1 /*- 2 * Copyright (c) 2001-2007, Cisco Systems, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions are met: 6 * 7 * a) Redistributions of source code must retain the above copyright notice, 8 * this list of conditions and the following disclaimer. 9 * 10 * b) Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in 12 * the documentation and/or other materials provided with the distribution. 13 * 14 * c) Neither the name of Cisco Systems, Inc. nor the names of its 15 * contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 20 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 28 * THE POSSIBILITY OF SUCH DAMAGE. 29 */ 30 31 /* $KAME: sctp_input.c,v 1.27 2005/03/06 16:04:17 itojun Exp $ */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 36 #include <netinet/sctp_os.h> 37 #include <netinet/sctp_var.h> 38 #include <netinet/sctp_sysctl.h> 39 #include <netinet/sctp_pcb.h> 40 #include <netinet/sctp_header.h> 41 #include <netinet/sctputil.h> 42 #include <netinet/sctp_output.h> 43 #include <netinet/sctp_input.h> 44 #include <netinet/sctp_auth.h> 45 #include <netinet/sctp_indata.h> 46 #include <netinet/sctp_asconf.h> 47 48 49 50 51 static void 52 sctp_stop_all_cookie_timers(struct sctp_tcb *stcb) 53 { 54 struct sctp_nets *net; 55 56 /* 57 * This now not only stops all cookie timers it also stops any INIT 58 * timers as well. This will make sure that the timers are stopped 59 * in all collision cases. 60 */ 61 SCTP_TCB_LOCK_ASSERT(stcb); 62 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { 63 if (net->rxt_timer.type == SCTP_TIMER_TYPE_COOKIE) { 64 sctp_timer_stop(SCTP_TIMER_TYPE_COOKIE, 65 stcb->sctp_ep, 66 stcb, 67 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_1); 68 } else if (net->rxt_timer.type == SCTP_TIMER_TYPE_INIT) { 69 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, 70 stcb->sctp_ep, 71 stcb, 72 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_2); 73 } 74 } 75 } 76 77 /* INIT handler */ 78 static void 79 sctp_handle_init(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 80 struct sctp_init_chunk *cp, struct sctp_inpcb *inp, struct sctp_tcb *stcb, 81 struct sctp_nets *net, int *abort_no_unlock) 82 { 83 struct sctp_init *init; 84 struct mbuf *op_err; 85 uint32_t init_limit; 86 87 #ifdef SCTP_DEBUG 88 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 89 printf("sctp_handle_init: handling INIT tcb:%p\n", stcb); 90 } 91 #endif 92 op_err = NULL; 93 init = &cp->init; 94 /* First are we accepting? */ 95 if ((inp->sctp_socket->so_qlimit == 0) && (stcb == NULL)) { 96 #ifdef SCTP_DEBUG 97 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 98 printf("sctp_handle_init: Abort, so_qlimit:%d\n", inp->sctp_socket->so_qlimit); 99 } 100 #endif 101 /* 102 * FIX ME ?? What about TCP model and we have a 103 * match/restart case? 104 */ 105 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 106 if (stcb) 107 *abort_no_unlock = 1; 108 return; 109 } 110 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_chunk)) { 111 /* Invalid length */ 112 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 113 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 114 if (stcb) 115 *abort_no_unlock = 1; 116 return; 117 } 118 /* validate parameters */ 119 if (init->initiate_tag == 0) { 120 /* protocol error... send abort */ 121 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 122 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 123 if (stcb) 124 *abort_no_unlock = 1; 125 return; 126 } 127 if (ntohl(init->a_rwnd) < SCTP_MIN_RWND) { 128 /* invalid parameter... send abort */ 129 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 130 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 131 return; 132 } 133 if (init->num_inbound_streams == 0) { 134 /* protocol error... send abort */ 135 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 136 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 137 if (stcb) 138 *abort_no_unlock = 1; 139 return; 140 } 141 if (init->num_outbound_streams == 0) { 142 /* protocol error... send abort */ 143 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 144 sctp_abort_association(inp, stcb, m, iphlen, sh, op_err); 145 if (stcb) 146 *abort_no_unlock = 1; 147 return; 148 } 149 init_limit = offset + ntohs(cp->ch.chunk_length); 150 if (sctp_validate_init_auth_params(m, offset + sizeof(*cp), 151 init_limit)) { 152 /* auth parameter(s) error... send abort */ 153 sctp_abort_association(inp, stcb, m, iphlen, sh, NULL); 154 if (stcb) 155 *abort_no_unlock = 1; 156 return; 157 } 158 /* send an INIT-ACK w/cookie */ 159 #ifdef SCTP_DEBUG 160 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 161 printf("sctp_handle_init: sending INIT-ACK\n"); 162 } 163 #endif 164 sctp_send_initiate_ack(inp, stcb, m, iphlen, offset, sh, cp); 165 } 166 167 /* 168 * process peer "INIT/INIT-ACK" chunk returns value < 0 on error 169 */ 170 static int 171 sctp_process_init(struct sctp_init_chunk *cp, struct sctp_tcb *stcb, 172 struct sctp_nets *net) 173 { 174 struct sctp_init *init; 175 struct sctp_association *asoc; 176 struct sctp_nets *lnet; 177 unsigned int i; 178 179 init = &cp->init; 180 asoc = &stcb->asoc; 181 /* save off parameters */ 182 asoc->peer_vtag = ntohl(init->initiate_tag); 183 asoc->peers_rwnd = ntohl(init->a_rwnd); 184 if (TAILQ_FIRST(&asoc->nets)) { 185 /* update any ssthresh's that may have a default */ 186 TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) { 187 lnet->ssthresh = asoc->peers_rwnd; 188 189 #if defined(SCTP_CWND_MONITOR) || defined(SCTP_CWND_LOGGING) 190 sctp_log_cwnd(stcb, lnet, 0, SCTP_CWND_INITIALIZATION); 191 #endif 192 193 } 194 } 195 SCTP_TCB_SEND_LOCK(stcb); 196 if (asoc->pre_open_streams > ntohs(init->num_inbound_streams)) { 197 unsigned int newcnt; 198 struct sctp_stream_out *outs; 199 struct sctp_stream_queue_pending *sp; 200 201 /* cut back on number of streams */ 202 newcnt = ntohs(init->num_inbound_streams); 203 /* This if is probably not needed but I am cautious */ 204 if (asoc->strmout) { 205 /* First make sure no data chunks are trapped */ 206 for (i = newcnt; i < asoc->pre_open_streams; i++) { 207 outs = &asoc->strmout[i]; 208 sp = TAILQ_FIRST(&outs->outqueue); 209 while (sp) { 210 TAILQ_REMOVE(&outs->outqueue, sp, 211 next); 212 asoc->stream_queue_cnt--; 213 sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, 214 stcb, SCTP_NOTIFY_DATAGRAM_UNSENT, 215 sp); 216 if (sp->data) { 217 sctp_m_freem(sp->data); 218 sp->data = NULL; 219 } 220 sctp_free_remote_addr(sp->net); 221 sp->net = NULL; 222 /* Free the chunk */ 223 printf("sp:%p tcb:%p weird free case\n", 224 sp, stcb); 225 226 sctp_free_a_strmoq(stcb, sp); 227 sp = TAILQ_FIRST(&outs->outqueue); 228 } 229 } 230 } 231 /* cut back the count and abandon the upper streams */ 232 asoc->pre_open_streams = newcnt; 233 } 234 SCTP_TCB_SEND_UNLOCK(stcb); 235 asoc->streamoutcnt = asoc->pre_open_streams; 236 /* init tsn's */ 237 asoc->highest_tsn_inside_map = asoc->asconf_seq_in = ntohl(init->initial_tsn) - 1; 238 #ifdef SCTP_MAP_LOGGING 239 sctp_log_map(0, 5, asoc->highest_tsn_inside_map, SCTP_MAP_SLIDE_RESULT); 240 #endif 241 /* This is the next one we expect */ 242 asoc->str_reset_seq_in = asoc->asconf_seq_in + 1; 243 244 asoc->mapping_array_base_tsn = ntohl(init->initial_tsn); 245 asoc->cumulative_tsn = asoc->asconf_seq_in; 246 asoc->last_echo_tsn = asoc->asconf_seq_in; 247 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 248 /* open the requested streams */ 249 if (asoc->strmin != NULL) { 250 /* Free the old ones */ 251 struct sctp_queued_to_read *ctl; 252 253 for (i = 0; i < asoc->streamincnt; i++) { 254 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 255 while (ctl) { 256 TAILQ_REMOVE(&asoc->strmin[i].inqueue, ctl, next); 257 sctp_free_remote_addr(ctl->whoFrom); 258 sctp_m_freem(ctl->data); 259 ctl->data = NULL; 260 sctp_free_a_readq(stcb, ctl); 261 ctl = TAILQ_FIRST(&asoc->strmin[i].inqueue); 262 } 263 } 264 SCTP_FREE(asoc->strmin); 265 } 266 asoc->streamincnt = ntohs(init->num_outbound_streams); 267 if (asoc->streamincnt > MAX_SCTP_STREAMS) { 268 asoc->streamincnt = MAX_SCTP_STREAMS; 269 } 270 SCTP_MALLOC(asoc->strmin, struct sctp_stream_in *, asoc->streamincnt * 271 sizeof(struct sctp_stream_in), "StreamsIn"); 272 if (asoc->strmin == NULL) { 273 /* we didn't get memory for the streams! */ 274 #ifdef SCTP_DEBUG 275 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 276 printf("process_init: couldn't get memory for the streams!\n"); 277 } 278 #endif 279 return (-1); 280 } 281 for (i = 0; i < asoc->streamincnt; i++) { 282 asoc->strmin[i].stream_no = i; 283 asoc->strmin[i].last_sequence_delivered = 0xffff; 284 /* 285 * U-stream ranges will be set when the cookie is unpacked. 286 * Or for the INIT sender they are un set (if pr-sctp not 287 * supported) when the INIT-ACK arrives. 288 */ 289 TAILQ_INIT(&asoc->strmin[i].inqueue); 290 /* 291 * we are not on any wheel, pr-sctp streams will go on the 292 * wheel when they have data waiting for reorder. 293 */ 294 asoc->strmin[i].next_spoke.tqe_next = 0; 295 asoc->strmin[i].next_spoke.tqe_prev = 0; 296 } 297 298 /* 299 * load_address_from_init will put the addresses into the 300 * association when the COOKIE is processed or the INIT-ACK is 301 * processed. Both types of COOKIE's existing and new call this 302 * routine. It will remove addresses that are no longer in the 303 * association (for the restarting case where addresses are 304 * removed). Up front when the INIT arrives we will discard it if it 305 * is a restart and new addresses have been added. 306 */ 307 return (0); 308 } 309 310 /* 311 * INIT-ACK message processing/consumption returns value < 0 on error 312 */ 313 static int 314 sctp_process_init_ack(struct mbuf *m, int iphlen, int offset, 315 struct sctphdr *sh, struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 316 struct sctp_nets *net, int *abort_no_unlock) 317 { 318 struct sctp_association *asoc; 319 struct mbuf *op_err; 320 int retval, abort_flag; 321 uint32_t initack_limit; 322 323 /* First verify that we have no illegal param's */ 324 abort_flag = 0; 325 op_err = NULL; 326 327 op_err = sctp_arethere_unrecognized_parameters(m, 328 (offset + sizeof(struct sctp_init_chunk)), 329 &abort_flag, (struct sctp_chunkhdr *)cp); 330 if (abort_flag) { 331 /* Send an abort and notify peer */ 332 if (op_err != NULL) { 333 sctp_send_operr_to(m, iphlen, op_err, cp->init.initiate_tag); 334 } else { 335 /* 336 * Just notify (abort_assoc does this if we send an 337 * abort). 338 */ 339 sctp_abort_notification(stcb, 0); 340 /* 341 * No sense in further INIT's since we will get the 342 * same param back 343 */ 344 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_3); 345 *abort_no_unlock = 1; 346 } 347 return (-1); 348 } 349 asoc = &stcb->asoc; 350 /* process the peer's parameters in the INIT-ACK */ 351 retval = sctp_process_init((struct sctp_init_chunk *)cp, stcb, net); 352 if (retval < 0) { 353 return (retval); 354 } 355 initack_limit = offset + ntohs(cp->ch.chunk_length); 356 /* load all addresses */ 357 if ((retval = sctp_load_addresses_from_init(stcb, m, iphlen, 358 (offset + sizeof(struct sctp_init_chunk)), initack_limit, sh, 359 NULL))) { 360 /* Huh, we should abort */ 361 #ifdef SCTP_DEBUG 362 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 363 printf("Load addresses from INIT causes an abort %d\n", retval); 364 } 365 #endif 366 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 367 NULL); 368 *abort_no_unlock = 1; 369 return (-1); 370 } 371 stcb->asoc.peer_hmac_id = sctp_negotiate_hmacid(stcb->asoc.peer_hmacs, 372 stcb->asoc.local_hmacs); 373 if (op_err) { 374 sctp_queue_op_err(stcb, op_err); 375 /* queuing will steal away the mbuf chain to the out queue */ 376 op_err = NULL; 377 } 378 /* extract the cookie and queue it to "echo" it back... */ 379 stcb->asoc.overall_error_count = 0; 380 net->error_count = 0; 381 382 /* 383 * Cancel the INIT timer, We do this first before queueing the 384 * cookie. We always cancel at the primary to assue that we are 385 * canceling the timer started by the INIT which always goes to the 386 * primary. 387 */ 388 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, stcb, 389 asoc->primary_destination, SCTP_FROM_SCTP_INPUT + SCTP_LOC_4); 390 391 /* calculate the RTO */ 392 net->RTO = sctp_calculate_rto(stcb, asoc, net, &asoc->time_entered); 393 394 retval = sctp_send_cookie_echo(m, offset, stcb, net); 395 if (retval < 0) { 396 /* 397 * No cookie, we probably should send a op error. But in any 398 * case if there is no cookie in the INIT-ACK, we can 399 * abandon the peer, its broke. 400 */ 401 if (retval == -3) { 402 /* We abort with an error of missing mandatory param */ 403 struct mbuf *op_err; 404 405 op_err = 406 sctp_generate_invmanparam(SCTP_CAUSE_MISSING_PARAM); 407 if (op_err) { 408 /* 409 * Expand beyond to include the mandatory 410 * param cookie 411 */ 412 struct sctp_inv_mandatory_param *mp; 413 414 SCTP_BUF_LEN(op_err) = 415 sizeof(struct sctp_inv_mandatory_param); 416 mp = mtod(op_err, 417 struct sctp_inv_mandatory_param *); 418 /* Subtract the reserved param */ 419 mp->length = 420 htons(sizeof(struct sctp_inv_mandatory_param) - 2); 421 mp->num_param = htonl(1); 422 mp->param = htons(SCTP_STATE_COOKIE); 423 mp->resv = 0; 424 } 425 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, 426 sh, op_err); 427 *abort_no_unlock = 1; 428 } 429 return (retval); 430 } 431 return (0); 432 } 433 434 static void 435 sctp_handle_heartbeat_ack(struct sctp_heartbeat_chunk *cp, 436 struct sctp_tcb *stcb, struct sctp_nets *net) 437 { 438 struct sockaddr_storage store; 439 struct sockaddr_in *sin; 440 struct sockaddr_in6 *sin6; 441 struct sctp_nets *r_net; 442 struct timeval tv; 443 444 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_heartbeat_chunk)) { 445 /* Invalid length */ 446 return; 447 } 448 sin = (struct sockaddr_in *)&store; 449 sin6 = (struct sockaddr_in6 *)&store; 450 451 memset(&store, 0, sizeof(store)); 452 if (cp->heartbeat.hb_info.addr_family == AF_INET && 453 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in)) { 454 sin->sin_family = cp->heartbeat.hb_info.addr_family; 455 sin->sin_len = cp->heartbeat.hb_info.addr_len; 456 sin->sin_port = stcb->rport; 457 memcpy(&sin->sin_addr, cp->heartbeat.hb_info.address, 458 sizeof(sin->sin_addr)); 459 } else if (cp->heartbeat.hb_info.addr_family == AF_INET6 && 460 cp->heartbeat.hb_info.addr_len == sizeof(struct sockaddr_in6)) { 461 sin6->sin6_family = cp->heartbeat.hb_info.addr_family; 462 sin6->sin6_len = cp->heartbeat.hb_info.addr_len; 463 sin6->sin6_port = stcb->rport; 464 memcpy(&sin6->sin6_addr, cp->heartbeat.hb_info.address, 465 sizeof(sin6->sin6_addr)); 466 } else { 467 return; 468 } 469 r_net = sctp_findnet(stcb, (struct sockaddr *)sin); 470 if (r_net == NULL) { 471 #ifdef SCTP_DEBUG 472 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 473 printf("Huh? I can't find the address I sent it to, discard\n"); 474 } 475 #endif 476 return; 477 } 478 if ((r_net && (r_net->dest_state & SCTP_ADDR_UNCONFIRMED)) && 479 (r_net->heartbeat_random1 == cp->heartbeat.hb_info.random_value1) && 480 (r_net->heartbeat_random2 == cp->heartbeat.hb_info.random_value2)) { 481 /* 482 * If the its a HB and it's random value is correct when can 483 * confirm the destination. 484 */ 485 r_net->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 486 if (r_net->dest_state & SCTP_ADDR_REQ_PRIMARY) { 487 stcb->asoc.primary_destination = r_net; 488 r_net->dest_state &= ~SCTP_ADDR_WAS_PRIMARY; 489 r_net->dest_state &= ~SCTP_ADDR_REQ_PRIMARY; 490 r_net = TAILQ_FIRST(&stcb->asoc.nets); 491 if (r_net != stcb->asoc.primary_destination) { 492 /* 493 * first one on the list is NOT the primary 494 * sctp_cmpaddr() is much more efficent if 495 * the primary is the first on the list, 496 * make it so. 497 */ 498 TAILQ_REMOVE(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 499 TAILQ_INSERT_HEAD(&stcb->asoc.nets, stcb->asoc.primary_destination, sctp_next); 500 } 501 } 502 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 503 stcb, 0, (void *)r_net); 504 } 505 r_net->error_count = 0; 506 r_net->hb_responded = 1; 507 tv.tv_sec = cp->heartbeat.hb_info.time_value_1; 508 tv.tv_usec = cp->heartbeat.hb_info.time_value_2; 509 if (r_net->dest_state & SCTP_ADDR_NOT_REACHABLE) { 510 r_net->dest_state &= ~SCTP_ADDR_NOT_REACHABLE; 511 r_net->dest_state |= SCTP_ADDR_REACHABLE; 512 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_UP, stcb, 513 SCTP_HEARTBEAT_SUCCESS, (void *)r_net); 514 /* now was it the primary? if so restore */ 515 if (r_net->dest_state & SCTP_ADDR_WAS_PRIMARY) { 516 sctp_set_primary_addr(stcb, (struct sockaddr *)NULL, r_net); 517 } 518 } 519 /* Now lets do a RTO with this */ 520 r_net->RTO = sctp_calculate_rto(stcb, &stcb->asoc, r_net, &tv); 521 } 522 523 static void 524 sctp_handle_abort(struct sctp_abort_chunk *cp, 525 struct sctp_tcb *stcb, struct sctp_nets *net) 526 { 527 528 #ifdef SCTP_DEBUG 529 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 530 printf("sctp_handle_abort: handling ABORT\n"); 531 } 532 #endif 533 if (stcb == NULL) 534 return; 535 /* verify that the destination addr is in the association */ 536 /* ignore abort for addresses being deleted */ 537 538 /* stop any receive timers */ 539 sctp_timer_stop(SCTP_TIMER_TYPE_RECV, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_5); 540 /* notify user of the abort and clean up... */ 541 sctp_abort_notification(stcb, 0); 542 /* free the tcb */ 543 SCTP_STAT_INCR_COUNTER32(sctps_aborted); 544 if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) || 545 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 546 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 547 } 548 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_6); 549 #ifdef SCTP_DEBUG 550 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 551 printf("sctp_handle_abort: finished\n"); 552 } 553 #endif 554 } 555 556 static void 557 sctp_handle_shutdown(struct sctp_shutdown_chunk *cp, 558 struct sctp_tcb *stcb, struct sctp_nets *net, int *abort_flag) 559 { 560 struct sctp_association *asoc; 561 int some_on_streamwheel; 562 563 #ifdef SCTP_DEBUG 564 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 565 printf("sctp_handle_shutdown: handling SHUTDOWN\n"); 566 } 567 #endif 568 if (stcb == NULL) 569 return; 570 asoc = &stcb->asoc; 571 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) || 572 (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) { 573 return; 574 } 575 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_shutdown_chunk)) { 576 /* Shutdown NOT the expected size */ 577 return; 578 } else { 579 sctp_update_acked(stcb, cp, net, abort_flag); 580 } 581 if (asoc->control_pdapi) { 582 /* 583 * With a normal shutdown we assume the end of last record. 584 */ 585 SCTP_INP_READ_LOCK(stcb->sctp_ep); 586 asoc->control_pdapi->end_added = 1; 587 asoc->control_pdapi->pdapi_aborted = 1; 588 asoc->control_pdapi = NULL; 589 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 590 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 591 } 592 /* goto SHUTDOWN_RECEIVED state to block new requests */ 593 if (stcb->sctp_socket) { 594 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 595 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 596 asoc->state = SCTP_STATE_SHUTDOWN_RECEIVED; 597 /* 598 * notify upper layer that peer has initiated a 599 * shutdown 600 */ 601 sctp_ulp_notify(SCTP_NOTIFY_PEER_SHUTDOWN, stcb, 0, NULL); 602 603 /* reset time */ 604 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 605 } 606 } 607 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) { 608 /* 609 * stop the shutdown timer, since we WILL move to 610 * SHUTDOWN-ACK-SENT. 611 */ 612 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_7); 613 } 614 /* Now are we there yet? */ 615 some_on_streamwheel = 0; 616 if (!TAILQ_EMPTY(&asoc->out_wheel)) { 617 /* Check to see if some data queued */ 618 struct sctp_stream_out *outs; 619 620 TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) { 621 if (!TAILQ_EMPTY(&outs->outqueue)) { 622 some_on_streamwheel = 1; 623 break; 624 } 625 } 626 } 627 if (!TAILQ_EMPTY(&asoc->send_queue) || 628 !TAILQ_EMPTY(&asoc->sent_queue) || 629 some_on_streamwheel) { 630 /* By returning we will push more data out */ 631 return; 632 } else { 633 /* no outstanding data to send, so move on... */ 634 /* send SHUTDOWN-ACK */ 635 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 636 /* move to SHUTDOWN-ACK-SENT state */ 637 if ((SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) || 638 (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED)) { 639 SCTP_STAT_DECR_GAUGE32(sctps_currestab); 640 } 641 asoc->state = SCTP_STATE_SHUTDOWN_ACK_SENT; 642 643 /* start SHUTDOWN timer */ 644 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNACK, stcb->sctp_ep, 645 stcb, net); 646 } 647 } 648 649 static void 650 sctp_handle_shutdown_ack(struct sctp_shutdown_ack_chunk *cp, 651 struct sctp_tcb *stcb, struct sctp_nets *net) 652 { 653 struct sctp_association *asoc; 654 655 #ifdef SCTP_DEBUG 656 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 657 printf("sctp_handle_shutdown_ack: handling SHUTDOWN ACK\n"); 658 } 659 #endif 660 if (stcb == NULL) 661 return; 662 663 asoc = &stcb->asoc; 664 /* process according to association state */ 665 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) && 666 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) { 667 /* unexpected SHUTDOWN-ACK... so ignore... */ 668 SCTP_TCB_UNLOCK(stcb); 669 return; 670 } 671 if (asoc->control_pdapi) { 672 /* 673 * With a normal shutdown we assume the end of last record. 674 */ 675 SCTP_INP_READ_LOCK(stcb->sctp_ep); 676 asoc->control_pdapi->end_added = 1; 677 asoc->control_pdapi->pdapi_aborted = 1; 678 asoc->control_pdapi = NULL; 679 SCTP_INP_READ_UNLOCK(stcb->sctp_ep); 680 sctp_sorwakeup(stcb->sctp_ep, stcb->sctp_socket); 681 } 682 /* are the queues empty? */ 683 if (!TAILQ_EMPTY(&asoc->send_queue) || 684 !TAILQ_EMPTY(&asoc->sent_queue) || 685 !TAILQ_EMPTY(&asoc->out_wheel)) { 686 sctp_report_all_outbound(stcb, 0); 687 } 688 /* stop the timer */ 689 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_8); 690 /* send SHUTDOWN-COMPLETE */ 691 sctp_send_shutdown_complete(stcb, net); 692 /* notify upper layer protocol */ 693 if (stcb->sctp_socket) { 694 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 695 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 696 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 697 /* Set the connected flag to disconnected */ 698 stcb->sctp_ep->sctp_socket->so_snd.sb_cc = 0; 699 } 700 } 701 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 702 /* free the TCB but first save off the ep */ 703 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, 704 SCTP_FROM_SCTP_INPUT + SCTP_LOC_9); 705 } 706 707 /* 708 * Skip past the param header and then we will find the chunk that caused the 709 * problem. There are two possiblities ASCONF or FWD-TSN other than that and 710 * our peer must be broken. 711 */ 712 static void 713 sctp_process_unrecog_chunk(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr, 714 struct sctp_nets *net) 715 { 716 struct sctp_chunkhdr *chk; 717 718 chk = (struct sctp_chunkhdr *)((caddr_t)phdr + sizeof(*phdr)); 719 switch (chk->chunk_type) { 720 case SCTP_ASCONF_ACK: 721 case SCTP_ASCONF: 722 sctp_asconf_cleanup(stcb, net); 723 break; 724 case SCTP_FORWARD_CUM_TSN: 725 stcb->asoc.peer_supports_prsctp = 0; 726 break; 727 default: 728 #ifdef SCTP_DEBUG 729 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 730 printf("Peer does not support chunk type %d(%x)??\n", 731 chk->chunk_type, (uint32_t) chk->chunk_type); 732 } 733 #endif 734 break; 735 } 736 } 737 738 /* 739 * Skip past the param header and then we will find the param that caused the 740 * problem. There are a number of param's in a ASCONF OR the prsctp param 741 * these will turn of specific features. 742 */ 743 static void 744 sctp_process_unrecog_param(struct sctp_tcb *stcb, struct sctp_paramhdr *phdr) 745 { 746 struct sctp_paramhdr *pbad; 747 748 pbad = phdr + 1; 749 switch (ntohs(pbad->param_type)) { 750 /* pr-sctp draft */ 751 case SCTP_PRSCTP_SUPPORTED: 752 stcb->asoc.peer_supports_prsctp = 0; 753 break; 754 case SCTP_SUPPORTED_CHUNK_EXT: 755 break; 756 /* draft-ietf-tsvwg-addip-sctp */ 757 case SCTP_ECN_NONCE_SUPPORTED: 758 stcb->asoc.peer_supports_ecn_nonce = 0; 759 stcb->asoc.ecn_nonce_allowed = 0; 760 stcb->asoc.ecn_allowed = 0; 761 break; 762 case SCTP_ADD_IP_ADDRESS: 763 case SCTP_DEL_IP_ADDRESS: 764 case SCTP_SET_PRIM_ADDR: 765 stcb->asoc.peer_supports_asconf = 0; 766 break; 767 case SCTP_SUCCESS_REPORT: 768 case SCTP_ERROR_CAUSE_IND: 769 #ifdef SCTP_DEBUG 770 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 771 printf("Huh, the peer does not support success? or error cause?\n"); 772 printf("Turning off ASCONF to this strange peer\n"); 773 } 774 #endif 775 stcb->asoc.peer_supports_asconf = 0; 776 break; 777 default: 778 #ifdef SCTP_DEBUG 779 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 780 printf("Peer does not support param type %d(%x)??\n", 781 pbad->param_type, (uint32_t) pbad->param_type); 782 } 783 #endif 784 break; 785 } 786 } 787 788 static int 789 sctp_handle_error(struct sctp_chunkhdr *ch, 790 struct sctp_tcb *stcb, struct sctp_nets *net) 791 { 792 int chklen; 793 struct sctp_paramhdr *phdr; 794 uint16_t error_type; 795 uint16_t error_len; 796 struct sctp_association *asoc; 797 798 int adjust; 799 800 /* parse through all of the errors and process */ 801 asoc = &stcb->asoc; 802 phdr = (struct sctp_paramhdr *)((caddr_t)ch + 803 sizeof(struct sctp_chunkhdr)); 804 chklen = ntohs(ch->chunk_length) - sizeof(struct sctp_chunkhdr); 805 while ((size_t)chklen >= sizeof(struct sctp_paramhdr)) { 806 /* Process an Error Cause */ 807 error_type = ntohs(phdr->param_type); 808 error_len = ntohs(phdr->param_length); 809 if ((error_len > chklen) || (error_len == 0)) { 810 /* invalid param length for this param */ 811 #ifdef SCTP_DEBUG 812 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 813 printf("Bogus length in error param- chunk left:%d errorlen:%d\n", 814 chklen, error_len); 815 } 816 #endif /* SCTP_DEBUG */ 817 return (0); 818 } 819 switch (error_type) { 820 case SCTP_CAUSE_INVALID_STREAM: 821 case SCTP_CAUSE_MISSING_PARAM: 822 case SCTP_CAUSE_INVALID_PARAM: 823 case SCTP_CAUSE_NO_USER_DATA: 824 #ifdef SCTP_DEBUG 825 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 826 printf("Software error we got a %d back? We have a bug :/ (or do they?)\n", 827 error_type); 828 } 829 #endif 830 break; 831 case SCTP_CAUSE_STALE_COOKIE: 832 /* 833 * We only act if we have echoed a cookie and are 834 * waiting. 835 */ 836 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 837 int *p; 838 839 p = (int *)((caddr_t)phdr + sizeof(*phdr)); 840 /* Save the time doubled */ 841 asoc->cookie_preserve_req = ntohl(*p) << 1; 842 asoc->stale_cookie_count++; 843 if (asoc->stale_cookie_count > 844 asoc->max_init_times) { 845 sctp_abort_notification(stcb, 0); 846 /* now free the asoc */ 847 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_10); 848 return (-1); 849 } 850 /* blast back to INIT state */ 851 asoc->state &= ~SCTP_STATE_COOKIE_ECHOED; 852 asoc->state |= SCTP_STATE_COOKIE_WAIT; 853 854 sctp_stop_all_cookie_timers(stcb); 855 sctp_send_initiate(stcb->sctp_ep, stcb); 856 } 857 break; 858 case SCTP_CAUSE_UNRESOLVABLE_ADDR: 859 /* 860 * Nothing we can do here, we don't do hostname 861 * addresses so if the peer does not like my IPv6 862 * (or IPv4 for that matter) it does not matter. If 863 * they don't support that type of address, they can 864 * NOT possibly get that packet type... i.e. with no 865 * IPv6 you can't recieve a IPv6 packet. so we can 866 * safely ignore this one. If we ever added support 867 * for HOSTNAME Addresses, then we would need to do 868 * something here. 869 */ 870 break; 871 case SCTP_CAUSE_UNRECOG_CHUNK: 872 sctp_process_unrecog_chunk(stcb, phdr, net); 873 break; 874 case SCTP_CAUSE_UNRECOG_PARAM: 875 sctp_process_unrecog_param(stcb, phdr); 876 break; 877 case SCTP_CAUSE_COOKIE_IN_SHUTDOWN: 878 /* 879 * We ignore this since the timer will drive out a 880 * new cookie anyway and there timer will drive us 881 * to send a SHUTDOWN_COMPLETE. We can't send one 882 * here since we don't have their tag. 883 */ 884 break; 885 case SCTP_CAUSE_DELETING_LAST_ADDR: 886 case SCTP_CAUSE_RESOURCE_SHORTAGE: 887 case SCTP_CAUSE_DELETING_SRC_ADDR: 888 /* 889 * We should NOT get these here, but in a 890 * ASCONF-ACK. 891 */ 892 #ifdef SCTP_DEBUG 893 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 894 printf("Peer sends ASCONF errors in a Operational Error?<%d>?\n", 895 error_type); 896 } 897 #endif 898 break; 899 case SCTP_CAUSE_OUT_OF_RESC: 900 /* 901 * And what, pray tell do we do with the fact that 902 * the peer is out of resources? Not really sure we 903 * could do anything but abort. I suspect this 904 * should have came WITH an abort instead of in a 905 * OP-ERROR. 906 */ 907 break; 908 default: 909 #ifdef SCTP_DEBUG 910 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 911 /* don't know what this error cause is... */ 912 printf("sctp_handle_error: unknown error type = 0x%xh\n", 913 error_type); 914 } 915 #endif /* SCTP_DEBUG */ 916 break; 917 } 918 adjust = SCTP_SIZE32(error_len); 919 chklen -= adjust; 920 phdr = (struct sctp_paramhdr *)((caddr_t)phdr + adjust); 921 } 922 return (0); 923 } 924 925 static int 926 sctp_handle_init_ack(struct mbuf *m, int iphlen, int offset, struct sctphdr *sh, 927 struct sctp_init_ack_chunk *cp, struct sctp_tcb *stcb, 928 struct sctp_nets *net, int *abort_no_unlock) 929 { 930 struct sctp_init_ack *init_ack; 931 int *state; 932 struct mbuf *op_err; 933 934 #ifdef SCTP_DEBUG 935 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 936 printf("sctp_handle_init_ack: handling INIT-ACK\n"); 937 } 938 #endif 939 if (stcb == NULL) { 940 #ifdef SCTP_DEBUG 941 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 942 printf("sctp_handle_init_ack: TCB is null\n"); 943 } 944 #endif 945 return (-1); 946 } 947 if (ntohs(cp->ch.chunk_length) < sizeof(struct sctp_init_ack_chunk)) { 948 /* Invalid length */ 949 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 950 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 951 op_err); 952 *abort_no_unlock = 1; 953 return (-1); 954 } 955 init_ack = &cp->init; 956 /* validate parameters */ 957 if (init_ack->initiate_tag == 0) { 958 /* protocol error... send an abort */ 959 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 960 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 961 op_err); 962 *abort_no_unlock = 1; 963 return (-1); 964 } 965 if (ntohl(init_ack->a_rwnd) < SCTP_MIN_RWND) { 966 /* protocol error... send an abort */ 967 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 968 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 969 op_err); 970 *abort_no_unlock = 1; 971 return (-1); 972 } 973 if (init_ack->num_inbound_streams == 0) { 974 /* protocol error... send an abort */ 975 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 976 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 977 op_err); 978 *abort_no_unlock = 1; 979 return (-1); 980 } 981 if (init_ack->num_outbound_streams == 0) { 982 /* protocol error... send an abort */ 983 op_err = sctp_generate_invmanparam(SCTP_CAUSE_INVALID_PARAM); 984 sctp_abort_association(stcb->sctp_ep, stcb, m, iphlen, sh, 985 op_err); 986 *abort_no_unlock = 1; 987 return (-1); 988 } 989 /* process according to association state... */ 990 state = &stcb->asoc.state; 991 switch (*state & SCTP_STATE_MASK) { 992 case SCTP_STATE_COOKIE_WAIT: 993 /* this is the expected state for this chunk */ 994 /* process the INIT-ACK parameters */ 995 if (stcb->asoc.primary_destination->dest_state & 996 SCTP_ADDR_UNCONFIRMED) { 997 /* 998 * The primary is where we sent the INIT, we can 999 * always consider it confirmed when the INIT-ACK is 1000 * returned. Do this before we load addresses 1001 * though. 1002 */ 1003 stcb->asoc.primary_destination->dest_state &= 1004 ~SCTP_ADDR_UNCONFIRMED; 1005 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 1006 stcb, 0, (void *)stcb->asoc.primary_destination); 1007 } 1008 if (sctp_process_init_ack(m, iphlen, offset, sh, cp, stcb, net, 1009 abort_no_unlock) < 0) { 1010 /* error in parsing parameters */ 1011 return (-1); 1012 } 1013 /* update our state */ 1014 #ifdef SCTP_DEBUG 1015 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1016 printf("moving to COOKIE-ECHOED state\n"); 1017 } 1018 #endif 1019 if (*state & SCTP_STATE_SHUTDOWN_PENDING) { 1020 *state = SCTP_STATE_COOKIE_ECHOED | 1021 SCTP_STATE_SHUTDOWN_PENDING; 1022 } else { 1023 *state = SCTP_STATE_COOKIE_ECHOED; 1024 } 1025 1026 /* reset the RTO calc */ 1027 stcb->asoc.overall_error_count = 0; 1028 SCTP_GETTIME_TIMEVAL(&stcb->asoc.time_entered); 1029 /* 1030 * collapse the init timer back in case of a exponential 1031 * backoff 1032 */ 1033 sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, stcb->sctp_ep, 1034 stcb, net); 1035 /* 1036 * the send at the end of the inbound data processing will 1037 * cause the cookie to be sent 1038 */ 1039 break; 1040 case SCTP_STATE_SHUTDOWN_SENT: 1041 /* incorrect state... discard */ 1042 break; 1043 case SCTP_STATE_COOKIE_ECHOED: 1044 /* incorrect state... discard */ 1045 break; 1046 case SCTP_STATE_OPEN: 1047 /* incorrect state... discard */ 1048 break; 1049 case SCTP_STATE_EMPTY: 1050 case SCTP_STATE_INUSE: 1051 default: 1052 /* incorrect state... discard */ 1053 return (-1); 1054 break; 1055 } /* end switch asoc state */ 1056 #ifdef SCTP_DEBUG 1057 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1058 printf("Leaving handle-init-ack end\n"); 1059 } 1060 #endif 1061 return (0); 1062 } 1063 1064 1065 /* 1066 * handle a state cookie for an existing association m: input packet mbuf 1067 * chain-- assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a 1068 * "split" mbuf and the cookie signature does not exist offset: offset into 1069 * mbuf to the cookie-echo chunk 1070 */ 1071 static struct sctp_tcb * 1072 sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset, 1073 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1074 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 1075 struct sockaddr *init_src, int *notification, sctp_assoc_t * sac_assoc_id) 1076 { 1077 struct sctp_association *asoc; 1078 struct sctp_init_chunk *init_cp, init_buf; 1079 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1080 int chk_length; 1081 int init_offset, initack_offset, i; 1082 int retval; 1083 int spec_flag = 0; 1084 int how_indx; 1085 1086 /* I know that the TCB is non-NULL from the caller */ 1087 asoc = &stcb->asoc; 1088 for (how_indx = 0; how_indx < sizeof(asoc->cookie_how); how_indx++) { 1089 if (asoc->cookie_how[how_indx] == 0) 1090 break; 1091 } 1092 if (how_indx < sizeof(asoc->cookie_how)) { 1093 asoc->cookie_how[how_indx] = 1; 1094 } 1095 if (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) { 1096 /* SHUTDOWN came in after sending INIT-ACK */ 1097 struct mbuf *op_err; 1098 struct sctp_paramhdr *ph; 1099 1100 sctp_send_shutdown_ack(stcb, stcb->asoc.primary_destination); 1101 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 1102 0, M_DONTWAIT, 1, MT_DATA); 1103 if (op_err == NULL) { 1104 /* FOOBAR */ 1105 return (NULL); 1106 } 1107 /* pre-reserve some space */ 1108 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 1109 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 1110 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 1111 /* Set the len */ 1112 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_paramhdr); 1113 ph = mtod(op_err, struct sctp_paramhdr *); 1114 ph->param_type = htons(SCTP_CAUSE_COOKIE_IN_SHUTDOWN); 1115 ph->param_length = htons(sizeof(struct sctp_paramhdr)); 1116 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 1117 if (how_indx < sizeof(asoc->cookie_how)) 1118 asoc->cookie_how[how_indx] = 2; 1119 return (NULL); 1120 } 1121 /* 1122 * find and validate the INIT chunk in the cookie (peer's info) the 1123 * INIT should start after the cookie-echo header struct (chunk 1124 * header, state cookie header struct) 1125 */ 1126 init_offset = offset += sizeof(struct sctp_cookie_echo_chunk); 1127 1128 init_cp = (struct sctp_init_chunk *) 1129 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1130 (uint8_t *) & init_buf); 1131 if (init_cp == NULL) { 1132 /* could not pull a INIT chunk in cookie */ 1133 return (NULL); 1134 } 1135 chk_length = ntohs(init_cp->ch.chunk_length); 1136 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1137 return (NULL); 1138 } 1139 /* 1140 * find and validate the INIT-ACK chunk in the cookie (my info) the 1141 * INIT-ACK follows the INIT chunk 1142 */ 1143 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1144 initack_cp = (struct sctp_init_ack_chunk *) 1145 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1146 (uint8_t *) & initack_buf); 1147 if (initack_cp == NULL) { 1148 /* could not pull INIT-ACK chunk in cookie */ 1149 return (NULL); 1150 } 1151 chk_length = ntohs(initack_cp->ch.chunk_length); 1152 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1153 return (NULL); 1154 } 1155 if ((ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag) && 1156 (ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag)) { 1157 /* 1158 * case D in Section 5.2.4 Table 2: MMAA process accordingly 1159 * to get into the OPEN state 1160 */ 1161 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1162 #ifdef INVARIANTS 1163 panic("Case D and non-match seq?"); 1164 #else 1165 printf("Case D, seq non-match %x vs %x?\n", 1166 ntohl(initack_cp->init.initial_tsn), asoc->init_seq_number); 1167 #endif 1168 } 1169 switch SCTP_GET_STATE 1170 (asoc) { 1171 case SCTP_STATE_COOKIE_WAIT: 1172 case SCTP_STATE_COOKIE_ECHOED: 1173 /* 1174 * INIT was sent, but got got a COOKIE_ECHO with the 1175 * correct tags... just accept it...but we must 1176 * process the init so that we can make sure we have 1177 * the right seq no's. 1178 */ 1179 /* First we must process the INIT !! */ 1180 retval = sctp_process_init(init_cp, stcb, net); 1181 if (retval < 0) { 1182 if (how_indx < sizeof(asoc->cookie_how)) 1183 asoc->cookie_how[how_indx] = 3; 1184 return (NULL); 1185 } 1186 /* we have already processed the INIT so no problem */ 1187 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, 1188 net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_11); 1189 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_12); 1190 /* update current state */ 1191 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1192 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1193 else 1194 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1195 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1196 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1197 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1198 stcb->sctp_ep, stcb, asoc->primary_destination); 1199 1200 } else { 1201 /* if ok, move to OPEN state */ 1202 asoc->state = SCTP_STATE_OPEN; 1203 } 1204 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1205 sctp_stop_all_cookie_timers(stcb); 1206 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1207 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1208 (inp->sctp_socket->so_qlimit == 0) 1209 ) { 1210 /* 1211 * Here is where collision would go if we 1212 * did a connect() and instead got a 1213 * init/init-ack/cookie done before the 1214 * init-ack came back.. 1215 */ 1216 stcb->sctp_ep->sctp_flags |= 1217 SCTP_PCB_FLAGS_CONNECTED; 1218 soisconnected(stcb->sctp_ep->sctp_socket); 1219 } 1220 /* notify upper layer */ 1221 *notification = SCTP_NOTIFY_ASSOC_UP; 1222 /* 1223 * since we did not send a HB make sure we don't 1224 * double things 1225 */ 1226 net->hb_responded = 1; 1227 1228 if (stcb->asoc.sctp_autoclose_ticks && 1229 (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE))) { 1230 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 1231 inp, stcb, NULL); 1232 } 1233 break; 1234 default: 1235 /* 1236 * we're in the OPEN state (or beyond), so peer must 1237 * have simply lost the COOKIE-ACK 1238 */ 1239 1240 break; 1241 } /* end switch */ 1242 sctp_stop_all_cookie_timers(stcb); 1243 /* 1244 * We ignore the return code here.. not sure if we should 1245 * somehow abort.. but we do have an existing asoc. This 1246 * really should not fail. 1247 */ 1248 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1249 init_offset + sizeof(struct sctp_init_chunk), 1250 initack_offset, sh, init_src)) { 1251 if (how_indx < sizeof(asoc->cookie_how)) 1252 asoc->cookie_how[how_indx] = 4; 1253 return (NULL); 1254 } 1255 /* respond with a COOKIE-ACK */ 1256 sctp_toss_old_cookies(stcb, asoc); 1257 sctp_send_cookie_ack(stcb); 1258 if (how_indx < sizeof(asoc->cookie_how)) 1259 asoc->cookie_how[how_indx] = 5; 1260 return (stcb); 1261 } /* end if */ 1262 if (ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1263 ntohl(init_cp->init.initiate_tag) == asoc->peer_vtag && 1264 cookie->tie_tag_my_vtag == 0 && 1265 cookie->tie_tag_peer_vtag == 0) { 1266 /* 1267 * case C in Section 5.2.4 Table 2: XMOO silently discard 1268 */ 1269 if (how_indx < sizeof(asoc->cookie_how)) 1270 asoc->cookie_how[how_indx] = 6; 1271 return (NULL); 1272 } 1273 if (ntohl(initack_cp->init.initiate_tag) == asoc->my_vtag && 1274 (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag || 1275 init_cp->init.initiate_tag == 0)) { 1276 /* 1277 * case B in Section 5.2.4 Table 2: MXAA or MOAA my info 1278 * should be ok, re-accept peer info 1279 */ 1280 if (ntohl(initack_cp->init.initial_tsn) != asoc->init_seq_number) { 1281 /* 1282 * Extension of case C. If we hit this, then the 1283 * random number generator returned the same vtag 1284 * when we first sent our INIT-ACK and when we later 1285 * sent our INIT. The side with the seq numbers that 1286 * are different will be the one that normnally 1287 * would have hit case C. This in effect "extends" 1288 * our vtags in this collision case to be 64 bits. 1289 * The same collision could occur aka you get both 1290 * vtag and seq number the same twice in a row.. but 1291 * is much less likely. If it did happen then we 1292 * would proceed through and bring up the assoc.. we 1293 * may end up with the wrong stream setup however.. 1294 * which would be bad.. but there is no way to 1295 * tell.. until we send on a stream that does not 1296 * exist :-) 1297 */ 1298 if (how_indx < sizeof(asoc->cookie_how)) 1299 asoc->cookie_how[how_indx] = 7; 1300 1301 return (NULL); 1302 } 1303 if (how_indx < sizeof(asoc->cookie_how)) 1304 asoc->cookie_how[how_indx] = 8; 1305 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_13); 1306 sctp_stop_all_cookie_timers(stcb); 1307 /* 1308 * since we did not send a HB make sure we don't double 1309 * things 1310 */ 1311 net->hb_responded = 1; 1312 if (stcb->asoc.sctp_autoclose_ticks && 1313 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1314 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, 1315 NULL); 1316 } 1317 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1318 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1319 1320 /* Note last_cwr_tsn? where is this used? */ 1321 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1322 if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) { 1323 /* 1324 * Ok the peer probably discarded our data (if we 1325 * echoed a cookie+data). So anything on the 1326 * sent_queue should be marked for retransmit, we 1327 * may not get something to kick us so it COULD 1328 * still take a timeout to move these.. but it can't 1329 * hurt to mark them. 1330 */ 1331 struct sctp_tmit_chunk *chk; 1332 1333 TAILQ_FOREACH(chk, &stcb->asoc.sent_queue, sctp_next) { 1334 if (chk->sent < SCTP_DATAGRAM_RESEND) { 1335 chk->sent = SCTP_DATAGRAM_RESEND; 1336 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 1337 spec_flag++; 1338 } 1339 } 1340 1341 } 1342 /* process the INIT info (peer's info) */ 1343 retval = sctp_process_init(init_cp, stcb, net); 1344 if (retval < 0) { 1345 if (how_indx < sizeof(asoc->cookie_how)) 1346 asoc->cookie_how[how_indx] = 9; 1347 return (NULL); 1348 } 1349 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1350 init_offset + sizeof(struct sctp_init_chunk), 1351 initack_offset, sh, init_src)) { 1352 if (how_indx < sizeof(asoc->cookie_how)) 1353 asoc->cookie_how[how_indx] = 10; 1354 return (NULL); 1355 } 1356 if ((asoc->state & SCTP_STATE_COOKIE_WAIT) || 1357 (asoc->state & SCTP_STATE_COOKIE_ECHOED)) { 1358 *notification = SCTP_NOTIFY_ASSOC_UP; 1359 1360 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1361 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1362 (inp->sctp_socket->so_qlimit == 0)) { 1363 stcb->sctp_ep->sctp_flags |= 1364 SCTP_PCB_FLAGS_CONNECTED; 1365 soisconnected(stcb->sctp_ep->sctp_socket); 1366 } 1367 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) 1368 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1369 else 1370 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1371 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 1372 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1373 } else if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1374 SCTP_STAT_INCR_COUNTER32(sctps_restartestab); 1375 } else { 1376 SCTP_STAT_INCR_COUNTER32(sctps_collisionestab); 1377 } 1378 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1379 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1380 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1381 stcb->sctp_ep, stcb, asoc->primary_destination); 1382 1383 } else { 1384 asoc->state = SCTP_STATE_OPEN; 1385 } 1386 sctp_stop_all_cookie_timers(stcb); 1387 sctp_toss_old_cookies(stcb, asoc); 1388 sctp_send_cookie_ack(stcb); 1389 if (spec_flag) { 1390 /* 1391 * only if we have retrans set do we do this. What 1392 * this call does is get only the COOKIE-ACK out and 1393 * then when we return the normal call to 1394 * sctp_chunk_output will get the retrans out behind 1395 * this. 1396 */ 1397 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_COOKIE_ACK); 1398 } 1399 if (how_indx < sizeof(asoc->cookie_how)) 1400 asoc->cookie_how[how_indx] = 11; 1401 1402 return (stcb); 1403 } 1404 if ((ntohl(initack_cp->init.initiate_tag) != asoc->my_vtag && 1405 ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) && 1406 cookie->tie_tag_my_vtag == asoc->my_vtag_nonce && 1407 cookie->tie_tag_peer_vtag == asoc->peer_vtag_nonce && 1408 cookie->tie_tag_peer_vtag != 0) { 1409 struct sctpasochead *head; 1410 1411 /* 1412 * case A in Section 5.2.4 Table 2: XXMM (peer restarted) 1413 */ 1414 /* temp code */ 1415 if (how_indx < sizeof(asoc->cookie_how)) 1416 asoc->cookie_how[how_indx] = 12; 1417 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_14); 1418 sctp_timer_stop(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_15); 1419 1420 *sac_assoc_id = sctp_get_associd(stcb); 1421 /* notify upper layer */ 1422 *notification = SCTP_NOTIFY_ASSOC_RESTART; 1423 atomic_add_int(&stcb->asoc.refcnt, 1); 1424 if ((SCTP_GET_STATE(asoc) != SCTP_STATE_OPEN) && 1425 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) && 1426 (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT)) { 1427 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1428 } 1429 if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) { 1430 SCTP_STAT_INCR_GAUGE32(sctps_restartestab); 1431 } else if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) { 1432 SCTP_STAT_INCR_GAUGE32(sctps_collisionestab); 1433 } 1434 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1435 asoc->state = SCTP_STATE_OPEN | 1436 SCTP_STATE_SHUTDOWN_PENDING; 1437 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1438 stcb->sctp_ep, stcb, asoc->primary_destination); 1439 1440 } else if (!(asoc->state & SCTP_STATE_SHUTDOWN_SENT)) { 1441 /* move to OPEN state, if not in SHUTDOWN_SENT */ 1442 asoc->state = SCTP_STATE_OPEN; 1443 } 1444 asoc->pre_open_streams = 1445 ntohs(initack_cp->init.num_outbound_streams); 1446 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1447 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1448 1449 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1450 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1451 1452 asoc->str_reset_seq_in = asoc->init_seq_number; 1453 1454 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1455 if (asoc->mapping_array) 1456 memset(asoc->mapping_array, 0, 1457 asoc->mapping_array_size); 1458 SCTP_TCB_UNLOCK(stcb); 1459 SCTP_INP_INFO_WLOCK(); 1460 SCTP_INP_WLOCK(stcb->sctp_ep); 1461 SCTP_TCB_LOCK(stcb); 1462 atomic_add_int(&stcb->asoc.refcnt, -1); 1463 /* send up all the data */ 1464 SCTP_TCB_SEND_LOCK(stcb); 1465 1466 sctp_report_all_outbound(stcb, 1); 1467 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 1468 stcb->asoc.strmout[i].stream_no = i; 1469 stcb->asoc.strmout[i].next_sequence_sent = 0; 1470 stcb->asoc.strmout[i].last_msg_incomplete = 0; 1471 } 1472 /* process the INIT-ACK info (my info) */ 1473 asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1474 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1475 1476 /* pull from vtag hash */ 1477 LIST_REMOVE(stcb, sctp_asocs); 1478 /* re-insert to new vtag position */ 1479 head = &sctppcbinfo.sctp_asochash[SCTP_PCBHASH_ASOC(stcb->asoc.my_vtag, 1480 sctppcbinfo.hashasocmark)]; 1481 /* 1482 * put it in the bucket in the vtag hash of assoc's for the 1483 * system 1484 */ 1485 LIST_INSERT_HEAD(head, stcb, sctp_asocs); 1486 1487 /* Is this the first restart? */ 1488 if (stcb->asoc.in_restart_hash == 0) { 1489 /* Ok add it to assoc_id vtag hash */ 1490 head = &sctppcbinfo.sctp_restarthash[SCTP_PCBHASH_ASOC(stcb->asoc.assoc_id, 1491 sctppcbinfo.hashrestartmark)]; 1492 LIST_INSERT_HEAD(head, stcb, sctp_tcbrestarhash); 1493 stcb->asoc.in_restart_hash = 1; 1494 } 1495 /* process the INIT info (peer's info) */ 1496 SCTP_TCB_SEND_UNLOCK(stcb); 1497 SCTP_INP_WUNLOCK(stcb->sctp_ep); 1498 SCTP_INP_INFO_WUNLOCK(); 1499 1500 retval = sctp_process_init(init_cp, stcb, net); 1501 if (retval < 0) { 1502 if (how_indx < sizeof(asoc->cookie_how)) 1503 asoc->cookie_how[how_indx] = 13; 1504 1505 return (NULL); 1506 } 1507 /* 1508 * since we did not send a HB make sure we don't double 1509 * things 1510 */ 1511 net->hb_responded = 1; 1512 1513 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1514 init_offset + sizeof(struct sctp_init_chunk), 1515 initack_offset, sh, init_src)) { 1516 if (how_indx < sizeof(asoc->cookie_how)) 1517 asoc->cookie_how[how_indx] = 14; 1518 1519 return (NULL); 1520 } 1521 /* respond with a COOKIE-ACK */ 1522 sctp_stop_all_cookie_timers(stcb); 1523 sctp_toss_old_cookies(stcb, asoc); 1524 sctp_send_cookie_ack(stcb); 1525 if (how_indx < sizeof(asoc->cookie_how)) 1526 asoc->cookie_how[how_indx] = 15; 1527 1528 return (stcb); 1529 } 1530 if (how_indx < sizeof(asoc->cookie_how)) 1531 asoc->cookie_how[how_indx] = 16; 1532 /* all other cases... */ 1533 return (NULL); 1534 } 1535 1536 1537 /* 1538 * handle a state cookie for a new association m: input packet mbuf chain-- 1539 * assumes a pullup on IP/SCTP/COOKIE-ECHO chunk note: this is a "split" mbuf 1540 * and the cookie signature does not exist offset: offset into mbuf to the 1541 * cookie-echo chunk length: length of the cookie chunk to: where the init 1542 * was from returns a new TCB 1543 */ 1544 static struct sctp_tcb * 1545 sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, 1546 struct sctphdr *sh, struct sctp_state_cookie *cookie, int cookie_len, 1547 struct sctp_inpcb *inp, struct sctp_nets **netp, 1548 struct sockaddr *init_src, int *notification, 1549 int auth_skipped, uint32_t auth_offset, uint32_t auth_len) 1550 { 1551 struct sctp_tcb *stcb; 1552 struct sctp_init_chunk *init_cp, init_buf; 1553 struct sctp_init_ack_chunk *initack_cp, initack_buf; 1554 struct sockaddr_storage sa_store; 1555 struct sockaddr *initack_src = (struct sockaddr *)&sa_store; 1556 struct sockaddr_in *sin; 1557 struct sockaddr_in6 *sin6; 1558 struct sctp_association *asoc; 1559 uint32_t vrf_id; 1560 int chk_length; 1561 int init_offset, initack_offset, initack_limit; 1562 int retval; 1563 int error = 0; 1564 uint32_t old_tag; 1565 uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; 1566 1567 vrf_id = inp->def_vrf_id; 1568 1569 /* 1570 * find and validate the INIT chunk in the cookie (peer's info) the 1571 * INIT should start after the cookie-echo header struct (chunk 1572 * header, state cookie header struct) 1573 */ 1574 init_offset = offset + sizeof(struct sctp_cookie_echo_chunk); 1575 init_cp = (struct sctp_init_chunk *) 1576 sctp_m_getptr(m, init_offset, sizeof(struct sctp_init_chunk), 1577 (uint8_t *) & init_buf); 1578 if (init_cp == NULL) { 1579 /* could not pull a INIT chunk in cookie */ 1580 #ifdef SCTP_DEBUG 1581 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1582 printf("process_cookie_new: could not pull INIT chunk hdr\n"); 1583 } 1584 #endif /* SCTP_DEBUG */ 1585 return (NULL); 1586 } 1587 chk_length = ntohs(init_cp->ch.chunk_length); 1588 if (init_cp->ch.chunk_type != SCTP_INITIATION) { 1589 #ifdef SCTP_DEBUG 1590 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1591 printf("HUH? process_cookie_new: could not find INIT chunk!\n"); 1592 } 1593 #endif /* SCTP_DEBUG */ 1594 return (NULL); 1595 } 1596 initack_offset = init_offset + SCTP_SIZE32(chk_length); 1597 /* 1598 * find and validate the INIT-ACK chunk in the cookie (my info) the 1599 * INIT-ACK follows the INIT chunk 1600 */ 1601 initack_cp = (struct sctp_init_ack_chunk *) 1602 sctp_m_getptr(m, initack_offset, sizeof(struct sctp_init_ack_chunk), 1603 (uint8_t *) & initack_buf); 1604 if (initack_cp == NULL) { 1605 /* could not pull INIT-ACK chunk in cookie */ 1606 #ifdef SCTP_DEBUG 1607 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1608 printf("process_cookie_new: could not pull INIT-ACK chunk hdr\n"); 1609 } 1610 #endif /* SCTP_DEBUG */ 1611 return (NULL); 1612 } 1613 chk_length = ntohs(initack_cp->ch.chunk_length); 1614 if (initack_cp->ch.chunk_type != SCTP_INITIATION_ACK) { 1615 return (NULL); 1616 } 1617 /* 1618 * NOTE: We can't use the INIT_ACK's chk_length to determine the 1619 * "initack_limit" value. This is because the chk_length field 1620 * includes the length of the cookie, but the cookie is omitted when 1621 * the INIT and INIT_ACK are tacked onto the cookie... 1622 */ 1623 initack_limit = offset + cookie_len; 1624 1625 /* 1626 * now that we know the INIT/INIT-ACK are in place, create a new TCB 1627 * and popluate 1628 */ 1629 stcb = sctp_aloc_assoc(inp, init_src, 0, &error, 1630 ntohl(initack_cp->init.initiate_tag), vrf_id); 1631 if (stcb == NULL) { 1632 struct mbuf *op_err; 1633 1634 /* memory problem? */ 1635 #ifdef SCTP_DEBUG 1636 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1637 printf("process_cookie_new: no room for another TCB!\n"); 1638 } 1639 #endif /* SCTP_DEBUG */ 1640 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1641 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1642 sh, op_err); 1643 return (NULL); 1644 } 1645 /* get the correct sctp_nets */ 1646 *netp = sctp_findnet(stcb, init_src); 1647 asoc = &stcb->asoc; 1648 /* get scope variables out of cookie */ 1649 asoc->ipv4_local_scope = cookie->ipv4_scope; 1650 asoc->site_scope = cookie->site_scope; 1651 asoc->local_scope = cookie->local_scope; 1652 asoc->loopback_scope = cookie->loopback_scope; 1653 1654 if ((asoc->ipv4_addr_legal != cookie->ipv4_addr_legal) || 1655 (asoc->ipv6_addr_legal != cookie->ipv6_addr_legal)) { 1656 struct mbuf *op_err; 1657 1658 /* 1659 * Houston we have a problem. The EP changed while the 1660 * cookie was in flight. Only recourse is to abort the 1661 * association. 1662 */ 1663 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 1664 sctp_abort_association(inp, (struct sctp_tcb *)NULL, m, iphlen, 1665 sh, op_err); 1666 return (NULL); 1667 } 1668 /* process the INIT-ACK info (my info) */ 1669 old_tag = asoc->my_vtag; 1670 asoc->assoc_id = asoc->my_vtag = ntohl(initack_cp->init.initiate_tag); 1671 asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd); 1672 asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams); 1673 asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn); 1674 asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = asoc->init_seq_number; 1675 asoc->last_cwr_tsn = asoc->init_seq_number - 1; 1676 asoc->asconf_seq_in = asoc->last_acked_seq = asoc->init_seq_number - 1; 1677 asoc->str_reset_seq_in = asoc->init_seq_number; 1678 1679 asoc->advanced_peer_ack_point = asoc->last_acked_seq; 1680 1681 /* process the INIT info (peer's info) */ 1682 retval = sctp_process_init(init_cp, stcb, *netp); 1683 if (retval < 0) { 1684 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_16); 1685 return (NULL); 1686 } 1687 /* load all addresses */ 1688 if (sctp_load_addresses_from_init(stcb, m, iphlen, 1689 init_offset + sizeof(struct sctp_init_chunk), initack_offset, sh, 1690 init_src)) { 1691 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_17); 1692 return (NULL); 1693 } 1694 /* 1695 * verify any preceding AUTH chunk that was skipped 1696 */ 1697 /* pull the local authentication parameters from the cookie/init-ack */ 1698 sctp_auth_get_cookie_params(stcb, m, 1699 initack_offset + sizeof(struct sctp_init_ack_chunk), 1700 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk))); 1701 if (auth_skipped) { 1702 struct sctp_auth_chunk *auth; 1703 1704 auth = (struct sctp_auth_chunk *) 1705 sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); 1706 if (sctp_handle_auth(stcb, auth, m, auth_offset)) { 1707 /* auth HMAC failed, dump the assoc and packet */ 1708 #ifdef SCTP_DEBUG 1709 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 1710 printf("COOKIE-ECHO: AUTH failed\n"); 1711 #endif /* SCTP_DEBUG */ 1712 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_18); 1713 return (NULL); 1714 } else { 1715 /* remaining chunks checked... good to go */ 1716 stcb->asoc.authenticated = 1; 1717 } 1718 } 1719 /* update current state */ 1720 #ifdef SCTP_DEBUG 1721 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 1722 printf("moving to OPEN state\n"); 1723 } 1724 #endif 1725 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 1726 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 1727 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 1728 stcb->sctp_ep, stcb, asoc->primary_destination); 1729 } else { 1730 asoc->state = SCTP_STATE_OPEN; 1731 } 1732 sctp_stop_all_cookie_timers(stcb); 1733 SCTP_STAT_INCR_COUNTER32(sctps_passiveestab); 1734 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 1735 1736 /* 1737 * if we're doing ASCONFs, check to see if we have any new local 1738 * addresses that need to get added to the peer (eg. addresses 1739 * changed while cookie echo in flight). This needs to be done 1740 * after we go to the OPEN state to do the correct asconf 1741 * processing. else, make sure we have the correct addresses in our 1742 * lists 1743 */ 1744 1745 /* warning, we re-use sin, sin6, sa_store here! */ 1746 /* pull in local_address (our "from" address) */ 1747 if (cookie->laddr_type == SCTP_IPV4_ADDRESS) { 1748 /* source addr is IPv4 */ 1749 sin = (struct sockaddr_in *)initack_src; 1750 memset(sin, 0, sizeof(*sin)); 1751 sin->sin_family = AF_INET; 1752 sin->sin_len = sizeof(struct sockaddr_in); 1753 sin->sin_addr.s_addr = cookie->laddress[0]; 1754 } else if (cookie->laddr_type == SCTP_IPV6_ADDRESS) { 1755 /* source addr is IPv6 */ 1756 sin6 = (struct sockaddr_in6 *)initack_src; 1757 memset(sin6, 0, sizeof(*sin6)); 1758 sin6->sin6_family = AF_INET6; 1759 sin6->sin6_len = sizeof(struct sockaddr_in6); 1760 sin6->sin6_scope_id = cookie->scope_id; 1761 memcpy(&sin6->sin6_addr, cookie->laddress, 1762 sizeof(sin6->sin6_addr)); 1763 } else { 1764 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_19); 1765 return (NULL); 1766 } 1767 1768 sctp_check_address_list(stcb, m, 1769 initack_offset + sizeof(struct sctp_init_ack_chunk), 1770 initack_limit - (initack_offset + sizeof(struct sctp_init_ack_chunk)), 1771 initack_src, cookie->local_scope, cookie->site_scope, 1772 cookie->ipv4_scope, cookie->loopback_scope); 1773 1774 1775 /* set up to notify upper layer */ 1776 *notification = SCTP_NOTIFY_ASSOC_UP; 1777 if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 1778 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) && 1779 (inp->sctp_socket->so_qlimit == 0)) { 1780 /* 1781 * This is an endpoint that called connect() how it got a 1782 * cookie that is NEW is a bit of a mystery. It must be that 1783 * the INIT was sent, but before it got there.. a complete 1784 * INIT/INIT-ACK/COOKIE arrived. But of course then it 1785 * should have went to the other code.. not here.. oh well.. 1786 * a bit of protection is worth having.. 1787 */ 1788 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 1789 soisconnected(stcb->sctp_ep->sctp_socket); 1790 } else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) && 1791 (inp->sctp_socket->so_qlimit)) { 1792 /* 1793 * We don't want to do anything with this one. Since it is 1794 * the listening guy. The timer will get started for 1795 * accepted connections in the caller. 1796 */ 1797 ; 1798 } 1799 /* since we did not send a HB make sure we don't double things */ 1800 (*netp)->hb_responded = 1; 1801 1802 if (stcb->asoc.sctp_autoclose_ticks && 1803 sctp_is_feature_on(inp, SCTP_PCB_FLAGS_AUTOCLOSE)) { 1804 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, inp, stcb, NULL); 1805 } 1806 /* respond with a COOKIE-ACK */ 1807 /* calculate the RTT */ 1808 (*netp)->RTO = sctp_calculate_rto(stcb, asoc, *netp, 1809 &cookie->time_entered); 1810 sctp_send_cookie_ack(stcb); 1811 return (stcb); 1812 } 1813 1814 1815 /* 1816 * handles a COOKIE-ECHO message stcb: modified to either a new or left as 1817 * existing (non-NULL) TCB 1818 */ 1819 static struct mbuf * 1820 sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, 1821 struct sctphdr *sh, struct sctp_cookie_echo_chunk *cp, 1822 struct sctp_inpcb **inp_p, struct sctp_tcb **stcb, struct sctp_nets **netp, 1823 int auth_skipped, uint32_t auth_offset, uint32_t auth_len, struct sctp_tcb **locked_tcb) 1824 { 1825 struct sctp_state_cookie *cookie; 1826 struct sockaddr_in6 sin6; 1827 struct sockaddr_in sin; 1828 struct sctp_tcb *l_stcb = *stcb; 1829 struct sctp_inpcb *l_inp; 1830 struct sockaddr *to; 1831 sctp_assoc_t sac_restart_id; 1832 struct sctp_pcb *ep; 1833 struct mbuf *m_sig; 1834 uint8_t calc_sig[SCTP_SIGNATURE_SIZE], tmp_sig[SCTP_SIGNATURE_SIZE]; 1835 uint8_t *sig; 1836 uint8_t cookie_ok = 0; 1837 unsigned int size_of_pkt, sig_offset, cookie_offset; 1838 unsigned int cookie_len; 1839 struct timeval now; 1840 struct timeval time_expires; 1841 struct sockaddr_storage dest_store; 1842 struct sockaddr *localep_sa = (struct sockaddr *)&dest_store; 1843 struct ip *iph; 1844 int notification = 0; 1845 struct sctp_nets *netl; 1846 int had_a_existing_tcb = 0; 1847 1848 #ifdef SCTP_DEBUG 1849 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1850 printf("sctp_handle_cookie: handling COOKIE-ECHO\n"); 1851 } 1852 #endif 1853 1854 if (inp_p == NULL) { 1855 return (NULL); 1856 } 1857 /* First get the destination address setup too. */ 1858 iph = mtod(m, struct ip *); 1859 if (iph->ip_v == IPVERSION) { 1860 /* its IPv4 */ 1861 struct sockaddr_in *sin; 1862 1863 sin = (struct sockaddr_in *)(localep_sa); 1864 memset(sin, 0, sizeof(*sin)); 1865 sin->sin_family = AF_INET; 1866 sin->sin_len = sizeof(*sin); 1867 sin->sin_port = sh->dest_port; 1868 sin->sin_addr.s_addr = iph->ip_dst.s_addr; 1869 size_of_pkt = SCTP_GET_IPV4_LENGTH(iph); 1870 } else if (iph->ip_v == (IPV6_VERSION >> 4)) { 1871 /* its IPv6 */ 1872 struct ip6_hdr *ip6; 1873 struct sockaddr_in6 *sin6; 1874 1875 sin6 = (struct sockaddr_in6 *)(localep_sa); 1876 memset(sin6, 0, sizeof(*sin6)); 1877 sin6->sin6_family = AF_INET6; 1878 sin6->sin6_len = sizeof(struct sockaddr_in6); 1879 ip6 = mtod(m, struct ip6_hdr *); 1880 sin6->sin6_port = sh->dest_port; 1881 sin6->sin6_addr = ip6->ip6_dst; 1882 size_of_pkt = SCTP_GET_IPV6_LENGTH(ip6) + iphlen; 1883 } else { 1884 return (NULL); 1885 } 1886 1887 cookie = &cp->cookie; 1888 cookie_offset = offset + sizeof(struct sctp_chunkhdr); 1889 cookie_len = ntohs(cp->ch.chunk_length); 1890 1891 if ((cookie->peerport != sh->src_port) && 1892 (cookie->myport != sh->dest_port) && 1893 (cookie->my_vtag != sh->v_tag)) { 1894 /* 1895 * invalid ports or bad tag. Note that we always leave the 1896 * v_tag in the header in network order and when we stored 1897 * it in the my_vtag slot we also left it in network order. 1898 * This maintians the match even though it may be in the 1899 * opposite byte order of the machine :-> 1900 */ 1901 return (NULL); 1902 } 1903 if (cookie_len > size_of_pkt || 1904 cookie_len < sizeof(struct sctp_cookie_echo_chunk) + 1905 sizeof(struct sctp_init_chunk) + 1906 sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { 1907 /* cookie too long! or too small */ 1908 return (NULL); 1909 } 1910 /* 1911 * split off the signature into its own mbuf (since it should not be 1912 * calculated in the sctp_hmac_m() call). 1913 */ 1914 sig_offset = offset + cookie_len - SCTP_SIGNATURE_SIZE; 1915 if (sig_offset > size_of_pkt) { 1916 /* packet not correct size! */ 1917 /* XXX this may already be accounted for earlier... */ 1918 return (NULL); 1919 } 1920 m_sig = m_split(m, sig_offset, M_DONTWAIT); 1921 if (m_sig == NULL) { 1922 /* out of memory or ?? */ 1923 return (NULL); 1924 } 1925 /* 1926 * compute the signature/digest for the cookie 1927 */ 1928 ep = &(*inp_p)->sctp_ep; 1929 l_inp = *inp_p; 1930 if (l_stcb) { 1931 SCTP_TCB_UNLOCK(l_stcb); 1932 } 1933 SCTP_INP_RLOCK(l_inp); 1934 if (l_stcb) { 1935 SCTP_TCB_LOCK(l_stcb); 1936 } 1937 /* which cookie is it? */ 1938 if ((cookie->time_entered.tv_sec < (long)ep->time_of_secret_change) && 1939 (ep->current_secret_number != ep->last_secret_number)) { 1940 /* it's the old cookie */ 1941 sctp_hmac_m(SCTP_HMAC, 1942 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1943 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1944 } else { 1945 /* it's the current cookie */ 1946 sctp_hmac_m(SCTP_HMAC, 1947 (uint8_t *) ep->secret_key[(int)ep->current_secret_number], 1948 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1949 } 1950 /* get the signature */ 1951 SCTP_INP_RUNLOCK(l_inp); 1952 sig = (uint8_t *) sctp_m_getptr(m_sig, 0, SCTP_SIGNATURE_SIZE, (uint8_t *) & tmp_sig); 1953 if (sig == NULL) { 1954 /* couldn't find signature */ 1955 sctp_m_freem(m_sig); 1956 return (NULL); 1957 } 1958 /* compare the received digest with the computed digest */ 1959 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) != 0) { 1960 /* try the old cookie? */ 1961 if ((cookie->time_entered.tv_sec == (long)ep->time_of_secret_change) && 1962 (ep->current_secret_number != ep->last_secret_number)) { 1963 /* compute digest with old */ 1964 sctp_hmac_m(SCTP_HMAC, 1965 (uint8_t *) ep->secret_key[(int)ep->last_secret_number], 1966 SCTP_SECRET_SIZE, m, cookie_offset, calc_sig); 1967 /* compare */ 1968 if (memcmp(calc_sig, sig, SCTP_SIGNATURE_SIZE) == 0) 1969 cookie_ok = 1; 1970 } 1971 } else { 1972 cookie_ok = 1; 1973 } 1974 1975 /* 1976 * Now before we continue we must reconstruct our mbuf so that 1977 * normal processing of any other chunks will work. 1978 */ 1979 { 1980 struct mbuf *m_at; 1981 1982 m_at = m; 1983 while (SCTP_BUF_NEXT(m_at) != NULL) { 1984 m_at = SCTP_BUF_NEXT(m_at); 1985 } 1986 SCTP_BUF_NEXT(m_at) = m_sig; 1987 } 1988 1989 if (cookie_ok == 0) { 1990 #ifdef SCTP_DEBUG 1991 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 1992 printf("handle_cookie_echo: cookie signature validation failed!\n"); 1993 printf("offset = %u, cookie_offset = %u, sig_offset = %u\n", 1994 (uint32_t) offset, cookie_offset, sig_offset); 1995 } 1996 #endif 1997 return (NULL); 1998 } 1999 /* 2000 * check the cookie timestamps to be sure it's not stale 2001 */ 2002 SCTP_GETTIME_TIMEVAL(&now); 2003 /* Expire time is in Ticks, so we convert to seconds */ 2004 time_expires.tv_sec = cookie->time_entered.tv_sec + cookie->cookie_life; 2005 time_expires.tv_usec = cookie->time_entered.tv_usec; 2006 if (timevalcmp(&now, &time_expires, >)) { 2007 /* cookie is stale! */ 2008 struct mbuf *op_err; 2009 struct sctp_stale_cookie_msg *scm; 2010 uint32_t tim; 2011 2012 op_err = sctp_get_mbuf_for_msg(sizeof(struct sctp_stale_cookie_msg), 2013 0, M_DONTWAIT, 1, MT_DATA); 2014 if (op_err == NULL) { 2015 /* FOOBAR */ 2016 return (NULL); 2017 } 2018 /* pre-reserve some space */ 2019 SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr)); 2020 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr)); 2021 SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr)); 2022 2023 /* Set the len */ 2024 SCTP_BUF_LEN(op_err) = sizeof(struct sctp_stale_cookie_msg); 2025 scm = mtod(op_err, struct sctp_stale_cookie_msg *); 2026 scm->ph.param_type = htons(SCTP_CAUSE_STALE_COOKIE); 2027 scm->ph.param_length = htons((sizeof(struct sctp_paramhdr) + 2028 (sizeof(uint32_t)))); 2029 /* seconds to usec */ 2030 tim = (now.tv_sec - time_expires.tv_sec) * 1000000; 2031 /* add in usec */ 2032 if (tim == 0) 2033 tim = now.tv_usec - cookie->time_entered.tv_usec; 2034 scm->time_usec = htonl(tim); 2035 sctp_send_operr_to(m, iphlen, op_err, cookie->peers_vtag); 2036 return (NULL); 2037 } 2038 /* 2039 * Now we must see with the lookup address if we have an existing 2040 * asoc. This will only happen if we were in the COOKIE-WAIT state 2041 * and a INIT collided with us and somewhere the peer sent the 2042 * cookie on another address besides the single address our assoc 2043 * had for him. In this case we will have one of the tie-tags set at 2044 * least AND the address field in the cookie can be used to look it 2045 * up. 2046 */ 2047 to = NULL; 2048 if (cookie->addr_type == SCTP_IPV6_ADDRESS) { 2049 memset(&sin6, 0, sizeof(sin6)); 2050 sin6.sin6_family = AF_INET6; 2051 sin6.sin6_len = sizeof(sin6); 2052 sin6.sin6_port = sh->src_port; 2053 sin6.sin6_scope_id = cookie->scope_id; 2054 memcpy(&sin6.sin6_addr.s6_addr, cookie->address, 2055 sizeof(sin6.sin6_addr.s6_addr)); 2056 to = (struct sockaddr *)&sin6; 2057 } else if (cookie->addr_type == SCTP_IPV4_ADDRESS) { 2058 memset(&sin, 0, sizeof(sin)); 2059 sin.sin_family = AF_INET; 2060 sin.sin_len = sizeof(sin); 2061 sin.sin_port = sh->src_port; 2062 sin.sin_addr.s_addr = cookie->address[0]; 2063 to = (struct sockaddr *)&sin; 2064 } 2065 if ((*stcb == NULL) && to) { 2066 /* Yep, lets check */ 2067 *stcb = sctp_findassociation_ep_addr(inp_p, to, netp, localep_sa, NULL); 2068 if (*stcb == NULL) { 2069 /* 2070 * We should have only got back the same inp. If we 2071 * got back a different ep we have a problem. The 2072 * original findep got back l_inp and now 2073 */ 2074 if (l_inp != *inp_p) { 2075 printf("Bad problem find_ep got a diff inp then special_locate?\n"); 2076 } 2077 } else { 2078 if (*locked_tcb == NULL) { 2079 /* 2080 * In this case we found the assoc only 2081 * after we locked the create lock. This 2082 * means we are in a colliding case and we 2083 * must make sure that we unlock the tcb if 2084 * its one of the cases where we throw away 2085 * the incoming packets. 2086 */ 2087 *locked_tcb = *stcb; 2088 2089 /* 2090 * We must also increment the inp ref count 2091 * since the ref_count flags was set when we 2092 * did not find the TCB, now we found it 2093 * which reduces the refcount.. we must 2094 * raise it back out to balance it all :-) 2095 */ 2096 SCTP_INP_INCR_REF((*stcb)->sctp_ep); 2097 if ((*stcb)->sctp_ep != l_inp) { 2098 printf("Huh? ep:%p diff then l_inp:%p?\n", 2099 (*stcb)->sctp_ep, l_inp); 2100 } 2101 } 2102 } 2103 } 2104 cookie_len -= SCTP_SIGNATURE_SIZE; 2105 if (*stcb == NULL) { 2106 /* this is the "normal" case... get a new TCB */ 2107 *stcb = sctp_process_cookie_new(m, iphlen, offset, sh, cookie, 2108 cookie_len, *inp_p, netp, to, ¬ification, 2109 auth_skipped, auth_offset, auth_len); 2110 } else { 2111 /* this is abnormal... cookie-echo on existing TCB */ 2112 had_a_existing_tcb = 1; 2113 *stcb = sctp_process_cookie_existing(m, iphlen, offset, sh, 2114 cookie, cookie_len, *inp_p, *stcb, *netp, to, ¬ification, 2115 &sac_restart_id); 2116 } 2117 2118 if (*stcb == NULL) { 2119 /* still no TCB... must be bad cookie-echo */ 2120 return (NULL); 2121 } 2122 /* 2123 * Ok, we built an association so confirm the address we sent the 2124 * INIT-ACK to. 2125 */ 2126 netl = sctp_findnet(*stcb, to); 2127 /* 2128 * This code should in theory NOT run but 2129 */ 2130 if (netl == NULL) { 2131 /* TSNH! Huh, why do I need to add this address here? */ 2132 int ret; 2133 2134 ret = sctp_add_remote_addr(*stcb, to, SCTP_DONOT_SETSCOPE, 2135 SCTP_IN_COOKIE_PROC); 2136 netl = sctp_findnet(*stcb, to); 2137 } 2138 if (netl) { 2139 if (netl->dest_state & SCTP_ADDR_UNCONFIRMED) { 2140 netl->dest_state &= ~SCTP_ADDR_UNCONFIRMED; 2141 sctp_set_primary_addr((*stcb), (struct sockaddr *)NULL, 2142 netl); 2143 sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_CONFIRMED, 2144 (*stcb), 0, (void *)netl); 2145 } 2146 } 2147 if (*stcb) { 2148 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, *inp_p, 2149 *stcb, NULL); 2150 } 2151 if ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) { 2152 if (!had_a_existing_tcb || 2153 (((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) == 0)) { 2154 /* 2155 * If we have a NEW cookie or the connect never 2156 * reached the connected state during collision we 2157 * must do the TCP accept thing. 2158 */ 2159 struct socket *so, *oso; 2160 struct sctp_inpcb *inp; 2161 2162 if (notification == SCTP_NOTIFY_ASSOC_RESTART) { 2163 /* 2164 * For a restart we will keep the same 2165 * socket, no need to do anything. I THINK!! 2166 */ 2167 sctp_ulp_notify(notification, *stcb, 0, (void *)&sac_restart_id); 2168 return (m); 2169 } 2170 oso = (*inp_p)->sctp_socket; 2171 /* 2172 * We do this to keep the sockets side happy durin 2173 * the sonewcon ONLY. 2174 */ 2175 NET_LOCK_GIANT(); 2176 SCTP_TCB_UNLOCK((*stcb)); 2177 so = sonewconn(oso, 0 2178 ); 2179 NET_UNLOCK_GIANT(); 2180 SCTP_INP_WLOCK((*stcb)->sctp_ep); 2181 SCTP_TCB_LOCK((*stcb)); 2182 SCTP_INP_WUNLOCK((*stcb)->sctp_ep); 2183 if (so == NULL) { 2184 struct mbuf *op_err; 2185 2186 /* Too many sockets */ 2187 #ifdef SCTP_DEBUG 2188 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 2189 printf("process_cookie_new: no room for another socket!\n"); 2190 } 2191 #endif /* SCTP_DEBUG */ 2192 op_err = sctp_generate_invmanparam(SCTP_CAUSE_OUT_OF_RESC); 2193 sctp_abort_association(*inp_p, NULL, m, iphlen, 2194 sh, op_err); 2195 sctp_free_assoc(*inp_p, *stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_20); 2196 return (NULL); 2197 } 2198 inp = (struct sctp_inpcb *)so->so_pcb; 2199 SCTP_INP_INCR_REF(inp); 2200 /* 2201 * We add the unbound flag here so that if we get an 2202 * soabort() before we get the move_pcb done, we 2203 * will properly cleanup. 2204 */ 2205 inp->sctp_flags = (SCTP_PCB_FLAGS_TCPTYPE | 2206 SCTP_PCB_FLAGS_CONNECTED | 2207 SCTP_PCB_FLAGS_IN_TCPPOOL | 2208 SCTP_PCB_FLAGS_UNBOUND | 2209 (SCTP_PCB_COPY_FLAGS & (*inp_p)->sctp_flags) | 2210 SCTP_PCB_FLAGS_DONT_WAKE); 2211 inp->sctp_features = (*inp_p)->sctp_features; 2212 inp->sctp_socket = so; 2213 inp->sctp_frag_point = (*inp_p)->sctp_frag_point; 2214 inp->partial_delivery_point = (*inp_p)->partial_delivery_point; 2215 inp->sctp_context = (*inp_p)->sctp_context; 2216 inp->inp_starting_point_for_iterator = NULL; 2217 /* 2218 * copy in the authentication parameters from the 2219 * original endpoint 2220 */ 2221 if (inp->sctp_ep.local_hmacs) 2222 sctp_free_hmaclist(inp->sctp_ep.local_hmacs); 2223 inp->sctp_ep.local_hmacs = 2224 sctp_copy_hmaclist((*inp_p)->sctp_ep.local_hmacs); 2225 if (inp->sctp_ep.local_auth_chunks) 2226 sctp_free_chunklist(inp->sctp_ep.local_auth_chunks); 2227 inp->sctp_ep.local_auth_chunks = 2228 sctp_copy_chunklist((*inp_p)->sctp_ep.local_auth_chunks); 2229 (void)sctp_copy_skeylist(&(*inp_p)->sctp_ep.shared_keys, 2230 &inp->sctp_ep.shared_keys); 2231 2232 /* 2233 * Now we must move it from one hash table to 2234 * another and get the tcb in the right place. 2235 */ 2236 sctp_move_pcb_and_assoc(*inp_p, inp, *stcb); 2237 sctp_pull_off_control_to_new_inp((*inp_p), inp, *stcb); 2238 2239 /* 2240 * now we must check to see if we were aborted while 2241 * the move was going on and the lock/unlock 2242 * happened. 2243 */ 2244 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 2245 /* 2246 * yep it was, we leave the assoc attached 2247 * to the socket since the sctp_inpcb_free() 2248 * call will send an abort for us. 2249 */ 2250 SCTP_INP_DECR_REF(inp); 2251 return (NULL); 2252 } 2253 SCTP_INP_DECR_REF(inp); 2254 /* Switch over to the new guy */ 2255 *inp_p = inp; 2256 sctp_ulp_notify(notification, *stcb, 0, NULL); 2257 2258 /* 2259 * Pull it from the incomplete queue and wake the 2260 * guy 2261 */ 2262 soisconnected(so); 2263 return (m); 2264 } 2265 } 2266 if ((notification) && ((*inp_p)->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) { 2267 sctp_ulp_notify(notification, *stcb, 0, NULL); 2268 } 2269 return (m); 2270 } 2271 2272 static void 2273 sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp, 2274 struct sctp_tcb *stcb, struct sctp_nets *net) 2275 { 2276 /* cp must not be used, others call this without a c-ack :-) */ 2277 struct sctp_association *asoc; 2278 2279 #ifdef SCTP_DEBUG 2280 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2281 printf("sctp_handle_cookie_ack: handling COOKIE-ACK\n"); 2282 } 2283 #endif 2284 if (stcb == NULL) 2285 return; 2286 2287 asoc = &stcb->asoc; 2288 2289 sctp_stop_all_cookie_timers(stcb); 2290 /* process according to association state */ 2291 if (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) { 2292 /* state change only needed when I am in right state */ 2293 #ifdef SCTP_DEBUG 2294 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2295 printf("moving to OPEN state\n"); 2296 } 2297 #endif 2298 if (asoc->state & SCTP_STATE_SHUTDOWN_PENDING) { 2299 asoc->state = SCTP_STATE_OPEN | SCTP_STATE_SHUTDOWN_PENDING; 2300 sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, 2301 stcb->sctp_ep, stcb, asoc->primary_destination); 2302 2303 } else { 2304 asoc->state = SCTP_STATE_OPEN; 2305 } 2306 /* update RTO */ 2307 SCTP_STAT_INCR_COUNTER32(sctps_activeestab); 2308 SCTP_STAT_INCR_GAUGE32(sctps_currestab); 2309 if (asoc->overall_error_count == 0) { 2310 net->RTO = sctp_calculate_rto(stcb, asoc, net, 2311 &asoc->time_entered); 2312 } 2313 SCTP_GETTIME_TIMEVAL(&asoc->time_entered); 2314 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL); 2315 if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) || 2316 (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 2317 stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED; 2318 soisconnected(stcb->sctp_ep->sctp_socket); 2319 } 2320 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep, 2321 stcb, net); 2322 /* 2323 * since we did not send a HB make sure we don't double 2324 * things 2325 */ 2326 net->hb_responded = 1; 2327 2328 if (stcb->asoc.sctp_autoclose_ticks && 2329 sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) { 2330 sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE, 2331 stcb->sctp_ep, stcb, NULL); 2332 } 2333 /* 2334 * set ASCONF timer if ASCONFs are pending and allowed (eg. 2335 * addresses changed when init/cookie echo in flight) 2336 */ 2337 if ((sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_DO_ASCONF)) && 2338 (stcb->asoc.peer_supports_asconf) && 2339 (!TAILQ_EMPTY(&stcb->asoc.asconf_queue))) { 2340 sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, 2341 stcb->sctp_ep, stcb, 2342 stcb->asoc.primary_destination); 2343 } 2344 } 2345 /* Toss the cookie if I can */ 2346 sctp_toss_old_cookies(stcb, asoc); 2347 if (!TAILQ_EMPTY(&asoc->sent_queue)) { 2348 /* Restart the timer if we have pending data */ 2349 struct sctp_tmit_chunk *chk; 2350 2351 chk = TAILQ_FIRST(&asoc->sent_queue); 2352 if (chk) { 2353 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2354 stcb, chk->whoTo); 2355 } 2356 } 2357 } 2358 2359 static void 2360 sctp_handle_ecn_echo(struct sctp_ecne_chunk *cp, 2361 struct sctp_tcb *stcb) 2362 { 2363 struct sctp_nets *net; 2364 struct sctp_tmit_chunk *lchk; 2365 uint32_t tsn; 2366 2367 if (ntohs(cp->ch.chunk_length) != sizeof(struct sctp_ecne_chunk)) { 2368 return; 2369 } 2370 SCTP_STAT_INCR(sctps_recvecne); 2371 tsn = ntohl(cp->tsn); 2372 /* ECN Nonce stuff: need a resync and disable the nonce sum check */ 2373 /* Also we make sure we disable the nonce_wait */ 2374 lchk = TAILQ_FIRST(&stcb->asoc.send_queue); 2375 if (lchk == NULL) { 2376 stcb->asoc.nonce_resync_tsn = stcb->asoc.sending_seq; 2377 } else { 2378 stcb->asoc.nonce_resync_tsn = lchk->rec.data.TSN_seq; 2379 } 2380 stcb->asoc.nonce_wait_for_ecne = 0; 2381 stcb->asoc.nonce_sum_check = 0; 2382 2383 /* Find where it was sent, if possible */ 2384 net = NULL; 2385 lchk = TAILQ_FIRST(&stcb->asoc.sent_queue); 2386 while (lchk) { 2387 if (lchk->rec.data.TSN_seq == tsn) { 2388 net = lchk->whoTo; 2389 break; 2390 } 2391 if (compare_with_wrap(lchk->rec.data.TSN_seq, tsn, MAX_SEQ)) 2392 break; 2393 lchk = TAILQ_NEXT(lchk, sctp_next); 2394 } 2395 if (net == NULL) 2396 /* default is we use the primary */ 2397 net = stcb->asoc.primary_destination; 2398 2399 if (compare_with_wrap(tsn, stcb->asoc.last_cwr_tsn, MAX_TSN)) { 2400 #ifdef SCTP_CWND_MONITOR 2401 int old_cwnd; 2402 2403 old_cwnd = net->cwnd; 2404 #endif 2405 SCTP_STAT_INCR(sctps_ecnereducedcwnd); 2406 net->ssthresh = net->cwnd / 2; 2407 if (net->ssthresh < net->mtu) { 2408 net->ssthresh = net->mtu; 2409 /* here back off the timer as well, to slow us down */ 2410 net->RTO <<= 2; 2411 } 2412 net->cwnd = net->ssthresh; 2413 #ifdef SCTP_CWND_MONITOR 2414 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), SCTP_CWND_LOG_FROM_SAT); 2415 #endif 2416 /* 2417 * we reduce once every RTT. So we will only lower cwnd at 2418 * the next sending seq i.e. the resync_tsn. 2419 */ 2420 stcb->asoc.last_cwr_tsn = stcb->asoc.nonce_resync_tsn; 2421 } 2422 /* 2423 * We always send a CWR this way if our previous one was lost our 2424 * peer will get an update, or if it is not time again to reduce we 2425 * still get the cwr to the peer. 2426 */ 2427 sctp_send_cwr(stcb, net, tsn); 2428 } 2429 2430 static void 2431 sctp_handle_ecn_cwr(struct sctp_cwr_chunk *cp, struct sctp_tcb *stcb) 2432 { 2433 /* 2434 * Here we get a CWR from the peer. We must look in the outqueue and 2435 * make sure that we have a covered ECNE in teh control chunk part. 2436 * If so remove it. 2437 */ 2438 struct sctp_tmit_chunk *chk; 2439 struct sctp_ecne_chunk *ecne; 2440 2441 TAILQ_FOREACH(chk, &stcb->asoc.control_send_queue, sctp_next) { 2442 if (chk->rec.chunk_id.id != SCTP_ECN_ECHO) { 2443 continue; 2444 } 2445 /* 2446 * Look for and remove if it is the right TSN. Since there 2447 * is only ONE ECNE on the control queue at any one time we 2448 * don't need to worry about more than one! 2449 */ 2450 ecne = mtod(chk->data, struct sctp_ecne_chunk *); 2451 if (compare_with_wrap(ntohl(cp->tsn), ntohl(ecne->tsn), 2452 MAX_TSN) || (cp->tsn == ecne->tsn)) { 2453 /* this covers this ECNE, we can remove it */ 2454 stcb->asoc.ecn_echo_cnt_onq--; 2455 TAILQ_REMOVE(&stcb->asoc.control_send_queue, chk, 2456 sctp_next); 2457 if (chk->data) { 2458 sctp_m_freem(chk->data); 2459 chk->data = NULL; 2460 } 2461 stcb->asoc.ctrl_queue_cnt--; 2462 sctp_free_remote_addr(chk->whoTo); 2463 sctp_free_a_chunk(stcb, chk); 2464 break; 2465 } 2466 } 2467 } 2468 2469 static void 2470 sctp_handle_shutdown_complete(struct sctp_shutdown_complete_chunk *cp, 2471 struct sctp_tcb *stcb, struct sctp_nets *net) 2472 { 2473 struct sctp_association *asoc; 2474 2475 #ifdef SCTP_DEBUG 2476 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 2477 printf("sctp_handle_shutdown_complete: handling SHUTDOWN-COMPLETE\n"); 2478 } 2479 #endif 2480 if (stcb == NULL) 2481 return; 2482 2483 asoc = &stcb->asoc; 2484 /* process according to association state */ 2485 if (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT) { 2486 /* unexpected SHUTDOWN-COMPLETE... so ignore... */ 2487 SCTP_TCB_UNLOCK(stcb); 2488 return; 2489 } 2490 /* notify upper layer protocol */ 2491 if (stcb->sctp_socket) { 2492 sctp_ulp_notify(SCTP_NOTIFY_ASSOC_DOWN, stcb, 0, NULL); 2493 /* are the queues empty? they should be */ 2494 if (!TAILQ_EMPTY(&asoc->send_queue) || 2495 !TAILQ_EMPTY(&asoc->sent_queue) || 2496 !TAILQ_EMPTY(&asoc->out_wheel)) { 2497 sctp_report_all_outbound(stcb, 0); 2498 } 2499 } 2500 /* stop the timer */ 2501 sctp_timer_stop(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_21); 2502 SCTP_STAT_INCR_COUNTER32(sctps_shutdown); 2503 /* free the TCB */ 2504 sctp_free_assoc(stcb->sctp_ep, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_22); 2505 return; 2506 } 2507 2508 static int 2509 process_chunk_drop(struct sctp_tcb *stcb, struct sctp_chunk_desc *desc, 2510 struct sctp_nets *net, uint8_t flg) 2511 { 2512 switch (desc->chunk_type) { 2513 case SCTP_DATA: 2514 /* find the tsn to resend (possibly */ 2515 { 2516 uint32_t tsn; 2517 struct sctp_tmit_chunk *tp1; 2518 2519 tsn = ntohl(desc->tsn_ifany); 2520 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2521 while (tp1) { 2522 if (tp1->rec.data.TSN_seq == tsn) { 2523 /* found it */ 2524 break; 2525 } 2526 if (compare_with_wrap(tp1->rec.data.TSN_seq, tsn, 2527 MAX_TSN)) { 2528 /* not found */ 2529 tp1 = NULL; 2530 break; 2531 } 2532 tp1 = TAILQ_NEXT(tp1, sctp_next); 2533 } 2534 if (tp1 == NULL) { 2535 /* 2536 * Do it the other way , aka without paying 2537 * attention to queue seq order. 2538 */ 2539 SCTP_STAT_INCR(sctps_pdrpdnfnd); 2540 tp1 = TAILQ_FIRST(&stcb->asoc.sent_queue); 2541 while (tp1) { 2542 if (tp1->rec.data.TSN_seq == tsn) { 2543 /* found it */ 2544 break; 2545 } 2546 tp1 = TAILQ_NEXT(tp1, sctp_next); 2547 } 2548 } 2549 if (tp1 == NULL) { 2550 SCTP_STAT_INCR(sctps_pdrptsnnf); 2551 } 2552 if ((tp1) && (tp1->sent < SCTP_DATAGRAM_ACKED)) { 2553 uint8_t *ddp; 2554 2555 if ((stcb->asoc.peers_rwnd == 0) && 2556 ((flg & SCTP_FROM_MIDDLE_BOX) == 0)) { 2557 SCTP_STAT_INCR(sctps_pdrpdiwnp); 2558 return (0); 2559 } 2560 if (stcb->asoc.peers_rwnd == 0 && 2561 (flg & SCTP_FROM_MIDDLE_BOX)) { 2562 SCTP_STAT_INCR(sctps_pdrpdizrw); 2563 return (0); 2564 } 2565 ddp = (uint8_t *) (mtod(tp1->data, caddr_t)+ 2566 sizeof(struct sctp_data_chunk)); 2567 { 2568 unsigned int iii; 2569 2570 for (iii = 0; iii < sizeof(desc->data_bytes); 2571 iii++) { 2572 if (ddp[iii] != desc->data_bytes[iii]) { 2573 SCTP_STAT_INCR(sctps_pdrpbadd); 2574 return (-1); 2575 } 2576 } 2577 } 2578 /* 2579 * We zero out the nonce so resync not 2580 * needed 2581 */ 2582 tp1->rec.data.ect_nonce = 0; 2583 2584 if (tp1->do_rtt) { 2585 /* 2586 * this guy had a RTO calculation 2587 * pending on it, cancel it 2588 */ 2589 tp1->do_rtt = 0; 2590 } 2591 SCTP_STAT_INCR(sctps_pdrpmark); 2592 if (tp1->sent != SCTP_DATAGRAM_RESEND) 2593 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2594 tp1->sent = SCTP_DATAGRAM_RESEND; 2595 /* 2596 * mark it as if we were doing a FR, since 2597 * we will be getting gap ack reports behind 2598 * the info from the router. 2599 */ 2600 tp1->rec.data.doing_fast_retransmit = 1; 2601 /* 2602 * mark the tsn with what sequences can 2603 * cause a new FR. 2604 */ 2605 if (TAILQ_EMPTY(&stcb->asoc.send_queue)) { 2606 tp1->rec.data.fast_retran_tsn = stcb->asoc.sending_seq; 2607 } else { 2608 tp1->rec.data.fast_retran_tsn = (TAILQ_FIRST(&stcb->asoc.send_queue))->rec.data.TSN_seq; 2609 } 2610 2611 /* restart the timer */ 2612 sctp_timer_stop(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2613 stcb, tp1->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_23); 2614 sctp_timer_start(SCTP_TIMER_TYPE_SEND, stcb->sctp_ep, 2615 stcb, tp1->whoTo); 2616 2617 /* fix counts and things */ 2618 #ifdef SCTP_FLIGHT_LOGGING 2619 sctp_misc_ints(SCTP_FLIGHT_LOG_DOWN, 2620 tp1->whoTo->flight_size, 2621 tp1->book_size, 2622 (uintptr_t) stcb, 2623 tp1->rec.data.TSN_seq); 2624 #endif 2625 if (tp1->whoTo->flight_size >= tp1->book_size) 2626 tp1->whoTo->flight_size -= tp1->book_size; 2627 else 2628 tp1->whoTo->flight_size = 0; 2629 2630 if (stcb->asoc.total_flight >= tp1->book_size) { 2631 stcb->asoc.total_flight -= tp1->book_size; 2632 if (stcb->asoc.total_flight_count > 0) 2633 stcb->asoc.total_flight_count--; 2634 } else { 2635 stcb->asoc.total_flight = 0; 2636 stcb->asoc.total_flight_count = 0; 2637 } 2638 tp1->snd_count--; 2639 } { 2640 /* audit code */ 2641 unsigned int audit; 2642 2643 audit = 0; 2644 TAILQ_FOREACH(tp1, &stcb->asoc.sent_queue, sctp_next) { 2645 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2646 audit++; 2647 } 2648 TAILQ_FOREACH(tp1, &stcb->asoc.control_send_queue, 2649 sctp_next) { 2650 if (tp1->sent == SCTP_DATAGRAM_RESEND) 2651 audit++; 2652 } 2653 if (audit != stcb->asoc.sent_queue_retran_cnt) { 2654 printf("**Local Audit finds cnt:%d asoc cnt:%d\n", 2655 audit, stcb->asoc.sent_queue_retran_cnt); 2656 #ifndef SCTP_AUDITING_ENABLED 2657 stcb->asoc.sent_queue_retran_cnt = audit; 2658 #endif 2659 } 2660 } 2661 } 2662 break; 2663 case SCTP_ASCONF: 2664 { 2665 struct sctp_tmit_chunk *asconf; 2666 2667 TAILQ_FOREACH(asconf, &stcb->asoc.control_send_queue, 2668 sctp_next) { 2669 if (asconf->rec.chunk_id.id == SCTP_ASCONF) { 2670 break; 2671 } 2672 } 2673 if (asconf) { 2674 if (asconf->sent != SCTP_DATAGRAM_RESEND) 2675 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2676 asconf->sent = SCTP_DATAGRAM_RESEND; 2677 asconf->snd_count--; 2678 } 2679 } 2680 break; 2681 case SCTP_INITIATION: 2682 /* resend the INIT */ 2683 stcb->asoc.dropped_special_cnt++; 2684 if (stcb->asoc.dropped_special_cnt < SCTP_RETRY_DROPPED_THRESH) { 2685 /* 2686 * If we can get it in, in a few attempts we do 2687 * this, otherwise we let the timer fire. 2688 */ 2689 sctp_timer_stop(SCTP_TIMER_TYPE_INIT, stcb->sctp_ep, 2690 stcb, net, SCTP_FROM_SCTP_INPUT + SCTP_LOC_24); 2691 sctp_send_initiate(stcb->sctp_ep, stcb); 2692 } 2693 break; 2694 case SCTP_SELECTIVE_ACK: 2695 /* resend the sack */ 2696 sctp_send_sack(stcb); 2697 break; 2698 case SCTP_HEARTBEAT_REQUEST: 2699 /* resend a demand HB */ 2700 sctp_send_hb(stcb, 1, net); 2701 break; 2702 case SCTP_SHUTDOWN: 2703 sctp_send_shutdown(stcb, net); 2704 break; 2705 case SCTP_SHUTDOWN_ACK: 2706 sctp_send_shutdown_ack(stcb, net); 2707 break; 2708 case SCTP_COOKIE_ECHO: 2709 { 2710 struct sctp_tmit_chunk *cookie; 2711 2712 cookie = NULL; 2713 TAILQ_FOREACH(cookie, &stcb->asoc.control_send_queue, 2714 sctp_next) { 2715 if (cookie->rec.chunk_id.id == SCTP_COOKIE_ECHO) { 2716 break; 2717 } 2718 } 2719 if (cookie) { 2720 if (cookie->sent != SCTP_DATAGRAM_RESEND) 2721 sctp_ucount_incr(stcb->asoc.sent_queue_retran_cnt); 2722 cookie->sent = SCTP_DATAGRAM_RESEND; 2723 sctp_stop_all_cookie_timers(stcb); 2724 } 2725 } 2726 break; 2727 case SCTP_COOKIE_ACK: 2728 sctp_send_cookie_ack(stcb); 2729 break; 2730 case SCTP_ASCONF_ACK: 2731 /* resend last asconf ack */ 2732 sctp_send_asconf_ack(stcb, 1); 2733 break; 2734 case SCTP_FORWARD_CUM_TSN: 2735 send_forward_tsn(stcb, &stcb->asoc); 2736 break; 2737 /* can't do anything with these */ 2738 case SCTP_PACKET_DROPPED: 2739 case SCTP_INITIATION_ACK: /* this should not happen */ 2740 case SCTP_HEARTBEAT_ACK: 2741 case SCTP_ABORT_ASSOCIATION: 2742 case SCTP_OPERATION_ERROR: 2743 case SCTP_SHUTDOWN_COMPLETE: 2744 case SCTP_ECN_ECHO: 2745 case SCTP_ECN_CWR: 2746 default: 2747 break; 2748 } 2749 return (0); 2750 } 2751 2752 void 2753 sctp_reset_in_stream(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2754 { 2755 int i; 2756 uint16_t temp; 2757 2758 /* 2759 * We set things to 0xffff since this is the last delivered sequence 2760 * and we will be sending in 0 after the reset. 2761 */ 2762 2763 if (number_entries) { 2764 for (i = 0; i < number_entries; i++) { 2765 temp = ntohs(list[i]); 2766 if (temp >= stcb->asoc.streamincnt) { 2767 continue; 2768 } 2769 stcb->asoc.strmin[temp].last_sequence_delivered = 0xffff; 2770 } 2771 } else { 2772 list = NULL; 2773 for (i = 0; i < stcb->asoc.streamincnt; i++) { 2774 stcb->asoc.strmin[i].last_sequence_delivered = 0xffff; 2775 } 2776 } 2777 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_RECV, stcb, number_entries, (void *)list); 2778 } 2779 2780 static void 2781 sctp_reset_out_streams(struct sctp_tcb *stcb, int number_entries, uint16_t * list) 2782 { 2783 int i; 2784 2785 if (number_entries == 0) { 2786 for (i = 0; i < stcb->asoc.streamoutcnt; i++) { 2787 stcb->asoc.strmout[i].next_sequence_sent = 0; 2788 } 2789 } else if (number_entries) { 2790 for (i = 0; i < number_entries; i++) { 2791 uint16_t temp; 2792 2793 temp = ntohs(list[i]); 2794 if (temp >= stcb->asoc.streamoutcnt) { 2795 /* no such stream */ 2796 continue; 2797 } 2798 stcb->asoc.strmout[temp].next_sequence_sent = 0; 2799 } 2800 } 2801 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_SEND, stcb, number_entries, (void *)list); 2802 } 2803 2804 2805 struct sctp_stream_reset_out_request * 2806 sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) 2807 { 2808 struct sctp_association *asoc; 2809 struct sctp_stream_reset_out_req *req; 2810 struct sctp_stream_reset_out_request *r; 2811 struct sctp_tmit_chunk *chk; 2812 int len, clen; 2813 2814 asoc = &stcb->asoc; 2815 if (TAILQ_EMPTY(&stcb->asoc.control_send_queue)) { 2816 return (NULL); 2817 } 2818 if (stcb->asoc.str_reset == NULL) { 2819 return (NULL); 2820 } 2821 chk = stcb->asoc.str_reset; 2822 if (chk->data == NULL) { 2823 return (NULL); 2824 } 2825 if (bchk) { 2826 /* he wants a copy of the chk pointer */ 2827 *bchk = chk; 2828 } 2829 clen = chk->send_size; 2830 req = mtod(chk->data, struct sctp_stream_reset_out_req *); 2831 r = &req->sr_req; 2832 if (ntohl(r->request_seq) == seq) { 2833 /* found it */ 2834 return (r); 2835 } 2836 len = SCTP_SIZE32(ntohs(r->ph.param_length)); 2837 if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { 2838 /* move to the next one, there can only be a max of two */ 2839 r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); 2840 if (ntohl(r->request_seq) == seq) { 2841 return (r); 2842 } 2843 } 2844 /* that seq is not here */ 2845 return (NULL); 2846 } 2847 2848 static void 2849 sctp_clean_up_stream_reset(struct sctp_tcb *stcb) 2850 { 2851 struct sctp_association *asoc; 2852 struct sctp_tmit_chunk *chk = stcb->asoc.str_reset; 2853 2854 if (stcb->asoc.str_reset == NULL) { 2855 return; 2856 } 2857 asoc = &stcb->asoc; 2858 2859 sctp_timer_stop(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo, SCTP_FROM_SCTP_INPUT + SCTP_LOC_25); 2860 TAILQ_REMOVE(&asoc->control_send_queue, 2861 chk, 2862 sctp_next); 2863 if (chk->data) { 2864 sctp_m_freem(chk->data); 2865 chk->data = NULL; 2866 } 2867 asoc->ctrl_queue_cnt--; 2868 sctp_free_remote_addr(chk->whoTo); 2869 2870 sctp_free_a_chunk(stcb, chk); 2871 stcb->asoc.str_reset = NULL; 2872 } 2873 2874 2875 static int 2876 sctp_handle_stream_reset_response(struct sctp_tcb *stcb, 2877 uint32_t seq, uint32_t action, 2878 struct sctp_stream_reset_response *respin) 2879 { 2880 uint16_t type; 2881 int lparm_len; 2882 struct sctp_association *asoc = &stcb->asoc; 2883 struct sctp_tmit_chunk *chk; 2884 struct sctp_stream_reset_out_request *srparam; 2885 int number_entries; 2886 2887 if (asoc->stream_reset_outstanding == 0) { 2888 /* duplicate */ 2889 return (0); 2890 } 2891 if (seq == stcb->asoc.str_reset_seq_out) { 2892 srparam = sctp_find_stream_reset(stcb, seq, &chk); 2893 if (srparam) { 2894 stcb->asoc.str_reset_seq_out++; 2895 type = ntohs(srparam->ph.param_type); 2896 lparm_len = ntohs(srparam->ph.param_length); 2897 if (type == SCTP_STR_RESET_OUT_REQUEST) { 2898 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); 2899 asoc->stream_reset_out_is_outstanding = 0; 2900 if (asoc->stream_reset_outstanding) 2901 asoc->stream_reset_outstanding--; 2902 if (action == SCTP_STREAM_RESET_PERFORMED) { 2903 /* do it */ 2904 sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); 2905 } else { 2906 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams); 2907 } 2908 } else if (type == SCTP_STR_RESET_IN_REQUEST) { 2909 /* Answered my request */ 2910 number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); 2911 if (asoc->stream_reset_outstanding) 2912 asoc->stream_reset_outstanding--; 2913 if (action != SCTP_STREAM_RESET_PERFORMED) { 2914 sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, number_entries, srparam->list_of_streams); 2915 } 2916 } else if (type == SCTP_STR_RESET_TSN_REQUEST) { 2917 /** 2918 * a) Adopt the new in tsn. 2919 * b) reset the map 2920 * c) Adopt the new out-tsn 2921 */ 2922 struct sctp_stream_reset_response_tsn *resp; 2923 struct sctp_forward_tsn_chunk fwdtsn; 2924 int abort_flag = 0; 2925 2926 if (respin == NULL) { 2927 /* huh ? */ 2928 return (0); 2929 } 2930 if (action == SCTP_STREAM_RESET_PERFORMED) { 2931 resp = (struct sctp_stream_reset_response_tsn *)respin; 2932 asoc->stream_reset_outstanding--; 2933 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 2934 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 2935 fwdtsn.new_cumulative_tsn = htonl(ntohl(resp->senders_next_tsn) - 1); 2936 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 2937 if (abort_flag) { 2938 return (1); 2939 } 2940 stcb->asoc.highest_tsn_inside_map = (ntohl(resp->senders_next_tsn) - 1); 2941 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 2942 stcb->asoc.mapping_array_base_tsn = ntohl(resp->senders_next_tsn); 2943 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 2944 stcb->asoc.sending_seq = ntohl(resp->receivers_next_tsn); 2945 stcb->asoc.last_acked_seq = stcb->asoc.cumulative_tsn; 2946 2947 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 2948 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 2949 2950 } 2951 } 2952 /* get rid of the request and get the request flags */ 2953 if (asoc->stream_reset_outstanding == 0) { 2954 sctp_clean_up_stream_reset(stcb); 2955 } 2956 } 2957 } 2958 return (0); 2959 } 2960 2961 static void 2962 sctp_handle_str_reset_request_in(struct sctp_tcb *stcb, 2963 struct sctp_tmit_chunk *chk, 2964 struct sctp_stream_reset_in_request *req) 2965 { 2966 uint32_t seq; 2967 int len, i; 2968 int number_entries; 2969 uint16_t temp; 2970 2971 /* 2972 * peer wants me to send a str-reset to him for my outgoing seq's if 2973 * seq_in is right. 2974 */ 2975 struct sctp_association *asoc = &stcb->asoc; 2976 2977 seq = ntohl(req->request_seq); 2978 if (asoc->str_reset_seq_in == seq) { 2979 if (stcb->asoc.stream_reset_out_is_outstanding == 0) { 2980 len = ntohs(req->ph.param_length); 2981 number_entries = ((len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t)); 2982 for (i = 0; i < number_entries; i++) { 2983 temp = ntohs(req->list_of_streams[i]); 2984 req->list_of_streams[i] = temp; 2985 } 2986 /* move the reset action back one */ 2987 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2988 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 2989 sctp_add_stream_reset_out(chk, number_entries, req->list_of_streams, 2990 asoc->str_reset_seq_out, 2991 seq, (asoc->sending_seq - 1)); 2992 asoc->stream_reset_out_is_outstanding = 1; 2993 asoc->str_reset = chk; 2994 sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo); 2995 stcb->asoc.stream_reset_outstanding++; 2996 } else { 2997 /* Can't do it, since we have sent one out */ 2998 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 2999 asoc->last_reset_action[0] = SCTP_STREAM_RESET_TRY_LATER; 3000 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3001 } 3002 asoc->str_reset_seq_in++; 3003 } else if (asoc->str_reset_seq_in - 1 == seq) { 3004 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3005 } else if (asoc->str_reset_seq_in - 2 == seq) { 3006 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3007 } else { 3008 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3009 } 3010 } 3011 3012 static int 3013 sctp_handle_str_reset_request_tsn(struct sctp_tcb *stcb, 3014 struct sctp_tmit_chunk *chk, 3015 struct sctp_stream_reset_tsn_request *req) 3016 { 3017 /* reset all in and out and update the tsn */ 3018 /* 3019 * A) reset my str-seq's on in and out. B) Select a receive next, 3020 * and set cum-ack to it. Also process this selected number as a 3021 * fwd-tsn as well. C) set in the response my next sending seq. 3022 */ 3023 struct sctp_forward_tsn_chunk fwdtsn; 3024 struct sctp_association *asoc = &stcb->asoc; 3025 int abort_flag = 0; 3026 uint32_t seq; 3027 3028 seq = ntohl(req->request_seq); 3029 if (asoc->str_reset_seq_in == seq) { 3030 fwdtsn.ch.chunk_length = htons(sizeof(struct sctp_forward_tsn_chunk)); 3031 fwdtsn.ch.chunk_type = SCTP_FORWARD_CUM_TSN; 3032 fwdtsn.ch.chunk_flags = 0; 3033 fwdtsn.new_cumulative_tsn = htonl(stcb->asoc.highest_tsn_inside_map + 1); 3034 sctp_handle_forward_tsn(stcb, &fwdtsn, &abort_flag); 3035 if (abort_flag) { 3036 return (1); 3037 } 3038 stcb->asoc.highest_tsn_inside_map += SCTP_STREAM_RESET_TSN_DELTA; 3039 stcb->asoc.cumulative_tsn = stcb->asoc.highest_tsn_inside_map; 3040 stcb->asoc.mapping_array_base_tsn = stcb->asoc.highest_tsn_inside_map + 1; 3041 memset(stcb->asoc.mapping_array, 0, stcb->asoc.mapping_array_size); 3042 atomic_add_int(&stcb->asoc.sending_seq, 1); 3043 /* save off historical data for retrans */ 3044 stcb->asoc.last_sending_seq[1] = stcb->asoc.last_sending_seq[0]; 3045 stcb->asoc.last_sending_seq[0] = stcb->asoc.sending_seq; 3046 stcb->asoc.last_base_tsnsent[1] = stcb->asoc.last_base_tsnsent[0]; 3047 stcb->asoc.last_base_tsnsent[0] = stcb->asoc.mapping_array_base_tsn; 3048 3049 sctp_add_stream_reset_result_tsn(chk, 3050 ntohl(req->request_seq), 3051 SCTP_STREAM_RESET_PERFORMED, 3052 stcb->asoc.sending_seq, 3053 stcb->asoc.mapping_array_base_tsn); 3054 sctp_reset_out_streams(stcb, 0, (uint16_t *) NULL); 3055 sctp_reset_in_stream(stcb, 0, (uint16_t *) NULL); 3056 stcb->asoc.last_reset_action[1] = stcb->asoc.last_reset_action[0]; 3057 stcb->asoc.last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3058 3059 asoc->str_reset_seq_in++; 3060 } else if (asoc->str_reset_seq_in - 1 == seq) { 3061 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[0], 3062 stcb->asoc.last_sending_seq[0], 3063 stcb->asoc.last_base_tsnsent[0] 3064 ); 3065 } else if (asoc->str_reset_seq_in - 2 == seq) { 3066 sctp_add_stream_reset_result_tsn(chk, seq, asoc->last_reset_action[1], 3067 stcb->asoc.last_sending_seq[1], 3068 stcb->asoc.last_base_tsnsent[1] 3069 ); 3070 } else { 3071 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3072 } 3073 return (0); 3074 } 3075 3076 static void 3077 sctp_handle_str_reset_request_out(struct sctp_tcb *stcb, 3078 struct sctp_tmit_chunk *chk, 3079 struct sctp_stream_reset_out_request *req) 3080 { 3081 uint32_t seq, tsn; 3082 int number_entries, len; 3083 struct sctp_association *asoc = &stcb->asoc; 3084 3085 seq = ntohl(req->request_seq); 3086 3087 /* now if its not a duplicate we process it */ 3088 if (asoc->str_reset_seq_in == seq) { 3089 len = ntohs(req->ph.param_length); 3090 number_entries = ((len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t)); 3091 /* 3092 * the sender is resetting, handle the list issue.. we must 3093 * a) verify if we can do the reset, if so no problem b) If 3094 * we can't do the reset we must copy the request. c) queue 3095 * it, and setup the data in processor to trigger it off 3096 * when needed and dequeue all the queued data. 3097 */ 3098 tsn = ntohl(req->send_reset_at_tsn); 3099 3100 /* move the reset action back one */ 3101 asoc->last_reset_action[1] = asoc->last_reset_action[0]; 3102 if ((tsn == asoc->cumulative_tsn) || 3103 (compare_with_wrap(asoc->cumulative_tsn, tsn, MAX_TSN))) { 3104 /* we can do it now */ 3105 sctp_reset_in_stream(stcb, number_entries, req->list_of_streams); 3106 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3107 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3108 } else { 3109 /* 3110 * we must queue it up and thus wait for the TSN's 3111 * to arrive that are at or before tsn 3112 */ 3113 struct sctp_stream_reset_list *liste; 3114 int siz; 3115 3116 siz = sizeof(struct sctp_stream_reset_list) + (number_entries * sizeof(uint16_t)); 3117 SCTP_MALLOC(liste, struct sctp_stream_reset_list *, 3118 siz, "StrRstList"); 3119 if (liste == NULL) { 3120 /* gak out of memory */ 3121 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_DENIED); 3122 asoc->last_reset_action[0] = SCTP_STREAM_RESET_DENIED; 3123 return; 3124 } 3125 liste->tsn = tsn; 3126 liste->number_entries = number_entries; 3127 memcpy(&liste->req, req, 3128 (sizeof(struct sctp_stream_reset_out_request) + (number_entries * sizeof(uint16_t)))); 3129 TAILQ_INSERT_TAIL(&asoc->resetHead, liste, next_resp); 3130 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_PERFORMED); 3131 asoc->last_reset_action[0] = SCTP_STREAM_RESET_PERFORMED; 3132 } 3133 asoc->str_reset_seq_in++; 3134 } else if ((asoc->str_reset_seq_in - 1) == seq) { 3135 /* 3136 * one seq back, just echo back last action since my 3137 * response was lost. 3138 */ 3139 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[0]); 3140 } else if ((asoc->str_reset_seq_in - 2) == seq) { 3141 /* 3142 * two seq back, just echo back last action since my 3143 * response was lost. 3144 */ 3145 sctp_add_stream_reset_result(chk, seq, asoc->last_reset_action[1]); 3146 } else { 3147 sctp_add_stream_reset_result(chk, seq, SCTP_STREAM_RESET_BAD_SEQNO); 3148 } 3149 } 3150 3151 static int 3152 sctp_handle_stream_reset(struct sctp_tcb *stcb, struct sctp_stream_reset_out_req *sr_req) 3153 { 3154 int chk_length, param_len, ptype; 3155 uint32_t seq; 3156 int num_req = 0; 3157 struct sctp_tmit_chunk *chk; 3158 struct sctp_chunkhdr *ch; 3159 struct sctp_paramhdr *ph; 3160 int ret_code = 0; 3161 int num_param = 0; 3162 3163 /* now it may be a reset or a reset-response */ 3164 chk_length = ntohs(sr_req->ch.chunk_length); 3165 3166 /* setup for adding the response */ 3167 sctp_alloc_a_chunk(stcb, chk); 3168 if (chk == NULL) { 3169 return (ret_code); 3170 } 3171 chk->rec.chunk_id.id = SCTP_STREAM_RESET; 3172 chk->asoc = &stcb->asoc; 3173 chk->no_fr_allowed = 0; 3174 chk->book_size = chk->send_size = sizeof(struct sctp_chunkhdr); 3175 chk->book_size_scale = 0; 3176 chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA); 3177 if (chk->data == NULL) { 3178 strres_nochunk: 3179 if (chk->data) { 3180 sctp_m_freem(chk->data); 3181 chk->data = NULL; 3182 } 3183 sctp_free_a_chunk(stcb, chk); 3184 return (ret_code); 3185 } 3186 SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD); 3187 3188 /* setup chunk parameters */ 3189 chk->sent = SCTP_DATAGRAM_UNSENT; 3190 chk->snd_count = 0; 3191 chk->whoTo = stcb->asoc.primary_destination; 3192 atomic_add_int(&chk->whoTo->ref_count, 1); 3193 3194 ch = mtod(chk->data, struct sctp_chunkhdr *); 3195 ch->chunk_type = SCTP_STREAM_RESET; 3196 ch->chunk_flags = 0; 3197 ch->chunk_length = htons(chk->send_size); 3198 SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size); 3199 3200 ph = (struct sctp_paramhdr *)&sr_req->sr_req; 3201 while ((size_t)chk_length >= sizeof(struct sctp_stream_reset_tsn_request)) { 3202 param_len = ntohs(ph->param_length); 3203 if (param_len < (int)sizeof(struct sctp_stream_reset_tsn_request)) { 3204 /* bad param */ 3205 break; 3206 } 3207 ptype = ntohs(ph->param_type); 3208 num_param++; 3209 if (num_param > SCTP_MAX_RESET_PARAMS) { 3210 /* hit the max of parameters already sorry.. */ 3211 break; 3212 } 3213 if (ptype == SCTP_STR_RESET_OUT_REQUEST) { 3214 struct sctp_stream_reset_out_request *req_out; 3215 3216 req_out = (struct sctp_stream_reset_out_request *)ph; 3217 num_req++; 3218 if (stcb->asoc.stream_reset_outstanding) { 3219 seq = ntohl(req_out->response_seq); 3220 if (seq == stcb->asoc.str_reset_seq_out) { 3221 /* implicit ack */ 3222 sctp_handle_stream_reset_response(stcb, seq, SCTP_STREAM_RESET_PERFORMED, NULL); 3223 } 3224 } 3225 sctp_handle_str_reset_request_out(stcb, chk, req_out); 3226 } else if (ptype == SCTP_STR_RESET_IN_REQUEST) { 3227 struct sctp_stream_reset_in_request *req_in; 3228 3229 num_req++; 3230 req_in = (struct sctp_stream_reset_in_request *)ph; 3231 sctp_handle_str_reset_request_in(stcb, chk, req_in); 3232 } else if (ptype == SCTP_STR_RESET_TSN_REQUEST) { 3233 struct sctp_stream_reset_tsn_request *req_tsn; 3234 3235 num_req++; 3236 req_tsn = (struct sctp_stream_reset_tsn_request *)ph; 3237 if (sctp_handle_str_reset_request_tsn(stcb, chk, req_tsn)) { 3238 ret_code = 1; 3239 goto strres_nochunk; 3240 } 3241 /* no more */ 3242 break; 3243 } else if (ptype == SCTP_STR_RESET_RESPONSE) { 3244 struct sctp_stream_reset_response *resp; 3245 uint32_t result; 3246 3247 resp = (struct sctp_stream_reset_response *)ph; 3248 seq = ntohl(resp->response_seq); 3249 result = ntohl(resp->result); 3250 if (sctp_handle_stream_reset_response(stcb, seq, result, resp)) { 3251 ret_code = 1; 3252 goto strres_nochunk; 3253 } 3254 } else { 3255 break; 3256 } 3257 3258 ph = (struct sctp_paramhdr *)((caddr_t)ph + SCTP_SIZE32(param_len)); 3259 chk_length -= SCTP_SIZE32(param_len); 3260 } 3261 if (num_req == 0) { 3262 /* we have no response free the stuff */ 3263 goto strres_nochunk; 3264 } 3265 /* ok we have a chunk to link in */ 3266 TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, 3267 chk, 3268 sctp_next); 3269 stcb->asoc.ctrl_queue_cnt++; 3270 return (ret_code); 3271 } 3272 3273 /* 3274 * Handle a router or endpoints report of a packet loss, there are two ways 3275 * to handle this, either we get the whole packet and must disect it 3276 * ourselves (possibly with truncation and or corruption) or it is a summary 3277 * from a middle box that did the disectting for us. 3278 */ 3279 static void 3280 sctp_handle_packet_dropped(struct sctp_pktdrop_chunk *cp, 3281 struct sctp_tcb *stcb, struct sctp_nets *net) 3282 { 3283 uint32_t bottle_bw, on_queue; 3284 uint16_t trunc_len; 3285 unsigned int chlen; 3286 unsigned int at; 3287 struct sctp_chunk_desc desc; 3288 struct sctp_chunkhdr *ch; 3289 3290 chlen = ntohs(cp->ch.chunk_length); 3291 chlen -= sizeof(struct sctp_pktdrop_chunk); 3292 /* XXX possible chlen underflow */ 3293 if (chlen == 0) { 3294 ch = NULL; 3295 if (cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) 3296 SCTP_STAT_INCR(sctps_pdrpbwrpt); 3297 } else { 3298 ch = (struct sctp_chunkhdr *)(cp->data + sizeof(struct sctphdr)); 3299 chlen -= sizeof(struct sctphdr); 3300 /* XXX possible chlen underflow */ 3301 memset(&desc, 0, sizeof(desc)); 3302 } 3303 trunc_len = (uint16_t) ntohs(cp->trunc_len); 3304 /* now the chunks themselves */ 3305 while ((ch != NULL) && (chlen >= sizeof(struct sctp_chunkhdr))) { 3306 desc.chunk_type = ch->chunk_type; 3307 /* get amount we need to move */ 3308 at = ntohs(ch->chunk_length); 3309 if (at < sizeof(struct sctp_chunkhdr)) { 3310 /* corrupt chunk, maybe at the end? */ 3311 SCTP_STAT_INCR(sctps_pdrpcrupt); 3312 break; 3313 } 3314 if (trunc_len == 0) { 3315 /* we are supposed to have all of it */ 3316 if (at > chlen) { 3317 /* corrupt skip it */ 3318 SCTP_STAT_INCR(sctps_pdrpcrupt); 3319 break; 3320 } 3321 } else { 3322 /* is there enough of it left ? */ 3323 if (desc.chunk_type == SCTP_DATA) { 3324 if (chlen < (sizeof(struct sctp_data_chunk) + 3325 sizeof(desc.data_bytes))) { 3326 break; 3327 } 3328 } else { 3329 if (chlen < sizeof(struct sctp_chunkhdr)) { 3330 break; 3331 } 3332 } 3333 } 3334 if (desc.chunk_type == SCTP_DATA) { 3335 /* can we get out the tsn? */ 3336 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3337 SCTP_STAT_INCR(sctps_pdrpmbda); 3338 3339 if (chlen >= (sizeof(struct sctp_data_chunk) + sizeof(uint32_t))) { 3340 /* yep */ 3341 struct sctp_data_chunk *dcp; 3342 uint8_t *ddp; 3343 unsigned int iii; 3344 3345 dcp = (struct sctp_data_chunk *)ch; 3346 ddp = (uint8_t *) (dcp + 1); 3347 for (iii = 0; iii < sizeof(desc.data_bytes); iii++) { 3348 desc.data_bytes[iii] = ddp[iii]; 3349 } 3350 desc.tsn_ifany = dcp->dp.tsn; 3351 } else { 3352 /* nope we are done. */ 3353 SCTP_STAT_INCR(sctps_pdrpnedat); 3354 break; 3355 } 3356 } else { 3357 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX)) 3358 SCTP_STAT_INCR(sctps_pdrpmbct); 3359 } 3360 3361 if (process_chunk_drop(stcb, &desc, net, cp->ch.chunk_flags)) { 3362 SCTP_STAT_INCR(sctps_pdrppdbrk); 3363 break; 3364 } 3365 if (SCTP_SIZE32(at) > chlen) { 3366 break; 3367 } 3368 chlen -= SCTP_SIZE32(at); 3369 if (chlen < sizeof(struct sctp_chunkhdr)) { 3370 /* done, none left */ 3371 break; 3372 } 3373 ch = (struct sctp_chunkhdr *)((caddr_t)ch + SCTP_SIZE32(at)); 3374 } 3375 /* Now update any rwnd --- possibly */ 3376 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) == 0) { 3377 /* From a peer, we get a rwnd report */ 3378 uint32_t a_rwnd; 3379 3380 SCTP_STAT_INCR(sctps_pdrpfehos); 3381 3382 bottle_bw = ntohl(cp->bottle_bw); 3383 on_queue = ntohl(cp->current_onq); 3384 if (bottle_bw && on_queue) { 3385 /* a rwnd report is in here */ 3386 if (bottle_bw > on_queue) 3387 a_rwnd = bottle_bw - on_queue; 3388 else 3389 a_rwnd = 0; 3390 3391 if (a_rwnd == 0) 3392 stcb->asoc.peers_rwnd = 0; 3393 else { 3394 if (a_rwnd > stcb->asoc.total_flight) { 3395 stcb->asoc.peers_rwnd = 3396 a_rwnd - stcb->asoc.total_flight; 3397 } else { 3398 stcb->asoc.peers_rwnd = 0; 3399 } 3400 if (stcb->asoc.peers_rwnd < 3401 stcb->sctp_ep->sctp_ep.sctp_sws_sender) { 3402 /* SWS sender side engages */ 3403 stcb->asoc.peers_rwnd = 0; 3404 } 3405 } 3406 } 3407 } else { 3408 SCTP_STAT_INCR(sctps_pdrpfmbox); 3409 } 3410 3411 /* now middle boxes in sat networks get a cwnd bump */ 3412 if ((cp->ch.chunk_flags & SCTP_FROM_MIDDLE_BOX) && 3413 (stcb->asoc.sat_t3_loss_recovery == 0) && 3414 (stcb->asoc.sat_network)) { 3415 /* 3416 * This is debateable but for sat networks it makes sense 3417 * Note if a T3 timer has went off, we will prohibit any 3418 * changes to cwnd until we exit the t3 loss recovery. 3419 */ 3420 uint32_t bw_avail; 3421 int rtt, incr; 3422 3423 #ifdef SCTP_CWND_MONITOR 3424 int old_cwnd = net->cwnd; 3425 3426 #endif 3427 /* need real RTT for this calc */ 3428 rtt = ((net->lastsa >> 2) + net->lastsv) >> 1; 3429 /* get bottle neck bw */ 3430 bottle_bw = ntohl(cp->bottle_bw); 3431 /* and whats on queue */ 3432 on_queue = ntohl(cp->current_onq); 3433 /* 3434 * adjust the on-queue if our flight is more it could be 3435 * that the router has not yet gotten data "in-flight" to it 3436 */ 3437 if (on_queue < net->flight_size) 3438 on_queue = net->flight_size; 3439 3440 /* calculate the available space */ 3441 bw_avail = (bottle_bw * rtt) / 1000; 3442 if (bw_avail > bottle_bw) { 3443 /* 3444 * Cap the growth to no more than the bottle neck. 3445 * This can happen as RTT slides up due to queues. 3446 * It also means if you have more than a 1 second 3447 * RTT with a empty queue you will be limited to the 3448 * bottle_bw per second no matter if other points 3449 * have 1/2 the RTT and you could get more out... 3450 */ 3451 bw_avail = bottle_bw; 3452 } 3453 if (on_queue > bw_avail) { 3454 /* 3455 * No room for anything else don't allow anything 3456 * else to be "added to the fire". 3457 */ 3458 int seg_inflight, seg_onqueue, my_portion; 3459 3460 net->partial_bytes_acked = 0; 3461 3462 /* how much are we over queue size? */ 3463 incr = on_queue - bw_avail; 3464 if (stcb->asoc.seen_a_sack_this_pkt) { 3465 /* 3466 * undo any cwnd adjustment that the sack 3467 * might have made 3468 */ 3469 net->cwnd = net->prev_cwnd; 3470 } 3471 /* Now how much of that is mine? */ 3472 seg_inflight = net->flight_size / net->mtu; 3473 seg_onqueue = on_queue / net->mtu; 3474 my_portion = (incr * seg_inflight) / seg_onqueue; 3475 3476 /* Have I made an adjustment already */ 3477 if (net->cwnd > net->flight_size) { 3478 /* 3479 * for this flight I made an adjustment we 3480 * need to decrease the portion by a share 3481 * our previous adjustment. 3482 */ 3483 int diff_adj; 3484 3485 diff_adj = net->cwnd - net->flight_size; 3486 if (diff_adj > my_portion) 3487 my_portion = 0; 3488 else 3489 my_portion -= diff_adj; 3490 } 3491 /* 3492 * back down to the previous cwnd (assume we have 3493 * had a sack before this packet). minus what ever 3494 * portion of the overage is my fault. 3495 */ 3496 net->cwnd -= my_portion; 3497 3498 /* we will NOT back down more than 1 MTU */ 3499 if (net->cwnd <= net->mtu) { 3500 net->cwnd = net->mtu; 3501 } 3502 /* force into CA */ 3503 net->ssthresh = net->cwnd - 1; 3504 } else { 3505 /* 3506 * Take 1/4 of the space left or max burst up .. 3507 * whichever is less. 3508 */ 3509 incr = min((bw_avail - on_queue) >> 2, 3510 (int)stcb->asoc.max_burst * (int)net->mtu); 3511 net->cwnd += incr; 3512 } 3513 if (net->cwnd > bw_avail) { 3514 /* We can't exceed the pipe size */ 3515 net->cwnd = bw_avail; 3516 } 3517 if (net->cwnd < net->mtu) { 3518 /* We always have 1 MTU */ 3519 net->cwnd = net->mtu; 3520 } 3521 #ifdef SCTP_CWND_MONITOR 3522 if (net->cwnd - old_cwnd != 0) { 3523 /* log only changes */ 3524 sctp_log_cwnd(stcb, net, (net->cwnd - old_cwnd), 3525 SCTP_CWND_LOG_FROM_SAT); 3526 } 3527 #endif 3528 } 3529 } 3530 3531 /* 3532 * handles all control chunks in a packet inputs: - m: mbuf chain, assumed to 3533 * still contain IP/SCTP header - stcb: is the tcb found for this packet - 3534 * offset: offset into the mbuf chain to first chunkhdr - length: is the 3535 * length of the complete packet outputs: - length: modified to remaining 3536 * length after control processing - netp: modified to new sctp_nets after 3537 * cookie-echo processing - return NULL to discard the packet (ie. no asoc, 3538 * bad packet,...) otherwise return the tcb for this packet 3539 */ 3540 static struct sctp_tcb * 3541 sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, 3542 struct sctphdr *sh, struct sctp_chunkhdr *ch, struct sctp_inpcb *inp, 3543 struct sctp_tcb *stcb, struct sctp_nets **netp, int *fwd_tsn_seen) 3544 { 3545 struct sctp_association *asoc; 3546 uint32_t vtag_in; 3547 int num_chunks = 0; /* number of control chunks processed */ 3548 int chk_length; 3549 int ret; 3550 int abort_no_unlock = 0; 3551 3552 /* 3553 * How big should this be, and should it be alloc'd? Lets try the 3554 * d-mtu-ceiling for now (2k) and that should hopefully work ... 3555 * until we get into jumbo grams and such.. 3556 */ 3557 uint8_t chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; 3558 struct sctp_tcb *locked_tcb = stcb; 3559 int got_auth = 0; 3560 uint32_t auth_offset = 0, auth_len = 0; 3561 int auth_skipped = 0; 3562 3563 #ifdef SCTP_DEBUG 3564 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 3565 printf("sctp_process_control: iphlen=%u, offset=%u, length=%u stcb:%p\n", 3566 iphlen, *offset, length, stcb); 3567 } 3568 #endif /* SCTP_DEBUG */ 3569 3570 /* validate chunk header length... */ 3571 if (ntohs(ch->chunk_length) < sizeof(*ch)) { 3572 return (NULL); 3573 } 3574 /* 3575 * validate the verification tag 3576 */ 3577 vtag_in = ntohl(sh->v_tag); 3578 3579 if (locked_tcb) { 3580 SCTP_TCB_LOCK_ASSERT(locked_tcb); 3581 } 3582 if (ch->chunk_type == SCTP_INITIATION) { 3583 if (vtag_in != 0) { 3584 /* protocol error- silently discard... */ 3585 SCTP_STAT_INCR(sctps_badvtag); 3586 if (locked_tcb) 3587 SCTP_TCB_UNLOCK(locked_tcb); 3588 return (NULL); 3589 } 3590 } else if (ch->chunk_type != SCTP_COOKIE_ECHO) { 3591 /* 3592 * If there is no stcb, skip the AUTH chunk and process 3593 * later after a stcb is found (to validate the lookup was 3594 * valid. 3595 */ 3596 if ((ch->chunk_type == SCTP_AUTHENTICATION) && 3597 (stcb == NULL) && !sctp_auth_disable) { 3598 /* save this chunk for later processing */ 3599 auth_skipped = 1; 3600 auth_offset = *offset; 3601 auth_len = ntohs(ch->chunk_length); 3602 3603 /* (temporarily) move past this chunk */ 3604 *offset += SCTP_SIZE32(auth_len); 3605 if (*offset >= length) { 3606 /* no more data left in the mbuf chain */ 3607 *offset = length; 3608 return (NULL); 3609 } 3610 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3611 sizeof(struct sctp_chunkhdr), chunk_buf); 3612 } 3613 if (ch->chunk_type == SCTP_COOKIE_ECHO) { 3614 goto process_control_chunks; 3615 } 3616 /* 3617 * first check if it's an ASCONF with an unknown src addr we 3618 * need to look inside to find the association 3619 */ 3620 if (ch->chunk_type == SCTP_ASCONF && stcb == NULL) { 3621 /* inp's refcount may be reduced */ 3622 SCTP_INP_INCR_REF(inp); 3623 3624 stcb = sctp_findassociation_ep_asconf(m, iphlen, 3625 *offset, sh, &inp, netp); 3626 if (stcb == NULL) { 3627 /* 3628 * reduce inp's refcount if not reduced in 3629 * sctp_findassociation_ep_asconf(). 3630 */ 3631 SCTP_INP_DECR_REF(inp); 3632 } 3633 /* now go back and verify any auth chunk to be sure */ 3634 if (auth_skipped && (stcb != NULL)) { 3635 struct sctp_auth_chunk *auth; 3636 3637 auth = (struct sctp_auth_chunk *) 3638 sctp_m_getptr(m, auth_offset, 3639 auth_len, chunk_buf); 3640 got_auth = 1; 3641 auth_skipped = 0; 3642 if (sctp_handle_auth(stcb, auth, m, 3643 auth_offset)) { 3644 /* auth HMAC failed so dump it */ 3645 *offset = length; 3646 return (NULL); 3647 } else { 3648 /* remaining chunks are HMAC checked */ 3649 stcb->asoc.authenticated = 1; 3650 } 3651 } 3652 } 3653 if (stcb == NULL) { 3654 /* no association, so it's out of the blue... */ 3655 sctp_handle_ootb(m, iphlen, *offset, sh, inp, NULL); 3656 *offset = length; 3657 if (locked_tcb) 3658 SCTP_TCB_UNLOCK(locked_tcb); 3659 return (NULL); 3660 } 3661 asoc = &stcb->asoc; 3662 /* ABORT and SHUTDOWN can use either v_tag... */ 3663 if ((ch->chunk_type == SCTP_ABORT_ASSOCIATION) || 3664 (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) || 3665 (ch->chunk_type == SCTP_PACKET_DROPPED)) { 3666 if ((vtag_in == asoc->my_vtag) || 3667 ((ch->chunk_flags & SCTP_HAD_NO_TCB) && 3668 (vtag_in == asoc->peer_vtag))) { 3669 /* this is valid */ 3670 } else { 3671 /* drop this packet... */ 3672 SCTP_STAT_INCR(sctps_badvtag); 3673 if (locked_tcb) 3674 SCTP_TCB_UNLOCK(locked_tcb); 3675 return (NULL); 3676 } 3677 } else if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 3678 if (vtag_in != asoc->my_vtag) { 3679 /* 3680 * this could be a stale SHUTDOWN-ACK or the 3681 * peer never got the SHUTDOWN-COMPLETE and 3682 * is still hung; we have started a new asoc 3683 * but it won't complete until the shutdown 3684 * is completed 3685 */ 3686 if (locked_tcb) 3687 SCTP_TCB_UNLOCK(locked_tcb); 3688 sctp_handle_ootb(m, iphlen, *offset, sh, inp, 3689 NULL); 3690 return (NULL); 3691 } 3692 } else { 3693 /* for all other chunks, vtag must match */ 3694 if (vtag_in != asoc->my_vtag) { 3695 /* invalid vtag... */ 3696 #ifdef SCTP_DEBUG 3697 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3698 printf("invalid vtag: %xh, expect %xh\n", vtag_in, asoc->my_vtag); 3699 } 3700 #endif /* SCTP_DEBUG */ 3701 SCTP_STAT_INCR(sctps_badvtag); 3702 if (locked_tcb) 3703 SCTP_TCB_UNLOCK(locked_tcb); 3704 *offset = length; 3705 return (NULL); 3706 } 3707 } 3708 } /* end if !SCTP_COOKIE_ECHO */ 3709 /* 3710 * process all control chunks... 3711 */ 3712 if (((ch->chunk_type == SCTP_SELECTIVE_ACK) || 3713 (ch->chunk_type == SCTP_HEARTBEAT_REQUEST)) && 3714 (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_COOKIE_ECHOED)) { 3715 /* implied cookie-ack.. we must have lost the ack */ 3716 stcb->asoc.overall_error_count = 0; 3717 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, 3718 *netp); 3719 } 3720 process_control_chunks: 3721 3722 while (IS_SCTP_CONTROL(ch)) { 3723 /* validate chunk length */ 3724 chk_length = ntohs(ch->chunk_length); 3725 #ifdef SCTP_DEBUG 3726 if (sctp_debug_on & SCTP_DEBUG_INPUT2) { 3727 printf("sctp_process_control: processing a chunk type=%u, len=%u\n", 3728 ch->chunk_type, chk_length); 3729 } 3730 #endif /* SCTP_DEBUG */ 3731 if ((size_t)chk_length < sizeof(*ch) || 3732 (*offset + chk_length) > length) { 3733 *offset = length; 3734 if (locked_tcb) 3735 SCTP_TCB_UNLOCK(locked_tcb); 3736 return (NULL); 3737 } 3738 SCTP_STAT_INCR_COUNTER64(sctps_incontrolchunks); 3739 /* 3740 * INIT-ACK only gets the init ack "header" portion only 3741 * because we don't have to process the peer's COOKIE. All 3742 * others get a complete chunk. 3743 */ 3744 if (ch->chunk_type == SCTP_INITIATION_ACK) { 3745 /* get an init-ack chunk */ 3746 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3747 sizeof(struct sctp_init_ack_chunk), chunk_buf); 3748 if (ch == NULL) { 3749 *offset = length; 3750 if (locked_tcb) 3751 SCTP_TCB_UNLOCK(locked_tcb); 3752 return (NULL); 3753 } 3754 } else { 3755 /* get a complete chunk... */ 3756 if ((size_t)chk_length > sizeof(chunk_buf)) { 3757 struct mbuf *oper; 3758 struct sctp_paramhdr *phdr; 3759 3760 oper = NULL; 3761 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 3762 0, M_DONTWAIT, 1, MT_DATA); 3763 if (oper) { 3764 /* pre-reserve some space */ 3765 SCTP_BUF_RESV_UF(oper, sizeof(struct sctp_chunkhdr)); 3766 SCTP_BUF_LEN(oper) = sizeof(struct sctp_paramhdr); 3767 phdr = mtod(oper, struct sctp_paramhdr *); 3768 phdr->param_type = htons(SCTP_CAUSE_OUT_OF_RESC); 3769 phdr->param_length = htons(sizeof(struct sctp_paramhdr)); 3770 sctp_queue_op_err(stcb, oper); 3771 } 3772 if (locked_tcb) 3773 SCTP_TCB_UNLOCK(locked_tcb); 3774 return (NULL); 3775 } 3776 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 3777 chk_length, chunk_buf); 3778 if (ch == NULL) { 3779 printf("sctp_process_control: Can't get the all data....\n"); 3780 *offset = length; 3781 if (locked_tcb) 3782 SCTP_TCB_UNLOCK(locked_tcb); 3783 return (NULL); 3784 } 3785 } 3786 num_chunks++; 3787 /* Save off the last place we got a control from */ 3788 if (stcb != NULL) { 3789 if ((*netp != NULL) || (ch->chunk_type == SCTP_ASCONF)) { 3790 /* 3791 * allow last_control to be NULL if 3792 * ASCONF... ASCONF processing will find the 3793 * right net later 3794 */ 3795 stcb->asoc.last_control_chunk_from = *netp; 3796 } 3797 } 3798 #ifdef SCTP_AUDITING_ENABLED 3799 sctp_audit_log(0xB0, ch->chunk_type); 3800 #endif 3801 3802 /* check to see if this chunk required auth, but isn't */ 3803 if ((stcb != NULL) && !sctp_auth_disable && 3804 sctp_auth_is_required_chunk(ch->chunk_type, 3805 stcb->asoc.local_auth_chunks) && 3806 !stcb->asoc.authenticated) { 3807 /* "silently" ignore */ 3808 SCTP_STAT_INCR(sctps_recvauthmissing); 3809 goto next_chunk; 3810 } 3811 switch (ch->chunk_type) { 3812 case SCTP_INITIATION: 3813 /* must be first and only chunk */ 3814 #ifdef SCTP_DEBUG 3815 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3816 printf("SCTP_INIT\n"); 3817 } 3818 #endif /* SCTP_DEBUG */ 3819 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3820 /* We are not interested anymore? */ 3821 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3822 /* 3823 * collision case where we are 3824 * sending to them too 3825 */ 3826 ; 3827 } else { 3828 if (locked_tcb) 3829 SCTP_TCB_UNLOCK(locked_tcb); 3830 *offset = length; 3831 return (NULL); 3832 } 3833 } 3834 if ((num_chunks > 1) || 3835 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3836 *offset = length; 3837 if (locked_tcb) 3838 SCTP_TCB_UNLOCK(locked_tcb); 3839 return (NULL); 3840 } 3841 if ((stcb != NULL) && 3842 (SCTP_GET_STATE(&stcb->asoc) == 3843 SCTP_STATE_SHUTDOWN_ACK_SENT)) { 3844 sctp_send_shutdown_ack(stcb, 3845 stcb->asoc.primary_destination); 3846 *offset = length; 3847 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3848 if (locked_tcb) 3849 SCTP_TCB_UNLOCK(locked_tcb); 3850 return (NULL); 3851 } 3852 sctp_handle_init(m, iphlen, *offset, sh, 3853 (struct sctp_init_chunk *)ch, inp, stcb, *netp, &abort_no_unlock); 3854 if (abort_no_unlock) 3855 return (NULL); 3856 3857 *offset = length; 3858 if (locked_tcb) 3859 SCTP_TCB_UNLOCK(locked_tcb); 3860 return (NULL); 3861 break; 3862 case SCTP_INITIATION_ACK: 3863 /* must be first and only chunk */ 3864 #ifdef SCTP_DEBUG 3865 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3866 printf("SCTP_INIT-ACK\n"); 3867 } 3868 #endif /* SCTP_DEBUG */ 3869 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 3870 /* We are not interested anymore */ 3871 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 3872 ; 3873 } else { 3874 if (locked_tcb) 3875 SCTP_TCB_UNLOCK(locked_tcb); 3876 *offset = length; 3877 if (stcb) { 3878 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_26); 3879 } 3880 return (NULL); 3881 } 3882 } 3883 if ((num_chunks > 1) || 3884 (sctp_strict_init && (length - *offset > SCTP_SIZE32(chk_length)))) { 3885 *offset = length; 3886 if (locked_tcb) 3887 SCTP_TCB_UNLOCK(locked_tcb); 3888 return (NULL); 3889 } 3890 ret = sctp_handle_init_ack(m, iphlen, *offset, sh, 3891 (struct sctp_init_ack_chunk *)ch, stcb, *netp, &abort_no_unlock); 3892 /* 3893 * Special case, I must call the output routine to 3894 * get the cookie echoed 3895 */ 3896 if (abort_no_unlock) 3897 return (NULL); 3898 3899 if ((stcb) && ret == 0) 3900 sctp_chunk_output(stcb->sctp_ep, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 3901 *offset = length; 3902 if (locked_tcb) 3903 SCTP_TCB_UNLOCK(locked_tcb); 3904 return (NULL); 3905 break; 3906 case SCTP_SELECTIVE_ACK: 3907 #ifdef SCTP_DEBUG 3908 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3909 printf("SCTP_SACK\n"); 3910 } 3911 #endif /* SCTP_DEBUG */ 3912 SCTP_STAT_INCR(sctps_recvsacks); 3913 { 3914 struct sctp_sack_chunk *sack; 3915 int abort_now = 0; 3916 uint32_t a_rwnd, cum_ack; 3917 uint16_t num_seg; 3918 int nonce_sum_flag; 3919 3920 sack = (struct sctp_sack_chunk *)ch; 3921 3922 nonce_sum_flag = ch->chunk_flags & SCTP_SACK_NONCE_SUM; 3923 cum_ack = ntohl(sack->sack.cum_tsn_ack); 3924 num_seg = ntohs(sack->sack.num_gap_ack_blks); 3925 a_rwnd = (uint32_t) ntohl(sack->sack.a_rwnd); 3926 stcb->asoc.seen_a_sack_this_pkt = 1; 3927 if ((stcb->asoc.pr_sctp_cnt == 0) && 3928 (num_seg == 0) && 3929 ((compare_with_wrap(cum_ack, stcb->asoc.last_acked_seq, MAX_TSN)) || 3930 (cum_ack == stcb->asoc.last_acked_seq)) && 3931 (stcb->asoc.saw_sack_with_frags == 0) && 3932 (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) 3933 ) { 3934 /* 3935 * We have a SIMPLE sack having no 3936 * prior segments and data on sent 3937 * queue to be acked.. Use the 3938 * faster path sack processing. We 3939 * also allow window update sacks 3940 * with no missing segments to go 3941 * this way too. 3942 */ 3943 sctp_express_handle_sack(stcb, cum_ack, a_rwnd, nonce_sum_flag, &abort_now); 3944 } else { 3945 sctp_handle_sack(sack, stcb, *netp, &abort_now); 3946 } 3947 if (abort_now) { 3948 /* ABORT signal from sack processing */ 3949 *offset = length; 3950 return (NULL); 3951 } 3952 } 3953 break; 3954 case SCTP_HEARTBEAT_REQUEST: 3955 #ifdef SCTP_DEBUG 3956 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3957 printf("SCTP_HEARTBEAT\n"); 3958 } 3959 #endif /* SCTP_DEBUG */ 3960 SCTP_STAT_INCR(sctps_recvheartbeat); 3961 sctp_send_heartbeat_ack(stcb, m, *offset, chk_length, 3962 *netp); 3963 3964 /* He's alive so give him credit */ 3965 stcb->asoc.overall_error_count = 0; 3966 break; 3967 case SCTP_HEARTBEAT_ACK: 3968 #ifdef SCTP_DEBUG 3969 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3970 printf("SCTP_HEARTBEAT-ACK\n"); 3971 } 3972 #endif /* SCTP_DEBUG */ 3973 3974 /* He's alive so give him credit */ 3975 stcb->asoc.overall_error_count = 0; 3976 SCTP_STAT_INCR(sctps_recvheartbeatack); 3977 sctp_handle_heartbeat_ack((struct sctp_heartbeat_chunk *)ch, 3978 stcb, *netp); 3979 break; 3980 case SCTP_ABORT_ASSOCIATION: 3981 #ifdef SCTP_DEBUG 3982 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3983 printf("SCTP_ABORT\n"); 3984 } 3985 #endif /* SCTP_DEBUG */ 3986 sctp_handle_abort((struct sctp_abort_chunk *)ch, 3987 stcb, *netp); 3988 *offset = length; 3989 return (NULL); 3990 break; 3991 case SCTP_SHUTDOWN: 3992 #ifdef SCTP_DEBUG 3993 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 3994 printf("SCTP_SHUTDOWN\n"); 3995 } 3996 #endif /* SCTP_DEBUG */ 3997 { 3998 int abort_flag = 0; 3999 4000 sctp_handle_shutdown((struct sctp_shutdown_chunk *)ch, 4001 stcb, *netp, &abort_flag); 4002 if (abort_flag) { 4003 *offset = length; 4004 return (NULL); 4005 } 4006 } 4007 break; 4008 case SCTP_SHUTDOWN_ACK: 4009 #ifdef SCTP_DEBUG 4010 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4011 printf("SCTP_SHUTDOWN-ACK\n"); 4012 } 4013 #endif /* SCTP_DEBUG */ 4014 sctp_handle_shutdown_ack((struct sctp_shutdown_ack_chunk *)ch, stcb, *netp); 4015 *offset = length; 4016 return (NULL); 4017 break; 4018 case SCTP_OPERATION_ERROR: 4019 #ifdef SCTP_DEBUG 4020 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4021 printf("SCTP_OP-ERR\n"); 4022 } 4023 #endif /* SCTP_DEBUG */ 4024 if (sctp_handle_error(ch, stcb, *netp) < 0) { 4025 *offset = length; 4026 return (NULL); 4027 } 4028 break; 4029 case SCTP_COOKIE_ECHO: 4030 #ifdef SCTP_DEBUG 4031 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4032 printf("SCTP_COOKIE-ECHO stcb is %p\n", stcb); 4033 } 4034 #endif /* SCTP_DEBUG */ 4035 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4036 ; 4037 } else { 4038 if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) && 4039 (stcb == NULL)) { 4040 /* We are not interested anymore */ 4041 *offset = length; 4042 return (NULL); 4043 } 4044 } 4045 /* 4046 * First are we accepting? We do this again here 4047 * since it is possible that a previous endpoint WAS 4048 * listening responded to a INIT-ACK and then 4049 * closed. We opened and bound.. and are now no 4050 * longer listening. 4051 */ 4052 if (inp->sctp_socket->so_qlimit == 0) { 4053 if ((stcb) && (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) { 4054 /* 4055 * special case, is this a retran'd 4056 * COOKIE-ECHO or a restarting assoc 4057 * that is a peeled off or 4058 * one-to-one style socket. 4059 */ 4060 goto process_cookie_anyway; 4061 } 4062 sctp_abort_association(inp, stcb, m, iphlen, sh, 4063 NULL); 4064 *offset = length; 4065 return (NULL); 4066 } else if (inp->sctp_socket->so_qlimit) { 4067 /* we are accepting so check limits like TCP */ 4068 if (inp->sctp_socket->so_qlen > 4069 inp->sctp_socket->so_qlimit) { 4070 /* no space */ 4071 struct mbuf *oper; 4072 struct sctp_paramhdr *phdr; 4073 4074 if (sctp_abort_if_one_2_one_hits_limit) { 4075 oper = NULL; 4076 oper = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4077 0, M_DONTWAIT, 1, MT_DATA); 4078 if (oper) { 4079 SCTP_BUF_LEN(oper) = 4080 sizeof(struct sctp_paramhdr); 4081 phdr = mtod(oper, 4082 struct sctp_paramhdr *); 4083 phdr->param_type = 4084 htons(SCTP_CAUSE_OUT_OF_RESC); 4085 phdr->param_length = 4086 htons(sizeof(struct sctp_paramhdr)); 4087 } 4088 sctp_abort_association(inp, stcb, m, 4089 iphlen, sh, oper); 4090 } 4091 *offset = length; 4092 return (NULL); 4093 } 4094 } 4095 process_cookie_anyway: 4096 { 4097 struct mbuf *ret_buf; 4098 struct sctp_inpcb *linp; 4099 4100 if (stcb) 4101 linp = NULL; 4102 else 4103 linp = inp; 4104 4105 if (linp) 4106 SCTP_ASOC_CREATE_LOCK(linp); 4107 ret_buf = 4108 sctp_handle_cookie_echo(m, iphlen, 4109 *offset, sh, 4110 (struct sctp_cookie_echo_chunk *)ch, 4111 &inp, &stcb, netp, 4112 auth_skipped, 4113 auth_offset, 4114 auth_len, 4115 &locked_tcb); 4116 if (linp) 4117 SCTP_ASOC_CREATE_UNLOCK(linp); 4118 if (ret_buf == NULL) { 4119 if (locked_tcb) { 4120 SCTP_TCB_UNLOCK(locked_tcb); 4121 } 4122 #ifdef SCTP_DEBUG 4123 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4124 printf("GAK, null buffer\n"); 4125 } 4126 #endif /* SCTP_DEBUG */ 4127 auth_skipped = 0; 4128 *offset = length; 4129 return (NULL); 4130 } 4131 /* if AUTH skipped, see if it verified... */ 4132 if (auth_skipped) { 4133 got_auth = 1; 4134 auth_skipped = 0; 4135 } 4136 if (!TAILQ_EMPTY(&stcb->asoc.sent_queue)) { 4137 /* 4138 * Restart the timer if we have 4139 * pending data 4140 */ 4141 struct sctp_tmit_chunk *chk; 4142 4143 chk = TAILQ_FIRST(&stcb->asoc.sent_queue); 4144 if (chk) { 4145 sctp_timer_start(SCTP_TIMER_TYPE_SEND, 4146 stcb->sctp_ep, stcb, 4147 chk->whoTo); 4148 } 4149 } 4150 } 4151 break; 4152 case SCTP_COOKIE_ACK: 4153 #ifdef SCTP_DEBUG 4154 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4155 printf("SCTP_COOKIE-ACK\n"); 4156 } 4157 #endif /* SCTP_DEBUG */ 4158 4159 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4160 /* We are not interested anymore */ 4161 if ((stcb) && (stcb->asoc.total_output_queue_size)) { 4162 ; 4163 } else { 4164 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_27); 4165 *offset = length; 4166 return (NULL); 4167 } 4168 } 4169 /* He's alive so give him credit */ 4170 stcb->asoc.overall_error_count = 0; 4171 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, *netp); 4172 break; 4173 case SCTP_ECN_ECHO: 4174 #ifdef SCTP_DEBUG 4175 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4176 printf("SCTP_ECN-ECHO\n"); 4177 } 4178 #endif /* SCTP_DEBUG */ 4179 /* He's alive so give him credit */ 4180 stcb->asoc.overall_error_count = 0; 4181 sctp_handle_ecn_echo((struct sctp_ecne_chunk *)ch, 4182 stcb); 4183 break; 4184 case SCTP_ECN_CWR: 4185 #ifdef SCTP_DEBUG 4186 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4187 printf("SCTP_ECN-CWR\n"); 4188 } 4189 #endif /* SCTP_DEBUG */ 4190 /* He's alive so give him credit */ 4191 stcb->asoc.overall_error_count = 0; 4192 4193 sctp_handle_ecn_cwr((struct sctp_cwr_chunk *)ch, stcb); 4194 break; 4195 case SCTP_SHUTDOWN_COMPLETE: 4196 #ifdef SCTP_DEBUG 4197 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4198 printf("SCTP_SHUTDOWN-COMPLETE\n"); 4199 } 4200 #endif /* SCTP_DEBUG */ 4201 /* must be first and only chunk */ 4202 if ((num_chunks > 1) || 4203 (length - *offset > SCTP_SIZE32(chk_length))) { 4204 *offset = length; 4205 if (locked_tcb) 4206 SCTP_TCB_UNLOCK(locked_tcb); 4207 4208 return (NULL); 4209 } 4210 sctp_handle_shutdown_complete((struct sctp_shutdown_complete_chunk *)ch, 4211 stcb, *netp); 4212 *offset = length; 4213 return (NULL); 4214 break; 4215 case SCTP_ASCONF: 4216 #ifdef SCTP_DEBUG 4217 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4218 printf("SCTP_ASCONF\n"); 4219 } 4220 #endif /* SCTP_DEBUG */ 4221 /* He's alive so give him credit */ 4222 stcb->asoc.overall_error_count = 0; 4223 4224 sctp_handle_asconf(m, *offset, 4225 (struct sctp_asconf_chunk *)ch, stcb); 4226 break; 4227 case SCTP_ASCONF_ACK: 4228 #ifdef SCTP_DEBUG 4229 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4230 printf("SCTP_ASCONF-ACK\n"); 4231 } 4232 #endif /* SCTP_DEBUG */ 4233 /* He's alive so give him credit */ 4234 stcb->asoc.overall_error_count = 0; 4235 4236 sctp_handle_asconf_ack(m, *offset, 4237 (struct sctp_asconf_ack_chunk *)ch, stcb, *netp); 4238 break; 4239 case SCTP_FORWARD_CUM_TSN: 4240 #ifdef SCTP_DEBUG 4241 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4242 printf("SCTP_FWD-TSN\n"); 4243 } 4244 #endif /* SCTP_DEBUG */ 4245 /* He's alive so give him credit */ 4246 { 4247 int abort_flag = 0; 4248 4249 stcb->asoc.overall_error_count = 0; 4250 *fwd_tsn_seen = 1; 4251 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4252 /* We are not interested anymore */ 4253 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_28); 4254 *offset = length; 4255 return (NULL); 4256 } 4257 sctp_handle_forward_tsn(stcb, 4258 (struct sctp_forward_tsn_chunk *)ch, &abort_flag); 4259 if (abort_flag) { 4260 *offset = length; 4261 return (NULL); 4262 } else { 4263 stcb->asoc.overall_error_count = 0; 4264 } 4265 4266 } 4267 break; 4268 case SCTP_STREAM_RESET: 4269 #ifdef SCTP_DEBUG 4270 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4271 printf("SCTP_STREAM_RESET\n"); 4272 } 4273 #endif /* SCTP_DEBUG */ 4274 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4275 chk_length, chunk_buf); 4276 if (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) { 4277 /* We are not interested anymore */ 4278 sctp_free_assoc(inp, stcb, SCTP_NORMAL_PROC, SCTP_FROM_SCTP_INPUT + SCTP_LOC_29); 4279 *offset = length; 4280 return (NULL); 4281 } 4282 if (stcb->asoc.peer_supports_strreset == 0) { 4283 /* 4284 * hmm, peer should have announced this, but 4285 * we will turn it on since he is sending us 4286 * a stream reset. 4287 */ 4288 stcb->asoc.peer_supports_strreset = 1; 4289 } 4290 if (sctp_handle_stream_reset(stcb, (struct sctp_stream_reset_out_req *)ch)) { 4291 /* stop processing */ 4292 *offset = length; 4293 return (NULL); 4294 } 4295 break; 4296 case SCTP_PACKET_DROPPED: 4297 #ifdef SCTP_DEBUG 4298 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4299 printf("SCTP_PACKET_DROPPED\n"); 4300 } 4301 #endif /* SCTP_DEBUG */ 4302 /* re-get it all please */ 4303 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4304 chk_length, chunk_buf); 4305 4306 sctp_handle_packet_dropped((struct sctp_pktdrop_chunk *)ch, 4307 stcb, *netp); 4308 4309 break; 4310 4311 case SCTP_AUTHENTICATION: 4312 #ifdef SCTP_DEBUG 4313 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4314 printf("SCTP_AUTHENTICATION\n"); 4315 } 4316 #endif /* SCTP_DEBUG */ 4317 if (sctp_auth_disable) 4318 goto unknown_chunk; 4319 4320 if (stcb == NULL) { 4321 /* save the first AUTH for later processing */ 4322 if (auth_skipped == 0) { 4323 auth_offset = *offset; 4324 auth_len = chk_length; 4325 auth_skipped = 1; 4326 } 4327 /* skip this chunk (temporarily) */ 4328 goto next_chunk; 4329 } 4330 if (got_auth == 1) { 4331 /* skip this chunk... it's already auth'd */ 4332 goto next_chunk; 4333 } 4334 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4335 chk_length, chunk_buf); 4336 got_auth = 1; 4337 if (sctp_handle_auth(stcb, (struct sctp_auth_chunk *)ch, 4338 m, *offset)) { 4339 /* auth HMAC failed so dump the packet */ 4340 *offset = length; 4341 return (stcb); 4342 } else { 4343 /* remaining chunks are HMAC checked */ 4344 stcb->asoc.authenticated = 1; 4345 } 4346 break; 4347 4348 default: 4349 unknown_chunk: 4350 /* it's an unknown chunk! */ 4351 if ((ch->chunk_type & 0x40) && (stcb != NULL)) { 4352 struct mbuf *mm; 4353 struct sctp_paramhdr *phd; 4354 4355 mm = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 4356 0, M_DONTWAIT, 1, MT_DATA); 4357 if (mm) { 4358 phd = mtod(mm, struct sctp_paramhdr *); 4359 /* 4360 * We cheat and use param type since 4361 * we did not bother to define a 4362 * error cause struct. They are the 4363 * same basic format with different 4364 * names. 4365 */ 4366 phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); 4367 phd->param_length = htons(chk_length + sizeof(*phd)); 4368 SCTP_BUF_LEN(mm) = sizeof(*phd); 4369 SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), 4370 M_DONTWAIT); 4371 if (SCTP_BUF_NEXT(mm)) { 4372 sctp_queue_op_err(stcb, mm); 4373 } else { 4374 sctp_m_freem(mm); 4375 } 4376 } 4377 } 4378 if ((ch->chunk_type & 0x80) == 0) { 4379 /* discard this packet */ 4380 *offset = length; 4381 return (stcb); 4382 } /* else skip this bad chunk and continue... */ 4383 break; 4384 } /* switch (ch->chunk_type) */ 4385 4386 4387 next_chunk: 4388 /* get the next chunk */ 4389 *offset += SCTP_SIZE32(chk_length); 4390 if (*offset >= length) { 4391 /* no more data left in the mbuf chain */ 4392 break; 4393 } 4394 ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, *offset, 4395 sizeof(struct sctp_chunkhdr), chunk_buf); 4396 if (ch == NULL) { 4397 if (locked_tcb) 4398 SCTP_TCB_UNLOCK(locked_tcb); 4399 *offset = length; 4400 return (NULL); 4401 } 4402 } /* while */ 4403 return (stcb); 4404 } 4405 4406 4407 /* 4408 * Process the ECN bits we have something set so we must look to see if it is 4409 * ECN(0) or ECN(1) or CE 4410 */ 4411 static __inline void 4412 sctp_process_ecn_marked_a(struct sctp_tcb *stcb, struct sctp_nets *net, 4413 uint8_t ecn_bits) 4414 { 4415 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4416 ; 4417 } else if ((ecn_bits & SCTP_ECT1_BIT) == SCTP_ECT1_BIT) { 4418 /* 4419 * we only add to the nonce sum for ECT1, ECT0 does not 4420 * change the NS bit (that we have yet to find a way to send 4421 * it yet). 4422 */ 4423 4424 /* ECN Nonce stuff */ 4425 stcb->asoc.receiver_nonce_sum++; 4426 stcb->asoc.receiver_nonce_sum &= SCTP_SACK_NONCE_SUM; 4427 4428 /* 4429 * Drag up the last_echo point if cumack is larger since we 4430 * don't want the point falling way behind by more than 4431 * 2^^31 and then having it be incorrect. 4432 */ 4433 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4434 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4435 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4436 } 4437 } else if ((ecn_bits & SCTP_ECT0_BIT) == SCTP_ECT0_BIT) { 4438 /* 4439 * Drag up the last_echo point if cumack is larger since we 4440 * don't want the point falling way behind by more than 4441 * 2^^31 and then having it be incorrect. 4442 */ 4443 if (compare_with_wrap(stcb->asoc.cumulative_tsn, 4444 stcb->asoc.last_echo_tsn, MAX_TSN)) { 4445 stcb->asoc.last_echo_tsn = stcb->asoc.cumulative_tsn; 4446 } 4447 } 4448 } 4449 4450 static __inline void 4451 sctp_process_ecn_marked_b(struct sctp_tcb *stcb, struct sctp_nets *net, 4452 uint32_t high_tsn, uint8_t ecn_bits) 4453 { 4454 if ((ecn_bits & SCTP_CE_BITS) == SCTP_CE_BITS) { 4455 /* 4456 * we possibly must notify the sender that a congestion 4457 * window reduction is in order. We do this by adding a ECNE 4458 * chunk to the output chunk queue. The incoming CWR will 4459 * remove this chunk. 4460 */ 4461 if (compare_with_wrap(high_tsn, stcb->asoc.last_echo_tsn, 4462 MAX_TSN)) { 4463 /* Yep, we need to add a ECNE */ 4464 sctp_send_ecn_echo(stcb, net, high_tsn); 4465 stcb->asoc.last_echo_tsn = high_tsn; 4466 } 4467 } 4468 } 4469 4470 /* 4471 * common input chunk processing (v4 and v6) 4472 */ 4473 int 4474 sctp_common_input_processing(struct mbuf **mm, int iphlen, int offset, 4475 int length, struct sctphdr *sh, struct sctp_chunkhdr *ch, 4476 struct sctp_inpcb *inp, struct sctp_tcb *stcb, struct sctp_nets *net, 4477 uint8_t ecn_bits) 4478 { 4479 /* 4480 * Control chunk processing 4481 */ 4482 uint32_t high_tsn; 4483 int fwd_tsn_seen = 0, data_processed = 0; 4484 struct mbuf *m = *mm; 4485 int abort_flag = 0; 4486 int un_sent; 4487 4488 SCTP_STAT_INCR(sctps_recvdatagrams); 4489 #ifdef SCTP_AUDITING_ENABLED 4490 sctp_audit_log(0xE0, 1); 4491 sctp_auditing(0, inp, stcb, net); 4492 #endif 4493 4494 #ifdef SCTP_DEBUG 4495 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4496 printf("Ok, Common input processing called, m:%p iphlen:%d offset:%d\n", 4497 m, iphlen, offset); 4498 } 4499 #endif /* SCTP_DEBUG */ 4500 4501 if (stcb) { 4502 /* always clear this before beginning a packet */ 4503 stcb->asoc.authenticated = 0; 4504 stcb->asoc.seen_a_sack_this_pkt = 0; 4505 } 4506 if (IS_SCTP_CONTROL(ch)) { 4507 /* process the control portion of the SCTP packet */ 4508 stcb = sctp_process_control(m, iphlen, &offset, length, sh, ch, 4509 inp, stcb, &net, &fwd_tsn_seen); 4510 if (stcb) { 4511 /* 4512 * This covers us if the cookie-echo was there and 4513 * it changes our INP. 4514 */ 4515 inp = stcb->sctp_ep; 4516 } 4517 } else { 4518 /* 4519 * no control chunks, so pre-process DATA chunks (these 4520 * checks are taken care of by control processing) 4521 */ 4522 4523 /* 4524 * if DATA only packet, and auth is required, then punt... 4525 * can't have authenticated without any AUTH (control) 4526 * chunks 4527 */ 4528 if ((stcb != NULL) && !sctp_auth_disable && 4529 sctp_auth_is_required_chunk(SCTP_DATA, 4530 stcb->asoc.local_auth_chunks)) { 4531 /* "silently" ignore */ 4532 SCTP_STAT_INCR(sctps_recvauthmissing); 4533 SCTP_TCB_UNLOCK(stcb); 4534 return (1); 4535 } 4536 if (stcb == NULL) { 4537 /* out of the blue DATA chunk */ 4538 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4539 return (1); 4540 } 4541 if (stcb->asoc.my_vtag != ntohl(sh->v_tag)) { 4542 /* v_tag mismatch! */ 4543 SCTP_STAT_INCR(sctps_badvtag); 4544 SCTP_TCB_UNLOCK(stcb); 4545 return (1); 4546 } 4547 } 4548 4549 if (stcb == NULL) { 4550 /* 4551 * no valid TCB for this packet, or we found it's a bad 4552 * packet while processing control, or we're done with this 4553 * packet (done or skip rest of data), so we drop it... 4554 */ 4555 return (1); 4556 } 4557 /* 4558 * DATA chunk processing 4559 */ 4560 /* plow through the data chunks while length > offset */ 4561 4562 /* 4563 * Rest should be DATA only. Check authentication state if AUTH for 4564 * DATA is required. 4565 */ 4566 if ((length > offset) && (stcb != NULL) && !sctp_auth_disable && 4567 sctp_auth_is_required_chunk(SCTP_DATA, 4568 stcb->asoc.local_auth_chunks) && 4569 !stcb->asoc.authenticated) { 4570 /* "silently" ignore */ 4571 SCTP_STAT_INCR(sctps_recvauthmissing); 4572 #ifdef SCTP_DEBUG 4573 if (sctp_debug_on & SCTP_DEBUG_AUTH1) 4574 printf("Data chunk requires AUTH, skipped\n"); 4575 #endif 4576 goto trigger_send; 4577 } 4578 if (length > offset) { 4579 int retval; 4580 4581 /* 4582 * First check to make sure our state is correct. We would 4583 * not get here unless we really did have a tag, so we don't 4584 * abort if this happens, just dump the chunk silently. 4585 */ 4586 switch (SCTP_GET_STATE(&stcb->asoc)) { 4587 case SCTP_STATE_COOKIE_ECHOED: 4588 /* 4589 * we consider data with valid tags in this state 4590 * shows us the cookie-ack was lost. Imply it was 4591 * there. 4592 */ 4593 stcb->asoc.overall_error_count = 0; 4594 sctp_handle_cookie_ack((struct sctp_cookie_ack_chunk *)ch, stcb, net); 4595 break; 4596 case SCTP_STATE_COOKIE_WAIT: 4597 /* 4598 * We consider OOTB any data sent during asoc setup. 4599 */ 4600 sctp_handle_ootb(m, iphlen, offset, sh, inp, NULL); 4601 SCTP_TCB_UNLOCK(stcb); 4602 return (1); 4603 break; 4604 case SCTP_STATE_EMPTY: /* should not happen */ 4605 case SCTP_STATE_INUSE: /* should not happen */ 4606 case SCTP_STATE_SHUTDOWN_RECEIVED: /* This is a peer error */ 4607 case SCTP_STATE_SHUTDOWN_ACK_SENT: 4608 default: 4609 SCTP_TCB_UNLOCK(stcb); 4610 return (1); 4611 break; 4612 case SCTP_STATE_OPEN: 4613 case SCTP_STATE_SHUTDOWN_SENT: 4614 break; 4615 } 4616 /* take care of ECN, part 1. */ 4617 if (stcb->asoc.ecn_allowed && 4618 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4619 sctp_process_ecn_marked_a(stcb, net, ecn_bits); 4620 } 4621 /* plow through the data chunks while length > offset */ 4622 retval = sctp_process_data(mm, iphlen, &offset, length, sh, 4623 inp, stcb, net, &high_tsn); 4624 if (retval == 2) { 4625 /* 4626 * The association aborted, NO UNLOCK needed since 4627 * the association is destroyed. 4628 */ 4629 return (0); 4630 } 4631 data_processed = 1; 4632 if (retval == 0) { 4633 /* take care of ecn part 2. */ 4634 if (stcb->asoc.ecn_allowed && 4635 (ecn_bits & (SCTP_ECT0_BIT | SCTP_ECT1_BIT))) { 4636 sctp_process_ecn_marked_b(stcb, net, high_tsn, 4637 ecn_bits); 4638 } 4639 } 4640 /* 4641 * Anything important needs to have been m_copy'ed in 4642 * process_data 4643 */ 4644 } 4645 if ((data_processed == 0) && (fwd_tsn_seen)) { 4646 int was_a_gap = 0; 4647 4648 if (compare_with_wrap(stcb->asoc.highest_tsn_inside_map, 4649 stcb->asoc.cumulative_tsn, MAX_TSN)) { 4650 /* there was a gap before this data was processed */ 4651 was_a_gap = 1; 4652 } 4653 sctp_sack_check(stcb, 1, was_a_gap, &abort_flag); 4654 if (abort_flag) { 4655 /* Again, we aborted so NO UNLOCK needed */ 4656 return (0); 4657 } 4658 } 4659 /* trigger send of any chunks in queue... */ 4660 trigger_send: 4661 #ifdef SCTP_AUDITING_ENABLED 4662 sctp_audit_log(0xE0, 2); 4663 sctp_auditing(1, inp, stcb, net); 4664 #endif 4665 #ifdef SCTP_DEBUG 4666 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4667 printf("Check for chunk output prw:%d tqe:%d tf=%d\n", 4668 stcb->asoc.peers_rwnd, 4669 TAILQ_EMPTY(&stcb->asoc.control_send_queue), 4670 stcb->asoc.total_flight); 4671 } 4672 #endif 4673 un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight); 4674 4675 if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue) || 4676 ((un_sent) && 4677 (stcb->asoc.peers_rwnd > 0 || 4678 (stcb->asoc.peers_rwnd <= 0 && stcb->asoc.total_flight == 0)))) { 4679 #ifdef SCTP_DEBUG 4680 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4681 printf("Calling chunk OUTPUT\n"); 4682 } 4683 #endif 4684 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_CONTROL_PROC); 4685 #ifdef SCTP_DEBUG 4686 if (sctp_debug_on & SCTP_DEBUG_INPUT3) { 4687 printf("chunk OUTPUT returns\n"); 4688 } 4689 #endif 4690 } 4691 #ifdef SCTP_AUDITING_ENABLED 4692 sctp_audit_log(0xE0, 3); 4693 sctp_auditing(2, inp, stcb, net); 4694 #endif 4695 SCTP_TCB_UNLOCK(stcb); 4696 return (0); 4697 } 4698 4699 4700 4701 void 4702 sctp_input(i_pak, off) 4703 struct mbuf *i_pak; 4704 int off; 4705 4706 { 4707 #ifdef SCTP_MBUF_LOGGING 4708 struct mbuf *mat; 4709 4710 #endif 4711 struct mbuf *m; 4712 int iphlen; 4713 uint32_t vrf_id; 4714 uint8_t ecn_bits; 4715 struct ip *ip; 4716 struct sctphdr *sh; 4717 struct sctp_inpcb *inp = NULL; 4718 4719 uint32_t check, calc_check; 4720 struct sctp_nets *net; 4721 struct sctp_tcb *stcb = NULL; 4722 struct sctp_chunkhdr *ch; 4723 int refcount_up = 0; 4724 int length, mlen, offset; 4725 4726 vrf_id = SCTP_DEFAULT_VRFID; 4727 mlen = SCTP_HEADER_LEN(i_pak); 4728 iphlen = off; 4729 m = SCTP_HEADER_TO_CHAIN(i_pak); 4730 net = NULL; 4731 SCTP_STAT_INCR(sctps_recvpackets); 4732 SCTP_STAT_INCR_COUNTER64(sctps_inpackets); 4733 4734 #ifdef SCTP_MBUF_LOGGING 4735 /* Log in any input mbufs */ 4736 mat = m; 4737 while (mat) { 4738 if (SCTP_BUF_IS_EXTENDED(mat)) { 4739 sctp_log_mb(mat, SCTP_MBUF_INPUT); 4740 } 4741 mat = SCTP_BUF_NEXT(mat); 4742 } 4743 #endif 4744 4745 /* 4746 * Get IP, SCTP, and first chunk header together in first mbuf. 4747 */ 4748 ip = mtod(m, struct ip *); 4749 offset = iphlen + sizeof(*sh) + sizeof(*ch); 4750 if (SCTP_BUF_LEN(m) < offset) { 4751 if ((m = m_pullup(m, offset)) == 0) { 4752 SCTP_STAT_INCR(sctps_hdrops); 4753 return; 4754 } 4755 ip = mtod(m, struct ip *); 4756 } 4757 sh = (struct sctphdr *)((caddr_t)ip + iphlen); 4758 ch = (struct sctp_chunkhdr *)((caddr_t)sh + sizeof(*sh)); 4759 4760 /* SCTP does not allow broadcasts or multicasts */ 4761 if (IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) { 4762 goto bad; 4763 } 4764 if (SCTP_IS_IT_BROADCAST(ip->ip_dst, m)) { 4765 /* 4766 * We only look at broadcast if its a front state, All 4767 * others we will not have a tcb for anyway. 4768 */ 4769 goto bad; 4770 } 4771 /* validate SCTP checksum */ 4772 if ((sctp_no_csum_on_loopback == 0) || !SCTP_IS_IT_LOOPBACK(m)) { 4773 /* 4774 * we do NOT validate things from the loopback if the sysctl 4775 * is set to 1. 4776 */ 4777 check = sh->checksum; /* save incoming checksum */ 4778 if ((check == 0) && (sctp_no_csum_on_loopback)) { 4779 /* 4780 * special hook for where we got a local address 4781 * somehow routed across a non IFT_LOOP type 4782 * interface 4783 */ 4784 if (ip->ip_src.s_addr == ip->ip_dst.s_addr) 4785 goto sctp_skip_csum_4; 4786 } 4787 sh->checksum = 0; /* prepare for calc */ 4788 calc_check = sctp_calculate_sum(m, &mlen, iphlen); 4789 if (calc_check != check) { 4790 #ifdef SCTP_DEBUG 4791 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4792 printf("Bad CSUM on SCTP packet calc_check:%x check:%x m:%p mlen:%d iphlen:%d\n", 4793 calc_check, check, m, mlen, iphlen); 4794 } 4795 #endif 4796 4797 stcb = sctp_findassociation_addr(m, iphlen, 4798 offset - sizeof(*ch), 4799 sh, ch, &inp, &net, vrf_id); 4800 if ((inp) && (stcb)) { 4801 sctp_send_packet_dropped(stcb, net, m, iphlen, 1); 4802 sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_INPUT_ERROR); 4803 } else if ((inp != NULL) && (stcb == NULL)) { 4804 refcount_up = 1; 4805 } 4806 SCTP_STAT_INCR(sctps_badsum); 4807 SCTP_STAT_INCR_COUNTER32(sctps_checksumerrors); 4808 goto bad; 4809 } 4810 sh->checksum = calc_check; 4811 } 4812 sctp_skip_csum_4: 4813 /* destination port of 0 is illegal, based on RFC2960. */ 4814 if (sh->dest_port == 0) { 4815 SCTP_STAT_INCR(sctps_hdrops); 4816 goto bad; 4817 } 4818 /* validate mbuf chain length with IP payload length */ 4819 if (mlen < (ip->ip_len - iphlen)) { 4820 SCTP_STAT_INCR(sctps_hdrops); 4821 goto bad; 4822 } 4823 /* 4824 * Locate pcb and tcb for datagram sctp_findassociation_addr() wants 4825 * IP/SCTP/first chunk header... 4826 */ 4827 stcb = sctp_findassociation_addr(m, iphlen, offset - sizeof(*ch), 4828 sh, ch, &inp, &net, vrf_id); 4829 /* inp's ref-count increased && stcb locked */ 4830 if (inp == NULL) { 4831 struct sctp_init_chunk *init_chk, chunk_buf; 4832 4833 SCTP_STAT_INCR(sctps_noport); 4834 #ifdef ICMP_BANDLIM 4835 /* 4836 * we use the bandwidth limiting to protect against sending 4837 * too many ABORTS all at once. In this case these count the 4838 * same as an ICMP message. 4839 */ 4840 if (badport_bandlim(0) < 0) 4841 goto bad; 4842 #endif /* ICMP_BANDLIM */ 4843 #ifdef SCTP_DEBUG 4844 if (sctp_debug_on & SCTP_DEBUG_INPUT1) { 4845 printf("Sending a ABORT from packet entry!\n"); 4846 } 4847 #endif 4848 if (ch->chunk_type == SCTP_INITIATION) { 4849 /* 4850 * we do a trick here to get the INIT tag, dig in 4851 * and get the tag from the INIT and put it in the 4852 * common header. 4853 */ 4854 init_chk = (struct sctp_init_chunk *)sctp_m_getptr(m, 4855 iphlen + sizeof(*sh), sizeof(*init_chk), 4856 (uint8_t *) & chunk_buf); 4857 if (init_chk != NULL) 4858 sh->v_tag = init_chk->init.initiate_tag; 4859 } 4860 if (ch->chunk_type == SCTP_SHUTDOWN_ACK) { 4861 sctp_send_shutdown_complete2(m, iphlen, sh); 4862 goto bad; 4863 } 4864 if (ch->chunk_type == SCTP_SHUTDOWN_COMPLETE) { 4865 goto bad; 4866 } 4867 if (ch->chunk_type != SCTP_ABORT_ASSOCIATION) 4868 sctp_send_abort(m, iphlen, sh, 0, NULL); 4869 goto bad; 4870 } else if (stcb == NULL) { 4871 refcount_up = 1; 4872 } 4873 #ifdef IPSEC 4874 /* 4875 * I very much doubt any of the IPSEC stuff will work but I have no 4876 * idea, so I will leave it in place. 4877 */ 4878 4879 if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { 4880 ipsecstat.in_polvio++; 4881 SCTP_STAT_INCR(sctps_hdrops); 4882 goto bad; 4883 } 4884 #endif /* IPSEC */ 4885 4886 4887 4888 /* 4889 * common chunk processing 4890 */ 4891 length = ip->ip_len + iphlen; 4892 offset -= sizeof(struct sctp_chunkhdr); 4893 4894 ecn_bits = ip->ip_tos; 4895 4896 sctp_common_input_processing(&m, iphlen, offset, length, sh, ch, 4897 inp, stcb, net, ecn_bits); 4898 /* inp's ref-count reduced && stcb unlocked */ 4899 if (m) { 4900 sctp_m_freem(m); 4901 } 4902 if ((inp) && (refcount_up)) { 4903 /* reduce ref-count */ 4904 SCTP_INP_WLOCK(inp); 4905 SCTP_INP_DECR_REF(inp); 4906 SCTP_INP_WUNLOCK(inp); 4907 } 4908 return; 4909 bad: 4910 if (stcb) 4911 SCTP_TCB_UNLOCK(stcb); 4912 4913 if ((inp) && (refcount_up)) { 4914 /* reduce ref-count */ 4915 SCTP_INP_WLOCK(inp); 4916 SCTP_INP_DECR_REF(inp); 4917 SCTP_INP_WUNLOCK(inp); 4918 } 4919 if (m) { 4920 sctp_m_freem(m); 4921 } 4922 return; 4923 } 4924