ifdef SCTP_DEBUG 2291 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2292 printf("moving to OPEN state\n"); 2293 } 2294 #endif 2295 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2296 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2297 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2298 stcb->sctp_ep, stcb, asoc->primary_destination); 2299 2300 } else { 2301 asoc->state = SCTP_STATE_OPEN; 2302 } 2303 /* update RTO */ 2304 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2305 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2306 if (asoc->overall_error_count == 0) { 2307 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2308 &asoc->time_entered); 2309 } 2310 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2311 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2312 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2313 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2314 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2315 soisconnected(stcb->sctp_ep->sctp_socket); 2316 } 2317 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2318 stcb, net); 2319 /* 2320 * since we did not send a HB make sure we don't double 2321 * things 2322 */ 2323 net->hb_responded = 1; 2324 2325 if (stcb->asoc.sctp_autoclose_ticks && 2326 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2327 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2328 stcb->sctp_ep, stcb, NULL); 2329 } 2330 /* 2331 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2332 * addresses changed when init/cookie echo in flight) 2333 */ 2334 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2335 (stcb->asoc.peer_supports_asconf) && 2336 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2337 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2338 stcb->sctp_ep, stcb, 2339 stcb->asoc.primary_destination); 2340 } 2341 } 2342 /* Toss the cookie if I can */ 2343 sctp_toss_old_cookies(stcb, asoc); 2344 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2345 /* Restart the timer if we have pending data */ 2346 struct sctp_tmit_chunk *chk; 2347 2348 chk = TAILQ_FIRST(&asoc->sent_queue); 2349 if (chk) { 2350 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2351 stcb, chk->whoTo); 2352 } 2353 } 2354 } 2355 2356 static void 2357 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2358 struct sctp_tcb *stcb) 2359 { 2360 struct sctp_nets *net; 2361 struct sctp_tmit_chunk *lchk; 2362 uint32_t tsn; 2363 2364 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2365 return; 2366 } 2367 SCTP_STAT_INCR(sctps_recvecne); 2368 tsn = ntohl(cp->tsn); 2369 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2370 /* Also we make sure we disable the nonce_wait */ 2371 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2372 if (lchk == NULL) { 2373 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2374 } else { 2375 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2376 } 2377 stcb->asoc.nonce_wait_for_ecne = 0; 2378 stcb->asoc.nonce_sum_check = 0; 2379 2380 /* Find where it was sent, if possible */ 2381 net = NULL; 2382 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2383 while (lchk) { 2384 if (lchk->rec.data.TSN_seq == tsn) { 2385 net = lchk->whoTo; 2386 break; 2387 } 2388 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2389 break; 2390 lchk = TAILQ_NEXT(lchk, sctp_next); 2391 } 2392 if (net == NULL) 2393 /* default is we use the primary */ 2394 net = stcb->asoc.primary_destination; 2395 2396 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2397 #ifdef SCTP_CWND_MONITOR 2398 int old_cwnd; 2399 2400 old_cwnd = net->cwnd; 2401 #endif 2402 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2403 net->ssthresh = net->cwnd / 2; 2404 if (net->ssthresh < net->mtu) { 2405 net->ssthresh = net->mtu; 2406 /* here back off the timer as well, to slow us down */ 2407 net->RTO <<= 2; 2408 } 2409 net->cwnd = net->ssthresh; 2410 #ifdef SCTP_CWND_MONITOR 2411 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2412 #endif 2413 /* 2414 * we reduce once every RTT. So we will only lower cwnd at 2415 * the next sending seq i.e. the resync_tsn. 2416 */ 2417 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2418 } 2419 /* 2420 * We always send a CWR this way if our previous one was lost our 2421 * peer will get an update, or if it is not time again to reduce we 2422 * still get the cwr to the peer. 2423 */ 2424 sctp_send_cwr(stcb, net, tsn); 2425 } 2426 2427 static void 2428 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2429 { 2430 /* 2431 * Here we get a CWR from the peer. We must look in the outqueue and 2432 * make sure that we have a covered ECNE in teh control chunk part. 2433 * If so remove it. 2434 */ 2435 struct sctp_tmit_chunk *chk; 2436 struct sctp_ecne_chunk *ecne; 2437 2438 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2439 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2440 continue; 2441 } 2442 /* 2443 * Look for and remove if it is the right TSN. Since there 2444 * is only ONE ECNE on the control queue at any one time we 2445 * don't need to worry about more than one! 2446 */ 2447 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2448 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2449 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2450 /* this covers this ECNE, we can remove it */ 2451 stcb->asoc.ecn_echo_cnt_onq--; 2452 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2453 sctp_next); 2454 if (chk->data) { 2455 sctp_m_freem(chk->data); 2456 chk->data = NULL; 2457 } 2458 stcb->asoc.ctrl_queue_cnt--; 2459 sctp_free_remote_addr(chk->whoTo); 2460 sctp_free_a_chunk(stcb, chk); 2461 break; 2462 } 2463 } 2464 } 2465 2466 static void 2467 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2468 struct sctp_tcb *stcb, struct sctp_nets *net) 2469 { 2470 struct sctp_association *asoc; 2471 2472 #ifdef SCTP_DEBUG 2473 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2474 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2475 } 2476 #endif 2477 if (stcb == NULL) 2478 return; 2479 2480 asoc = &stcb->asoc; 2481 /* process according to association state */ 2482 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2483 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2484 SCTP_TCB_UNLOCK(stcb); 2485 return; 2486 } 2487 /* notify upper layer protocol */ 2488 if (stcb->sctp_socket) { 2489 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2490 /* are the queues empty? they should be */ 2491 if (!TAILQ_EMPTY(&asoc->send_queue) || 2492 !TAILQ_EMPTY(&asoc->sent_queue) || 2493 !TAILQ_EMPTY(&asoc->out_wheel)) { 2494 sctp_report_all_outbound(stcb, 0); 2495 } 2496 } 2497 /* stop the timer */ 2498 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_21); 2499 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2500 /* free the TCB */ 2501 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2502 return; 2503 } 2504 2505 static int 2506 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2507 struct sctp_nets *net, uint8_t flg) 2508 { 2509 switch (desc->chunk_type) { 2510 case SCTP_DATA: 2511 /* find the tsn to resend (possibly */ 2512 { 2513 uint32_t tsn; 2514 struct sctp_tmit_chunk *tp1; 2515 2516 tsn = ntohl(desc->tsn_ifany); 2517 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2518 while (tp1) { 2519 if (tp1->rec.data.TSN_seq == tsn) { 2520 /* found it */ 2521 break; 2522 } 2523 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2524 MAX_TSN)) { 2525 /* not found */ 2526 tp1 = NULL; 2527 break; 2528 } 2529 tp1 = TAILQ_NEXT(tp1, sctp_next); 2530 } 2531 if (tp1 == NULL) { 2532 /* 2533 * Do it the other way , aka without paying 2534 * attention to queue seq order. 2535 */ 2536 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2537 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2538 while (tp1) { 2539 if (tp1->rec.data.TSN_seq == tsn) { 2540 /* found it */ 2541 break; 2542 } 2543 tp1 = TAILQ_NEXT(tp1, sctp_next); 2544 } 2545 } 2546 if (tp1 == NULL) { 2547 SCTP_STAT_INCR(sctps_pdrptsnnf); 2548 } 2549 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2550 uint8_t *ddp; 2551 2552 if ((stcb->asoc.peers_rwnd == 0) && 2553 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2554 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2555 return (0); 2556 } 2557 if (stcb->asoc.peers_rwnd == 0 && 2558 (flg & SCTP_FROM_MIDDLE_BOX)) { 2559 SCTP_STAT_INCR(sctps_pdrpdizrw); 2560 return (0); 2561 } 2562 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2563 sizeof(struct sctp_data_chunk)); 2564 { 2565 unsigned int iii; 2566 2567 for (iii = 0; iii < sizeof(desc->data_bytes); 2568 iii++) { 2569 if (ddp[iii] != desc->data_bytes[iii]) { 2570 SCTP_STAT_INCR(sctps_pdrpbadd); 2571 return (-1); 2572 } 2573 } 2574 } 2575 /* 2576 * We zero out the nonce so resync not 2577 * needed 2578 */ 2579 tp1->rec.data.ect_nonce = 0; 2580 2581 if (tp1->do_rtt) { 2582 /* 2583 * this guy had a RTO calculation 2584 * pending on it, cancel it 2585 */ 2586 tp1->do_rtt = 0; 2587 } 2588 SCTP_STAT_INCR(sctps_pdrpmark); 2589 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2590 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2591 tp1->sent = SCTP_DATAGRAM_RESEND; 2592 /* 2593 * mark it as if we were doing a FR, since 2594 * we will be getting gap ack reports behind 2595 * the info from the router. 2596 */ 2597 tp1->rec.data.doing_fast_retransmit = 1; 2598 /* 2599 * mark the tsn with what sequences can 2600 * cause a new FR. 2601 */ 2602 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2603 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2604 } else { 2605 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2606 } 2607 2608 /* restart the timer */ 2609 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2610 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2611 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2612 stcb, tp1->whoTo); 2613 2614 /* fix counts and things */ 2615 #ifdef SCTP_FLIGHT_LOGGING 2616 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN_PDRP, 2617 tp1->whoTo->flight_size, 2618 tp1->book_size, 2619 (uintptr_t) stcb, 2620 tp1->rec.data.TSN_seq); 2621 #endif 2622 sctp_flight_size_decrease(tp1); 2623 sctp_total_flight_decrease(stcb, tp1); 2624 } { 2625 /* audit code */ 2626 unsigned int audit; 2627 2628 audit = 0; 2629 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2630 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2631 audit++; 2632 } 2633 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2634 sctp_next) { 2635 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2636 audit++; 2637 } 2638 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2639 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2640 audit, stcb->asoc.sent_queue_retran_cnt); 2641 #ifndef SCTP_AUDITING_ENABLED 2642 stcb->asoc.sent_queue_retran_cnt = audit; 2643 #endif 2644 } 2645 } 2646 } 2647 break; 2648 case SCTP_ASCONF: 2649 { 2650 struct sctp_tmit_chunk *asconf; 2651 2652 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2653 sctp_next) { 2654 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2655 break; 2656 } 2657 } 2658 if (asconf) { 2659 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2660 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2661 asconf->sent = SCTP_DATAGRAM_RESEND; 2662 asconf->snd_count--; 2663 } 2664 } 2665 break; 2666 case SCTP_INITIATION: 2667 /* resend the INIT */ 2668 stcb->asoc.dropped_special_cnt++; 2669 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2670 /* 2671 * If we can get it in, in a few attempts we do 2672 * this, otherwise we let the timer fire. 2673 */ 2674 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2675 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 2676 sctp_send_initiate(stcb->sctp_ep, stcb); 2677 } 2678 break; 2679 case SCTP_SELECTIVE_ACK: 2680 /* resend the sack */ 2681 sctp_send_sack(stcb); 2682 break; 2683 case SCTP_HEARTBEAT_REQUEST: 2684 /* resend a demand HB */ 2685 sctp_send_hb(stcb, 1, net); 2686 break; 2687 case SCTP_SHUTDOWN: 2688 sctp_send_shutdown(stcb, net); 2689 break; 2690 case SCTP_SHUTDOWN_ACK: 2691 sctp_send_shutdown_ack(stcb, net); 2692 break; 2693 case SCTP_COOKIE_ECHO: 2694 { 2695 struct sctp_tmit_chunk *cookie; 2696 2697 cookie = NULL; 2698 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2699 sctp_next) { 2700 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2701 break; 2702 } 2703 } 2704 if (cookie) { 2705 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2706 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2707 cookie->sent = SCTP_DATAGRAM_RESEND; 2708 sctp_stop_all_cookie_timers(stcb); 2709 } 2710 } 2711 break; 2712 case SCTP_COOKIE_ACK: 2713 sctp_send_cookie_ack(stcb); 2714 break; 2715 case SCTP_ASCONF_ACK: 2716 /* resend last asconf ack */ 2717 sctp_send_asconf_ack(stcb, 1); 2718 break; 2719 case SCTP_FORWARD_CUM_TSN: 2720 send_forward_tsn(stcb, &stcb->asoc); 2721 break; 2722 /* can't do anything with these */ 2723 case SCTP_PACKET_DROPPED: 2724 case SCTP_INITIATION_ACK: /* this should not happen */ 2725 case SCTP_HEARTBEAT_ACK: 2726 case SCTP_ABORT_ASSOCIATION: 2727 case SCTP_OPERATION_ERROR: 2728 case SCTP_SHUTDOWN_COMPLETE: 2729 case SCTP_ECN_ECHO: 2730 case SCTP_ECN_CWR: 2731 default: 2732 break; 2733 } 2734 return (0); 2735 } 2736 2737 void 2738 sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2739 { 2740 int i; 2741 uint16_t temp; 2742 2743 /* 2744 * We set things to 0xffff since this is the last delivered sequence 2745 * and we will be sending in 0 after the reset. 2746 */ 2747 2748 if (number_entries) { 2749 for (i = 0; i < number_entries; i++) { 2750 temp = ntohs(list[i]); 2751 if (temp >= stcb->asoc.streamincnt) { 2752 continue; 2753 } 2754 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2755 } 2756 } else { 2757 list = NULL; 2758 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2759 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2760 } 2761 } 2762 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2763 } 2764 2765 static void 2766 sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2767 { 2768 int i; 2769 2770 if (number_entries == 0) { 2771 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2772 stcb->asoc.strmout[i].next_sequence_sent = 0; 2773 } 2774 } else if (number_entries) { 2775 for (i = 0; i < number_entries; i++) { 2776 uint16_t temp; 2777 2778 temp = ntohs(list[i]); 2779 if (temp >= stcb->asoc.streamoutcnt) { 2780 /* no such stream */ 2781 continue; 2782 } 2783 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2784 } 2785 } 2786 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2787 } 2788 2789 2790 struct sctp_stream_reset_out_request * 2791 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2792 { 2793 struct sctp_association *asoc; 2794 struct sctp_stream_reset_out_req *req; 2795 struct sctp_stream_reset_out_request *r; 2796 struct sctp_tmit_chunk *chk; 2797 int len, clen; 2798 2799 asoc = &stcb->asoc; 2800 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2801 return (NULL); 2802 } 2803 if (stcb->asoc.str_reset == NULL) { 2804 return (NULL); 2805 } 2806 chk = stcb->asoc.str_reset; 2807 if (chk->data == NULL) { 2808 return (NULL); 2809 } 2810 if (bchk) { 2811 /* he wants a copy of the chk pointer */ 2812 *bchk = chk; 2813 } 2814 clen = chk->send_size; 2815 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2816 r = &req->sr_req; 2817 if (ntohl(r->request_seq) == seq) { 2818 /* found it */ 2819 return (r); 2820 } 2821 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2822 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2823 /* move to the next one, there can only be a max of two */ 2824 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2825 if (ntohl(r->request_seq) == seq) { 2826 return (r); 2827 } 2828 } 2829 /* that seq is not here */ 2830 return (NULL); 2831 } 2832 2833 static void 2834 sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2835 { 2836 struct sctp_association *asoc; 2837 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2838 2839 if (stcb->asoc.str_reset == NULL) { 2840 return; 2841 } 2842 asoc = &stcb->asoc; 2843 2844 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 2845 TAILQ_REMOVE(&asoc->control_send_queue, 2846 chk, 2847 sctp_next); 2848 if (chk->data) { 2849 sctp_m_freem(chk->data); 2850 chk->data = NULL; 2851 } 2852 asoc->ctrl_queue_cnt--; 2853 sctp_free_remote_addr(chk->whoTo); 2854 2855 sctp_free_a_chunk(stcb, chk); 2856 stcb->asoc.str_reset = NULL; 2857 } 2858 2859 2860 static int 2861 sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2862 uint32_t seq, uint32_t action, 2863 struct sctp_stream_reset_response *respin) 2864 { 2865 uint16_t type; 2866 int lparm_len; 2867 struct sctp_association *asoc = &stcb->asoc; 2868 struct sctp_tmit_chunk *chk; 2869 struct sctp_stream_reset_out_request *srparam; 2870 int number_entries; 2871 2872 if (asoc->stream_reset_outstanding == 0) { 2873 /* duplicate */ 2874 return (0); 2875 } 2876 if (seq == stcb->asoc.str_reset_seq_out) { 2877 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2878 if (srparam) { 2879 stcb->asoc.str_reset_seq_out++; 2880 type = ntohs(srparam->ph.param_type); 2881 lparm_len = ntohs(srparam->ph.param_length); 2882 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2883 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2884 asoc->stream_reset_out_is_outstanding = 0; 2885 if (asoc->stream_reset_outstanding) 2886 asoc->stream_reset_outstanding--; 2887 if (action == SCTP_STREAM_RESET_PERFORMED) { 2888 /* do it */ 2889 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2890 } else { 2891 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2892 } 2893 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2894 /* Answered my request */ 2895 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 2896 if (asoc->stream_reset_outstanding) 2897 asoc->stream_reset_outstanding--; 2898 if (action != SCTP_STREAM_RESET_PERFORMED) { 2899 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2900 } 2901 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2902 /** 2903 * a) Adopt the new in tsn. 2904 * b) reset the map 2905 * c) Adopt the new out-tsn 2906 */ 2907 struct sctp_stream_reset_response_tsn *resp; 2908 struct sctp_forward_tsn_chunk fwdtsn; 2909 int abort_flag = 0; 2910 2911 if (respin == NULL) { 2912 /* huh ? */ 2913 return (0); 2914 } 2915 if (action == SCTP_STREAM_RESET_PERFORMED) { 2916 resp = (struct sctp_stream_reset_response_tsn *)respin; 2917 asoc->stream_reset_outstanding--; 2918 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2919 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2920 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2921 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2922 if (abort_flag) { 2923 return (1); 2924 } 2925 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2926 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2927 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2928 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2929 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2930 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2931 2932 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2933 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2934 2935 } 2936 } 2937 /* get rid of the request and get the request flags */ 2938 if (asoc->stream_reset_outstanding == 0) { 2939 sctp_clean_up_stream_reset(stcb); 2940 } 2941 } 2942 } 2943 return (0); 2944 } 2945 2946 static void 2947 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2948 struct sctp_tmit_chunk *chk, 2949 struct sctp_stream_reset_in_request *req) 2950 { 2951 uint32_t seq; 2952 int len, i; 2953 int number_entries; 2954 uint16_t temp; 2955 2956 /* 2957 * peer wants me to send a str-reset to him for my outgoing seq's if 2958 * seq_in is right. 2959 */ 2960 struct sctp_association *asoc = &stcb->asoc; 2961 2962 seq = ntohl(req->request_seq); 2963 if (asoc->str_reset_seq_in == seq) { 2964 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2965 len = ntohs(req->ph.param_length); 2966 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2967 for (i = 0; i < number_entries; i++) { 2968 temp = ntohs(req->list_of_streams[i]); 2969 req->list_of_streams[i] = temp; 2970 } 2971 /* move the reset action back one */ 2972 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2973 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2974 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2975 asoc->str_reset_seq_out, 2976 seq, (asoc->sending_seq - 1)); 2977 asoc->stream_reset_out_is_outstanding = 1; 2978 asoc->str_reset = chk; 2979 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2980 stcb->asoc.stream_reset_outstanding++; 2981 } else { 2982 /* Can't do it, since we have sent one out */ 2983 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2984 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 2985 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2986 } 2987 asoc->str_reset_seq_in++; 2988 } else if (asoc->str_reset_seq_in - 1 == seq) { 2989 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 2990 } else if (asoc->str_reset_seq_in - 2 == seq) { 2991 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 2992 } else { 2993 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 2994 } 2995 } 2996 2997 static int 2998 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 2999 struct sctp_tmit_chunk *chk, 3000 struct sctp_stream_reset_tsn_request *req) 3001 { 3002 /* reset all in and out and update the tsn */ 3003 /* 3004 * A) reset my str-seq's on in and out. B) Select a receive next, 3005 * and set cum-ack to it. Also process this selected number as a 3006 * fwd-tsn as well. C) set in the response my next sending seq. 3007 */ 3008 struct sctp_forward_tsn_chunk fwdtsn; 3009 struct sctp_association *asoc = &stcb->asoc; 3010 int abort_flag = 0; 3011 uint32_t seq; 3012 3013 seq = ntohl(req->request_seq); 3014 if (asoc->str_reset_seq_in == seq) { 3015 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3016 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3017 fwdtsn.ch.chunk_flags = 0; 3018 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3019 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 3020 if (abort_flag) { 3021 return (1); 3022 } 3023 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3024 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3025 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 3026 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3027 atomic_add_int(&stcb->asoc.sending_seq, 1); 3028 /* save off historical data for retrans */ 3029 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 3030 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 3031 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 3032 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 3033 3034 sctp_add_stream_reset_result_tsn(chk, 3035 ntohl(req->request_seq), 3036 SCTP_STREAM_RESET_PERFORMED, 3037 stcb->asoc.sending_seq, 3038 stcb->asoc.mapping_array_base_tsn); 3039 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3040 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3041 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3042 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3043 3044 asoc->str_reset_seq_in++; 3045 } else if (asoc->str_reset_seq_in - 1 == seq) { 3046 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3047 stcb->asoc.last_sending_seq[0], 3048 stcb->asoc.last_base_tsnsent[0] 3049 ); 3050 } else if (asoc->str_reset_seq_in - 2 == seq) { 3051 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3052 stcb->asoc.last_sending_seq[1], 3053 stcb->asoc.last_base_tsnsent[1] 3054 ); 3055 } else { 3056 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3057 } 3058 return (0); 3059 } 3060 3061 static void 3062 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3063 struct sctp_tmit_chunk *chk, 3064 struct sctp_stream_reset_out_request *req) 3065 { 3066 uint32_t seq, tsn; 3067 int number_entries, len; 3068 struct sctp_association *asoc = &stcb->asoc; 3069 3070 seq = ntohl(req->request_seq); 3071 3072 /* now if its not a duplicate we process it */ 3073 if (asoc->str_reset_seq_in == seq) { 3074 len = ntohs(req->ph.param_length); 3075 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3076 /* 3077 * the sender is resetting, handle the list issue.. we must 3078 * a) verify if we can do the reset, if so no problem b) If 3079 * we can't do the reset we must copy the request. c) queue 3080 * it, and setup the data in processor to trigger it off 3081 * when needed and dequeue all the queued data. 3082 */ 3083 tsn = ntohl(req->send_reset_at_tsn); 3084 3085 /* move the reset action back one */ 3086 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3087 if ((tsn == asoc->cumulative_tsn) || 3088 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3089 /* we can do it now */ 3090 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3091 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3092 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3093 } else { 3094 /* 3095 * we must queue it up and thus wait for the TSN's 3096 * to arrive that are at or before tsn 3097 */ 3098 struct sctp_stream_reset_list *liste; 3099 int siz; 3100 3101 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3102 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3103 siz, "StrRstList"); 3104 if (liste == NULL) { 3105 /* gak out of memory */ 3106 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3107 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3108 return; 3109 } 3110 liste->tsn = tsn; 3111 liste->number_entries = number_entries; 3112 memcpy(&liste->req, req, 3113 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3114 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3115 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3116 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3117 } 3118 asoc->str_reset_seq_in++; 3119 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3120 /* 3121 * one seq back, just echo back last action since my 3122 * response was lost. 3123 */ 3124 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3125 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3126 /* 3127 * two seq back, just echo back last action since my 3128 * response was lost. 3129 */ 3130 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3131 } else { 3132 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3133 } 3134 } 3135 3136 static int 3137 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 3138 { 3139 int chk_length, param_len, ptype; 3140 uint32_t seq; 3141 int num_req = 0; 3142 struct sctp_tmit_chunk *chk; 3143 struct sctp_chunkhdr *ch; 3144 struct sctp_paramhdr *ph; 3145 int ret_code = 0; 3146 int num_param = 0; 3147 3148 /* now it may be a reset or a reset-response */ 3149 chk_length = ntohs(sr_req->ch.chunk_length); 3150 3151 /* setup for adding the response */ 3152 sctp_alloc_a_chunk(stcb, chk); 3153 if (chk == NULL) { 3154 return (ret_code); 3155 } 3156 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3157 chk->asoc = &stcb->asoc; 3158 chk->no_fr_allowed = 0; 3159 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3160 chk->book_size_scale = 0; 3161 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3162 if (chk->data == NULL) { 3163 strres_nochunk: 3164 if (chk->data) { 3165 sctp_m_freem(chk->data); 3166 chk->data = NULL; 3167 } 3168 sctp_free_a_chunk(stcb, chk); 3169 return (ret_code); 3170 } 3171 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3172 3173 /* setup chunk parameters */ 3174 chk->sent = SCTP_DATAGRAM_UNSENT; 3175 chk->snd_count = 0; 3176 chk->whoTo = stcb->asoc.primary_destination; 3177 atomic_add_int(&chk->whoTo->ref_count, 1); 3178 3179 ch = mtod(chk->data, struct sctp_chunkhdr *); 3180 ch->chunk_type = SCTP_STREAM_RESET; 3181 ch->chunk_flags = 0; 3182 ch->chunk_length = htons(chk->send_size); 3183 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3184 3185 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3186 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3187 param_len = ntohs(ph->param_length); 3188 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3189 /* bad param */ 3190 break; 3191 } 3192 ptype = ntohs(ph->param_type); 3193 num_param++; 3194 if (num_param > SCTP_MAX_RESET_PARAMS) { 3195 /* hit the max of parameters already sorry.. */ 3196 break; 3197 } 3198 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3199 struct sctp_stream_reset_out_request *req_out; 3200 3201 req_out = (struct sctp_stream_reset_out_request *)ph; 3202 num_req++; 3203 if (stcb->asoc.stream_reset_outstanding) { 3204 seq = ntohl(req_out->response_seq); 3205 if (seq == stcb->asoc.str_reset_seq_out) { 3206 /* implicit ack */ 3207 sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3208 } 3209 } 3210 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3211 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3212 struct sctp_stream_reset_in_request *req_in; 3213 3214 num_req++; 3215 req_in = (struct sctp_stream_reset_in_request *)ph; 3216 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3217 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3218 struct sctp_stream_reset_tsn_request *req_tsn; 3219 3220 num_req++; 3221 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3222 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3223 ret_code = 1; 3224 goto strres_nochunk; 3225 } 3226 /* no more */ 3227 break; 3228 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3229 struct sctp_stream_reset_response *resp; 3230 uint32_t result; 3231 3232 resp = (struct sctp_stream_reset_response *)ph; 3233 seq = ntohl(resp->response_seq); 3234 result = ntohl(resp->result); 3235 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3236 ret_code = 1; 3237 goto strres_nochunk; 3238 } 3239 } else { 3240 break; 3241 } 3242 3243 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3244 chk_length -= SCTP_SIZE32(param_len); 3245 } 3246 if (num_req == 0) { 3247 /* we have no response free the stuff */ 3248 goto strres_nochunk; 3249 } 3250 /* ok we have a chunk to link in */ 3251 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3252 chk, 3253 sctp_next); 3254 stcb->asoc.ctrl_queue_cnt++; 3255 return (ret_code); 3256 } 3257 3258 /* 3259 * Handle a router or endpoints report of a packet loss, there are two ways 3260 * to handle this, either we get the whole packet and must disect it 3261 * ourselves (possibly with truncation and or corruption) or it is a summary 3262 * from a middle box that did the disectting for us. 3263 */ 3264 static void 3265 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3266 struct sctp_tcb *stcb, struct sctp_nets *net) 3267 { 3268 uint32_t bottle_bw, on_queue; 3269 uint16_t trunc_len; 3270 unsigned int chlen; 3271 unsigned int at; 3272 struct sctp_chunk_desc desc; 3273 struct sctp_chunkhdr *ch; 3274 3275 chlen = ntohs(cp->ch.chunk_length); 3276 chlen -= sizeof(struct sctp_pktdrop_chunk); 3277 /* XXX possible chlen underflow */ 3278 if (chlen == 0) { 3279 ch = NULL; 3280 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3281 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3282 } else { 3283 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3284 chlen -= sizeof(struct sctphdr); 3285 /* XXX possible chlen underflow */ 3286 memset(&desc, 0, sizeof(desc)); 3287 } 3288 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3289 /* now the chunks themselves */ 3290 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3291 desc.chunk_type = ch->chunk_type; 3292 /* get amount we need to move */ 3293 at = ntohs(ch->chunk_length); 3294 if (at < sizeof(struct sctp_chunkhdr)) { 3295 /* corrupt chunk, maybe at the end? */ 3296 SCTP_STAT_INCR(sctps_pdrpcrupt); 3297 break; 3298 } 3299 if (trunc_len == 0) { 3300 /* we are supposed to have all of it */ 3301 if (at > chlen) { 3302 /* corrupt skip it */ 3303 SCTP_STAT_INCR(sctps_pdrpcrupt); 3304 break; 3305 } 3306 } else { 3307 /* is there enough of it left ? */ 3308 if (desc.chunk_type == SCTP_DATA) { 3309 if (chlen < (sizeof(struct sctp_data_chunk) + 3310 sizeof(desc.data_bytes))) { 3311 break; 3312 } 3313 } else { 3314 if (chlen < sizeof(struct sctp_chunkhdr)) { 3315 break; 3316 } 3317 } 3318 } 3319 if (desc.chunk_type == SCTP_DATA) { 3320 /* can we get out the tsn? */ 3321 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3322 SCTP_STAT_INCR(sctps_pdrpmbda); 3323 3324 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3325 /* yep */ 3326 struct sctp_data_chunk *dcp; 3327 uint8_t *ddp; 3328 unsigned int iii; 3329 3330 dcp = (struct sctp_data_chunk *)ch; 3331 ddp = (uint8_t *) (dcp + 1); 3332 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3333 desc.data_bytes[iii] = ddp[iii]; 3334 } 3335 desc.tsn_ifany = dcp->dp.tsn; 3336 } else { 3337 /* nope we are done. */ 3338 SCTP_STAT_INCR(sctps_pdrpnedat); 3339 break; 3340 } 3341 } else { 3342 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3343 SCTP_STAT_INCR(sctps_pdrpmbct); 3344 } 3345 3346 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3347 SCTP_STAT_INCR(sctps_pdrppdbrk); 3348 break; 3349 } 3350 if (SCTP_SIZE32(at) > chlen) { 3351 break; 3352 } 3353 chlen -= SCTP_SIZE32(at); 3354 if (chlen < sizeof(struct sctp_chunkhdr)) { 3355 /* done, none left */ 3356 break; 3357 } 3358 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3359 } 3360 /* Now update any rwnd --- possibly */ 3361 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3362 /* From a peer, we get a rwnd report */ 3363 uint32_t a_rwnd; 3364 3365 SCTP_STAT_INCR(sctps_pdrpfehos); 3366 3367 bottle_bw = ntohl(cp->bottle_bw); 3368 on_queue = ntohl(cp->current_onq); 3369 if (bottle_bw && on_queue) { 3370 /* a rwnd report is in here */ 3371 if (bottle_bw > on_queue) 3372 a_rwnd = bottle_bw - on_queue; 3373 else 3374 a_rwnd = 0; 3375 3376 if (a_rwnd == 0) 3377 stcb->asoc.peers_rwnd = 0; 3378 else { 3379 if (a_rwnd > stcb->asoc.total_flight) { 3380 stcb->asoc.peers_rwnd = 3381 a_rwnd - stcb->asoc.total_flight; 3382 } else { 3383 stcb->asoc.peers_rwnd = 0; 3384 } 3385 if (stcb->asoc.peers_rwnd < 3386 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3387 /* SWS sender side engages */ 3388 stcb->asoc.peers_rwnd = 0; 3389 } 3390 } 3391 } 3392 } else { 3393 SCTP_STAT_INCR(sctps_pdrpfmbox); 3394 } 3395 3396 /* now middle boxes in sat networks get a cwnd bump */ 3397 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3398 (stcb->asoc.sat_t3_loss_recovery == 0) && 3399 (stcb->asoc.sat_network)) { 3400 /* 3401 * This is debateable but for sat networks it makes sense 3402 * Note if a T3 timer has went off, we will prohibit any 3403 * changes to cwnd until we exit the t3 loss recovery. 3404 */ 3405 uint32_t bw_avail; 3406 int rtt, incr; 3407 3408 #ifdef SCTP_CWND_MONITOR 3409 int old_cwnd = net->cwnd; 3410 3411 #endif 3412 /* need real RTT for this calc */ 3413 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3414 /* get bottle neck bw */ 3415 bottle_bw = ntohl(cp->bottle_bw); 3416 /* and whats on queue */ 3417 on_queue = ntohl(cp->current_onq); 3418 /* 3419 * adjust the on-queue if our flight is more it could be 3420 * that the router has not yet gotten data "in-flight" to it 3421 */ 3422 if (on_queue < net->flight_size) 3423 on_queue = net->flight_size; 3424 3425 /* calculate the available space */ 3426 bw_avail = (bottle_bw * rtt) / 1000; 3427 if (bw_avail > bottle_bw) { 3428 /* 3429 * Cap the growth to no more than the bottle neck. 3430 * This can happen as RTT slides up due to queues. 3431 * It also means if you have more than a 1 second 3432 * RTT with a empty queue you will be limited to the 3433 * bottle_bw per second no matter if other points 3434 * have 1/2 the RTT and you could get more out... 3435 */ 3436 bw_avail = bottle_bw; 3437 } 3438 if (on_queue > bw_avail) { 3439 /* 3440 * No room for anything else don't allow anything 3441 * else to be "added to the fire". 3442 */ 3443 int seg_inflight, seg_onqueue, my_portion; 3444 3445 net->partial_bytes_acked = 0; 3446 3447 /* how much are we over queue size? */ 3448 incr = on_queue - bw_avail; 3449 if (stcb->asoc.seen_a_sack_this_pkt) { 3450 /* 3451 * undo any cwnd adjustment that the sack 3452 * might have made 3453 */ 3454 net->cwnd = net->prev_cwnd; 3455 } 3456 /* Now how much of that is mine? */ 3457 seg_inflight = net->flight_size / net->mtu; 3458 seg_onqueue = on_queue / net->mtu; 3459 my_portion = (incr * seg_inflight) / seg_onqueue; 3460 3461 /* Have I made an adjustment already */ 3462 if (net->cwnd > net->flight_size) { 3463 /* 3464 * for this flight I made an adjustment we 3465 * need to decrease the portion by a share 3466 * our previous adjustment. 3467 */ 3468 int diff_adj; 3469 3470 diff_adj = net->cwnd - net->flight_size; 3471 if (diff_adj > my_portion) 3472 my_portion = 0; 3473 else 3474 my_portion -= diff_adj; 3475 } 3476 /* 3477 * back down to the previous cwnd (assume we have 3478 * had a sack before this packet). minus what ever 3479 * portion of the overage is my fault. 3480 */ 3481 net->cwnd -= my_portion; 3482 3483 /* we will NOT back down more than 1 MTU */ 3484 if (net->cwnd <= net->mtu) { 3485 net->cwnd = net->mtu; 3486 } 3487 /* force into CA */ 3488 net->ssthresh = net->cwnd - 1; 3489 } else { 3490 /* 3491 * Take 1/4 of the space left or max burst up .. 3492 * whichever is less. 3493 */ 3494 incr = min((bw_avail - on_queue) >> 2, 3495 (int)stcb->asoc.max_burst * (int)net->mtu); 3496 net->cwnd += incr; 3497 } 3498 if (net->cwnd > bw_avail) { 3499 /* We can't exceed the pipe size */ 3500 net->cwnd = bw_avail; 3501 } 3502 if (net->cwnd < net->mtu) { 3503 /* We always have 1 MTU */ 3504 net->cwnd = net->mtu; 3505 } 3506 #ifdef SCTP_CWND_MONITOR 3507 if (net->cwnd - old_cwnd != 0) { 3508 /* log only changes */ 3509 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3510 SCTP_CWND_LOG_FROM_SAT); 3511 } 3512 #endif 3513 } 3514 } 3515 3516 /* 3517 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3518 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3519 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3520 * length of the complete packet outputs: - length: modified to remaining 3521 * length after control processing - netp: modified to new sctp_nets after 3522 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3523 * bad packet,...) otherwise return the tcb for this packet 3524 */ 3525 static struct sctp_tcb * 3526 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3527 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3528 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3529 { 3530 struct sctp_association *asoc; 3531 uint32_t vtag_in; 3532 int num_chunks = 0; /* number of control chunks processed */ 3533 int chk_length; 3534 int ret; 3535 int abort_no_unlock = 0; 3536 3537 /* 3538 * How big should this be, and should it be alloc'd? Lets try the 3539 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3540 * until we get into jumbo grams and such.. 3541 */ 3542 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 3543 struct sctp_tcb *locked_tcb = stcb; 3544 int got_auth = 0; 3545 uint32_t auth_offset = 0, auth_len = 0; 3546 int auth_skipped = 0; 3547 3548 #ifdef SCTP_DEBUG 3549 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3550 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3551 iphlen, *offset, length, stcb); 3552 } 3553 #endif /* SCTP_DEBUG */ 3554 3555 /* validate chunk header length... */ 3556 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3557 return (NULL); 3558 } 3559 /* 3560 * validate the verification tag 3561 */ 3562 vtag_in = ntohl(sh->v_tag); 3563 3564 if (locked_tcb) { 3565 SCTP_TCB_LOCK_ASSERT(locked_tcb); 3566 } 3567 if (ch->chunk_type == SCTP_INITIATION) { 3568 if (vtag_in != 0) { 3569 /* protocol error- silently discard... */ 3570 SCTP_STAT_INCR(sctps_badvtag); 3571 if (locked_tcb) 3572 SCTP_TCB_UNLOCK(locked_tcb); 3573 return (NULL); 3574 } 3575 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3576 /* 3577 * If there is no stcb, skip the AUTH chunk and process 3578 * later after a stcb is found (to validate the lookup was 3579 * valid. 3580 */ 3581 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3582 (stcb == NULL) && !sctp_auth_disable) { 3583 /* save this chunk for later processing */ 3584 auth_skipped = 1; 3585 auth_offset = *offset; 3586 auth_len = ntohs(ch->chunk_length); 3587 3588 /* (temporarily) move past this chunk */ 3589 *offset += SCTP_SIZE32(auth_len); 3590 if (*offset >= length) { 3591 /* no more data left in the mbuf chain */ 3592 *offset = length; 3593 return (NULL); 3594 } 3595 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3596 sizeof(struct sctp_chunkhdr), chunk_buf); 3597 } 3598 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3599 goto process_control_chunks; 3600 } 3601 /* 3602 * first check if it's an ASCONF with an unknown src addr we 3603 * need to look inside to find the association 3604 */ 3605 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3606 /* inp's refcount may be reduced */ 3607 SCTP_INP_INCR_REF(inp); 3608 3609 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3610 *offset, sh, &inp, netp); 3611 if (stcb == NULL) { 3612 /* 3613 * reduce inp's refcount if not reduced in 3614 * sctp_findassociation_ep_asconf(). 3615 */ 3616 SCTP_INP_DECR_REF(inp); 3617 } 3618 /* now go back and verify any auth chunk to be sure */ 3619 if (auth_skipped && (stcb != NULL)) { 3620 struct sctp_auth_chunk *auth; 3621 3622 auth = (struct sctp_auth_chunk *) 3623 sctp_m_getptr(m, auth_offset, 3624 auth_len, chunk_buf); 3625 got_auth = 1; 3626 auth_skipped = 0; 3627 if (sctp_handle_auth(stcb, auth, m, 3628 auth_offset)) { 3629 /* auth HMAC failed so dump it */ 3630 *offset = length; 3631 return (NULL); 3632 } else { 3633 /* remaining chunks are HMAC checked */ 3634 stcb->asoc.authenticated = 1; 3635 } 3636 } 3637 } 3638 if (stcb == NULL) { 3639 /* no association, so it's out of the blue... */ 3640 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3641 *offset = length; 3642 if (locked_tcb) 3643 SCTP_TCB_UNLOCK(locked_tcb); 3644 return (NULL); 3645 } 3646 asoc = &stcb->asoc; 3647 /* ABORT and SHUTDOWN can use either v_tag... */ 3648 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3649 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3650 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3651 if ((vtag_in == asoc->my_vtag) || 3652 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3653 (vtag_in == asoc->peer_vtag))) { 3654 /* this is valid */ 3655 } else { 3656 /* drop this packet... */ 3657 SCTP_STAT_INCR(sctps_badvtag); 3658 if (locked_tcb) 3659 SCTP_TCB_UNLOCK(locked_tcb); 3660 return (NULL); 3661 } 3662 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3663 if (vtag_in != asoc->my_vtag) { 3664 /* 3665 * this could be a stale SHUTDOWN-ACK or the 3666 * peer never got the SHUTDOWN-COMPLETE and 3667 * is still hung; we have started a new asoc 3668 * but it won't complete until the shutdown 3669 * is completed 3670 */ 3671 if (locked_tcb) 3672 SCTP_TCB_UNLOCK(locked_tcb); 3673 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3674 NULL); 3675 return (NULL); 3676 } 3677 } else { 3678 /* for all other chunks, vtag must match */ 3679 if (vtag_in != asoc->my_vtag) { 3680 /* invalid vtag... */ 3681 #ifdef SCTP_DEBUG 3682 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3683 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3684 } 3685 #endif /* SCTP_DEBUG */ 3686 SCTP_STAT_INCR(sctps_badvtag); 3687 if (locked_tcb) 3688 SCTP_TCB_UNLOCK(locked_tcb); 3689 *offset = length; 3690 return (NULL); 3691 } 3692 } 3693 } /* end if !SCTP_COOKIE_ECHO */ 3694 /* 3695 * process all control chunks... 3696 */ 3697 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3698 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3699 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3700 /* implied cookie-ack.. we must have lost the ack */ 3701 stcb->asoc.overall_error_count = 0; 3702 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3703 *netp); 3704 } 3705 process_control_chunks: 3706 3707 while (IS_SCTP_CONTROL(ch)) { 3708 /* validate chunk length */ 3709 chk_length = ntohs(ch->chunk_length); 3710 #ifdef SCTP_DEBUG 3711 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3712 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", 3713 ch->chunk_type, chk_length); 3714 } 3715 #endif /* SCTP_DEBUG */ 3716 if ((size_t)chk_length < sizeof(*ch) || 3717 (*offset + chk_length) > length) { 3718 *offset = length; 3719 if (locked_tcb) 3720 SCTP_TCB_UNLOCK(locked_tcb); 3721 return (NULL); 3722 } 3723 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3724 /* 3725 * INIT-ACK only gets the init ack "header" portion only 3726 * because we don't have to process the peer's COOKIE. All 3727 * others get a complete chunk. 3728 */ 3729 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3730 /* get an init-ack chunk */ 3731 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3732 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3733 if (ch == NULL) { 3734 *offset = length; 3735 if (locked_tcb) 3736 SCTP_TCB_UNLOCK(locked_tcb); 3737 return (NULL); 3738 } 3739 } else { 3740 /* get a complete chunk... */ 3741 if ((size_t)chk_length > sizeof(chunk_buf)) { 3742 struct mbuf *oper; 3743 struct sctp_paramhdr *phdr; 3744 3745 oper = NULL; 3746 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3747 0, M_DONTWAIT, 1, MT_DATA); 3748 if (oper) { 3749 /* pre-reserve some space */ 3750 SCTP_BUF_RESV_UF(oper, sizeof(struct sctp_chunkhdr)); 3751 SCTP_BUF_LEN(oper) = sizeof(struct sctp_paramhdr); 3752 phdr = mtod(oper, struct sctp_paramhdr *); 3753 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); 3754 phdr->param_length = htons(sizeof(struct sctp_paramhdr)); 3755 sctp_queue_op_err(stcb, oper); 3756 } 3757 if (locked_tcb) 3758 SCTP_TCB_UNLOCK(locked_tcb); 3759 return (NULL); 3760 } 3761 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3762 chk_length, chunk_buf); 3763 if (ch == NULL) { 3764 printf("sctp_process_control: Can't get the all data....\n"); 3765 *offset = length; 3766 if (locked_tcb) 3767 SCTP_TCB_UNLOCK(locked_tcb); 3768 return (NULL); 3769 } 3770 } 3771 num_chunks++; 3772 /* Save off the last place we got a control from */ 3773 if (stcb != NULL) { 3774 if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) { 3775 /* 3776 * allow last_control to be NULL if 3777 * ASCONF... ASCONF processing will find the 3778 * right net later 3779 */ 3780 stcb->asoc.last_control_chunk_from = *netp; 3781 } 3782 } 3783 #ifdef SCTP_AUDITING_ENABLED 3784 sctp_audit_log(0xB0, ch->chunk_type); 3785 #endif 3786 3787 /* check to see if this chunk required auth, but isn't */ 3788 if ((stcb != NULL) && !sctp_auth_disable && 3789 sctp_auth_is_required_chunk(ch->chunk_type, 3790 stcb->asoc.local_auth_chunks) && 3791 !stcb->asoc.authenticated) { 3792 /* "silently" ignore */ 3793 SCTP_STAT_INCR(sctps_recvauthmissing); 3794 goto next_chunk; 3795 } 3796 switch (ch->chunk_type) { 3797 case SCTP_INITIATION: 3798 /* must be first and only chunk */ 3799 #ifdef SCTP_DEBUG 3800 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3801 printf("SCTP_INIT\n"); 3802 } 3803 #endif /* SCTP_DEBUG */ 3804 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3805 /* We are not interested anymore? */ 3806 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3807 /* 3808 * collision case where we are 3809 * sending to them too 3810 */ 3811 ; 3812 } else { 3813 if (locked_tcb) 3814 SCTP_TCB_UNLOCK(locked_tcb); 3815 *offset = length; 3816 return (NULL); 3817 } 3818 } 3819 if ((num_chunks > 1) || 3820 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3821 *offset = length; 3822 if (locked_tcb) 3823 SCTP_TCB_UNLOCK(locked_tcb); 3824 return (NULL); 3825 } 3826 if ((stcb != NULL) && 3827 (SCTP_GET_STATE(&stcb->asoc) == 3828 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3829 sctp_send_shutdown_ack(stcb, 3830 stcb->asoc.primary_destination); 3831 *offset = length; 3832 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3833 if (locked_tcb) 3834 SCTP_TCB_UNLOCK(locked_tcb); 3835 return (NULL); 3836 } 3837 sctp_handle_init(m, iphlen, *offset, sh, 3838 (struct sctp_init_chunk *)ch, inp, stcb, *netp, &abort_no_unlock); 3839 if (abort_no_unlock) 3840 return (NULL); 3841 3842 *offset = length; 3843 if (locked_tcb) 3844 SCTP_TCB_UNLOCK(locked_tcb); 3845 return (NULL); 3846 break; 3847 case SCTP_INITIATION_ACK: 3848 /* must be first and only chunk */ 3849 #ifdef SCTP_DEBUG 3850 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3851 printf("SCTP_INIT-ACK\n"); 3852 } 3853 #endif /* SCTP_DEBUG */ 3854 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3855 /* We are not interested anymore */ 3856 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3857 ; 3858 } else { 3859 if (locked_tcb) 3860 SCTP_TCB_UNLOCK(locked_tcb); 3861 *offset = length; 3862 if (stcb) { 3863 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3864 } 3865 return (NULL); 3866 } 3867 } 3868 if ((num_chunks > 1) || 3869 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3870 *offset = length; 3871 if (locked_tcb) 3872 SCTP_TCB_UNLOCK(locked_tcb); 3873 return (NULL); 3874 } 3875 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3876 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock); 3877 /* 3878 * Special case, I must call the output routine to 3879 * get the cookie echoed 3880 */ 3881 if (abort_no_unlock) 3882 return (NULL); 3883 3884 if ((stcb) && ret == 0) 3885 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3886 *offset = length; 3887 if (locked_tcb) 3888 SCTP_TCB_UNLOCK(locked_tcb); 3889 return (NULL); 3890 break; 3891 case SCTP_SELECTIVE_ACK: 3892 #ifdef SCTP_DEBUG 3893 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3894 printf("SCTP_SACK\n"); 3895 } 3896 #endif /* SCTP_DEBUG */ 3897 SCTP_STAT_INCR(sctps_recvsacks); 3898 { 3899 struct sctp_sack_chunk *sack; 3900 int abort_now = 0; 3901 uint32_t a_rwnd, cum_ack; 3902 uint16_t num_seg; 3903 int nonce_sum_flag; 3904 3905 sack = (struct sctp_sack_chunk *)ch; 3906 3907 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3908 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3909 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3910 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3911 stcb->asoc.seen_a_sack_this_pkt = 1; 3912 if ((stcb->asoc.pr_sctp_cnt == 0) && 3913 (num_seg == 0) && 3914 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3915 (cum_ack == stcb->asoc.last_acked_seq)) && 3916 (stcb->asoc.saw_sack_with_frags == 0) && 3917 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3918 ) { 3919 /* 3920 * We have a SIMPLE sack having no 3921 * prior segments and data on sent 3922 * queue to be acked.. Use the 3923 * faster path sack processing. We 3924 * also allow window update sacks 3925 * with no missing segments to go 3926 * this way too. 3927 */ 3928 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, &abort_now); 3929 } else { 3930 sctp_handle_sack(sack, stcb, *netp, &abort_now); 3931 } 3932 if (abort_now) { 3933 /* ABORT signal from sack processing */ 3934 *offset = length; 3935 return (NULL); 3936 } 3937 } 3938 break; 3939 case SCTP_HEARTBEAT_REQUEST: 3940 #ifdef SCTP_DEBUG 3941 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3942 printf("SCTP_HEARTBEAT\n"); 3943 } 3944 #endif /* SCTP_DEBUG */ 3945 SCTP_STAT_INCR(sctps_recvheartbeat); 3946 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3947 *netp); 3948 3949 /* He's alive so give him credit */ 3950 stcb->asoc.overall_error_count = 0; 3951 break; 3952 case SCTP_HEARTBEAT_ACK: 3953 #ifdef SCTP_DEBUG 3954 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3955 printf("SCTP_HEARTBEAT-ACK\n"); 3956 } 3957 #endif /* SCTP_DEBUG */ 3958 3959 /* He's alive so give him credit */ 3960 stcb->asoc.overall_error_count = 0; 3961 SCTP_STAT_INCR(sctps_recvheartbeatack); 3962 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3963 stcb, *netp); 3964 break; 3965 case SCTP_ABORT_ASSOCIATION: 3966 #ifdef SCTP_DEBUG 3967 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3968 printf("SCTP_ABORT\n"); 3969 } 3970 #endif /* SCTP_DEBUG */ 3971 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3972 stcb, *netp); 3973 *offset = length; 3974 return (NULL); 3975 break; 3976 case SCTP_SHUTDOWN: 3977 #ifdef SCTP_DEBUG 3978 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3979 printf("SCTP_SHUTDOWN\n"); 3980 } 3981 #endif /* SCTP_DEBUG */ 3982 { 3983 int abort_flag = 0; 3984 3985 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 3986 stcb, *netp, &abort_flag); 3987 if (abort_flag) { 3988 *offset = length; 3989 return (NULL); 3990 } 3991 } 3992 break; 3993 case SCTP_SHUTDOWN_ACK: 3994 #ifdef SCTP_DEBUG 3995 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3996 printf("SCTP_SHUTDOWN-ACK\n"); 3997 } 3998 #endif /* SCTP_DEBUG */ 3999 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 4000 *offset = length; 4001 return (NULL); 4002 break; 4003 case SCTP_OPERATION_ERROR: 4004 #ifdef SCTP_DEBUG 4005 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4006 printf("SCTP_OP-ERR\n"); 4007 } 4008 #endif /* SCTP_DEBUG */ 4009 if (sctp_handle_error(ch, stcb, *netp) < 0) { 4010 *offset = length; 4011 return (NULL); 4012 } 4013 break; 4014 case SCTP_COOKIE_ECHO: 4015 #ifdef SCTP_DEBUG 4016 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4017 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 4018 } 4019 #endif /* SCTP_DEBUG */ 4020 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4021 ; 4022 } else { 4023 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) && 4024 (stcb == NULL)) { 4025 /* We are not interested anymore */ 4026 *offset = length; 4027 return (NULL); 4028 } 4029 } 4030 /* 4031 * First are we accepting? We do this again here 4032 * since it is possible that a previous endpoint WAS 4033 * listening responded to a INIT-ACK and then 4034 * closed. We opened and bound.. and are now no 4035 * longer listening. 4036 */ 4037 if (inp->sctp_socket->so_qlimit == 0) { 4038 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 4039 /* 4040 * special case, is this a retran'd 4041 * COOKIE-ECHO or a restarting assoc 4042 * that is a peeled off or 4043 * one-to-one style socket. 4044 */ 4045 goto process_cookie_anyway; 4046 } 4047 sctp_abort_association(inp, stcb, m, iphlen, sh, 4048 NULL); 4049 *offset = length; 4050 return (NULL); 4051 } else if (inp->sctp_socket->so_qlimit) { 4052 /* we are accepting so check limits like TCP */ 4053 if (inp->sctp_socket->so_qlen > 4054 inp->sctp_socket->so_qlimit) { 4055 /* no space */ 4056 struct mbuf *oper; 4057 struct sctp_paramhdr *phdr; 4058 4059 if (sctp_abort_if_one_2_one_hits_limit) { 4060 oper = NULL; 4061 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4062 0, M_DONTWAIT, 1, MT_DATA); 4063 if (oper) { 4064 SCTP_BUF_LEN(oper) = 4065 sizeof(struct sctp_paramhdr); 4066 phdr = mtod(oper, 4067 struct sctp_paramhdr *); 4068 phdr->param_type = 4069 htons(SCTP_CAUSE_OUT_OF_RESC); 4070 phdr->param_length = 4071 htons(sizeof(struct sctp_paramhdr)); 4072 } 4073 sctp_abort_association(inp, stcb, m, 4074 iphlen, sh, oper); 4075 } 4076 *offset = length; 4077 return (NULL); 4078 } 4079 } 4080 process_cookie_anyway: 4081 { 4082 struct mbuf *ret_buf; 4083 struct sctp_inpcb *linp; 4084 4085 if (stcb) 4086 linp = NULL; 4087 else 4088 linp = inp; 4089 4090 if (linp) 4091 SCTP_ASOC_CREATE_LOCK(linp); 4092 ret_buf = 4093 sctp_handle_cookie_echo(m, iphlen, 4094 *offset, sh, 4095 (struct sctp_cookie_echo_chunk *)ch, 4096 &inp, &stcb, netp, 4097 auth_skipped, 4098 auth_offset, 4099 auth_len, 4100 &locked_tcb); 4101 if (linp) 4102 SCTP_ASOC_CREATE_UNLOCK(linp); 4103 if (ret_buf == NULL) { 4104 if (locked_tcb) { 4105 SCTP_TCB_UNLOCK(locked_tcb); 4106 } 4107 #ifdef SCTP_DEBUG 4108 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4109 printf("GAK, null buffer\n"); 4110 } 4111 #endif /* SCTP_DEBUG */ 4112 auth_skipped = 0; 4113 *offset = length; 4114 return (NULL); 4115 } 4116 /* if AUTH skipped, see if it verified... */ 4117 if (auth_skipped) { 4118 got_auth = 1; 4119 auth_skipped = 0; 4120 } 4121 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4122 /* 4123 * Restart the timer if we have 4124 * pending data 4125 */ 4126 struct sctp_tmit_chunk *chk; 4127 4128 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4129 if (chk) { 4130 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4131 stcb->sctp_ep, stcb, 4132 chk->whoTo); 4133 } 4134 } 4135 } 4136 break; 4137 case SCTP_COOKIE_ACK: 4138 #ifdef SCTP_DEBUG 4139 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4140 printf("SCTP_COOKIE-ACK\n"); 4141 } 4142 #endif /* SCTP_DEBUG */ 4143 4144 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4145 /* We are not interested anymore */ 4146 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4147 ; 4148 } else { 4149 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4150 *offset = length; 4151 return (NULL); 4152 } 4153 } 4154 /* He's alive so give him credit */ 4155 stcb->asoc.overall_error_count = 0; 4156 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4157 break; 4158 case SCTP_ECN_ECHO: 4159 #ifdef SCTP_DEBUG 4160 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4161 printf("SCTP_ECN-ECHO\n"); 4162 } 4163 #endif /* SCTP_DEBUG */ 4164 /* He's alive so give him credit */ 4165 stcb->asoc.overall_error_count = 0; 4166 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4167 stcb); 4168 break; 4169 case SCTP_ECN_CWR: 4170 #ifdef SCTP_DEBUG 4171 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4172 printf("SCTP_ECN-CWR\n"); 4173 } 4174 #endif /* SCTP_DEBUG */ 4175 /* He's alive so give him credit */ 4176 stcb->asoc.overall_error_count = 0; 4177 4178 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4179 break; 4180 case SCTP_SHUTDOWN_COMPLETE: 4181 #ifdef SCTP_DEBUG 4182 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4183 printf("SCTP_SHUTDOWN-COMPLETE\n"); 4184 } 4185 #endif /* SCTP_DEBUG */ 4186 /* must be first and only chunk */ 4187 if ((num_chunks > 1) || 4188 (length - *offset > SCTP_SIZE32(chk_length))) { 4189 *offset = length; 4190 if (locked_tcb) 4191 SCTP_TCB_UNLOCK(locked_tcb); 4192 4193 return (NULL); 4194 } 4195 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4196 stcb, *netp); 4197 *offset = length; 4198 return (NULL); 4199 break; 4200 case SCTP_ASCONF: 4201 #ifdef SCTP_DEBUG 4202 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4203 printf("SCTP_ASCONF\n"); 4204 } 4205 #endif /* SCTP_DEBUG */ 4206 /* He's alive so give him credit */ 4207 stcb->asoc.overall_error_count = 0; 4208 4209 sctp_handle_asconf(m, *offset, 4210 (struct sctp_asconf_chunk *)ch, stcb); 4211 break; 4212 case SCTP_ASCONF_ACK: 4213 #ifdef SCTP_DEBUG 4214 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4215 printf("SCTP_ASCONF-ACK\n"); 4216 } 4217 #endif /* SCTP_DEBUG */ 4218 /* He's alive so give him credit */ 4219 stcb->asoc.overall_error_count = 0; 4220 4221 sctp_handle_asconf_ack(m, *offset, 4222 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4223 break; 4224 case SCTP_FORWARD_CUM_TSN: 4225 #ifdef SCTP_DEBUG 4226 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4227 printf("SCTP_FWD-TSN\n"); 4228 } 4229 #endif /* SCTP_DEBUG */ 4230 /* He's alive so give him credit */ 4231 { 4232 int abort_flag = 0; 4233 4234 stcb->asoc.overall_error_count = 0; 4235 *fwd_tsn_seen = 1; 4236 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4237 /* We are not interested anymore */ 4238 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28); 4239 *offset = length; 4240 return (NULL); 4241 } 4242 sctp_handle_forward_tsn(stcb, 4243 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4244 if (abort_flag) { 4245 *offset = length; 4246 return (NULL); 4247 } else { 4248 stcb->asoc.overall_error_count = 0; 4249 } 4250 4251 } 4252 break; 4253 case SCTP_STREAM_RESET: 4254 #ifdef SCTP_DEBUG 4255 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4256 printf("SCTP_STREAM_RESET\n"); 4257 } 4258 #endif /* SCTP_DEBUG */ 4259 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4260 chk_length, chunk_buf); 4261 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4262 /* We are not interested anymore */ 4263 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4264 *offset = length; 4265 return (NULL); 4266 } 4267 if (stcb->asoc.peer_supports_strreset == 0) { 4268 /* 4269 * hmm, peer should have announced this, but 4270 * we will turn it on since he is sending us 4271 * a stream reset. 4272 */ 4273 stcb->asoc.peer_supports_strreset = 1; 4274 } 4275 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4276 /* stop processing */ 4277 *offset = length; 4278 return (NULL); 4279 } 4280 break; 4281 case SCTP_PACKET_DROPPED: 4282 #ifdef SCTP_DEBUG 4283 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4284 printf("SCTP_PACKET_DROPPED\n"); 4285 } 4286 #endif /* SCTP_DEBUG */ 4287 /* re-get it all please */ 4288 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4289 chk_length, chunk_buf); 4290 4291 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4292 stcb, *netp); 4293 4294 break; 4295 4296 case SCTP_AUTHENTICATION: 4297 #ifdef SCTP_DEBUG 4298 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4299 printf("SCTP_AUTHENTICATION\n"); 4300 } 4301 #endif /* SCTP_DEBUG */ 4302 if (sctp_auth_disable) 4303 goto unknown_chunk; 4304 4305 if (stcb == NULL) { 4306 /* save the first AUTH for later processing */ 4307 if (auth_skipped == 0) { 4308 auth_offset = *offset; 4309 auth_len = chk_length; 4310 auth_skipped = 1; 4311 } 4312 /* skip this chunk (temporarily) */ 4313 goto next_chunk; 4314 } 4315 if (got_auth == 1) { 4316 /* skip this chunk... it's already auth'd */ 4317 goto next_chunk; 4318 } 4319 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4320 chk_length, chunk_buf); 4321 got_auth = 1; 4322 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4323 m, *offset)) { 4324 /* auth HMAC failed so dump the packet */ 4325 *offset = length; 4326 return (stcb); 4327 } else { 4328 /* remaining chunks are HMAC checked */ 4329 stcb->asoc.authenticated = 1; 4330 } 4331 break; 4332 4333 default: 4334 unknown_chunk: 4335 /* it's an unknown chunk! */ 4336 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4337 struct mbuf *mm; 4338 struct sctp_paramhdr *phd; 4339 4340 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4341 0, M_DONTWAIT, 1, MT_DATA); 4342 if (mm) { 4343 phd = mtod(mm, struct sctp_paramhdr *); 4344 /* 4345 * We cheat and use param type since 4346 * we did not bother to define a 4347 * error cause struct. They are the 4348 * same basic format with different 4349 * names. 4350 */ 4351 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4352 phd->param_length = htons(chk_length + sizeof(*phd)); 4353 SCTP_BUF_LEN(mm) = sizeof(*phd); 4354 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 4355 M_DONTWAIT); 4356 if (SCTP_BUF_NEXT(mm)) { 4357 sctp_queue_op_err(stcb, mm); 4358 } else { 4359 sctp_m_freem(mm); 4360 } 4361 } 4362 } 4363 if ((ch->chunk_type & 0x80) == 0) { 4364 /* discard this packet */ 4365 *offset = length; 4366 return (stcb); 4367 } /* else skip this bad chunk and continue... */ 4368 break; 4369 } /* switch (ch->chunk_type) */ 4370 4371 4372 next_chunk: 4373 /* get the next chunk */ 4374 *offset += SCTP_SIZE32(chk_length); 4375 if (*offset >= length) { 4376 /* no more data left in the mbuf chain */ 4377 break; 4378 } 4379 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4380 sizeof(struct sctp_chunkhdr), chunk_buf); 4381 if (ch == NULL) { 4382 if (locked_tcb) 4383 SCTP_TCB_UNLOCK(locked_tcb); 4384 *offset = length; 4385 return (NULL); 4386 } 4387 } /* while */ 4388 return (stcb); 4389 } 4390 4391 4392 /* 4393 * Process the ECN bits we have something set so we must look to see if it is 4394 * ECN(0) or ECN(1) or CE 4395 */ 4396 static __inline void 4397 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4398 uint8_t ecn_bits) 4399 { 4400 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4401 ; 4402 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4403 /* 4404 * we only add to the nonce sum for ECT1, ECT0 does not 4405 * change the NS bit (that we have yet to find a way to send 4406 * it yet). 4407 */ 4408 4409 /* ECN Nonce stuff */ 4410 stcb->asoc.receiver_nonce_sum++; 4411 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4412 4413 /* 4414 * Drag up the last_echo point if cumack is larger since we 4415 * don't want the point falling way behind by more than 4416 * 2^^31 and then having it be incorrect. 4417 */ 4418 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4419 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4420 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4421 } 4422 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4423 /* 4424 * Drag up the last_echo point if cumack is larger since we 4425 * don't want the point falling way behind by more than 4426 * 2^^31 and then having it be incorrect. 4427 */ 4428 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4429 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4430 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4431 } 4432 } 4433 } 4434 4435 static __inline void 4436 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4437 uint32_t high_tsn, uint8_t ecn_bits) 4438 { 4439 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4440 /* 4441 * we possibly must notify the sender that a congestion 4442 * window reduction is in order. We do this by adding a ECNE 4443 * chunk to the output chunk queue. The incoming CWR will 4444 * remove this chunk. 4445 */ 4446 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4447 MAX_TSN)) { 4448 /* Yep, we need to add a ECNE */ 4449 sctp_send_ecn_echo(stcb, net, high_tsn); 4450 stcb->asoc.last_echo_tsn = high_tsn; 4451 } 4452 } 4453 } 4454 4455 /* 4456 * common input chunk processing (v4 and v6) 4457 */ 4458 int 4459 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4460 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4461 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4462 uint8_t ecn_bits) 4463 { 4464 /* 4465 * Control chunk processing 4466 */ 4467 uint32_t high_tsn; 4468 int fwd_tsn_seen = 0, data_processed = 0; 4469 struct mbuf *m = *mm; 4470 int abort_flag = 0; 4471 int un_sent; 4472 4473 SCTP_STAT_INCR(sctps_recvdatagrams); 4474 #ifdef SCTP_AUDITING_ENABLED 4475 sctp_audit_log(0xE0, 1); 4476 sctp_auditing(0, inp, stcb, net); 4477 #endif 4478 4479 #ifdef SCTP_DEBUG 4480 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4481 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 4482 m, iphlen, offset); 4483 } 4484 #endif /* SCTP_DEBUG */ 4485 4486 if (stcb) { 4487 /* always clear this before beginning a packet */ 4488 stcb->asoc.authenticated = 0; 4489 stcb->asoc.seen_a_sack_this_pkt = 0; 4490 } 4491 if (IS_SCTP_CONTROL(ch)) { 4492 /* process the control portion of the SCTP packet */ 4493 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4494 inp, stcb, &net, &fwd_tsn_seen); 4495 if (stcb) { 4496 /* 4497 * This covers us if the cookie-echo was there and 4498 * it changes our INP. 4499 */ 4500 inp = stcb->sctp_ep; 4501 } 4502 } else { 4503 /* 4504 * no control chunks, so pre-process DATA chunks (these 4505 * checks are taken care of by control processing) 4506 */ 4507 4508 /* 4509 * if DATA only packet, and auth is required, then punt... 4510 * can't have authenticated without any AUTH (control) 4511 * chunks 4512 */ 4513 if ((stcb != NULL) && !sctp_auth_disable && 4514 sctp_auth_is_required_chunk(SCTP_DATA, 4515 stcb->asoc.local_auth_chunks)) { 4516 /* "silently" ignore */ 4517 SCTP_STAT_INCR(sctps_recvauthmissing); 4518 SCTP_TCB_UNLOCK(stcb); 4519 return (1); 4520 } 4521 if (stcb == NULL) { 4522 /* out of the blue DATA chunk */ 4523 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4524 return (1); 4525 } 4526 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4527 /* v_tag mismatch! */ 4528 SCTP_STAT_INCR(sctps_badvtag); 4529 SCTP_TCB_UNLOCK(stcb); 4530 return (1); 4531 } 4532 } 4533 4534 if (stcb == NULL) { 4535 /* 4536 * no valid TCB for this packet, or we found it's a bad 4537 * packet while processing control, or we're done with this 4538 * packet (done or skip rest of data), so we drop it... 4539 */ 4540 return (1); 4541 } 4542 /* 4543 * DATA chunk processing 4544 */ 4545 /* plow through the data chunks while length > offset */ 4546 4547 /* 4548 * Rest should be DATA only. Check authentication state if AUTH for 4549 * DATA is required. 4550 */ 4551 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable && 4552 sctp_auth_is_required_chunk(SCTP_DATA, 4553 stcb->asoc.local_auth_chunks) && 4554 !stcb->asoc.authenticated) { 4555 /* "silently" ignore */ 4556 SCTP_STAT_INCR(sctps_recvauthmissing); 4557 #ifdef SCTP_DEBUG 4558 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 4559 printf("Data chunk requires AUTH, skipped\n"); 4560 #endif 4561 goto trigger_send; 4562 } 4563 if (length > offset) { 4564 int retval; 4565 4566 /* 4567 * First check to make sure our state is correct. We would 4568 * not get here unless we really did have a tag, so we don't 4569 * abort if this happens, just dump the chunk silently. 4570 */ 4571 switch (SCTP_GET_STATE(&stcb->asoc)) { 4572 case SCTP_STATE_COOKIE_ECHOED: 4573 /* 4574 * we consider data with valid tags in this state 4575 * shows us the cookie-ack was lost. Imply it was 4576 * there. 4577 */ 4578 stcb->asoc.overall_error_count = 0; 4579 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4580 break; 4581 case SCTP_STATE_COOKIE_WAIT: 4582 /* 4583 * We consider OOTB any data sent during asoc setup. 4584 */ 4585 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4586 SCTP_TCB_UNLOCK(stcb); 4587 return (1); 4588 break; 4589 case SCTP_STATE_EMPTY: /* should not happen */ 4590 case SCTP_STATE_INUSE: /* should not happen */ 4591 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4592 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4593 default: 4594 SCTP_TCB_UNLOCK(stcb); 4595 return (1); 4596 break; 4597 case SCTP_STATE_OPEN: 4598 case SCTP_STATE_SHUTDOWN_SENT: 4599 break; 4600 } 4601 /* take care of ECN, part 1. */ 4602 if (stcb->asoc.ecn_allowed && 4603 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4604 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4605 } 4606 /* plow through the data chunks while length > offset */ 4607 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4608 inp, stcb, net, &high_tsn); 4609 if (retval == 2) { 4610 /* 4611 * The association aborted, NO UNLOCK needed since 4612 * the association is destroyed. 4613 */ 4614 return (0); 4615 } 4616 data_processed = 1; 4617 if (retval == 0) { 4618 /* take care of ecn part 2. */ 4619 if (stcb->asoc.ecn_allowed && 4620 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4621 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4622 ecn_bits); 4623 } 4624 } 4625 /* 4626 * Anything important needs to have been m_copy'ed in 4627 * process_data 4628 */ 4629 } 4630 if ((data_processed == 0) && (fwd_tsn_seen)) { 4631 int was_a_gap = 0; 4632 4633 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4634 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4635 /* there was a gap before this data was processed */ 4636 was_a_gap = 1; 4637 } 4638 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4639 if (abort_flag) { 4640 /* Again, we aborted so NO UNLOCK needed */ 4641 return (0); 4642 } 4643 } 4644 /* trigger send of any chunks in queue... */ 4645 trigger_send: 4646 #ifdef SCTP_AUDITING_ENABLED 4647 sctp_audit_log(0xE0, 2); 4648 sctp_auditing(1, inp, stcb, net); 4649 #endif 4650 #ifdef SCTP_DEBUG 4651 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4652 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4653 stcb->asoc.peers_rwnd, 4654 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4655 stcb->asoc.total_flight); 4656 } 4657 #endif 4658 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4659 4660 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4661 ((un_sent) && 4662 (stcb->asoc.peers_rwnd > 0 || 4663 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4664 #ifdef SCTP_DEBUG 4665 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4666 printf("Calling chunk OUTPUT\n"); 4667 } 4668 #endif 4669 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4670 #ifdef SCTP_DEBUG 4671 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4672 printf("chunk OUTPUT returns\n"); 4673 } 4674 #endif 4675 } 4676 #ifdef SCTP_AUDITING_ENABLED 4677 sctp_audit_log(0xE0, 3); 4678 sctp_auditing(2, inp, stcb, net); 4679 #endif 4680 SCTP_TCB_UNLOCK(stcb); 4681 return (0); 4682 } 4683 4684 4685 4686 void 4687 sctp_input(i_pak, off) 4688 struct mbuf *i_pak; 4689 int off; 4690 4691 { 4692 #ifdef SCTP_MBUF_LOGGING 4693 struct mbuf *mat; 4694 4695 #endif 4696 struct mbuf *m; 4697 int iphlen; 4698 uint32_t vrf_id; 4699 uint8_t ecn_bits; 4700 struct ip *ip; 4701 struct sctphdr *sh; 4702 struct sctp_inpcb *inp = NULL; 4703 4704 uint32_t check, calc_check; 4705 struct sctp_nets *net; 4706 struct sctp_tcb *stcb = NULL; 4707 struct sctp_chunkhdr *ch; 4708 int refcount_up = 0; 4709 int length, mlen, offset; 4710 4711 vrf_id = SCTP_DEFAULT_VRFID; 4712 mlen = SCTP_HEADER_LEN(i_pak); 4713 iphlen = off; 4714 m = SCTP_HEADER_TO_CHAIN(i_pak); 4715 net = NULL; 4716 SCTP_STAT_INCR(sctps_recvpackets); 4717 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4718 4719 #ifdef SCTP_MBUF_LOGGING 4720 /* Log in any input mbufs */ 4721 mat = m; 4722 while (mat) { 4723 if (SCTP_BUF_IS_EXTENDED(mat)) { 4724 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4725 } 4726 mat = SCTP_BUF_NEXT(mat); 4727 } 4728 #endif 4729 4730 /* 4731 * Get IP, SCTP, and first chunk header together in first mbuf. 4732 */ 4733 ip = mtod(m, struct ip *); 4734 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4735 if (SCTP_BUF_LEN(m) < offset) { 4736 if ((m = m_pullup(m, offset)) == 0) { 4737 SCTP_STAT_INCR(sctps_hdrops); 4738 return; 4739 } 4740 ip = mtod(m, struct ip *); 4741 } 4742 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4743 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4744 4745 /* SCTP does not allow broadcasts or multicasts */ 4746 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4747 goto bad; 4748 } 4749 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 4750 /* 4751 * We only look at broadcast if its a front state, All 4752 * others we will not have a tcb for anyway. 4753 */ 4754 goto bad; 4755 } 4756 /* validate SCTP checksum */ 4757 if ((sctp_no_csum_on_loopback == 0) || !SCTP_IS_IT_LOOPBACK(m)) { 4758 /* 4759 * we do NOT validate things from the loopback if the sysctl 4760 * is set to 1. 4761 */ 4762 check = sh->checksum; /* save incoming checksum */ 4763 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4764 /* 4765 * special hook for where we got a local address 4766 * somehow routed across a non IFT_LOOP type 4767 * interface 4768 */ 4769 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4770 goto sctp_skip_csum_4; 4771 } 4772 sh->checksum = 0; /* prepare for calc */ 4773 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4774 if (calc_check != check) { 4775 #ifdef SCTP_DEBUG 4776 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4777 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4778 calc_check, check, m, mlen, iphlen); 4779 } 4780 #endif 4781 4782 stcb = sctp_findassociation_addr(m, iphlen, 4783 offset - sizeof(*ch), 4784 sh, ch, &inp, &net, vrf_id); 4785 if ((inp) && (stcb)) { 4786 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4787 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4788 } else if ((inp != NULL) && (stcb == NULL)) { 4789 refcount_up = 1; 4790 } 4791 SCTP_STAT_INCR(sctps_badsum); 4792 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4793 goto bad; 4794 } 4795 sh->checksum = calc_check; 4796 } 4797 sctp_skip_csum_4: 4798 /* destination port of 0 is illegal, based on RFC2960. */ 4799 if (sh->dest_port == 0) { 4800 SCTP_STAT_INCR(sctps_hdrops); 4801 goto bad; 4802 } 4803 /* validate mbuf chain length with IP payload length */ 4804 if (mlen < (ip->ip_len - iphlen)) { 4805 SCTP_STAT_INCR(sctps_hdrops); 4806 goto bad; 4807 } 4808 /* 4809 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4810 * IP/SCTP/first chunk header... 4811 */ 4812 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4813 sh, ch, &inp, &net, vrf_id); 4814 /* inp's ref-count increased && stcb locked */ 4815 if (inp == NULL) { 4816 struct sctp_init_chunk *init_chk, chunk_buf; 4817 4818 SCTP_STAT_INCR(sctps_noport); 4819 #ifdef ICMP_BANDLIM 4820 /* 4821 * we use the bandwidth limiting to protect against sending 4822 * too many ABORTS all at once. In this case these count the 4823 * same as an ICMP message. 4824 */ 4825 if (badport_bandlim(0) < 0) 4826 goto bad; 4827 #endif /* ICMP_BANDLIM */ 4828 #ifdef SCTP_DEBUG 4829 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4830 printf("Sending a ABORT from packet entry!\n"); 4831 } 4832 #endif 4833 if (ch->chunk_type == SCTP_INITIATION) { 4834 /* 4835 * we do a trick here to get the INIT tag, dig in 4836 * and get the tag from the INIT and put it in the 4837 * common header. 4838 */ 4839 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4840 iphlen + sizeof(*sh), sizeof(*init_chk), 4841 (uint8_t *) & chunk_buf); 4842 if (init_chk != NULL) 4843 sh->v_tag = init_chk->init.initiate_tag; 4844 } 4845 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4846 sctp_send_shutdown_complete2(m, iphlen, sh); 4847 goto bad; 4848 } 4849 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 4850 goto bad; 4851 } 4852 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 4853 sctp_send_abort(m, iphlen, sh, 0, NULL); 4854 goto bad; 4855 } else if (stcb == NULL) { 4856 refcount_up = 1; 4857 } 4858 #ifdef IPSEC 4859 /* 4860 * I very much doubt any of the IPSEC stuff will work but I have no 4861 * idea, so I will leave it in place. 4862 */ 4863 4864 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 4865 ipsecstat.in_polvio++; 4866 SCTP_STAT_INCR(sctps_hdrops); 4867 goto bad; 4868 } 4869 #endif /* IPSEC */ 4870 4871 /* 4872 * common chunk processing 4873 */ 4874 length = ip->ip_len + iphlen; 4875 offset -= sizeof(struct sctp_chunkhdr); 4876 4877 ecn_bits = ip->ip_tos; 4878 4879 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4880 inp, stcb, net, ecn_bits); 4881 /* inp's ref-count reduced && stcb unlocked */ 4882 if (m) { 4883 sctp_m_freem(m); 4884 } 4885 if ((inp) && (refcount_up)) { 4886 /* reduce ref-count */ 4887 SCTP_INP_WLOCK(inp); 4888 SCTP_INP_DECR_REF(inp); 4889 SCTP_INP_WUNLOCK(inp); 4890 } 4891 return; 4892 bad: 4893 if (stcb) 4894 SCTP_TCB_UNLOCK(stcb); 4895 4896 if ((inp) && (refcount_up)) { 4897 /* reduce ref-count */ 4898 SCTP_INP_WLOCK(inp); 4899 SCTP_INP_DECR_REF(inp); 4900 SCTP_INP_WUNLOCK(inp); 4901 } 4902 if (m) { 4903 sctp_m_freem(m); 4904 } 4905 return; 4906 } 4907