xref: /freebsd/sys/netinet/sctp_output.c (revision 8f861da99cb9865b2f1ef6098ad074150f368c23) 
1 /*-
2  * Copyright (c) 2001-2008, by Cisco Systems, Inc. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions are met:
6  *
7  * a) Redistributions of source code must retain the above copyright notice,
8  *   this list of conditions and the following disclaimer.
9  *
10  * b) Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in
12  *   the documentation and/or other materials provided with the distribution.
13  *
14  * c) Neither the name of Cisco Systems, Inc. nor the names of its
15  *    contributors may be used to endorse or promote products derived
16  *    from this software without specific prior written permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
20  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
22  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
28  * THE POSSIBILITY OF SUCH DAMAGE.
29  */
30 
31 /* $KAME: sctp_output.c,v 1.46 2005/03/06 16:04:17 itojun Exp $	 */
32 
33 #include <sys/cdefs.h>
34 __FBSDID("$FreeBSD$");
35 
36 #include <netinet/sctp_os.h>
37 #include <sys/proc.h>
38 #include <netinet/sctp_var.h>
39 #include <netinet/sctp_sysctl.h>
40 #include <netinet/sctp_header.h>
41 #include <netinet/sctp_pcb.h>
42 #include <netinet/sctputil.h>
43 #include <netinet/sctp_output.h>
44 #include <netinet/sctp_uio.h>
45 #include <netinet/sctputil.h>
46 #include <netinet/sctp_auth.h>
47 #include <netinet/sctp_timer.h>
48 #include <netinet/sctp_asconf.h>
49 #include <netinet/sctp_indata.h>
50 #include <netinet/sctp_bsd_addr.h>
51 #include <netinet/sctp_input.h>
52 #include <netinet/sctp_crc32.h>
53 #include <netinet/udp.h>
54 #include <machine/in_cksum.h>
55 
56 
57 
58 #define SCTP_MAX_GAPS_INARRAY 4
59 struct sack_track {
60 	uint8_t right_edge;	/* mergable on the right edge */
61 	uint8_t left_edge;	/* mergable on the left edge */
62 	uint8_t num_entries;
63 	uint8_t spare;
64 	struct sctp_gap_ack_block gaps[SCTP_MAX_GAPS_INARRAY];
65 };
66 
67 struct sack_track sack_array[256] = {
68 	{0, 0, 0, 0,		/* 0x00 */
69 		{{0, 0},
70 		{0, 0},
71 		{0, 0},
72 		{0, 0}
73 		}
74 	},
75 	{1, 0, 1, 0,		/* 0x01 */
76 		{{0, 0},
77 		{0, 0},
78 		{0, 0},
79 		{0, 0}
80 		}
81 	},
82 	{0, 0, 1, 0,		/* 0x02 */
83 		{{1, 1},
84 		{0, 0},
85 		{0, 0},
86 		{0, 0}
87 		}
88 	},
89 	{1, 0, 1, 0,		/* 0x03 */
90 		{{0, 1},
91 		{0, 0},
92 		{0, 0},
93 		{0, 0}
94 		}
95 	},
96 	{0, 0, 1, 0,		/* 0x04 */
97 		{{2, 2},
98 		{0, 0},
99 		{0, 0},
100 		{0, 0}
101 		}
102 	},
103 	{1, 0, 2, 0,		/* 0x05 */
104 		{{0, 0},
105 		{2, 2},
106 		{0, 0},
107 		{0, 0}
108 		}
109 	},
110 	{0, 0, 1, 0,		/* 0x06 */
111 		{{1, 2},
112 		{0, 0},
113 		{0, 0},
114 		{0, 0}
115 		}
116 	},
117 	{1, 0, 1, 0,		/* 0x07 */
118 		{{0, 2},
119 		{0, 0},
120 		{0, 0},
121 		{0, 0}
122 		}
123 	},
124 	{0, 0, 1, 0,		/* 0x08 */
125 		{{3, 3},
126 		{0, 0},
127 		{0, 0},
128 		{0, 0}
129 		}
130 	},
131 	{1, 0, 2, 0,		/* 0x09 */
132 		{{0, 0},
133 		{3, 3},
134 		{0, 0},
135 		{0, 0}
136 		}
137 	},
138 	{0, 0, 2, 0,		/* 0x0a */
139 		{{1, 1},
140 		{3, 3},
141 		{0, 0},
142 		{0, 0}
143 		}
144 	},
145 	{1, 0, 2, 0,		/* 0x0b */
146 		{{0, 1},
147 		{3, 3},
148 		{0, 0},
149 		{0, 0}
150 		}
151 	},
152 	{0, 0, 1, 0,		/* 0x0c */
153 		{{2, 3},
154 		{0, 0},
155 		{0, 0},
156 		{0, 0}
157 		}
158 	},
159 	{1, 0, 2, 0,		/* 0x0d */
160 		{{0, 0},
161 		{2, 3},
162 		{0, 0},
163 		{0, 0}
164 		}
165 	},
166 	{0, 0, 1, 0,		/* 0x0e */
167 		{{1, 3},
168 		{0, 0},
169 		{0, 0},
170 		{0, 0}
171 		}
172 	},
173 	{1, 0, 1, 0,		/* 0x0f */
174 		{{0, 3},
175 		{0, 0},
176 		{0, 0},
177 		{0, 0}
178 		}
179 	},
180 	{0, 0, 1, 0,		/* 0x10 */
181 		{{4, 4},
182 		{0, 0},
183 		{0, 0},
184 		{0, 0}
185 		}
186 	},
187 	{1, 0, 2, 0,		/* 0x11 */
188 		{{0, 0},
189 		{4, 4},
190 		{0, 0},
191 		{0, 0}
192 		}
193 	},
194 	{0, 0, 2, 0,		/* 0x12 */
195 		{{1, 1},
196 		{4, 4},
197 		{0, 0},
198 		{0, 0}
199 		}
200 	},
201 	{1, 0, 2, 0,		/* 0x13 */
202 		{{0, 1},
203 		{4, 4},
204 		{0, 0},
205 		{0, 0}
206 		}
207 	},
208 	{0, 0, 2, 0,		/* 0x14 */
209 		{{2, 2},
210 		{4, 4},
211 		{0, 0},
212 		{0, 0}
213 		}
214 	},
215 	{1, 0, 3, 0,		/* 0x15 */
216 		{{0, 0},
217 		{2, 2},
218 		{4, 4},
219 		{0, 0}
220 		}
221 	},
222 	{0, 0, 2, 0,		/* 0x16 */
223 		{{1, 2},
224 		{4, 4},
225 		{0, 0},
226 		{0, 0}
227 		}
228 	},
229 	{1, 0, 2, 0,		/* 0x17 */
230 		{{0, 2},
231 		{4, 4},
232 		{0, 0},
233 		{0, 0}
234 		}
235 	},
236 	{0, 0, 1, 0,		/* 0x18 */
237 		{{3, 4},
238 		{0, 0},
239 		{0, 0},
240 		{0, 0}
241 		}
242 	},
243 	{1, 0, 2, 0,		/* 0x19 */
244 		{{0, 0},
245 		{3, 4},
246 		{0, 0},
247 		{0, 0}
248 		}
249 	},
250 	{0, 0, 2, 0,		/* 0x1a */
251 		{{1, 1},
252 		{3, 4},
253 		{0, 0},
254 		{0, 0}
255 		}
256 	},
257 	{1, 0, 2, 0,		/* 0x1b */
258 		{{0, 1},
259 		{3, 4},
260 		{0, 0},
261 		{0, 0}
262 		}
263 	},
264 	{0, 0, 1, 0,		/* 0x1c */
265 		{{2, 4},
266 		{0, 0},
267 		{0, 0},
268 		{0, 0}
269 		}
270 	},
271 	{1, 0, 2, 0,		/* 0x1d */
272 		{{0, 0},
273 		{2, 4},
274 		{0, 0},
275 		{0, 0}
276 		}
277 	},
278 	{0, 0, 1, 0,		/* 0x1e */
279 		{{1, 4},
280 		{0, 0},
281 		{0, 0},
282 		{0, 0}
283 		}
284 	},
285 	{1, 0, 1, 0,		/* 0x1f */
286 		{{0, 4},
287 		{0, 0},
288 		{0, 0},
289 		{0, 0}
290 		}
291 	},
292 	{0, 0, 1, 0,		/* 0x20 */
293 		{{5, 5},
294 		{0, 0},
295 		{0, 0},
296 		{0, 0}
297 		}
298 	},
299 	{1, 0, 2, 0,		/* 0x21 */
300 		{{0, 0},
301 		{5, 5},
302 		{0, 0},
303 		{0, 0}
304 		}
305 	},
306 	{0, 0, 2, 0,		/* 0x22 */
307 		{{1, 1},
308 		{5, 5},
309 		{0, 0},
310 		{0, 0}
311 		}
312 	},
313 	{1, 0, 2, 0,		/* 0x23 */
314 		{{0, 1},
315 		{5, 5},
316 		{0, 0},
317 		{0, 0}
318 		}
319 	},
320 	{0, 0, 2, 0,		/* 0x24 */
321 		{{2, 2},
322 		{5, 5},
323 		{0, 0},
324 		{0, 0}
325 		}
326 	},
327 	{1, 0, 3, 0,		/* 0x25 */
328 		{{0, 0},
329 		{2, 2},
330 		{5, 5},
331 		{0, 0}
332 		}
333 	},
334 	{0, 0, 2, 0,		/* 0x26 */
335 		{{1, 2},
336 		{5, 5},
337 		{0, 0},
338 		{0, 0}
339 		}
340 	},
341 	{1, 0, 2, 0,		/* 0x27 */
342 		{{0, 2},
343 		{5, 5},
344 		{0, 0},
345 		{0, 0}
346 		}
347 	},
348 	{0, 0, 2, 0,		/* 0x28 */
349 		{{3, 3},
350 		{5, 5},
351 		{0, 0},
352 		{0, 0}
353 		}
354 	},
355 	{1, 0, 3, 0,		/* 0x29 */
356 		{{0, 0},
357 		{3, 3},
358 		{5, 5},
359 		{0, 0}
360 		}
361 	},
362 	{0, 0, 3, 0,		/* 0x2a */
363 		{{1, 1},
364 		{3, 3},
365 		{5, 5},
366 		{0, 0}
367 		}
368 	},
369 	{1, 0, 3, 0,		/* 0x2b */
370 		{{0, 1},
371 		{3, 3},
372 		{5, 5},
373 		{0, 0}
374 		}
375 	},
376 	{0, 0, 2, 0,		/* 0x2c */
377 		{{2, 3},
378 		{5, 5},
379 		{0, 0},
380 		{0, 0}
381 		}
382 	},
383 	{1, 0, 3, 0,		/* 0x2d */
384 		{{0, 0},
385 		{2, 3},
386 		{5, 5},
387 		{0, 0}
388 		}
389 	},
390 	{0, 0, 2, 0,		/* 0x2e */
391 		{{1, 3},
392 		{5, 5},
393 		{0, 0},
394 		{0, 0}
395 		}
396 	},
397 	{1, 0, 2, 0,		/* 0x2f */
398 		{{0, 3},
399 		{5, 5},
400 		{0, 0},
401 		{0, 0}
402 		}
403 	},
404 	{0, 0, 1, 0,		/* 0x30 */
405 		{{4, 5},
406 		{0, 0},
407 		{0, 0},
408 		{0, 0}
409 		}
410 	},
411 	{1, 0, 2, 0,		/* 0x31 */
412 		{{0, 0},
413 		{4, 5},
414 		{0, 0},
415 		{0, 0}
416 		}
417 	},
418 	{0, 0, 2, 0,		/* 0x32 */
419 		{{1, 1},
420 		{4, 5},
421 		{0, 0},
422 		{0, 0}
423 		}
424 	},
425 	{1, 0, 2, 0,		/* 0x33 */
426 		{{0, 1},
427 		{4, 5},
428 		{0, 0},
429 		{0, 0}
430 		}
431 	},
432 	{0, 0, 2, 0,		/* 0x34 */
433 		{{2, 2},
434 		{4, 5},
435 		{0, 0},
436 		{0, 0}
437 		}
438 	},
439 	{1, 0, 3, 0,		/* 0x35 */
440 		{{0, 0},
441 		{2, 2},
442 		{4, 5},
443 		{0, 0}
444 		}
445 	},
446 	{0, 0, 2, 0,		/* 0x36 */
447 		{{1, 2},
448 		{4, 5},
449 		{0, 0},
450 		{0, 0}
451 		}
452 	},
453 	{1, 0, 2, 0,		/* 0x37 */
454 		{{0, 2},
455 		{4, 5},
456 		{0, 0},
457 		{0, 0}
458 		}
459 	},
460 	{0, 0, 1, 0,		/* 0x38 */
461 		{{3, 5},
462 		{0, 0},
463 		{0, 0},
464 		{0, 0}
465 		}
466 	},
467 	{1, 0, 2, 0,		/* 0x39 */
468 		{{0, 0},
469 		{3, 5},
470 		{0, 0},
471 		{0, 0}
472 		}
473 	},
474 	{0, 0, 2, 0,		/* 0x3a */
475 		{{1, 1},
476 		{3, 5},
477 		{0, 0},
478 		{0, 0}
479 		}
480 	},
481 	{1, 0, 2, 0,		/* 0x3b */
482 		{{0, 1},
483 		{3, 5},
484 		{0, 0},
485 		{0, 0}
486 		}
487 	},
488 	{0, 0, 1, 0,		/* 0x3c */
489 		{{2, 5},
490 		{0, 0},
491 		{0, 0},
492 		{0, 0}
493 		}
494 	},
495 	{1, 0, 2, 0,		/* 0x3d */
496 		{{0, 0},
497 		{2, 5},
498 		{0, 0},
499 		{0, 0}
500 		}
501 	},
502 	{0, 0, 1, 0,		/* 0x3e */
503 		{{1, 5},
504 		{0, 0},
505 		{0, 0},
506 		{0, 0}
507 		}
508 	},
509 	{1, 0, 1, 0,		/* 0x3f */
510 		{{0, 5},
511 		{0, 0},
512 		{0, 0},
513 		{0, 0}
514 		}
515 	},
516 	{0, 0, 1, 0,		/* 0x40 */
517 		{{6, 6},
518 		{0, 0},
519 		{0, 0},
520 		{0, 0}
521 		}
522 	},
523 	{1, 0, 2, 0,		/* 0x41 */
524 		{{0, 0},
525 		{6, 6},
526 		{0, 0},
527 		{0, 0}
528 		}
529 	},
530 	{0, 0, 2, 0,		/* 0x42 */
531 		{{1, 1},
532 		{6, 6},
533 		{0, 0},
534 		{0, 0}
535 		}
536 	},
537 	{1, 0, 2, 0,		/* 0x43 */
538 		{{0, 1},
539 		{6, 6},
540 		{0, 0},
541 		{0, 0}
542 		}
543 	},
544 	{0, 0, 2, 0,		/* 0x44 */
545 		{{2, 2},
546 		{6, 6},
547 		{0, 0},
548 		{0, 0}
549 		}
550 	},
551 	{1, 0, 3, 0,		/* 0x45 */
552 		{{0, 0},
553 		{2, 2},
554 		{6, 6},
555 		{0, 0}
556 		}
557 	},
558 	{0, 0, 2, 0,		/* 0x46 */
559 		{{1, 2},
560 		{6, 6},
561 		{0, 0},
562 		{0, 0}
563 		}
564 	},
565 	{1, 0, 2, 0,		/* 0x47 */
566 		{{0, 2},
567 		{6, 6},
568 		{0, 0},
569 		{0, 0}
570 		}
571 	},
572 	{0, 0, 2, 0,		/* 0x48 */
573 		{{3, 3},
574 		{6, 6},
575 		{0, 0},
576 		{0, 0}
577 		}
578 	},
579 	{1, 0, 3, 0,		/* 0x49 */
580 		{{0, 0},
581 		{3, 3},
582 		{6, 6},
583 		{0, 0}
584 		}
585 	},
586 	{0, 0, 3, 0,		/* 0x4a */
587 		{{1, 1},
588 		{3, 3},
589 		{6, 6},
590 		{0, 0}
591 		}
592 	},
593 	{1, 0, 3, 0,		/* 0x4b */
594 		{{0, 1},
595 		{3, 3},
596 		{6, 6},
597 		{0, 0}
598 		}
599 	},
600 	{0, 0, 2, 0,		/* 0x4c */
601 		{{2, 3},
602 		{6, 6},
603 		{0, 0},
604 		{0, 0}
605 		}
606 	},
607 	{1, 0, 3, 0,		/* 0x4d */
608 		{{0, 0},
609 		{2, 3},
610 		{6, 6},
611 		{0, 0}
612 		}
613 	},
614 	{0, 0, 2, 0,		/* 0x4e */
615 		{{1, 3},
616 		{6, 6},
617 		{0, 0},
618 		{0, 0}
619 		}
620 	},
621 	{1, 0, 2, 0,		/* 0x4f */
622 		{{0, 3},
623 		{6, 6},
624 		{0, 0},
625 		{0, 0}
626 		}
627 	},
628 	{0, 0, 2, 0,		/* 0x50 */
629 		{{4, 4},
630 		{6, 6},
631 		{0, 0},
632 		{0, 0}
633 		}
634 	},
635 	{1, 0, 3, 0,		/* 0x51 */
636 		{{0, 0},
637 		{4, 4},
638 		{6, 6},
639 		{0, 0}
640 		}
641 	},
642 	{0, 0, 3, 0,		/* 0x52 */
643 		{{1, 1},
644 		{4, 4},
645 		{6, 6},
646 		{0, 0}
647 		}
648 	},
649 	{1, 0, 3, 0,		/* 0x53 */
650 		{{0, 1},
651 		{4, 4},
652 		{6, 6},
653 		{0, 0}
654 		}
655 	},
656 	{0, 0, 3, 0,		/* 0x54 */
657 		{{2, 2},
658 		{4, 4},
659 		{6, 6},
660 		{0, 0}
661 		}
662 	},
663 	{1, 0, 4, 0,		/* 0x55 */
664 		{{0, 0},
665 		{2, 2},
666 		{4, 4},
667 		{6, 6}
668 		}
669 	},
670 	{0, 0, 3, 0,		/* 0x56 */
671 		{{1, 2},
672 		{4, 4},
673 		{6, 6},
674 		{0, 0}
675 		}
676 	},
677 	{1, 0, 3, 0,		/* 0x57 */
678 		{{0, 2},
679 		{4, 4},
680 		{6, 6},
681 		{0, 0}
682 		}
683 	},
684 	{0, 0, 2, 0,		/* 0x58 */
685 		{{3, 4},
686 		{6, 6},
687 		{0, 0},
688 		{0, 0}
689 		}
690 	},
691 	{1, 0, 3, 0,		/* 0x59 */
692 		{{0, 0},
693 		{3, 4},
694 		{6, 6},
695 		{0, 0}
696 		}
697 	},
698 	{0, 0, 3, 0,		/* 0x5a */
699 		{{1, 1},
700 		{3, 4},
701 		{6, 6},
702 		{0, 0}
703 		}
704 	},
705 	{1, 0, 3, 0,		/* 0x5b */
706 		{{0, 1},
707 		{3, 4},
708 		{6, 6},
709 		{0, 0}
710 		}
711 	},
712 	{0, 0, 2, 0,		/* 0x5c */
713 		{{2, 4},
714 		{6, 6},
715 		{0, 0},
716 		{0, 0}
717 		}
718 	},
719 	{1, 0, 3, 0,		/* 0x5d */
720 		{{0, 0},
721 		{2, 4},
722 		{6, 6},
723 		{0, 0}
724 		}
725 	},
726 	{0, 0, 2, 0,		/* 0x5e */
727 		{{1, 4},
728 		{6, 6},
729 		{0, 0},
730 		{0, 0}
731 		}
732 	},
733 	{1, 0, 2, 0,		/* 0x5f */
734 		{{0, 4},
735 		{6, 6},
736 		{0, 0},
737 		{0, 0}
738 		}
739 	},
740 	{0, 0, 1, 0,		/* 0x60 */
741 		{{5, 6},
742 		{0, 0},
743 		{0, 0},
744 		{0, 0}
745 		}
746 	},
747 	{1, 0, 2, 0,		/* 0x61 */
748 		{{0, 0},
749 		{5, 6},
750 		{0, 0},
751 		{0, 0}
752 		}
753 	},
754 	{0, 0, 2, 0,		/* 0x62 */
755 		{{1, 1},
756 		{5, 6},
757 		{0, 0},
758 		{0, 0}
759 		}
760 	},
761 	{1, 0, 2, 0,		/* 0x63 */
762 		{{0, 1},
763 		{5, 6},
764 		{0, 0},
765 		{0, 0}
766 		}
767 	},
768 	{0, 0, 2, 0,		/* 0x64 */
769 		{{2, 2},
770 		{5, 6},
771 		{0, 0},
772 		{0, 0}
773 		}
774 	},
775 	{1, 0, 3, 0,		/* 0x65 */
776 		{{0, 0},
777 		{2, 2},
778 		{5, 6},
779 		{0, 0}
780 		}
781 	},
782 	{0, 0, 2, 0,		/* 0x66 */
783 		{{1, 2},
784 		{5, 6},
785 		{0, 0},
786 		{0, 0}
787 		}
788 	},
789 	{1, 0, 2, 0,		/* 0x67 */
790 		{{0, 2},
791 		{5, 6},
792 		{0, 0},
793 		{0, 0}
794 		}
795 	},
796 	{0, 0, 2, 0,		/* 0x68 */
797 		{{3, 3},
798 		{5, 6},
799 		{0, 0},
800 		{0, 0}
801 		}
802 	},
803 	{1, 0, 3, 0,		/* 0x69 */
804 		{{0, 0},
805 		{3, 3},
806 		{5, 6},
807 		{0, 0}
808 		}
809 	},
810 	{0, 0, 3, 0,		/* 0x6a */
811 		{{1, 1},
812 		{3, 3},
813 		{5, 6},
814 		{0, 0}
815 		}
816 	},
817 	{1, 0, 3, 0,		/* 0x6b */
818 		{{0, 1},
819 		{3, 3},
820 		{5, 6},
821 		{0, 0}
822 		}
823 	},
824 	{0, 0, 2, 0,		/* 0x6c */
825 		{{2, 3},
826 		{5, 6},
827 		{0, 0},
828 		{0, 0}
829 		}
830 	},
831 	{1, 0, 3, 0,		/* 0x6d */
832 		{{0, 0},
833 		{2, 3},
834 		{5, 6},
835 		{0, 0}
836 		}
837 	},
838 	{0, 0, 2, 0,		/* 0x6e */
839 		{{1, 3},
840 		{5, 6},
841 		{0, 0},
842 		{0, 0}
843 		}
844 	},
845 	{1, 0, 2, 0,		/* 0x6f */
846 		{{0, 3},
847 		{5, 6},
848 		{0, 0},
849 		{0, 0}
850 		}
851 	},
852 	{0, 0, 1, 0,		/* 0x70 */
853 		{{4, 6},
854 		{0, 0},
855 		{0, 0},
856 		{0, 0}
857 		}
858 	},
859 	{1, 0, 2, 0,		/* 0x71 */
860 		{{0, 0},
861 		{4, 6},
862 		{0, 0},
863 		{0, 0}
864 		}
865 	},
866 	{0, 0, 2, 0,		/* 0x72 */
867 		{{1, 1},
868 		{4, 6},
869 		{0, 0},
870 		{0, 0}
871 		}
872 	},
873 	{1, 0, 2, 0,		/* 0x73 */
874 		{{0, 1},
875 		{4, 6},
876 		{0, 0},
877 		{0, 0}
878 		}
879 	},
880 	{0, 0, 2, 0,		/* 0x74 */
881 		{{2, 2},
882 		{4, 6},
883 		{0, 0},
884 		{0, 0}
885 		}
886 	},
887 	{1, 0, 3, 0,		/* 0x75 */
888 		{{0, 0},
889 		{2, 2},
890 		{4, 6},
891 		{0, 0}
892 		}
893 	},
894 	{0, 0, 2, 0,		/* 0x76 */
895 		{{1, 2},
896 		{4, 6},
897 		{0, 0},
898 		{0, 0}
899 		}
900 	},
901 	{1, 0, 2, 0,		/* 0x77 */
902 		{{0, 2},
903 		{4, 6},
904 		{0, 0},
905 		{0, 0}
906 		}
907 	},
908 	{0, 0, 1, 0,		/* 0x78 */
909 		{{3, 6},
910 		{0, 0},
911 		{0, 0},
912 		{0, 0}
913 		}
914 	},
915 	{1, 0, 2, 0,		/* 0x79 */
916 		{{0, 0},
917 		{3, 6},
918 		{0, 0},
919 		{0, 0}
920 		}
921 	},
922 	{0, 0, 2, 0,		/* 0x7a */
923 		{{1, 1},
924 		{3, 6},
925 		{0, 0},
926 		{0, 0}
927 		}
928 	},
929 	{1, 0, 2, 0,		/* 0x7b */
930 		{{0, 1},
931 		{3, 6},
932 		{0, 0},
933 		{0, 0}
934 		}
935 	},
936 	{0, 0, 1, 0,		/* 0x7c */
937 		{{2, 6},
938 		{0, 0},
939 		{0, 0},
940 		{0, 0}
941 		}
942 	},
943 	{1, 0, 2, 0,		/* 0x7d */
944 		{{0, 0},
945 		{2, 6},
946 		{0, 0},
947 		{0, 0}
948 		}
949 	},
950 	{0, 0, 1, 0,		/* 0x7e */
951 		{{1, 6},
952 		{0, 0},
953 		{0, 0},
954 		{0, 0}
955 		}
956 	},
957 	{1, 0, 1, 0,		/* 0x7f */
958 		{{0, 6},
959 		{0, 0},
960 		{0, 0},
961 		{0, 0}
962 		}
963 	},
964 	{0, 1, 1, 0,		/* 0x80 */
965 		{{7, 7},
966 		{0, 0},
967 		{0, 0},
968 		{0, 0}
969 		}
970 	},
971 	{1, 1, 2, 0,		/* 0x81 */
972 		{{0, 0},
973 		{7, 7},
974 		{0, 0},
975 		{0, 0}
976 		}
977 	},
978 	{0, 1, 2, 0,		/* 0x82 */
979 		{{1, 1},
980 		{7, 7},
981 		{0, 0},
982 		{0, 0}
983 		}
984 	},
985 	{1, 1, 2, 0,		/* 0x83 */
986 		{{0, 1},
987 		{7, 7},
988 		{0, 0},
989 		{0, 0}
990 		}
991 	},
992 	{0, 1, 2, 0,		/* 0x84 */
993 		{{2, 2},
994 		{7, 7},
995 		{0, 0},
996 		{0, 0}
997 		}
998 	},
999 	{1, 1, 3, 0,		/* 0x85 */
1000 		{{0, 0},
1001 		{2, 2},
1002 		{7, 7},
1003 		{0, 0}
1004 		}
1005 	},
1006 	{0, 1, 2, 0,		/* 0x86 */
1007 		{{1, 2},
1008 		{7, 7},
1009 		{0, 0},
1010 		{0, 0}
1011 		}
1012 	},
1013 	{1, 1, 2, 0,		/* 0x87 */
1014 		{{0, 2},
1015 		{7, 7},
1016 		{0, 0},
1017 		{0, 0}
1018 		}
1019 	},
1020 	{0, 1, 2, 0,		/* 0x88 */
1021 		{{3, 3},
1022 		{7, 7},
1023 		{0, 0},
1024 		{0, 0}
1025 		}
1026 	},
1027 	{1, 1, 3, 0,		/* 0x89 */
1028 		{{0, 0},
1029 		{3, 3},
1030 		{7, 7},
1031 		{0, 0}
1032 		}
1033 	},
1034 	{0, 1, 3, 0,		/* 0x8a */
1035 		{{1, 1},
1036 		{3, 3},
1037 		{7, 7},
1038 		{0, 0}
1039 		}
1040 	},
1041 	{1, 1, 3, 0,		/* 0x8b */
1042 		{{0, 1},
1043 		{3, 3},
1044 		{7, 7},
1045 		{0, 0}
1046 		}
1047 	},
1048 	{0, 1, 2, 0,		/* 0x8c */
1049 		{{2, 3},
1050 		{7, 7},
1051 		{0, 0},
1052 		{0, 0}
1053 		}
1054 	},
1055 	{1, 1, 3, 0,		/* 0x8d */
1056 		{{0, 0},
1057 		{2, 3},
1058 		{7, 7},
1059 		{0, 0}
1060 		}
1061 	},
1062 	{0, 1, 2, 0,		/* 0x8e */
1063 		{{1, 3},
1064 		{7, 7},
1065 		{0, 0},
1066 		{0, 0}
1067 		}
1068 	},
1069 	{1, 1, 2, 0,		/* 0x8f */
1070 		{{0, 3},
1071 		{7, 7},
1072 		{0, 0},
1073 		{0, 0}
1074 		}
1075 	},
1076 	{0, 1, 2, 0,		/* 0x90 */
1077 		{{4, 4},
1078 		{7, 7},
1079 		{0, 0},
1080 		{0, 0}
1081 		}
1082 	},
1083 	{1, 1, 3, 0,		/* 0x91 */
1084 		{{0, 0},
1085 		{4, 4},
1086 		{7, 7},
1087 		{0, 0}
1088 		}
1089 	},
1090 	{0, 1, 3, 0,		/* 0x92 */
1091 		{{1, 1},
1092 		{4, 4},
1093 		{7, 7},
1094 		{0, 0}
1095 		}
1096 	},
1097 	{1, 1, 3, 0,		/* 0x93 */
1098 		{{0, 1},
1099 		{4, 4},
1100 		{7, 7},
1101 		{0, 0}
1102 		}
1103 	},
1104 	{0, 1, 3, 0,		/* 0x94 */
1105 		{{2, 2},
1106 		{4, 4},
1107 		{7, 7},
1108 		{0, 0}
1109 		}
1110 	},
1111 	{1, 1, 4, 0,		/* 0x95 */
1112 		{{0, 0},
1113 		{2, 2},
1114 		{4, 4},
1115 		{7, 7}
1116 		}
1117 	},
1118 	{0, 1, 3, 0,		/* 0x96 */
1119 		{{1, 2},
1120 		{4, 4},
1121 		{7, 7},
1122 		{0, 0}
1123 		}
1124 	},
1125 	{1, 1, 3, 0,		/* 0x97 */
1126 		{{0, 2},
1127 		{4, 4},
1128 		{7, 7},
1129 		{0, 0}
1130 		}
1131 	},
1132 	{0, 1, 2, 0,		/* 0x98 */
1133 		{{3, 4},
1134 		{7, 7},
1135 		{0, 0},
1136 		{0, 0}
1137 		}
1138 	},
1139 	{1, 1, 3, 0,		/* 0x99 */
1140 		{{0, 0},
1141 		{3, 4},
1142 		{7, 7},
1143 		{0, 0}
1144 		}
1145 	},
1146 	{0, 1, 3, 0,		/* 0x9a */
1147 		{{1, 1},
1148 		{3, 4},
1149 		{7, 7},
1150 		{0, 0}
1151 		}
1152 	},
1153 	{1, 1, 3, 0,		/* 0x9b */
1154 		{{0, 1},
1155 		{3, 4},
1156 		{7, 7},
1157 		{0, 0}
1158 		}
1159 	},
1160 	{0, 1, 2, 0,		/* 0x9c */
1161 		{{2, 4},
1162 		{7, 7},
1163 		{0, 0},
1164 		{0, 0}
1165 		}
1166 	},
1167 	{1, 1, 3, 0,		/* 0x9d */
1168 		{{0, 0},
1169 		{2, 4},
1170 		{7, 7},
1171 		{0, 0}
1172 		}
1173 	},
1174 	{0, 1, 2, 0,		/* 0x9e */
1175 		{{1, 4},
1176 		{7, 7},
1177 		{0, 0},
1178 		{0, 0}
1179 		}
1180 	},
1181 	{1, 1, 2, 0,		/* 0x9f */
1182 		{{0, 4},
1183 		{7, 7},
1184 		{0, 0},
1185 		{0, 0}
1186 		}
1187 	},
1188 	{0, 1, 2, 0,		/* 0xa0 */
1189 		{{5, 5},
1190 		{7, 7},
1191 		{0, 0},
1192 		{0, 0}
1193 		}
1194 	},
1195 	{1, 1, 3, 0,		/* 0xa1 */
1196 		{{0, 0},
1197 		{5, 5},
1198 		{7, 7},
1199 		{0, 0}
1200 		}
1201 	},
1202 	{0, 1, 3, 0,		/* 0xa2 */
1203 		{{1, 1},
1204 		{5, 5},
1205 		{7, 7},
1206 		{0, 0}
1207 		}
1208 	},
1209 	{1, 1, 3, 0,		/* 0xa3 */
1210 		{{0, 1},
1211 		{5, 5},
1212 		{7, 7},
1213 		{0, 0}
1214 		}
1215 	},
1216 	{0, 1, 3, 0,		/* 0xa4 */
1217 		{{2, 2},
1218 		{5, 5},
1219 		{7, 7},
1220 		{0, 0}
1221 		}
1222 	},
1223 	{1, 1, 4, 0,		/* 0xa5 */
1224 		{{0, 0},
1225 		{2, 2},
1226 		{5, 5},
1227 		{7, 7}
1228 		}
1229 	},
1230 	{0, 1, 3, 0,		/* 0xa6 */
1231 		{{1, 2},
1232 		{5, 5},
1233 		{7, 7},
1234 		{0, 0}
1235 		}
1236 	},
1237 	{1, 1, 3, 0,		/* 0xa7 */
1238 		{{0, 2},
1239 		{5, 5},
1240 		{7, 7},
1241 		{0, 0}
1242 		}
1243 	},
1244 	{0, 1, 3, 0,		/* 0xa8 */
1245 		{{3, 3},
1246 		{5, 5},
1247 		{7, 7},
1248 		{0, 0}
1249 		}
1250 	},
1251 	{1, 1, 4, 0,		/* 0xa9 */
1252 		{{0, 0},
1253 		{3, 3},
1254 		{5, 5},
1255 		{7, 7}
1256 		}
1257 	},
1258 	{0, 1, 4, 0,		/* 0xaa */
1259 		{{1, 1},
1260 		{3, 3},
1261 		{5, 5},
1262 		{7, 7}
1263 		}
1264 	},
1265 	{1, 1, 4, 0,		/* 0xab */
1266 		{{0, 1},
1267 		{3, 3},
1268 		{5, 5},
1269 		{7, 7}
1270 		}
1271 	},
1272 	{0, 1, 3, 0,		/* 0xac */
1273 		{{2, 3},
1274 		{5, 5},
1275 		{7, 7},
1276 		{0, 0}
1277 		}
1278 	},
1279 	{1, 1, 4, 0,		/* 0xad */
1280 		{{0, 0},
1281 		{2, 3},
1282 		{5, 5},
1283 		{7, 7}
1284 		}
1285 	},
1286 	{0, 1, 3, 0,		/* 0xae */
1287 		{{1, 3},
1288 		{5, 5},
1289 		{7, 7},
1290 		{0, 0}
1291 		}
1292 	},
1293 	{1, 1, 3, 0,		/* 0xaf */
1294 		{{0, 3},
1295 		{5, 5},
1296 		{7, 7},
1297 		{0, 0}
1298 		}
1299 	},
1300 	{0, 1, 2, 0,		/* 0xb0 */
1301 		{{4, 5},
1302 		{7, 7},
1303 		{0, 0},
1304 		{0, 0}
1305 		}
1306 	},
1307 	{1, 1, 3, 0,		/* 0xb1 */
1308 		{{0, 0},
1309 		{4, 5},
1310 		{7, 7},
1311 		{0, 0}
1312 		}
1313 	},
1314 	{0, 1, 3, 0,		/* 0xb2 */
1315 		{{1, 1},
1316 		{4, 5},
1317 		{7, 7},
1318 		{0, 0}
1319 		}
1320 	},
1321 	{1, 1, 3, 0,		/* 0xb3 */
1322 		{{0, 1},
1323 		{4, 5},
1324 		{7, 7},
1325 		{0, 0}
1326 		}
1327 	},
1328 	{0, 1, 3, 0,		/* 0xb4 */
1329 		{{2, 2},
1330 		{4, 5},
1331 		{7, 7},
1332 		{0, 0}
1333 		}
1334 	},
1335 	{1, 1, 4, 0,		/* 0xb5 */
1336 		{{0, 0},
1337 		{2, 2},
1338 		{4, 5},
1339 		{7, 7}
1340 		}
1341 	},
1342 	{0, 1, 3, 0,		/* 0xb6 */
1343 		{{1, 2},
1344 		{4, 5},
1345 		{7, 7},
1346 		{0, 0}
1347 		}
1348 	},
1349 	{1, 1, 3, 0,		/* 0xb7 */
1350 		{{0, 2},
1351 		{4, 5},
1352 		{7, 7},
1353 		{0, 0}
1354 		}
1355 	},
1356 	{0, 1, 2, 0,		/* 0xb8 */
1357 		{{3, 5},
1358 		{7, 7},
1359 		{0, 0},
1360 		{0, 0}
1361 		}
1362 	},
1363 	{1, 1, 3, 0,		/* 0xb9 */
1364 		{{0, 0},
1365 		{3, 5},
1366 		{7, 7},
1367 		{0, 0}
1368 		}
1369 	},
1370 	{0, 1, 3, 0,		/* 0xba */
1371 		{{1, 1},
1372 		{3, 5},
1373 		{7, 7},
1374 		{0, 0}
1375 		}
1376 	},
1377 	{1, 1, 3, 0,		/* 0xbb */
1378 		{{0, 1},
1379 		{3, 5},
1380 		{7, 7},
1381 		{0, 0}
1382 		}
1383 	},
1384 	{0, 1, 2, 0,		/* 0xbc */
1385 		{{2, 5},
1386 		{7, 7},
1387 		{0, 0},
1388 		{0, 0}
1389 		}
1390 	},
1391 	{1, 1, 3, 0,		/* 0xbd */
1392 		{{0, 0},
1393 		{2, 5},
1394 		{7, 7},
1395 		{0, 0}
1396 		}
1397 	},
1398 	{0, 1, 2, 0,		/* 0xbe */
1399 		{{1, 5},
1400 		{7, 7},
1401 		{0, 0},
1402 		{0, 0}
1403 		}
1404 	},
1405 	{1, 1, 2, 0,		/* 0xbf */
1406 		{{0, 5},
1407 		{7, 7},
1408 		{0, 0},
1409 		{0, 0}
1410 		}
1411 	},
1412 	{0, 1, 1, 0,		/* 0xc0 */
1413 		{{6, 7},
1414 		{0, 0},
1415 		{0, 0},
1416 		{0, 0}
1417 		}
1418 	},
1419 	{1, 1, 2, 0,		/* 0xc1 */
1420 		{{0, 0},
1421 		{6, 7},
1422 		{0, 0},
1423 		{0, 0}
1424 		}
1425 	},
1426 	{0, 1, 2, 0,		/* 0xc2 */
1427 		{{1, 1},
1428 		{6, 7},
1429 		{0, 0},
1430 		{0, 0}
1431 		}
1432 	},
1433 	{1, 1, 2, 0,		/* 0xc3 */
1434 		{{0, 1},
1435 		{6, 7},
1436 		{0, 0},
1437 		{0, 0}
1438 		}
1439 	},
1440 	{0, 1, 2, 0,		/* 0xc4 */
1441 		{{2, 2},
1442 		{6, 7},
1443 		{0, 0},
1444 		{0, 0}
1445 		}
1446 	},
1447 	{1, 1, 3, 0,		/* 0xc5 */
1448 		{{0, 0},
1449 		{2, 2},
1450 		{6, 7},
1451 		{0, 0}
1452 		}
1453 	},
1454 	{0, 1, 2, 0,		/* 0xc6 */
1455 		{{1, 2},
1456 		{6, 7},
1457 		{0, 0},
1458 		{0, 0}
1459 		}
1460 	},
1461 	{1, 1, 2, 0,		/* 0xc7 */
1462 		{{0, 2},
1463 		{6, 7},
1464 		{0, 0},
1465 		{0, 0}
1466 		}
1467 	},
1468 	{0, 1, 2, 0,		/* 0xc8 */
1469 		{{3, 3},
1470 		{6, 7},
1471 		{0, 0},
1472 		{0, 0}
1473 		}
1474 	},
1475 	{1, 1, 3, 0,		/* 0xc9 */
1476 		{{0, 0},
1477 		{3, 3},
1478 		{6, 7},
1479 		{0, 0}
1480 		}
1481 	},
1482 	{0, 1, 3, 0,		/* 0xca */
1483 		{{1, 1},
1484 		{3, 3},
1485 		{6, 7},
1486 		{0, 0}
1487 		}
1488 	},
1489 	{1, 1, 3, 0,		/* 0xcb */
1490 		{{0, 1},
1491 		{3, 3},
1492 		{6, 7},
1493 		{0, 0}
1494 		}
1495 	},
1496 	{0, 1, 2, 0,		/* 0xcc */
1497 		{{2, 3},
1498 		{6, 7},
1499 		{0, 0},
1500 		{0, 0}
1501 		}
1502 	},
1503 	{1, 1, 3, 0,		/* 0xcd */
1504 		{{0, 0},
1505 		{2, 3},
1506 		{6, 7},
1507 		{0, 0}
1508 		}
1509 	},
1510 	{0, 1, 2, 0,		/* 0xce */
1511 		{{1, 3},
1512 		{6, 7},
1513 		{0, 0},
1514 		{0, 0}
1515 		}
1516 	},
1517 	{1, 1, 2, 0,		/* 0xcf */
1518 		{{0, 3},
1519 		{6, 7},
1520 		{0, 0},
1521 		{0, 0}
1522 		}
1523 	},
1524 	{0, 1, 2, 0,		/* 0xd0 */
1525 		{{4, 4},
1526 		{6, 7},
1527 		{0, 0},
1528 		{0, 0}
1529 		}
1530 	},
1531 	{1, 1, 3, 0,		/* 0xd1 */
1532 		{{0, 0},
1533 		{4, 4},
1534 		{6, 7},
1535 		{0, 0}
1536 		}
1537 	},
1538 	{0, 1, 3, 0,		/* 0xd2 */
1539 		{{1, 1},
1540 		{4, 4},
1541 		{6, 7},
1542 		{0, 0}
1543 		}
1544 	},
1545 	{1, 1, 3, 0,		/* 0xd3 */
1546 		{{0, 1},
1547 		{4, 4},
1548 		{6, 7},
1549 		{0, 0}
1550 		}
1551 	},
1552 	{0, 1, 3, 0,		/* 0xd4 */
1553 		{{2, 2},
1554 		{4, 4},
1555 		{6, 7},
1556 		{0, 0}
1557 		}
1558 	},
1559 	{1, 1, 4, 0,		/* 0xd5 */
1560 		{{0, 0},
1561 		{2, 2},
1562 		{4, 4},
1563 		{6, 7}
1564 		}
1565 	},
1566 	{0, 1, 3, 0,		/* 0xd6 */
1567 		{{1, 2},
1568 		{4, 4},
1569 		{6, 7},
1570 		{0, 0}
1571 		}
1572 	},
1573 	{1, 1, 3, 0,		/* 0xd7 */
1574 		{{0, 2},
1575 		{4, 4},
1576 		{6, 7},
1577 		{0, 0}
1578 		}
1579 	},
1580 	{0, 1, 2, 0,		/* 0xd8 */
1581 		{{3, 4},
1582 		{6, 7},
1583 		{0, 0},
1584 		{0, 0}
1585 		}
1586 	},
1587 	{1, 1, 3, 0,		/* 0xd9 */
1588 		{{0, 0},
1589 		{3, 4},
1590 		{6, 7},
1591 		{0, 0}
1592 		}
1593 	},
1594 	{0, 1, 3, 0,		/* 0xda */
1595 		{{1, 1},
1596 		{3, 4},
1597 		{6, 7},
1598 		{0, 0}
1599 		}
1600 	},
1601 	{1, 1, 3, 0,		/* 0xdb */
1602 		{{0, 1},
1603 		{3, 4},
1604 		{6, 7},
1605 		{0, 0}
1606 		}
1607 	},
1608 	{0, 1, 2, 0,		/* 0xdc */
1609 		{{2, 4},
1610 		{6, 7},
1611 		{0, 0},
1612 		{0, 0}
1613 		}
1614 	},
1615 	{1, 1, 3, 0,		/* 0xdd */
1616 		{{0, 0},
1617 		{2, 4},
1618 		{6, 7},
1619 		{0, 0}
1620 		}
1621 	},
1622 	{0, 1, 2, 0,		/* 0xde */
1623 		{{1, 4},
1624 		{6, 7},
1625 		{0, 0},
1626 		{0, 0}
1627 		}
1628 	},
1629 	{1, 1, 2, 0,		/* 0xdf */
1630 		{{0, 4},
1631 		{6, 7},
1632 		{0, 0},
1633 		{0, 0}
1634 		}
1635 	},
1636 	{0, 1, 1, 0,		/* 0xe0 */
1637 		{{5, 7},
1638 		{0, 0},
1639 		{0, 0},
1640 		{0, 0}
1641 		}
1642 	},
1643 	{1, 1, 2, 0,		/* 0xe1 */
1644 		{{0, 0},
1645 		{5, 7},
1646 		{0, 0},
1647 		{0, 0}
1648 		}
1649 	},
1650 	{0, 1, 2, 0,		/* 0xe2 */
1651 		{{1, 1},
1652 		{5, 7},
1653 		{0, 0},
1654 		{0, 0}
1655 		}
1656 	},
1657 	{1, 1, 2, 0,		/* 0xe3 */
1658 		{{0, 1},
1659 		{5, 7},
1660 		{0, 0},
1661 		{0, 0}
1662 		}
1663 	},
1664 	{0, 1, 2, 0,		/* 0xe4 */
1665 		{{2, 2},
1666 		{5, 7},
1667 		{0, 0},
1668 		{0, 0}
1669 		}
1670 	},
1671 	{1, 1, 3, 0,		/* 0xe5 */
1672 		{{0, 0},
1673 		{2, 2},
1674 		{5, 7},
1675 		{0, 0}
1676 		}
1677 	},
1678 	{0, 1, 2, 0,		/* 0xe6 */
1679 		{{1, 2},
1680 		{5, 7},
1681 		{0, 0},
1682 		{0, 0}
1683 		}
1684 	},
1685 	{1, 1, 2, 0,		/* 0xe7 */
1686 		{{0, 2},
1687 		{5, 7},
1688 		{0, 0},
1689 		{0, 0}
1690 		}
1691 	},
1692 	{0, 1, 2, 0,		/* 0xe8 */
1693 		{{3, 3},
1694 		{5, 7},
1695 		{0, 0},
1696 		{0, 0}
1697 		}
1698 	},
1699 	{1, 1, 3, 0,		/* 0xe9 */
1700 		{{0, 0},
1701 		{3, 3},
1702 		{5, 7},
1703 		{0, 0}
1704 		}
1705 	},
1706 	{0, 1, 3, 0,		/* 0xea */
1707 		{{1, 1},
1708 		{3, 3},
1709 		{5, 7},
1710 		{0, 0}
1711 		}
1712 	},
1713 	{1, 1, 3, 0,		/* 0xeb */
1714 		{{0, 1},
1715 		{3, 3},
1716 		{5, 7},
1717 		{0, 0}
1718 		}
1719 	},
1720 	{0, 1, 2, 0,		/* 0xec */
1721 		{{2, 3},
1722 		{5, 7},
1723 		{0, 0},
1724 		{0, 0}
1725 		}
1726 	},
1727 	{1, 1, 3, 0,		/* 0xed */
1728 		{{0, 0},
1729 		{2, 3},
1730 		{5, 7},
1731 		{0, 0}
1732 		}
1733 	},
1734 	{0, 1, 2, 0,		/* 0xee */
1735 		{{1, 3},
1736 		{5, 7},
1737 		{0, 0},
1738 		{0, 0}
1739 		}
1740 	},
1741 	{1, 1, 2, 0,		/* 0xef */
1742 		{{0, 3},
1743 		{5, 7},
1744 		{0, 0},
1745 		{0, 0}
1746 		}
1747 	},
1748 	{0, 1, 1, 0,		/* 0xf0 */
1749 		{{4, 7},
1750 		{0, 0},
1751 		{0, 0},
1752 		{0, 0}
1753 		}
1754 	},
1755 	{1, 1, 2, 0,		/* 0xf1 */
1756 		{{0, 0},
1757 		{4, 7},
1758 		{0, 0},
1759 		{0, 0}
1760 		}
1761 	},
1762 	{0, 1, 2, 0,		/* 0xf2 */
1763 		{{1, 1},
1764 		{4, 7},
1765 		{0, 0},
1766 		{0, 0}
1767 		}
1768 	},
1769 	{1, 1, 2, 0,		/* 0xf3 */
1770 		{{0, 1},
1771 		{4, 7},
1772 		{0, 0},
1773 		{0, 0}
1774 		}
1775 	},
1776 	{0, 1, 2, 0,		/* 0xf4 */
1777 		{{2, 2},
1778 		{4, 7},
1779 		{0, 0},
1780 		{0, 0}
1781 		}
1782 	},
1783 	{1, 1, 3, 0,		/* 0xf5 */
1784 		{{0, 0},
1785 		{2, 2},
1786 		{4, 7},
1787 		{0, 0}
1788 		}
1789 	},
1790 	{0, 1, 2, 0,		/* 0xf6 */
1791 		{{1, 2},
1792 		{4, 7},
1793 		{0, 0},
1794 		{0, 0}
1795 		}
1796 	},
1797 	{1, 1, 2, 0,		/* 0xf7 */
1798 		{{0, 2},
1799 		{4, 7},
1800 		{0, 0},
1801 		{0, 0}
1802 		}
1803 	},
1804 	{0, 1, 1, 0,		/* 0xf8 */
1805 		{{3, 7},
1806 		{0, 0},
1807 		{0, 0},
1808 		{0, 0}
1809 		}
1810 	},
1811 	{1, 1, 2, 0,		/* 0xf9 */
1812 		{{0, 0},
1813 		{3, 7},
1814 		{0, 0},
1815 		{0, 0}
1816 		}
1817 	},
1818 	{0, 1, 2, 0,		/* 0xfa */
1819 		{{1, 1},
1820 		{3, 7},
1821 		{0, 0},
1822 		{0, 0}
1823 		}
1824 	},
1825 	{1, 1, 2, 0,		/* 0xfb */
1826 		{{0, 1},
1827 		{3, 7},
1828 		{0, 0},
1829 		{0, 0}
1830 		}
1831 	},
1832 	{0, 1, 1, 0,		/* 0xfc */
1833 		{{2, 7},
1834 		{0, 0},
1835 		{0, 0},
1836 		{0, 0}
1837 		}
1838 	},
1839 	{1, 1, 2, 0,		/* 0xfd */
1840 		{{0, 0},
1841 		{2, 7},
1842 		{0, 0},
1843 		{0, 0}
1844 		}
1845 	},
1846 	{0, 1, 1, 0,		/* 0xfe */
1847 		{{1, 7},
1848 		{0, 0},
1849 		{0, 0},
1850 		{0, 0}
1851 		}
1852 	},
1853 	{1, 1, 1, 0,		/* 0xff */
1854 		{{0, 7},
1855 		{0, 0},
1856 		{0, 0},
1857 		{0, 0}
1858 		}
1859 	}
1860 };
1861 
1862 
1863 int
1864 sctp_is_address_in_scope(struct sctp_ifa *ifa,
1865     int ipv4_addr_legal,
1866     int ipv6_addr_legal,
1867     int loopback_scope,
1868     int ipv4_local_scope,
1869     int local_scope,
1870     int site_scope,
1871     int do_update)
1872 {
1873 	if ((loopback_scope == 0) &&
1874 	    (ifa->ifn_p) && SCTP_IFN_IS_IFT_LOOP(ifa->ifn_p)) {
1875 		/*
1876 		 * skip loopback if not in scope *
1877 		 */
1878 		return (0);
1879 	}
1880 	switch (ifa->address.sa.sa_family) {
1881 	case AF_INET:
1882 		if (ipv4_addr_legal) {
1883 			struct sockaddr_in *sin;
1884 
1885 			sin = (struct sockaddr_in *)&ifa->address.sin;
1886 			if (sin->sin_addr.s_addr == 0) {
1887 				/* not in scope , unspecified */
1888 				return (0);
1889 			}
1890 			if ((ipv4_local_scope == 0) &&
1891 			    (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr))) {
1892 				/* private address not in scope */
1893 				return (0);
1894 			}
1895 		} else {
1896 			return (0);
1897 		}
1898 		break;
1899 #ifdef INET6
1900 	case AF_INET6:
1901 		if (ipv6_addr_legal) {
1902 			struct sockaddr_in6 *sin6;
1903 
1904 			/*
1905 			 * Must update the flags,  bummer, which means any
1906 			 * IFA locks must now be applied HERE <->
1907 			 */
1908 			if (do_update) {
1909 				sctp_gather_internal_ifa_flags(ifa);
1910 			}
1911 			if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
1912 				return (0);
1913 			}
1914 			/* ok to use deprecated addresses? */
1915 			sin6 = (struct sockaddr_in6 *)&ifa->address.sin6;
1916 			if (IN6_IS_ADDR_UNSPECIFIED(&sin6->sin6_addr)) {
1917 				/* skip unspecifed addresses */
1918 				return (0);
1919 			}
1920 			if (	/* (local_scope == 0) && */
1921 			    (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))) {
1922 				return (0);
1923 			}
1924 			if ((site_scope == 0) &&
1925 			    (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr))) {
1926 				return (0);
1927 			}
1928 		} else {
1929 			return (0);
1930 		}
1931 		break;
1932 #endif
1933 	default:
1934 		return (0);
1935 	}
1936 	return (1);
1937 }
1938 
1939 static struct mbuf *
1940 sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa)
1941 {
1942 	struct sctp_paramhdr *parmh;
1943 	struct mbuf *mret;
1944 	int len;
1945 
1946 	if (ifa->address.sa.sa_family == AF_INET) {
1947 		len = sizeof(struct sctp_ipv4addr_param);
1948 	} else if (ifa->address.sa.sa_family == AF_INET6) {
1949 		len = sizeof(struct sctp_ipv6addr_param);
1950 	} else {
1951 		/* unknown type */
1952 		return (m);
1953 	}
1954 	if (M_TRAILINGSPACE(m) >= len) {
1955 		/* easy side we just drop it on the end */
1956 		parmh = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m)));
1957 		mret = m;
1958 	} else {
1959 		/* Need more space */
1960 		mret = m;
1961 		while (SCTP_BUF_NEXT(mret) != NULL) {
1962 			mret = SCTP_BUF_NEXT(mret);
1963 		}
1964 		SCTP_BUF_NEXT(mret) = sctp_get_mbuf_for_msg(len, 0, M_DONTWAIT, 1, MT_DATA);
1965 		if (SCTP_BUF_NEXT(mret) == NULL) {
1966 			/* We are hosed, can't add more addresses */
1967 			return (m);
1968 		}
1969 		mret = SCTP_BUF_NEXT(mret);
1970 		parmh = mtod(mret, struct sctp_paramhdr *);
1971 	}
1972 	/* now add the parameter */
1973 	switch (ifa->address.sa.sa_family) {
1974 	case AF_INET:
1975 		{
1976 			struct sctp_ipv4addr_param *ipv4p;
1977 			struct sockaddr_in *sin;
1978 
1979 			sin = (struct sockaddr_in *)&ifa->address.sin;
1980 			ipv4p = (struct sctp_ipv4addr_param *)parmh;
1981 			parmh->param_type = htons(SCTP_IPV4_ADDRESS);
1982 			parmh->param_length = htons(len);
1983 			ipv4p->addr = sin->sin_addr.s_addr;
1984 			SCTP_BUF_LEN(mret) += len;
1985 			break;
1986 		}
1987 #ifdef INET6
1988 	case AF_INET6:
1989 		{
1990 			struct sctp_ipv6addr_param *ipv6p;
1991 			struct sockaddr_in6 *sin6;
1992 
1993 			sin6 = (struct sockaddr_in6 *)&ifa->address.sin6;
1994 			ipv6p = (struct sctp_ipv6addr_param *)parmh;
1995 			parmh->param_type = htons(SCTP_IPV6_ADDRESS);
1996 			parmh->param_length = htons(len);
1997 			memcpy(ipv6p->addr, &sin6->sin6_addr,
1998 			    sizeof(ipv6p->addr));
1999 			/* clear embedded scope in the address */
2000 			in6_clearscope((struct in6_addr *)ipv6p->addr);
2001 			SCTP_BUF_LEN(mret) += len;
2002 			break;
2003 		}
2004 #endif
2005 	default:
2006 		return (m);
2007 	}
2008 	return (mret);
2009 }
2010 
2011 
2012 struct mbuf *
2013 sctp_add_addresses_to_i_ia(struct sctp_inpcb *inp, struct sctp_scoping *scope,
2014     struct mbuf *m_at, int cnt_inits_to)
2015 {
2016 	struct sctp_vrf *vrf = NULL;
2017 	int cnt, limit_out = 0, total_count;
2018 	uint32_t vrf_id;
2019 
2020 	vrf_id = inp->def_vrf_id;
2021 	SCTP_IPI_ADDR_RLOCK();
2022 	vrf = sctp_find_vrf(vrf_id);
2023 	if (vrf == NULL) {
2024 		SCTP_IPI_ADDR_RUNLOCK();
2025 		return (m_at);
2026 	}
2027 	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
2028 		struct sctp_ifa *sctp_ifap;
2029 		struct sctp_ifn *sctp_ifnp;
2030 
2031 		cnt = cnt_inits_to;
2032 		if (vrf->total_ifa_count > SCTP_COUNT_LIMIT) {
2033 			limit_out = 1;
2034 			cnt = SCTP_ADDRESS_LIMIT;
2035 			goto skip_count;
2036 		}
2037 		LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2038 			if ((scope->loopback_scope == 0) &&
2039 			    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2040 				/*
2041 				 * Skip loopback devices if loopback_scope
2042 				 * not set
2043 				 */
2044 				continue;
2045 			}
2046 			LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2047 				if (sctp_is_address_in_scope(sctp_ifap,
2048 				    scope->ipv4_addr_legal,
2049 				    scope->ipv6_addr_legal,
2050 				    scope->loopback_scope,
2051 				    scope->ipv4_local_scope,
2052 				    scope->local_scope,
2053 				    scope->site_scope, 1) == 0) {
2054 					continue;
2055 				}
2056 				cnt++;
2057 				if (cnt > SCTP_ADDRESS_LIMIT) {
2058 					break;
2059 				}
2060 			}
2061 			if (cnt > SCTP_ADDRESS_LIMIT) {
2062 				break;
2063 			}
2064 		}
2065 skip_count:
2066 		if (cnt > 1) {
2067 			total_count = 0;
2068 			LIST_FOREACH(sctp_ifnp, &vrf->ifnlist, next_ifn) {
2069 				cnt = 0;
2070 				if ((scope->loopback_scope == 0) &&
2071 				    SCTP_IFN_IS_IFT_LOOP(sctp_ifnp)) {
2072 					/*
2073 					 * Skip loopback devices if
2074 					 * loopback_scope not set
2075 					 */
2076 					continue;
2077 				}
2078 				LIST_FOREACH(sctp_ifap, &sctp_ifnp->ifalist, next_ifa) {
2079 					if (sctp_is_address_in_scope(sctp_ifap,
2080 					    scope->ipv4_addr_legal,
2081 					    scope->ipv6_addr_legal,
2082 					    scope->loopback_scope,
2083 					    scope->ipv4_local_scope,
2084 					    scope->local_scope,
2085 					    scope->site_scope, 0) == 0) {
2086 						continue;
2087 					}
2088 					m_at = sctp_add_addr_to_mbuf(m_at, sctp_ifap);
2089 					if (limit_out) {
2090 						cnt++;
2091 						total_count++;
2092 						if (cnt >= 2) {
2093 							/*
2094 							 * two from each
2095 							 * address
2096 							 */
2097 							break;
2098 						}
2099 						if (total_count > SCTP_ADDRESS_LIMIT) {
2100 							/* No more addresses */
2101 							break;
2102 						}
2103 					}
2104 				}
2105 			}
2106 		}
2107 	} else {
2108 		struct sctp_laddr *laddr;
2109 
2110 		cnt = cnt_inits_to;
2111 		/* First, how many ? */
2112 		LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2113 			if (laddr->ifa == NULL) {
2114 				continue;
2115 			}
2116 			if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED)
2117 				/*
2118 				 * Address being deleted by the system, dont
2119 				 * list.
2120 				 */
2121 				continue;
2122 			if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2123 				/*
2124 				 * Address being deleted on this ep don't
2125 				 * list.
2126 				 */
2127 				continue;
2128 			}
2129 			if (sctp_is_address_in_scope(laddr->ifa,
2130 			    scope->ipv4_addr_legal,
2131 			    scope->ipv6_addr_legal,
2132 			    scope->loopback_scope,
2133 			    scope->ipv4_local_scope,
2134 			    scope->local_scope,
2135 			    scope->site_scope, 1) == 0) {
2136 				continue;
2137 			}
2138 			cnt++;
2139 		}
2140 		if (cnt > SCTP_ADDRESS_LIMIT) {
2141 			limit_out = 1;
2142 		}
2143 		/*
2144 		 * To get through a NAT we only list addresses if we have
2145 		 * more than one. That way if you just bind a single address
2146 		 * we let the source of the init dictate our address.
2147 		 */
2148 		if (cnt > 1) {
2149 			LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2150 				cnt = 0;
2151 				if (laddr->ifa == NULL) {
2152 					continue;
2153 				}
2154 				if (laddr->ifa->localifa_flags & SCTP_BEING_DELETED)
2155 					continue;
2156 
2157 				if (sctp_is_address_in_scope(laddr->ifa,
2158 				    scope->ipv4_addr_legal,
2159 				    scope->ipv6_addr_legal,
2160 				    scope->loopback_scope,
2161 				    scope->ipv4_local_scope,
2162 				    scope->local_scope,
2163 				    scope->site_scope, 0) == 0) {
2164 					continue;
2165 				}
2166 				m_at = sctp_add_addr_to_mbuf(m_at, laddr->ifa);
2167 				cnt++;
2168 				if (cnt >= SCTP_ADDRESS_LIMIT) {
2169 					break;
2170 				}
2171 			}
2172 		}
2173 	}
2174 	SCTP_IPI_ADDR_RUNLOCK();
2175 	return (m_at);
2176 }
2177 
2178 static struct sctp_ifa *
2179 sctp_is_ifa_addr_preferred(struct sctp_ifa *ifa,
2180     uint8_t dest_is_loop,
2181     uint8_t dest_is_priv,
2182     sa_family_t fam)
2183 {
2184 	uint8_t dest_is_global = 0;
2185 
2186 	/* dest_is_priv is true if destination is a private address */
2187 	/* dest_is_loop is true if destination is a loopback addresses */
2188 
2189 	/**
2190 	 * Here we determine if its a preferred address. A preferred address
2191 	 * means it is the same scope or higher scope then the destination.
2192 	 * L = loopback, P = private, G = global
2193 	 * -----------------------------------------
2194          *    src    |  dest | result
2195          *  ----------------------------------------
2196          *     L     |    L  |    yes
2197          *  -----------------------------------------
2198          *     P     |    L  |    yes-v4 no-v6
2199          *  -----------------------------------------
2200          *     G     |    L  |    yes-v4 no-v6
2201          *  -----------------------------------------
2202          *     L     |    P  |    no
2203          *  -----------------------------------------
2204          *     P     |    P  |    yes
2205          *  -----------------------------------------
2206          *     G     |    P  |    no
2207          *   -----------------------------------------
2208          *     L     |    G  |    no
2209          *   -----------------------------------------
2210          *     P     |    G  |    no
2211          *    -----------------------------------------
2212          *     G     |    G  |    yes
2213          *    -----------------------------------------
2214 	 */
2215 
2216 	if (ifa->address.sa.sa_family != fam) {
2217 		/* forget mis-matched family */
2218 		return (NULL);
2219 	}
2220 	if ((dest_is_priv == 0) && (dest_is_loop == 0)) {
2221 		dest_is_global = 1;
2222 	}
2223 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Is destination preferred:");
2224 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &ifa->address.sa);
2225 	/* Ok the address may be ok */
2226 	if (fam == AF_INET6) {
2227 		/* ok to use deprecated addresses? no lets not! */
2228 		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2229 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:1\n");
2230 			return (NULL);
2231 		}
2232 		if (ifa->src_is_priv && !ifa->src_is_loop) {
2233 			if (dest_is_loop) {
2234 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:2\n");
2235 				return (NULL);
2236 			}
2237 		}
2238 		if (ifa->src_is_glob) {
2239 			if (dest_is_loop) {
2240 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:3\n");
2241 				return (NULL);
2242 			}
2243 		}
2244 	}
2245 	/*
2246 	 * Now that we know what is what, implement or table this could in
2247 	 * theory be done slicker (it used to be), but this is
2248 	 * straightforward and easier to validate :-)
2249 	 */
2250 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "src_loop:%d src_priv:%d src_glob:%d\n",
2251 	    ifa->src_is_loop, ifa->src_is_priv, ifa->src_is_glob);
2252 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "dest_loop:%d dest_priv:%d dest_glob:%d\n",
2253 	    dest_is_loop, dest_is_priv, dest_is_global);
2254 
2255 	if ((ifa->src_is_loop) && (dest_is_priv)) {
2256 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:4\n");
2257 		return (NULL);
2258 	}
2259 	if ((ifa->src_is_glob) && (dest_is_priv)) {
2260 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:5\n");
2261 		return (NULL);
2262 	}
2263 	if ((ifa->src_is_loop) && (dest_is_global)) {
2264 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:6\n");
2265 		return (NULL);
2266 	}
2267 	if ((ifa->src_is_priv) && (dest_is_global)) {
2268 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "NO:7\n");
2269 		return (NULL);
2270 	}
2271 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "YES\n");
2272 	/* its a preferred address */
2273 	return (ifa);
2274 }
2275 
2276 static struct sctp_ifa *
2277 sctp_is_ifa_addr_acceptable(struct sctp_ifa *ifa,
2278     uint8_t dest_is_loop,
2279     uint8_t dest_is_priv,
2280     sa_family_t fam)
2281 {
2282 	uint8_t dest_is_global = 0;
2283 
2284 	/*
2285 	 * Here we determine if its a acceptable address. A acceptable
2286 	 * address means it is the same scope or higher scope but we can
2287 	 * allow for NAT which means its ok to have a global dest and a
2288 	 * private src.
2289 	 *
2290 	 * L = loopback, P = private, G = global
2291 	 * ----------------------------------------- src    |  dest | result
2292 	 * ----------------------------------------- L     |   L   |    yes
2293 	 * ----------------------------------------- P     |   L   |
2294 	 * yes-v4 no-v6 ----------------------------------------- G     |
2295 	 * L   |    yes ----------------------------------------- L     |
2296 	 * P   |    no ----------------------------------------- P     |   P
2297 	 * |    yes ----------------------------------------- G     |   P
2298 	 * |    yes - May not work -----------------------------------------
2299 	 * L     |   G   |    no ----------------------------------------- P
2300 	 * |   G   |    yes - May not work
2301 	 * ----------------------------------------- G     |   G   |    yes
2302 	 * -----------------------------------------
2303 	 */
2304 
2305 	if (ifa->address.sa.sa_family != fam) {
2306 		/* forget non matching family */
2307 		return (NULL);
2308 	}
2309 	/* Ok the address may be ok */
2310 	if ((dest_is_loop == 0) && (dest_is_priv == 0)) {
2311 		dest_is_global = 1;
2312 	}
2313 	if (fam == AF_INET6) {
2314 		/* ok to use deprecated addresses? */
2315 		if (ifa->localifa_flags & SCTP_ADDR_IFA_UNUSEABLE) {
2316 			return (NULL);
2317 		}
2318 		if (ifa->src_is_priv) {
2319 			/* Special case, linklocal to loop */
2320 			if (dest_is_loop)
2321 				return (NULL);
2322 		}
2323 	}
2324 	/*
2325 	 * Now that we know what is what, implement our table. This could in
2326 	 * theory be done slicker (it used to be), but this is
2327 	 * straightforward and easier to validate :-)
2328 	 */
2329 	if ((ifa->src_is_loop == 1) && (dest_is_priv)) {
2330 		return (NULL);
2331 	}
2332 	if ((ifa->src_is_loop == 1) && (dest_is_global)) {
2333 		return (NULL);
2334 	}
2335 	/* its an acceptable address */
2336 	return (ifa);
2337 }
2338 
2339 int
2340 sctp_is_addr_restricted(struct sctp_tcb *stcb, struct sctp_ifa *ifa)
2341 {
2342 	struct sctp_laddr *laddr;
2343 
2344 	if (stcb == NULL) {
2345 		/* There are no restrictions, no TCB :-) */
2346 		return (0);
2347 	}
2348 	LIST_FOREACH(laddr, &stcb->asoc.sctp_restricted_addrs, sctp_nxt_addr) {
2349 		if (laddr->ifa == NULL) {
2350 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2351 			    __FUNCTION__);
2352 			continue;
2353 		}
2354 		if (laddr->ifa == ifa) {
2355 			/* Yes it is on the list */
2356 			return (1);
2357 		}
2358 	}
2359 	return (0);
2360 }
2361 
2362 
2363 int
2364 sctp_is_addr_in_ep(struct sctp_inpcb *inp, struct sctp_ifa *ifa)
2365 {
2366 	struct sctp_laddr *laddr;
2367 
2368 	if (ifa == NULL)
2369 		return (0);
2370 	LIST_FOREACH(laddr, &inp->sctp_addr_list, sctp_nxt_addr) {
2371 		if (laddr->ifa == NULL) {
2372 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "%s: NULL ifa\n",
2373 			    __FUNCTION__);
2374 			continue;
2375 		}
2376 		if ((laddr->ifa == ifa) && laddr->action == 0)
2377 			/* same pointer */
2378 			return (1);
2379 	}
2380 	return (0);
2381 }
2382 
2383 
2384 
2385 static struct sctp_ifa *
2386 sctp_choose_boundspecific_inp(struct sctp_inpcb *inp,
2387     sctp_route_t * ro,
2388     uint32_t vrf_id,
2389     int non_asoc_addr_ok,
2390     uint8_t dest_is_priv,
2391     uint8_t dest_is_loop,
2392     sa_family_t fam)
2393 {
2394 	struct sctp_laddr *laddr, *starting_point;
2395 	void *ifn;
2396 	int resettotop = 0;
2397 	struct sctp_ifn *sctp_ifn;
2398 	struct sctp_ifa *sctp_ifa, *sifa;
2399 	struct sctp_vrf *vrf;
2400 	uint32_t ifn_index;
2401 
2402 	vrf = sctp_find_vrf(vrf_id);
2403 	if (vrf == NULL)
2404 		return (NULL);
2405 
2406 	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2407 	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2408 	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2409 	/*
2410 	 * first question, is the ifn we will emit on in our list, if so, we
2411 	 * want such an address. Note that we first looked for a preferred
2412 	 * address.
2413 	 */
2414 	if (sctp_ifn) {
2415 		/* is a preferred one on the interface we route out? */
2416 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2417 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2418 			    (non_asoc_addr_ok == 0))
2419 				continue;
2420 			sifa = sctp_is_ifa_addr_preferred(sctp_ifa,
2421 			    dest_is_loop,
2422 			    dest_is_priv, fam);
2423 			if (sifa == NULL)
2424 				continue;
2425 			if (sctp_is_addr_in_ep(inp, sifa)) {
2426 				atomic_add_int(&sifa->refcount, 1);
2427 				return (sifa);
2428 			}
2429 		}
2430 	}
2431 	/*
2432 	 * ok, now we now need to find one on the list of the addresses. We
2433 	 * can't get one on the emitting interface so let's find first a
2434 	 * preferred one. If not that an acceptable one otherwise... we
2435 	 * return NULL.
2436 	 */
2437 	starting_point = inp->next_addr_touse;
2438 once_again:
2439 	if (inp->next_addr_touse == NULL) {
2440 		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2441 		resettotop = 1;
2442 	}
2443 	for (laddr = inp->next_addr_touse; laddr;
2444 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2445 		if (laddr->ifa == NULL) {
2446 			/* address has been removed */
2447 			continue;
2448 		}
2449 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2450 			/* address is being deleted */
2451 			continue;
2452 		}
2453 		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop,
2454 		    dest_is_priv, fam);
2455 		if (sifa == NULL)
2456 			continue;
2457 		atomic_add_int(&sifa->refcount, 1);
2458 		return (sifa);
2459 	}
2460 	if (resettotop == 0) {
2461 		inp->next_addr_touse = NULL;
2462 		goto once_again;
2463 	}
2464 	inp->next_addr_touse = starting_point;
2465 	resettotop = 0;
2466 once_again_too:
2467 	if (inp->next_addr_touse == NULL) {
2468 		inp->next_addr_touse = LIST_FIRST(&inp->sctp_addr_list);
2469 		resettotop = 1;
2470 	}
2471 	/* ok, what about an acceptable address in the inp */
2472 	for (laddr = inp->next_addr_touse; laddr;
2473 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2474 		if (laddr->ifa == NULL) {
2475 			/* address has been removed */
2476 			continue;
2477 		}
2478 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2479 			/* address is being deleted */
2480 			continue;
2481 		}
2482 		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2483 		    dest_is_priv, fam);
2484 		if (sifa == NULL)
2485 			continue;
2486 		atomic_add_int(&sifa->refcount, 1);
2487 		return (sifa);
2488 	}
2489 	if (resettotop == 0) {
2490 		inp->next_addr_touse = NULL;
2491 		goto once_again_too;
2492 	}
2493 	/*
2494 	 * no address bound can be a source for the destination we are in
2495 	 * trouble
2496 	 */
2497 	return (NULL);
2498 }
2499 
2500 
2501 
2502 static struct sctp_ifa *
2503 sctp_choose_boundspecific_stcb(struct sctp_inpcb *inp,
2504     struct sctp_tcb *stcb,
2505     struct sctp_nets *net,
2506     sctp_route_t * ro,
2507     uint32_t vrf_id,
2508     uint8_t dest_is_priv,
2509     uint8_t dest_is_loop,
2510     int non_asoc_addr_ok,
2511     sa_family_t fam)
2512 {
2513 	struct sctp_laddr *laddr, *starting_point;
2514 	void *ifn;
2515 	struct sctp_ifn *sctp_ifn;
2516 	struct sctp_ifa *sctp_ifa, *sifa;
2517 	uint8_t start_at_beginning = 0;
2518 	struct sctp_vrf *vrf;
2519 	uint32_t ifn_index;
2520 
2521 	/*
2522 	 * first question, is the ifn we will emit on in our list, if so, we
2523 	 * want that one.
2524 	 */
2525 	vrf = sctp_find_vrf(vrf_id);
2526 	if (vrf == NULL)
2527 		return (NULL);
2528 
2529 	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2530 	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2531 	sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2532 
2533 	/*
2534 	 * first question, is the ifn we will emit on in our list?  If so,
2535 	 * we want that one. First we look for a preferred. Second, we go
2536 	 * for an acceptable.
2537 	 */
2538 	if (sctp_ifn) {
2539 		/* first try for a preferred address on the ep */
2540 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2541 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2542 				continue;
2543 			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2544 				sifa = sctp_is_ifa_addr_preferred(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2545 				if (sifa == NULL)
2546 					continue;
2547 				if (((non_asoc_addr_ok == 0) &&
2548 				    (sctp_is_addr_restricted(stcb, sifa))) ||
2549 				    (non_asoc_addr_ok &&
2550 				    (sctp_is_addr_restricted(stcb, sifa)) &&
2551 				    (!sctp_is_addr_pending(stcb, sifa)))) {
2552 					/* on the no-no list */
2553 					continue;
2554 				}
2555 				atomic_add_int(&sifa->refcount, 1);
2556 				return (sifa);
2557 			}
2558 		}
2559 		/* next try for an acceptable address on the ep */
2560 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
2561 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) && (non_asoc_addr_ok == 0))
2562 				continue;
2563 			if (sctp_is_addr_in_ep(inp, sctp_ifa)) {
2564 				sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop, dest_is_priv, fam);
2565 				if (sifa == NULL)
2566 					continue;
2567 				if (((non_asoc_addr_ok == 0) &&
2568 				    (sctp_is_addr_restricted(stcb, sifa))) ||
2569 				    (non_asoc_addr_ok &&
2570 				    (sctp_is_addr_restricted(stcb, sifa)) &&
2571 				    (!sctp_is_addr_pending(stcb, sifa)))) {
2572 					/* on the no-no list */
2573 					continue;
2574 				}
2575 				atomic_add_int(&sifa->refcount, 1);
2576 				return (sifa);
2577 			}
2578 		}
2579 
2580 	}
2581 	/*
2582 	 * if we can't find one like that then we must look at all addresses
2583 	 * bound to pick one at first preferable then secondly acceptable.
2584 	 */
2585 	starting_point = stcb->asoc.last_used_address;
2586 sctp_from_the_top:
2587 	if (stcb->asoc.last_used_address == NULL) {
2588 		start_at_beginning = 1;
2589 		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2590 	}
2591 	/* search beginning with the last used address */
2592 	for (laddr = stcb->asoc.last_used_address; laddr;
2593 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2594 		if (laddr->ifa == NULL) {
2595 			/* address has been removed */
2596 			continue;
2597 		}
2598 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2599 			/* address is being deleted */
2600 			continue;
2601 		}
2602 		sifa = sctp_is_ifa_addr_preferred(laddr->ifa, dest_is_loop, dest_is_priv, fam);
2603 		if (sifa == NULL)
2604 			continue;
2605 		if (((non_asoc_addr_ok == 0) &&
2606 		    (sctp_is_addr_restricted(stcb, sifa))) ||
2607 		    (non_asoc_addr_ok &&
2608 		    (sctp_is_addr_restricted(stcb, sifa)) &&
2609 		    (!sctp_is_addr_pending(stcb, sifa)))) {
2610 			/* on the no-no list */
2611 			continue;
2612 		}
2613 		stcb->asoc.last_used_address = laddr;
2614 		atomic_add_int(&sifa->refcount, 1);
2615 		return (sifa);
2616 	}
2617 	if (start_at_beginning == 0) {
2618 		stcb->asoc.last_used_address = NULL;
2619 		goto sctp_from_the_top;
2620 	}
2621 	/* now try for any higher scope than the destination */
2622 	stcb->asoc.last_used_address = starting_point;
2623 	start_at_beginning = 0;
2624 sctp_from_the_top2:
2625 	if (stcb->asoc.last_used_address == NULL) {
2626 		start_at_beginning = 1;
2627 		stcb->asoc.last_used_address = LIST_FIRST(&inp->sctp_addr_list);
2628 	}
2629 	/* search beginning with the last used address */
2630 	for (laddr = stcb->asoc.last_used_address; laddr;
2631 	    laddr = LIST_NEXT(laddr, sctp_nxt_addr)) {
2632 		if (laddr->ifa == NULL) {
2633 			/* address has been removed */
2634 			continue;
2635 		}
2636 		if (laddr->action == SCTP_DEL_IP_ADDRESS) {
2637 			/* address is being deleted */
2638 			continue;
2639 		}
2640 		sifa = sctp_is_ifa_addr_acceptable(laddr->ifa, dest_is_loop,
2641 		    dest_is_priv, fam);
2642 		if (sifa == NULL)
2643 			continue;
2644 		if (((non_asoc_addr_ok == 0) &&
2645 		    (sctp_is_addr_restricted(stcb, sifa))) ||
2646 		    (non_asoc_addr_ok &&
2647 		    (sctp_is_addr_restricted(stcb, sifa)) &&
2648 		    (!sctp_is_addr_pending(stcb, sifa)))) {
2649 			/* on the no-no list */
2650 			continue;
2651 		}
2652 		stcb->asoc.last_used_address = laddr;
2653 		atomic_add_int(&sifa->refcount, 1);
2654 		return (sifa);
2655 	}
2656 	if (start_at_beginning == 0) {
2657 		stcb->asoc.last_used_address = NULL;
2658 		goto sctp_from_the_top2;
2659 	}
2660 	return (NULL);
2661 }
2662 
2663 static struct sctp_ifa *
2664 sctp_select_nth_preferred_addr_from_ifn_boundall(struct sctp_ifn *ifn,
2665     struct sctp_tcb *stcb,
2666     int non_asoc_addr_ok,
2667     uint8_t dest_is_loop,
2668     uint8_t dest_is_priv,
2669     int addr_wanted,
2670     sa_family_t fam,
2671     sctp_route_t * ro
2672 )
2673 {
2674 	struct sctp_ifa *ifa, *sifa;
2675 	int num_eligible_addr = 0;
2676 
2677 #ifdef INET6
2678 	struct sockaddr_in6 sin6, lsa6;
2679 
2680 	if (fam == AF_INET6) {
2681 		memcpy(&sin6, &ro->ro_dst, sizeof(struct sockaddr_in6));
2682 		(void)sa6_recoverscope(&sin6);
2683 	}
2684 #endif				/* INET6 */
2685 	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2686 		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2687 		    (non_asoc_addr_ok == 0))
2688 			continue;
2689 		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2690 		    dest_is_priv, fam);
2691 		if (sifa == NULL)
2692 			continue;
2693 #ifdef INET6
2694 		if (fam == AF_INET6 &&
2695 		    dest_is_loop &&
2696 		    sifa->src_is_loop && sifa->src_is_priv) {
2697 			/*
2698 			 * don't allow fe80::1 to be a src on loop ::1, we
2699 			 * don't list it to the peer so we will get an
2700 			 * abort.
2701 			 */
2702 			continue;
2703 		}
2704 		if (fam == AF_INET6 &&
2705 		    IN6_IS_ADDR_LINKLOCAL(&sifa->address.sin6.sin6_addr) &&
2706 		    IN6_IS_ADDR_LINKLOCAL(&sin6.sin6_addr)) {
2707 			/*
2708 			 * link-local <-> link-local must belong to the same
2709 			 * scope.
2710 			 */
2711 			memcpy(&lsa6, &sifa->address.sin6, sizeof(struct sockaddr_in6));
2712 			(void)sa6_recoverscope(&lsa6);
2713 			if (sin6.sin6_scope_id != lsa6.sin6_scope_id) {
2714 				continue;
2715 			}
2716 		}
2717 #endif				/* INET6 */
2718 
2719 		/*
2720 		 * Check if the IPv6 address matches to next-hop. In the
2721 		 * mobile case, old IPv6 address may be not deleted from the
2722 		 * interface. Then, the interface has previous and new
2723 		 * addresses.  We should use one corresponding to the
2724 		 * next-hop.  (by micchie)
2725 		 */
2726 #ifdef INET6
2727 		if (stcb && fam == AF_INET6 &&
2728 		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2729 			if (sctp_v6src_match_nexthop(&sifa->address.sin6, ro)
2730 			    == 0) {
2731 				continue;
2732 			}
2733 		}
2734 #endif
2735 		/* Avoid topologically incorrect IPv4 address */
2736 		if (stcb && fam == AF_INET &&
2737 		    sctp_is_mobility_feature_on(stcb->sctp_ep, SCTP_MOBILITY_BASE)) {
2738 			if (sctp_v4src_match_nexthop(sifa, ro) == 0) {
2739 				continue;
2740 			}
2741 		}
2742 		if (stcb) {
2743 			if (sctp_is_address_in_scope(ifa,
2744 			    stcb->asoc.ipv4_addr_legal,
2745 			    stcb->asoc.ipv6_addr_legal,
2746 			    stcb->asoc.loopback_scope,
2747 			    stcb->asoc.ipv4_local_scope,
2748 			    stcb->asoc.local_scope,
2749 			    stcb->asoc.site_scope, 0) == 0) {
2750 				continue;
2751 			}
2752 			if (((non_asoc_addr_ok == 0) &&
2753 			    (sctp_is_addr_restricted(stcb, sifa))) ||
2754 			    (non_asoc_addr_ok &&
2755 			    (sctp_is_addr_restricted(stcb, sifa)) &&
2756 			    (!sctp_is_addr_pending(stcb, sifa)))) {
2757 				/*
2758 				 * It is restricted for some reason..
2759 				 * probably not yet added.
2760 				 */
2761 				continue;
2762 			}
2763 		}
2764 		if (num_eligible_addr >= addr_wanted) {
2765 			return (sifa);
2766 		}
2767 		num_eligible_addr++;
2768 	}
2769 	return (NULL);
2770 }
2771 
2772 
2773 static int
2774 sctp_count_num_preferred_boundall(struct sctp_ifn *ifn,
2775     struct sctp_tcb *stcb,
2776     int non_asoc_addr_ok,
2777     uint8_t dest_is_loop,
2778     uint8_t dest_is_priv,
2779     sa_family_t fam)
2780 {
2781 	struct sctp_ifa *ifa, *sifa;
2782 	int num_eligible_addr = 0;
2783 
2784 	LIST_FOREACH(ifa, &ifn->ifalist, next_ifa) {
2785 		if ((ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2786 		    (non_asoc_addr_ok == 0)) {
2787 			continue;
2788 		}
2789 		sifa = sctp_is_ifa_addr_preferred(ifa, dest_is_loop,
2790 		    dest_is_priv, fam);
2791 		if (sifa == NULL) {
2792 			continue;
2793 		}
2794 		if (stcb) {
2795 			if (sctp_is_address_in_scope(ifa,
2796 			    stcb->asoc.ipv4_addr_legal,
2797 			    stcb->asoc.ipv6_addr_legal,
2798 			    stcb->asoc.loopback_scope,
2799 			    stcb->asoc.ipv4_local_scope,
2800 			    stcb->asoc.local_scope,
2801 			    stcb->asoc.site_scope, 0) == 0) {
2802 				continue;
2803 			}
2804 			if (((non_asoc_addr_ok == 0) &&
2805 			    (sctp_is_addr_restricted(stcb, sifa))) ||
2806 			    (non_asoc_addr_ok &&
2807 			    (sctp_is_addr_restricted(stcb, sifa)) &&
2808 			    (!sctp_is_addr_pending(stcb, sifa)))) {
2809 				/*
2810 				 * It is restricted for some reason..
2811 				 * probably not yet added.
2812 				 */
2813 				continue;
2814 			}
2815 		}
2816 		num_eligible_addr++;
2817 	}
2818 	return (num_eligible_addr);
2819 }
2820 
2821 static struct sctp_ifa *
2822 sctp_choose_boundall(struct sctp_inpcb *inp,
2823     struct sctp_tcb *stcb,
2824     struct sctp_nets *net,
2825     sctp_route_t * ro,
2826     uint32_t vrf_id,
2827     uint8_t dest_is_priv,
2828     uint8_t dest_is_loop,
2829     int non_asoc_addr_ok,
2830     sa_family_t fam)
2831 {
2832 	int cur_addr_num = 0, num_preferred = 0;
2833 	void *ifn;
2834 	struct sctp_ifn *sctp_ifn, *looked_at = NULL, *emit_ifn;
2835 	struct sctp_ifa *sctp_ifa, *sifa;
2836 	uint32_t ifn_index;
2837 	struct sctp_vrf *vrf;
2838 
2839 	/*-
2840 	 * For boundall we can use any address in the association.
2841 	 * If non_asoc_addr_ok is set we can use any address (at least in
2842 	 * theory). So we look for preferred addresses first. If we find one,
2843 	 * we use it. Otherwise we next try to get an address on the
2844 	 * interface, which we should be able to do (unless non_asoc_addr_ok
2845 	 * is false and we are routed out that way). In these cases where we
2846 	 * can't use the address of the interface we go through all the
2847 	 * ifn's looking for an address we can use and fill that in. Punting
2848 	 * means we send back address 0, which will probably cause problems
2849 	 * actually since then IP will fill in the address of the route ifn,
2850 	 * which means we probably already rejected it.. i.e. here comes an
2851 	 * abort :-<.
2852 	 */
2853 	vrf = sctp_find_vrf(vrf_id);
2854 	if (vrf == NULL)
2855 		return (NULL);
2856 
2857 	ifn = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
2858 	ifn_index = SCTP_GET_IF_INDEX_FROM_ROUTE(ro);
2859 	emit_ifn = looked_at = sctp_ifn = sctp_find_ifn(ifn, ifn_index);
2860 	if (sctp_ifn == NULL) {
2861 		/* ?? We don't have this guy ?? */
2862 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No ifn emit interface?\n");
2863 		goto bound_all_plan_b;
2864 	}
2865 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "ifn_index:%d name:%s is emit interface\n",
2866 	    ifn_index, sctp_ifn->ifn_name);
2867 
2868 	if (net) {
2869 		cur_addr_num = net->indx_of_eligible_next_to_use;
2870 	}
2871 	num_preferred = sctp_count_num_preferred_boundall(sctp_ifn,
2872 	    stcb,
2873 	    non_asoc_addr_ok,
2874 	    dest_is_loop,
2875 	    dest_is_priv, fam);
2876 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Found %d preferred source addresses for intf:%s\n",
2877 	    num_preferred, sctp_ifn->ifn_name);
2878 	if (num_preferred == 0) {
2879 		/*
2880 		 * no eligible addresses, we must use some other interface
2881 		 * address if we can find one.
2882 		 */
2883 		goto bound_all_plan_b;
2884 	}
2885 	/*
2886 	 * Ok we have num_eligible_addr set with how many we can use, this
2887 	 * may vary from call to call due to addresses being deprecated
2888 	 * etc..
2889 	 */
2890 	if (cur_addr_num >= num_preferred) {
2891 		cur_addr_num = 0;
2892 	}
2893 	/*
2894 	 * select the nth address from the list (where cur_addr_num is the
2895 	 * nth) and 0 is the first one, 1 is the second one etc...
2896 	 */
2897 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "cur_addr_num:%d\n", cur_addr_num);
2898 
2899 	sctp_ifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, stcb, non_asoc_addr_ok, dest_is_loop,
2900 	    dest_is_priv, cur_addr_num, fam, ro);
2901 
2902 	/* if sctp_ifa is NULL something changed??, fall to plan b. */
2903 	if (sctp_ifa) {
2904 		atomic_add_int(&sctp_ifa->refcount, 1);
2905 		if (net) {
2906 			/* save off where the next one we will want */
2907 			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
2908 		}
2909 		return (sctp_ifa);
2910 	}
2911 	/*
2912 	 * plan_b: Look at all interfaces and find a preferred address. If
2913 	 * no preferred fall through to plan_c.
2914 	 */
2915 bound_all_plan_b:
2916 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan B\n");
2917 	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
2918 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "Examine interface %s\n",
2919 		    sctp_ifn->ifn_name);
2920 		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
2921 			/* wrong base scope */
2922 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "skip\n");
2923 			continue;
2924 		}
2925 		if ((sctp_ifn == looked_at) && looked_at) {
2926 			/* already looked at this guy */
2927 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "already seen\n");
2928 			continue;
2929 		}
2930 		num_preferred = sctp_count_num_preferred_boundall(sctp_ifn, stcb, non_asoc_addr_ok,
2931 		    dest_is_loop, dest_is_priv, fam);
2932 		SCTPDBG(SCTP_DEBUG_OUTPUT2,
2933 		    "Found ifn:%p %d preferred source addresses\n",
2934 		    ifn, num_preferred);
2935 		if (num_preferred == 0) {
2936 			/* None on this interface. */
2937 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefered -- skipping to next\n");
2938 			continue;
2939 		}
2940 		SCTPDBG(SCTP_DEBUG_OUTPUT2,
2941 		    "num preferred:%d on interface:%p cur_addr_num:%d\n",
2942 		    num_preferred, sctp_ifn, cur_addr_num);
2943 
2944 		/*
2945 		 * Ok we have num_eligible_addr set with how many we can
2946 		 * use, this may vary from call to call due to addresses
2947 		 * being deprecated etc..
2948 		 */
2949 		if (cur_addr_num >= num_preferred) {
2950 			cur_addr_num = 0;
2951 		}
2952 		sifa = sctp_select_nth_preferred_addr_from_ifn_boundall(sctp_ifn, stcb, non_asoc_addr_ok, dest_is_loop,
2953 		    dest_is_priv, cur_addr_num, fam, ro);
2954 		if (sifa == NULL)
2955 			continue;
2956 		if (net) {
2957 			net->indx_of_eligible_next_to_use = cur_addr_num + 1;
2958 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "we selected %d\n",
2959 			    cur_addr_num);
2960 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Source:");
2961 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
2962 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "Dest:");
2963 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &net->ro._l_addr.sa);
2964 		}
2965 		atomic_add_int(&sifa->refcount, 1);
2966 		return (sifa);
2967 
2968 	}
2969 
2970 	/* plan_c: do we have an acceptable address on the emit interface */
2971 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan C: find acceptable on interface\n");
2972 	if (emit_ifn == NULL) {
2973 		goto plan_d;
2974 	}
2975 	LIST_FOREACH(sctp_ifa, &emit_ifn->ifalist, next_ifa) {
2976 		if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
2977 		    (non_asoc_addr_ok == 0))
2978 			continue;
2979 		sifa = sctp_is_ifa_addr_acceptable(sctp_ifa, dest_is_loop,
2980 		    dest_is_priv, fam);
2981 		if (sifa == NULL)
2982 			continue;
2983 		if (stcb) {
2984 			if (sctp_is_address_in_scope(sifa,
2985 			    stcb->asoc.ipv4_addr_legal,
2986 			    stcb->asoc.ipv6_addr_legal,
2987 			    stcb->asoc.loopback_scope,
2988 			    stcb->asoc.ipv4_local_scope,
2989 			    stcb->asoc.local_scope,
2990 			    stcb->asoc.site_scope, 0) == 0) {
2991 				continue;
2992 			}
2993 			if (((non_asoc_addr_ok == 0) &&
2994 			    (sctp_is_addr_restricted(stcb, sifa))) ||
2995 			    (non_asoc_addr_ok &&
2996 			    (sctp_is_addr_restricted(stcb, sifa)) &&
2997 			    (!sctp_is_addr_pending(stcb, sifa)))) {
2998 				/*
2999 				 * It is restricted for some reason..
3000 				 * probably not yet added.
3001 				 */
3002 				continue;
3003 			}
3004 		}
3005 		atomic_add_int(&sifa->refcount, 1);
3006 		return (sifa);
3007 	}
3008 plan_d:
3009 	/*
3010 	 * plan_d: We are in trouble. No preferred address on the emit
3011 	 * interface. And not even a preferred address on all interfaces. Go
3012 	 * out and see if we can find an acceptable address somewhere
3013 	 * amongst all interfaces.
3014 	 */
3015 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Trying Plan D\n");
3016 	LIST_FOREACH(sctp_ifn, &vrf->ifnlist, next_ifn) {
3017 		if (dest_is_loop == 0 && SCTP_IFN_IS_IFT_LOOP(sctp_ifn)) {
3018 			/* wrong base scope */
3019 			continue;
3020 		}
3021 		if ((sctp_ifn == looked_at) && looked_at)
3022 			/* already looked at this guy */
3023 			continue;
3024 
3025 		LIST_FOREACH(sctp_ifa, &sctp_ifn->ifalist, next_ifa) {
3026 			if ((sctp_ifa->localifa_flags & SCTP_ADDR_DEFER_USE) &&
3027 			    (non_asoc_addr_ok == 0))
3028 				continue;
3029 			sifa = sctp_is_ifa_addr_acceptable(sctp_ifa,
3030 			    dest_is_loop,
3031 			    dest_is_priv, fam);
3032 			if (sifa == NULL)
3033 				continue;
3034 			if (stcb) {
3035 				if (sctp_is_address_in_scope(sifa,
3036 				    stcb->asoc.ipv4_addr_legal,
3037 				    stcb->asoc.ipv6_addr_legal,
3038 				    stcb->asoc.loopback_scope,
3039 				    stcb->asoc.ipv4_local_scope,
3040 				    stcb->asoc.local_scope,
3041 				    stcb->asoc.site_scope, 0) == 0) {
3042 					continue;
3043 				}
3044 				if (((non_asoc_addr_ok == 0) &&
3045 				    (sctp_is_addr_restricted(stcb, sifa))) ||
3046 				    (non_asoc_addr_ok &&
3047 				    (sctp_is_addr_restricted(stcb, sifa)) &&
3048 				    (!sctp_is_addr_pending(stcb, sifa)))) {
3049 					/*
3050 					 * It is restricted for some
3051 					 * reason.. probably not yet added.
3052 					 */
3053 					continue;
3054 				}
3055 			}
3056 			atomic_add_int(&sifa->refcount, 1);
3057 			return (sifa);
3058 		}
3059 	}
3060 	/*
3061 	 * Ok we can find NO address to source from that is not on our
3062 	 * restricted list and non_asoc_address is NOT ok, or it is on our
3063 	 * restricted list. We can't source to it :-(
3064 	 */
3065 	return (NULL);
3066 }
3067 
3068 
3069 
3070 /* tcb may be NULL */
3071 struct sctp_ifa *
3072 sctp_source_address_selection(struct sctp_inpcb *inp,
3073     struct sctp_tcb *stcb,
3074     sctp_route_t * ro,
3075     struct sctp_nets *net,
3076     int non_asoc_addr_ok, uint32_t vrf_id)
3077 {
3078 	struct sockaddr_in *to = (struct sockaddr_in *)&ro->ro_dst;
3079 
3080 #ifdef INET6
3081 	struct sockaddr_in6 *to6 = (struct sockaddr_in6 *)&ro->ro_dst;
3082 
3083 #endif
3084 	struct sctp_ifa *answer;
3085 	uint8_t dest_is_priv, dest_is_loop;
3086 	sa_family_t fam;
3087 
3088 	/*-
3089 	 * Rules: - Find the route if needed, cache if I can. - Look at
3090 	 * interface address in route, Is it in the bound list. If so we
3091 	 * have the best source. - If not we must rotate amongst the
3092 	 * addresses.
3093 	 *
3094 	 * Cavets and issues
3095 	 *
3096 	 * Do we need to pay attention to scope. We can have a private address
3097 	 * or a global address we are sourcing or sending to. So if we draw
3098 	 * it out
3099 	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3100 	 * For V4
3101 	 * ------------------------------------------
3102 	 *      source     *      dest  *  result
3103 	 * -----------------------------------------
3104 	 * <a>  Private    *    Global  *  NAT
3105 	 * -----------------------------------------
3106 	 * <b>  Private    *    Private *  No problem
3107 	 * -----------------------------------------
3108 	 * <c>  Global     *    Private *  Huh, How will this work?
3109 	 * -----------------------------------------
3110 	 * <d>  Global     *    Global  *  No Problem
3111 	 *------------------------------------------
3112 	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3113 	 * For V6
3114 	 *------------------------------------------
3115 	 *      source     *      dest  *  result
3116 	 * -----------------------------------------
3117 	 * <a>  Linklocal  *    Global  *
3118 	 * -----------------------------------------
3119 	 * <b>  Linklocal  * Linklocal  *  No problem
3120 	 * -----------------------------------------
3121 	 * <c>  Global     * Linklocal  *  Huh, How will this work?
3122 	 * -----------------------------------------
3123 	 * <d>  Global     *    Global  *  No Problem
3124 	 *------------------------------------------
3125 	 * zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
3126 	 *
3127 	 * And then we add to that what happens if there are multiple addresses
3128 	 * assigned to an interface. Remember the ifa on a ifn is a linked
3129 	 * list of addresses. So one interface can have more than one IP
3130 	 * address. What happens if we have both a private and a global
3131 	 * address? Do we then use context of destination to sort out which
3132 	 * one is best? And what about NAT's sending P->G may get you a NAT
3133 	 * translation, or should you select the G thats on the interface in
3134 	 * preference.
3135 	 *
3136 	 * Decisions:
3137 	 *
3138 	 * - count the number of addresses on the interface.
3139 	 * - if it is one, no problem except case <c>.
3140 	 *   For <a> we will assume a NAT out there.
3141 	 * - if there are more than one, then we need to worry about scope P
3142 	 *   or G. We should prefer G -> G and P -> P if possible.
3143 	 *   Then as a secondary fall back to mixed types G->P being a last
3144 	 *   ditch one.
3145 	 * - The above all works for bound all, but bound specific we need to
3146 	 *   use the same concept but instead only consider the bound
3147 	 *   addresses. If the bound set is NOT assigned to the interface then
3148 	 *   we must use rotation amongst the bound addresses..
3149 	 */
3150 	if (ro->ro_rt == NULL) {
3151 		/*
3152 		 * Need a route to cache.
3153 		 */
3154 		SCTP_RTALLOC(ro, vrf_id);
3155 	}
3156 	if (ro->ro_rt == NULL) {
3157 		return (NULL);
3158 	}
3159 	fam = to->sin_family;
3160 	dest_is_priv = dest_is_loop = 0;
3161 	/* Setup our scopes for the destination */
3162 	switch (fam) {
3163 	case AF_INET:
3164 		/* Scope based on outbound address */
3165 		if (IN4_ISLOOPBACK_ADDRESS(&to->sin_addr)) {
3166 			dest_is_loop = 1;
3167 			if (net != NULL) {
3168 				/* mark it as local */
3169 				net->addr_is_local = 1;
3170 			}
3171 		} else if ((IN4_ISPRIVATE_ADDRESS(&to->sin_addr))) {
3172 			dest_is_priv = 1;
3173 		}
3174 		break;
3175 #ifdef INET6
3176 	case AF_INET6:
3177 		/* Scope based on outbound address */
3178 		if (IN6_IS_ADDR_LOOPBACK(&to6->sin6_addr) ||
3179 		    SCTP_ROUTE_IS_REAL_LOOP(ro)) {
3180 			/*
3181 			 * If the address is a loopback address, which
3182 			 * consists of "::1" OR "fe80::1%lo0", we are
3183 			 * loopback scope. But we don't use dest_is_priv
3184 			 * (link local addresses).
3185 			 */
3186 			dest_is_loop = 1;
3187 			if (net != NULL) {
3188 				/* mark it as local */
3189 				net->addr_is_local = 1;
3190 			}
3191 		} else if (IN6_IS_ADDR_LINKLOCAL(&to6->sin6_addr)) {
3192 			dest_is_priv = 1;
3193 		}
3194 		break;
3195 #endif
3196 	}
3197 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "Select source addr for:");
3198 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)to);
3199 	SCTP_IPI_ADDR_RLOCK();
3200 	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUNDALL) {
3201 		/*
3202 		 * Bound all case
3203 		 */
3204 		answer = sctp_choose_boundall(inp, stcb, net, ro, vrf_id,
3205 		    dest_is_priv, dest_is_loop,
3206 		    non_asoc_addr_ok, fam);
3207 		SCTP_IPI_ADDR_RUNLOCK();
3208 		return (answer);
3209 	}
3210 	/*
3211 	 * Subset bound case
3212 	 */
3213 	if (stcb) {
3214 		answer = sctp_choose_boundspecific_stcb(inp, stcb, net, ro,
3215 		    vrf_id, dest_is_priv,
3216 		    dest_is_loop,
3217 		    non_asoc_addr_ok, fam);
3218 	} else {
3219 		answer = sctp_choose_boundspecific_inp(inp, ro, vrf_id,
3220 		    non_asoc_addr_ok,
3221 		    dest_is_priv,
3222 		    dest_is_loop, fam);
3223 	}
3224 	SCTP_IPI_ADDR_RUNLOCK();
3225 	return (answer);
3226 }
3227 
3228 static int
3229 sctp_find_cmsg(int c_type, void *data, struct mbuf *control, int cpsize)
3230 {
3231 	struct cmsghdr cmh;
3232 	int tlen, at;
3233 
3234 	tlen = SCTP_BUF_LEN(control);
3235 	at = 0;
3236 	/*
3237 	 * Independent of how many mbufs, find the c_type inside the control
3238 	 * structure and copy out the data.
3239 	 */
3240 	while (at < tlen) {
3241 		if ((tlen - at) < (int)CMSG_ALIGN(sizeof(cmh))) {
3242 			/* not enough room for one more we are done. */
3243 			return (0);
3244 		}
3245 		m_copydata(control, at, sizeof(cmh), (caddr_t)&cmh);
3246 		if (((int)cmh.cmsg_len + at) > tlen) {
3247 			/*
3248 			 * this is real messed up since there is not enough
3249 			 * data here to cover the cmsg header. We are done.
3250 			 */
3251 			return (0);
3252 		}
3253 		if ((cmh.cmsg_level == IPPROTO_SCTP) &&
3254 		    (c_type == cmh.cmsg_type)) {
3255 			/* found the one we want, copy it out */
3256 			at += CMSG_ALIGN(sizeof(struct cmsghdr));
3257 			if ((int)(cmh.cmsg_len - CMSG_ALIGN(sizeof(struct cmsghdr))) < cpsize) {
3258 				/*
3259 				 * space of cmsg_len after header not big
3260 				 * enough
3261 				 */
3262 				return (0);
3263 			}
3264 			m_copydata(control, at, cpsize, data);
3265 			return (1);
3266 		} else {
3267 			at += CMSG_ALIGN(cmh.cmsg_len);
3268 			if (cmh.cmsg_len == 0) {
3269 				break;
3270 			}
3271 		}
3272 	}
3273 	/* not found */
3274 	return (0);
3275 }
3276 
3277 static struct mbuf *
3278 sctp_add_cookie(struct sctp_inpcb *inp, struct mbuf *init, int init_offset,
3279     struct mbuf *initack, int initack_offset, struct sctp_state_cookie *stc_in, uint8_t ** signature)
3280 {
3281 	struct mbuf *copy_init, *copy_initack, *m_at, *sig, *mret;
3282 	struct sctp_state_cookie *stc;
3283 	struct sctp_paramhdr *ph;
3284 	uint8_t *foo;
3285 	int sig_offset;
3286 	uint16_t cookie_sz;
3287 
3288 	mret = NULL;
3289 	mret = sctp_get_mbuf_for_msg((sizeof(struct sctp_state_cookie) +
3290 	    sizeof(struct sctp_paramhdr)), 0,
3291 	    M_DONTWAIT, 1, MT_DATA);
3292 	if (mret == NULL) {
3293 		return (NULL);
3294 	}
3295 	copy_init = SCTP_M_COPYM(init, init_offset, M_COPYALL, M_DONTWAIT);
3296 	if (copy_init == NULL) {
3297 		sctp_m_freem(mret);
3298 		return (NULL);
3299 	}
3300 #ifdef SCTP_MBUF_LOGGING
3301 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3302 		struct mbuf *mat;
3303 
3304 		mat = copy_init;
3305 		while (mat) {
3306 			if (SCTP_BUF_IS_EXTENDED(mat)) {
3307 				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
3308 			}
3309 			mat = SCTP_BUF_NEXT(mat);
3310 		}
3311 	}
3312 #endif
3313 	copy_initack = SCTP_M_COPYM(initack, initack_offset, M_COPYALL,
3314 	    M_DONTWAIT);
3315 	if (copy_initack == NULL) {
3316 		sctp_m_freem(mret);
3317 		sctp_m_freem(copy_init);
3318 		return (NULL);
3319 	}
3320 #ifdef SCTP_MBUF_LOGGING
3321 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
3322 		struct mbuf *mat;
3323 
3324 		mat = copy_initack;
3325 		while (mat) {
3326 			if (SCTP_BUF_IS_EXTENDED(mat)) {
3327 				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
3328 			}
3329 			mat = SCTP_BUF_NEXT(mat);
3330 		}
3331 	}
3332 #endif
3333 	/* easy side we just drop it on the end */
3334 	ph = mtod(mret, struct sctp_paramhdr *);
3335 	SCTP_BUF_LEN(mret) = sizeof(struct sctp_state_cookie) +
3336 	    sizeof(struct sctp_paramhdr);
3337 	stc = (struct sctp_state_cookie *)((caddr_t)ph +
3338 	    sizeof(struct sctp_paramhdr));
3339 	ph->param_type = htons(SCTP_STATE_COOKIE);
3340 	ph->param_length = 0;	/* fill in at the end */
3341 	/* Fill in the stc cookie data */
3342 	memcpy(stc, stc_in, sizeof(struct sctp_state_cookie));
3343 
3344 	/* tack the INIT and then the INIT-ACK onto the chain */
3345 	cookie_sz = 0;
3346 	m_at = mret;
3347 	for (m_at = mret; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3348 		cookie_sz += SCTP_BUF_LEN(m_at);
3349 		if (SCTP_BUF_NEXT(m_at) == NULL) {
3350 			SCTP_BUF_NEXT(m_at) = copy_init;
3351 			break;
3352 		}
3353 	}
3354 
3355 	for (m_at = copy_init; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3356 		cookie_sz += SCTP_BUF_LEN(m_at);
3357 		if (SCTP_BUF_NEXT(m_at) == NULL) {
3358 			SCTP_BUF_NEXT(m_at) = copy_initack;
3359 			break;
3360 		}
3361 	}
3362 
3363 	for (m_at = copy_initack; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
3364 		cookie_sz += SCTP_BUF_LEN(m_at);
3365 		if (SCTP_BUF_NEXT(m_at) == NULL) {
3366 			break;
3367 		}
3368 	}
3369 	sig = sctp_get_mbuf_for_msg(SCTP_SECRET_SIZE, 0, M_DONTWAIT, 1, MT_DATA);
3370 	if (sig == NULL) {
3371 		/* no space, so free the entire chain */
3372 		sctp_m_freem(mret);
3373 		return (NULL);
3374 	}
3375 	SCTP_BUF_LEN(sig) = 0;
3376 	SCTP_BUF_NEXT(m_at) = sig;
3377 	sig_offset = 0;
3378 	foo = (uint8_t *) (mtod(sig, caddr_t)+sig_offset);
3379 	memset(foo, 0, SCTP_SIGNATURE_SIZE);
3380 	*signature = foo;
3381 	SCTP_BUF_LEN(sig) += SCTP_SIGNATURE_SIZE;
3382 	cookie_sz += SCTP_SIGNATURE_SIZE;
3383 	ph->param_length = htons(cookie_sz);
3384 	return (mret);
3385 }
3386 
3387 
3388 static uint8_t
3389 sctp_get_ect(struct sctp_tcb *stcb,
3390     struct sctp_tmit_chunk *chk)
3391 {
3392 	uint8_t this_random;
3393 
3394 	/* Huh? */
3395 	if (SCTP_BASE_SYSCTL(sctp_ecn_enable) == 0)
3396 		return (0);
3397 
3398 	if (SCTP_BASE_SYSCTL(sctp_ecn_nonce) == 0)
3399 		/* no nonce, always return ECT0 */
3400 		return (SCTP_ECT0_BIT);
3401 
3402 	if (stcb->asoc.peer_supports_ecn_nonce == 0) {
3403 		/* Peer does NOT support it, so we send a ECT0 only */
3404 		return (SCTP_ECT0_BIT);
3405 	}
3406 	if (chk == NULL)
3407 		return (SCTP_ECT0_BIT);
3408 
3409 	if ((stcb->asoc.hb_random_idx > 3) ||
3410 	    ((stcb->asoc.hb_random_idx == 3) &&
3411 	    (stcb->asoc.hb_ect_randombit > 7))) {
3412 		uint32_t rndval;
3413 
3414 warp_drive_sa:
3415 		rndval = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
3416 		memcpy(stcb->asoc.hb_random_values, &rndval,
3417 		    sizeof(stcb->asoc.hb_random_values));
3418 		this_random = stcb->asoc.hb_random_values[0];
3419 		stcb->asoc.hb_random_idx = 0;
3420 		stcb->asoc.hb_ect_randombit = 0;
3421 	} else {
3422 		if (stcb->asoc.hb_ect_randombit > 7) {
3423 			stcb->asoc.hb_ect_randombit = 0;
3424 			stcb->asoc.hb_random_idx++;
3425 			if (stcb->asoc.hb_random_idx > 3) {
3426 				goto warp_drive_sa;
3427 			}
3428 		}
3429 		this_random = stcb->asoc.hb_random_values[stcb->asoc.hb_random_idx];
3430 	}
3431 	if ((this_random >> stcb->asoc.hb_ect_randombit) & 0x01) {
3432 		if (chk != NULL)
3433 			/* ECN Nonce stuff */
3434 			chk->rec.data.ect_nonce = SCTP_ECT1_BIT;
3435 		stcb->asoc.hb_ect_randombit++;
3436 		return (SCTP_ECT1_BIT);
3437 	} else {
3438 		stcb->asoc.hb_ect_randombit++;
3439 		return (SCTP_ECT0_BIT);
3440 	}
3441 }
3442 
3443 static int
3444 sctp_lowlevel_chunk_output(struct sctp_inpcb *inp,
3445     struct sctp_tcb *stcb,	/* may be NULL */
3446     struct sctp_nets *net,
3447     struct sockaddr *to,
3448     struct mbuf *m,
3449     uint32_t auth_offset,
3450     struct sctp_auth_chunk *auth,
3451     uint16_t auth_keyid,
3452     int nofragment_flag,
3453     int ecn_ok,
3454     struct sctp_tmit_chunk *chk,
3455     int out_of_asoc_ok,
3456     uint16_t src_port,
3457     uint16_t dest_port,
3458     uint32_t v_tag,
3459     uint16_t port,
3460     int so_locked,
3461 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
3462     SCTP_UNUSED
3463 #endif
3464     union sctp_sockstore *over_addr
3465 )
3466 /* nofragment_flag to tell if IP_DF should be set (IPv4 only) */
3467 {
3468 	/*
3469 	 * Given a mbuf chain (via SCTP_BUF_NEXT()) that holds a packet
3470 	 * header WITH an SCTPHDR but no IP header, endpoint inp and sa
3471 	 * structure: - fill in the HMAC digest of any AUTH chunk in the
3472 	 * packet. - calculate and fill in the SCTP checksum. - prepend an
3473 	 * IP address header. - if boundall use INADDR_ANY. - if
3474 	 * boundspecific do source address selection. - set fragmentation
3475 	 * option for ipV4. - On return from IP output, check/adjust mtu
3476 	 * size of output interface and smallest_mtu size as well.
3477 	 */
3478 	/* Will need ifdefs around this */
3479 	struct mbuf *o_pak;
3480 	struct mbuf *newm;
3481 	struct sctphdr *sctphdr;
3482 	int packet_length;
3483 	int ret;
3484 	uint32_t vrf_id;
3485 	sctp_route_t *ro = NULL;
3486 	struct udphdr *udp = NULL;
3487 
3488 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3489 	struct socket *so = NULL;
3490 
3491 #endif
3492 
3493 	if ((net) && (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)) {
3494 		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
3495 		sctp_m_freem(m);
3496 		return (EFAULT);
3497 	}
3498 	if (stcb) {
3499 		vrf_id = stcb->asoc.vrf_id;
3500 	} else {
3501 		vrf_id = inp->def_vrf_id;
3502 	}
3503 
3504 	/* fill in the HMAC digest for any AUTH chunk in the packet */
3505 	if ((auth != NULL) && (stcb != NULL)) {
3506 		sctp_fill_hmac_digest_m(m, auth_offset, auth, stcb, auth_keyid);
3507 	}
3508 	if (to->sa_family == AF_INET) {
3509 		struct ip *ip = NULL;
3510 		sctp_route_t iproute;
3511 		uint8_t tos_value;
3512 		int len;
3513 
3514 		len = sizeof(struct ip) + sizeof(struct sctphdr);
3515 		if (port) {
3516 			len += sizeof(struct udphdr);
3517 		}
3518 		newm = sctp_get_mbuf_for_msg(len, 1, M_DONTWAIT, 1, MT_DATA);
3519 		if (newm == NULL) {
3520 			sctp_m_freem(m);
3521 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
3522 			return (ENOMEM);
3523 		}
3524 		SCTP_ALIGN_TO_END(newm, len);
3525 		SCTP_BUF_LEN(newm) = len;
3526 		SCTP_BUF_NEXT(newm) = m;
3527 		m = newm;
3528 		packet_length = sctp_calculate_len(m);
3529 		ip = mtod(m, struct ip *);
3530 		ip->ip_v = IPVERSION;
3531 		ip->ip_hl = (sizeof(struct ip) >> 2);
3532 		if (net) {
3533 			tos_value = net->tos_flowlabel & 0x000000ff;
3534 		} else {
3535 			tos_value = inp->ip_inp.inp.inp_ip_tos;
3536 		}
3537 		if ((nofragment_flag) && (port == 0)) {
3538 			ip->ip_off = IP_DF;
3539 		} else
3540 			ip->ip_off = 0;
3541 
3542 		/* FreeBSD has a function for ip_id's */
3543 		ip->ip_id = ip_newid();
3544 
3545 		ip->ip_ttl = inp->ip_inp.inp.inp_ip_ttl;
3546 		ip->ip_len = packet_length;
3547 		if (stcb) {
3548 			if ((stcb->asoc.ecn_allowed) && ecn_ok) {
3549 				/* Enable ECN */
3550 				ip->ip_tos = ((u_char)(tos_value & 0xfc) | sctp_get_ect(stcb, chk));
3551 			} else {
3552 				/* No ECN */
3553 				ip->ip_tos = (u_char)(tos_value & 0xfc);
3554 			}
3555 		} else {
3556 			/* no association at all */
3557 			ip->ip_tos = (tos_value & 0xfc);
3558 		}
3559 		if (port) {
3560 			ip->ip_p = IPPROTO_UDP;
3561 		} else {
3562 			ip->ip_p = IPPROTO_SCTP;
3563 		}
3564 		ip->ip_sum = 0;
3565 		if (net == NULL) {
3566 			ro = &iproute;
3567 			memset(&iproute, 0, sizeof(iproute));
3568 			memcpy(&ro->ro_dst, to, to->sa_len);
3569 		} else {
3570 			ro = (sctp_route_t *) & net->ro;
3571 		}
3572 		/* Now the address selection part */
3573 		ip->ip_dst.s_addr = ((struct sockaddr_in *)to)->sin_addr.s_addr;
3574 
3575 		/* call the routine to select the src address */
3576 		if (net && out_of_asoc_ok == 0) {
3577 			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
3578 				sctp_free_ifa(net->ro._s_addr);
3579 				net->ro._s_addr = NULL;
3580 				net->src_addr_selected = 0;
3581 				if (ro->ro_rt) {
3582 					RTFREE(ro->ro_rt);
3583 					ro->ro_rt = NULL;
3584 				}
3585 			}
3586 			if (net->src_addr_selected == 0) {
3587 				/* Cache the source address */
3588 				net->ro._s_addr = sctp_source_address_selection(inp, stcb,
3589 				    ro, net, 0,
3590 				    vrf_id);
3591 				net->src_addr_selected = 1;
3592 			}
3593 			if (net->ro._s_addr == NULL) {
3594 				/* No route to host */
3595 				net->src_addr_selected = 0;
3596 				goto no_route;
3597 			}
3598 			ip->ip_src = net->ro._s_addr->address.sin.sin_addr;
3599 		} else {
3600 			if (over_addr == NULL) {
3601 				struct sctp_ifa *_lsrc;
3602 
3603 				_lsrc = sctp_source_address_selection(inp, stcb, ro,
3604 				    net,
3605 				    out_of_asoc_ok,
3606 				    vrf_id);
3607 				if (_lsrc == NULL) {
3608 					goto no_route;
3609 				}
3610 				ip->ip_src = _lsrc->address.sin.sin_addr;
3611 				sctp_free_ifa(_lsrc);
3612 			} else {
3613 				ip->ip_src = over_addr->sin.sin_addr;
3614 				SCTP_RTALLOC(ro, vrf_id);
3615 			}
3616 		}
3617 		if (port) {
3618 			udp = (struct udphdr *)((caddr_t)ip + sizeof(struct ip));
3619 			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
3620 			udp->uh_dport = port;
3621 			udp->uh_ulen = htons(packet_length - sizeof(struct ip));
3622 			udp->uh_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
3623 			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
3624 		} else {
3625 			sctphdr = (struct sctphdr *)((caddr_t)ip + sizeof(struct ip));
3626 		}
3627 
3628 		sctphdr->src_port = src_port;
3629 		sctphdr->dest_port = dest_port;
3630 		sctphdr->v_tag = v_tag;
3631 		sctphdr->checksum = 0;
3632 
3633 		/*
3634 		 * If source address selection fails and we find no route
3635 		 * then the ip_output should fail as well with a
3636 		 * NO_ROUTE_TO_HOST type error. We probably should catch
3637 		 * that somewhere and abort the association right away
3638 		 * (assuming this is an INIT being sent).
3639 		 */
3640 		if ((ro->ro_rt == NULL)) {
3641 			/*
3642 			 * src addr selection failed to find a route (or
3643 			 * valid source addr), so we can't get there from
3644 			 * here (yet)!
3645 			 */
3646 	no_route:
3647 			SCTPDBG(SCTP_DEBUG_OUTPUT1,
3648 			    "%s: dropped packet - no valid source addr\n",
3649 			    __FUNCTION__);
3650 			if (net) {
3651 				SCTPDBG(SCTP_DEBUG_OUTPUT1,
3652 				    "Destination was ");
3653 				SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT1,
3654 				    &net->ro._l_addr.sa);
3655 				if (net->dest_state & SCTP_ADDR_CONFIRMED) {
3656 					if ((net->dest_state & SCTP_ADDR_REACHABLE) && stcb) {
3657 						SCTPDBG(SCTP_DEBUG_OUTPUT1, "no route takes interface %p down\n", net);
3658 						sctp_ulp_notify(SCTP_NOTIFY_INTERFACE_DOWN,
3659 						    stcb,
3660 						    SCTP_FAILED_THRESHOLD,
3661 						    (void *)net,
3662 						    so_locked);
3663 						net->dest_state &= ~SCTP_ADDR_REACHABLE;
3664 						net->dest_state |= SCTP_ADDR_NOT_REACHABLE;
3665 						/*
3666 						 * JRS 5/14/07 - If a
3667 						 * destination is
3668 						 * unreachable, the PF bit
3669 						 * is turned off.  This
3670 						 * allows an unambiguous use
3671 						 * of the PF bit for
3672 						 * destinations that are
3673 						 * reachable but potentially
3674 						 * failed. If the
3675 						 * destination is set to the
3676 						 * unreachable state, also
3677 						 * set the destination to
3678 						 * the PF state.
3679 						 */
3680 						/*
3681 						 * Add debug message here if
3682 						 * destination is not in PF
3683 						 * state.
3684 						 */
3685 						/*
3686 						 * Stop any running T3
3687 						 * timers here?
3688 						 */
3689 						if ((stcb->asoc.sctp_cmt_on_off > 0) &&
3690 						    (stcb->asoc.sctp_cmt_pf > 0)) {
3691 							net->dest_state &= ~SCTP_ADDR_PF;
3692 							SCTPDBG(SCTP_DEBUG_OUTPUT1, "Destination %p moved from PF to unreachable.\n",
3693 							    net);
3694 						}
3695 					}
3696 				}
3697 				if (stcb) {
3698 					if (net == stcb->asoc.primary_destination) {
3699 						/* need a new primary */
3700 						struct sctp_nets *alt;
3701 
3702 						alt = sctp_find_alternate_net(stcb, net, 0);
3703 						if (alt != net) {
3704 							if (sctp_set_primary_addr(stcb,
3705 							    (struct sockaddr *)NULL,
3706 							    alt) == 0) {
3707 								net->dest_state |= SCTP_ADDR_WAS_PRIMARY;
3708 								if (net->ro._s_addr) {
3709 									sctp_free_ifa(net->ro._s_addr);
3710 									net->ro._s_addr = NULL;
3711 								}
3712 								net->src_addr_selected = 0;
3713 							}
3714 						}
3715 					}
3716 				}
3717 			}
3718 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EHOSTUNREACH);
3719 			sctp_m_freem(m);
3720 			return (EHOSTUNREACH);
3721 		}
3722 		if (ro != &iproute) {
3723 			memcpy(&iproute, ro, sizeof(*ro));
3724 		}
3725 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv4 output routine from low level src addr:%x\n",
3726 		    (uint32_t) (ntohl(ip->ip_src.s_addr)));
3727 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Destination is %x\n",
3728 		    (uint32_t) (ntohl(ip->ip_dst.s_addr)));
3729 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "RTP route is %p through\n",
3730 		    ro->ro_rt);
3731 
3732 		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
3733 			/* failed to prepend data, give up */
3734 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
3735 			sctp_m_freem(m);
3736 			return (ENOMEM);
3737 		}
3738 #ifdef  SCTP_PACKET_LOGGING
3739 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
3740 			sctp_packet_log(m, packet_length);
3741 #endif
3742 		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
3743 		if (port) {
3744 #if defined(SCTP_WITH_NO_CSUM)
3745 			SCTP_STAT_INCR(sctps_sendnocrc);
3746 #else
3747 			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
3748 			    (stcb) &&
3749 			    (stcb->asoc.loopback_scope))) {
3750 				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip) + sizeof(struct udphdr));
3751 				SCTP_STAT_INCR(sctps_sendswcrc);
3752 			} else {
3753 				SCTP_STAT_INCR(sctps_sendnocrc);
3754 			}
3755 #endif
3756 			SCTP_ENABLE_UDP_CSUM(o_pak);
3757 		} else {
3758 #if defined(SCTP_WITH_NO_CSUM)
3759 			SCTP_STAT_INCR(sctps_sendnocrc);
3760 #else
3761 			m->m_pkthdr.csum_flags = CSUM_SCTP;
3762 			m->m_pkthdr.csum_data = 0;
3763 			SCTP_STAT_INCR(sctps_sendhwcrc);
3764 #endif
3765 		}
3766 		/* send it out.  table id is taken from stcb */
3767 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3768 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
3769 			so = SCTP_INP_SO(inp);
3770 			SCTP_SOCKET_UNLOCK(so, 0);
3771 		}
3772 #endif
3773 		SCTP_IP_OUTPUT(ret, o_pak, ro, stcb, vrf_id);
3774 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
3775 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
3776 			atomic_add_int(&stcb->asoc.refcnt, 1);
3777 			SCTP_TCB_UNLOCK(stcb);
3778 			SCTP_SOCKET_LOCK(so, 0);
3779 			SCTP_TCB_LOCK(stcb);
3780 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
3781 		}
3782 #endif
3783 		SCTP_STAT_INCR(sctps_sendpackets);
3784 		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
3785 		if (ret)
3786 			SCTP_STAT_INCR(sctps_senderrors);
3787 
3788 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "IP output returns %d\n", ret);
3789 		if (net == NULL) {
3790 			/* free tempy routes */
3791 			if (ro->ro_rt) {
3792 				RTFREE(ro->ro_rt);
3793 				ro->ro_rt = NULL;
3794 			}
3795 		} else {
3796 			/* PMTU check versus smallest asoc MTU goes here */
3797 			if ((ro->ro_rt != NULL) &&
3798 			    (net->ro._s_addr)) {
3799 				uint32_t mtu;
3800 
3801 				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
3802 				if (net->port) {
3803 					mtu -= sizeof(struct udphdr);
3804 				}
3805 				if (mtu && (stcb->asoc.smallest_mtu > mtu)) {
3806 					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
3807 					net->mtu = mtu;
3808 				}
3809 			} else if (ro->ro_rt == NULL) {
3810 				/* route was freed */
3811 				if (net->ro._s_addr &&
3812 				    net->src_addr_selected) {
3813 					sctp_free_ifa(net->ro._s_addr);
3814 					net->ro._s_addr = NULL;
3815 				}
3816 				net->src_addr_selected = 0;
3817 			}
3818 		}
3819 		return (ret);
3820 	}
3821 #ifdef INET6
3822 	else if (to->sa_family == AF_INET6) {
3823 		uint32_t flowlabel;
3824 		struct ip6_hdr *ip6h;
3825 		struct route_in6 ip6route;
3826 		struct ifnet *ifp;
3827 		u_char flowTop;
3828 		uint16_t flowBottom;
3829 		u_char tosBottom, tosTop;
3830 		struct sockaddr_in6 *sin6, tmp, *lsa6, lsa6_tmp;
3831 		int prev_scope = 0;
3832 		struct sockaddr_in6 lsa6_storage;
3833 		int error;
3834 		u_short prev_port = 0;
3835 		int len;
3836 
3837 		if (net != NULL) {
3838 			flowlabel = net->tos_flowlabel;
3839 		} else {
3840 			flowlabel = ((struct in6pcb *)inp)->in6p_flowinfo;
3841 		}
3842 
3843 		len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr);
3844 		if (port) {
3845 			len += sizeof(struct udphdr);
3846 		}
3847 		newm = sctp_get_mbuf_for_msg(len, 1, M_DONTWAIT, 1, MT_DATA);
3848 		if (newm == NULL) {
3849 			sctp_m_freem(m);
3850 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
3851 			return (ENOMEM);
3852 		}
3853 		SCTP_ALIGN_TO_END(newm, len);
3854 		SCTP_BUF_LEN(newm) = len;
3855 		SCTP_BUF_NEXT(newm) = m;
3856 		m = newm;
3857 		packet_length = sctp_calculate_len(m);
3858 
3859 		ip6h = mtod(m, struct ip6_hdr *);
3860 		/*
3861 		 * We assume here that inp_flow is in host byte order within
3862 		 * the TCB!
3863 		 */
3864 		flowBottom = flowlabel & 0x0000ffff;
3865 		flowTop = ((flowlabel & 0x000f0000) >> 16);
3866 		tosTop = (((flowlabel & 0xf0) >> 4) | IPV6_VERSION);
3867 		/* protect *sin6 from overwrite */
3868 		sin6 = (struct sockaddr_in6 *)to;
3869 		tmp = *sin6;
3870 		sin6 = &tmp;
3871 
3872 		/* KAME hack: embed scopeid */
3873 		if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
3874 			SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
3875 			return (EINVAL);
3876 		}
3877 		if (net == NULL) {
3878 			memset(&ip6route, 0, sizeof(ip6route));
3879 			ro = (sctp_route_t *) & ip6route;
3880 			memcpy(&ro->ro_dst, sin6, sin6->sin6_len);
3881 		} else {
3882 			ro = (sctp_route_t *) & net->ro;
3883 		}
3884 		if (stcb != NULL) {
3885 			if ((stcb->asoc.ecn_allowed) && ecn_ok) {
3886 				/* Enable ECN */
3887 				tosBottom = (((((struct in6pcb *)inp)->in6p_flowinfo & 0x0c) | sctp_get_ect(stcb, chk)) << 4);
3888 			} else {
3889 				/* No ECN */
3890 				tosBottom = ((((struct in6pcb *)inp)->in6p_flowinfo & 0x0c) << 4);
3891 			}
3892 		} else {
3893 			/* we could get no asoc if it is a O-O-T-B packet */
3894 			tosBottom = ((((struct in6pcb *)inp)->in6p_flowinfo & 0x0c) << 4);
3895 		}
3896 		ip6h->ip6_flow = htonl(((tosTop << 24) | ((tosBottom | flowTop) << 16) | flowBottom));
3897 		if (port) {
3898 			ip6h->ip6_nxt = IPPROTO_UDP;
3899 		} else {
3900 			ip6h->ip6_nxt = IPPROTO_SCTP;
3901 		}
3902 		ip6h->ip6_plen = (packet_length - sizeof(struct ip6_hdr));
3903 		ip6h->ip6_dst = sin6->sin6_addr;
3904 
3905 		/*
3906 		 * Add SRC address selection here: we can only reuse to a
3907 		 * limited degree the kame src-addr-sel, since we can try
3908 		 * their selection but it may not be bound.
3909 		 */
3910 		bzero(&lsa6_tmp, sizeof(lsa6_tmp));
3911 		lsa6_tmp.sin6_family = AF_INET6;
3912 		lsa6_tmp.sin6_len = sizeof(lsa6_tmp);
3913 		lsa6 = &lsa6_tmp;
3914 		if (net && out_of_asoc_ok == 0) {
3915 			if (net->ro._s_addr && (net->ro._s_addr->localifa_flags & (SCTP_BEING_DELETED | SCTP_ADDR_IFA_UNUSEABLE))) {
3916 				sctp_free_ifa(net->ro._s_addr);
3917 				net->ro._s_addr = NULL;
3918 				net->src_addr_selected = 0;
3919 				if (ro->ro_rt) {
3920 					RTFREE(ro->ro_rt);
3921 					ro->ro_rt = NULL;
3922 				}
3923 			}
3924 			if (net->src_addr_selected == 0) {
3925 				sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
3926 				/* KAME hack: embed scopeid */
3927 				if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
3928 					SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
3929 					return (EINVAL);
3930 				}
3931 				/* Cache the source address */
3932 				net->ro._s_addr = sctp_source_address_selection(inp,
3933 				    stcb,
3934 				    ro,
3935 				    net,
3936 				    0,
3937 				    vrf_id);
3938 				(void)sa6_recoverscope(sin6);
3939 				net->src_addr_selected = 1;
3940 			}
3941 			if (net->ro._s_addr == NULL) {
3942 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "V6:No route to host\n");
3943 				net->src_addr_selected = 0;
3944 				goto no_route;
3945 			}
3946 			lsa6->sin6_addr = net->ro._s_addr->address.sin6.sin6_addr;
3947 		} else {
3948 			sin6 = (struct sockaddr_in6 *)&ro->ro_dst;
3949 			/* KAME hack: embed scopeid */
3950 			if (sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone)) != 0) {
3951 				SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
3952 				return (EINVAL);
3953 			}
3954 			if (over_addr == NULL) {
3955 				struct sctp_ifa *_lsrc;
3956 
3957 				_lsrc = sctp_source_address_selection(inp, stcb, ro,
3958 				    net,
3959 				    out_of_asoc_ok,
3960 				    vrf_id);
3961 				if (_lsrc == NULL) {
3962 					goto no_route;
3963 				}
3964 				lsa6->sin6_addr = _lsrc->address.sin6.sin6_addr;
3965 				sctp_free_ifa(_lsrc);
3966 			} else {
3967 				lsa6->sin6_addr = over_addr->sin6.sin6_addr;
3968 				SCTP_RTALLOC(ro, vrf_id);
3969 			}
3970 			(void)sa6_recoverscope(sin6);
3971 		}
3972 		lsa6->sin6_port = inp->sctp_lport;
3973 
3974 		if (ro->ro_rt == NULL) {
3975 			/*
3976 			 * src addr selection failed to find a route (or
3977 			 * valid source addr), so we can't get there from
3978 			 * here!
3979 			 */
3980 			goto no_route;
3981 		}
3982 		/*
3983 		 * XXX: sa6 may not have a valid sin6_scope_id in the
3984 		 * non-SCOPEDROUTING case.
3985 		 */
3986 		bzero(&lsa6_storage, sizeof(lsa6_storage));
3987 		lsa6_storage.sin6_family = AF_INET6;
3988 		lsa6_storage.sin6_len = sizeof(lsa6_storage);
3989 		lsa6_storage.sin6_addr = lsa6->sin6_addr;
3990 		if ((error = sa6_recoverscope(&lsa6_storage)) != 0) {
3991 			SCTPDBG(SCTP_DEBUG_OUTPUT3, "recover scope fails error %d\n", error);
3992 			sctp_m_freem(m);
3993 			return (error);
3994 		}
3995 		/* XXX */
3996 		lsa6_storage.sin6_addr = lsa6->sin6_addr;
3997 		lsa6_storage.sin6_port = inp->sctp_lport;
3998 		lsa6 = &lsa6_storage;
3999 		ip6h->ip6_src = lsa6->sin6_addr;
4000 
4001 		if (port) {
4002 			udp = (struct udphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4003 			udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
4004 			udp->uh_dport = port;
4005 			udp->uh_ulen = htons(packet_length - sizeof(struct ip6_hdr));
4006 			udp->uh_sum = 0;
4007 			sctphdr = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
4008 		} else {
4009 			sctphdr = (struct sctphdr *)((caddr_t)ip6h + sizeof(struct ip6_hdr));
4010 		}
4011 
4012 		sctphdr->src_port = src_port;
4013 		sctphdr->dest_port = dest_port;
4014 		sctphdr->v_tag = v_tag;
4015 		sctphdr->checksum = 0;
4016 
4017 		/*
4018 		 * We set the hop limit now since there is a good chance
4019 		 * that our ro pointer is now filled
4020 		 */
4021 		ip6h->ip6_hlim = SCTP_GET_HLIM(inp, ro);
4022 		ifp = SCTP_GET_IFN_VOID_FROM_ROUTE(ro);
4023 
4024 #ifdef SCTP_DEBUG
4025 		/* Copy to be sure something bad is not happening */
4026 		sin6->sin6_addr = ip6h->ip6_dst;
4027 		lsa6->sin6_addr = ip6h->ip6_src;
4028 #endif
4029 
4030 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "Calling ipv6 output routine from low level\n");
4031 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "src: ");
4032 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)lsa6);
4033 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "dst: ");
4034 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT3, (struct sockaddr *)sin6);
4035 		if (net) {
4036 			sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
4037 			/* preserve the port and scope for link local send */
4038 			prev_scope = sin6->sin6_scope_id;
4039 			prev_port = sin6->sin6_port;
4040 		}
4041 		if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
4042 			/* failed to prepend data, give up */
4043 			sctp_m_freem(m);
4044 			SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
4045 			return (ENOMEM);
4046 		}
4047 #ifdef  SCTP_PACKET_LOGGING
4048 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
4049 			sctp_packet_log(m, packet_length);
4050 #endif
4051 		SCTP_ATTACH_CHAIN(o_pak, m, packet_length);
4052 		if (port) {
4053 #if defined(SCTP_WITH_NO_CSUM)
4054 			SCTP_STAT_INCR(sctps_sendnocrc);
4055 #else
4056 			if (!(SCTP_BASE_SYSCTL(sctp_no_csum_on_loopback) &&
4057 			    (stcb) &&
4058 			    (stcb->asoc.loopback_scope))) {
4059 				sctphdr->checksum = sctp_calculate_cksum(m, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
4060 				SCTP_STAT_INCR(sctps_sendswcrc);
4061 			} else {
4062 				SCTP_STAT_INCR(sctps_sendnocrc);
4063 			}
4064 #endif
4065 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), packet_length - sizeof(struct ip6_hdr))) == 0) {
4066 				udp->uh_sum = 0xffff;
4067 			}
4068 		} else {
4069 #if defined(SCTP_WITH_NO_CSUM)
4070 			SCTP_STAT_INCR(sctps_sendnocrc);
4071 #else
4072 			m->m_pkthdr.csum_flags = CSUM_SCTP;
4073 			m->m_pkthdr.csum_data = 0;
4074 			SCTP_STAT_INCR(sctps_sendhwcrc);
4075 #endif
4076 		}
4077 		/* send it out. table id is taken from stcb */
4078 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4079 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4080 			so = SCTP_INP_SO(inp);
4081 			SCTP_SOCKET_UNLOCK(so, 0);
4082 		}
4083 #endif
4084 		SCTP_IP6_OUTPUT(ret, o_pak, (struct route_in6 *)ro, &ifp, stcb, vrf_id);
4085 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
4086 		if ((SCTP_BASE_SYSCTL(sctp_output_unlocked)) && (so_locked)) {
4087 			atomic_add_int(&stcb->asoc.refcnt, 1);
4088 			SCTP_TCB_UNLOCK(stcb);
4089 			SCTP_SOCKET_LOCK(so, 0);
4090 			SCTP_TCB_LOCK(stcb);
4091 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
4092 		}
4093 #endif
4094 		if (net) {
4095 			/* for link local this must be done */
4096 			sin6->sin6_scope_id = prev_scope;
4097 			sin6->sin6_port = prev_port;
4098 		}
4099 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "return from send is %d\n", ret);
4100 		SCTP_STAT_INCR(sctps_sendpackets);
4101 		SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
4102 		if (ret) {
4103 			SCTP_STAT_INCR(sctps_senderrors);
4104 		}
4105 		if (net == NULL) {
4106 			/* Now if we had a temp route free it */
4107 			if (ro->ro_rt) {
4108 				RTFREE(ro->ro_rt);
4109 			}
4110 		} else {
4111 			/* PMTU check versus smallest asoc MTU goes here */
4112 			if (ro->ro_rt == NULL) {
4113 				/* Route was freed */
4114 				if (net->ro._s_addr &&
4115 				    net->src_addr_selected) {
4116 					sctp_free_ifa(net->ro._s_addr);
4117 					net->ro._s_addr = NULL;
4118 				}
4119 				net->src_addr_selected = 0;
4120 			}
4121 			if ((ro->ro_rt != NULL) &&
4122 			    (net->ro._s_addr)) {
4123 				uint32_t mtu;
4124 
4125 				mtu = SCTP_GATHER_MTU_FROM_ROUTE(net->ro._s_addr, &net->ro._l_addr.sa, ro->ro_rt);
4126 				if (mtu &&
4127 				    (stcb->asoc.smallest_mtu > mtu)) {
4128 					sctp_mtu_size_reset(inp, &stcb->asoc, mtu);
4129 					net->mtu = mtu;
4130 					if (net->port) {
4131 						net->mtu -= sizeof(struct udphdr);
4132 					}
4133 				}
4134 			} else if (ifp) {
4135 				if (ND_IFINFO(ifp)->linkmtu &&
4136 				    (stcb->asoc.smallest_mtu > ND_IFINFO(ifp)->linkmtu)) {
4137 					sctp_mtu_size_reset(inp,
4138 					    &stcb->asoc,
4139 					    ND_IFINFO(ifp)->linkmtu);
4140 				}
4141 			}
4142 		}
4143 		return (ret);
4144 	}
4145 #endif
4146 	else {
4147 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "Unknown protocol (TSNH) type %d\n",
4148 		    ((struct sockaddr *)to)->sa_family);
4149 		sctp_m_freem(m);
4150 		SCTP_LTRACE_ERR_RET_PKT(m, inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
4151 		return (EFAULT);
4152 	}
4153 }
4154 
4155 
4156 void
4157 sctp_send_initiate(struct sctp_inpcb *inp, struct sctp_tcb *stcb, int so_locked
4158 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
4159     SCTP_UNUSED
4160 #endif
4161 )
4162 {
4163 	struct mbuf *m, *m_at, *mp_last;
4164 	struct sctp_nets *net;
4165 	struct sctp_init_chunk *init;
4166 	struct sctp_supported_addr_param *sup_addr;
4167 	struct sctp_adaptation_layer_indication *ali;
4168 	struct sctp_ecn_supported_param *ecn;
4169 	struct sctp_prsctp_supported_param *prsctp;
4170 	struct sctp_ecn_nonce_supported_param *ecn_nonce;
4171 	struct sctp_supported_chunk_types_param *pr_supported;
4172 	int cnt_inits_to = 0;
4173 	int padval, ret;
4174 	int num_ext;
4175 	int p_len;
4176 
4177 	/* INIT's always go to the primary (and usually ONLY address) */
4178 	mp_last = NULL;
4179 	net = stcb->asoc.primary_destination;
4180 	if (net == NULL) {
4181 		net = TAILQ_FIRST(&stcb->asoc.nets);
4182 		if (net == NULL) {
4183 			/* TSNH */
4184 			return;
4185 		}
4186 		/* we confirm any address we send an INIT to */
4187 		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4188 		(void)sctp_set_primary_addr(stcb, NULL, net);
4189 	} else {
4190 		/* we confirm any address we send an INIT to */
4191 		net->dest_state &= ~SCTP_ADDR_UNCONFIRMED;
4192 	}
4193 	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT\n");
4194 #ifdef INET6
4195 	if (((struct sockaddr *)&(net->ro._l_addr))->sa_family == AF_INET6) {
4196 		/*
4197 		 * special hook, if we are sending to link local it will not
4198 		 * show up in our private address count.
4199 		 */
4200 		struct sockaddr_in6 *sin6l;
4201 
4202 		sin6l = &net->ro._l_addr.sin6;
4203 		if (IN6_IS_ADDR_LINKLOCAL(&sin6l->sin6_addr))
4204 			cnt_inits_to = 1;
4205 	}
4206 #endif
4207 	if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
4208 		/* This case should not happen */
4209 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - failed timer?\n");
4210 		return;
4211 	}
4212 	/* start the INIT timer */
4213 	sctp_timer_start(SCTP_TIMER_TYPE_INIT, inp, stcb, net);
4214 
4215 	m = sctp_get_mbuf_for_msg(MCLBYTES, 1, M_DONTWAIT, 1, MT_DATA);
4216 	if (m == NULL) {
4217 		/* No memory, INIT timer will re-attempt. */
4218 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - mbuf?\n");
4219 		return;
4220 	}
4221 	SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
4222 	/*
4223 	 * assume peer supports asconf in order to be able to queue local
4224 	 * address changes while an INIT is in flight and before the assoc
4225 	 * is established.
4226 	 */
4227 	stcb->asoc.peer_supports_asconf = 1;
4228 	/* Now lets put the SCTP header in place */
4229 	init = mtod(m, struct sctp_init_chunk *);
4230 	/* now the chunk header */
4231 	init->ch.chunk_type = SCTP_INITIATION;
4232 	init->ch.chunk_flags = 0;
4233 	/* fill in later from mbuf we build */
4234 	init->ch.chunk_length = 0;
4235 	/* place in my tag */
4236 	init->init.initiate_tag = htonl(stcb->asoc.my_vtag);
4237 	/* set up some of the credits. */
4238 	init->init.a_rwnd = htonl(max(inp->sctp_socket ? SCTP_SB_LIMIT_RCV(inp->sctp_socket) : 0,
4239 	    SCTP_MINIMAL_RWND));
4240 
4241 	init->init.num_outbound_streams = htons(stcb->asoc.pre_open_streams);
4242 	init->init.num_inbound_streams = htons(stcb->asoc.max_inbound_streams);
4243 	init->init.initial_tsn = htonl(stcb->asoc.init_seq_number);
4244 	/* now the address restriction */
4245 	sup_addr = (struct sctp_supported_addr_param *)((caddr_t)init +
4246 	    sizeof(*init));
4247 	sup_addr->ph.param_type = htons(SCTP_SUPPORTED_ADDRTYPE);
4248 #ifdef INET6
4249 	/* we support 2 types: IPv6/IPv4 */
4250 	sup_addr->ph.param_length = htons(sizeof(*sup_addr) + sizeof(uint16_t));
4251 	sup_addr->addr_type[0] = htons(SCTP_IPV4_ADDRESS);
4252 	sup_addr->addr_type[1] = htons(SCTP_IPV6_ADDRESS);
4253 #else
4254 	/* we support 1 type: IPv4 */
4255 	sup_addr->ph.param_length = htons(sizeof(*sup_addr) + sizeof(uint8_t));
4256 	sup_addr->addr_type[0] = htons(SCTP_IPV4_ADDRESS);
4257 	sup_addr->addr_type[1] = htons(0);	/* this is the padding */
4258 #endif
4259 	SCTP_BUF_LEN(m) += sizeof(*sup_addr) + sizeof(uint16_t);
4260 	/* adaptation layer indication parameter */
4261 	ali = (struct sctp_adaptation_layer_indication *)((caddr_t)sup_addr + sizeof(*sup_addr) + sizeof(uint16_t));
4262 	ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
4263 	ali->ph.param_length = htons(sizeof(*ali));
4264 	ali->indication = ntohl(inp->sctp_ep.adaptation_layer_indicator);
4265 	SCTP_BUF_LEN(m) += sizeof(*ali);
4266 	ecn = (struct sctp_ecn_supported_param *)((caddr_t)ali + sizeof(*ali));
4267 
4268 	if (SCTP_BASE_SYSCTL(sctp_inits_include_nat_friendly)) {
4269 		/* Add NAT friendly parameter */
4270 		struct sctp_paramhdr *ph;
4271 
4272 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
4273 		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
4274 		ph->param_length = htons(sizeof(struct sctp_paramhdr));
4275 		SCTP_BUF_LEN(m) += sizeof(struct sctp_paramhdr);
4276 		ecn = (struct sctp_ecn_supported_param *)((caddr_t)ph + sizeof(*ph));
4277 	}
4278 	/* now any cookie time extensions */
4279 	if (stcb->asoc.cookie_preserve_req) {
4280 		struct sctp_cookie_perserve_param *cookie_preserve;
4281 
4282 		cookie_preserve = (struct sctp_cookie_perserve_param *)(ecn);
4283 		cookie_preserve->ph.param_type = htons(SCTP_COOKIE_PRESERVE);
4284 		cookie_preserve->ph.param_length = htons(
4285 		    sizeof(*cookie_preserve));
4286 		cookie_preserve->time = htonl(stcb->asoc.cookie_preserve_req);
4287 		SCTP_BUF_LEN(m) += sizeof(*cookie_preserve);
4288 		ecn = (struct sctp_ecn_supported_param *)(
4289 		    (caddr_t)cookie_preserve + sizeof(*cookie_preserve));
4290 		stcb->asoc.cookie_preserve_req = 0;
4291 	}
4292 	/* ECN parameter */
4293 	if (SCTP_BASE_SYSCTL(sctp_ecn_enable) == 1) {
4294 		ecn->ph.param_type = htons(SCTP_ECN_CAPABLE);
4295 		ecn->ph.param_length = htons(sizeof(*ecn));
4296 		SCTP_BUF_LEN(m) += sizeof(*ecn);
4297 		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn +
4298 		    sizeof(*ecn));
4299 	} else {
4300 		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn);
4301 	}
4302 	/* And now tell the peer we do pr-sctp */
4303 	prsctp->ph.param_type = htons(SCTP_PRSCTP_SUPPORTED);
4304 	prsctp->ph.param_length = htons(sizeof(*prsctp));
4305 	SCTP_BUF_LEN(m) += sizeof(*prsctp);
4306 
4307 	/* And now tell the peer we do all the extensions */
4308 	pr_supported = (struct sctp_supported_chunk_types_param *)
4309 	    ((caddr_t)prsctp + sizeof(*prsctp));
4310 	pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
4311 	num_ext = 0;
4312 	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
4313 	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
4314 	pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
4315 	pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
4316 	pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
4317 	if (!SCTP_BASE_SYSCTL(sctp_auth_disable)) {
4318 		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
4319 	}
4320 	if (stcb->asoc.sctp_nr_sack_on_off == 1) {
4321 		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
4322 	}
4323 	p_len = sizeof(*pr_supported) + num_ext;
4324 	pr_supported->ph.param_length = htons(p_len);
4325 	bzero((caddr_t)pr_supported + p_len, SCTP_SIZE32(p_len) - p_len);
4326 	SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
4327 
4328 
4329 	/* ECN nonce: And now tell the peer we support ECN nonce */
4330 	if (SCTP_BASE_SYSCTL(sctp_ecn_nonce)) {
4331 		ecn_nonce = (struct sctp_ecn_nonce_supported_param *)
4332 		    ((caddr_t)pr_supported + SCTP_SIZE32(p_len));
4333 		ecn_nonce->ph.param_type = htons(SCTP_ECN_NONCE_SUPPORTED);
4334 		ecn_nonce->ph.param_length = htons(sizeof(*ecn_nonce));
4335 		SCTP_BUF_LEN(m) += sizeof(*ecn_nonce);
4336 	}
4337 	/* add authentication parameters */
4338 	if (!SCTP_BASE_SYSCTL(sctp_auth_disable)) {
4339 		struct sctp_auth_random *randp;
4340 		struct sctp_auth_hmac_algo *hmacs;
4341 		struct sctp_auth_chunk_list *chunks;
4342 
4343 		/* attach RANDOM parameter, if available */
4344 		if (stcb->asoc.authinfo.random != NULL) {
4345 			randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
4346 			p_len = sizeof(*randp) + stcb->asoc.authinfo.random_len;
4347 			/* random key already contains the header */
4348 			bcopy(stcb->asoc.authinfo.random->key, randp, p_len);
4349 			/* zero out any padding required */
4350 			bzero((caddr_t)randp + p_len, SCTP_SIZE32(p_len) - p_len);
4351 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
4352 		}
4353 		/* add HMAC_ALGO parameter */
4354 		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
4355 		p_len = sctp_serialize_hmaclist(stcb->asoc.local_hmacs,
4356 		    (uint8_t *) hmacs->hmac_ids);
4357 		if (p_len > 0) {
4358 			p_len += sizeof(*hmacs);
4359 			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
4360 			hmacs->ph.param_length = htons(p_len);
4361 			/* zero out any padding required */
4362 			bzero((caddr_t)hmacs + p_len, SCTP_SIZE32(p_len) - p_len);
4363 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
4364 		}
4365 		/* add CHUNKS parameter */
4366 		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
4367 		p_len = sctp_serialize_auth_chunks(stcb->asoc.local_auth_chunks,
4368 		    chunks->chunk_types);
4369 		if (p_len > 0) {
4370 			p_len += sizeof(*chunks);
4371 			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
4372 			chunks->ph.param_length = htons(p_len);
4373 			/* zero out any padding required */
4374 			bzero((caddr_t)chunks + p_len, SCTP_SIZE32(p_len) - p_len);
4375 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
4376 		}
4377 	}
4378 	m_at = m;
4379 	/* now the addresses */
4380 	{
4381 		struct sctp_scoping scp;
4382 
4383 		/*
4384 		 * To optimize this we could put the scoping stuff into a
4385 		 * structure and remove the individual uint8's from the
4386 		 * assoc structure. Then we could just sifa in the address
4387 		 * within the stcb.. but for now this is a quick hack to get
4388 		 * the address stuff teased apart.
4389 		 */
4390 		scp.ipv4_addr_legal = stcb->asoc.ipv4_addr_legal;
4391 		scp.ipv6_addr_legal = stcb->asoc.ipv6_addr_legal;
4392 		scp.loopback_scope = stcb->asoc.loopback_scope;
4393 		scp.ipv4_local_scope = stcb->asoc.ipv4_local_scope;
4394 		scp.local_scope = stcb->asoc.local_scope;
4395 		scp.site_scope = stcb->asoc.site_scope;
4396 
4397 		m_at = sctp_add_addresses_to_i_ia(inp, &scp, m_at, cnt_inits_to);
4398 	}
4399 
4400 	/* calulate the size and update pkt header and chunk header */
4401 	p_len = 0;
4402 	for (m_at = m; m_at; m_at = SCTP_BUF_NEXT(m_at)) {
4403 		if (SCTP_BUF_NEXT(m_at) == NULL)
4404 			mp_last = m_at;
4405 		p_len += SCTP_BUF_LEN(m_at);
4406 	}
4407 	init->ch.chunk_length = htons(p_len);
4408 	/*
4409 	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
4410 	 * here since the timer will drive a retranmission.
4411 	 */
4412 
4413 	/* I don't expect this to execute but we will be safe here */
4414 	padval = p_len % 4;
4415 	if ((padval) && (mp_last)) {
4416 		/*
4417 		 * The compiler worries that mp_last may not be set even
4418 		 * though I think it is impossible :-> however we add
4419 		 * mp_last here just in case.
4420 		 */
4421 		ret = sctp_add_pad_tombuf(mp_last, (4 - padval));
4422 		if (ret) {
4423 			/* Houston we have a problem, no space */
4424 			sctp_m_freem(m);
4425 			return;
4426 		}
4427 		p_len += padval;
4428 	}
4429 	SCTPDBG(SCTP_DEBUG_OUTPUT4, "Sending INIT - calls lowlevel_output\n");
4430 	ret = sctp_lowlevel_chunk_output(inp, stcb, net,
4431 	    (struct sockaddr *)&net->ro._l_addr,
4432 	    m, 0, NULL, 0, 0, 0, NULL, 0,
4433 	    inp->sctp_lport, stcb->rport, htonl(0),
4434 	    net->port, so_locked, NULL);
4435 	SCTPDBG(SCTP_DEBUG_OUTPUT4, "lowlevel_output - %d\n", ret);
4436 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
4437 	(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
4438 }
4439 
4440 struct mbuf *
4441 sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
4442     int param_offset, int *abort_processing, struct sctp_chunkhdr *cp, int *nat_friendly)
4443 {
4444 	/*
4445 	 * Given a mbuf containing an INIT or INIT-ACK with the param_offset
4446 	 * being equal to the beginning of the params i.e. (iphlen +
4447 	 * sizeof(struct sctp_init_msg) parse through the parameters to the
4448 	 * end of the mbuf verifying that all parameters are known.
4449 	 *
4450 	 * For unknown parameters build and return a mbuf with
4451 	 * UNRECOGNIZED_PARAMETER errors. If the flags indicate to stop
4452 	 * processing this chunk stop, and set *abort_processing to 1.
4453 	 *
4454 	 * By having param_offset be pre-set to where parameters begin it is
4455 	 * hoped that this routine may be reused in the future by new
4456 	 * features.
4457 	 */
4458 	struct sctp_paramhdr *phdr, params;
4459 
4460 	struct mbuf *mat, *op_err;
4461 	char tempbuf[SCTP_PARAM_BUFFER_SIZE];
4462 	int at, limit, pad_needed;
4463 	uint16_t ptype, plen, padded_size;
4464 	int err_at;
4465 
4466 	*abort_processing = 0;
4467 	mat = in_initpkt;
4468 	err_at = 0;
4469 	limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
4470 	at = param_offset;
4471 	op_err = NULL;
4472 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
4473 	phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
4474 	while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
4475 		ptype = ntohs(phdr->param_type);
4476 		plen = ntohs(phdr->param_length);
4477 		if ((plen > limit) || (plen < sizeof(struct sctp_paramhdr))) {
4478 			/* wacked parameter */
4479 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error %d\n", plen);
4480 			goto invalid_size;
4481 		}
4482 		limit -= SCTP_SIZE32(plen);
4483 		/*-
4484 		 * All parameters for all chunks that we know/understand are
4485 		 * listed here. We process them other places and make
4486 		 * appropriate stop actions per the upper bits. However this
4487 		 * is the generic routine processor's can call to get back
4488 		 * an operr.. to either incorporate (init-ack) or send.
4489 		 */
4490 		padded_size = SCTP_SIZE32(plen);
4491 		switch (ptype) {
4492 			/* Param's with variable size */
4493 		case SCTP_HEARTBEAT_INFO:
4494 		case SCTP_STATE_COOKIE:
4495 		case SCTP_UNRECOG_PARAM:
4496 		case SCTP_ERROR_CAUSE_IND:
4497 			/* ok skip fwd */
4498 			at += padded_size;
4499 			break;
4500 			/* Param's with variable size within a range */
4501 		case SCTP_CHUNK_LIST:
4502 		case SCTP_SUPPORTED_CHUNK_EXT:
4503 			if (padded_size > (sizeof(struct sctp_supported_chunk_types_param) + (sizeof(uint8_t) * SCTP_MAX_SUPPORTED_EXT))) {
4504 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error chklist %d\n", plen);
4505 				goto invalid_size;
4506 			}
4507 			at += padded_size;
4508 			break;
4509 		case SCTP_SUPPORTED_ADDRTYPE:
4510 			if (padded_size > SCTP_MAX_ADDR_PARAMS_SIZE) {
4511 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error supaddrtype %d\n", plen);
4512 				goto invalid_size;
4513 			}
4514 			at += padded_size;
4515 			break;
4516 		case SCTP_RANDOM:
4517 			if (padded_size > (sizeof(struct sctp_auth_random) + SCTP_RANDOM_MAX_SIZE)) {
4518 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error random %d\n", plen);
4519 				goto invalid_size;
4520 			}
4521 			at += padded_size;
4522 			break;
4523 		case SCTP_SET_PRIM_ADDR:
4524 		case SCTP_DEL_IP_ADDRESS:
4525 		case SCTP_ADD_IP_ADDRESS:
4526 			if ((padded_size != sizeof(struct sctp_asconf_addrv4_param)) &&
4527 			    (padded_size != sizeof(struct sctp_asconf_addr_param))) {
4528 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error setprim %d\n", plen);
4529 				goto invalid_size;
4530 			}
4531 			at += padded_size;
4532 			break;
4533 			/* Param's with a fixed size */
4534 		case SCTP_IPV4_ADDRESS:
4535 			if (padded_size != sizeof(struct sctp_ipv4addr_param)) {
4536 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv4 addr %d\n", plen);
4537 				goto invalid_size;
4538 			}
4539 			at += padded_size;
4540 			break;
4541 		case SCTP_IPV6_ADDRESS:
4542 			if (padded_size != sizeof(struct sctp_ipv6addr_param)) {
4543 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ipv6 addr %d\n", plen);
4544 				goto invalid_size;
4545 			}
4546 			at += padded_size;
4547 			break;
4548 		case SCTP_COOKIE_PRESERVE:
4549 			if (padded_size != sizeof(struct sctp_cookie_perserve_param)) {
4550 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error cookie-preserve %d\n", plen);
4551 				goto invalid_size;
4552 			}
4553 			at += padded_size;
4554 			break;
4555 		case SCTP_HAS_NAT_SUPPORT:
4556 			*nat_friendly = 1;
4557 			/* fall through */
4558 		case SCTP_ECN_NONCE_SUPPORTED:
4559 		case SCTP_PRSCTP_SUPPORTED:
4560 
4561 			if (padded_size != sizeof(struct sctp_paramhdr)) {
4562 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ecnnonce/prsctp/nat support %d\n", plen);
4563 				goto invalid_size;
4564 			}
4565 			at += padded_size;
4566 			break;
4567 		case SCTP_ECN_CAPABLE:
4568 			if (padded_size != sizeof(struct sctp_ecn_supported_param)) {
4569 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error ecn %d\n", plen);
4570 				goto invalid_size;
4571 			}
4572 			at += padded_size;
4573 			break;
4574 		case SCTP_ULP_ADAPTATION:
4575 			if (padded_size != sizeof(struct sctp_adaptation_layer_indication)) {
4576 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error adapatation %d\n", plen);
4577 				goto invalid_size;
4578 			}
4579 			at += padded_size;
4580 			break;
4581 		case SCTP_SUCCESS_REPORT:
4582 			if (padded_size != sizeof(struct sctp_asconf_paramhdr)) {
4583 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Invalid size - error success %d\n", plen);
4584 				goto invalid_size;
4585 			}
4586 			at += padded_size;
4587 			break;
4588 		case SCTP_HOSTNAME_ADDRESS:
4589 			{
4590 				/* We can NOT handle HOST NAME addresses!! */
4591 				int l_len;
4592 
4593 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
4594 				*abort_processing = 1;
4595 				if (op_err == NULL) {
4596 					/* Ok need to try to get a mbuf */
4597 #ifdef INET6
4598 					l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4599 #else
4600 					l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4601 #endif
4602 					l_len += plen;
4603 					l_len += sizeof(struct sctp_paramhdr);
4604 					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_DONTWAIT, 1, MT_DATA);
4605 					if (op_err) {
4606 						SCTP_BUF_LEN(op_err) = 0;
4607 						/*
4608 						 * pre-reserve space for ip
4609 						 * and sctp header  and
4610 						 * chunk hdr
4611 						 */
4612 #ifdef INET6
4613 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
4614 #else
4615 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
4616 #endif
4617 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
4618 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
4619 					}
4620 				}
4621 				if (op_err) {
4622 					/* If we have space */
4623 					struct sctp_paramhdr s;
4624 
4625 					if (err_at % 4) {
4626 						uint32_t cpthis = 0;
4627 
4628 						pad_needed = 4 - (err_at % 4);
4629 						m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
4630 						err_at += pad_needed;
4631 					}
4632 					s.param_type = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
4633 					s.param_length = htons(sizeof(s) + plen);
4634 					m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
4635 					err_at += sizeof(s);
4636 					phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf), plen));
4637 					if (phdr == NULL) {
4638 						sctp_m_freem(op_err);
4639 						/*
4640 						 * we are out of memory but
4641 						 * we still need to have a
4642 						 * look at what to do (the
4643 						 * system is in trouble
4644 						 * though).
4645 						 */
4646 						return (NULL);
4647 					}
4648 					m_copyback(op_err, err_at, plen, (caddr_t)phdr);
4649 					err_at += plen;
4650 				}
4651 				return (op_err);
4652 				break;
4653 			}
4654 		default:
4655 			/*
4656 			 * we do not recognize the parameter figure out what
4657 			 * we do.
4658 			 */
4659 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Hit default param %x\n", ptype);
4660 			if ((ptype & 0x4000) == 0x4000) {
4661 				/* Report bit is set?? */
4662 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "report op err\n");
4663 				if (op_err == NULL) {
4664 					int l_len;
4665 
4666 					/* Ok need to try to get an mbuf */
4667 #ifdef INET6
4668 					l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4669 #else
4670 					l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4671 #endif
4672 					l_len += plen;
4673 					l_len += sizeof(struct sctp_paramhdr);
4674 					op_err = sctp_get_mbuf_for_msg(l_len, 0, M_DONTWAIT, 1, MT_DATA);
4675 					if (op_err) {
4676 						SCTP_BUF_LEN(op_err) = 0;
4677 #ifdef INET6
4678 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
4679 #else
4680 						SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
4681 #endif
4682 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
4683 						SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
4684 					}
4685 				}
4686 				if (op_err) {
4687 					/* If we have space */
4688 					struct sctp_paramhdr s;
4689 
4690 					if (err_at % 4) {
4691 						uint32_t cpthis = 0;
4692 
4693 						pad_needed = 4 - (err_at % 4);
4694 						m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
4695 						err_at += pad_needed;
4696 					}
4697 					s.param_type = htons(SCTP_UNRECOG_PARAM);
4698 					s.param_length = htons(sizeof(s) + plen);
4699 					m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
4700 					err_at += sizeof(s);
4701 					if (plen > sizeof(tempbuf)) {
4702 						plen = sizeof(tempbuf);
4703 					}
4704 					phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf), plen));
4705 					if (phdr == NULL) {
4706 						sctp_m_freem(op_err);
4707 						/*
4708 						 * we are out of memory but
4709 						 * we still need to have a
4710 						 * look at what to do (the
4711 						 * system is in trouble
4712 						 * though).
4713 						 */
4714 						op_err = NULL;
4715 						goto more_processing;
4716 					}
4717 					m_copyback(op_err, err_at, plen, (caddr_t)phdr);
4718 					err_at += plen;
4719 				}
4720 			}
4721 	more_processing:
4722 			if ((ptype & 0x8000) == 0x0000) {
4723 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "stop proc\n");
4724 				return (op_err);
4725 			} else {
4726 				/* skip this chunk and continue processing */
4727 				SCTPDBG(SCTP_DEBUG_OUTPUT1, "move on\n");
4728 				at += SCTP_SIZE32(plen);
4729 			}
4730 			break;
4731 
4732 		}
4733 		phdr = sctp_get_next_param(mat, at, &params, sizeof(params));
4734 	}
4735 	return (op_err);
4736 invalid_size:
4737 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
4738 	*abort_processing = 1;
4739 	if ((op_err == NULL) && phdr) {
4740 		int l_len;
4741 
4742 #ifdef INET6
4743 		l_len = sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4744 #else
4745 		l_len = sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr);
4746 #endif
4747 		l_len += (2 * sizeof(struct sctp_paramhdr));
4748 		op_err = sctp_get_mbuf_for_msg(l_len, 0, M_DONTWAIT, 1, MT_DATA);
4749 		if (op_err) {
4750 			SCTP_BUF_LEN(op_err) = 0;
4751 #ifdef INET6
4752 			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
4753 #else
4754 			SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
4755 #endif
4756 			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
4757 			SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
4758 		}
4759 	}
4760 	if ((op_err) && phdr) {
4761 		struct sctp_paramhdr s;
4762 
4763 		if (err_at % 4) {
4764 			uint32_t cpthis = 0;
4765 
4766 			pad_needed = 4 - (err_at % 4);
4767 			m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
4768 			err_at += pad_needed;
4769 		}
4770 		s.param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
4771 		s.param_length = htons(sizeof(s) + sizeof(struct sctp_paramhdr));
4772 		m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
4773 		err_at += sizeof(s);
4774 		/* Only copy back the p-hdr that caused the issue */
4775 		m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)phdr);
4776 	}
4777 	return (op_err);
4778 }
4779 
4780 static int
4781 sctp_are_there_new_addresses(struct sctp_association *asoc,
4782     struct mbuf *in_initpkt, int iphlen, int offset)
4783 {
4784 	/*
4785 	 * Given a INIT packet, look through the packet to verify that there
4786 	 * are NO new addresses. As we go through the parameters add reports
4787 	 * of any un-understood parameters that require an error.  Also we
4788 	 * must return (1) to drop the packet if we see a un-understood
4789 	 * parameter that tells us to drop the chunk.
4790 	 */
4791 	struct sockaddr_in sin4, *sa4;
4792 
4793 #ifdef INET6
4794 	struct sockaddr_in6 sin6, *sa6;
4795 
4796 #endif
4797 	struct sockaddr *sa_touse;
4798 	struct sockaddr *sa;
4799 	struct sctp_paramhdr *phdr, params;
4800 	struct ip *iph;
4801 
4802 #ifdef INET6
4803 	struct ip6_hdr *ip6h;
4804 
4805 #endif
4806 	struct mbuf *mat;
4807 	uint16_t ptype, plen;
4808 	int err_at;
4809 	uint8_t fnd;
4810 	struct sctp_nets *net;
4811 
4812 	memset(&sin4, 0, sizeof(sin4));
4813 #ifdef INET6
4814 	memset(&sin6, 0, sizeof(sin6));
4815 #endif
4816 	sin4.sin_family = AF_INET;
4817 	sin4.sin_len = sizeof(sin4);
4818 #ifdef INET6
4819 	sin6.sin6_family = AF_INET6;
4820 	sin6.sin6_len = sizeof(sin6);
4821 #endif
4822 	sa_touse = NULL;
4823 	/* First what about the src address of the pkt ? */
4824 	iph = mtod(in_initpkt, struct ip *);
4825 	switch (iph->ip_v) {
4826 	case IPVERSION:
4827 		/* source addr is IPv4 */
4828 		sin4.sin_addr = iph->ip_src;
4829 		sa_touse = (struct sockaddr *)&sin4;
4830 		break;
4831 #ifdef INET6
4832 	case IPV6_VERSION >> 4:
4833 		/* source addr is IPv6 */
4834 		ip6h = mtod(in_initpkt, struct ip6_hdr *);
4835 		sin6.sin6_addr = ip6h->ip6_src;
4836 		sa_touse = (struct sockaddr *)&sin6;
4837 		break;
4838 #endif
4839 	default:
4840 		return (1);
4841 	}
4842 
4843 	fnd = 0;
4844 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4845 		sa = (struct sockaddr *)&net->ro._l_addr;
4846 		if (sa->sa_family == sa_touse->sa_family) {
4847 			if (sa->sa_family == AF_INET) {
4848 				sa4 = (struct sockaddr_in *)sa;
4849 				if (sa4->sin_addr.s_addr ==
4850 				    sin4.sin_addr.s_addr) {
4851 					fnd = 1;
4852 					break;
4853 				}
4854 			}
4855 #ifdef INET6
4856 			if (sa->sa_family == AF_INET6) {
4857 				sa6 = (struct sockaddr_in6 *)sa;
4858 				if (SCTP6_ARE_ADDR_EQUAL(sa6,
4859 				    &sin6)) {
4860 					fnd = 1;
4861 					break;
4862 				}
4863 			}
4864 #endif
4865 		}
4866 	}
4867 	if (fnd == 0) {
4868 		/* New address added! no need to look futher. */
4869 		return (1);
4870 	}
4871 	/* Ok so far lets munge through the rest of the packet */
4872 	mat = in_initpkt;
4873 	err_at = 0;
4874 	sa_touse = NULL;
4875 	offset += sizeof(struct sctp_init_chunk);
4876 	phdr = sctp_get_next_param(mat, offset, &params, sizeof(params));
4877 	while (phdr) {
4878 		ptype = ntohs(phdr->param_type);
4879 		plen = ntohs(phdr->param_length);
4880 		if (ptype == SCTP_IPV4_ADDRESS) {
4881 			struct sctp_ipv4addr_param *p4, p4_buf;
4882 
4883 			phdr = sctp_get_next_param(mat, offset,
4884 			    (struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf));
4885 			if (plen != sizeof(struct sctp_ipv4addr_param) ||
4886 			    phdr == NULL) {
4887 				return (1);
4888 			}
4889 			p4 = (struct sctp_ipv4addr_param *)phdr;
4890 			sin4.sin_addr.s_addr = p4->addr;
4891 			sa_touse = (struct sockaddr *)&sin4;
4892 		} else if (ptype == SCTP_IPV6_ADDRESS) {
4893 			struct sctp_ipv6addr_param *p6, p6_buf;
4894 
4895 			phdr = sctp_get_next_param(mat, offset,
4896 			    (struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf));
4897 			if (plen != sizeof(struct sctp_ipv6addr_param) ||
4898 			    phdr == NULL) {
4899 				return (1);
4900 			}
4901 			p6 = (struct sctp_ipv6addr_param *)phdr;
4902 #ifdef INET6
4903 			memcpy((caddr_t)&sin6.sin6_addr, p6->addr,
4904 			    sizeof(p6->addr));
4905 #endif
4906 			sa_touse = (struct sockaddr *)&sin4;
4907 		}
4908 		if (sa_touse) {
4909 			/* ok, sa_touse points to one to check */
4910 			fnd = 0;
4911 			TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
4912 				sa = (struct sockaddr *)&net->ro._l_addr;
4913 				if (sa->sa_family != sa_touse->sa_family) {
4914 					continue;
4915 				}
4916 				if (sa->sa_family == AF_INET) {
4917 					sa4 = (struct sockaddr_in *)sa;
4918 					if (sa4->sin_addr.s_addr ==
4919 					    sin4.sin_addr.s_addr) {
4920 						fnd = 1;
4921 						break;
4922 					}
4923 				}
4924 #ifdef INET6
4925 				if (sa->sa_family == AF_INET6) {
4926 					sa6 = (struct sockaddr_in6 *)sa;
4927 					if (SCTP6_ARE_ADDR_EQUAL(
4928 					    sa6, &sin6)) {
4929 						fnd = 1;
4930 						break;
4931 					}
4932 				}
4933 #endif
4934 			}
4935 			if (!fnd) {
4936 				/* New addr added! no need to look further */
4937 				return (1);
4938 			}
4939 		}
4940 		offset += SCTP_SIZE32(plen);
4941 		phdr = sctp_get_next_param(mat, offset, &params, sizeof(params));
4942 	}
4943 	return (0);
4944 }
4945 
4946 /*
4947  * Given a MBUF chain that was sent into us containing an INIT. Build a
4948  * INIT-ACK with COOKIE and send back. We assume that the in_initpkt has done
4949  * a pullup to include IPv6/4header, SCTP header and initial part of INIT
4950  * message (i.e. the struct sctp_init_msg).
4951  */
4952 void
4953 sctp_send_initiate_ack(struct sctp_inpcb *inp, struct sctp_tcb *stcb,
4954     struct mbuf *init_pkt, int iphlen, int offset, struct sctphdr *sh,
4955     struct sctp_init_chunk *init_chk, uint32_t vrf_id, uint16_t port, int hold_inp_lock)
4956 {
4957 	struct sctp_association *asoc;
4958 	struct mbuf *m, *m_at, *m_tmp, *m_cookie, *op_err, *mp_last;
4959 	struct sctp_init_ack_chunk *initack;
4960 	struct sctp_adaptation_layer_indication *ali;
4961 	struct sctp_ecn_supported_param *ecn;
4962 	struct sctp_prsctp_supported_param *prsctp;
4963 	struct sctp_ecn_nonce_supported_param *ecn_nonce;
4964 	struct sctp_supported_chunk_types_param *pr_supported;
4965 	union sctp_sockstore store, store1, *over_addr;
4966 	struct sockaddr_in *sin, *to_sin;
4967 
4968 #ifdef INET6
4969 	struct sockaddr_in6 *sin6, *to_sin6;
4970 
4971 #endif
4972 	struct ip *iph;
4973 
4974 #ifdef INET6
4975 	struct ip6_hdr *ip6;
4976 
4977 #endif
4978 	struct sockaddr *to;
4979 	struct sctp_state_cookie stc;
4980 	struct sctp_nets *net = NULL;
4981 	uint8_t *signature = NULL;
4982 	int cnt_inits_to = 0;
4983 	uint16_t his_limit, i_want;
4984 	int abort_flag, padval;
4985 	int num_ext;
4986 	int p_len;
4987 	int nat_friendly = 0;
4988 	struct socket *so;
4989 
4990 	if (stcb)
4991 		asoc = &stcb->asoc;
4992 	else
4993 		asoc = NULL;
4994 	mp_last = NULL;
4995 	if ((asoc != NULL) &&
4996 	    (SCTP_GET_STATE(asoc) != SCTP_STATE_COOKIE_WAIT) &&
4997 	    (sctp_are_there_new_addresses(asoc, init_pkt, iphlen, offset))) {
4998 		/* new addresses, out of here in non-cookie-wait states */
4999 		/*
5000 		 * Send a ABORT, we don't add the new address error clause
5001 		 * though we even set the T bit and copy in the 0 tag.. this
5002 		 * looks no different than if no listener was present.
5003 		 */
5004 		sctp_send_abort(init_pkt, iphlen, sh, 0, NULL, vrf_id, port);
5005 		return;
5006 	}
5007 	abort_flag = 0;
5008 	op_err = sctp_arethere_unrecognized_parameters(init_pkt,
5009 	    (offset + sizeof(struct sctp_init_chunk)),
5010 	    &abort_flag, (struct sctp_chunkhdr *)init_chk, &nat_friendly);
5011 	if (abort_flag) {
5012 do_a_abort:
5013 		sctp_send_abort(init_pkt, iphlen, sh,
5014 		    init_chk->init.initiate_tag, op_err, vrf_id, port);
5015 		return;
5016 	}
5017 	m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
5018 	if (m == NULL) {
5019 		/* No memory, INIT timer will re-attempt. */
5020 		if (op_err)
5021 			sctp_m_freem(op_err);
5022 		return;
5023 	}
5024 	SCTP_BUF_LEN(m) = sizeof(struct sctp_init_chunk);
5025 
5026 	/* the time I built cookie */
5027 	(void)SCTP_GETTIME_TIMEVAL(&stc.time_entered);
5028 
5029 	/* populate any tie tags */
5030 	if (asoc != NULL) {
5031 		/* unlock before tag selections */
5032 		stc.tie_tag_my_vtag = asoc->my_vtag_nonce;
5033 		stc.tie_tag_peer_vtag = asoc->peer_vtag_nonce;
5034 		stc.cookie_life = asoc->cookie_life;
5035 		net = asoc->primary_destination;
5036 	} else {
5037 		stc.tie_tag_my_vtag = 0;
5038 		stc.tie_tag_peer_vtag = 0;
5039 		/* life I will award this cookie */
5040 		stc.cookie_life = inp->sctp_ep.def_cookie_life;
5041 	}
5042 
5043 	/* copy in the ports for later check */
5044 	stc.myport = sh->dest_port;
5045 	stc.peerport = sh->src_port;
5046 
5047 	/*
5048 	 * If we wanted to honor cookie life extentions, we would add to
5049 	 * stc.cookie_life. For now we should NOT honor any extension
5050 	 */
5051 	stc.site_scope = stc.local_scope = stc.loopback_scope = 0;
5052 	if (inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
5053 		struct inpcb *in_inp;
5054 
5055 		/* Its a V6 socket */
5056 		in_inp = (struct inpcb *)inp;
5057 		stc.ipv6_addr_legal = 1;
5058 		/* Now look at the binding flag to see if V4 will be legal */
5059 		if (SCTP_IPV6_V6ONLY(in_inp) == 0) {
5060 			stc.ipv4_addr_legal = 1;
5061 		} else {
5062 			/* V4 addresses are NOT legal on the association */
5063 			stc.ipv4_addr_legal = 0;
5064 		}
5065 	} else {
5066 		/* Its a V4 socket, no - V6 */
5067 		stc.ipv4_addr_legal = 1;
5068 		stc.ipv6_addr_legal = 0;
5069 	}
5070 
5071 #ifdef SCTP_DONT_DO_PRIVADDR_SCOPE
5072 	stc.ipv4_scope = 1;
5073 #else
5074 	stc.ipv4_scope = 0;
5075 #endif
5076 	/* now for scope setup */
5077 	memset((caddr_t)&store, 0, sizeof(store));
5078 	memset((caddr_t)&store1, 0, sizeof(store1));
5079 	sin = &store.sin;
5080 	to_sin = &store1.sin;
5081 #ifdef INET6
5082 	sin6 = &store.sin6;
5083 	to_sin6 = &store1.sin6;
5084 #endif
5085 	iph = mtod(init_pkt, struct ip *);
5086 	/* establish the to_addr's */
5087 	switch (iph->ip_v) {
5088 	case IPVERSION:
5089 		to_sin->sin_port = sh->dest_port;
5090 		to_sin->sin_family = AF_INET;
5091 		to_sin->sin_len = sizeof(struct sockaddr_in);
5092 		to_sin->sin_addr = iph->ip_dst;
5093 		break;
5094 #ifdef INET6
5095 	case IPV6_VERSION >> 4:
5096 		ip6 = mtod(init_pkt, struct ip6_hdr *);
5097 		to_sin6->sin6_addr = ip6->ip6_dst;
5098 		to_sin6->sin6_scope_id = 0;
5099 		to_sin6->sin6_port = sh->dest_port;
5100 		to_sin6->sin6_family = AF_INET6;
5101 		to_sin6->sin6_len = sizeof(struct sockaddr_in6);
5102 		break;
5103 #endif
5104 	default:
5105 		goto do_a_abort;
5106 		break;
5107 	};
5108 
5109 	if (net == NULL) {
5110 		to = (struct sockaddr *)&store;
5111 		switch (iph->ip_v) {
5112 		case IPVERSION:
5113 			{
5114 				sin->sin_family = AF_INET;
5115 				sin->sin_len = sizeof(struct sockaddr_in);
5116 				sin->sin_port = sh->src_port;
5117 				sin->sin_addr = iph->ip_src;
5118 				/* lookup address */
5119 				stc.address[0] = sin->sin_addr.s_addr;
5120 				stc.address[1] = 0;
5121 				stc.address[2] = 0;
5122 				stc.address[3] = 0;
5123 				stc.addr_type = SCTP_IPV4_ADDRESS;
5124 				/* local from address */
5125 				stc.laddress[0] = to_sin->sin_addr.s_addr;
5126 				stc.laddress[1] = 0;
5127 				stc.laddress[2] = 0;
5128 				stc.laddress[3] = 0;
5129 				stc.laddr_type = SCTP_IPV4_ADDRESS;
5130 				/* scope_id is only for v6 */
5131 				stc.scope_id = 0;
5132 #ifndef SCTP_DONT_DO_PRIVADDR_SCOPE
5133 				if (IN4_ISPRIVATE_ADDRESS(&sin->sin_addr)) {
5134 					stc.ipv4_scope = 1;
5135 				}
5136 #else
5137 				stc.ipv4_scope = 1;
5138 #endif				/* SCTP_DONT_DO_PRIVADDR_SCOPE */
5139 				/* Must use the address in this case */
5140 				if (sctp_is_address_on_local_host((struct sockaddr *)sin, vrf_id)) {
5141 					stc.loopback_scope = 1;
5142 					stc.ipv4_scope = 1;
5143 					stc.site_scope = 1;
5144 					stc.local_scope = 0;
5145 				}
5146 				break;
5147 			}
5148 #ifdef INET6
5149 		case IPV6_VERSION >> 4:
5150 			{
5151 				ip6 = mtod(init_pkt, struct ip6_hdr *);
5152 				sin6->sin6_family = AF_INET6;
5153 				sin6->sin6_len = sizeof(struct sockaddr_in6);
5154 				sin6->sin6_port = sh->src_port;
5155 				sin6->sin6_addr = ip6->ip6_src;
5156 				/* lookup address */
5157 				memcpy(&stc.address, &sin6->sin6_addr,
5158 				    sizeof(struct in6_addr));
5159 				sin6->sin6_scope_id = 0;
5160 				stc.addr_type = SCTP_IPV6_ADDRESS;
5161 				stc.scope_id = 0;
5162 				if (sctp_is_address_on_local_host((struct sockaddr *)sin6, vrf_id)) {
5163 					/*
5164 					 * FIX ME: does this have scope from
5165 					 * rcvif?
5166 					 */
5167 					(void)sa6_recoverscope(sin6);
5168 					stc.scope_id = sin6->sin6_scope_id;
5169 					sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone));
5170 					stc.loopback_scope = 1;
5171 					stc.local_scope = 0;
5172 					stc.site_scope = 1;
5173 					stc.ipv4_scope = 1;
5174 				} else if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) {
5175 					/*
5176 					 * If the new destination is a
5177 					 * LINK_LOCAL we must have common
5178 					 * both site and local scope. Don't
5179 					 * set local scope though since we
5180 					 * must depend on the source to be
5181 					 * added implicitly. We cannot
5182 					 * assure just because we share one
5183 					 * link that all links are common.
5184 					 */
5185 					stc.local_scope = 0;
5186 					stc.site_scope = 1;
5187 					stc.ipv4_scope = 1;
5188 					/*
5189 					 * we start counting for the private
5190 					 * address stuff at 1. since the
5191 					 * link local we source from won't
5192 					 * show up in our scoped count.
5193 					 */
5194 					cnt_inits_to = 1;
5195 					/*
5196 					 * pull out the scope_id from
5197 					 * incoming pkt
5198 					 */
5199 					/*
5200 					 * FIX ME: does this have scope from
5201 					 * rcvif?
5202 					 */
5203 					(void)sa6_recoverscope(sin6);
5204 					stc.scope_id = sin6->sin6_scope_id;
5205 					sa6_embedscope(sin6, MODULE_GLOBAL(ip6_use_defzone));
5206 				} else if (IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) {
5207 					/*
5208 					 * If the new destination is
5209 					 * SITE_LOCAL then we must have site
5210 					 * scope in common.
5211 					 */
5212 					stc.site_scope = 1;
5213 				}
5214 				memcpy(&stc.laddress, &to_sin6->sin6_addr, sizeof(struct in6_addr));
5215 				stc.laddr_type = SCTP_IPV6_ADDRESS;
5216 				break;
5217 			}
5218 #endif
5219 		default:
5220 			/* TSNH */
5221 			goto do_a_abort;
5222 			break;
5223 		}
5224 	} else {
5225 		/* set the scope per the existing tcb */
5226 
5227 #ifdef INET6
5228 		struct sctp_nets *lnet;
5229 
5230 #endif
5231 
5232 		stc.loopback_scope = asoc->loopback_scope;
5233 		stc.ipv4_scope = asoc->ipv4_local_scope;
5234 		stc.site_scope = asoc->site_scope;
5235 		stc.local_scope = asoc->local_scope;
5236 #ifdef INET6
5237 		/* Why do we not consider IPv4 LL addresses? */
5238 		TAILQ_FOREACH(lnet, &asoc->nets, sctp_next) {
5239 			if (lnet->ro._l_addr.sin6.sin6_family == AF_INET6) {
5240 				if (IN6_IS_ADDR_LINKLOCAL(&lnet->ro._l_addr.sin6.sin6_addr)) {
5241 					/*
5242 					 * if we have a LL address, start
5243 					 * counting at 1.
5244 					 */
5245 					cnt_inits_to = 1;
5246 				}
5247 			}
5248 		}
5249 #endif
5250 		/* use the net pointer */
5251 		to = (struct sockaddr *)&net->ro._l_addr;
5252 		switch (to->sa_family) {
5253 		case AF_INET:
5254 			sin = (struct sockaddr_in *)to;
5255 			stc.address[0] = sin->sin_addr.s_addr;
5256 			stc.address[1] = 0;
5257 			stc.address[2] = 0;
5258 			stc.address[3] = 0;
5259 			stc.addr_type = SCTP_IPV4_ADDRESS;
5260 			if (net->src_addr_selected == 0) {
5261 				/*
5262 				 * strange case here, the INIT should have
5263 				 * did the selection.
5264 				 */
5265 				net->ro._s_addr = sctp_source_address_selection(inp,
5266 				    stcb, (sctp_route_t *) & net->ro,
5267 				    net, 0, vrf_id);
5268 				if (net->ro._s_addr == NULL)
5269 					return;
5270 
5271 				net->src_addr_selected = 1;
5272 
5273 			}
5274 			stc.laddress[0] = net->ro._s_addr->address.sin.sin_addr.s_addr;
5275 			stc.laddress[1] = 0;
5276 			stc.laddress[2] = 0;
5277 			stc.laddress[3] = 0;
5278 			stc.laddr_type = SCTP_IPV4_ADDRESS;
5279 			break;
5280 #ifdef INET6
5281 		case AF_INET6:
5282 			sin6 = (struct sockaddr_in6 *)to;
5283 			memcpy(&stc.address, &sin6->sin6_addr,
5284 			    sizeof(struct in6_addr));
5285 			stc.addr_type = SCTP_IPV6_ADDRESS;
5286 			if (net->src_addr_selected == 0) {
5287 				/*
5288 				 * strange case here, the INIT should have
5289 				 * did the selection.
5290 				 */
5291 				net->ro._s_addr = sctp_source_address_selection(inp,
5292 				    stcb, (sctp_route_t *) & net->ro,
5293 				    net, 0, vrf_id);
5294 				if (net->ro._s_addr == NULL)
5295 					return;
5296 
5297 				net->src_addr_selected = 1;
5298 			}
5299 			memcpy(&stc.laddress, &net->ro._s_addr->address.sin6.sin6_addr,
5300 			    sizeof(struct in6_addr));
5301 			stc.laddr_type = SCTP_IPV6_ADDRESS;
5302 			break;
5303 #endif
5304 		}
5305 	}
5306 	/* Now lets put the SCTP header in place */
5307 	initack = mtod(m, struct sctp_init_ack_chunk *);
5308 	/* Save it off for quick ref */
5309 	stc.peers_vtag = init_chk->init.initiate_tag;
5310 	/* who are we */
5311 	memcpy(stc.identification, SCTP_VERSION_STRING,
5312 	    min(strlen(SCTP_VERSION_STRING), sizeof(stc.identification)));
5313 	/* now the chunk header */
5314 	initack->ch.chunk_type = SCTP_INITIATION_ACK;
5315 	initack->ch.chunk_flags = 0;
5316 	/* fill in later from mbuf we build */
5317 	initack->ch.chunk_length = 0;
5318 	/* place in my tag */
5319 	if ((asoc != NULL) &&
5320 	    ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
5321 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_INUSE) ||
5322 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED))) {
5323 		/* re-use the v-tags and init-seq here */
5324 		initack->init.initiate_tag = htonl(asoc->my_vtag);
5325 		initack->init.initial_tsn = htonl(asoc->init_seq_number);
5326 	} else {
5327 		uint32_t vtag, itsn;
5328 
5329 		if (hold_inp_lock) {
5330 			SCTP_INP_INCR_REF(inp);
5331 			SCTP_INP_RUNLOCK(inp);
5332 		}
5333 		if (asoc) {
5334 			atomic_add_int(&asoc->refcnt, 1);
5335 			SCTP_TCB_UNLOCK(stcb);
5336 	new_tag:
5337 			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5338 			if ((asoc->peer_supports_nat) && (vtag == asoc->my_vtag)) {
5339 				/*
5340 				 * Got a duplicate vtag on some guy behind a
5341 				 * nat make sure we don't use it.
5342 				 */
5343 				goto new_tag;
5344 			}
5345 			initack->init.initiate_tag = htonl(vtag);
5346 			/* get a TSN to use too */
5347 			itsn = sctp_select_initial_TSN(&inp->sctp_ep);
5348 			initack->init.initial_tsn = htonl(itsn);
5349 			SCTP_TCB_LOCK(stcb);
5350 			atomic_add_int(&asoc->refcnt, -1);
5351 		} else {
5352 			vtag = sctp_select_a_tag(inp, inp->sctp_lport, sh->src_port, 1);
5353 			initack->init.initiate_tag = htonl(vtag);
5354 			/* get a TSN to use too */
5355 			initack->init.initial_tsn = htonl(sctp_select_initial_TSN(&inp->sctp_ep));
5356 		}
5357 		if (hold_inp_lock) {
5358 			SCTP_INP_RLOCK(inp);
5359 			SCTP_INP_DECR_REF(inp);
5360 		}
5361 	}
5362 	/* save away my tag to */
5363 	stc.my_vtag = initack->init.initiate_tag;
5364 
5365 	/* set up some of the credits. */
5366 	so = inp->sctp_socket;
5367 	if (so == NULL) {
5368 		/* memory problem */
5369 		sctp_m_freem(m);
5370 		return;
5371 	} else {
5372 		initack->init.a_rwnd = htonl(max(SCTP_SB_LIMIT_RCV(so), SCTP_MINIMAL_RWND));
5373 	}
5374 	/* set what I want */
5375 	his_limit = ntohs(init_chk->init.num_inbound_streams);
5376 	/* choose what I want */
5377 	if (asoc != NULL) {
5378 		if (asoc->streamoutcnt > inp->sctp_ep.pre_open_stream_count) {
5379 			i_want = asoc->streamoutcnt;
5380 		} else {
5381 			i_want = inp->sctp_ep.pre_open_stream_count;
5382 		}
5383 	} else {
5384 		i_want = inp->sctp_ep.pre_open_stream_count;
5385 	}
5386 	if (his_limit < i_want) {
5387 		/* I Want more :< */
5388 		initack->init.num_outbound_streams = init_chk->init.num_inbound_streams;
5389 	} else {
5390 		/* I can have what I want :> */
5391 		initack->init.num_outbound_streams = htons(i_want);
5392 	}
5393 	/* tell him his limt. */
5394 	initack->init.num_inbound_streams =
5395 	    htons(inp->sctp_ep.max_open_streams_intome);
5396 
5397 	/* adaptation layer indication parameter */
5398 	ali = (struct sctp_adaptation_layer_indication *)((caddr_t)initack + sizeof(*initack));
5399 	ali->ph.param_type = htons(SCTP_ULP_ADAPTATION);
5400 	ali->ph.param_length = htons(sizeof(*ali));
5401 	ali->indication = ntohl(inp->sctp_ep.adaptation_layer_indicator);
5402 	SCTP_BUF_LEN(m) += sizeof(*ali);
5403 	ecn = (struct sctp_ecn_supported_param *)((caddr_t)ali + sizeof(*ali));
5404 
5405 	/* ECN parameter */
5406 	if (SCTP_BASE_SYSCTL(sctp_ecn_enable) == 1) {
5407 		ecn->ph.param_type = htons(SCTP_ECN_CAPABLE);
5408 		ecn->ph.param_length = htons(sizeof(*ecn));
5409 		SCTP_BUF_LEN(m) += sizeof(*ecn);
5410 
5411 		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn +
5412 		    sizeof(*ecn));
5413 	} else {
5414 		prsctp = (struct sctp_prsctp_supported_param *)((caddr_t)ecn);
5415 	}
5416 	/* And now tell the peer we do  pr-sctp */
5417 	prsctp->ph.param_type = htons(SCTP_PRSCTP_SUPPORTED);
5418 	prsctp->ph.param_length = htons(sizeof(*prsctp));
5419 	SCTP_BUF_LEN(m) += sizeof(*prsctp);
5420 	if (nat_friendly) {
5421 		/* Add NAT friendly parameter */
5422 		struct sctp_paramhdr *ph;
5423 
5424 		ph = (struct sctp_paramhdr *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5425 		ph->param_type = htons(SCTP_HAS_NAT_SUPPORT);
5426 		ph->param_length = htons(sizeof(struct sctp_paramhdr));
5427 		SCTP_BUF_LEN(m) += sizeof(struct sctp_paramhdr);
5428 	}
5429 	/* And now tell the peer we do all the extensions */
5430 	pr_supported = (struct sctp_supported_chunk_types_param *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5431 	pr_supported->ph.param_type = htons(SCTP_SUPPORTED_CHUNK_EXT);
5432 	num_ext = 0;
5433 	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF;
5434 	pr_supported->chunk_types[num_ext++] = SCTP_ASCONF_ACK;
5435 	pr_supported->chunk_types[num_ext++] = SCTP_FORWARD_CUM_TSN;
5436 	pr_supported->chunk_types[num_ext++] = SCTP_PACKET_DROPPED;
5437 	pr_supported->chunk_types[num_ext++] = SCTP_STREAM_RESET;
5438 	if (!SCTP_BASE_SYSCTL(sctp_auth_disable))
5439 		pr_supported->chunk_types[num_ext++] = SCTP_AUTHENTICATION;
5440 	if (SCTP_BASE_SYSCTL(sctp_nr_sack_on_off))
5441 		pr_supported->chunk_types[num_ext++] = SCTP_NR_SELECTIVE_ACK;
5442 	p_len = sizeof(*pr_supported) + num_ext;
5443 	pr_supported->ph.param_length = htons(p_len);
5444 	bzero((caddr_t)pr_supported + p_len, SCTP_SIZE32(p_len) - p_len);
5445 	SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
5446 
5447 	/* ECN nonce: And now tell the peer we support ECN nonce */
5448 	if (SCTP_BASE_SYSCTL(sctp_ecn_nonce)) {
5449 		ecn_nonce = (struct sctp_ecn_nonce_supported_param *)
5450 		    ((caddr_t)pr_supported + SCTP_SIZE32(p_len));
5451 		ecn_nonce->ph.param_type = htons(SCTP_ECN_NONCE_SUPPORTED);
5452 		ecn_nonce->ph.param_length = htons(sizeof(*ecn_nonce));
5453 		SCTP_BUF_LEN(m) += sizeof(*ecn_nonce);
5454 	}
5455 	/* add authentication parameters */
5456 	if (!SCTP_BASE_SYSCTL(sctp_auth_disable)) {
5457 		struct sctp_auth_random *randp;
5458 		struct sctp_auth_hmac_algo *hmacs;
5459 		struct sctp_auth_chunk_list *chunks;
5460 		uint16_t random_len;
5461 
5462 		/* generate and add RANDOM parameter */
5463 		random_len = SCTP_AUTH_RANDOM_SIZE_DEFAULT;
5464 		randp = (struct sctp_auth_random *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5465 		randp->ph.param_type = htons(SCTP_RANDOM);
5466 		p_len = sizeof(*randp) + random_len;
5467 		randp->ph.param_length = htons(p_len);
5468 		SCTP_READ_RANDOM(randp->random_data, random_len);
5469 		/* zero out any padding required */
5470 		bzero((caddr_t)randp + p_len, SCTP_SIZE32(p_len) - p_len);
5471 		SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
5472 
5473 		/* add HMAC_ALGO parameter */
5474 		hmacs = (struct sctp_auth_hmac_algo *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5475 		p_len = sctp_serialize_hmaclist(inp->sctp_ep.local_hmacs,
5476 		    (uint8_t *) hmacs->hmac_ids);
5477 		if (p_len > 0) {
5478 			p_len += sizeof(*hmacs);
5479 			hmacs->ph.param_type = htons(SCTP_HMAC_LIST);
5480 			hmacs->ph.param_length = htons(p_len);
5481 			/* zero out any padding required */
5482 			bzero((caddr_t)hmacs + p_len, SCTP_SIZE32(p_len) - p_len);
5483 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
5484 		}
5485 		/* add CHUNKS parameter */
5486 		chunks = (struct sctp_auth_chunk_list *)(mtod(m, caddr_t)+SCTP_BUF_LEN(m));
5487 		p_len = sctp_serialize_auth_chunks(inp->sctp_ep.local_auth_chunks,
5488 		    chunks->chunk_types);
5489 		if (p_len > 0) {
5490 			p_len += sizeof(*chunks);
5491 			chunks->ph.param_type = htons(SCTP_CHUNK_LIST);
5492 			chunks->ph.param_length = htons(p_len);
5493 			/* zero out any padding required */
5494 			bzero((caddr_t)chunks + p_len, SCTP_SIZE32(p_len) - p_len);
5495 			SCTP_BUF_LEN(m) += SCTP_SIZE32(p_len);
5496 		}
5497 	}
5498 	m_at = m;
5499 	/* now the addresses */
5500 	{
5501 		struct sctp_scoping scp;
5502 
5503 		/*
5504 		 * To optimize this we could put the scoping stuff into a
5505 		 * structure and remove the individual uint8's from the stc
5506 		 * structure. Then we could just sifa in the address within
5507 		 * the stc.. but for now this is a quick hack to get the
5508 		 * address stuff teased apart.
5509 		 */
5510 		scp.ipv4_addr_legal = stc.ipv4_addr_legal;
5511 		scp.ipv6_addr_legal = stc.ipv6_addr_legal;
5512 		scp.loopback_scope = stc.loopback_scope;
5513 		scp.ipv4_local_scope = stc.ipv4_scope;
5514 		scp.local_scope = stc.local_scope;
5515 		scp.site_scope = stc.site_scope;
5516 		m_at = sctp_add_addresses_to_i_ia(inp, &scp, m_at, cnt_inits_to);
5517 	}
5518 
5519 	/* tack on the operational error if present */
5520 	if (op_err) {
5521 		struct mbuf *ol;
5522 		int llen;
5523 
5524 		llen = 0;
5525 		ol = op_err;
5526 		while (ol) {
5527 			llen += SCTP_BUF_LEN(ol);
5528 			ol = SCTP_BUF_NEXT(ol);
5529 		}
5530 		if (llen % 4) {
5531 			/* must add a pad to the param */
5532 			uint32_t cpthis = 0;
5533 			int padlen;
5534 
5535 			padlen = 4 - (llen % 4);
5536 			m_copyback(op_err, llen, padlen, (caddr_t)&cpthis);
5537 		}
5538 		while (SCTP_BUF_NEXT(m_at) != NULL) {
5539 			m_at = SCTP_BUF_NEXT(m_at);
5540 		}
5541 		SCTP_BUF_NEXT(m_at) = op_err;
5542 		while (SCTP_BUF_NEXT(m_at) != NULL) {
5543 			m_at = SCTP_BUF_NEXT(m_at);
5544 		}
5545 	}
5546 	/* pre-calulate the size and update pkt header and chunk header */
5547 	p_len = 0;
5548 	for (m_tmp = m; m_tmp; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
5549 		p_len += SCTP_BUF_LEN(m_tmp);
5550 		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
5551 			/* m_tmp should now point to last one */
5552 			break;
5553 		}
5554 	}
5555 
5556 	/* Now we must build a cookie */
5557 	m_cookie = sctp_add_cookie(inp, init_pkt, offset, m, 0, &stc, &signature);
5558 	if (m_cookie == NULL) {
5559 		/* memory problem */
5560 		sctp_m_freem(m);
5561 		return;
5562 	}
5563 	/* Now append the cookie to the end and update the space/size */
5564 	SCTP_BUF_NEXT(m_tmp) = m_cookie;
5565 
5566 	for (m_tmp = m_cookie; m_tmp; m_tmp = SCTP_BUF_NEXT(m_tmp)) {
5567 		p_len += SCTP_BUF_LEN(m_tmp);
5568 		if (SCTP_BUF_NEXT(m_tmp) == NULL) {
5569 			/* m_tmp should now point to last one */
5570 			mp_last = m_tmp;
5571 			break;
5572 		}
5573 	}
5574 	/*
5575 	 * Place in the size, but we don't include the last pad (if any) in
5576 	 * the INIT-ACK.
5577 	 */
5578 	initack->ch.chunk_length = htons(p_len);
5579 
5580 	/*
5581 	 * Time to sign the cookie, we don't sign over the cookie signature
5582 	 * though thus we set trailer.
5583 	 */
5584 	(void)sctp_hmac_m(SCTP_HMAC,
5585 	    (uint8_t *) inp->sctp_ep.secret_key[(int)(inp->sctp_ep.current_secret_number)],
5586 	    SCTP_SECRET_SIZE, m_cookie, sizeof(struct sctp_paramhdr),
5587 	    (uint8_t *) signature, SCTP_SIGNATURE_SIZE);
5588 	/*
5589 	 * We sifa 0 here to NOT set IP_DF if its IPv4, we ignore the return
5590 	 * here since the timer will drive a retranmission.
5591 	 */
5592 	padval = p_len % 4;
5593 	if ((padval) && (mp_last)) {
5594 		/* see my previous comments on mp_last */
5595 		int ret;
5596 
5597 		ret = sctp_add_pad_tombuf(mp_last, (4 - padval));
5598 		if (ret) {
5599 			/* Houston we have a problem, no space */
5600 			sctp_m_freem(m);
5601 			return;
5602 		}
5603 		p_len += padval;
5604 	}
5605 	if (stc.loopback_scope) {
5606 		over_addr = &store1;
5607 	} else {
5608 		over_addr = NULL;
5609 	}
5610 
5611 	(void)sctp_lowlevel_chunk_output(inp, NULL, NULL, to, m, 0, NULL, 0, 0,
5612 	    0, NULL, 0,
5613 	    inp->sctp_lport, sh->src_port, init_chk->init.initiate_tag,
5614 	    port, SCTP_SO_NOT_LOCKED, over_addr);
5615 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
5616 }
5617 
5618 
5619 void
5620 sctp_insert_on_wheel(struct sctp_tcb *stcb,
5621     struct sctp_association *asoc,
5622     struct sctp_stream_out *strq, int holds_lock)
5623 {
5624 	if (holds_lock == 0) {
5625 		SCTP_TCB_SEND_LOCK(stcb);
5626 	}
5627 	if ((strq->next_spoke.tqe_next == NULL) &&
5628 	    (strq->next_spoke.tqe_prev == NULL)) {
5629 		TAILQ_INSERT_TAIL(&asoc->out_wheel, strq, next_spoke);
5630 	}
5631 	if (holds_lock == 0) {
5632 		SCTP_TCB_SEND_UNLOCK(stcb);
5633 	}
5634 }
5635 
5636 void
5637 sctp_remove_from_wheel(struct sctp_tcb *stcb,
5638     struct sctp_association *asoc,
5639     struct sctp_stream_out *strq,
5640     int holds_lock)
5641 {
5642 	/* take off and then setup so we know it is not on the wheel */
5643 	if (holds_lock == 0) {
5644 		SCTP_TCB_SEND_LOCK(stcb);
5645 	}
5646 	if (TAILQ_EMPTY(&strq->outqueue)) {
5647 		if (asoc->last_out_stream == strq) {
5648 			asoc->last_out_stream = TAILQ_PREV(asoc->last_out_stream, sctpwheel_listhead, next_spoke);
5649 			if (asoc->last_out_stream == NULL) {
5650 				asoc->last_out_stream = TAILQ_LAST(&asoc->out_wheel, sctpwheel_listhead);
5651 			}
5652 			if (asoc->last_out_stream == strq) {
5653 				asoc->last_out_stream = NULL;
5654 			}
5655 		}
5656 		TAILQ_REMOVE(&asoc->out_wheel, strq, next_spoke);
5657 		strq->next_spoke.tqe_next = NULL;
5658 		strq->next_spoke.tqe_prev = NULL;
5659 	}
5660 	if (holds_lock == 0) {
5661 		SCTP_TCB_SEND_UNLOCK(stcb);
5662 	}
5663 }
5664 
5665 static void
5666 sctp_prune_prsctp(struct sctp_tcb *stcb,
5667     struct sctp_association *asoc,
5668     struct sctp_sndrcvinfo *srcv,
5669     int dataout)
5670 {
5671 	int freed_spc = 0;
5672 	struct sctp_tmit_chunk *chk, *nchk;
5673 
5674 	SCTP_TCB_LOCK_ASSERT(stcb);
5675 	if ((asoc->peer_supports_prsctp) &&
5676 	    (asoc->sent_queue_cnt_removeable > 0)) {
5677 		TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
5678 			/*
5679 			 * Look for chunks marked with the PR_SCTP flag AND
5680 			 * the buffer space flag. If the one being sent is
5681 			 * equal or greater priority then purge the old one
5682 			 * and free some space.
5683 			 */
5684 			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
5685 				/*
5686 				 * This one is PR-SCTP AND buffer space
5687 				 * limited type
5688 				 */
5689 				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
5690 					/*
5691 					 * Lower numbers equates to higher
5692 					 * priority so if the one we are
5693 					 * looking at has a larger or equal
5694 					 * priority we want to drop the data
5695 					 * and NOT retransmit it.
5696 					 */
5697 					if (chk->data) {
5698 						/*
5699 						 * We release the book_size
5700 						 * if the mbuf is here
5701 						 */
5702 						int ret_spc;
5703 						int cause;
5704 
5705 						if (chk->sent > SCTP_DATAGRAM_UNSENT)
5706 							cause = SCTP_RESPONSE_TO_USER_REQ | SCTP_NOTIFY_DATAGRAM_SENT;
5707 						else
5708 							cause = SCTP_RESPONSE_TO_USER_REQ | SCTP_NOTIFY_DATAGRAM_UNSENT;
5709 						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
5710 						    cause,
5711 						    SCTP_SO_LOCKED);
5712 						freed_spc += ret_spc;
5713 						if (freed_spc >= dataout) {
5714 							return;
5715 						}
5716 					}	/* if chunk was present */
5717 				}	/* if of sufficent priority */
5718 			}	/* if chunk has enabled */
5719 		}		/* tailqforeach */
5720 
5721 		TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
5722 			/* Here we must move to the sent queue and mark */
5723 			if (PR_SCTP_BUF_ENABLED(chk->flags)) {
5724 				if (chk->rec.data.timetodrop.tv_sec >= (long)srcv->sinfo_timetolive) {
5725 					if (chk->data) {
5726 						/*
5727 						 * We release the book_size
5728 						 * if the mbuf is here
5729 						 */
5730 						int ret_spc;
5731 
5732 						ret_spc = sctp_release_pr_sctp_chunk(stcb, chk,
5733 						    SCTP_RESPONSE_TO_USER_REQ | SCTP_NOTIFY_DATAGRAM_UNSENT,
5734 						    SCTP_SO_LOCKED);
5735 
5736 						freed_spc += ret_spc;
5737 						if (freed_spc >= dataout) {
5738 							return;
5739 						}
5740 					}	/* end if chk->data */
5741 				}	/* end if right class */
5742 			}	/* end if chk pr-sctp */
5743 		}		/* tailqforeachsafe (chk) */
5744 	}			/* if enabled in asoc */
5745 }
5746 
5747 int
5748 sctp_get_frag_point(struct sctp_tcb *stcb,
5749     struct sctp_association *asoc)
5750 {
5751 	int siz, ovh;
5752 
5753 	/*
5754 	 * For endpoints that have both v6 and v4 addresses we must reserve
5755 	 * room for the ipv6 header, for those that are only dealing with V4
5756 	 * we use a larger frag point.
5757 	 */
5758 	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
5759 		ovh = SCTP_MED_OVERHEAD;
5760 	} else {
5761 		ovh = SCTP_MED_V4_OVERHEAD;
5762 	}
5763 
5764 	if (stcb->asoc.sctp_frag_point > asoc->smallest_mtu)
5765 		siz = asoc->smallest_mtu - ovh;
5766 	else
5767 		siz = (stcb->asoc.sctp_frag_point - ovh);
5768 	/*
5769 	 * if (siz > (MCLBYTES-sizeof(struct sctp_data_chunk))) {
5770 	 */
5771 	/* A data chunk MUST fit in a cluster */
5772 	/* siz = (MCLBYTES - sizeof(struct sctp_data_chunk)); */
5773 	/* } */
5774 
5775 	/* adjust for an AUTH chunk if DATA requires auth */
5776 	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks))
5777 		siz -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
5778 
5779 	if (siz % 4) {
5780 		/* make it an even word boundary please */
5781 		siz -= (siz % 4);
5782 	}
5783 	return (siz);
5784 }
5785 
5786 static void
5787 sctp_set_prsctp_policy(struct sctp_stream_queue_pending *sp)
5788 {
5789 	sp->pr_sctp_on = 0;
5790 	/*
5791 	 * We assume that the user wants PR_SCTP_TTL if the user provides a
5792 	 * positive lifetime but does not specify any PR_SCTP policy. This
5793 	 * is a BAD assumption and causes problems at least with the
5794 	 * U-Vancovers MPI folks. I will change this to be no policy means
5795 	 * NO PR-SCTP.
5796 	 */
5797 	if (PR_SCTP_ENABLED(sp->sinfo_flags)) {
5798 		sp->act_flags |= PR_SCTP_POLICY(sp->sinfo_flags);
5799 		sp->pr_sctp_on = 1;
5800 	} else {
5801 		return;
5802 	}
5803 	switch (PR_SCTP_POLICY(sp->sinfo_flags)) {
5804 	case CHUNK_FLAGS_PR_SCTP_BUF:
5805 		/*
5806 		 * Time to live is a priority stored in tv_sec when doing
5807 		 * the buffer drop thing.
5808 		 */
5809 		sp->ts.tv_sec = sp->timetolive;
5810 		sp->ts.tv_usec = 0;
5811 		break;
5812 	case CHUNK_FLAGS_PR_SCTP_TTL:
5813 		{
5814 			struct timeval tv;
5815 
5816 			(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
5817 			tv.tv_sec = sp->timetolive / 1000;
5818 			tv.tv_usec = (sp->timetolive * 1000) % 1000000;
5819 			/*
5820 			 * TODO sctp_constants.h needs alternative time
5821 			 * macros when _KERNEL is undefined.
5822 			 */
5823 			timevaladd(&sp->ts, &tv);
5824 		}
5825 		break;
5826 	case CHUNK_FLAGS_PR_SCTP_RTX:
5827 		/*
5828 		 * Time to live is a the number or retransmissions stored in
5829 		 * tv_sec.
5830 		 */
5831 		sp->ts.tv_sec = sp->timetolive;
5832 		sp->ts.tv_usec = 0;
5833 		break;
5834 	default:
5835 		SCTPDBG(SCTP_DEBUG_USRREQ1,
5836 		    "Unknown PR_SCTP policy %u.\n",
5837 		    PR_SCTP_POLICY(sp->sinfo_flags));
5838 		break;
5839 	}
5840 }
5841 
5842 static int
5843 sctp_msg_append(struct sctp_tcb *stcb,
5844     struct sctp_nets *net,
5845     struct mbuf *m,
5846     struct sctp_sndrcvinfo *srcv, int hold_stcb_lock)
5847 {
5848 	int error = 0, holds_lock;
5849 	struct mbuf *at;
5850 	struct sctp_stream_queue_pending *sp = NULL;
5851 	struct sctp_stream_out *strm;
5852 
5853 	/*
5854 	 * Given an mbuf chain, put it into the association send queue and
5855 	 * place it on the wheel
5856 	 */
5857 	holds_lock = hold_stcb_lock;
5858 	if (srcv->sinfo_stream >= stcb->asoc.streamoutcnt) {
5859 		/* Invalid stream number */
5860 		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
5861 		error = EINVAL;
5862 		goto out_now;
5863 	}
5864 	if ((stcb->asoc.stream_locked) &&
5865 	    (stcb->asoc.stream_locked_on != srcv->sinfo_stream)) {
5866 		SCTP_LTRACE_ERR_RET_PKT(m, NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
5867 		error = EINVAL;
5868 		goto out_now;
5869 	}
5870 	strm = &stcb->asoc.strmout[srcv->sinfo_stream];
5871 	/* Now can we send this? */
5872 	if ((SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
5873 	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
5874 	    (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
5875 	    (stcb->asoc.state & SCTP_STATE_SHUTDOWN_PENDING)) {
5876 		/* got data while shutting down */
5877 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
5878 		error = ECONNRESET;
5879 		goto out_now;
5880 	}
5881 	sctp_alloc_a_strmoq(stcb, sp);
5882 	if (sp == NULL) {
5883 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
5884 		error = ENOMEM;
5885 		goto out_now;
5886 	}
5887 	sp->sinfo_flags = srcv->sinfo_flags;
5888 	sp->timetolive = srcv->sinfo_timetolive;
5889 	sp->ppid = srcv->sinfo_ppid;
5890 	sp->context = srcv->sinfo_context;
5891 	sp->strseq = 0;
5892 	if (sp->sinfo_flags & SCTP_ADDR_OVER) {
5893 		sp->net = net;
5894 		atomic_add_int(&sp->net->ref_count, 1);
5895 	} else {
5896 		sp->net = NULL;
5897 	}
5898 	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
5899 	sp->stream = srcv->sinfo_stream;
5900 	sp->msg_is_complete = 1;
5901 	sp->sender_all_done = 1;
5902 	sp->some_taken = 0;
5903 	sp->data = m;
5904 	sp->tail_mbuf = NULL;
5905 	sp->length = 0;
5906 	at = m;
5907 	sctp_set_prsctp_policy(sp);
5908 	/*
5909 	 * We could in theory (for sendall) sifa the length in, but we would
5910 	 * still have to hunt through the chain since we need to setup the
5911 	 * tail_mbuf
5912 	 */
5913 	while (at) {
5914 		if (SCTP_BUF_NEXT(at) == NULL)
5915 			sp->tail_mbuf = at;
5916 		sp->length += SCTP_BUF_LEN(at);
5917 		at = SCTP_BUF_NEXT(at);
5918 	}
5919 	SCTP_TCB_SEND_LOCK(stcb);
5920 	sctp_snd_sb_alloc(stcb, sp->length);
5921 	atomic_add_int(&stcb->asoc.stream_queue_cnt, 1);
5922 	TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
5923 	if ((srcv->sinfo_flags & SCTP_UNORDERED) == 0) {
5924 		sp->strseq = strm->next_sequence_sent;
5925 		strm->next_sequence_sent++;
5926 	}
5927 	if ((strm->next_spoke.tqe_next == NULL) &&
5928 	    (strm->next_spoke.tqe_prev == NULL)) {
5929 		/* Not on wheel, insert */
5930 		sctp_insert_on_wheel(stcb, &stcb->asoc, strm, 1);
5931 	}
5932 	m = NULL;
5933 	SCTP_TCB_SEND_UNLOCK(stcb);
5934 out_now:
5935 	if (m) {
5936 		sctp_m_freem(m);
5937 	}
5938 	return (error);
5939 }
5940 
5941 
5942 static struct mbuf *
5943 sctp_copy_mbufchain(struct mbuf *clonechain,
5944     struct mbuf *outchain,
5945     struct mbuf **endofchain,
5946     int can_take_mbuf,
5947     int sizeofcpy,
5948     uint8_t copy_by_ref)
5949 {
5950 	struct mbuf *m;
5951 	struct mbuf *appendchain;
5952 	caddr_t cp;
5953 	int len;
5954 
5955 	if (endofchain == NULL) {
5956 		/* error */
5957 error_out:
5958 		if (outchain)
5959 			sctp_m_freem(outchain);
5960 		return (NULL);
5961 	}
5962 	if (can_take_mbuf) {
5963 		appendchain = clonechain;
5964 	} else {
5965 		if (!copy_by_ref &&
5966 		    (sizeofcpy <= (int)((((SCTP_BASE_SYSCTL(sctp_mbuf_threshold_count) - 1) * MLEN) + MHLEN)))
5967 		    ) {
5968 			/* Its not in a cluster */
5969 			if (*endofchain == NULL) {
5970 				/* lets get a mbuf cluster */
5971 				if (outchain == NULL) {
5972 					/* This is the general case */
5973 			new_mbuf:
5974 					outchain = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_HEADER);
5975 					if (outchain == NULL) {
5976 						goto error_out;
5977 					}
5978 					SCTP_BUF_LEN(outchain) = 0;
5979 					*endofchain = outchain;
5980 					/* get the prepend space */
5981 					SCTP_BUF_RESV_UF(outchain, (SCTP_FIRST_MBUF_RESV + 4));
5982 				} else {
5983 					/*
5984 					 * We really should not get a NULL
5985 					 * in endofchain
5986 					 */
5987 					/* find end */
5988 					m = outchain;
5989 					while (m) {
5990 						if (SCTP_BUF_NEXT(m) == NULL) {
5991 							*endofchain = m;
5992 							break;
5993 						}
5994 						m = SCTP_BUF_NEXT(m);
5995 					}
5996 					/* sanity */
5997 					if (*endofchain == NULL) {
5998 						/*
5999 						 * huh, TSNH XXX maybe we
6000 						 * should panic
6001 						 */
6002 						sctp_m_freem(outchain);
6003 						goto new_mbuf;
6004 					}
6005 				}
6006 				/* get the new end of length */
6007 				len = M_TRAILINGSPACE(*endofchain);
6008 			} else {
6009 				/* how much is left at the end? */
6010 				len = M_TRAILINGSPACE(*endofchain);
6011 			}
6012 			/* Find the end of the data, for appending */
6013 			cp = (mtod((*endofchain), caddr_t)+SCTP_BUF_LEN((*endofchain)));
6014 
6015 			/* Now lets copy it out */
6016 			if (len >= sizeofcpy) {
6017 				/* It all fits, copy it in */
6018 				m_copydata(clonechain, 0, sizeofcpy, cp);
6019 				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6020 			} else {
6021 				/* fill up the end of the chain */
6022 				if (len > 0) {
6023 					m_copydata(clonechain, 0, len, cp);
6024 					SCTP_BUF_LEN((*endofchain)) += len;
6025 					/* now we need another one */
6026 					sizeofcpy -= len;
6027 				}
6028 				m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_HEADER);
6029 				if (m == NULL) {
6030 					/* We failed */
6031 					goto error_out;
6032 				}
6033 				SCTP_BUF_NEXT((*endofchain)) = m;
6034 				*endofchain = m;
6035 				cp = mtod((*endofchain), caddr_t);
6036 				m_copydata(clonechain, len, sizeofcpy, cp);
6037 				SCTP_BUF_LEN((*endofchain)) += sizeofcpy;
6038 			}
6039 			return (outchain);
6040 		} else {
6041 			/* copy the old fashion way */
6042 			appendchain = SCTP_M_COPYM(clonechain, 0, M_COPYALL, M_DONTWAIT);
6043 #ifdef SCTP_MBUF_LOGGING
6044 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6045 				struct mbuf *mat;
6046 
6047 				mat = appendchain;
6048 				while (mat) {
6049 					if (SCTP_BUF_IS_EXTENDED(mat)) {
6050 						sctp_log_mb(mat, SCTP_MBUF_ICOPY);
6051 					}
6052 					mat = SCTP_BUF_NEXT(mat);
6053 				}
6054 			}
6055 #endif
6056 		}
6057 	}
6058 	if (appendchain == NULL) {
6059 		/* error */
6060 		if (outchain)
6061 			sctp_m_freem(outchain);
6062 		return (NULL);
6063 	}
6064 	if (outchain) {
6065 		/* tack on to the end */
6066 		if (*endofchain != NULL) {
6067 			SCTP_BUF_NEXT(((*endofchain))) = appendchain;
6068 		} else {
6069 			m = outchain;
6070 			while (m) {
6071 				if (SCTP_BUF_NEXT(m) == NULL) {
6072 					SCTP_BUF_NEXT(m) = appendchain;
6073 					break;
6074 				}
6075 				m = SCTP_BUF_NEXT(m);
6076 			}
6077 		}
6078 		/*
6079 		 * save off the end and update the end-chain postion
6080 		 */
6081 		m = appendchain;
6082 		while (m) {
6083 			if (SCTP_BUF_NEXT(m) == NULL) {
6084 				*endofchain = m;
6085 				break;
6086 			}
6087 			m = SCTP_BUF_NEXT(m);
6088 		}
6089 		return (outchain);
6090 	} else {
6091 		/* save off the end and update the end-chain postion */
6092 		m = appendchain;
6093 		while (m) {
6094 			if (SCTP_BUF_NEXT(m) == NULL) {
6095 				*endofchain = m;
6096 				break;
6097 			}
6098 			m = SCTP_BUF_NEXT(m);
6099 		}
6100 		return (appendchain);
6101 	}
6102 }
6103 
6104 int
6105 sctp_med_chunk_output(struct sctp_inpcb *inp,
6106     struct sctp_tcb *stcb,
6107     struct sctp_association *asoc,
6108     int *num_out,
6109     int *reason_code,
6110     int control_only, int from_where,
6111     struct timeval *now, int *now_filled, int frag_point, int so_locked
6112 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
6113     SCTP_UNUSED
6114 #endif
6115 );
6116 
6117 static void
6118 sctp_sendall_iterator(struct sctp_inpcb *inp, struct sctp_tcb *stcb, void *ptr,
6119     uint32_t val)
6120 {
6121 	struct sctp_copy_all *ca;
6122 	struct mbuf *m;
6123 	int ret = 0;
6124 	int added_control = 0;
6125 	int un_sent, do_chunk_output = 1;
6126 	struct sctp_association *asoc;
6127 
6128 	ca = (struct sctp_copy_all *)ptr;
6129 	if (ca->m == NULL) {
6130 		return;
6131 	}
6132 	if (ca->inp != inp) {
6133 		/* TSNH */
6134 		return;
6135 	}
6136 	if ((ca->m) && ca->sndlen) {
6137 		m = SCTP_M_COPYM(ca->m, 0, M_COPYALL, M_DONTWAIT);
6138 		if (m == NULL) {
6139 			/* can't copy so we are done */
6140 			ca->cnt_failed++;
6141 			return;
6142 		}
6143 #ifdef SCTP_MBUF_LOGGING
6144 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6145 			struct mbuf *mat;
6146 
6147 			mat = m;
6148 			while (mat) {
6149 				if (SCTP_BUF_IS_EXTENDED(mat)) {
6150 					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
6151 				}
6152 				mat = SCTP_BUF_NEXT(mat);
6153 			}
6154 		}
6155 #endif
6156 	} else {
6157 		m = NULL;
6158 	}
6159 	SCTP_TCB_LOCK_ASSERT(stcb);
6160 	if (ca->sndrcv.sinfo_flags & SCTP_ABORT) {
6161 		/* Abort this assoc with m as the user defined reason */
6162 		if (m) {
6163 			struct sctp_paramhdr *ph;
6164 
6165 			SCTP_BUF_PREPEND(m, sizeof(struct sctp_paramhdr), M_DONTWAIT);
6166 			if (m) {
6167 				ph = mtod(m, struct sctp_paramhdr *);
6168 				ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
6169 				ph->param_length = htons(ca->sndlen);
6170 			}
6171 			/*
6172 			 * We add one here to keep the assoc from
6173 			 * dis-appearing on us.
6174 			 */
6175 			atomic_add_int(&stcb->asoc.refcnt, 1);
6176 			sctp_abort_an_association(inp, stcb,
6177 			    SCTP_RESPONSE_TO_USER_REQ,
6178 			    m, SCTP_SO_NOT_LOCKED);
6179 			/*
6180 			 * sctp_abort_an_association calls sctp_free_asoc()
6181 			 * free association will NOT free it since we
6182 			 * incremented the refcnt .. we do this to prevent
6183 			 * it being freed and things getting tricky since we
6184 			 * could end up (from free_asoc) calling inpcb_free
6185 			 * which would get a recursive lock call to the
6186 			 * iterator lock.. But as a consequence of that the
6187 			 * stcb will return to us un-locked.. since
6188 			 * free_asoc returns with either no TCB or the TCB
6189 			 * unlocked, we must relock.. to unlock in the
6190 			 * iterator timer :-0
6191 			 */
6192 			SCTP_TCB_LOCK(stcb);
6193 			atomic_add_int(&stcb->asoc.refcnt, -1);
6194 			goto no_chunk_output;
6195 		}
6196 	} else {
6197 		if (m) {
6198 			ret = sctp_msg_append(stcb, stcb->asoc.primary_destination, m,
6199 			    &ca->sndrcv, 1);
6200 		}
6201 		asoc = &stcb->asoc;
6202 		if (ca->sndrcv.sinfo_flags & SCTP_EOF) {
6203 			/* shutdown this assoc */
6204 			int cnt;
6205 
6206 			cnt = sctp_is_there_unsent_data(stcb);
6207 
6208 			if (TAILQ_EMPTY(&asoc->send_queue) &&
6209 			    TAILQ_EMPTY(&asoc->sent_queue) &&
6210 			    (cnt == 0)) {
6211 				if (asoc->locked_on_sending) {
6212 					goto abort_anyway;
6213 				}
6214 				/*
6215 				 * there is nothing queued to send, so I'm
6216 				 * done...
6217 				 */
6218 				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
6219 				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6220 				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6221 					/*
6222 					 * only send SHUTDOWN the first time
6223 					 * through
6224 					 */
6225 					sctp_send_shutdown(stcb, stcb->asoc.primary_destination);
6226 					if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
6227 						SCTP_STAT_DECR_GAUGE32(sctps_currestab);
6228 					}
6229 					SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
6230 					SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
6231 					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
6232 					    asoc->primary_destination);
6233 					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
6234 					    asoc->primary_destination);
6235 					added_control = 1;
6236 					do_chunk_output = 0;
6237 				}
6238 			} else {
6239 				/*
6240 				 * we still got (or just got) data to send,
6241 				 * so set SHUTDOWN_PENDING
6242 				 */
6243 				/*
6244 				 * XXX sockets draft says that SCTP_EOF
6245 				 * should be sent with no data.  currently,
6246 				 * we will allow user data to be sent first
6247 				 * and move to SHUTDOWN-PENDING
6248 				 */
6249 				if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
6250 				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
6251 				    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
6252 					if (asoc->locked_on_sending) {
6253 						/*
6254 						 * Locked to send out the
6255 						 * data
6256 						 */
6257 						struct sctp_stream_queue_pending *sp;
6258 
6259 						sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
6260 						if (sp) {
6261 							if ((sp->length == 0) && (sp->msg_is_complete == 0))
6262 								asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
6263 						}
6264 					}
6265 					asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
6266 					if (TAILQ_EMPTY(&asoc->send_queue) &&
6267 					    TAILQ_EMPTY(&asoc->sent_queue) &&
6268 					    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
6269 				abort_anyway:
6270 						atomic_add_int(&stcb->asoc.refcnt, 1);
6271 						sctp_abort_an_association(stcb->sctp_ep, stcb,
6272 						    SCTP_RESPONSE_TO_USER_REQ,
6273 						    NULL, SCTP_SO_NOT_LOCKED);
6274 						atomic_add_int(&stcb->asoc.refcnt, -1);
6275 						goto no_chunk_output;
6276 					}
6277 					sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
6278 					    asoc->primary_destination);
6279 				}
6280 			}
6281 
6282 		}
6283 	}
6284 	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
6285 	    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
6286 
6287 	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
6288 	    (stcb->asoc.total_flight > 0) &&
6289 	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))
6290 	    ) {
6291 		do_chunk_output = 0;
6292 	}
6293 	if (do_chunk_output)
6294 		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_NOT_LOCKED);
6295 	else if (added_control) {
6296 		int num_out = 0, reason = 0, now_filled = 0;
6297 		struct timeval now;
6298 		int frag_point;
6299 
6300 		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
6301 		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
6302 		    &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_NOT_LOCKED);
6303 	}
6304 no_chunk_output:
6305 	if (ret) {
6306 		ca->cnt_failed++;
6307 	} else {
6308 		ca->cnt_sent++;
6309 	}
6310 }
6311 
6312 static void
6313 sctp_sendall_completes(void *ptr, uint32_t val)
6314 {
6315 	struct sctp_copy_all *ca;
6316 
6317 	ca = (struct sctp_copy_all *)ptr;
6318 	/*
6319 	 * Do a notify here? Kacheong suggests that the notify be done at
6320 	 * the send time.. so you would push up a notification if any send
6321 	 * failed. Don't know if this is feasable since the only failures we
6322 	 * have is "memory" related and if you cannot get an mbuf to send
6323 	 * the data you surely can't get an mbuf to send up to notify the
6324 	 * user you can't send the data :->
6325 	 */
6326 
6327 	/* now free everything */
6328 	sctp_m_freem(ca->m);
6329 	SCTP_FREE(ca, SCTP_M_COPYAL);
6330 }
6331 
6332 
6333 #define	MC_ALIGN(m, len) do {						\
6334 	SCTP_BUF_RESV_UF(m, ((MCLBYTES - (len)) & ~(sizeof(long) - 1));	\
6335 } while (0)
6336 
6337 
6338 
6339 static struct mbuf *
6340 sctp_copy_out_all(struct uio *uio, int len)
6341 {
6342 	struct mbuf *ret, *at;
6343 	int left, willcpy, cancpy, error;
6344 
6345 	ret = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_WAIT, 1, MT_DATA);
6346 	if (ret == NULL) {
6347 		/* TSNH */
6348 		return (NULL);
6349 	}
6350 	left = len;
6351 	SCTP_BUF_LEN(ret) = 0;
6352 	/* save space for the data chunk header */
6353 	cancpy = M_TRAILINGSPACE(ret);
6354 	willcpy = min(cancpy, left);
6355 	at = ret;
6356 	while (left > 0) {
6357 		/* Align data to the end */
6358 		error = uiomove(mtod(at, caddr_t), willcpy, uio);
6359 		if (error) {
6360 	err_out_now:
6361 			sctp_m_freem(at);
6362 			return (NULL);
6363 		}
6364 		SCTP_BUF_LEN(at) = willcpy;
6365 		SCTP_BUF_NEXT_PKT(at) = SCTP_BUF_NEXT(at) = 0;
6366 		left -= willcpy;
6367 		if (left > 0) {
6368 			SCTP_BUF_NEXT(at) = sctp_get_mbuf_for_msg(left, 0, M_WAIT, 1, MT_DATA);
6369 			if (SCTP_BUF_NEXT(at) == NULL) {
6370 				goto err_out_now;
6371 			}
6372 			at = SCTP_BUF_NEXT(at);
6373 			SCTP_BUF_LEN(at) = 0;
6374 			cancpy = M_TRAILINGSPACE(at);
6375 			willcpy = min(cancpy, left);
6376 		}
6377 	}
6378 	return (ret);
6379 }
6380 
6381 static int
6382 sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, struct mbuf *m,
6383     struct sctp_sndrcvinfo *srcv)
6384 {
6385 	int ret;
6386 	struct sctp_copy_all *ca;
6387 
6388 	SCTP_MALLOC(ca, struct sctp_copy_all *, sizeof(struct sctp_copy_all),
6389 	    SCTP_M_COPYAL);
6390 	if (ca == NULL) {
6391 		sctp_m_freem(m);
6392 		SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6393 		return (ENOMEM);
6394 	}
6395 	memset(ca, 0, sizeof(struct sctp_copy_all));
6396 
6397 	ca->inp = inp;
6398 	memcpy(&ca->sndrcv, srcv, sizeof(struct sctp_nonpad_sndrcvinfo));
6399 	/*
6400 	 * take off the sendall flag, it would be bad if we failed to do
6401 	 * this :-0
6402 	 */
6403 	ca->sndrcv.sinfo_flags &= ~SCTP_SENDALL;
6404 	/* get length and mbuf chain */
6405 	if (uio) {
6406 		ca->sndlen = uio->uio_resid;
6407 		ca->m = sctp_copy_out_all(uio, ca->sndlen);
6408 		if (ca->m == NULL) {
6409 			SCTP_FREE(ca, SCTP_M_COPYAL);
6410 			SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
6411 			return (ENOMEM);
6412 		}
6413 	} else {
6414 		/* Gather the length of the send */
6415 		struct mbuf *mat;
6416 
6417 		mat = m;
6418 		ca->sndlen = 0;
6419 		while (m) {
6420 			ca->sndlen += SCTP_BUF_LEN(m);
6421 			m = SCTP_BUF_NEXT(m);
6422 		}
6423 		ca->m = mat;
6424 	}
6425 	ret = sctp_initiate_iterator(NULL, sctp_sendall_iterator, NULL,
6426 	    SCTP_PCB_ANY_FLAGS, SCTP_PCB_ANY_FEATURES,
6427 	    SCTP_ASOC_ANY_STATE,
6428 	    (void *)ca, 0,
6429 	    sctp_sendall_completes, inp, 1);
6430 	if (ret) {
6431 		SCTP_PRINTF("Failed to initiate iterator for sendall\n");
6432 		SCTP_FREE(ca, SCTP_M_COPYAL);
6433 		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EFAULT);
6434 		return (EFAULT);
6435 	}
6436 	return (0);
6437 }
6438 
6439 
6440 void
6441 sctp_toss_old_cookies(struct sctp_tcb *stcb, struct sctp_association *asoc)
6442 {
6443 	struct sctp_tmit_chunk *chk, *nchk;
6444 
6445 	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
6446 		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
6447 			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
6448 			if (chk->data) {
6449 				sctp_m_freem(chk->data);
6450 				chk->data = NULL;
6451 			}
6452 			asoc->ctrl_queue_cnt--;
6453 			sctp_free_a_chunk(stcb, chk);
6454 		}
6455 	}
6456 }
6457 
6458 void
6459 sctp_toss_old_asconf(struct sctp_tcb *stcb)
6460 {
6461 	struct sctp_association *asoc;
6462 	struct sctp_tmit_chunk *chk, *nchk;
6463 	struct sctp_asconf_chunk *acp;
6464 
6465 	asoc = &stcb->asoc;
6466 	TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
6467 		/* find SCTP_ASCONF chunk in queue */
6468 		if (chk->rec.chunk_id.id == SCTP_ASCONF) {
6469 			if (chk->data) {
6470 				acp = mtod(chk->data, struct sctp_asconf_chunk *);
6471 				if (SCTP_TSN_GT(ntohl(acp->serial_number), asoc->asconf_seq_out_acked)) {
6472 					/* Not Acked yet */
6473 					break;
6474 				}
6475 			}
6476 			TAILQ_REMOVE(&asoc->asconf_send_queue, chk, sctp_next);
6477 			if (chk->data) {
6478 				sctp_m_freem(chk->data);
6479 				chk->data = NULL;
6480 			}
6481 			asoc->ctrl_queue_cnt--;
6482 			sctp_free_a_chunk(stcb, chk);
6483 		}
6484 	}
6485 }
6486 
6487 
6488 static void
6489 sctp_clean_up_datalist(struct sctp_tcb *stcb,
6490     struct sctp_association *asoc,
6491     struct sctp_tmit_chunk **data_list,
6492     int bundle_at,
6493     struct sctp_nets *net)
6494 {
6495 	int i;
6496 	struct sctp_tmit_chunk *tp1;
6497 
6498 	for (i = 0; i < bundle_at; i++) {
6499 		/* off of the send queue */
6500 		TAILQ_REMOVE(&asoc->send_queue, data_list[i], sctp_next);
6501 		asoc->send_queue_cnt--;
6502 		if (i > 0) {
6503 			/*
6504 			 * Any chunk NOT 0 you zap the time chunk 0 gets
6505 			 * zapped or set based on if a RTO measurment is
6506 			 * needed.
6507 			 */
6508 			data_list[i]->do_rtt = 0;
6509 		}
6510 		/* record time */
6511 		data_list[i]->sent_rcv_time = net->last_sent_time;
6512 		data_list[i]->rec.data.fast_retran_tsn = data_list[i]->rec.data.TSN_seq;
6513 		if (data_list[i]->whoTo == NULL) {
6514 			data_list[i]->whoTo = net;
6515 			atomic_add_int(&net->ref_count, 1);
6516 		}
6517 		/* on to the sent queue */
6518 		tp1 = TAILQ_LAST(&asoc->sent_queue, sctpchunk_listhead);
6519 		if ((tp1) && SCTP_TSN_GT(tp1->rec.data.TSN_seq, data_list[i]->rec.data.TSN_seq)) {
6520 			struct sctp_tmit_chunk *tpp;
6521 
6522 			/* need to move back */
6523 	back_up_more:
6524 			tpp = TAILQ_PREV(tp1, sctpchunk_listhead, sctp_next);
6525 			if (tpp == NULL) {
6526 				TAILQ_INSERT_BEFORE(tp1, data_list[i], sctp_next);
6527 				goto all_done;
6528 			}
6529 			tp1 = tpp;
6530 			if (SCTP_TSN_GT(tp1->rec.data.TSN_seq, data_list[i]->rec.data.TSN_seq)) {
6531 				goto back_up_more;
6532 			}
6533 			TAILQ_INSERT_AFTER(&asoc->sent_queue, tp1, data_list[i], sctp_next);
6534 		} else {
6535 			TAILQ_INSERT_TAIL(&asoc->sent_queue,
6536 			    data_list[i],
6537 			    sctp_next);
6538 		}
6539 all_done:
6540 		/* This does not lower until the cum-ack passes it */
6541 		asoc->sent_queue_cnt++;
6542 		if ((asoc->peers_rwnd <= 0) &&
6543 		    (asoc->total_flight == 0) &&
6544 		    (bundle_at == 1)) {
6545 			/* Mark the chunk as being a window probe */
6546 			SCTP_STAT_INCR(sctps_windowprobed);
6547 		}
6548 #ifdef SCTP_AUDITING_ENABLED
6549 		sctp_audit_log(0xC2, 3);
6550 #endif
6551 		data_list[i]->sent = SCTP_DATAGRAM_SENT;
6552 		data_list[i]->snd_count = 1;
6553 		data_list[i]->rec.data.chunk_was_revoked = 0;
6554 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
6555 			sctp_misc_ints(SCTP_FLIGHT_LOG_UP,
6556 			    data_list[i]->whoTo->flight_size,
6557 			    data_list[i]->book_size,
6558 			    (uintptr_t) data_list[i]->whoTo,
6559 			    data_list[i]->rec.data.TSN_seq);
6560 		}
6561 		sctp_flight_size_increase(data_list[i]);
6562 		sctp_total_flight_increase(stcb, data_list[i]);
6563 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
6564 			sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
6565 			    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
6566 		}
6567 		asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
6568 		    (uint32_t) (data_list[i]->send_size + SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
6569 		if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
6570 			/* SWS sender side engages */
6571 			asoc->peers_rwnd = 0;
6572 		}
6573 	}
6574 }
6575 
6576 static void
6577 sctp_clean_up_ctl(struct sctp_tcb *stcb, struct sctp_association *asoc)
6578 {
6579 	struct sctp_tmit_chunk *chk, *nchk;
6580 
6581 	TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
6582 		if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
6583 		    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
6584 		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
6585 		    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
6586 		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) ||
6587 		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
6588 		    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
6589 		    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
6590 		    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
6591 		    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
6592 		    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
6593 		    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
6594 			/* Stray chunks must be cleaned up */
6595 	clean_up_anyway:
6596 			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
6597 			if (chk->data) {
6598 				sctp_m_freem(chk->data);
6599 				chk->data = NULL;
6600 			}
6601 			asoc->ctrl_queue_cnt--;
6602 			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)
6603 				asoc->fwd_tsn_cnt--;
6604 			sctp_free_a_chunk(stcb, chk);
6605 		} else if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
6606 			/* special handling, we must look into the param */
6607 			if (chk != asoc->str_reset) {
6608 				goto clean_up_anyway;
6609 			}
6610 		}
6611 	}
6612 }
6613 
6614 
6615 static int
6616 sctp_can_we_split_this(struct sctp_tcb *stcb,
6617     uint32_t length,
6618     uint32_t goal_mtu, uint32_t frag_point, int eeor_on)
6619 {
6620 	/*
6621 	 * Make a decision on if I should split a msg into multiple parts.
6622 	 * This is only asked of incomplete messages.
6623 	 */
6624 	if (eeor_on) {
6625 		/*
6626 		 * If we are doing EEOR we need to always send it if its the
6627 		 * entire thing, since it might be all the guy is putting in
6628 		 * the hopper.
6629 		 */
6630 		if (goal_mtu >= length) {
6631 			/*-
6632 			 * If we have data outstanding,
6633 			 * we get another chance when the sack
6634 			 * arrives to transmit - wait for more data
6635 			 */
6636 			if (stcb->asoc.total_flight == 0) {
6637 				/*
6638 				 * If nothing is in flight, we zero the
6639 				 * packet counter.
6640 				 */
6641 				return (length);
6642 			}
6643 			return (0);
6644 
6645 		} else {
6646 			/* You can fill the rest */
6647 			return (goal_mtu);
6648 		}
6649 	}
6650 	/*-
6651 	 * For those strange folk that make the send buffer
6652 	 * smaller than our fragmentation point, we can't
6653 	 * get a full msg in so we have to allow splitting.
6654 	 */
6655 	if (SCTP_SB_LIMIT_SND(stcb->sctp_socket) < frag_point) {
6656 		return (length);
6657 	}
6658 	if ((length <= goal_mtu) ||
6659 	    ((length - goal_mtu) < SCTP_BASE_SYSCTL(sctp_min_residual))) {
6660 		/* Sub-optimial residual don't split in non-eeor mode. */
6661 		return (0);
6662 	}
6663 	/*
6664 	 * If we reach here length is larger than the goal_mtu. Do we wish
6665 	 * to split it for the sake of packet putting together?
6666 	 */
6667 	if (goal_mtu >= min(SCTP_BASE_SYSCTL(sctp_min_split_point), frag_point)) {
6668 		/* Its ok to split it */
6669 		return (min(goal_mtu, frag_point));
6670 	}
6671 	/* Nope, can't split */
6672 	return (0);
6673 
6674 }
6675 
6676 static uint32_t
6677 sctp_move_to_outqueue(struct sctp_tcb *stcb,
6678     struct sctp_stream_out *strq,
6679     uint32_t goal_mtu,
6680     uint32_t frag_point,
6681     int *locked,
6682     int *giveup,
6683     int eeor_mode,
6684     int *bail)
6685 {
6686 	/* Move from the stream to the send_queue keeping track of the total */
6687 	struct sctp_association *asoc;
6688 	struct sctp_stream_queue_pending *sp;
6689 	struct sctp_tmit_chunk *chk;
6690 	struct sctp_data_chunk *dchkh;
6691 	uint32_t to_move, length;
6692 	uint8_t rcv_flags = 0;
6693 	uint8_t some_taken;
6694 	uint8_t send_lock_up = 0;
6695 
6696 	SCTP_TCB_LOCK_ASSERT(stcb);
6697 	asoc = &stcb->asoc;
6698 one_more_time:
6699 	/* sa_ignore FREED_MEMORY */
6700 	sp = TAILQ_FIRST(&strq->outqueue);
6701 	if (sp == NULL) {
6702 		*locked = 0;
6703 		if (send_lock_up == 0) {
6704 			SCTP_TCB_SEND_LOCK(stcb);
6705 			send_lock_up = 1;
6706 		}
6707 		sp = TAILQ_FIRST(&strq->outqueue);
6708 		if (sp) {
6709 			goto one_more_time;
6710 		}
6711 		if (strq->last_msg_incomplete) {
6712 			SCTP_PRINTF("Huh? Stream:%d lm_in_c=%d but queue is NULL\n",
6713 			    strq->stream_no,
6714 			    strq->last_msg_incomplete);
6715 			strq->last_msg_incomplete = 0;
6716 		}
6717 		to_move = 0;
6718 		if (send_lock_up) {
6719 			SCTP_TCB_SEND_UNLOCK(stcb);
6720 			send_lock_up = 0;
6721 		}
6722 		goto out_of;
6723 	}
6724 	if ((sp->msg_is_complete) && (sp->length == 0)) {
6725 		if (sp->sender_all_done) {
6726 			/*
6727 			 * We are doing differed cleanup. Last time through
6728 			 * when we took all the data the sender_all_done was
6729 			 * not set.
6730 			 */
6731 			if ((sp->put_last_out == 0) && (sp->discard_rest == 0)) {
6732 				SCTP_PRINTF("Gak, put out entire msg with NO end!-1\n");
6733 				SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
6734 				    sp->sender_all_done,
6735 				    sp->length,
6736 				    sp->msg_is_complete,
6737 				    sp->put_last_out,
6738 				    send_lock_up);
6739 			}
6740 			if ((TAILQ_NEXT(sp, next) == NULL) && (send_lock_up == 0)) {
6741 				SCTP_TCB_SEND_LOCK(stcb);
6742 				send_lock_up = 1;
6743 			}
6744 			atomic_subtract_int(&asoc->stream_queue_cnt, 1);
6745 			TAILQ_REMOVE(&strq->outqueue, sp, next);
6746 			if (sp->net) {
6747 				sctp_free_remote_addr(sp->net);
6748 				sp->net = NULL;
6749 			}
6750 			if (sp->data) {
6751 				sctp_m_freem(sp->data);
6752 				sp->data = NULL;
6753 			}
6754 			sctp_free_a_strmoq(stcb, sp);
6755 			/* we can't be locked to it */
6756 			*locked = 0;
6757 			stcb->asoc.locked_on_sending = NULL;
6758 			if (send_lock_up) {
6759 				SCTP_TCB_SEND_UNLOCK(stcb);
6760 				send_lock_up = 0;
6761 			}
6762 			/* back to get the next msg */
6763 			goto one_more_time;
6764 		} else {
6765 			/*
6766 			 * sender just finished this but still holds a
6767 			 * reference
6768 			 */
6769 			*locked = 1;
6770 			*giveup = 1;
6771 			to_move = 0;
6772 			goto out_of;
6773 		}
6774 	} else {
6775 		/* is there some to get */
6776 		if (sp->length == 0) {
6777 			/* no */
6778 			*locked = 1;
6779 			*giveup = 1;
6780 			to_move = 0;
6781 			goto out_of;
6782 		} else if (sp->discard_rest) {
6783 			if (send_lock_up == 0) {
6784 				SCTP_TCB_SEND_LOCK(stcb);
6785 				send_lock_up = 1;
6786 			}
6787 			/* Whack down the size */
6788 			atomic_subtract_int(&stcb->asoc.total_output_queue_size, sp->length);
6789 			if ((stcb->sctp_socket != NULL) && \
6790 			    ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
6791 			    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL))) {
6792 				atomic_subtract_int(&stcb->sctp_socket->so_snd.sb_cc, sp->length);
6793 			}
6794 			if (sp->data) {
6795 				sctp_m_freem(sp->data);
6796 				sp->data = NULL;
6797 				sp->tail_mbuf = NULL;
6798 			}
6799 			sp->length = 0;
6800 			sp->some_taken = 1;
6801 			*locked = 1;
6802 			*giveup = 1;
6803 			to_move = 0;
6804 			goto out_of;
6805 		}
6806 	}
6807 	some_taken = sp->some_taken;
6808 	if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
6809 		sp->msg_is_complete = 1;
6810 	}
6811 re_look:
6812 	length = sp->length;
6813 	if (sp->msg_is_complete) {
6814 		/* The message is complete */
6815 		to_move = min(length, frag_point);
6816 		if (to_move == length) {
6817 			/* All of it fits in the MTU */
6818 			if (sp->some_taken) {
6819 				rcv_flags |= SCTP_DATA_LAST_FRAG;
6820 				sp->put_last_out = 1;
6821 			} else {
6822 				rcv_flags |= SCTP_DATA_NOT_FRAG;
6823 				sp->put_last_out = 1;
6824 			}
6825 		} else {
6826 			/* Not all of it fits, we fragment */
6827 			if (sp->some_taken == 0) {
6828 				rcv_flags |= SCTP_DATA_FIRST_FRAG;
6829 			}
6830 			sp->some_taken = 1;
6831 		}
6832 	} else {
6833 		to_move = sctp_can_we_split_this(stcb, length, goal_mtu, frag_point, eeor_mode);
6834 		if (to_move) {
6835 			/*-
6836 			 * We use a snapshot of length in case it
6837 			 * is expanding during the compare.
6838 			 */
6839 			uint32_t llen;
6840 
6841 			llen = length;
6842 			if (to_move >= llen) {
6843 				to_move = llen;
6844 				if (send_lock_up == 0) {
6845 					/*-
6846 					 * We are taking all of an incomplete msg
6847 					 * thus we need a send lock.
6848 					 */
6849 					SCTP_TCB_SEND_LOCK(stcb);
6850 					send_lock_up = 1;
6851 					if (sp->msg_is_complete) {
6852 						/*
6853 						 * the sender finished the
6854 						 * msg
6855 						 */
6856 						goto re_look;
6857 					}
6858 				}
6859 			}
6860 			if (sp->some_taken == 0) {
6861 				rcv_flags |= SCTP_DATA_FIRST_FRAG;
6862 				sp->some_taken = 1;
6863 			}
6864 		} else {
6865 			/* Nothing to take. */
6866 			if (sp->some_taken) {
6867 				*locked = 1;
6868 			}
6869 			*giveup = 1;
6870 			to_move = 0;
6871 			goto out_of;
6872 		}
6873 	}
6874 
6875 	/* If we reach here, we can copy out a chunk */
6876 	sctp_alloc_a_chunk(stcb, chk);
6877 	if (chk == NULL) {
6878 		/* No chunk memory */
6879 		*giveup = 1;
6880 		to_move = 0;
6881 		goto out_of;
6882 	}
6883 	/*
6884 	 * Setup for unordered if needed by looking at the user sent info
6885 	 * flags.
6886 	 */
6887 	if (sp->sinfo_flags & SCTP_UNORDERED) {
6888 		rcv_flags |= SCTP_DATA_UNORDERED;
6889 	}
6890 	if ((SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) && ((sp->sinfo_flags & SCTP_EOF) == SCTP_EOF)) ||
6891 	    ((sp->sinfo_flags & SCTP_SACK_IMMEDIATELY) == SCTP_SACK_IMMEDIATELY)) {
6892 		rcv_flags |= SCTP_DATA_SACK_IMMEDIATELY;
6893 	}
6894 	/* clear out the chunk before setting up */
6895 	memset(chk, 0, sizeof(*chk));
6896 	chk->rec.data.rcv_flags = rcv_flags;
6897 
6898 	if (to_move >= length) {
6899 		/* we think we can steal the whole thing */
6900 		if ((sp->sender_all_done == 0) && (send_lock_up == 0)) {
6901 			SCTP_TCB_SEND_LOCK(stcb);
6902 			send_lock_up = 1;
6903 		}
6904 		if (to_move < sp->length) {
6905 			/* bail, it changed */
6906 			goto dont_do_it;
6907 		}
6908 		chk->data = sp->data;
6909 		chk->last_mbuf = sp->tail_mbuf;
6910 		/* register the stealing */
6911 		sp->data = sp->tail_mbuf = NULL;
6912 	} else {
6913 		struct mbuf *m;
6914 
6915 dont_do_it:
6916 		chk->data = SCTP_M_COPYM(sp->data, 0, to_move, M_DONTWAIT);
6917 		chk->last_mbuf = NULL;
6918 		if (chk->data == NULL) {
6919 			sp->some_taken = some_taken;
6920 			sctp_free_a_chunk(stcb, chk);
6921 			*bail = 1;
6922 			to_move = 0;
6923 			goto out_of;
6924 		}
6925 #ifdef SCTP_MBUF_LOGGING
6926 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
6927 			struct mbuf *mat;
6928 
6929 			mat = chk->data;
6930 			while (mat) {
6931 				if (SCTP_BUF_IS_EXTENDED(mat)) {
6932 					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
6933 				}
6934 				mat = SCTP_BUF_NEXT(mat);
6935 			}
6936 		}
6937 #endif
6938 		/* Pull off the data */
6939 		m_adj(sp->data, to_move);
6940 		/* Now lets work our way down and compact it */
6941 		m = sp->data;
6942 		while (m && (SCTP_BUF_LEN(m) == 0)) {
6943 			sp->data = SCTP_BUF_NEXT(m);
6944 			SCTP_BUF_NEXT(m) = NULL;
6945 			if (sp->tail_mbuf == m) {
6946 				/*-
6947 				 * Freeing tail? TSNH since
6948 				 * we supposedly were taking less
6949 				 * than the sp->length.
6950 				 */
6951 #ifdef INVARIANTS
6952 				panic("Huh, freing tail? - TSNH");
6953 #else
6954 				SCTP_PRINTF("Huh, freeing tail? - TSNH\n");
6955 				sp->tail_mbuf = sp->data = NULL;
6956 				sp->length = 0;
6957 #endif
6958 
6959 			}
6960 			sctp_m_free(m);
6961 			m = sp->data;
6962 		}
6963 	}
6964 	if (SCTP_BUF_IS_EXTENDED(chk->data)) {
6965 		chk->copy_by_ref = 1;
6966 	} else {
6967 		chk->copy_by_ref = 0;
6968 	}
6969 	/*
6970 	 * get last_mbuf and counts of mb useage This is ugly but hopefully
6971 	 * its only one mbuf.
6972 	 */
6973 	if (chk->last_mbuf == NULL) {
6974 		chk->last_mbuf = chk->data;
6975 		while (SCTP_BUF_NEXT(chk->last_mbuf) != NULL) {
6976 			chk->last_mbuf = SCTP_BUF_NEXT(chk->last_mbuf);
6977 		}
6978 	}
6979 	if (to_move > length) {
6980 		/*- This should not happen either
6981 		 * since we always lower to_move to the size
6982 		 * of sp->length if its larger.
6983 		 */
6984 #ifdef INVARIANTS
6985 		panic("Huh, how can to_move be larger?");
6986 #else
6987 		SCTP_PRINTF("Huh, how can to_move be larger?\n");
6988 		sp->length = 0;
6989 #endif
6990 	} else {
6991 		atomic_subtract_int(&sp->length, to_move);
6992 	}
6993 	if (M_LEADINGSPACE(chk->data) < (int)sizeof(struct sctp_data_chunk)) {
6994 		/* Not enough room for a chunk header, get some */
6995 		struct mbuf *m;
6996 
6997 		m = sctp_get_mbuf_for_msg(1, 0, M_DONTWAIT, 0, MT_DATA);
6998 		if (m == NULL) {
6999 			/*
7000 			 * we're in trouble here. _PREPEND below will free
7001 			 * all the data if there is no leading space, so we
7002 			 * must put the data back and restore.
7003 			 */
7004 			if (send_lock_up == 0) {
7005 				SCTP_TCB_SEND_LOCK(stcb);
7006 				send_lock_up = 1;
7007 			}
7008 			if (chk->data == NULL) {
7009 				/* unsteal the data */
7010 				sp->data = chk->data;
7011 				sp->tail_mbuf = chk->last_mbuf;
7012 			} else {
7013 				struct mbuf *m_tmp;
7014 
7015 				/* reassemble the data */
7016 				m_tmp = sp->data;
7017 				sp->data = chk->data;
7018 				SCTP_BUF_NEXT(chk->last_mbuf) = m_tmp;
7019 			}
7020 			sp->some_taken = some_taken;
7021 			atomic_add_int(&sp->length, to_move);
7022 			chk->data = NULL;
7023 			*bail = 1;
7024 			sctp_free_a_chunk(stcb, chk);
7025 			to_move = 0;
7026 			goto out_of;
7027 		} else {
7028 			SCTP_BUF_LEN(m) = 0;
7029 			SCTP_BUF_NEXT(m) = chk->data;
7030 			chk->data = m;
7031 			M_ALIGN(chk->data, 4);
7032 		}
7033 	}
7034 	SCTP_BUF_PREPEND(chk->data, sizeof(struct sctp_data_chunk), M_DONTWAIT);
7035 	if (chk->data == NULL) {
7036 		/* HELP, TSNH since we assured it would not above? */
7037 #ifdef INVARIANTS
7038 		panic("prepend failes HELP?");
7039 #else
7040 		SCTP_PRINTF("prepend fails HELP?\n");
7041 		sctp_free_a_chunk(stcb, chk);
7042 #endif
7043 		*bail = 1;
7044 		to_move = 0;
7045 		goto out_of;
7046 	}
7047 	sctp_snd_sb_alloc(stcb, sizeof(struct sctp_data_chunk));
7048 	chk->book_size = chk->send_size = (to_move + sizeof(struct sctp_data_chunk));
7049 	chk->book_size_scale = 0;
7050 	chk->sent = SCTP_DATAGRAM_UNSENT;
7051 
7052 	chk->flags = 0;
7053 	chk->asoc = &stcb->asoc;
7054 	chk->pad_inplace = 0;
7055 	chk->no_fr_allowed = 0;
7056 	chk->rec.data.stream_seq = sp->strseq;
7057 	chk->rec.data.stream_number = sp->stream;
7058 	chk->rec.data.payloadtype = sp->ppid;
7059 	chk->rec.data.context = sp->context;
7060 	chk->rec.data.doing_fast_retransmit = 0;
7061 	chk->rec.data.ect_nonce = 0;	/* ECN Nonce */
7062 
7063 	chk->rec.data.timetodrop = sp->ts;
7064 	chk->flags = sp->act_flags;
7065 
7066 	if (sp->net) {
7067 		chk->whoTo = sp->net;
7068 		atomic_add_int(&chk->whoTo->ref_count, 1);
7069 	} else
7070 		chk->whoTo = NULL;
7071 
7072 	if (sp->holds_key_ref) {
7073 		chk->auth_keyid = sp->auth_keyid;
7074 		sctp_auth_key_acquire(stcb, chk->auth_keyid);
7075 		chk->holds_key_ref = 1;
7076 	}
7077 	chk->rec.data.TSN_seq = atomic_fetchadd_int(&asoc->sending_seq, 1);
7078 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_AT_SEND_2_OUTQ) {
7079 		sctp_misc_ints(SCTP_STRMOUT_LOG_SEND,
7080 		    (uintptr_t) stcb, sp->length,
7081 		    (uint32_t) ((chk->rec.data.stream_number << 16) | chk->rec.data.stream_seq),
7082 		    chk->rec.data.TSN_seq);
7083 	}
7084 	dchkh = mtod(chk->data, struct sctp_data_chunk *);
7085 	/*
7086 	 * Put the rest of the things in place now. Size was done earlier in
7087 	 * previous loop prior to padding.
7088 	 */
7089 
7090 #ifdef SCTP_ASOCLOG_OF_TSNS
7091 	SCTP_TCB_LOCK_ASSERT(stcb);
7092 	if (asoc->tsn_out_at >= SCTP_TSN_LOG_SIZE) {
7093 		asoc->tsn_out_at = 0;
7094 		asoc->tsn_out_wrapped = 1;
7095 	}
7096 	asoc->out_tsnlog[asoc->tsn_out_at].tsn = chk->rec.data.TSN_seq;
7097 	asoc->out_tsnlog[asoc->tsn_out_at].strm = chk->rec.data.stream_number;
7098 	asoc->out_tsnlog[asoc->tsn_out_at].seq = chk->rec.data.stream_seq;
7099 	asoc->out_tsnlog[asoc->tsn_out_at].sz = chk->send_size;
7100 	asoc->out_tsnlog[asoc->tsn_out_at].flgs = chk->rec.data.rcv_flags;
7101 	asoc->out_tsnlog[asoc->tsn_out_at].stcb = (void *)stcb;
7102 	asoc->out_tsnlog[asoc->tsn_out_at].in_pos = asoc->tsn_out_at;
7103 	asoc->out_tsnlog[asoc->tsn_out_at].in_out = 2;
7104 	asoc->tsn_out_at++;
7105 #endif
7106 
7107 	dchkh->ch.chunk_type = SCTP_DATA;
7108 	dchkh->ch.chunk_flags = chk->rec.data.rcv_flags;
7109 	dchkh->dp.tsn = htonl(chk->rec.data.TSN_seq);
7110 	dchkh->dp.stream_id = htons(strq->stream_no);
7111 	dchkh->dp.stream_sequence = htons(chk->rec.data.stream_seq);
7112 	dchkh->dp.protocol_id = chk->rec.data.payloadtype;
7113 	dchkh->ch.chunk_length = htons(chk->send_size);
7114 	/* Now advance the chk->send_size by the actual pad needed. */
7115 	if (chk->send_size < SCTP_SIZE32(chk->book_size)) {
7116 		/* need a pad */
7117 		struct mbuf *lm;
7118 		int pads;
7119 
7120 		pads = SCTP_SIZE32(chk->book_size) - chk->send_size;
7121 		if (sctp_pad_lastmbuf(chk->data, pads, chk->last_mbuf) == 0) {
7122 			chk->pad_inplace = 1;
7123 		}
7124 		if ((lm = SCTP_BUF_NEXT(chk->last_mbuf)) != NULL) {
7125 			/* pad added an mbuf */
7126 			chk->last_mbuf = lm;
7127 		}
7128 		chk->send_size += pads;
7129 	}
7130 	/* We only re-set the policy if it is on */
7131 	if (sp->pr_sctp_on) {
7132 		sctp_set_prsctp_policy(sp);
7133 		asoc->pr_sctp_cnt++;
7134 		chk->pr_sctp_on = 1;
7135 	} else {
7136 		chk->pr_sctp_on = 0;
7137 	}
7138 	if (sp->msg_is_complete && (sp->length == 0) && (sp->sender_all_done)) {
7139 		/* All done pull and kill the message */
7140 		atomic_subtract_int(&asoc->stream_queue_cnt, 1);
7141 		if (sp->put_last_out == 0) {
7142 			SCTP_PRINTF("Gak, put out entire msg with NO end!-2\n");
7143 			SCTP_PRINTF("sender_done:%d len:%d msg_comp:%d put_last_out:%d send_lock:%d\n",
7144 			    sp->sender_all_done,
7145 			    sp->length,
7146 			    sp->msg_is_complete,
7147 			    sp->put_last_out,
7148 			    send_lock_up);
7149 		}
7150 		if ((send_lock_up == 0) && (TAILQ_NEXT(sp, next) == NULL)) {
7151 			SCTP_TCB_SEND_LOCK(stcb);
7152 			send_lock_up = 1;
7153 		}
7154 		TAILQ_REMOVE(&strq->outqueue, sp, next);
7155 		if (sp->net) {
7156 			sctp_free_remote_addr(sp->net);
7157 			sp->net = NULL;
7158 		}
7159 		if (sp->data) {
7160 			sctp_m_freem(sp->data);
7161 			sp->data = NULL;
7162 		}
7163 		sctp_free_a_strmoq(stcb, sp);
7164 
7165 		/* we can't be locked to it */
7166 		*locked = 0;
7167 		stcb->asoc.locked_on_sending = NULL;
7168 	} else {
7169 		/* more to go, we are locked */
7170 		*locked = 1;
7171 	}
7172 	asoc->chunks_on_out_queue++;
7173 	TAILQ_INSERT_TAIL(&asoc->send_queue, chk, sctp_next);
7174 	asoc->send_queue_cnt++;
7175 out_of:
7176 	if (send_lock_up) {
7177 		SCTP_TCB_SEND_UNLOCK(stcb);
7178 		send_lock_up = 0;
7179 	}
7180 	return (to_move);
7181 }
7182 
7183 
7184 static struct sctp_stream_out *
7185 sctp_select_a_stream(struct sctp_tcb *stcb, struct sctp_association *asoc)
7186 {
7187 	struct sctp_stream_out *strq;
7188 
7189 	/* Find the next stream to use */
7190 	if (asoc->last_out_stream == NULL) {
7191 		strq = TAILQ_FIRST(&asoc->out_wheel);
7192 	} else {
7193 		strq = TAILQ_NEXT(asoc->last_out_stream, next_spoke);
7194 		if (strq == NULL) {
7195 			strq = TAILQ_FIRST(&asoc->out_wheel);
7196 		}
7197 	}
7198 	return (strq);
7199 }
7200 
7201 
7202 static void
7203 sctp_fill_outqueue(struct sctp_tcb *stcb,
7204     struct sctp_nets *net, int frag_point, int eeor_mode, int *quit_now)
7205 {
7206 	struct sctp_association *asoc;
7207 	struct sctp_stream_out *strq, *strqn;
7208 	int goal_mtu, moved_how_much, total_moved = 0, bail = 0;
7209 	int locked, giveup;
7210 	struct sctp_stream_queue_pending *sp;
7211 
7212 	SCTP_TCB_LOCK_ASSERT(stcb);
7213 	asoc = &stcb->asoc;
7214 #ifdef INET6
7215 	if (net->ro._l_addr.sin6.sin6_family == AF_INET6) {
7216 		goal_mtu = net->mtu - SCTP_MIN_OVERHEAD;
7217 	} else {
7218 		/* ?? not sure what else to do */
7219 		goal_mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
7220 	}
7221 #else
7222 	goal_mtu = net->mtu - SCTP_MIN_OVERHEAD;
7223 #endif
7224 	/* Need an allowance for the data chunk header too */
7225 	goal_mtu -= sizeof(struct sctp_data_chunk);
7226 
7227 	/* must make even word boundary */
7228 	goal_mtu &= 0xfffffffc;
7229 	if (asoc->locked_on_sending) {
7230 		/* We are stuck on one stream until the message completes. */
7231 		strq = asoc->locked_on_sending;
7232 		locked = 1;
7233 	} else {
7234 		strq = sctp_select_a_stream(stcb, asoc);
7235 		locked = 0;
7236 	}
7237 	strqn = strq;
7238 	while ((goal_mtu > 0) && strq) {
7239 		sp = TAILQ_FIRST(&strq->outqueue);
7240 		if (sp == NULL) {
7241 			break;
7242 		}
7243 		/**
7244 		 * Honor the users' choice if given. If not given,
7245 		 * pull it only to the primary path in case of not using
7246 		 * CMT.
7247 		 */
7248 		if (((sp->net != NULL) &&
7249 		    (sp->net != net)) ||
7250 		    ((sp->net == NULL) &&
7251 		    (asoc->sctp_cmt_on_off == 0) &&
7252 		    (asoc->primary_destination != net))) {
7253 			/* Do not pull to this network */
7254 			if (locked) {
7255 				break;
7256 			} else {
7257 				strq = sctp_select_a_stream(stcb, asoc);
7258 				if (strq == NULL)
7259 					/* none left */
7260 					break;
7261 				if (strqn == strq) {
7262 					/* I have circled */
7263 					break;
7264 				}
7265 				continue;
7266 			}
7267 		}
7268 		giveup = 0;
7269 		bail = 0;
7270 		moved_how_much = sctp_move_to_outqueue(stcb, strq, goal_mtu, frag_point, &locked,
7271 		    &giveup, eeor_mode, &bail);
7272 		if (moved_how_much)
7273 			asoc->last_out_stream = strq;
7274 
7275 		if (locked) {
7276 			asoc->locked_on_sending = strq;
7277 			if ((moved_how_much == 0) || (giveup) || bail)
7278 				/* no more to move for now */
7279 				break;
7280 		} else {
7281 			asoc->locked_on_sending = NULL;
7282 			if (TAILQ_EMPTY(&strq->outqueue)) {
7283 				if (strq == strqn) {
7284 					/* Must move start to next one */
7285 					strqn = TAILQ_NEXT(strq, next_spoke);
7286 					if (strqn == NULL) {
7287 						strqn = TAILQ_FIRST(&asoc->out_wheel);
7288 						if (strqn == NULL) {
7289 							break;
7290 						}
7291 					}
7292 				}
7293 				sctp_remove_from_wheel(stcb, asoc, strq, 0);
7294 			}
7295 			if ((giveup) || bail) {
7296 				break;
7297 			}
7298 			strq = sctp_select_a_stream(stcb, asoc);
7299 			if (strq == NULL) {
7300 				break;
7301 			}
7302 		}
7303 		total_moved += moved_how_much;
7304 		goal_mtu -= (moved_how_much + sizeof(struct sctp_data_chunk));
7305 		goal_mtu &= 0xfffffffc;
7306 	}
7307 	if (bail)
7308 		*quit_now = 1;
7309 
7310 	if (total_moved == 0) {
7311 		if ((stcb->asoc.sctp_cmt_on_off == 0) &&
7312 		    (net == stcb->asoc.primary_destination)) {
7313 			/* ran dry for primary network net */
7314 			SCTP_STAT_INCR(sctps_primary_randry);
7315 		} else if (stcb->asoc.sctp_cmt_on_off > 0) {
7316 			/* ran dry with CMT on */
7317 			SCTP_STAT_INCR(sctps_cmt_randry);
7318 		}
7319 	}
7320 }
7321 
7322 void
7323 sctp_fix_ecn_echo(struct sctp_association *asoc)
7324 {
7325 	struct sctp_tmit_chunk *chk;
7326 
7327 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
7328 		if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
7329 			chk->sent = SCTP_DATAGRAM_UNSENT;
7330 		}
7331 	}
7332 }
7333 
7334 void
7335 sctp_move_chunks_from_net(struct sctp_tcb *stcb, struct sctp_nets *net)
7336 {
7337 	struct sctp_association *asoc;
7338 	struct sctp_stream_out *outs;
7339 	struct sctp_tmit_chunk *chk;
7340 	struct sctp_stream_queue_pending *sp;
7341 
7342 	if (net == NULL) {
7343 		return;
7344 	}
7345 	asoc = &stcb->asoc;
7346 	TAILQ_FOREACH(outs, &asoc->out_wheel, next_spoke) {
7347 		TAILQ_FOREACH(sp, &outs->outqueue, next) {
7348 			if (sp->net == net) {
7349 				sctp_free_remote_addr(sp->net);
7350 				sp->net = NULL;
7351 			}
7352 		}
7353 	}
7354 	TAILQ_FOREACH(chk, &asoc->send_queue, sctp_next) {
7355 		if (chk->whoTo == net) {
7356 			sctp_free_remote_addr(chk->whoTo);
7357 			chk->whoTo = NULL;
7358 		}
7359 	}
7360 }
7361 
7362 int
7363 sctp_med_chunk_output(struct sctp_inpcb *inp,
7364     struct sctp_tcb *stcb,
7365     struct sctp_association *asoc,
7366     int *num_out,
7367     int *reason_code,
7368     int control_only, int from_where,
7369     struct timeval *now, int *now_filled, int frag_point, int so_locked
7370 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
7371     SCTP_UNUSED
7372 #endif
7373 )
7374 {
7375 	/*
7376 	 * Ok this is the generic chunk service queue. we must do the
7377 	 * following: - Service the stream queue that is next, moving any
7378 	 * message (note I must get a complete message i.e. FIRST/MIDDLE and
7379 	 * LAST to the out queue in one pass) and assigning TSN's - Check to
7380 	 * see if the cwnd/rwnd allows any output, if so we go ahead and
7381 	 * fomulate and send the low level chunks. Making sure to combine
7382 	 * any control in the control chunk queue also.
7383 	 */
7384 	struct sctp_nets *net, *start_at, *old_start_at = NULL;
7385 	struct mbuf *outchain, *endoutchain;
7386 	struct sctp_tmit_chunk *chk, *nchk;
7387 
7388 	/* temp arrays for unlinking */
7389 	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
7390 	int no_fragmentflg, error;
7391 	unsigned int max_rwnd_per_dest, max_send_per_dest;
7392 	int one_chunk, hbflag, skip_data_for_this_net;
7393 	int asconf, cookie, no_out_cnt;
7394 	int bundle_at, ctl_cnt, no_data_chunks, eeor_mode;
7395 	unsigned int mtu, r_mtu, omtu, mx_mtu, to_out;
7396 	int tsns_sent = 0;
7397 	uint32_t auth_offset = 0;
7398 	struct sctp_auth_chunk *auth = NULL;
7399 	uint16_t auth_keyid;
7400 	int override_ok = 1;
7401 	int data_auth_reqd = 0;
7402 
7403 	/*
7404 	 * JRS 5/14/07 - Add flag for whether a heartbeat is sent to the
7405 	 * destination.
7406 	 */
7407 	int pf_hbflag = 0;
7408 	int quit_now = 0;
7409 
7410 	*num_out = 0;
7411 	auth_keyid = stcb->asoc.authinfo.active_keyid;
7412 
7413 	if ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) ||
7414 	    (asoc->state & SCTP_STATE_SHUTDOWN_RECEIVED) ||
7415 	    (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR))) {
7416 		eeor_mode = 1;
7417 	} else {
7418 		eeor_mode = 0;
7419 	}
7420 	ctl_cnt = no_out_cnt = asconf = cookie = 0;
7421 	/*
7422 	 * First lets prime the pump. For each destination, if there is room
7423 	 * in the flight size, attempt to pull an MTU's worth out of the
7424 	 * stream queues into the general send_queue
7425 	 */
7426 #ifdef SCTP_AUDITING_ENABLED
7427 	sctp_audit_log(0xC2, 2);
7428 #endif
7429 	SCTP_TCB_LOCK_ASSERT(stcb);
7430 	hbflag = 0;
7431 	if ((control_only) || (asoc->stream_reset_outstanding))
7432 		no_data_chunks = 1;
7433 	else
7434 		no_data_chunks = 0;
7435 
7436 	/* Nothing to possible to send? */
7437 	if (TAILQ_EMPTY(&asoc->control_send_queue) &&
7438 	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7439 	    TAILQ_EMPTY(&asoc->send_queue) &&
7440 	    TAILQ_EMPTY(&asoc->out_wheel)) {
7441 		*reason_code = 9;
7442 		return (0);
7443 	}
7444 	if (asoc->peers_rwnd == 0) {
7445 		/* No room in peers rwnd */
7446 		*reason_code = 1;
7447 		if (asoc->total_flight > 0) {
7448 			/* we are allowed one chunk in flight */
7449 			no_data_chunks = 1;
7450 		}
7451 	}
7452 	max_rwnd_per_dest = ((asoc->peers_rwnd + asoc->total_flight) / asoc->numnets);
7453 	if (stcb->sctp_socket)
7454 		max_send_per_dest = SCTP_SB_LIMIT_SND(stcb->sctp_socket) / asoc->numnets;
7455 	else
7456 		max_send_per_dest = 0;
7457 	if ((no_data_chunks == 0) && (!TAILQ_EMPTY(&asoc->out_wheel))) {
7458 		TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
7459 			/*
7460 			 * This for loop we are in takes in each net, if
7461 			 * its's got space in cwnd and has data sent to it
7462 			 * (when CMT is off) then it calls
7463 			 * sctp_fill_outqueue for the net. This gets data on
7464 			 * the send queue for that network.
7465 			 *
7466 			 * In sctp_fill_outqueue TSN's are assigned and data is
7467 			 * copied out of the stream buffers. Note mostly
7468 			 * copy by reference (we hope).
7469 			 */
7470 			net->window_probe = 0;
7471 			if ((net->dest_state & SCTP_ADDR_NOT_REACHABLE) ||
7472 			    (net->dest_state & SCTP_ADDR_UNCONFIRMED)) {
7473 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7474 					sctp_log_cwnd(stcb, net, 1,
7475 					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7476 				}
7477 				continue;
7478 			}
7479 			if ((asoc->sctp_cmt_on_off == 0) &&
7480 			    (asoc->primary_destination != net) &&
7481 			    (net->ref_count < 2)) {
7482 				/* nothing can be in queue for this guy */
7483 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7484 					sctp_log_cwnd(stcb, net, 2,
7485 					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7486 				}
7487 				continue;
7488 			}
7489 			if (net->flight_size >= net->cwnd) {
7490 				/* skip this network, no room - can't fill */
7491 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7492 					sctp_log_cwnd(stcb, net, 3,
7493 					    SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7494 				}
7495 				continue;
7496 			}
7497 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
7498 				sctp_log_cwnd(stcb, net, 4, SCTP_CWND_LOG_FILL_OUTQ_CALLED);
7499 			}
7500 			sctp_fill_outqueue(stcb, net, frag_point, eeor_mode, &quit_now);
7501 			if (quit_now) {
7502 				/* memory alloc failure */
7503 				no_data_chunks = 1;
7504 				break;
7505 			}
7506 		}
7507 	}
7508 	/* now service each destination and send out what we can for it */
7509 	/* Nothing to send? */
7510 	if (TAILQ_EMPTY(&asoc->control_send_queue) &&
7511 	    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7512 	    TAILQ_EMPTY(&asoc->send_queue)) {
7513 		*reason_code = 8;
7514 		return (0);
7515 	}
7516 	if (asoc->sctp_cmt_on_off > 0) {
7517 		/* get the last start point */
7518 		start_at = asoc->last_net_cmt_send_started;
7519 		if (start_at == NULL) {
7520 			/* null so to beginning */
7521 			start_at = TAILQ_FIRST(&asoc->nets);
7522 		} else {
7523 			start_at = TAILQ_NEXT(asoc->last_net_cmt_send_started, sctp_next);
7524 			if (start_at == NULL) {
7525 				start_at = TAILQ_FIRST(&asoc->nets);
7526 			}
7527 		}
7528 		asoc->last_net_cmt_send_started = start_at;
7529 	} else {
7530 		start_at = TAILQ_FIRST(&asoc->nets);
7531 	}
7532 	old_start_at = NULL;
7533 again_one_more_time:
7534 	for (net = start_at; net != NULL; net = TAILQ_NEXT(net, sctp_next)) {
7535 		/* how much can we send? */
7536 		/* SCTPDBG("Examine for sending net:%x\n", (uint32_t)net); */
7537 		if (old_start_at && (old_start_at == net)) {
7538 			/* through list ocmpletely. */
7539 			break;
7540 		}
7541 		tsns_sent = 0xa;
7542 		if ((asoc->sctp_cmt_on_off == 0) &&
7543 		    (asoc->primary_destination != net) &&
7544 		    (net->ref_count < 2)) {
7545 			/*
7546 			 * Ref-count of 1 so we cannot have data or control
7547 			 * queued to this address. Skip it (non-CMT).
7548 			 */
7549 			continue;
7550 		}
7551 		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
7552 		    TAILQ_EMPTY(&asoc->asconf_send_queue) &&
7553 		    (net->flight_size >= net->cwnd)) {
7554 			/*
7555 			 * Nothing on control or asconf and flight is full,
7556 			 * we can skip even in the CMT case.
7557 			 */
7558 			continue;
7559 		}
7560 		ctl_cnt = bundle_at = 0;
7561 		endoutchain = outchain = NULL;
7562 		no_fragmentflg = 1;
7563 		one_chunk = 0;
7564 		if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
7565 			skip_data_for_this_net = 1;
7566 		} else {
7567 			skip_data_for_this_net = 0;
7568 		}
7569 		if ((net->ro.ro_rt) && (net->ro.ro_rt->rt_ifp)) {
7570 			/*
7571 			 * if we have a route and an ifp check to see if we
7572 			 * have room to send to this guy
7573 			 */
7574 			struct ifnet *ifp;
7575 
7576 			ifp = net->ro.ro_rt->rt_ifp;
7577 			if ((ifp->if_snd.ifq_len + 2) >= ifp->if_snd.ifq_maxlen) {
7578 				SCTP_STAT_INCR(sctps_ifnomemqueued);
7579 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
7580 					sctp_log_maxburst(stcb, net, ifp->if_snd.ifq_len, ifp->if_snd.ifq_maxlen, SCTP_MAX_IFP_APPLIED);
7581 				}
7582 				continue;
7583 			}
7584 		}
7585 		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
7586 		case AF_INET:
7587 			mtu = net->mtu - (sizeof(struct ip) + sizeof(struct sctphdr));
7588 			break;
7589 #ifdef INET6
7590 		case AF_INET6:
7591 			mtu = net->mtu - (sizeof(struct ip6_hdr) + sizeof(struct sctphdr));
7592 			break;
7593 #endif
7594 		default:
7595 			/* TSNH */
7596 			mtu = net->mtu;
7597 			break;
7598 		}
7599 		mx_mtu = mtu;
7600 		to_out = 0;
7601 		if (mtu > asoc->peers_rwnd) {
7602 			if (asoc->total_flight > 0) {
7603 				/* We have a packet in flight somewhere */
7604 				r_mtu = asoc->peers_rwnd;
7605 			} else {
7606 				/* We are always allowed to send one MTU out */
7607 				one_chunk = 1;
7608 				r_mtu = mtu;
7609 			}
7610 		} else {
7611 			r_mtu = mtu;
7612 		}
7613 		/************************/
7614 		/* ASCONF transmission */
7615 		/************************/
7616 		/* Now first lets go through the asconf queue */
7617 		TAILQ_FOREACH_SAFE(chk, &asoc->asconf_send_queue, sctp_next, nchk) {
7618 			if (chk->rec.chunk_id.id != SCTP_ASCONF) {
7619 				continue;
7620 			}
7621 			if (chk->whoTo != net) {
7622 				/*
7623 				 * No, not sent to the network we are
7624 				 * looking at
7625 				 */
7626 				break;
7627 			}
7628 			if (chk->data == NULL) {
7629 				break;
7630 			}
7631 			if (chk->sent != SCTP_DATAGRAM_UNSENT &&
7632 			    chk->sent != SCTP_DATAGRAM_RESEND) {
7633 				break;
7634 			}
7635 			/*
7636 			 * if no AUTH is yet included and this chunk
7637 			 * requires it, make sure to account for it.  We
7638 			 * don't apply the size until the AUTH chunk is
7639 			 * actually added below in case there is no room for
7640 			 * this chunk. NOTE: we overload the use of "omtu"
7641 			 * here
7642 			 */
7643 			if ((auth == NULL) &&
7644 			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
7645 			    stcb->asoc.peer_auth_chunks)) {
7646 				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
7647 			} else
7648 				omtu = 0;
7649 			/* Here we do NOT factor the r_mtu */
7650 			if ((chk->send_size < (int)(mtu - omtu)) ||
7651 			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
7652 				/*
7653 				 * We probably should glom the mbuf chain
7654 				 * from the chk->data for control but the
7655 				 * problem is it becomes yet one more level
7656 				 * of tracking to do if for some reason
7657 				 * output fails. Then I have got to
7658 				 * reconstruct the merged control chain.. el
7659 				 * yucko.. for now we take the easy way and
7660 				 * do the copy
7661 				 */
7662 				/*
7663 				 * Add an AUTH chunk, if chunk requires it
7664 				 * save the offset into the chain for AUTH
7665 				 */
7666 				if ((auth == NULL) &&
7667 				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
7668 				    stcb->asoc.peer_auth_chunks))) {
7669 					outchain = sctp_add_auth_chunk(outchain,
7670 					    &endoutchain,
7671 					    &auth,
7672 					    &auth_offset,
7673 					    stcb,
7674 					    chk->rec.chunk_id.id);
7675 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
7676 				}
7677 				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
7678 				    (int)chk->rec.chunk_id.can_take_data,
7679 				    chk->send_size, chk->copy_by_ref);
7680 				if (outchain == NULL) {
7681 					*reason_code = 8;
7682 					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
7683 					return (ENOMEM);
7684 				}
7685 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
7686 				/* update our MTU size */
7687 				if (mtu > (chk->send_size + omtu))
7688 					mtu -= (chk->send_size + omtu);
7689 				else
7690 					mtu = 0;
7691 				to_out += (chk->send_size + omtu);
7692 				/* Do clear IP_DF ? */
7693 				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
7694 					no_fragmentflg = 0;
7695 				}
7696 				if (chk->rec.chunk_id.can_take_data)
7697 					chk->data = NULL;
7698 				/*
7699 				 * set hb flag since we can use these for
7700 				 * RTO
7701 				 */
7702 				hbflag = 1;
7703 				asconf = 1;
7704 				/*
7705 				 * should sysctl this: don't bundle data
7706 				 * with ASCONF since it requires AUTH
7707 				 */
7708 				no_data_chunks = 1;
7709 				chk->sent = SCTP_DATAGRAM_SENT;
7710 				chk->snd_count++;
7711 				if (mtu == 0) {
7712 					/*
7713 					 * Ok we are out of room but we can
7714 					 * output without effecting the
7715 					 * flight size since this little guy
7716 					 * is a control only packet.
7717 					 */
7718 					sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
7719 					/*
7720 					 * do NOT clear the asconf flag as
7721 					 * it is used to do appropriate
7722 					 * source address selection.
7723 					 */
7724 					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
7725 					    (struct sockaddr *)&net->ro._l_addr,
7726 					    outchain, auth_offset, auth,
7727 					    stcb->asoc.authinfo.active_keyid,
7728 					    no_fragmentflg, 0, NULL, asconf,
7729 					    inp->sctp_lport, stcb->rport,
7730 					    htonl(stcb->asoc.peer_vtag),
7731 					    net->port, so_locked, NULL))) {
7732 						if (error == ENOBUFS) {
7733 							asoc->ifp_had_enobuf = 1;
7734 							SCTP_STAT_INCR(sctps_lowlevelerr);
7735 						}
7736 						if (from_where == 0) {
7737 							SCTP_STAT_INCR(sctps_lowlevelerrusr);
7738 						}
7739 						if (*now_filled == 0) {
7740 							(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
7741 							*now_filled = 1;
7742 							*now = net->last_sent_time;
7743 						} else {
7744 							net->last_sent_time = *now;
7745 						}
7746 						hbflag = 0;
7747 						/* error, could not output */
7748 						if (error == EHOSTUNREACH) {
7749 							/*
7750 							 * Destination went
7751 							 * unreachable
7752 							 * during this send
7753 							 */
7754 							sctp_move_chunks_from_net(stcb, net);
7755 						}
7756 						*reason_code = 7;
7757 						continue;
7758 					} else
7759 						asoc->ifp_had_enobuf = 0;
7760 					if (*now_filled == 0) {
7761 						(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
7762 						*now_filled = 1;
7763 						*now = net->last_sent_time;
7764 					} else {
7765 						net->last_sent_time = *now;
7766 					}
7767 					hbflag = 0;
7768 					/*
7769 					 * increase the number we sent, if a
7770 					 * cookie is sent we don't tell them
7771 					 * any was sent out.
7772 					 */
7773 					outchain = endoutchain = NULL;
7774 					auth = NULL;
7775 					auth_offset = 0;
7776 					if (!no_out_cnt)
7777 						*num_out += ctl_cnt;
7778 					/* recalc a clean slate and setup */
7779 					if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
7780 						mtu = (net->mtu - SCTP_MIN_OVERHEAD);
7781 					} else {
7782 						mtu = (net->mtu - SCTP_MIN_V4_OVERHEAD);
7783 					}
7784 					to_out = 0;
7785 					no_fragmentflg = 1;
7786 				}
7787 			}
7788 		}
7789 		/************************/
7790 		/* Control transmission */
7791 		/************************/
7792 		/* Now first lets go through the control queue */
7793 		TAILQ_FOREACH_SAFE(chk, &asoc->control_send_queue, sctp_next, nchk) {
7794 			if (chk->whoTo != net) {
7795 				/*
7796 				 * No, not sent to the network we are
7797 				 * looking at
7798 				 */
7799 				continue;
7800 			}
7801 			if (chk->data == NULL) {
7802 				continue;
7803 			}
7804 			if (chk->sent != SCTP_DATAGRAM_UNSENT) {
7805 				/*
7806 				 * It must be unsent. Cookies and ASCONF's
7807 				 * hang around but there timers will force
7808 				 * when marked for resend.
7809 				 */
7810 				continue;
7811 			}
7812 			/*
7813 			 * if no AUTH is yet included and this chunk
7814 			 * requires it, make sure to account for it.  We
7815 			 * don't apply the size until the AUTH chunk is
7816 			 * actually added below in case there is no room for
7817 			 * this chunk. NOTE: we overload the use of "omtu"
7818 			 * here
7819 			 */
7820 			if ((auth == NULL) &&
7821 			    sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
7822 			    stcb->asoc.peer_auth_chunks)) {
7823 				omtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
7824 			} else
7825 				omtu = 0;
7826 			/* Here we do NOT factor the r_mtu */
7827 			if ((chk->send_size <= (int)(mtu - omtu)) ||
7828 			    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
7829 				/*
7830 				 * We probably should glom the mbuf chain
7831 				 * from the chk->data for control but the
7832 				 * problem is it becomes yet one more level
7833 				 * of tracking to do if for some reason
7834 				 * output fails. Then I have got to
7835 				 * reconstruct the merged control chain.. el
7836 				 * yucko.. for now we take the easy way and
7837 				 * do the copy
7838 				 */
7839 				/*
7840 				 * Add an AUTH chunk, if chunk requires it
7841 				 * save the offset into the chain for AUTH
7842 				 */
7843 				if ((auth == NULL) &&
7844 				    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
7845 				    stcb->asoc.peer_auth_chunks))) {
7846 					outchain = sctp_add_auth_chunk(outchain,
7847 					    &endoutchain,
7848 					    &auth,
7849 					    &auth_offset,
7850 					    stcb,
7851 					    chk->rec.chunk_id.id);
7852 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
7853 				}
7854 				outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain,
7855 				    (int)chk->rec.chunk_id.can_take_data,
7856 				    chk->send_size, chk->copy_by_ref);
7857 				if (outchain == NULL) {
7858 					*reason_code = 8;
7859 					SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
7860 					return (ENOMEM);
7861 				}
7862 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
7863 				/* update our MTU size */
7864 				if (mtu > (chk->send_size + omtu))
7865 					mtu -= (chk->send_size + omtu);
7866 				else
7867 					mtu = 0;
7868 				to_out += (chk->send_size + omtu);
7869 				/* Do clear IP_DF ? */
7870 				if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
7871 					no_fragmentflg = 0;
7872 				}
7873 				if (chk->rec.chunk_id.can_take_data)
7874 					chk->data = NULL;
7875 				/* Mark things to be removed, if needed */
7876 				if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7877 				    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK) ||	/* EY */
7878 				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) ||
7879 				    (chk->rec.chunk_id.id == SCTP_HEARTBEAT_ACK) ||
7880 				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN) ||
7881 				    (chk->rec.chunk_id.id == SCTP_SHUTDOWN_ACK) ||
7882 				    (chk->rec.chunk_id.id == SCTP_OPERATION_ERROR) ||
7883 				    (chk->rec.chunk_id.id == SCTP_COOKIE_ACK) ||
7884 				    (chk->rec.chunk_id.id == SCTP_ECN_CWR) ||
7885 				    (chk->rec.chunk_id.id == SCTP_PACKET_DROPPED) ||
7886 				    (chk->rec.chunk_id.id == SCTP_ASCONF_ACK)) {
7887 
7888 					if (chk->rec.chunk_id.id == SCTP_HEARTBEAT_REQUEST) {
7889 						hbflag = 1;
7890 						/*
7891 						 * JRS 5/14/07 - Set the
7892 						 * flag to say a heartbeat
7893 						 * is being sent.
7894 						 */
7895 						pf_hbflag = 1;
7896 					}
7897 					/* remove these chunks at the end */
7898 					if ((chk->rec.chunk_id.id == SCTP_SELECTIVE_ACK) ||
7899 					    (chk->rec.chunk_id.id == SCTP_NR_SELECTIVE_ACK)) {
7900 						/* turn off the timer */
7901 						if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
7902 							sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
7903 							    inp, stcb, net, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_1);
7904 						}
7905 					}
7906 					ctl_cnt++;
7907 				} else {
7908 					/*
7909 					 * Other chunks, since they have
7910 					 * timers running (i.e. COOKIE) we
7911 					 * just "trust" that it gets sent or
7912 					 * retransmitted.
7913 					 */
7914 					ctl_cnt++;
7915 					if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
7916 						cookie = 1;
7917 						no_out_cnt = 1;
7918 					}
7919 					chk->sent = SCTP_DATAGRAM_SENT;
7920 					chk->snd_count++;
7921 				}
7922 				if (mtu == 0) {
7923 					/*
7924 					 * Ok we are out of room but we can
7925 					 * output without effecting the
7926 					 * flight size since this little guy
7927 					 * is a control only packet.
7928 					 */
7929 					if (asconf) {
7930 						sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, net);
7931 						/*
7932 						 * do NOT clear the asconf
7933 						 * flag as it is used to do
7934 						 * appropriate source
7935 						 * address selection.
7936 						 */
7937 					}
7938 					if (cookie) {
7939 						sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
7940 						cookie = 0;
7941 					}
7942 					if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
7943 					    (struct sockaddr *)&net->ro._l_addr,
7944 					    outchain,
7945 					    auth_offset, auth,
7946 					    stcb->asoc.authinfo.active_keyid,
7947 					    no_fragmentflg, 0, NULL, asconf,
7948 					    inp->sctp_lport, stcb->rport,
7949 					    htonl(stcb->asoc.peer_vtag),
7950 					    net->port, so_locked, NULL))) {
7951 						if (error == ENOBUFS) {
7952 							asoc->ifp_had_enobuf = 1;
7953 							SCTP_STAT_INCR(sctps_lowlevelerr);
7954 						}
7955 						if (from_where == 0) {
7956 							SCTP_STAT_INCR(sctps_lowlevelerrusr);
7957 						}
7958 						/* error, could not output */
7959 						if (hbflag) {
7960 							if (*now_filled == 0) {
7961 								(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
7962 								*now_filled = 1;
7963 								*now = net->last_sent_time;
7964 							} else {
7965 								net->last_sent_time = *now;
7966 							}
7967 							hbflag = 0;
7968 						}
7969 						if (error == EHOSTUNREACH) {
7970 							/*
7971 							 * Destination went
7972 							 * unreachable
7973 							 * during this send
7974 							 */
7975 							sctp_move_chunks_from_net(stcb, net);
7976 						}
7977 						*reason_code = 7;
7978 						continue;
7979 					} else
7980 						asoc->ifp_had_enobuf = 0;
7981 					/* Only HB or ASCONF advances time */
7982 					if (hbflag) {
7983 						if (*now_filled == 0) {
7984 							(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
7985 							*now_filled = 1;
7986 							*now = net->last_sent_time;
7987 						} else {
7988 							net->last_sent_time = *now;
7989 						}
7990 						hbflag = 0;
7991 					}
7992 					/*
7993 					 * increase the number we sent, if a
7994 					 * cookie is sent we don't tell them
7995 					 * any was sent out.
7996 					 */
7997 					outchain = endoutchain = NULL;
7998 					auth = NULL;
7999 					auth_offset = 0;
8000 					if (!no_out_cnt)
8001 						*num_out += ctl_cnt;
8002 					/* recalc a clean slate and setup */
8003 					if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
8004 						mtu = (net->mtu - SCTP_MIN_OVERHEAD);
8005 					} else {
8006 						mtu = (net->mtu - SCTP_MIN_V4_OVERHEAD);
8007 					}
8008 					to_out = 0;
8009 					no_fragmentflg = 1;
8010 				}
8011 			}
8012 		}
8013 		/* JRI: if dest is in PF state, do not send data to it */
8014 		if ((asoc->sctp_cmt_on_off > 0) &&
8015 		    (asoc->sctp_cmt_pf > 0) &&
8016 		    (net->dest_state & SCTP_ADDR_PF)) {
8017 			goto no_data_fill;
8018 		}
8019 		if (net->flight_size >= net->cwnd) {
8020 			goto no_data_fill;
8021 		}
8022 		if ((asoc->sctp_cmt_on_off > 0) &&
8023 		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_RECV_BUFFER_SPLITTING) &&
8024 		    (net->flight_size > max_rwnd_per_dest)) {
8025 			goto no_data_fill;
8026 		}
8027 		/*
8028 		 * We need a specific accounting for the usage of the send
8029 		 * buffer. We also need to check the number of messages per
8030 		 * net. For now, this is better than nothing and it disabled
8031 		 * by default...
8032 		 */
8033 		if ((asoc->sctp_cmt_on_off > 0) &&
8034 		    (SCTP_BASE_SYSCTL(sctp_buffer_splitting) & SCTP_SEND_BUFFER_SPLITTING) &&
8035 		    (max_send_per_dest > 0) &&
8036 		    (net->flight_size > max_send_per_dest)) {
8037 			goto no_data_fill;
8038 		}
8039 		/*********************/
8040 		/* Data transmission */
8041 		/*********************/
8042 		/*
8043 		 * if AUTH for DATA is required and no AUTH has been added
8044 		 * yet, account for this in the mtu now... if no data can be
8045 		 * bundled, this adjustment won't matter anyways since the
8046 		 * packet will be going out...
8047 		 */
8048 		data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA,
8049 		    stcb->asoc.peer_auth_chunks);
8050 		if (data_auth_reqd && (auth == NULL)) {
8051 			mtu -= sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
8052 		}
8053 		/* now lets add any data within the MTU constraints */
8054 		switch (((struct sockaddr *)&net->ro._l_addr)->sa_family) {
8055 		case AF_INET:
8056 			if (net->mtu > (sizeof(struct ip) + sizeof(struct sctphdr)))
8057 				omtu = net->mtu - (sizeof(struct ip) + sizeof(struct sctphdr));
8058 			else
8059 				omtu = 0;
8060 			break;
8061 #ifdef INET6
8062 		case AF_INET6:
8063 			if (net->mtu > (sizeof(struct ip6_hdr) + sizeof(struct sctphdr)))
8064 				omtu = net->mtu - (sizeof(struct ip6_hdr) + sizeof(struct sctphdr));
8065 			else
8066 				omtu = 0;
8067 			break;
8068 #endif
8069 		default:
8070 			/* TSNH */
8071 			omtu = 0;
8072 			break;
8073 		}
8074 		if ((((asoc->state & SCTP_STATE_OPEN) == SCTP_STATE_OPEN) &&
8075 		    (skip_data_for_this_net == 0)) ||
8076 		    (cookie)) {
8077 			TAILQ_FOREACH_SAFE(chk, &asoc->send_queue, sctp_next, nchk) {
8078 				if (no_data_chunks) {
8079 					/* let only control go out */
8080 					*reason_code = 1;
8081 					break;
8082 				}
8083 				if (net->flight_size >= net->cwnd) {
8084 					/* skip this net, no room for data */
8085 					*reason_code = 2;
8086 					break;
8087 				}
8088 				if ((chk->whoTo != NULL) &&
8089 				    (chk->whoTo != net)) {
8090 					/* Don't send the chunk on this net */
8091 					continue;
8092 				}
8093 				if ((chk->send_size > omtu) && ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) == 0)) {
8094 					/*-
8095 					 * strange, we have a chunk that is
8096 					 * to big for its destination and
8097 					 * yet no fragment ok flag.
8098 					 * Something went wrong when the
8099 					 * PMTU changed...we did not mark
8100 					 * this chunk for some reason?? I
8101 					 * will fix it here by letting IP
8102 					 * fragment it for now and printing
8103 					 * a warning. This really should not
8104 					 * happen ...
8105 					 */
8106 					SCTP_PRINTF("Warning chunk of %d bytes > mtu:%d and yet PMTU disc missed\n",
8107 					    chk->send_size, mtu);
8108 					chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;
8109 				}
8110 				if (SCTP_BASE_SYSCTL(sctp_enable_sack_immediately) &&
8111 				    ((asoc->state & SCTP_STATE_SHUTDOWN_PENDING) == SCTP_STATE_SHUTDOWN_PENDING)) {
8112 					struct sctp_data_chunk *dchkh;
8113 
8114 					dchkh = mtod(chk->data, struct sctp_data_chunk *);
8115 					dchkh->ch.chunk_flags |= SCTP_DATA_SACK_IMMEDIATELY;
8116 				}
8117 				if (((chk->send_size <= mtu) && (chk->send_size <= r_mtu)) ||
8118 				    ((chk->flags & CHUNK_FLAGS_FRAGMENT_OK) && (chk->send_size <= asoc->peers_rwnd))) {
8119 					/* ok we will add this one */
8120 
8121 					/*
8122 					 * Add an AUTH chunk, if chunk
8123 					 * requires it, save the offset into
8124 					 * the chain for AUTH
8125 					 */
8126 					if (data_auth_reqd) {
8127 						if (auth == NULL) {
8128 							outchain = sctp_add_auth_chunk(outchain,
8129 							    &endoutchain,
8130 							    &auth,
8131 							    &auth_offset,
8132 							    stcb,
8133 							    SCTP_DATA);
8134 							auth_keyid = chk->auth_keyid;
8135 							override_ok = 0;
8136 							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8137 						} else if (override_ok) {
8138 							/*
8139 							 * use this data's
8140 							 * keyid
8141 							 */
8142 							auth_keyid = chk->auth_keyid;
8143 							override_ok = 0;
8144 						} else if (auth_keyid != chk->auth_keyid) {
8145 							/*
8146 							 * different keyid,
8147 							 * so done bundling
8148 							 */
8149 							break;
8150 						}
8151 					}
8152 					outchain = sctp_copy_mbufchain(chk->data, outchain, &endoutchain, 0,
8153 					    chk->send_size, chk->copy_by_ref);
8154 					if (outchain == NULL) {
8155 						SCTPDBG(SCTP_DEBUG_OUTPUT3, "No memory?\n");
8156 						if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
8157 							sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8158 						}
8159 						*reason_code = 3;
8160 						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
8161 						return (ENOMEM);
8162 					}
8163 					/* upate our MTU size */
8164 					/* Do clear IP_DF ? */
8165 					if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
8166 						no_fragmentflg = 0;
8167 					}
8168 					/* unsigned subtraction of mtu */
8169 					if (mtu > chk->send_size)
8170 						mtu -= chk->send_size;
8171 					else
8172 						mtu = 0;
8173 					/* unsigned subtraction of r_mtu */
8174 					if (r_mtu > chk->send_size)
8175 						r_mtu -= chk->send_size;
8176 					else
8177 						r_mtu = 0;
8178 
8179 					to_out += chk->send_size;
8180 					if ((to_out > mx_mtu) && no_fragmentflg) {
8181 #ifdef INVARIANTS
8182 						panic("Exceeding mtu of %d out size is %d", mx_mtu, to_out);
8183 #else
8184 						SCTP_PRINTF("Exceeding mtu of %d out size is %d\n",
8185 						    mx_mtu, to_out);
8186 #endif
8187 					}
8188 					chk->window_probe = 0;
8189 					data_list[bundle_at++] = chk;
8190 					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
8191 						mtu = 0;
8192 						break;
8193 					}
8194 					if (chk->sent == SCTP_DATAGRAM_UNSENT) {
8195 						if ((chk->rec.data.rcv_flags & SCTP_DATA_UNORDERED) == 0) {
8196 							SCTP_STAT_INCR_COUNTER64(sctps_outorderchunks);
8197 						} else {
8198 							SCTP_STAT_INCR_COUNTER64(sctps_outunorderchunks);
8199 						}
8200 						if (((chk->rec.data.rcv_flags & SCTP_DATA_LAST_FRAG) == SCTP_DATA_LAST_FRAG) &&
8201 						    ((chk->rec.data.rcv_flags & SCTP_DATA_FIRST_FRAG) == 0))
8202 							/*
8203 							 * Count number of
8204 							 * user msg's that
8205 							 * were fragmented
8206 							 * we do this by
8207 							 * counting when we
8208 							 * see a LAST
8209 							 * fragment only.
8210 							 */
8211 							SCTP_STAT_INCR_COUNTER64(sctps_fragusrmsgs);
8212 					}
8213 					if ((mtu == 0) || (r_mtu == 0) || (one_chunk)) {
8214 						if ((one_chunk) && (stcb->asoc.total_flight == 0)) {
8215 							data_list[0]->window_probe = 1;
8216 							net->window_probe = 1;
8217 						}
8218 						break;
8219 					}
8220 				} else {
8221 					/*
8222 					 * Must be sent in order of the
8223 					 * TSN's (on a network)
8224 					 */
8225 					break;
8226 				}
8227 			}	/* for (chunk gather loop for this net) */
8228 		}		/* if asoc.state OPEN */
8229 no_data_fill:
8230 		/* Is there something to send for this destination? */
8231 		if (outchain) {
8232 			/* We may need to start a control timer or two */
8233 			if (asconf) {
8234 				sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp,
8235 				    stcb, net);
8236 				/*
8237 				 * do NOT clear the asconf flag as it is
8238 				 * used to do appropriate source address
8239 				 * selection.
8240 				 */
8241 			}
8242 			if (cookie) {
8243 				sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, net);
8244 				cookie = 0;
8245 			}
8246 			/* must start a send timer if data is being sent */
8247 			if (bundle_at && (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer))) {
8248 				/*
8249 				 * no timer running on this destination
8250 				 * restart it.
8251 				 */
8252 				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8253 			} else if ((asoc->sctp_cmt_on_off > 0) &&
8254 				    (asoc->sctp_cmt_pf > 0) &&
8255 				    pf_hbflag &&
8256 				    ((net->dest_state & SCTP_ADDR_PF) == SCTP_ADDR_PF) &&
8257 			    (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer))) {
8258 				/*
8259 				 * JRS 5/14/07 - If a HB has been sent to a
8260 				 * PF destination and no T3 timer is
8261 				 * currently running, start the T3 timer to
8262 				 * track the HBs that were sent.
8263 				 */
8264 				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
8265 			}
8266 			/* Now send it, if there is anything to send :> */
8267 			if ((error = sctp_lowlevel_chunk_output(inp,
8268 			    stcb,
8269 			    net,
8270 			    (struct sockaddr *)&net->ro._l_addr,
8271 			    outchain,
8272 			    auth_offset,
8273 			    auth,
8274 			    auth_keyid,
8275 			    no_fragmentflg,
8276 			    bundle_at,
8277 			    data_list[0],
8278 			    asconf,
8279 			    inp->sctp_lport, stcb->rport,
8280 			    htonl(stcb->asoc.peer_vtag),
8281 			    net->port, so_locked, NULL))) {
8282 				/* error, we could not output */
8283 				if (error == ENOBUFS) {
8284 					SCTP_STAT_INCR(sctps_lowlevelerr);
8285 					asoc->ifp_had_enobuf = 1;
8286 				}
8287 				if (from_where == 0) {
8288 					SCTP_STAT_INCR(sctps_lowlevelerrusr);
8289 				}
8290 				SCTPDBG(SCTP_DEBUG_OUTPUT3, "Gak send error %d\n", error);
8291 				if (hbflag) {
8292 					if (*now_filled == 0) {
8293 						(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8294 						*now_filled = 1;
8295 						*now = net->last_sent_time;
8296 					} else {
8297 						net->last_sent_time = *now;
8298 					}
8299 					hbflag = 0;
8300 				}
8301 				if (error == EHOSTUNREACH) {
8302 					/*
8303 					 * Destination went unreachable
8304 					 * during this send
8305 					 */
8306 					sctp_move_chunks_from_net(stcb, net);
8307 				}
8308 				*reason_code = 6;
8309 				/*-
8310 				 * I add this line to be paranoid. As far as
8311 				 * I can tell the continue, takes us back to
8312 				 * the top of the for, but just to make sure
8313 				 * I will reset these again here.
8314 				 */
8315 				ctl_cnt = bundle_at = 0;
8316 				continue;	/* This takes us back to the
8317 						 * for() for the nets. */
8318 			} else {
8319 				asoc->ifp_had_enobuf = 0;
8320 			}
8321 			outchain = endoutchain = NULL;
8322 			auth = NULL;
8323 			auth_offset = 0;
8324 			if (bundle_at || hbflag) {
8325 				/* For data/asconf and hb set time */
8326 				if (*now_filled == 0) {
8327 					(void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time);
8328 					*now_filled = 1;
8329 					*now = net->last_sent_time;
8330 				} else {
8331 					net->last_sent_time = *now;
8332 				}
8333 			}
8334 			if (!no_out_cnt) {
8335 				*num_out += (ctl_cnt + bundle_at);
8336 			}
8337 			if (bundle_at) {
8338 				/* setup for a RTO measurement */
8339 				tsns_sent = data_list[0]->rec.data.TSN_seq;
8340 				/* fill time if not already filled */
8341 				if (*now_filled == 0) {
8342 					(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
8343 					*now_filled = 1;
8344 					*now = asoc->time_last_sent;
8345 				} else {
8346 					asoc->time_last_sent = *now;
8347 				}
8348 				data_list[0]->do_rtt = 1;
8349 				SCTP_STAT_INCR_BY(sctps_senddata, bundle_at);
8350 				sctp_clean_up_datalist(stcb, asoc, data_list, bundle_at, net);
8351 				if (SCTP_BASE_SYSCTL(sctp_early_fr)) {
8352 					if (net->flight_size < net->cwnd) {
8353 						/* start or restart it */
8354 						if (SCTP_OS_TIMER_PENDING(&net->fr_timer.timer)) {
8355 							sctp_timer_stop(SCTP_TIMER_TYPE_EARLYFR, inp, stcb, net,
8356 							    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_2);
8357 						}
8358 						SCTP_STAT_INCR(sctps_earlyfrstrout);
8359 						sctp_timer_start(SCTP_TIMER_TYPE_EARLYFR, inp, stcb, net);
8360 					} else {
8361 						/* stop it if its running */
8362 						if (SCTP_OS_TIMER_PENDING(&net->fr_timer.timer)) {
8363 							SCTP_STAT_INCR(sctps_earlyfrstpout);
8364 							sctp_timer_stop(SCTP_TIMER_TYPE_EARLYFR, inp, stcb, net,
8365 							    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_3);
8366 						}
8367 					}
8368 				}
8369 			}
8370 			if (one_chunk) {
8371 				break;
8372 			}
8373 		}
8374 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8375 			sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_SEND);
8376 		}
8377 	}
8378 	if (old_start_at == NULL) {
8379 		old_start_at = start_at;
8380 		start_at = TAILQ_FIRST(&asoc->nets);
8381 		if (old_start_at)
8382 			goto again_one_more_time;
8383 	}
8384 	/*
8385 	 * At the end there should be no NON timed chunks hanging on this
8386 	 * queue.
8387 	 */
8388 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
8389 		sctp_log_cwnd(stcb, net, *num_out, SCTP_CWND_LOG_FROM_SEND);
8390 	}
8391 	if ((*num_out == 0) && (*reason_code == 0)) {
8392 		*reason_code = 4;
8393 	} else {
8394 		*reason_code = 5;
8395 	}
8396 	sctp_clean_up_ctl(stcb, asoc);
8397 	return (0);
8398 }
8399 
8400 void
8401 sctp_queue_op_err(struct sctp_tcb *stcb, struct mbuf *op_err)
8402 {
8403 	/*-
8404 	 * Prepend a OPERATIONAL_ERROR chunk header and put on the end of
8405 	 * the control chunk queue.
8406 	 */
8407 	struct sctp_chunkhdr *hdr;
8408 	struct sctp_tmit_chunk *chk;
8409 	struct mbuf *mat;
8410 
8411 	SCTP_TCB_LOCK_ASSERT(stcb);
8412 	sctp_alloc_a_chunk(stcb, chk);
8413 	if (chk == NULL) {
8414 		/* no memory */
8415 		sctp_m_freem(op_err);
8416 		return;
8417 	}
8418 	chk->copy_by_ref = 0;
8419 	SCTP_BUF_PREPEND(op_err, sizeof(struct sctp_chunkhdr), M_DONTWAIT);
8420 	if (op_err == NULL) {
8421 		sctp_free_a_chunk(stcb, chk);
8422 		return;
8423 	}
8424 	chk->send_size = 0;
8425 	mat = op_err;
8426 	while (mat != NULL) {
8427 		chk->send_size += SCTP_BUF_LEN(mat);
8428 		mat = SCTP_BUF_NEXT(mat);
8429 	}
8430 	chk->rec.chunk_id.id = SCTP_OPERATION_ERROR;
8431 	chk->rec.chunk_id.can_take_data = 1;
8432 	chk->sent = SCTP_DATAGRAM_UNSENT;
8433 	chk->snd_count = 0;
8434 	chk->flags = 0;
8435 	chk->asoc = &stcb->asoc;
8436 	chk->data = op_err;
8437 	chk->whoTo = chk->asoc->primary_destination;
8438 	atomic_add_int(&chk->whoTo->ref_count, 1);
8439 	hdr = mtod(op_err, struct sctp_chunkhdr *);
8440 	hdr->chunk_type = SCTP_OPERATION_ERROR;
8441 	hdr->chunk_flags = 0;
8442 	hdr->chunk_length = htons(chk->send_size);
8443 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue,
8444 	    chk,
8445 	    sctp_next);
8446 	chk->asoc->ctrl_queue_cnt++;
8447 }
8448 
8449 int
8450 sctp_send_cookie_echo(struct mbuf *m,
8451     int offset,
8452     struct sctp_tcb *stcb,
8453     struct sctp_nets *net)
8454 {
8455 	/*-
8456 	 * pull out the cookie and put it at the front of the control chunk
8457 	 * queue.
8458 	 */
8459 	int at;
8460 	struct mbuf *cookie;
8461 	struct sctp_paramhdr parm, *phdr;
8462 	struct sctp_chunkhdr *hdr;
8463 	struct sctp_tmit_chunk *chk;
8464 	uint16_t ptype, plen;
8465 
8466 	/* First find the cookie in the param area */
8467 	cookie = NULL;
8468 	at = offset + sizeof(struct sctp_init_chunk);
8469 
8470 	SCTP_TCB_LOCK_ASSERT(stcb);
8471 	do {
8472 		phdr = sctp_get_next_param(m, at, &parm, sizeof(parm));
8473 		if (phdr == NULL) {
8474 			return (-3);
8475 		}
8476 		ptype = ntohs(phdr->param_type);
8477 		plen = ntohs(phdr->param_length);
8478 		if (ptype == SCTP_STATE_COOKIE) {
8479 			int pad;
8480 
8481 			/* found the cookie */
8482 			if ((pad = (plen % 4))) {
8483 				plen += 4 - pad;
8484 			}
8485 			cookie = SCTP_M_COPYM(m, at, plen, M_DONTWAIT);
8486 			if (cookie == NULL) {
8487 				/* No memory */
8488 				return (-2);
8489 			}
8490 #ifdef SCTP_MBUF_LOGGING
8491 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
8492 				struct mbuf *mat;
8493 
8494 				mat = cookie;
8495 				while (mat) {
8496 					if (SCTP_BUF_IS_EXTENDED(mat)) {
8497 						sctp_log_mb(mat, SCTP_MBUF_ICOPY);
8498 					}
8499 					mat = SCTP_BUF_NEXT(mat);
8500 				}
8501 			}
8502 #endif
8503 			break;
8504 		}
8505 		at += SCTP_SIZE32(plen);
8506 	} while (phdr);
8507 	if (cookie == NULL) {
8508 		/* Did not find the cookie */
8509 		return (-3);
8510 	}
8511 	/* ok, we got the cookie lets change it into a cookie echo chunk */
8512 
8513 	/* first the change from param to cookie */
8514 	hdr = mtod(cookie, struct sctp_chunkhdr *);
8515 	hdr->chunk_type = SCTP_COOKIE_ECHO;
8516 	hdr->chunk_flags = 0;
8517 	/* get the chunk stuff now and place it in the FRONT of the queue */
8518 	sctp_alloc_a_chunk(stcb, chk);
8519 	if (chk == NULL) {
8520 		/* no memory */
8521 		sctp_m_freem(cookie);
8522 		return (-5);
8523 	}
8524 	chk->copy_by_ref = 0;
8525 	chk->send_size = plen;
8526 	chk->rec.chunk_id.id = SCTP_COOKIE_ECHO;
8527 	chk->rec.chunk_id.can_take_data = 0;
8528 	chk->sent = SCTP_DATAGRAM_UNSENT;
8529 	chk->snd_count = 0;
8530 	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
8531 	chk->asoc = &stcb->asoc;
8532 	chk->data = cookie;
8533 	chk->whoTo = chk->asoc->primary_destination;
8534 	atomic_add_int(&chk->whoTo->ref_count, 1);
8535 	TAILQ_INSERT_HEAD(&chk->asoc->control_send_queue, chk, sctp_next);
8536 	chk->asoc->ctrl_queue_cnt++;
8537 	return (0);
8538 }
8539 
8540 void
8541 sctp_send_heartbeat_ack(struct sctp_tcb *stcb,
8542     struct mbuf *m,
8543     int offset,
8544     int chk_length,
8545     struct sctp_nets *net)
8546 {
8547 	/*
8548 	 * take a HB request and make it into a HB ack and send it.
8549 	 */
8550 	struct mbuf *outchain;
8551 	struct sctp_chunkhdr *chdr;
8552 	struct sctp_tmit_chunk *chk;
8553 
8554 
8555 	if (net == NULL)
8556 		/* must have a net pointer */
8557 		return;
8558 
8559 	outchain = SCTP_M_COPYM(m, offset, chk_length, M_DONTWAIT);
8560 	if (outchain == NULL) {
8561 		/* gak out of memory */
8562 		return;
8563 	}
8564 #ifdef SCTP_MBUF_LOGGING
8565 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
8566 		struct mbuf *mat;
8567 
8568 		mat = outchain;
8569 		while (mat) {
8570 			if (SCTP_BUF_IS_EXTENDED(mat)) {
8571 				sctp_log_mb(mat, SCTP_MBUF_ICOPY);
8572 			}
8573 			mat = SCTP_BUF_NEXT(mat);
8574 		}
8575 	}
8576 #endif
8577 	chdr = mtod(outchain, struct sctp_chunkhdr *);
8578 	chdr->chunk_type = SCTP_HEARTBEAT_ACK;
8579 	chdr->chunk_flags = 0;
8580 	if (chk_length % 4) {
8581 		/* need pad */
8582 		uint32_t cpthis = 0;
8583 		int padlen;
8584 
8585 		padlen = 4 - (chk_length % 4);
8586 		m_copyback(outchain, chk_length, padlen, (caddr_t)&cpthis);
8587 	}
8588 	sctp_alloc_a_chunk(stcb, chk);
8589 	if (chk == NULL) {
8590 		/* no memory */
8591 		sctp_m_freem(outchain);
8592 		return;
8593 	}
8594 	chk->copy_by_ref = 0;
8595 	chk->send_size = chk_length;
8596 	chk->rec.chunk_id.id = SCTP_HEARTBEAT_ACK;
8597 	chk->rec.chunk_id.can_take_data = 1;
8598 	chk->sent = SCTP_DATAGRAM_UNSENT;
8599 	chk->snd_count = 0;
8600 	chk->flags = 0;
8601 	chk->asoc = &stcb->asoc;
8602 	chk->data = outchain;
8603 	chk->whoTo = net;
8604 	atomic_add_int(&chk->whoTo->ref_count, 1);
8605 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8606 	chk->asoc->ctrl_queue_cnt++;
8607 }
8608 
8609 void
8610 sctp_send_cookie_ack(struct sctp_tcb *stcb)
8611 {
8612 	/* formulate and queue a cookie-ack back to sender */
8613 	struct mbuf *cookie_ack;
8614 	struct sctp_chunkhdr *hdr;
8615 	struct sctp_tmit_chunk *chk;
8616 
8617 	cookie_ack = NULL;
8618 	SCTP_TCB_LOCK_ASSERT(stcb);
8619 
8620 	cookie_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_DONTWAIT, 1, MT_HEADER);
8621 	if (cookie_ack == NULL) {
8622 		/* no mbuf's */
8623 		return;
8624 	}
8625 	SCTP_BUF_RESV_UF(cookie_ack, SCTP_MIN_OVERHEAD);
8626 	sctp_alloc_a_chunk(stcb, chk);
8627 	if (chk == NULL) {
8628 		/* no memory */
8629 		sctp_m_freem(cookie_ack);
8630 		return;
8631 	}
8632 	chk->copy_by_ref = 0;
8633 	chk->send_size = sizeof(struct sctp_chunkhdr);
8634 	chk->rec.chunk_id.id = SCTP_COOKIE_ACK;
8635 	chk->rec.chunk_id.can_take_data = 1;
8636 	chk->sent = SCTP_DATAGRAM_UNSENT;
8637 	chk->snd_count = 0;
8638 	chk->flags = 0;
8639 	chk->asoc = &stcb->asoc;
8640 	chk->data = cookie_ack;
8641 	if (chk->asoc->last_control_chunk_from != NULL) {
8642 		chk->whoTo = chk->asoc->last_control_chunk_from;
8643 	} else {
8644 		chk->whoTo = chk->asoc->primary_destination;
8645 	}
8646 	atomic_add_int(&chk->whoTo->ref_count, 1);
8647 	hdr = mtod(cookie_ack, struct sctp_chunkhdr *);
8648 	hdr->chunk_type = SCTP_COOKIE_ACK;
8649 	hdr->chunk_flags = 0;
8650 	hdr->chunk_length = htons(chk->send_size);
8651 	SCTP_BUF_LEN(cookie_ack) = chk->send_size;
8652 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8653 	chk->asoc->ctrl_queue_cnt++;
8654 	return;
8655 }
8656 
8657 
8658 void
8659 sctp_send_shutdown_ack(struct sctp_tcb *stcb, struct sctp_nets *net)
8660 {
8661 	/* formulate and queue a SHUTDOWN-ACK back to the sender */
8662 	struct mbuf *m_shutdown_ack;
8663 	struct sctp_shutdown_ack_chunk *ack_cp;
8664 	struct sctp_tmit_chunk *chk;
8665 
8666 	m_shutdown_ack = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_ack_chunk), 0, M_DONTWAIT, 1, MT_HEADER);
8667 	if (m_shutdown_ack == NULL) {
8668 		/* no mbuf's */
8669 		return;
8670 	}
8671 	SCTP_BUF_RESV_UF(m_shutdown_ack, SCTP_MIN_OVERHEAD);
8672 	sctp_alloc_a_chunk(stcb, chk);
8673 	if (chk == NULL) {
8674 		/* no memory */
8675 		sctp_m_freem(m_shutdown_ack);
8676 		return;
8677 	}
8678 	chk->copy_by_ref = 0;
8679 	chk->send_size = sizeof(struct sctp_chunkhdr);
8680 	chk->rec.chunk_id.id = SCTP_SHUTDOWN_ACK;
8681 	chk->rec.chunk_id.can_take_data = 1;
8682 	chk->sent = SCTP_DATAGRAM_UNSENT;
8683 	chk->snd_count = 0;
8684 	chk->flags = 0;
8685 	chk->asoc = &stcb->asoc;
8686 	chk->data = m_shutdown_ack;
8687 	chk->whoTo = net;
8688 	atomic_add_int(&net->ref_count, 1);
8689 
8690 	ack_cp = mtod(m_shutdown_ack, struct sctp_shutdown_ack_chunk *);
8691 	ack_cp->ch.chunk_type = SCTP_SHUTDOWN_ACK;
8692 	ack_cp->ch.chunk_flags = 0;
8693 	ack_cp->ch.chunk_length = htons(chk->send_size);
8694 	SCTP_BUF_LEN(m_shutdown_ack) = chk->send_size;
8695 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8696 	chk->asoc->ctrl_queue_cnt++;
8697 	return;
8698 }
8699 
8700 void
8701 sctp_send_shutdown(struct sctp_tcb *stcb, struct sctp_nets *net)
8702 {
8703 	/* formulate and queue a SHUTDOWN to the sender */
8704 	struct mbuf *m_shutdown;
8705 	struct sctp_shutdown_chunk *shutdown_cp;
8706 	struct sctp_tmit_chunk *chk;
8707 
8708 	m_shutdown = sctp_get_mbuf_for_msg(sizeof(struct sctp_shutdown_chunk), 0, M_DONTWAIT, 1, MT_HEADER);
8709 	if (m_shutdown == NULL) {
8710 		/* no mbuf's */
8711 		return;
8712 	}
8713 	SCTP_BUF_RESV_UF(m_shutdown, SCTP_MIN_OVERHEAD);
8714 	sctp_alloc_a_chunk(stcb, chk);
8715 	if (chk == NULL) {
8716 		/* no memory */
8717 		sctp_m_freem(m_shutdown);
8718 		return;
8719 	}
8720 	chk->copy_by_ref = 0;
8721 	chk->send_size = sizeof(struct sctp_shutdown_chunk);
8722 	chk->rec.chunk_id.id = SCTP_SHUTDOWN;
8723 	chk->rec.chunk_id.can_take_data = 1;
8724 	chk->sent = SCTP_DATAGRAM_UNSENT;
8725 	chk->snd_count = 0;
8726 	chk->flags = 0;
8727 	chk->asoc = &stcb->asoc;
8728 	chk->data = m_shutdown;
8729 	chk->whoTo = net;
8730 	atomic_add_int(&net->ref_count, 1);
8731 
8732 	shutdown_cp = mtod(m_shutdown, struct sctp_shutdown_chunk *);
8733 	shutdown_cp->ch.chunk_type = SCTP_SHUTDOWN;
8734 	shutdown_cp->ch.chunk_flags = 0;
8735 	shutdown_cp->ch.chunk_length = htons(chk->send_size);
8736 	shutdown_cp->cumulative_tsn_ack = htonl(stcb->asoc.cumulative_tsn);
8737 	SCTP_BUF_LEN(m_shutdown) = chk->send_size;
8738 	TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8739 	chk->asoc->ctrl_queue_cnt++;
8740 	return;
8741 }
8742 
8743 void
8744 sctp_send_asconf(struct sctp_tcb *stcb, struct sctp_nets *net, int addr_locked)
8745 {
8746 	/*
8747 	 * formulate and queue an ASCONF to the peer. ASCONF parameters
8748 	 * should be queued on the assoc queue.
8749 	 */
8750 	struct sctp_tmit_chunk *chk;
8751 	struct mbuf *m_asconf;
8752 	int len;
8753 
8754 	SCTP_TCB_LOCK_ASSERT(stcb);
8755 
8756 	if ((!TAILQ_EMPTY(&stcb->asoc.asconf_send_queue)) &&
8757 	    (!sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_MULTIPLE_ASCONFS))) {
8758 		/* can't send a new one if there is one in flight already */
8759 		return;
8760 	}
8761 	/* compose an ASCONF chunk, maximum length is PMTU */
8762 	m_asconf = sctp_compose_asconf(stcb, &len, addr_locked);
8763 	if (m_asconf == NULL) {
8764 		return;
8765 	}
8766 	sctp_alloc_a_chunk(stcb, chk);
8767 	if (chk == NULL) {
8768 		/* no memory */
8769 		sctp_m_freem(m_asconf);
8770 		return;
8771 	}
8772 	chk->copy_by_ref = 0;
8773 	chk->data = m_asconf;
8774 	chk->send_size = len;
8775 	chk->rec.chunk_id.id = SCTP_ASCONF;
8776 	chk->rec.chunk_id.can_take_data = 0;
8777 	chk->sent = SCTP_DATAGRAM_UNSENT;
8778 	chk->snd_count = 0;
8779 	chk->flags = CHUNK_FLAGS_FRAGMENT_OK;
8780 	chk->asoc = &stcb->asoc;
8781 	chk->whoTo = net;
8782 	atomic_add_int(&chk->whoTo->ref_count, 1);
8783 	TAILQ_INSERT_TAIL(&chk->asoc->asconf_send_queue, chk, sctp_next);
8784 	chk->asoc->ctrl_queue_cnt++;
8785 	return;
8786 }
8787 
8788 void
8789 sctp_send_asconf_ack(struct sctp_tcb *stcb)
8790 {
8791 	/*
8792 	 * formulate and queue a asconf-ack back to sender. the asconf-ack
8793 	 * must be stored in the tcb.
8794 	 */
8795 	struct sctp_tmit_chunk *chk;
8796 	struct sctp_asconf_ack *ack, *latest_ack;
8797 	struct mbuf *m_ack, *m;
8798 	struct sctp_nets *net = NULL;
8799 
8800 	SCTP_TCB_LOCK_ASSERT(stcb);
8801 	/* Get the latest ASCONF-ACK */
8802 	latest_ack = TAILQ_LAST(&stcb->asoc.asconf_ack_sent, sctp_asconf_ackhead);
8803 	if (latest_ack == NULL) {
8804 		return;
8805 	}
8806 	if (latest_ack->last_sent_to != NULL &&
8807 	    latest_ack->last_sent_to == stcb->asoc.last_control_chunk_from) {
8808 		/* we're doing a retransmission */
8809 		net = sctp_find_alternate_net(stcb, stcb->asoc.last_control_chunk_from, 0);
8810 		if (net == NULL) {
8811 			/* no alternate */
8812 			if (stcb->asoc.last_control_chunk_from == NULL)
8813 				net = stcb->asoc.primary_destination;
8814 			else
8815 				net = stcb->asoc.last_control_chunk_from;
8816 		}
8817 	} else {
8818 		/* normal case */
8819 		if (stcb->asoc.last_control_chunk_from == NULL)
8820 			net = stcb->asoc.primary_destination;
8821 		else
8822 			net = stcb->asoc.last_control_chunk_from;
8823 	}
8824 	latest_ack->last_sent_to = net;
8825 
8826 	TAILQ_FOREACH(ack, &stcb->asoc.asconf_ack_sent, next) {
8827 		if (ack->data == NULL) {
8828 			continue;
8829 		}
8830 		/* copy the asconf_ack */
8831 		m_ack = SCTP_M_COPYM(ack->data, 0, M_COPYALL, M_DONTWAIT);
8832 		if (m_ack == NULL) {
8833 			/* couldn't copy it */
8834 			return;
8835 		}
8836 #ifdef SCTP_MBUF_LOGGING
8837 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
8838 			struct mbuf *mat;
8839 
8840 			mat = m_ack;
8841 			while (mat) {
8842 				if (SCTP_BUF_IS_EXTENDED(mat)) {
8843 					sctp_log_mb(mat, SCTP_MBUF_ICOPY);
8844 				}
8845 				mat = SCTP_BUF_NEXT(mat);
8846 			}
8847 		}
8848 #endif
8849 
8850 		sctp_alloc_a_chunk(stcb, chk);
8851 		if (chk == NULL) {
8852 			/* no memory */
8853 			if (m_ack)
8854 				sctp_m_freem(m_ack);
8855 			return;
8856 		}
8857 		chk->copy_by_ref = 0;
8858 
8859 		chk->whoTo = net;
8860 		chk->data = m_ack;
8861 		chk->send_size = 0;
8862 		/* Get size */
8863 		m = m_ack;
8864 		chk->send_size = ack->len;
8865 		chk->rec.chunk_id.id = SCTP_ASCONF_ACK;
8866 		chk->rec.chunk_id.can_take_data = 1;
8867 		chk->sent = SCTP_DATAGRAM_UNSENT;
8868 		chk->snd_count = 0;
8869 		chk->flags |= CHUNK_FLAGS_FRAGMENT_OK;	/* XXX */
8870 		chk->asoc = &stcb->asoc;
8871 		atomic_add_int(&chk->whoTo->ref_count, 1);
8872 
8873 		TAILQ_INSERT_TAIL(&chk->asoc->control_send_queue, chk, sctp_next);
8874 		chk->asoc->ctrl_queue_cnt++;
8875 	}
8876 	return;
8877 }
8878 
8879 
8880 static int
8881 sctp_chunk_retransmission(struct sctp_inpcb *inp,
8882     struct sctp_tcb *stcb,
8883     struct sctp_association *asoc,
8884     int *cnt_out, struct timeval *now, int *now_filled, int *fr_done, int so_locked
8885 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
8886     SCTP_UNUSED
8887 #endif
8888 )
8889 {
8890 	/*-
8891 	 * send out one MTU of retransmission. If fast_retransmit is
8892 	 * happening we ignore the cwnd. Otherwise we obey the cwnd and
8893 	 * rwnd. For a Cookie or Asconf in the control chunk queue we
8894 	 * retransmit them by themselves.
8895 	 *
8896 	 * For data chunks we will pick out the lowest TSN's in the sent_queue
8897 	 * marked for resend and bundle them all together (up to a MTU of
8898 	 * destination). The address to send to should have been
8899 	 * selected/changed where the retransmission was marked (i.e. in FR
8900 	 * or t3-timeout routines).
8901 	 */
8902 	struct sctp_tmit_chunk *data_list[SCTP_MAX_DATA_BUNDLING];
8903 	struct sctp_tmit_chunk *chk, *fwd;
8904 	struct mbuf *m, *endofchain;
8905 	struct sctp_nets *net = NULL;
8906 	uint32_t tsns_sent = 0;
8907 	int no_fragmentflg, bundle_at, cnt_thru;
8908 	unsigned int mtu;
8909 	int error, i, one_chunk, fwd_tsn, ctl_cnt, tmr_started;
8910 	struct sctp_auth_chunk *auth = NULL;
8911 	uint32_t auth_offset = 0;
8912 	uint16_t auth_keyid;
8913 	int override_ok = 1;
8914 	int data_auth_reqd = 0;
8915 	uint32_t dmtu = 0;
8916 
8917 	SCTP_TCB_LOCK_ASSERT(stcb);
8918 	tmr_started = ctl_cnt = bundle_at = error = 0;
8919 	no_fragmentflg = 1;
8920 	fwd_tsn = 0;
8921 	*cnt_out = 0;
8922 	fwd = NULL;
8923 	endofchain = m = NULL;
8924 	auth_keyid = stcb->asoc.authinfo.active_keyid;
8925 #ifdef SCTP_AUDITING_ENABLED
8926 	sctp_audit_log(0xC3, 1);
8927 #endif
8928 	if ((TAILQ_EMPTY(&asoc->sent_queue)) &&
8929 	    (TAILQ_EMPTY(&asoc->control_send_queue))) {
8930 		SCTPDBG(SCTP_DEBUG_OUTPUT1, "SCTP hits empty queue with cnt set to %d?\n",
8931 		    asoc->sent_queue_retran_cnt);
8932 		asoc->sent_queue_cnt = 0;
8933 		asoc->sent_queue_cnt_removeable = 0;
8934 		/* send back 0/0 so we enter normal transmission */
8935 		*cnt_out = 0;
8936 		return (0);
8937 	}
8938 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
8939 		if ((chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) ||
8940 		    (chk->rec.chunk_id.id == SCTP_STREAM_RESET) ||
8941 		    (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN)) {
8942 			if (chk->sent != SCTP_DATAGRAM_RESEND) {
8943 				continue;
8944 			}
8945 			if (chk->rec.chunk_id.id == SCTP_STREAM_RESET) {
8946 				if (chk != asoc->str_reset) {
8947 					/*
8948 					 * not eligible for retran if its
8949 					 * not ours
8950 					 */
8951 					continue;
8952 				}
8953 			}
8954 			ctl_cnt++;
8955 			if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
8956 				fwd_tsn = 1;
8957 				fwd = chk;
8958 			}
8959 			/*
8960 			 * Add an AUTH chunk, if chunk requires it save the
8961 			 * offset into the chain for AUTH
8962 			 */
8963 			if ((auth == NULL) &&
8964 			    (sctp_auth_is_required_chunk(chk->rec.chunk_id.id,
8965 			    stcb->asoc.peer_auth_chunks))) {
8966 				m = sctp_add_auth_chunk(m, &endofchain,
8967 				    &auth, &auth_offset,
8968 				    stcb,
8969 				    chk->rec.chunk_id.id);
8970 				SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
8971 			}
8972 			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
8973 			break;
8974 		}
8975 	}
8976 	one_chunk = 0;
8977 	cnt_thru = 0;
8978 	/* do we have control chunks to retransmit? */
8979 	if (m != NULL) {
8980 		/* Start a timer no matter if we suceed or fail */
8981 		if (chk->rec.chunk_id.id == SCTP_COOKIE_ECHO) {
8982 			sctp_timer_start(SCTP_TIMER_TYPE_COOKIE, inp, stcb, chk->whoTo);
8983 		} else if (chk->rec.chunk_id.id == SCTP_ASCONF)
8984 			sctp_timer_start(SCTP_TIMER_TYPE_ASCONF, inp, stcb, chk->whoTo);
8985 		chk->snd_count++;	/* update our count */
8986 		if ((error = sctp_lowlevel_chunk_output(inp, stcb, chk->whoTo,
8987 		    (struct sockaddr *)&chk->whoTo->ro._l_addr, m,
8988 		    auth_offset, auth, stcb->asoc.authinfo.active_keyid,
8989 		    no_fragmentflg, 0, NULL, 0,
8990 		    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
8991 		    chk->whoTo->port, so_locked, NULL))) {
8992 			SCTP_STAT_INCR(sctps_lowlevelerr);
8993 			return (error);
8994 		}
8995 		m = endofchain = NULL;
8996 		auth = NULL;
8997 		auth_offset = 0;
8998 		/*
8999 		 * We don't want to mark the net->sent time here since this
9000 		 * we use this for HB and retrans cannot measure RTT
9001 		 */
9002 		/* (void)SCTP_GETTIME_TIMEVAL(&chk->whoTo->last_sent_time); */
9003 		*cnt_out += 1;
9004 		chk->sent = SCTP_DATAGRAM_SENT;
9005 		sctp_ucount_decr(stcb->asoc.sent_queue_retran_cnt);
9006 		if (fwd_tsn == 0) {
9007 			return (0);
9008 		} else {
9009 			/* Clean up the fwd-tsn list */
9010 			sctp_clean_up_ctl(stcb, asoc);
9011 			return (0);
9012 		}
9013 	}
9014 	/*
9015 	 * Ok, it is just data retransmission we need to do or that and a
9016 	 * fwd-tsn with it all.
9017 	 */
9018 	if (TAILQ_EMPTY(&asoc->sent_queue)) {
9019 		return (SCTP_RETRAN_DONE);
9020 	}
9021 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED) ||
9022 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT)) {
9023 		/* not yet open, resend the cookie and that is it */
9024 		return (1);
9025 	}
9026 #ifdef SCTP_AUDITING_ENABLED
9027 	sctp_auditing(20, inp, stcb, NULL);
9028 #endif
9029 	data_auth_reqd = sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks);
9030 	TAILQ_FOREACH(chk, &asoc->sent_queue, sctp_next) {
9031 		if (chk->sent != SCTP_DATAGRAM_RESEND) {
9032 			/* No, not sent to this net or not ready for rtx */
9033 			continue;
9034 		}
9035 		if (chk->data == NULL) {
9036 			printf("TSN:%x chk->snd_count:%d chk->sent:%d can't retran - no data\n",
9037 			    chk->rec.data.TSN_seq, chk->snd_count, chk->sent);
9038 			continue;
9039 		}
9040 		if ((SCTP_BASE_SYSCTL(sctp_max_retran_chunk)) &&
9041 		    (chk->snd_count >= SCTP_BASE_SYSCTL(sctp_max_retran_chunk))) {
9042 			/* Gak, we have exceeded max unlucky retran, abort! */
9043 			SCTP_PRINTF("Gak, chk->snd_count:%d >= max:%d - send abort\n",
9044 			    chk->snd_count,
9045 			    SCTP_BASE_SYSCTL(sctp_max_retran_chunk));
9046 			atomic_add_int(&stcb->asoc.refcnt, 1);
9047 			sctp_abort_an_association(stcb->sctp_ep, stcb, 0, NULL, so_locked);
9048 			SCTP_TCB_LOCK(stcb);
9049 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
9050 			return (SCTP_RETRAN_EXIT);
9051 		}
9052 		/* pick up the net */
9053 		net = chk->whoTo;
9054 		if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
9055 			mtu = (net->mtu - SCTP_MIN_OVERHEAD);
9056 		} else {
9057 			mtu = net->mtu - SCTP_MIN_V4_OVERHEAD;
9058 		}
9059 
9060 		if ((asoc->peers_rwnd < mtu) && (asoc->total_flight > 0)) {
9061 			/* No room in peers rwnd */
9062 			uint32_t tsn;
9063 
9064 			tsn = asoc->last_acked_seq + 1;
9065 			if (tsn == chk->rec.data.TSN_seq) {
9066 				/*
9067 				 * we make a special exception for this
9068 				 * case. The peer has no rwnd but is missing
9069 				 * the lowest chunk.. which is probably what
9070 				 * is holding up the rwnd.
9071 				 */
9072 				goto one_chunk_around;
9073 			}
9074 			return (1);
9075 		}
9076 one_chunk_around:
9077 		if (asoc->peers_rwnd < mtu) {
9078 			one_chunk = 1;
9079 			if ((asoc->peers_rwnd == 0) &&
9080 			    (asoc->total_flight == 0)) {
9081 				chk->window_probe = 1;
9082 				chk->whoTo->window_probe = 1;
9083 			}
9084 		}
9085 #ifdef SCTP_AUDITING_ENABLED
9086 		sctp_audit_log(0xC3, 2);
9087 #endif
9088 		bundle_at = 0;
9089 		m = NULL;
9090 		net->fast_retran_ip = 0;
9091 		if (chk->rec.data.doing_fast_retransmit == 0) {
9092 			/*
9093 			 * if no FR in progress skip destination that have
9094 			 * flight_size > cwnd.
9095 			 */
9096 			if (net->flight_size >= net->cwnd) {
9097 				continue;
9098 			}
9099 		} else {
9100 			/*
9101 			 * Mark the destination net to have FR recovery
9102 			 * limits put on it.
9103 			 */
9104 			*fr_done = 1;
9105 			net->fast_retran_ip = 1;
9106 		}
9107 
9108 		/*
9109 		 * if no AUTH is yet included and this chunk requires it,
9110 		 * make sure to account for it.  We don't apply the size
9111 		 * until the AUTH chunk is actually added below in case
9112 		 * there is no room for this chunk.
9113 		 */
9114 		if (data_auth_reqd && (auth == NULL)) {
9115 			dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9116 		} else
9117 			dmtu = 0;
9118 
9119 		if ((chk->send_size <= (mtu - dmtu)) ||
9120 		    (chk->flags & CHUNK_FLAGS_FRAGMENT_OK)) {
9121 			/* ok we will add this one */
9122 			if (data_auth_reqd) {
9123 				if (auth == NULL) {
9124 					m = sctp_add_auth_chunk(m,
9125 					    &endofchain,
9126 					    &auth,
9127 					    &auth_offset,
9128 					    stcb,
9129 					    SCTP_DATA);
9130 					auth_keyid = chk->auth_keyid;
9131 					override_ok = 0;
9132 					SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9133 				} else if (override_ok) {
9134 					auth_keyid = chk->auth_keyid;
9135 					override_ok = 0;
9136 				} else if (chk->auth_keyid != auth_keyid) {
9137 					/* different keyid, so done bundling */
9138 					break;
9139 				}
9140 			}
9141 			m = sctp_copy_mbufchain(chk->data, m, &endofchain, 0, chk->send_size, chk->copy_by_ref);
9142 			if (m == NULL) {
9143 				SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9144 				return (ENOMEM);
9145 			}
9146 			/* Do clear IP_DF ? */
9147 			if (chk->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9148 				no_fragmentflg = 0;
9149 			}
9150 			/* upate our MTU size */
9151 			if (mtu > (chk->send_size + dmtu))
9152 				mtu -= (chk->send_size + dmtu);
9153 			else
9154 				mtu = 0;
9155 			data_list[bundle_at++] = chk;
9156 			if (one_chunk && (asoc->total_flight <= 0)) {
9157 				SCTP_STAT_INCR(sctps_windowprobed);
9158 			}
9159 		}
9160 		if (one_chunk == 0) {
9161 			/*
9162 			 * now are there anymore forward from chk to pick
9163 			 * up?
9164 			 */
9165 			fwd = TAILQ_NEXT(chk, sctp_next);
9166 			while (fwd) {
9167 				if (fwd->sent != SCTP_DATAGRAM_RESEND) {
9168 					/* Nope, not for retran */
9169 					fwd = TAILQ_NEXT(fwd, sctp_next);
9170 					continue;
9171 				}
9172 				if (fwd->whoTo != net) {
9173 					/* Nope, not the net in question */
9174 					fwd = TAILQ_NEXT(fwd, sctp_next);
9175 					continue;
9176 				}
9177 				if (data_auth_reqd && (auth == NULL)) {
9178 					dmtu = sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
9179 				} else
9180 					dmtu = 0;
9181 				if (fwd->send_size <= (mtu - dmtu)) {
9182 					if (data_auth_reqd) {
9183 						if (auth == NULL) {
9184 							m = sctp_add_auth_chunk(m,
9185 							    &endofchain,
9186 							    &auth,
9187 							    &auth_offset,
9188 							    stcb,
9189 							    SCTP_DATA);
9190 							auth_keyid = fwd->auth_keyid;
9191 							override_ok = 0;
9192 							SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
9193 						} else if (override_ok) {
9194 							auth_keyid = fwd->auth_keyid;
9195 							override_ok = 0;
9196 						} else if (fwd->auth_keyid != auth_keyid) {
9197 							/*
9198 							 * different keyid,
9199 							 * so done bundling
9200 							 */
9201 							break;
9202 						}
9203 					}
9204 					m = sctp_copy_mbufchain(fwd->data, m, &endofchain, 0, fwd->send_size, fwd->copy_by_ref);
9205 					if (m == NULL) {
9206 						SCTP_LTRACE_ERR_RET(inp, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
9207 						return (ENOMEM);
9208 					}
9209 					/* Do clear IP_DF ? */
9210 					if (fwd->flags & CHUNK_FLAGS_FRAGMENT_OK) {
9211 						no_fragmentflg = 0;
9212 					}
9213 					/* upate our MTU size */
9214 					if (mtu > (fwd->send_size + dmtu))
9215 						mtu -= (fwd->send_size + dmtu);
9216 					else
9217 						mtu = 0;
9218 					data_list[bundle_at++] = fwd;
9219 					if (bundle_at >= SCTP_MAX_DATA_BUNDLING) {
9220 						break;
9221 					}
9222 					fwd = TAILQ_NEXT(fwd, sctp_next);
9223 				} else {
9224 					/* can't fit so we are done */
9225 					break;
9226 				}
9227 			}
9228 		}
9229 		/* Is there something to send for this destination? */
9230 		if (m) {
9231 			/*
9232 			 * No matter if we fail/or suceed we should start a
9233 			 * timer. A failure is like a lost IP packet :-)
9234 			 */
9235 			if (!SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
9236 				/*
9237 				 * no timer running on this destination
9238 				 * restart it.
9239 				 */
9240 				sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9241 				tmr_started = 1;
9242 			}
9243 			/* Now lets send it, if there is anything to send :> */
9244 			if ((error = sctp_lowlevel_chunk_output(inp, stcb, net,
9245 			    (struct sockaddr *)&net->ro._l_addr, m,
9246 			    auth_offset, auth, auth_keyid,
9247 			    no_fragmentflg, 0, NULL, 0,
9248 			    inp->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
9249 			    net->port, so_locked, NULL))) {
9250 				/* error, we could not output */
9251 				SCTP_STAT_INCR(sctps_lowlevelerr);
9252 				return (error);
9253 			}
9254 			m = endofchain = NULL;
9255 			auth = NULL;
9256 			auth_offset = 0;
9257 			/* For HB's */
9258 			/*
9259 			 * We don't want to mark the net->sent time here
9260 			 * since this we use this for HB and retrans cannot
9261 			 * measure RTT
9262 			 */
9263 			/* (void)SCTP_GETTIME_TIMEVAL(&net->last_sent_time); */
9264 
9265 			/* For auto-close */
9266 			cnt_thru++;
9267 			if (*now_filled == 0) {
9268 				(void)SCTP_GETTIME_TIMEVAL(&asoc->time_last_sent);
9269 				*now = asoc->time_last_sent;
9270 				*now_filled = 1;
9271 			} else {
9272 				asoc->time_last_sent = *now;
9273 			}
9274 			*cnt_out += bundle_at;
9275 #ifdef SCTP_AUDITING_ENABLED
9276 			sctp_audit_log(0xC4, bundle_at);
9277 #endif
9278 			if (bundle_at) {
9279 				tsns_sent = data_list[0]->rec.data.TSN_seq;
9280 			}
9281 			for (i = 0; i < bundle_at; i++) {
9282 				SCTP_STAT_INCR(sctps_sendretransdata);
9283 				data_list[i]->sent = SCTP_DATAGRAM_SENT;
9284 				/*
9285 				 * When we have a revoked data, and we
9286 				 * retransmit it, then we clear the revoked
9287 				 * flag since this flag dictates if we
9288 				 * subtracted from the fs
9289 				 */
9290 				if (data_list[i]->rec.data.chunk_was_revoked) {
9291 					/* Deflate the cwnd */
9292 					data_list[i]->whoTo->cwnd -= data_list[i]->book_size;
9293 					data_list[i]->rec.data.chunk_was_revoked = 0;
9294 				}
9295 				data_list[i]->snd_count++;
9296 				sctp_ucount_decr(asoc->sent_queue_retran_cnt);
9297 				/* record the time */
9298 				data_list[i]->sent_rcv_time = asoc->time_last_sent;
9299 				if (data_list[i]->book_size_scale) {
9300 					/*
9301 					 * need to double the book size on
9302 					 * this one
9303 					 */
9304 					data_list[i]->book_size_scale = 0;
9305 					/*
9306 					 * Since we double the booksize, we
9307 					 * must also double the output queue
9308 					 * size, since this get shrunk when
9309 					 * we free by this amount.
9310 					 */
9311 					atomic_add_int(&((asoc)->total_output_queue_size), data_list[i]->book_size);
9312 					data_list[i]->book_size *= 2;
9313 
9314 
9315 				} else {
9316 					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_RWND_ENABLE) {
9317 						sctp_log_rwnd(SCTP_DECREASE_PEER_RWND,
9318 						    asoc->peers_rwnd, data_list[i]->send_size, SCTP_BASE_SYSCTL(sctp_peer_chunk_oh));
9319 					}
9320 					asoc->peers_rwnd = sctp_sbspace_sub(asoc->peers_rwnd,
9321 					    (uint32_t) (data_list[i]->send_size +
9322 					    SCTP_BASE_SYSCTL(sctp_peer_chunk_oh)));
9323 				}
9324 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_FLIGHT_LOGGING_ENABLE) {
9325 					sctp_misc_ints(SCTP_FLIGHT_LOG_UP_RSND,
9326 					    data_list[i]->whoTo->flight_size,
9327 					    data_list[i]->book_size,
9328 					    (uintptr_t) data_list[i]->whoTo,
9329 					    data_list[i]->rec.data.TSN_seq);
9330 				}
9331 				sctp_flight_size_increase(data_list[i]);
9332 				sctp_total_flight_increase(stcb, data_list[i]);
9333 				if (asoc->peers_rwnd < stcb->sctp_ep->sctp_ep.sctp_sws_sender) {
9334 					/* SWS sender side engages */
9335 					asoc->peers_rwnd = 0;
9336 				}
9337 				if ((i == 0) &&
9338 				    (data_list[i]->rec.data.doing_fast_retransmit)) {
9339 					SCTP_STAT_INCR(sctps_sendfastretrans);
9340 					if ((data_list[i] == TAILQ_FIRST(&asoc->sent_queue)) &&
9341 					    (tmr_started == 0)) {
9342 						/*-
9343 						 * ok we just fast-retrans'd
9344 						 * the lowest TSN, i.e the
9345 						 * first on the list. In
9346 						 * this case we want to give
9347 						 * some more time to get a
9348 						 * SACK back without a
9349 						 * t3-expiring.
9350 						 */
9351 						sctp_timer_stop(SCTP_TIMER_TYPE_SEND, inp, stcb, net,
9352 						    SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_4);
9353 						sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, net);
9354 					}
9355 				}
9356 			}
9357 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9358 				sctp_log_cwnd(stcb, net, tsns_sent, SCTP_CWND_LOG_FROM_RESEND);
9359 			}
9360 #ifdef SCTP_AUDITING_ENABLED
9361 			sctp_auditing(21, inp, stcb, NULL);
9362 #endif
9363 		} else {
9364 			/* None will fit */
9365 			return (1);
9366 		}
9367 		if (asoc->sent_queue_retran_cnt <= 0) {
9368 			/* all done we have no more to retran */
9369 			asoc->sent_queue_retran_cnt = 0;
9370 			break;
9371 		}
9372 		if (one_chunk) {
9373 			/* No more room in rwnd */
9374 			return (1);
9375 		}
9376 		/* stop the for loop here. we sent out a packet */
9377 		break;
9378 	}
9379 	return (0);
9380 }
9381 
9382 
9383 static int
9384 sctp_timer_validation(struct sctp_inpcb *inp,
9385     struct sctp_tcb *stcb,
9386     struct sctp_association *asoc,
9387     int ret)
9388 {
9389 	struct sctp_nets *net;
9390 
9391 	/* Validate that a timer is running somewhere */
9392 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
9393 		if (SCTP_OS_TIMER_PENDING(&net->rxt_timer.timer)) {
9394 			/* Here is a timer */
9395 			return (ret);
9396 		}
9397 	}
9398 	SCTP_TCB_LOCK_ASSERT(stcb);
9399 	/* Gak, we did not have a timer somewhere */
9400 	SCTPDBG(SCTP_DEBUG_OUTPUT3, "Deadlock avoided starting timer on a dest at retran\n");
9401 	sctp_timer_start(SCTP_TIMER_TYPE_SEND, inp, stcb, asoc->primary_destination);
9402 	return (ret);
9403 }
9404 
9405 void
9406 sctp_chunk_output(struct sctp_inpcb *inp,
9407     struct sctp_tcb *stcb,
9408     int from_where,
9409     int so_locked
9410 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
9411     SCTP_UNUSED
9412 #endif
9413 )
9414 {
9415 	/*-
9416 	 * Ok this is the generic chunk service queue. we must do the
9417 	 * following:
9418 	 * - See if there are retransmits pending, if so we must
9419 	 *   do these first.
9420 	 * - Service the stream queue that is next, moving any
9421 	 *   message (note I must get a complete message i.e.
9422 	 *   FIRST/MIDDLE and LAST to the out queue in one pass) and assigning
9423 	 *   TSN's
9424 	 * - Check to see if the cwnd/rwnd allows any output, if so we
9425 	 *   go ahead and fomulate and send the low level chunks. Making sure
9426 	 *   to combine any control in the control chunk queue also.
9427 	 */
9428 	struct sctp_association *asoc;
9429 	struct sctp_nets *net;
9430 	int error = 0, num_out = 0, tot_out = 0, ret = 0, reason_code = 0,
9431 	    burst_cnt = 0, burst_limit = 0;
9432 	struct timeval now;
9433 	int now_filled = 0;
9434 	int nagle_on = 0;
9435 	int frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
9436 	int un_sent = 0;
9437 	int fr_done, tot_frs = 0;
9438 
9439 	asoc = &stcb->asoc;
9440 	if (from_where == SCTP_OUTPUT_FROM_USR_SEND) {
9441 		if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NODELAY)) {
9442 			nagle_on = 0;
9443 		} else {
9444 			nagle_on = 1;
9445 		}
9446 	}
9447 	SCTP_TCB_LOCK_ASSERT(stcb);
9448 
9449 	un_sent = (stcb->asoc.total_output_queue_size - stcb->asoc.total_flight);
9450 
9451 	if ((un_sent <= 0) &&
9452 	    (TAILQ_EMPTY(&asoc->control_send_queue)) &&
9453 	    (TAILQ_EMPTY(&asoc->asconf_send_queue)) &&
9454 	    (asoc->sent_queue_retran_cnt == 0)) {
9455 		/* Nothing to do unless there is something to be sent left */
9456 		return;
9457 	}
9458 	/*
9459 	 * Do we have something to send, data or control AND a sack timer
9460 	 * running, if so piggy-back the sack.
9461 	 */
9462 	if (SCTP_OS_TIMER_PENDING(&stcb->asoc.dack_timer.timer)) {
9463 		sctp_send_sack(stcb);
9464 		(void)SCTP_OS_TIMER_STOP(&stcb->asoc.dack_timer.timer);
9465 	}
9466 	while (asoc->sent_queue_retran_cnt) {
9467 		/*-
9468 		 * Ok, it is retransmission time only, we send out only ONE
9469 		 * packet with a single call off to the retran code.
9470 		 */
9471 		if (from_where == SCTP_OUTPUT_FROM_COOKIE_ACK) {
9472 			/*-
9473 			 * Special hook for handling cookiess discarded
9474 			 * by peer that carried data. Send cookie-ack only
9475 			 * and then the next call with get the retran's.
9476 			 */
9477 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
9478 			    from_where,
9479 			    &now, &now_filled, frag_point, so_locked);
9480 			return;
9481 		} else if (from_where != SCTP_OUTPUT_FROM_HB_TMR) {
9482 			/* if its not from a HB then do it */
9483 			fr_done = 0;
9484 			ret = sctp_chunk_retransmission(inp, stcb, asoc, &num_out, &now, &now_filled, &fr_done, so_locked);
9485 			if (fr_done) {
9486 				tot_frs++;
9487 			}
9488 		} else {
9489 			/*
9490 			 * its from any other place, we don't allow retran
9491 			 * output (only control)
9492 			 */
9493 			ret = 1;
9494 		}
9495 		if (ret > 0) {
9496 			/* Can't send anymore */
9497 			/*-
9498 			 * now lets push out control by calling med-level
9499 			 * output once. this assures that we WILL send HB's
9500 			 * if queued too.
9501 			 */
9502 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1,
9503 			    from_where,
9504 			    &now, &now_filled, frag_point, so_locked);
9505 #ifdef SCTP_AUDITING_ENABLED
9506 			sctp_auditing(8, inp, stcb, NULL);
9507 #endif
9508 			(void)sctp_timer_validation(inp, stcb, asoc, ret);
9509 			return;
9510 		}
9511 		if (ret < 0) {
9512 			/*-
9513 			 * The count was off.. retran is not happening so do
9514 			 * the normal retransmission.
9515 			 */
9516 #ifdef SCTP_AUDITING_ENABLED
9517 			sctp_auditing(9, inp, stcb, NULL);
9518 #endif
9519 			if (ret == SCTP_RETRAN_EXIT) {
9520 				return;
9521 			}
9522 			break;
9523 		}
9524 		if (from_where == SCTP_OUTPUT_FROM_T3) {
9525 			/* Only one transmission allowed out of a timeout */
9526 #ifdef SCTP_AUDITING_ENABLED
9527 			sctp_auditing(10, inp, stcb, NULL);
9528 #endif
9529 			/* Push out any control */
9530 			(void)sctp_med_chunk_output(inp, stcb, asoc, &num_out, &reason_code, 1, from_where,
9531 			    &now, &now_filled, frag_point, so_locked);
9532 			return;
9533 		}
9534 		if (tot_frs > asoc->max_burst) {
9535 			/* Hit FR burst limit */
9536 			return;
9537 		}
9538 		if ((num_out == 0) && (ret == 0)) {
9539 
9540 			/* No more retrans to send */
9541 			break;
9542 		}
9543 	}
9544 #ifdef SCTP_AUDITING_ENABLED
9545 	sctp_auditing(12, inp, stcb, NULL);
9546 #endif
9547 	/* Check for bad destinations, if they exist move chunks around. */
9548 	burst_limit = asoc->max_burst;
9549 	TAILQ_FOREACH(net, &asoc->nets, sctp_next) {
9550 		if ((net->dest_state & SCTP_ADDR_NOT_REACHABLE) ==
9551 		    SCTP_ADDR_NOT_REACHABLE) {
9552 			/*-
9553 			 * if possible move things off of this address we
9554 			 * still may send below due to the dormant state but
9555 			 * we try to find an alternate address to send to
9556 			 * and if we have one we move all queued data on the
9557 			 * out wheel to this alternate address.
9558 			 */
9559 			if (net->ref_count > 1)
9560 				sctp_move_chunks_from_net(stcb, net);
9561 		} else if ((asoc->sctp_cmt_on_off > 0) &&
9562 			    (asoc->sctp_cmt_pf > 0) &&
9563 		    ((net->dest_state & SCTP_ADDR_PF) == SCTP_ADDR_PF)) {
9564 			/*
9565 			 * JRS 5/14/07 - If CMT PF is on and the current
9566 			 * destination is in PF state, move all queued data
9567 			 * to an alternate desination.
9568 			 */
9569 			if (net->ref_count > 1)
9570 				sctp_move_chunks_from_net(stcb, net);
9571 		} else {
9572 			/*-
9573 			 * if ((asoc->sat_network) || (net->addr_is_local))
9574 			 * { burst_limit = asoc->max_burst *
9575 			 * SCTP_SAT_NETWORK_BURST_INCR; }
9576 			 */
9577 			if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst)) {
9578 				if ((net->flight_size + (burst_limit * net->mtu)) < net->cwnd) {
9579 					/*
9580 					 * JRS - Use the congestion control
9581 					 * given in the congestion control
9582 					 * module
9583 					 */
9584 					asoc->cc_functions.sctp_cwnd_update_after_output(stcb, net, burst_limit);
9585 					if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
9586 						sctp_log_maxburst(stcb, net, 0, burst_limit, SCTP_MAX_BURST_APPLIED);
9587 					}
9588 					SCTP_STAT_INCR(sctps_maxburstqueued);
9589 				}
9590 				net->fast_retran_ip = 0;
9591 			} else {
9592 				if (net->flight_size == 0) {
9593 					/* Should be decaying the cwnd here */
9594 					;
9595 				}
9596 			}
9597 		}
9598 
9599 	}
9600 	burst_cnt = 0;
9601 	do {
9602 		error = sctp_med_chunk_output(inp, stcb, asoc, &num_out,
9603 		    &reason_code, 0, from_where,
9604 		    &now, &now_filled, frag_point, so_locked);
9605 		if (error) {
9606 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "Error %d was returned from med-c-op\n", error);
9607 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
9608 				sctp_log_maxburst(stcb, asoc->primary_destination, error, burst_cnt, SCTP_MAX_BURST_ERROR_STOP);
9609 			}
9610 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9611 				sctp_log_cwnd(stcb, NULL, error, SCTP_SEND_NOW_COMPLETES);
9612 				sctp_log_cwnd(stcb, NULL, 0xdeadbeef, SCTP_SEND_NOW_COMPLETES);
9613 			}
9614 			break;
9615 		}
9616 		SCTPDBG(SCTP_DEBUG_OUTPUT3, "m-c-o put out %d\n", num_out);
9617 
9618 		tot_out += num_out;
9619 		burst_cnt++;
9620 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9621 			sctp_log_cwnd(stcb, NULL, num_out, SCTP_SEND_NOW_COMPLETES);
9622 			if (num_out == 0) {
9623 				sctp_log_cwnd(stcb, NULL, reason_code, SCTP_SEND_NOW_COMPLETES);
9624 			}
9625 		}
9626 		if (nagle_on) {
9627 			/*-
9628 			 * When nagle is on, we look at how much is un_sent, then
9629 			 * if its smaller than an MTU and we have data in
9630 			 * flight we stop.
9631 			 */
9632 			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
9633 			    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
9634 			if ((un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD)) &&
9635 			    (stcb->asoc.total_flight > 0)) {
9636 				break;
9637 			}
9638 		}
9639 		if (TAILQ_EMPTY(&asoc->control_send_queue) &&
9640 		    TAILQ_EMPTY(&asoc->send_queue) &&
9641 		    TAILQ_EMPTY(&asoc->out_wheel)) {
9642 			/* Nothing left to send */
9643 			break;
9644 		}
9645 		if ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) <= 0) {
9646 			/* Nothing left to send */
9647 			break;
9648 		}
9649 	} while (num_out && (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) ||
9650 	    (burst_cnt < burst_limit)));
9651 
9652 	if (SCTP_BASE_SYSCTL(sctp_use_cwnd_based_maxburst) == 0) {
9653 		if (burst_cnt >= burst_limit) {
9654 			SCTP_STAT_INCR(sctps_maxburstqueued);
9655 			asoc->burst_limit_applied = 1;
9656 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_MAXBURST_ENABLE) {
9657 				sctp_log_maxburst(stcb, asoc->primary_destination, 0, burst_cnt, SCTP_MAX_BURST_APPLIED);
9658 			}
9659 		} else {
9660 			asoc->burst_limit_applied = 0;
9661 		}
9662 	}
9663 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_CWND_LOGGING_ENABLE) {
9664 		sctp_log_cwnd(stcb, NULL, tot_out, SCTP_SEND_NOW_COMPLETES);
9665 	}
9666 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, we have put out %d chunks\n",
9667 	    tot_out);
9668 
9669 	/*-
9670 	 * Now we need to clean up the control chunk chain if a ECNE is on
9671 	 * it. It must be marked as UNSENT again so next call will continue
9672 	 * to send it until such time that we get a CWR, to remove it.
9673 	 */
9674 	if (stcb->asoc.ecn_echo_cnt_onq)
9675 		sctp_fix_ecn_echo(asoc);
9676 	return;
9677 }
9678 
9679 
9680 int
9681 sctp_output(inp, m, addr, control, p, flags)
9682 	struct sctp_inpcb *inp;
9683 	struct mbuf *m;
9684 	struct sockaddr *addr;
9685 	struct mbuf *control;
9686 	struct thread *p;
9687 	int flags;
9688 {
9689 	if (inp == NULL) {
9690 		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
9691 		return (EINVAL);
9692 	}
9693 	if (inp->sctp_socket == NULL) {
9694 		SCTP_LTRACE_ERR_RET_PKT(m, inp, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
9695 		return (EINVAL);
9696 	}
9697 	return (sctp_sosend(inp->sctp_socket,
9698 	    addr,
9699 	    (struct uio *)NULL,
9700 	    m,
9701 	    control,
9702 	    flags, p
9703 	    ));
9704 }
9705 
9706 void
9707 send_forward_tsn(struct sctp_tcb *stcb,
9708     struct sctp_association *asoc)
9709 {
9710 	struct sctp_tmit_chunk *chk;
9711 	struct sctp_forward_tsn_chunk *fwdtsn;
9712 	uint32_t advance_peer_ack_point;
9713 
9714 	SCTP_TCB_LOCK_ASSERT(stcb);
9715 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
9716 		if (chk->rec.chunk_id.id == SCTP_FORWARD_CUM_TSN) {
9717 			/* mark it to unsent */
9718 			chk->sent = SCTP_DATAGRAM_UNSENT;
9719 			chk->snd_count = 0;
9720 			/* Do we correct its output location? */
9721 			if (chk->whoTo != asoc->primary_destination) {
9722 				sctp_free_remote_addr(chk->whoTo);
9723 				chk->whoTo = asoc->primary_destination;
9724 				atomic_add_int(&chk->whoTo->ref_count, 1);
9725 			}
9726 			goto sctp_fill_in_rest;
9727 		}
9728 	}
9729 	/* Ok if we reach here we must build one */
9730 	sctp_alloc_a_chunk(stcb, chk);
9731 	if (chk == NULL) {
9732 		return;
9733 	}
9734 	asoc->fwd_tsn_cnt++;
9735 	chk->copy_by_ref = 0;
9736 	chk->rec.chunk_id.id = SCTP_FORWARD_CUM_TSN;
9737 	chk->rec.chunk_id.can_take_data = 0;
9738 	chk->asoc = asoc;
9739 	chk->whoTo = NULL;
9740 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
9741 	if (chk->data == NULL) {
9742 		sctp_free_a_chunk(stcb, chk);
9743 		return;
9744 	}
9745 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
9746 	chk->sent = SCTP_DATAGRAM_UNSENT;
9747 	chk->snd_count = 0;
9748 	chk->whoTo = asoc->primary_destination;
9749 	atomic_add_int(&chk->whoTo->ref_count, 1);
9750 	TAILQ_INSERT_TAIL(&asoc->control_send_queue, chk, sctp_next);
9751 	asoc->ctrl_queue_cnt++;
9752 sctp_fill_in_rest:
9753 	/*-
9754 	 * Here we go through and fill out the part that deals with
9755 	 * stream/seq of the ones we skip.
9756 	 */
9757 	SCTP_BUF_LEN(chk->data) = 0;
9758 	{
9759 		struct sctp_tmit_chunk *at, *tp1, *last;
9760 		struct sctp_strseq *strseq;
9761 		unsigned int cnt_of_space, i, ovh;
9762 		unsigned int space_needed;
9763 		unsigned int cnt_of_skipped = 0;
9764 
9765 		TAILQ_FOREACH(at, &asoc->sent_queue, sctp_next) {
9766 			if (at->sent != SCTP_FORWARD_TSN_SKIP) {
9767 				/* no more to look at */
9768 				break;
9769 			}
9770 			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
9771 				/* We don't report these */
9772 				continue;
9773 			}
9774 			cnt_of_skipped++;
9775 		}
9776 		space_needed = (sizeof(struct sctp_forward_tsn_chunk) +
9777 		    (cnt_of_skipped * sizeof(struct sctp_strseq)));
9778 
9779 		cnt_of_space = M_TRAILINGSPACE(chk->data);
9780 
9781 		if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
9782 			ovh = SCTP_MIN_OVERHEAD;
9783 		} else {
9784 			ovh = SCTP_MIN_V4_OVERHEAD;
9785 		}
9786 		if (cnt_of_space > (asoc->smallest_mtu - ovh)) {
9787 			/* trim to a mtu size */
9788 			cnt_of_space = asoc->smallest_mtu - ovh;
9789 		}
9790 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
9791 			sctp_misc_ints(SCTP_FWD_TSN_CHECK,
9792 			    0xff, 0, cnt_of_skipped,
9793 			    asoc->advanced_peer_ack_point);
9794 
9795 		}
9796 		advance_peer_ack_point = asoc->advanced_peer_ack_point;
9797 		if (cnt_of_space < space_needed) {
9798 			/*-
9799 			 * ok we must trim down the chunk by lowering the
9800 			 * advance peer ack point.
9801 			 */
9802 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
9803 				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
9804 				    0xff, 0xff, cnt_of_space,
9805 				    space_needed);
9806 			}
9807 			cnt_of_skipped = cnt_of_space - sizeof(struct sctp_forward_tsn_chunk);
9808 			cnt_of_skipped /= sizeof(struct sctp_strseq);
9809 			/*-
9810 			 * Go through and find the TSN that will be the one
9811 			 * we report.
9812 			 */
9813 			at = TAILQ_FIRST(&asoc->sent_queue);
9814 			for (i = 0; i < cnt_of_skipped; i++) {
9815 				tp1 = TAILQ_NEXT(at, sctp_next);
9816 				if (tp1 == NULL) {
9817 					break;
9818 				}
9819 				at = tp1;
9820 			}
9821 			if (at && SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_TRY_ADVANCE) {
9822 				sctp_misc_ints(SCTP_FWD_TSN_CHECK,
9823 				    0xff, cnt_of_skipped, at->rec.data.TSN_seq,
9824 				    asoc->advanced_peer_ack_point);
9825 			}
9826 			last = at;
9827 			/*-
9828 			 * last now points to last one I can report, update
9829 			 * peer ack point
9830 			 */
9831 			if (last)
9832 				advance_peer_ack_point = last->rec.data.TSN_seq;
9833 			space_needed = sizeof(struct sctp_forward_tsn_chunk) +
9834 			    cnt_of_skipped * sizeof(struct sctp_strseq);
9835 		}
9836 		chk->send_size = space_needed;
9837 		/* Setup the chunk */
9838 		fwdtsn = mtod(chk->data, struct sctp_forward_tsn_chunk *);
9839 		fwdtsn->ch.chunk_length = htons(chk->send_size);
9840 		fwdtsn->ch.chunk_flags = 0;
9841 		fwdtsn->ch.chunk_type = SCTP_FORWARD_CUM_TSN;
9842 		fwdtsn->new_cumulative_tsn = htonl(advance_peer_ack_point);
9843 		SCTP_BUF_LEN(chk->data) = chk->send_size;
9844 		fwdtsn++;
9845 		/*-
9846 		 * Move pointer to after the fwdtsn and transfer to the
9847 		 * strseq pointer.
9848 		 */
9849 		strseq = (struct sctp_strseq *)fwdtsn;
9850 		/*-
9851 		 * Now populate the strseq list. This is done blindly
9852 		 * without pulling out duplicate stream info. This is
9853 		 * inefficent but won't harm the process since the peer will
9854 		 * look at these in sequence and will thus release anything.
9855 		 * It could mean we exceed the PMTU and chop off some that
9856 		 * we could have included.. but this is unlikely (aka 1432/4
9857 		 * would mean 300+ stream seq's would have to be reported in
9858 		 * one FWD-TSN. With a bit of work we can later FIX this to
9859 		 * optimize and pull out duplcates.. but it does add more
9860 		 * overhead. So for now... not!
9861 		 */
9862 		at = TAILQ_FIRST(&asoc->sent_queue);
9863 		for (i = 0; i < cnt_of_skipped; i++) {
9864 			tp1 = TAILQ_NEXT(at, sctp_next);
9865 			if (tp1 == NULL)
9866 				break;
9867 			if (at->rec.data.rcv_flags & SCTP_DATA_UNORDERED) {
9868 				/* We don't report these */
9869 				i--;
9870 				at = tp1;
9871 				continue;
9872 			}
9873 			if (at->rec.data.TSN_seq == advance_peer_ack_point) {
9874 				at->rec.data.fwd_tsn_cnt = 0;
9875 			}
9876 			strseq->stream = ntohs(at->rec.data.stream_number);
9877 			strseq->sequence = ntohs(at->rec.data.stream_seq);
9878 			strseq++;
9879 			at = tp1;
9880 		}
9881 	}
9882 	return;
9883 
9884 }
9885 
9886 void
9887 sctp_send_sack(struct sctp_tcb *stcb)
9888 {
9889 	/*-
9890 	 * Queue up a SACK or NR-SACK in the control queue.
9891 	 * We must first check to see if a SACK or NR-SACK is
9892 	 * somehow on the control queue.
9893 	 * If so, we will take and and remove the old one.
9894 	 */
9895 	struct sctp_association *asoc;
9896 	struct sctp_tmit_chunk *chk, *a_chk;
9897 	struct sctp_sack_chunk *sack;
9898 	struct sctp_nr_sack_chunk *nr_sack;
9899 	struct sctp_gap_ack_block *gap_descriptor;
9900 	struct sack_track *selector;
9901 	int mergeable = 0;
9902 	int offset;
9903 	caddr_t limit;
9904 	uint32_t *dup;
9905 	int limit_reached = 0;
9906 	unsigned int i, siz, j;
9907 	unsigned int num_gap_blocks = 0, num_nr_gap_blocks = 0, space;
9908 	int num_dups = 0;
9909 	int space_req;
9910 	uint32_t highest_tsn;
9911 	uint8_t flags;
9912 	uint8_t type;
9913 	uint8_t tsn_map;
9914 
9915 	if ((stcb->asoc.sctp_nr_sack_on_off == 1) &&
9916 	    (stcb->asoc.peer_supports_nr_sack == 1)) {
9917 		type = SCTP_NR_SELECTIVE_ACK;
9918 	} else {
9919 		type = SCTP_SELECTIVE_ACK;
9920 	}
9921 	a_chk = NULL;
9922 	asoc = &stcb->asoc;
9923 	SCTP_TCB_LOCK_ASSERT(stcb);
9924 	if (asoc->last_data_chunk_from == NULL) {
9925 		/* Hmm we never received anything */
9926 		return;
9927 	}
9928 	sctp_slide_mapping_arrays(stcb);
9929 	sctp_set_rwnd(stcb, asoc);
9930 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
9931 		if (chk->rec.chunk_id.id == type) {
9932 			/* Hmm, found a sack already on queue, remove it */
9933 			TAILQ_REMOVE(&asoc->control_send_queue, chk, sctp_next);
9934 			asoc->ctrl_queue_cnt--;
9935 			a_chk = chk;
9936 			if (a_chk->data) {
9937 				sctp_m_freem(a_chk->data);
9938 				a_chk->data = NULL;
9939 			}
9940 			sctp_free_remote_addr(a_chk->whoTo);
9941 			a_chk->whoTo = NULL;
9942 			break;
9943 		}
9944 	}
9945 	if (a_chk == NULL) {
9946 		sctp_alloc_a_chunk(stcb, a_chk);
9947 		if (a_chk == NULL) {
9948 			/* No memory so we drop the idea, and set a timer */
9949 			if (stcb->asoc.delayed_ack) {
9950 				sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
9951 				    stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_5);
9952 				sctp_timer_start(SCTP_TIMER_TYPE_RECV,
9953 				    stcb->sctp_ep, stcb, NULL);
9954 			} else {
9955 				stcb->asoc.send_sack = 1;
9956 			}
9957 			return;
9958 		}
9959 		a_chk->copy_by_ref = 0;
9960 		a_chk->rec.chunk_id.id = type;
9961 		a_chk->rec.chunk_id.can_take_data = 1;
9962 	}
9963 	/* Clear our pkt counts */
9964 	asoc->data_pkts_seen = 0;
9965 
9966 	a_chk->asoc = asoc;
9967 	a_chk->snd_count = 0;
9968 	a_chk->send_size = 0;	/* fill in later */
9969 	a_chk->sent = SCTP_DATAGRAM_UNSENT;
9970 	a_chk->whoTo = NULL;
9971 
9972 	if ((asoc->numduptsns) ||
9973 	    (asoc->last_data_chunk_from->dest_state & SCTP_ADDR_NOT_REACHABLE)) {
9974 		/*-
9975 		 * Ok, we have some duplicates or the destination for the
9976 		 * sack is unreachable, lets see if we can select an
9977 		 * alternate than asoc->last_data_chunk_from
9978 		 */
9979 		if ((!(asoc->last_data_chunk_from->dest_state & SCTP_ADDR_NOT_REACHABLE)) &&
9980 		    (asoc->used_alt_onsack > asoc->numnets)) {
9981 			/* We used an alt last time, don't this time */
9982 			a_chk->whoTo = NULL;
9983 		} else {
9984 			asoc->used_alt_onsack++;
9985 			a_chk->whoTo = sctp_find_alternate_net(stcb, asoc->last_data_chunk_from, 0);
9986 		}
9987 		if (a_chk->whoTo == NULL) {
9988 			/* Nope, no alternate */
9989 			a_chk->whoTo = asoc->last_data_chunk_from;
9990 			asoc->used_alt_onsack = 0;
9991 		}
9992 	} else {
9993 		/*
9994 		 * No duplicates so we use the last place we received data
9995 		 * from.
9996 		 */
9997 		asoc->used_alt_onsack = 0;
9998 		a_chk->whoTo = asoc->last_data_chunk_from;
9999 	}
10000 	if (a_chk->whoTo) {
10001 		atomic_add_int(&a_chk->whoTo->ref_count, 1);
10002 	}
10003 	if (SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->highest_tsn_inside_nr_map)) {
10004 		highest_tsn = asoc->highest_tsn_inside_map;
10005 	} else {
10006 		highest_tsn = asoc->highest_tsn_inside_nr_map;
10007 	}
10008 	if (highest_tsn == asoc->cumulative_tsn) {
10009 		/* no gaps */
10010 		if (type == SCTP_SELECTIVE_ACK) {
10011 			space_req = sizeof(struct sctp_sack_chunk);
10012 		} else {
10013 			space_req = sizeof(struct sctp_nr_sack_chunk);
10014 		}
10015 	} else {
10016 		/* gaps get a cluster */
10017 		space_req = MCLBYTES;
10018 	}
10019 	/* Ok now lets formulate a MBUF with our sack */
10020 	a_chk->data = sctp_get_mbuf_for_msg(space_req, 0, M_DONTWAIT, 1, MT_DATA);
10021 	if ((a_chk->data == NULL) ||
10022 	    (a_chk->whoTo == NULL)) {
10023 		/* rats, no mbuf memory */
10024 		if (a_chk->data) {
10025 			/* was a problem with the destination */
10026 			sctp_m_freem(a_chk->data);
10027 			a_chk->data = NULL;
10028 		}
10029 		sctp_free_a_chunk(stcb, a_chk);
10030 		/* sa_ignore NO_NULL_CHK */
10031 		if (stcb->asoc.delayed_ack) {
10032 			sctp_timer_stop(SCTP_TIMER_TYPE_RECV,
10033 			    stcb->sctp_ep, stcb, NULL, SCTP_FROM_SCTP_OUTPUT + SCTP_LOC_6);
10034 			sctp_timer_start(SCTP_TIMER_TYPE_RECV,
10035 			    stcb->sctp_ep, stcb, NULL);
10036 		} else {
10037 			stcb->asoc.send_sack = 1;
10038 		}
10039 		return;
10040 	}
10041 	/* ok, lets go through and fill it in */
10042 	SCTP_BUF_RESV_UF(a_chk->data, SCTP_MIN_OVERHEAD);
10043 	space = M_TRAILINGSPACE(a_chk->data);
10044 	if (space > (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD)) {
10045 		space = (a_chk->whoTo->mtu - SCTP_MIN_OVERHEAD);
10046 	}
10047 	limit = mtod(a_chk->data, caddr_t);
10048 	limit += space;
10049 
10050 	/* 0x01 is used by nonce for ecn */
10051 	if ((SCTP_BASE_SYSCTL(sctp_ecn_enable)) &&
10052 	    (SCTP_BASE_SYSCTL(sctp_ecn_nonce)) &&
10053 	    (asoc->peer_supports_ecn_nonce))
10054 		flags = (asoc->receiver_nonce_sum & SCTP_SACK_NONCE_SUM);
10055 	else
10056 		flags = 0;
10057 
10058 	if ((asoc->sctp_cmt_on_off > 0) &&
10059 	    SCTP_BASE_SYSCTL(sctp_cmt_use_dac)) {
10060 		/*-
10061 		 * CMT DAC algorithm: If 2 (i.e., 0x10) packets have been
10062 		 * received, then set high bit to 1, else 0. Reset
10063 		 * pkts_rcvd.
10064 		 */
10065 		flags |= (asoc->cmt_dac_pkts_rcvd << 6);
10066 		asoc->cmt_dac_pkts_rcvd = 0;
10067 	}
10068 #ifdef SCTP_ASOCLOG_OF_TSNS
10069 	stcb->asoc.cumack_logsnt[stcb->asoc.cumack_log_atsnt] = asoc->cumulative_tsn;
10070 	stcb->asoc.cumack_log_atsnt++;
10071 	if (stcb->asoc.cumack_log_atsnt >= SCTP_TSN_LOG_SIZE) {
10072 		stcb->asoc.cumack_log_atsnt = 0;
10073 	}
10074 #endif
10075 	/* reset the readers interpretation */
10076 	stcb->freed_by_sorcv_sincelast = 0;
10077 
10078 	if (type == SCTP_SELECTIVE_ACK) {
10079 		sack = mtod(a_chk->data, struct sctp_sack_chunk *);
10080 		nr_sack = NULL;
10081 		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)sack + sizeof(struct sctp_sack_chunk));
10082 		if (highest_tsn > asoc->mapping_array_base_tsn) {
10083 			siz = (((highest_tsn - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10084 		} else {
10085 			siz = (((MAX_TSN - highest_tsn) + 1) + highest_tsn + 7) / 8;
10086 		}
10087 	} else {
10088 		sack = NULL;
10089 		nr_sack = mtod(a_chk->data, struct sctp_nr_sack_chunk *);
10090 		gap_descriptor = (struct sctp_gap_ack_block *)((caddr_t)nr_sack + sizeof(struct sctp_nr_sack_chunk));
10091 		if (asoc->highest_tsn_inside_map > asoc->mapping_array_base_tsn) {
10092 			siz = (((asoc->highest_tsn_inside_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10093 		} else {
10094 			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_map + 7) / 8;
10095 		}
10096 	}
10097 
10098 	if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10099 		offset = 1;
10100 	} else {
10101 		offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10102 	}
10103 	if (((type == SCTP_SELECTIVE_ACK) &&
10104 	    SCTP_TSN_GT(highest_tsn, asoc->cumulative_tsn)) ||
10105 	    ((type == SCTP_NR_SELECTIVE_ACK) &&
10106 	    SCTP_TSN_GT(asoc->highest_tsn_inside_map, asoc->cumulative_tsn))) {
10107 		/* we have a gap .. maybe */
10108 		for (i = 0; i < siz; i++) {
10109 			tsn_map = asoc->mapping_array[i];
10110 			if (type == SCTP_SELECTIVE_ACK) {
10111 				tsn_map |= asoc->nr_mapping_array[i];
10112 			}
10113 			if (i == 0) {
10114 				/*
10115 				 * Clear all bits corresponding to TSNs
10116 				 * smaller or equal to the cumulative TSN.
10117 				 */
10118 				tsn_map &= (~0 << (1 - offset));
10119 			}
10120 			selector = &sack_array[tsn_map];
10121 			if (mergeable && selector->right_edge) {
10122 				/*
10123 				 * Backup, left and right edges were ok to
10124 				 * merge.
10125 				 */
10126 				num_gap_blocks--;
10127 				gap_descriptor--;
10128 			}
10129 			if (selector->num_entries == 0)
10130 				mergeable = 0;
10131 			else {
10132 				for (j = 0; j < selector->num_entries; j++) {
10133 					if (mergeable && selector->right_edge) {
10134 						/*
10135 						 * do a merge by NOT setting
10136 						 * the left side
10137 						 */
10138 						mergeable = 0;
10139 					} else {
10140 						/*
10141 						 * no merge, set the left
10142 						 * side
10143 						 */
10144 						mergeable = 0;
10145 						gap_descriptor->start = htons((selector->gaps[j].start + offset));
10146 					}
10147 					gap_descriptor->end = htons((selector->gaps[j].end + offset));
10148 					num_gap_blocks++;
10149 					gap_descriptor++;
10150 					if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10151 						/* no more room */
10152 						limit_reached = 1;
10153 						break;
10154 					}
10155 				}
10156 				if (selector->left_edge) {
10157 					mergeable = 1;
10158 				}
10159 			}
10160 			if (limit_reached) {
10161 				/* Reached the limit stop */
10162 				break;
10163 			}
10164 			offset += 8;
10165 		}
10166 	}
10167 	if ((type == SCTP_NR_SELECTIVE_ACK) &&
10168 	    (limit_reached == 0)) {
10169 
10170 		mergeable = 0;
10171 
10172 		if (asoc->highest_tsn_inside_nr_map > asoc->mapping_array_base_tsn) {
10173 			siz = (((asoc->highest_tsn_inside_nr_map - asoc->mapping_array_base_tsn) + 1) + 7) / 8;
10174 		} else {
10175 			siz = (((MAX_TSN - asoc->mapping_array_base_tsn) + 1) + asoc->highest_tsn_inside_nr_map + 7) / 8;
10176 		}
10177 
10178 		if (SCTP_TSN_GT(asoc->mapping_array_base_tsn, asoc->cumulative_tsn)) {
10179 			offset = 1;
10180 		} else {
10181 			offset = asoc->mapping_array_base_tsn - asoc->cumulative_tsn;
10182 		}
10183 		if (SCTP_TSN_GT(asoc->highest_tsn_inside_nr_map, asoc->cumulative_tsn)) {
10184 			/* we have a gap .. maybe */
10185 			for (i = 0; i < siz; i++) {
10186 				tsn_map = asoc->nr_mapping_array[i];
10187 				if (i == 0) {
10188 					/*
10189 					 * Clear all bits corresponding to
10190 					 * TSNs smaller or equal to the
10191 					 * cumulative TSN.
10192 					 */
10193 					tsn_map &= (~0 << (1 - offset));
10194 				}
10195 				selector = &sack_array[tsn_map];
10196 				if (mergeable && selector->right_edge) {
10197 					/*
10198 					 * Backup, left and right edges were
10199 					 * ok to merge.
10200 					 */
10201 					num_nr_gap_blocks--;
10202 					gap_descriptor--;
10203 				}
10204 				if (selector->num_entries == 0)
10205 					mergeable = 0;
10206 				else {
10207 					for (j = 0; j < selector->num_entries; j++) {
10208 						if (mergeable && selector->right_edge) {
10209 							/*
10210 							 * do a merge by NOT
10211 							 * setting the left
10212 							 * side
10213 							 */
10214 							mergeable = 0;
10215 						} else {
10216 							/*
10217 							 * no merge, set the
10218 							 * left side
10219 							 */
10220 							mergeable = 0;
10221 							gap_descriptor->start = htons((selector->gaps[j].start + offset));
10222 						}
10223 						gap_descriptor->end = htons((selector->gaps[j].end + offset));
10224 						num_nr_gap_blocks++;
10225 						gap_descriptor++;
10226 						if (((caddr_t)gap_descriptor + sizeof(struct sctp_gap_ack_block)) > limit) {
10227 							/* no more room */
10228 							limit_reached = 1;
10229 							break;
10230 						}
10231 					}
10232 					if (selector->left_edge) {
10233 						mergeable = 1;
10234 					}
10235 				}
10236 				if (limit_reached) {
10237 					/* Reached the limit stop */
10238 					break;
10239 				}
10240 				offset += 8;
10241 			}
10242 		}
10243 	}
10244 	/* now we must add any dups we are going to report. */
10245 	if ((limit_reached == 0) && (asoc->numduptsns)) {
10246 		dup = (uint32_t *) gap_descriptor;
10247 		for (i = 0; i < asoc->numduptsns; i++) {
10248 			*dup = htonl(asoc->dup_tsns[i]);
10249 			dup++;
10250 			num_dups++;
10251 			if (((caddr_t)dup + sizeof(uint32_t)) > limit) {
10252 				/* no more room */
10253 				break;
10254 			}
10255 		}
10256 		asoc->numduptsns = 0;
10257 	}
10258 	/*
10259 	 * now that the chunk is prepared queue it to the control chunk
10260 	 * queue.
10261 	 */
10262 	if (type == SCTP_SELECTIVE_ACK) {
10263 		a_chk->send_size = sizeof(struct sctp_sack_chunk) +
10264 		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10265 		    num_dups * sizeof(int32_t);
10266 		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10267 		sack->sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10268 		sack->sack.a_rwnd = htonl(asoc->my_rwnd);
10269 		sack->sack.num_gap_ack_blks = htons(num_gap_blocks);
10270 		sack->sack.num_dup_tsns = htons(num_dups);
10271 		sack->ch.chunk_type = type;
10272 		sack->ch.chunk_flags = flags;
10273 		sack->ch.chunk_length = htons(a_chk->send_size);
10274 	} else {
10275 		a_chk->send_size = sizeof(struct sctp_nr_sack_chunk) +
10276 		    (num_gap_blocks + num_nr_gap_blocks) * sizeof(struct sctp_gap_ack_block) +
10277 		    num_dups * sizeof(int32_t);
10278 		SCTP_BUF_LEN(a_chk->data) = a_chk->send_size;
10279 		nr_sack->nr_sack.cum_tsn_ack = htonl(asoc->cumulative_tsn);
10280 		nr_sack->nr_sack.a_rwnd = htonl(asoc->my_rwnd);
10281 		nr_sack->nr_sack.num_gap_ack_blks = htons(num_gap_blocks);
10282 		nr_sack->nr_sack.num_nr_gap_ack_blks = htons(num_nr_gap_blocks);
10283 		nr_sack->nr_sack.num_dup_tsns = htons(num_dups);
10284 		nr_sack->nr_sack.reserved = 0;
10285 		nr_sack->ch.chunk_type = type;
10286 		nr_sack->ch.chunk_flags = flags;
10287 		nr_sack->ch.chunk_length = htons(a_chk->send_size);
10288 	}
10289 	TAILQ_INSERT_TAIL(&asoc->control_send_queue, a_chk, sctp_next);
10290 	asoc->my_last_reported_rwnd = asoc->my_rwnd;
10291 	asoc->ctrl_queue_cnt++;
10292 	asoc->send_sack = 0;
10293 	SCTP_STAT_INCR(sctps_sendsacks);
10294 	return;
10295 }
10296 
10297 void
10298 sctp_send_abort_tcb(struct sctp_tcb *stcb, struct mbuf *operr, int so_locked
10299 #if !defined(__APPLE__) && !defined(SCTP_SO_LOCK_TESTING)
10300     SCTP_UNUSED
10301 #endif
10302 )
10303 {
10304 	struct mbuf *m_abort;
10305 	struct mbuf *m_out = NULL, *m_end = NULL;
10306 	struct sctp_abort_chunk *abort = NULL;
10307 	int sz;
10308 	uint32_t auth_offset = 0;
10309 	struct sctp_auth_chunk *auth = NULL;
10310 
10311 	/*-
10312 	 * Add an AUTH chunk, if chunk requires it and save the offset into
10313 	 * the chain for AUTH
10314 	 */
10315 	if (sctp_auth_is_required_chunk(SCTP_ABORT_ASSOCIATION,
10316 	    stcb->asoc.peer_auth_chunks)) {
10317 		m_out = sctp_add_auth_chunk(m_out, &m_end, &auth, &auth_offset,
10318 		    stcb, SCTP_ABORT_ASSOCIATION);
10319 		SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10320 	}
10321 	SCTP_TCB_LOCK_ASSERT(stcb);
10322 	m_abort = sctp_get_mbuf_for_msg(sizeof(struct sctp_abort_chunk), 0, M_DONTWAIT, 1, MT_HEADER);
10323 	if (m_abort == NULL) {
10324 		/* no mbuf's */
10325 		if (m_out)
10326 			sctp_m_freem(m_out);
10327 		return;
10328 	}
10329 	/* link in any error */
10330 	SCTP_BUF_NEXT(m_abort) = operr;
10331 	sz = 0;
10332 	if (operr) {
10333 		struct mbuf *n;
10334 
10335 		n = operr;
10336 		while (n) {
10337 			sz += SCTP_BUF_LEN(n);
10338 			n = SCTP_BUF_NEXT(n);
10339 		}
10340 	}
10341 	SCTP_BUF_LEN(m_abort) = sizeof(*abort);
10342 	if (m_out == NULL) {
10343 		/* NO Auth chunk prepended, so reserve space in front */
10344 		SCTP_BUF_RESV_UF(m_abort, SCTP_MIN_OVERHEAD);
10345 		m_out = m_abort;
10346 	} else {
10347 		/* Put AUTH chunk at the front of the chain */
10348 		SCTP_BUF_NEXT(m_end) = m_abort;
10349 	}
10350 
10351 	/* fill in the ABORT chunk */
10352 	abort = mtod(m_abort, struct sctp_abort_chunk *);
10353 	abort->ch.chunk_type = SCTP_ABORT_ASSOCIATION;
10354 	abort->ch.chunk_flags = 0;
10355 	abort->ch.chunk_length = htons(sizeof(*abort) + sz);
10356 
10357 	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb,
10358 	    stcb->asoc.primary_destination,
10359 	    (struct sockaddr *)&stcb->asoc.primary_destination->ro._l_addr,
10360 	    m_out, auth_offset, auth, stcb->asoc.authinfo.active_keyid, 1, 0, NULL, 0,
10361 	    stcb->sctp_ep->sctp_lport, stcb->rport, htonl(stcb->asoc.peer_vtag),
10362 	    stcb->asoc.primary_destination->port, so_locked, NULL);
10363 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10364 }
10365 
10366 void
10367 sctp_send_shutdown_complete(struct sctp_tcb *stcb,
10368     struct sctp_nets *net,
10369     int reflect_vtag)
10370 {
10371 	/* formulate and SEND a SHUTDOWN-COMPLETE */
10372 	struct mbuf *m_shutdown_comp;
10373 	struct sctp_shutdown_complete_chunk *shutdown_complete;
10374 	uint32_t vtag;
10375 	uint8_t flags;
10376 
10377 	m_shutdown_comp = sctp_get_mbuf_for_msg(sizeof(struct sctp_chunkhdr), 0, M_DONTWAIT, 1, MT_HEADER);
10378 	if (m_shutdown_comp == NULL) {
10379 		/* no mbuf's */
10380 		return;
10381 	}
10382 	if (reflect_vtag) {
10383 		flags = SCTP_HAD_NO_TCB;
10384 		vtag = stcb->asoc.my_vtag;
10385 	} else {
10386 		flags = 0;
10387 		vtag = stcb->asoc.peer_vtag;
10388 	}
10389 	shutdown_complete = mtod(m_shutdown_comp, struct sctp_shutdown_complete_chunk *);
10390 	shutdown_complete->ch.chunk_type = SCTP_SHUTDOWN_COMPLETE;
10391 	shutdown_complete->ch.chunk_flags = flags;
10392 	shutdown_complete->ch.chunk_length = htons(sizeof(struct sctp_shutdown_complete_chunk));
10393 	SCTP_BUF_LEN(m_shutdown_comp) = sizeof(struct sctp_shutdown_complete_chunk);
10394 	(void)sctp_lowlevel_chunk_output(stcb->sctp_ep, stcb, net,
10395 	    (struct sockaddr *)&net->ro._l_addr,
10396 	    m_shutdown_comp, 0, NULL, 0, 1, 0, NULL, 0,
10397 	    stcb->sctp_ep->sctp_lport, stcb->rport,
10398 	    htonl(vtag),
10399 	    net->port, SCTP_SO_NOT_LOCKED, NULL);
10400 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10401 	return;
10402 }
10403 
10404 void
10405 sctp_send_shutdown_complete2(struct mbuf *m, int iphlen, struct sctphdr *sh,
10406     uint32_t vrf_id, uint16_t port)
10407 {
10408 	/* formulate and SEND a SHUTDOWN-COMPLETE */
10409 	struct mbuf *o_pak;
10410 	struct mbuf *mout;
10411 	struct ip *iph, *iph_out;
10412 	struct udphdr *udp = NULL;
10413 
10414 #ifdef INET6
10415 	struct ip6_hdr *ip6, *ip6_out;
10416 
10417 #endif
10418 	int offset_out, len, mlen;
10419 	struct sctp_shutdown_complete_msg *comp_cp;
10420 
10421 	iph = mtod(m, struct ip *);
10422 	switch (iph->ip_v) {
10423 	case IPVERSION:
10424 		len = (sizeof(struct ip) + sizeof(struct sctp_shutdown_complete_msg));
10425 		break;
10426 #ifdef INET6
10427 	case IPV6_VERSION >> 4:
10428 		len = (sizeof(struct ip6_hdr) + sizeof(struct sctp_shutdown_complete_msg));
10429 		break;
10430 #endif
10431 	default:
10432 		return;
10433 	}
10434 	if (port) {
10435 		len += sizeof(struct udphdr);
10436 	}
10437 	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_DONTWAIT, 1, MT_DATA);
10438 	if (mout == NULL) {
10439 		return;
10440 	}
10441 	SCTP_BUF_RESV_UF(mout, max_linkhdr);
10442 	SCTP_BUF_LEN(mout) = len;
10443 	SCTP_BUF_NEXT(mout) = NULL;
10444 	iph_out = NULL;
10445 #ifdef INET6
10446 	ip6_out = NULL;
10447 #endif
10448 	offset_out = 0;
10449 
10450 	switch (iph->ip_v) {
10451 	case IPVERSION:
10452 		iph_out = mtod(mout, struct ip *);
10453 
10454 		/* Fill in the IP header for the ABORT */
10455 		iph_out->ip_v = IPVERSION;
10456 		iph_out->ip_hl = (sizeof(struct ip) / 4);
10457 		iph_out->ip_tos = (u_char)0;
10458 		iph_out->ip_id = 0;
10459 		iph_out->ip_off = 0;
10460 		iph_out->ip_ttl = MAXTTL;
10461 		if (port) {
10462 			iph_out->ip_p = IPPROTO_UDP;
10463 		} else {
10464 			iph_out->ip_p = IPPROTO_SCTP;
10465 		}
10466 		iph_out->ip_src.s_addr = iph->ip_dst.s_addr;
10467 		iph_out->ip_dst.s_addr = iph->ip_src.s_addr;
10468 
10469 		/* let IP layer calculate this */
10470 		iph_out->ip_sum = 0;
10471 		offset_out += sizeof(*iph_out);
10472 		comp_cp = (struct sctp_shutdown_complete_msg *)(
10473 		    (caddr_t)iph_out + offset_out);
10474 		break;
10475 #ifdef INET6
10476 	case IPV6_VERSION >> 4:
10477 		ip6 = (struct ip6_hdr *)iph;
10478 		ip6_out = mtod(mout, struct ip6_hdr *);
10479 
10480 		/* Fill in the IPv6 header for the ABORT */
10481 		ip6_out->ip6_flow = ip6->ip6_flow;
10482 		ip6_out->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
10483 		if (port) {
10484 			ip6_out->ip6_nxt = IPPROTO_UDP;
10485 		} else {
10486 			ip6_out->ip6_nxt = IPPROTO_SCTP;
10487 		}
10488 		ip6_out->ip6_src = ip6->ip6_dst;
10489 		ip6_out->ip6_dst = ip6->ip6_src;
10490 		/*
10491 		 * ?? The old code had both the iph len + payload, I think
10492 		 * this is wrong and would never have worked
10493 		 */
10494 		ip6_out->ip6_plen = sizeof(struct sctp_shutdown_complete_msg);
10495 		offset_out += sizeof(*ip6_out);
10496 		comp_cp = (struct sctp_shutdown_complete_msg *)(
10497 		    (caddr_t)ip6_out + offset_out);
10498 		break;
10499 #endif				/* INET6 */
10500 	default:
10501 		/* Currently not supported. */
10502 		sctp_m_freem(mout);
10503 		return;
10504 	}
10505 	if (port) {
10506 		udp = (struct udphdr *)comp_cp;
10507 		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
10508 		udp->uh_dport = port;
10509 		udp->uh_ulen = htons(sizeof(struct sctp_shutdown_complete_msg) + sizeof(struct udphdr));
10510 		if (iph_out)
10511 			udp->uh_sum = in_pseudo(iph_out->ip_src.s_addr, iph_out->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
10512 		offset_out += sizeof(struct udphdr);
10513 		comp_cp = (struct sctp_shutdown_complete_msg *)((caddr_t)comp_cp + sizeof(struct udphdr));
10514 	}
10515 	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
10516 		/* no mbuf's */
10517 		sctp_m_freem(mout);
10518 		return;
10519 	}
10520 	/* Now copy in and fill in the ABORT tags etc. */
10521 	comp_cp->sh.src_port = sh->dest_port;
10522 	comp_cp->sh.dest_port = sh->src_port;
10523 	comp_cp->sh.checksum = 0;
10524 	comp_cp->sh.v_tag = sh->v_tag;
10525 	comp_cp->shut_cmp.ch.chunk_flags = SCTP_HAD_NO_TCB;
10526 	comp_cp->shut_cmp.ch.chunk_type = SCTP_SHUTDOWN_COMPLETE;
10527 	comp_cp->shut_cmp.ch.chunk_length = htons(sizeof(struct sctp_shutdown_complete_chunk));
10528 
10529 	if (iph_out != NULL) {
10530 		sctp_route_t ro;
10531 		int ret;
10532 
10533 		mlen = SCTP_BUF_LEN(mout);
10534 		bzero(&ro, sizeof ro);
10535 		/* set IPv4 length */
10536 		iph_out->ip_len = mlen;
10537 #ifdef  SCTP_PACKET_LOGGING
10538 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
10539 			sctp_packet_log(mout, mlen);
10540 #endif
10541 		if (port) {
10542 #if defined(SCTP_WITH_NO_CSUM)
10543 			SCTP_STAT_INCR(sctps_sendnocrc);
10544 #else
10545 			comp_cp->sh.checksum = sctp_calculate_cksum(mout, offset_out);
10546 			SCTP_STAT_INCR(sctps_sendswcrc);
10547 #endif
10548 			SCTP_ENABLE_UDP_CSUM(mout);
10549 		} else {
10550 #if defined(SCTP_WITH_NO_CSUM)
10551 			SCTP_STAT_INCR(sctps_sendnocrc);
10552 #else
10553 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
10554 			mout->m_pkthdr.csum_data = 0;
10555 			SCTP_STAT_INCR(sctps_sendhwcrc);
10556 #endif
10557 		}
10558 		SCTP_ATTACH_CHAIN(o_pak, mout, mlen);
10559 		/* out it goes */
10560 		SCTP_IP_OUTPUT(ret, o_pak, &ro, NULL, vrf_id);
10561 
10562 		/* Free the route if we got one back */
10563 		if (ro.ro_rt)
10564 			RTFREE(ro.ro_rt);
10565 	}
10566 #ifdef INET6
10567 	if (ip6_out != NULL) {
10568 		struct route_in6 ro;
10569 		int ret;
10570 		struct ifnet *ifp = NULL;
10571 
10572 		bzero(&ro, sizeof(ro));
10573 		mlen = SCTP_BUF_LEN(mout);
10574 #ifdef  SCTP_PACKET_LOGGING
10575 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
10576 			sctp_packet_log(mout, mlen);
10577 #endif
10578 		SCTP_ATTACH_CHAIN(o_pak, mout, mlen);
10579 		if (port) {
10580 #if defined(SCTP_WITH_NO_CSUM)
10581 			SCTP_STAT_INCR(sctps_sendnocrc);
10582 #else
10583 			comp_cp->sh.checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
10584 			SCTP_STAT_INCR(sctps_sendswcrc);
10585 #endif
10586 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), mlen - sizeof(struct ip6_hdr))) == 0) {
10587 				udp->uh_sum = 0xffff;
10588 			}
10589 		} else {
10590 #if defined(SCTP_WITH_NO_CSUM)
10591 			SCTP_STAT_INCR(sctps_sendnocrc);
10592 #else
10593 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
10594 			mout->m_pkthdr.csum_data = 0;
10595 			SCTP_STAT_INCR(sctps_sendhwcrc);
10596 #endif
10597 		}
10598 		SCTP_IP6_OUTPUT(ret, o_pak, &ro, &ifp, NULL, vrf_id);
10599 
10600 		/* Free the route if we got one back */
10601 		if (ro.ro_rt)
10602 			RTFREE(ro.ro_rt);
10603 	}
10604 #endif
10605 	SCTP_STAT_INCR(sctps_sendpackets);
10606 	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
10607 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
10608 	return;
10609 
10610 }
10611 
10612 static struct sctp_nets *
10613 sctp_select_hb_destination(struct sctp_tcb *stcb, struct timeval *now)
10614 {
10615 	struct sctp_nets *net, *hnet;
10616 	int ms_goneby, highest_ms, state_overide = 0;
10617 
10618 	(void)SCTP_GETTIME_TIMEVAL(now);
10619 	highest_ms = 0;
10620 	hnet = NULL;
10621 	SCTP_TCB_LOCK_ASSERT(stcb);
10622 	TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
10623 		if (
10624 		    ((net->dest_state & SCTP_ADDR_NOHB) && ((net->dest_state & SCTP_ADDR_UNCONFIRMED) == 0)) ||
10625 		    (net->dest_state & SCTP_ADDR_OUT_OF_SCOPE)
10626 		    ) {
10627 			/*
10628 			 * Skip this guy from consideration if HB is off AND
10629 			 * its confirmed
10630 			 */
10631 			continue;
10632 		}
10633 		if (sctp_destination_is_reachable(stcb, (struct sockaddr *)&net->ro._l_addr) == 0) {
10634 			/* skip this dest net from consideration */
10635 			continue;
10636 		}
10637 		if (net->last_sent_time.tv_sec) {
10638 			/* Sent to so we subtract */
10639 			ms_goneby = (now->tv_sec - net->last_sent_time.tv_sec) * 1000;
10640 		} else
10641 			/* Never been sent to */
10642 			ms_goneby = 0x7fffffff;
10643 		/*-
10644 		 * When the address state is unconfirmed but still
10645 		 * considered reachable, we HB at a higher rate. Once it
10646 		 * goes confirmed OR reaches the "unreachable" state, thenw
10647 		 * we cut it back to HB at a more normal pace.
10648 		 */
10649 		if ((net->dest_state & (SCTP_ADDR_UNCONFIRMED | SCTP_ADDR_NOT_REACHABLE)) == SCTP_ADDR_UNCONFIRMED) {
10650 			state_overide = 1;
10651 		} else {
10652 			state_overide = 0;
10653 		}
10654 
10655 		if ((((unsigned int)ms_goneby >= net->RTO) || (state_overide)) &&
10656 		    (ms_goneby > highest_ms)) {
10657 			highest_ms = ms_goneby;
10658 			hnet = net;
10659 		}
10660 	}
10661 	if (hnet &&
10662 	    ((hnet->dest_state & (SCTP_ADDR_UNCONFIRMED | SCTP_ADDR_NOT_REACHABLE)) == SCTP_ADDR_UNCONFIRMED)) {
10663 		state_overide = 1;
10664 	} else {
10665 		state_overide = 0;
10666 	}
10667 
10668 	if (hnet && highest_ms && (((unsigned int)highest_ms >= hnet->RTO) || state_overide)) {
10669 		/*-
10670 		 * Found the one with longest delay bounds OR it is
10671 		 * unconfirmed and still not marked unreachable.
10672 		 */
10673 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "net:%p is the hb winner -", hnet);
10674 #ifdef SCTP_DEBUG
10675 		if (hnet) {
10676 			SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT4,
10677 			    (struct sockaddr *)&hnet->ro._l_addr);
10678 		} else {
10679 			SCTPDBG(SCTP_DEBUG_OUTPUT4, " none\n");
10680 		}
10681 #endif
10682 		/* update the timer now */
10683 		hnet->last_sent_time = *now;
10684 		return (hnet);
10685 	}
10686 	/* Nothing to HB */
10687 	return (NULL);
10688 }
10689 
10690 int
10691 sctp_send_hb(struct sctp_tcb *stcb, int user_req, struct sctp_nets *u_net)
10692 {
10693 	struct sctp_tmit_chunk *chk;
10694 	struct sctp_nets *net;
10695 	struct sctp_heartbeat_chunk *hb;
10696 	struct timeval now;
10697 	struct sockaddr_in *sin;
10698 	struct sockaddr_in6 *sin6;
10699 
10700 	SCTP_TCB_LOCK_ASSERT(stcb);
10701 	if (user_req == 0) {
10702 		net = sctp_select_hb_destination(stcb, &now);
10703 		if (net == NULL) {
10704 			/*-
10705 			 * All our busy none to send to, just start the
10706 			 * timer again.
10707 			 */
10708 			if (stcb->asoc.state == 0) {
10709 				return (0);
10710 			}
10711 			sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT,
10712 			    stcb->sctp_ep,
10713 			    stcb,
10714 			    net);
10715 			return (0);
10716 		}
10717 	} else {
10718 		net = u_net;
10719 		if (net == NULL) {
10720 			return (0);
10721 		}
10722 		(void)SCTP_GETTIME_TIMEVAL(&now);
10723 	}
10724 	sin = (struct sockaddr_in *)&net->ro._l_addr;
10725 	if (sin->sin_family != AF_INET) {
10726 		if (sin->sin_family != AF_INET6) {
10727 			/* huh */
10728 			return (0);
10729 		}
10730 	}
10731 	sctp_alloc_a_chunk(stcb, chk);
10732 	if (chk == NULL) {
10733 		SCTPDBG(SCTP_DEBUG_OUTPUT4, "Gak, can't get a chunk for hb\n");
10734 		return (0);
10735 	}
10736 	chk->copy_by_ref = 0;
10737 	chk->rec.chunk_id.id = SCTP_HEARTBEAT_REQUEST;
10738 	chk->rec.chunk_id.can_take_data = 1;
10739 	chk->asoc = &stcb->asoc;
10740 	chk->send_size = sizeof(struct sctp_heartbeat_chunk);
10741 
10742 	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_DONTWAIT, 1, MT_HEADER);
10743 	if (chk->data == NULL) {
10744 		sctp_free_a_chunk(stcb, chk);
10745 		return (0);
10746 	}
10747 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10748 	SCTP_BUF_LEN(chk->data) = chk->send_size;
10749 	chk->sent = SCTP_DATAGRAM_UNSENT;
10750 	chk->snd_count = 0;
10751 	chk->whoTo = net;
10752 	atomic_add_int(&chk->whoTo->ref_count, 1);
10753 	/* Now we have a mbuf that we can fill in with the details */
10754 	hb = mtod(chk->data, struct sctp_heartbeat_chunk *);
10755 	memset(hb, 0, sizeof(struct sctp_heartbeat_chunk));
10756 	/* fill out chunk header */
10757 	hb->ch.chunk_type = SCTP_HEARTBEAT_REQUEST;
10758 	hb->ch.chunk_flags = 0;
10759 	hb->ch.chunk_length = htons(chk->send_size);
10760 	/* Fill out hb parameter */
10761 	hb->heartbeat.hb_info.ph.param_type = htons(SCTP_HEARTBEAT_INFO);
10762 	hb->heartbeat.hb_info.ph.param_length = htons(sizeof(struct sctp_heartbeat_info_param));
10763 	hb->heartbeat.hb_info.time_value_1 = now.tv_sec;
10764 	hb->heartbeat.hb_info.time_value_2 = now.tv_usec;
10765 	/* Did our user request this one, put it in */
10766 	hb->heartbeat.hb_info.user_req = user_req;
10767 	hb->heartbeat.hb_info.addr_family = sin->sin_family;
10768 	hb->heartbeat.hb_info.addr_len = sin->sin_len;
10769 	if (net->dest_state & SCTP_ADDR_UNCONFIRMED) {
10770 		/*
10771 		 * we only take from the entropy pool if the address is not
10772 		 * confirmed.
10773 		 */
10774 		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
10775 		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = sctp_select_initial_TSN(&stcb->sctp_ep->sctp_ep);
10776 	} else {
10777 		net->heartbeat_random1 = hb->heartbeat.hb_info.random_value1 = 0;
10778 		net->heartbeat_random2 = hb->heartbeat.hb_info.random_value2 = 0;
10779 	}
10780 	if (sin->sin_family == AF_INET) {
10781 		memcpy(hb->heartbeat.hb_info.address, &sin->sin_addr, sizeof(sin->sin_addr));
10782 	} else if (sin->sin_family == AF_INET6) {
10783 		/* We leave the scope the way it is in our lookup table. */
10784 		sin6 = (struct sockaddr_in6 *)&net->ro._l_addr;
10785 		memcpy(hb->heartbeat.hb_info.address, &sin6->sin6_addr, sizeof(sin6->sin6_addr));
10786 	} else {
10787 		/* huh compiler bug */
10788 		return (0);
10789 	}
10790 
10791 	/*
10792 	 * JRS 5/14/07 - In CMT PF, the T3 timer is used to track
10793 	 * PF-heartbeats.  Because of this, threshold management is done by
10794 	 * the t3 timer handler, and does not need to be done upon the send
10795 	 * of a PF-heartbeat. If CMT PF is on and the destination to which a
10796 	 * heartbeat is being sent is in PF state, do NOT do threshold
10797 	 * management.
10798 	 */
10799 	if ((stcb->asoc.sctp_cmt_pf == 0) ||
10800 	    ((net->dest_state & SCTP_ADDR_PF) != SCTP_ADDR_PF)) {
10801 		/* ok we have a destination that needs a beat */
10802 		/* lets do the theshold management Qiaobing style */
10803 		if (sctp_threshold_management(stcb->sctp_ep, stcb, net,
10804 		    stcb->asoc.max_send_times)) {
10805 			/*-
10806 			 * we have lost the association, in a way this is
10807 			 * quite bad since we really are one less time since
10808 			 * we really did not send yet. This is the down side
10809 			 * to the Q's style as defined in the RFC and not my
10810 			 * alternate style defined in the RFC.
10811 			 */
10812 			if (chk->data != NULL) {
10813 				sctp_m_freem(chk->data);
10814 				chk->data = NULL;
10815 			}
10816 			/*
10817 			 * Here we do NOT use the macro since the
10818 			 * association is now gone.
10819 			 */
10820 			if (chk->whoTo) {
10821 				sctp_free_remote_addr(chk->whoTo);
10822 				chk->whoTo = NULL;
10823 			}
10824 			sctp_free_a_chunk((struct sctp_tcb *)NULL, chk);
10825 			return (-1);
10826 		}
10827 	}
10828 	net->hb_responded = 0;
10829 	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
10830 	stcb->asoc.ctrl_queue_cnt++;
10831 	SCTP_STAT_INCR(sctps_sendheartbeat);
10832 	/*-
10833 	 * Call directly med level routine to put out the chunk. It will
10834 	 * always tumble out control chunks aka HB but it may even tumble
10835 	 * out data too.
10836 	 */
10837 	return (1);
10838 }
10839 
10840 void
10841 sctp_send_ecn_echo(struct sctp_tcb *stcb, struct sctp_nets *net,
10842     uint32_t high_tsn)
10843 {
10844 	struct sctp_association *asoc;
10845 	struct sctp_ecne_chunk *ecne;
10846 	struct sctp_tmit_chunk *chk;
10847 
10848 	asoc = &stcb->asoc;
10849 	SCTP_TCB_LOCK_ASSERT(stcb);
10850 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
10851 		if (chk->rec.chunk_id.id == SCTP_ECN_ECHO) {
10852 			/* found a previous ECN_ECHO update it if needed */
10853 			ecne = mtod(chk->data, struct sctp_ecne_chunk *);
10854 			ecne->tsn = htonl(high_tsn);
10855 			return;
10856 		}
10857 	}
10858 	/* nope could not find one to update so we must build one */
10859 	sctp_alloc_a_chunk(stcb, chk);
10860 	if (chk == NULL) {
10861 		return;
10862 	}
10863 	chk->copy_by_ref = 0;
10864 	SCTP_STAT_INCR(sctps_sendecne);
10865 	chk->rec.chunk_id.id = SCTP_ECN_ECHO;
10866 	chk->rec.chunk_id.can_take_data = 0;
10867 	chk->asoc = &stcb->asoc;
10868 	chk->send_size = sizeof(struct sctp_ecne_chunk);
10869 	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_DONTWAIT, 1, MT_HEADER);
10870 	if (chk->data == NULL) {
10871 		sctp_free_a_chunk(stcb, chk);
10872 		return;
10873 	}
10874 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10875 	SCTP_BUF_LEN(chk->data) = chk->send_size;
10876 	chk->sent = SCTP_DATAGRAM_UNSENT;
10877 	chk->snd_count = 0;
10878 	chk->whoTo = net;
10879 	atomic_add_int(&chk->whoTo->ref_count, 1);
10880 	stcb->asoc.ecn_echo_cnt_onq++;
10881 	ecne = mtod(chk->data, struct sctp_ecne_chunk *);
10882 	ecne->ch.chunk_type = SCTP_ECN_ECHO;
10883 	ecne->ch.chunk_flags = 0;
10884 	ecne->ch.chunk_length = htons(sizeof(struct sctp_ecne_chunk));
10885 	ecne->tsn = htonl(high_tsn);
10886 	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
10887 	asoc->ctrl_queue_cnt++;
10888 }
10889 
10890 void
10891 sctp_send_packet_dropped(struct sctp_tcb *stcb, struct sctp_nets *net,
10892     struct mbuf *m, int iphlen, int bad_crc)
10893 {
10894 	struct sctp_association *asoc;
10895 	struct sctp_pktdrop_chunk *drp;
10896 	struct sctp_tmit_chunk *chk;
10897 	uint8_t *datap;
10898 	int len;
10899 	int was_trunc = 0;
10900 	struct ip *iph;
10901 
10902 #ifdef INET6
10903 	struct ip6_hdr *ip6h;
10904 
10905 #endif
10906 	int fullsz = 0, extra = 0;
10907 	long spc;
10908 	int offset;
10909 	struct sctp_chunkhdr *ch, chunk_buf;
10910 	unsigned int chk_length;
10911 
10912 	if (!stcb) {
10913 		return;
10914 	}
10915 	asoc = &stcb->asoc;
10916 	SCTP_TCB_LOCK_ASSERT(stcb);
10917 	if (asoc->peer_supports_pktdrop == 0) {
10918 		/*-
10919 		 * peer must declare support before I send one.
10920 		 */
10921 		return;
10922 	}
10923 	if (stcb->sctp_socket == NULL) {
10924 		return;
10925 	}
10926 	sctp_alloc_a_chunk(stcb, chk);
10927 	if (chk == NULL) {
10928 		return;
10929 	}
10930 	chk->copy_by_ref = 0;
10931 	iph = mtod(m, struct ip *);
10932 	if (iph == NULL) {
10933 		sctp_free_a_chunk(stcb, chk);
10934 		return;
10935 	}
10936 	switch (iph->ip_v) {
10937 	case IPVERSION:
10938 		/* IPv4 */
10939 		len = chk->send_size = iph->ip_len;
10940 		break;
10941 #ifdef INET6
10942 	case IPV6_VERSION >> 4:
10943 		/* IPv6 */
10944 		ip6h = mtod(m, struct ip6_hdr *);
10945 		len = chk->send_size = htons(ip6h->ip6_plen);
10946 		break;
10947 #endif
10948 	default:
10949 		return;
10950 	}
10951 	/* Validate that we do not have an ABORT in here. */
10952 	offset = iphlen + sizeof(struct sctphdr);
10953 	ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
10954 	    sizeof(*ch), (uint8_t *) & chunk_buf);
10955 	while (ch != NULL) {
10956 		chk_length = ntohs(ch->chunk_length);
10957 		if (chk_length < sizeof(*ch)) {
10958 			/* break to abort land */
10959 			break;
10960 		}
10961 		switch (ch->chunk_type) {
10962 		case SCTP_PACKET_DROPPED:
10963 		case SCTP_ABORT_ASSOCIATION:
10964 		case SCTP_INITIATION_ACK:
10965 			/**
10966 			 * We don't respond with an PKT-DROP to an ABORT
10967 			 * or PKT-DROP. We also do not respond to an
10968 			 * INIT-ACK, because we can't know if the initiation
10969 			 * tag is correct or not.
10970 			 */
10971 			sctp_free_a_chunk(stcb, chk);
10972 			return;
10973 		default:
10974 			break;
10975 		}
10976 		offset += SCTP_SIZE32(chk_length);
10977 		ch = (struct sctp_chunkhdr *)sctp_m_getptr(m, offset,
10978 		    sizeof(*ch), (uint8_t *) & chunk_buf);
10979 	}
10980 
10981 	if ((len + SCTP_MAX_OVERHEAD + sizeof(struct sctp_pktdrop_chunk)) >
10982 	    min(stcb->asoc.smallest_mtu, MCLBYTES)) {
10983 		/*
10984 		 * only send 1 mtu worth, trim off the excess on the end.
10985 		 */
10986 		fullsz = len - extra;
10987 		len = min(stcb->asoc.smallest_mtu, MCLBYTES) - SCTP_MAX_OVERHEAD;
10988 		was_trunc = 1;
10989 	}
10990 	chk->asoc = &stcb->asoc;
10991 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
10992 	if (chk->data == NULL) {
10993 jump_out:
10994 		sctp_free_a_chunk(stcb, chk);
10995 		return;
10996 	}
10997 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
10998 	drp = mtod(chk->data, struct sctp_pktdrop_chunk *);
10999 	if (drp == NULL) {
11000 		sctp_m_freem(chk->data);
11001 		chk->data = NULL;
11002 		goto jump_out;
11003 	}
11004 	chk->book_size = SCTP_SIZE32((chk->send_size + sizeof(struct sctp_pktdrop_chunk) +
11005 	    sizeof(struct sctphdr) + SCTP_MED_OVERHEAD));
11006 	chk->book_size_scale = 0;
11007 	if (was_trunc) {
11008 		drp->ch.chunk_flags = SCTP_PACKET_TRUNCATED;
11009 		drp->trunc_len = htons(fullsz);
11010 		/*
11011 		 * Len is already adjusted to size minus overhead above take
11012 		 * out the pkt_drop chunk itself from it.
11013 		 */
11014 		chk->send_size = len - sizeof(struct sctp_pktdrop_chunk);
11015 		len = chk->send_size;
11016 	} else {
11017 		/* no truncation needed */
11018 		drp->ch.chunk_flags = 0;
11019 		drp->trunc_len = htons(0);
11020 	}
11021 	if (bad_crc) {
11022 		drp->ch.chunk_flags |= SCTP_BADCRC;
11023 	}
11024 	chk->send_size += sizeof(struct sctp_pktdrop_chunk);
11025 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11026 	chk->sent = SCTP_DATAGRAM_UNSENT;
11027 	chk->snd_count = 0;
11028 	if (net) {
11029 		/* we should hit here */
11030 		chk->whoTo = net;
11031 	} else {
11032 		chk->whoTo = asoc->primary_destination;
11033 	}
11034 	atomic_add_int(&chk->whoTo->ref_count, 1);
11035 	chk->rec.chunk_id.id = SCTP_PACKET_DROPPED;
11036 	chk->rec.chunk_id.can_take_data = 1;
11037 	drp->ch.chunk_type = SCTP_PACKET_DROPPED;
11038 	drp->ch.chunk_length = htons(chk->send_size);
11039 	spc = SCTP_SB_LIMIT_RCV(stcb->sctp_socket);
11040 	if (spc < 0) {
11041 		spc = 0;
11042 	}
11043 	drp->bottle_bw = htonl(spc);
11044 	if (asoc->my_rwnd) {
11045 		drp->current_onq = htonl(asoc->size_on_reasm_queue +
11046 		    asoc->size_on_all_streams +
11047 		    asoc->my_rwnd_control_len +
11048 		    stcb->sctp_socket->so_rcv.sb_cc);
11049 	} else {
11050 		/*-
11051 		 * If my rwnd is 0, possibly from mbuf depletion as well as
11052 		 * space used, tell the peer there is NO space aka onq == bw
11053 		 */
11054 		drp->current_onq = htonl(spc);
11055 	}
11056 	drp->reserved = 0;
11057 	datap = drp->data;
11058 	m_copydata(m, iphlen, len, (caddr_t)datap);
11059 	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11060 	asoc->ctrl_queue_cnt++;
11061 }
11062 
11063 void
11064 sctp_send_cwr(struct sctp_tcb *stcb, struct sctp_nets *net, uint32_t high_tsn)
11065 {
11066 	struct sctp_association *asoc;
11067 	struct sctp_cwr_chunk *cwr;
11068 	struct sctp_tmit_chunk *chk;
11069 
11070 	asoc = &stcb->asoc;
11071 	SCTP_TCB_LOCK_ASSERT(stcb);
11072 	TAILQ_FOREACH(chk, &asoc->control_send_queue, sctp_next) {
11073 		if (chk->rec.chunk_id.id == SCTP_ECN_CWR) {
11074 			/* found a previous ECN_CWR update it if needed */
11075 			cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11076 			if (SCTP_TSN_GT(high_tsn, ntohl(cwr->tsn))) {
11077 				cwr->tsn = htonl(high_tsn);
11078 			}
11079 			return;
11080 		}
11081 	}
11082 	/* nope could not find one to update so we must build one */
11083 	sctp_alloc_a_chunk(stcb, chk);
11084 	if (chk == NULL) {
11085 		return;
11086 	}
11087 	chk->copy_by_ref = 0;
11088 	chk->rec.chunk_id.id = SCTP_ECN_CWR;
11089 	chk->rec.chunk_id.can_take_data = 1;
11090 	chk->asoc = &stcb->asoc;
11091 	chk->send_size = sizeof(struct sctp_cwr_chunk);
11092 	chk->data = sctp_get_mbuf_for_msg(chk->send_size, 0, M_DONTWAIT, 1, MT_HEADER);
11093 	if (chk->data == NULL) {
11094 		sctp_free_a_chunk(stcb, chk);
11095 		return;
11096 	}
11097 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11098 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11099 	chk->sent = SCTP_DATAGRAM_UNSENT;
11100 	chk->snd_count = 0;
11101 	chk->whoTo = net;
11102 	atomic_add_int(&chk->whoTo->ref_count, 1);
11103 	cwr = mtod(chk->data, struct sctp_cwr_chunk *);
11104 	cwr->ch.chunk_type = SCTP_ECN_CWR;
11105 	cwr->ch.chunk_flags = 0;
11106 	cwr->ch.chunk_length = htons(sizeof(struct sctp_cwr_chunk));
11107 	cwr->tsn = htonl(high_tsn);
11108 	TAILQ_INSERT_TAIL(&stcb->asoc.control_send_queue, chk, sctp_next);
11109 	asoc->ctrl_queue_cnt++;
11110 }
11111 
11112 void
11113 sctp_add_stream_reset_out(struct sctp_tmit_chunk *chk,
11114     int number_entries, uint16_t * list,
11115     uint32_t seq, uint32_t resp_seq, uint32_t last_sent)
11116 {
11117 	int len, old_len, i;
11118 	struct sctp_stream_reset_out_request *req_out;
11119 	struct sctp_chunkhdr *ch;
11120 
11121 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11122 
11123 
11124 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11125 
11126 	/* get to new offset for the param. */
11127 	req_out = (struct sctp_stream_reset_out_request *)((caddr_t)ch + len);
11128 	/* now how long will this param be? */
11129 	len = (sizeof(struct sctp_stream_reset_out_request) + (sizeof(uint16_t) * number_entries));
11130 	req_out->ph.param_type = htons(SCTP_STR_RESET_OUT_REQUEST);
11131 	req_out->ph.param_length = htons(len);
11132 	req_out->request_seq = htonl(seq);
11133 	req_out->response_seq = htonl(resp_seq);
11134 	req_out->send_reset_at_tsn = htonl(last_sent);
11135 	if (number_entries) {
11136 		for (i = 0; i < number_entries; i++) {
11137 			req_out->list_of_streams[i] = htons(list[i]);
11138 		}
11139 	}
11140 	if (SCTP_SIZE32(len) > len) {
11141 		/*-
11142 		 * Need to worry about the pad we may end up adding to the
11143 		 * end. This is easy since the struct is either aligned to 4
11144 		 * bytes or 2 bytes off.
11145 		 */
11146 		req_out->list_of_streams[number_entries] = 0;
11147 	}
11148 	/* now fix the chunk length */
11149 	ch->chunk_length = htons(len + old_len);
11150 	chk->book_size = len + old_len;
11151 	chk->book_size_scale = 0;
11152 	chk->send_size = SCTP_SIZE32(chk->book_size);
11153 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11154 	return;
11155 }
11156 
11157 
11158 void
11159 sctp_add_stream_reset_in(struct sctp_tmit_chunk *chk,
11160     int number_entries, uint16_t * list,
11161     uint32_t seq)
11162 {
11163 	int len, old_len, i;
11164 	struct sctp_stream_reset_in_request *req_in;
11165 	struct sctp_chunkhdr *ch;
11166 
11167 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11168 
11169 
11170 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11171 
11172 	/* get to new offset for the param. */
11173 	req_in = (struct sctp_stream_reset_in_request *)((caddr_t)ch + len);
11174 	/* now how long will this param be? */
11175 	len = (sizeof(struct sctp_stream_reset_in_request) + (sizeof(uint16_t) * number_entries));
11176 	req_in->ph.param_type = htons(SCTP_STR_RESET_IN_REQUEST);
11177 	req_in->ph.param_length = htons(len);
11178 	req_in->request_seq = htonl(seq);
11179 	if (number_entries) {
11180 		for (i = 0; i < number_entries; i++) {
11181 			req_in->list_of_streams[i] = htons(list[i]);
11182 		}
11183 	}
11184 	if (SCTP_SIZE32(len) > len) {
11185 		/*-
11186 		 * Need to worry about the pad we may end up adding to the
11187 		 * end. This is easy since the struct is either aligned to 4
11188 		 * bytes or 2 bytes off.
11189 		 */
11190 		req_in->list_of_streams[number_entries] = 0;
11191 	}
11192 	/* now fix the chunk length */
11193 	ch->chunk_length = htons(len + old_len);
11194 	chk->book_size = len + old_len;
11195 	chk->book_size_scale = 0;
11196 	chk->send_size = SCTP_SIZE32(chk->book_size);
11197 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11198 	return;
11199 }
11200 
11201 
11202 void
11203 sctp_add_stream_reset_tsn(struct sctp_tmit_chunk *chk,
11204     uint32_t seq)
11205 {
11206 	int len, old_len;
11207 	struct sctp_stream_reset_tsn_request *req_tsn;
11208 	struct sctp_chunkhdr *ch;
11209 
11210 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11211 
11212 
11213 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11214 
11215 	/* get to new offset for the param. */
11216 	req_tsn = (struct sctp_stream_reset_tsn_request *)((caddr_t)ch + len);
11217 	/* now how long will this param be? */
11218 	len = sizeof(struct sctp_stream_reset_tsn_request);
11219 	req_tsn->ph.param_type = htons(SCTP_STR_RESET_TSN_REQUEST);
11220 	req_tsn->ph.param_length = htons(len);
11221 	req_tsn->request_seq = htonl(seq);
11222 
11223 	/* now fix the chunk length */
11224 	ch->chunk_length = htons(len + old_len);
11225 	chk->send_size = len + old_len;
11226 	chk->book_size = SCTP_SIZE32(chk->send_size);
11227 	chk->book_size_scale = 0;
11228 	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
11229 	return;
11230 }
11231 
11232 void
11233 sctp_add_stream_reset_result(struct sctp_tmit_chunk *chk,
11234     uint32_t resp_seq, uint32_t result)
11235 {
11236 	int len, old_len;
11237 	struct sctp_stream_reset_response *resp;
11238 	struct sctp_chunkhdr *ch;
11239 
11240 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11241 
11242 
11243 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11244 
11245 	/* get to new offset for the param. */
11246 	resp = (struct sctp_stream_reset_response *)((caddr_t)ch + len);
11247 	/* now how long will this param be? */
11248 	len = sizeof(struct sctp_stream_reset_response);
11249 	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
11250 	resp->ph.param_length = htons(len);
11251 	resp->response_seq = htonl(resp_seq);
11252 	resp->result = ntohl(result);
11253 
11254 	/* now fix the chunk length */
11255 	ch->chunk_length = htons(len + old_len);
11256 	chk->book_size = len + old_len;
11257 	chk->book_size_scale = 0;
11258 	chk->send_size = SCTP_SIZE32(chk->book_size);
11259 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11260 	return;
11261 
11262 }
11263 
11264 
11265 void
11266 sctp_add_stream_reset_result_tsn(struct sctp_tmit_chunk *chk,
11267     uint32_t resp_seq, uint32_t result,
11268     uint32_t send_una, uint32_t recv_next)
11269 {
11270 	int len, old_len;
11271 	struct sctp_stream_reset_response_tsn *resp;
11272 	struct sctp_chunkhdr *ch;
11273 
11274 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11275 
11276 
11277 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11278 
11279 	/* get to new offset for the param. */
11280 	resp = (struct sctp_stream_reset_response_tsn *)((caddr_t)ch + len);
11281 	/* now how long will this param be? */
11282 	len = sizeof(struct sctp_stream_reset_response_tsn);
11283 	resp->ph.param_type = htons(SCTP_STR_RESET_RESPONSE);
11284 	resp->ph.param_length = htons(len);
11285 	resp->response_seq = htonl(resp_seq);
11286 	resp->result = htonl(result);
11287 	resp->senders_next_tsn = htonl(send_una);
11288 	resp->receivers_next_tsn = htonl(recv_next);
11289 
11290 	/* now fix the chunk length */
11291 	ch->chunk_length = htons(len + old_len);
11292 	chk->book_size = len + old_len;
11293 	chk->send_size = SCTP_SIZE32(chk->book_size);
11294 	chk->book_size_scale = 0;
11295 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11296 	return;
11297 }
11298 
11299 static void
11300 sctp_add_a_stream(struct sctp_tmit_chunk *chk,
11301     uint32_t seq,
11302     uint16_t adding)
11303 {
11304 	int len, old_len;
11305 	struct sctp_chunkhdr *ch;
11306 	struct sctp_stream_reset_add_strm *addstr;
11307 
11308 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11309 	old_len = len = SCTP_SIZE32(ntohs(ch->chunk_length));
11310 
11311 	/* get to new offset for the param. */
11312 	addstr = (struct sctp_stream_reset_add_strm *)((caddr_t)ch + len);
11313 	/* now how long will this param be? */
11314 	len = sizeof(struct sctp_stream_reset_add_strm);
11315 
11316 	/* Fill it out. */
11317 	addstr->ph.param_type = htons(SCTP_STR_RESET_ADD_STREAMS);
11318 	addstr->ph.param_length = htons(len);
11319 	addstr->request_seq = htonl(seq);
11320 	addstr->number_of_streams = htons(adding);
11321 	addstr->reserved = 0;
11322 
11323 	/* now fix the chunk length */
11324 	ch->chunk_length = htons(len + old_len);
11325 	chk->send_size = len + old_len;
11326 	chk->book_size = SCTP_SIZE32(chk->send_size);
11327 	chk->book_size_scale = 0;
11328 	SCTP_BUF_LEN(chk->data) = SCTP_SIZE32(chk->send_size);
11329 	return;
11330 }
11331 
11332 int
11333 sctp_send_str_reset_req(struct sctp_tcb *stcb,
11334     int number_entries, uint16_t * list,
11335     uint8_t send_out_req,
11336     uint32_t resp_seq,
11337     uint8_t send_in_req,
11338     uint8_t send_tsn_req,
11339     uint8_t add_stream,
11340     uint16_t adding
11341 )
11342 {
11343 
11344 	struct sctp_association *asoc;
11345 	struct sctp_tmit_chunk *chk;
11346 	struct sctp_chunkhdr *ch;
11347 	uint32_t seq;
11348 
11349 	asoc = &stcb->asoc;
11350 	if (asoc->stream_reset_outstanding) {
11351 		/*-
11352 		 * Already one pending, must get ACK back to clear the flag.
11353 		 */
11354 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EBUSY);
11355 		return (EBUSY);
11356 	}
11357 	if ((send_out_req == 0) && (send_in_req == 0) && (send_tsn_req == 0) &&
11358 	    (add_stream == 0)) {
11359 		/* nothing to do */
11360 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
11361 		return (EINVAL);
11362 	}
11363 	if (send_tsn_req && (send_out_req || send_in_req)) {
11364 		/* error, can't do that */
11365 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
11366 		return (EINVAL);
11367 	}
11368 	sctp_alloc_a_chunk(stcb, chk);
11369 	if (chk == NULL) {
11370 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11371 		return (ENOMEM);
11372 	}
11373 	chk->copy_by_ref = 0;
11374 	chk->rec.chunk_id.id = SCTP_STREAM_RESET;
11375 	chk->rec.chunk_id.can_take_data = 0;
11376 	chk->asoc = &stcb->asoc;
11377 	chk->book_size = sizeof(struct sctp_chunkhdr);
11378 	chk->send_size = SCTP_SIZE32(chk->book_size);
11379 	chk->book_size_scale = 0;
11380 
11381 	chk->data = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_DONTWAIT, 1, MT_DATA);
11382 	if (chk->data == NULL) {
11383 		sctp_free_a_chunk(stcb, chk);
11384 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11385 		return (ENOMEM);
11386 	}
11387 	SCTP_BUF_RESV_UF(chk->data, SCTP_MIN_OVERHEAD);
11388 
11389 	/* setup chunk parameters */
11390 	chk->sent = SCTP_DATAGRAM_UNSENT;
11391 	chk->snd_count = 0;
11392 	chk->whoTo = asoc->primary_destination;
11393 	atomic_add_int(&chk->whoTo->ref_count, 1);
11394 
11395 	ch = mtod(chk->data, struct sctp_chunkhdr *);
11396 	ch->chunk_type = SCTP_STREAM_RESET;
11397 	ch->chunk_flags = 0;
11398 	ch->chunk_length = htons(chk->book_size);
11399 	SCTP_BUF_LEN(chk->data) = chk->send_size;
11400 
11401 	seq = stcb->asoc.str_reset_seq_out;
11402 	if (send_out_req) {
11403 		sctp_add_stream_reset_out(chk, number_entries, list,
11404 		    seq, resp_seq, (stcb->asoc.sending_seq - 1));
11405 		asoc->stream_reset_out_is_outstanding = 1;
11406 		seq++;
11407 		asoc->stream_reset_outstanding++;
11408 	}
11409 	if (add_stream) {
11410 		sctp_add_a_stream(chk, seq, adding);
11411 		seq++;
11412 		asoc->stream_reset_outstanding++;
11413 	}
11414 	if (send_in_req) {
11415 		sctp_add_stream_reset_in(chk, number_entries, list, seq);
11416 		asoc->stream_reset_outstanding++;
11417 	}
11418 	if (send_tsn_req) {
11419 		sctp_add_stream_reset_tsn(chk, seq);
11420 		asoc->stream_reset_outstanding++;
11421 	}
11422 	asoc->str_reset = chk;
11423 
11424 	/* insert the chunk for sending */
11425 	TAILQ_INSERT_TAIL(&asoc->control_send_queue,
11426 	    chk,
11427 	    sctp_next);
11428 	asoc->ctrl_queue_cnt++;
11429 	sctp_timer_start(SCTP_TIMER_TYPE_STRRESET, stcb->sctp_ep, stcb, chk->whoTo);
11430 	return (0);
11431 }
11432 
11433 void
11434 sctp_send_abort(struct mbuf *m, int iphlen, struct sctphdr *sh, uint32_t vtag,
11435     struct mbuf *err_cause, uint32_t vrf_id, uint16_t port)
11436 {
11437 	/*-
11438 	 * Formulate the abort message, and send it back down.
11439 	 */
11440 	struct mbuf *o_pak;
11441 	struct mbuf *mout;
11442 	struct sctp_abort_msg *abm;
11443 	struct ip *iph, *iph_out;
11444 	struct udphdr *udp;
11445 
11446 #ifdef INET6
11447 	struct ip6_hdr *ip6, *ip6_out;
11448 
11449 #endif
11450 	int iphlen_out, len;
11451 
11452 	/* don't respond to ABORT with ABORT */
11453 	if (sctp_is_there_an_abort_here(m, iphlen, &vtag)) {
11454 		if (err_cause)
11455 			sctp_m_freem(err_cause);
11456 		return;
11457 	}
11458 	iph = mtod(m, struct ip *);
11459 	switch (iph->ip_v) {
11460 	case IPVERSION:
11461 		len = (sizeof(struct ip) + sizeof(struct sctp_abort_msg));
11462 		break;
11463 #ifdef INET6
11464 	case IPV6_VERSION >> 4:
11465 		len = (sizeof(struct ip6_hdr) + sizeof(struct sctp_abort_msg));
11466 		break;
11467 #endif
11468 	default:
11469 		if (err_cause) {
11470 			sctp_m_freem(err_cause);
11471 		}
11472 		return;
11473 	}
11474 	if (port) {
11475 		len += sizeof(struct udphdr);
11476 	}
11477 	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_DONTWAIT, 1, MT_DATA);
11478 	if (mout == NULL) {
11479 		if (err_cause) {
11480 			sctp_m_freem(err_cause);
11481 		}
11482 		return;
11483 	}
11484 	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11485 	SCTP_BUF_LEN(mout) = len;
11486 	SCTP_BUF_NEXT(mout) = err_cause;
11487 	iph_out = NULL;
11488 #ifdef INET6
11489 	ip6_out = NULL;
11490 #endif
11491 	switch (iph->ip_v) {
11492 	case IPVERSION:
11493 		iph_out = mtod(mout, struct ip *);
11494 
11495 		/* Fill in the IP header for the ABORT */
11496 		iph_out->ip_v = IPVERSION;
11497 		iph_out->ip_hl = (sizeof(struct ip) / 4);
11498 		iph_out->ip_tos = (u_char)0;
11499 		iph_out->ip_id = 0;
11500 		iph_out->ip_off = 0;
11501 		iph_out->ip_ttl = MAXTTL;
11502 		if (port) {
11503 			iph_out->ip_p = IPPROTO_UDP;
11504 		} else {
11505 			iph_out->ip_p = IPPROTO_SCTP;
11506 		}
11507 		iph_out->ip_src.s_addr = iph->ip_dst.s_addr;
11508 		iph_out->ip_dst.s_addr = iph->ip_src.s_addr;
11509 		/* let IP layer calculate this */
11510 		iph_out->ip_sum = 0;
11511 
11512 		iphlen_out = sizeof(*iph_out);
11513 		abm = (struct sctp_abort_msg *)((caddr_t)iph_out + iphlen_out);
11514 		break;
11515 #ifdef INET6
11516 	case IPV6_VERSION >> 4:
11517 		ip6 = (struct ip6_hdr *)iph;
11518 		ip6_out = mtod(mout, struct ip6_hdr *);
11519 
11520 		/* Fill in the IP6 header for the ABORT */
11521 		ip6_out->ip6_flow = ip6->ip6_flow;
11522 		ip6_out->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
11523 		if (port) {
11524 			ip6_out->ip6_nxt = IPPROTO_UDP;
11525 		} else {
11526 			ip6_out->ip6_nxt = IPPROTO_SCTP;
11527 		}
11528 		ip6_out->ip6_src = ip6->ip6_dst;
11529 		ip6_out->ip6_dst = ip6->ip6_src;
11530 
11531 		iphlen_out = sizeof(*ip6_out);
11532 		abm = (struct sctp_abort_msg *)((caddr_t)ip6_out + iphlen_out);
11533 		break;
11534 #endif				/* INET6 */
11535 	default:
11536 		/* Currently not supported */
11537 		sctp_m_freem(mout);
11538 		return;
11539 	}
11540 
11541 	udp = (struct udphdr *)abm;
11542 	if (port) {
11543 		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
11544 		udp->uh_dport = port;
11545 		/* set udp->uh_ulen later */
11546 		udp->uh_sum = 0;
11547 		iphlen_out += sizeof(struct udphdr);
11548 		abm = (struct sctp_abort_msg *)((caddr_t)abm + sizeof(struct udphdr));
11549 	}
11550 	abm->sh.src_port = sh->dest_port;
11551 	abm->sh.dest_port = sh->src_port;
11552 	abm->sh.checksum = 0;
11553 	if (vtag == 0) {
11554 		abm->sh.v_tag = sh->v_tag;
11555 		abm->msg.ch.chunk_flags = SCTP_HAD_NO_TCB;
11556 	} else {
11557 		abm->sh.v_tag = htonl(vtag);
11558 		abm->msg.ch.chunk_flags = 0;
11559 	}
11560 	abm->msg.ch.chunk_type = SCTP_ABORT_ASSOCIATION;
11561 
11562 	if (err_cause) {
11563 		struct mbuf *m_tmp = err_cause;
11564 		int err_len = 0;
11565 
11566 		/* get length of the err_cause chain */
11567 		while (m_tmp != NULL) {
11568 			err_len += SCTP_BUF_LEN(m_tmp);
11569 			m_tmp = SCTP_BUF_NEXT(m_tmp);
11570 		}
11571 		len = SCTP_BUF_LEN(mout) + err_len;
11572 		if (err_len % 4) {
11573 			/* need pad at end of chunk */
11574 			uint32_t cpthis = 0;
11575 			int padlen;
11576 
11577 			padlen = 4 - (len % 4);
11578 			m_copyback(mout, len, padlen, (caddr_t)&cpthis);
11579 			len += padlen;
11580 		}
11581 		abm->msg.ch.chunk_length = htons(sizeof(abm->msg.ch) + err_len);
11582 	} else {
11583 		len = SCTP_BUF_LEN(mout);
11584 		abm->msg.ch.chunk_length = htons(sizeof(abm->msg.ch));
11585 	}
11586 
11587 	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
11588 		/* no mbuf's */
11589 		sctp_m_freem(mout);
11590 		return;
11591 	}
11592 	if (iph_out != NULL) {
11593 		sctp_route_t ro;
11594 		int ret;
11595 
11596 		/* zap the stack pointer to the route */
11597 		bzero(&ro, sizeof ro);
11598 		if (port) {
11599 			udp->uh_ulen = htons(len - sizeof(struct ip));
11600 			udp->uh_sum = in_pseudo(iph_out->ip_src.s_addr, iph_out->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11601 		}
11602 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "sctp_send_abort calling ip_output:\n");
11603 		SCTPDBG_PKT(SCTP_DEBUG_OUTPUT2, iph_out, &abm->sh);
11604 		/* set IPv4 length */
11605 		iph_out->ip_len = len;
11606 		/* out it goes */
11607 #ifdef  SCTP_PACKET_LOGGING
11608 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
11609 			sctp_packet_log(mout, len);
11610 #endif
11611 		SCTP_ATTACH_CHAIN(o_pak, mout, len);
11612 		if (port) {
11613 #if defined(SCTP_WITH_NO_CSUM)
11614 			SCTP_STAT_INCR(sctps_sendnocrc);
11615 #else
11616 			abm->sh.checksum = sctp_calculate_cksum(mout, iphlen_out);
11617 			SCTP_STAT_INCR(sctps_sendswcrc);
11618 #endif
11619 			SCTP_ENABLE_UDP_CSUM(o_pak);
11620 		} else {
11621 #if defined(SCTP_WITH_NO_CSUM)
11622 			SCTP_STAT_INCR(sctps_sendnocrc);
11623 #else
11624 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11625 			mout->m_pkthdr.csum_data = 0;
11626 			SCTP_STAT_INCR(sctps_sendhwcrc);
11627 #endif
11628 		}
11629 		SCTP_IP_OUTPUT(ret, o_pak, &ro, NULL, vrf_id);
11630 
11631 		/* Free the route if we got one back */
11632 		if (ro.ro_rt)
11633 			RTFREE(ro.ro_rt);
11634 	}
11635 #ifdef INET6
11636 	if (ip6_out != NULL) {
11637 		struct route_in6 ro;
11638 		int ret;
11639 		struct ifnet *ifp = NULL;
11640 
11641 		/* zap the stack pointer to the route */
11642 		bzero(&ro, sizeof(ro));
11643 		if (port) {
11644 			udp->uh_ulen = htons(len - sizeof(struct ip6_hdr));
11645 		}
11646 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "sctp_send_abort calling ip6_output:\n");
11647 		SCTPDBG_PKT(SCTP_DEBUG_OUTPUT2, (struct ip *)ip6_out, &abm->sh);
11648 		ip6_out->ip6_plen = len - sizeof(*ip6_out);
11649 #ifdef  SCTP_PACKET_LOGGING
11650 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
11651 			sctp_packet_log(mout, len);
11652 #endif
11653 		SCTP_ATTACH_CHAIN(o_pak, mout, len);
11654 		if (port) {
11655 #if defined(SCTP_WITH_NO_CSUM)
11656 			SCTP_STAT_INCR(sctps_sendnocrc);
11657 #else
11658 			abm->sh.checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
11659 			SCTP_STAT_INCR(sctps_sendswcrc);
11660 #endif
11661 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), len - sizeof(struct ip6_hdr))) == 0) {
11662 				udp->uh_sum = 0xffff;
11663 			}
11664 		} else {
11665 #if defined(SCTP_WITH_NO_CSUM)
11666 			SCTP_STAT_INCR(sctps_sendnocrc);
11667 #else
11668 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11669 			mout->m_pkthdr.csum_data = 0;
11670 			SCTP_STAT_INCR(sctps_sendhwcrc);
11671 #endif
11672 		}
11673 		SCTP_IP6_OUTPUT(ret, o_pak, &ro, &ifp, NULL, vrf_id);
11674 
11675 		/* Free the route if we got one back */
11676 		if (ro.ro_rt)
11677 			RTFREE(ro.ro_rt);
11678 	}
11679 #endif
11680 	SCTP_STAT_INCR(sctps_sendpackets);
11681 	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
11682 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11683 }
11684 
11685 void
11686 sctp_send_operr_to(struct mbuf *m, int iphlen, struct mbuf *scm, uint32_t vtag,
11687     uint32_t vrf_id, uint16_t port)
11688 {
11689 	struct mbuf *o_pak;
11690 	struct sctphdr *sh, *sh_out;
11691 	struct sctp_chunkhdr *ch;
11692 	struct ip *iph, *iph_out;
11693 	struct udphdr *udp = NULL;
11694 	struct mbuf *mout;
11695 
11696 #ifdef INET6
11697 	struct ip6_hdr *ip6, *ip6_out;
11698 
11699 #endif
11700 	int iphlen_out, len;
11701 
11702 	iph = mtod(m, struct ip *);
11703 	sh = (struct sctphdr *)((caddr_t)iph + iphlen);
11704 	switch (iph->ip_v) {
11705 	case IPVERSION:
11706 		len = (sizeof(struct ip) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr));
11707 		break;
11708 #ifdef INET6
11709 	case IPV6_VERSION >> 4:
11710 		len = (sizeof(struct ip6_hdr) + sizeof(struct sctphdr) + sizeof(struct sctp_chunkhdr));
11711 		break;
11712 #endif
11713 	default:
11714 		if (scm) {
11715 			sctp_m_freem(scm);
11716 		}
11717 		return;
11718 	}
11719 	if (port) {
11720 		len += sizeof(struct udphdr);
11721 	}
11722 	mout = sctp_get_mbuf_for_msg(len + max_linkhdr, 1, M_DONTWAIT, 1, MT_DATA);
11723 	if (mout == NULL) {
11724 		if (scm) {
11725 			sctp_m_freem(scm);
11726 		}
11727 		return;
11728 	}
11729 	SCTP_BUF_RESV_UF(mout, max_linkhdr);
11730 	SCTP_BUF_LEN(mout) = len;
11731 	SCTP_BUF_NEXT(mout) = scm;
11732 	iph_out = NULL;
11733 #ifdef INET6
11734 	ip6_out = NULL;
11735 #endif
11736 	switch (iph->ip_v) {
11737 	case IPVERSION:
11738 		iph_out = mtod(mout, struct ip *);
11739 
11740 		/* Fill in the IP header for the ABORT */
11741 		iph_out->ip_v = IPVERSION;
11742 		iph_out->ip_hl = (sizeof(struct ip) / 4);
11743 		iph_out->ip_tos = (u_char)0;
11744 		iph_out->ip_id = 0;
11745 		iph_out->ip_off = 0;
11746 		iph_out->ip_ttl = MAXTTL;
11747 		if (port) {
11748 			iph_out->ip_p = IPPROTO_UDP;
11749 		} else {
11750 			iph_out->ip_p = IPPROTO_SCTP;
11751 		}
11752 		iph_out->ip_src.s_addr = iph->ip_dst.s_addr;
11753 		iph_out->ip_dst.s_addr = iph->ip_src.s_addr;
11754 		/* let IP layer calculate this */
11755 		iph_out->ip_sum = 0;
11756 
11757 		iphlen_out = sizeof(struct ip);
11758 		sh_out = (struct sctphdr *)((caddr_t)iph_out + iphlen_out);
11759 		break;
11760 #ifdef INET6
11761 	case IPV6_VERSION >> 4:
11762 		ip6 = (struct ip6_hdr *)iph;
11763 		ip6_out = mtod(mout, struct ip6_hdr *);
11764 
11765 		/* Fill in the IP6 header for the ABORT */
11766 		ip6_out->ip6_flow = ip6->ip6_flow;
11767 		ip6_out->ip6_hlim = MODULE_GLOBAL(ip6_defhlim);
11768 		if (port) {
11769 			ip6_out->ip6_nxt = IPPROTO_UDP;
11770 		} else {
11771 			ip6_out->ip6_nxt = IPPROTO_SCTP;
11772 		}
11773 		ip6_out->ip6_src = ip6->ip6_dst;
11774 		ip6_out->ip6_dst = ip6->ip6_src;
11775 
11776 		iphlen_out = sizeof(struct ip6_hdr);
11777 		sh_out = (struct sctphdr *)((caddr_t)ip6_out + iphlen_out);
11778 		break;
11779 #endif				/* INET6 */
11780 	default:
11781 		/* Currently not supported */
11782 		sctp_m_freem(mout);
11783 		return;
11784 	}
11785 
11786 	udp = (struct udphdr *)sh_out;
11787 	if (port) {
11788 		udp->uh_sport = htons(SCTP_BASE_SYSCTL(sctp_udp_tunneling_port));
11789 		udp->uh_dport = port;
11790 		/* set udp->uh_ulen later */
11791 		udp->uh_sum = 0;
11792 		iphlen_out += sizeof(struct udphdr);
11793 		sh_out = (struct sctphdr *)((caddr_t)udp + sizeof(struct udphdr));
11794 	}
11795 	sh_out->src_port = sh->dest_port;
11796 	sh_out->dest_port = sh->src_port;
11797 	sh_out->v_tag = vtag;
11798 	sh_out->checksum = 0;
11799 
11800 	ch = (struct sctp_chunkhdr *)((caddr_t)sh_out + sizeof(struct sctphdr));
11801 	ch->chunk_type = SCTP_OPERATION_ERROR;
11802 	ch->chunk_flags = 0;
11803 
11804 	if (scm) {
11805 		struct mbuf *m_tmp = scm;
11806 		int cause_len = 0;
11807 
11808 		/* get length of the err_cause chain */
11809 		while (m_tmp != NULL) {
11810 			cause_len += SCTP_BUF_LEN(m_tmp);
11811 			m_tmp = SCTP_BUF_NEXT(m_tmp);
11812 		}
11813 		len = SCTP_BUF_LEN(mout) + cause_len;
11814 		if (cause_len % 4) {
11815 			/* need pad at end of chunk */
11816 			uint32_t cpthis = 0;
11817 			int padlen;
11818 
11819 			padlen = 4 - (len % 4);
11820 			m_copyback(mout, len, padlen, (caddr_t)&cpthis);
11821 			len += padlen;
11822 		}
11823 		ch->chunk_length = htons(sizeof(struct sctp_chunkhdr) + cause_len);
11824 	} else {
11825 		len = SCTP_BUF_LEN(mout);
11826 		ch->chunk_length = htons(sizeof(struct sctp_chunkhdr));
11827 	}
11828 
11829 	if (SCTP_GET_HEADER_FOR_OUTPUT(o_pak)) {
11830 		/* no mbuf's */
11831 		sctp_m_freem(mout);
11832 		return;
11833 	}
11834 	if (iph_out != NULL) {
11835 		sctp_route_t ro;
11836 		int ret;
11837 
11838 		/* zap the stack pointer to the route */
11839 		bzero(&ro, sizeof ro);
11840 		if (port) {
11841 			udp->uh_ulen = htons(len - sizeof(struct ip));
11842 			udp->uh_sum = in_pseudo(iph_out->ip_src.s_addr, iph_out->ip_dst.s_addr, udp->uh_ulen + htons(IPPROTO_UDP));
11843 		}
11844 		/* set IPv4 length */
11845 		iph_out->ip_len = len;
11846 		/* out it goes */
11847 #ifdef  SCTP_PACKET_LOGGING
11848 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
11849 			sctp_packet_log(mout, len);
11850 #endif
11851 		SCTP_ATTACH_CHAIN(o_pak, mout, len);
11852 		if (port) {
11853 #if defined(SCTP_WITH_NO_CSUM)
11854 			SCTP_STAT_INCR(sctps_sendnocrc);
11855 #else
11856 			sh_out->checksum = sctp_calculate_cksum(mout, iphlen_out);
11857 			SCTP_STAT_INCR(sctps_sendswcrc);
11858 #endif
11859 			SCTP_ENABLE_UDP_CSUM(o_pak);
11860 		} else {
11861 #if defined(SCTP_WITH_NO_CSUM)
11862 			SCTP_STAT_INCR(sctps_sendnocrc);
11863 #else
11864 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11865 			mout->m_pkthdr.csum_data = 0;
11866 			SCTP_STAT_INCR(sctps_sendhwcrc);
11867 #endif
11868 		}
11869 		SCTP_IP_OUTPUT(ret, o_pak, &ro, NULL, vrf_id);
11870 
11871 		/* Free the route if we got one back */
11872 		if (ro.ro_rt)
11873 			RTFREE(ro.ro_rt);
11874 	}
11875 #ifdef INET6
11876 	if (ip6_out != NULL) {
11877 		struct route_in6 ro;
11878 		int ret;
11879 		struct ifnet *ifp = NULL;
11880 
11881 		/* zap the stack pointer to the route */
11882 		bzero(&ro, sizeof(ro));
11883 		if (port) {
11884 			udp->uh_ulen = htons(len - sizeof(struct ip6_hdr));
11885 		}
11886 		ip6_out->ip6_plen = len - sizeof(*ip6_out);
11887 #ifdef  SCTP_PACKET_LOGGING
11888 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LAST_PACKET_TRACING)
11889 			sctp_packet_log(mout, len);
11890 #endif
11891 		SCTP_ATTACH_CHAIN(o_pak, mout, len);
11892 		if (port) {
11893 #if defined(SCTP_WITH_NO_CSUM)
11894 			SCTP_STAT_INCR(sctps_sendnocrc);
11895 #else
11896 			sh_out->checksum = sctp_calculate_cksum(mout, sizeof(struct ip6_hdr) + sizeof(struct udphdr));
11897 			SCTP_STAT_INCR(sctps_sendswcrc);
11898 #endif
11899 			if ((udp->uh_sum = in6_cksum(o_pak, IPPROTO_UDP, sizeof(struct ip6_hdr), len - sizeof(struct ip6_hdr))) == 0) {
11900 				udp->uh_sum = 0xffff;
11901 			}
11902 		} else {
11903 #if defined(SCTP_WITH_NO_CSUM)
11904 			SCTP_STAT_INCR(sctps_sendnocrc);
11905 #else
11906 			mout->m_pkthdr.csum_flags = CSUM_SCTP;
11907 			mout->m_pkthdr.csum_data = 0;
11908 			SCTP_STAT_INCR(sctps_sendhwcrc);
11909 #endif
11910 		}
11911 		SCTP_IP6_OUTPUT(ret, o_pak, &ro, &ifp, NULL, vrf_id);
11912 
11913 		/* Free the route if we got one back */
11914 		if (ro.ro_rt)
11915 			RTFREE(ro.ro_rt);
11916 	}
11917 #endif
11918 	SCTP_STAT_INCR(sctps_sendpackets);
11919 	SCTP_STAT_INCR_COUNTER64(sctps_outpackets);
11920 	SCTP_STAT_INCR_COUNTER64(sctps_outcontrolchunks);
11921 }
11922 
11923 static struct mbuf *
11924 sctp_copy_resume(struct sctp_stream_queue_pending *sp,
11925     struct uio *uio,
11926     struct sctp_sndrcvinfo *srcv,
11927     int max_send_len,
11928     int user_marks_eor,
11929     int *error,
11930     uint32_t * sndout,
11931     struct mbuf **new_tail)
11932 {
11933 	struct mbuf *m;
11934 
11935 	m = m_uiotombuf(uio, M_WAITOK, max_send_len, 0,
11936 	    (M_PKTHDR | (user_marks_eor ? M_EOR : 0)));
11937 	if (m == NULL) {
11938 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11939 		*error = ENOMEM;
11940 	} else {
11941 		*sndout = m_length(m, NULL);
11942 		*new_tail = m_last(m);
11943 	}
11944 	return (m);
11945 }
11946 
11947 static int
11948 sctp_copy_one(struct sctp_stream_queue_pending *sp,
11949     struct uio *uio,
11950     int resv_upfront)
11951 {
11952 	int left;
11953 
11954 	left = sp->length;
11955 	sp->data = m_uiotombuf(uio, M_WAITOK, sp->length,
11956 	    resv_upfront, 0);
11957 	if (sp->data == NULL) {
11958 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
11959 		return (ENOMEM);
11960 	}
11961 	sp->tail_mbuf = m_last(sp->data);
11962 	return (0);
11963 }
11964 
11965 
11966 
11967 static struct sctp_stream_queue_pending *
11968 sctp_copy_it_in(struct sctp_tcb *stcb,
11969     struct sctp_association *asoc,
11970     struct sctp_sndrcvinfo *srcv,
11971     struct uio *uio,
11972     struct sctp_nets *net,
11973     int max_send_len,
11974     int user_marks_eor,
11975     int *error,
11976     int non_blocking)
11977 {
11978 	/*-
11979 	 * This routine must be very careful in its work. Protocol
11980 	 * processing is up and running so care must be taken to spl...()
11981 	 * when you need to do something that may effect the stcb/asoc. The
11982 	 * sb is locked however. When data is copied the protocol processing
11983 	 * should be enabled since this is a slower operation...
11984 	 */
11985 	struct sctp_stream_queue_pending *sp = NULL;
11986 	int resv_in_first;
11987 
11988 	*error = 0;
11989 	/* Now can we send this? */
11990 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
11991 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
11992 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
11993 	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
11994 		/* got data while shutting down */
11995 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
11996 		*error = ECONNRESET;
11997 		goto out_now;
11998 	}
11999 	sctp_alloc_a_strmoq(stcb, sp);
12000 	if (sp == NULL) {
12001 		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12002 		*error = ENOMEM;
12003 		goto out_now;
12004 	}
12005 	sp->act_flags = 0;
12006 	sp->sender_all_done = 0;
12007 	sp->sinfo_flags = srcv->sinfo_flags;
12008 	sp->timetolive = srcv->sinfo_timetolive;
12009 	sp->ppid = srcv->sinfo_ppid;
12010 	sp->context = srcv->sinfo_context;
12011 	sp->strseq = 0;
12012 	(void)SCTP_GETTIME_TIMEVAL(&sp->ts);
12013 
12014 	sp->stream = srcv->sinfo_stream;
12015 	sp->length = min(uio->uio_resid, max_send_len);
12016 	if ((sp->length == (uint32_t) uio->uio_resid) &&
12017 	    ((user_marks_eor == 0) ||
12018 	    (srcv->sinfo_flags & SCTP_EOF) ||
12019 	    (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
12020 		sp->msg_is_complete = 1;
12021 	} else {
12022 		sp->msg_is_complete = 0;
12023 	}
12024 	sp->sender_all_done = 0;
12025 	sp->some_taken = 0;
12026 	sp->put_last_out = 0;
12027 	resv_in_first = sizeof(struct sctp_data_chunk);
12028 	sp->data = sp->tail_mbuf = NULL;
12029 	if (sp->length == 0) {
12030 		*error = 0;
12031 		goto skip_copy;
12032 	}
12033 	sp->auth_keyid = stcb->asoc.authinfo.active_keyid;
12034 	if (sctp_auth_is_required_chunk(SCTP_DATA, stcb->asoc.peer_auth_chunks)) {
12035 		sctp_auth_key_acquire(stcb, stcb->asoc.authinfo.active_keyid);
12036 		sp->holds_key_ref = 1;
12037 	}
12038 	*error = sctp_copy_one(sp, uio, resv_in_first);
12039 skip_copy:
12040 	if (*error) {
12041 		sctp_free_a_strmoq(stcb, sp);
12042 		sp = NULL;
12043 	} else {
12044 		if (sp->sinfo_flags & SCTP_ADDR_OVER) {
12045 			sp->net = net;
12046 			atomic_add_int(&sp->net->ref_count, 1);
12047 		} else {
12048 			sp->net = NULL;
12049 		}
12050 		sctp_set_prsctp_policy(sp);
12051 	}
12052 out_now:
12053 	return (sp);
12054 }
12055 
12056 
12057 int
12058 sctp_sosend(struct socket *so,
12059     struct sockaddr *addr,
12060     struct uio *uio,
12061     struct mbuf *top,
12062     struct mbuf *control,
12063     int flags,
12064     struct thread *p
12065 )
12066 {
12067 	int error, use_rcvinfo = 0;
12068 	struct sctp_sndrcvinfo srcv;
12069 	struct sockaddr *addr_to_use;
12070 
12071 #if defined(INET) && defined(INET6)
12072 	struct sockaddr_in sin;
12073 
12074 #endif
12075 
12076 	if (control) {
12077 		/* process cmsg snd/rcv info (maybe a assoc-id) */
12078 		if (sctp_find_cmsg(SCTP_SNDRCV, (void *)&srcv, control,
12079 		    sizeof(srcv))) {
12080 			/* got one */
12081 			use_rcvinfo = 1;
12082 		}
12083 	}
12084 	addr_to_use = addr;
12085 #if defined(INET) && defined(INET6)
12086 	if ((addr) && (addr->sa_family == AF_INET6)) {
12087 		struct sockaddr_in6 *sin6;
12088 
12089 		sin6 = (struct sockaddr_in6 *)addr;
12090 		if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
12091 			in6_sin6_2_sin(&sin, sin6);
12092 			addr_to_use = (struct sockaddr *)&sin;
12093 		}
12094 	}
12095 #endif
12096 	error = sctp_lower_sosend(so, addr_to_use, uio, top,
12097 	    control,
12098 	    flags,
12099 	    use_rcvinfo ? &srcv : NULL
12100 	    ,p
12101 	    );
12102 	return (error);
12103 }
12104 
12105 
12106 int
12107 sctp_lower_sosend(struct socket *so,
12108     struct sockaddr *addr,
12109     struct uio *uio,
12110     struct mbuf *i_pak,
12111     struct mbuf *control,
12112     int flags,
12113     struct sctp_sndrcvinfo *srcv
12114     ,
12115     struct thread *p
12116 )
12117 {
12118 	unsigned int sndlen = 0, max_len;
12119 	int error, len;
12120 	struct mbuf *top = NULL;
12121 	int queue_only = 0, queue_only_for_init = 0;
12122 	int free_cnt_applied = 0;
12123 	int un_sent;
12124 	int now_filled = 0;
12125 	unsigned int inqueue_bytes = 0;
12126 	struct sctp_block_entry be;
12127 	struct sctp_inpcb *inp;
12128 	struct sctp_tcb *stcb = NULL;
12129 	struct timeval now;
12130 	struct sctp_nets *net;
12131 	struct sctp_association *asoc;
12132 	struct sctp_inpcb *t_inp;
12133 	int user_marks_eor;
12134 	int create_lock_applied = 0;
12135 	int nagle_applies = 0;
12136 	int some_on_control = 0;
12137 	int got_all_of_the_send = 0;
12138 	int hold_tcblock = 0;
12139 	int non_blocking = 0;
12140 	uint32_t local_add_more, local_soresv = 0;
12141 	uint16_t port;
12142 	uint16_t sinfo_flags;
12143 	sctp_assoc_t sinfo_assoc_id;
12144 
12145 	error = 0;
12146 	net = NULL;
12147 	stcb = NULL;
12148 	asoc = NULL;
12149 
12150 	t_inp = inp = (struct sctp_inpcb *)so->so_pcb;
12151 	if (inp == NULL) {
12152 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12153 		error = EINVAL;
12154 		if (i_pak) {
12155 			SCTP_RELEASE_PKT(i_pak);
12156 		}
12157 		return (error);
12158 	}
12159 	if ((uio == NULL) && (i_pak == NULL)) {
12160 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12161 		return (EINVAL);
12162 	}
12163 	user_marks_eor = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
12164 	atomic_add_int(&inp->total_sends, 1);
12165 	if (uio) {
12166 		if (uio->uio_resid < 0) {
12167 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12168 			return (EINVAL);
12169 		}
12170 		sndlen = uio->uio_resid;
12171 	} else {
12172 		top = SCTP_HEADER_TO_CHAIN(i_pak);
12173 		sndlen = SCTP_HEADER_LEN(i_pak);
12174 	}
12175 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "Send called addr:%p send length %d\n",
12176 	    addr,
12177 	    sndlen);
12178 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
12179 	    (inp->sctp_socket->so_qlimit)) {
12180 		/* The listener can NOT send */
12181 		SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12182 		error = ENOTCONN;
12183 		goto out_unlocked;
12184 	}
12185 	/**
12186 	 * Pre-screen address, if one is given the sin-len
12187 	 * must be set correctly!
12188 	 */
12189 	if (addr) {
12190 		union sctp_sockstore *raddr = (union sctp_sockstore *)addr;
12191 
12192 		switch (raddr->sa.sa_family) {
12193 #if defined(INET)
12194 		case AF_INET:
12195 			if (raddr->sin.sin_len != sizeof(struct sockaddr_in)) {
12196 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12197 				error = EINVAL;
12198 				goto out_unlocked;
12199 			}
12200 			port = raddr->sin.sin_port;
12201 			break;
12202 #endif
12203 #if defined(INET6)
12204 		case AF_INET6:
12205 			if (raddr->sin6.sin6_len != sizeof(struct sockaddr_in6)) {
12206 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12207 				error = EINVAL;
12208 				goto out_unlocked;
12209 			}
12210 			port = raddr->sin6.sin6_port;
12211 			break;
12212 #endif
12213 		default:
12214 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAFNOSUPPORT);
12215 			error = EAFNOSUPPORT;
12216 			goto out_unlocked;
12217 		}
12218 	} else
12219 		port = 0;
12220 
12221 	if (srcv) {
12222 		sinfo_flags = srcv->sinfo_flags;
12223 		sinfo_assoc_id = srcv->sinfo_assoc_id;
12224 		if (INVALID_SINFO_FLAG(sinfo_flags) ||
12225 		    PR_SCTP_INVALID_POLICY(sinfo_flags)) {
12226 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12227 			error = EINVAL;
12228 			goto out_unlocked;
12229 		}
12230 		if (srcv->sinfo_flags)
12231 			SCTP_STAT_INCR(sctps_sends_with_flags);
12232 	} else {
12233 		sinfo_flags = inp->def_send.sinfo_flags;
12234 		sinfo_assoc_id = inp->def_send.sinfo_assoc_id;
12235 	}
12236 	if (sinfo_flags & SCTP_SENDALL) {
12237 		/* its a sendall */
12238 		error = sctp_sendall(inp, uio, top, srcv);
12239 		top = NULL;
12240 		goto out_unlocked;
12241 	}
12242 	if ((sinfo_flags & SCTP_ADDR_OVER) && (addr == NULL)) {
12243 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12244 		error = EINVAL;
12245 		goto out_unlocked;
12246 	}
12247 	/* now we must find the assoc */
12248 	if ((inp->sctp_flags & SCTP_PCB_FLAGS_CONNECTED) ||
12249 	    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
12250 		SCTP_INP_RLOCK(inp);
12251 		stcb = LIST_FIRST(&inp->sctp_asoc_list);
12252 		if (stcb == NULL) {
12253 			SCTP_INP_RUNLOCK(inp);
12254 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12255 			error = ENOTCONN;
12256 			goto out_unlocked;
12257 		}
12258 		SCTP_TCB_LOCK(stcb);
12259 		hold_tcblock = 1;
12260 		SCTP_INP_RUNLOCK(inp);
12261 	} else if (sinfo_assoc_id) {
12262 		stcb = sctp_findassociation_ep_asocid(inp, sinfo_assoc_id, 0);
12263 	} else if (addr) {
12264 		/*-
12265 		 * Since we did not use findep we must
12266 		 * increment it, and if we don't find a tcb
12267 		 * decrement it.
12268 		 */
12269 		SCTP_INP_WLOCK(inp);
12270 		SCTP_INP_INCR_REF(inp);
12271 		SCTP_INP_WUNLOCK(inp);
12272 		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12273 		if (stcb == NULL) {
12274 			SCTP_INP_WLOCK(inp);
12275 			SCTP_INP_DECR_REF(inp);
12276 			SCTP_INP_WUNLOCK(inp);
12277 		} else {
12278 			hold_tcblock = 1;
12279 		}
12280 	}
12281 	if ((stcb == NULL) && (addr)) {
12282 		/* Possible implicit send? */
12283 		SCTP_ASOC_CREATE_LOCK(inp);
12284 		create_lock_applied = 1;
12285 		if ((inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
12286 		    (inp->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE)) {
12287 			/* Should I really unlock ? */
12288 			SCTP_LTRACE_ERR_RET(NULL, NULL, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12289 			error = EINVAL;
12290 			goto out_unlocked;
12291 
12292 		}
12293 		if (((inp->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) == 0) &&
12294 		    (addr->sa_family == AF_INET6)) {
12295 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12296 			error = EINVAL;
12297 			goto out_unlocked;
12298 		}
12299 		SCTP_INP_WLOCK(inp);
12300 		SCTP_INP_INCR_REF(inp);
12301 		SCTP_INP_WUNLOCK(inp);
12302 		/* With the lock applied look again */
12303 		stcb = sctp_findassociation_ep_addr(&t_inp, addr, &net, NULL, NULL);
12304 		if (stcb == NULL) {
12305 			SCTP_INP_WLOCK(inp);
12306 			SCTP_INP_DECR_REF(inp);
12307 			SCTP_INP_WUNLOCK(inp);
12308 		} else {
12309 			hold_tcblock = 1;
12310 		}
12311 		if (t_inp != inp) {
12312 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12313 			error = ENOTCONN;
12314 			goto out_unlocked;
12315 		}
12316 	}
12317 	if (stcb == NULL) {
12318 		if ((inp->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
12319 		    (inp->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
12320 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOTCONN);
12321 			error = ENOTCONN;
12322 			goto out_unlocked;
12323 		}
12324 		if (addr == NULL) {
12325 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
12326 			error = ENOENT;
12327 			goto out_unlocked;
12328 		} else {
12329 			/*
12330 			 * UDP style, we must go ahead and start the INIT
12331 			 * process
12332 			 */
12333 			uint32_t vrf_id;
12334 
12335 			if ((sinfo_flags & SCTP_ABORT) ||
12336 			    ((sinfo_flags & SCTP_EOF) && (sndlen == 0))) {
12337 				/*-
12338 				 * User asks to abort a non-existant assoc,
12339 				 * or EOF a non-existant assoc with no data
12340 				 */
12341 				SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOENT);
12342 				error = ENOENT;
12343 				goto out_unlocked;
12344 			}
12345 			/* get an asoc/stcb struct */
12346 			vrf_id = inp->def_vrf_id;
12347 #ifdef INVARIANTS
12348 			if (create_lock_applied == 0) {
12349 				panic("Error, should hold create lock and I don't?");
12350 			}
12351 #endif
12352 			stcb = sctp_aloc_assoc(inp, addr, &error, 0, vrf_id,
12353 			    p
12354 			    );
12355 			if (stcb == NULL) {
12356 				/* Error is setup for us in the call */
12357 				goto out_unlocked;
12358 			}
12359 			if (create_lock_applied) {
12360 				SCTP_ASOC_CREATE_UNLOCK(inp);
12361 				create_lock_applied = 0;
12362 			} else {
12363 				SCTP_PRINTF("Huh-3? create lock should have been on??\n");
12364 			}
12365 			/*
12366 			 * Turn on queue only flag to prevent data from
12367 			 * being sent
12368 			 */
12369 			queue_only = 1;
12370 			asoc = &stcb->asoc;
12371 			SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
12372 			(void)SCTP_GETTIME_TIMEVAL(&asoc->time_entered);
12373 
12374 			/* initialize authentication params for the assoc */
12375 			sctp_initialize_auth_params(inp, stcb);
12376 
12377 			if (control) {
12378 				/*
12379 				 * see if a init structure exists in cmsg
12380 				 * headers
12381 				 */
12382 				struct sctp_initmsg initm;
12383 				int i;
12384 
12385 				if (sctp_find_cmsg(SCTP_INIT, (void *)&initm, control,
12386 				    sizeof(initm))) {
12387 					/*
12388 					 * we have an INIT override of the
12389 					 * default
12390 					 */
12391 					if (initm.sinit_max_attempts)
12392 						asoc->max_init_times = initm.sinit_max_attempts;
12393 					if (initm.sinit_num_ostreams)
12394 						asoc->pre_open_streams = initm.sinit_num_ostreams;
12395 					if (initm.sinit_max_instreams)
12396 						asoc->max_inbound_streams = initm.sinit_max_instreams;
12397 					if (initm.sinit_max_init_timeo)
12398 						asoc->initial_init_rto_max = initm.sinit_max_init_timeo;
12399 					if (asoc->streamoutcnt < asoc->pre_open_streams) {
12400 						struct sctp_stream_out *tmp_str;
12401 						int had_lock = 0;
12402 
12403 						/* Default is NOT correct */
12404 						SCTPDBG(SCTP_DEBUG_OUTPUT1, "Ok, defout:%d pre_open:%d\n",
12405 						    asoc->streamoutcnt, asoc->pre_open_streams);
12406 						/*
12407 						 * What happens if this
12408 						 * fails? we panic ...
12409 						 */
12410 
12411 						if (hold_tcblock) {
12412 							had_lock = 1;
12413 							SCTP_TCB_UNLOCK(stcb);
12414 						}
12415 						SCTP_MALLOC(tmp_str,
12416 						    struct sctp_stream_out *,
12417 						    (asoc->pre_open_streams *
12418 						    sizeof(struct sctp_stream_out)),
12419 						    SCTP_M_STRMO);
12420 						if (had_lock) {
12421 							SCTP_TCB_LOCK(stcb);
12422 						}
12423 						if (tmp_str != NULL) {
12424 							SCTP_FREE(asoc->strmout, SCTP_M_STRMO);
12425 							asoc->strmout = tmp_str;
12426 							asoc->strm_realoutsize = asoc->streamoutcnt = asoc->pre_open_streams;
12427 						} else {
12428 							asoc->pre_open_streams = asoc->streamoutcnt;
12429 						}
12430 						for (i = 0; i < asoc->streamoutcnt; i++) {
12431 							/*-
12432 							 * inbound side must be set
12433 							 * to 0xffff, also NOTE when
12434 							 * we get the INIT-ACK back
12435 							 * (for INIT sender) we MUST
12436 							 * reduce the count
12437 							 * (streamoutcnt) but first
12438 							 * check if we sent to any
12439 							 * of the upper streams that
12440 							 * were dropped (if some
12441 							 * were). Those that were
12442 							 * dropped must be notified
12443 							 * to the upper layer as
12444 							 * failed to send.
12445 							 */
12446 							asoc->strmout[i].next_sequence_sent = 0x0;
12447 							TAILQ_INIT(&asoc->strmout[i].outqueue);
12448 							asoc->strmout[i].stream_no = i;
12449 							asoc->strmout[i].last_msg_incomplete = 0;
12450 							asoc->strmout[i].next_spoke.tqe_next = 0;
12451 							asoc->strmout[i].next_spoke.tqe_prev = 0;
12452 						}
12453 					}
12454 				}
12455 			}
12456 			hold_tcblock = 1;
12457 			/* out with the INIT */
12458 			queue_only_for_init = 1;
12459 			/*-
12460 			 * we may want to dig in after this call and adjust the MTU
12461 			 * value. It defaulted to 1500 (constant) but the ro
12462 			 * structure may now have an update and thus we may need to
12463 			 * change it BEFORE we append the message.
12464 			 */
12465 		}
12466 	} else
12467 		asoc = &stcb->asoc;
12468 	if (srcv == NULL)
12469 		srcv = (struct sctp_sndrcvinfo *)&asoc->def_send;
12470 	if (srcv->sinfo_flags & SCTP_ADDR_OVER) {
12471 		if (addr)
12472 			net = sctp_findnet(stcb, addr);
12473 		else
12474 			net = NULL;
12475 		if ((net == NULL) ||
12476 		    ((port != 0) && (port != stcb->rport))) {
12477 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12478 			error = EINVAL;
12479 			goto out_unlocked;
12480 		}
12481 	} else {
12482 		net = stcb->asoc.primary_destination;
12483 	}
12484 	atomic_add_int(&stcb->total_sends, 1);
12485 	/* Keep the stcb from being freed under our feet */
12486 	atomic_add_int(&asoc->refcnt, 1);
12487 	free_cnt_applied = 1;
12488 
12489 	if (sctp_is_feature_on(inp, SCTP_PCB_FLAGS_NO_FRAGMENT)) {
12490 		if (sndlen > asoc->smallest_mtu) {
12491 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
12492 			error = EMSGSIZE;
12493 			goto out_unlocked;
12494 		}
12495 	}
12496 	if ((SCTP_SO_IS_NBIO(so)
12497 	    || (flags & MSG_NBIO)
12498 	    )) {
12499 		non_blocking = 1;
12500 	}
12501 	/* would we block? */
12502 	if (non_blocking) {
12503 		if (hold_tcblock == 0) {
12504 			SCTP_TCB_LOCK(stcb);
12505 			hold_tcblock = 1;
12506 		}
12507 		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12508 		if ((SCTP_SB_LIMIT_SND(so) < (sndlen + inqueue_bytes + stcb->asoc.sb_send_resv)) ||
12509 		    (stcb->asoc.chunks_on_out_queue >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
12510 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EWOULDBLOCK);
12511 			if (sndlen > SCTP_SB_LIMIT_SND(so))
12512 				error = EMSGSIZE;
12513 			else
12514 				error = EWOULDBLOCK;
12515 			goto out_unlocked;
12516 		}
12517 		stcb->asoc.sb_send_resv += sndlen;
12518 		SCTP_TCB_UNLOCK(stcb);
12519 		hold_tcblock = 0;
12520 	} else {
12521 		atomic_add_int(&stcb->asoc.sb_send_resv, sndlen);
12522 	}
12523 	local_soresv = sndlen;
12524 	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12525 		SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12526 		error = ECONNRESET;
12527 		goto out_unlocked;
12528 	}
12529 	if (create_lock_applied) {
12530 		SCTP_ASOC_CREATE_UNLOCK(inp);
12531 		create_lock_applied = 0;
12532 	}
12533 	if (asoc->stream_reset_outstanding) {
12534 		/*
12535 		 * Can't queue any data while stream reset is underway.
12536 		 */
12537 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EAGAIN);
12538 		error = EAGAIN;
12539 		goto out_unlocked;
12540 	}
12541 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
12542 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
12543 		queue_only = 1;
12544 	}
12545 	/* we are now done with all control */
12546 	if (control) {
12547 		sctp_m_freem(control);
12548 		control = NULL;
12549 	}
12550 	if ((SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_SENT) ||
12551 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_RECEIVED) ||
12552 	    (SCTP_GET_STATE(asoc) == SCTP_STATE_SHUTDOWN_ACK_SENT) ||
12553 	    (asoc->state & SCTP_STATE_SHUTDOWN_PENDING)) {
12554 		if (srcv->sinfo_flags & SCTP_ABORT) {
12555 			;
12556 		} else {
12557 			SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12558 			error = ECONNRESET;
12559 			goto out_unlocked;
12560 		}
12561 	}
12562 	/* Ok, we will attempt a msgsnd :> */
12563 	if (p) {
12564 		p->td_ru.ru_msgsnd++;
12565 	}
12566 	/* Are we aborting? */
12567 	if (srcv->sinfo_flags & SCTP_ABORT) {
12568 		struct mbuf *mm;
12569 		int tot_demand, tot_out = 0, max_out;
12570 
12571 		SCTP_STAT_INCR(sctps_sends_with_abort);
12572 		if ((SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_WAIT) ||
12573 		    (SCTP_GET_STATE(asoc) == SCTP_STATE_COOKIE_ECHOED)) {
12574 			/* It has to be up before we abort */
12575 			/* how big is the user initiated abort? */
12576 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12577 			error = EINVAL;
12578 			goto out;
12579 		}
12580 		if (hold_tcblock) {
12581 			SCTP_TCB_UNLOCK(stcb);
12582 			hold_tcblock = 0;
12583 		}
12584 		if (top) {
12585 			struct mbuf *cntm = NULL;
12586 
12587 			mm = sctp_get_mbuf_for_msg(1, 0, M_WAIT, 1, MT_DATA);
12588 			if (sndlen != 0) {
12589 				cntm = top;
12590 				while (cntm) {
12591 					tot_out += SCTP_BUF_LEN(cntm);
12592 					cntm = SCTP_BUF_NEXT(cntm);
12593 				}
12594 			}
12595 			tot_demand = (tot_out + sizeof(struct sctp_paramhdr));
12596 		} else {
12597 			/* Must fit in a MTU */
12598 			tot_out = sndlen;
12599 			tot_demand = (tot_out + sizeof(struct sctp_paramhdr));
12600 			if (tot_demand > SCTP_DEFAULT_ADD_MORE) {
12601 				/* To big */
12602 				SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
12603 				error = EMSGSIZE;
12604 				goto out;
12605 			}
12606 			mm = sctp_get_mbuf_for_msg(tot_demand, 0, M_WAIT, 1, MT_DATA);
12607 		}
12608 		if (mm == NULL) {
12609 			SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
12610 			error = ENOMEM;
12611 			goto out;
12612 		}
12613 		max_out = asoc->smallest_mtu - sizeof(struct sctp_paramhdr);
12614 		max_out -= sizeof(struct sctp_abort_msg);
12615 		if (tot_out > max_out) {
12616 			tot_out = max_out;
12617 		}
12618 		if (mm) {
12619 			struct sctp_paramhdr *ph;
12620 
12621 			/* now move forward the data pointer */
12622 			ph = mtod(mm, struct sctp_paramhdr *);
12623 			ph->param_type = htons(SCTP_CAUSE_USER_INITIATED_ABT);
12624 			ph->param_length = htons((sizeof(struct sctp_paramhdr) + tot_out));
12625 			ph++;
12626 			SCTP_BUF_LEN(mm) = tot_out + sizeof(struct sctp_paramhdr);
12627 			if (top == NULL) {
12628 				error = uiomove((caddr_t)ph, (int)tot_out, uio);
12629 				if (error) {
12630 					/*-
12631 					 * Here if we can't get his data we
12632 					 * still abort we just don't get to
12633 					 * send the users note :-0
12634 					 */
12635 					sctp_m_freem(mm);
12636 					mm = NULL;
12637 				}
12638 			} else {
12639 				if (sndlen != 0) {
12640 					SCTP_BUF_NEXT(mm) = top;
12641 				}
12642 			}
12643 		}
12644 		if (hold_tcblock == 0) {
12645 			SCTP_TCB_LOCK(stcb);
12646 			hold_tcblock = 1;
12647 		}
12648 		atomic_add_int(&stcb->asoc.refcnt, -1);
12649 		free_cnt_applied = 0;
12650 		/* release this lock, otherwise we hang on ourselves */
12651 		sctp_abort_an_association(stcb->sctp_ep, stcb,
12652 		    SCTP_RESPONSE_TO_USER_REQ,
12653 		    mm, SCTP_SO_LOCKED);
12654 		/* now relock the stcb so everything is sane */
12655 		hold_tcblock = 0;
12656 		stcb = NULL;
12657 		/*
12658 		 * In this case top is already chained to mm avoid double
12659 		 * free, since we free it below if top != NULL and driver
12660 		 * would free it after sending the packet out
12661 		 */
12662 		if (sndlen != 0) {
12663 			top = NULL;
12664 		}
12665 		goto out_unlocked;
12666 	}
12667 	/* Calculate the maximum we can send */
12668 	inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12669 	if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
12670 		if (non_blocking) {
12671 			/* we already checked for non-blocking above. */
12672 			max_len = sndlen;
12673 		} else {
12674 			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
12675 		}
12676 	} else {
12677 		max_len = 0;
12678 	}
12679 	if (hold_tcblock) {
12680 		SCTP_TCB_UNLOCK(stcb);
12681 		hold_tcblock = 0;
12682 	}
12683 	/* Is the stream no. valid? */
12684 	if (srcv->sinfo_stream >= asoc->streamoutcnt) {
12685 		/* Invalid stream number */
12686 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12687 		error = EINVAL;
12688 		goto out_unlocked;
12689 	}
12690 	if (asoc->strmout == NULL) {
12691 		/* huh? software error */
12692 		SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EFAULT);
12693 		error = EFAULT;
12694 		goto out_unlocked;
12695 	}
12696 	/* Unless E_EOR mode is on, we must make a send FIT in one call. */
12697 	if ((user_marks_eor == 0) &&
12698 	    (sndlen > SCTP_SB_LIMIT_SND(stcb->sctp_socket))) {
12699 		/* It will NEVER fit */
12700 		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EMSGSIZE);
12701 		error = EMSGSIZE;
12702 		goto out_unlocked;
12703 	}
12704 	if ((uio == NULL) && user_marks_eor) {
12705 		/*-
12706 		 * We do not support eeor mode for
12707 		 * sending with mbuf chains (like sendfile).
12708 		 */
12709 		SCTP_LTRACE_ERR_RET(NULL, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12710 		error = EINVAL;
12711 		goto out_unlocked;
12712 	}
12713 	if (user_marks_eor) {
12714 		local_add_more = min(SCTP_SB_LIMIT_SND(so), SCTP_BASE_SYSCTL(sctp_add_more_threshold));
12715 	} else {
12716 		/*-
12717 		 * For non-eeor the whole message must fit in
12718 		 * the socket send buffer.
12719 		 */
12720 		local_add_more = sndlen;
12721 	}
12722 	len = 0;
12723 	if (non_blocking) {
12724 		goto skip_preblock;
12725 	}
12726 	if (((max_len <= local_add_more) &&
12727 	    (SCTP_SB_LIMIT_SND(so) >= local_add_more)) ||
12728 	    (max_len == 0) ||
12729 	    ((stcb->asoc.chunks_on_out_queue + stcb->asoc.stream_queue_cnt) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
12730 		/* No room right now ! */
12731 		SOCKBUF_LOCK(&so->so_snd);
12732 		inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12733 		while ((SCTP_SB_LIMIT_SND(so) < (inqueue_bytes + local_add_more)) ||
12734 		    ((stcb->asoc.stream_queue_cnt + stcb->asoc.chunks_on_out_queue) >= SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue))) {
12735 			SCTPDBG(SCTP_DEBUG_OUTPUT1, "pre_block limit:%u <(inq:%d + %d) || (%d+%d > %d)\n",
12736 			    (unsigned int)SCTP_SB_LIMIT_SND(so),
12737 			    inqueue_bytes,
12738 			    local_add_more,
12739 			    stcb->asoc.stream_queue_cnt,
12740 			    stcb->asoc.chunks_on_out_queue,
12741 			    SCTP_BASE_SYSCTL(sctp_max_chunks_on_queue));
12742 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
12743 				sctp_log_block(SCTP_BLOCK_LOG_INTO_BLKA, so, asoc, sndlen);
12744 			}
12745 			be.error = 0;
12746 			stcb->block_entry = &be;
12747 			error = sbwait(&so->so_snd);
12748 			stcb->block_entry = NULL;
12749 			if (error || so->so_error || be.error) {
12750 				if (error == 0) {
12751 					if (so->so_error)
12752 						error = so->so_error;
12753 					if (be.error) {
12754 						error = be.error;
12755 					}
12756 				}
12757 				SOCKBUF_UNLOCK(&so->so_snd);
12758 				goto out_unlocked;
12759 			}
12760 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
12761 				sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
12762 				    so, asoc, stcb->asoc.total_output_queue_size);
12763 			}
12764 			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12765 				goto out_unlocked;
12766 			}
12767 			inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12768 		}
12769 		if (SCTP_SB_LIMIT_SND(so) > inqueue_bytes) {
12770 			max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
12771 		} else {
12772 			max_len = 0;
12773 		}
12774 		SOCKBUF_UNLOCK(&so->so_snd);
12775 	}
12776 skip_preblock:
12777 	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12778 		goto out_unlocked;
12779 	}
12780 	/*
12781 	 * sndlen covers for mbuf case uio_resid covers for the non-mbuf
12782 	 * case NOTE: uio will be null when top/mbuf is passed
12783 	 */
12784 	if (sndlen == 0) {
12785 		if (srcv->sinfo_flags & SCTP_EOF) {
12786 			got_all_of_the_send = 1;
12787 			goto dataless_eof;
12788 		} else {
12789 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12790 			error = EINVAL;
12791 			goto out;
12792 		}
12793 	}
12794 	if (top == NULL) {
12795 		struct sctp_stream_queue_pending *sp;
12796 		struct sctp_stream_out *strm;
12797 		uint32_t sndout;
12798 
12799 		SCTP_TCB_SEND_LOCK(stcb);
12800 		if ((asoc->stream_locked) &&
12801 		    (asoc->stream_locked_on != srcv->sinfo_stream)) {
12802 			SCTP_TCB_SEND_UNLOCK(stcb);
12803 			SCTP_LTRACE_ERR_RET(inp, stcb, net, SCTP_FROM_SCTP_OUTPUT, EINVAL);
12804 			error = EINVAL;
12805 			goto out;
12806 		}
12807 		SCTP_TCB_SEND_UNLOCK(stcb);
12808 
12809 		strm = &stcb->asoc.strmout[srcv->sinfo_stream];
12810 		if (strm->last_msg_incomplete == 0) {
12811 	do_a_copy_in:
12812 			sp = sctp_copy_it_in(stcb, asoc, srcv, uio, net, max_len, user_marks_eor, &error, non_blocking);
12813 			if ((sp == NULL) || (error)) {
12814 				goto out;
12815 			}
12816 			SCTP_TCB_SEND_LOCK(stcb);
12817 			if (sp->msg_is_complete) {
12818 				strm->last_msg_incomplete = 0;
12819 				asoc->stream_locked = 0;
12820 			} else {
12821 				/*
12822 				 * Just got locked to this guy in case of an
12823 				 * interrupt.
12824 				 */
12825 				strm->last_msg_incomplete = 1;
12826 				asoc->stream_locked = 1;
12827 				asoc->stream_locked_on = srcv->sinfo_stream;
12828 				sp->sender_all_done = 0;
12829 			}
12830 			sctp_snd_sb_alloc(stcb, sp->length);
12831 			atomic_add_int(&asoc->stream_queue_cnt, 1);
12832 			if ((srcv->sinfo_flags & SCTP_UNORDERED) == 0) {
12833 				sp->strseq = strm->next_sequence_sent;
12834 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_LOG_AT_SEND_2_SCTP) {
12835 					sctp_misc_ints(SCTP_STRMOUT_LOG_ASSIGN,
12836 					    (uintptr_t) stcb, sp->length,
12837 					    (uint32_t) ((srcv->sinfo_stream << 16) | sp->strseq), 0);
12838 				}
12839 				strm->next_sequence_sent++;
12840 			} else {
12841 				SCTP_STAT_INCR(sctps_sends_with_unord);
12842 			}
12843 			TAILQ_INSERT_TAIL(&strm->outqueue, sp, next);
12844 			if ((strm->next_spoke.tqe_next == NULL) &&
12845 			    (strm->next_spoke.tqe_prev == NULL)) {
12846 				/* Not on wheel, insert */
12847 				sctp_insert_on_wheel(stcb, asoc, strm, 1);
12848 			}
12849 			SCTP_TCB_SEND_UNLOCK(stcb);
12850 		} else {
12851 			SCTP_TCB_SEND_LOCK(stcb);
12852 			sp = TAILQ_LAST(&strm->outqueue, sctp_streamhead);
12853 			SCTP_TCB_SEND_UNLOCK(stcb);
12854 			if (sp == NULL) {
12855 				/* ???? Huh ??? last msg is gone */
12856 #ifdef INVARIANTS
12857 				panic("Warning: Last msg marked incomplete, yet nothing left?");
12858 #else
12859 				SCTP_PRINTF("Warning: Last msg marked incomplete, yet nothing left?\n");
12860 				strm->last_msg_incomplete = 0;
12861 #endif
12862 				goto do_a_copy_in;
12863 
12864 			}
12865 		}
12866 		while (uio->uio_resid > 0) {
12867 			/* How much room do we have? */
12868 			struct mbuf *new_tail, *mm;
12869 
12870 			if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
12871 				max_len = SCTP_SB_LIMIT_SND(so) - stcb->asoc.total_output_queue_size;
12872 			else
12873 				max_len = 0;
12874 
12875 			if ((max_len > SCTP_BASE_SYSCTL(sctp_add_more_threshold)) ||
12876 			    (max_len && (SCTP_SB_LIMIT_SND(so) < SCTP_BASE_SYSCTL(sctp_add_more_threshold))) ||
12877 			    (uio->uio_resid && (uio->uio_resid <= (int)max_len))) {
12878 				sndout = 0;
12879 				new_tail = NULL;
12880 				if (hold_tcblock) {
12881 					SCTP_TCB_UNLOCK(stcb);
12882 					hold_tcblock = 0;
12883 				}
12884 				mm = sctp_copy_resume(sp, uio, srcv, max_len, user_marks_eor, &error, &sndout, &new_tail);
12885 				if ((mm == NULL) || error) {
12886 					if (mm) {
12887 						sctp_m_freem(mm);
12888 					}
12889 					goto out;
12890 				}
12891 				/* Update the mbuf and count */
12892 				SCTP_TCB_SEND_LOCK(stcb);
12893 				if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
12894 					/*
12895 					 * we need to get out. Peer probably
12896 					 * aborted.
12897 					 */
12898 					sctp_m_freem(mm);
12899 					if (stcb->asoc.state & SCTP_PCB_FLAGS_WAS_ABORTED) {
12900 						SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ECONNRESET);
12901 						error = ECONNRESET;
12902 					}
12903 					SCTP_TCB_SEND_UNLOCK(stcb);
12904 					goto out;
12905 				}
12906 				if (sp->tail_mbuf) {
12907 					/* tack it to the end */
12908 					SCTP_BUF_NEXT(sp->tail_mbuf) = mm;
12909 					sp->tail_mbuf = new_tail;
12910 				} else {
12911 					/* A stolen mbuf */
12912 					sp->data = mm;
12913 					sp->tail_mbuf = new_tail;
12914 				}
12915 				sctp_snd_sb_alloc(stcb, sndout);
12916 				atomic_add_int(&sp->length, sndout);
12917 				len += sndout;
12918 
12919 				/* Did we reach EOR? */
12920 				if ((uio->uio_resid == 0) &&
12921 				    ((user_marks_eor == 0) ||
12922 				    (srcv->sinfo_flags & SCTP_EOF) ||
12923 				    (user_marks_eor && (srcv->sinfo_flags & SCTP_EOR)))) {
12924 					sp->msg_is_complete = 1;
12925 				} else {
12926 					sp->msg_is_complete = 0;
12927 				}
12928 				SCTP_TCB_SEND_UNLOCK(stcb);
12929 			}
12930 			if (uio->uio_resid == 0) {
12931 				/* got it all? */
12932 				continue;
12933 			}
12934 			/* PR-SCTP? */
12935 			if ((asoc->peer_supports_prsctp) && (asoc->sent_queue_cnt_removeable > 0)) {
12936 				/*
12937 				 * This is ugly but we must assure locking
12938 				 * order
12939 				 */
12940 				if (hold_tcblock == 0) {
12941 					SCTP_TCB_LOCK(stcb);
12942 					hold_tcblock = 1;
12943 				}
12944 				sctp_prune_prsctp(stcb, asoc, srcv, sndlen);
12945 				inqueue_bytes = stcb->asoc.total_output_queue_size - (stcb->asoc.chunks_on_out_queue * sizeof(struct sctp_data_chunk));
12946 				if (SCTP_SB_LIMIT_SND(so) > stcb->asoc.total_output_queue_size)
12947 					max_len = SCTP_SB_LIMIT_SND(so) - inqueue_bytes;
12948 				else
12949 					max_len = 0;
12950 				if (max_len > 0) {
12951 					continue;
12952 				}
12953 				SCTP_TCB_UNLOCK(stcb);
12954 				hold_tcblock = 0;
12955 			}
12956 			/* wait for space now */
12957 			if (non_blocking) {
12958 				/* Non-blocking io in place out */
12959 				goto skip_out_eof;
12960 			}
12961 			/* What about the INIT, send it maybe */
12962 			if (queue_only_for_init) {
12963 				if (hold_tcblock == 0) {
12964 					SCTP_TCB_LOCK(stcb);
12965 					hold_tcblock = 1;
12966 				}
12967 				if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
12968 					/* a collision took us forward? */
12969 					queue_only = 0;
12970 				} else {
12971 					sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
12972 					SCTP_SET_STATE(asoc, SCTP_STATE_COOKIE_WAIT);
12973 					queue_only = 1;
12974 				}
12975 			}
12976 			if ((net->flight_size > net->cwnd) &&
12977 			    (asoc->sctp_cmt_on_off == 0)) {
12978 				SCTP_STAT_INCR(sctps_send_cwnd_avoid);
12979 				queue_only = 1;
12980 			} else if (asoc->ifp_had_enobuf) {
12981 				SCTP_STAT_INCR(sctps_ifnomemqueued);
12982 				if (net->flight_size > (2 * net->mtu)) {
12983 					queue_only = 1;
12984 				}
12985 				asoc->ifp_had_enobuf = 0;
12986 			}
12987 			un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
12988 			    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
12989 			if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
12990 			    (stcb->asoc.total_flight > 0) &&
12991 			    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
12992 			    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
12993 
12994 				/*-
12995 				 * Ok, Nagle is set on and we have data outstanding.
12996 				 * Don't send anything and let SACKs drive out the
12997 				 * data unless wen have a "full" segment to send.
12998 				 */
12999 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13000 					sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13001 				}
13002 				SCTP_STAT_INCR(sctps_naglequeued);
13003 				nagle_applies = 1;
13004 			} else {
13005 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13006 					if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13007 						sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13008 				}
13009 				SCTP_STAT_INCR(sctps_naglesent);
13010 				nagle_applies = 0;
13011 			}
13012 			if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13013 
13014 				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13015 				    nagle_applies, un_sent);
13016 				sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
13017 				    stcb->asoc.total_flight,
13018 				    stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
13019 			}
13020 			if (queue_only_for_init)
13021 				queue_only_for_init = 0;
13022 			if ((queue_only == 0) && (nagle_applies == 0)) {
13023 				/*-
13024 				 * need to start chunk output
13025 				 * before blocking.. note that if
13026 				 * a lock is already applied, then
13027 				 * the input via the net is happening
13028 				 * and I don't need to start output :-D
13029 				 */
13030 				if (hold_tcblock == 0) {
13031 					if (SCTP_TCB_TRYLOCK(stcb)) {
13032 						hold_tcblock = 1;
13033 						sctp_chunk_output(inp,
13034 						    stcb,
13035 						    SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13036 					}
13037 				} else {
13038 					sctp_chunk_output(inp,
13039 					    stcb,
13040 					    SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13041 				}
13042 				if (hold_tcblock == 1) {
13043 					SCTP_TCB_UNLOCK(stcb);
13044 					hold_tcblock = 0;
13045 				}
13046 			}
13047 			SOCKBUF_LOCK(&so->so_snd);
13048 			/*-
13049 			 * This is a bit strange, but I think it will
13050 			 * work. The total_output_queue_size is locked and
13051 			 * protected by the TCB_LOCK, which we just released.
13052 			 * There is a race that can occur between releasing it
13053 			 * above, and me getting the socket lock, where sacks
13054 			 * come in but we have not put the SB_WAIT on the
13055 			 * so_snd buffer to get the wakeup. After the LOCK
13056 			 * is applied the sack_processing will also need to
13057 			 * LOCK the so->so_snd to do the actual sowwakeup(). So
13058 			 * once we have the socket buffer lock if we recheck the
13059 			 * size we KNOW we will get to sleep safely with the
13060 			 * wakeup flag in place.
13061 			 */
13062 			if (SCTP_SB_LIMIT_SND(so) <= (stcb->asoc.total_output_queue_size +
13063 			    min(SCTP_BASE_SYSCTL(sctp_add_more_threshold), SCTP_SB_LIMIT_SND(so)))) {
13064 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13065 					sctp_log_block(SCTP_BLOCK_LOG_INTO_BLK,
13066 					    so, asoc, uio->uio_resid);
13067 				}
13068 				be.error = 0;
13069 				stcb->block_entry = &be;
13070 				error = sbwait(&so->so_snd);
13071 				stcb->block_entry = NULL;
13072 
13073 				if (error || so->so_error || be.error) {
13074 					if (error == 0) {
13075 						if (so->so_error)
13076 							error = so->so_error;
13077 						if (be.error) {
13078 							error = be.error;
13079 						}
13080 					}
13081 					SOCKBUF_UNLOCK(&so->so_snd);
13082 					goto out_unlocked;
13083 				}
13084 				if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13085 					sctp_log_block(SCTP_BLOCK_LOG_OUTOF_BLK,
13086 					    so, asoc, stcb->asoc.total_output_queue_size);
13087 				}
13088 			}
13089 			SOCKBUF_UNLOCK(&so->so_snd);
13090 			if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
13091 				goto out_unlocked;
13092 			}
13093 		}
13094 		SCTP_TCB_SEND_LOCK(stcb);
13095 		if (sp) {
13096 			if (sp->msg_is_complete == 0) {
13097 				strm->last_msg_incomplete = 1;
13098 				asoc->stream_locked = 1;
13099 				asoc->stream_locked_on = srcv->sinfo_stream;
13100 			} else {
13101 				sp->sender_all_done = 1;
13102 				strm->last_msg_incomplete = 0;
13103 				asoc->stream_locked = 0;
13104 			}
13105 		} else {
13106 			SCTP_PRINTF("Huh no sp TSNH?\n");
13107 			strm->last_msg_incomplete = 0;
13108 			asoc->stream_locked = 0;
13109 		}
13110 		SCTP_TCB_SEND_UNLOCK(stcb);
13111 		if (uio->uio_resid == 0) {
13112 			got_all_of_the_send = 1;
13113 		}
13114 	} else {
13115 		/* We send in a 0, since we do NOT have any locks */
13116 		error = sctp_msg_append(stcb, net, top, srcv, 0);
13117 		top = NULL;
13118 		if (srcv->sinfo_flags & SCTP_EOF) {
13119 			/*
13120 			 * This should only happen for Panda for the mbuf
13121 			 * send case, which does NOT yet support EEOR mode.
13122 			 * Thus, we can just set this flag to do the proper
13123 			 * EOF handling.
13124 			 */
13125 			got_all_of_the_send = 1;
13126 		}
13127 	}
13128 	if (error) {
13129 		goto out;
13130 	}
13131 dataless_eof:
13132 	/* EOF thing ? */
13133 	if ((srcv->sinfo_flags & SCTP_EOF) &&
13134 	    (got_all_of_the_send == 1) &&
13135 	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_UDPTYPE)) {
13136 		int cnt;
13137 
13138 		SCTP_STAT_INCR(sctps_sends_with_eof);
13139 		error = 0;
13140 		if (hold_tcblock == 0) {
13141 			SCTP_TCB_LOCK(stcb);
13142 			hold_tcblock = 1;
13143 		}
13144 		cnt = sctp_is_there_unsent_data(stcb);
13145 		if (TAILQ_EMPTY(&asoc->send_queue) &&
13146 		    TAILQ_EMPTY(&asoc->sent_queue) &&
13147 		    (cnt == 0)) {
13148 			if (asoc->locked_on_sending) {
13149 				goto abort_anyway;
13150 			}
13151 			/* there is nothing queued to send, so I'm done... */
13152 			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
13153 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13154 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13155 				/* only send SHUTDOWN the first time through */
13156 				sctp_send_shutdown(stcb, stcb->asoc.primary_destination);
13157 				if (SCTP_GET_STATE(asoc) == SCTP_STATE_OPEN) {
13158 					SCTP_STAT_DECR_GAUGE32(sctps_currestab);
13159 				}
13160 				SCTP_SET_STATE(asoc, SCTP_STATE_SHUTDOWN_SENT);
13161 				SCTP_CLEAR_SUBSTATE(asoc, SCTP_STATE_SHUTDOWN_PENDING);
13162 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWN, stcb->sctp_ep, stcb,
13163 				    asoc->primary_destination);
13164 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
13165 				    asoc->primary_destination);
13166 			}
13167 		} else {
13168 			/*-
13169 			 * we still got (or just got) data to send, so set
13170 			 * SHUTDOWN_PENDING
13171 			 */
13172 			/*-
13173 			 * XXX sockets draft says that SCTP_EOF should be
13174 			 * sent with no data.  currently, we will allow user
13175 			 * data to be sent first and move to
13176 			 * SHUTDOWN-PENDING
13177 			 */
13178 			if ((SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_SENT) &&
13179 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_RECEIVED) &&
13180 			    (SCTP_GET_STATE(asoc) != SCTP_STATE_SHUTDOWN_ACK_SENT)) {
13181 				if (hold_tcblock == 0) {
13182 					SCTP_TCB_LOCK(stcb);
13183 					hold_tcblock = 1;
13184 				}
13185 				if (asoc->locked_on_sending) {
13186 					/* Locked to send out the data */
13187 					struct sctp_stream_queue_pending *sp;
13188 
13189 					sp = TAILQ_LAST(&asoc->locked_on_sending->outqueue, sctp_streamhead);
13190 					if (sp) {
13191 						if ((sp->length == 0) && (sp->msg_is_complete == 0))
13192 							asoc->state |= SCTP_STATE_PARTIAL_MSG_LEFT;
13193 					}
13194 				}
13195 				asoc->state |= SCTP_STATE_SHUTDOWN_PENDING;
13196 				if (TAILQ_EMPTY(&asoc->send_queue) &&
13197 				    TAILQ_EMPTY(&asoc->sent_queue) &&
13198 				    (asoc->state & SCTP_STATE_PARTIAL_MSG_LEFT)) {
13199 			abort_anyway:
13200 					if (free_cnt_applied) {
13201 						atomic_add_int(&stcb->asoc.refcnt, -1);
13202 						free_cnt_applied = 0;
13203 					}
13204 					sctp_abort_an_association(stcb->sctp_ep, stcb,
13205 					    SCTP_RESPONSE_TO_USER_REQ,
13206 					    NULL, SCTP_SO_LOCKED);
13207 					/*
13208 					 * now relock the stcb so everything
13209 					 * is sane
13210 					 */
13211 					hold_tcblock = 0;
13212 					stcb = NULL;
13213 					goto out;
13214 				}
13215 				sctp_timer_start(SCTP_TIMER_TYPE_SHUTDOWNGUARD, stcb->sctp_ep, stcb,
13216 				    asoc->primary_destination);
13217 				sctp_feature_off(inp, SCTP_PCB_FLAGS_NODELAY);
13218 			}
13219 		}
13220 	}
13221 skip_out_eof:
13222 	if (!TAILQ_EMPTY(&stcb->asoc.control_send_queue)) {
13223 		some_on_control = 1;
13224 	}
13225 	if (queue_only_for_init) {
13226 		if (hold_tcblock == 0) {
13227 			SCTP_TCB_LOCK(stcb);
13228 			hold_tcblock = 1;
13229 		}
13230 		if (SCTP_GET_STATE(&stcb->asoc) == SCTP_STATE_OPEN) {
13231 			/* a collision took us forward? */
13232 			queue_only = 0;
13233 		} else {
13234 			sctp_send_initiate(inp, stcb, SCTP_SO_LOCKED);
13235 			SCTP_SET_STATE(&stcb->asoc, SCTP_STATE_COOKIE_WAIT);
13236 			queue_only = 1;
13237 		}
13238 	}
13239 	if ((net->flight_size > net->cwnd) &&
13240 	    (stcb->asoc.sctp_cmt_on_off == 0)) {
13241 		SCTP_STAT_INCR(sctps_send_cwnd_avoid);
13242 		queue_only = 1;
13243 	} else if (asoc->ifp_had_enobuf) {
13244 		SCTP_STAT_INCR(sctps_ifnomemqueued);
13245 		if (net->flight_size > (2 * net->mtu)) {
13246 			queue_only = 1;
13247 		}
13248 		asoc->ifp_had_enobuf = 0;
13249 	}
13250 	un_sent = ((stcb->asoc.total_output_queue_size - stcb->asoc.total_flight) +
13251 	    (stcb->asoc.stream_queue_cnt * sizeof(struct sctp_data_chunk)));
13252 	if ((sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY)) &&
13253 	    (stcb->asoc.total_flight > 0) &&
13254 	    (stcb->asoc.stream_queue_cnt < SCTP_MAX_DATA_BUNDLING) &&
13255 	    (un_sent < (int)(stcb->asoc.smallest_mtu - SCTP_MIN_OVERHEAD))) {
13256 		/*-
13257 		 * Ok, Nagle is set on and we have data outstanding.
13258 		 * Don't send anything and let SACKs drive out the
13259 		 * data unless wen have a "full" segment to send.
13260 		 */
13261 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13262 			sctp_log_nagle_event(stcb, SCTP_NAGLE_APPLIED);
13263 		}
13264 		SCTP_STAT_INCR(sctps_naglequeued);
13265 		nagle_applies = 1;
13266 	} else {
13267 		if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_NAGLE_LOGGING_ENABLE) {
13268 			if (sctp_is_feature_off(inp, SCTP_PCB_FLAGS_NODELAY))
13269 				sctp_log_nagle_event(stcb, SCTP_NAGLE_SKIPPED);
13270 		}
13271 		SCTP_STAT_INCR(sctps_naglesent);
13272 		nagle_applies = 0;
13273 	}
13274 	if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_BLK_LOGGING_ENABLE) {
13275 		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, queue_only_for_init, queue_only,
13276 		    nagle_applies, un_sent);
13277 		sctp_misc_ints(SCTP_CWNDLOG_PRESEND, stcb->asoc.total_output_queue_size,
13278 		    stcb->asoc.total_flight,
13279 		    stcb->asoc.chunks_on_out_queue, stcb->asoc.total_flight_count);
13280 	}
13281 	if (queue_only_for_init)
13282 		queue_only_for_init = 0;
13283 	if ((queue_only == 0) && (nagle_applies == 0) && (stcb->asoc.peers_rwnd && un_sent)) {
13284 		/* we can attempt to send too. */
13285 		if (hold_tcblock == 0) {
13286 			/*
13287 			 * If there is activity recv'ing sacks no need to
13288 			 * send
13289 			 */
13290 			if (SCTP_TCB_TRYLOCK(stcb)) {
13291 				sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13292 				hold_tcblock = 1;
13293 			}
13294 		} else {
13295 			sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13296 		}
13297 	} else if ((queue_only == 0) &&
13298 		    (stcb->asoc.peers_rwnd == 0) &&
13299 	    (stcb->asoc.total_flight == 0)) {
13300 		/* We get to have a probe outstanding */
13301 		if (hold_tcblock == 0) {
13302 			hold_tcblock = 1;
13303 			SCTP_TCB_LOCK(stcb);
13304 		}
13305 		sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_USR_SEND, SCTP_SO_LOCKED);
13306 	} else if (some_on_control) {
13307 		int num_out, reason, frag_point;
13308 
13309 		/* Here we do control only */
13310 		if (hold_tcblock == 0) {
13311 			hold_tcblock = 1;
13312 			SCTP_TCB_LOCK(stcb);
13313 		}
13314 		frag_point = sctp_get_frag_point(stcb, &stcb->asoc);
13315 		(void)sctp_med_chunk_output(inp, stcb, &stcb->asoc, &num_out,
13316 		    &reason, 1, 1, &now, &now_filled, frag_point, SCTP_SO_LOCKED);
13317 	}
13318 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "USR Send complete qo:%d prw:%d unsent:%d tf:%d cooq:%d toqs:%d err:%d\n",
13319 	    queue_only, stcb->asoc.peers_rwnd, un_sent,
13320 	    stcb->asoc.total_flight, stcb->asoc.chunks_on_out_queue,
13321 	    stcb->asoc.total_output_queue_size, error);
13322 
13323 out:
13324 out_unlocked:
13325 
13326 	if (local_soresv && stcb) {
13327 		atomic_subtract_int(&stcb->asoc.sb_send_resv, sndlen);
13328 		local_soresv = 0;
13329 	}
13330 	if (create_lock_applied) {
13331 		SCTP_ASOC_CREATE_UNLOCK(inp);
13332 		create_lock_applied = 0;
13333 	}
13334 	if ((stcb) && hold_tcblock) {
13335 		SCTP_TCB_UNLOCK(stcb);
13336 	}
13337 	if (stcb && free_cnt_applied) {
13338 		atomic_add_int(&stcb->asoc.refcnt, -1);
13339 	}
13340 #ifdef INVARIANTS
13341 	if (stcb) {
13342 		if (mtx_owned(&stcb->tcb_mtx)) {
13343 			panic("Leaving with tcb mtx owned?");
13344 		}
13345 		if (mtx_owned(&stcb->tcb_send_mtx)) {
13346 			panic("Leaving with tcb send mtx owned?");
13347 		}
13348 	}
13349 #endif
13350 #ifdef INVARIANTS
13351 	if (inp) {
13352 		sctp_validate_no_locks(inp);
13353 	} else {
13354 		printf("Warning - inp is NULL so cant validate locks\n");
13355 	}
13356 #endif
13357 	if (top) {
13358 		sctp_m_freem(top);
13359 	}
13360 	if (control) {
13361 		sctp_m_freem(control);
13362 	}
13363 	return (error);
13364 }
13365 
13366 
13367 /*
13368  * generate an AUTHentication chunk, if required
13369  */
13370 struct mbuf *
13371 sctp_add_auth_chunk(struct mbuf *m, struct mbuf **m_end,
13372     struct sctp_auth_chunk **auth_ret, uint32_t * offset,
13373     struct sctp_tcb *stcb, uint8_t chunk)
13374 {
13375 	struct mbuf *m_auth;
13376 	struct sctp_auth_chunk *auth;
13377 	int chunk_len;
13378 
13379 	if ((m_end == NULL) || (auth_ret == NULL) || (offset == NULL) ||
13380 	    (stcb == NULL))
13381 		return (m);
13382 
13383 	/* sysctl disabled auth? */
13384 	if (SCTP_BASE_SYSCTL(sctp_auth_disable))
13385 		return (m);
13386 
13387 	/* peer doesn't do auth... */
13388 	if (!stcb->asoc.peer_supports_auth) {
13389 		return (m);
13390 	}
13391 	/* does the requested chunk require auth? */
13392 	if (!sctp_auth_is_required_chunk(chunk, stcb->asoc.peer_auth_chunks)) {
13393 		return (m);
13394 	}
13395 	m_auth = sctp_get_mbuf_for_msg(sizeof(*auth), 0, M_DONTWAIT, 1, MT_HEADER);
13396 	if (m_auth == NULL) {
13397 		/* no mbuf's */
13398 		return (m);
13399 	}
13400 	/* reserve some space if this will be the first mbuf */
13401 	if (m == NULL)
13402 		SCTP_BUF_RESV_UF(m_auth, SCTP_MIN_OVERHEAD);
13403 	/* fill in the AUTH chunk details */
13404 	auth = mtod(m_auth, struct sctp_auth_chunk *);
13405 	bzero(auth, sizeof(*auth));
13406 	auth->ch.chunk_type = SCTP_AUTHENTICATION;
13407 	auth->ch.chunk_flags = 0;
13408 	chunk_len = sizeof(*auth) +
13409 	    sctp_get_hmac_digest_len(stcb->asoc.peer_hmac_id);
13410 	auth->ch.chunk_length = htons(chunk_len);
13411 	auth->hmac_id = htons(stcb->asoc.peer_hmac_id);
13412 	/* key id and hmac digest will be computed and filled in upon send */
13413 
13414 	/* save the offset where the auth was inserted into the chain */
13415 	if (m != NULL) {
13416 		struct mbuf *cn;
13417 
13418 		*offset = 0;
13419 		cn = m;
13420 		while (cn) {
13421 			*offset += SCTP_BUF_LEN(cn);
13422 			cn = SCTP_BUF_NEXT(cn);
13423 		}
13424 	} else
13425 		*offset = 0;
13426 
13427 	/* update length and return pointer to the auth chunk */
13428 	SCTP_BUF_LEN(m_auth) = chunk_len;
13429 	m = sctp_copy_mbufchain(m_auth, m, m_end, 1, chunk_len, 0);
13430 	if (auth_ret != NULL)
13431 		*auth_ret = auth;
13432 
13433 	return (m);
13434 }
13435 
13436 #ifdef INET6
13437 int
13438 sctp_v6src_match_nexthop(struct sockaddr_in6 *src6, sctp_route_t * ro)
13439 {
13440 	struct nd_prefix *pfx = NULL;
13441 	struct nd_pfxrouter *pfxrtr = NULL;
13442 	struct sockaddr_in6 gw6;
13443 
13444 	if (ro == NULL || ro->ro_rt == NULL || src6->sin6_family != AF_INET6)
13445 		return (0);
13446 
13447 	/* get prefix entry of address */
13448 	LIST_FOREACH(pfx, &MODULE_GLOBAL(nd_prefix), ndpr_entry) {
13449 		if (pfx->ndpr_stateflags & NDPRF_DETACHED)
13450 			continue;
13451 		if (IN6_ARE_MASKED_ADDR_EQUAL(&pfx->ndpr_prefix.sin6_addr,
13452 		    &src6->sin6_addr, &pfx->ndpr_mask))
13453 			break;
13454 	}
13455 	/* no prefix entry in the prefix list */
13456 	if (pfx == NULL) {
13457 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "No prefix entry for ");
13458 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13459 		return (0);
13460 	}
13461 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "v6src_match_nexthop(), Prefix entry is ");
13462 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)src6);
13463 
13464 	/* search installed gateway from prefix entry */
13465 	for (pfxrtr = pfx->ndpr_advrtrs.lh_first; pfxrtr; pfxrtr =
13466 	    pfxrtr->pfr_next) {
13467 		memset(&gw6, 0, sizeof(struct sockaddr_in6));
13468 		gw6.sin6_family = AF_INET6;
13469 		gw6.sin6_len = sizeof(struct sockaddr_in6);
13470 		memcpy(&gw6.sin6_addr, &pfxrtr->router->rtaddr,
13471 		    sizeof(struct in6_addr));
13472 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "prefix router is ");
13473 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, (struct sockaddr *)&gw6);
13474 		SCTPDBG(SCTP_DEBUG_OUTPUT2, "installed router is ");
13475 		SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
13476 		if (sctp_cmpaddr((struct sockaddr *)&gw6,
13477 		    ro->ro_rt->rt_gateway)) {
13478 			SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is installed\n");
13479 			return (1);
13480 		}
13481 	}
13482 	SCTPDBG(SCTP_DEBUG_OUTPUT2, "pfxrouter is not installed\n");
13483 	return (0);
13484 }
13485 
13486 #endif
13487 
13488 int
13489 sctp_v4src_match_nexthop(struct sctp_ifa *sifa, sctp_route_t * ro)
13490 {
13491 	struct sockaddr_in *sin, *mask;
13492 	struct ifaddr *ifa;
13493 	struct in_addr srcnetaddr, gwnetaddr;
13494 
13495 	if (ro == NULL || ro->ro_rt == NULL ||
13496 	    sifa->address.sa.sa_family != AF_INET) {
13497 		return (0);
13498 	}
13499 	ifa = (struct ifaddr *)sifa->ifa;
13500 	mask = (struct sockaddr_in *)(ifa->ifa_netmask);
13501 	sin = (struct sockaddr_in *)&sifa->address.sin;
13502 	srcnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13503 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: src address is ");
13504 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, &sifa->address.sa);
13505 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", srcnetaddr.s_addr);
13506 
13507 	sin = (struct sockaddr_in *)ro->ro_rt->rt_gateway;
13508 	gwnetaddr.s_addr = (sin->sin_addr.s_addr & mask->sin_addr.s_addr);
13509 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "match_nexthop4: nexthop is ");
13510 	SCTPDBG_ADDR(SCTP_DEBUG_OUTPUT2, ro->ro_rt->rt_gateway);
13511 	SCTPDBG(SCTP_DEBUG_OUTPUT1, "network address is %x\n", gwnetaddr.s_addr);
13512 	if (srcnetaddr.s_addr == gwnetaddr.s_addr) {
13513 		return (1);
13514 	}
13515 	return (0);
13516 }
13517